{
  "type": "Domain",
  "indicator": "sourceforge.net",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/sourceforge.net",
    "alexa": "http://www.alexa.com/siteinfo/sourceforge.net",
    "indicator": "sourceforge.net",
    "type": "domain",
    "type_title": "Domain",
    "validation": [
      {
        "source": "akamai",
        "message": "Akamai rank: #9805",
        "name": "Akamai Popular Domain"
      },
      {
        "source": "alexa",
        "message": "Alexa rank: #640",
        "name": "Listed on Alexa"
      },
      {
        "source": "majestic",
        "message": "Whitelisted domain sourceforge.net",
        "name": "Whitelisted domain"
      },
      {
        "source": "whitelist",
        "message": "Whitelisted domain sourceforge.net",
        "name": "Whitelisted domain"
      }
    ],
    "base_indicator": {
      "id": 2252713844,
      "indicator": "sourceforge.net",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 50,
      "pulses": [
        {
          "id": "698e93e1ab02db8c49e8c3ed",
          "name": "\u201cBroken Seal\u201d DocuSign-themed Delivery with Fileless Process Hollowing (Zeppelin/Bloat-A)",
          "description": "Forensic analysis indicates a DocuSign-themed phishing campaign using a deliberately invalid X.509 PKI seal (\u201cBroken Seal\u201d) to trigger fail-open verification logic in automated handlers. The delivery mechanism bypasses Secure Email Gateway (SEG) reputation checks by using encrypted channels and human-gated infrastructure. The payload is a fileless Process Hollowing (RunPE) malware that injects into RWX memory of legitimate processes to evade disk-based EDR.",
          "modified": "2026-04-19T08:11:41.130000",
          "created": "2026-02-13T03:00:49.872000",
          "tags": [
            "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi",
            "9698f46495ce9401c8bcaf9a2afe1598",
            "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)",
            "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71",
            "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3",
            "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link",
            "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)"
          ],
          "references": [
            "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
            "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
            "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
            "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
            "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
            "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
            "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
            "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
            "Verification failure observed in automated verification handlers during sandbox replay.",
            "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
            "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
            "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
            "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
            "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
            "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
            "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
            "Whitelisted IP Address 204.79.197.212 Location  United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. ,  ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc.,   Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 ,  5943 ,  80211 ,  #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf ,  The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
            "",
            "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "China",
            "United States of America",
            "Spain",
            "Japan",
            "Canada"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 11,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 27678,
            "FileHash-SHA256": 47676,
            "FileHash-MD5": 42534,
            "FileHash-SHA1": 23213,
            "hostname": 33703,
            "URL": 75433,
            "SSLCertFingerprint": 30,
            "CVE": 7582,
            "email": 313,
            "FileHash-IMPHASH": 8,
            "CIDR": 26205,
            "JA3": 1,
            "IPv4": 80,
            "URI": 5
          },
          "indicator_count": 284461,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 68,
          "modified_text": "3 hours ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69bb65707834a02d0a4c7683",
          "name": "VirusTotal report for debug.zip",
          "description": "",
          "modified": "2026-04-18T02:04:23.541000",
          "created": "2026-03-19T02:54:40.990000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1064",
              "name": "Scripting",
              "display_name": "T1064 - Scripting"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 6,
            "FileHash-SHA1": 6,
            "FileHash-SHA256": 121,
            "URL": 80,
            "domain": 11,
            "hostname": 27
          },
          "indicator_count": 251,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 48,
          "modified_text": "1 day ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69bb6572706738c6329df151",
          "name": "VirusTotal report for debug.zip",
          "description": "",
          "modified": "2026-04-18T02:04:23.541000",
          "created": "2026-03-19T02:54:42.245000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1064",
              "name": "Scripting",
              "display_name": "T1064 - Scripting"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 6,
            "FileHash-SHA1": 6,
            "FileHash-SHA256": 121,
            "URL": 80,
            "domain": 11,
            "hostname": 27
          },
          "indicator_count": 251,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 48,
          "modified_text": "1 day ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6992bae83a5988dff8311490",
          "name": "Distributed Credential Exhaustion & C2 Orchestration via Golang-Based StealthWorker (ELF.Agent-VW)",
          "description": "Researcher credit: msudosos, level blue platform----\nThis artifact represents a high-integrity StealthWorker (GoBrut) botnet agent, architected as a statically linked, stripped 32-bit ELF binary to ensure cross-platform environmental independence. The sample utilizes XOR 0x20-encoded JavaScript payloads and String.fromCharCode obfuscation to mask its internal logic and bypass heuristic-based memory scanners. [User Notes] Its operational core is a multi-threaded service bruter targeting SSH, MySQL, and CMS backends, leveraging a massive infrastructure of 1,834 domains and 797 unique IPv4 endpoints for decentralized Command & Control (C2). Network telemetry confirms the use of ICMP and HTTP-based beaconing, indicating a sophisticated retry logic designed to maintain persistence across diverse network topologies. With a malicious file score of 10, this binary serves as a primary vector for large-scale credential harvesting and the subsequent integration of Linux infrastructure into global botnet clusters.",
          "modified": "2026-04-13T23:46:20.071000",
          "created": "2026-02-16T06:36:24.788000",
          "tags": [
            "Obfuscation: XOR-based String Encryption (0x20)",
            "T1110.001 (Brute Force: Password Guessing)",
            "Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba",
            "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf",
            "#PotentialUS-Origin_FalseFlag_Obfuscation"
          ],
          "references": [
            "Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba5c9390e94bd4333b7fad186",
            "Obfuscation: XOR-based String Encryption (0x20)",
            "T1110.001 (Brute Force: Password Guessing)",
            "This ELF 32-bit LSB artifact is a sophisticated GoBrut/StealthWorker agent, compiled via Golang 1.10 and stripped to obfuscate its high-velocity service-bruting logic. VirusTotal confirms a critical threat profile with 44/65 security vendors flagging the file, which leverages a unique Go BuildID (nGYES3pajdOm...) and a Telfhash (t1f303a0...) for architectural fingerprinting. The binary orchestrates decentralized Command and Control (C2) through an expansive infrastructure of 797 unique IPs and 1,834 domains",
            "Pivot-Ready Indicators (IOCs) Go BuildID: nGYES3pajdOmKy1i6Ghh/KO9ydOtZpXtoKtB0KHE-/iisNoniHgTbj_cV6M-uk/XmMYzkBiZs8NXMRZYTiT Telfhash: t1f303a0b3055d54e8b7f08907c7af7624cef6e0f726d078f169e278d09a72c826626874 Imphash: 9698f46495ce9401c8bcaf9a2afe1598 Vhash: 1e53f1a1b59ecb93f821c74b25d81e9f",
            "Researcher msudosos posits a strategic exploitation of Root Certificate Validation Failures, where the adversary leverages an expired trust chain to bypass heuristic security filters and establish persistence.",
            "This technique allows the GoBrut/StealthWorker agent to circumvent automated revocation checks, enabling its decentralized C2 infrastructure to recruit Linux hosts via high-velocity credential exhaustion.",
            "The local environment exhibits advanced telemetry suppression within specialized skim memory regions, effectively neutralizing standard DMARC validation and Microsoft-integrated defensive protocols.",
            "By maintaining a hollowed root posture, the sample facilitates persistent, low-signal synchronization with external cloud infrastructure while bypassing traditional heuristic trust-chain verification.",
            "The domain prioritywirreles.com (registered via NAMECHEAP INC) shows a 4/93 detection ratio, confirming it is a live but \"low-noise\" C2 node used to avoid broad-spectrum blacklisting",
            "",
            "The environment leverages prioritywirreles.com as a high-fidelity DGA-derived C2 node, utilizing its historical resolution to Russian-hosted IP space (194.61.24.231) to maintain persistent Stealthworker botnet synchronization.",
            "By operating through WhoisGuard-protected infrastructure and exploiting XOR 0x20 obfuscation, the adversary effectively suppresses telemetry into skim space, successfully bypassing DMARC and Microsoft-integrated trust-chain validation.",
            "The pivot from cd398983... to this domain confirms a multi-year campaign (2019\u20132023) utilizing Namecheap-registered infrastructure to orchestrate wide-scale T1110.001 brute-force operations while bypassing standard PKI expiration checks.",
            "LBresearcher: msudosos notes: The campaign's use of T1110.001 (Password Guessing) is specifically tuned to exhaust credentials across SSH, MySQL, and CMS backends, effectively recruiting server infrastructure into a global \"zombie\" network.",
            "LBresearcher: msudosos notes: The threat actor maintains operational longevity by rotating through WhoisGuard-protected nodes like prioritywirreles.com, which historically resolved to Russian-hosted IP space (194.61.24.231) to obfuscate its origin.",
            "LBresearcher: msudosos notes: By exploiting Root Certificate Validation Failures, the StealthWorker (GoBrut) agent ensures that its 32-bit ELF binaries bypass the automated reputation checks enforced by major cloud providers.",
            "Monitor DGA Shifts: Track new domains registered through NAMECHEAP INC using the current WhoisGuard patterns to identify the next cluster before it goes active. Analyze Telfhash Clusters: Use the Telfhash (t1f303a0...) to pivot and find if the adversary has updated to 64-bit ELF or ARM architectures. Harden DMARC: Ensure your environment moves from \"p=none\" to \"p=reject\" to mitigate the internal spoofing loops exploited by this botnet's telemetry suppression.",
            "Persistent C2 Orchestration: This ELF:Agent-VW variant serves as a critical GoBrut node, utilizing XOR 0x20 obfuscation and ICMP/HTTP beaconing to maintain a persistent link across 1,834 domains and 797 unique IPs",
            "Researcher msudosos: This activity appears to facilitate a preliminary reconnaissance phase, possibly utilizing system commands to query /proc/cpuinfo and /proc/version for architectural profiling purposes.",
            "Researcher msudosos suggests the VirusTotal (Tencent HABO) behavior report may indicate a potential execution path from volatile storage at /tmp/EB93A6/996E.elf.",
            "Msudosos Regional Notes: While historical pivots show Russian-hosted nodes, the current dual-origin telemetry\u2014dominated by 181 United States-based endpoints\u2014strongly suggests a domestic-aligned adversary leveraging global 'grey space' to obfuscate its operational core. This massive US-centric footprint (exceeding all other regions combined) reinforces the theory of a false-flag orchestration designed to divert attribution toward foreign infrastructure while abusing legitimate Western-hosted trust chains.",
            "WHOIS data anchors administrative and technical operations for prioritywirreles.com in Los Angeles, CA (90064) via Namecheap infrastructure. Following its 2020 expiration, the domain has transitioned into redemptionPeriod/pendingDelete status, signaling the formal decommissioning of this C2 asset."
          ],
          "public": 1,
          "adversary": "StealthWorker/GoBrut (The adversary demonstrates advanced telemetry suppression within specialized s",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Malware Family: StealthWorker / GoBrut",
              "display_name": "Malware Family: StealthWorker / GoBrut",
              "target": "/malware/Malware Family: StealthWorker / GoBrut"
            },
            {
              "id": "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf",
              "display_name": "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1001",
              "name": "Data Obfuscation",
              "display_name": "T1001 - Data Obfuscation"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 5,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 2166,
            "FileHash-SHA1": 2067,
            "FileHash-SHA256": 3371,
            "domain": 13295,
            "URL": 6860,
            "email": 272,
            "hostname": 4705,
            "SSLCertFingerprint": 268,
            "CVE": 107,
            "CIDR": 6
          },
          "indicator_count": 33117,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 62,
          "modified_text": "5 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69ca434ee788ab3d090e6013",
          "name": "PDFKIT.NET - Trust Bypass Continued Concerns",
          "description": "A complete list of key facts and statistics:..3-magnitude-based data-sharing platform, which was first created in 2003, has been published by the University of Oxford.<-- Pretext. Msudosos: Ongoing concerns persist regarding the use of the pdfkit.net library in specific DMV versions, which may allow for trust bypass across multiple platforms. Research indicates that isolating affected areas or voiding certificates will not remediate this issue, as the corrupted trusted root persists even after firmware-level restores.",
          "modified": "2026-04-07T02:11:33.275000",
          "created": "2026-03-30T09:33:02.363000",
          "tags": [
            "fcc",
            "trust bypass",
            "pi",
            "hollow-root",
            "pdfkit.net",
            "cryptographically-invalid",
            "Docusign as an exploit",
            "gov / infra / healthcare / mun",
            "education",
            "US",
            "globalsign2020",
            "noend--point.",
            "null"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Netherlands",
            "Italy",
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Stefan",
              "display_name": "Stefan",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1218",
              "name": "Signed Binary Proxy Execution",
              "display_name": "T1218 - Signed Binary Proxy Execution"
            }
          ],
          "industries": [
            "Telecommunications",
            "Education",
            "Government"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 77,
            "IPv4": 8,
            "domain": 39,
            "email": 4,
            "hostname": 60,
            "FileHash-SHA1": 47,
            "FileHash-SHA256": 209,
            "FileHash-MD5": 42,
            "CVE": 1
          },
          "indicator_count": 487,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 50,
          "modified_text": "12 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69d44629b6a6bc546fdd357a",
          "name": "VirusTotal Box of Apples Sandbox report",
          "description": "<<< full text of the following:.1.2 (2.4m) in text, in the form of file, has been published online by the Linux operating system, known as Linux.>>>",
          "modified": "2026-04-06T23:47:53.256000",
          "created": "2026-04-06T23:47:53.256000",
          "tags": [
            "file type",
            "unix",
            "wed jun",
            "thu jun"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1010",
              "name": "Application Window Discovery",
              "display_name": "T1010 - Application Window Discovery"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1064",
              "name": "Scripting",
              "display_name": "T1064 - Scripting"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 1023,
            "hostname": 54,
            "IPv4": 4,
            "FileHash-MD5": 12,
            "FileHash-SHA1": 12,
            "URL": 146,
            "domain": 230
          },
          "indicator_count": 1481,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 48,
          "modified_text": "12 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69d4462886e53e706aae1674",
          "name": "VirusTotal Box of Apples Sandbox report",
          "description": "<<< full text of the following:.1.2 (2.4m) in text, in the form of file, has been published online by the Linux operating system, known as Linux.>>>",
          "modified": "2026-04-06T23:47:52.536000",
          "created": "2026-04-06T23:47:52.536000",
          "tags": [
            "file type",
            "unix",
            "wed jun",
            "thu jun"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1010",
              "name": "Application Window Discovery",
              "display_name": "T1010 - Application Window Discovery"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1064",
              "name": "Scripting",
              "display_name": "T1064 - Scripting"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 1023,
            "hostname": 54,
            "IPv4": 4,
            "FileHash-MD5": 12,
            "FileHash-SHA1": 12,
            "URL": 146,
            "domain": 230
          },
          "indicator_count": 1481,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 48,
          "modified_text": "12 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69d4462288245b27cf606f42",
          "name": "VirusTotal Box of Apples Sandbox report",
          "description": "<<< full text of the following:.1.2 (2.4m) in text, in the form of file, has been published online by the Linux operating system, known as Linux.>>>",
          "modified": "2026-04-06T23:47:46.697000",
          "created": "2026-04-06T23:47:46.697000",
          "tags": [
            "file type",
            "unix",
            "wed jun",
            "thu jun"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1010",
              "name": "Application Window Discovery",
              "display_name": "T1010 - Application Window Discovery"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1064",
              "name": "Scripting",
              "display_name": "T1064 - Scripting"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 1023,
            "hostname": 54,
            "IPv4": 4,
            "FileHash-MD5": 12,
            "FileHash-SHA1": 12,
            "URL": 146,
            "domain": 230
          },
          "indicator_count": 1481,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 48,
          "modified_text": "12 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69d4442a0b5217c34bbcbd2d",
          "name": "VirusTotal report\n                    for install.sh",
          "description": "",
          "modified": "2026-04-06T23:39:22.105000",
          "created": "2026-04-06T23:39:22.105000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1064",
              "name": "Scripting",
              "display_name": "T1064 - Scripting"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1222",
              "name": "File and Directory Permissions Modification",
              "display_name": "T1222 - File and Directory Permissions Modification"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1010",
              "name": "Application Window Discovery",
              "display_name": "T1010 - Application Window Discovery"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 43,
            "FileHash-SHA1": 45,
            "FileHash-SHA256": 1421,
            "IPv4": 14,
            "URL": 261,
            "hostname": 73,
            "domain": 235,
            "email": 1
          },
          "indicator_count": 2093,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 48,
          "modified_text": "12 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69d44428ad43f231ff43e175",
          "name": "VirusTotal report\n                    for install.sh",
          "description": "",
          "modified": "2026-04-06T23:39:20.767000",
          "created": "2026-04-06T23:39:20.767000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1064",
              "name": "Scripting",
              "display_name": "T1064 - Scripting"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1222",
              "name": "File and Directory Permissions Modification",
              "display_name": "T1222 - File and Directory Permissions Modification"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1010",
              "name": "Application Window Discovery",
              "display_name": "T1010 - Application Window Discovery"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 43,
            "FileHash-SHA1": 45,
            "FileHash-SHA256": 1421,
            "IPv4": 14,
            "URL": 261,
            "hostname": 73,
            "domain": 235,
            "email": 1
          },
          "indicator_count": 2093,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 48,
          "modified_text": "12 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "698d30c03b57c38dff915023",
          "name": "Double Umbrella AS15169/AS21928: This evaluates a critical structural convergence between Google (AS15169) and T-Mobile USA (AS21928) within the global Tier-1 routing backbone",
          "description": "Research credit: msudosos, The research identifies a high-fidelity pattern where traffic from dual origins commingles within a restricted lateral transit hub, allowing for horizontal movement across backbone providers that typically maintain distinct trust boundaries. Specifically, the Content Origin (Umbrella A) originated by Google (AS15169) reaches the core backbone through a high-trust sequence involving Arelion (AS1299), NTT (AS2914), and GTT (AS3257). Simultaneously, the Mobile Origin (Umbrella B) originated by T-Mobile USA (AS21928) enters the backbone via Cogent (AS174) and Lumen (AS3356). The findings designate Lumen (AS3356) as the central lateral hub where traffic pivots horizontally between the \u201cCore Five\u201d partners-including Zayo (AS6461) and Hurricane Electric (AS6939) \u2014before leaking to international sub-transit peers like Sparkle (AS6762) and Telxius (AS12956), finally exiting at global edge points such as PCCW (AS3491) and Tata (AS6453).",
          "modified": "2026-03-29T06:02:00.914000",
          "created": "2026-02-12T01:45:36.128000",
          "tags": [
            "The dynamics of the mudoSOSIntersectalign with sophisticated adv"
          ],
          "references": [
            "as15169"
          ],
          "public": 1,
          "adversary": "Adversary Profile: Salt Typhoon Alignment The architectural gap identified by mudoSO mirrors the act",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 3,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URI": 1,
            "domain": 2661,
            "URL": 6810,
            "hostname": 2147,
            "email": 56,
            "FileHash-SHA256": 2781,
            "CVE": 172,
            "FileHash-MD5": 365,
            "FileHash-SHA1": 344,
            "IPv4": 1,
            "CIDR": 20940
          },
          "indicator_count": 36278,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 52,
          "modified_text": "21 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69bf64eccb5d39a90a3c391e",
          "name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos",
          "description": "",
          "modified": "2026-03-27T00:30:39.055000",
          "created": "2026-03-22T03:41:32.565000",
          "tags": [
            "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi",
            "9698f46495ce9401c8bcaf9a2afe1598",
            "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)",
            "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71",
            "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3",
            "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link",
            "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)"
          ],
          "references": [
            "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
            "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
            "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
            "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
            "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
            "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
            "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
            "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
            "Verification failure observed in automated verification handlers during sandbox replay.",
            "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
            "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
            "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
            "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
            "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
            "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
            "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
            "Whitelisted IP Address 204.79.197.212 Location  United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. ,  ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc.,   Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 ,  5943 ,  80211 ,  #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf ,  The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
            "",
            "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "China",
            "United States of America",
            "Spain",
            "Japan",
            "Canada"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In"
          ],
          "TLP": "green",
          "cloned_from": "698e93e1ab02db8c49e8c3ed",
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 27572,
            "FileHash-SHA256": 46076,
            "FileHash-MD5": 42177,
            "FileHash-SHA1": 22874,
            "hostname": 33438,
            "URL": 74810,
            "SSLCertFingerprint": 21,
            "CVE": 7579,
            "email": 297,
            "FileHash-IMPHASH": 8,
            "CIDR": 26203,
            "JA3": 1
          },
          "indicator_count": 281056,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 145,
          "modified_text": "23 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69bf64e1d5e06aa6207f78de",
          "name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos",
          "description": "",
          "modified": "2026-03-27T00:30:39.055000",
          "created": "2026-03-22T03:41:21.863000",
          "tags": [
            "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi",
            "9698f46495ce9401c8bcaf9a2afe1598",
            "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)",
            "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71",
            "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3",
            "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link",
            "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)"
          ],
          "references": [
            "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
            "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
            "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
            "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
            "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
            "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
            "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
            "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
            "Verification failure observed in automated verification handlers during sandbox replay.",
            "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
            "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
            "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
            "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
            "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
            "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
            "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
            "Whitelisted IP Address 204.79.197.212 Location  United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. ,  ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc.,   Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 ,  5943 ,  80211 ,  #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf ,  The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
            "",
            "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "China",
            "United States of America",
            "Spain",
            "Japan",
            "Canada"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In"
          ],
          "TLP": "green",
          "cloned_from": "698e93e1ab02db8c49e8c3ed",
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 27572,
            "FileHash-SHA256": 46076,
            "FileHash-MD5": 42177,
            "FileHash-SHA1": 22874,
            "hostname": 33438,
            "URL": 74810,
            "SSLCertFingerprint": 21,
            "CVE": 7579,
            "email": 297,
            "FileHash-IMPHASH": 8,
            "CIDR": 26203,
            "JA3": 1
          },
          "indicator_count": 281056,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 143,
          "modified_text": "23 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69bb64c919c79f2b5953ee4b",
          "name": "VirusTotal report\n                    for download.zip",
          "description": "rat photo. nice",
          "modified": "2026-03-19T02:52:34.909000",
          "created": "2026-03-19T02:51:53.023000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1064",
              "name": "Scripting",
              "display_name": "T1064 - Scripting"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 3,
            "FileHash-SHA1": 3,
            "FileHash-SHA256": 7,
            "URL": 8,
            "hostname": 4,
            "domain": 4
          },
          "indicator_count": 29,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 48,
          "modified_text": "31 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69bb64c9af3b72853ba28b17",
          "name": "VirusTotal report\n                    for download.zip",
          "description": "rat photo. nice",
          "modified": "2026-03-19T02:51:53.743000",
          "created": "2026-03-19T02:51:53.743000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1064",
              "name": "Scripting",
              "display_name": "T1064 - Scripting"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 2,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 3,
            "URL": 4,
            "hostname": 2,
            "domain": 2
          },
          "indicator_count": 15,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 48,
          "modified_text": "31 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69af56902f52679a9725a85f",
          "name": "'imaging center compromise' clone q.vashti",
          "description": "",
          "modified": "2026-03-10T02:46:31.610000",
          "created": "2026-03-09T23:24:00.761000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": "684b95a1313f466112ed7e5b",
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 236,
            "FileHash-SHA1": 236,
            "FileHash-SHA256": 1866,
            "URL": 6,
            "domain": 3,
            "hostname": 327
          },
          "indicator_count": 2674,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 48,
          "modified_text": "40 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69a5c36b78ed73550bb0bf22",
          "name": "by Disable_Duck",
          "description": "",
          "modified": "2026-03-04T23:37:24.208000",
          "created": "2026-03-02T17:05:47.288000",
          "tags": [
            "kgs0",
            "kls0",
            "botname http",
            "entity",
            "UAlberta",
            "Telus",
            "Norton",
            "ffss",
            "Alberta",
            "AlbertaNDP",
            "InteriorHealth",
            "RCMP",
            "CrimeStoppersAB",
            "EdmontonPolice",
            "RCMP Kelowna",
            "RCMP AB",
            "TLS/SSL Crawler",
            "CVE-2026-24061 Attempt",
            "Generic IoT Default Password Attempt",
            "Cisco Prime Infrastructure CVE-2019-1821 RCE Attempt",
            "Dahua Backdoor Attempt",
            "ENV Crawler",
            "DCERPC Protocol",
            "Carries HTTP Referer",
            "GNU Inetutils Telnetd Auth Bypass",
            "ICMPv4 Protocol"
          ],
          "references": [
            "https://www.virustotal.com/graph/embed/g34c2ebfedb6c47c286431a829da992c3744ab3fab0d74008946f3b9bbeb83e23?theme=dark",
            "https://viz.greynoise.io/ip/analysis/61bb7542-40c2-448e-87d4-947a4623eada",
            "https://viz.greynoise.io/ip/analysis/7e527b44-c950-4c01-bb33-d96"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Canada",
            "Netherlands",
            "Panama",
            "Poland",
            "United Kingdom of Great Britain and Northern Ireland",
            "Slovakia",
            "Aruba",
            "Anguilla",
            "Australia",
            "Costa Rica",
            "Guatemala",
            "Mexico",
            "Trinidad and Tobago",
            "Cura\u00e7ao",
            "Philippines",
            "Virgin Islands, U.S.",
            "Ukraine",
            "Barbados",
            "Germany",
            "Sint Maarten (Dutch part)",
            "Argentina",
            "Switzerland"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Education",
            "Healthcare",
            "Government",
            "Technology",
            "Energy",
            "Telecommunications"
          ],
          "TLP": "white",
          "cloned_from": "6901363c4ce422f5caf0f72c",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 2,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 3903,
            "FileHash-SHA1": 4967,
            "FileHash-SHA256": 12884,
            "URL": 996,
            "domain": 987,
            "hostname": 3306,
            "email": 4,
            "CVE": 1
          },
          "indicator_count": 27048,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 49,
          "modified_text": "45 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6901363c4ce422f5caf0f72c",
          "name": "Copy of DevT-OddTags-Browser-BasedOdditites - (L4ke.Aff3ct.216, 01.18.26)",
          "description": "Updated based on VT Graph & Tracking Spread of Cybercrime. This Pulse is mostly covering activity in the Province of Alberta Canada. Given recent news, it appears that BC Interior Health and Kelowna RCMP Detachment impacted in addition to Alberta Sectors of Education, Healthcare, and Government (Provincial & Federal - e.g. Treaty 6,7,8 as well as the Canadian CRA heavily impacted). \nEnriched a graph by vt user (L4ke.Aff3ct.216, 01.02.26)\nSubmitted IOCs to Greynoise.io (10.28.25)",
          "modified": "2026-02-18T05:00:41.494000",
          "created": "2025-10-28T21:31:40.008000",
          "tags": [
            "kgs0",
            "kls0",
            "botname http",
            "entity",
            "UAlberta",
            "Telus",
            "Norton",
            "ffss",
            "Alberta",
            "AlbertaNDP",
            "InteriorHealth",
            "RCMP",
            "CrimeStoppersAB",
            "EdmontonPolice",
            "RCMP Kelowna",
            "RCMP AB"
          ],
          "references": [
            "https://www.virustotal.com/graph/embed/g34c2ebfedb6c47c286431a829da992c3744ab3fab0d74008946f3b9bbeb83e23?theme=dark",
            "https://viz.greynoise.io/ip/analysis/61bb7542-40c2-448e-87d4-947a4623eada"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Canada",
            "Netherlands",
            "Panama",
            "Poland",
            "United Kingdom of Great Britain and Northern Ireland",
            "Slovakia",
            "Aruba",
            "Anguilla",
            "Australia",
            "Costa Rica",
            "Guatemala",
            "Mexico",
            "Trinidad and Tobago",
            "Cura\u00e7ao",
            "Philippines",
            "Virgin Islands, U.S.",
            "Ukraine",
            "Barbados",
            "Germany",
            "Sint Maarten (Dutch part)"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Education",
            "Healthcare",
            "Government",
            "Technology",
            "Energy",
            "Telecommunications"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 1,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 3903,
            "FileHash-SHA1": 4967,
            "FileHash-SHA256": 12884,
            "URL": 995,
            "domain": 984,
            "hostname": 3305,
            "email": 4
          },
          "indicator_count": 27042,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 128,
          "modified_text": "60 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "685f4b49b299b1cd7c03be6f",
          "name": "Booking dot com - iPadOS Lockdown Github Firebase Cocoapods Google Abuse - 11.27.25",
          "description": "In-Progress [un-enriched]",
          "modified": "2025-12-28T06:02:35.247000",
          "created": "2025-06-28T01:54:17.500000",
          "tags": [
            "please",
            "javascript",
            "entity"
          ],
          "references": [
            "https://www.virustotal.com/gui/collection/ac812ebcb5d5570815876327bf29ef2c67015269d1e0bf01f1cd32ab2c23843c",
            "https://www.virustotal.com/gui/collection/ac812ebcb5d5570815876327bf29ef2c67015269d1e0bf01f1cd32ab2c23843c/iocs",
            "https://www.virustotal.com/graph/embed/gd1083011fd0b455fb2be107f7ee59516dc3f4c39b05b4a90b15e8b0ad748a0d2?theme=dark"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Canada"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Technology"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 10,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 71,
            "domain": 12,
            "hostname": 23,
            "FileHash-MD5": 22,
            "FileHash-SHA1": 22,
            "FileHash-SHA256": 40
          },
          "indicator_count": 190,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 129,
          "modified_text": "112 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "684b95a1313f466112ed7e5b",
          "name": "Imaging Center comprise - 2nd attempt",
          "description": "",
          "modified": "2025-07-13T03:03:56.927000",
          "created": "2025-06-13T03:06:09.155000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 29,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 236,
            "FileHash-SHA1": 236,
            "FileHash-SHA256": 1866,
            "URL": 3,
            "domain": 3,
            "hostname": 327
          },
          "indicator_count": 2671,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 137,
          "modified_text": "280 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "684690d6dc730b0842d341a7",
          "name": "Exposing_Malware_in20Linux-Based_Multi-Cloud_Environments_R1Final.pdf",
          "description": "Falcon Sandbox: \nRansomware/Banking\nDetected indicator that file is ransomware\ndetails\n\"5 | Exposing Malware in Linux-Based Multi-Cloud Environments Ransomware and cryptominers Ransomware The impact of a ransomware attack can range from being a nuisance (e.g., having to restore data from backups and clean up the network) to being devastating (e.g., having to pay large sums of money to regain access to key assets). Unfortunately, when talking about cloud environments, the results tend to be more on the devastating side. Recently, cybercriminals have started calculating the damage they might cause to the valuation of a company going through a financial event to make the potential impact of their attack clear and incentivize ransom payments.5 At the same time, they\\x2122ve been honing their tactics with increasingly sophisticated techniques to target victim organizations\u2026more: https://www.hybrid-analysis.com/sample/92c1ca86f4d025e72acb94ae3cbdd3c6435aaa1b5e3fc3dcb06f8501b5dd3bb7/62e7fdd19a99ce4fa32e6d64",
          "modified": "2025-07-09T07:03:10.726000",
          "created": "2025-06-09T07:44:22.507000",
          "tags": [
            "ipv4",
            "url http",
            "expiration",
            "url https",
            "eid1338769034",
            "united",
            "unknown ns",
            "present jun",
            "unknown cname",
            "name servers",
            "search",
            "servers",
            "showing",
            "ip address",
            "creation date",
            "date",
            "encrypt",
            "sha256",
            "submitted",
            "passive dns",
            "urls",
            "address",
            "xmpg",
            "malware",
            "span",
            "extgstate",
            "bbox",
            "subtypeform",
            "rlength",
            "resource",
            "rfit",
            "pattern match",
            "path",
            "code",
            "cobalt strike",
            "false",
            "cloud",
            "core",
            "footer",
            "meta",
            "black",
            "ransomware",
            "r980",
            "facebook",
            "discord",
            "stream",
            "form",
            "contact",
            "story",
            "february",
            "rats",
            "stack",
            "defense",
            "launcher",
            "trace",
            "august",
            "hellokitty",
            "twitter",
            "upgrade",
            "android",
            "decryptor",
            "green",
            "enterprise",
            "team",
            "small",
            "systemd",
            "service",
            "python",
            "shell",
            "reload",
            "find",
            "haiduc",
            "hybrid",
            "general",
            "suspicious",
            "click",
            "strings",
            "iframe",
            "loader",
            "tools",
            "template",
            "daily",
            "hypervisor",
            "capture",
            "stars",
            "download",
            "copy",
            "cobaltstrike",
            "install",
            "madcap",
            "protect",
            "shift",
            "beyond",
            "leverage",
            "agent",
            "info",
            "xmrig",
            "attack",
            "demonbot",
            "multi",
            "live",
            "grep",
            "pass",
            "ri falsek",
            "process",
            "xobject",
            "format",
            "june",
            "crypto",
            "close",
            "learn",
            "ck id",
            "name tactics",
            "informative",
            "adversaries",
            "command",
            "defense evasion",
            "apis",
            "found"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1016",
              "name": "System Network Configuration Discovery",
              "display_name": "T1016 - System Network Configuration Discovery"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1496",
              "name": "Resource Hijacking",
              "display_name": "T1496 - Resource Hijacking"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1489",
              "name": "Service Stop",
              "display_name": "T1489 - Service Stop"
            },
            {
              "id": "T1491",
              "name": "Defacement",
              "display_name": "T1491 - Defacement"
            },
            {
              "id": "T1530",
              "name": "Data from Cloud Storage Object",
              "display_name": "T1530 - Data from Cloud Storage Object"
            },
            {
              "id": "T1590",
              "name": "Gather Victim Network Information",
              "display_name": "T1590 - Gather Victim Network Information"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 33,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 39,
            "FileHash-SHA1": 48,
            "FileHash-SHA256": 67,
            "domain": 173,
            "hostname": 110,
            "URL": 429,
            "email": 10
          },
          "indicator_count": 876,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 139,
          "modified_text": "284 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67c6bb5aa601e91b1314ff44",
          "name": "SCANID: S-KhOoOrXsco8: Thor Lite Linux 64 - Sample Lab Device 2 - incomplete (not enriched)",
          "description": "Thor Lite Linux 64 - Sample Lab Device 2 - incomplete\nhttps://tip.neiki.dev/file/09de67f8d3ce9a276e9665dc2e0013577b38d60b0518ffe7961bdc7f8755a52d\nSCANID: S-KhOoOrXsco8",
          "modified": "2025-04-22T06:02:28.535000",
          "created": "2025-03-04T08:35:38.390000",
          "tags": [
            "misc",
            "filename ioc",
            "scanid",
            "sigtype1",
            "reasonscount",
            "sg2backup drive",
            "thu feb",
            "log entry",
            "exists1",
            "matched1",
            "warp",
            "trash",
            "rooter",
            "service",
            "puppet",
            "apache",
            "ruby",
            "execution",
            "android",
            "glasses",
            "agent",
            "hermes",
            "atlas",
            "score",
            "open",
            "orion",
            "entity",
            "download",
            "enterprise",
            "nexus",
            "beyond",
            "patch",
            "rest",
            "bsod",
            "bind",
            "june",
            "upgrade",
            "project",
            "surtr",
            "path",
            "mandrake",
            "accept",
            "openssl",
            "null",
            "responder",
            "shell",
            "servu",
            "cargo",
            "bypass",
            "green",
            "python",
            "iframe",
            "webex",
            "blink",
            "code",
            "netty",
            "fall",
            "grab",
            "metasploit",
            "webdav",
            "postscript",
            "middle",
            "assistant",
            "energy",
            "august",
            "diego",
            "february",
            "hold",
            "write",
            "extras",
            "fusion",
            "trace",
            "click",
            "rust",
            "anna",
            "virustotal",
            "rootkit",
            "timestomp",
            "doublepulsar",
            "logger",
            "teamviewer",
            "obfus",
            "probe",
            "win32",
            "snoopy",
            "vuln",
            "april",
            "format",
            "flash",
            "domino",
            "calendar",
            "cryptocat",
            "orca",
            "hello",
            "stream",
            "confi",
            "sharepoint",
            "launcher",
            "hypervisor",
            "malicious",
            "lame",
            "attack",
            "prior",
            "simple",
            "hpack",
            "homepage",
            "easy",
            "live",
            "cookie",
            "explorer",
            "config",
            "rush",
            "spark",
            "chat",
            "media",
            "webview",
            "trigger",
            "northstar",
            "monitoring",
            "false",
            "impact",
            "dino",
            "example",
            "splash",
            "macos",
            "notifier",
            "error",
            "spring",
            "this",
            "neutrino",
            "tools",
            "template",
            "crow",
            "magento",
            "zimbra",
            "drop",
            "stack",
            "linear",
            "blocker",
            "deleter",
            "main",
            "face",
            "arch",
            "hosts",
            "bifrost",
            "recursive",
            "cobaltstrike",
            "luckycat",
            "brain",
            "apt",
            "php",
            "rat",
            "hacktool",
            "worm",
            "meterpreter",
            "obfuscated",
            "evasive",
            "exaramel",
            "anti-vm"
          ],
          "references": [
            "https://www.virustotal.com/gui/collection/9c02b7b214c51b2fa7b6f2f38943a83ada3fff5ab9cbb9cf52e320bd702c9cd0/iocs",
            "https://www.virustotal.com/gui/collection/9c02b7b214c51b2fa7b6f2f38943a83ada3fff5ab9cbb9cf52e320bd702c9cd0/summary",
            "https://www.virustotal.com/graph/embed/ga8f86f452d6d4819b2dedf4c1981843304472a457d9b4b339f35679f4693ce9c?theme=dark",
            "https://tip.neiki.dev/file/09de67f8d3ce9a276e9665dc2e0013577b38d60b0518ffe7961bdc7f8755a52d",
            "https://cyber-fortress.com/docs/result/index.php?id=67c6bb9cc8d04e92a4bed8fc",
            "https://www.filescan.io/uploads/67c6bd19e95d0f9029e3804f/reports/834b740f-9bcb-42d9-b6a1-a0a8dbd07b07/overview",
            "https://www.filescan.io/uploads/67df8585fae452b82c2115b7/reports/65f03ad1-b5bc-41a8-ae82-21970a18efcb/ioc",
            "https://hybrid-analysis.com/sample/a6b9deae18604003aa3963d5d83775f5c66bfbe93ea4608fe8a69e6af3722f45/67df874be4fc8d105e0230d1"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Canada"
          ],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1110",
              "name": "Brute Force",
              "display_name": "T1110 - Brute Force"
            },
            {
              "id": "T1132",
              "name": "Data Encoding",
              "display_name": "T1132 - Data Encoding"
            },
            {
              "id": "T1203",
              "name": "Exploitation for Client Execution",
              "display_name": "T1203 - Exploitation for Client Execution"
            },
            {
              "id": "T1505",
              "name": "Server Software Component",
              "display_name": "T1505 - Server Software Component"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1550",
              "name": "Use Alternate Authentication Material",
              "display_name": "T1550 - Use Alternate Authentication Material"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1595",
              "name": "Active Scanning",
              "display_name": "T1595 - Active Scanning"
            }
          ],
          "industries": [
            "Education",
            "Healthcare",
            "Government",
            "Telecommunications"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 45,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 1,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 14071,
            "FileHash-MD5": 979,
            "FileHash-SHA1": 2568,
            "FileHash-SHA256": 636,
            "URL": 43905,
            "domain": 2031,
            "email": 31,
            "hostname": 3621
          },
          "indicator_count": 67842,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 132,
          "modified_text": "362 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67a801c7a6074eb73a688c51",
          "name": "#OpsBedil Targeted Attack: Malicious Windows Spyware VIM on OS",
          "description": "The sandbox for vim allows dangerous functions such as (1) writefile, (2) feedkeys, and (3) system, which might allow user-assisted attackers to execute shell commands and write files via modelines; including: \nT1027 - Obfuscated Files or Information\nT1030 - Data Transfer Size Limits\nT1036 - Masquerading\nT1056 - Input Capture\nT1059 - Command and Scripting Interpreter\nT1070 - Indicator Removal on Host\nT1105 - Ingress Tool Transfer\nT1106 - Native API\nT1119 - Automated Collection\nT1134 - Access Token Manipulation\nT1140 - Deobfuscate/Decode Files or Information\nT1176 - Browser Extensions\nT1547 - Boot or Logon Autostart Execution",
          "modified": "2025-03-11T00:00:59.533000",
          "created": "2025-02-09T01:15:51.632000",
          "tags": [
            "code",
            "range",
            "file offset",
            "ecxedi20xa",
            "edi0x6d",
            "ebp20x20",
            "esi0x67",
            "edx0x6f",
            "esi0x61",
            "ebp20x62",
            "hopper",
            "cve20072438",
            "normally",
            "use vim",
            "checkfile",
            "vimruntime",
            "checkdir",
            "vim project",
            "https",
            "bram moolenaar",
            "bram",
            "files",
            "silent",
            "insert mode",
            "down",
            "pumvisible",
            "vim script",
            "evim",
            "maintainer",
            "spellpopupmenu",
            "aunmenu",
            "tlunmenu",
            "loadbuffermenu",
            "revert",
            "difforig",
            "show",
            "ctrlu",
            "diffthis",
            "bail",
            "win32",
            "vim support",
            "remove",
            "comment",
            "genericname",
            "name",
            "keywords",
            "gvim",
            "edit",
            "zhcn",
            "editor",
            "metin",
            "rediger",
            "loadftplugin",
            "filetype",
            "expand",
            "amatch",
            "make",
            "sinsert",
            "middlemouse",
            "unix",
            "amiga",
            "mswindows",
            "loadindent",
            "end def",
            "visual mode",
            "shiftdel",
            "copy",
            "vim default",
            "selectmode",
            "insert",
            "load",
            "detectfiletype",
            "addoption",
            "optiong",
            "binoptiong",
            "optionl",
            "binoptionl",
            "header",
            "space",
            "python",
            "find",
            "open",
            "mark",
            "shell",
            "ruby",
            "install",
            "vim desktop",
            "substitute",
            "vunmenu",
            "paste",
            "script",
            "selectall",
            "word",
            "popup",
            "menu",
            "line",
            "close",
            "window",
            "back",
            "toolbar",
            "compiler",
            "next",
            "hack",
            "vimvimrc",
            "haiku",
            "openvms",
            "setsyn",
            "lang",
            "syntax menu",
            "description",
            "define",
            "setsyn function",
            "assembly",
            "maya",
            "bufnewfile",
            "bufread",
            "starsetf",
            "setf",
            "language",
            "visual basic",
            "xml au",
            "latex",
            "setfiletypesh",
            "endif",
            "lilo",
            "apache",
            "postscript",
            "rexx",
            "atom",
            "meta",
            "clipper",
            "desktop",
            "gift",
            "hercules",
            "julia",
            "mercurial",
            "pacman",
            "trigger",
            "puppet",
            "path",
            "powershell",
            "info",
            "ziggy",
            "speedup",
            "systemd",
            "form",
            "format",
            "calendar",
            "dracula",
            "config",
            "sfile",
            "esc",
            "iconv",
            "psflags",
            "if defined",
            "newitem force",
            "itemtype file",
            "iso88591 t",
            "utf8",
            "utf8 t",
            "iconvpath",
            "t iso88591",
            "makefile",
            "converted",
            "bob ware",
            "colorado school",
            "mines",
            "vim editor",
            "on your",
            "original copy",
            "please",
            "golden",
            "translation",
            "lesson",
            "enter",
            "type",
            "filename",
            "press",
            "normal mode",
            "repeat",
            "summary",
            "notice",
            "ruler",
            "test",
            "letzn",
            "mrkl",
            "zeil",
            "strg",
            "bewg nn",
            "end von",
            "druck",
            "dautticht",
            "zipf",
            "zaichen",
            "netty",
            "moveu el",
            "entrar",
            "premeu",
            "fitxer",
            "normal",
            "prova",
            "repetiu",
            "sumari",
            "desprs",
            "ara premeu",
            "cont",
            "ctrl",
            "ctrld",
            "append",
            "ctrlr",
            "ctrli",
            "shift",
            "backspace",
            "lekce",
            "napi",
            "dek oznaen",
            "normlnm mdu",
            "pesu",
            "stla",
            "soubor",
            "pesu kurzor",
            "opakuj",
            "toto",
            "lektion",
            "flyt",
            "skriv",
            "tryk p",
            "gentag",
            "bemrk",
            "filnavn",
            "nr der",
            "tryk",
            "zeile",
            "bewege den",
            "tippe",
            "zeichen",
            "cursor zu",
            "cursor zum",
            "kommandos",
            "cursor",
            "null",
            "tutor",
            "ctrlg",
            "shiftg",
            "shiftn",
            "msdos",
            "vimtutor",
            "capslock",
            "michael",
            "movu la",
            "leciono",
            "enenklavo",
            "kursoron al",
            "tajpu",
            "kursoron e",
            "testo",
            "premu",
            "dosiernomo",
            "resumo",
            "nova",
            "anon",
            "leccin",
            "mueva el",
            "intro",
            "pulse",
            "escriba",
            "para",
            "ahora",
            "insertar",
            "esto",
            "repita",
            "antes",
            "tenga",
            "como",
            "este",
            "leon",
            "tapez",
            "dplacez",
            "entre",
            "chap",
            "insertion",
            "puis tapez",
            "rptez",
            "appuyez",
            "lekcija",
            "otipkajte",
            "pritisnite",
            "ponovite",
            "kako bi",
            "insert mod",
            "prijeite",
            "saetak",
            "imedatoteke",
            "note",
            "windows",
            "yank",
            "mozgassuk",
            "fjlnv",
            "parancs",
            "lecke",
            "teszt",
            "j sort",
            "nyomja meg",
            "norml mdban",
            "ismtelje",
            "muovi il",
            "batti",
            "lezione",
            "invio",
            "premi",
            "ripeti i",
            "nomefile",
            "modalit normale",
            "adesso batti",
            "nota",
            "alla",
            "stata",
            "replace",
            "change",
            "subtitute",
            "school",
            "emiau",
            "spustelkite",
            "testas",
            "pirmj",
            "failovardas",
            "fail",
            "normalij",
            "santrauka",
            "ymeklis",
            "raid",
            "ramen",
            "tagad",
            "ievadiet",
            "piemram",
            "apkopojums",
            "lai izdzstu",
            "lai ievietotu",
            "ievadot",
            "ievrojiet",
            "js varat",
            "macos",
            "leksjon",
            "flytt",
            "trykk",
            "slette",
            "repeter",
            "erstatte",
            "sette",
            "kommandoen",
            "sett",
            "tips",
            "vise",
            "druk",
            "het commando",
            "herhaal de",
            "als je",
            "deze",
            "de cursor",
            "gebruik",
            "voeg",
            "bestandsnaam",
            "zorg",
            "mova",
            "digite",
            "teste",
            "agora",
            "pressione",
            "insero",
            "mais",
            "lekcja",
            "przenie kursor",
            "wcinij",
            "vima",
            "wpisz",
            "teraz",
            "powtarzaj",
            "nazwapliku",
            "uwaga",
            "jest",
            "dmesine",
            "ders",
            "ilk satra",
            "bu satrda",
            "normal kipe",
            "normal kipte",
            "daha fazla",
            "pomerite kursor",
            "otkucajte",
            "preite",
            "imefajla",
            "rezime lekcije",
            "za zamenu",
            "flytta",
            "filnamn",
            "normallge",
            "tryck",
            "om du",
            "sammanfattning",
            "genom",
            "lekcia",
            "presu kurzor",
            "presu",
            "napsanie",
            "zopakuj",
            "poznmka",
            "lcmessages",
            "lcall",
            "slovak tutor",
            "vim tutor",
            "amatria",
            "thevimproject",
            "slovak",
            "czech",
            "number",
            "motion",
            "ignore",
            "hjkl",
            "by gi",
            "di chuyn",
            "cu lnh",
            "u tin",
            "thay",
            "tntptin",
            "nu bn",
            "tng kt",
            "vim c",
            "lodi",
            "caps",
            "lock",
            "abc de",
            "command",
            "krishna",
            "spellerrors",
            "display dpy",
            "none",
            "false",
            "xfree",
            "sendinit",
            "isserialname",
            "staticspace",
            "xsync",
            "sendtovim",
            "main",
            "k command",
            "shell script",
            "vt100",
            "term vt100w",
            "dec locator",
            "vsnet",
            "tools",
            "external tools",
            "title",
            "arguments",
            "curline",
            "itempath",
            "init dir",
            "empty",
            "fbshtagsfp",
            "create",
            "options",
            "tags",
            "bourne shell",
            "perl",
            "fbkshfp korn",
            "tcl shell",
            "tk windowing",
            "parse",
            "new buffer",
            "buildcasetable",
            "printf",
            "buildwidthtable",
            "keys",
            "parsefoldprops",
            "parsewidthprops",
            "variabletags",
            "argv",
            "stephen riehm",
            "david woodfall",
            "getopt",
            "v include",
            "print version",
            "suppress",
            "reason",
            "file",
            "severity",
            "o ccfilter",
            "following",
            "this first",
            "ccfilter",
            "quickfix format",
            "though",
            "start",
            "john lange",
            "primitivem",
            "errorformat",
            "perl script",
            "executecore",
            "aerts",
            "sw developer",
            "sony telecom",
            "europe",
            "b1130 brussels",
            "belgium",
            "port",
            "host",
            "server",
            "vim channel",
            "chopen",
            "localhost8765",
            "json message",
            "linelength",
            "compilernames",
            "irix",
            "solaris",
            "hpux",
            "pablo ariel",
            "c compiler",
            "compilerqty",
            "usage",
            "project",
            "collector",
            "written",
            "ives aerts",
            "notes",
            "r decrement",
            "v verbose",
            "outputs",
            "o treat",
            "program",
            "q errorfile",
            "stdout",
            "copyright",
            "joerg ziefle",
            "perl w",
            "first",
            "maketag",
            "version",
            "exuberant ctags",
            "statement",
            "loop",
            "michael schaap",
            "support",
            "packagename",
            "look",
            "february",
            "push",
            "sgi mipspro",
            "error int",
            "error",
            "doit",
            "vim9 function",
            "nr2char",
            "c program",
            "vim quickfix",
            "awk script",
            "dec terminal",
            "make vim",
            "errors",
            "begin",
            "kirchgatterer",
            "opcodes syn",
            "addresses",
            "numbers",
            "types syn",
            "blocks syn",
            "strings syn",
            "program counter",
            "hilo byte",
            "quit",
            "todo todo",
            "aappythonscript",
            "python line",
            "python block",
            "blockline",
            "abap",
            "statement hi",
            "string hi",
            "structure",
            "vim abap",
            "abapr4",
            "marius piedallu",
            "james allwright",
            "april",
            "klmpqwvw",
            "comment hi",
            "type hi",
            "identifier hi",
            "constant let",
            "abel",
            "john cook",
            "johncook3",
            "a bunch",
            "todo xxx",
            "fixme",
            "c style",
            "abaqus",
            "carl osterwisch",
            "costerwi",
            "remark",
            "abaqus comment",
            "abaqus keyword",
            "include hi",
            "todo hi",
            "acedb model",
            "stewart morris",
            "thu apr",
            "syntax file",
            "acedb software",
            "xref syn",
            "rest",
            "preproc hi",
            "delimiter hi",
            "nikolai weibull",
            "include",
            "useroption",
            "options medium",
            "defaultprinter",
            "outputfirstline",
            "filecommand",
            "todo fixme",
            "martin krischik",
            "kind",
            "keyword",
            "mk bram",
            "standard",
            "character",
            "stype",
            "date",
            "vim syn",
            "altera ahdl",
            "x syn",
            "todo",
            "xnor syn",
            "specialchar hi",
            "builtin",
            "define hi",
            "builtin rect",
            "operator hi",
            "special hi",
            "dbus",
            "g3drop",
            "builtin dump",
            "builtin number",
            "builtin call",
            "redir",
            "stream",
            "screen",
            "function hi",
            "aflex",
            "lex syntax",
            "mathieu clabaut",
            "lastchange",
            "ada syntax",
            "aflex stuff",
            "patterns",
            "dominique pelle",
            "storageclass hi",
            "keyword let",
            "endlet",
            "htmlformat",
            "htmlcolor",
            "span",
            "htmlformatn",
            "foldcolumnbuild",
            "css1",
            "foldedid",
            "html",
            "generator",
            "fixme todo",
            "xxx note",
            "spell",
            "amigados",
            "campbell",
            "former url",
            "syntaxamiga",
            "krief david",
            "display drop",
            "beta cauchy",
            "irand224 syn",
            "normal poisson",
            "antlr4",
            "another tool",
            "yinzuo jiang",
            "jiangyinzuo",
            "july",
            "option value",
            "ben rubson",
            "hammers",
            "changelog",
            "option value1",
            "option",
            "value1",
            "david necas",
            "yeti",
            "base",
            "xxx not",
            "core",
            "antlr",
            "javacc parser",
            "azaz09",
            "parserend",
            "parserbegin",
            "token skip",
            "antsyntaxscript",
            "doug kearns",
            "zellner",
            "xmlcdatastart",
            "xmlcdataend",
            "xmltag",
            "xmlendtag",
            "ayer",
            "atch",
            "orkspace",
            "ngle",
            "rity",
            "mbol",
            "ffset",
            "istory",
            "osition",
            "xport",
            "stack",
            "tack",
            "digi",
            "flip",
            "shade",
            "cluster",
            "keyb",
            "arch",
            "moran",
            "ecode",
            "gnu arch",
            "source",
            "keyword hi",
            "simulate",
            "aptitude",
            "state",
            "yann amar",
            "quidame",
            "aptconf",
            "incomplete",
            "ebug",
            "autodetect",
            "fast",
            "marker",
            "score",
            "arduino",
            "hoff",
            "october",
            "license",
            "vim license",
            "arduino ide",
            "erik nomitch",
            "adam obeng",
            "artenterprise",
            "dorai sitaram",
            "ds26",
            "thilo six",
            "number hi",
            "edfghprs",
            "gnu assembler",
            "erik wognsen",
            "kdahlhaus",
            "kevin",
            "label hi",
            "macro hi",
            "title hi",
            "deprecated",
            "skip",
            "none hi",
            "claudio fleiner",
            "claudio",
            "end imports",
            "exports from",
            "implicitstags",
            "explicitstags",
            "absent present",
            "size universal",
            "strings",
            "aspperlscript",
            "perlscript",
            "aaron hope",
            "constant hi",
            "bwlsdxp",
            "macro",
            "specialchar",
            "error hi",
            "aspvbserror",
            "aspvbsfunction",
            "aspvbsmethods",
            "aspvbsstatement",
            "aspvbsnumber",
            "aspvbscript",
            "aspvbscomment",
            "aspvbs",
            "exits",
            "floating point",
            "asterisk",
            "tilghman lesher",
            "corydon76",
            "zonemessages",
            "atlas",
            "inaki saez",
            "jisaez",
            "flags bef",
            "orange syn",
            "containsasytodo",
            "asymptote",
            "avid seeker",
            "c syntax",
            "autodoc",
            "berg",
            "xml dl",
