{
  "type": "Domain",
  "indicator": "sqlite.org",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/sqlite.org",
    "alexa": "http://www.alexa.com/siteinfo/sqlite.org",
    "indicator": "sqlite.org",
    "type": "domain",
    "type_title": "Domain",
    "validation": [
      {
        "source": "majestic",
        "message": "Whitelisted domain sqlite.org",
        "name": "Whitelisted domain"
      }
    ],
    "base_indicator": {
      "id": 2795521789,
      "indicator": "sqlite.org",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 12,
      "pulses": [
        {
          "id": "69d98d5e88461ed06547690c",
          "name": "CAPE ***** GRAMMERsoft. Love Letter ****",
          "description": "A Cuckoo has been running on Microsoft's Windows operating system for the past two years.  the last time it did so, and the first time in the history of the Windows platform.\n\nUser Notes a Cryptic Message: Killing Eve,  Vanishing Triangle. Recent Comment on Belasco Chain is of interest given spellbound.exe...\nUR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR N4XT.txt",
          "modified": "2026-04-19T09:05:59.274000",
          "created": "2026-04-10T23:53:02.973000",
          "tags": [
            "cname",
            "p2404",
            "accept",
            "default",
            "host",
            "strong",
            "library",
            "p11776139675",
            "gmt range",
            "p11776090280",
            "shutdown",
            "generic",
            "bits",
            "next ur",
            "file type",
            "ascii text",
            "crlf line",
            "ms windows",
            "pe32",
            "drops pe",
            "intel",
            "yara",
            "sigma",
            "njrat",
            "malicious",
            "darkcomet",
            "code",
            "delphi",
            "dbatloader",
            "loader",
            "fraud",
            "notpetya",
            "killmbr",
            "trojanransom",
            "ransomware",
            "next",
            "settings",
            "parent pid",
            "full path",
            "command line",
            "mwdb",
            "bazaar",
            "sha3384",
            "ssdeep",
            "format",
            "shell",
            "payload",
            "kevin",
            "revengerat",
            "aspack",
            "vmprotect",
            "meteorite",
            "petya",
            "infinitylock",
            "redline",
            "remcos",
            "javadropper",
            "lokibot",
            "guard",
            "mono",
            "eternalromance",
            "exploit",
            "badrabbit",
            "windows sandbox",
            "calls process",
            "vbcrlf",
            "error resume",
            "next dim",
            "page",
            "loveletter",
            "script",
            "createobject",
            "html",
            "meta",
            "name",
            "title",
            "body",
            "iloveyou",
            "generator",
            "philippines",
            "loop",
            "@grammersoft",
            "calls clear",
            "ip address",
            "cape sandbox",
            "bootkit",
            "t1055",
            "t1497",
            "error",
            "back",
            "pe file",
            "network info",
            "processes extra",
            "sample",
            "aslr",
            "performs dns",
            "t1055 process",
            "overview",
            "mitre attack",
            "overview zenbox",
            "none rticon",
            "pattern",
            "none image",
            "file size",
            "entity",
            "winmm",
            "dword",
            "locale",
            "screensaver",
            "alexa",
            "stars",
            "crypt32",
            "ddraw",
            "winsta",
            "ip traffic",
            "lockfile"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/7395f24f709e2c947593e7124f0107a17bf71f9eff782433f00e9aae27edf6fc_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864018&Signature=fW5cvq8BOIX%2B2wxwBzAnPprHnokOWVWFu4uUJExK8GQG4mwnYf4GO7RCTnuImm3XpXxgU8V7gYbsu%2BSquaGgkh2o8me6vmt8Y%2BhL0j%2BUgRrp8B0qJtHMkSgtfk6doVdGoZ%2FqES823Eiqebeb3NlVMD6tixYW2GDpyliHNL6uGNgIyf2BQZppexftzMN9M2BQhralGJjFZ9Q4XeAi1DalrEfIsb7erXBxVINEYJUbRaapAeQ0Aff8",
            "https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864214&Signature=Vf0JKebhqo0MUHhpU%2B3Xut2g8SN7IheaL%2FNfOTLj1y8v1aHrjA6QI2jq%2BIVJeWXo8%2Fzpj%2Bd3DpryffdQjNsuRSSn06dSJy%2FvNi5F67wa1RiaanLuxRRK0cWKKrWO9ZQGXVWal8%2BNCVTaMRdhHmkbFou6FA67a1owXMn0IdsdZYIAwgumeuvrMsbnKKkOcd4GucEGy0d9oj63SbZGI%2BwjT5BPH2Tq3O%2BQM%2BPv3XWuZ71sfOOGgD",
            "https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864361&Signature=veuhxaGctQeo8%2Fn4rw%2B0WB9QOIg%2BQ1N8MB7v3DwF%2B62SjERN%2FRvB6TDfvUUTTliDHAoHz3fjS19CbwtV1Unc1am%2B%2BFc7y%2FvbN%2FI2hV89mw0rCJH%2FQO9AEkKW%2BarXuvgc%2FhRwTho4ZnesEmMpmyTKqbGVDug%2BytkzAr9LluXTWzriWnG1JT1EudSc4CRQEorYeNyPlA7BPaIKmulDdM5whcIEVDFq4ZCywyfT",
            "https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864415&Signature=yAuZC%2F0HyuJxAQj5f%2FwTa1Eqod6JZKHa9bO0gU6Ir2r2sU2JlNQAvQ0O%2BFC6DWExjg2voi81c%2BEzsk9tDAFyL3WwgJgMTlIvg%2FNT9PRWENEAYOilGjGtzrdzRhMpMzKw7NL5oxGr6hAdndZJ5lY7UvJoIjDp7nDn85EoO4RRNxFKeP4qCsczXGv2%2B9bnOXeGn0HHTaDp8I7UEq7FDpEPmij1KfxHmftv85TcFdOHNt0L",
            "https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864574&Signature=bMyayDFFBh9o7SKCdDEmOXLxG1DU4rSM%2FUEOzGrynPSC%2BtV0OxoHoTrSpk4WhCDb9aQtdHkWrbkt3dDAaYhnHSbvWbBqT%2BVfVwWUnst5sI142wOEd2vg4qTum281LBoJ295gTb%2BQKnfTPGXmTW5k9G5L%2FAV%2BegT4neE2xS%2Ba0Daru1OpFYTEq2Cyb0sH66jGRSTHDjHVJaHtZyYTLXjj5Q8rrEBxbDSD0Eh1XqpNLKqoMXQ7",
            "https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864647&Signature=mDHtSOi0zOPuqTTrMsZZ%2BVpqtKq5cnDBge5WCtUppoR8EfcB14tzbezXHfWuEIyjLzT5N3b8WzssT3rIN76R8yEfCMMe32RXWxX3B5Tz%2FF%2BmLQ95M2ysgIHlBEnV4ndYMRbPmJgfEV8X1at%2BQxGaOWCwifeB%2Fjd9hGk0jPWA9aLGj4Lleu%2FzV%2FyljXp2Ncxquv54TyDh55F0W1W0QD9R4i1VpZqh2UpnvpCi8RSM16",
            "https://vtbehaviour.commondatastorage.googleapis.com/998cd8dcaf876dc66946e1c5f22ef7b8e3ea8de99cd8332d088a9b285fb2f1f7_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864769&Signature=OXXYebSn84nlH1%2FBD4aluVAmCHvma4vurcZhV0H%2B7L8wRtgwWjBRClGbWiS8DnrNVxrwDxScAikU0APxe3iZCU90GclmHDodIz%2BlHFaDkBxBXUt9uyLA9BJmMbRGCKuRj4Vm7MMGUwm7WUwB1UNLqYgq41X0c%2BIhgFvAjtxWMyGnXjvvbgLGXYNo7MTwWLWshQg%2B3UXSqVmivHQAKBmQD75nvfJkl9SPx5GQ5GzjVY8pdgtPv0Ij",
            "https://vtbehaviour.commondatastorage.googleapis.com/7395f24f709e2c947593e7124f0107a17bf71f9eff782433f00e9aae27edf6fc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864790&Signature=QkiaGhOWFVTMnStxmaJJIVM9Z8cz0n2iUzL%2FmuCfsmMoY%2FI3LrqCLHlcuXzKKyDez5hRYK0DX3OkzaB4F89LFeO6CNQkxxgGBDkjCpg%2Fuyr2HtCZjkFFbEJONHPDJBkBB7JsVRdhR7RveUC2dBG7Wyna%2BF7NYrB3F8lJxQQCwlkFSUiIeF1H6fHA71w3QHiuw61QRe8qkpUK%2BNQfyAeYiLvIhNFj5g4j%2BRVk13k44QjeCxKog1rRZkdp%2",
            "https://vtbehaviour.commondatastorage.googleapis.com/7395f24f709e2c947593e7124f0107a17bf71f9eff782433f00e9aae27edf6fc_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864829&Signature=SlvEBwegwTfog2bK9svG1CeSSKC94GD98%2FQ7qpBXL7TuHOZt2HhMLd7y8IOgotXMqWiH73xWxbA4jinuUaR5MXolnKuxM86Yy3LSmhMX0S2ZRoWHqqnWIwt02ajTrF%2Bgua0LjZ46ax%2Bqo86h%2Bpme2xYRpZXKhZpVUZBzvDkXraQGdqF1BQ7keV47Y5qESgu16FuxAkm0XbuzS8tqBeq7qAS0r8STul%2BnjFmFMq3OUE68K%2BSmAp",
            "https://vtbehaviour.commondatastorage.googleapis.com/3e8cba5ce163a9275fe8d4e3f70fbc9815423b9a56b12e7fb03693731e359168_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864913&Signature=IouqGht2TIixfjPtpgKYXJa3ScKi4POLcjQ5l1QIvD%2FFa5zZyHMSYcu%2BxmFWI7uYljRPLlgpgSkRCmIw8EC4uFBI30ISHg83%2F50%2BiqTogu3I4rUpYoX3AQ7hXJwj%2Bz4YoYTt9SoS7jb9WfTUcNYHoIzY9ISoBzndPQfvv5155GpqsCvDXCT2Fd%2Byks95PB9FEdHE1SKYmlWsxPctfAYSIT2mOmBRTrxWO%2BrAUwTATD3cQts0",
            "https://vtbehaviour.commondatastorage.googleapis.com/998cd8dcaf876dc66946e1c5f22ef7b8e3ea8de99cd8332d088a9b285fb2f1f7_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775865192&Signature=BypXbESJ8I4kqzj5KlF3FCin0434BxGjxXXofwkjyqQfBwNvYJTJGPpRPHnvqmntGoukqmPBezQdcv67hZUXulr885cbljCP90Y6P75SdRtlYOqDEOYGAVgLKOUxW3BGjKy%2FAqS6M0GC9KNsMLw%2FjOyC%2B2N%2F0AlIAyOTl0pX2Pbv6GgplZAbATne%2FCbkvUjwdxaeRv5iLmVrYtOdTVlljzdECcRiQ9rvqI3Aj27UR1qfuhS8vc%2",
            "https://vtbehaviour.commondatastorage.googleapis.com/00143c38c4f0e4642e956235dac0f589c05c54100015c6f59d4825e9e8400eca_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775865231&Signature=wOONPZI5bCeW4bmQtYa7YV2UQnoPlndg3PkyxqT8OnVSk223qDWubHicrXJAcOXLFj%2FSynVv96i7h1PMkfbz2Ui0lcpPZUjU7sQhWM8wkR2WVoS3YjGgvTEi9pM1ugWhFqDaoNTlaPgNWTVjffc5d%2FPGpVtT6N45P0D2K0%2BEpNuScgpy64%2BrivKYv1pak5OuNuz9mQczkvh4JqLEna59MjTGN9sd5yDBto4EgIoaLYqnBpg8Zn9s2t"
          ],
          "public": 1,
          "adversary": "@GRAMMERSoft",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1014",
              "name": "Rootkit",
              "display_name": "T1014 - Rootkit"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1496",
              "name": "Resource Hijacking",
              "display_name": "T1496 - Resource Hijacking"
            },
            {
              "id": "T1539",
              "name": "Steal Web Session Cookie",
              "display_name": "T1539 - Steal Web Session Cookie"
            },
            {
              "id": "T1542",
              "name": "Pre-OS Boot",
              "display_name": "T1542 - Pre-OS Boot"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1064",
              "name": "Scripting",
              "display_name": "T1064 - Scripting"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1091",
              "name": "Replication Through Removable Media",
              "display_name": "T1091 - Replication Through Removable Media"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1120",
              "name": "Peripheral Device Discovery",
              "display_name": "T1120 - Peripheral Device Discovery"
            },