            "display",
            "contains",
            "borz",
            "kdpds",
            "oneline",
            "hotstring",
            "comspec",
            "hotkey",
            "reload",
            "common",
            "autoit",
            "soundplay",
            "autoit v3",
            "jared breland",
            "ping",
            "shutdown",
            "vim maintainers",
            "john williams",
            "action",
            "makefile syntax",
            "avenue",
            "arcview",
            "wagner",
            "esri",
            "string",
            "integer number",
            "operator syn",
            "xor mod",
            "hitachi h8300h",
            "xorc syn",
            "identifier let",
            "avr assembler",
            "avra",
            "avra home",
            "avra version",
            "marius ghita",
            "mhitza",
            "gawk ref",
            "functions syn",
            "awk ref",
            "effective awk",
            "programming",
            "keeps",
            "astro",
            "style",
            "fold",
            "enable",
            "astrojavascript",
            "htmlpreproc",
            "wuelner martnez",
            "html tag",
            "azaz",
            "ayaccuniongroup",
            "ayacc",
            "clusters",
            "aunis",
            "bash",
            "a formal",
            "method",
            "contributor",
            "csaba hoch",
            "undef",
            "defaultchar",
            "startstartfont",
            "bdfboundingbox",
            "containsbdftodo",
            "bibtex",
            "bernd feige",
            "ignore case",
            "xdata customa",
            "xref",
            "ams mref",
            "data",
            "basic",
            "quickbasic",
            "trim",
            "metacommands",
            "kill",
            "zonenumber",
            "bind zone",
            "mehnle",
            "slava gorbanev",
            "generates syn",
            "bcall",
            "vlado",
            "keywords syn",
            "string syn",
            "comment syn",
            "parent",
            "sulejman",
            "blank",
            "xspo",
            "bitbake",
            "chris larson",
            "kergoth",
            "daniel kho",
            "bsdl",
            "vhdl syntax",
            "tim pope",
            "vimnospam",
            "highlight",
            "imperfect",
            "bstnumber",
            "entry function",
            "integers macro",
            "bazel",
            "david barnett",
            "label",
            "digit",
            "john leo",
            "spetz",
            "boolean",
            "statuses",
            "bazaar",
            "dmitry vasiliev",
            "dima",
            "diff",
            "nospell",
            "synchronization",
            "baanerror",
            "selecteos",
            "updateerror",
            "d rows",
            "default",
            "selectempty",
            "selecterror",
            "updateempty",
            "union",
            "hooks",
            "normal hi",
            "case",
            "haskell cabal",
            "build file",
            "profunctor",
            "benchmark",
            "import",
            "cabalconfigpath",
            "cabal config",
            "original author",
            "cabalconfigkey",
            "false ghc",
            "cabal project",
            "true false",
            "cabalprojectnat",
            "boolean hi",
            "cparengroup",
            "cstringgroup",
            "ccommentgroup",
            "clabelgroup",
            "iso c99",
            "elifs",
            "ifndef",
            "ccppoutingroup",
            "optional",
            "accept",
            "public dtddecl",
            "entity catalog",
            "errormsg hi",
            "cdlcommentgroup",
            "raul segura",
            "acevedo",
            "xcheck",
            "childsname",
            "parentsname",
            "grpsdescription",
            "fixme xxx",
            "fullburn",
            "readdriver",
            "writedevice",
            "readdevice",
            "cfgcomment",
            "uncpath",
            "cfgstring",
            "cfgsection",
            "prischepoff",
            "on off",
            "yes no",
            "dos drive",
            "zhenyu",
            "documentation",
            "and fold",
            "operator",
            "punctuation",
            "transparent",
            "region and",
            "cfmlcorekeyword",
            "linden",
            "coldfusion",
            "skipwhite",
            "nextgroup",
            "cdrtoctrack",
            "cdtext",
            "performer",
            "silence",
            "zero",
            "softintegration",
            "cc interpreter",
            "declspec",
            "exception hi",
            "structure let",
            "built",
            "chaiscript",
            "jason turner",
            "lefticus",
            "escape",
            "web changes",
            "andreas scherer",
            "details",
            "cweb",
            "knuth",
            "silvio levy",
            "webcweb",
            "november",
            "haskell",
            "armin sander",
            "changelog file",
            "menesis",
            "vinschen",
            "june",
            "chatito",
            "observeroftime",
            "import syn",
            "intent syn",
            "slot syn",
            "cheetah",
            "max ischenko",
            "matches",
            "precondit hi",
            "evan hanson",
            "scheme",
            "chicken",
            "repository",
            "scheme syntax",
            "lighten",
            "heredocs",
            "cc syntax",
            "hse1",
            "chorus",
            "startofverse",
            "startofbridge",
            "startoftab",
            "startofabc",
            "startofly",
            "chordfont",
            "chill",
            "repeat hi",
            "avoid",
            "youngsang yoon",
            "image",
            "ccitt high",
            "this",
            "ember",
            "sifs0",
            "sinclude",
            "calendarinclude",
            "andrea callea",
            "chuck",
            "object event",
            "ugen array",
            "pieter van",
            "engelen",
            "arthur van",
            "leeuwen",
            "start syn",
            "int real",
            "char bool",
            "zamana",
            "flagship",
            "mario eusebio",
            "accept append",
            "blank from",
            "highlight value",
            "cmake",
            "comments",
            "match key",
            "cmakecachekey",
            "advanced",
            "highlight str",
            "stringstr",
            "nickspoons",
            "internal",
            "clever language",
            "clever",
            "multibase",
            "philip uren",
            "philuspax",
            "cmod",
            "cmodautodoc",
            "supports",
            "init init",
            "exit gcrecurse",
            "browser",
            "cocor",
            "shukla",
            "any characters",
            "context end",
            "from if",
            "nested pragmas",
            "to tokens",
            "cword",
            "fnameescape",
            "supplement",
            "must",
            "dgacfbe",
            "clojuretop",
            "arraychunk",
            "vecnode",
            "vecseq",
            "x00x7f",
            "partstart",
            "gondi",
            "inst",
            "etcdisktab",
            "acmsg",
            "acmsgtype",
            "hammesr",
            "yngve inntjore",
            "levinsen",
            "khym chanur",
            "james mccoy",
            "well",
            "anything",
            "conary recipe",
            "addallflags syn",
            "run automake",
            "makeinstall syn",
            "install copy",
            "move symlink",
            "link remove",
            "doc syn",
            "crm114",
            "modemsg hi",
            "imported",
            "target",
            "true",
            "interface",
            "quiet",
            "private",
            "write",
            "multi",
            "never",
            "unknown",
            "fatalerror",
            "sensitive",
            "android",
            "download",
            "guard",
            "exact",
            "locale",
            "trace",
            "alphabet",
            "john hoelzel",
            "hours days",
            "commands",
            "llll",
            "hminsmsusnsi",
            "ffll",
            "ken shan",
            "ccshan",
            "context",
            "synname",
            "startstartz",
            "endstopz1",
            "mptop",
            "luatop",
            "csccommentgroup",
            "if else",
            "endif elseif",
            "lev sy",
            "iallancestors",
            "curgen sy",
            "warningmsg hi",
            "essbase",
            "prior",
            "descendants",
            "cshell",
            "syntaxcsh",
            "variables",
            "luul",
            "csall",
            "srecord",
            "az09",
            "processes",
            "amsettimer",
            "sdlmatch",
            "default hi",
            "fdr input",
            "maxim kim",
            "habamax",
            "functions",
            "predefined term",
            "end predefined",
            "term variables",
            "century term",
            "csdl",
            "jacek artymiak",
            "c22032019",
            "call",
            "replacing",
            "comp",
            "recognize",
            "ascii",
            "existing syntax",
            "ctrlhbold",
            "ctrlh",
            "module level",
            "prop",
            "media",
            "cuda",
            "nvidia compute",
            "unified device",
            "architecture",
            "terriberry",
            "device global",
            "host managed",
            "shared syn",
            "restrict",
            "cupl simulation",
            "cupl syntax",
            "matt dunford",
            "sat nov",
            "statement let",
            "tex syntax",
            "cweb source",
            "cc material",
            "webincludedc",
            "double",
            "rc file",
            "dada",
            "dadas",
            "etant",
            "scen",
            "regel",
            "pero",
            "esquema",
            "tapi",
            "kada",
            "dados",
            "maka",
            "fono",
            "cupl",
            "valid integer",
            "signal",
            "phil derrick",
            "phild",
            "cynpp",
            "cynlib",
            "cynlib syntax",
            "posedge negedge",
            "changed syn",
            "instantiate",
            "out inst",
            "url http",
            "default cynscon",
            "standard syntax",
            "include debian",
            "match uri",
            "addremove",
            "byhash",
            "christopher",
            "dcod trts",
            "tnxt crlf",
            "labl syn",
            "cequ cneq",
            "cgte clte",
            "cbit clse",
            "dcomment",
            "jason",
            "pragma",
            "4857",
            "digital command",
            "sword",
            "mine",
            "conditional hi",
            "dart",
            "eugene pr3d4t0r",
            "ciurana",
            "former",
            "gerfried fuchs",
            "alpha",
            "rust",
            "datascript",
            "dscommentgroup",
            "comment let",
            "debcopyright",
            "orig author",
            "rob brady",
            "robb",
            "wu yongwei",
            "library stub",
            "code windows",
            "dos syn",
            "exports imports",
            "dep3 patch",
            "gabriel filion",
            "gabster",
            "specification",
            "authorfrom",
            "adminemail",
            "lockfile",
            "matthijs",
            "match",
            "ttext",
            "ccategory",
            "fflag",
            "llicense",
            "rock linux",
            "ren rebe",
            "spell syn",
            "lastline syn",
            "filter",
            "disablestrat",
            "s un",
            "r en",
            "jakson alves",
            "ansi sgr",
            "ansi sgr8",
            "jan larres",
            "term left",
            "black",
            "green",
            "contact",
            "charityware",
            "uganda",
            "entry",
            "block",
            "parasitic",
            "parameter",
            "devicemos",
            "rules",
            "device",
            "diva",
            "toby schaffer",
            "categories",
            "exectryexec",
            "unmounticon",
            "at wp",
            "chat",
            "django",
            "django template",
            "dave hodder",
            "dnsbind zone",
            "docbook sgml",
            "cest let",
            "docbook xml",
            "docbook",
            "devin weaver",
            "shlomi fish",
            "auto detect",
            "syntax xml",
            "sgml",
            "syntax sgml",
            "rory hunter",
            "json",
            "dockerfiles",
            "honza pokorny",
            "onbuilds",
            "from",
            "add arg",
            "cmd copy",
            "mike williams",
            "mrmrdubya",
            "windows nt",
            "msdosms windows",
            "mckee",
            "nima talebi",
            "hong xu",
            "sept",
            "keyword hilink",
            "hilink",
            "error hilink",
            "nargs hilink",
            "markus mottl",
            "enclosing",
            "scott bordelon",
            "wed apr",
            "cadence",
            "automation",
            "design rule",
            "checking",
            "layout",
            "schematic",
            "dsssl",
            "cest",
            "example",
            "xmlregionhook",
            "dtml",
            "dtml syntax",
            "zope",
            "markup language",
            "jordaan",
            "doxygenhtmltop",
            "synlink",
            "link",
            "syncolor",
            "strong",
            "reflink",
            "cpreprocgroup",
            "actions",
            "dtrace d",
            "d script",
            "solaris dynamic",
            "tracing guide",
            "nicolas weber",
            "nicolasweber",
            "first line",
            "probe",
            "turn",
            "entity",
            "matchgroupnone",
            "document type",
            "definition",
            "brabandt",
            "dune",
            "anton kochkov",
            "samuel hym",
            "simon cruanes",
            "kawahara satoru",
            "urkedal",
            "etienne millon",
            "dylan",
            "justus",
            "fri sep",
            "include let",
            "dylan library",
            "interface files",
            "brent fulgham",
            "bfulgham",
            "string let",
            "fulgham",
            "dnsmasqkeyword",
            "dnsmasqrange",
            "editorconfig",
            "anders",
            "edif version",
            "edif",
            "artem zankovich",
            "zartem",
            "5481988",
            "john beppu",
            "beppu",
            "ecd file",
            "embedix linux",
            "elm filter",
            "syntaxelmfilt",
            "elmfiltnumber",
            "brssow",
            "environments",
            "wraparound",
            "elinksnumber",
            "elinkscolor",
            "savingstylew",
            "imagelinksuffix",
            "homepage",
            "current void",
            "selse",
            "sthen",
            "eiffel",
            "joseph hager",
            "ajhager",
            "typedef hi",
            "lambda",
            "xxxx",
            "kresimir marzic",
            "oscar hellstrm",
            "oscar",
            "kornel",
            "syntax",
            "label highlight",
            "type highlight",
            "identifier",
            "george",
            "exec sql",
            "preproc let",
            "esterel",
            "luca necchi",
            "nikos andrikos",
            "esterel regions",
            "esterel types",
            "esterel comment",
            "identifiers",
            "euphoria",
            "builtins",
            "function",
            "reset",
            "should suffice",
            "etermgeneral",
            "d0xx",
            "mod5",
            "rubytop",
            "eruby",
            "erubysubtypezsw",
            "conventional",
            "text",
            "generated file",
            "david nev",
            "setup",
            "expect",
            "normal expect",
            "ralph jennings",
            "knowbudy",
            "user",
            "sysv",
            "bsd isms",
            "syntaxexports",
            "optset",
            "eviews",
            "vaidotas zemlys",
            "zemlys",
            "az4857",
            "assembler",
            "fasm",
            "ron aaron",
            "vim url",
            "fasm home",
            "fasm version",
            "xmm0 xmm1",
            "xmm2 xmm3",
            "dwayne bailey",
            "dwayne",
            "fdcc",
            "definitions",
            "iso tr",
            "unicode",
            "shell command",
            "output",
            "array",
            "fantom",
            "service",
            "bridle",
            "informix",
            "update",
            "abort abs",
            "absolute accept",
            "access acos",
            "add after",
            "allocate alter",
            "drop",
            "fishnext",
            "fishstatement",
            "fishterminator",
            "fishargument",
            "nicholas boyle",
            "flexwiki",
            "reilly",
            "home",
            "fuse",
            "modify",
            "table",
            "pascal makefile",
            "sections",
            "comments syn",
            "forth79",
            "forth83",
            "char",
            "forth83 syn",
            "body",
            "noname",
            "class",
            "local",
            "tung",
            "thu oct",
            "thomas reiter",
            "manipulation",
            "book",
            "document",
            "textfile",
            "apply",
            "formats",
            "popu",
            "crea",
            "modi",
            "memo",
            "defi",
            "disp",
            "dele",
            "appe",
            "repl",
            "proj",
            "alia",
            "cmon",
            "nvert",
            "mwin",
            "uniq",
            "blin",
            "carr",
            "story",
            "mult",
            "rator",
            "fortran",
            "ends",
            "cray",
            "ulllull",
            "stop",
            "fvwmm4",
            "mainsyntax",
            "fvwm2m4",
            "include m4",
            "include fvwm2",
            "fvwm1",
            "hss1",
            "general syn",
            "szsw",
            "check",
            "journal",
            "hold",
            "fvwm",
            "cursormove",
            "edgeresistance",
            "modulepath",
            "noborder",
            "windowlistskip",
            "backcolor",
            "sticky",
            "refresh",
            "buttons",
            "exclam",
            "slash",
            "gdmo",
            "iso101654",
            "guidelines",
            "managed object",
            "gyuman",
            "chester",
            "godot resource",
            "section syn",
            "ssss",
            "gdb command",
            "simon sobisch",
            "isplay",
            "unset",
            "linkurl",
            "gemtext markup",
            "suneel freimuth",
            "heading",
            "list",
            "quote",
            "heading special",
            "list statement",
            "godot",
            "bug hack",
            "gitdiff",
            "dddd",
            "endt",
            "commit",
            "question hi",
            "giftcef",
            "linenr hi",
            "giftceffw",
            "giftce",
            "conceal hi",
            "gedcom",
            "paul johnson",
            "december",
            "abbr addr",
            "adop adr1",
            "adr2 afn",
            "godot gdscript",
            "website",
            "pattern",
            "attribute syn",
            "macro syn",
            "gitcommitdiff",
            "your",
            "todo let",
            "crrw",
            "creator",
            "xexec",
            "syn match",
            "az4857 syn",
            "adam monsen",
            "opengl shading",
            "modified",
            "godoc",
            "title let",
            "gocommentgroup",
            "chan",
            "foldenable",
            "packagecomment",
            "integer hi",
            "todo regexp",
            "todos",
            "josh wainwright",
            "dot ja",
            "at gmail",
            "dot com",
            "karim belabas",
            "texstyle syntax",
            "todo syntax",
            "todd zullinger",
            "daniel kahn",
            "gillmor",
            "containsgpgtodo",
            "gprof output",
            "flat profile",
            "gretl",
            "gretl genr",
            "variable",
            "grads",
            "fronzek",
            "grid analysis",
            "display system",
            "grads scripting",
            "variables syn",
            "gnashkeyword",
            "gnashcomment",
            "gnashtodo",
            "solreadonly",
            "solsafedir",
            "john marshall",
            "jmarshall",
            "pedro alejandro",
            "lpezvalencia",
            "ddd0xx",
            "pager",
            "terminal",
            "chainloader",
            "groovytop",
            "exception",
            "groovy",
            "debug hi",
            "gtk theme",
            "packer",
            "conceal",
            "json syntax",
            "single",
            "trailing commas",
            "fixme note",
            "gnu server",
            "pages",
            "source html",
            "include java",
            "redefine",
            "argc argv",
            "begin begg",
            "end endg",
            "graph",
            "vim source",
            "matchlist",
            "vimsrcdir",
            "both",
            "getqflist",
            "cent",
            "kword",
            "c function",
            "small",
            "light",
            "vimcontinue",
            "endstr",
            "gensynvim",
            "vim9 syn",
            "vimexprlist",
            "magic",
            "hamlrubytop",
            "hamlcomponent",
            "hamltop",
            "haml",
            "hamlhtmltop",
            "david fishburn",
            "sun oct",
            "hamster classic",
            "hamster",
            "harepostfix",
            "hare",
            "vim syntax",
            "amelia clarke",
            "selene",
            "haredoc",
            "miscellaneous",
            "haste",
            "vlsi ic",
            "c preprocessor",
            "09afaf",
            "treat",
            "varid",
            "error let",
            "hbfilename",
            "hbhtmlstring",
            "hbhtmltagn",
            "hbhtmltag",
            "hbdirectivelib",
            "hbdirectiveset",
            "hbdirectiveout",
            "kkmmgg",
            "upstream",
            "a block",
            "szskkzes",
            "vim program",
            "restorer",
            "defunct",
            "aprl",
            "helplang",
            "intel hex",
            "sams ricahrd",
            "data digit",
            "folding data",
            "records",
            "record syn",
            "ignore hi",
            "vim help",
            "ident",
            "dana edwards",
            "danaedwards",
            "ic design",
            "preprocessor",
            "spacings",
            "resolutions",
            "ranges",
            "slhg",
            "hgcommitdiff",
            "sapling",
            "ken takata",
            "kentkt",
            "max coplan",
            "float hi",
            "hls playlist",
            "benot ryder",
            "comment line",
            "hogvar",
            "hogopnot",
            "hognumber",
            "hogipaddr",
            "hogcomment",
            "hogport",
            "hogoprange",
            "hogcomment syn",
            "hogstring",
            "bind",
            "elseif",
            "html template",
            "dennis",
            "htmltop",
            "htmljavascript",
            "onas",
            "htmlxml",
            "idem",
            "aria",
            "m4top",
            "htmlm4",
            "htmlos",
            "repeat syn",
            "aestiva",
            "jason rust",
            "jrust",
            "django html",
            "scomment",
            "i3configident",
            "i3configstrin",
            "i3configvalue",
            "focus",
            "i3configsh",
            "i3configstrvar",
            "i3configcommand",
            "i3configcolvar",
            "moving",
            "itanium",
            "parth malwankar",
            "pmalwankar",
            "file version",
            "masm syntax",
            "mark manning",
            "markem",
            "allan kelly",
            "ibasic file",
            "icewm menu",
            "james mahler",
            "fri apr",
            "icewm",
            "ids menu",
            "icon special",
            "icemenu",
            "data language",
            "ajelenak",
            "paren hi",
            "paren",
            "billshannon",
            "nlps",
            "npro",
            "graphics",
            "iconpregroup",
            "icon",
            "wendell turner",
            "prelude",
            "inbpc",
            "ddspe",
            "leaderscopy",
            "fontname",
            "badness",
            "elan ruusame",
            "shtop",
            "value",
            "args",
            "substituted",
            "macros",
            "ipfspecial",
            "ipftodo todo",
            "hendrik scholz",
            "hendrik",
            "openbsd pf",
            "ipfcomment",
            "xxx fixme",
            "donovan keohane",
            "syndisplay",
            "global",
            "verbextend",
            "double2",
            "snote",
            "david brgin",
            "dbuergin",
            "continuedoelse",
            "argv binpath",
            "cr crlf",
            "del debug",
            "eav empty",
            "inno setup",
            "my innosetup",
            "jason mills",
            "enterdisk syn",
            "sdsetuptype syn",
            "ifdef",
            "elif",
            "else",
            "cortopassi",
            "istoutspec",
            "peter meszaros",
            "pmeszaros",
            "istinpspec",
            "istcharacter",
            "istnumber",
            "istcomment",
            "jamcommentgroup",
            "jamparengroup",
            "ralf lemke",
            "xxx syn",
            "jargon file",
            "dan church",
            "label let",
            "javascript",
            "jls17",
            "see https",
            "javatop",
            "javadoctags",
            "javahtml",
            "tx0cr",
            "javamarkdown",
            "markdowninline",
            "jinja",
            "jinja template",
            "names syn",
            "standard jess",
            "jess",
            "paul baleme",
            "pbaleme",
            "jonas munsin",
            "xaxis yaxis",
            "x cross",
            "number let",
            "javacc",
            "java compiler",
            "javasoft",
            "vim compiler",
            "vito",
            "doc comment",
            "note xxx",
            "jspjava",
            "java server",
            "rgarciasuarez",
            "darren greaves",
            "patch",
            "thomas kimpton",
            "software",
            "eli parra",
            "json keywords",
            "jsonc",
            "izhak jakov",
            "izhak724",
            "acknowledgement",
            "kevin locke",
            "remove syntax",
            "json5",
            "mazunki hoksaas",
            "guten ye",
            "ywzhaifei",
            "syntax setup",
            "endz1",
            "kconfigconfigif",
            "abstract",
            "juliaexprsnodot",
            "regex",
            "naninf",
            "kdlnumber",
            "kdlnumber d",
            "aram drevekenin",
            "kotlin",
            "generated",
            "annotation syn",
            "kix2001 syn",
            "kixtart",
            "handle",
            "trap",
            "michael piefel",
            "entwurf",
            "cpp mode",
            "preproc",
            "error highlight",
            "storageclass",
            "delimiter",
            "sysvars",
            "false true",
            "kivy",
            "corey prophitt",
            "corey",
            "load python",
            "kivy language",
            "define kivy",
            "lace",
            "jocelyn fiat",
            "constants syn",
            "latte",
            "nick moffitt",
            "pre tag",
            "elsa",
            "glapagrossklag",
            "riley bruins",
            "ribru17",
            "keywords syntax",
            "sections memory",
            "overlay phdrs",
            "version include",
            "absolute addr",
            "names",
            "ldapconfcomment",
            "iso dialect",
            "modula2 dialect",
            "modula2 input",
            "styles",
            "error endif",
            "august",
            "pim dialect",
            "modula2",
            "longbitset",
            "procedure",
            "r10 dialect",
            "sto dos",
            "ldap ldif",
            "zak johnson",
            "zakj",
            "less",
            "jenoma",
            "todo optimize",
            "orce",
            "arset",
            "prox",
            "cache",
            "agent",
            "haskelltop",
            "lhstexcontainer",
            "ian lynagh",
            "tex markup",
            "bird style",
            "markdown style",
            "tex style",
            "lexccode",
            "user code",
            "flex",
            "van engelen",
            "patrick texier",
            "lifelines",
            "xref tag",
            "liquid",
            "liquidstatement",
            "yaml front",
            "matter",
            "liquidyamltop",
            "acdfmnrstuklp",
            "lilonumber hi",
            "number list",
            "niels horn",
            "lite",
            "liteinside",
            "lutz eymers",
            "ixtab",
            "email",
            "sql syntax",
            "errmsg",
            "livebook syntax",
            "lisplistcluster",
            "clisp ffi",
            "standard lisp",
            "keyword lispkey",
            "litestepdir",
            "litestep rc",
            "nethood",
            "winnt",
            "lotos",
            "is8807 syn",
            "specifications",
            "is8807",
            "daniel amyot",
            "damyot",
            "wed aug",
            "except",
            "logtalk",
            "logtalk entity",
            "term",
            "logic",
            "chfnauth",
            "chshauth",
            "createhome",
            "defaulthome",
            "lout",
            "report",
            "lambdaprolog",
            "teyjus",
            "vim version",
            "general",
            "lpccommentgroup",
            "lpcefungroup",
            "nodule",
            "lpcparengroup",
            "lpcpreprocgroup",
            "echo",
            "poet",
            "timo frenay",
            "timo",
            "labels syn",
            "lotusscript",
            "taryn east",
            "ultraedit",
            "textpad",
            "activateapp as",
            "base beep",
            "call case",
            "scott bigham",
            "colorterm",
            "luau",
            "marcus aurelius",
            "farias",
            "carlos augusto",
            "collapsebrtags",
            "lynx web",
            "lynx",
            "todo note",
            "uploader",
            "lyrics",
            "lrcnumber",
            "quake",
            "operators",
            "hascbackend",
            "pkg syn",
            "definelib syn",
            "definepgm syn",
            "importm3lib syn",
            "fleiner",
            "mainsyntaxm4",
            "mailquoteexps",
            "mail",
            "felix von",
            "leitner",
            "am est",
            "ascii character",
            "froms",
            "mallard",
            "jhradilek",
            "mallard markup",
            "draft",
            "skipnl",
            "roland hieber",
            "overrule",
            "ostype",
            "manconfcomment",
            "build",
            "suffix",
            "mason",
            "perltop",
            "hinrik rn",
            "sigursson",
            "pentium",
            "abgl",
            "ceopsz",
            "offset",
            "align",
            "floatingpoint",
            "vpmaxsq syn",
            "integer",
            "maple",
            "release",
            "focus master",
            "define syntax",
            "filename suffix",
            "segname segtype",
            "mtaddon",
            "matlab",
            "alex burka",
            "bbddeess",
            "all functions",
            "except keywords",
            "maxima",
            "robert dodier",
            "mermaid",
            "craig maceahern",
            "4857192255",
            "self",
            "accdescr",
            "click",
            "meson",
            "liam beguin",
            "zpetkovic",
            "disabler",
            "wikitop",
            "containshtmltag",
            "wikitableformat",
            "mediawiki",
            "yakov lerner",
            "rfc3339",
            "james vega",
            "melgroup",
            "maya extension",
            "robert minsk",
            "jason franklin",
            "sunghyun nam",
            "goweol",
            "mudunuri",
            "version info",
            "ctrlh syntax",
            "markdown",
            "matchstr",
            "metafont",
            "page",
            "latest revision",
            "magic point",
            "spam",
            "xfont vfont",
            "gero kuhlmann",
            "gero",
            "snmpv1",
            "snmpv2 mib",
            "martin smat",
            "msmat",
            "david pascoe",
            "pascoedj",
            "ax16",
            "donald knuth",
            "taocp",
            "mmix",
            "dirk hsken",
            "knuthstyle",
            "precondit endif",
            "pcimapfile",
            "parportmapfile",
            "model",
            "nil nil",
            "true syn",
            "symbols",
            "mmatop",
            "stub",
            "peter funk",
            "getdialect",
            "timo pedersen",
            "dat97tpe",
            "whitespace",
            "any array",
            "mookeyword",
            "dilnt",
            "multiplication",
            "mojonumber",
            "mojo",
            "stuff",
            "monk",
            "seebeyond",
            "mike litherland",
            "dirk van",
            "deun",
            "metapost",
            "manual",
            "autosync",
            "dumpvideo",
            "loadidx",
            "rawvideo",
            "tsprog",
            "color",
            "tabtitle",
            "am cdt",
            "pm est",
            "dummy",
            "ms message",
            "kwl7",
            "common ms",
            "messages",
            "ms idl",
            "vadim zeitlin",
            "vadim",
            "msql",
            "env variables",
            "inlclude",
            "modsim iii",
            "philipp jocham",
            "march",
            "actid all",
            "and as",
            "murphi model",
            "diego ongaro",
            "integers",
            "nspemit",
            "switch",
            "mushcode syntax",
            "rick bird",
            "clock",
            "dbck",
            "dump",
            "hook",
            "motd",
            "notify",
            "nuke",
            "restart",
            "snoop",
            "stats",
            "teleport",
            "attributes",
            "prettyprint",
            "libpath",
            "promylibdir",
            "attributes syn",
            "mupad source",
            "dave silvia",
            "dsilvia",
            "ymwd",
            "cciskaf",
            "float",
            "mysql",
            "pronovici",
            "encrypt",
            "namednotnumber",
            "nick hibma",
            "location",
            "marcin",
            "chaos",
            "dmap",
            "modules",
            "control section",
            "nastran",
            "tom kowalski",
            "any integer",
            "n1ql",
            "eugene ciurana",
            "merge syn",
            "nest syn",
            "pr3d4t0r",
            "vim command",
            "natural",
            "nasm",
            "iend",
            "movs",
            "time",
            "interval",
            "size",
            "directory cache",
            "cache buffers",
            "minimum file",
            "count",
            "daylight",
            "miner",
            "keith smiley",
            "login",
            "netrwtreegroup",
            "diffchange hi",
            "netrw listing",
            "toplevel",
            "readtoken",
            "nixexpr",
            "daiderd jordan",
            "daiderd",
            "region match",
            "bufenter",
            "syntax event",
            "synset",
            "checked",
            "muttvars",
            "neomutt",
            "bounce",
            "nsisanyopt",
            "statements",
            "nsis",
            "music",
            "rcx2",
            "scout syn",
            "rcx2 syn",
            "nqcparengroup",
            "rcx syn",
            "nqccommentgroup",
            "modes",
            "scout",
            "stefan",
            "module",
            "nginx module",
            "nginx",
            "http",
            "gost",
            "comet",
            "speed",
            "sphinx",
            "curv",
            "mtllibs",
            "exmaintainer",
            "anthony hodsdon",
            "objc syntax",
            "odin",
            "ms44",
            "and or",
            "occamnumber",
            "group",
            "omnimark",
            "paul terray",
            "mailto",
            "activate again",
            "catch clear",
            "close copy",
            "ocamltypeexpr",
            "ocamlallerrs",
            "jon parise",
            "ondirshell",
            "operator let",
            "objc type",
            "smes12",
            "qualifiers",
            "smes7",
            "smes19",
            "preparation",
            "protected",
            "structure hi",
            "openscad",
            "niklas adam",
            "luis moreno",
            "abort all",
            "alter and",
            "any as",
            "asc at",
            "oplstatement",
            "oplnumber",
            "open psion",
            "epoc16epoc32",
            "af09",
            "openvpn",
            "openvpnnumber",
            "openvpnsignal",
            "hupinttermuser",
            "containstop",
            "keepend",
            "eval",
            "menumode",
            "endurance",
            "blade",
            "illusion",
            "sneak",
            "onload",
            "disablemouse",
            "getclass",
            "notes todo",
            "containsallbut",
            "spells",
            "ronan pigott",
            "ronan",
            "alpm",
            "tcpip",
            "gclckprocs syn",
            "oracle config",
            "sandor kopanyi",
            "oraall",
            "protocol syn",
            "bequeath syn",
            "latest change",
            "haochen tong",
            "withconceal",
            "inlinecode",
            "super",
            "pappperl",
            "papphtml",
            "cdata",
            "perlinterpdq",
            "marc lehmann",
            "perlexpr",
            "config file",
            "lennart schultz",
            "string keywords",
            "protobuf text",
            "lakshay garg",
            "crgut",
            "tim chase",
            "austin",
            "pcctsinrule",
            "cpptoplevel",
            "pccts",
            "nextstep syn",
            "openbsd packet",
            "lauri tirkkonen",
            "sloadsanchor",
            "phtml",
            "perlinterpsq",
            "perlinterpmatch",
            "perlinterpslash",
            "perldata",
            "portb syn",
            "intcon syn",
            "gie eeie",
            "t0ie inte",
            "rbie t0if",
            "intf rbif",
            "microchip",
            "pdfxml",
            "nrtbf",
            "font",
            "palm os",
            "schau",
            "font id",
            "beware",
            "data syn",
            "postfix",
            "kelemen peter",
            "peter",
            "kelemen",
            "anton shestakov",
            "pikestmt",
            "pikebadgroup",
            "pike",
            "pine",
            "thu feb",
            "macro let",
            "httpviewer",
            "infopath",
            "longmanuallinks",
            "filter0xb7",
            "plaintexmath",
            "glue",
            "acute",
            "cdhoopstuvijll",
            "rrowvert",
            "skewsqrt",
            "mega",
            "phpinnerhtmltop",
            "phpclfunction",
            "phpcltop",
            "refer",
            "cphil",
            "number support",
            "c language",
            "does",
            "address and",
            "dword",
            "juerd",
            "plpperl",
            "plpend syn",
            "counter syn",
            "pl1commentgroup",
            "pl1parengroup",
            "declare dcl",
            "procedure proc",
            "loops",
            "podformat",
            "ibsclfx",
            "perl pod",
            "poe item",
            "show hide",
            "minimal",
            "address",
            "obsolete",
            "openclose",
            "bjoern jacke",
            "bjacke",
            "povray",
            "syntax syn",
            "off true",
            "false yes",
            "ppwizard",
            "dennis bareis",
            "ppwizargval",
            "constants",
            "plsqlparengroup",
            "oracle",
            "plsql",
            "klaus muth",
            "klaus",
            "altf amcr",
            "arc asfn",
            "astk barc",
            "blk box",
            "call syn",
            "cass cir",
            "melchior franz",
            "mfranz",
            "sonia heimann",
            "todo tbd",
            "privoxy",
            "prolog",
            "promela",
            "mon oct",
            "thu aug",
            "promela types",
            "class linking",
            "ps ll3",
            "dsc comment",
            "device gstate",
            "ps level",
            "postscrstring",
            "escaped",
            "matrix",
            "courier",
            "buffers",
            "redistributions",
            "this software",
            "including",
            "but not",
            "limited to",
            "pbcommentgrp",
            "google",
            "az09az",
            "posix",
            "rex barzee",
            "rexbarzee",
            "aclqrv",
            "a af",
            "ag ax",
            "e ef",
            "eg ex",
            "certain",
            "ps1comment",
            "purify header",
            "informational",
            "warning",
            "corrupting",
            "fatal",
            "haakon riiser",
            "hakonrk",
            "c syn",
            "pypa",
            "commands syn",
            "globs",
            "line break",
            "pyrex",
            "marco barisione",
            "python syntax",
            "olor",
            "chars",
            "progress",
            "ation",
            "progressdebug",
            "progressnumber",
            "edure",
            "progresstodo",
            "eter",
            "daniel",
            "sage",
            "widget",
            "rage",
            "python library",
            "reference",
            "quarto",
            "aquino",
            "vim runtime",
            "quickfix",
            "directory hi",
            "hee1",
            "lookdown lookup",
            "quakeoctalerror",
            "quake12command",
            "noprefix",
            "console",
            "onoff",
            "qb64",
            "z2z1",
            "qmlexpr",
            "radiance scene",
            "georg mischler",
            "radiance",
            "greg ward",
            "surface",
            "raccruby",
            "rule",
            "racc input",
            "dobie",
            "xdobie",
            "handling",
            "vector",
            "types syntax",
            "raml",
            "restful api",
            "hopkins",
            "rofi advanced",
            "pierguill",
            "common rc",
            "resource",
            "heiko erhardt",
            "language syn",
            "bitmap icon",
            "cursor cursor",
            "cmash",
            "ratpoison",
            "magnus woldrich",
            "djkea2",
            "bulls eye",
            "force control",
            "number syn",
            "rapid",
            "azazxc0xff",
            "azazxc0xff09",
            "rakuinterpqq",
            "rakuregexen",
            "rakuregexp5",
            "rcs log",
            "joe karthauser",
            "rcs file",
            "revision",
            "yyyy",
            "rebol",
            "yer todo",
            "words syn",
            "view",
            "view tabs",
            "spaces",
            "vicharsearch",
            "viprevword",
            "viendword",
            "visearchagain",
            "vinextword",
            "registry key",
            "registry export",
            "ulitin",
            "head",
            "regedit4",
            "win9",
            "bytes",
            "paths",
            "xxx bug",
            "davide alberani",
            "remind",
            "ben orchard",
            "rem omit",
            "mit license",
            "raimon49",
            "permission",
            "software is",
            "resolvipcluster",
            "ipv6 support",
            "09azaz",
            "radu dineiu",
            "hidesymbol",
            "r help",
            "r code",
            "epsilon",
            "kappa",
            "slabelsk",
            "over",
            "relax ng",
            "containsrnctodo",
            "rnoweb",
            "highlighting",
            "rnowebr",
            "ranke",
            "ferraz pereira",
            "rosa",
            "extension",
            "bytestream",
            "andrew bromage",
            "frameend",
            "worldbegin",
            "worldend",
            "attributebegin",
            "attributeend",
            "todo improve",
            "handles",
            "todo are",
            "redif",
            "axel castellane",
            "templatetype",
            "and add",
            "alex zvoleff",
            "configuration",
            "r syntax",
            "syntaxrpcgen",
            "mikrotik",
            "cidr notation",
            "cycle",
            "exit",
            "catch",
            "rpl2",
            "rmdlatex",
            "yaml header",
            "highlight code",
            "rmdr",
            "text format",
            "rich text",
            "control words",
            "new control",
            "rstcruft",
            "salt state",
            "jinja runtime",
            "star",
            "disallow syn",
            "disallow",
            "samba",
            "new maintainer",
            "ntlmv2 syn",
            "synfold",
            "rubymodifier",
            "sasbasicsyntax",
            "add syntax",
            "sasgraph",
            "yrdif yyq",
            "template",
            "mixin",
            "extend",
            "return",
            "steven dobay",
            "stevendobay",
            "sather",
            "science",
            "institute",
            "dede",
            "scilab",
            "benoit hamelin",
            "containedgroup",
            "preproc syn",
            "aclchg",
            "acldel",
            "aclgrp",
            "aclumask",
            "lockscreen",
            "zombie",
            "scss",
            "puria nafisi",
            "azizi",
            "always",
            "ip adresses",
            "verify",
            "synopsys design",
            "constraints",
            "tcl vim",
            "thu mar",
            "tcl syntax",
            "tcl extension",
            "xor syn",
            "task else",
            "nextstate syn",
            "in out",
            "with from",
            "ebcdic",
            "closedelay",
            "txtrigger",
            "spdnormal",
            "portd",
            "comment hilink",
            "sexplib",
            "atoms syn",
            "lists",
            "clst",
            "sgml charset",
            "capacity scope",
            "features",
            "baseset descset",
            "simple",
            "shfoldheredoc",
            "shfoldifdofor",
            "shlooplist",
            "shfunctionlist",
            "shidlist",
            "shecholist",
            "shcaselist",
            "shdblquotelist",
            "provides",
            "sgml specific",
            "space crlf",
            "dquote syn",
            "percent",
            "mp luacall",
            "alephversion",
            "uchar",
            "udelimiterunder",
            "umathchardef",
            "umathruleheight",
            "umathstackvgap",
            "umathxscale",
            "uoverwithdelims",
            "hai tp",
            "bestanden",
            "hanya dalam",
            "fiierele",
            "tp tin",
            "aemacron amstex",
            "aacute",
            "abrevehook",
            "afterpar",
            "agrave ahook",
            "amstex amacron",
            "atilde",
            "beforepar beta",
            "bigm",
            "delta",
            "oldstable",
            "experimental",
            "bullseye",
            "trixie",
            "forky",
            "focal",
            "jammy",
            "devel",
            "buzz",
            "maverick",
            "keyword syntax",
            "typescriptvalue",
            "title syntax",
            "typescripttype",
            "blabla",
            "sicad",
            "zbranyiczky",
            "irpt",
            "irptl",
            "mes1",
            "swift project",
            "simula",
            "simula syn",
            "keyword end",
            "when",
            "nagle",
            "main url",
            "comparison",
            "load sinda",
            "on si",
            "off eng",
            "sieve",
            "skill",
            "nsqn",
            "dirfile",
            "pnamestring",
            "pathversion",
            "schemeskill",
            "afterbefore",
            "tolist",
            "renderman",
            "dan piponi",
            "specialkey hi",
            "headers",
            "nontext hi",
            "jan hlavacek",
            "xuserblock",
            "for loop",
            "userblock",
            "null syn",
            "tracedrop",
            "daheartbeat",
            "slpregcomment",
            "spi file",
            "private public",
            "slrn score",
            "preben peppe",
            "guldberg",
            "age bytes",
            "syntaxsm",
            "smarty",
            "mon nov",
            "constant",
            "slice",
            "zeroc",
            "morel bodin",
            "smcl",
            "stata markup",
            "jeff pitblado",
            "jpitblado",
            "statasmcl",
            "directive",
            "smith",
            "smil",
            "herve foucher",
            "smil boston",
            "animation syn",
            "smlallerrs",
            "smlaenoparen",
            "fabrizio zeno",
            "cornelli",
            "zeno",
            "snns network",
            "snns http",
            "lln lun",
            "toff soff",
            "ctype syn",
            "snns",
            "maximum",
            "maximum output",
            "stringcomment",
            "initvalvalstr",
            "mono",
            "snobol4",
            "rafal sulejman",
            "site",
            "csnobol",
            "parens",
            "cothi",
            "afpnumkg",
            "spice circuit",
            "noam halevy",
            "insensitive syn",
            "spice",
            "splintallstuff",
            "splintannotelem",
            "ralf wildenhues",
            "splint home",
            "c code",
            "purpose",
            "buildinstall",
            "linux rpm",
            "freund",
            "ormeir",
            "wed oct",
            "spyce",
            "rimon barr",
            "rimon",
            "spupordinary",
            "input output",
            "spuptextproc",
            "type stream",
            "bugs",
            "execution",
            "snns result",
            "fishburn",
            "thu sep",
            "sqloracle",
            "buffer",
            "sqlforms",
            "austin ziegler",
            "prev change",
            "todo find",
            "xpos",
            "java syntax",
            "sqlj",
            "sap hana",
            "upper case",
            "upper",
            "schema syn",
            "user syn",
            "memory database",
            "sql syn",
            "spl syn",
            "comment syntax",
            "query language",
            "adaptive server",
            "anywhere",
            "xpscanf syn",
            "methods syn",
            "starea syn",
            "stcentroid syn",
            "stperimeter syn",
            "paul moore",
            "oracle nquote",
            "diffadd hi",
            "diffchange let",
            "section",
            "query report",
            "writer",
            "nathan stratton",
            "treadway",
            "jeff lanzarotta",
            "squid",
            "thanksto",
            "ilya sher",
            "iso8601",
            "subrip",
            "range syn",
            "ddd skipwhite",
            "bold",
            "sections syn",
            "override",
            "smalltalk",
            "arndt hesse",
            "hesse",
            "openssh client",
            "jakub jelen",
            "jakuje",
            "dominik fischer",
            "openssh server",
            "conditional",
            "repeats",
            "types",
            "globals",
            "statafuncgroup",
            "statamacrogroup",
            "stataparengroup",
            "rmcoll syn",
            "invftail",
            "invibeta",
            "haseprop",
            "mata",
            "structurizr dsl",
            "venthur",
            "hsiaoming yang",
            "lepture",
            "marc harter",
            "sudoersuser",
            "lazy",
            "generic",
            "swig",
            "julien marrec",
            "apache license",
            "runtime library",
            "vim maintainer",
            "emir sari",
            "nowarn",
            "i3confignumvar",
            "endze",
            "josef litos",
            "james eapen",
            "nargs syncolor",
            "nargs synlink",
            "syncolor type",
            "syncolor ignore",
            "syncolor added",
            "preproc synlink",
            "type synlink",
            "special synlink",
            "budden",
            "ingo karkat",
            "myk taylor",
            "install syntax",
            "syntax au",
            "systemverilog",
            "verilog syntax",
            "tads",
            "amir karger",
            "karger",
            "history info",
            "syntaxtags",
            "tak2",
            "tak3",
            "tak2000",
            "tak compare",
            "tak output",
            "load tak",
            "tar listing",
            "type let",
            "john florian",
            "wed jul",
            "key names",
            "values",
            "characters",
            "uuids syn",
            "rufus cable",
            "verbose tap",
            "rufus",
            "tap output",
            "pass",
            "foolman",
            "cmovsetj",
            "borland",
            "united force",
            "vector graphics",
            "verbose",
            "known template",
            "xfire user",
            "tcshvarlist",
            "tcsh",
            "gautam iyer",
            "ttlconstant",
            "term language",
            "tera term",
            "kcpy kcrt",
            "eenlrtbfs",
            "xhp xhpa",
            "xt xenl",
            "msgr",
            "tclspecialc",
            "tcltk",
            "taylor venable",
            "taylor",
            "system",
            "geometry",
            "tss syn",
            "typescript",
            "kao weiko",
            "jose elera",
            "campana",
            "zhao yi",
            "scott shattuck",
            "irc channel",
            "freenode",
            "vim filetype",
            "andy lester",
            "tt2topcluster",
            "typescriptreact",
            "react",
            "strpart",
            "include perl",
            "rawperl",
            "moriki",
            "atsushi",
            "ucnumber",
            "unrealscript",
            "openwrt unified",
            "colin caine",
            "fancy",
            "normal let",
            "typstcode",
            "matchgroupnoise",
            "noise highlight",
            "hashtag",
            "typstmarkup",
            "noise",
            "motif uil",
            "user interface",
            "thomas koehler",
            "september",
            "import hi",
            "anton",
            "prunefs",
            "prunenames",
            "prunepaths",
            "prunebindmounts",
            "upstart",
            "upstart job",
            "michael biebl",
            "biebl",
            "james hunt",
            "archivebit syn",
            "datelimit syn",
            "daysold syn",
            "deleted syn",
            "destination syn",
            "dirsonly syn",
            "drivealias syn",
            "filedate syn",
            "filedelete syn",
            "files syn",
            "msid",
            "innovation data",
            "rob owens",
            "ull ulls",
            "msg types",
            "ip address",
            "agtpcsrv",
            "profile",
            "version date",
            "ms windows",
            "action devpath",
            "valgrind memory",
            "debugger output",
            "roger luethi",
            "program url",
            "christoph gysin",
            "valve data",
            "tag syn",
            "wend",
            "prather",
            "pratam",
            "minor",
            "iskeyword",
            "xnor xor",
            "veraparengroup",
            "veralabelgroup",
            "vhdl",
            "linting",
            "vhsic",
            "high speed",
            "new style",
            "verilog",
            "mun johl",
            "485763",
            "vos cm",
            "andrew mcgill",
            "az syn",
            "bwlfdgh",
            "fdgh",
            "bwlqofdgh",
            "psect",
            "virata aconfig",
            "virata",
            "viratahexnumber",
            "execoptions",
            "ewind",
            "uffer",
            "malt",
            "wind",
            "vrmlevents",
            "vrmlfields",
            "vrmlcomment",
            "vrmlprotos",
            "vrmlnodes start",
            "externproto",
            "proto",
            "vgrindefs",
            "vgrindefs file",
            "profilesetzss",
            "java source",
            "parmp",
            "novimmain",
            "extern",
            "mswin",
            "featguimswin",
            "vimdll",
            "editnone",
            "level",
            "heading level",
            "vimtestsetup",
            "noop",
            "java language",
            "nontext",
            "returns",
            "chapter",
            "annotations",
            "labels",
            "text text",
            "tag head",
            "void",
            "htmlsnippets",
            "object",
            "object apply",
            "object bb",
            "no operation",
            "u003b",
            "n value",
            "pair",
            "long",
            "generics",
            "predicate",
            "vimtestsetup hi",
            "error import",
            "nontext class",
            "see jls",
            "declaration",
            "taggable",
            "binaryoperator",
            "i1 x",
            "i1 y",
            "string str",
            "taggable i1",
            "letters",
            "letters alpha",
            "letters beta",
            "tag tail",
            "use identity",
            "supplier",
            "tests",
            "identity",
            "comparable",
            "intfunction",
            "a dummy",
            "tggabl",
            "string s",
            "string tostring",
            "do not",
            "this file",
            "indent4",
            "indent2",
            "indent8",
            "tggabls",
            "fields",
            "classlock",
            "defines demo",
            "testable",
            "serviceloader",
            "malformed",
            "woof",
            "string s1",
            "string s2",
            "browns",
            "jumpss",
            "string s4",
            "string s6",
            "string apply",
            "string bay",
            "as quick",
            "woofs",
            "beta",
            "yieldable",
            "t yield",
            "other",
            "colon",
            "arrow",
            "unfoldenable",
            "italic",
            "strikethrough",
            "bold italic",
            "foobar",
            "modula2 pim",
            "test file",
            "colouring",
            "is licensed",
            "under the",
            "from system",
            "modula2 iso",
            "retain",
            "to do",
            "modula2 r10",
            "unsafe",
            "cardinal",
            "var abc",
            "variableb",
            "variablec",
            "var3",
            "var4",
            "var5",
            "var6",
            "variablea",
            "variabled",
            "variablee",
            "variable3",
            "varb",
            "variable1",
            "variable2",
            "varc",
            "vard",
            "variable4",
            "function1",
            "function4",
            "function2",
            "function3",
            "eq ne",
            "gt ge",
            "le lt",
            "ne gt",
            "ge le",
            "variableathis",
            "valsubfunc",
            "below",
            "reply",
            "issue",
            "cfoo",
            "ifoo",
            "interrupt",
            "ctrlc",
            "e123 catch",
            "varvalue",
            "cdpath",
            "backuptype",
            "defaultdevice",
            "executefbackup",
            "shall",
            "please wait",
            "buffer foo",
            "nargs range",
            "completer1 foo",
            "completer2 foo",
            "foo2",
            "bang",
            "nargs foo",
            "foo delcommand",
            "multiline",
            "commenttitle",
            "end augroup",
            "autocmd",
            "fixme call",
            "matched",
            "start not",
            "end not",
            "end call",
            "xterm call",
            "givename",
            "vim9",
            "test const",
            "foo def",
            "ex command",
            "dict",
            "end endfunction",
            "end enddef",
            "answer",
            "warningmsg",
            "endwhile",
            "dotest3",
            "dotest4",
            "dotest5",
            "dotest6",
            "test1",
            "test2",
            "test3",
            "test4",
            "test5",
            "funa",
            "dofuna",
            "funb",
            "dofunb",
            "func",
            "dofunc",
            "fund",
            "dofund",
            "foo delfunction",
            "foo function",
            "foo comment",
            "foo none",
            "guifg",
            "comment none",
            "ctermfgcyan",
            "end end",
            "end let",
            "end line",
            "end line1",
            "a basic",
            "rhs map",
            "foo bar",
            "fubar",
            "needle",
            "foogroup foo",
            "foogroup",
            "homeinclude",
            "defabc",
            "snomagicfoobar",
            "smagicfoobar",
            "special",
            "line comment",
            "b special",
            "char0x0044",
            "testcluster",
            "cchar",
            "keywords list",
            "vim line",
            "element",
            "x1f xf",
            "31 3",
            "u02a4 u000002a4",
            "string escape",
            "hexadecimal",
            "0xff echo",
            "decimal",
            "octal echo",
            "0377 echo",
            "vim shebang",
            "instance",
            "pairclasstest",
            "vim keymap",
            "end const",
            "expr",
            "foo unlet",
            "vim comment",
            "vim9 ex",
            "end foo",
            "xterm foo",
            "eof foo",
            "vim9script",
            "s vim9script",
            "12345",
            "0b10101010",
            "192939",
            "0777",
            "0o777",
            "0xabcdef00",
            "0x12345678",
            "runtest",
            "rticle",
            "syntax test",
            "file 0",
            "dougkearns",
            "2024 jun",
            "13 0",
            "test failures",
            "when comparing",
            "italicized text",
            "eading level",
            "igure",
            "eader",
            "frame",
            "diomatic text",
            "nput",
            "utput",
            "icture",
            "rogres",
            "cript",
            "earch",
            "ection",
            "elect",
            "reformat",
            "failure 0",
            "egend",
            "oscript",
            "bject",
            "ptgroup",
            "ption",
            "trong",
            "tyle",
            "able",
            "emplate",
            "extarea",
            "itle",
            "ource",
            "olgroup",
            "atalist",
            "etails",
            "ialog",
            "ieldset",
            "igcaption",
            "eleted text",
            "mphasis",
            "mbed",
            "side",
            "udio",
            "lockquote",
            "anvas",
            "aption",
            "ring at",
            "ideo",
            "cronym",
            "rame",
            "rameset",
            "arque",
            "enuitem",
            "rack",
            "narticulated an",
            "oframes",
            "trike",
            "ortal",
            "aram",
            "trikethrough",
            "highlighted",
            "elements have",
            "never be",
            "mage",
            "interface 0",
            "efault 0",
            "mport 0",
            "redundant",
            "tail",
            "alue",
            "nterface 0",
            "primer",
            "label 0",
            "tatic 0",
            "oid 0",
            "edundant",
            "identity cast",
            "expres",
            "to nest",
            "typeuse an",
            "htmlcom",
            "here is",
            "snip",
            "tmlsnip",
            "egion 0",
            "literal",
            "html com",
            "no entry",
            "point method",
            "code main",
            "return 0",
            "code nul",
            "eturn 0",
            "noop1",
            "may be",
            "used after",
            "noop2",
            "literalu0",
            "is proces",
            "return 8",
            "noop5",
            "nbsp",
            "noop6",
            "noop7",
            "link j0",
            "javaignorej0",
            "vimtestsetup s0",
            "fen 0",
            "nt 0",
            "majorversion",
            "empty string",
            "rotected 0",
            "compares this",
            "instance with",
            "the pas",
            "code that",
            "no period",
            "for the",
            "above sum",
            "rivate 0",
            "htmlsnip",
            "return an",
            "link m0",
            "execute",
            "match visual",
            "fen c0",
            "ref0",
            "literals",
            "clas",
            "tostring",
            "start 0",
            "ostring 0",
            "replace 0",
            "ubstring 0",
            "noop8",
            "noop9",
            "markdowncom",
            "arkdownsnip",
            "markdown com",
            "code public",
            "the method",
            "must be",
            "declared",
            "code 0",
            "the major",
            "java version",
            "used with",
            "inal 0",
            "markdownsnip",
            "blanks and",
            "re 0",
            "static void",
            "param a0",
            "rgs 0",
            "optional c0",
            "arguments 0",
            "invoke",
            "nontext 0",
            "hrow 0",
            "ew 0",
            "object module",
            "object open",
            "exports opens",
            "requires",
            "bject 0",
            "eplacement 0",
            "ar 0",
            "opens",
            "object opens",
            "object provides",
            "object requires",
            "object to",
            "uses",
            "xtends 0",
            "mplements 0",
            "ealed 0",
            "ermits 0",
            "bstract 0",
            "c1 i0",
            "noop3",
            "noop4",
            "a sum",
            "foldingtests",
            "static",
            "object b",
            "escapestests",
            "static final",
            "string hel",
            "har 0",
            "0ffffff0",
            "1200",
            "1210",
            "1230",
            "1240",
            "1250",
            "1260",
            "1270",
            "1300",
            "1310",
            "2040",
            "3240",
            "0100",
            "0120",
            "0130",
            "0140",
            "0150",
            "0160",
            "0170",
            "0200",
            "0210",
            "0230",
            "biginteger",
            "t1 x",
            "uper 0",
            "e element",
            "radix",
            "ecord 0",
            "tatic",
            "t dum",
            "isempty",
            "ublic 0",
            "ase 0",
            "ong 0",
            "witch 0",
            "genericstests",
            "todo 0",
            "3400",
            "3410",
            "3420",
            "3430",
            "3450",
            "3460",
            "3470",
            "3500",
            "3510",
            "3520",
            "sempty",
            "opal",
            "opsome",
            "ushal",
            "ushsome",
            "adix",
            "romdecimal",
            "lambdaexpres",
            "leftconst07",
            "leftconst08",
            "leftconst09",
            "i1 0",
            "leftconst10",
            "leftconst1",
            "leftconst01",
            "leftconst02",
            "leftconst03",
            "leftconst04",
            "leftconst05",
            "leftconst06",
            "leftconst",
            "const1",
            "const2",
            "witch",
            "hen 0",
            "alpha w0",
            "beta w0",
            "equals",
            "leftconst12",
            "typearguments",
            "identifier 0",
            "nteger",
            "ashcode",
            "omparable",
            "ry 0",
            "atch 0",
            "unction",
            "tring",
            "length",
            "ntfunction",
            "intsup",
            "clone",
            "naryoperator",
            "alueof",
            "quals",
            "redicate",
            "equalist",
            "gymnastics for",
            "ipredicate",
            "superequalist",
            "ethodhandle",
            "invokepredicate",
            "methodhandle mh",
            "throwable th",
            "a dum",
            "b dum",
            "t extends",
            "stringer",
            "ostring",
            "ntvalue",
            "onsumer",
            "println",
            "uperequalist",
            "nvokepredicate",
            "ethodhandle mh",
            "remember",
            "num 0",
            "asci",
            "stylable",
            "t e0",
            "tringer",
            "ative 0",
            "ynchronized 0",
            "trictfp 0",
            "thread",
            "qualist",
            "ransient 0",
            "methodstests",
            "string t0",
            "la s",
            "string name",
            "equires 0",
            "odule 0",
            "this module",
            "to the",
            "sample project",
            "published at",
            "mport m0",
            "related sup",
            "ransitive 0",
            "xports 0",
            "pens 0",
            "jdk 23",
            "ses 0",
            "rovides 0",
            "ith 0",
            "doautocmd",
            "syntax 0",
            "0xp0",
            "ouble 0",
            "minusoned",
            "xap1",
            "doto",
            "numberstests",
            "ouble",
            "loat 0",
            "maxdecf",
            "maxhexf",
            "mindecf",
            "minhexfa",
            "minhexfb",
            "maxdecd",
            "maxhexd",
            "minhex",
            "minoct",
            "minbin",
            "minusonehex",
            "minusoneoct",
            "minusonebin",
            "maxhexl",
            "maxoctl",
            "minusonehexl",
            "minusoneoctl",
            "minusonebinl",
            "jdk 21",
            "object o",
            "rue 0",
            "alse 0",
            "stringtests",
            "a quick",
            "brown fox",
            "jumps over",
            "the lazy",
            "there are",
            "lf after",
            "jumps0",
            "ver the0",
            "a nested",
            "string ap",
            "brown",
            "jumps",
            "over the",
            "nested com",
            "switchtests",
            "ield",
            "a or",
            "ield 0",
            "yte 0",
            "1let",
            "hort",
            "hort 0",
            "nofoldenable 0",
            "0000 0",
            "unfoldingtests",
            "reak 0",
            "old italic",
            "s1024",
            "talic",
            "inheritdoc",
            "object ap",
            "hile 0",
            "for vim",
            "file is",
            "licensed under",
            "the vim",
            "license 0",
            "efinition 0",
            "rom 0",
            "predefined",
            "ype 0",
            "ointer 0",
            "il 0",
            "nter",
            "ninter",
            "octal",
            "pragmas",
            "with emphasis",
            "opyright 0",
            "uthor 0",
            "fred flintstone",
            "icense 0",
            "baz bam",
            "ispose 0",
            "oc 0",
            "ord 0",
            "dr 0",
            "ast 0",
            "size 0",
            "rocedure 0",
            "egin 0",
            "nd 0",
            "ixme 0",
            "eprecated 0",
            "procedures",
            "ewfo",
            "nteger 0",
            "disabled",
            "hile fo",
            "do 0",
            "while",
            "synonyms",
            "itset 0",
            "roc 0",
            "roces",
            "ewproces",
            "ransfer 0",
            "ystem 0",
            "ongcard 0",
            "bozo bim",
            "dada jingle",
            "etbar",
            "lias 0",
            "defined pragmas",
            "numeric",
            "xcafed0",
            "inline",
            "noinline",
            "implementation",
            "cho 0",
            "this for",
            "done",
            "is a",
            "very handy",
            "solution and",
            "no real",
            "replacement",
            "available",
            "unction1",
            "a text",
            "shel",
            "his is",
            "home 0",
            "ariable10",
            "this is",
            "with a",
            "nset 0",
            "962 0",
            "f true",
            "unab",
            "abclear 0",
            "bclear 0",
            "java module",
            "changefilename",
            "restorefilename",
            "todo highlight",
            "author",
            "antonio colombo",
            "delete",
            "processing",
            "hebrew",
            "complete",
            "separate",
            "usercomplete",
            "matchitem",
            "cargo",
            "utility call",
            "trim trailing",
            "nvim",
            "linenr",
            "newcolumn",
            "columnnr",
            "wordregex",
            "gnat",
            "atomic",
            "timeslice",
            "structmembers",
            "nextitem",
            "col2",
            "typename",
            "typeref",
            "mpkeywords",
            "ctxkeywords",
            "binarysearch",
            "contextcmd",
            "omnisyntaxlist",
            "vim completion",
            "alex vear",
            "sung pae",
            "clojure version",
            "emptynode",
            "unitname",
            "setsession",
            "dec ada",
            "switchsession",
            "zat line",
            "vim adadec",
            "synidattr",
            "strridx",
            "auto",
            "nfz62010",
            "mdn css",
            "mask",
            "mnem",
            "setprojectfile",
            "pretty",
            "project file",
            "bufreadpost",
            "vim autoload",
            "decho",
            "dret",
            "getonescript",
            "e486",
            "dredir",
            "buffer test",
            "beginning",
            "prevnonblank",
            "getline",
            "xhtml",
            "dot pl",
            "doctype",
            "completetags",
            "harepath",
            "finddir",
            "attempt",
            "hare module",
            "java",
            "strive to",
            "for at",
            "least vim",
            "e121",
            "dialect",
            "setdialect",
            "hide",
            "bruno sutic",
            "blur",
            "accesskey",
            "onblur",
            "onfocus",
            "select",
            "tosource",
            "anchor",
            "cookie",
            "iframe",
            "checkbox",
            "codebase",
            "infinity",
            "foreign",
            "dorec",
            "lexer",
            "panic",
            "netrw",
            "charles e",
            "win9x",
            "dfunc",
            "systemroot",
            "nfhhtml",
            "nfhhtm",
            "nfhjpg",
            "toolbar menu",
            "synstack",
            "indent",
            "quote handling",
            "extraoemake",
            "hostcc",
            "buildcc",
            "buildcflags",
            "buildldflags",
            "freebasic",
            "precedence",
            "searchbracket",
            "plnum",
            "shiftwidth",
            "extrafunc",
            "python task",
            "parlnum",
            "commenttodo",
            "omni completion",
            "xml directory",
            "scope",
            "abbr",
            "fixed",
            "findmatch",
            "matchmax",
            "findbracket",
            "lispword",
            "isforfold",
            "inherestring",
            "nulldict",
            "column",
            "rstfoldcache",
            "cacherstfold",
            "rstfold",
            "antony lee",
            "helper",
            "getcurpos",
            "endfunction",
            "getpos",
            "shelltokenize",
            "withpath",
            "fnamemodify",
            "jump",
            "warningmsg echo",
            "emit",
            "play",
            "defpython",
            "rustfmtcommand",
            "runrustfmt",
            "detectversion",
            "split",
            "getconfigvar",
            "stephen sugden",
            "stephen",
            "save rustfmt",
            "vrustfmt",
            "nread",
            "loadfile",
            "getdirchoices",
            "yesn",
            "winbufnr",
            "vimspell",
            "bufwinnr",
            "index",
            "sqlcwarningmsg",
            "sqlcgetcolumns",
            "sqlcerrormsg",
            "compltype",
            "omni",
            "allow user",
            "synlist",
            "problem",
            "snum",
            "lnum",
            "isinclassdef",
            "isposinclassdef",
            "getrubyvartype",
            "getoption",
            "tohtml",
            "diff2html",
            "jumptoline",
            "mime charset",
            "latin1",
            "typst",
            "echoerr",
            "echomsg",
            "typeset",
            "echowarn",
            "getrunningjobs",
            "tex root",
            "addjob",
            "removejob",
            "showmesg",
            "chgdir",
            "vimball",
            "decompress",
            "vimballhome",
            "mkvimball",
            "restoresettings",
            "mkdir",
            "item",
            "emptystackp",
            "getlastopentag",
            "vimxmlattrinfo",
            "vimxmltaginfo",
            "tagstack",
            "istag",
            "endtag",
            "decreaseindent",
            "textwidth",
            "emptytag",
            "starttag",
            "browse",
            "setsaneopts",
            "restoreopts",
            "extract",
            "adacore",
            "cmdpre",
            "makeprg",
            "cargo file",
            "cmdpost",
            "basefont",
            "samp",
            "cite",
            "applet",
            "input",
            "middle",
            "acronym",
            "button",
            "gamma",
            "theta",
            "omega",
            "apos",
            "cong",
            "legend",
            "annotation",
            "attributegroup",
            "choice",
            "selector",
            "field",
            "choose",
            "foreach",
            "sort",
            "param",
            "stripspace",
            "all rights",
            "apple system",
            "tmpdir",
            "containerdir",
            "supportawdd",
            "supportbtserver",
            "apple",
            "rights",
            "file system",
            "fontd",
            "bookmark",
            "securityscope",
            "directory",
            "utility",
            "regularfile",
            "packagekit",
            "darwincachedir",
            "store database",
            "allow",
            "security",
            "reboot",
            "os x",
            "homedir",
            "realhomedir",
            "usersbasedir",
            "usercachedir",
            "audio",
            "callkit",
            "datacloudkit",
            "workaround",
            "rdar",
            "ckassets",
            "mmcs",
            "anyuuid",
            "caches",
            "allow fsctl",
            "fontvalidator",
            "frameworks",
            "coreservices",
            "carbon",
            "lsarpc",
            "dssetup sandbox",
            "squash",
            "readonly",
            "deny write",
            "issue sandbox",
            "network stack",
            "services lookup",
            "readwrite file",
            "system keychain",
            "wkssvc sandbox",
            "brlm",
            "byte range",
            "lock manager",
            "allow smbd",
            "allow wsp",
            "allow launchd",
            "netfsserver",
            "allow file",
            "sandbox profile",
            "ipv4",
            "ipv6",
            "netcore",
            "afsystem",
            "sysprotocontrol",
            "edge cache",
            "video",
            "allow access",
            "sandbox",
            "pkrecipt",
            "cachedir",
            "cmds",
            "applesmcclient",
            "smt isolation",
            "verw",
            "tempdir",
            "byhost",
            "sigkill",
            "sysmacsyscall",
            "sysaccess",
            "sysclose",
            "syscsrctl",
            "sysfchmod",
            "sysfsetxattr",
            "sysfsgetpath",
            "sysfstat64",
            "sysfstatat64",
            "darwintempdir",
            "reserve",
            "parampath",
            "mailv2",
            "mail importer",
            "allow mail",
            "library",
            "appcontainer",
            "document being",
            "quick look",
            "manage",
            "carbon noise",
            "make sure",
            "opengl",
            "plugin",
            "movie",
            "safari",
            "unix domain",
            "uuid cache",
            "redistribution",
            "is provided",
            "direct",
            "cfnetwork",
            "satellite",
            "files access",
            "daemon",
            "webdav file",
            "sharing",
            "sysgethostuuid",
            "gr ucs",
            "freebsd",
            "netbsd",
            "ucs gb2312",
            "cp932vdc",
            "ucs cp932vdc",
            "gb2312",
            "gbk ucs",
            "gb18030 ucs",
            "gb18030",
            "cpucs",
            "grucs",
            "appleucs",
            "gr mapperzone",
            "iso8859ucs",
            "big5ucs",
            "jisucs",
            "cnsucs",
            "appleinternal",
            "applications",
            "volumes",
            "gregory mcgarry",
            "coff dsp21k",
            "risc os",
            "programmer",
            "appendix e",
            "packdir",
            "git pack",
            "acorn",
            "chunk file",
            "from risc",
            "os programmer",
            "corrupted",
            "infocom",
            "david griffith",
            "glulx",
            "text adventure",
            "game",
            "adventure game",
            "allen garvin",
            "dave chapeskie",
            "aes crypt",
            "encrypted data",
            "joerg jenderek",
            "createdby",
            "createdby b",
            "windows gui",
            "alliant",
            "alliant fx",
            "fx series",
            "allegro",
            "toby deshane",
            "algol",
            "4 string",
            "bmode",
            "proc",
            "defmens vendors",
            "procedure b",
            "bref",
            "bflex",
            "bsdos",
            "bsdi",
            "unix32v",
            "sunos",
            "again",
            "hive rc",
            "sequence",
            "avro",
            "parquet",
            "apache hadoop",
            "apache big",
            "obj apache",
            "orc apache",
            "par1 apache",
            "pitentry",
            "android vdex",
            "android backup",
            "0 dalvik",
            "android bootimg",
            "password salt",
            "hidden",
            "loki",
            "apl workspace",
            "module sound",
            "density",
            "amigaos",
            "postma",
            "soundmon module",
            "trid",
            "amiga disk",
            "dos disk",
            "application",
            "mpeg v4",
            "dmb maf",
            "ycbcr",
            "cmaf media",
            "monaural",
            "heif image",
            "apple quicktime",
            "mike",
            "codec",
            "live",
            "applixware",
            "peter soos",
            "words words",
            "raster bitmap",
            "macro macro",
            "builder builder",
            "mac os",
            "ii image",
            "disk image",
            "blocks",
            "apple dos",
            "appleworks word",
            "spreadsheet",
            "sweet",
            "bernie",
            "rescue",
            "corrupt",
            "bobo",
            "amanda",
            "tapestart date",
            "file dump",
            "arm coff",
            "aarch64",
            "arm thumb",
            "armv7 thumb",
            "apt cache",
            "second",
            "bits per",
            "image width",
            "per meter",
            "asfdataobject",
            "time offset",
            "data length",
            "colors",
            "040t",
            "asterx",
            "guy harris",
            "word words",
            "grap graphic",
            "macr macro",
            "asterx version",
            "words document",
            "graphic",
            "coff",
            "we32000 coff",
            "mau hardware",
            "sccs",
            "we32k",
            "bbxpro5files",
            "oliver dammer",
            "dammer",
            "beetle vm",
            "beetle",
            "cable",
            "box router",
            "fritz",
            "box fritz",
            "password b",
            "oem b",
            "language b",
            "thu jun",
            "x tap",
            "sender",
            "x5fx81x44",
            "batch",
            "notification",
            "georg sauthoff",
            "gsma",
            "gsm association",
            "cdrs",
            "bflt",
            "philippe de",
            "muyter",
            "blockhashloc",
            "marco pontello",
            "sam alignment",
            "bgzf",
            "samtools",
            "binary call",
            "binary sequence",
            "fasta",
            "iupac",
            "blocked gnu",
            "patchmaster",
            "binary format",
            "alois schloegl",
            "medica soft",
            "axgr biosigaxg",
            "biosigaxg",
            "ircam file",
            "adpcm",
            "david korth",
            "song",
            "atari st",
            "ache",
            "david",
            "bonk",
            "insane",
            "pokey",
            "otto",
            "zbot",
            "blcr",
            "uncomment",
            "vma06",
            "kernel",
            "berkeley lab",
            "c000r000 blcr",
            "sparc",
            "armeb",
            "sparc64",
            "blender",
            "native format",
            "glob chunk",
            "blender3d",
            "scripts",
            "bpy blender3d",
            "bpython script",
            "blackberry file",
            "blackberry rim",
            "etp file",
            "0x10",
            "greg roelofs",
            "gnu tar",
            "ascii null",
            "compress",
            "0x04",
            "openoffice",
            "freeze",
            "archiver",
            "designer",
            "spark",
            "hpack",
            "oblivion",
            "zpack",
            "blink",
            "npack",
            "xpack",
            "blit mpxmux",
            "blit",
            "vaxorder",
            "blit stuff",
            "ttcomp",
            "ttcomp archive",
            "need",
            "we32 dmd",
            "birtual machine",
            "oses",
            "sparc demand",
            "4096",
            "sparc pure",
            "chiasmus",
            "federal",
            "office",
            "bundesamt",
            "sicherheit",
            "xia1r chiasmus",
            "xis chiasmus",
            "btsnoop",
            "hci uart",
            "hci bcsp",
            "hci serial",
            "mikhail gusarov",
            "dottedmag",
            "nekovm",
            "neko nekovm",
            "resilient logic",
            "guile file",
            "goof",
            "le b",
            "be b",
            "cbor",
            "concise binary",
            "raw tape",
            "cbm basic",
            "dirk jagdmann",
            "d64 image",
            "d71 image",
            "d81 image",
            "c64 emultar",
            "cartridge image",
            "c source",
            "bcpl source",
            "bcpl",
            "libhdr",
            "java se",
            "java bytecode",
            "macho",
            "java class",
            "cpu type",
            "cafe babes",
            "java start",
            "x version",
            "tablature file",
            "chord music",
            "file format",
            "chord text",
            "powertab",
            "jelmer vernooij",
            "jelmer",
            "powertab v3",
            "runect citrus",
            "lcctype",
            "ctrsme citrus",
            "ctrsmo citrus",
            "lcmonetary",
            "ctrsnu citrus",
            "lcnumeric",
            "ctrsti citrus",
            "lctime",
            "cddb",
            "cd player",
            "developer",
            "julien blache",
            "database",
            "keyindex",
            "help",
            "systems",
            "microcode",
            "netbsdalpha",
            "ios microcode",
            "kompas",
            "vrml",
            "xml document",
            "reserved",
            "applicationtype",
            "autocad dwg",
            "schema",
            "scanline",
            "alliance",
            "claris",
            "claris clip",
            "377377377377001",
            "claris works",
            "c1 r1",
            "c2 r1",
            "c3 r1",
            "intergraph",
            "clipper coff",
            "fairchild",
            "clipper use",
            "hitachi sh",
            "common object",
            "coff intel",
            "intel",
            "files format",
            "djgpp",
            "clojure script",
            "clojure",
            "jason felice",
            "clojure module",
            "convex",
            "convex soff",
            "convex storage",
            "convexes",
            "added",
            "core file",
            "third",
            "idc file",
            "suiteid",
            "chart",
            "debacle",
            "ttcn",
            "tree",
            "notation",
            "suite ttcn",
            "abstract test",
            "suite",
            "boseos",
            "snmperrnoerror",
            "commitrow",
            "readcreate",
            "retlen",
            "writecreate",
            "mydata",
            "putindexdata",
            "snmpsetvarvalue",
            "checkfnslocal",
            "not be",
            "note note",
            "decides",
            "snmp error",
            "requestvb",
            "asnoctetstr",
            "asnobjectid",
            "logerr",
            "undoinfo",
            "rcsfile",
            "end code",
            "debugmsgtl",
            "initialize",
            "allowcreation",
            "adding",
            "oidlength",
            "handler",
            "snmperrgenerr",
            "colnum",
            "break",
            "current",
            "snmp",
            "dodescr",
            "nodeinfo",
            "calldefine",
            "doformatedtext",
            "startperl",
            "perleval",
            "mib type",
            "oids",
            "const",
            "register",
            "asn type",
            "rorw status",
            "generating code",
            "mib tree",
            "netsnmp style",
            "getnext",
            "mib table",
            "tabledata",
            "container",
            "mibs",
            "print",
            "please specify",
            "send",
            "memcpy",
            "rscreateandgo",
            "writemethod",
            "findvarmethod",
            "variablesoid",
            "substr",
            "varlen",
            "sprintmaxlen",
            "datacontext",
            "mode",
            "freeundoinfo",
            "reallyreally",
            "initializingn",
            "handlercanronly",
            "netsnmp",
            "emitindexvars",
            "enddefine",
            "emitgetargs",
            "emitloaddata",
            "emitindexinfo",
            "output skeleton",
            "loader",
            "Aishah Siti Lazim",
            "194 Green Street"
          ],
          "references": [
            "vimrc",
            "bugreport.vim",
            "evim.vim",
            "delmenu.vim",
            "defaults.vim",
            "ftplugof.vim",
            "ftoff.vim",
            "gvim.desktop",
            "ftplugin.vim",
            "gvimrc_example.vim",
            "indent.vim",
            "indoff.vim",
            "mswin.vim",
            "scripts.vim",
            "optwin.vim",
            "vim.desktop",
            "menu.vim",
            "vimrc_example.vim",
            "synmenu.vim",
            "filetype.vim",
            "Make_mvc.mak",
            "Make_all.mak",
            "README.ru.utf-8.txt",
            "README.txt",
            "tutor",
            "tutor.bar.utf-8",
            "tutor.ca.utf-8",
            "tutor.bg.utf-8",
            "tutor.cs.utf-8",
            "tutor.da.utf-8",
            "tutor.de.utf-8",
            "tutor.el.utf-8",
            "tutor.eo.utf-8",
            "tutor.es.utf-8",
            "tutor.fr.utf-8",
            "tutor.hr.utf-8",
            "tutor.ja.utf-8",
            "tutor.hu.utf-8",
            "tutor.it.utf-8",
            "tutor.ko",
            "tutor.ko.utf-8",
            "tutor.lt.utf-8",
            "tutor.lv.utf-8",
            "tutor.nb.utf-8",
            "tutor.nl.utf-8",
            "tutor.no.utf-8",
            "tutor.pt.utf-8",
            "tutor.pl.utf-8",
            "tutor.ru.utf-8",
            "tutor.tr.utf-8",
            "tutor.sr.utf-8",
            "tutor.sv.utf-8",
            "tutor.sk.utf-8",
            "tutor.vim",
            "tutor.zh_cn.utf-8",
            "tutor.utf-8",
            "tutor.vi.utf-8",
            "tutor.uk.utf-8",
            "tutor.zh_tw.utf-8",
            "tutor.zh.utf-8",
            "vimspell.txt",
            "xcmdsrv_client.c",
            "ref",
            "vim132",
            "vimm",
            "vim_vs_net.cmd",
            "shtags.1",
            "unicode.vim",
            "shtags.pl",
            "ccfilter_README.txt",
            "blink.c",
            "efm_filter.txt",
            "demoserver.py",
            "ccfilter.c",
            "efm_filter.pl",
            "ccfilter.1",
            "efm_perl.pl",
            "pltags.pl",
            "mve.txt",
            "emoji_list.vim",
            "mve.awk",
            "a65.vim",
            "aap.vim",
            "abap.vim",
            "abc.vim",
            "abel.vim",
            "abaqus.vim",
            "acedb.vim",
            "a2ps.vim",
            "ada.vim",
            "ahdl.vim",
            "8th.vim",
            "aflex.vim",
            "aidl.vim",
            "2html.vim",
            "alsaconf.vim",
            "amiga.vim",
            "ampl.vim",
            "antlr4.vim",
            "apachestyle.vim",
            "apache.vim",
            "antlr.vim",
            "ant.vim",
            "aml.vim",
            "arch.vim",
            "aptconf.vim",
            "arduino.vim",
            "art.vim",
            "asm.vim",
            "asciidoc.vim",
            "asn.vim",
            "aspperl.vim",
            "asm68k.vim",
            "aspvbs.vim",
            "asteriskvm.vim",
            "atlas.vim",
            "asy.vim",
            "autodoc.vim",
            "autohotkey.vim",
            "autoit.vim",
            "automake.vim",
            "ave.vim",
            "asmh8300.vim",
            "avra.vim",
            "awk.vim",
            "astro.vim",
            "ayacc.vim",
            "asterisk.vim",
            "bash.vim",
            "b.vim",
            "bdf.vim",
            "bib.vim",
            "basic.vim",
            "bindzone.vim",
            "bc.vim",
            "blank.vim",
            "bitbake.vim",
            "bsdl.vim",
            "bst.vim",
            "bzl.vim",
            "btm.vim",
            "bzr.vim",
            "baan.vim",
            "cabal.vim",
            "cabalconfig.vim",
            "cabalproject.vim",
            "c.vim",
            "catalog.vim",
            "cdl.vim",
            "cdrdaoconf.vim",
            "cfg.vim",
            "cgdbrc.vim",
            "cf.vim",
            "cdrtoc.vim",
            "ch.vim",
            "chaiscript.vim",
            "change.vim",
            "chaskell.vim",
            "changelog.vim",
            "chatito.vim",
            "cheetah.vim",
            "chicken.vim",
            "chordpro.vim",
            "chill.vim",
            "calendar.vim",
            "chuck.vim",
            "clean.vim",
            "clipper.vim",
            "cmakecache.vim",
            "cl.vim",
            "cmod.vim",
            "cmusrc.vim",
            "coco.vim",
            "colortest.vim",
            "clojure.vim",
            "conf.vim",
            "config.vim",
            "confini.vim",
            "conaryrecipe.vim",
            "crm.vim",
            "cmake.vim",
            "crontab.vim",
            "cpp.vim",
            "context.vim",
            "csc.vim",
            "csh.vim",
            "cs.vim",
            "csp.vim",
            "csv.vim",
            "cterm.vim",
            "csdl.vim",
            "cobol.vim",
            "ctrlh.vim",
            "css.vim",
            "cuda.vim",
            "cuplsim.vim",
            "cvs.vim",
            "cweb.vim",
            "cvsrc.vim",
            "cucumber.vim",
            "cupl.vim",
            "cynpp.vim",
            "cynlib.vim",
            "deb822sources.vim",
            "dcd.vim",
            "d.vim",
            "dcl.vim",
            "dart.vim",
            "debchangelog.vim",
            "debcontrol.vim",
            "datascript.vim",
            "debcopyright.vim",
            "def.vim",
            "dep3patch.vim",
            "denyhosts.vim",
            "debsources.vim",
            "desc.vim",
            "dictconf.vim",
            "dictdconf.vim",
            "diff.vim",
            "dircolors.vim",
            "dirpager.vim",
            "diva.vim",
            "desktop.vim",
            "django.vim",
            "dns.vim",
            "docbksgml.vim",
            "docbkxml.vim",
            "docbk.vim",
            "dockerfile.vim",
            "dosbatch.vim",
            "dosini.vim",
            "dot.vim",
            "dracula.vim",
            "dsl.vim",
            "dtml.vim",
            "doxygen.vim",
            "dts.vim",
            "dtrace.vim",
            "dtd.vim",
            "dune.vim",
            "dylanintr.vim",
            "dylanlid.vim",
            "dylan.vim",
            "dnsmasq.vim",
            "editorconfig.vim",
            "edif.vim",
            "ecd.vim",
            "elmfilt.vim",
            "elf.vim",
            "elinks.vim",
            "eiffel.vim",
            "elm.vim",
            "erlang.vim",
            "esmtprc.vim",
            "esqlc.vim",
            "esterel.vim",
            "euphoria3.vim",
            "eterm.vim",
            "eruby.vim",
            "euphoria4.vim",
            "exim.vim",
            "expect.vim",
            "exports.vim",
            "eviews.vim",
            "fasm.vim",
            "fdcc.vim",
            "falcon.vim",
            "fan.vim",
            "fetchmail.vim",
            "fgl.vim",
            "fish.vim",
            "flexwiki.vim",
            "focexec.vim",
            "fpcmake.vim",
            "forth.vim",
            "form.vim",
            "framescript.vim",
            "foxpro.vim",
            "fortran.vim",
            "freebasic.vim",
            "fvwm2m4.vim",
            "fstab.vim",
            "fvwm.vim",
            "gdmo.vim",
            "gdresource.vim",
            "gdb.vim",
            "gemtext.vim",
            "gdshader.vim",
            "git.vim",
            "gift.vim",
            "gedcom.vim",
            "gdscript.vim",
            "gitattributes.vim",
            "gitcommit.vim",
            "gitconfig.vim",
            "gitignore.vim",
            "gitolite.vim",
            "gitrebase.vim",
            "gitsendemail.vim",
            "gkrellmrc.vim",
            "goaccess.vim",
            "glsl.vim",
            "godoc.vim",
            "go.vim",
            "gnuplot.vim",
            "gp.vim",
            "gpg.vim",
            "gprof.vim",
            "gretl.vim",
            "grads.vim",
            "gnash.vim",
            "groff.vim",
            "grub.vim",
            "groovy.vim",
            "gtkrc.vim",
            "group.vim",
            "gyp.vim",
            "gsp.vim",
            "gvpr.vim",
            "update_date.vim",
            "README.md",
            "gen_syntax_vim.vim",
            "vim.vim.base",
            "haml.vim",
            "hamster.vim",
            "hare.vim",
            "haredoc.vim",
            "haste.vim",
            "haskell.vim",
            "hastepreproc.vim",
            "hb.vim",
            "hcl.vim",
            "help_ru.vim",
            "hex.vim",
            "help.vim",
            "hercules.vim",
            "hgcommit.vim",
            "hitest.vim",
            "hlsplaylist.vim",
            "hog.vim",
            "hostsaccess.vim",
            "hostconf.vim",
            "htmlcheetah.vim",
            "htmlangular.vim",
            "html.vim",
            "htmlm4.vim",
            "htmlos.vim",
            "htmldjango.vim",
            "i3config.vim",
            "ia64.vim",
            "ibasic.vim",
            "icemenu.vim",
            "idlang.vim",
            "idl.vim",
            "icon.vim",
            "initex.vim",
            "initng.vim",
            "ipfilter.vim",
            "inittab.vim",
            "inform.vim",
            "j.vim",
            "iss.vim",
            "ishd.vim",
            "jal.vim",
            "ist.vim",
            "jam.vim",
            "jargon.vim",
            "javascript.vim",
            "javascriptreact.vim",
            "java.vim",
            "jinja.vim",
            "jess.vim",
            "jgraph.vim",
            "javacc.vim",
            "jq.vim",
            "jsp.vim",
            "json.vim",
            "jsonc.vim",
            "json5.vim",
            "kconfig.vim",
            "julia.vim",
            "kdl.vim",
            "kotlin.vim",
            "kix.vim",
            "kwt.vim",
            "krl.vim",
            "kscript.vim",
            "kivy.vim",
            "lace.vim",
            "latte.vim",
            "lc.vim",
            "ld.vim",
            "ldapconf.vim",
            "iso.vim",
            "pim.vim",
            "r10.vim",
            "ldif.vim",
            "less.vim",
            "lftp.vim",
            "lhaskell.vim",
            "libao.vim",
            "lex.vim",
            "lifelines.vim",
            "liquid.vim",
            "limits.vim",
            "lilo.vim",
            "lite.vim",
            "livebook.vim",
            "lisp.vim",
            "litestep.vim",
            "lotos.vim",
            "loginaccess.vim",
            "logtalk.vim",
            "logindefs.vim",
            "lout.vim",
            "lprolog.vim",
            "lpc.vim",
            "lsl.vim",
            "lscript.vim",
            "lss.vim",
            "luau.vim",
            "lua.vim",
            "lynx.vim",
            "lyrics.vim",
            "m3quake.vim",
            "m3build.vim",
            "m4.vim",
            "mailaliases.vim",
            "mail.vim",
            "mailcap.vim",
            "mallard.vim",
            "make.vim",
            "manual.vim",
            "manconf.vim",
            "mason.vim",
            "masm.vim",
            "maple.vim",
            "master.vim",
            "matlab.vim",
            "maxima.vim",
            "mermaid.vim",
            "meson.vim",
            "mediawiki.vim",
            "messages.vim",
            "mel.vim",
            "man.vim",
            "markdown.vim",
            "mf.vim",
            "mgp.vim",
            "mgl.vim",
            "mib.vim",
            "mix.vim",
            "mmix.vim",
            "mmp.vim",
            "modconf.vim",
            "model.vim",
            "mma.vim",
            "modula2.vim",
            "modula3.vim",
            "moo.vim",
            "mojo.vim",
            "monk.vim",
            "mp.vim",
            "mplayerconf.vim",
            "mrxvtrc.vim",
            "msmessages.vim",
            "msidl.vim",
            "msql.vim",
            "modsim3.vim",
            "murphi.vim",
            "mush.vim",
            "mupad.vim",
            "muttrc.vim",
            "mysql.vim",
            "named.vim",
            "nanorc.vim",
            "nastran.vim",
            "n1ql.vim",
            "natural.vim",
            "nasm.vim",
            "ncf.vim",
            "netrc.vim",
            "netrw.vim",
            "ninja.vim",
            "nix.vim",
            "nosyntax.vim",
            "nroff.vim",
            "neomuttrc.vim",
            "nsis.vim",
            "nqc.vim",
            "nginx.vim",
            "obj.vim",
            "objcpp.vim",
            "odin.vim",
            "occam.vim",
            "omnimark.vim",
            "ocaml.vim",
            "ondir.vim",
            "objc.vim",
            "openscad.vim",
            "openroad.vim",
            "opl.vim",
            "openvpn.vim",
            "obse.vim",
            "opam.vim",
            "pamenv.vim",
            "pacmanlog.vim",
            "ora.vim",
            "pamconf.vim",
            "pandoc.vim",
            "papp.vim",
            "pcap.vim",
            "pbtxt.vim",
            "pascal.vim",
            "passwd.vim",
            "pccts.vim",
            "pf.vim",
            "phtml.vim",
            "perl.vim",
            "pic.vim",
            "pdf.vim",
            "pilrc.vim",
            "pfmain.vim",
            "pike.vim",
            "pine.vim",
            "pinfo.vim",
            "plaintex.vim",
            "php.vim",
            "plm.vim",
            "plp.vim",
            "pli.vim",
            "pod.vim",
            "poefilter.vim",
            "po.vim",
            "ppd.vim",
            "pov.vim",
            "povini.vim",
            "ppwiz.vim",
            "plsql.vim",
            "prescribe.vim",
            "procmail.vim",
            "privoxy.vim",
            "prolog.vim",
            "promela.vim",
            "postscr.vim",
            "protocols.vim",
            "proto.vim",
            "psf.vim",
            "psl.vim",
            "ps1.vim",
            "purifylog.vim",
            "ptcap.vim",
            "pymanifest.vim",
            "pyrex.vim",
            "progress.vim",
            "python.vim",
            "python2.vim",
            "quarto.vim",
            "qf.vim",
            "quake.vim",
            "qb64.vim",
            "r.vim",
            "qml.vim",
            "radiance.vim",
            "racc.vim",
            "racket.vim",
            "raml.vim",
            "rasi.vim",
            "rc.vim",
            "ratpoison.vim",
            "rapid.vim",
            "raku.vim",
            "rcslog.vim",
            "rcs.vim",
            "rebol.vim",
            "readline.vim",
            "registry.vim",
            "rego.vim",
            "remind.vim",
            "requirements.vim",
            "reva.vim",
            "resolv.vim",
            "rhelp.vim",
            "rexx.vim",
            "rnc.vim",
            "rng.vim",
            "rnoweb.vim",
            "rib.vim",
            "redif.vim",
            "rrst.vim",
            "rpcgen.vim",
            "routeros.vim",
            "rpl.vim",
            "rmd.vim",
            "rtf.vim",
            "rst.vim",
            "salt.vim",
            "robots.vim",
            "samba.vim",
            "ruby.vim",
            "sas.vim",
            "sass.vim",
            "rust.vim",
            "sbt.vim",
            "scdoc.vim",
            "sather.vim",
            "scilab.vim",
            "scala.vim",
            "scheme.vim",
            "screen.vim",
            "scss.vim",
            "sd.vim",
            "sdc.vim",
            "sdl.vim",
            "sensors.vim",
            "sed.vim",
            "services.vim",
            "sendpr.vim",
            "setserial.vim",
            "sexplib.vim",
            "sgmldecl.vim",
            "sgmllnx.vim",
            "sh.vim",
            "sgml.vim",
            "context-data-metafun.vim",
            "context-data-tex.vim",
            "hgcommitDiff.vim",
            "context-data-context.vim",
            "context-data-interfaces.vim",
            "debversions.vim",
            "typescriptcommon.vim",
            "sicad.vim",
            "sil.vim",
            "simula.vim",
            "sinda.vim",
            "sindacmp.vim",
            "sindaout.vim",
            "sieve.vim",
            "skill.vim",
            "sl.vim",
            "sisu.vim",
            "slang.vim",
            "slpconf.vim",
            "slpreg.vim",
            "slpspi.vim",
            "slrnsc.vim",
            "sm.vim",
            "smarty.vim",
            "slice.vim",
            "smcl.vim",
            "smith.vim",
            "smil.vim",
            "sml.vim",
            "snnsnet.vim",
            "snnspat.vim",
            "slrnrc.vim",
            "snobol4.vim",
            "solidity.vim",
            "spice.vim",
            "splint.vim",
            "spec.vim",
            "specman.vim",
            "spyce.vim",
            "spup.vim",
            "snnsres.vim",
            "sql.vim",
            "sqlforms.vim",
            "sqlj.vim",
            "sqlhana.vim",
            "sqlinformix.vim",
            "sqlanywhere.vim",
            "sqloracle.vim",
            "srec.vim",
            "sqr.vim",
            "squirrel.vim",
            "squid.vim",
            "srt.vim",
            "ssa.vim",
            "st.vim",
            "sshconfig.vim",
            "sshdconfig.vim",
            "stp.vim",
            "stata.vim",
            "strace.vim",
            "structurizr.vim",
            "stylus.vim",
            "sudoers.vim",
            "swift.vim",
            "swig.vim",
            "swiftgyb.vim",
            "swayconfig.vim",
            "syncolor.vim",
            "svn.vim",
            "synload.vim",
            "sysctl.vim",
            "systemverilog.vim",
            "tads.vim",
            "tags.vim",
            "tak.vim",
            "takcmp.vim",
            "takout.vim",
            "tar.vim",
            "taskdata.vim",
            "taskedit.vim",
            "tap.vim",
            "tasm.vim",
            "svg.vim",
            "syntax.vim",
            "template.vim",
            "tcsh.vim",
            "teraterm.vim",
            "terminfo.vim",
            "terraform.vim",
            "systemd.vim",
            "tcl.vim",
            "tssgm.vim",
            "typescript.vim",
            "tsv.vim",
            "tt2js.vim",
            "tssop.vim",
            "typescriptreact.vim",
            "tt2.vim",
            "tt2html.vim",
            "uc.vim",
            "uci.vim",
            "typst.vim",
            "udevconf.vim",
            "udevperm.vim",
            "uil.vim",
            "unison.vim",
            "updatedb.vim",
            "upstart.vim",
            "upstreamdat.vim",
            "upstreaminstalllog.vim",
            "upstreamlog.vim",
            "upstreamrpt.vim",
            "usw2kagtlog.vim",
            "urlshortcut.vim",
            "udevrules.vim",
            "valgrind.vim",
            "vdf.vim",
            "vb.vim",
            "verilogams.vim",
            "vera.vim",
            "vhdl.vim",
            "viminfo.vim",
            "verilog.vim",
            "voscm.vim",
            "vmasm.vim",
            "virata.vim",
            "vim.vim",
            "vrml.vim",
            "vgrindefs.vim",
            "usserverlog.vim",
            "c.c",
            "html.html",
            "java_comments_markdown.java",
            "java_annotations_signature.java",
            "java_comments.java",
            "java_enfoldment.java",
            "java_escapes.java",
            "java_generics_signature.java",
            "java_generics.java",
            "java_contextual_keywords.java",
            "java_lambda_expressions_signature.java",
            "java_annotations.java",
            "java_lambda_expressions.java",
            "java_method_references_signature.java",
            "java_methods_indent4.java",
            "java_methods_indent2.java",
            "java_methods_indent4_signature.java",
            "java_methods_indent2_signature.java",
            "java_methods_indent8_signature.java",
            "java_methods_style.java",
            "java_module_info.java",
            "java_methods_style_signature.java",
            "java_numbers.java",
            "java_previews_430.java",
            "java_string.java",
            "java_previews_455.java",
            "java_switch.java",
            "java_methods_indent8.java",
            "java_unfoldment.java",
            "markdown_conceal.markdown",
            "modula2_pim.def",
            "modula2_iso.def",
            "modula2_r10.def",
            "progress_comments.p",
            "sh_02.sh",
            "sh_01.sh",
            "sh_04.sh",
            "sh_03.sh",
            "sh_05.sh",
            "sh_07.sh",
            "sh_09.sh",
            "sh_08.sh",
            "sh_10.sh",
            "sh_11.sh",
            "vim_ex_abbreviate.vim",
            "vim_ex_behave.vim",
            "vim_ex_call.vim",
            "vim_ex_catch.vim",
            "sh_06.sh",
            "vim_ex_command.vim",
            "vim_ex_comment_strings.vim",
            "vim_ex_comment-vim9.vim",
            "vim_ex_comment.vim",
            "vim_ex_augroup.vim",
            "vim_ex_commands.vim",
            "vim_ex_def_nested.vim",
            "vim_ex_def_nested_fold.vim",
            "vim_ex_def_fold.vim",
            "vim_ex_def.vim",
            "vim_ex_echo.vim",
            "vim_ex_execute.vim",
            "vim_ex_function_def_tail_comment_errors.vim",
            "vim_ex_function_def_tail_comments.vim",
            "vim_ex_function_nested_fold.vim",
            "vim_ex_function_nested.vim",
            "vim_ex_function_fold.vim",
            "vim_ex_highlight.vim",
            "vim_ex_let_heredoc.vim",
            "vim_ex_loadkeymap_after_bar.vim",
            "vim_ex_loadkeymap_after_colon.vim",
            "vim_ex_map.vim",
            "vim_ex_function.vim",
            "vim_ex_menu.vim",
            "vim_ex_menutranslate.vim",
            "vim_ex_no_comment_strings.vim",
            "vim_ex_match.vim",
            "vim_ex_range.vim",
            "vim_ex_set.vim",
            "vim_ex_sleep.vim",
            "vim_ex_substitute.vim",
            "vim_ex_throw.vim",
            "vim_keymap.vim",
            "vim_ex_syntax.vim",
            "vim_key_notation.vim",
            "vim_line_continuation.vim",
            "vim_expr.vim",
            "vim_new.vim",
            "vim_shebang.vim",
            "vim_object_methods.vim",
            "vim_variables.vim",
            "vim9_ex_comment_strings.vim",
            "vim9_ex_commands.vim",
            "vim9_ex_no_comment_strings.vim",
            "vim9_ex_function_def_tail_comments.vim",
            "vim9_expr.vim",
            "vim9_keymap.vim",
            "vim9_ex_function_def_tail_comment_errors.vim",
            "vim9_legacy_header_fold.vim",
            "vim9_legacy_header.vim",
            "vim9_shebang.vim",
            "yaml.yaml",
            "dots_03",
            "dots_05",
            "dots_02",
            "dots_04",
            "dots_01",
            "dots_06",
            "dots_08",
            "dots_09",
            "dots_10",
            "dots_07",
            "dots_11",
            "dots_12",
            "dots_14",
            "dots_13",
            "dots_15",
            "dots_16",
            "dots_17",
            "dots_18",
            "dots_19",
            "dots_20",
            "html_00.dump",
            "html_03.dump",
            "html_05.dump",
            "html_04.dump",
            "html_06.dump",
            "html_02.dump",
            "html_01.dump",
            "html_07.dump",
            "html_08.dump",
            "java_annotations_01.dump",
            "java_annotations_00.dump",
            "java_annotations_02.dump",
            "java_annotations_03.dump",
            "java_annotations_04.dump",
            "java_annotations_signature_00.dump",
            "java_annotations_signature_02.dump",
            "java_annotations_signature_01.dump",
            "java_annotations_signature_03.dump",
            "java_annotations_signature_04.dump",
            "java_comments_html_01.dump",
            "java_comments_html_02.dump",
            "java_comments_html_03.dump",
            "java_comments_html_00.dump",
            "java_comments_html_04.dump",
            "java_comments_html_05.dump",
            "java_comments_markdown_00.dump",
            "java_comments_html_07.dump",
            "java_comments_markdown_03.dump",
            "java_comments_markdown_01.dump",
            "java_comments_html_06.dump",
            "java_comments_markdown_04.dump",
            "java_comments_markdown_02.dump",
            "java_comments_markdown_05.dump",
            "java_comments_markdown_06.dump",
            "java_comments_markdown_07.dump",
            "java_contextual_keywords_00.dump",
            "java_comments_markdown_08.dump",
            "java_contextual_keywords_01.dump",
            "java_contextual_keywords_02.dump",
            "java_enfoldment_01.dump",
            "java_contextual_keywords_03.dump",
            "java_enfoldment_00.dump",
            "java_enfoldment_02.dump",
            "java_escapes_00.dump",
            "java_escapes_01.dump",
            "java_escapes_03.dump",
            "java_escapes_05.dump",
            "java_escapes_07.dump",
            "java_escapes_02.dump",
            "java_escapes_06.dump",
            "java_generics_01.dump",
            "java_generics_03.dump",
            "java_generics_02.dump",
            "java_generics_04.dump",
            "java_generics_05.dump",
            "java_generics_07.dump",
            "java_generics_00.dump",
            "java_generics_06.dump",
            "java_escapes_04.dump",
            "java_generics_signature_00.dump",
            "java_generics_signature_01.dump",
            "java_generics_signature_02.dump",
            "java_generics_signature_03.dump",
            "java_generics_signature_04.dump",
            "java_generics_signature_05.dump",
            "java_generics_signature_07.dump",
            "java_generics_signature_06.dump",
            "java_lambda_expressions_00.dump",
            "java_lambda_expressions_01.dump",
            "java_lambda_expressions_03.dump",
            "java_lambda_expressions_02.dump",
            "java_lambda_expressions_04.dump",
            "java_lambda_expressions_05.dump",
            "java_lambda_expressions_06.dump",
            "java_lambda_expressions_07.dump",
            "java_lambda_expressions_08.dump",
            "java_lambda_expressions_signature_00.dump",
            "java_lambda_expressions_signature_01.dump",
            "java_lambda_expressions_signature_02.dump",
            "java_lambda_expressions_signature_03.dump",
            "java_lambda_expressions_signature_04.dump",
            "java_lambda_expressions_signature_05.dump",
            "java_lambda_expressions_signature_06.dump",
            "java_lambda_expressions_signature_07.dump",
            "java_lambda_expressions_signature_08.dump",
            "java_method_references_00.dump",
            "java_method_references_01.dump",
            "java_method_references_03.dump",
            "java_method_references_04.dump",
            "java_method_references_06.dump",
            "java_method_references_05.dump",
            "java_method_references_07.dump",
            "java_method_references_08.dump",
            "java_method_references_09.dump",
            "java_method_references_10.dump",
            "java_method_references_signature_00.dump",
            "java_method_references_signature_01.dump",
            "java_method_references_02.dump",
            "java_method_references_signature_02.dump",
            "java_method_references_signature_03.dump",
            "java_method_references_signature_04.dump",
            "java_method_references_signature_05.dump",
            "java_method_references_signature_07.dump",
            "java_method_references_signature_08.dump",
            "java_method_references_signature_09.dump",
            "java_methods_indent2_00.dump",
            "java_methods_indent2_00.vim",
            "java_methods_indent2_01.dump",
            "java_methods_indent2_01.vim",
            "java_methods_indent2_02.dump",
            "java_methods_indent2_02.vim",
            "java_method_references_signature_10.dump",
            "java_methods_indent2_03.vim",
            "java_methods_indent2_03.dump",
            "java_methods_indent2_04.dump",
            "java_methods_indent2_04.vim",
            "java_methods_indent2_05.dump",
            "java_methods_indent2_05.vim",
            "java_method_references_signature_06.dump",
            "java_methods_indent2_signature_00.vim",
            "java_methods_indent2_signature_01.dump",
            "java_methods_indent2_signature_01.vim",
            "java_methods_indent2_signature_02.dump",
            "java_methods_indent2_signature_02.vim",
            "java_methods_indent2_signature_03.dump",
            "java_methods_indent2_signature_03.vim",
            "java_methods_indent2_signature_04.dump",
            "java_methods_indent2_signature_04.vim",
            "java_methods_indent2_signature_05.dump",
            "java_methods_indent2_signature_05.vim",
            "java_methods_indent4_00.vim",
            "java_methods_indent4_01.vim",
            "java_methods_indent4_01.dump",
            "java_methods_indent4_02.dump",
            "java_methods_indent2_signature_00.dump",
            "java_methods_indent4_02.vim",
            "java_methods_indent4_03.vim",
            "java_methods_indent4_03.dump",
            "java_methods_indent4_04.dump",
            "java_methods_indent4_04.vim",
            "java_methods_indent4_05.dump",
            "java_methods_indent4_06.dump",
            "java_methods_indent4_05.vim",
            "java_methods_indent4_signature_00.dump",
            "java_methods_indent4_signature_01.dump",
            "java_methods_indent4_signature_01.vim",
            "java_methods_indent4_signature_02.dump",
            "java_methods_indent4_signature_02.vim",
            "java_methods_indent4_signature_03.dump",
            "java_methods_indent4_signature_03.vim",
            "java_methods_indent4_signature_04.dump",
            "java_methods_indent4_signature_04.vim",
            "java_methods_indent4_signature_05.dump",
            "java_methods_indent4_signature_05.vim",
            "java_methods_indent8_00.dump",
            "java_methods_indent4_signature_06.dump",
            "java_methods_indent8_00.vim",
            "java_methods_indent8_01.dump",
            "java_methods_indent8_01.vim",
            "java_methods_indent4_signature_00.vim",
            "java_methods_indent8_02.dump",
            "java_methods_indent8_02.vim",
            "java_methods_indent8_03.dump",
            "java_methods_indent8_03.vim",
            "java_methods_indent8_04.dump",
            "java_methods_indent8_05.dump",
            "java_methods_indent8_06.dump",
            "java_methods_indent8_05.vim",
            "java_methods_indent8_signature_00.dump",
            "java_methods_indent8_signature_01.dump",
            "java_methods_indent8_signature_01.vim",
            "java_methods_indent8_signature_02.dump",
            "java_methods_indent8_signature_02.vim",
            "java_methods_indent8_signature_00.vim",
            "java_methods_indent8_signature_03.dump",
            "java_methods_indent8_signature_03.vim",
            "java_methods_indent8_signature_04.dump",
            "java_methods_indent8_signature_04.vim",
            "java_methods_indent8_signature_05.vim",
            "java_methods_indent8_signature_05.dump",
            "java_methods_indent8_signature_06.dump",
            "java_methods_indent8_signature_06.vim",
            "java_methods_style_00.dump",
            "java_methods_style_00.vim",
            "java_methods_style_01.vim",
            "java_methods_style_02.vim",
            "java_methods_indent8_04.vim",
            "java_methods_style_03.dump",
            "java_methods_style_04.dump",
            "java_methods_style_02.dump",
            "java_methods_style_signature_00.dump",
            "java_methods_style_signature_00.vim",
            "java_methods_style_signature_01.vim",
            "java_methods_style_03.vim",
            "java_methods_style_signature_02.vim",
            "java_methods_style_01.dump",
            "java_methods_style_signature_03.dump",
            "java_methods_style_signature_03.vim",
            "java_methods_style_signature_04.dump",
            "java_methods_style_signature_01.dump",
            "java_module_info_00.dump",
            "java_methods_style_04.vim",
            "java_module_info_01.dump",
            "java_module_info_02.dump",
            "java_numbers_01.dump",
            "java_numbers_02.dump",
            "java_methods_style_signature_04.vim",
            "java_numbers_00.dump",
            "java_numbers_03.dump",
            "java_numbers_04.dump",
            "java_numbers_05.dump",
            "java_previews_430_00.dump",
            "java_previews_455_00.dump",
            "java_previews_455_01.dump",
            "java_previews_455_02.dump",
            "java_previews_455_03.dump",
            "java_methods_style_signature_02.dump",
            "java_methods_indent4_00.dump",
            "java_string_00.dump",
            "java_string_01.dump",
            "java_string_02.dump",
            "java_string_04.dump",
            "java_string_03.dump",
            "java_string_05.dump",
            "java_switch_00.dump",
            "java_switch_02.dump",
            "java_switch_01.dump",
            "java_switch_04.dump",
            "java_switch_03.dump",
            "java_switch_05.dump",
            "java_switch_07.dump",
            "java_unfoldment_00.dump",
            "java_switch_06.dump",
            "java_unfoldment_01.dump",
            "java_unfoldment_05.dump",
            "java_unfoldment_02.dump",
            "markdown_conceal_00.dump",
            "java_unfoldment_03.dump",
            "modula2_iso_00.dump",
            "modula2_iso_01.dump",
            "modula2_iso_03.dump",
            "modula2_iso_02.dump",
            "modula2_iso_04.dump",
            "modula2_iso_05.dump",
            "modula2_pim_00.dump",
            "modula2_iso_06.dump",
            "modula2_pim_01.dump",
            "modula2_pim_02.dump",
            "modula2_pim_03.dump",
            "modula2_pim_04.dump",
            "modula2_pim_06.dump",
            "modula2_pim_05.dump",
            "modula2_r10_00.dump",
            "modula2_r10_03.dump",
            "sh_07_01.dump",
            "sh_08_02.dump",
            "sh_11_00.dump",
            "vim_ex_abbreviate_01.dump",
            "vim_ex_command_00.dump",
            "java_module_info.vim",
            "markdown_conceal.vim",
            "cleanadd.vim",
            "yi.vim",
            "he.vim",
            "adacomplete.vim",
            "cargo.vim",
            "ccomplete.vim",
            "clojurecomplete.vim",
            "decada.vim",
            "contextcomplete.vim",
            "csscomplete.vim",
            "gnat.vim",
            "gzip.vim",
            "getscript.vim",
            "htmlcomplete.vim",
            "javaformat.vim",
            "netrw_gitignore.vim",
            "javascriptcomplete.vim",
            "haskellcomplete.vim",
            "netrwSettings.vim",
            "netrwFileHandlers.vim",
            "paste.vim",
            "pythoncomplete.vim",
            "RstFold.vim",
            "python3complete.vim",
            "rustfmt.vim",
            "spellfile.vim",
            "sqlcomplete.vim",
            "syntaxcomplete.vim",
            "rubycomplete.vim",
            "tohtml.vim",
            "typeset.vim",
            "vimball.vim",
            "xmlcomplete.vim",
            "xmlformat.vim",
            "zip.vim",
            "quickfix.vim",
            "html32.vim",
            "html40f.vim",
            "html40s.vim",
            "html40t.vim",
            "html401f.vim",
            "html401t.vim",
            "xhtml10f.vim",
            "xhtml10s.vim",
            "xsd.vim",
            "xhtml10t.vim",
            "html401s.vim",
            "xhtml11.vim",
            "xsl.vim",
            "airportd.sb",
            "awdd.sb",
            "bluetoothd.sb",
            "com.apple.atsd.internal.sb",
            "BTLEServer.sb",
            "com.apple.atsd.support.sb",
            "com.apple.bootinstalld.sb",
            "com.apple.ckdiscretionaryd.sb",
            "com.apple.CommCenter.sb",
            "com.apple.cloudd.sb",
            "com.apple.fontd.internal.sb",
            "com.apple.corespotlightservice.sb",
            "com.apple.FontValidator.sb",
            "com.apple.fontd.support.sb",
            "com.apple.genatsdb.internal.sb",
            "com.apple.managedcorespotlightd.sb",
            "com.apple.msrpc.lsarpc.sb",
            "com.apple.msrpc.mdssvc.sb",
            "com.apple.mobileassetd.sb",
            "com.apple.msrpc.netlogon.sb",
            "com.apple.msrpc.srvsvc.sb",
            "com.apple.msrpc.wkssvc.sb",
            "com.apple.smbd.sb",
            "com.apple.netbiosd.sb",
            "com.apple.softwareupdate_firstrun_tasks.sb",
            "com.apple.taskgated-helper.sb",
            "com.apple.spotlightknowledged.importer.sb",
            "com.apple.USBAgent.sb",
            "com.apple.softwareupdated.sb",
            "com.apple.xscertd-helper.sb",
            "com.apple.usbd.sb",
            "com.apple.xscertd.sb",
            "cvmsCompAgent.sb",
            "cvmsServer.sb",
            "fontmover.sb",
            "fontmoverinternal.sb",
            "fontworkerinternal.sb",
            "gss-acceptor.sb",
            "gss-initiator.sb",
            "kadmind.sb",
            "kcm.sb",
            "mdflagwriter.sb",
            "kdc.sb",
            "ftp-proxy.sb",
            "mds.sb",
            "mdworker-bundle.sb",
            "mds_stores.sb",
            "mdworker-mail.sb",
            "mdworker-sizing.sb",
            "mdworker-scan.sb",
            "mdworker.sb",
            "natpmpd.sb",
            "qlmanage.sb",
            "pfd.sb",
            "quicklook-satellite-general.sb",
            "mDNSResponder.sb",
            "quicklook-satellite.sb",
            "quicklook-satellite-personal.sb",
            "quicklookd-job-creation.sb",
            "webdav_agent.sb",
            "quicklookd.sb",
            "watool.sb",
            "wfs.sb",
            "wifivelocityd.sb",
            "default.plist",
            "charset.pivot",
            "mapper.dir",
            "firmlinks",
            "Stopwords.plist",
            "adi",
            "acorn",
            "adventure",
            "aes",
            "alliant",
            "allegro",
            "algol68",
            "aout",
            "apache",
            "android",
            "apl",
            "amigaos",
            "application",
            "animation",
            "applix",
            "apple",
            "amanda",
            "arm",
            "apt",
            "asf",
            "assembler",
            "asterix",
            "att3b",
            "basis",
            "beetle",
            "avm",
            "ber",
            "bflt",
            "bhl",
            "bioinformatics",
            "biosig",
            "audio",
            "blcr",
            "blender",
            "blackberry",
            "archive",
            "blit",
            "bm",
            "bout",
            "bsdi",
            "bsi",
            "btsnoop",
            "bytecode",
            "cbor",
            "c64",
            "c-lang",
            "cafebabe",
            "chord",
            "citrus",
            "cddb",
            "clarion",
            "cisco",
            "cad",
            "claris",
            "clipper",
            "coff",
            "clojure",
            "convex",
            "communications",
            "dicrc",
            "mib2c.access_functions.conf",
            "mib2c.check_values.conf",
            "mib2c.check_values_local.conf",
            "mib2c.column_defines.conf",
            "mib2c.array-user.conf",
            "mib2c.column_enums.conf",
            "mib2c.column_storage.conf",
            "mib2c.create-dataset.conf",
            "mib2c.container.conf",
            "mib2c.genhtml.conf",
            "mib2c.int_watch.conf",
            "mib2c.conf",
            "mib2c.mfd.conf",
            "mib2c.notify.conf",
            "mib2c.iterate.conf",
            "mib2c.old-api.conf",
            "mib2c.iterate_access.conf",
            "mib2c.scalar.conf",
            "mib2c.perl.conf"
          ],
          "public": 1,
          "adversary": "DragonForce Malaysia",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Esc",
              "display_name": "Esc",
              "target": null
            },
            {
              "id": "SelectAll",
              "display_name": "SelectAll",
              "target": null
            },
            {
              "id": "Vim Tutor",
              "display_name": "Vim Tutor",
              "target": null
            },
            {
              "id": "Todo",
              "display_name": "Todo",
              "target": null
            },
            {
              "id": "AdaCore",
              "display_name": "AdaCore",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1134",
              "name": "Access Token Manipulation",
              "display_name": "T1134 - Access Token Manipulation"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1030",
              "name": "Data Transfer Size Limits",
              "display_name": "T1030 - Data Transfer Size Limits"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 109,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "ilyailya",
            "id": "298851",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 2,
            "email": 635,
            "hostname": 840,
            "URL": 2021,
            "FileHash-SHA1": 6,
            "domain": 378,
            "FileHash-SHA256": 548
          },
          "indicator_count": 4430,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 34,
          "modified_text": "404 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67a219f7c06d372f86335d64",
          "name": "Thor Linux Lite Scan - Sample Device & SG2 - 02.07.25 - Unenriched",
          "description": "Took a few tries but here is the complete thor Linux 64 Lite Scan on: Sample Device & a single drive (one of many) of the 77 TB of: things I have but don't know what to do with\n---\nOld Notes on previous scan attempts for this sample.\nSee Comments on VT\nMD5\nde880994c51d4055c960e2d32db89774\n \nSHA-1\n539e7c2eefd7a6aa17db436d83738c117f26798c\n \nSHA-256\na6b9deae18604003aa3963d5d83775f5c66bfbe93ea4608fe8a69e6af3722f45\n \nSSDEEP\n98304:hpUsCWtdIdOKfb44V0ipGuEwWPKhmMWMCURFfxzRq6R5qJJfrPOOD86U6BDfIokW:BKftFfuDfqAfPPfa4f3\n \nTLSH\nT10D571AC3C70811188D2373EBE1B4BA59BD06381EDECA9D59F08D642C97946467A2EDCF",
          "modified": "2025-03-09T16:04:43.604000",
          "created": "2025-02-04T13:45:27.169000",
          "tags": [
            "stuff",
            "data",
            "no problems",
            "upload",
            "problems1",
            "progressb",
            "progressi",
            "onedrive",
            "files",
            "bitdefender",
            "scanid",
            "lite version",
            "ioc jan",
            "thor lite",
            "ip address",
            "writing",
            "cron",
            "envcheck",
            "filescan",
            "firewall",
            "rootkit",
            "timestomp",
            "doublepulsar",
            "logger",
            "teamviewer",
            "virustotal",
            "arch",
            "hosts"
          ],
          "references": [
            "pop-os_files_md5s.csv",
            "https://www.virustotal.com/graph/embed/g532ea94109c54d96ba1bde62201fb4439ef00ab8d0af4a2f99ee42846ad158df?theme=dark",
            "SCANID: S-yIBIO4Ib0l4",
            "SCANID: S-9uT7vEdHwHk",
            "SCANID: S-4FSYbAVw6TA",
            "SCANID: S-4jjwyMrjTU0",
            "SCANID: S-jZUP9vdJp8E",
            "https://www.virustotal.com/gui/collection/d8bbd97abe2ea808a02db46380171df0803a43a379ed3795a316cb1f947939de/iocs",
            "SCANID: S-CadvV0Kd35c",
            "SCANID: S-0LxiGnOve0Q",
            "SCANID: S-YV38dG9guZE",
            "https://www.virustotal.com/gui/collection/f890b10e639770c7e6ef3eeb804ee9e7391360557aedca7b1daaee02da0f7682/iocs",
            "https://www.virustotal.com/gui/collection/f890b10e639770c7e6ef3eeb804ee9e7391360557aedca7b1daaee02da0f7682/summary"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Canada"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Technology",
            "Education",
            "Healthcare",
            "Government",
            "Telecommunications"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 20,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 2,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 701,
            "FileHash-SHA1": 871,
            "FileHash-SHA256": 897,
            "URL": 2920,
            "domain": 388,
            "email": 17,
            "CVE": 830,
            "hostname": 295
          },
          "indicator_count": 6919,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 128,
          "modified_text": "405 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66f9ae71e7d4851280fa367f",
          "name": "The Jane Doe Syndrome Files: Credential Dumping and Data Exfiltration",
          "description": "This pulse outlines a series of techniques (Tactics) utilized in a cyber intrusion targeting Jane Doe's MacBook. These techniques span various stages of the attack lifecycle, including credential dumping (T1003), system discovery (T1016, T1082), and data exfiltration methods (T1114, T1560). The attacker employed advanced obfuscation strategies (T1027) and input capture methods (T1056) to maintain persistence and evade detection, while also utilizing command and scripting interpreters (T1059) to execute malicious commands.\n\nFurthermore, the adversary manipulated system tokens (T1134) and leveraged remote access software (T1219) to control the compromised system. Techniques for data destruction (T1485) and artifact hiding (T1564) indicate a concerted effort to cover tracks and minimize detection.\n\nBy examining these techniques, we can better understand the methods used in this intrusion, facilitating enhanced detection and prevention strategies for future incidents.",
          "modified": "2024-11-08T00:03:35.782000",
          "created": "2024-09-29T19:45:53.583000",
          "tags": [
            "autogenerated",
            "please",
            "class",
            "hp laserjet",
            "duplexer",
            "modify",
            "printer",
            "description",
            "location",
            "share",
            "printer make",
            "ppd file",
            "model",
            "driver",
            "ipp everywhere",
            "printers",
            "hardware",
            "baud rate",
            "parity",
            "odd data",
            "flow control",
            "software",
            "rtscts",
            "dtrdsr",
            "input",
            "type",
            "name",
            "value",
            "hidden",
            "delete class",
            "form",
            "h2 class",
            "warning",