            {
              "id": "T1219",
              "name": "Remote Access Software",
              "display_name": "T1219 - Remote Access Software"
            },
            {
              "id": "T1486",
              "name": "Data Encrypted for Impact",
              "display_name": "T1486 - Data Encrypted for Impact"
            },
            {
              "id": "T1490",
              "name": "Inhibit System Recovery",
              "display_name": "T1490 - Inhibit System Recovery"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1529",
              "name": "System Shutdown/Reboot",
              "display_name": "T1529 - System Shutdown/Reboot"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "IPv4": 513,
            "FileHash-MD5": 613,
            "FileHash-SHA1": 373,
            "FileHash-SHA256": 569,
            "URL": 466,
            "hostname": 580,
            "domain": 60,
            "email": 3,
            "CVE": 2,
            "JA3": 1
          },
          "indicator_count": 3180,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 49,
          "modified_text": "1 day ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69ca9cdb34719e60c191a081",
          "name": "VirusTotal report\n                    for avast_business_agent_setup_online.exe",
          "description": "",
          "modified": "2026-03-30T15:57:49.501000",
          "created": "2026-03-30T15:55:06.985000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1040",
              "name": "Network Sniffing",
              "display_name": "T1040 - Network Sniffing"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 72,
            "FileHash-MD5": 66,
            "FileHash-SHA1": 66,
            "FileHash-SHA256": 226,
            "IPv4": 2,
            "domain": 7,
            "hostname": 41
          },
          "indicator_count": 480,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 48,
          "modified_text": "20 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6916d97edb28b2616ffac3ab",
          "name": "njRAT| BazarLoader| Darkside 2020 .Beware \u2022 WebToolbar \u2022 Qbot",
          "description": "",
          "modified": "2025-11-14T07:41:19.912000",
          "created": "2025-11-14T07:25:50.524000",
          "tags": [
            "whois record",
            "ssl certificate",
            "historical ssl",
            "resolutions",
            "referrer",
            "communicating",
            "subdomains",
            "domains",
            "problems",
            "urls http",
            "ransomware",
            "malware",
            "contacted",
            "dropped",
            "execution",
            "tsara brashears",
            "apple ios",
            "whois whois",
            "unlocker",
            "njrat",
            "core",
            "hacktool",
            "metro",
            "download",
            "critical",
            "copy",
            "relic",
            "monitoring",
            "installer",
            "awful",
            "open",
            "banker",
            "keylogger",
            "malicious",
            "tofsee",
            "mitre attack",
            "et",
            "cisco umbrella",
            "internet storm",
            "site",
            "covid19",
            "cyber threat",
            "safe site",
            "cobalt strike",
            "malicious url",
            "alexa",
            "script urls",
            "united",
            "a domains",
            "as396982 google",
            "as15169 google",
            "search",
            "cname",
            "accept encoding",
            "showing",
            "unknown",
            "date",
            "body",
            "meta",
            "encrypt",
            "domain related",
            "as396982",
            "creation date",
            "expiration date",
            "scan endpoints",
            "all octoseek",
            "hostname",
            "pulse submit",
            "url analysis",
            "passive dns",
            "urls",
            "next",
            "all search",
            "otx octoseek",
            "as7922 comcast",
            "as16276",
            "as54113",
            "aaaa",
            "france unknown",
            "as14061",
            "status",
            "as40509",
            "ip address",
            "for privacy",
            "as44273 host",
            "record value",
            "certificate",
            "gmt content",
            "x sucuri",
            "as8075",
            "nxdomain",
            "as30148 sucuri",
            "as20940",
            "as31898 oracle",
            "hong kong",
            "as139021",
            "msie",
            "chrome",
            "ipv4",
            "blacklist http",
            "detection list",
            "blacklist",
            "files",
            "location hong",
            "kong asn",
            "tags none",
            "indicator facts",
            "name verdict",
            "falcon sandbox",
            "mail spammer",
            "tor known",
            "tor relayrouter",
            "exit",
            "node tcp",
            "traffic",
            "heur",
            "malicious site",
            "alexa top",
            "million",
            "alexa proxy",
            "outbreak",
            "installcore",
            "acint",
            "conduit",
            "installpack",
            "iobit",
            "artemis",
            "dropper",
            "mediaget",
            "crack",
            "spammer",
            "france mail",
            "summary",
            "url summary",
            "phishing",
            "union",
            "team",
            "bank",
            "unsafe",
            "threat report",
            "ip summary",
            "pattern match",
            "script",
            "et tor",
            "known tor",
            "relayrouter",
            "node traffic",
            "misc attack",
            "beginstring",
            "null",
            "error",
            "span",
            "class",
            "generator",
            "refresh",
            "tools",
            "hybrid",
            "general",
            "click",
            "strings",
            "servers",
            "ps ord",
            "name servers",
            "poetry",
            "moved",
            "content length",
            "content type",
            "x powered",
            "poems",
            "poem",
            "topic",
            "topics",
            "poem topics",
            "free poems",
            "love poems",
            "romantic poems",
            "classic poems",
            "friendship poems",
            "shone pale",
            "herself",
            "heavens",
            "her beam",
            "a fleecy",
            "proud evening",
            "star",
            "thou bearest",
            "heaven",
            "than",
            "google",
            "http",
            "leasewebuklon11",
            "search live",
            "api blog",
            "docs pricing",
            "login",
            "february",
            "gb summary",
            "london",
            "april",
            "screenshot",
            "url https",
            "reverse dns",
            "general full",
            "name value",
            "frankfurt",
            "main",
            "germany",
            "asn15169",
            "resource",
            "hashes",
            "copyright",
            "gmbh version",
            "follow",
            "blacklist https",
            "phishing site",
            "malware site",
            "riskware",
            "opencandy",
            "cleaner",
            "iframe",
            "xtrat",
            "agent",
            "softcnapp",
            "generic",
            "patcher",
            "driverpack",
            "exploit",
            "mimikatz",
            "downldr",
            "presenoker",
            "fusioncore",
            "wacatac",
            "beach research",
            "trojanspy",
            "maltiverse",
            "firehol",
            "proxy",
            "anonymizer",
            "adware",
            "kuaizip",
            "downer",
            "tag count",
            "tue apr",
            "sample",
            "samples",
            "fakealert",
            "genkryptik",
            "icedid",
            "coinminer",
            "nircmd",
            "swrort",
            "systweak",
            "behav",
            "tiggre",
            "filetour",
            "quasar rat",
            "fuery",
            "bazaloader",
            "media",
            "facebook",
            "service",
            "runescape",
            "webtoolbar",
            "a9dia",
            "a1ginaprincipal",
            "emails",
            "registrar",
            "http header",
            "tcp traffic",
            "et useragents",
            "unknown traffic",
            "antivirus",
            "server",
            "gmt united",
            "accept",
            "local",
            "path",
            "falcon",
            "file",
            "ascii text",
            "windows nt",
            "png image",
            "appdata",
            "jpeg image",
            "indicator",
            "twitter",
            "westlaw njrat",
            "zuorat",
            "skynet bot",
            "glupteba",
            "asn4583",
            "thomsonreuters",
            "asn209242",
            "june",
            "back",
            "united kingdom",
            "cisco",
            "umbrella rank",
            "rank",
            "page url",
            "as autonomous",
            "system",
            "yndx",
            "ipasns ip",
            "november",
            "de summary",
            "comodo rsa",
            "security tls",
            "software",
            "resource hash",
            "security",
            "ecdhersa",
            "de indicators",
            "de page",
            "url history",
            "javascript",
            "gts ca",
            "secure server",
            "markmonitor",