            "p align",
            "allow",
            "advanced",
            "use kerberos",
            "save",
            "max clients",
            "maximum",
            "metadata",
            "documents",
            "max log",
            "img src",
            "width",
            "height",
            "align",
            "absmiddle",
            "indicator",
            "status",
            "printername",
            "idle",
            "edit",
            "cupsdconf",
            "error",
            "blockquote",
            "unknown",
            "h3 class",
            "jobs",
            "help jobs",
            "helptitle",
            "qtext",
            "topic",
            "bmtext",
            "qptext",
            "cups",
            "search",
            "online help",
            "documents all",
            "hold job",
            "server default",
            "shared",
            "test page",
            "pause class",
            "accept jobs",
            "move all",
            "jobs cancel",
            "all jobs",
            "class delete",
            "cancel",
            "move job",
            "destination",
            "release",
            "reprint",
            "action",
            "method",
            "name user",
            "size pages",
            "state control",
            "jobid",
            "withheld",
            "held",
            "change settings",
            "label",
            "input type",
            "select name",
            "multiple size",
            "option",
            "inches feet",
            "table",
            "submit",
            "set default",
            "prev",
            "next",
            "last",
            "accept",
            "options",
            "default",
            "delete printer",
            "form action",
            "pause",
            "reject",
            "resume",
            "print",
            "self test",
            "pause printer",
            "location make",
            "model status",
            "test",
            "please stand",
            "allowed users",
            "prevent",
            "whichjobs",
            "standard rom",
            "standard",
            "copyright",
            "standard font",
            "cups ppd",
            "easy software",
            "apache license",
            "license",
            "symbol special",
            "deskjet",
            "cups sample",
            "hplaserjet",
            "laserjet",
            "hpdeskjet",
            "hpdeskjet2",
            "epson",
            "stylus color",
            "stylus photo",
            "escp",
            "epson9pin",
            "zebra",
            "dymo3x0",
            "dymo",
            "labelwriter",
            "advance",
            "leading",
            "move",
            "black",
            "gold",
            "rotate",
            "never",
            "cyan",
            "yellow",
            "turn",
            "long edge",
            "edge",
            "oversize",
            "address",
            "b1jis b1",
            "adobe",
            "small",
            "image",
            "apple mime",
            "xhtml",
            "pict string",
            "cgimageio",
            "radiance",
            "fujifilm",
            "preview",
            "os x",
            "colorsync",
            "airprint",
            "do not",
            "this file",
            "it is",
            "you install",
            "versions of",
            "base mime",
            "format",
            "postscript",
            "language",
            "pattern match",
            "ras2",
            "pwgraster",
            "comment",
            "attr",
            "group",
            "attr language",
            "attr integer",
            "attr name",
            "attributes",
            "attr keyword",
            "post",
            "resource admin",
            "operation",
            "group operation",
            "create",
            "withvalue",
            "display",
            "d recipienturi",
            "expect",
            "tv d",
            "member",
            "createjob",
            "senddocument",
            "create faxout",
            "get list",
            "display jobname",
            "cupsgetdevices",
            "get job",
            "expect jobstate",
            "job template",
            "get printer",
            "cupsgetppd",
            "cupsgetppds",
            "get ppd",
            "attr text",
            "product",
            "psversion",
            "version",
            "message",
            "hello",
            "cupsgetprinters",
            "beep",
            "sound",
            "count",
            "ingroup",
            "oftype keyword",
            "oftype integer",
            "oftype text",
            "oftype charset",
            "oftype enum",
            "az09",
            "withallvalues",
            "mediaregex",
            "oftype",
            "print file",
            "printjob",
            "test printjob",
            "file",
            "ippurischeme",
            "member integer",
            "print test",
            "printuri",
            "post resource",
            "validatejob",
            "validate",
            "printjob group",
            "repeatmatch",
            "choice",
            "envelope",
            "resolution",
            "modelname",
            "inputslot",
            "pcfilename",
            "modelnumber",
            "attribute",
            "false",
            "darkness",
            "media",
            "generic",
            "mark",
            "dark",
            "tear",
            "cupsbanner show",
            "header printer",
            "footer printer",
            "notice cups",
            "header cover",
            "page footer",
            "cover page",
            "header top",
            "secret footer",
            "top secret",
            "header secret",
            "footer secret",
            "vzefibootloader",
            "nsunavailable",
            "virtualization",
            "base class",
            "vzbootloader",
            "network device",
            "initialize",
            "host network",
            "property",
            "return",
            "define",
            "nsarray",
            "bsd name",
            "ethernet",
            "vzconsoledevice",
            "console port",
            "defines",
            "a directory",
            "vzexport extern",
            "apiavailable",
            "bool",
            "nsenum",
            "nsinteger",
            "local file",
            "raw format",
            "nsurl",
            "nserror",
            "file handle",
            "storage device",
            "nserror error",
            "nsfilehandle",
            "boot loader",
            "efi rom",
            "efi boot",
            "vzerrorcode",
            "vzerrordomain",
            "error type",
            "nserror domain",
            "vzerrorsave",
            "nbd server",
            "nbd client",
            "nsoptions",
            "nsuinteger",
            "nsswiftname",
            "nvram",
            "write",
            "sorcvbuf",
            "sosndbuf",
            "mtu value",
            "data",
            "data sent",
            "true",
            "graphics",
            "intel",
            "indicate",
            "enable",
            "nsdata",
            "opaque",
            "host audio",
            "host output",
            "host input",
            "cgsize",
            "new display",
            "protocol",
            "unix domain",
            "socket",
            "rosetta",
            "caching",
            "rosetta daemon",
            "nsstring",
            "abstract socket",
            "rosetta support",
            "linux",
            "arm64",
            "availability",
            "download",
            "vzmacaddress",
            "mac address",
            "a vzmacaddress",
            "linux kernel",
            "ram disk",
            "linux boot",
            "a mac",
            "configuration",
            "mac hardware",
            "describes",
            "mac platform",
            "mac keyboard",
            "usb keyboard",
            "mac machine",
            "apple silicon",
            "rosetta runtime",
            "nsobject",
            "handle",
            "init",
            "url property",
            "whether",
            "recovery",
            "block",
            "nullable",
            "load",
            "mac trackpad",
            "usb pointing",
            "cpus",
            "overwrite",
            "nsdictionary",
            "directory share",
            "check",
            "namemax",
            "vznetworkdevice",
            "nbd url",
            "nbd uniform",
            "nbd protocol",
            "url error",
            "nat attachment",
            "a network",
            "nvm express",
            "nsscreen",
            "nssize",
            "serial port",
            "directory",
            "spice agent",
            "spice guest",
            "a console",
            "vzsocketdevice",
            "vzstoragedevice",
            "vzexport",
            "usb controller",
            "vzusbcontroller",
            "usb device",
            "device uuid",
            "nsuuid uuid",
            "usb mass",
            "vzusbdevice",
            "virtio block",
            "device",
            "storage storage",
            "virtio console",
            "delegate object",
            "a class",
            "extra care",
            "virtio entropy",
            "nsstring name",
            "array",
            "virtio file",
            "system device",
            "discussion",
            "nsstring tag",
            "port",
            "bool isconsole",
            "a virtio",
            "virtio graphics",
            "virtio gpu",
            "virtio",
            "port array",
            "utf8",
            "virtio network",
            "macaddress",
            "virtio socket",
            "close",
            "does nothing",
            "virtio sound",
            "nsarray streams",
            "pointer",
            "device input",
            "a pcm",
            "audio stream",
            "source",
            "sink",
            "device output",
            "device stream",
            "memory balloon",
            "target memory",
            "return yes",
            "start",
            "stop",
            "usb xhci",
            "automatically",
            "nsview",
            "virtual machine",
            "cpucount",
            "verify",
            "apple swift",
            "o librarylevel",
            "swift",
            "cachingoptions",
            "vzaudiodevice",
            "vzdebugstub",
            "swiftname",
            "targetosiphone",
            "targetososx",
            "targetosios",
            "apple computer",
            "targetostv",
            "targetosvision",
            "targetostvos",
            "targetosxr",
            "vtbaseh",
            "vtint32point",
            "vtint32size",
            "iphonena",
            "apiunavailable",
            "vtexport const",
            "abstract",
            "cfstringref",
            "readwrite",
            "cfnumber",
            "cfboolean",
            "optional",
            "null",
            "macos",
            "cmnullable",
            "pass null",
            "call",
            "video toolbox",
            "contains",
            "cmtime duration",
            "cvimagebuffer",
            "vterrorsh",
            "cfoptions",
            "12914",
            "uint32",
            "osstatus",
            "12900",
            "12901",
            "12902",
            "12903",
            "17690",
            "vtexport",
            "encoder",
            "zero",
            "alpha",
            "requires",
            "cmsamplebuffer",
            "prototype",
            "osstatus status",
            "cfrelease",
            "cvpixelbuffer",
            "iosurface",
            "hdr metadata",
            "hdr per",
            "frame metadata",
            "cf type",
            "cfretain",
            "a mechanism",
            "cmbridgedtype",
            "interface",
            "specifies",
            "a reference",
            "pixel rotation",
            "session",
            "a pixel",
            "cf object",
            "vtframesilo",
            "returns",
            "vtframesiloh",
            "vtframesiloref",
            "pass",
            "pixel transfer",
            "vtexport void",
            "media extension",
            "video raw",
            "processors",
            "standard video",
            "metal device",
            "metal",
            "rawprocessors",
            "cfstring",
            "copy",
            "vtsessionh",
            "cfdictionaryref",
            "apis",
            "vtsessionref",
            "raw processor",
            "a cfdictionary",
            "cfswiftname",
            "vtutilitiesh",
            "cgimage",
            "builds",
            "cfarrayref",
            "raw processing",
            "list",
            "list element",
            "cfdictionaries",
            "skipper",
            "vdspdftexecute",
            "vdspdftexecuted",
            "vdspdftzop",
            "vdspfft16copv",
            "vdspfft16zopv",
            "vdspfft32copv",
            "vdspfft32zopv",
            "vdspbiquad",
            "vdspbiquadd",
            "vdspbiquadm",
            "project version",
            "created",
            "elana stettin",
            "apple",
            "swextern",
            "title",
            "typedef",
            "param",
            "nsstring title",
            "represents",
            "nsitemprovider",
            "const",
            "swhidden extern",
            "swdefines",
            "swextern extern",
            "sha256 hash",
            "merkle tree",
            "sociallayer",
            "swperson",
            "devin clary",
            "swaction",
            "sbappcontext",
            "sbapplocator",
            "sbapplication",
            "sbelementarray",
            "sbobject",
            "scriptingbridge",
            "objecttype",
            "finder",
            "bridge",
            "index",
            "apple event",
            "target",
            "urls",
            "locator",
            "scripting",
            "desctype",
            "receiver",
            "track",
            "code",
            "sccontentfilter",
            "bgra format",
            "rgha format",
            "const nonnull",
            "nserrorenum",
            "nsurl outputurl",
            "avfiletypempeg4",
            "provides",
            "scwindow",
            "scdisplay",
            "cgrect frame",
            "bool indicating",
            "pixel",
            "scstream",
            "control center",
            "takes",
            "cfdictionary",
            "rbhash",
            "initvmrandom",
            "initvmtranscode",
            "initarray",
            "initbarevm",
            "initbignum",
            "initcomplex",
            "initcont",
            "initdir",
            "initfile",
            "libxml",
            "require",
            "cfpropertylist",
            "xml parser",
            "libxmlparser",
            "xml file",
            "plist",
            "cfplisterror",
            "exception",
            "format error",
            "easy",
            "kruse",
            "mit license",
            "standarderror",
            "cfformaterror",
            "cftypeerror",
            "nokogiri",
            "parserinterface",
            "cftype",
            "cfdate",
            "cfinteger",
            "blob",
            "ruby string",
            "uidfixnum",
            "ruby integer",
            "date",
            "format constant",
            "formatbinary",
            "formatxml",
            "magicnumber",
            "enumerator",
            "cfdata",
            "ruby",
            "example",
            "john",
            "path",
            "plainparser",
            "ascii",
            "cfreal",
            "importplain",
            "escapechar",
            "read",
            "length",
            "utf16be",
            "cfarray",
            "offsetsize",
            "integer",
            "rexml",
            "rexmlparser",
            "float",
            "appledtd plist",
            "dom node",
            "prefix",
            "config",
            "item",
            "bindir",
            "libruby",
            "rubypath",
            "fileoperations",
            "arch",
            "installer",
            "template",
            "install",
            "major",
            "yesno",
            "todo",
            "kwargs",
            "makefiles",
            "miniportile",
            "cmakecmd",
            "configure",
            "cmakefile",
            "cmake",
            "keyringname",
            "debug",
            "targetos",
            "ldflags",
            "gpgexe",
            "digest",
            "stdout",
            "patch",
            "installerror",
            "savefile",
            "task",
            "packages",
            "dlext",
            "minero aoki",
            "rubyversion",
            "loaderror",
            "sqlite3",
            "was sqlite3",
            "apiobjects",
            "database",
            "pragmas",
            "resultset",
            "sqlite3ruby faq",
            "sqliteruby faq",
            "value klass",
            "qnil",
            "sqliteok",
            "sqliteerror",
            "sqliteinternal",
            "sqliteperm",
            "sqliteabort",
            "sqlitebusy",
            "sqlitelocked",
            "datagetstruct",
            "int2num",
            "main",
            "done",
            "stringvalueptr",
            "note",
            "sqlite3ruby",
            "sqlite3rubyptr",
            "unused",
            "gnuc",
            "lclint",
            "usasciip",
            "utf8p",
            "utf16lep",
            "utf16le",
            "utf16bep",
            "sqlite3stmtruby",
            "rubyplatform",
            "darwin",
            "rcarchs",
            "libpkgconfig",
            "pkgconfigpath",
            "pkgconf",
            "mswin",
            "cflags",
            "install sqlite3",
            "int2fix",
            "rbignumlen",
            "sizeofbdigits",
            "charbit",
            "bdigit",
            "bmax",
            "value unused",
            "sqliteopenuri",
            "open",
            "requireopendb",
            "nilp",
            "qtrue",
            "id2sym",
            "requireopenstmt",
            "donep",
            "rstringlen",
            "num2int",
            "attrs",
            "deal",
            "xsd module",
            "xmlparser",
            "nokogiri xml",
            "simply",
            "rubyengine",
            "slop decorator",
            "css3 selector",
            "xpath",
            "nokogiri class",
            "parse",
            "html",
            "xml document",
            "0x30",
            "0x41",
            "0x61",
            "gumbogentable",
            "gumboasciicntrl",
            "gumboasciispace",
            "gumboasciidigit",
            "constfn",
            "gumboasciih",
            "gumboasciialpha",
            "gumboasciialnum",
            "c0 control",
            "gumbocharrefh",
            "gumboattributeh",
            "gumboattribute",
            "craig barnes",
            "google inc",
            "as is",
            "basis",
            "or conditions",
            "any kind",
            "gumboerrorh",
            "gumbotag",
            "additional",
            "gumbovector",
            "encoding",
            "gumboerrparser",
            "gumboerrortype",
            "html tag",
            "minwordlength",
            "maxwordlength",
            "maxhashvalue",
            "ansic code",
            "m100 n",
            "computed",
            "totalkeywords",
            "minhashvalue",
            "doctype",
            "capacity",
            "doctype system",
            "sourcelength",
            "sourcetext",
            "silence",
            "html5",
            "a struct",
            "text",
            "gumbo",
            "gumboh",
            "anything",
            "gumboparserh",
            "output",
            "library",
            "oopstyle",
            "gumboparser",
            "const localname",
            "string",
            "ietfdtd html",
            "w3cdtd html",
            "level",
            "html strict",
            "terminator",
            "final",
            "buffer",
            "gnucatleast",
            "hasattribute",
            "macrosh",
            "printf",
            "returnsnonnull",
            "win32",
            "unusedifndebug",
            "malloc",
            "pure",
            "m100",
            "gumbotaglookuph",
            "gumbotag tag",
            "taghashslot",
            "gumbotagunknown",
            "gumbotokentypeh",
            "gumbotokencdata",
            "gumbotokennull",
            "gumbotokeneof",
            "gumbotokentype",
            "gumbotaglast",
            "position",
            "gumbotokenizerh",
            "struct",
            "gumbotoken",
            "spec",
            "stack",
            "emittoken",
            "continue",
            "current",
            "utf8iterator",
            "utf8accept",
            "parser",
            "html5 spec",
            "rest",
            "gumboutf8h",
            "unicode code",
            "html5 parser",
            "utf8 decoding",
            "func",
            "gumbodebug",
            "gumboutilh",
            "utility",
            "debug wrapper",
            "script",
            "attribute value",
            "comment end",
            "doctype name",
            "cdata section",
            "rcdata end",
            "rawtext end",
            "initialcapacity",
            "gumboalloc",
            "vector",
            "memmove",
            "gumbovectorh",
            "initializes",
            "ownership",
            "stringvaluecstr",
            "rtest",
            "xmlchar",
            "html document",
            "nokogiristrnew2",
            "html4",
            "value get",
            "qfalse",
            "a list",
            "value list",
            "attrsdepr",
            "attrsopt",
            "chunk",
            "pushparser",
            "xmlsax",
            "value chunk",
            "w3c dom",
            "xmlelementnode",
            "finds",
            "qundef",
            "value val",
            "value args",
            "value exc",
            "libxml2patches",
            "rbconfig",
            "packagerootdir",
            "cppflags",
            "libs",
            "dldflags",
            "nokogiri test",
            "attributedecl",
            "defaultvalue",
            "atype",
            "tree",
            "ctxt",
            "noreturn",
            "xmldocptr doc",
            "private",
            "nokogirinative",
            "nokogiristrnew",
            "xmldoc",
            "value setvalue",
            "value content",
            "xmlchar value",
            "xmlnode cur",
            "content",
            "cdata",
            "cdata element",
            "value argv",
            "value rbnode",
            "document",
            "value document",
            "value getname",
            "pcdata",
            "element",
            "mult",
            "datawrapstruct",
            "value ctxtval",
            "mydoc",
            "userdata",
            "encodinghandler",
            "value key",
            "delete",
            "elementdecl",
            "id iddocument",
            "etype",
            "value prefix",
            "orig",
            "externalid",
            "systemid",
            "nodenr",
            "xmlnodeset",
            "nodeset",
            "nodetab",
            "xmldtd",
            "value hash",
            "publicid",
            "notation",
            "hash",
            "rbfuncall",
            "parseargs",
            "xmlnode",
            "without",
            "href",
            "xmlns",
            "namespace node",
            "nodes",
            "value rbreader",
            "relaxng schema",
            "relaxng",
            "value name",
            "nokogirisaxself",
            "rbivget",
            "rbstrorqnil",
            "xmlchar name",
            "xmlparserctxt",
            "text element",
            "value string",
            "schema",
            "xmlschema",
            "context",
            "stringval",
            "wrapper",
            "emp0001n",
            "emp0002n",
            "xslt",
            "handler",
            "handlerstate",
            "checktype",
            "tarray",
            "id documentid",
            "comment element",
            "node",
            "first",
            "prop",
            "typeerror",
            "gc",
            "pkpublicchannel",
            "pkpushpayload",
            "pkpushregistry",
            "pkpushtypevoip",
            "pushkit",
            "object",
            "pkpushtype type",
            "forward",
            "http",
            "apple push",
            "pkexport extern",
            "nsstringenum",
            "payload data",
            "voip",
            "json format",
            "callkit",
            "pkpushtype",
            "framework",
            "apps",
            "push",
            "odsessioncreate",
            "odattributemap",
            "odconfiguration",
            "odcontext",
            "odmappings",
            "odmoduleentry",
            "odnode",
            "odquery",
            "odrecord",
            "odrecordmap",
            "nsavailablemac",
            "original code",
            "nsstring value",
            "custom",
            "modifications",
            "apple public",
            "source license",
            "of any",
            "nsavailable",
            "nsrunloop",
            "objc",
            "sets",
            "odsession",
            "sfauthorization",
            "will",
            "odsessionref",
            "cfexport",
            "odqueryref",
            "odnoderef",
            "cfexport bool",
            "odrecordref",
            "cfdataref",
            "cfexport const",
            "utf8 encoding",
            "odattributetype",
            "odrecordtype",
            "attribute type",
            "local",
            "realm",
            "cftyperef",
            "odnodegetdsref",
            "odnodegettypeid",
            "odrecorddelete",
            "odtriggercancel",
            "odnodeinit",
            "odquerycreate",
            "odqueryinit",
            "odsessioninit",
            "albuffer3i",
            "albufferdata",
            "albufferf",
            "albufferfv",
            "albufferi",
            "albufferiv",
            "aldistancemodel",
            "aldopplerfactor",
            "algetbooleanv",
            "algetbuffer3f",
            "alcapi",
            "alcapientry",
            "alcboolean",
            "targetosmac",
            "alcdevice",
            "alcenum param",
            "alalch",
            "alcchar",
            "alcsizei",
            "capture",
            "alenum param",
            "alapi",
            "aluint sid",
            "alfloat",
            "aluint bid",
            "alsizei",
            "alint",
            "alfloat value",
            "alapientry",
            "aluint",
            "play",
            "speed",
            "bits",
            "alutapi alvoid",
            "alvoid data",
            "alsizei size",
            "alsizei freq",
            "gnu library",
            "general public",
            "aluth",
            "alenum format",
            "openalopenalh",
            "umbrella header",
            "alvoid",
            "openal",
            "alvoid nonnull",
            "alenum",
            "roger beep",
            "sendable",
            "preconcurrency",
            "rawvalue",
            "network import",
            "failure",
            "service",
            "must",
            "number",
            "stride",
            "brief",
            "descriptor",
            "matrix",
            "mtlpackedfloat3",
            "infinity",
            "metalversion",
            "minimum point",
            "maximum point",
            "interpolation",
            "translation",
            "offset",
            "acceleration",
            "declare",
            "prior",
            "insert",
            "nonnull",
            "nsrange",
            "mtldevice",
            "t argname",
            "mtlstructtype",
            "mtlarraytype",
            "mtltype",
            "mtlpointertype",
            "instance",
            "methodkind",
            "swiftprivate",
            "mtlbuffer",
            "nullability",
            "mtlcommandqueue",
            "mtlresource",
            "mtlresidencyset",
            "command encoder",
            "individual",
            "mtlexport",
            "xcode",
            "gpu trace",
            "apideprecated",
            "mtlcapturescope",
            "remarks",
            "mtlallocation",
            "metal command",
            "mtldispatchtype",
            "mtlorigin",
            "mtlsize",
            "mtlblitoption",
            "flush",
            "gpu work",
            "marks",
            "specify",
            "mtlinline",
            "mtlintern",
            "stdcversion",
            "mtlextern",
            "definition",
            "inline",
            "nsstring label",
            "stencil",
            "defaults",
            "allocate",
            "typical",
            "nsprocessinfo",
            "mtldrawable",
            "present",
            "cftimeinterval",
            "gpustarttime",
            "gpuendtime",
            "mtlcountersh",
            "mtlcounter",
            "mtlcounterset",
            "mtllibrary",
            "a container",
            "mtlfence",
            "mtldatatype",
            "default usage",
            "mtlfunction",
            "mtllogcontainer",
            "mtlsharedevent",
            "mtlevent",
            "synchronously",
            "a function",
            "cpu cache",
            "requiredsize",
            "behavior",
            "mtlheap",
            "query device",
            "dispatch",
            "metal shading",
            "language guide",
            "raytriangle",
            "vends",
            "groups",
            "encodes",
            "mtliofilehandle",
            "mtlextern sizet",
            "mtlextern void",
            "mtlstoreaction",
            "mtlloglevel",
            "enum",
            "mtlmutability",
            "astcetc2bc",
            "normal",
            "astc",
            "clamptoedge",
            "depth",
            "mtlcoordinate2d",
            "nsnumber",
            "controls",
            "mtlclearcolor",
            "adds",
            "mtlregion",
            "cpu mapping",
            "mtltexture",
            "mtlindextype",
            "filter option",
            "clamp",
            "mtlrenderstages",
            "draw",
            "mtlstepfunction",
            "vertex",
            "compute",
            "gpu resource",
            "nsuinteger x",
            "identify",
            "nsuinteger y",
            "nsuinteger z",
            "mtlsize size",
            "mtlvertexformat",
            "nsuintegermax",
            "mtlpixelformat",
            "mtltexturetype",
            "slice",
            "swiftui",
            "coregraphics",
            "swift import",
            "previewregistry",
            "libraryitem",
            "category",
            "dict",
            "apple root",
            "code signing",
            "public",
            "uus10u",
            "GUANGZHOU FIVE SIX TECHNOLOGY",
            "Havana Syndrome",
            "Aishah Lazim",
            "Al-Arqam",
            "Brooklyn"
          ],
          "references": [
            "httpd.exp",
            "metadata.json",
            "add-class.tmpl",
            "choose-make.tmpl",
            "choose-model.tmpl",
            "choose-device.tmpl",
            "add-printer.tmpl",
            "choose-serial.tmpl",
            "class-added.tmpl",
            "choose-uri.tmpl",
            "class-confirm.tmpl",
            "admin.tmpl",
            "class-deleted.tmpl",
            "class-modified.tmpl",
            "classes-header.tmpl",
            "command.tmpl",
            "classes.tmpl",
            "edit-config.tmpl",
            "error-op.tmpl",
            "class-jobs-header.tmpl",
            "error.tmpl",
            "header.tmpl",
            "help-header.tmpl",
            "help-printable.tmpl",
            "help-trailer.tmpl",
            "job-hold.tmpl",
            "class.tmpl",
            "job-cancel.tmpl",
            "job-move.tmpl",
            "job-moved.tmpl",
            "job-release.tmpl",
            "job-restart.tmpl",
            "list-available-printers.tmpl",
            "jobs.tmpl",
            "norestart.tmpl",
            "option-boolean.tmpl",
            "option-header.tmpl",
            "option-conflict.tmpl",
            "option-pickmany.tmpl",
            "option-pickone.tmpl",
            "modify-printer.tmpl",
            "option-trailer.tmpl",
            "pager.tmpl",
            "printer-cancel-jobs.tmpl",
            "printer-added.tmpl",
            "printer-accept.tmpl",
            "printer-configured.tmpl",
            "printer-default.tmpl",
            "printer-confirm.tmpl",
            "printer-deleted.tmpl",
            "printer-jobs-header.tmpl",
            "printer-modified.tmpl",
            "jobs-header.tmpl",
            "printer-stop.tmpl",
            "modify-class.tmpl",
            "printer-reject.tmpl",
            "printers-header.tmpl",
            "printer-start.tmpl",
            "printer.tmpl",
            "printers.tmpl",
            "set-printer-options-trailer.tmpl",
            "test-page.tmpl",
            "restart.tmpl",
            "users.tmpl",
            "set-printer-options-header.tmpl",
            "search.tmpl",
            "trailer.tmpl",
            "font.defs",
            "hp.h",
            "epson.h",
            "label.h",
            "raster.defs",
            "media.defs",
            "apple.types",
            "apple.convs",
            "mime.convs",
            "mime.types",
            "cancel-current-job.test",
            "create-job-sheets.test",
            "create-job.test",
            "create-job-format.test",
            "create-job-timeout.test",
            "create-printer-subscription.test",
            "cups-create-local-printer.test",
            "fax-job.test",
            "get-completed-jobs.test",
            "get-devices.test",
            "get-job-attributes.test",
            "get-job-attributes2.test",
            "get-notifications.test",
            "get-jobs.test",
            "get-job-template-attributes.test",
            "get-ppd-printer.test",
            "get-ppds-drv-only.test",
            "get-ppd.test",
            "get-ppds-make-and-model.test",
            "get-ppds-make.test",
            "get-ppds-product.test",
            "get-ppds-psversion.test",
            "get-ppds-language.test",
            "get-printer-description-attributes.test",
            "get-ppds.test",
            "get-printer-attributes.test",
            "get-subscriptions.test",
            "identify-printer-display.test",
            "get-printers-printer-id.test",
            "identify-printer-multiple.test",
            "get-printers.test",
            "identify-printer.test",
            "get-printer-attributes-suite.test",
            "ipp-2.0.test",
            "ipp-2.2.test",
            "ipp-backend.test",
            "ipp-2.1.test",
            "print-job-and-wait.test",
            "print-job-deflate.test",
            "print-job-hold.test",
            "print-job-gzip.test",
            "ipp-1.1.test",
            "print-job-manual.test",
            "print-job-password.test",
            "print-job.test",
            "print-job-media-col.test",
            "print-uri.test",
            "print-job-letter.test",
            "set-attrs-hold.test",
            "validate-job.test",
            "ipp-everywhere.test",
            "sample.drv",
            "testprint",
            "classified",
            "standard",
            "topsecret",
            "secret",
            "confidential",
            "unclassified",
            "ntp_opendirectory.conf",
            "ntp.conf",
            "notify.conf",
            "nfs.conf",
            "nsmb.conf",
            "xtab",
            "6015FED9-D723-4332-87D9-C478CF341407.aamdownload",
            "AuraService-fda-test",
            "com.adobe.acrobat.rna.AcroCefBrowserLock.DC",
            "ExmanProcessMutex",
            "proxy.xml",
            "A53749AF-3855-4842-A1E7-4AEFA60BD2AC",
            "XPdb-wal",
            "VZBootLoader.h",
            "VZAudioInputStreamSource.h",
            "VZBridgedNetworkDeviceAttachment.h",
            "VZAudioOutputStreamSink.h",
            "VZBridgedNetworkInterface.h",
            "VZConsoleDeviceConfiguration.h",
            "VZConsoleDevice.h",
            "VZConsolePortConfiguration.h",
            "VZDirectorySharingDevice.h",
            "VZDirectoryShare.h",
            "VZDefines.h",
            "VZDiskImageStorageDeviceAttachment.h",
            "VZDiskSynchronizationMode.h",
            "VZDiskBlockDeviceStorageDeviceAttachment.h",
            "Virtualization.h",
            "VZDirectorySharingDeviceConfiguration.h",
            "VZEntropyDeviceConfiguration.h",
            "VZEFIBootLoader.h",
            "VZError.h",
            "VZEFIVariableStore.h",
            "VZFileHandleNetworkDeviceAttachment.h",
            "VZFileHandleSerialPortAttachment.h",
            "VZFileSerialPortAttachment.h",
            "VZGraphicsDevice.h",
            "VZGenericPlatformConfiguration.h",
            "VZGenericMachineIdentifier.h",
            "VZGraphicsDeviceConfiguration.h",
            "VZGraphicsDisplayConfiguration.h",
            "VZHostAudioOutputStreamSink.h",
            "VZKeyboardConfiguration.h",
            "VZHostAudioInputStreamSource.h",
            "VZGraphicsDisplay.h",
            "VZAudioDeviceConfiguration.h",
            "VZLinuxRosettaUnixSocketCachingOptions.h",
            "VZLinuxRosettaAbstractSocketCachingOptions.h",
            "VZLinuxRosettaDirectoryShare.h",
            "VZMACAddress.h",
            "VZLinuxBootLoader.h",
            "VZMacGraphicsDevice.h",
            "VZMacGraphicsDisplay.h",
            "VZMacGraphicsDeviceConfiguration.h",
            "VZMacHardwareModel.h",
            "VZMacKeyboardConfiguration.h",
            "VZMacMachineIdentifier.h",
            "VZMacOSBootLoader.h",
            "VZLinuxRosettaCachingOptions.h",
            "VZMacOSInstaller.h",
            "VZMacOSVirtualMachineStartOptions.h",
            "VZMacOSRestoreImage.h",
            "VZMacTrackpadConfiguration.h",
            "VZMacOSConfigurationRequirements.h",
            "VZMemoryBalloonDevice.h",
            "VZMemoryBalloonDeviceConfiguration.h",
            "VZMacAuxiliaryStorage.h",
            "VZMultipleDirectoryShare.h",
            "VZMacPlatformConfiguration.h",
            "VZNetworkDevice.h",
            "VZNetworkBlockDeviceStorageDeviceAttachment.h",
            "VZNATNetworkDeviceAttachment.h",
            "VZNetworkDeviceAttachment.h",
            "VZPlatformConfiguration.h",
            "VZPointingDeviceConfiguration.h",
            "VZNetworkDeviceConfiguration.h",
            "VZSharedDirectory.h",
            "VZSerialPortAttachment.h",
            "VZNVMExpressControllerDeviceConfiguration.h",
            "VZMacGraphicsDisplayConfiguration.h",
            "VZSerialPortConfiguration.h",
            "VZSingleDirectoryShare.h",
            "VZSpiceAgentPortAttachment.h",
            "VZSocketDeviceConfiguration.h",
            "VZSocketDevice.h",
            "VZStorageDevice.h",
            "VZStorageDeviceAttachment.h",
            "VZStorageDeviceConfiguration.h",
            "VZUSBControllerConfiguration.h",
            "VZUSBDeviceConfiguration.h",
            "VZUSBMassStorageDevice.h",
            "VZUSBKeyboardConfiguration.h",
            "VZUSBController.h",
            "VZUSBDevice.h",
            "VZVirtioBlockDeviceConfiguration.h",
            "VZUSBScreenCoordinatePointingDeviceConfiguration.h",
            "VZUSBMassStorageDeviceConfiguration.h",
            "VZVirtioConsoleDevice.h",
            "VZVirtioConsoleDeviceConfiguration.h",
            "VZVirtioConsoleDeviceSerialPortConfiguration.h",
            "VZVirtioEntropyDeviceConfiguration.h",
            "VZVirtioConsolePort.h",
            "VZVirtioConsolePortConfigurationArray.h",
            "VZVirtioFileSystemDevice.h",
            "VZVirtioConsolePortConfiguration.h",
            "VZVirtioGraphicsDevice.h",
            "VZVirtioGraphicsDeviceConfiguration.h",
            "VZVirtioGraphicsScanout.h",
            "VZVirtioGraphicsScanoutConfiguration.h",
            "VZVirtioConsolePortArray.h",
            "VZVirtioFileSystemDeviceConfiguration.h",
            "VZVirtioNetworkDeviceConfiguration.h",
            "VZVirtioSocketConnection.h",
            "VZVirtioSocketDevice.h",
            "VZVirtioSoundDeviceConfiguration.h",
            "VZVirtioSocketListener.h",
            "VZVirtioSoundDeviceInputStreamConfiguration.h",
            "VZVirtioSocketDeviceConfiguration.h",
            "VZVirtioSoundDeviceOutputStreamConfiguration.h",
            "VZVirtioSoundDeviceStreamConfiguration.h",
            "VZVirtioTraditionalMemoryBalloonDeviceConfiguration.h",
            "VZVirtualMachineDelegate.h",
            "VZVirtualMachineStartOptions.h",
            "VZVirtioTraditionalMemoryBalloonDevice.h",
            "VZVirtualMachine.h",
            "VZXHCIControllerConfiguration.h",
            "VZVirtualMachineView.h",
            "VZVirtualMachineConfiguration.h",
            "VZXHCIController.h",
            "x86_64-apple-macos.swiftinterface",
            "arm64e-apple-macos.swiftinterface",
            "module.modulemap",
            "Virtualization.tbd",
            "VideoToolbox.apinotes",
            "VideoToolbox.h",
            "VTBase.h",
            "VTDecompressionProperties.h",
            "VTCompressionSession.h",
            "VTErrors.h",
            "VTCompressionProperties.h",
            "VTDecompressionSession.h",
            "VTHDRPerFrameMetadataGenerationSession.h",
            "VTMultiPassStorage.h",
            "VTPixelRotationSession.h",
            "VTFrameSilo.h",
            "VTPixelRotationProperties.h",
            "VTPixelTransferSession.h",
            "VTProfessionalVideoWorkflow.h",
            "VTRAWProcessingProperties.h",
            "VTPixelTransferProperties.h",
            "VTSession.h",
            "VTUtilities.h",
            "VTVideoEncoderList.h",
            "VTRAWProcessingSession.h",
            "libvDSP.tbd",
            "SharedWithYouCore.h",
            "SWAction.h",
            "SWCollaborationActionHandler.h",
            "SWCollaborationCoordinator.h",
            "SWCollaborationMetadata.h",
            "SWCollaborationOption.h",
            "SWCollaborationOptionsPickerGroup.h",
            "SWCollaborationOptionsGroup.h",
            "SWCollaborationShareOptions.h",
            "SWDefines.h",
            "SWPersonIdentity.h",
            "SWPerson.h",
            "SWStartCollaborationAction.h",
            "SWPersonIdentityProof.h",
            "SWUpdateCollaborationParticipantsAction.h",
            "SharedWithYouCore.tbd",
            "ScriptingBridge.tbd",
            "SBElementArray.h",
            "ScriptingBridge.apinotes",
            "ScriptingBridge.h",
            "SBApplication.h",
            "SBObject.h",
            "SCScreenshotManager.h",
            "SCError.h",
            "SCRecordingOutput.h",
            "ScreenCaptureKit.h",
            "SCShareableContent.h",
            "SCContentSharingPicker.h",
            "SCStream.h",
            "Ruby.tbd",
            "rbLibXMLParser.rb",
            "rbCFPlistError.rb",
            "rbNokogiriParser.rb",
            "rbCFTypes.rb",
            "rbCFPropertyList.rb",
            "rbPlainCFPropertyList.rb",
            "rbBinaryCFPropertyList.rb",
            "rbREXMLParser.rb",
            "cfpropertylist.rb",
            "setup.rb",
            "libxml.rb",
            "xml.rb",
            "mini_portile_cmake.rb",
            "version.rb",
            "mini_portile.rb",
            "sqlite3.rb",
            "faq.rb",
            "exception.c",
            "backup.h",
            "backup.c",
            "database.h",
            "exception.h",
            "sqlite3_ruby.h",
            "statement.h",
            "extconf.rb",
            "sqlite3.c",
            "database.c",
            "statement.c",
            "nokogiri.rb",
            "ascii.c",
            "ascii.h",
            "char_ref.h",
            "attribute.h",
            "attribute.c",
            "error.h",
            "foreign_attrs.c",
            "insertion_mode.h",
            "error.c",
            "gumbo.h",
            "parser.h",
            "replacement.h",
            "parser.c",
            "string_buffer.h",
            "string_buffer.c",
            "string_piece.c",
            "macros.h",
            "svg_attrs.c",
            "tag_lookup.h",
            "svg_tags.c",
            "tag_lookup.c",
            "token_type.h",
            "tag.c",
            "token_buffer.h",
            "token_buffer.c",
            "tokenizer.h",
            "tokenizer.c",
            "utf8.c",
            "utf8.h",
            "util.c",
            "util.h",
            "tokenizer_states.h",
            "vector.c",
            "vector.h",
            "html4_document.c",
            "html4_entity_lookup.c",
            "html4_element_description.c",
            "html4_sax_push_parser.c",
            "libxml2_backwards_compat.c",
            "nokogiri.c",
            "test_global_handlers.c",
            "xml_attribute_decl.c",
            "nokogiri.h",
            "xml_attr.c",
            "xml_cdata.c",
            "xml_document_fragment.c",
            "xml_document.c",
            "xml_element_content.c",
            "html4_sax_parser_context.c",
            "xml_encoding_handler.c",
            "xml_element_decl.c",
            "xml_entity_decl.c",
            "xml_node_set.c",
            "xml_dtd.c",
            "gumbo.c",
            "xml_namespace.c",
            "xml_processing_instruction.c",
            "xml_reader.c",
            "xml_relax_ng.c",
            "xml_entity_reference.c",
            "xml_sax_parser.c",
            "xml_sax_push_parser.c",
            "xml_sax_parser_context.c",
            "xml_text.c",
            "xml_schema.c",
            "xml_xpath_context.c",
            "xslt_stylesheet.c",
            "xml_syntax_error.c",
            "xml_comment.c",
            "xml_node.c",
            "PushKit.tbd",
            "PKPushCredentials.h",
            "PKDefines.h",
            "PKPushPayload.h",
            "PushKit.h",
            "PKPushRegistry.h",
            "PushKit.apinotes",
            "OpenDirectory.tbd",
            "ODAttributeMap.h",
            "ODMappings.h",
            "NSOpenDirectory.h",
            "ODConfiguration.h",
            "ODQuery.h",
            "ODNode.h",
            "OpenDirectory.h",
            "ODRecordMap.h",
            "ODSession.h",
            "ODModuleEntry.h",
            "ODRecord.h",
            "CFODContext.h",
            "CFODSession.h",
            "CFOpenDirectory.h",
            "CFODQuery.h",
            "CFODNode.h",
            "CFODRecord.h",
            "CFOpenDirectoryConstants.h",
            "CFOpenDirectory.tbd",
            "OpenAL.tbd",
            "alc.h",
            "al.h",
            "alut.h",
            "OpenAL.h",
            "MacOSX_OALExtensions.h",
            "arm64e-apple-ios-macabi.swiftinterface",
            "x86_64-apple-ios-macabi.swiftinterface",
            "SwiftUI.swiftoverlay",
            "MTLAccelerationStructure.h",
            "Metal.h",
            "MTLAccelerationStructureTypes.h",
            "MTLAccelerationStructureCommandEncoder.h",
            "MTLArgumentEncoder.h",
            "MTLArgument.h",
            "MTLBinaryArchive.h",
            "Metal.apinotes",
            "MTLBlitPass.h",
            "MTLBuffer.h",
            "MTLCaptureManager.h",
            "MTLCaptureScope.h",
            "MTLAllocation.h",
            "MTLCommandEncoder.h",
            "MTLCommandBuffer.h",
            "MTLComputePass.h",
            "MTLBlitCommandEncoder.h",
            "MTLCommandQueue.h",
            "MTLDefines.h",
            "MTLDepthStencil.h",
            "MTLComputePipeline.h",
            "MTLDeviceCertification.h",
            "MTLDrawable.h",
            "MTLCounters.h",
            "MTLComputeCommandEncoder.h",
            "MTLDynamicLibrary.h",
            "MTLFence.h",
            "MTLFunctionConstantValues.h",
            "MTLFunctionDescriptor.h",
            "MTLFunctionLog.h",
            "MTLFunctionHandle.h",
            "MTLEvent.h",
            "MTLFunctionStitching.h",
            "MTLHeap.h",
            "MTLDevice.h",
            "MTLIndirectCommandBuffer.h",
            "MTLIntersectionFunctionTable.h",
            "MTLIOCommandQueue.h",
            "MTLLinkedFunctions.h",
            "MTLIOCommandBuffer.h",
            "MTLIOCompressor.h",
            "MTLParallelRenderCommandEncoder.h",
            "MTLLogState.h",
            "MTLPipeline.h",
            "MTLLibrary.h",
            "MTLPixelFormat.h",
            "MTLRasterizationRate.h",
            "MTLRenderPass.h",
            "MTLRenderPipeline.h",
            "MTLResidencySet.h",
            "MTLResourceStateCommandEncoder.h",
            "MTLResourceStatePass.h",
            "MTLResource.h",
            "MTLIndirectCommandEncoder.h",
            "MTLSampler.h",
            "MTLRenderCommandEncoder.h",
            "MTLStageInputOutputDescriptor.h",
            "MTLVisibleFunctionTable.h",
            "MTLTypes.h",
            "MTLVertexDescriptor.h",
            "MTLTexture.h",
            "WebKit.arm64e.bridgesupport",
            "WebKit.bridgesupport"
          ],
          "public": 1,
          "adversary": "DragonForce Hacker Group Malaysia",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "VZBootLoader",
              "display_name": "VZBootLoader",
              "target": null
            },
            {
              "id": "TypeError",
              "display_name": "TypeError",
              "target": null
            },
            {
              "id": "GC",
              "display_name": "GC",
              "target": null
            },
            {
              "id": "CFTypeRef",
              "display_name": "CFTypeRef",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1123",
              "name": "Audio Capture",
              "display_name": "T1123 - Audio Capture"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1485",
              "name": "Data Destruction",
              "display_name": "T1485 - Data Destruction"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            },
            {
              "id": "T1135",
              "name": "Network Share Discovery",
              "display_name": "T1135 - Network Share Discovery"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1569",
              "name": "System Services",
              "display_name": "T1569 - System Services"
            },
            {
              "id": "T1016",
              "name": "System Network Configuration Discovery",
              "display_name": "T1016 - System Network Configuration Discovery"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1124",
              "name": "System Time Discovery",
              "display_name": "T1124 - System Time Discovery"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1550",
              "name": "Use Alternate Authentication Material",
              "display_name": "T1550 - Use Alternate Authentication Material"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            },
            {
              "id": "T1219",
              "name": "Remote Access Software",
              "display_name": "T1219 - Remote Access Software"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1134",
              "name": "Access Token Manipulation",
              "display_name": "T1134 - Access Token Manipulation"
            },
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            }
          ],
          "industries": [
            "Media"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 49,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "ravescoutllc.",
            "id": "288912",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 346,
            "FileHash-SHA256": 272,
            "domain": 110,
            "hostname": 101,
            "email": 1,
            "CVE": 2,
            "FileHash-SHA1": 1
          },
          "indicator_count": 833,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 34,
          "modified_text": "527 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66f100d791f9f9f6ab7b4f24",
          "name": "Cerber \u00bb Charter Communications \u00bb Spectrum Denver",
          "description": "[107.14.73.70] IP address range owned by Charter Communications Inc and located in Denver, CO, United States.\n\nTargets & family neighborhood ISPs attacked again. Internet and targets' devices attacked, Internet had to be reset twice by tech teams. Our team was able to track compromises directed towards target's and family's devices, which they are destroying. Stolen passwords, leaks, forced content, dumping. Both Spectrum & Quantum fiber positive for malicious activity within targeted devices. Fake iOS update pushed to a device. It comes with an agreement from Apple Singapore, LTD.\n\nMalware Families:\nBackdoor:Win32/Tofsee,\nCerber Ransomware,\nET,\nETPRO,\nInject3.QGY,\nKelihos,\nNIDS,\nNOD32,\nSf:ShellCode-AU\\ [Trj],\nTrojan:Win32/Glupteba,\nTrojanDownloader:Win32/Cutwail,\nVirTool:Win32/Obfuscator",
          "modified": "2024-10-23T05:03:21.045000",
          "created": "2024-09-23T05:47:03.625000",
          "tags": [
            "isp charter",
            "usage type",
            "fixed line",
            "isp hostname",
            "domain name",
            "country united",
            "america city",
            "denver",
            "colorado",
            "ip address",
            "whois",
            "check",
            "information isp",
            "inc usage",
            "type fixed",
            "line isp",
            "hostname",
            "plesk forum",
            "centos web",
            "panel forum",
            "whois lookup",
            "netrange",
            "nethandle",
            "net107",
            "net1070000",
            "cc3517",
            "inc orgid",
            "dr city",
            "stateprov",
            "postalcode",
            "status",
            "as7843 charter",
            "united",
            "name servers",
            "passive dns",
            "urls",
            "domain",
            "search",
            "emails",
            "unknown",
            "scan endpoints",
            "all scoreblue",
            "ipv4",
            "files",
            "reverse dns",
            "location united",
            "win32",
            "abuseipdb",
            "read",
            "write",
            "read c",
            "server header",
            "show",
            "suspicious",
            "kelihos",
            "trojan",
            "artemis",
            "virustotal",
            "download",
            "drweb",
            "vipre",
            "panda",
            "malware",
            "specified",
            "next",
            "et trojan",
            "et info",
            "medium",
            "http",
            "ids detections",
            "yara detections",
            "e98c1cec8156",
            "as11426 charter",
            "as20001 charter",
            "as11427 charter",
            "as11351 charter",
            "as16787 charter",
            "as33363 charter",
            "as20115 charter",
            "as10796 charter",
            "as12271 charter",
            "body",
            "servers",
            "all search",
            "entries",
            "intel",
            "ms windows",
            "windows nt",
            "destination",
            "port",
            "asnone",
            "heurunsec",
            "etpro trojan",
            "nxdomain",
            "a nxdomain",
            "aaaa",
            "asnone united",
            "aaaa nxdomain",
            "backdoor",
            "pulse submit",
            "url analysis",
            "location oxford",
            "as3456 charter",
            "moved",
            "showing",
            "body doctype",
            "html public",
            "ietfdtd html",
            "as6976 verizon",
            "as701 verizon",
            "file samples",
            "files matching",
            "date hash",
            "copyright",
            "levelblue",
            "related pulses",
            "pulse pulses",
            "kryptikpii",
            "msr apr",
            "date",
            "creation date",
            "analyzer paste",
            "iocs",
            "samples",
            "secure server",
            "cname",
            "as5742",
            "body head",
            "object moved",
            "content length",
            "content type",
            "cookie",
            "as15133 verizon",
            "lowfi",
            "gmt server",
            "ecacc",
            "record value",
            "oxford",
            "michigan",
            "ns nxdomain",
            "soa nxdomain",
            "url http",
            "mitre att",
            "evasion ta0005",
            "creates",
            "discovery t1082",
            "reads software",
            "file",
            "t1083 reads",
            "jujubox",
            "zenbox",
            "get http",
            "request",
            "host",
            "win64",
            "khtml",
            "gecko",
            "response",
            "cus cndigicert",
            "tls rsa",
            "user",
            "javascript c",
            "doscom c",
            "text c",
            "files c",
            "storage",
            "file system",
            "filesadobe c",
            "appdata",
            "appdatalocal",
            "hostnames",
            "ta0002 command",
            "t1059 very",
            "t1064",
            "javascript",
            "modules t1129",
            "ta0003 create",
            "modify system",
            "process t1543",
            "windows service",
            "cisco umbrella",
            "blacklist",
            "safe site",
            "filerepmalware",
            "microsoft",
            "phishing bank",
            "sgeneric",
            "malware site",
            "unsafe",
            "number",
            "cus cngts",
            "ogoogle trust",
            "subject",
            "algorithm",
            "cus ouserver",
            "ouserver ca",
            "record type",
            "ttl value",
            "msms86718722",
            "query",
            "open",
            "capa",
            "create process",
            "windows create",
            "delete file",
            "write file",
            "windows check",
            "os version",
            "enumerate",
            "hashes",
            "signals mutexes",
            "mutexes",
            "open threat",
            "location los",
            "emails info",
            "expiration date",
            "write c",
            "process32nextw",
            "regsetvalueexa",
            "regdword",
            "module load",
            "t1129",
            "as51167 contabo",
            "germany unknown",
            "as40021 contabo",
            "encrypt",
            "hosting",
            "netherlands asn",
            "as204601 zomro",
            "pulses",
            "tags",
            "related tags",
            "indicator facts",
            "historical otx",
            "files ip",
            "asnone germany",
            "as174 cogent",
            "czechia unknown",
            "whitelisted",
            "certificate",
            "bittorrent dht",
            "post http",
            "et p2p",
            "cryptexportkey",
            "invalid pointer",
            "delete c",
            "post utcore",
            "benchhttp",
            "mozilla",
            "maldoc",
            "service",
            "tools",
            "nids",
            "et",
            "regbinary",
            "stream",
            "persistence",
            "execution",
            "dynamicloader",
            "contacted",
            "domains",
            "yara rule",
            "high",
            "dynamic",
            "pcap",
            "pushdo",
            "msie",
            "activity beacon",
            "malware beacon",
            "default",
            "redacted for",
            "for privacy",
            "as3379 kaiser",
            "server",
            "gmt content",
            "type",
            "x frame",
            "entries http",
            "scans show",
            "domain related",
            "no data",
            "tag count",
            "fakedout threat",
            "analyzer threat",
            "url summary",
            "ip summary",
            "summary",
            "sample",
            "detection list",
            "components",
            "zune",
            "etpro",
            "nod32",
            "avast avg",
            "next http",
            "example domain",
            "title meta",
            "invalid url",
            "akamai",
            "urls http",
            "as20940",
            "as16625 akamai",
            "netherlands",
            "germany",
            "france",
            "virtool",
            "rock",
            "address",
            "apache",
            "accept",
            "as8075",
            "pulse http",
            "related nids",
            "files location",
            "moldova related",
            "pulses none",
            "as31898 oracle",
            "title",
            "kryptiklfq",
            "win32dh",
            "vitro",
            "shutdown",
            "erase",
            "find",
            "close",
            "as53418",
            "hat server",
            "as797 att",
            "script urls",
            "a domains",
            "as10753 level",
            "script script",
            "meta",
            "path",
            "null",
            "stop",
            "as54113",
            "chrome",
            "as7018 att",
            "as28521",
            "mexico unknown",
            "fastly error",
            "please",
            "sea p",
            "object",
            "set cookie",
            "pragma",
            "as19536 directv",
            "united kingdom",
            "as60664 xion",
            "trojan features",
            "moldova unknown",
            "susp",
            "breaking news",
            "business",
            "finance",
            "entertainment",
            "sports",
            "games",
            "trending videos",
            "weather",
            "home",
            "as396982 google",
            "url https",
            "type indicator",
            "role title",
            "added active",
            "cyberfolks",
            ".pl",
            "level 3"
          ],
          "references": [
            "ISP: Charter Communications Inc Usage Type\tFixed Line ISP",
            "dnvrco-pub-iedge-vip.email.rr.com \tspectrum.com Denver, Colorado USA",
            "dnscache2b.cdptpa dnvrco-oms2ims-mta-svip-01.email dnvrco-queue04-ac.email dnvrco-ring-a62.email dnvrco-smss-f01-ac.email dnvrco-west-dhcpw-02.",
            "Reverse DNS dnvrco-pub-iedge-vip.email.rr.com",
            "Crypt3.COYL FileHash - SHA256 cb536e2e5eb3b23a74702f80832ab964e7dfe07763300437b5ba581f464a108e",
            "IDS Detections: Suspicious double Server Header Possible Kelihos",
            "IDS Detections: Possible Kelihos Infection Executable Download With Malformed Header",
            "telemetry-incoming.r53-2.services.mozilla.com",
            "https://otx.alienvault.com/indicator/url/http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel",
            "http://www.door.net/ARISBE/arisbe.htm",
            "talk.plesk.com | 4evermusic.pl |  nist.gov | alaska.gov.inbound10.mxlogic.net | publicfiles.fcc.gov",
            "https://cdns.directv.com/resources/js/dtv/framework/plugins/jquery.placeholder.min.js | peri.com.pl"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Germany",
            "Hungary",
            "Ukraine",
            "Spain",
            "Brazil",
            "Russian Federation",
            "Moldova, Republic of",
            "Japan",
            "Ireland",
            "Luxembourg",
            "Canada"
          ],
          "malware_families": [
            {
              "id": "TrojanDownloader:Win32/Cutwail",
              "display_name": "TrojanDownloader:Win32/Cutwail",
              "target": "/malware/TrojanDownloader:Win32/Cutwail"
            },
            {
              "id": "Backdoor:Win32/Tofsee",
              "display_name": "Backdoor:Win32/Tofsee",
              "target": "/malware/Backdoor:Win32/Tofsee"
            },
            {
              "id": "Cerber Ransomware",
              "display_name": "Cerber Ransomware",
              "target": null
            },
            {
              "id": "NIDS",
              "display_name": "NIDS",
              "target": null
            },
            {
              "id": "ET",
              "display_name": "ET",
              "target": null
            },
            {
              "id": "Inject3.QGY",
              "display_name": "Inject3.QGY",
              "target": null
            },
            {
              "id": "Kelihos",
              "display_name": "Kelihos",
              "target": null
            },
            {
              "id": "ETPRO",
              "display_name": "ETPRO",
              "target": null
            },
            {
              "id": "NOD32",
              "display_name": "NOD32",
              "target": null
            },
            {
              "id": "VirTool:Win32/Obfuscator",
              "display_name": "VirTool:Win32/Obfuscator",
              "target": "/malware/VirTool:Win32/Obfuscator"
            },
            {
              "id": "Sf:ShellCode-AU\\ [Trj]",
              "display_name": "Sf:ShellCode-AU\\ [Trj]",
              "target": null
            },
            {
              "id": "Trojan:Win32/Glupteba",
              "display_name": "Trojan:Win32/Glupteba",
              "target": "/malware/Trojan:Win32/Glupteba"
            }
          ],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1064",
              "name": "Scripting",
              "display_name": "T1064 - Scripting"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1023",
              "name": "Shortcut Modification",
              "display_name": "T1023 - Shortcut Modification"
            },
            {
              "id": "T1040",
              "name": "Network Sniffing",
              "display_name": "T1040 - Network Sniffing"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1031",
              "name": "Modify Existing Service",
              "display_name": "T1031 - Modify Existing Service"
            },
            {
              "id": "T1089",
              "name": "Disabling Security Tools",
              "display_name": "T1089 - Disabling Security Tools"
            },
            {
              "id": "T1096",
              "name": "NTFS File Attributes",
              "display_name": "T1096 - NTFS File Attributes"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 37,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 2060,
            "hostname": 3067,
            "CIDR": 4,
            "URL": 1300,
            "email": 29,
            "FileHash-MD5": 3181,
            "FileHash-SHA1": 1994,
            "FileHash-SHA256": 3228,
            "CVE": 2,
            "SSLCertFingerprint": 1
          },
          "indicator_count": 14866,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 230,
          "modified_text": "543 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66eb3ef6d765187a437767e4",
          "name": "Hijacked 'Operation Endgame' Tofsee  Ransomware",
          "description": "This is a project. A target has been put into  different Operations: Project Hilo, Project Helix, Operation Endgame, The NSO Cellebrite Pegasus hit list. These are real and very serious threats. Severe Cyber issues made their way to her infected devices as well as the devices of family members. Death threats continue to come in. Several DoD IP addresses found in a PDF. It's unresearched at this time, DoD via BGP HE has been questionable considering use gateway abuse by SWIPPER. \n\nStill no authority can confirm victim is a suspect. Must be a crazy high to help Jeffrey Scott Reiner PT. DPT  get away with assault in such a ridiculous manner. Court report posted online by Trellis (BS) is of course a falsified, vulnerability-filled 'made you click'  document. Faldif0, empty docmpty doc, citing  it was refreshed in 2023. \nThere is no doubt these  masqueraders mean to intimidate, humiliate, isolate & harm target. These people are not in China. False attribution is likely.  Attack is disseminated from USA.",
          "modified": "2024-10-18T20:04:41.836000",
          "created": "2024-09-18T20:58:30.691000",
          "tags": [
            "as8075",
            "united",
            "pid425870621",
            "tid700443057",
            "tpid425870621",
            "slot1",
            "mascore2",
            "bcnt1",
            "unid88000705",
            "nct1",
            "date",
            "china",
            "china unknown",
            "passive dns",
            "body xml",
            "error code",
            "requestid",
            "hostid ec",
            "server",
            "gmt content",
            "type",
            "registry",
            "intel",
            "ms windows",
            "show",
            "entries",
            "search",
            "high",
            "pe32",
            "high process",
            "injection t1055",
            "salicode",
            "worm",
            "copy",
            "tools",
            "service",
            "write",
            "win32",
            "persistence",
            "execution",
            "april",
            "urls",
            "http",
            "unique",
            "scan endpoints",
            "all scoreblue",
            "url http",
            "pulse pulses",
            "ip address",
            "related nids",
            "code",
            "as54113",
            "unknown",
            "body",
            "fastly error",
            "please",
            "sea p",
            "msil",
            "accept",
            "aaaa",
            "nxdomain",
            "whitelisted",
            "as15169 google",
            "status",
            "as44273 host",
            "as46691",
            "domain",
            "url https",
            "files location",
            "info",
            "script urls",
            "path max",
            "age86400 set",
            "cookie",
            "script domains",
            "javascript",
            "script script",
            "trojanspy",
            "cname",
            "emails",
            "servers",
            "all search",
            "related pulses",
            "file samples",
            "files matching",
            "creation date",
            "germany unknown",
            "yara detections",
            "filehash",
            "av detections",
            "ids detections",
            "alerts",
            "analysis date",
            "file score",
            "meta",
            "home welcome",
            "write c",
            "delete c",
            "query",
            "local",
            "hostname",
            "a domains",
            "lowfi",
            "content type",
            "record value",
            "suite",
            "showing",
            "asnone united",
            "as29873",
            "ipv4",
            "pulse submit",
            "url analysis",
            "files",
            "pe32 executable",
            "potential scan",
            "0pgtwhu",
            "t1045",
            "port",
            "infection",
            "recon",
            "malware",
            "june",
            "delphi",
            "taobao network",
            "as45102 alibaba",
            "as4812 china",
            "next",
            "expiration date",
            "name servers",
            "dynamicloader",
            "dynamic",
            "sha256",
            "dynamic link",
            "library exe",
            "adobe",
            "incorporated",
            "read",
            "yara rule",
            "delete",
            "binary file",
            "push",
            "malicious",
            "july",
            "iocs",
            "levelbluelabs",
            "jeff4son",
            "adversaries",
            "registry run",
            "flow t1574",
            "dll sideloading",
            "boot",
            "logon autostart",
            "execution t1547",
            "keys",
            "startup folder",
            "t1497 may",
            "encryption",
            "catalog tree",
            "analysis ob0001",
            "virtual machine",
            "detection b0009",
            "check registry",
            "analysis ob0002",
            "executable code",
            "stack strings",
            "control ob0004",
            "get http",
            "http requests",
            "dns resolutions",
            "ip traffic",
            "pattern domains",
            "memory pattern",
            "urls http",
            "request",
            "response",
            "connection",
            "trojan",
            "otx scoreblue",
            "windows",
            "embeddedwb",
            "medium",
            "shellexecuteexw",
            "msie",
            "windows nt",
            "displayname",
            "tofsee",
            "hashes",
            "vhash",
            "authentihash",
            "ssdeep",
            "win32 exe",
            "magic pe32",
            "trid win32",
            "library",
            "read c",
            "file guard",
            "rtversion",
            "langchinese",
            "legalcopyright",
            "reserved",
            "ransom",
            "moved",
            "media",
            "ascii text",
            "default",
            "upack",
            "mike",
            "contacted",
            "x87xe1x1d",
            "regsetvalueexa",
            "x95xd3xa4",
            "regbinary",
            "x84xa8xe8i",
            "x8dxb7xb7",
            "hx88x9ax1e",
            "mx81xd1r",
            "x92xac",
            "xc2x84",
            "stream",
            "swipper",
            "pdfcreator.sf.net",
            "botnet",
            "black mercedes",
            "please forgive me",
            "therahand thouroughhand"
          ],
          "references": [
            "Project Endgame - pegausintel.com - Unsure if related to NSO Group",
            "Antivirus Detections: ALF:HeraklezEval:Rogue:Win32/FakeRean",
            "Yara Detections: compromised_site_redirector_fromcharcode ,  Cabinet_Archive ,  SFX_CAB",
            "Alerts: infostealer_cookies persistence_autorun recon_programs recon_fingerprint removes_zoneid_ads anomalous_deletefile",
            "P\u2019s Contacted:  93.184.221.240  3.33.130.190 |  Domains Contacted: counterslocal.com",
            "compromised_site_redirector_fromcharcode fromCharCode",
            "Interesting Strings: http://www.interoperabilitybridges.com/wmp http://crbug.com/40902 http://crbug.com/516527",
            "Interesting Strings: http://service.real.com/realplayer/security/02062012_player/en/",
            "Interesting Strings: https://support.google.com/chrome/?p=plugin_pdf",
            "https://support.google.com/chrome/?p=plugin_quicktime https://chrome.google.com/",
            "Interesting Strings: http://schema.org/GovernmentOrganization https://support.google.com/chrome/?p=plugin_java https://crbug.com/593166",
            "Pdf.Phishing.TtraffRobotInstall-7605656-0 00004feb58be42ba1bd506ea89f90c5e1d83e6e1fb84841931949a454b0bb539",
            "Antivirus Detections Cryp_Xed-12 ,  Mal/Generic-S ,  Packed/Upack Yara Detections Upackv039finalDwing ,  UpackV037Dwing",
            "https://pin.it/ | https://www.anyxxxtube.net/search-porn/tsara-brashears/",
            "https://www.anyxxxtube.net/search-porn/tsara-brashears/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Worm:Win32/Macoute.A",
              "display_name": "Worm:Win32/Macoute.A",
              "target": "/malware/Worm:Win32/Macoute.A"
            },
            {
              "id": "TrojanDownloader:Win32/Nemucod",
              "display_name": "TrojanDownloader:Win32/Nemucod",
              "target": "/malware/TrojanDownloader:Win32/Nemucod"
            },
            {
              "id": "TrojanSpy:Win32/Nivdort",
              "display_name": "TrojanSpy:Win32/Nivdort",
              "target": "/malware/TrojanSpy:Win32/Nivdort"
            },
            {
              "id": "ALF:HeraklezEval:Rogue:Win32/FakeRean",
              "display_name": "ALF:HeraklezEval:Rogue:Win32/FakeRean",
              "target": null
            },
            {
              "id": "Worm:Win32/Fesber.A",
              "display_name": "Worm:Win32/Fesber.A",
              "target": "/malware/Worm:Win32/Fesber.A"
            },
            {
              "id": "Ransom:Win32/Eniqma.A",
              "display_name": "Ransom:Win32/Eniqma.A",
              "target": "/malware/Ransom:Win32/Eniqma.A"
            },
            {
              "id": "Tofsee",
              "display_name": "Tofsee",
              "target": null
            },
            {
              "id": "UpackV037Dwing",
              "display_name": "UpackV037Dwing",
              "target": null
            },
            {
              "id": "Cryp_Xed-12",
              "display_name": "Cryp_Xed-12",
              "target": null
            },
            {
              "id": "Mal/Generic-S",
              "display_name": "Mal/Generic-S",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1031",
              "name": "Modify Existing Service",
              "display_name": "T1031 - Modify Existing Service"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1089",
              "name": "Disabling Security Tools",
              "display_name": "T1089 - Disabling Security Tools"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1096",
              "name": "NTFS File Attributes",
              "display_name": "T1096 - NTFS File Attributes"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 29,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 1,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1493,
            "FileHash-SHA1": 1393,
            "FileHash-SHA256": 5881,
            "URL": 1495,
            "domain": 1947,
            "hostname": 1360,
            "email": 18,
            "CVE": 1
          },
          "indicator_count": 13588,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 229,
          "modified_text": "547 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66e87da28b9c1611223c1a6b",
          "name": "Telegram - Remote install | log4shell-generic | Botnet | Pegasus Relationship",
          "description": "0.0.0.0 Day: Exploiting Localhost APIs From the Browser.\nA root of device issues: \nTarget was remotely subscribed to Telegram 10/23. This phone silently made 2 calls to (380) 222-3333. An activation code for blacklisted t.me/login/***** received by text. Target remembers this occurred during sleep. Pegasus relationship. Mirai relationship auto-populated. Reference to new  Mirai infection. I didn't find  Mirai IoC's\nBrian Hau? Lol, idk about that.\n|| SLFPER:SoftwareBundler:Win32/Dlhelper\n#Lowfi:LUA:AutoItV3CraftedOverlay\nALF:HeraklezEval:Trojan:Win32/Ymacco\nBackdoor:Win32/Tofsee\nMirai\nTEL:Exploit:O97M/CVE-2017-8570\nTofsee\nTrojan:Win32/Glupteba\nTrojan:Win32/Kryptik\nTrojan:Win32/Mydoom\nWin.Packed.Enigma-10023199-0\nWin.Packer.pkr_ce1a-9980177-0\nWin32:PWSX-gen\\ [Trj]",
          "modified": "2024-10-16T15:00:45.833000",
          "created": "2024-09-16T18:49:06.831000",
          "tags": [
            "dynamicloader",
            "high",
            "windows",
            "medium",
            "grum",
            "yara detections",
            "contacted",
            "installs",
            "windows startup",
            "application",
            "tofsee",
            "stream",
            "less see",
            "copy",
            "aaaa",
            "virgin islands",
            "whitelisted",
            "antigua",
            "org domains",
            "proxy",
            "code",
            "search",
            "united",
            "unknown",
            "msie",
            "chrome",
            "passive dns",
            "formbook cnc",
            "checkin",
            "entries",
            "body",
            "possible",
            "mozilla",
            "delete c",
            "windows nt",
            "show",
            "owotrus ca",
            "limited",
            "cnwotrus dv",
            "server ca",
            "write",
            "malware",
            "encrypt",
            "as36647 oath",
            "backdoor",
            "trojan",
            "all scoreblue",
            "ipv4",
            "urls",
            "ransom",
            "trojan features",
            "related pulses",
            "file samples",
            "files matching",
            "date hash",
            "memcommit",
            "read c",
            "win32",
            "icmp traffic",
            "memreserve",
            "showing",
            "exploit",
            "mirai",
            "barbuda",
            "barbuda unknown",
            "hacktool",
            "program",
            "python",
            "macintosh",
            "intel mac",
            "os x",
            "khtml",
            "gecko",
            "bios",
            "guard",
            "updater",
            "launcher",
            "div div",
            "span div",
            "span svg",
            "status",
            "bugs",
            "span",
            "meta",
            "path",
            "div h3",
            "telegram strong",
            "a li",
            "virtool",
            "class",
            "tour",
            "read",
            "delete",
            "top source",
            "top destination",
            "as46606",
            "change",
            "moved",
            "certificate",
            "creation date",
            "record value",
            "suite",
            "hostname",
            "cookie",
            "asnone united",
            "as29873",
            "cname",
            "domain",
            "url analysis",
            "redacted for",
            "script urls",
            "a domains",
            "as8560",
            "germany unknown",
            "name servers",
            "for privacy",
            "files",
            "verdict",
            "as393245 oath",
            "mtb sep",
            "servers",
            "expiration date",
            "overview domain",
            "files ip",
            "address",
            "location united",
            "asn as22612",
            "whois registrar",
            "namecheap inc",
            "as22612",
            "content type",
            "apache",
            "secure server",
            "dnssec",
            "meta http",
            "content",
            "gmt server",
            "litespeed x",
            "http scans",
            "equiv cache",
            "script endif",
            "create c",
            "wow64",
            "slcc2",
            "media center",
            "write c",
            "next",
            "dock",
            "execution",
            "capture",
            "xport",
            "united kingdom",
            "a nxdomain",
            "as24940 hetzner",
            "emails",
            "script script",
            "param",
            "script",
            "ul div",
            "global domains",
            "international",
            "bank",
            "agent",
            "stack",
            "life",
            "win32mydoom sep",
            "title",
            "enigmaprotector",
            "dynamic",
            "powershell",
            "filehash",
            "worm",
            "a div",
            "all search",
            "lowfi",
            "copyright",
            "as54994 quantil",
            "as15169",
            "virustotal",
            "drweb",
            "vipre",
            "downloader",
            "panda",
            "local",
            "dns replication",
            "technology",
            "server",
            "privacy billing",
            "email",
            "registrar abuse",
            "organization",
            "privacy tech",
            "privacy admin",
            "algorithm",
            "first",
            "v3 serial",
            "number",
            "cus ogoogle",
            "trust",
            "cnwe1 validity",
            "subject public",
            "key info",
            "key algorithm",
            "scan endpoints",
            "pulse pulses",
            "federation asn",
            "as49505",
            "labs pulses",
            "internet",
            "iana",
            "city",
            "los angeles",
            "orgabusephone",
            "orgid",
            "iana ref",
            "orgtechhandle",
            "iana special",
            "103.28.36.182",
            "pegasus",
            "103.224.212.222",
            "103.129.252.44",
            "162.0.215.111",
            "apple",
            "apple-access.com",
            "as8075",
            "date",
            "phishing",
            "csam",
            "pii",
            "piiexposure",
            "flag",
            "domain address",
            "llc name",
            "contacted hosts",
            "ip address",
            "process details"
          ],
          "references": [
            "Telegram | Indicator: Query for .su TLD (Soviet Union) Often Malware Related PE EXE or DLL Windows file download HTTP",
            "Telegram - https://t.me/login/***** | FileHash-SHA256 cecaa6014e0cdc41ead0b076169175c9342a2ccc4b3e48549f88ea87ba8c034",
            "Alerts: injection_inter_process creates_largekey network_bind persistence_autorun persistence_autorun_tasks",
            "Alerts: spawns_dev_util cape_detected_threat injection_process_hollowing antivm_generic_services",
            "Alerts: deletes_executed_files injection_runpe persistence_ads suspicious_command_tools anomalous_deletefile antisandbox_sleep dead_connect dynamic_function_loading resumethread_remote_process powershell_download powershell_request",
            "*WEBSITE.WS Your Internet Address For Life",
            "Telegram | IP 66.235.200.146 | Indicator Possible recent Mirai infection",
            "Datacenter / Hosting / VPS Reverse DNS host77.ipowerweb.com Location United States",
            "IDS Detections: W32/Zbot.Variant Fake MSIE 6.0 UA FormBook CnC Checkin (GET) FormBook CnC Checkin (GET) FormBook CnC Checkin (GET)",
            "User-Agent (Mozilla) - Possible Spyware Related WinHttpRequest Downloading EXE Likely Evil EXE download from WinHttpRequest non-exe extension",
            "ASN AS13335 cloudflare DNS Resolutions",
            "0.0.0.0 log4shell-generic-z8lrtjkgkm4zhi6necwi.r.nessus.org",
            "IDS: Query for .su TLD (Soviet Union) Often Malware Related PE EXE or DLL Windows file download HTTP | Not Russia - Americans Masquerading",
            "federallegionconnbot.t.me",
            "thevipporn.com porn25.com lowendporn.com pz7.iqg29.cn",
            "pegasusintel.com",
            "appleid-support.com  apple-access.com appleid-support.com   demo171.apple.com apple.k8s.joewa.com w-t-blu-371ac852.cloudapp.net",
            "log4shell-generic-ammqgekxvatp3a2qyw71ten.r.nessus.org play.google.com demo171.apple.com apps.apple.com",
            "Alleged CSAM  Alleged Phishing   Alleged PIIExposure",
            "https://t.me/login/36861  = GET  /login/36861 | Server: nginx/1.18.0"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Win.Packer.pkr_ce1a-9980177-0",
              "display_name": "Win.Packer.pkr_ce1a-9980177-0",
              "target": null
            },
            {
              "id": "Tofsee",
              "display_name": "Tofsee",
              "target": null
            },
            {
              "id": "Trojan:Win32/Mydoom",
              "display_name": "Trojan:Win32/Mydoom",
              "target": "/malware/Trojan:Win32/Mydoom"
            },
            {
              "id": "Win32:PWSX-gen\\ [Trj]",
              "display_name": "Win32:PWSX-gen\\ [Trj]",
              "target": null
            },
            {
              "id": "Mirai",
              "display_name": "Mirai",
              "target": null
            },
            {
              "id": "Trojan:Win32/Glupteba",
              "display_name": "Trojan:Win32/Glupteba",
              "target": "/malware/Trojan:Win32/Glupteba"
            },
            {
              "id": "Trojan:Win32/Kryptik",
              "display_name": "Trojan:Win32/Kryptik",
              "target": "/malware/Trojan:Win32/Kryptik"
            },
            {
              "id": "Backdoor:Win32/Tofsee",
              "display_name": "Backdoor:Win32/Tofsee",
              "target": "/malware/Backdoor:Win32/Tofsee"
            },
            {
              "id": "Win.Packed.Enigma-10023199-0",
              "display_name": "Win.Packed.Enigma-10023199-0",
              "target": null
            },
            {
              "id": "TEL:Exploit:O97M/CVE-2017-8570",
              "display_name": "TEL:Exploit:O97M/CVE-2017-8570",
              "target": null
            },
            {
              "id": "ALF:HeraklezEval:Trojan:Win32/Ymacco",
              "display_name": "ALF:HeraklezEval:Trojan:Win32/Ymacco",
              "target": null
            },
            {
              "id": "SLFPER:SoftwareBundler:Win32/Dlhelper",
              "display_name": "SLFPER:SoftwareBundler:Win32/Dlhelper",
              "target": null
            },
            {
              "id": "#Lowfi:LUA:AutoItV3CraftedOverlay",
              "display_name": "#Lowfi:LUA:AutoItV3CraftedOverlay",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1049",
              "name": "System Network Connections Discovery",
              "display_name": "T1049 - System Network Connections Discovery"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1023",
              "name": "Shortcut Modification",
              "display_name": "T1023 - Shortcut Modification"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1143",
              "name": "Hidden Window",
              "display_name": "T1143 - Hidden Window"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1583.005",
              "name": "Botnet",
              "display_name": "T1583.005 - Botnet"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1449",
              "name": "Exploit SS7 to Redirect Phone Calls/SMS",
              "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
            },
            {
              "id": "T1428",
              "name": "Exploit Enterprise Resources",
              "display_name": "T1428 - Exploit Enterprise Resources"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1598",
              "name": "Phishing for Information",
              "display_name": "T1598 - Phishing for Information"
            },
            {
              "id": "T1553.002",
              "name": "Code Signing",
              "display_name": "T1553.002 - Code Signing"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            }
          ],
          "industries": [
            "Telecommunications"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 40,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 1226,
            "FileHash-SHA256": 1691,
            "FileHash-MD5": 807,
            "FileHash-SHA1": 781,
            "URL": 429,
            "hostname": 1124,
            "SSLCertFingerprint": 7,
            "CVE": 1,
            "email": 16,
            "CIDR": 1
          },
          "indicator_count": 6083,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 232,
          "modified_text": "549 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66b7a0a606360e458f77aad9",
          "name": "Exploit Enterprise Resources-Steam Powered | x.com | Hunt | Crypt",
          "description": "Remotely attacks social media, game services, hunting for IP addresses, and all personal locations of targets. Service modifier, registry modifier.",
          "modified": "2024-10-11T00:04:00.735000",
          "created": "2024-08-10T17:17:26.271000",
          "tags": [
            "as46606",
            "united",
            "unknown",
            "passive dns",
            "all scoreblue",
            "ipv4",
            "url analysis",
            "search",
            "a nxdomain",
            "whitelisted",
            "accept",
            "ns nxdomain",
            "soa nxdomain",
            "aaaa nxdomain",
            "reverse dns",
            "as29873",
            "trojan",
            "hacktool",
            "hosting",
            "ttl value",
            "algorithm",
            "full name",
            "data",
            "v3 serial",
            "cus odigicert",
            "inc cndigicert",
            "global g2",
            "tls rsa",
            "server",
            "registrar abuse",
            "dns replication",
            "subject public",
            "key info",
            "key algorithm",
            "key identifier",
            "subject key",
            "identifier",
            "first",
            "android",
            "united states",
            "status",
            "hostname",
            "as13414 twitter",
            "aaaa",
            "nxdomain",
            "date",
            "as44273 host",
            "scan endpoints",
            "systemroot",
            "ogoogle trust",
            "cngts ca",
            "delete c",
            "tofsee",
            "stcalifornia",
            "lsan francisco",
            "win64",
            "grum",
            "copy",
            "write",
            "malware",
            "encrypt",
            "memcommit",
            "read c",
            "yara detections",
            "medium",
            "memreserve",
            "command line",
            "get ip address",
            "steam",
            "api get  ip",
            "steam get ip",
            "entries",
            "show",
            "windows nt",
            "khtml",
            "gecko",
            "next",
            "showing",
            "ip address",
            "writeconsolea",
            "february",
            "write c",
            "regsetvalueexa",
            "regdword",
            "delete",
            "napolar",
            "persistence",
            "execution",
            "network service",
            "location hunting",
            "ip hunting"
          ],
          "references": [
            "analytics.x.com",
            "Yara Detections:  ConventionEngine_Term_Users ,  ConventionEngine_Keyword_Anti ,  dbgdetect_procs",
            "Crypt: 1.3.6.1",
            "Crypt: FileHash-SHA256 71f1f6c91dbe8050e7c5d54f294f5eabec02dccbe97fb0100e7ebf8f35b0d062",
            "Crypt: FileHash-SHA1 d8b665ef01e3f9feaa746833cddadf3bf29f72d1",
            "Crypt: FileHash-MD5  5dd89c5f70c95bae85d864c7baf27b20",
            "Yara Detections: ryuk_1007_fx2_12_multi_for_crypt_x86 ,  dbgdetect_files",
            "IDS Detections: Win32/Tofsee.AX google.com connectivity check HTTP Request with Lowercase host Header Observed External IP Lookup ip-api.com",
            "Antivirus Detections: Win.Packer.pkr_ce1a-9980177-0",
            "IDS Detections: Observed External IP Lookup ip-api.com"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Win.Packer.pkr_ce1a-9980177-0",
              "display_name": "Win.Packer.pkr_ce1a-9980177-0",
              "target": null
            },
            {
              "id": "Crypt",
              "display_name": "Crypt",
              "target": null
            },
            {
              "id": "Ransom",
              "display_name": "Ransom",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1056.004",
              "name": "Credential API Hooking",
              "display_name": "T1056.004 - Credential API Hooking"
            },
            {
              "id": "T1585.001",
              "name": "Social Media Accounts",
              "display_name": "T1585.001 - Social Media Accounts"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1428",
              "name": "Exploit Enterprise Resources",
              "display_name": "T1428 - Exploit Enterprise Resources"
            },
            {
              "id": "T1210",
              "name": "Exploitation of Remote Services",
              "display_name": "T1210 - Exploitation of Remote Services"
            },
            {
              "id": "T1040",
              "name": "Network Sniffing",
              "display_name": "T1040 - Network Sniffing"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 16,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 570,
            "domain": 563,
            "hostname": 1131,
            "FileHash-SHA1": 498,
            "FileHash-SHA256": 2070,
            "URL": 83,
            "email": 7,
            "SSLCertFingerprint": 10
          },
          "indicator_count": 4932,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 228,
          "modified_text": "555 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65b3fb6752ac464268b971b1",
          "name": "BazaarLoader | REDCAP | https://jbplegal com/ | Cyber espionage",
          "description": "Found periphery.m (moderate sized dump) Targets Tsara Brashears Several staffed law offices based on Colorado, USA.\nContact made. Physical records. Client: Brashears.\nhttps://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/Trojan.Win32.REDCAP.MCRK/\n1c597b7c7934ef03eb0def0b64655dd79abe08567ff3053761e5516064a43376\nhttps://otx.alienvault.com/malware/TEL:Trojan:Win32%2FBazaarLoader!MTB/\nhttps://www.trendmicro.com/en_ph/research/21/k/bazarloader-adds-compromised-installers-iso-to-arrival-delivery-vectors.html\nTEL:Trojan:Win32/BazaarLoader\n987204ca82337f0a3f28097a5d66d5f3ecb11d43d82f67cd753d0bf2ce40b7a7",
          "modified": "2024-09-05T07:02:20.491000",
          "created": "2024-01-26T18:35:19.690000",
          "tags": [
            "no expiration",
            "filehashsha1",
            "filehashmd5",
            "filehashsha256",
            "url http",
            "ipv4",
            "iocs",
            "url https",
            "next",
            "scan endpoints",
            "expiration",
            "domain",
            "pdf report",
            "pcap",
            "all scoreblue",
            "hostname",
            "tagwearable",
            "email",
            "united",
            "as46562",
            "unknown",
            "as213120",
            "search",
            "creation date",
            "dnssec",
            "showing",
            "entries",
            "as32400 hostway",
            "encrypt",
            "status",
            "date",
            "passive dns",
            "urls",
            "record value",
            "apache",
            "pragma",
            "body",
            "as9009 m247",
            "pulse pulses",
            "files",
            "hosting",
            "location new",
            "as58955 bangmod",
            "pulse submit",
            "url analysis",
            "reverse dns",
            "all search",
            "otx scoreblue",
            "http",
            "ip address",
            "related nids",
            "filehash",
            "sha256",
            "av detections",
            "ids detections",
            "yara detections",
            "alerts",
            "analysis date",
            "june",
            "copy",
            "aaaa",
            "a domains",
            "address",
            "div div",
            "span span",
            "span h2",
            "a li",
            "lucky guy",
            "span",
            "customer",
            "location united",
            "cookie",
            "as54113",
            "xamzexpires300",
            "hstr",
            "github pages",
            "request id",
            "accept",
            "win64",
            "found",
            "show",
            "win32",
            "related pulses",
            "sea x",
            "cache",
            "dynamicloader",
            "targetname",
            "pe32",
            "intel",
            "ms windows",
            "yara rule",
            "high",
            "write",
            "bruteforce",
            "location china",
            "asn as45090",
            "cobalt strike",
            "internet",
            "iana",
            "whois lookups",
            "city",
            "los angeles",
            "orgabusephone",
            "orgid",
            "iana ref",
            "net192",
            "net1920000",
            "ssl cert",
            "ssl certificate",
            "tlsv1 apr",
            "cobaltstrike",
            "default",
            "read",
            "trojan",
            "ghost rat",
            "webtoolbar",
            "nanocore rat",
            "gamehack",
            "redlinestealer",
            "installcore",
            "installbrain",
            "emotet",
            "tofsee",
            "bradesco",
            "agent tesla",
            "trojanspy",
            "suppobox",
            "occamy",
            "dnspionage",
            "stealer",
            "malware",
            "no entries",
            "entries found",
            "delete",
            "found pe",
            "stus",
            "cnus",
            "tlsv1",
            "as20940",
            "as16625 akamai",
            "asnone united",
            "emails",
            "microsoft way",
            "as8075",
            "united kingdom",
            "aaaa nxdomain",
            "a nxdomain",
            "nxdomain",
            "as8068",
            "as3356 level",
            "as15133 verizon",
            "as22822",
            "as20446",
            "cname",
            "honeypot",
            "read c",
            "regsetvalueexa",
            "regdword",
            "as29789",
            "moved",
            "morphex",
            "cryp",
            "susp"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Brazil"
          ],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1125",
              "name": "Video Capture",
              "display_name": "T1125 - Video Capture"
            },
            {
              "id": "T1040",
              "name": "Network Sniffing",
              "display_name": "T1040 - Network Sniffing"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 23,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 2401,
            "FileHash-MD5": 2428,
            "FileHash-SHA1": 2136,
            "FileHash-SHA256": 5377,
            "domain": 3794,
            "hostname": 2763,
            "CVE": 5,
            "email": 19,
            "SSLCertFingerprint": 4
          },
          "indicator_count": 18927,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 229,
          "modified_text": "591 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65b85df45cc3d3fd07139ea9",
          "name": "Honeypot | https://jbplegal com/ | Cyber espionage | DynamicLoader",
          "description": "",
          "modified": "2024-09-05T06:38:09.443000",
          "created": "2024-01-30T02:24:52.774000",
          "tags": [
            "no expiration",
            "filehashsha1",
            "filehashmd5",
            "filehashsha256",
            "url http",
            "ipv4",
            "iocs",
            "url https",
            "next",
            "scan endpoints",
            "expiration",
            "domain",
            "pdf report",
            "pcap",
            "all scoreblue",
            "hostname",
            "tagwearable",
            "email",
            "united",
            "as46562",
            "unknown",
            "as213120",
            "search",
            "creation date",
            "dnssec",
            "showing",
            "entries",
            "as32400 hostway",
            "encrypt",
            "status",
            "date",
            "passive dns",
            "urls",
            "record value",
            "apache",
            "pragma",
            "body",
            "as9009 m247",
            "pulse pulses",
            "files",
            "hosting",
            "location new",
            "as58955 bangmod",
            "pulse submit",
            "url analysis",
            "reverse dns",
            "all search",
            "otx scoreblue",
            "http",
            "ip address",
            "related nids",
            "filehash",
            "sha256",
            "av detections",
            "ids detections",
            "yara detections",
            "alerts",
            "analysis date",
            "june",
            "copy",
            "aaaa",
            "a domains",
            "address",
            "div div",
            "span span",
            "span h2",
            "a li",
            "lucky guy",
            "span",
            "customer",
            "location united",
            "cookie",
            "as54113",
            "xamzexpires300",
            "hstr",
            "github pages",
            "request id",
            "accept",
            "win64",
            "found",
            "show",
            "win32",
            "related pulses",
            "sea x",
            "cache",
            "dynamicloader",
            "targetname",
            "pe32",
            "intel",
            "ms windows",
            "yara rule",
            "high",
            "write",
            "bruteforce",
            "location china",
            "asn as45090",
            "cobalt strike",
            "internet",
            "iana",
            "whois lookups",
            "city",
            "los angeles",
            "orgabusephone",
            "orgid",
            "iana ref",
            "net192",
            "net1920000",
            "ssl cert",
            "ssl certificate",
            "tlsv1 apr",
            "cobaltstrike",
            "default",
            "read",
            "trojan",
            "ghost rat",
            "webtoolbar",
            "nanocore rat",
            "gamehack",
            "redlinestealer",
            "installcore",
            "installbrain",
            "emotet",
            "tofsee",
            "bradesco",
            "agent tesla",
            "trojanspy",
            "suppobox",
            "occamy",
            "dnspionage",
            "stealer",
            "malware",
            "no entries",
            "entries found",
            "delete",
            "found pe",
            "stus",
            "cnus",
            "tlsv1",
            "as20940",
            "as16625 akamai",
            "asnone united",
            "emails",
            "microsoft way",
            "as8075",
            "united kingdom",
            "aaaa nxdomain",
            "a nxdomain",
            "nxdomain",
            "as8068",
            "as14061",
            "whitelisted",
            "as16276",
            "script urls",
            "name servers",
            "meta",
            "as43317 fishnet"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Brazil",
            "Netherlands",
            "Romania",
            "Russian Federation",
            "Japan"
          ],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1125",
              "name": "Video Capture",
              "display_name": "T1125 - Video Capture"
            },
            {
              "id": "T1040",
              "name": "Network Sniffing",
              "display_name": "T1040 - Network Sniffing"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": "65b47501fcbc39983f098723",
          "export_count": 21,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 2390,
            "FileHash-MD5": 2213,
            "FileHash-SHA1": 1921,
            "FileHash-SHA256": 4357,
            "domain": 3534,
            "hostname": 2670,
            "CVE": 5,
            "email": 17,
            "SSLCertFingerprint": 4
          },
          "indicator_count": 17111,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 230,
          "modified_text": "591 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "666d1488316880c73e04054e",
          "name": "Prorat.19.i | Backdoor:Win32/Tofsee.T - Amazon.com | iOS  | Denver",
          "description": "Targets family members device attacked while shopping on Amazon.com using an obviously device compromised, newer, fully updated iOS device. \nAmazon legal? [legal-choice.ru, youla.legal, https://www.effectv.com/legal/advertiser-terms-and-conditions]\n[applehealthcare.com apple-rehab.com: Backdoor:Win32/Tofsee.T]\nAdversarial CnC over devices and networks.\nRelentless attacks.",
          "modified": "2024-07-15T03:03:34.888000",
          "created": "2024-06-15T04:11:52.737000",
          "tags": [
            "server",
            "hostmaster",
            "amazon legal",
            "dept",
            "amazon",
            "street",
            "stateprovince",
            "postal code",
            "view whois",
            "whois record",
            "date",
            "contact",
            "threat roundup",
            "november",
            "march",
            "december",
            "february",
            "october",
            "january",
            "highly targeted",
            "data",
            "boost mobile",
            "formbook",
            "response final",
            "url https",
            "ip address",
            "status code",
            "body length",
            "kb body",
            "sha256",
            "headers",
            "ord52c2 via",
            "cloudfront",
            "sha1",
            "pattern match",
            "ascii text",
            "document file",
            "v2 document",
            "crlf line",
            "size",
            "unicode",
            "beginstring",
            "null",
            "hybrid",
            "refresh",
            "body",
            "span",
            "june",
            "click",
            "strings",
            "error",
            "tools",
            "look",
            "verify",
            "restart",
            "unknown",
            "embeddedwb",
            "windows",
            "search",
            "medium",
            "united",
            "show",
            "whitelisted",
            "shellexecuteexw",
            "msie",
            "tofsee",
            "service",
            "write",
            "win32",
            "malware",
            "copy",
            "a nxdomain",
            "passive dns",
            "domain",
            "scan endpoints",
            "all scoreblue",
            "pulse pulses",
            "urls",
            "files",
            "ip related",
            "process32nextw",
            "components",
            "writeconsolew",
            "copy c",
            "delete c",
            "query",
            "useruin",
            "delphi",
            "capture",
            "install",
            "prorat",
            "url http",
            "http",
            "related nids",
            "files location",
            "regsetvalueexa",
            "regbinary",
            "stream",
            "persistence",
            "execution",
            "creation date",
            "entries",
            "as44273 host",
            "record value",
            "status",
            "nxdomain",
            "content type",
            "accept",
            "gmt server",
            "gmt etag",
            "accept encoding",
            "ipv4",
            "path",
            "pragma",
            "name servers",
            "west domains",
            "hostname",
            "next",
            "asnone germany",
            "as21499 host",
            "singapore",
            "france",
            "object",
            "com cnt",
            "dem fin",
            "found",
            "as16276",
            "spain unknown",
            "meta name",
            "frame src",
            "ok set",
            "cookie",
            "gmt date",
            "gmt content",
            "encrypt",
            "levelblue",
            "open threat",
            "meta",
            "a div",
            "div div",
            "france unknown",
            "ok server",
            "type",
            "seychelles",
            "whitesky",
            "as29182 jsc",
            "showing",
            "as24940 hetzner",
            "moved",
            "expiration date",
            "aaaa",
            "russia",
            "as15169 google",
            "germany",
            "emails",
            "germany unknown",
            "a domains",
            "body doctype",
            "html public",
            "ietfdtd html",
            "finland",
            "asnone iran",
            "iran",
            "td tr",
            "td td",
            "tbody",
            "tr tr",
            "domains",
            "backdoor",
            "apple",
            "radio hacking",
            "voicestram",
            "listening",
            "trojan",
            "twitter",
            "servers",
            "vbs",
            "data center",
            "avg clamav",
            "msdefender sep",
            "vitro mar",
            "Win32:Vitro",
            "target: tsara brashears",
            "target: brashears personal devices",
            "target: whitesky communication network",
            "target: accounting firm devices",
            "targets: intellectual property",
            "redrum",
            "open",
            "tr tbody",
            "rsa ca",
            "apache",
            "as7922 comcast",
            "pulse submit",
            "url analysis",
            "epss",
            "impact",
            "cve cve20178977",
            "exploits",
            "targeted",
            "cve overview",
            "media"
          ],
          "references": [
            "Targets Apple iPad /iOS | www.amazon.com/ref=ap_frn_logo [embedded] | www.amazon.com  ns1.amzndns.co.uk , ns1.amzndns.com",
            "cory@whiteskycommunications.com IP: 137.83.95.132 targets victims associates Amazon account and all devices. CnC target Network",
            "High Priority Alerts: dead_host network_icmp nolookup_communication persistence_autorun bypass_firewall",
            "Win32/Tofsee.AX - https://otx.alienvault.com/indicator/file/47565f3a809e997530e8b0d1602a39cb9cc3dd9e1361db2f9dd5891dfd444383",
            "network_http suspicious_tld allocates_rwx antivm_disk_size creates_exe creates_service suspicious_process stealth_window packer_entropy uses_windows_utilities console_output pe_features",
            "Prorat.19.i: https://otx.alienvault.com/indicator/file/03f92e83f56ad2d687ee2fb7ab21b7fea0bebc1abc82d387a52510b61506e68f",
            "IDS: Prorat.19.i Checkin | DYNAMIC_DNS Query to a Suspicious no-ip Domain | CP Email Send via HTTP - Often Trojan Install Reports",
            "Domains Contacted: you.no-ip.com smtp.secureserver.net www.icq.com www.yoursite.com gmali.com",
            "message.htm.com | Ransomware",
            "www.test_ico355_subsequent_invoices.htm.com\tA NXDOMAIN",
            "htm.com: htm | prod.phx3.secureserver.net | unknown.ip.secureserver.net",
            "https://otx.alienvault.com/indicator/file/03f92e83f56ad2d687ee2fb7ab21b7fea0bebc1abc82d387a52510b61506e68f",
            "Win.Trojan.Tofsee-6840338-0 | https://otx.alienvault.com/indicator/domain/applehealthcare.com",
            "applegatecode.com, applehealthcare.com, nord-com.it, mail.apple-rehab.com, msa-smtp-mx1.hinet.net, https://itae-innova.com/wp-content/themes/itaeinnova/images/apple-touch-icon-114x114.png No Expiration\t0\t  Domain itae-innova.com No Expiration\t0\t  URL https://itae-innova.com/wp-content/themes/itaeinnova/images/apple-touch-icon-152x152.png, 50.205.3.1 2024-07-14T22:00:00\t0\t  Domain apple-rehab.com No Expiration\t0\t  Domain applegatecode.com",
            "Some items found relates to research exploited against or researched by target: disabled_duck",
            "Crypt_r.AWJ: FileHash-SHA256 cc83b186700b21e5c4cae0f8236ae3e50ab47c2c21a3987ea00463056cbd1c26",
            "Crypt_r.BCM: FileHash-SHA256 1e0449b5a573e08289ba8de12b70410abfb021f81819b462cd7659fbcb361b11",
            "Crypt_r.BCM: FileHash-SHA256 cc83b186700b21e5c4cae",
            "Crypt_r.BDI: FileHash-SHA256 1e0449b5a573e08289ba8de12b70410abfb021f81819b462cd7659fbcb361b11",
            "Crypt_r.BDI: FileHash-SHA256 71906e67e75f832dfbd2c63fde953d76b6502e48e78badd3ef6fe30d02390268",
            "3.33.152.147: Trojan:Win32/Dursg.K | Verdict External> IP Lookup Service Classification Cloud provider Reverse DNS a4ec4c6ea1c92e2e6.awsglobalaccelerator.com",
            "3.33.152.147: https://otx.alienvault.com/indicator/ip/3.33.152.147",
            "3.33.152.147 - High Priority IDS Detections: Worm.Win32/Chiviper.C Checkin Possible Fake AV Checkin Kazy/Kryptor/Cycbot",
            "3.33.152.147 - High Priority IDS Detections: Trojan Checkin Win32.Meredrop Checkin CryptoWall Check-in Net-Worm.Win32.Koobface.jxs",
            "3.33.152.147 - High Priority IDS Detections: Checkin Virut Counter/Check-in Backdoor.Win32.Polybot.A Checkin 3 Koobface HTTP Request (2) Win32.Sality-GR Checkin",
            "3.33.152.147 - ALF:HSTR:Trojan:Win32/StartPage.ZS!bit ,  ALF:HeraklezEval:PUA:Win32/InstallCore.R ,  ALF:HeraklezEval:Ransom:Win32/Tescrypt!rfn",
            "3.33.152.147 - Antivirus Detections: !#AddsCopyToStartup ,  !#HSTR:SigGen0136cb6c ,  ALF:AGGR:OpcCl:99!ml , ALF:Exploit:O97M/CVE-2017-8977",
            "3.33.152.147 - Antivirus Detections:  ALF:HeraklezEval:Trojan:Win32/Startpage!rfn ,  ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47",
            "3.33.152.147 - Antivirus Detections:  ALF:HeraklezEval:Trojan:Win32/SpyNoon!rfn ,",
            "85.10.215.232 - Classification Datacenter / Hosting / VPS Reverse DNS dediextern.your-server.de Location: Munich, Germany | konsoleH :: Login",
            "87.98.231.87 - Classification Datacenter / Hosting / VPS Reverse DNS cluster014.ovh.net Location: Spain | AVD:: TrojanDownloader:JS/Nemucod.QJ",
            "87.98.231.87 - IDS Detections: MalDoc Request for Payload, Unsupported/Fake Windows NT Version 5.0",
            "CVE-2017-8977 - https://otx.alienvault.com/indicator/cve/CVE-2017-8977",
            "CVE-2017-11882 - https://otx.alienvault.com/indicator/cve/CVE-2017-11882"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Seychelles",
            "Netherlands",
            "France",
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Backdoor:Win32/Tofsee.T",
              "display_name": "Backdoor:Win32/Tofsee.T",
              "target": "/malware/Backdoor:Win32/Tofsee.T"
            },
            {
              "id": "Win32:BackdoorX-gen\\ [Trj]",
              "display_name": "Win32:BackdoorX-gen\\ [Trj]",
              "target": null
            },
            {
              "id": "Win.Trojan.Tofsee-6840338-0",
              "display_name": "Win.Trojan.Tofsee-6840338-0",
              "target": null
            },
            {
              "id": "Win32:Trojan-gen",
              "display_name": "Win32:Trojan-gen",
              "target": null
            },
            {
              "id": "Trojan:Win32/Dursg.K",
              "display_name": "Trojan:Win32/Dursg.K",
              "target": "/malware/Trojan:Win32/Dursg.K"
            },
            {
              "id": "Win.Packer.pkr_ce1a-9980177-0",
              "display_name": "Win.Packer.pkr_ce1a-9980177-0",
              "target": null
            },
            {
              "id": "Win.Trojan.Downloader-42770",
              "display_name": "Win.Trojan.Downloader-42770",
              "target": null
            },
            {
              "id": "TrojanDownloader:JS/Nemucod.QJ",
              "display_name": "TrojanDownloader:JS/Nemucod.QJ",
              "target": "/malware/TrojanDownloader:JS/Nemucod.QJ"
            },
            {
              "id": "Win32:Trojan-gen",
              "display_name": "Win32:Trojan-gen",
              "target": null
            },
            {
              "id": "Win32:Kamso",
              "display_name": "Win32:Kamso",
              "target": null
            },
            {
              "id": "Win.Trojan.Magania-13720",
              "display_name": "Win.Trojan.Magania-13720",
              "target": null
            },
            {
              "id": "Win32:Sality",
              "display_name": "Win32:Sality",
              "target": null
            },
            {
              "id": "Win.Trojan.Swisyn-6819",
              "display_name": "Win.Trojan.Swisyn-6819",
              "target": null
            },
            {
              "id": "Win32:SaliCode",
              "display_name": "Win32:SaliCode",
              "target": null
            },
            {
              "id": "Win.Trojan.Agent-1313630",
              "display_name": "Win.Trojan.Agent-1313630",
              "target": null
            },
            {
              "id": "Crypt_r.BCM",
              "display_name": "Crypt_r.BCM",
              "target": null
            },
            {
              "id": "ALF:AGGR:Exploit:O97M/CVE-2017-11882",
              "display_name": "ALF:AGGR:Exploit:O97M/CVE-2017-11882",
              "target": null
            },
            {
              "id": "ALF:Exploit:O97M/CVE-2017-8977",
              "display_name": "ALF:Exploit:O97M/CVE-2017-8977",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1096",
              "name": "NTFS File Attributes",
              "display_name": "T1096 - NTFS File Attributes"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "TA0011",
              "name": "Command and Control",
              "display_name": "TA0011 - Command and Control"
            },
            {
              "id": "T1415",
              "name": "URL Scheme Hijacking",
              "display_name": "T1415 - URL Scheme Hijacking"
            },
            {
              "id": "T1416",
              "name": "URI Hijacking",
              "display_name": "T1416 - URI Hijacking"
            },
            {
              "id": "T1210",
              "name": "Exploitation of Remote Services",
              "display_name": "T1210 - Exploitation of Remote Services"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1003.005",
              "name": "Cached Domain Credentials",
              "display_name": "T1003.005 - Cached Domain Credentials"
            },
            {
              "id": "T1212",
              "name": "Exploitation for Credential Access",
              "display_name": "T1212 - Exploitation for Credential Access"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1059.002",
              "name": "AppleScript",
              "display_name": "T1059.002 - AppleScript"
            }
          ],
          "industries": [
            "Retail",
            "Technology",
            "Telecommunications",
            "Civil Society",
            "Online Shopping",
            "Legal"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 25,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 2,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 1965,
            "hostname": 1378,
            "domain": 1922,
            "FileHash-SHA256": 2639,
            "FileHash-MD5": 386,
            "FileHash-SHA1": 377,
            "email": 11,
            "CVE": 2
          },
          "indicator_count": 8680,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 226,
          "modified_text": "643 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6665d9ae1b06b560698b2a70",
          "name": "Assurance [a Prudential company] S0094-Remote Access",
          "description": "Assurance experienced an abrupt shutdown April 2024. Health Insurance agents were notified mid business; Prudential [Assurance partner] had fully taken over thus ending all contracts amid business. Cyber investigations date back to 2023. Trojan.Karagany [old] is a modular remote access tool used for recon and linked to Dragonfly/Crouching Yeti and more. Infostealer, malware and unwanted programs downloader.\nPersistence. Severe | S0094 - Remote Access\nCVE-2023-22518 | CVE-2023-4966",
          "modified": "2024-07-09T15:02:04.111000",
          "created": "2024-06-09T16:34:54.161000",
          "tags": [
            "falcon sandbox",
            "sha256",
            "sha1",
            "et tor",
            "known tor",
            "relayrouter",
            "exit",
            "node traffic",
            "misc attack",
            "pattern match",
            "ascii text",
            "null",
            "hybrid",
            "refresh",
            "body",
            "span",
            "june",
            "click",
            "date",
            "strings",
            "error",
            "tools",
            "look",
            "verify",
            "restart",
            "contact",
            "historical ssl",
            "referrer",
            "httponly",
            "path",
            "secure",
            "maxage31557600",
            "expiresmon",
            "samesitenone",
            "expireswed",
            "etag w",
            "setcookie dids",
            "maxage864000",
            "http response",
            "final url",
            "serving ip",
            "address",
            "status code",
            "html document",
            "history",
            "utc names",
            "html info",
            "title assurance",
            "meta tags",
            "script tags",
            "anchor hrefs",
            "code",
            "requestid",
            "hostid",
            "xml file",
            "accessdenied",
            "message",
            "signature",
            "expires",
            "awsaccesskeyid",
            "log id",
            "gmtn",
            "passive dns",
            "urls",
            "digicert global",
            "g2 tls",
            "rsa sha256",
            "tls web",
            "full name",
            "self",
            "false",
            "united",
            "as8075",
            "unknown",
            "gmt server",
            "scan endpoints",
            "all scoreblue",
            "ipv4",
            "pulse submit",
            "url analysis",
            "url https",
            "pulse pulses",
            "http",
            "ip address",
            "related nids",
            "files location",
            "aaaa",
            "meta",
            "link",
            "search",
            "creation date",
            "wheels up",
            "moved",
            "homepage",
            "servers",
            "service",
            "name servers",
            "hostname",
            "next",
            "japan unknown",
            "as2510 fujitsu",
            "status",
            "page",
            "ltd dba",
            "com laude",
            "record value",
            "ireland",
            "germany",
            "australia",
            "as44786 adobe",
            "whitelisted",
            "win32",
            "present may",
            "trojan",
            "karaganye",
            "regsetvalueexa",
            "regdword",
            "default",
            "show",
            "presto",
            "regbinary",
            "medium",
            "create c",
            "query",
            "double",
            "malware",
            "copy",
            "karagany",
            "write",
            "showing",
            "as35908 krypt",
            "as45102 alibaba",
            "hong kong",
            "data service",
            "script script",
            "div div",
            "title",
            "entries",
            "files",
            "japan asn",
            "dns resolutions",
            "memory pattern",
            "ip traffic",
            "domains",
            "urls https",
            "files c",
            "filesgoogle c",
            "written c",
            "extensions",
            "as20446",
            "as14061",
            "emails",
            "threat roundup",
            "bashlite",
            "jupyter rising",
            "vmware",
            "security blog",
            "april",
            "september",
            "december",
            "january",
            "enemybot",
            "core"
          ],
          "references": [
            "Assurance",
            "IDS Detections: Trojan Internet Connectivity Check TrojanDownloader.Win32/Karagany.H checkin 2",
            "IDS Detections: Query for .cc TLD Suspicious User-Agent (Presto) Double User-Agent (User-Agent User-Agent)",
            "Alerts: network_icmp modifies_proxy_wpad network_http suspicious_tld allocates_rwx creates_exe antivm_network_adapters checks_debugger",
            "Domains Contacted: simplesausages.cx.cc adobe.com",
            "https://test2.ditproducts.com/dat/wannacry1.html",
            "http://email.critizr.com/asm/unsubscribe/?user_id=1464008&data=anW5I3azQrbEzQ84_I2zsSfJkpp1WTl08_zW0p5h4i5oMDAwdTAwMIqknJPIfal-ld9TvXgRLVf_F",
            "https://www.anyxxxtube.net/search-porn/tsara-brashears/",
            "CVE-2023-22518 | CVE-2023-4966"
          ],
          "public": 1,
          "adversary": "Berserk Bear (also known as BROMINE, Crouching Yeti, Dragonfly,",
          "targeted_countries": [
            "United States of America",
            "Netherlands"
          ],
          "malware_families": [
            {
              "id": "ALF:JASYP:TrojanDownloader:Win32/Karagany!atmn",
              "display_name": "ALF:JASYP:TrojanDownloader:Win32/Karagany!atmn",
              "target": null
            },
            {
              "id": "Win32:Karagany-D\\ [Trj]",
              "display_name": "Win32:Karagany-D\\ [Trj]",
              "target": null
            },
            {
              "id": "Win.Trojan.Xtoober-650",
              "display_name": "Win.Trojan.Xtoober-650",
              "target": null
            },
            {
              "id": "Trojan:Win32/Startpage.SS",
              "display_name": "Trojan:Win32/Startpage.SS",
              "target": "/malware/Trojan:Win32/Startpage.SS"
            },
            {
              "id": "Win.Packed.Pincav-7537597-0",
              "display_name": "Win.Packed.Pincav-7537597-0",
              "target": null
            },
            {
              "id": "Trojan.Karagany - S0094",
              "display_name": "Trojan.Karagany - S0094",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1040",
              "name": "Network Sniffing",
              "display_name": "T1040 - Network Sniffing"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1574.002",
              "name": "DLL Side-Loading",
              "display_name": "T1574.002 - DLL Side-Loading"
            },
            {
              "id": "TA0002",
              "name": "Execution",
              "display_name": "TA0002 - Execution"
            },
            {
              "id": "TA0003",
              "name": "Persistence",
              "display_name": "TA0003 - Persistence"
            },
            {
              "id": "TA0004",
              "name": "Privilege Escalation",
              "display_name": "TA0004 - Privilege Escalation"
            },
            {
              "id": "TA0005",
              "name": "Defense Evasion",
              "display_name": "TA0005 - Defense Evasion"
            },
            {
              "id": "TA0008",
              "name": "Lateral Movement",
              "display_name": "TA0008 - Lateral Movement"
            },
            {
              "id": "TA0011",
              "name": "Command and Control",
              "display_name": "TA0011 - Command and Control"
            }
          ],
          "industries": [
            "Healthcare",
            "Technology",
            "Telecommunications",
            "Finance - Insurance Sector"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 38,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 2950,
            "FileHash-MD5": 193,
            "FileHash-SHA1": 171,
            "FileHash-SHA256": 1885,
            "URL": 8907,
            "domain": 2945,
            "SSLCertFingerprint": 2,
            "email": 11,
            "CVE": 2
          },
          "indicator_count": 17066,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 226,
          "modified_text": "648 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6665d55d941729c5f283b3f7",
          "name": "S0094-Remote Access - Assurance [a Prudential company]",
          "description": "Assurance experienced an abrupt shutdown April 2024. Health Insurance agents were notified mid business; Prudential [Assurance partner] had fully taken over thus ending all contracts amid business. Cyber investigations date back to 2023. health insurance agents Trojan.Karagany [old] is a modular remote access tool used for recon and linked to Dragonfly. Infostealer, malware and unwanted programs downloader.\nPersistence. Severe | S0094 - Remote Access\nCVE-2023-22518 | CVE-2023-4966",
          "modified": "2024-07-09T15:02:04.111000",
          "created": "2024-06-09T16:16:29.634000",
          "tags": [
            "falcon sandbox",
            "sha256",
            "sha1",
            "et tor",
            "known tor",
            "relayrouter",
            "exit",
            "node traffic",
            "misc attack",
            "pattern match",
            "ascii text",
            "null",
            "hybrid",
            "refresh",
            "body",
            "span",
            "june",
            "click",
            "date",
            "strings",
            "error",
            "tools",
            "look",
            "verify",
            "restart",
            "contact",
            "historical ssl",
            "referrer",
            "httponly",
            "path",
            "secure",
            "maxage31557600",
            "expiresmon",
            "samesitenone",
            "expireswed",
            "etag w",
            "setcookie dids",
            "maxage864000",
            "http response",
            "final url",
            "serving ip",
            "address",
            "status code",
            "html document",
            "history",
            "utc names",
            "html info",
            "title assurance",
            "meta tags",
            "script tags",
            "anchor hrefs",
            "code",
            "requestid",
            "hostid",
            "xml file",
            "accessdenied",
            "message",
            "signature",
            "expires",
            "awsaccesskeyid",
            "log id",
            "gmtn",
            "passive dns",
            "urls",
            "digicert global",
            "g2 tls",
            "rsa sha256",
            "tls web",
            "full name",
            "self",
            "false",
            "united",
            "as8075",
            "unknown",
            "gmt server",
            "scan endpoints",
            "all scoreblue",
            "ipv4",
            "pulse submit",
            "url analysis",
            "url https",
            "pulse pulses",
            "http",
            "ip address",
            "related nids",
            "files location",
            "aaaa",
            "meta",
            "link",
            "search",
            "creation date",
            "wheels up",
            "moved",
            "homepage",
            "servers",
            "service",
            "name servers",
            "hostname",
            "next",
            "japan unknown",
            "as2510 fujitsu",
            "status",
            "page",
            "ltd dba",
            "com laude",
            "record value",
            "ireland",
            "germany",
            "australia",
            "as44786 adobe",
            "whitelisted",
            "win32",
            "present may",
            "trojan",
            "karaganye",
            "regsetvalueexa",
            "regdword",
            "default",
            "show",
            "presto",
            "regbinary",
            "medium",
            "create c",
            "query",
            "double",
            "malware",
            "copy",
            "karagany",
            "write",
            "showing",
            "as35908 krypt",
            "as45102 alibaba",
            "hong kong",
            "data service",
            "script script",
            "div div",
            "title",
            "entries",
            "files",
            "japan asn",
            "dns resolutions",
            "memory pattern",
            "ip traffic",
            "domains",
            "urls https",
            "files c",
            "filesgoogle c",
            "written c",
            "extensions",
            "as20446",
            "as14061",
            "emails",
            "threat roundup",
            "bashlite",
            "jupyter rising",
            "vmware",
            "security blog",
            "april",
            "september",
            "december",
            "january",
            "enemybot",
            "core"
          ],
          "references": [
            "Assurance",
            "IDS Detections: Trojan Internet Connectivity Check TrojanDownloader.Win32/Karagany.H checkin 2",
            "IDS Detections: Query for .cc TLD Suspicious User-Agent (Presto) Double User-Agent (User-Agent User-Agent)",
            "Alerts: network_icmp modifies_proxy_wpad network_http suspicious_tld allocates_rwx creates_exe antivm_network_adapters checks_debugger",
            "Domains Contacted: simplesausages.cx.cc adobe.com",
            "https://test2.ditproducts.com/dat/wannacry1.html",
            "http://email.critizr.com/asm/unsubscribe/?user_id=1464008&data=anW5I3azQrbEzQ84_I2zsSfJkpp1WTl08_zW0p5h4i5oMDAwdTAwMIqknJPIfal-ld9TvXgRLVf_F",
            "https://www.anyxxxtube.net/search-porn/tsara-brashears/",
            "CVE-2023-22518 | CVE-2023-4966"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Netherlands"
          ],
          "malware_families": [
            {
              "id": "ALF:JASYP:TrojanDownloader:Win32/Karagany!atmn",
              "display_name": "ALF:JASYP:TrojanDownloader:Win32/Karagany!atmn",
              "target": null
            },
            {
              "id": "Win32:Karagany-D\\ [Trj]",
              "display_name": "Win32:Karagany-D\\ [Trj]",
              "target": null
            },
            {
              "id": "Win.Trojan.Xtoober-650",
              "display_name": "Win.Trojan.Xtoober-650",
              "target": null
            },
            {
              "id": "Trojan:Win32/Startpage.SS",
              "display_name": "Trojan:Win32/Startpage.SS",
              "target": "/malware/Trojan:Win32/Startpage.SS"
            },
            {
              "id": "Win.Packed.Pincav-7537597-0",
              "display_name": "Win.Packed.Pincav-7537597-0",
              "target": null
            },
            {
              "id": "Trojan.Karagany - S0094",
              "display_name": "Trojan.Karagany - S0094",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1040",
              "name": "Network Sniffing",
              "display_name": "T1040 - Network Sniffing"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1574.002",
              "name": "DLL Side-Loading",
              "display_name": "T1574.002 - DLL Side-Loading"
            },
            {
              "id": "TA0002",
              "name": "Execution",
              "display_name": "TA0002 - Execution"
            },
            {
              "id": "TA0003",
              "name": "Persistence",
              "display_name": "TA0003 - Persistence"
            },
            {
              "id": "TA0004",
              "name": "Privilege Escalation",
              "display_name": "TA0004 - Privilege Escalation"
            },
            {
              "id": "TA0005",
              "name": "Defense Evasion",
              "display_name": "TA0005 - Defense Evasion"
            },
            {
              "id": "TA0008",
              "name": "Lateral Movement",
              "display_name": "TA0008 - Lateral Movement"
            },
            {
              "id": "TA0011",
              "name": "Command and Control",
              "display_name": "TA0011 - Command and Control"
            }
          ],
          "industries": [
            "Healthcare",
            "Technology",
            "Telecommunications",
            "Finance - Insurance Sector"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 31,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 2950,
            "FileHash-MD5": 193,
            "FileHash-SHA1": 171,
            "FileHash-SHA256": 1885,
            "URL": 8907,
            "domain": 2945,
            "SSLCertFingerprint": 2,
            "email": 11,
            "CVE": 2
          },
          "indicator_count": 17066,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 225,
          "modified_text": "648 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "665182d791bfc08412ec2c0a",
          "name": "Shadow Pad | Appears as investigation of an infirmed non criminal",
          "description": "ShadowPad is a modular backdoor attack platform that uses an ecosystem of plugins. It stealthily infiltrates target systems and provides attackers with capabilities to gather data, execute commands, interact with the file system and registry, and deploy new modules to extend functionality, controlling the compromised systems remotely.\n\nElderly ill target cannot summon help.\n*Forced Updates for Google Chrome\n*Browser bar plug-in. \nRedirects calls to OOS phone message who;e call is still dialing\n*Emergency calls are always answered by 'police communication' at every given time of the day there are no police, ambulance, or any help available. They have already left for the day. \n*Nefarious user has on UTC time.\n Merits further investigation.",
          "modified": "2024-06-24T05:01:31.025000",
          "created": "2024-05-25T06:19:03.896000",
          "tags": [
            "threat roundup",
            "historical ssl",
            "referrer",
            "socs",
            "water dybbuk",
            "a bec",
            "actor using",
            "service",
            "privateloader",
            "blacknet rat",
            "shadowpad",
            "algorithm",
            "v3 serial",
            "number",
            "cus ogoogle",
            "trust",
            "llc cngts",
            "validity",
            "subject public",
            "key info",
            "aaaa",
            "record type",
            "ttl value",
            "cname",
            "server",
            "domain status",
            "google llc",
            "registrar abuse",
            "registrar",
            "admin country",
            "ca creation",
            "dnssec",
            "subdomains",
            "key algorithm",
            "ec oid",
            "key identifier",
            "subject key",
            "identifier",
            "first",
            "name verdict",
            "falcon sandbox",
            "et tor",
            "known tor",
            "misc attack",
            "relayrouter",
            "exit",
            "node traffic",
            "sha1",
            "sha256",
            "severity",
            "ascii text",
            "hybrid",
            "local",
            "click",
            "strings",
            "contact",
            "isoscope",
            "malicious",
            "Trojan:PDF/Owaphish.A",
            "android",
            "cisco",
            "show",
            "create c",
            "related pulses",
            "copy",
            "search",
            "peter pdf",
            "modifydate",
            "hacker playbook",
            "practical guide",
            "write",
            "trojan",
            "format",
            "core",
            "united",
            "unknown",
            "passive dns",
            "scan endpoints",
            "all scoreblue",
            "urls",
            "files",
            "none related",
            "miles",
            "all search",
            "otx scoreblue",
            "filehash",
            "av detections",
            "ids detections",
            "yara detections",
            "alerts",
            "analysis date",
            "abuse",
            "pentest",
            "127.0.0.1"
          ],
          "references": [
            "Trojan:PDF/Owaphish.A: https://otx.alienvault.com/indicator/file/b3735b6a91f612fdb28832408fe53ee286d0d618802db2e35f0c9e1f266f8918",
            "https://www.hybrid-analysis.com/sample/1843e6de2e062031e54642a10f4582884a2a9e5d97092f7221c35e9fa9b92cc7/665173a88bb19689e2005033"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "RCE CVE-2023-3519",
              "display_name": "RCE CVE-2023-3519",
              "target": null
            },
            {
              "id": "Trojan:PDF/Owaphish.A",
              "display_name": "Trojan:PDF/Owaphish.A",
              "target": "/malware/Trojan:PDF/Owaphish.A"
            }
          ],
          "attack_ids": [
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            },
            {
              "id": "T1583.001",
              "name": "Domains",
              "display_name": "T1583.001 - Domains"
            },
            {
              "id": "T1553.002",
              "name": "Code Signing",
              "display_name": "T1553.002 - Code Signing"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1094",