            "ip information",
            "detail domains",
            "domain tree",
            "links certs",
            "frames domain",
            "requested",
            "threat roundup",
            "march",
            "threat round",
            "parent parent",
            "roundup",
            "january",
            "threats",
            "qbot",
            "cyberwar",
            "skynet",
            "radar ineractive",
            "control server",
            "engineering",
            "host",
            "services",
            "pony",
            "nanocore rat",
            "meterpreter",
            "zeus",
            "zbot",
            "suppobox",
            "stealer",
            "redline stealer",
            "dnspionage",
            "mirai",
            "nanocore",
            "bradesco",
            "emotet",
            "laplasclipper",
            "asn16276",
            "get h2",
            "kb image",
            "august",
            "kali",
            "localappdata",
            "network traffic",
            "binary file",
            "svg scalable",
            "vector graphics",
            "mwin",
            "domain",
            "url http",
            "pulse pulses",
            "related nids",
            "files location",
            "customer",
            "address",
            "as29789",
            "hosting",
            "location united",
            "status hostname",
            "query type",
            "address first",
            "seen last",
            "seen asn",
            "country unknown",
            "urls date",
            "checked url",
            "hostname server",
            "response ip",
            "address google",
            "safe browsing",
            "present mar",
            "pulse indicator",
            "protocol h2",
            "value",
            "variables",
            "waypoint object",
            "gsqueue",
            "isotope",
            "hostnames",
            "ice fog",
            "maltiverse top",
            "financial",
            "as62597 nsone",
            "sec ch",
            "domains show",
            "entries",
            "as14720 gamma",
            "canada unknown",
            "as397241",
            "as13335",
            "applicunwnt",
            "xrat",
            "maltiverse safe",
            "aig",
            "soc",
            "hallrender",
            "brian sabey",
            "mark brian sabey",
            "sabey",
            "mark",
            "sabey",
            "data center",
            "malvertizing",
            "malware host",
            "scanning host",
            "botnetwork",
            "colorado",
            "edsaid",
            "geotracking",
            "satellite tracking",
            "radar tracking",
            "pornhub",
            "child teen content illegal",
            "social engineering",
            "cyber stalking",
            "CVE-2023-4966",
            "device control",
            "camera usage",
            "hidden users",
            "message interception",
            "text archiver",
            "mail collection",
            "remote attacks",
            "js",
            "python",
            "inject",
            "sql",
            "extraction",
            "AIG Claims",
            "hallrender.com",
            "soc",
            "milemighmedia",
            "westlaw",
            "revengeporn",
            "bot",
            "regex",
            "ai",
            "yandex"
          ],
          "references": [
            "web2.westlaw.com    (redirects to thbrzzrstr.me)",
            "http://web2.westlaw.com/ (redirect) https://signon.thomsonreuters.com/?productid=CBT&lr=0&culture=en-US&returnto=https%3a%2f%2f1.next.westlaw.com%...",
            "https://hybrid-analysis.com/sample/8bf763ce9396c4569afbae58392097fd57408339c0ac59ec256468c9fd8ac4c5/6548ebfe56b25bab28017757",
            "https://urlscan.io/result/2285cee3-1e08-4e63-b48f-ee685e008480/#summary",
            "https://hybrid-analysis.com/sample/86479bf7c9a675913b93a0d399f5cbe0c0e8003239e93ae5e00f97cdbc5ec5ba/5c5c13577ca3e12626364777",
            "https://urlscan.io/result/4f0cabbf-9716-47dd-bd5c-038a953e6672/",
            "Malware Host: HallRender.com",
            "riverside.rocks (safebae.com remote uTorrent) https://hybrid-analysis.com/sample/11108ef17bd75f36e0d22d95b1f3bde3e9fa968a78a24c2d2508f4238e22651d/6326a50be4a8a71b885f5bf3",
            "safebae.org",
            "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu    (phishing | cybercrime)",
            "Hallrender.com and Westlaw.com.= http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu",
            "Poemhunter.com + rally point.com = pornhub.dev",
            "Pornhub dev VT community: https://www.virustotal.com/gui/domain/pornhub.dev/community",
            "Poemhunter.com: https://hybrid-analysis.com/sample/86479bf7c9a675913b93a0d399f5cbe0c0e8003239e93ae5e00f97cdbc5ec5ba",
            "https://www.poemhunter.com/tsara-brashears/poems/: https://urlscan.io/result/4f0cabbf-9716-47dd-bd5c-038a953e6672/",
            "Rallypoint.com https://hybrid-analysis.com/sample/66287c2c36699037cb504201693e26b5f3282cebde1d1c78aecd6f97f04fb694",
            "Malicious revenge malvertizing: https://www.milehighmedia.com/legal/2257",
            "https://www.anyxxxtube.net/search-porn/tsara-brashears/",
            "https://matrix.pornhub.dev",
            "nr-data.net",
            "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/icons/apple-touch-icon-76x76.png",
            "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/icons/apple-touch-icon.png",
            "https://apple.pantion.top/",
            "newrelic.se",
            "user-apple.info",
            "appleid-comloginaccount.info",
            "init-p01st.push.apple.com",
            "boostmobile.com",
            "www.metrobyt-mobile.com",
            "http://bpdb.portal.gov.bd:3128/sites/default/files/files/bpdb.portal.gov.bd/npfblock/2021-34bc869d2906198362a4346373ce5b94.jpg",
            "https://b.link/infringement",
            "my.mintmobile.com",
            "CVE-2023-4966",
            "http://watchhers.net/index.php",
            "https://rr2---sn-4g5ednsz.googlevideo.com/videoplayback?expire=1699319292&ei=nDlJZfb4G43E-gaYt5XoDg&ip=2001%3A1b60%3A2%3A240%3A3247%3A%3A"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Spain",
            "Netherlands",
            "Canada",
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Tsara Brashears",
              "display_name": "Tsara Brashears",
              "target": null
            },
            {
              "id": "Mitre Attack",
              "display_name": "Mitre Attack",
              "target": null
            },
            {
              "id": "ET",
              "display_name": "ET",
              "target": null
            },
            {
              "id": "Beach Research",
              "display_name": "Beach Research",
              "target": null
            },
            {
              "id": "TrojanSpy",
              "display_name": "TrojanSpy",
              "target": null
            },
            {
              "id": "Maltiverse",
              "display_name": "Maltiverse",
              "target": null
            },
            {
              "id": "WebToolbar",
              "display_name": "WebToolbar",
              "target": null
            },
            {
              "id": "Radar Ineractive",
              "display_name": "Radar Ineractive",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1043",
              "name": "Commonly Used Port",
              "display_name": "T1043 - Commonly Used Port"
            },
            {
              "id": "T1179",
              "name": "Hooking",
              "display_name": "T1179 - Hooking"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "TA0004",
              "name": "Privilege Escalation",
              "display_name": "TA0004 - Privilege Escalation"
            },
            {
              "id": "T1210",
              "name": "Exploitation of Remote Services",
              "display_name": "T1210 - Exploitation of Remote Services"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1450",
              "name": "Exploit SS7 to Track Device Location",
              "display_name": "T1450 - Exploit SS7 to Track Device Location"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1423",
              "name": "Network Service Scanning",
              "display_name": "T1423 - Network Service Scanning"
            },
            {
              "id": "T1035",
              "name": "Service Execution",
              "display_name": "T1035 - Service Execution"
            },
            {
              "id": "T1563",
              "name": "Remote Service Session Hijacking",
              "display_name": "T1563 - Remote Service Session Hijacking"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            },
            {
              "id": "T1110.002",
              "name": "Password Cracking",
              "display_name": "T1110.002 - Password Cracking"
            },
            {
              "id": "T1427",
              "name": "Attack PC via USB Connection",
              "display_name": "T1427 - Attack PC via USB Connection"
            },
            {
              "id": "T1445",
              "name": "Abuse of iOS Enterprise App Signing Key",
              "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key"
            },
            {
              "id": "T1453",
              "name": "Abuse Accessibility Features",
              "display_name": "T1453 - Abuse Accessibility Features"
            },
            {
              "id": "T1472",
              "name": "Generate Fraudulent Advertising Revenue",
              "display_name": "T1472 - Generate Fraudulent Advertising Revenue"
            },
            {
              "id": "T1173",
              "name": "Dynamic Data Exchange",
              "display_name": "T1173 - Dynamic Data Exchange"
            },
            {