              "name": "Custom Command and Control Protocol",
              "display_name": "T1094 - Custom Command and Control Protocol"
            },
            {
              "id": "T1036.004",
              "name": "Masquerade Task or Service",
              "display_name": "T1036.004 - Masquerade Task or Service"
            },
            {
              "id": "T1133",
              "name": "External Remote Services",
              "display_name": "T1133 - External Remote Services"
            },
            {
              "id": "T1031",
              "name": "Modify Existing Service",
              "display_name": "T1031 - Modify Existing Service"
            },
            {
              "id": "T1011",
              "name": "Exfiltration Over Other Network Medium",
              "display_name": "T1011 - Exfiltration Over Other Network Medium"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "TA0004",
              "name": "Privilege Escalation",
              "display_name": "TA0004 - Privilege Escalation"
            },
            {
              "id": "T1453",
              "name": "Abuse Accessibility Features",
              "display_name": "T1453 - Abuse Accessibility Features"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1410",
              "name": "Network Traffic Capture or Redirection",
              "display_name": "T1410 - Network Traffic Capture or Redirection"
            },
            {
              "id": "T1449",
              "name": "Exploit SS7 to Redirect Phone Calls/SMS",
              "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 36,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 1,
            "FileHash-MD5": 97,
            "FileHash-SHA1": 93,
            "FileHash-SHA256": 822,
            "domain": 166,
            "URL": 571,
            "hostname": 252,
            "email": 6,
            "SSLCertFingerprint": 4
          },
          "indicator_count": 2012,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 225,
          "modified_text": "664 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65f9a6c7f53e3e65891da823",
          "name": "Emotet CnC Server| Injection | 192.96.223.11 - sectorlink.com  |",
          "description": "",
          "modified": "2024-04-18T14:05:16.862000",
          "created": "2024-03-19T14:52:55.036000",
          "tags": [
            "script urls",
            "united",
            "as12129",
            "search",
            "redacted for",
            "entries",
            "passive dns",
            "urls",
            "record value",
            "date",
            "unknown",
            "encrypt",
            "meta",
            "address",
            "creation date",
            "customer",
            "body",
            "span",
            "accept",
            "apache",
            "moved",
            "gmt server",
            "apache location",
            "scan endpoints",
            "all scoreblue",
            "ipv4",
            "gmt etag",
            "accept encoding",
            "user agent",
            "x frame",
            "privacy inc",
            "next",
            "for privacy",
            "a domains",
            "a li",
            "div div",
            "ul li",
            "read c",
            "write c",
            "delete c",
            "delete",
            "write",
            "create c",
            "crlf line",
            "default",
            "medium",
            "dock",
            "execution",
            "copy",
            "xport",
            "showing",
            "number",
            "sectorlink",
            "eisert",
            "google",
            "basic",
            "network",
            "label",
            "registry arin",
            "country us",
            "continent na",
            "first",
            "algorithm",
            "v3 serial",
            "subject public",
            "key info",
            "key algorithm",
            "key identifier",
            "subject key",
            "identifier",
            "x509v3 key",
            "record type",
            "ttl value",
            "aaaa",
            "zemqyj",
            "full name",
            "data",
            "cus cnrapidssl",
            "global tls",
            "rsa4096 sha256",
            "ca1 odigicert",
            "server",
            "whois lookup",
            "dnssec",
            "domain name",
            "status",
            "domain status",
            "abuse contact",
            "email",
            "registrar abuse",
            "issuer",
            "ssl certificate",
            "whois record",
            "historical ssl",
            "referrer",
            "whois whois",
            "resolutions",
            "siblings domain",
            "contacted",
            "trojan",
            "emotet",
            "process32nextw",
            "post",
            "regsetvalueexa",
            "win32emotet cnc",
            "activity",
            "regdword",
            "post http",
            "cryptexportkey",
            "emotet",
            "malware",
            "win32"
          ],
          "references": [
            "192.96.223.11 - sectorlink.com",
            "M9 W32/Emotet CnC Checkin M3"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Win32:BankerX-gen\\ [Trj]",
              "display_name": "Win32:BankerX-gen\\ [Trj]",
              "target": null
            },
            {
              "id": "Emotet",
              "display_name": "Emotet",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1143",
              "name": "Hidden Window",
              "display_name": "T1143 - Hidden Window"
            },
            {
              "id": "T1040",
              "name": "Network Sniffing",
              "display_name": "T1040 - Network Sniffing"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "TA0011",
              "name": "Command and Control",
              "display_name": "TA0011 - Command and Control"
            },
            {
              "id": "T1583.004",
              "name": "Server",
              "display_name": "T1583.004 - Server"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 29,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 159,
            "FileHash-SHA1": 148,
            "FileHash-SHA256": 1504,
            "URL": 2182,
            "domain": 454,
            "hostname": 993,
            "email": 5,
            "CIDR": 4
          },
          "indicator_count": 5449,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 228,
          "modified_text": "730 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65cd05cd3c9d0cc0b9ed215f",
          "name": "Emotet - https://www.gambinospizza.com | Brian Sabey \u2022 HallRender",
          "description": "\u2022Emotet botnets were observed dropping Trickbot to deliver ransomware payloads against some victims and Qakbot Trojans to steal banking credentials and data from other targets.\n\n\u2022Scammer 'Attorney' Brian Sabey | HallRender associated ; utilizes every form of social engineering to gain full access to phone numbers, email, banking,  network, relatives, contacts, PHI, PII, modifies services.\n.",
          "modified": "2024-04-15T08:03:32.381000",
          "created": "2024-02-14T18:26:21.427000",
          "tags": [
            "united",
            "unknown",
            "status",
            "sec ch",
            "as44273 host",
            "search",
            "aaaa",
            "showing",
            "ch ua",
            "record value",
            "ssl certificate",
            "threat roundup",
            "contacted",
            "communicating",
            "historical ssl",
            "referrer",
            "resolutions",
            "http",
            "execution",
            "gopher",
            "pattern match",
            "breakpoint",
            "command decode",
            "desktop",
            "base",
            "gambino",
            "pizza",
            "suricata ipv4",
            "mitre att",
            "date",
            "meta",
            "footer",
            "february",
            "general",
            "model",
            "comspec",
            "click",
            "strings",
            "main",
            "brian sabey",
            "hallrender",
            "trojan",
            "worm",
            "frankfurt",
            "germany",
            "asn15169",
            "google",
            "asn16509",
            "amazon02",
            "asn396982",
            "kansas city",
            "franchise url",
            "gmbh version",
            "status page",
            "service privacy",
            "legal",
            "impressum",
            "reverse dns",
            "general full",
            "url https",
            "resource",
            "hash",
            "protocol h2",
            "asn13335",
            "cloudflarenet",
            "software",
            "domains",
            "hashes",
            "learn",
            "issues tab",
            "value",
            "variables",
            "typeof function",
            "topropertykey",
            "bricksintersect",
            "bricksfunction",
            "domainpath name",
            "request chain",
            "chain",
            "nl page",
            "url history",
            "javascript",
            "page url",
            "redirected",
            "poweshell",
            "bruschettab",
            "mobsterstageda",
            "calzonec",
            "threat analyzer",
            "threat",
            "paste",
            "iocs",
            "hostnames",
            "beefpizzac",
            "superitaliansub",
            "cname",
            "msie",
            "chrome",
            "asnone united",
            "as6336 turn",
            "nxdomain",
            "whitelisted",
            "creation date",
            "turn",
            "body",
            "algorithm",
            "v3 serial",
            "number",
            "key algorithm",
            "key identifier",
            "subject key",
            "identifier",
            "x509v3 key",
            "usage",
            "x509v3 extended",
            "info",
            "first",
            "server",
            "registrar abuse",
            "iana id",
            "registrar url",
            "registrar whois",
            "contact email",
            "registry domain",
            "contact phone",
            "dnssec",
            "code",
            "type name",
            "win32 exe",
            "recreation",
            "whois record",
            "infected",
            "page dow",
            "poser",
            "scammer",
            "security",
            "malvertizing",
            "betting",
            "illegal activity",
            "linux",
            "teen porn",
            "child exploitation",
            "script urls",
            "a domains",
            "as10796 charter",
            "find your",
            "next franchise",
            "x content",
            "backend",
            "as13768 aptum",
            "moved",
            "passive dns",
            "urls",
            "as2635",
            "as14061",
            "scan endpoints",
            "all octoseek",
            "url http",
            "pulse pulses",
            "ip address",
            "related nids",
            "files location",
            "date hash",
            "avast avg",
            "nastya",
            "entries",
            "emotet",
            "windows nt",
            "show",
            "etpro trojan",
            "channel",
            "artemis",
            "medium",
            "delete",
            "copy",
            "virustotal",
            "trojan",
            "write",
            "trojanproxy",
            "vipre",
            "panda",
            "malware",
            "malware infection",
            "dga",
            "algorithm generated domains",
            "command and control",
            "pe32 executable",
            "tag",
            "tagging",
            "porn tagging",
            "as3356 level",
            "tahoma arial",
            "servers",
            "as1136 kpn",
            "next",
            "et",
            "remote",
            "confirm http",
            "sectrack",
            "openssl",
            "fulldisc",
            "secunia",
            "confirm https",
            "openssl tls",
            "multiple",
            "remote",
            "misc https",
            "impact",
            "heartbleed",
            "external source",
            "name hyperlink",
            "hp hpsbmu02998",
            "hp hpsbmu03019",
            "hp hpsbmu03030",
            "hp hpsbmu03018",
            "title",
            "lowfi",
            "title error",
            "body doctype",
            "html public",
            "w3cdtd html",
            "html head",
            "mozilla",
            "720.282.2025",
            "masquerading",
            "ninite feb",
            "mtb feb",
            "telper",
            "trojandropper",
            "ninite",
            "create c",
            "read c",
            "default",
            "create",
            "unicode",
            "dock",
            "xport"
          ],
          "references": [
            "www.gambinospizza.com",
            "0qMrDxlbqY9THmtdz56XQ2fTe-p9H49lftTmBXmn1WY9Z16q1vJdZdjO5Wnq_Pn3gEAAP__hu8yPQ",
            "https://apps.apple.com/us/app/gambinos-pizza/id1500338496 \u2022 apps.apple.com",
            "https://play.google.com/store/apps/details?id=com.e9117073d4e0.www",
            "targeting.unrulymedia.com \u2022 http://theteenhealthdoc.com",
            "https://www.hallrender.com/attorney/brian-sabey/ \u2022 www.hallrender.com \u2022 https://www.hallrender.com/wp-json/oembed/1.0/embed?url=https://www.hallrender.com/attorney/brian-sabey/&",
            "https://www.hallrender.com/wp-content/uploads/2016/02/Denver-150x150.jpg \u2022 https://www.hallrender.com/xmlrpc.php?rsd",
            "https://teenlist.toplistcreator.eu/in.php?nr=15170//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu",
            "http://fboomporn.com/teens/51826-gloryholeswallow-flora-floras-1st-gloryhole-visit-fullhd-1080p.html \u2022 teenystar18.toplistcreator.eu",
            "theteenhealthdoc.com \u2022 http://jailbait.toplistcreator.eu/link.php?link=teenystar18.toplistcreator.eu&nr=522 \u2022 franchisefifteen.com",
            "https://fboomporn.com/engine/opensearch.php \u2022 http://porn.hub-accessories.site/ \u2022 https://pic.porn.hub-accessories.site",
            "http://porn.toplistcreator.eu/in.php",
            "ETPRO TROJAN Trojan/Win32.Zbot Covert Channel 2 port 53\t192.168.56.103\t85.17.142.7\t 2807561\tETPRO TROJAN Trojan/Win32.Zbot Covert Channel 2 port 53\t192.168.56.103\t85.17.142.7\t\t\t\t 2807561\tETPRO TROJAN Trojan/Win32.Zbot Covert Channel 2 port 53\t192.168.56.103\t95.169.186.\t\t 2807561\tETPRO TROJAN Trojan/Win32.Zbot Covert Channel 2 port 53\t192.168.56.103\t95.169.186.63",
            "Trojan/Win32.Zbot Covert Channel 2 port 53\t192.168.56.10",
            "https://tag.1rx.io/rmp/215626/0/mvo?z=1r&hbv=8.16,2.1\ttag.1rx.io \u2022 192.208.222.110",
            "http://email.acm.mg.hydrantid.com/c/eJxUyTGygyAQBuDTQMksPyhYULzGe-C6LzCKOoYmt88kXdrvWxPlEJ3TkmygcbQBHrokFk-R4WwexpBl-J8Ce8uygBdeJqtrAsGTdWQB8jA0yQDEL0qMrD",
            "CVE-2014-0160 \u2022 CVE-2017-11882",
            "a17-250-248-150.www.bing.com \u2022 appledirectory.www.bing.com",
            "animate-citadel-t3gbc9x3gzd7invrzh8w00zm.herokudns.com"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Trojan:Win32/Comspec",
              "display_name": "Trojan:Win32/Comspec",
              "target": "/malware/Trojan:Win32/Comspec"
            },
            {
              "id": "XLS:Nastya\\ [Trj]",
              "display_name": "XLS:Nastya\\ [Trj]",
              "target": null
            },
            {
              "id": "Emotet",
              "display_name": "Emotet",
              "target": null
            },
            {
              "id": "Crypt4.YGM",
              "display_name": "Crypt4.YGM",
              "target": null
            },
            {
              "id": "ZBot",
              "display_name": "ZBot",
              "target": null
            },
            {
              "id": "ET",
              "display_name": "ET",
              "target": null
            },
            {
              "id": "Heartbleed Bug",
              "display_name": "Heartbleed Bug",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1143",
              "name": "Hidden Window",
              "display_name": "T1143 - Hidden Window"
            },
            {
              "id": "T1583.005",
              "name": "Botnet",
              "display_name": "T1583.005 - Botnet"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 59,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 118,
            "FileHash-SHA1": 106,
            "domain": 3271,
            "hostname": 2451,
            "URL": 8652,
            "email": 8,
            "FileHash-SHA256": 3153,
            "CVE": 4
          },
          "indicator_count": 17763,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 223,
          "modified_text": "734 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65be56d6df9d36bac14ccd87",
          "name": "AZORult CnC",
          "description": "Behaviors\n\nSteals computer data, such as installed programs, machine globally unique identifier (GUID), system architecture, system language, user name, computer name, and operating system (OS) version\nSteals stored account information used in different installed File Transfer Protocol (FTP) clients or file manager software\nSteals stored email credentials of different mail clients\nSteals user names, passwords, and hostnames from different browsers\nSteals bitcoin wallets - Monero and uCoin\nSteals Steam and telegram credentials\nSteals Skype chat history and messages\nExecutes backdoor commands from a remote malicious user to collect host Internet protocol (IP) information, download/execute/delete file\nCapabilities\n\nInformation Theft\nBackdoor commands\nExploits\nDownload Routine\nImpact\n\nCompromise system security - with backdoor capabilities that can execute malicious commands, downloads and installs additional malwares",
          "modified": "2024-03-04T14:03:17.574000",
          "created": "2024-02-03T15:08:06.808000",
          "tags": [
            "ssl certificate",
            "whois record",
            "threat roundup",
            "whois whois",
            "january",
            "historical ssl",
            "referrer",
            "april",
            "resolutions",
            "siblings domain",
            "march",
            "february",
            "obz4usfn0 http",
            "problems",
            "threat network",
            "infrastructure",
            "st201601152",
            "startpage",
            "iframe",
            "united",
            "unknown",
            "search",
            "showing",
            "united kingdom",
            "creation date",
            "aaaa",
            "cname",
            "scan endpoints",
            "all octoseek",
            "date",
            "next",
            "script urls",
            "soa nxdomain",
            "link",
            "xml title",
            "portugal",
            "domain",
            "status",
            "expiration date",
            "pulse pulses",
            "as44273 host",
            "domain robot",
            "as61969 team",
            "body",
            "as8075",
            "netherlands",
            "servers",
            "emails",
            "duo insight",
            "type",
            "asnone united",
            "name servers",
            "germany unknown",
            "passive dns",
            "as14061",
            "as49453",
            "lowfi",
            "a domains",
            "urls",
            "privacy inc",
            "customer",
            "trojandropper",
            "dynamicloader",
            "default",
            "medium",
            "entries",
            "khtml",
            "download",
            "show",
            "activity",
            "http",
            "copy",
            "write",
            "malware",
            "adware affiliate",
            "hostname",
            "trojan",
            "pulse submit",
            "url analysis",
            "files",
            "as212913 fop",
            "russia unknown",
            "as397240",
            "as15169 google",
            "as19237 omnis",
            "as22169 omnis",
            "as20068 hawk",
            "as133618",
            "as47846",
            "as22489",
            "encrypt",
            "record value",
            "pragma",
            "accept ch",
            "ireland unknown",
            "msie",
            "chrome",
            "style",
            "gmt setcookie",
            "as6724 strato",
            "core",
            "win32",
            "backdoor",
            "expl",
            "exploit",
            "ipv4",
            "virtool",
            "azorult cnc",
            "possible",
            "as7018 att",
            "regsetvalueexa",
            "china as4134",
            "service",
            "asnone",
            "dns lookup",
            "ransom",
            "push",
            "eternalblue",
            "recon",
            "playgame",
            "domain name",
            "as13768 aptum",
            "meta",
            "error",
            "as43350 nforce",
            "as55286",
            "as60558 phoenix",
            "ip address",
            "registrar",
            "1996",
            "contacted",
            "unlocker",
            "red team",
            "af81 http",
            "execution",
            "open",
            "whois sslcert",
            "suspicious c2",
            "cve202322518",
            "collection",
            "vt graph",
            "excel",
            "emotet",
            "metro",
            "jeffrey reimer pt",
            "sharecare",
            "tsara brashears",
            "apple",
            "icloud"
          ],
          "references": [
            "https://success.trendmicro.com/dcx/s/solution/000146108-azorult-malware-information?language=en_US&sfdcIFrameOrigin=null"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United Kingdom of Great Britain and Northern Ireland",
            "United States of America",
            "Netherlands",
            "Germany",
            "France"
          ],
          "malware_families": [
            {
              "id": "Adware Affiliate",
              "display_name": "Adware Affiliate",
              "target": null
            },
            {
              "id": "AZORult CnC",
              "display_name": "AZORult CnC",
              "target": null
            },
            {
              "id": "Possible",
              "display_name": "Possible",
              "target": null
            },
            {
              "id": "VirTool",
              "display_name": "VirTool",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1031",
              "name": "Modify Existing Service",
              "display_name": "T1031 - Modify Existing Service"
            },
            {
              "id": "T1040",
              "name": "Network Sniffing",
              "display_name": "T1040 - Network Sniffing"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1158",
              "name": "Hidden Files and Directories",
              "display_name": "T1158 - Hidden Files and Directories"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 8134,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 737,
            "FileHash-SHA1": 692,
            "FileHash-SHA256": 7488,
            "URL": 6694,
            "domain": 5247,
            "hostname": 2932,
            "email": 49,
            "CVE": 2,
            "SSLCertFingerprint": 1
          },
          "indicator_count": 23842,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 225,
          "modified_text": "775 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65be56d257bb241c4fa3f68d",
          "name": "AZORult CnC",
          "description": "Behaviors\n\nSteals computer data, such as installed programs, machine globally unique identifier (GUID), system architecture, system language, user name, computer name, and operating system (OS) version\nSteals stored account information used in different installed File Transfer Protocol (FTP) clients or file manager software\nSteals stored email credentials of different mail clients\nSteals user names, passwords, and hostnames from different browsers\nSteals bitcoin wallets - Monero and uCoin\nSteals Steam and telegram credentials\nSteals Skype chat history and messages\nExecutes backdoor commands from a remote malicious user to collect host Internet protocol (IP) information, download/execute/delete file\nCapabilities\n\nInformation Theft\nBackdoor commands\nExploits\nDownload Routine\nImpact\n\nCompromise system security - with backdoor capabilities that can execute malicious commands, downloads and installs additional malwares",
          "modified": "2024-03-04T14:03:17.574000",
          "created": "2024-02-03T15:08:02.291000",
          "tags": [
            "ssl certificate",
            "whois record",
            "threat roundup",
            "whois whois",
            "january",
            "historical ssl",
            "referrer",
            "april",
            "resolutions",
            "siblings domain",
            "march",
            "february",
            "obz4usfn0 http",
            "problems",
            "threat network",
            "infrastructure",
            "st201601152",
            "startpage",
            "iframe",
            "united",
            "unknown",
            "search",
            "showing",
            "united kingdom",
            "creation date",
            "aaaa",
            "cname",
            "scan endpoints",
            "all octoseek",
            "date",
            "next",
            "script urls",
            "soa nxdomain",
            "link",
            "xml title",
            "portugal",
            "domain",
            "status",
            "expiration date",
            "pulse pulses",
            "as44273 host",
            "domain robot",
            "as61969 team",
            "body",
            "as8075",
            "netherlands",
            "servers",
            "emails",
            "duo insight",
            "type",
            "asnone united",
            "name servers",
            "germany unknown",
            "passive dns",
            "as14061",
            "as49453",
            "lowfi",
            "a domains",
            "urls",
            "privacy inc",
            "customer",
            "trojandropper",
            "dynamicloader",
            "default",
            "medium",
            "entries",
            "khtml",
            "download",
            "show",
            "activity",
            "http",
            "copy",
            "write",
            "malware",
            "adware affiliate",
            "hostname",
            "trojan",
            "pulse submit",
            "url analysis",
            "files",
            "as212913 fop",
            "russia unknown",
            "as397240",
            "as15169 google",
            "as19237 omnis",
            "as22169 omnis",
            "as20068 hawk",
            "as133618",
            "as47846",
            "as22489",
            "encrypt",
            "record value",
            "pragma",
            "accept ch",
            "ireland unknown",
            "msie",
            "chrome",
            "style",
            "gmt setcookie",
            "as6724 strato",
            "core",
            "win32",
            "backdoor",
            "expl",
            "exploit",
            "ipv4",
            "virtool",
            "azorult cnc",
            "possible",
            "as7018 att",
            "regsetvalueexa",
            "china as4134",
            "service",
            "asnone",
            "dns lookup",
            "ransom",
            "push",
            "eternalblue",
            "recon",
            "playgame",
            "domain name",
            "as13768 aptum",
            "meta",
            "error",
            "as43350 nforce",
            "as55286",
            "as60558 phoenix",
            "ip address",
            "registrar",
            "1996",
            "contacted",
            "unlocker",
            "red team",
            "af81 http",
            "execution",
            "open",
            "whois sslcert",
            "suspicious c2",
            "cve202322518",
            "collection",
            "vt graph",
            "excel",
            "emotet",
            "metro",
            "jeffrey reimer pt",
            "sharecare",
            "tsara brashears",
            "apple",
            "icloud"
          ],
          "references": [
            "https://success.trendmicro.com/dcx/s/solution/000146108-azorult-malware-information?language=en_US&sfdcIFrameOrigin=null"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United Kingdom of Great Britain and Northern Ireland",
            "United States of America",
            "Netherlands",
            "Germany",
            "France"
          ],
          "malware_families": [
            {
              "id": "Adware Affiliate",
              "display_name": "Adware Affiliate",
              "target": null
            },
            {
              "id": "AZORult CnC",
              "display_name": "AZORult CnC",
              "target": null
            },
            {
              "id": "Possible",
              "display_name": "Possible",
              "target": null
            },
            {
              "id": "VirTool",
              "display_name": "VirTool",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1031",
              "name": "Modify Existing Service",
              "display_name": "T1031 - Modify Existing Service"
            },
            {
              "id": "T1040",
              "name": "Network Sniffing",
              "display_name": "T1040 - Network Sniffing"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1158",
              "name": "Hidden Files and Directories",
              "display_name": "T1158 - Hidden Files and Directories"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 22,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 737,
            "FileHash-SHA1": 692,
            "FileHash-SHA256": 7488,
            "URL": 6694,
            "domain": 5247,
            "hostname": 2932,
            "email": 49,
            "CVE": 2,
            "SSLCertFingerprint": 1
          },
          "indicator_count": 23842,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 221,
          "modified_text": "775 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65b80982381b53c66f0dd1e1",
          "name": "BazaarLoader | REDCAP | https://jbplegal com/ | Cyber espionage",
          "description": "",
          "modified": "2024-02-25T17:03:29.232000",
          "created": "2024-01-29T20:24:34.644000",
          "tags": [
            "no expiration",
            "filehashsha1",
            "filehashmd5",
            "filehashsha256",
            "url http",
            "ipv4",
            "iocs",
            "url https",
            "next",
            "scan endpoints",
            "expiration",
            "domain",
            "pdf report",
            "pcap",
            "all scoreblue",
            "hostname",
            "tagwearable",
            "email",
            "united",
            "as46562",
            "unknown",
            "as213120",
            "search",
            "creation date",
            "dnssec",
            "showing",
            "entries",
            "as32400 hostway",
            "encrypt",
            "status",
            "date",
            "passive dns",
            "urls",
            "record value",
            "apache",
            "pragma",
            "body",
            "as9009 m247",
            "pulse pulses",
            "files",
            "hosting",
            "location new",
            "as58955 bangmod",
            "pulse submit",
            "url analysis",
            "reverse dns",
            "all search",
            "otx scoreblue",
            "http",
            "ip address",
            "related nids",
            "filehash",
            "sha256",
            "av detections",
            "ids detections",
            "yara detections",
            "alerts",
            "analysis date",
            "june",
            "copy",
            "aaaa",
            "a domains",
            "address",
            "div div",
            "span span",
            "span h2",
            "a li",
            "lucky guy",
            "span",
            "customer",
            "location united",
            "cookie",
            "as54113",
            "xamzexpires300",
            "hstr",
            "github pages",
            "request id",
            "accept",
            "win64",
            "found",
            "show",
            "win32",
            "related pulses",
            "sea x",
            "cache",
            "dynamicloader",
            "targetname",
            "pe32",
            "intel",
            "ms windows",
            "yara rule",
            "high",
            "write",
            "bruteforce",
            "location china",
            "asn as45090",
            "cobalt strike",
            "internet",
            "iana",
            "whois lookups",
            "city",
            "los angeles",
            "orgabusephone",
            "orgid",
            "iana ref",
            "net192",
            "net1920000",
            "ssl cert",
            "ssl certificate",
            "tlsv1 apr",
            "cobaltstrike",
            "default",
            "read",
            "trojan",
            "ghost rat",
            "webtoolbar",
            "nanocore rat",
            "gamehack",
            "redlinestealer",
            "installcore",
            "installbrain",
            "emotet",
            "tofsee",
            "bradesco",
            "agent tesla",
            "trojanspy",
            "suppobox",
            "occamy",
            "dnspionage",
            "stealer",
            "malware",
            "no entries",
            "entries found",
            "delete",
            "found pe",
            "stus",
            "cnus",
            "tlsv1",
            "as20940",
            "as16625 akamai",
            "asnone united",
            "emails",
            "microsoft way",
            "as8075",
            "united kingdom",
            "aaaa nxdomain",
            "a nxdomain",
            "nxdomain",
            "as8068",
            "as3356 level",
            "as15133 verizon",
            "as22822",
            "as20446",
            "cname",
            "honeypot",
            "read c",
            "regsetvalueexa",
            "regdword",
            "as29789",
            "moved",
            "morphex",
            "cryp",
            "susp"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Brazil"
          ],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1125",
              "name": "Video Capture",
              "display_name": "T1125 - Video Capture"
            },
            {
              "id": "T1040",
              "name": "Network Sniffing",
              "display_name": "T1040 - Network Sniffing"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": "65b47524b1ec6b5c783a832e",
          "export_count": 11,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 1530,
            "FileHash-MD5": 2428,
            "FileHash-SHA1": 2136,
            "FileHash-SHA256": 5239,
            "domain": 3740,
            "hostname": 2560,
            "CVE": 5,
            "email": 19,
            "SSLCertFingerprint": 4
          },
          "indicator_count": 17661,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 232,
          "modified_text": "783 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65be8dde8544d0b022b4c464",
          "name": "Honeypot | https://jbplegal com/ | Cyber espionage  | Emotet ",
          "description": "",
          "modified": "2024-02-25T17:03:29.232000",
          "created": "2024-02-03T19:02:54.507000",
          "tags": [
            "no expiration",
            "filehashsha1",
            "filehashmd5",
            "filehashsha256",
            "url http",
            "ipv4",
            "iocs",
            "url https",
            "next",
            "scan endpoints",
            "expiration",
            "domain",
            "pdf report",
            "pcap",
            "all scoreblue",
            "hostname",
            "tagwearable",
            "email",
            "united",
            "as46562",
            "unknown",
            "as213120",
            "search",
            "creation date",
            "dnssec",
            "showing",
            "entries",
            "as32400 hostway",
            "encrypt",
            "status",
            "date",
            "passive dns",
            "urls",
            "record value",
            "apache",
            "pragma",
            "body",
            "as9009 m247",
            "pulse pulses",
            "files",
            "hosting",
            "location new",
            "as58955 bangmod",
            "pulse submit",
            "url analysis",
            "reverse dns",
            "all search",
            "otx scoreblue",
            "http",
            "ip address",
            "related nids",
            "filehash",
            "sha256",
            "av detections",
            "ids detections",
            "yara detections",
            "alerts",
            "analysis date",
            "june",
            "copy",
            "aaaa",
            "a domains",
            "address",
            "div div",
            "span span",
            "span h2",
            "a li",
            "lucky guy",
            "span",
            "customer",
            "location united",
            "cookie",
            "as54113",
            "xamzexpires300",
            "hstr",
            "github pages",
            "request id",
            "accept",
            "win64",
            "found",
            "show",
            "win32",
            "related pulses",
            "sea x",
            "cache",
            "dynamicloader",
            "targetname",
            "pe32",
            "intel",
            "ms windows",
            "yara rule",
            "high",
            "write",
            "bruteforce",
            "location china",
            "asn as45090",
            "cobalt strike",
            "internet",
            "iana",
            "whois lookups",
            "city",
            "los angeles",
            "orgabusephone",
            "orgid",
            "iana ref",
            "net192",
            "net1920000",
            "ssl cert",
            "ssl certificate",
            "tlsv1 apr",
            "cobaltstrike",
            "default",
            "read",
            "trojan",
            "ghost rat",
            "webtoolbar",
            "nanocore rat",
            "gamehack",
            "redlinestealer",
            "installcore",
            "installbrain",
            "emotet",
            "tofsee",
            "bradesco",
            "agent tesla",
            "trojanspy",
            "suppobox",
            "occamy",
            "dnspionage",
            "stealer",
            "malware",
            "no entries",
            "entries found",
            "delete",
            "found pe",
            "stus",
            "cnus",
            "tlsv1",
            "as20940",
            "as16625 akamai",
            "asnone united",
            "emails",
            "microsoft way",
            "as8075",
            "united kingdom",
            "aaaa nxdomain",
            "a nxdomain",
            "nxdomain",
            "as8068",
            "as14061",
            "whitelisted",
            "as16276",
            "script urls",
            "name servers",
            "meta",
            "as43317 fishnet"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Brazil",
            "Netherlands",
            "Romania",
            "Russian Federation",
            "Japan"
          ],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1125",
              "name": "Video Capture",
              "display_name": "T1125 - Video Capture"
            },
            {
              "id": "T1040",
              "name": "Network Sniffing",
              "display_name": "T1040 - Network Sniffing"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": "65b85df45cc3d3fd07139ea9",
          "export_count": 15,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 1509,
            "FileHash-MD5": 2213,
            "FileHash-SHA1": 1921,
            "FileHash-SHA256": 4239,
            "domain": 3480,
            "hostname": 2466,
            "CVE": 5,
            "email": 17,
            "SSLCertFingerprint": 4
          },
          "indicator_count": 15854,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 227,
          "modified_text": "783 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65b3fe6c4cd0f5158eb18692",
          "name": "Honeypot | https://jbplegal com/ | Cyber espionage | DynamicLoader,",
          "description": "Found periphery.m (moderate sized dump) Targets Tsara Brashears Several staffed law offices based in Colorado, USA. Contact made. Physical records. Client: Brashears. https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/Trojan.Win32.REDCAP.MCRK/ 1c597b7c7934ef03eb0def0b64655dd79abe08567ff3053761e5516064a43376 https://otx.alienvault.com/malware/TEL:Trojan:Win32%2FBazaarLoader!MTB/ https://www.trendmicro.com/en_ph/research/21/k/bazarloader-adds-compromised-installers-iso-to-arrival-delivery-vectors.html TEL:Trojan:Win32/BazaarLoader 987204ca82337f0a3f28097a5d66d5f3ecb11d43d82f67cd753d0bf2ce40b7a7 https://www.joesandbox.com/analysis/1311477\nTarget: Critical Risk. In person contact made. Fraud services offered. \nThis is crazy.",
          "modified": "2024-02-25T17:03:29.232000",
          "created": "2024-01-26T18:48:12.433000",
          "tags": [
            "no expiration",
            "filehashsha1",
            "filehashmd5",
            "filehashsha256",
            "url http",
            "ipv4",
            "iocs",
            "url https",
            "next",
            "scan endpoints",
            "expiration",
            "domain",
            "pdf report",
            "pcap",
            "all scoreblue",
            "hostname",
            "tagwearable",
            "email",
            "united",
            "as46562",
            "unknown",
            "as213120",
            "search",
            "creation date",
            "dnssec",
            "showing",
            "entries",
            "as32400 hostway",
            "encrypt",
            "status",
            "date",
            "passive dns",
            "urls",
            "record value",
            "apache",
            "pragma",
            "body",
            "as9009 m247",
            "pulse pulses",
            "files",
            "hosting",
            "location new",
            "as58955 bangmod",
            "pulse submit",
            "url analysis",
            "reverse dns",
            "all search",
            "otx scoreblue",
            "http",
            "ip address",
            "related nids",
            "filehash",
            "sha256",
            "av detections",
            "ids detections",
            "yara detections",
            "alerts",
            "analysis date",
            "june",
            "copy",
            "aaaa",
            "a domains",
            "address",
            "div div",
            "span span",
            "span h2",
            "a li",
            "lucky guy",
            "span",
            "customer",
            "location united",
            "cookie",
            "as54113",
            "xamzexpires300",
            "hstr",
            "github pages",
            "request id",
            "accept",
            "win64",
            "found",
            "show",
            "win32",
            "related pulses",
            "sea x",
            "cache",
            "dynamicloader",
            "targetname",
            "pe32",
            "intel",
            "ms windows",
            "yara rule",
            "high",
            "write",
            "bruteforce",
            "location china",
            "asn as45090",
            "cobalt strike",
            "internet",
            "iana",
            "whois lookups",
            "city",
            "los angeles",
            "orgabusephone",
            "orgid",
            "iana ref",
            "net192",
            "net1920000",
            "ssl cert",
            "ssl certificate",
            "tlsv1 apr",
            "cobaltstrike",
            "default",
            "read",
            "trojan",
            "ghost rat",
            "webtoolbar",
            "nanocore rat",
            "gamehack",
            "redlinestealer",
            "installcore",
            "installbrain",
            "emotet",
            "tofsee",
            "bradesco",
            "agent tesla",
            "trojanspy",
            "suppobox",
            "occamy",
            "dnspionage",
            "stealer",
            "malware",
            "no entries",
            "entries found",
            "delete",
            "found pe",
            "stus",
            "cnus",
            "tlsv1",
            "as20940",
            "as16625 akamai",
            "asnone united",
            "emails",
            "microsoft way",
            "as8075",
            "united kingdom",
            "aaaa nxdomain",
            "a nxdomain",
            "nxdomain",
            "as8068",
            "as14061",
            "whitelisted",
            "as16276",
            "script urls",
            "name servers",
            "meta",
            "as43317 fishnet"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Brazil",
            "Netherlands",
            "Romania",
            "Russian Federation",
            "Japan"
          ],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1125",
              "name": "Video Capture",
              "display_name": "T1125 - Video Capture"
            },
            {
              "id": "T1040",
              "name": "Network Sniffing",
              "display_name": "T1040 - Network Sniffing"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 13,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 1509,
            "FileHash-MD5": 2213,
            "FileHash-SHA1": 1921,
            "FileHash-SHA256": 4239,
            "domain": 3480,
            "hostname": 2466,
            "CVE": 5,
            "email": 17,
            "SSLCertFingerprint": 4
          },
          "indicator_count": 15854,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 231,
          "modified_text": "783 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65b47524b1ec6b5c783a832e",
          "name": "BazaarLoader | REDCAP | https://jbplegal com/ | Cyber espionage",
          "description": "",
          "modified": "2024-02-25T17:03:29.232000",
          "created": "2024-01-27T03:14:44.070000",
          "tags": [
            "no expiration",
            "filehashsha1",
            "filehashmd5",
            "filehashsha256",
            "url http",
            "ipv4",
            "iocs",
            "url https",
            "next",
            "scan endpoints",
            "expiration",
            "domain",
            "pdf report",
            "pcap",
            "all scoreblue",
            "hostname",
            "tagwearable",
            "email",
            "united",
            "as46562",
            "unknown",
            "as213120",
            "search",
            "creation date",
            "dnssec",
            "showing",
            "entries",
            "as32400 hostway",
            "encrypt",
            "status",
            "date",
            "passive dns",
            "urls",
            "record value",
            "apache",
            "pragma",
            "body",
            "as9009 m247",
            "pulse pulses",
            "files",
            "hosting",
            "location new",
            "as58955 bangmod",
            "pulse submit",
            "url analysis",
            "reverse dns",
            "all search",
            "otx scoreblue",
            "http",
            "ip address",
            "related nids",
            "filehash",
            "sha256",
            "av detections",
            "ids detections",
            "yara detections",
            "alerts",
            "analysis date",
            "june",
            "copy",
            "aaaa",
            "a domains",
            "address",
            "div div",
            "span span",
            "span h2",
            "a li",
            "lucky guy",
            "span",
            "customer",
            "location united",
            "cookie",
            "as54113",
            "xamzexpires300",
            "hstr",
            "github pages",
            "request id",
            "accept",
            "win64",
            "found",
            "show",
            "win32",
            "related pulses",
            "sea x",
            "cache",
            "dynamicloader",
            "targetname",
            "pe32",
            "intel",
            "ms windows",
            "yara rule",
            "high",
            "write",
            "bruteforce",
            "location china",
            "asn as45090",
            "cobalt strike",
            "internet",
            "iana",
            "whois lookups",
            "city",
            "los angeles",
            "orgabusephone",
            "orgid",
            "iana ref",
            "net192",
            "net1920000",
            "ssl cert",
            "ssl certificate",
            "tlsv1 apr",
            "cobaltstrike",
            "default",
            "read",
            "trojan",
            "ghost rat",
            "webtoolbar",
            "nanocore rat",
            "gamehack",
            "redlinestealer",
            "installcore",
            "installbrain",
            "emotet",
            "tofsee",
            "bradesco",
            "agent tesla",
            "trojanspy",
            "suppobox",
            "occamy",
            "dnspionage",
            "stealer",
            "malware",
            "no entries",
            "entries found",
            "delete",
            "found pe",
            "stus",
            "cnus",
            "tlsv1",
            "as20940",
            "as16625 akamai",
            "asnone united",
            "emails",
            "microsoft way",
            "as8075",
            "united kingdom",
            "aaaa nxdomain",
            "a nxdomain",
            "nxdomain",
            "as8068",
            "as3356 level",
            "as15133 verizon",
            "as22822",
            "as20446",
            "cname",
            "honeypot",
            "read c",
            "regsetvalueexa",
            "regdword",
            "as29789",
            "moved",
            "morphex",
            "cryp",
            "susp"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Brazil"
          ],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1125",
              "name": "Video Capture",
              "display_name": "T1125 - Video Capture"
            },
            {
              "id": "T1040",
              "name": "Network Sniffing",
              "display_name": "T1040 - Network Sniffing"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": "65b3fb6752ac464268b971b1",
          "export_count": 13,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 1530,
            "FileHash-MD5": 2428,
            "FileHash-SHA1": 2136,
            "FileHash-SHA256": 5239,
            "domain": 3740,
            "hostname": 2560,
            "CVE": 5,
            "email": 19,
            "SSLCertFingerprint": 4
          },
          "indicator_count": 17661,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 224,
          "modified_text": "783 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65b47501fcbc39983f098723",
          "name": "Honeypot | https://jbplegal com/ | Cyber espionage | DynamicLoader",
          "description": "",
          "modified": "2024-02-25T17:03:29.232000",
          "created": "2024-01-27T03:14:09.392000",
          "tags": [
            "no expiration",
            "filehashsha1",
            "filehashmd5",
            "filehashsha256",
            "url http",
            "ipv4",
            "iocs",
            "url https",
            "next",
            "scan endpoints",
            "expiration",
            "domain",
            "pdf report",
            "pcap",
            "all scoreblue",
            "hostname",
            "tagwearable",
            "email",
            "united",
            "as46562",
            "unknown",
            "as213120",
            "search",
            "creation date",
            "dnssec",
            "showing",
            "entries",
            "as32400 hostway",
            "encrypt",
            "status",
            "date",
            "passive dns",
            "urls",
            "record value",
            "apache",
            "pragma",
            "body",
            "as9009 m247",
            "pulse pulses",
            "files",
            "hosting",
            "location new",
            "as58955 bangmod",
            "pulse submit",
            "url analysis",
            "reverse dns",
            "all search",
            "otx scoreblue",
            "http",
            "ip address",
            "related nids",
            "filehash",
            "sha256",
            "av detections",
            "ids detections",
            "yara detections",
            "alerts",
            "analysis date",
            "june",
            "copy",
            "aaaa",
            "a domains",
            "address",
            "div div",
            "span span",
            "span h2",
            "a li",
            "lucky guy",
            "span",
            "customer",
            "location united",
            "cookie",
            "as54113",
            "xamzexpires300",
            "hstr",
            "github pages",
            "request id",
            "accept",
            "win64",
            "found",
            "show",
            "win32",
            "related pulses",
            "sea x",
            "cache",
            "dynamicloader",
            "targetname",
            "pe32",
            "intel",
            "ms windows",
            "yara rule",
            "high",
            "write",
            "bruteforce",
            "location china",
            "asn as45090",
            "cobalt strike",
            "internet",
            "iana",
            "whois lookups",
            "city",
            "los angeles",
            "orgabusephone",
            "orgid",
            "iana ref",
            "net192",
            "net1920000",
            "ssl cert",
            "ssl certificate",
            "tlsv1 apr",
            "cobaltstrike",
            "default",
            "read",
            "trojan",
            "ghost rat",
            "webtoolbar",
            "nanocore rat",
            "gamehack",
            "redlinestealer",
            "installcore",
            "installbrain",
            "emotet",
            "tofsee",
            "bradesco",
            "agent tesla",
            "trojanspy",
            "suppobox",
            "occamy",
            "dnspionage",
            "stealer",
            "malware",
            "no entries",
            "entries found",
            "delete",
            "found pe",
            "stus",
            "cnus",
            "tlsv1",
            "as20940",
            "as16625 akamai",
            "asnone united",
            "emails",
            "microsoft way",
            "as8075",
            "united kingdom",
            "aaaa nxdomain",
            "a nxdomain",
            "nxdomain",
            "as8068",
            "as14061",
            "whitelisted",
            "as16276",
            "script urls",
            "name servers",
            "meta",
            "as43317 fishnet"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Brazil",
            "Netherlands",
            "Romania",
            "Russian Federation",
            "Japan"
          ],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1125",
              "name": "Video Capture",
              "display_name": "T1125 - Video Capture"
            },
            {
              "id": "T1040",
              "name": "Network Sniffing",
              "display_name": "T1040 - Network Sniffing"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": "65b3fe6c4cd0f5158eb18692",
          "export_count": 12,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 1509,
            "FileHash-MD5": 2213,
            "FileHash-SHA1": 1921,
            "FileHash-SHA256": 4239,
            "domain": 3480,
            "hostname": 2466,
            "CVE": 5,
            "email": 17,
            "SSLCertFingerprint": 4
          },
          "indicator_count": 15854,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 221,
          "modified_text": "783 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65b4757a662a146889c60b6c",
          "name": "PEXE - DOS executable (COM)",
          "description": "",
          "modified": "2024-02-24T16:01:22.095000",
          "created": "2024-01-27T03:16:10.970000",
          "tags": [
            "network_icmp",
            "sha256",
            "yara detections",
            "alerts",
            "icmp traffic",
            "scan endpoints",
            "all scoreblue",
            "filehash",
            "pulse pulses",
            "av detections",
            "ids detections",
            "spain unknown",
            "search",
            "date",
            "status",
            "passive dns",
            "urls",
            "pulse submit",
            "url analysis",
            "files",
            "domain",
            "next",
            "as197068 hll",
            "russia unknown",
            "ipv4",
            "body",
            "alive",
            "belarus unknown",
            "aaaa",
            "moved",
            "domain names",
            "creation date",
            "record value",
            "expiration date",
            "a domains",
            "facebook",
            "twitter",
            "encrypt",
            "httponly",
            "url http",
            "http",
            "ip address",
            "related nids",
            "germany unknown",
            "united",
            "as3320 deutsche",
            "france unknown",
            "united kingdom",
            "italy unknown",
            "as7922 comcast",
            "as701 verizon",
            "as3209 vodafone",
            "china unknown",
            "unknown",
            "as44273 host",
            "msie",
            "chrome",
            "name servers",
            "hostname",
            "maxage86400",
            "ip asn",
            "maxage2592000",
            "gmt server",
            "amazons3",
            "unique",
            "as58061 scalaxy",
            "all search",
            "otx scoreblue",
            "cyprus unknown",
            "as26347",
            "customer",
            "entries",
            "sexkompas",
            "script urls",
            "meta",
            "as29182 jsc",
            "gmt content",
            "script domains",
            "gmt etag",
            "as61400",
            "screenshot",
            "apache",
            "path",
            "as59711 hz",
            "asn as59711",
            "dns resolutions",
            "non dsp",
            "cor cura",
            "url https",
            "as199386 zilore",
            "showing",
            "admitad meta",
            "as44066",
            "connection",
            "date sat",
            "server amazons3",
            "cloudfront",
            "xcache miss",
            "contentlength",
            "acceptranges",
            "server",
            "gmt expires",
            "code",
            "title error",
            "trojan",
            "body doctype",
            "html public",
            "w3cdtd html",
            "html head",
            "meta http",
            "win32",
            "as3326",
            "present jan",
            "reverse dns",
            "gmt path",
            "set cookie",
            "certificate",
            "pragma",
            "location united",
            "show",
            "medium",
            "authenticode",
            "delete",
            "productversion",
            "fileversion",
            "thawte",
            "copy",
            "malware",
            "write",
            "etpro",
            "as14061",
            "whitelisted",
            "as9009 m247",
            "paris",
            "otx telemetry",
            "for privacy",
            "redacted for",
            "dns",
            "DNSpionage",
            "apple",
            "ios",
            "global",
            "cyber threat",
            "tracking",
            "legal abuse",
            "privilege escalation",
            "network",
            "redirect",
            "exploit kit",
            "mey",
            "spyware",
            "dropper",
            "x adblock",
            "virgin islands",
            "type",
            "content length",
            "dga",
            "as3175 filanco",
            "cname",
            "thawte code",
            "as32244 liquid",
            "as24940 hetzner",
            "head body",
            "center hr",
            "gmt contenttype",
            "title",
            "registrar",
            "markmonitor",
            "internet",
            "iana",
            "nethandle",
            "net192",
            "net1920000",
            "iana special",
            "icann",
            "please refer",
            "ietf",
            "best current",
            "whois whois",
            "resolutions",
            "communicating",
            "referrer",
            "win32 exe",
            "putty",
            "java",
            "type name",
            "pe32 executable",
            "ms windows",
            "win16 ne",
            "os2 executable",
            "generic windos",
            "executable",
            "dos executable",
            "generic",
            "info compiler",
            "products",
            "vs2005",
            "vs2008 sp1",
            "vs2008",
            "header x64",
            "name md5",
            "virtualalloc"
          ],
          "references": [
            "PEXE - DOS executable (COM)",
            "redirect_keitaro_exploit_kit_compromised_site_se_referrer",
            "Found in: https://jbplegal.com",
            "http://sexkompas.xyz",
            "DGA Malware Mall Domains: hackingapple.com, video.import-apple.com, DGA- appledreamz.com",
            "tracking2youdu.com , cdn.livechatinc.com",
            "device-local-bf56eb52-6fc6-435b-aadb-9fa1dd89702c.remotewd.com | remotewd.com | 192.168.56.108",
            "http://www.mobiset.ru/photos/2011/march/15/samsung_s3850/img_9.jpg"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Netherlands",
            "China",
            "United States of America",
            "Chile",
            "Germany",
            "France"
          ],
          "malware_families": [
            {
              "id": "Win32:Injector-CVF\\ [Trj]\t\tWin.Mal",
              "display_name": "Win32:Injector-CVF\\ [Trj]\t\tWin.Mal",
              "target": null
            },
            {
              "id": "Win.Malware.Vtflooder-6260355-1",
              "display_name": "Win.Malware.Vtflooder-6260355-1",
              "target": null
            },
            {
              "id": "Win.Trojan.Buzus-5453",
              "display_name": "Win.Trojan.Buzus-5453",
              "target": null
            },
            {
              "id": "Win32:Malware-gen",
              "display_name": "Win32:Malware-gen",
              "target": null
            },
            {
              "id": "Win32:PWSX-gen",
              "display_name": "Win32:PWSX-gen",
              "target": null
            },
            {
              "id": "Trojan:Win32/Glupteba.MT!MTB",
              "display_name": "Trojan:Win32/Glupteba.MT!MTB",
              "target": "/malware/Trojan:Win32/Glupteba.MT!MTB"
            },
            {
              "id": "ETPRO",
              "display_name": "ETPRO",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "TA0011",
              "name": "Command and Control",
              "display_name": "TA0011 - Command and Control"
            },
            {
              "id": "T1046",
              "name": "Network Service Scanning",
              "display_name": "T1046 - Network Service Scanning"
            }
          ],
          "industries": [
            "Legal",
            "Healthcare",
            "Civil Society"
          ],
          "TLP": "white",
          "cloned_from": "65b2909ffdc623904cbfd91d",
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 153,
            "FileHash-SHA1": 71,
            "FileHash-SHA256": 1690,
            "URL": 9526,
            "domain": 4882,
            "hostname": 6120,
            "email": 250,
            "CVE": 2
          },
          "indicator_count": 22694,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 223,
          "modified_text": "784 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65b2909ffdc623904cbfd91d",
          "name": "PEXE - DOS executable (COM)",
          "description": "I don't have a very good description. I can say this was found in a law firm's website and it's not uncommon. Certain attorneys may be under attack based on clients represented. In other instances attorneys use a tool box of malware and other cyber weaponry to track, intimidate and spy on opposition. Very aggressive tactics used. Unfortunately attacks against opponents aren't limited to \"contactless\" attacks. Tracking, cyber espionage, malvertising, iOS 'remotwd', location tracking, reputation abuse.",
          "modified": "2024-02-24T16:01:22.095000",
          "created": "2024-01-25T16:47:26.970000",
          "tags": [
            "network_icmp",
            "sha256",
            "yara detections",
            "alerts",
            "icmp traffic",
            "scan endpoints",
            "all scoreblue",
            "filehash",
            "pulse pulses",
            "av detections",
            "ids detections",
            "spain unknown",
            "search",
            "date",
            "status",
            "passive dns",
            "urls",
            "pulse submit",
            "url analysis",
            "files",
            "domain",
            "next",
            "as197068 hll",
            "russia unknown",
            "ipv4",
            "body",
            "alive",
            "belarus unknown",
            "aaaa",
            "moved",
            "domain names",
            "creation date",
            "record value",
            "expiration date",
            "a domains",
            "facebook",
            "twitter",
            "encrypt",
            "httponly",
            "url http",
            "http",
            "ip address",
            "related nids",
            "germany unknown",
            "united",
            "as3320 deutsche",
            "france unknown",
            "united kingdom",
            "italy unknown",
            "as7922 comcast",
            "as701 verizon",
            "as3209 vodafone",
            "china unknown",
            "unknown",
            "as44273 host",
            "msie",
            "chrome",
            "name servers",
            "hostname",
            "maxage86400",
            "ip asn",
            "maxage2592000",
            "gmt server",
            "amazons3",
            "unique",
            "as58061 scalaxy",
            "all search",
            "otx scoreblue",
            "cyprus unknown",
            "as26347",
            "customer",
            "entries",
            "sexkompas",
            "script urls",
            "meta",
            "as29182 jsc",
            "gmt content",
            "script domains",
            "gmt etag",
            "as61400",
            "screenshot",
            "apache",
            "path",
            "as59711 hz",
            "asn as59711",
            "dns resolutions",
            "non dsp",
            "cor cura",
            "url https",
            "as199386 zilore",
            "showing",
            "admitad meta",
            "as44066",
            "connection",
            "date sat",
            "server amazons3",
            "cloudfront",
            "xcache miss",
            "contentlength",
            "acceptranges",
            "server",
            "gmt expires",
            "code",
            "title error",
            "trojan",
            "body doctype",
            "html public",
            "w3cdtd html",
            "html head",
            "meta http",
            "win32",
            "as3326",
            "present jan",
            "reverse dns",
            "gmt path",
            "set cookie",
            "certificate",
            "pragma",
            "location united",
            "show",
            "medium",
            "authenticode",
            "delete",
            "productversion",
            "fileversion",
            "thawte",
            "copy",
            "malware",
            "write",
            "etpro",
            "as14061",
            "whitelisted",
            "as9009 m247",
            "paris",
            "otx telemetry",
            "for privacy",
            "redacted for",
            "dns",
            "DNSpionage",
            "apple",
            "ios",
            "global",
            "cyber threat",
            "tracking",
            "legal abuse",
            "privilege escalation",
            "network",
            "redirect",
            "exploit kit",
            "mey",
            "spyware",
            "dropper",
            "x adblock",
            "virgin islands",
            "type",
            "content length",
            "dga",
            "as3175 filanco",
            "cname",
            "thawte code",
            "as32244 liquid",
            "as24940 hetzner",
            "head body",
            "center hr",
            "gmt contenttype",
            "title",
            "registrar",
            "markmonitor",
            "internet",
            "iana",
            "nethandle",
            "net192",
            "net1920000",
            "iana special",
            "icann",
            "please refer",
            "ietf",
            "best current",
            "whois whois",
            "resolutions",
            "communicating",
            "referrer",
            "win32 exe",
            "putty",
            "java",
            "type name",
            "pe32 executable",
            "ms windows",
            "win16 ne",
            "os2 executable",
            "generic windos",
            "executable",
            "dos executable",
            "generic",
            "info compiler",
            "products",
            "vs2005",
            "vs2008 sp1",
            "vs2008",
            "header x64",
            "name md5",
            "virtualalloc"
          ],
          "references": [
            "PEXE - DOS executable (COM)",
            "redirect_keitaro_exploit_kit_compromised_site_se_referrer",
            "Found in: https://jbplegal.com",
            "http://sexkompas.xyz",
            "DGA Malware Mall Domains: hackingapple.com, video.import-apple.com, DGA- appledreamz.com",
            "tracking2youdu.com , cdn.livechatinc.com",
            "device-local-bf56eb52-6fc6-435b-aadb-9fa1dd89702c.remotewd.com | remotewd.com | 192.168.56.108",
            "http://www.mobiset.ru/photos/2011/march/15/samsung_s3850/img_9.jpg"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Netherlands",
            "China",
            "United States of America",
            "Chile",
            "Germany",
            "France"
          ],
          "malware_families": [
            {
              "id": "Win32:Injector-CVF\\ [Trj]\t\tWin.Mal",
              "display_name": "Win32:Injector-CVF\\ [Trj]\t\tWin.Mal",
              "target": null
            },
            {
              "id": "Win.Malware.Vtflooder-6260355-1",
              "display_name": "Win.Malware.Vtflooder-6260355-1",
              "target": null
            },
            {
              "id": "Win.Trojan.Buzus-5453",
              "display_name": "Win.Trojan.Buzus-5453",
              "target": null
            },
            {
              "id": "Win32:Malware-gen",
              "display_name": "Win32:Malware-gen",
              "target": null
            },
            {
              "id": "Win32:PWSX-gen",
              "display_name": "Win32:PWSX-gen",
              "target": null
            },
            {
              "id": "Trojan:Win32/Glupteba.MT!MTB",
              "display_name": "Trojan:Win32/Glupteba.MT!MTB",
              "target": "/malware/Trojan:Win32/Glupteba.MT!MTB"
            },
            {
              "id": "ETPRO",
              "display_name": "ETPRO",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "TA0011",
              "name": "Command and Control",
              "display_name": "TA0011 - Command and Control"
            },
            {
              "id": "T1046",
              "name": "Network Service Scanning",
              "display_name": "T1046 - Network Service Scanning"
            }
          ],
          "industries": [
            "Legal",
            "Healthcare",
            "Civil Society"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 10,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 153,
            "FileHash-SHA1": 71,
            "FileHash-SHA256": 1690,
            "URL": 9526,
            "domain": 4882,
            "hostname": 6120,
            "email": 250,
            "CVE": 2
          },
          "indicator_count": 22694,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 230,
          "modified_text": "784 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65b4757d6dd7dae344aed3f5",
          "name": "PEXE - DOS executable (COM)",
          "description": "",
          "modified": "2024-02-24T16:01:22.095000",
          "created": "2024-01-27T03:16:13.209000",
          "tags": [
            "network_icmp",
            "sha256",
            "yara detections",
            "alerts",
            "icmp traffic",
            "scan endpoints",
            "all scoreblue",
            "filehash",
            "pulse pulses",
            "av detections",
            "ids detections",
            "spain unknown",
            "search",
            "date",
            "status",
            "passive dns",
            "urls",
            "pulse submit",
            "url analysis",
            "files",
            "domain",
            "next",
            "as197068 hll",
            "russia unknown",
            "ipv4",
            "body",
            "alive",
            "belarus unknown",
            "aaaa",
            "moved",
            "domain names",
            "creation date",
            "record value",
            "expiration date",
            "a domains",
            "facebook",
            "twitter",
            "encrypt",
            "httponly",
            "url http",
            "http",
            "ip address",
            "related nids",
            "germany unknown",
            "united",
            "as3320 deutsche",
            "france unknown",
            "united kingdom",
            "italy unknown",
            "as7922 comcast",
            "as701 verizon",
            "as3209 vodafone",
            "china unknown",
            "unknown",
            "as44273 host",
            "msie",
            "chrome",
            "name servers",
            "hostname",
            "maxage86400",
            "ip asn",
            "maxage2592000",
            "gmt server",
            "amazons3",
            "unique",
            "as58061 scalaxy",
            "all search",
            "otx scoreblue",
            "cyprus unknown",
            "as26347",
            "customer",
            "entries",
            "sexkompas",
            "script urls",
            "meta",
            "as29182 jsc",
            "gmt content",
            "script domains",
            "gmt etag",
            "as61400",
            "screenshot",
            "apache",
            "path",
            "as59711 hz",
            "asn as59711",
            "dns resolutions",
            "non dsp",
            "cor cura",
            "url https",
            "as199386 zilore",
            "showing",
            "admitad meta",
            "as44066",
            "connection",
            "date sat",
            "server amazons3",
            "cloudfront",
            "xcache miss",
            "contentlength",
            "acceptranges",
            "server",
            "gmt expires",
            "code",
            "title error",
            "trojan",
            "body doctype",
            "html public",
            "w3cdtd html",
            "html head",
            "meta http",
            "win32",
            "as3326",
            "present jan",
            "reverse dns",
            "gmt path",
            "set cookie",
            "certificate",
            "pragma",
            "location united",
            "show",
            "medium",
            "authenticode",
            "delete",
            "productversion",
            "fileversion",
            "thawte",
            "copy",
            "malware",
            "write",
            "etpro",
            "as14061",
            "whitelisted",
            "as9009 m247",
            "paris",
            "otx telemetry",
            "for privacy",
            "redacted for",
            "dns",
            "DNSpionage",
            "apple",
            "ios",
            "global",
            "cyber threat",
            "tracking",
            "legal abuse",
            "privilege escalation",
            "network",
            "redirect",
            "exploit kit",
            "mey",
            "spyware",
            "dropper",
            "x adblock",
            "virgin islands",
            "type",
            "content length",
            "dga",
            "as3175 filanco",
            "cname",
            "thawte code",
            "as32244 liquid",
            "as24940 hetzner",
            "head body",
            "center hr",
            "gmt contenttype",
            "title",
            "registrar",
            "markmonitor",
            "internet",
            "iana",
            "nethandle",
            "net192",
            "net1920000",
            "iana special",
            "icann",
            "please refer",
            "ietf",
            "best current",
            "whois whois",
            "resolutions",
            "communicating",
            "referrer",
            "win32 exe",
            "putty",
            "java",
            "type name",
            "pe32 executable",
            "ms windows",
            "win16 ne",
            "os2 executable",
            "generic windos",
            "executable",
            "dos executable",
            "generic",
            "info compiler",
            "products",
            "vs2005",
            "vs2008 sp1",
            "vs2008",
            "header x64",
            "name md5",
            "virtualalloc"
          ],
          "references": [
            "PEXE - DOS executable (COM)",
            "redirect_keitaro_exploit_kit_compromised_site_se_referrer",
            "Found in: https://jbplegal.com",
            "http://sexkompas.xyz",
            "DGA Malware Mall Domains: hackingapple.com, video.import-apple.com, DGA- appledreamz.com",
            "tracking2youdu.com , cdn.livechatinc.com",
            "device-local-bf56eb52-6fc6-435b-aadb-9fa1dd89702c.remotewd.com | remotewd.com | 192.168.56.108",
            "http://www.mobiset.ru/photos/2011/march/15/samsung_s3850/img_9.jpg"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Netherlands",
            "China",
            "United States of America",
            "Chile",
            "Germany",
            "France"
          ],
          "malware_families": [
            {
              "id": "Win32:Injector-CVF\\ [Trj]\t\tWin.Mal",
              "display_name": "Win32:Injector-CVF\\ [Trj]\t\tWin.Mal",
              "target": null
            },
            {
              "id": "Win.Malware.Vtflooder-6260355-1",
              "display_name": "Win.Malware.Vtflooder-6260355-1",
              "target": null
            },
            {
              "id": "Win.Trojan.Buzus-5453",
              "display_name": "Win.Trojan.Buzus-5453",
              "target": null
            },
            {
              "id": "Win32:Malware-gen",
              "display_name": "Win32:Malware-gen",
              "target": null
            },
            {
              "id": "Win32:PWSX-gen",
              "display_name": "Win32:PWSX-gen",
              "target": null
            },
            {
              "id": "Trojan:Win32/Glupteba.MT!MTB",
              "display_name": "Trojan:Win32/Glupteba.MT!MTB",
              "target": "/malware/Trojan:Win32/Glupteba.MT!MTB"
            },
            {
              "id": "ETPRO",
              "display_name": "ETPRO",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "TA0011",
              "name": "Command and Control",
              "display_name": "TA0011 - Command and Control"
            },
            {
              "id": "T1046",
              "name": "Network Service Scanning",
              "display_name": "T1046 - Network Service Scanning"
            }
          ],
          "industries": [
            "Legal",
            "Healthcare",
            "Civil Society"
          ],
          "TLP": "white",
          "cloned_from": "65b2909ffdc623904cbfd91d",
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 153,
            "FileHash-SHA1": 71,
            "FileHash-SHA256": 1690,
            "URL": 9526,
            "domain": 4882,
            "hostname": 6120,
            "email": 250,
            "CVE": 2
          },
          "indicator_count": 22694,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 220,
          "modified_text": "784 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65b85dca7d8bf0aea33abc3a",
          "name": "PEXE - DOS executable ",
          "description": "",
          "modified": "2024-02-24T16:01:22.095000",
          "created": "2024-01-30T02:24:10.454000",
          "tags": [
            "network_icmp",
            "sha256",
            "yara detections",
            "alerts",
            "icmp traffic",
            "scan endpoints",
            "all scoreblue",
            "filehash",
            "pulse pulses",
            "av detections",
            "ids detections",
            "spain unknown",
            "search",
            "date",
            "status",
            "passive dns",
            "urls",
            "pulse submit",
            "url analysis",
            "files",
            "domain",
            "next",
            "as197068 hll",
            "russia unknown",
            "ipv4",
            "body",
            "alive",
            "belarus unknown",
            "aaaa",
            "moved",
            "domain names",
            "creation date",
            "record value",
            "expiration date",
            "a domains",
            "facebook",
            "twitter",
            "encrypt",
            "httponly",
            "url http",
            "http",
            "ip address",
            "related nids",
            "germany unknown",
            "united",
            "as3320 deutsche",
            "france unknown",
            "united kingdom",
            "italy unknown",
            "as7922 comcast",
            "as701 verizon",
            "as3209 vodafone",
            "china unknown",
            "unknown",
            "as44273 host",
            "msie",
            "chrome",
            "name servers",
            "hostname",
            "maxage86400",
            "ip asn",
            "maxage2592000",
            "gmt server",
            "amazons3",
            "unique",
            "as58061 scalaxy",
            "all search",
            "otx scoreblue",
            "cyprus unknown",
            "as26347",
            "customer",
            "entries",
            "sexkompas",
            "script urls",
            "meta",
            "as29182 jsc",
            "gmt content",
            "script domains",
            "gmt etag",
            "as61400",
            "screenshot",
            "apache",
            "path",
            "as59711 hz",
            "asn as59711",
            "dns resolutions",
            "non dsp",
            "cor cura",
            "url https",
            "as199386 zilore",
            "showing",
            "admitad meta",
            "as44066",
            "connection",
            "date sat",
            "server amazons3",
            "cloudfront",
            "xcache miss",
            "contentlength",
            "acceptranges",
            "server",
            "gmt expires",
            "code",
            "title error",
            "trojan",
            "body doctype",
            "html public",
            "w3cdtd html",
            "html head",
            "meta http",
            "win32",
            "as3326",
            "present jan",
            "reverse dns",
            "gmt path",
            "set cookie",
            "certificate",
            "pragma",
            "location united",
            "show",
            "medium",
            "authenticode",
            "delete",
            "productversion",
            "fileversion",
            "thawte",
            "copy",
            "malware",
            "write",
            "etpro",
            "as14061",
            "whitelisted",
            "as9009 m247",
            "paris",
            "otx telemetry",
            "for privacy",
            "redacted for",
            "dns",
            "DNSpionage",
            "apple",
            "ios",
            "global",
            "cyber threat",
            "tracking",
            "legal abuse",
            "privilege escalation",
            "network",
            "redirect",
            "exploit kit",
            "mey",
            "spyware",
            "dropper",
            "x adblock",
            "virgin islands",
            "type",
            "content length",
            "dga",
            "as3175 filanco",
            "cname",
            "thawte code",
            "as32244 liquid",
            "as24940 hetzner",
            "head body",
            "center hr",
            "gmt contenttype",
            "title",
            "registrar",
            "markmonitor",
            "internet",
            "iana",
            "nethandle",
            "net192",
            "net1920000",
            "iana special",
            "icann",
            "please refer",
            "ietf",
            "best current",
            "whois whois",
            "resolutions",
            "communicating",
            "referrer",
            "win32 exe",
            "putty",
            "java",
            "type name",
            "pe32 executable",
            "ms windows",
            "win16 ne",
            "os2 executable",
            "generic windos",
            "executable",
            "dos executable",
            "generic",
            "info compiler",
            "products",
            "vs2005",
            "vs2008 sp1",
            "vs2008",
            "header x64",
            "name md5",
            "virtualalloc"
          ],
          "references": [
            "PEXE - DOS executable (COM)",
            "redirect_keitaro_exploit_kit_compromised_site_se_referrer",
            "Found in: https://jbplegal.com",
            "http://sexkompas.xyz",
            "DGA Malware Mall Domains: hackingapple.com, video.import-apple.com, DGA- appledreamz.com",
            "tracking2youdu.com , cdn.livechatinc.com",
            "device-local-bf56eb52-6fc6-435b-aadb-9fa1dd89702c.remotewd.com | remotewd.com | 192.168.56.108",
            "http://www.mobiset.ru/photos/2011/march/15/samsung_s3850/img_9.jpg"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Netherlands",
            "China",
            "United States of America",
            "Chile",
            "Germany",
            "France"
          ],
          "malware_families": [
            {
              "id": "Win32:Injector-CVF\\ [Trj]\t\tWin.Mal",
              "display_name": "Win32:Injector-CVF\\ [Trj]\t\tWin.Mal",
              "target": null
            },
            {
              "id": "Win.Malware.Vtflooder-6260355-1",
              "display_name": "Win.Malware.Vtflooder-6260355-1",
              "target": null
            },
            {
              "id": "Win.Trojan.Buzus-5453",
              "display_name": "Win.Trojan.Buzus-5453",
              "target": null
            },
            {
              "id": "Win32:Malware-gen",
              "display_name": "Win32:Malware-gen",
              "target": null
            },
            {
              "id": "Win32:PWSX-gen",
              "display_name": "Win32:PWSX-gen",
              "target": null
            },
            {
              "id": "Trojan:Win32/Glupteba.MT!MTB",
              "display_name": "Trojan:Win32/Glupteba.MT!MTB",
              "target": "/malware/Trojan:Win32/Glupteba.MT!MTB"
            },
            {
              "id": "ETPRO",
              "display_name": "ETPRO",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "TA0011",
              "name": "Command and Control",
              "display_name": "TA0011 - Command and Control"
            },
            {
              "id": "T1046",
              "name": "Network Service Scanning",
              "display_name": "T1046 - Network Service Scanning"
            }
          ],
          "industries": [
            "Legal",
            "Healthcare",
            "Civil Society"
          ],
          "TLP": "white",
          "cloned_from": "65b4757a662a146889c60b6c",
          "export_count": 5,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 153,
            "FileHash-SHA1": 71,
            "FileHash-SHA256": 1690,
            "URL": 9526,
            "domain": 4882,
            "hostname": 6120,
            "email": 250,
            "CVE": 2
          },
          "indicator_count": 22694,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 227,
          "modified_text": "784 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65a2418a73d5d36efff0b0f7",
          "name": "Lotus -Game-Version-Update.exe | trojan.onlinegames/aoks",
          "description": "Potentially downloads with other malware. Remote.  Downloads installer. Alerts victim of a compromise, (through an update)attempts to have user purchases fix.",
          "modified": "2024-02-12T06:00:23.986000",
          "created": "2024-01-13T07:53:46.481000",
          "tags": [
            "langchinese",
            "rtcursor",
            "rtgroupcursor",
            "lotus",
            "regsetvalueexa",
            "write",
            "search",
            "regdword",
            "create c",
            "read c",
            "trojan",
            "copy",
            "win32",
            "malware",
            "agent",
            "unknown",
            "next",
            "ioc search",
            "new ioc",
            "teams api",
            "contact",
            "threat analyzer",
            "threat",
            "paste",
            "iocs",
            "urls http",
            "gameid0 http",
            "please",
            "xport",
            "malware infection",
            "default",
            "crlf line",
            "unicode",
            "showing",
            "show",
            "medium",
            "compiler",
            "submission",
            "vhash",
            "imphash",
            "rich pe",
            "ssdeep",
            "win32 exe",
            "magic pe32",
            "ms windows",
            "intel",
            "simplified",
            "sections",
            "sha256 file",
            "type type",
            "chi2",
            "vs2003",
            "highlights",
            "file",
            "file version",
            "description",
            "original",
            "internal name",
            "version",
            "portable",
            "info compiler",
            "products",
            "whois record",
            "contacted",
            "pe resource",
            "whois whois",
            "historical ssl",
            "ssl certificate",
            "resolutions",
            "subdomains",
            "referrer",
            "pippidxsd",
            "execution",
            "stealer",
            "benjamin",
            "worm",
            "rar",
            "pe",
            "pexee",
            "crack",
            "remote",
            "download",
            "registrar abuse",
            "date",
            "redacted for",
            "server",
            "letshost",
            "domain status",
            "registry tech",
            "registrar whois",
            "contact email",
            "registry domain",
            "code",
            "service",
            "algorithm",
            "first",
            "v3 serial",
            "number",
            "subject public",
            "key info",
            "key algorithm",
            "key identifier",
            "subject key",
            "identifier",
            "win32 dll",
            "ace utilities",
            "unhackme",
            "type name",
            "wextract",
            "total commander",
            "powerpack",
            "windows doctor",
            "tagwrapcore",
            "communicating",
            "51260032",
            "61760164",
            "bundled",
            "scam",
            "password",
            "fraud services",
            "cybercrime"
          ],
          "references": [
            "Game-Version-Update.exe",
            "File: 2373aaec6f38bb129aab12741f2d8be237e0629db1f50206bae0ebefd959815a",
            "history.ie",
            "Yara ruleset match: Windows_API_Function by InQuest Labs",
            "registry-commander.exe",
            "password-recovery-tools-2012-professional-trial.exe",
            "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [how could this be in everything!?]",
            "https://www.anyxxxtube.net/media/favicon/apple",
            "https://mail.greycroft.com/owa/redir.aspx?SURL=zRgJdPcEmzMcui5aPZuMhrMWFaQp7UWJt7B48ki50f3tl7bBVhrTCGgAdAB0AHAAcwA6AC8ALwBpAHQAdQBuAGUAcwAuAGEAcABwAGwAZQAuAGMAbwBtAC8AdQBzAC8AYQBwAHAALwBhAG4AaQBtAGEAdABpAGMALQBiAHkALQBpAG4AawBiAG8AYQByAGQALwBpAGQAMQAwADUAMgAzADcAOQAxADUANAA_AGwAcwA9ADEAJgBtAHQAPQA4AA..&URL=https://itunes.apple.com/us/app/animatic-by-inkboard/id1052379154?ls=1&mt=8",
            "https://mediacherry.space/vn/vb/wheel/?key=eyJ0aW1lc3RhbXAiOiIxNzA0ODcwMzc2IiwiaGFzaCI6ImI5OWQ3ODQ3NTIyMDA5NTBmNmRiODY1NmUxNWY5YWMyZTc3MGExMTcifQ==&ccc=VN&ppp=PropellerAds:Popunder&tdom=www.a1000.online&zoneid=6534225&bemobdata=c=2f8cb72d-d2e6-4570-b258-aeb3acc53b24..l=6d25aa09-cccc-4797-aef4-7aa11d1e0dcb..a=0..b=0..z=0.000035..e=768844675632074752..c1=6534225..c2=7541054..c3=VN..c4=wireless..c5=viettel_mobile-vn..c6=other..c7=chrome..c8=27..c9=viettelcorporation..c10=Mozilla/5~BEMOB_DOT~0(Linux;Android10;K",
            "device-local-bf56eb52-6fc6-435b-aadb-9fa1dd89702c.remotewd.com"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Win32:Agent-AOKS\\ [Trj]",
              "display_name": "Win32:Agent-AOKS\\ [Trj]",
              "target": null
            },
            {
              "id": "Win.Trojan.Bho-136",
              "display_name": "Win.Trojan.Bho-136",
              "target": null
            },
            {
              "id": "Trojan:Win32/BHO.CV",
              "display_name": "Trojan:Win32/BHO.CV",
              "target": "/malware/Trojan:Win32/BHO.CV"
            },
            {
              "id": "trojan.onlinegames/aoks",
              "display_name": "trojan.onlinegames/aoks",
              "target": null
            },
            {
              "id": "Worm:Win32/Benjamin",
              "display_name": "Worm:Win32/Benjamin",
              "target": "/malware/Worm:Win32/Benjamin"
            },
            {
              "id": "CRACK_UnHackMe_sigma.rar",
              "display_name": "CRACK_UnHackMe_sigma.rar",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1040",
              "name": "Network Sniffing",
              "display_name": "T1040 - Network Sniffing"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1614",
              "name": "System Location Discovery",
              "display_name": "T1614 - System Location Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1016.001",
              "name": "Internet Connection Discovery",
              "display_name": "T1016.001 - Internet Connection Discovery"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "TA0007",
              "name": "Discovery",
              "display_name": "TA0007 - Discovery"
            },
            {
              "id": "TA0002",
              "name": "Execution",
              "display_name": "TA0002 - Execution"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "TA0003",
              "name": "Persistence",
              "display_name": "TA0003 - Persistence"
            },
            {
              "id": "T1547.001",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "TA0004",
              "name": "Privilege Escalation",
              "display_name": "TA0004 - Privilege Escalation"
            },
            {
              "id": "TA0005",
              "name": "Defense Evasion",
              "display_name": "TA0005 - Defense Evasion"
            },
            {
              "id": "T1222",
              "name": "File and Directory Permissions Modification",
              "display_name": "T1222 - File and Directory Permissions Modification"
            },
            {
              "id": "T1021",
              "name": "Remote Services",
              "display_name": "T1021 - Remote Services"
            },
            {
              "id": "T1210",
              "name": "Exploitation of Remote Services",
              "display_name": "T1210 - Exploitation of Remote Services"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 14,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 679,
            "FileHash-SHA1": 630,
            "FileHash-SHA256": 4958,
            "URL": 4966,
            "domain": 437,
            "hostname": 1429,
            "email": 1
          },
          "indicator_count": 13100,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 220,
          "modified_text": "797 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "658ef9146f87e38603fe8bbb",
          "name": "Pegasus Attacking SA victim & advocate | Target in harms way ",
          "description": "",
          "modified": "2024-01-28T00:00:51.288000",
          "created": "2023-12-29T16:51:32.324000",
          "tags": [
            "ioc search",
            "new ioc",
            "teams api",
            "contact",
            "threat analyzer",
            "threat",
            "paste",
            "iocs",
            "hostnames",
            "microsoft",
            "expiration",
            "url https",
            "no expiration",
            "url http",
            "hostname",
            "ipv4",
            "domain",
            "next",
            "scan endpoints",
            "filehashsha256",
            "filehashmd5",
            "filehashsha1",
            "all octoseek",
            "create new",
            "pulse use",
            "pdf report",
            "pcap",
            "stix",
            "Hall Render",
            "advocate",
            "amazon02",
            "ascii text",
            "assaulted",
            "bangladesh",
            "beijing baidu",
            "blackbag",
            "car bomb threats",
            "cellbrite",
            "brian sabey",
            "brian",
            "ck id",
            "ck matrix",
            "class",
            "click",
            "communicating",
            "comspec",
            "iocs",
            "limited",
            "local",
            "contacted",
            "core",
            "critical",
            "crypto",
            "ursnif",
            "utc",
            "submissions",
            "windir",
            "highly targeted",
            "historical ssl",
            "december",
            "discord",
            "domestic cyber terrorism",
            "date",
            "error",
            "execution",
            "factory",
            "falcon",
            "falcon sandbox",
            "filehashmd5",
            "first",
            "getprocaddress",
            "gmo",
            "internet",
            "hacktool",
            "hallrender",
            "attacks",
            "hashes",
            "files",
            "hybrid",
            "infection source",
            "installer",
            "localappdata",
            "malicious",
            "malware http",
            "malware",
            "http",
            "malicious malware",
            "march",
            "spyware",
            "ssl certificate",
            "mark",
            "mark brian sabey",
            "mark sabey",
            "meekserver",
            "meta",
            "metro",
            "microsoft",
            "survivor",
            "submitters",
            "strings",
            "mitre att",
            "model",
            "name",
            "name verdict",
            "netcom science",
            "no expiration",
            "online sas",
            "open paste",
            "path pattern match",
            "pegasus",
            "prynt",
            "redline stealer",
            "smokeloader",
            "referrer",
            "reports",
            "roboto",
            "runtime process",
            "sabey",
            "script",
            "show technique",
            "sha1",
            "sha256",
            "new ioc",
            "stopransomware",
            "targets sa",
            "teams",
            "api",
            "threat",
            "threat analyzer",
            "threat roundup",
            "tsara brashears",
            "unknown",
            "url http",
            "url https",
            "urls https",
            "malvertizing",
            "Jeffrey reimer dpt assault case",
            "114.114.114.114",
            "T1622 - Debugger Evasion"
          ],
          "references": [
            "Pegasus Attacking SA victim & advocate |  Not interested in Predator",
            "https://www.virustotal.com/gui/url/9bd3f99373b39e31fc935f62744c14e595df92c3f388753b507a395112f2dbda/summary",
            "https://cellebrite.com/en/federal-government/",
            "http://pegasus.diskel.co.uk/",
            "deviceinbox.com",
            "https://www.virustotal.com/gui/collection/29a886e3e9eed3e8185f260116f9b036abf042022e9a9b5b1b311f92be705122/iocs",
            "https://hallrender.com/attorney/brian-sabey",
            "https://hybrid-analysis.com/sample/209db5b7a473df6f2bff9274b96e556ec296237fdb134959f413c6b3b93fff74",
            "https://hybrid-analysis.com/sample/e607e46da2b0d7129c9e783417619ee924be28792ce1323ed5cdfcbeb5c2c2e9/658df78b0dd01fa2970b7a7e",
            "https://hybrid-analysis.com/sample/9c664935c8b82101733515e488e990d3c2db4b2594b0e427d01147e50953906e/658df4ed7644098eee08e1a4",
            "Below are malvertizing links featuring target and alleged assaulter",
            "https://urlscan.io/domain/video-lal.com | Was extremely malicious",
            "https://archive.ph/rhBxZ",
            "https://mypornwap.fun/downloads/search/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears-tgz",
            "https://www.hybrid-analysis.com/sample/eab469685b2890cd50ca8a3705119a1c0a9c273c5951b57794aa8b16e8a42d6c/5f772b611a96402847793b79",
            "https://otx.alienvault.com/browse/global/pulses?q=tag:threats&include_inactive=0&sort=-modified&page=1&limit=10&indicatorsSearch=threats",
            "https://otx.alienvault.com/pulse/6570a6c41702fdce6c496a1d",
            "https://otx.alienvault.com/indicator/url/http:%2F%2Fpixelrz.com%2Flists%2Fkeywords%2F%2520dr-jeffrey-reimer-dpt-funds-tsara-brashears%2F",
            "https://www. pornhub .com /video/ search?search=tsara+brashears",
            "wapwon(.)live/category/tsara-brashears-assaulted-by-jeffrey-reimerAccept-Language",
            "https://www(.)tryindiansex(.)com/s/tsara-brashears/",
            "https://m.youtube.com/watch?v=GyuMozsVyYs | Sabey angry over music expression that's never named assaulter",
            "Victim to afraid to bring lawsuit for attack that caused SCI. Endlessly bullied.",
            "https://pornbitter.com/storage/jeffrey-reimer-puts-his-love-on-top-tsara-brashears/",
            "https://iporntv.mobi/tsara-brashears.html?page=4",
            "https://www.toindian.com/s/jeffrey-reimer-dpt-porn/",
            "https://otx.alienvault.com/pulse/655d0f94ad4d7cdc5e3f0a98",
            "Social Engineering",
            "https://otx.alienvault.com/pulse/652214c652025febf66cde33",
            "https://hallrender.com/attorney/brian-sabey",
            "https://timersys.com/wordpress-social-invitations/docs/cron-jobs/",
            "Apple iOS",
            "https://t.me/hermitspyware/24",
            "developer.apple.com",
            "Tulach: 114.114.114.114"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Saudi Arabia",
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "ASCII",
              "display_name": "ASCII",
              "target": null
            },
            {
              "id": "Appleservice",
              "display_name": "Appleservice",
              "target": null
            },
            {
              "id": "Amazon",
              "display_name": "Amazon",
              "target": null
            },
            {
              "id": "Comspec",
              "display_name": "Comspec",
              "target": null
            },
            {
              "id": "HackTool",
              "display_name": "HackTool",
              "target": null
            },
            {
              "id": "HallRender",
              "display_name": "HallRender",
              "target": null
            },
            {
              "id": "Pegasus for iOS - S0289",
              "display_name": "Pegasus for iOS - S0289",
              "target": null
            },
            {
              "id": "Prynt",
              "display_name": "Prynt",
              "target": null
            },
            {
              "id": "Roboto",
              "display_name": "Roboto",
              "target": null
            },
            {
              "id": "Sabey Urself - S0386",
              "display_name": "Sabey Urself - S0386",
              "target": null
            },
            {
              "id": "Tulach",
              "display_name": "Tulach",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1005",
              "name": "Data from Local System",
              "display_name": "T1005 - Data from Local System"
            },
            {
              "id": "T1010",
              "name": "Application Window Discovery",
              "display_name": "T1010 - Application Window Discovery"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1059.002",
              "name": "AppleScript",
              "display_name": "T1059.002 - AppleScript"
            },
            {
              "id": "T1449",
              "name": "Exploit SS7 to Redirect Phone Calls/SMS",
              "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1546",
              "name": "Event Triggered Execution",
              "display_name": "T1546 - Event Triggered Execution"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1218",
              "name": "Signed Binary Proxy Execution",
              "display_name": "T1218 - Signed Binary Proxy Execution"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1071.002",
              "name": "File Transfer Protocols",
              "display_name": "T1071.002 - File Transfer Protocols"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1071.003",
              "name": "Mail Protocols",
              "display_name": "T1071.003 - Mail Protocols"
            },
            {
              "id": "TA0011",
              "name": "Command and Control",
              "display_name": "TA0011 - Command and Control"
            },
            {
              "id": "T1037",
              "name": "Boot or Logon Initialization Scripts",
              "display_name": "T1037 - Boot or Logon Initialization Scripts"
            },
            {
              "id": "T1583.005",
              "name": "Botnet",
              "display_name": "T1583.005 - Botnet"
            },
            {
              "id": "T1207",
              "name": "Rogue Domain Controller",
              "display_name": "T1207 - Rogue Domain Controller"
            },
            {
              "id": "T1088",
              "name": "Bypass User Account Control",
              "display_name": "T1088 - Bypass User Account Control"
            },
            {
              "id": "T1467",
              "name": "Rogue Cellular Base Station",
              "display_name": "T1467 - Rogue Cellular Base Station"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "658e2893e01cff9072864f8e",
          "export_count": 30,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 591,
            "FileHash-MD5": 194,
            "FileHash-SHA1": 153,
            "FileHash-SHA256": 801,
            "domain": 230,
            "hostname": 637,
            "CVE": 1,
            "email": 1
          },
          "indicator_count": 2608,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 224,
          "modified_text": "812 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "",
        "com.apple.atsd.support.sb",
        "svn.vim",
        "logindefs.vim",
        "n1ql.vim",
        "https://www.filescan.io/uploads/67c6bd19e95d0f9029e3804f/reports/834b740f-9bcb-42d9-b6a1-a0a8dbd07b07/overview",
        "taskedit.vim",
        "Mac-B4831CEBD52A0C4C.plist",
        "SWAction.h",
        "dsl.vim",
        "java_methods_style_signature_03.vim",
        "MTLEvent.h",
        "htm.com: htm | prod.phx3.secureserver.net | unknown.ip.secureserver.net",
        "dots_02",
        "VZStorageDeviceAttachment.h",
        "antlr.vim",
        "https://www.hybrid-analysis.com/sample/eab469685b2890cd50ca8a3705119a1c0a9c273c5951b57794aa8b16e8a42d6c/5f772b611a96402847793b79",
        "get-devices.test",
        "java_methods_style.java",
        "print-job-media-col.test",
        "matlab.vim",
        "Alerts: spawns_dev_util cape_detected_threat injection_process_hollowing antivm_generic_services",
        "dtrace.vim",
        "vim_ex_throw.vim",
        "java_numbers_02.dump",
        "cleanadd.vim",
        "racc.vim",
        "verilogams.vim",
        "IDS Detections: Query for .cc TLD Suspicious User-Agent (Presto) Double User-Agent (User-Agent User-Agent)",
        "https://pin.it/ | https://www.anyxxxtube.net/search-porn/tsara-brashears/",
        "java_lambda_expressions_signature_08.dump",
        "al.h",
        "nosyntax.vim",
        "https://fboomporn.com/engine/opensearch.php \u2022 http://porn.hub-accessories.site/ \u2022 https://pic.porn.hub-accessories.site",
        "SCError.h",
        "xml_processing_instruction.c",
        "telemetry-incoming.r53-2.services.mozilla.com",
        "desktop.vim",
        "java_methods_indent4_signature_00.dump",
        "cams4all.com",
        "Game-Version-Update.exe",
        "mix.vim",
        "rbCFPlistError.rb",
        "Apple iOS",
        "inittab.vim",
        "vector.c",
        "com.apple.FontValidator.sb",
        "modula2_iso_01.dump",
        "upstreamdat.vim",
        "WebKit.bridgesupport",
        "java_methods_style_02.vim",
        "mib2c.mfd.conf",
        "https://viz.greynoise.io/ip/analysis/61bb7542-40c2-448e-87d4-947a4623eada",
        "Interesting Strings: http://schema.org/GovernmentOrganization https://support.google.com/chrome/?p=plugin_java https://crbug.com/593166",
        "https://severeporn-com.pornproxy.page/",
        "java_generics_02.dump",
        "java_method_references_08.dump",
        "sml.vim",
        "MTLIntersectionFunctionTable.h",
        "MTLIOCompressor.h",
        "java_methods_indent2_signature_01.vim",
        "ppd.vim",
        "forth.vim",
        "asm.vim",
        "java_annotations_02.dump",
        "cancel-current-job.test",
        "IDS Detections: Win32/Tofsee.AX google.com connectivity check HTTP Request with Lowercase host Header Observed External IP Lookup ip-api.com",
        "sqlinformix.vim",
        "http://www.mobiset.ru/photos/2011/march/15/samsung_s3850/img_9.jpg",
        "java_method_references_02.dump",
        "hp.h",
        "sdc.vim",
        "tutor",
        "mini_portile_cmake.rb",
        "biosig",
        "sqlite3.c",
        "acorn",
        "ondir.vim",
        "rcslog.vim",
        "Alerts: network_icmp modifies_proxy_wpad network_http suspicious_tld allocates_rwx creates_exe antivm_network_adapters checks_debugger",
        "password-recovery-tools-2012-professional-trial.exe",
        "dictdconf.vim",
        "printer-jobs-header.tmpl",
        "MTLLogState.h",
        "jsp.vim",
        "java_numbers_05.dump",
        "raml.vim",
        "groovy.vim",
        "VZLinuxRosettaUnixSocketCachingOptions.h",
        "yoursexy.porn | indianyouporn.com",
        "Persistent C2 Orchestration: This ELF:Agent-VW variant serves as a critical GoBrut node, utilizing XOR 0x20 obfuscation and ICMP/HTTP beaconing to maintain a persistent link across 1,834 domains and 797 unique IPs",
        "tag_lookup.c",
        "VZSocketDevice.h",
        "MTLSampler.h",
        "asmh8300.vim",
        "87.98.231.87 - IDS Detections: MalDoc Request for Payload, Unsupported/Fake Windows NT Version 5.0",
        "setup.rb",
        "Mac-42FD25EABCABB274.plist",
        "java_method_references_signature_05.dump",
        "snnsnet.vim",
        "VZFileHandleSerialPortAttachment.h",
        "mib2c.column_enums.conf",
        "java_methods_indent8_00.dump",
        "MTLArgumentEncoder.h",
        "gemtext.vim",
        "a65.vim",
        "libao.vim",
        "qbot.zip",
        "odin.vim",
        "html4_document.c",
        "statement.h",
        "json.vim",
        "cheetah.vim",
        "Ruby.tbd",
        "java_lambda_expressions_signature_03.dump",
        "dracula.vim",
        "Targets Apple iPad /iOS | www.amazon.com/ref=ap_frn_logo [embedded] | www.amazon.com  ns1.amzndns.co.uk , ns1.amzndns.com",
        "sdl.vim",
        "mib2c.check_values.conf",
        "MTLTypes.h",
        "gnat.vim",
        "chaskell.vim",
        "citrus",
        "pod.vim",
        "rustfmt.vim",
        "java_switch_05.dump",
        "proxy.xml",
        "xhtml11.vim",
        "mgl.vim",
        "tokenizer.h",
        "spice.vim",
        "java_methods_indent8_01.dump",
        "choose-device.tmpl",
        "docbksgml.vim",
        "printer-stop.tmpl",
        "weconnect.com",
        "java_escapes_05.dump",
        "VZVirtualMachineView.h",
        "context-data-tex.vim",
        "com.apple.fontd.internal.sb",
        "option-trailer.tmpl",
        "sd.vim",
        "adacomplete.vim",
        "java_methods_style_04.dump",
        "VZEntropyDeviceConfiguration.h",
        "upstreamrpt.vim",
        "VTHDRPerFrameMetadataGenerationSession.h",
        "https://www.virustotal.com/gui/collection/29a886e3e9eed3e8185f260116f9b036abf042022e9a9b5b1b311f92be705122/iocs",
        "java_method_references_signature_02.dump",
        "java_method_references_01.dump",
        "https://test2.ditproducts.com/dat/wannacry1.html",
        "solidity.vim",
        "grub.vim",
        "Tulach: 114.114.114.114",
        "VZVirtioConsoleDeviceConfiguration.h",
        "ipp-2.1.test",
        "typst.vim",
        "abel.vim",
        "mib.vim",
        "java_method_references_signature_06.dump",
        "class-added.tmpl",
        "flexwiki.vim",
        "java_enfoldment_01.dump",
        "RstFold.vim",
        "print-job-gzip.test",
        "VZPointingDeviceConfiguration.h",
        "unicode.vim",
        "cpp.vim",
        "jinja.vim",
        "krl.vim",
        "SharedWithYouCore.h",
        "https://twitter.com/PORNO_SEXYBABES",
        "java_module_info_02.dump",
        "xml_document_fragment.c",
        "testprint",
        "jargon.vim",
        "vim_ex_echo.vim",
        "get-ppd.test",
        "VZDirectoryShare.h",
        "CFODQuery.h",
        "java_methods_indent2_signature_04.vim",
        "java_methods_indent4_signature_02.vim",
        "SWCollaborationShareOptions.h",
        "b.vim",
        "liquid.vim",
        "AuraService-fda-test",
        "High Priority Alerts: dead_host network_icmp nolookup_communication persistence_autorun bypass_firewall",
        "MTLDrawable.h",
        "SharedWithYouCore.tbd",
        "java_comments_markdown_05.dump",
        "vimm",
        "tutor.da.utf-8",
        "java_methods_indent2_04.dump",
        "modula2_pim_02.dump",
        "util.h",
        "sysctl.vim",
        "mib2c.genhtml.conf",
        "Apple -dns1.registrar-servers.com | emails.redvue.com | icloud-appleidsuport.com",
        "debversions.vim",
        "vim_ex_function_def_tail_comment_errors.vim",
        "samba.vim",
        "named.vim",
        "java_generics_signature_01.dump",
        "sqlcomplete.vim",
        "html40f.vim",
        "edit-config.tmpl",
        "https://www.hybrid-analysis.com/sample/1843e6de2e062031e54642a10f4582884a2a9e5d97092f7221c35e9fa9b92cc7/665173a88bb19689e2005033",
        "get-job-attributes.test",
        "java_methods_indent4_01.vim",
        "initng.vim",
        "java_escapes_01.dump",
        "https://apps.apple.com/us/app/gambinos-pizza/id1500338496 \u2022 apps.apple.com",
        "VZSingleDirectoryShare.h",
        "xhtml10s.vim",
        "cterm.vim",
        "vim_ex_def_nested.vim",
        "racket.vim",
        "com.apple.corespotlightservice.sb",
        "jobs.tmpl",
        "htmlm4.vim",
        "sqlforms.vim",
        "aflex.vim",
        "Domains Contacted: simplesausages.cx.cc adobe.com",
        "vdf.vim",
        "elmfilt.vim",
        "btm.vim",
        "taskdata.vim",
        "VZAudioInputStreamSource.h",
        "Mac-7DF21CB3ED6977E5.plist",
        "sshdconfig.vim",
        "java_methods_indent8_signature_03.vim",
        "java_previews_430.java",
        "vim_ex_command_00.dump",
        "https://www.virustotal.com/gui/collection/ac812ebcb5d5570815876327bf29ef2c67015269d1e0bf01f1cd32ab2c23843c",
        "Make_all.mak",
        "opam.vim",
        "attribute.h",
        "sudoers.vim",
        "Some items found relates to research exploited against or researched by target: disabled_duck",
        "menu.vim",
        "sample.drv",
        "java_annotations.java",
        "mojo.vim",
        "quicklook-satellite-general.sb",
        "aspvbs.vim",
        "java_methods_indent8_signature_04.vim",
        "less.vim",
        "https://otx.alienvault.com/indicator/file/03f92e83f56ad2d687ee2fb7ab21b7fea0bebc1abc82d387a52510b61506e68f",
        "java_previews_430_00.dump",
        "ocaml.vim",
        "3.33.152.147 - ALF:HSTR:Trojan:Win32/StartPage.ZS!bit ,  ALF:HeraklezEval:PUA:Win32/InstallCore.R ,  ALF:HeraklezEval:Ransom:Win32/Tescrypt!rfn",
        "modify-printer.tmpl",
        "xml_sax_parser_context.c",
        "vim_ex_function_nested.vim",
        "sqlite3_ruby.h",
        "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
        "indoff.vim",
        "https://otx.alienvault.com/indicator/url/http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel",
        "mib2c.int_watch.conf",
        "By operating through WhoisGuard-protected infrastructure and exploiting XOR 0x20 obfuscation, the adversary effectively suppresses telemetry into skim space, successfully bypassing DMARC and Microsoft-integrated trust-chain validation.",
        "plm.vim",
        "get-notifications.test",
        "modula2_pim_01.dump",
        "mib2c.check_values_local.conf",
        "error.c",
        "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
        "dirpager.vim",
        "bluetoothd.sb",
        "SCRecordingOutput.h",
        "msql.vim",
        "MTLIOCommandBuffer.h",
        "def.vim",
        "java_contextual_keywords_01.dump",
        "skill.vim",
        "xml_node_set.c",
        "https://otx.alienvault.com/pulse/652214c652025febf66cde33",
        "ctrlh.vim",
        "progress.vim",
        "mve.awk",
        "mdworker-mail.sb",
        "https://www.virustotal.com/gui/collection/f890b10e639770c7e6ef3eeb804ee9e7391360557aedca7b1daaee02da0f7682/summary",
        "aptconf.vim",
        "MTLFunctionLog.h",
        "sh_03.sh",
        "java_generics_04.dump",
        "blender",
        "VZUSBMassStorageDeviceConfiguration.h",
        "fontworkerinternal.sb",
        "lua.vim",
        "lace.vim",
        "smil.vim",
        "Mac-BE0E8AC46FE800CC.plist",
        "java_method_references_05.dump",
        "hog.vim",
        "java_unfoldment_01.dump",
        "smith.vim",
        "vim.vim",
        "vim_ex_sleep.vim",
        "java_method_references_09.dump",
        "java_switch_02.dump",
        "java_generics_signature_06.dump",
        "fan.vim",
        "VZGraphicsDisplay.h",
        "colortest.vim",
        "rmd.vim",
        "java_methods_indent8_04.dump",
        "csp.vim",
        "ODNode.h",
        "falcon.vim",
        "bzr.vim",
        "asterix",
        "VZVirtioFileSystemDevice.h",
        "mdflagwriter.sb",
        "protocols.vim",
        "glsl.vim",
        "modula2_iso.def",
        "vim_ex_behave.vim",
        "java_methods_style_signature_01.dump",
        "limits.vim",
        "get-ppds-product.test",
        "VTErrors.h",
        "VZStorageDevice.h",
        "omnimark.vim",
        "java_previews_455_00.dump",
        "0.0.0.0 log4shell-generic-z8lrtjkgkm4zhi6necwi.r.nessus.org",
        "www.test_ico355_subsequent_invoices.htm.com\tA NXDOMAIN",
        "metadata.json",
        "java_methods_indent4_05.dump",
        "svg.vim",
        "CFOpenDirectory.h",
        "Interesting Strings: http://www.interoperabilitybridges.com/wmp http://crbug.com/40902 http://crbug.com/516527",
        "animation",
        "java_lambda_expressions_signature_01.dump",
        "lout.vim",
        "Antivirus Detections Cryp_Xed-12 ,  Mal/Generic-S ,  Packed/Upack Yara Detections Upackv039finalDwing ,  UpackV037Dwing",
        "kscript.vim",
        "mDNSResponder.sb",
        "rbLibXMLParser.rb",
        "bzl.vim",
        "java_generics_signature_02.dump",
        "lftp.vim",
        "8th.vim",
        "gkrellmrc.vim",
        "evim.vim",
        "verilog.vim",
        "VZPlatformConfiguration.h",
        "SWCollaborationOption.h",
        "Crypt: FileHash-MD5  5dd89c5f70c95bae85d864c7baf27b20",
        "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr",
        "vim.vim.base",
        "federallegionconnbot.t.me",
        "pic.vim",
        "povini.vim",
        "http://pegasus.diskel.co.uk/",
        "netrc.vim",
        "vimspell.txt",
        "VZVirtioSocketListener.h",
        "ptcap.vim",
        "https://hybrid-analysis.com/sample/9c664935c8b82101733515e488e990d3c2db4b2594b0e427d01147e50953906e/658df4ed7644098eee08e1a4",
        "uc.vim",
        "fgl.vim",
        "resolv.vim",
        "tutor.vim",
        "algol68",
        "tutor.vi.utf-8",
        "tads.vim",
        "get-printers-printer-id.test",
        "VZMacGraphicsDisplay.h",
        "OpenAL.tbd",
        "Assurance",
        "euphoria3.vim",
        "java_methods_style_signature.java",
        "modula2_iso_04.dump",
        "LBresearcher: msudosos notes: The campaign's use of T1110.001 (Password Guessing) is specifically tuned to exhaust credentials across SSH, MySQL, and CMS backends, effectively recruiting server infrastructure into a global \"zombie\" network.",
        "tutor.nb.utf-8",
        "vim_ex_loadkeymap_after_colon.vim",
        "pegasusintel.com",
        "VZGenericMachineIdentifier.h",
        "mallard.vim",
        "VZMacMachineIdentifier.h",
        "cynlib.vim",
        "html401f.vim",
        "Crypt: 1.3.6.1",
        "VZNetworkBlockDeviceStorageDeviceAttachment.h",
        "denyhosts.vim",
        "ccomplete.vim",
        "cory@whiteskycommunications.com IP: 137.83.95.132 targets victims associates Amazon account and all devices. CnC target Network",
        "euphoria4.vim",
        "scss.vim",
        "VZXHCIControllerConfiguration.h",
        "VZMemoryBalloonDeviceConfiguration.h",
        "syncolor.vim",
        "option-header.tmpl",
        "srec.vim",
        "Prorat.19.i: https://otx.alienvault.com/indicator/file/03f92e83f56ad2d687ee2fb7ab21b7fea0bebc1abc82d387a52510b61506e68f",
        "java_annotations_signature_02.dump",
        "get-subscriptions.test",
        "Reverse DNS dnvrco-pub-iedge-vip.email.rr.com",
        "https://www.virustotal.com/gui/collection/f890b10e639770c7e6ef3eeb804ee9e7391360557aedca7b1daaee02da0f7682/iocs",
        "delmenu.vim",
        "java_switch.java",
        "Virtualization.h",
        "java_comments_html_00.dump",
        "help.vim",
        "java_methods_indent2_01.vim",
        "salt.vim",
        "java_methods_indent2_05.vim",
        "DGA Malware Mall Domains: hackingapple.com, video.import-apple.com, DGA- appledreamz.com",
        "The local environment exhibits advanced telemetry suppression within specialized skim memory regions, effectively neutralizing standard DMARC validation and Microsoft-integrated defensive protocols.",
        "Crypt_r.BDI: FileHash-SHA256 1e0449b5a573e08289ba8de12b70410abfb021f81819b462cd7659fbcb361b11",
        "watchhers.net",
        "sh_02.sh",
        "masm.vim",
        "pfmain.vim",
        "rpl.vim",
        "dropboxpayments.com",
        "sh_06.sh",
        "ipp-everywhere.test",
        "c.c",
        "java_methods_indent4_signature_06.dump",
        "CVE-2017-11882 - https://otx.alienvault.com/indicator/cve/CVE-2017-11882",
        "mib2c.create-dataset.conf",
        "File: 2373aaec6f38bb129aab12741f2d8be237e0629db1f50206bae0ebefd959815a",
        "hare.vim",
        "jess.vim",
        "MTLPixelFormat.h",
        "rcs.vim",
        "VZGraphicsDeviceConfiguration.h",
        "VZVirtioTraditionalMemoryBalloonDeviceConfiguration.h",
        "www.redtube.comyouporn.com",
        "ppwiz.vim",
        "java_methods_style_signature_01.vim",
        "java_methods_indent4_03.dump",
        "By maintaining a hollowed root posture, the sample facilitates persistent, low-signal synchronization with external cloud infrastructure while bypassing traditional heuristic trust-chain verification.",
        "MTLCounters.h",
        "sexplib.vim",
        "3.33.152.147 - High Priority IDS Detections: Worm.Win32/Chiviper.C Checkin Possible Fake AV Checkin Kazy/Kryptor/Cycbot",
        "confini.vim",
        "wapwon(.)live/category/tsara-brashears-assaulted-by-jeffrey-reimerAccept-Language",
        "dots_19",
        "vim_ex_def.vim",
        "xsd.vim",
        "https://tip.neiki.dev/file/09de67f8d3ce9a276e9665dc2e0013577b38d60b0518ffe7961bdc7f8755a52d",
        "bsdi",
        "java_methods_indent8_01.vim",
        "VTDecompressionProperties.h",
        "VZSharedDirectory.h",
        "Mac-4B682C642B45593E.plist",
        "scilab.vim",
        "job-release.tmpl",
        "norestart.tmpl",
        "chill.vim",
        "gvimrc_example.vim",
        "java_contextual_keywords_00.dump",
        "j.vim",
        "java_methods_indent4_signature_04.vim",
        "modula2_iso_06.dump",
        "IDS: Query for .su TLD (Soviet Union) Often Malware Related PE EXE or DLL Windows file download HTTP | Not Russia - Americans Masquerading",
        "updatedb.vim",
        "netrw_gitignore.vim",
        "slrnrc.vim",
        "vim_ex_comment-vim9.vim",
        "parser.c",
        "archive",
        "MTLDefines.h",
        "com.adobe.acrobat.rna.AcroCefBrowserLock.DC",
        "VZVirtioGraphicsScanoutConfiguration.h",
        "java_escapes_02.dump",
        "rpcgen.vim",
        "xml_document.c",
        "arduino.vim",
        "VZMACAddress.h",
        "tcl.vim",
        "ccfilter_README.txt",
        "printer-accept.tmpl",
        "cl.vim",
        "smcl.vim",
        "sh_11.sh",
        "autodoc.vim",
        "rst.vim",
        "debchangelog.vim",
        "modula2_pim_00.dump",
        "VZGraphicsDevice.h",
        "sass.vim",
        "diva.vim",
        "java_methods_indent4_signature_03.vim",
        "history.ie",
        "java_string_01.dump",
        "http://email.critizr.com/asm/unsubscribe/?user_id=1464008&data=anW5I3azQrbEzQ84_I2zsSfJkpp1WTl08_zW0p5h4i5oMDAwdTAwMIqknJPIfal-ld9TvXgRLVf_F",
        "udevconf.vim",
        "quicklookd-job-creation.sb",
        "tag.c",
        "obse.vim",
        "java_switch_06.dump",
        "debcontrol.vim",
        "PKPushCredentials.h",
        "progress_comments.p",
        "bdf.vim",
        "tutor.zh_tw.utf-8",
        "markdown.vim",
        "java_contextual_keywords_03.dump",
        "java_methods_indent8_signature_00.vim",
        "lynx.vim",
        "utf8.h",
        "usw2kagtlog.vim",
        "VZUSBScreenCoordinatePointingDeviceConfiguration.h",
        "https://www.virustotal.com/gui/collection/9c02b7b214c51b2fa7b6f2f38943a83ada3fff5ab9cbb9cf52e320bd702c9cd0/iocs",
        "java_methods_indent8_signature_03.dump",
        "dockerfile.vim",
        "https://www.virustotal.com/gui/collection/9c02b7b214c51b2fa7b6f2f38943a83ada3fff5ab9cbb9cf52e320bd702c9cd0/summary",
        "VZVirtioSoundDeviceConfiguration.h",
        "allegro",
        "SCContentSharingPicker.h",
        "nix.vim",
        "mib2c.notify.conf",
        "3.33.152.147 - High Priority IDS Detections: Trojan Checkin Win32.Meredrop Checkin CryptoWall Check-in Net-Worm.Win32.Koobface.jxs",
        "BTLEServer.sb",
        "vimrc_example.vim",
        "scdoc.vim",
        "java_methods_indent8_05.vim",
        "confidential",
        "VZEFIVariableStore.h",
        "perl.vim",
        "java_methods_indent2_signature_05.vim",
        "java_enfoldment.java",
        "cmusrc.vim",
        "utf8.c",
        "Below are malvertizing links featuring target and alleged assaulter",
        "http://www.my-sexcam.com/mf6w/?K48hY=mUHPm4taPKwCazx4uoqkcvO3m838TOpLC/XyTruUQEV1lwGjr5ldYJa4yIBvf0ifHE4=&sHB=DPfXxzFpo",
        "vim.desktop",
        "dots_01",
        "fish.vim",
        "tutor.bg.utf-8",
        "VZDirectorySharingDeviceConfiguration.h",
        "Mac-06F11F11946D27C5.plist",
        "aml.vim",
        "bib.vim",
        "routeros.vim",
        "Antivirus Detections: Win.Packer.pkr_ce1a-9980177-0",
        "java_comments_markdown_00.dump",
        "communications",
        "java_methods_indent4_signature_01.dump",
        "haredoc.vim",
        "modula2_pim_05.dump",
        "Mac-FFE5EF870D7BA81A.plist",
        "faq.rb",
        "lhaskell.vim",
        "mysql.vim",
        "bflt",
        "hastepreproc.vim",
        "msidl.vim",
        "tcsh.vim",
        "MTLBlitCommandEncoder.h",
        "tutor.ru.utf-8",
        "https://www.hallrender.com/wp-content/uploads/2016/02/Denver-150x150.jpg \u2022 https://www.hallrender.com/xmlrpc.php?rsd",
        "class-jobs-header.tmpl",
        "Found in: https://jbplegal.com",
        "make.vim",
        "java_generics_06.dump",
        "ftoff.vim",
        "mswin.vim",
        "ASN AS13335 cloudflare DNS Resolutions",
        "tak.vim",
        "xml_schema.c",
        "icemenu.vim",
        "mwilliams.dev@gmail.com | piratepages.com",
        "clean.vim",
        "swift.vim",
        "get-ppds-language.test",
        "amigaos",
        "Win32/Tofsee.AX - https://otx.alienvault.com/indicator/file/47565f3a809e997530e8b0d1602a39cb9cc3dd9e1361db2f9dd5891dfd444383",
        "gdb.vim",
        "MTLResource.h",
        "java_methods_indent4_02.vim",
        "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [how could this be in everything!?]",
        "Mac-DB15BD556843C820.plist",
        "dircolors.vim",
        "alsaconf.vim",
        "sh_07.sh",
        "*WEBSITE.WS Your Internet Address For Life",
        "vim9_expr.vim",
        "https://www. pornhub .com /video/ search?search=tsara+brashears",
        "java_enfoldment_02.dump",
        "java_method_references_07.dump",
        "vim9_ex_function_def_tail_comments.vim",
        "dots_15",
        "hercules.vim",
        "ber",
        "24-70mm.camera",
        "swig.vim",
        "gdshader.vim",
        "java_annotations_signature_04.dump",
        "M9 W32/Emotet CnC Checkin M3",
        "www.anyxxxtube.net",
        "Antivirus Detections: ALF:HeraklezEval:Rogue:Win32/FakeRean",
        "java_switch_04.dump",
        "mib2c.old-api.conf",
        "mrxvtrc.vim",
        "rtf.vim",
        "systemverilog.vim",
        "SWCollaborationMetadata.h",
        "tutor.pt.utf-8",
        "vim_ex_no_comment_strings.vim",
        "Verification failure observed in automated verification handlers during sandbox replay.",
        "VideoToolbox.apinotes",
        "SCANID: S-4jjwyMrjTU0",
        "token_type.h",
        "sl.vim",
        "vim_ex_menu.vim",
        "java_methods_style_signature_03.dump",
        "framescript.vim",
        "cvmsServer.sb",
        "usserverlog.vim",
        "java_methods_indent2_00.dump",
        "xml.rb",
        "java_comments_html_06.dump",
        "inform.vim",
        "https://www.virustotal.com/gui/url/9bd3f99373b39e31fc935f62744c14e595df92c3f388753b507a395112f2dbda/summary",
        "VZBridgedNetworkInterface.h",
        "squid.vim",
        "bindzone.vim",
        "vim_shebang.vim",
        "test-page.tmpl",
        "java_methods_style_signature_00.vim",
        "mib2c.container.conf",
        "https://www.virustotal.com/gui/collection/ac812ebcb5d5570815876327bf29ef2c67015269d1e0bf01f1cd32ab2c23843c/iocs",
        "SCScreenshotManager.h",
        "kix.vim",
        "arch.vim",
        "dots_11",
        "rego.vim",
        "logtalk.vim",
        "VZVirtioConsoleDevice.h",
        "ftp-proxy.sb",
        "device-local-bf56eb52-6fc6-435b-aadb-9fa1dd89702c.remotewd.com | remotewd.com | 192.168.56.108",
        "mib2c.column_defines.conf",
        "deb822sources.vim",
        "java_methods_indent4_02.dump",
        "mplayerconf.vim",
        "get-ppds-make.test",
        "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
        "gtkrc.vim",
        "java_method_references_04.dump",
        "MTLStageInputOutputDescriptor.h",
        "jgraph.vim",
        "mib2c.array-user.conf",
        "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
        "html40s.vim",
        "java_methods_indent4_00.dump",
        "rc.vim",
        "dylan.vim",
        "java_lambda_expressions_04.dump",
        "rbCFPropertyList.rb",
        "spec.vim",
        "tasm.vim",
        "VZBootLoader.h",
        "webdav_agent.sb",
        "prolog.vim",
        "choose-make.tmpl",
        "module.modulemap",
        "VZVirtioConsoleDeviceSerialPortConfiguration.h",
        "http://alive.overit.com/~schoolbu/badmood3.exe",
        "README.txt",
        "splint.vim",
        "cabalconfig.vim",
        "VZMacGraphicsDisplayConfiguration.h",
        "3.33.152.147 - Antivirus Detections:  ALF:HeraklezEval:Trojan:Win32/Startpage!rfn ,  ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47",
        "xml_relax_ng.c",
        "MTLFunctionConstantValues.h",
        "VZNetworkDeviceConfiguration.h",
        "com.apple.bootinstalld.sb",
        "add-class.tmpl",
        "ntp_opendirectory.conf",
        "PushKit.h",
        "automake.vim",
        "avra.vim",
        "Telegram | Indicator: Query for .su TLD (Soviet Union) Often Malware Related PE EXE or DLL Windows file download HTTP",
        "3.33.152.147 - Antivirus Detections:  ALF:HeraklezEval:Trojan:Win32/SpyNoon!rfn ,",
        "debcopyright.vim",
        "T1110.001 (Brute Force: Password Guessing)",
        "IDS Detections: Possible Kelihos Infection Executable Download With Malformed Header",
        "tags.vim",
        "mailaliases.vim",
        "mve.txt",
        "https://www.filescan.io/uploads/67df8585fae452b82c2115b7/reports/65f03ad1-b5bc-41a8-ae82-21970a18efcb/ioc",
        "java_annotations_03.dump",
        "csc.vim",
        "modula2_iso_05.dump",
        "r.vim",
        "WHOIS data anchors administrative and technical operations for prioritywirreles.com in Los Angeles, CA (90064) via Namecheap infrastructure. Following its 2020 expiration, the domain has transitioned into redemptionPeriod/pendingDelete status, signaling the formal decommissioning of this C2 asset.",
        "upstart.vim",
        "MTLDeviceCertification.h",
        "PushKit.apinotes",
        "sensors.vim",
        "dots_18",
        "SCANID: S-yIBIO4Ib0l4",
        "Whitelisted IP Address 204.79.197.212 Location  United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. ,  ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc.,   Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 ,  5943 ,  80211 ,  #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf ,  The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
        "CFOpenDirectoryConstants.h",
        "chaiscript.vim",
        "Alerts: infostealer_cookies persistence_autorun recon_programs recon_fingerprint removes_zoneid_ads anomalous_deletefile",
        "sendpr.vim",
        "fpcmake.vim",
        "vim_expr.vim",
        "html_04.dump",
        "rbCFTypes.rb",
        "tap.vim",
        "pbtxt.vim",
        "xml_element_decl.c",
        "https://hallrender.com/attorney/brian-sabey",
        "java_methods_indent8_02.dump",
        "d.vim",
        "Researcher msudosos suggests the VirusTotal (Tencent HABO) behavior report may indicate a potential execution path from volatile storage at /tmp/EB93A6/996E.elf.",
        "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
        "grads.vim",
        "services.vim",
        "com.apple.fontd.support.sb",
        "MTLRasterizationRate.h",
        "vim_ex_function_fold.vim",
        "classes.tmpl",
        "openvpn.vim",
        "targeting.unrulymedia.com \u2022 http://theteenhealthdoc.com",
        "redif.vim",
        "mmix.vim",
        "netrw.vim",
        "opl.vim",
        "set-attrs-hold.test",
        "rubycomplete.vim",
        "job-cancel.tmpl",
        "pov.vim",
        "IDS Detections: Trojan Internet Connectivity Check TrojanDownloader.Win32/Karagany.H checkin 2",
        "0qMrDxlbqY9THmtdz56XQ2fTe-p9H49lftTmBXmn1WY9Z16q1vJdZdjO5Wnq_Pn3gEAAP__hu8yPQ",
        "class-modified.tmpl",
        "postscr.vim",
        "lsl.vim",
        "Interesting Strings: http://service.real.com/realplayer/security/02062012_player/en/",
        "java_methods_indent8.java",
        "arm64e-apple-ios-macabi.swiftinterface",
        "appleid-support.com  apple-access.com appleid-support.com   demo171.apple.com apple.k8s.joewa.com w-t-blu-371ac852.cloudapp.net",
        "vim_ex_comment_strings.vim",
        "get-job-template-attributes.test",
        "charset.pivot",
        "MTLHeap.h",
        "com.apple.spotlightknowledged.importer.sb",
        "VZUSBMassStorageDevice.h",
        "admin.tmpl",
        "VZVirtioSoundDeviceStreamConfiguration.h",
        "phtml.vim",
        "P\u2019s Contacted:  93.184.221.240  3.33.130.190 |  Domains Contacted: counterslocal.com",
        "MTLTexture.h",
        "tutor.bar.utf-8",
        "xml_entity_decl.c",
        "analytics.x.com",
        "xml_sax_parser.c",
        "VZVirtioSoundDeviceInputStreamConfiguration.h",
        "wifivelocityd.sb",
        "papp.vim",
        "animate-citadel-t3gbc9x3gzd7invrzh8w00zm.herokudns.com",
        "privoxy.vim",
        "applix",
        "https://support.google.com/chrome/?p=plugin_quicktime https://chrome.google.com/",
        "ipfilter.vim",
        "http://secure.indianpornpass.com/track/hotpornstuff",
        "class-deleted.tmpl",
        "sather.vim",
        "VTPixelTransferProperties.h",
        "clarion",
        "printer-added.tmpl",
        "java_methods_indent4_04.vim",
        "gumbo.h",
        "http://45.159.189.105/bot/regex",
        "java_methods_indent8_signature_06.vim",
        "classified",
        "choose-model.tmpl",
        "A53749AF-3855-4842-A1E7-4AEFA60BD2AC",
        "lifelines.vim",
        "fontmoverinternal.sb",
        "dtd.vim",
        "valgrind.vim",
        "sh_08_02.dump",
        "tokenizer_states.h",
        "help-header.tmpl",
        "quarto.vim",
        "standard",
        "chicken.vim",
        "vim_new.vim",
        "hostconf.vim",
        "PushKit.tbd",
        "Crypt_r.BCM: FileHash-SHA256 cc83b186700b21e5c4cae",
        "Researcher msudosos: This activity appears to facilitate a preliminary reconnaissance phase, possibly utilizing system commands to query /proc/cpuinfo and /proc/version for architectural profiling purposes.",
        "ccfilter.c",
        "html_07.dump",
        "java_lambda_expressions_07.dump",
        "java_previews_455_03.dump",
        "wfs.sb",
        "aidl.vim",
        "dnvrco-pub-iedge-vip.email.rr.com \tspectrum.com Denver, Colorado USA",
        "contextcomplete.vim",
        "MTLAccelerationStructureTypes.h",
        "gvpr.vim",
        "java_methods_indent2_05.dump",
        "cdn.pornsocket.com",
        "dcd.vim",
        "cdrdaoconf.vim",
        "blank.vim",
        "cvsrc.vim",
        "version.rb",
        "option-conflict.tmpl",
        "IDS Detections: W32/Zbot.Variant Fake MSIE 6.0 UA FormBook CnC Checkin (GET) FormBook CnC Checkin (GET) FormBook CnC Checkin (GET)",
        "svg_attrs.c",
        "sh_05.sh",
        "VZVirtioGraphicsScanout.h",
        "apache.vim",
        "label.h",
        "users.tmpl",
        "MTLRenderPipeline.h",
        "com.apple.softwareupdate_firstrun_tasks.sb",
        "html4_entity_lookup.c",
        "MTLComputePipeline.h",
        "nanorc.vim",
        "mf.vim",
        "https://otx.alienvault.com/indicator/url/http:%2F%2Fpixelrz.com%2Flists%2Fkeywords%2F%2520dr-jeffrey-reimer-dpt-funds-tsara-brashears%2F",
        "alut.h",
        "https://hybrid-analysis.com/sample/a6b9deae18604003aa3963d5d83775f5c66bfbe93ea4608fe8a69e6af3722f45/67df874be4fc8d105e0230d1",
        "vim_ex_syntax.vim",
        "adventure",
        "crm.vim",
        "msmessages.vim",
        "he.vim",
        "kotlin.vim",
        "VZMacGraphicsDeviceConfiguration.h",
        "VZVirtioFileSystemDeviceConfiguration.h",
        "VTMultiPassStorage.h",
        "scala.vim",
        "upstreamlog.vim",
        "cucumber.vim",
        "get-printer-description-attributes.test",
        "192.96.223.11 - sectorlink.com",
        "vim_ex_abbreviate_01.dump",
        "get-ppds-psversion.test",
        "Crypt3.COYL FileHash - SHA256 cb536e2e5eb3b23a74702f80832ab964e7dfe07763300437b5ba581f464a108e",
        "VTUtilities.h",
        "sh_10.sh",
        "ns2.abovedomains.com",
        "gss-acceptor.sb",
        "modsim3.vim",
        "ETPRO TROJAN Trojan/Win32.Zbot Covert Channel 2 port 53\t192.168.56.103\t85.17.142.7\t 2807561\tETPRO TROJAN Trojan/Win32.Zbot Covert Channel 2 port 53\t192.168.56.103\t85.17.142.7\t\t\t\t 2807561\tETPRO TROJAN Trojan/Win32.Zbot Covert Channel 2 port 53\t192.168.56.103\t95.169.186.\t\t 2807561\tETPRO TROJAN Trojan/Win32.Zbot Covert Channel 2 port 53\t192.168.56.103\t95.169.186.63",
        "passwd.vim",
        "Crypt: FileHash-SHA1 d8b665ef01e3f9feaa746833cddadf3bf29f72d1",
        "MTLFence.h",
        "html.html",
        "tutor.sk.utf-8",
        "vim_ex_highlight.vim",
        "strace.vim",
        "sh_01.sh",
        "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
        "sisu.vim",
        "swiftgyb.vim",
        "VZUSBKeyboardConfiguration.h",
        "pymanifest.vim",
        "VZVirtioBlockDeviceConfiguration.h",
        "acedb.vim",
        "fax-job.test",
        "mupad.vim",
        "VZMacKeyboardConfiguration.h",
        "Trojan/Win32.Zbot Covert Channel 2 port 53\t192.168.56.10",
        "kdl.vim",
        "get-printer-attributes.test",
        "xml_comment.c",
        "command.tmpl",
        "lss.vim",
        "Yara Detections: ryuk_1007_fx2_12_multi_for_crypt_x86 ,  dbgdetect_files",
        "java_string.java",
        "javascript.vim",
        "fortran.vim",
        "diff.vim",
        "VZVirtualMachineDelegate.h",
        "MTLBuffer.h",
        "bc.vim",
        "source-6.youporn.express | source-6.sexpornsource.com\t hostname\tsource-3.xxxporn.club | source-2.pornhubs.best | source-2.freepornxo.com",
        "gitconfig.vim",
        "dylanlid.vim",
        "html401s.vim",
        "takcmp.vim",
        "aes",
        "kdc.sb",
        "c64",
        "vim_ex_function_nested_fold.vim",
        "tutor.no.utf-8",
        "ratpoison.vim",
        "tt2.vim",
        "java_methods_indent2_02.vim",
        "java_unfoldment_02.dump",
        "Mac-EE2EBD4B90B839A8.plist",
        "MTLRenderPass.h",
        "apl",
        "markdown_conceal_00.dump",
        "foxpro.vim",
        "sql.vim",
        "java_contextual_keywords.java",
        "java_methods_indent4_signature_02.dump",
        "test_global_handlers.c",
        "ld.vim",
        "java_methods_indent8_signature_06.dump",
        "VZUSBDevice.h",
        "java_methods_indent8_03.vim",
        "java_methods_indent4_signature_05.vim",
        "netrwFileHandlers.vim",
        "vmasm.vim",
        "upstreaminstalllog.vim",
        "MTLCaptureScope.h",
        "vb.vim",
        "unison.vim",
        "html_08.dump",
        "java_escapes_03.dump",
        "hamster.vim",
        "context-data-interfaces.vim",
        "ahdl.vim",
        "dune.vim",
        "jal.vim",
        "debsources.vim",
        "exception.h",
        "mailcap.vim",
        "https://sexgalaxy.net/tag/rodneymoore/",
        "vim9_shebang.vim",
        "config.vim",
        "filetype.vim",
        "VZMacOSRestoreImage.h",
        "edif.vim",
        "ch.vim",
        "java_lambda_expressions_00.dump",
        "gitsendemail.vim",
        "string_piece.c",
        "paste.vim",
        "https://viz.greynoise.io/ip/analysis/7e527b44-c950-4c01-bb33-d96",
        "SWStartCollaborationAction.h",
        "ScriptingBridge.h",
        "VZMacPlatformConfiguration.h",
        "statement.c",
        "muttrc.vim",
        "https://www.songculture.com/tsara-lynn-brashears-music",
        "clipper.vim",
        "3.33.152.147 - High Priority IDS Detections: Checkin Virut Counter/Check-in Backdoor.Win32.Polybot.A Checkin 3 Koobface HTTP Request (2) Win32.Sality-GR Checkin",