              "id": "T1410",
              "name": "Network Traffic Capture or Redirection",
              "display_name": "T1410 - Network Traffic Capture or Redirection"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": "654971c396ca4306a6534b12",
          "export_count": 16,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 4037,
            "hostname": 2241,
            "URL": 2516,
            "FileHash-MD5": 1224,
            "FileHash-SHA1": 783,
            "FileHash-SHA256": 2796,
            "CVE": 10,
            "email": 25
          },
          "indicator_count": 13632,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 142,
          "modified_text": "157 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68ccd75091991ef8498bbd10",
          "name": "Zbot affected  Payment Apps - Installers",
          "description": "Some references are outdated. Found the hash when researching something else. It seemed to affect a Hostinger domain payment app in the past. I\u2019m not sure what the Galaxus app is, but the sample seems to affect it; if I kept searching I might be able to find what it\u2019s affecting today. Some of the items list nonsensical descriptions. | NNnK.exe FILEHASH SHA256 d249de5277aaa875154143f14727a761caa652960685ab529327f1affa8954cb | Nothing exciting. Just wondered what and why.",
          "modified": "2025-10-19T03:02:05.668000",
          "created": "2025-09-19T04:08:47.998000",
          "tags": [
            "memory pattern",
            "chi2 md5",
            "guid",
            "blob",
            "payment app",
            "entropy",
            "submitted",
            "prodq",
            "installers",
            "upatre",
            "fakeav",
            "zbot",
            "dynamicloader",
            "medium",
            "write c",
            "high",
            "delete",
            "trojan",
            "copy",
            "write"
          ],
          "references": [
            "NNnK.exe FILEHASH SHA256 d249de5277aaa875154143f14727a761caa652960685ab529327f1affa8954cb",
            "NNnK.exe [e755511f154b928f720d8a5c59e34ccb.virus]",
            "https://open-app.galaxus.com",
            "Copyright: Gamma Realty 2019 Product: Auty 2 Description: Auty Original Name: NNnK.exe",
            "Internal Name: NNnK.exe File Version: 1.88.0.0 Comments: Gynecology *File Unsigned",
            "ihs-markit-login-changes-update-august-2020.pdf [file below]",
            "\"493fda53120050f85836032324409be6c6484f90a0755ae0c6a673ba7626818b\" has the file format \"text\", which is not supported"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Upatre",
              "display_name": "Upatre",
              "target": null
            },
            {
              "id": "Win.Trojan.FakeAV-10943",
              "display_name": "Win.Trojan.FakeAV-10943",
              "target": null
            },
            {
              "id": "Trojan:Win32/Zbot.SIBG!MTB",
              "display_name": "Trojan:Win32/Zbot.SIBG!MTB",
              "target": "/malware/Trojan:Win32/Zbot.SIBG!MTB"
            }
          ],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 5,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 242,
            "FileHash-SHA1": 227,
            "FileHash-SHA256": 1934,
            "URL": 256,
            "domain": 72,
            "hostname": 99,
            "SSLCertFingerprint": 1
          },
          "indicator_count": 2831,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 138,
          "modified_text": "183 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66f235b9a7a94a6a61acd651",
          "name": "n0paste - Show paste: \\\"No Problems\\\" - dos meses del URLscan",
          "description": "This pulse represents a 'scattered sample' of data extracted from 'submissions of interest' made to virustotal, filescan_itsec, HybridAnalysis, anyrun_app, DynamiteLab, and triage (over a period of two months) which were submitted to urlscanio & subsequently GreyNoiseIO (which I've come across both from live samples and also from offlined data). I don't particularly anticipate this will correlate with anything specific, but at least it will be put in one more place for further analysis & increased visibility.",
          "modified": "2025-03-07T08:38:08.584000",
          "created": "2024-09-24T03:44:57.902000",
          "tags": [
            "geoip",
            "public url",
            "as16509",
            "amazon02",
            "as20940",
            "akamaiasn1",
            "as8075",
            "as15169",
            "google",
            "akamaias",
            "facebook",
            "telecom",
            "twitter",
            "media",
            "win64",
            "level3",
            "mini",
            "ukraine",
            "proton",
            "ghost",
            "win32",
            "cuba",
            "mexico",
            "indonesia",
            "seznam",
            "as3359",
            "as852"
          ],
          "references": [
            "https://metadefender.com/results/file/bzI1MDMwMVFWaXRDS0hpWElYcnV0QllCYlB1",
            "https://mwdb.cert.pl/file/efb45096e24a61b488eb809bd8edf874d15bb498dd75ced8b888b020c87e5c6c",
            "https://n0paste.eu/UH6n5pD/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Canada",
            "Anguilla",
            "Poland",
            "Aruba",
            "Australia",
            "Barbados",
            "Costa Rica",
            "Guatemala",
            "Philippines",
            "Panama",
            "Sint Maarten (Dutch part)",
            "Saint Martin (French part)",
            "Cayman Islands",
            "Cura\u00e7ao",
            "Mexico",
            "Saint Vincent and the Grenadines",
            "Saint Kitts and Nevis",
            "Tanzania, United Republic of",
            "Netherlands",
            "Ukraine",
            "Trinidad and Tobago",
            "Japan",
            "Bahamas",
            "United Kingdom of Great Britain and Northern Ireland",
            "Georgia"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Education",
            "Technology",
            "Government",
            "Telecommunications",
            "Healthcare"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 29,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 2,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 1,
            "CIDR": 1186,
            "CVE": 4,
            "FileHash-MD5": 29,
            "FileHash-SHA1": 3,
            "URL": 25493,
            "domain": 5396,
            "email": 10,
            "hostname": 10770
          },
          "indicator_count": 42892,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 147,
          "modified_text": "409 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66f9ae71e7d4851280fa367f",
          "name": "The Jane Doe Syndrome Files: Credential Dumping and Data Exfiltration",
          "description": "This pulse outlines a series of techniques (Tactics) utilized in a cyber intrusion targeting Jane Doe's MacBook. These techniques span various stages of the attack lifecycle, including credential dumping (T1003), system discovery (T1016, T1082), and data exfiltration methods (T1114, T1560). The attacker employed advanced obfuscation strategies (T1027) and input capture methods (T1056) to maintain persistence and evade detection, while also utilizing command and scripting interpreters (T1059) to execute malicious commands.\n\nFurthermore, the adversary manipulated system tokens (T1134) and leveraged remote access software (T1219) to control the compromised system. Techniques for data destruction (T1485) and artifact hiding (T1564) indicate a concerted effort to cover tracks and minimize detection.\n\nBy examining these techniques, we can better understand the methods used in this intrusion, facilitating enhanced detection and prevention strategies for future incidents.",
          "modified": "2024-11-08T00:03:35.782000",
          "created": "2024-09-29T19:45:53.583000",
          "tags": [
            "autogenerated",
            "please",
            "class",
            "hp laserjet",
            "duplexer",
            "modify",
            "printer",
            "description",
            "location",
            "share",
            "printer make",
            "ppd file",
            "model",
            "driver",
            "ipp everywhere",
            "printers",
            "hardware",
            "baud rate",
            "parity",
            "odd data",
            "flow control",
            "software",
            "rtscts",
            "dtrdsr",
            "input",
            "type",
            "name",
            "value",
            "hidden",
            "delete class",
            "form",
            "h2 class",
            "warning",
            "p align",
            "allow",
            "advanced",
            "use kerberos",
            "save",
            "max clients",
            "maximum",
            "metadata",
            "documents",
            "max log",
            "img src",
            "width",
            "height",
            "align",
            "absmiddle",
            "indicator",
            "status",
            "printername",
            "idle",
            "edit",
            "cupsdconf",
            "error",
            "blockquote",
            "unknown",
            "h3 class",
            "jobs",
            "help jobs",
            "helptitle",
            "qtext",
            "topic",
            "bmtext",
            "qptext",
            "cups",
            "search",
            "online help",
            "documents all",
            "hold job",
            "server default",
            "shared",
            "test page",
            "pause class",
            "accept jobs",
            "move all",
            "jobs cancel",
            "all jobs",
            "class delete",
            "cancel",
            "move job",
            "destination",
            "release",
            "reprint",
            "action",
            "method",
            "name user",
            "size pages",
            "state control",
            "jobid",
            "withheld",
            "held",
            "change settings",
            "label",
            "input type",
            "select name",
            "multiple size",
            "option",
            "inches feet",
            "table",
            "submit",
            "set default",
            "prev",
            "next",
            "last",
            "accept",
            "options",
            "default",
            "delete printer",
            "form action",
            "pause",
            "reject",
            "resume",
            "print",
            "self test",
            "pause printer",
            "location make",
            "model status",
            "test",
            "please stand",
            "allowed users",
            "prevent",
            "whichjobs",
            "standard rom",
            "standard",
            "copyright",
            "standard font",
            "cups ppd",
            "easy software",
            "apache license",
            "license",
            "symbol special",
            "deskjet",
            "cups sample",
            "hplaserjet",
            "laserjet",
            "hpdeskjet",
            "hpdeskjet2",
            "epson",
            "stylus color",
            "stylus photo",
            "escp",
            "epson9pin",
            "zebra",
            "dymo3x0",
            "dymo",
            "labelwriter",
            "advance",
            "leading",
            "move",
            "black",
            "gold",
            "rotate",
            "never",
            "cyan",
            "yellow",
            "turn",
            "long edge",
            "edge",
            "oversize",
            "address",
            "b1jis b1",
            "adobe",
            "small",
            "image",
            "apple mime",
            "xhtml",
            "pict string",
            "cgimageio",
            "radiance",
            "fujifilm",
            "preview",
            "os x",
            "colorsync",
            "airprint",
            "do not",
            "this file",
            "it is",
            "you install",
            "versions of",
            "base mime",
            "format",
            "postscript",
            "language",
            "pattern match",
            "ras2",
            "pwgraster",
            "comment",
            "attr",
            "group",
            "attr language",
            "attr integer",
            "attr name",
            "attributes",
            "attr keyword",
            "post",
            "resource admin",
            "operation",
            "group operation",
            "create",
            "withvalue",
            "display",
            "d recipienturi",
            "expect",
            "tv d",
            "member",
            "createjob",
            "senddocument",
            "create faxout",
            "get list",
            "display jobname",
            "cupsgetdevices",
            "get job",
            "expect jobstate",
            "job template",
            "get printer",
            "cupsgetppd",
            "cupsgetppds",
            "get ppd",
            "attr text",
            "product",
            "psversion",
            "version",
            "message",
            "hello",
            "cupsgetprinters",
            "beep",
            "sound",
            "count",
            "ingroup",
            "oftype keyword",
            "oftype integer",
            "oftype text",
            "oftype charset",
            "oftype enum",
            "az09",
            "withallvalues",
            "mediaregex",
            "oftype",
            "print file",
            "printjob",
            "test printjob",
            "file",
            "ippurischeme",
            "member integer",
            "print test",
            "printuri",
            "post resource",
            "validatejob",
            "validate",
            "printjob group",
            "repeatmatch",
            "choice",
            "envelope",
            "resolution",
            "modelname",
            "inputslot",
            "pcfilename",
            "modelnumber",
            "attribute",
            "false",
            "darkness",
            "media",
            "generic",
            "mark",
            "dark",
            "tear",
            "cupsbanner show",
            "header printer",
            "footer printer",
            "notice cups",
            "header cover",
            "page footer",
            "cover page",
            "header top",
            "secret footer",
            "top secret",
            "header secret",
            "footer secret",
            "vzefibootloader",
            "nsunavailable",
            "virtualization",
            "base class",
            "vzbootloader",
            "network device",
            "initialize",
            "host network",
            "property",
            "return",
            "define",
            "nsarray",
            "bsd name",
            "ethernet",
            "vzconsoledevice",
            "console port",
            "defines",
            "a directory",
            "vzexport extern",
            "apiavailable",
            "bool",
            "nsenum",
            "nsinteger",
            "local file",
            "raw format",
            "nsurl",
            "nserror",
            "file handle",
            "storage device",
            "nserror error",
            "nsfilehandle",
            "boot loader",
            "efi rom",
            "efi boot",
            "vzerrorcode",
            "vzerrordomain",
            "error type",
            "nserror domain",
            "vzerrorsave",
            "nbd server",
            "nbd client",
            "nsoptions",
            "nsuinteger",
            "nsswiftname",
            "nvram",
            "write",
            "sorcvbuf",
            "sosndbuf",
            "mtu value",
            "data",
            "data sent",
            "true",
            "graphics",
            "intel",
            "indicate",
            "enable",
            "nsdata",
            "opaque",
            "host audio",
            "host output",
            "host input",
            "cgsize",
            "new display",
            "protocol",
            "unix domain",
            "socket",
            "rosetta",
            "caching",
            "rosetta daemon",
            "nsstring",
            "abstract socket",
            "rosetta support",
            "linux",
            "arm64",
            "availability",
            "download",
            "vzmacaddress",
            "mac address",
            "a vzmacaddress",
            "linux kernel",
            "ram disk",
            "linux boot",
            "a mac",
            "configuration",
            "mac hardware",
            "describes",
            "mac platform",
            "mac keyboard",
            "usb keyboard",
            "mac machine",
            "apple silicon",
            "rosetta runtime",
            "nsobject",
            "handle",
            "init",
            "url property",
            "whether",
            "recovery",
            "block",
            "nullable",
            "load",
            "mac trackpad",
            "usb pointing",
            "cpus",
            "overwrite",
            "nsdictionary",
            "directory share",
            "check",
            "namemax",
            "vznetworkdevice",
            "nbd url",
            "nbd uniform",
            "nbd protocol",
            "url error",
            "nat attachment",
            "a network",
            "nvm express",
            "nsscreen",
            "nssize",
            "serial port",
            "directory",
            "spice agent",
            "spice guest",
            "a console",
            "vzsocketdevice",
            "vzstoragedevice",
            "vzexport",
            "usb controller",
            "vzusbcontroller",
            "usb device",
            "device uuid",
            "nsuuid uuid",
            "usb mass",
            "vzusbdevice",
            "virtio block",
            "device",
            "storage storage",
            "virtio console",
            "delegate object",
            "a class",
            "extra care",
            "virtio entropy",
            "nsstring name",
            "array",
            "virtio file",
            "system device",
            "discussion",
            "nsstring tag",
            "port",
            "bool isconsole",
            "a virtio",
            "virtio graphics",
            "virtio gpu",
            "virtio",
            "port array",
            "utf8",
            "virtio network",
            "macaddress",
            "virtio socket",
            "close",
            "does nothing",
            "virtio sound",
            "nsarray streams",
            "pointer",
            "device input",
            "a pcm",
            "audio stream",
            "source",
            "sink",
            "device output",
            "device stream",
            "memory balloon",
            "target memory",
            "return yes",
            "start",
            "stop",
            "usb xhci",
            "automatically",
            "nsview",
            "virtual machine",
            "cpucount",
            "verify",
            "apple swift",
            "o librarylevel",
            "swift",
            "cachingoptions",
            "vzaudiodevice",
            "vzdebugstub",
            "swiftname",
            "targetosiphone",
            "targetososx",
            "targetosios",
            "apple computer",
            "targetostv",
            "targetosvision",
            "targetostvos",
            "targetosxr",
            "vtbaseh",
            "vtint32point",
            "vtint32size",
            "iphonena",
            "apiunavailable",
            "vtexport const",
            "abstract",
            "cfstringref",
            "readwrite",
            "cfnumber",