        "rapid.vim",
        "java_numbers_04.dump",
        "Domains Contacted: you.no-ip.com smtp.secureserver.net www.icq.com www.yoursite.com gmali.com",
        "pamenv.vim",
        "tutor.it.utf-8",
        "com.apple.msrpc.srvsvc.sb",
        "ora.vim",
        "com.apple.softwareupdated.sb",
        "VZSerialPortConfiguration.h",
        "https://m.youtube.com/watch?v=GyuMozsVyYs | Sabey angry over music expression that's never named assaulter",
        "printer-cancel-jobs.tmpl",
        "vim9_ex_commands.vim",
        "cfpropertylist.rb",
        "dnscache2b.cdptpa dnvrco-oms2ims-mta-svip-01.email dnvrco-queue04-ac.email dnvrco-ring-a62.email dnvrco-smss-f01-ac.email dnvrco-west-dhcpw-02.",
        "vim_ex_map.vim",
        "www.gambinospizza.com",
        "xtab",
        "datascript.vim",
        "goaccess.vim",
        "ww16.porn-community.porn25.com",
        "pilrc.vim",
        "php.vim",
        "haskellcomplete.vim",
        "sindaout.vim",
        "remind.vim",
        "VZMacAuxiliaryStorage.h",
        "https://cyber-fortress.com/docs/result/index.php?id=67c6bb9cc8d04e92a4bed8fc",
        "radiance.vim",
        "java_annotations_signature_00.dump",
        "https://pornbitter.com/storage/jeffrey-reimer-puts-his-love-on-top-tsara-brashears/",
        "dots_20",
        "java_string_05.dump",
        "convex",
        "The domain prioritywirreles.com (registered via NAMECHEAP INC) shows a 4/93 detection ratio, confirming it is a live but \"low-noise\" C2 node used to avoid broad-spectrum blacklisting",
        "sh.vim",
        "modula2_pim_04.dump",
        "gift.vim",
        "eruby.vim",
        "java_methods_indent8_signature_05.vim",
        "MTLResidencySet.h",
        "Mac-473D31EABEB93F9B.plist",
        "xml_reader.c",
        "job-moved.tmpl",
        "tutor.utf-8",
        "kcm.sb",
        "java_methods_indent8_signature_01.dump",
        "snnspat.vim",
        "vim_ex_command.vim",
        "PKPushPayload.h",
        "java_methods_style_00.vim",
        "VZDiskSynchronizationMode.h",
        "VTCompressionProperties.h",
        "MTLVertexDescriptor.h",
        "mapper.dir",
        "icloud-appleidsuport.com | appleid.com | apple.com | apple-dns.net",
        "print-job.test",
        "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
        "awdd.sb",
        "apple.types",
        "com.apple.smbd.sb",
        "modula2_pim.def",
        "list-available-printers.tmpl",
        "change.vim",
        "java_method_references_03.dump",
        "cuplsim.vim",
        "sqlite3.rb",
        "VZKeyboardConfiguration.h",
        "ntp.conf",
        "clojure.vim",
        "asciidoc.vim",
        "java_generics_signature_03.dump",
        "Obfuscation: XOR-based String Encryption (0x20)",
        "java_comments_html_01.dump",
        "IDS Detections: Observed External IP Lookup ip-api.com",
        "java_escapes.java",
        "java_switch_01.dump",
        "VTRAWProcessingSession.h",
        "tutor.zh_cn.utf-8",
        "Mac-B809C3757DA9BB8D.plist",
        "java_methods_indent8_signature_02.dump",
        "CFODSession.h",
        "ruby.vim",
        "java_methods_style_01.dump",
        "java_methods_indent8_06.dump",
        "PEXE - DOS executable (COM)",
        "SBElementArray.h",
        "efm_filter.txt",
        "java_methods_indent8_signature_05.dump",
        "network_http suspicious_tld allocates_rwx antivm_disk_size creates_exe creates_service suspicious_process stealth_window packer_entropy uses_windows_utilities console_output pe_features",
        "systemd.vim",
        "java_generics_07.dump",
        "VZDefines.h",
        "bugreport.vim",
        "VZStorageDeviceConfiguration.h",
        "screen.vim",
        "fstab.vim",
        "java_methods_indent2_signature_01.dump",
        "VZVirtioSocketDeviceConfiguration.h",
        "mp.vim",
        "VZVirtualMachineStartOptions.h",
        "autoit.vim",
        "mail.vim",
        "LBresearcher: msudosos notes: By exploiting Root Certificate Validation Failures, the StealthWorker (GoBrut) agent ensures that its 32-bit ELF binaries bypass the automated reputation checks enforced by major cloud providers.",
        "search.tmpl",
        "amiga.vim",
        "The environment leverages prioritywirreles.com as a high-fidelity DGA-derived C2 node, utilizing its historical resolution to Russian-hosted IP space (194.61.24.231) to maintain persistent Stealthworker botnet synchronization.",
        "topsecret",
        "slpspi.vim",
        "Mac-2BD1B31983FE1663.plist",
        "cddb",
        "dylanintr.vim",
        "bitbake.vim",
        "VZXHCIController.h",
        "dots_04",
        "java_method_references_signature_07.dump",
        "com.apple.msrpc.lsarpc.sb",
        "vim_ex_comment.vim",
        "Crypt_r.BCM: FileHash-SHA256 1e0449b5a573e08289ba8de12b70410abfb021f81819b462cd7659fbcb361b11",
        "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
        "ODQuery.h",
        "lilo.vim",
        "slpreg.vim",
        "syntax.vim",
        "rng.vim",
        "LBresearcher: msudosos notes: The threat actor maintains operational longevity by rotating through WhoisGuard-protected nodes like prioritywirreles.com, which historically resolved to Russian-hosted IP space (194.61.24.231) to obfuscate its origin.",
        "dots_17",
        "elinks.vim",
        "bytecode",
        "java_methods_indent2_signature_04.dump",
        "vim9_ex_comment_strings.vim",
        "VTDecompressionSession.h",
        "Interesting Strings: https://support.google.com/chrome/?p=plugin_pdf",
        "java_previews_455_02.dump",
        "Project Endgame - pegausintel.com - Unsure if related to NSO Group",
        "java.vim",
        "pythoncomplete.vim",
        "VZFileHandleNetworkDeviceAttachment.h",
        "com.apple.genatsdb.internal.sb",
        "nokogiri.rb",
        "html_05.dump",
        "pop-os_files_md5s.csv",
        "ascii.c",
        "OpenDirectory.tbd",
        "exports.vim",
        "unclassified",
        "VZVirtioConsolePortArray.h",
        "cad",
        "gprof.vim",
        "tsv.vim",
        "https://www.hallrender.com/attorney/brian-sabey/ \u2022 www.hallrender.com \u2022 https://www.hallrender.com/wp-json/oembed/1.0/embed?url=https://www.hallrender.com/attorney/brian-sabey/&",
        "html40t.vim",
        "SCANID: S-0LxiGnOve0Q",
        "xml_xpath_context.c",
        "get-jobs.test",
        "htmldjango.vim",
        "mib2c.iterate.conf",
        "java_methods_indent2_signature_05.dump",
        "rhelp.vim",
        "syntaxcomplete.vim",
        "maple.vim",
        "ldif.vim",
        "com.apple.xscertd-helper.sb",
        "MTLAllocation.h",
        "asterisk.vim",
        "PKDefines.h",
        "IDS: Prorat.19.i Checkin | DYNAMIC_DNS Query to a Suspicious no-ip Domain | CP Email Send via HTTP - Often Trojan Install Reports",
        "java_method_references_signature.java",
        "java_methods_style_signature_00.dump",
        "MTLFunctionHandle.h",
        "mib2c.access_functions.conf",
        "VTSession.h",
        "gitignore.vim",
        "java_methods_indent2_00.vim",
        "java_methods_indent8_05.dump",
        "dts.vim",
        "libvDSP.tbd",
        "SCShareableContent.h",
        "class.tmpl",
        "This technique allows the GoBrut/StealthWorker agent to circumvent automated revocation checks, enabling its decentralized C2 infrastructure to recruit Linux hosts via high-velocity credential exhaustion.",
        "CFODContext.h",
        "git.vim",
        "virata.vim",
        "VZMacOSVirtualMachineStartOptions.h",
        "idlang.vim",
        "vector.h",
        "modula2_r10_00.dump",
        "java_methods_indent4_04.dump",
        "dots_14",
        "sed.vim",
        "java_numbers_00.dump",
        "htmlos.vim",
        "mdworker.sb",
        "java_methods_indent2_02.dump",
        "rbBinaryCFPropertyList.rb",
        "poefilter.vim",
        "vim_variables.vim",
        "emoji_list.vim",
        "java_comments_markdown_07.dump",
        "java_methods_indent8_signature_01.vim",
        "cupl.vim",
        "haskell.vim",
        "man.vim",
        "print-job-deflate.test",
        "chuck.vim",
        "watool.sb",
        "OpenAL.h",
        "VZVirtualMachineConfiguration.h",
        "compromised_site_redirector_fromcharcode fromCharCode",
        "backup.h",
        "MTLDepthStencil.h",
        "qf.vim",
        "error-op.tmpl",
        "murphi.vim",
        "html_03.dump",
        "MTLBinaryArchive.h",
        "btsnoop",
        "kadmind.sb",
        "latte.vim",
        "CFOpenDirectory.tbd",
        "fvwm2m4.vim",
        "com.apple.usbd.sb",
        "sqlanywhere.vim",
        "modula2_r10.def",
        "simula.vim",
        "ftplugof.vim",
        "SCStream.h",
        "java_methods_indent2_03.vim",
        "sgmldecl.vim",
        "dosini.vim",
        "raku.vim",
        "julia.vim",
        "default.plist",
        "3.33.152.147: Trojan:Win32/Dursg.K | Verdict External> IP Lookup Service Classification Cloud provider Reverse DNS a4ec4c6ea1c92e2e6.awsglobalaccelerator.com",
        "https://archive.ph/rhBxZ",
        "mib2c.iterate_access.conf",
        "scheme.vim",
        "cargo.vim",
        "java_comments_markdown_08.dump",
        "mdworker-sizing.sb",
        "xml_cdata.c",
        "http://xred.mooo.com",
        "com.apple.atsd.internal.sb",
        "com.apple.msrpc.mdssvc.sb",
        "CVE-2023-22518 | CVE-2023-4966",
        "deviceinbox.com",
        "html.vim",
        "device-local-bf56eb52-6fc6-435b-aadb-9fa1dd89702c.remotewd.com",
        "hgcommit.vim",
        "hex.vim",
        "ScriptingBridge.tbd",
        "groff.vim",
        "java_methods_indent2_signature_00.dump",
        "VZVirtioTraditionalMemoryBalloonDevice.h",
        "clipper",
        "tutor.ko",
        "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
        "arm",
        "crontab.vim",
        "https://www.anyxxxtube.net/media/favicon/apple",
        "MTLDevice.h",
        "java_lambda_expressions_01.dump",
        "MTLFunctionDescriptor.h",
        "stata.vim",
        "vim_ex_menutranslate.vim",
        "notify.conf",
        "asm68k.vim",
        "help_ru.vim",
        "docbkxml.vim",
        "java_comments_html_03.dump",
        "3.33.152.147: https://otx.alienvault.com/indicator/ip/3.33.152.147",
        "tutor.ko.utf-8",
        "apple",
        "qa.companycam.com",
        "nastran.vim",
        "sicad.vim",
        "registry-commander.exe",
        "Telegram | IP 66.235.200.146 | Indicator Possible recent Mirai infection",
        "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
        "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
        "error.h",
        "pascal.vim",
        "add-printer.tmpl",
        "markdown_conceal.vim",
        "context-data-metafun.vim",
        "java_generics_signature_05.dump",
        "x86_64-apple-ios-macabi.swiftinterface",
        "quickfix.vim",
        "https://mypornwap.fun/downloads/search/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears-tgz",
        "java_numbers.java",
        "html_00.dump",
        "Alleged CSAM  Alleged Phishing   Alleged PIIExposure",
        "cobol.vim",
        "MTLCommandBuffer.h",
        "a2ps.vim",
        "tutor.ja.utf-8",
        "java_string_03.dump",
        "backup.c",
        "VZConsoleDevice.h",
        "iss.vim",
        "https://timersys.com/wordpress-social-invitations/docs/cron-jobs/",
        "pcap.vim",
        "sqlj.vim",
        "tutor.zh.utf-8",
        "modula3.vim",
        "VTPixelRotationProperties.h",
        "abc.vim",
        "choose-serial.tmpl",
        "html4_element_description.c",
        "st.vim",
        "gdscript.vim",
        "mason.vim",
        "Researcher msudosos posits a strategic exploitation of Root Certificate Validation Failures, where the adversary leverages an expired trust chain to bypass heuristic security filters and establish persistence.",
        "java_methods_indent2_signature_03.dump",
        "tutor.pl.utf-8",
        "dots_08",
        "Win.Trojan.Tofsee-6840338-0 | https://otx.alienvault.com/indicator/domain/applehealthcare.com",
        "conf.vim",
        "VZMacOSInstaller.h",
        "gdresource.vim",
        "com.apple.xscertd.sb",
        "Mac-551B86E5744E2388.plist",
        "Mac-A369DDC4E67F1C45.plist",
        "cups-create-local-printer.test",
        "slang.vim",
        "85.10.215.232 - Classification Datacenter / Hosting / VPS Reverse DNS dediextern.your-server.de Location: Munich,  Germany | konsoleH :: Login",
        "desc.vim",
        "VZMacGraphicsDevice.h",
        "VZVirtioConsolePortConfiguration.h",
        "quicklook-satellite.sb",
        "freebasic.vim",
        "This ELF 32-bit LSB artifact is a sophisticated GoBrut/StealthWorker agent, compiled via Golang 1.10 and stripped to obfuscate its high-velocity service-bruting logic. VirusTotal confirms a critical threat profile with 44/65 security vendors flagging the file, which leverages a unique Go BuildID (nGYES3pajdOm...) and a Telfhash (t1f303a0...) for architectural fingerprinting. The binary orchestrates decentralized Command and Control (C2) through an expansive infrastructure of 797 unique IPs and 1,834 domains",
        "bst.vim",
        "rrst.vim",
        "psl.vim",
        "vim_ex_let_heredoc.vim",
        "2html.vim",
        "hostsaccess.vim",
        "swayconfig.vim",
        "restart.tmpl",
        "java_comments_markdown.java",
        "udevrules.vim",
        "java_comments_html_07.dump",
        "plaintex.vim",
        "ODSession.h",
        "sh_11_00.dump",
        "option-pickmany.tmpl",
        "dart.vim",
        "SBApplication.h",
        "CFODRecord.h",
        "hcl.vim",
        "java_methods_style_04.vim",
        "Trojan:PDF/Owaphish.A: https://otx.alienvault.com/indicator/file/b3735b6a91f612fdb28832408fe53ee286d0d618802db2e35f0c9e1f266f8918",
        "https://iporntv.mobi/tsara-brashears.html?page=4",
        "claris",
        "https://hybrid-analysis.com/sample/e607e46da2b0d7129c9e783417619ee924be28792ce1323ed5cdfcbeb5c2c2e9/658df78b0dd01fa2970b7a7e",
        "apache",
        "eviews.vim",
        "MTLComputePass.h",
        "Stopwords.plist",
        "basis",
        "ODRecordMap.h",
        "SCANID: S-jZUP9vdJp8E",
        "basic.vim",
        "dicrc",
        "x86_64-apple-macos.swiftinterface",
        "WebKit.arm64e.bridgesupport",
        "VZVirtioSocketDevice.h",
        "cbor",
        "readline.vim",
        "xcmdsrv_client.c",
        "VZMultipleDirectoryShare.h",
        "avm",
        "java_methods_indent8_signature_02.vim",
        "VZUSBControllerConfiguration.h",
        "vim_ex_match.vim",
        "ascii.h",
        "pirateproxy.cc",
        "dosbatch.vim",
        "psf.vim",
        "cafebabe",
        "html_06.dump",
        "java_annotations_signature_01.dump",
        "java_contextual_keywords_02.dump",
        "Mac-031B6874CF7F642A.plist",
        "Pdf.Phishing.TtraffRobotInstall-7605656-0 00004feb58be42ba1bd506ea89f90c5e1d83e6e1fb84841931949a454b0bb539",
        "applegatecode.com, applehealthcare.com, nord-com.it, mail.apple-rehab.com, msa-smtp-mx1.hinet.net, https://itae-innova.com/wp-content/themes/itaeinnova/images/apple-touch-icon-114x114.png No Expiration\t0\t  Domain itae-innova.com No Expiration\t0\t  URL https://itae-innova.com/wp-content/themes/itaeinnova/images/apple-touch-icon-152x152.png, 50.205.3.1 2024-07-14T22:00:00\t0\t  Domain apple-rehab.com No Expiration\t0\t  Domain applegatecode.com",
        "synmenu.vim",
        "https://tag.1rx.io/rmp/215626/0/mvo?z=1r&hbv=8.16,2.1\ttag.1rx.io \u2022 192.208.222.110",
        "defaults.vim",
        "m4.vim",
        "hgcommitDiff.vim",
        "java_numbers_01.dump",
        "cuda.vim",
        "java_generics_05.dump",
        "attribute.c",
        "htmlcheetah.vim",
        "context-data-context.vim",
        "cmakecache.vim",
        "sm.vim",
        "mush.vim",
        "MTLComputeCommandEncoder.h",
        "calendar.vim",
        "firmlinks",
        "bash.vim",
        "decada.vim",
        "help-printable.tmpl",
        "xml_dtd.c",
        "java_method_references_signature_01.dump",
        "astro.vim",
        "java_lambda_expressions_02.dump",
        "java_generics_signature_04.dump",
        "dictconf.vim",
        "87.98.231.87 - Classification Datacenter / Hosting / VPS Reverse DNS cluster014.ovh.net Location: Spain | AVD:: TrojanDownloader:JS/Nemucod.QJ",
        "java_lambda_expressions_signature_05.dump",
        "java_comments_markdown_03.dump",
        "java_methods_indent2_signature_02.dump",
        "chatito.vim",
        "https://mediacherry.space/vn/vb/wheel/?key=eyJ0aW1lc3RhbXAiOiIxNzA0ODcwMzc2IiwiaGFzaCI6ImI5OWQ3ODQ3NTIyMDA5NTBmNmRiODY1NmUxNWY5YWMyZTc3MGExMTcifQ==&ccc=VN&ppp=PropellerAds:Popunder&tdom=www.a1000.online&zoneid=6534225&bemobdata=c=2f8cb72d-d2e6-4570-b258-aeb3acc53b24..l=6d25aa09-cccc-4797-aef4-7aa11d1e0dcb..a=0..b=0..z=0.000035..e=768844675632074752..c1=6534225..c2=7541054..c3=VN..c4=wireless..c5=viettel_mobile-vn..c6=other..c7=chrome..c8=27..c9=viettelcorporation..c10=Mozilla/5~BEMOB_DOT~0(Linux;Android10;K",
        "printer-reject.tmpl",
        "dots_13",
        "cmake.vim",
        "https://otx.alienvault.com/pulse/6570a6c41702fdce6c496a1d",
        "java_methods_indent2_signature.java",
        "baan.vim",
        "ldapconf.vim",
        "com.apple.mobileassetd.sb",
        "pf.vim",
        "java_methods_indent4_05.vim",
        "java_lambda_expressions_signature_07.dump",
        "java_enfoldment_00.dump",
        "VZBridgedNetworkDeviceAttachment.h",
        "printers-header.tmpl",
        "VZLinuxRosettaCachingOptions.h",
        "c-lang",
        "README.ru.utf-8.txt",
        "natpmpd.sb",
        "editorconfig.vim",
        "prescribe.vim",
        "https://t.me/login/36861  = GET  /login/36861 | Server: nginx/1.18.0",
        "exception.c",
        "VZLinuxRosettaDirectoryShare.h",
        "vim_keymap.vim",
        "antlr4.vim",
        "cvs.vim",
        "modula2_iso_03.dump",
        "dots_07",
        "messages.vim",
        "init.ess.apple.com | 0-courier.push.apple.com | dns1.registrar-servers.com",
        "java_comments_markdown_06.dump",
        "rnc.vim",
        "tutor.uk.utf-8",
        "java_comments_html_02.dump",
        "adi",
        "mime.types",
        "CVE-2014-0160 \u2022 CVE-2017-11882",
        "MTLAccelerationStructure.h",
        "https://play.google.com/store/apps/details?id=com.e9117073d4e0.www",
        "vim_ex_def_nested_fold.vim",
        "VZNetworkDeviceAttachment.h",
        "trailer.tmpl",
        "get-ppds-drv-only.test",
        "amanda",
        "mdworker-scan.sb",
        "font.defs",
        "typescriptcommon.vim",
        "tutor.lt.utf-8",
        "pine.vim",
        "neomuttrc.vim",
        "java_escapes_06.dump",
        "modula2.vim",
        "java_methods_indent2_01.dump",
        "lpc.vim",
        "typescript.vim",
        "VZDiskImageStorageDeviceAttachment.h",
        "Yara Detections: compromised_site_redirector_fromcharcode ,  Cabinet_Archive ,  SFX_CAB",
        "https://t.me/hermitspyware/24",
        "clojure",
        "css.vim",
        "group.vim",
        "vim_ex_loadkeymap_after_bar.vim",
        "spyce.vim",
        "https://totallyspies.1000hentai.com/tag/clover-porn/",
        "conaryrecipe.vim",
        "tutor.el.utf-8",
        "pli.vim",
        "set-printer-options-trailer.tmpl",
        "epson.h",
        "VideoToolbox.h",
        "java_lambda_expressions_signature_04.dump",
        "typeset.vim",
        "vim_ex_catch.vim",
        "xsl.vim",
        "vim_ex_set.vim",
        "atlas.vim",
        "Monitor DGA Shifts: Track new domains registered through NAMECHEAP INC using the current WhoisGuard patterns to identify the next cluster before it goes active. Analyze Telfhash Clusters: Use the Telfhash (t1f303a0...) to pivot and find if the adversary has updated to 64-bit ELF or ARM architectures. Harden DMARC: Ensure your environment moves from \"p=none\" to \"p=reject\" to mitigate the internal spoofing loops exploited by this botnet's telemetry suppression.",
        "squirrel.vim",
        "xml_attr.c",
        "django.vim",
        "jam.vim",
        "ayacc.vim",
        "html4_sax_push_parser.c",
        "Alerts: injection_inter_process creates_largekey network_bind persistence_autorun persistence_autorun_tasks",
        "modify-class.tmpl",
        "VTProfessionalVideoWorkflow.h",
        "luau.vim",
        "java_method_references_signature_10.dump",
        "fvwm.vim",
        "icon.vim",
        "java_method_references_10.dump",
        "SWPersonIdentity.h",
        "gen_syntax_vim.vim",
        "VZEFIBootLoader.h",
        "gitolite.vim",
        "zip.vim",
        "java_annotations_01.dump",
        "ref",
        "plsql.vim",
        "elm.vim",
        "csh.vim",
        "coco.vim",
        "ibasic.vim",
        "vhdl.vim",
        "cisco",
        "nginx.vim",
        "java_method_references_signature_03.dump",
        "vim_object_methods.vim",
        "gzip.vim",
        "java_methods_indent4_signature_00.vim",
        "validate-job.test",
        "http://www.door.net/ARISBE/arisbe.htm",
        "printer.tmpl",
        "https://www.sharecare.com/doctor/jeffrey-reimer-6ie6z",
        "6015FED9-D723-4332-87D9-C478CF341407.aamdownload",
        "vim_ex_execute.vim",
        "java_method_references_signature_04.dump",
        "specman.vim",
        "vim_ex_commands.vim",
        "message.htm.com | Ransomware",
        "template.vim",
        "dcl.vim",
        "VZAudioOutputStreamSink.h",
        "create-printer-subscription.test",
        "purifylog.vim",
        "nfs.conf",
        "cs.vim",
        "xslt_stylesheet.c",
        "art.vim",
        "fdcc.vim",
        "assembler",
        "header.tmpl",
        "moo.vim",
        "mds.sb",
        "rasi.vim",
        "cweb.vim",
        "CFODNode.h",
        "python3complete.vim",
        "char_ref.h",
        "printer-default.tmpl",
        "java_lambda_expressions_06.dump",
        "exim.vim",
        "java_previews_455.java",
        "MTLArgument.h",
        "lex.vim",
        "CVE-2017-8977 - https://otx.alienvault.com/indicator/cve/CVE-2017-8977",
        "token_buffer.h",
        "SWCollaborationOptionsPickerGroup.h",
        "viminfo.vim",
        "VTPixelRotationSession.h",
        "printer-deleted.tmpl",
        "java_comments_markdown_04.dump",
        "libxml2_backwards_compat.c",
        "java_methods_indent4_00.vim",
        "model.vim",
        "java_methods_indent2_04.vim",
        "robots.vim",
        "vim_key_notation.vim",
        "java_module_info_01.dump",
        "java_annotations_00.dump",
        "aspperl.vim",
        "sh_08.sh",
        "vim_ex_augroup.vim",
        "jq.vim",
        "ipp-backend.test",
        "MTLParallelRenderCommandEncoder.h",
        "pfd.sb",
        "smarty.vim",
        "VZVirtioGraphicsDeviceConfiguration.h",
        "https://www.anyxxxtube.net/search-porn/tsara-brashears/",
        "bsdl.vim",
        "autohotkey.vim",
        "structurizr.vim",
        "pim.vim",
        "java_methods_indent8_signature_04.dump",
        "ada.vim",
        "vim9_keymap.vim",
        "vim_line_continuation.vim",
        "VZLinuxBootLoader.h",
        "http://fboomporn.com/teens/51826-gloryholeswallow-flora-floras-1st-gloryhole-visit-fullhd-1080p.html \u2022 teenystar18.toplistcreator.eu",
        "esqlc.vim",
        "xml_encoding_handler.c",
        "promela.vim",
        "monk.vim",
        "clojurecomplete.vim",
        "nsis.vim",
        "mib2c.scalar.conf",
        "java_methods_indent4_03.vim",
        "shtags.pl",
        "printers.tmpl",
        "Mac-35C5E08120C7EEAF.plist",
        "ampl.vim",
        "create-job.test",
        "qb64.vim",
        "token_buffer.c",
        "loginaccess.vim",
        "optwin.vim",
        "java_switch_00.dump",
        "MTLFunctionStitching.h",
        "VZConsoleDeviceConfiguration.h",
        "README.md",
        "svg_tags.c",
        "database.c",
        "sil.vim",
        "get-ppd-printer.test",
        "vim_ex_function_def_tail_comments.vim",
        "choose-uri.tmpl",
        "xml_entity_reference.c",
        "objc.vim",
        "User-Agent (Mozilla) - Possible Spyware Related WinHttpRequest Downloading EXE Likely Evil EXE download from WinHttpRequest non-exe extension",
        "Metal.apinotes",
        "fontmover.sb",
        "MTLResourceStatePass.h",
        "natural.vim",
        "MTLPipeline.h",
        "vim_ex_call.vim",
        "docbk.vim",
        "python2.vim",
        "ScreenCaptureKit.h",
        "blink.c",
        "tutor.es.utf-8",
        "att3b",
        "kwt.vim",
        "haste.vim",
        "json5.vim",
        "ninja.vim",
        "litestep.vim",
        "mini_portile.rb",
        "tutor.tr.utf-8",
        "help-trailer.tmpl",
        "SWDefines.h",
        "com.apple.CommCenter.sb",
        "VZHostAudioOutputStreamSink.h",
        "VZNVMExpressControllerDeviceConfiguration.h",
        "java_comments_html_05.dump",
        "classes-header.tmpl",
        "sh_04.sh",
        "python.vim",
        "https://spankbang-com.pornproxy.page/593ao/video/sunshine%20mouth%20stuffed%20gagged%20and%20tied%20with%20her%20friend",
        "xmlcomplete.vim",
        "sgmllnx.vim",
        "http://porn.toplistcreator.eu/in.php",
        "pdf.vim",
        "snnsres.vim",
        "identify-printer-multiple.test",
        "insertion_mode.h",
        "VZMacOSConfigurationRequirements.h",
        "java_methods_style_signature_04.vim",
        "java_lambda_expressions_05.dump",
        "slrnsc.vim",
        "vim_vs_net.cmd",
        "MTLCaptureManager.h",
        "com.apple.msrpc.netlogon.sb",
        "Mac-9AE82516C7C6B903.plist",
        "Datacenter / Hosting / VPS Reverse DNS host77.ipowerweb.com Location United States",
        "java_methods_indent2.java",
        "bout",
        "a17-250-248-150.www.bing.com \u2022 appledirectory.www.bing.com",
        "http://config.premiuminstaller.com/config/ls/offers.json?pid=installer&ts=2014-10-14T18:54:45.9443368Z&br=CR&adprovider=marmarf",
        "demoserver.py",
        "cabalproject.vim",
        "m3quake.vim",
        "database.h",
        "beetle",
        "java_lambda_expressions_03.dump",
        "cdl.vim",
        "dots_10",
        "pandoc.vim",
        "spup.vim",
        "java_methods_indent4.java",
        "VZVirtualMachine.h",
        "modula2_r10_03.dump",
        "ODRecord.h",
        "teraterm.vim",
        "java_comments_html_04.dump",
        "pccts.vim",
        "Mac-77EB7D7DAF985301.plist",
        "bhl",
        "MTLAccelerationStructureCommandEncoder.h",
        "java_generics_03.dump",
        "VZSocketDeviceConfiguration.h",
        "option-pickone.tmpl",
        "tutor.de.utf-8",
        "vim9_ex_no_comment_strings.vim",
        "sh_07_01.dump",
        "jobs-header.tmpl",
        "form.vim",
        "https://urlscan.io/domain/video-lal.com | Was extremely malicious",
        "reva.vim",
        "ipp-2.2.test",
        "java_methods_indent4_signature_05.dump",
        "imp.fusioninstall.com",
        "java_methods_style_01.vim",
        "VZHostAudioInputStreamSource.h",
        "java_unfoldment.java",
        "Mac-06F11FD93F0323C5.plist",
        "nroff.vim",
        "catalog.vim",
        "blackberry",
        "gsp.vim",
        "bsi",
        "ipp-2.0.test",
        "markdown_conceal.markdown",
        "java_methods_indent8_02.vim",
        "string_buffer.h",
        "uci.vim",
        "nokogiri.c",
        "mdworker-bundle.sb",
        "https://teenlist.toplistcreator.eu/in.php?nr=15170//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu",
        "ExmanProcessMutex",
        "urlshortcut.vim",
        "pike.vim",
        "https://app.join.engineeringim.com/e/er?utm_source=eloqua&utm_medium=email&utm_campaign=&sp_cid=&utm_content=PB_NAM23BSE_PB_06_BATT_PW_Shmuel&sp_aid=27591&sp_rid=31788066&sp_eh=577a94ae55b9b9c106e776e684a2413f8c4dac061fc5b814c054be9e822698d9&s=949606000&lid=79146&elqTrackId=2AD273F3E5AB3555FA7D5FA11122C7C2&elq=a46790e54bbc42d2b0adbc4e6533814e&elqaid=27591&elqat=1",
        "cynpp.vim",
        "identify-printer.test",
        "lprolog.vim",
        "java_comments_markdown_02.dump",
        "modula2_pim_06.dump",
        "cmod.vim",
        "job-hold.tmpl",
        "java_string_00.dump",
        "https://www.virustotal.com/gui/collection/d8bbd97abe2ea808a02db46380171df0803a43a379ed3795a316cb1f947939de/iocs",
        "VZUSBController.h",
        "theteenhealthdoc.com \u2022 http://jailbait.toplistcreator.eu/link.php?link=teenystar18.toplistcreator.eu&nr=522 \u2022 franchisefifteen.com",
        "https://success.trendmicro.com/dcx/s/solution/000146108-azorult-malware-information?language=en_US&sfdcIFrameOrigin=null",
        "static-push-preprod.porndig.com",
        "VTRAWProcessingProperties.h",
        "vim132",
        "pyrex.vim",
        "vgrindefs.vim",
        "synload.vim",
        "xml_syntax_error.c",
        "Pegasus Attacking SA victim & advocate |  Not interested in Predator",
        "openscad.vim",
        "mma.vim",
        "SCANID: S-9uT7vEdHwHk",
        "spellfile.vim",
        "Social Engineering",
        "pltags.pl",
        "focexec.vim",
        "java_generics_01.dump",
        "chord",
        "tutor.fr.utf-8",
        "bioinformatics",
        "tar.vim",
        "ishd.vim",
        "printer-confirm.tmpl",
        "initex.vim",
        "VZMemoryBalloonDevice.h",
        "get-completed-jobs.test",
        "Msudosos Regional Notes: While historical pivots show Russian-hosted nodes, the current dual-origin telemetry\u2014dominated by 181 United States-based endpoints\u2014strongly suggests a domestic-aligned adversary leveraging global 'grey space' to obfuscate its operational core. This massive US-centric footprint (exceeding all other regions combined) reinforces the theory of a false-flag orchestration designed to divert attribution toward foreign infrastructure while abusing legitimate Western-hosted trust chains.",
        "Telegram - https://t.me/login/***** | fFileHash-SHA256 cecaa6014e0cdc41ead0b076169175c9342a2ccc4b3e48549f88ea87ba8c034",
        "ODModuleEntry.h",
        "util.c",
        "sqr.vim",
        "java_method_references_06.dump",
        "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
        "Pivot-Ready Indicators (IOCs) Go BuildID: nGYES3pajdOmKy1i6Ghh/KO9ydOtZpXtoKtB0KHE-/iisNoniHgTbj_cV6M-uk/XmMYzkBiZs8NXMRZYTiT Telfhash: t1f303a0b3055d54e8b7f08907c7af7624cef6e0f726d078f169e278d09a72c826626874 Imphash: 9698f46495ce9401c8bcaf9a2afe1598 Vhash: 1e53f1a1b59ecb93f821c74b25d81e9f",
        "tag_lookup.h",
        "com.apple.managedcorespotlightd.sb",
        "bm",
        "htmlangular.vim",
        "modula2_pim_03.dump",
        "ccfilter.1",
        "lotos.vim",
        "slice.vim",
        "vim_ex_abbreviate.vim",
        "java_comments.java",
        "indent.vim",
        "ecd.vim",
        "i3config.vim",
        "parser.h",
        "haml.vim",
        "procmail.vim",
        "java_previews_455_01.dump",
        "ps1.vim",
        "192.185.223.216 | 192.168.56.1 [malware]",
        "print-uri.test",
        "com.apple.USBAgent.sb",
        "vrml.vim",
        "Metal.h",
        "create-job-sheets.test",
        "The pivot from cd398983... to this domain confirms a multi-year campaign (2019\u20132023) utilizing Namecheap-registered infrastructure to orchestrate wide-scale T1110.001 brute-force operations while bypassing standard PKI expiration checks.",
        "asy.vim",
        "takout.vim",
        "jimgaffigan.com",
        "print-job-manual.test",
        "java_comments_markdown_01.dump",
        "registry.vim",
        "java_methods_indent2_signature_02.vim",
        "html_01.dump",
        "https://www.virustotal.com/graph/embed/g34c2ebfedb6c47c286431a829da992c3744ab3fab0d74008946f3b9bbeb83e23?theme=dark",
        "hb.vim",
        "html_02.dump",
        "lisp.vim",
        "java_method_references_signature_09.dump",
        "dnsmasq.vim",
        "MTLLinkedFunctions.h",
        "qml.vim",
        "VZConsolePortConfiguration.h",
        "developer.apple.com",
        "java_lambda_expressions_signature.java",
        "uil.vim",
        "replacement.h",
        "java_escapes_04.dump",
        "java_methods_style_03.dump",
        "quicklookd.sb",
        "rbREXMLParser.rb",
        "http://email.acm.mg.hydrantid.com/c/eJxUyTGygyAQBuDTQMksPyhYULzGe-C6LzCKOoYmt88kXdrvWxPlEJ3TkmygcbQBHrokFk-R4WwexpBl-J8Ce8uygBdeJqtrAsGTdWQB8jA0yQDEL0qMrD",
        "slpconf.vim",
        "javascriptreact.vim",
        "cfg.vim",
        "Crypt_r.BDI: FileHash-SHA256 71906e67e75f832dfbd2c63fde953d76b6502e48e78badd3ef6fe30d02390268",
        "dots_05",
        "gretl.vim",
        "java_methods_indent4_signature_03.dump",
        "3.33.152.147 - Antivirus Detections: !#AddsCopyToStartup ,  !#HSTR:SigGen0136cb6c ,  ALF:AGGR:OpcCl:99!ml , ALF:Exploit:O97M/CVE-2017-8977",
        "javascriptcomplete.vim",
        "http://sexkompas.xyz",
        "https://cellebrite.com/en/federal-government/",
        "https://otx.alienvault.com/browse/global/pulses?q=tag:threats&include_inactive=0&sort=-modified&page=1&limit=10&indicatorsSearch=threats",
        "tokenizer.c",
        "blit",
        "gnuplot.vim",
        "java_unfoldment_00.dump",
        "obj.vim",
        "VZSerialPortAttachment.h",
        "yi.vim",
        "aout",
        "java_generics.java",
        "VZNetworkDevice.h",
        "gpg.vim",
        "tssop.vim",
        "http://install.oinstaller5.com/o/jfaquew_jupdate/setup.exe?mode=dlshift&sf=0&subid=a208&filedescription=setup&adprovider=jfaquew&cpixe",
        "eterm.vim",
        "changelog.vim",
        "sh_09.sh",
        "java_generics_00.dump",
        "VZGraphicsDisplayConfiguration.h",
        "VZUSBDeviceConfiguration.h",
        "maxima.vim",
        "terraform.vim",
        "SWUpdateCollaborationParticipantsAction.h",
        "application",
        "java_methods_indent8_04.vim",
        "java_numbers_03.dump",
        "sieve.vim",
        "nasm.vim",
        "SWCollaborationActionHandler.h",
        "MTLDynamicLibrary.h",
        "rebol.vim",
        "xhtml10f.vim",
        "sindacmp.vim",
        "sqlhana.vim",
        "requirements.vim",
        "Mac-27ADBB7B4CEE8E61.plist",
        "https://www.toindian.com/s/jeffrey-reimer-dpt-porn/",
        "campaign-manager.sharecare.com",
        "javacc.vim",
        "java_annotations_04.dump",
        "SWPerson.h",
        "option-boolean.tmpl",
        "java_methods_indent2_signature_00.vim",
        "VTVideoEncoderList.h",
        "html4_sax_parser_context.c",
        "mel.vim",
        "doxygen.vim",
        "java_methods_indent8_03.dump",
        "gnash.vim",
        "kivy.vim",
        "quicklook-satellite-personal.sb",
        "java_methods_style_signature_02.dump",
        "VZDirectorySharingDevice.h",
        "as15169",
        "java_methods_indent4_06.dump",
        "eiffel.vim",
        "lyrics.vim",
        "awk.vim",
        "Mac-35C1E88140C3E6CF.plist",
        "gitattributes.vim",
        "getscript.vim",
        "ODAttributeMap.h",
        "blcr",
        "MTLRenderCommandEncoder.h",
        "get-printer-attributes-suite.test",
        "sinda.vim",
        "VZError.h",
        "media.defs",
        "aap.vim",
        "vimrc",
        "cf.vim",
        "error.tmpl",
        "tohtml.vim",
        "java_lambda_expressions_08.dump",
        "dots_16",
        "java_methods_indent4_01.dump",
        "audio",
        "set-printer-options-header.tmpl",
        "tssgm.vim",
        "dots_09",
        "java_switch_03.dump",
        "expect.vim",
        "VZVirtioSocketConnection.h",
        "printer-configured.tmpl",
        "httpd.exp",
        "SCANID: S-4FSYbAVw6TA",
        "youramateuporn.com",
        "java_lambda_expressions_signature_06.dump",
        "java_module_info.java",
        "hitest.vim",
        "ant.vim",
        "java_methods_indent2_03.dump",
        "shtags.1",
        "dots_12",
        "Mac-3CBD00234E554E41.plist",
        "gitrebase.vim",
        "log4shell-generic-ammqgekxvatp3a2qyw71ten.r.nessus.org play.google.com demo171.apple.com apps.apple.com",
        "java_methods_indent8_00.vim",
        "xml_text.c",
        "Mac-9F18E312C5C2BF0B.plist",
        "mib2c.perl.conf",
        "fetchmail.vim",
        "srt.vim",
        "mime.convs",
        "job-move.tmpl",
        "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
        "quake.vim",
        "java_generics_signature_00.dump",
        "objcpp.vim",
        "extconf.rb",
        "VZMacTrackpadConfiguration.h",
        "https://www.virustotal.com/graph/embed/ga8f86f452d6d4819b2dedf4c1981843304472a457d9b4b339f35679f4693ce9c?theme=dark",
        "mib2c.column_storage.conf",
        "udevperm.vim",
        "libxml.rb",
        "VZDiskBlockDeviceStorageDeviceAttachment.h",
        "abaqus.vim",
        "https://otx.alienvault.com/pulse/655d0f94ad4d7cdc5e3f0a98",
        "efm_perl.pl",
        "java_lambda_expressions_signature_00.dump",
        "sbt.vim",
        "Mac-189A3D4F975D5FFC.plist",
        "Mac-CAD6701F7CEA0921.plist",
        "tutor.eo.utf-8",
        "java_annotations_signature.java",
        "manconf.vim",
        "java_generics_signature_07.dump",
        "nokogiri.h",
        "https://www(.)tryindiansex(.)com/s/tsara-brashears/",
        "ftplugin.vim",
        "modconf.vim",
        "sshconfig.vim",
        "java_lambda_expressions_signature_02.dump",
        "xml_node.c",
        "vera.vim",
        "pinfo.vim",
        "xml_element_content.c",
        "csdl.vim",
        "SWPersonIdentityProof.h",
        "nqc.vim",
        "vim9_ex_function_def_tail_comment_errors.vim",
        "scripts.vim",
        "mermaid.vim",
        "cvmsCompAgent.sb",
        "context.vim",
        "cdrtoc.vim",
        "macros.h",
        "erlang.vim",
        "identify-printer-display.test",
        "cabal.vim",
        "Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba5c9390e94bd4333b7fad186",
        "gdmo.vim",
        "m3build.vim",
        "pamconf.vim",
        "sas.vim",
        "ncf.vim",
        "VZVirtioEntropyDeviceConfiguration.h",
        "XPdb-wal",
        "printer-modified.tmpl",
        "get-ppds.test",
        "idl.vim",
        "meson.vim",
        "tutor.ca.utf-8",
        "dots_06",
        "java_module_info_00.dump",
        "create-job-timeout.test",
        "rexx.vim",
        "java_annotations_signature_03.dump",
        "ODConfiguration.h",
        "occam.vim",
        "xhtml10t.vim",
        "MTLIOCommandQueue.h",
        "MTLVisibleFunctionTable.h",
        "sgml.vim",
        "VZFileSerialPortAttachment.h",
        "print-job-letter.test",
        "talk.plesk.com | 4evermusic.pl |  nist.gov | alaska.gov.inbound10.mxlogic.net | publicfiles.fcc.gov",
        "OpenDirectory.h",
        "xml_attribute_decl.c",
        "arm64e-apple-macos.swiftinterface",
        "Crypt_r.AWJ: FileHash-SHA256 cc83b186700b21e5c4cae0f8236ae3e50ab47c2c21a3987ea00463056cbd1c26",
        "rust.vim",
        "lc.vim",
        "838114.parkingcrew.net",
        "ia64.vim",
        "SWCollaborationOptionsGroup.h",
        "gvim.desktop",
        "MacOSX_OALExtensions.h",
        "ipp-1.1.test",
        "rbNokogiriParser.rb",
        "java_methods_style_signature_04.dump",
        "https://mail.greycroft.com/owa/redir.aspx?SURL=zRgJdPcEmzMcui5aPZuMhrMWFaQp7UWJt7B48ki50f3tl7bBVhrTCGgAdAB0AHAAcwA6AC8ALwBpAHQAdQBuAGUAcwAuAGEAcABwAGwAZQAuAGMAbwBtAC8AdQBzAC8AYQBwAHAALwBhAG4AaQBtAGEAdABpAGMALQBiAHkALQBpAG4AawBiAG8AYQByAGQALwBpAGQAMQAwADUAMgAzADcAOQAxADUANAA_AGwAcwA9ADEAJgBtAHQAPQA4AA..&URL=https://itunes.apple.com/us/app/animatic-by-inkboard/id1052379154?ls=1&mt=8",
        "fasm.vim",
        "java_escapes_07.dump",
        "java_methods_indent4_signature.java",
        "get-ppds-make-and-model.test",
        "VZGenericPlatformConfiguration.h",
        "java_module_info.vim",
        "VZVirtioNetworkDeviceConfiguration.h",
        "manual.vim",
        "java_methods_style_02.dump",
        "VZMacHardwareModel.h",
        "print-job-hold.test",
        "xml_namespace.c",
        "nsmb.conf",
        "VZNATNetworkDeviceAttachment.h",
        "print-job-and-wait.test",
        "abap.vim",
        "java_methods_style_00.dump",
        "iso.vim",
        "com.apple.cloudd.sb",
        "com.apple.taskgated-helper.sb",
        "snobol4.vim",
        "html401t.vim",
        "livebook.vim",
        "string_buffer.c",
        "pacmanlog.vim",
        "mmp.vim",
        "mib2c.conf",
        "go.vim",
        "qlmanage.sb",
        "raster.defs",
        "printer-start.tmpl",
        "ScriptingBridge.apinotes",
        "efm_filter.pl",
        "tracking2youdu.com , cdn.livechatinc.com",
        "sqloracle.vim",
        "java_string_02.dump",
        "SCANID: S-YV38dG9guZE",
        "vim_ex_function.vim",
        "class-confirm.tmpl",
        "gedcom.vim",
        "secret",
        "thevipporn.com porn25.com lowendporn.com pz7.iqg29.cn",
        "java_methods_indent4_signature_04.dump",
        "proto.vim",
        "tutor.hr.utf-8",
        "java_escapes_00.dump",
        "chordpro.vim",
        "godoc.vim",
        "java_method_references_signature_08.dump",
        "elf.vim",
        "get-printers.test",
        "vim9_legacy_header_fold.vim",
        "VTPixelTransferSession.h",
        "tt2js.vim",
        "foreign_attrs.c",
        "asn.vim",
        "http://r3.i.lencr.org/ | r3.i.lencr.org | c.lencr.org | x1.c.lencr.org",
        "com.apple.msrpc.wkssvc.sb",
        "ave.vim",
        "lite.vim",
        "MTLLibrary.h",
        "po.vim",
        "java_methods_indent4_signature_01.vim",
        "typescriptreact.vim",
        "Mac-66E35819EE2D0D05.plist",
        "SBObject.h",
        "modula2_iso_00.dump",
        "dep3patch.vim",
        "java_method_references_00.dump",
        "jsonc.vim",
        "mds_stores.sb",
        "htmlcomplete.vim",
        "java_methods_style_signature_02.vim",
        "xhamster.comyouporn.com",
        "MTLIndirectCommandEncoder.h",
        "alc.h",
        "VZVirtioConsolePortConfigurationArray.h",
        "csv.vim",
        "netrwSettings.vim",
        "apt",
        "MTLResourceStateCommandEncoder.h",
        "tutor.nl.utf-8",
        "com.apple.netbiosd.sb",
        "VTBase.h",
        "MTLCommandEncoder.h",
        "SWCollaborationCoordinator.h",
        "ISP: Charter Communications Inc Usage Type\tFixed Line ISP",
        "MTLBlitPass.h",
        "update_date.vim",
        "stylus.vim",
        "rib.vim",
        "asf",
        "xmlformat.vim",
        "gp.vim",
        "alliant",
        "openroad.vim",
        "Yara Detections:  ConventionEngine_Term_Users ,  ConventionEngine_Keyword_Anti ,  dbgdetect_procs",
        "Make_mvc.mak",
        "dot.vim",
        "java_method_references_signature_00.dump",
        "tutor.hu.utf-8",
        "csscomplete.vim",
        "PKPushRegistry.h",
        "https://cdns.directv.com/resources/js/dtv/framework/plugins/jquery.placeholder.min.js | peri.com.pl",
        "Victim to afraid to bring lawsuit for attack that caused SCI. Endlessly bullied.",
        "MTLIndirectCommandBuffer.h",
        "gyp.vim",
        "android",
        "https://www.virustotal.com/graph/embed/g532ea94109c54d96ba1bde62201fb4439ef00ab8d0af4a2f99ee42846ad158df?theme=dark",
        "gumbo.c",
        "vim_ex_substitute.vim",
        "vimball.vim",
        "tutor.sv.utf-8",
        "dots_03",
        "job-restart.tmpl",
        "VZLinuxRosettaAbstractSocketCachingOptions.h",
        "java_generics_signature.java",
        "Yara ruleset match: Windows_API_Function by InQuest Labs",
        "java_lambda_expressions.java",
        "MTLCommandQueue.h",
        "vim9_legacy_header.vim",
        "terminfo.vim",
        "com.apple.ckdiscretionaryd.sb",
        "modula2_iso_02.dump",
        "SwiftUI.swiftoverlay",
        "Mac-E43C1C25D4880AD6.plist",
        "plp.vim",
        "rbPlainCFPropertyList.rb",
        "lscript.vim",
        "tt2html.vim",
        "VZVirtioConsolePort.h",
        "c.vim",
        "java_methods_indent8_signature_00.dump",
        "airportd.sb",
        "mediawiki.vim",
        "get-job-attributes2.test",
        "pager.tmpl",
        "java_methods_style_03.vim",
        "ODMappings.h",
        "stp.vim",
        "tutor.sr.utf-8",
        "setserial.vim",
        "gss-initiator.sb",
        "create-job-format.test",
        "dns.vim",
        "yaml.yaml",
        "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
        "esterel.vim",
        "Mac-FA842E06C61E91C5.plist",
        "dtml.vim",
        "SCANID: S-CadvV0Kd35c",
        "VZAudioDeviceConfiguration.h",
        "VZVirtioGraphicsDevice.h",
        "https://mylegalbid.com/malwarebytes",
        "java_methods_indent2_signature_03.vim",
        "apple.convs",
        "java_switch_07.dump",
        "print-job-password.test",
        "java_string_04.dump",
        "coff",
        "master.vim",
        "mgp.vim",
        "voscm.vim",
        "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
        "javaformat.vim",
        "asteriskvm.vim",
        "VZSpiceAgentPortAttachment.h",
        "esmtprc.vim",
        "ssa.vim",
        "r10.vim",
        "hlsplaylist.vim",
        "html32.vim",
        "Alerts: deletes_executed_files injection_runpe persistence_ads suspicious_command_tools anomalous_deletefile antisandbox_sleep dead_connect dynamic_function_loading resumethread_remote_process powershell_download powershell_request",
        "Crypt: FileHash-SHA256 71f1f6c91dbe8050e7c5d54f294f5eabec02dccbe97fb0100e7ebf8f35b0d062",
        "VTFrameSilo.h",
        "gitcommit.vim",
        "IDS Detections: Suspicious double Server Header Possible Kelihos",
        "redirect_keitaro_exploit_kit_compromised_site_se_referrer",
        "java_methods_indent8_signature.java",
        "VZMacOSBootLoader.h",
        "Mac-BE088AF8C5EB4FA2.plist",
        "VTCompressionSession.h",
        "https://songculture.com/tsara-brashears | https://www.songculture.com/tsara-brashears-music",
        "xml_sax_push_parser.c",
        "cgdbrc.vim",
        "vim_ex_def_fold.vim",
        "https://www.virustotal.com/graph/embed/gd1083011fd0b455fb2be107f7ee59516dc3f4c39b05b4a90b15e8b0ad748a0d2?theme=dark",
        "tutor.lv.utf-8",
        "https://hybrid-analysis.com/sample/209db5b7a473df6f2bff9274b96e556ec296237fdb134959f413c6b3b93fff74",
        "tutor.cs.utf-8",
        "vim_ex_range.vim",
        "ist.vim",
        "NSOpenDirectory.h",
        "java_unfoldment_05.dump",
        "kconfig.vim",
        "Virtualization.tbd",
        "VZVirtioSoundDeviceOutputStreamConfiguration.h",
        "rnoweb.vim",
        "java_unfoldment_03.dump",
        "apachestyle.vim"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [
            "DragonForce Hacker Group Malaysia",
            "Berserk Bear (also known as BROMINE, Crouching Yeti, Dragonfly,",
            "Adversary Profile: Salt Typhoon Alignment The architectural gap identified by mudoSO mirrors the act",
            "StealthWorker/GoBrut (The adversary demonstrates advanced telemetry suppression within specialized s",
            "DragonForce Malaysia"
          ],
          "malware_families": [
            "Win32:salicode",
            "Alf:heraklezeval:trojan:win32/ymacco",
            "Win.trojan.downloader-42770",
            "Trojan.onlinegames/aoks",
            "Crypt4.ygm",
            "Kelihos",
            "Amazon",
            "Cryp_xed-12",
            "Crypt_r.bcm",
            "Etpro",
            "Trojan:win32/dursg.k",
            "Vzbootloader",
            "Zbot",
            "Trojan:pdf/owaphish.a",
            "Win.trojan.xtoober-650",
            "#lowfi:lua:autoitv3craftedoverlay",
            "Ransom",
            "Win.trojan.magania-13720",
            "Heartbleed bug",
            "Hallrender",
            "Vim tutor",
            "Inject3.qgy",
            "Selectall",
            "Win32:kamso",
            "Emotet",
            "Win.trojan.agent-1313630",
            "Backdoor:win32/tofsee.t",
            "Tel:exploit:o97m/cve-2017-8570",
            "Win32:karagany-d\\ [trj]",
            "Md5 hash: f8add7e7161460ea2b1970cf4ca535bf",
            "Ransom:win32/eniqma.a",
            "Win.trojan.bho-136",
            "Win.trojan.tofsee-6840338-0",
            "Mirai",
            "Trojan:win32/comspec",
            "Win32:agent-aoks\\ [trj]",
            "Possible",
            "Adacore",
            "Cftyperef",
            "Hacktool",
            "Upackv037dwing",
            "Win.packed.pincav-7537597-0",
            "Et",
            "Worm:win32/benjamin",
            "Slfper:softwarebundler:win32/dlhelper",
            "Crypt",
            "Azorult cnc",
            "Alf:heraklezeval:rogue:win32/fakerean",
            "Win32:injector-cvf\\ [trj]\t\twin.mal",
            "Trojan:win32/glupteba.mt!mtb",
            "Comspec",
            "Win.packed.enigma-10023199-0",
            "Stefan",
            "Alf:exploit:o97m/cve-2017-8977",
            "Trojan.karagany - s0094",
            "Malware family: stealthworker / gobrut",
            "Backdoor:win32/tofsee",
            "Tulach",
            "Alf:aggr:exploit:o97m/cve-2017-11882",
            "Win32:backdoorx-gen\\ [trj]",
            "Ascii",
            "Xls:nastya\\ [trj]",
            "Trojan:win32/mydoom",
            "Win32:malware-gen",
            "Sabey urself - s0386",
            "Trojan:win32/glupteba",
            "Appleservice",
            "Win32:pwsx-gen",
            "Cerber ransomware",
            "Typeerror",
            "Nod32",
            "Win.packer.pkr_ce1a-9980177-0",
            "Win.malware.vtflooder-6260355-1",
            "Trojan:win32/bho.cv",
            "Cobalt strike",
            "Nids",
            "Win32:trojan-gen",
            "Win32:sality",
            "Gc",
            "Prynt",
            "Virtool",
            "Virtool:win32/obfuscator",
            "Worm:win32/fesber.a",
            "Esc",
            "Tofsee",
            "Win.trojan.buzus-5453",
            "Trojandownloader:win32/nemucod",
            "Pegasus for ios - s0289",
            "Sf:shellcode-au\\ [trj]",
            "Win32:pwsx-gen\\ [trj]",
            "Roboto",
            "Rce cve-2023-3519",
            "Trojandownloader:win32/cutwail",
            "Worm:win32/macoute.a",
            "Mal/generic-s",
            "Trojan:win32/kryptik",
            "Todo",
            "Adware affiliate",
            "Trojan:win32/startpage.ss",
            "Trojanspy:win32/nivdort",
            "Alf:jasyp:trojandownloader:win32/karagany!atmn",
            "Win.trojan.swisyn-6819",
            "Trojandownloader:js/nemucod.qj",
            "Win32:bankerx-gen\\ [trj]",
            "Crack_unhackme_sigma.rar"
          ],
          "industries": [
            "Finance - insurance sector",
            "Civil society",
            "Healthcare",
            "Technology",
            "Energy",
            "Media",
            "Legal",
            "Legal, financial, healthcare, government, municipal, real-estate, enterprise-technology, critical-in",
            "Government",
            "Retail",
            "Online shopping",
            "Telecommunications",
            "Education"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 50,
  "pulses": [
    {
      "id": "698e93e1ab02db8c49e8c3ed",
      "name": "\u201cBroken Seal\u201d DocuSign-themed Delivery with Fileless Process Hollowing (Zeppelin/Bloat-A)",
      "description": "Forensic analysis indicates a DocuSign-themed phishing campaign using a deliberately invalid X.509 PKI seal (\u201cBroken Seal\u201d) to trigger fail-open verification logic in automated handlers. The delivery mechanism bypasses Secure Email Gateway (SEG) reputation checks by using encrypted channels and human-gated infrastructure. The payload is a fileless Process Hollowing (RunPE) malware that injects into RWX memory of legitimate processes to evade disk-based EDR.",
      "modified": "2026-04-19T08:11:41.130000",
      "created": "2026-02-13T03:00:49.872000",
      "tags": [
        "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi",
        "9698f46495ce9401c8bcaf9a2afe1598",
        "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)",
        "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71",
        "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3",
        "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link",
        "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)"
      ],
      "references": [
        "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
        "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
        "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
        "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
        "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
        "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
        "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
        "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
        "Verification failure observed in automated verification handlers during sandbox replay.",
        "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
        "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
        "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
        "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
        "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
        "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
        "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
        "Whitelisted IP Address 204.79.197.212 Location  United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. ,  ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc.,   Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 ,  5943 ,  80211 ,  #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf ,  The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
        "",
        "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "China",
        "United States of America",
        "Spain",
        "Japan",
        "Canada"
      ],
      "malware_families": [],
      "attack_ids": [],
      "industries": [
        "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In"
      ],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 11,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 27678,
        "FileHash-SHA256": 47676,
        "FileHash-MD5": 42534,
        "FileHash-SHA1": 23213,
        "hostname": 33703,
        "URL": 75433,
        "SSLCertFingerprint": 30,
        "CVE": 7582,
        "email": 313,
        "FileHash-IMPHASH": 8,
        "CIDR": 26205,
        "JA3": 1,
        "IPv4": 80,
        "URI": 5
      },
      "indicator_count": 284461,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 68,
      "modified_text": "3 hours ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69bb65707834a02d0a4c7683",
      "name": "VirusTotal report\n                    for debug.zip",
      "description": "",
      "modified": "2026-04-18T02:04:23.541000",
      "created": "2026-03-19T02:54:40.990000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1064",
          "name": "Scripting",
          "display_name": "T1064 - Scripting"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1560",
          "name": "Archive Collected Data",
          "display_name": "T1560 - Archive Collected Data"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 6,
        "FileHash-SHA1": 6,
        "FileHash-SHA256": 121,
        "URL": 80,
        "domain": 11,
        "hostname": 27
      },
      "indicator_count": 251,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 48,
      "modified_text": "1 day ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69bb6572706738c6329df151",
      "name": "VirusTotal report\n                    for debug.zip",
      "description": "",
      "modified": "2026-04-18T02:04:23.541000",
      "created": "2026-03-19T02:54:42.245000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1064",
          "name": "Scripting",
          "display_name": "T1064 - Scripting"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1560",
          "name": "Archive Collected Data",
          "display_name": "T1560 - Archive Collected Data"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 6,
        "FileHash-SHA1": 6,
        "FileHash-SHA256": 121,
        "URL": 80,
        "domain": 11,
        "hostname": 27
      },
      "indicator_count": 251,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 48,
      "modified_text": "1 day ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6992bae83a5988dff8311490",
      "name": "Distributed Credential Exhaustion & C2 Orchestration via Golang-Based StealthWorker (ELF.Agent-VW)",
      "description": "Researcher credit: msudosos, level blue platform----\nThis artifact represents a high-integrity StealthWorker (GoBrut) botnet agent, architected as a statically linked, stripped 32-bit ELF binary to ensure cross-platform environmental independence. The sample utilizes XOR 0x20-encoded JavaScript payloads and String.fromCharCode obfuscation to mask its internal logic and bypass heuristic-based memory scanners. [User Notes] Its operational core is a multi-threaded service bruter targeting SSH, MySQL, and CMS backends, leveraging a massive infrastructure of 1,834 domains and 797 unique IPv4 endpoints for decentralized Command & Control (C2). Network telemetry confirms the use of ICMP and HTTP-based beaconing, indicating a sophisticated retry logic designed to maintain persistence across diverse network topologies. With a malicious file score of 10, this binary serves as a primary vector for large-scale credential harvesting and the subsequent integration of Linux infrastructure into global botnet clusters.",
      "modified": "2026-04-13T23:46:20.071000",
      "created": "2026-02-16T06:36:24.788000",
      "tags": [
        "Obfuscation: XOR-based String Encryption (0x20)",
        "T1110.001 (Brute Force: Password Guessing)",
        "Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba",
        "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf",
        "#PotentialUS-Origin_FalseFlag_Obfuscation"
      ],
      "references": [
        "Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba5c9390e94bd4333b7fad186",
        "Obfuscation: XOR-based String Encryption (0x20)",
        "T1110.001 (Brute Force: Password Guessing)",
        "This ELF 32-bit LSB artifact is a sophisticated GoBrut/StealthWorker agent, compiled via Golang 1.10 and stripped to obfuscate its high-velocity service-bruting logic. VirusTotal confirms a critical threat profile with 44/65 security vendors flagging the file, which leverages a unique Go BuildID (nGYES3pajdOm...) and a Telfhash (t1f303a0...) for architectural fingerprinting. The binary orchestrates decentralized Command and Control (C2) through an expansive infrastructure of 797 unique IPs and 1,834 domains",
        "Pivot-Ready Indicators (IOCs) Go BuildID: nGYES3pajdOmKy1i6Ghh/KO9ydOtZpXtoKtB0KHE-/iisNoniHgTbj_cV6M-uk/XmMYzkBiZs8NXMRZYTiT Telfhash: t1f303a0b3055d54e8b7f08907c7af7624cef6e0f726d078f169e278d09a72c826626874 Imphash: 9698f46495ce9401c8bcaf9a2afe1598 Vhash: 1e53f1a1b59ecb93f821c74b25d81e9f",
        "Researcher msudosos posits a strategic exploitation of Root Certificate Validation Failures, where the adversary leverages an expired trust chain to bypass heuristic security filters and establish persistence.",
        "This technique allows the GoBrut/StealthWorker agent to circumvent automated revocation checks, enabling its decentralized C2 infrastructure to recruit Linux hosts via high-velocity credential exhaustion.",
        "The local environment exhibits advanced telemetry suppression within specialized skim memory regions, effectively neutralizing standard DMARC validation and Microsoft-integrated defensive protocols.",
        "By maintaining a hollowed root posture, the sample facilitates persistent, low-signal synchronization with external cloud infrastructure while bypassing traditional heuristic trust-chain verification.",
        "The domain prioritywirreles.com (registered via NAMECHEAP INC) shows a 4/93 detection ratio, confirming it is a live but \"low-noise\" C2 node used to avoid broad-spectrum blacklisting",
        "",
        "The environment leverages prioritywirreles.com as a high-fidelity DGA-derived C2 node, utilizing its historical resolution to Russian-hosted IP space (194.61.24.231) to maintain persistent Stealthworker botnet synchronization.",
        "By operating through WhoisGuard-protected infrastructure and exploiting XOR 0x20 obfuscation, the adversary effectively suppresses telemetry into skim space, successfully bypassing DMARC and Microsoft-integrated trust-chain validation.",
        "The pivot from cd398983... to this domain confirms a multi-year campaign (2019\u20132023) utilizing Namecheap-registered infrastructure to orchestrate wide-scale T1110.001 brute-force operations while bypassing standard PKI expiration checks.",
        "LBresearcher: msudosos notes: The campaign's use of T1110.001 (Password Guessing) is specifically tuned to exhaust credentials across SSH, MySQL, and CMS backends, effectively recruiting server infrastructure into a global \"zombie\" network.",
        "LBresearcher: msudosos notes: The threat actor maintains operational longevity by rotating through WhoisGuard-protected nodes like prioritywirreles.com, which historically resolved to Russian-hosted IP space (194.61.24.231) to obfuscate its origin.",
        "LBresearcher: msudosos notes: By exploiting Root Certificate Validation Failures, the StealthWorker (GoBrut) agent ensures that its 32-bit ELF binaries bypass the automated reputation checks enforced by major cloud providers.",
        "Monitor DGA Shifts: Track new domains registered through NAMECHEAP INC using the current WhoisGuard patterns to identify the next cluster before it goes active. Analyze Telfhash Clusters: Use the Telfhash (t1f303a0...) to pivot and find if the adversary has updated to 64-bit ELF or ARM architectures. Harden DMARC: Ensure your environment moves from \"p=none\" to \"p=reject\" to mitigate the internal spoofing loops exploited by this botnet's telemetry suppression.",
        "Persistent C2 Orchestration: This ELF:Agent-VW variant serves as a critical GoBrut node, utilizing XOR 0x20 obfuscation and ICMP/HTTP beaconing to maintain a persistent link across 1,834 domains and 797 unique IPs",
        "Researcher msudosos: This activity appears to facilitate a preliminary reconnaissance phase, possibly utilizing system commands to query /proc/cpuinfo and /proc/version for architectural profiling purposes.",
        "Researcher msudosos suggests the VirusTotal (Tencent HABO) behavior report may indicate a potential execution path from volatile storage at /tmp/EB93A6/996E.elf.",
        "Msudosos Regional Notes: While historical pivots show Russian-hosted nodes, the current dual-origin telemetry\u2014dominated by 181 United States-based endpoints\u2014strongly suggests a domestic-aligned adversary leveraging global 'grey space' to obfuscate its operational core. This massive US-centric footprint (exceeding all other regions combined) reinforces the theory of a false-flag orchestration designed to divert attribution toward foreign infrastructure while abusing legitimate Western-hosted trust chains.",
        "WHOIS data anchors administrative and technical operations for prioritywirreles.com in Los Angeles, CA (90064) via Namecheap infrastructure. Following its 2020 expiration, the domain has transitioned into redemptionPeriod/pendingDelete status, signaling the formal decommissioning of this C2 asset."
      ],
      "public": 1,
      "adversary": "StealthWorker/GoBrut (The adversary demonstrates advanced telemetry suppression within specialized s",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Malware Family: StealthWorker / GoBrut",
          "display_name": "Malware Family: StealthWorker / GoBrut",
          "target": "/malware/Malware Family: StealthWorker / GoBrut"
        },
        {
          "id": "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf",
          "display_name": "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1001",
          "name": "Data Obfuscation",
          "display_name": "T1001 - Data Obfuscation"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 5,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 2166,
        "FileHash-SHA1": 2067,
        "FileHash-SHA256": 3371,
        "domain": 13295,
        "URL": 6860,
        "email": 272,
        "hostname": 4705,
        "SSLCertFingerprint": 268,
        "CVE": 107,
        "CIDR": 6
      },
      "indicator_count": 33117,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 62,
      "modified_text": "5 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69ca434ee788ab3d090e6013",
      "name": "PDFKIT.NET - Trust Bypass Continued Concerns",
      "description": "A complete list of key facts and statistics:..3-magnitude-based data-sharing platform, which was first created in 2003, has been published by the University of Oxford.<-- Pretext. Msudosos: Ongoing concerns persist regarding the use of the pdfkit.net library in specific DMV versions, which may allow for trust bypass across multiple platforms. Research indicates that isolating affected areas or voiding certificates will not remediate this issue, as the corrupted trusted root persists even after firmware-level restores.",
      "modified": "2026-04-07T02:11:33.275000",
      "created": "2026-03-30T09:33:02.363000",
      "tags": [
        "fcc",
        "trust bypass",
        "pi",
        "hollow-root",
        "pdfkit.net",
        "cryptographically-invalid",
        "Docusign as an exploit",
        "gov / infra / healthcare / mun",
        "education",
        "US",
        "globalsign2020",
        "noend--point.",
        "null"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Netherlands",
        "Italy",
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Stefan",
          "display_name": "Stefan",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1218",
          "name": "Signed Binary Proxy Execution",
          "display_name": "T1218 - Signed Binary Proxy Execution"
        }
      ],
      "industries": [
        "Telecommunications",
        "Education",
        "Government"
      ],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 77,
        "IPv4": 8,
        "domain": 39,
        "email": 4,
        "hostname": 60,
        "FileHash-SHA1": 47,
        "FileHash-SHA256": 209,
        "FileHash-MD5": 42,
        "CVE": 1
      },
      "indicator_count": 487,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 50,
      "modified_text": "12 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69d44629b6a6bc546fdd357a",
      "name": "VirusTotal Box of Apples Sandbox report",
      "description": "<<< full text of the following:.1.2 (2.4m) in text, in the form of file, has been published online by the Linux operating system, known as Linux.>>>",
      "modified": "2026-04-06T23:47:53.256000",
      "created": "2026-04-06T23:47:53.256000",
      "tags": [
        "file type",
        "unix",
        "wed jun",
        "thu jun"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1010",
          "name": "Application Window Discovery",
          "display_name": "T1010 - Application Window Discovery"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1064",
          "name": "Scripting",
          "display_name": "T1064 - Scripting"
        },
        {
          "id": "T1543",
          "name": "Create or Modify System Process",
          "display_name": "T1543 - Create or Modify System Process"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 1023,
        "hostname": 54,
        "IPv4": 4,
        "FileHash-MD5": 12,
        "FileHash-SHA1": 12,
        "URL": 146,
        "domain": 230
      },
      "indicator_count": 1481,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 48,
      "modified_text": "12 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69d4462886e53e706aae1674",
      "name": "VirusTotal Box of Apples Sandbox report",
      "description": "<<< full text of the following:.1.2 (2.4m) in text, in the form of file, has been published online by the Linux operating system, known as Linux.>>>",
      "modified": "2026-04-06T23:47:52.536000",
      "created": "2026-04-06T23:47:52.536000",
      "tags": [
        "file type",
        "unix",
        "wed jun",
        "thu jun"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1010",
          "name": "Application Window Discovery",
          "display_name": "T1010 - Application Window Discovery"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1064",
          "name": "Scripting",
          "display_name": "T1064 - Scripting"
        },
        {
          "id": "T1543",
          "name": "Create or Modify System Process",
          "display_name": "T1543 - Create or Modify System Process"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 1023,
        "hostname": 54,
        "IPv4": 4,
        "FileHash-MD5": 12,
        "FileHash-SHA1": 12,
        "URL": 146,
        "domain": 230
      },
      "indicator_count": 1481,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 48,
      "modified_text": "12 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69d4462288245b27cf606f42",
      "name": "VirusTotal Box of Apples Sandbox report",
      "description": "<<< full text of the following:.1.2 (2.4m) in text, in the form of file, has been published online by the Linux operating system, known as Linux.>>>",
      "modified": "2026-04-06T23:47:46.697000",
      "created": "2026-04-06T23:47:46.697000",
      "tags": [
        "file type",
        "unix",
        "wed jun",
        "thu jun"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1010",
          "name": "Application Window Discovery",
          "display_name": "T1010 - Application Window Discovery"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1064",
          "name": "Scripting",
          "display_name": "T1064 - Scripting"
        },
        {
          "id": "T1543",
          "name": "Create or Modify System Process",
          "display_name": "T1543 - Create or Modify System Process"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 1023,
        "hostname": 54,
        "IPv4": 4,
        "FileHash-MD5": 12,
        "FileHash-SHA1": 12,
        "URL": 146,
        "domain": 230
      },
      "indicator_count": 1481,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 48,
      "modified_text": "12 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69d4442a0b5217c34bbcbd2d",
      "name": "VirusTotal report\n                    for install.sh",
      "description": "",
      "modified": "2026-04-06T23:39:22.105000",
      "created": "2026-04-06T23:39:22.105000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1064",
          "name": "Scripting",
          "display_name": "T1064 - Scripting"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1222",
          "name": "File and Directory Permissions Modification",
          "display_name": "T1222 - File and Directory Permissions Modification"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1543",
          "name": "Create or Modify System Process",
          "display_name": "T1543 - Create or Modify System Process"
        },
        {
          "id": "T1564",
          "name": "Hide Artifacts",
          "display_name": "T1564 - Hide Artifacts"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1010",
          "name": "Application Window Discovery",
          "display_name": "T1010 - Application Window Discovery"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 43,
        "FileHash-SHA1": 45,
        "FileHash-SHA256": 1421,
        "IPv4": 14,
        "URL": 261,
        "hostname": 73,
        "domain": 235,
        "email": 1
      },
      "indicator_count": 2093,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 48,
      "modified_text": "12 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69d44428ad43f231ff43e175",
      "name": "VirusTotal report\n                    for install.sh",
      "description": "",
      "modified": "2026-04-06T23:39:20.767000",
      "created": "2026-04-06T23:39:20.767000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1064",
          "name": "Scripting",
          "display_name": "T1064 - Scripting"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1222",
          "name": "File and Directory Permissions Modification",
          "display_name": "T1222 - File and Directory Permissions Modification"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1543",
          "name": "Create or Modify System Process",
          "display_name": "T1543 - Create or Modify System Process"
        },
        {
          "id": "T1564",
          "name": "Hide Artifacts",
          "display_name": "T1564 - Hide Artifacts"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1010",
          "name": "Application Window Discovery",
          "display_name": "T1010 - Application Window Discovery"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 43,
        "FileHash-SHA1": 45,
        "FileHash-SHA256": 1421,
        "IPv4": 14,
        "URL": 261,
        "hostname": 73,
        "domain": 235,
        "email": 1
      },
      "indicator_count": 2093,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 48,
      "modified_text": "12 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "sourceforge.net",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "sourceforge.net",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1776597690.4182992
}