            "cfboolean",
            "optional",
            "null",
            "macos",
            "cmnullable",
            "pass null",
            "call",
            "video toolbox",
            "contains",
            "cmtime duration",
            "cvimagebuffer",
            "vterrorsh",
            "cfoptions",
            "12914",
            "uint32",
            "osstatus",
            "12900",
            "12901",
            "12902",
            "12903",
            "17690",
            "vtexport",
            "encoder",
            "zero",
            "alpha",
            "requires",
            "cmsamplebuffer",
            "prototype",
            "osstatus status",
            "cfrelease",
            "cvpixelbuffer",
            "iosurface",
            "hdr metadata",
            "hdr per",
            "frame metadata",
            "cf type",
            "cfretain",
            "a mechanism",
            "cmbridgedtype",
            "interface",
            "specifies",
            "a reference",
            "pixel rotation",
            "session",
            "a pixel",
            "cf object",
            "vtframesilo",
            "returns",
            "vtframesiloh",
            "vtframesiloref",
            "pass",
            "pixel transfer",
            "vtexport void",
            "media extension",
            "video raw",
            "processors",
            "standard video",
            "metal device",
            "metal",
            "rawprocessors",
            "cfstring",
            "copy",
            "vtsessionh",
            "cfdictionaryref",
            "apis",
            "vtsessionref",
            "raw processor",
            "a cfdictionary",
            "cfswiftname",
            "vtutilitiesh",
            "cgimage",
            "builds",
            "cfarrayref",
            "raw processing",
            "list",
            "list element",
            "cfdictionaries",
            "skipper",
            "vdspdftexecute",
            "vdspdftexecuted",
            "vdspdftzop",
            "vdspfft16copv",
            "vdspfft16zopv",
            "vdspfft32copv",
            "vdspfft32zopv",
            "vdspbiquad",
            "vdspbiquadd",
            "vdspbiquadm",
            "project version",
            "created",
            "elana stettin",
            "apple",
            "swextern",
            "title",
            "typedef",
            "param",
            "nsstring title",
            "represents",
            "nsitemprovider",
            "const",
            "swhidden extern",
            "swdefines",
            "swextern extern",
            "sha256 hash",
            "merkle tree",
            "sociallayer",
            "swperson",
            "devin clary",
            "swaction",
            "sbappcontext",
            "sbapplocator",
            "sbapplication",
            "sbelementarray",
            "sbobject",
            "scriptingbridge",
            "objecttype",
            "finder",
            "bridge",
            "index",
            "apple event",
            "target",
            "urls",
            "locator",
            "scripting",
            "desctype",
            "receiver",
            "track",
            "code",
            "sccontentfilter",
            "bgra format",
            "rgha format",
            "const nonnull",
            "nserrorenum",
            "nsurl outputurl",
            "avfiletypempeg4",
            "provides",
            "scwindow",
            "scdisplay",
            "cgrect frame",
            "bool indicating",
            "pixel",
            "scstream",
            "control center",
            "takes",
            "cfdictionary",
            "rbhash",
            "initvmrandom",
            "initvmtranscode",
            "initarray",
            "initbarevm",
            "initbignum",
            "initcomplex",
            "initcont",
            "initdir",
            "initfile",
            "libxml",
            "require",
            "cfpropertylist",
            "xml parser",
            "libxmlparser",
            "xml file",
            "plist",
            "cfplisterror",
            "exception",
            "format error",
            "easy",
            "kruse",
            "mit license",
            "standarderror",
            "cfformaterror",
            "cftypeerror",
            "nokogiri",
            "parserinterface",
            "cftype",
            "cfdate",
            "cfinteger",
            "blob",
            "ruby string",
            "uidfixnum",
            "ruby integer",
            "date",
            "format constant",
            "formatbinary",
            "formatxml",
            "magicnumber",
            "enumerator",
            "cfdata",
            "ruby",
            "example",
            "john",
            "path",
            "plainparser",
            "ascii",
            "cfreal",
            "importplain",
            "escapechar",
            "read",
            "length",
            "utf16be",
            "cfarray",
            "offsetsize",
            "integer",
            "rexml",
            "rexmlparser",
            "float",
            "appledtd plist",
            "dom node",
            "prefix",
            "config",
            "item",
            "bindir",
            "libruby",
            "rubypath",
            "fileoperations",
            "arch",
            "installer",
            "template",
            "install",
            "major",
            "yesno",
            "todo",
            "kwargs",
            "makefiles",
            "miniportile",
            "cmakecmd",
            "configure",
            "cmakefile",
            "cmake",
            "keyringname",
            "debug",
            "targetos",
            "ldflags",
            "gpgexe",
            "digest",
            "stdout",
            "patch",
            "installerror",
            "savefile",
            "task",
            "packages",
            "dlext",
            "minero aoki",
            "rubyversion",
            "loaderror",
            "sqlite3",
            "was sqlite3",
            "apiobjects",
            "database",
            "pragmas",
            "resultset",
            "sqlite3ruby faq",
            "sqliteruby faq",
            "value klass",
            "qnil",
            "sqliteok",
            "sqliteerror",
            "sqliteinternal",
            "sqliteperm",
            "sqliteabort",
            "sqlitebusy",
            "sqlitelocked",
            "datagetstruct",
            "int2num",
            "main",
            "done",
            "stringvalueptr",
            "note",
            "sqlite3ruby",
            "sqlite3rubyptr",
            "unused",
            "gnuc",
            "lclint",
            "usasciip",
            "utf8p",
            "utf16lep",
            "utf16le",
            "utf16bep",
            "sqlite3stmtruby",
            "rubyplatform",
            "darwin",
            "rcarchs",
            "libpkgconfig",
            "pkgconfigpath",
            "pkgconf",
            "mswin",
            "cflags",
            "install sqlite3",
            "int2fix",
            "rbignumlen",
            "sizeofbdigits",
            "charbit",
            "bdigit",
            "bmax",
            "value unused",
            "sqliteopenuri",
            "open",
            "requireopendb",
            "nilp",
            "qtrue",
            "id2sym",
            "requireopenstmt",
            "donep",
            "rstringlen",
            "num2int",
            "attrs",
            "deal",
            "xsd module",
            "xmlparser",
            "nokogiri xml",
            "simply",
            "rubyengine",
            "slop decorator",
            "css3 selector",
            "xpath",
            "nokogiri class",
            "parse",
            "html",
            "xml document",
            "0x30",
            "0x41",
            "0x61",
            "gumbogentable",
            "gumboasciicntrl",
            "gumboasciispace",
            "gumboasciidigit",
            "constfn",
            "gumboasciih",
            "gumboasciialpha",
            "gumboasciialnum",
            "c0 control",
            "gumbocharrefh",
            "gumboattributeh",
            "gumboattribute",
            "craig barnes",
            "google inc",
            "as is",
            "basis",
            "or conditions",
            "any kind",
            "gumboerrorh",
            "gumbotag",
            "additional",
            "gumbovector",
            "encoding",
            "gumboerrparser",
            "gumboerrortype",
            "html tag",
            "minwordlength",
            "maxwordlength",
            "maxhashvalue",
            "ansic code",
            "m100 n",
            "computed",
            "totalkeywords",
            "minhashvalue",
            "doctype",
            "capacity",
            "doctype system",
            "sourcelength",
            "sourcetext",
            "silence",
            "html5",
            "a struct",
            "text",
            "gumbo",
            "gumboh",
            "anything",
            "gumboparserh",
            "output",
            "library",
            "oopstyle",
            "gumboparser",
            "const localname",
            "string",
            "ietfdtd html",
            "w3cdtd html",
            "level",
            "html strict",
            "terminator",
            "final",
            "buffer",
            "gnucatleast",
            "hasattribute",
            "macrosh",
            "printf",
            "returnsnonnull",
            "win32",
            "unusedifndebug",
            "malloc",
            "pure",
            "m100",
            "gumbotaglookuph",
            "gumbotag tag",
            "taghashslot",
            "gumbotagunknown",
            "gumbotokentypeh",
            "gumbotokencdata",
            "gumbotokennull",
            "gumbotokeneof",
            "gumbotokentype",
            "gumbotaglast",
            "position",
            "gumbotokenizerh",
            "struct",
            "gumbotoken",
            "spec",
            "stack",
            "emittoken",
            "continue",
            "current",
            "utf8iterator",
            "utf8accept",
            "parser",
            "html5 spec",
            "rest",
            "gumboutf8h",
            "unicode code",
            "html5 parser",
            "utf8 decoding",
            "func",
            "gumbodebug",
            "gumboutilh",
            "utility",
            "debug wrapper",
            "script",
            "attribute value",
            "comment end",
            "doctype name",
            "cdata section",
            "rcdata end",
            "rawtext end",
            "initialcapacity",
            "gumboalloc",
            "vector",
            "memmove",
            "gumbovectorh",
            "initializes",
            "ownership",
            "stringvaluecstr",
            "rtest",
            "xmlchar",
            "html document",
            "nokogiristrnew2",
            "html4",
            "value get",
            "qfalse",
            "a list",
            "value list",
            "attrsdepr",
            "attrsopt",
            "chunk",
            "pushparser",
            "xmlsax",
            "value chunk",
            "w3c dom",
            "xmlelementnode",
            "finds",
            "qundef",
            "value val",
            "value args",
            "value exc",
            "libxml2patches",
            "rbconfig",
            "packagerootdir",
            "cppflags",
            "libs",
            "dldflags",
            "nokogiri test",
            "attributedecl",
            "defaultvalue",
            "atype",
            "tree",
            "ctxt",
            "noreturn",
            "xmldocptr doc",
            "private",
            "nokogirinative",
            "nokogiristrnew",
            "xmldoc",
            "value setvalue",
            "value content",
            "xmlchar value",
            "xmlnode cur",
            "content",
            "cdata",
            "cdata element",
            "value argv",
            "value rbnode",
            "document",
            "value document",
            "value getname",
            "pcdata",
            "element",
            "mult",
            "datawrapstruct",
            "value ctxtval",
            "mydoc",
            "userdata",
            "encodinghandler",
            "value key",
            "delete",
            "elementdecl",
            "id iddocument",
            "etype",
            "value prefix",
            "orig",
            "externalid",
            "systemid",
            "nodenr",
            "xmlnodeset",
            "nodeset",
            "nodetab",
            "xmldtd",
            "value hash",
            "publicid",
            "notation",
            "hash",
            "rbfuncall",
            "parseargs",
            "xmlnode",
            "without",
            "href",
            "xmlns",
            "namespace node",
            "nodes",
            "value rbreader",
            "relaxng schema",
            "relaxng",
            "value name",
            "nokogirisaxself",
            "rbivget",
            "rbstrorqnil",
            "xmlchar name",
            "xmlparserctxt",
            "text element",
            "value string",
            "schema",
            "xmlschema",
            "context",
            "stringval",
            "wrapper",
            "emp0001n",
            "emp0002n",
            "xslt",
            "handler",
            "handlerstate",
            "checktype",
            "tarray",
            "id documentid",
            "comment element",
            "node",
            "first",
            "prop",
            "typeerror",
            "gc",
            "pkpublicchannel",
            "pkpushpayload",
            "pkpushregistry",
            "pkpushtypevoip",
            "pushkit",
            "object",
            "pkpushtype type",
            "forward",
            "http",
            "apple push",
            "pkexport extern",
            "nsstringenum",
            "payload data",
            "voip",
            "json format",
            "callkit",
            "pkpushtype",
            "framework",
            "apps",
            "push",
            "odsessioncreate",
            "odattributemap",
            "odconfiguration",
            "odcontext",
            "odmappings",
            "odmoduleentry",
            "odnode",
            "odquery",
            "odrecord",
            "odrecordmap",
            "nsavailablemac",
            "original code",
            "nsstring value",
            "custom",
            "modifications",
            "apple public",
            "source license",
            "of any",
            "nsavailable",
            "nsrunloop",
            "objc",
            "sets",
            "odsession",
            "sfauthorization",
            "will",
            "odsessionref",
            "cfexport",
            "odqueryref",
            "odnoderef",
            "cfexport bool",
            "odrecordref",
            "cfdataref",
            "cfexport const",
            "utf8 encoding",
            "odattributetype",
            "odrecordtype",
            "attribute type",
            "local",
            "realm",
            "cftyperef",
            "odnodegetdsref",
            "odnodegettypeid",
            "odrecorddelete",
            "odtriggercancel",
            "odnodeinit",
            "odquerycreate",
            "odqueryinit",
            "odsessioninit",
            "albuffer3i",
            "albufferdata",
            "albufferf",
            "albufferfv",
            "albufferi",
            "albufferiv",
            "aldistancemodel",
            "aldopplerfactor",
            "algetbooleanv",
            "algetbuffer3f",
            "alcapi",
            "alcapientry",
            "alcboolean",
            "targetosmac",
            "alcdevice",
            "alcenum param",
            "alalch",
            "alcchar",
            "alcsizei",
            "capture",
            "alenum param",
            "alapi",
            "aluint sid",
            "alfloat",
            "aluint bid",
            "alsizei",
            "alint",
            "alfloat value",
            "alapientry",
            "aluint",
            "play",
            "speed",
            "bits",
            "alutapi alvoid",
            "alvoid data",
            "alsizei size",
            "alsizei freq",
            "gnu library",
            "general public",
            "aluth",
            "alenum format",
            "openalopenalh",
            "umbrella header",
            "alvoid",
            "openal",
            "alvoid nonnull",
            "alenum",
            "roger beep",
            "sendable",
            "preconcurrency",
            "rawvalue",
            "network import",
            "failure",
            "service",
            "must",
            "number",
            "stride",
            "brief",
            "descriptor",
            "matrix",
            "mtlpackedfloat3",
            "infinity",
            "metalversion",
            "minimum point",
            "maximum point",
            "interpolation",
            "translation",
            "offset",
            "acceleration",
            "declare",
            "prior",
            "insert",
            "nonnull",
            "nsrange",
            "mtldevice",
            "t argname",
            "mtlstructtype",
            "mtlarraytype",
            "mtltype",
            "mtlpointertype",
            "instance",
            "methodkind",
            "swiftprivate",
            "mtlbuffer",
            "nullability",
            "mtlcommandqueue",
            "mtlresource",
            "mtlresidencyset",
            "command encoder",
            "individual",
            "mtlexport",
            "xcode",
            "gpu trace",
            "apideprecated",
            "mtlcapturescope",
            "remarks",
            "mtlallocation",
            "metal command",
            "mtldispatchtype",
            "mtlorigin",
            "mtlsize",
            "mtlblitoption",
            "flush",
            "gpu work",
            "marks",
            "specify",
            "mtlinline",
            "mtlintern",
            "stdcversion",
            "mtlextern",
            "definition",
            "inline",
            "nsstring label",
            "stencil",
            "defaults",
            "allocate",
            "typical",
            "nsprocessinfo",
            "mtldrawable",
            "present",
            "cftimeinterval",
            "gpustarttime",
            "gpuendtime",
            "mtlcountersh",
            "mtlcounter",
            "mtlcounterset",
            "mtllibrary",
            "a container",
            "mtlfence",
            "mtldatatype",
            "default usage",
            "mtlfunction",
            "mtllogcontainer",
            "mtlsharedevent",
            "mtlevent",
            "synchronously",
            "a function",
            "cpu cache",
            "requiredsize",
            "behavior",
            "mtlheap",
            "query device",
            "dispatch",
            "metal shading",
            "language guide",
            "raytriangle",
            "vends",
            "groups",
            "encodes",
            "mtliofilehandle",
            "mtlextern sizet",
            "mtlextern void",
            "mtlstoreaction",
            "mtlloglevel",
            "enum",
            "mtlmutability",
            "astcetc2bc",
            "normal",
            "astc",
            "clamptoedge",
            "depth",
            "mtlcoordinate2d",
            "nsnumber",
            "controls",
            "mtlclearcolor",
            "adds",
            "mtlregion",
            "cpu mapping",
            "mtltexture",
            "mtlindextype",
            "filter option",
            "clamp",
            "mtlrenderstages",
            "draw",
            "mtlstepfunction",
            "vertex",
            "compute",
            "gpu resource",
            "nsuinteger x",
            "identify",
            "nsuinteger y",
            "nsuinteger z",
            "mtlsize size",
            "mtlvertexformat",
            "nsuintegermax",
            "mtlpixelformat",
            "mtltexturetype",
            "slice",
            "swiftui",
            "coregraphics",
            "swift import",
            "previewregistry",
            "libraryitem",
            "category",
            "dict",
            "apple root",
            "code signing",
            "public",
            "uus10u",
            "GUANGZHOU FIVE SIX TECHNOLOGY",
            "Havana Syndrome",
            "Aishah Lazim",
            "Al-Arqam",
            "Brooklyn"
          ],
          "references": [
            "httpd.exp",
            "metadata.json",
            "add-class.tmpl",
            "choose-make.tmpl",
            "choose-model.tmpl",
            "choose-device.tmpl",
            "add-printer.tmpl",
            "choose-serial.tmpl",
            "class-added.tmpl",
            "choose-uri.tmpl",
            "class-confirm.tmpl",
            "admin.tmpl",
            "class-deleted.tmpl",
            "class-modified.tmpl",
            "classes-header.tmpl",
            "command.tmpl",
            "classes.tmpl",
            "edit-config.tmpl",
            "error-op.tmpl",
            "class-jobs-header.tmpl",
            "error.tmpl",
            "header.tmpl",
            "help-header.tmpl",
            "help-printable.tmpl",
            "help-trailer.tmpl",
            "job-hold.tmpl",
            "class.tmpl",
            "job-cancel.tmpl",
            "job-move.tmpl",
            "job-moved.tmpl",
            "job-release.tmpl",
            "job-restart.tmpl",
            "list-available-printers.tmpl",
            "jobs.tmpl",
            "norestart.tmpl",
            "option-boolean.tmpl",
            "option-header.tmpl",
            "option-conflict.tmpl",
            "option-pickmany.tmpl",
            "option-pickone.tmpl",
            "modify-printer.tmpl",
            "option-trailer.tmpl",
            "pager.tmpl",
            "printer-cancel-jobs.tmpl",
            "printer-added.tmpl",
            "printer-accept.tmpl",
            "printer-configured.tmpl",
            "printer-default.tmpl",
            "printer-confirm.tmpl",
            "printer-deleted.tmpl",
            "printer-jobs-header.tmpl",
            "printer-modified.tmpl",
            "jobs-header.tmpl",
            "printer-stop.tmpl",
            "modify-class.tmpl",
            "printer-reject.tmpl",
            "printers-header.tmpl",
            "printer-start.tmpl",
            "printer.tmpl",
            "printers.tmpl",
            "set-printer-options-trailer.tmpl",
            "test-page.tmpl",
            "restart.tmpl",
            "users.tmpl",
            "set-printer-options-header.tmpl",
            "search.tmpl",
            "trailer.tmpl",
            "font.defs",
            "hp.h",
            "epson.h",
            "label.h",
            "raster.defs",
            "media.defs",
            "apple.types",
            "apple.convs",
            "mime.convs",
            "mime.types",
            "cancel-current-job.test",
            "create-job-sheets.test",
            "create-job.test",
            "create-job-format.test",
            "create-job-timeout.test",
            "create-printer-subscription.test",
            "cups-create-local-printer.test",
            "fax-job.test",
            "get-completed-jobs.test",
            "get-devices.test",
            "get-job-attributes.test",
            "get-job-attributes2.test",
            "get-notifications.test",
            "get-jobs.test",
            "get-job-template-attributes.test",
            "get-ppd-printer.test",
            "get-ppds-drv-only.test",
            "get-ppd.test",
            "get-ppds-make-and-model.test",
            "get-ppds-make.test",
            "get-ppds-product.test",
            "get-ppds-psversion.test",
            "get-ppds-language.test",
            "get-printer-description-attributes.test",
            "get-ppds.test",
            "get-printer-attributes.test",
            "get-subscriptions.test",
            "identify-printer-display.test",
            "get-printers-printer-id.test",
            "identify-printer-multiple.test",
            "get-printers.test",
            "identify-printer.test",
            "get-printer-attributes-suite.test",
            "ipp-2.0.test",
            "ipp-2.2.test",
            "ipp-backend.test",
            "ipp-2.1.test",
            "print-job-and-wait.test",
            "print-job-deflate.test",
            "print-job-hold.test",
            "print-job-gzip.test",
            "ipp-1.1.test",
            "print-job-manual.test",
            "print-job-password.test",
            "print-job.test",
            "print-job-media-col.test",
            "print-uri.test",
            "print-job-letter.test",
            "set-attrs-hold.test",
            "validate-job.test",
            "ipp-everywhere.test",
            "sample.drv",
            "testprint",
            "classified",
            "standard",
            "topsecret",
            "secret",
            "confidential",
            "unclassified",
            "ntp_opendirectory.conf",
            "ntp.conf",
            "notify.conf",
            "nfs.conf",
            "nsmb.conf",
            "xtab",
            "6015FED9-D723-4332-87D9-C478CF341407.aamdownload",
            "AuraService-fda-test",
            "com.adobe.acrobat.rna.AcroCefBrowserLock.DC",
            "ExmanProcessMutex",
            "proxy.xml",
            "A53749AF-3855-4842-A1E7-4AEFA60BD2AC",
            "XPdb-wal",
            "VZBootLoader.h",
            "VZAudioInputStreamSource.h",
            "VZBridgedNetworkDeviceAttachment.h",
            "VZAudioOutputStreamSink.h",
            "VZBridgedNetworkInterface.h",
            "VZConsoleDeviceConfiguration.h",
            "VZConsoleDevice.h",
            "VZConsolePortConfiguration.h",
            "VZDirectorySharingDevice.h",
            "VZDirectoryShare.h",
            "VZDefines.h",
            "VZDiskImageStorageDeviceAttachment.h",
            "VZDiskSynchronizationMode.h",
            "VZDiskBlockDeviceStorageDeviceAttachment.h",
            "Virtualization.h",
            "VZDirectorySharingDeviceConfiguration.h",
            "VZEntropyDeviceConfiguration.h",
            "VZEFIBootLoader.h",
            "VZError.h",
            "VZEFIVariableStore.h",
            "VZFileHandleNetworkDeviceAttachment.h",
            "VZFileHandleSerialPortAttachment.h",
            "VZFileSerialPortAttachment.h",
            "VZGraphicsDevice.h",
            "VZGenericPlatformConfiguration.h",
            "VZGenericMachineIdentifier.h",
            "VZGraphicsDeviceConfiguration.h",
            "VZGraphicsDisplayConfiguration.h",
            "VZHostAudioOutputStreamSink.h",
            "VZKeyboardConfiguration.h",
            "VZHostAudioInputStreamSource.h",
            "VZGraphicsDisplay.h",
            "VZAudioDeviceConfiguration.h",
            "VZLinuxRosettaUnixSocketCachingOptions.h",
            "VZLinuxRosettaAbstractSocketCachingOptions.h",
            "VZLinuxRosettaDirectoryShare.h",
            "VZMACAddress.h",
            "VZLinuxBootLoader.h",
            "VZMacGraphicsDevice.h",
            "VZMacGraphicsDisplay.h",
            "VZMacGraphicsDeviceConfiguration.h",
            "VZMacHardwareModel.h",
            "VZMacKeyboardConfiguration.h",
            "VZMacMachineIdentifier.h",
            "VZMacOSBootLoader.h",
            "VZLinuxRosettaCachingOptions.h",
            "VZMacOSInstaller.h",
            "VZMacOSVirtualMachineStartOptions.h",
            "VZMacOSRestoreImage.h",
            "VZMacTrackpadConfiguration.h",
            "VZMacOSConfigurationRequirements.h",
            "VZMemoryBalloonDevice.h",
            "VZMemoryBalloonDeviceConfiguration.h",
            "VZMacAuxiliaryStorage.h",
            "VZMultipleDirectoryShare.h",
            "VZMacPlatformConfiguration.h",
            "VZNetworkDevice.h",
            "VZNetworkBlockDeviceStorageDeviceAttachment.h",
            "VZNATNetworkDeviceAttachment.h",
            "VZNetworkDeviceAttachment.h",
            "VZPlatformConfiguration.h",
            "VZPointingDeviceConfiguration.h",
            "VZNetworkDeviceConfiguration.h",
            "VZSharedDirectory.h",
            "VZSerialPortAttachment.h",
            "VZNVMExpressControllerDeviceConfiguration.h",
            "VZMacGraphicsDisplayConfiguration.h",
            "VZSerialPortConfiguration.h",
            "VZSingleDirectoryShare.h",
            "VZSpiceAgentPortAttachment.h",
            "VZSocketDeviceConfiguration.h",
            "VZSocketDevice.h",
            "VZStorageDevice.h",
            "VZStorageDeviceAttachment.h",
            "VZStorageDeviceConfiguration.h",
            "VZUSBControllerConfiguration.h",
            "VZUSBDeviceConfiguration.h",
            "VZUSBMassStorageDevice.h",
            "VZUSBKeyboardConfiguration.h",
            "VZUSBController.h",
            "VZUSBDevice.h",
            "VZVirtioBlockDeviceConfiguration.h",
            "VZUSBScreenCoordinatePointingDeviceConfiguration.h",
            "VZUSBMassStorageDeviceConfiguration.h",
            "VZVirtioConsoleDevice.h",
            "VZVirtioConsoleDeviceConfiguration.h",
            "VZVirtioConsoleDeviceSerialPortConfiguration.h",
            "VZVirtioEntropyDeviceConfiguration.h",
            "VZVirtioConsolePort.h",
            "VZVirtioConsolePortConfigurationArray.h",
            "VZVirtioFileSystemDevice.h",
            "VZVirtioConsolePortConfiguration.h",
            "VZVirtioGraphicsDevice.h",
            "VZVirtioGraphicsDeviceConfiguration.h",
            "VZVirtioGraphicsScanout.h",
            "VZVirtioGraphicsScanoutConfiguration.h",
            "VZVirtioConsolePortArray.h",
            "VZVirtioFileSystemDeviceConfiguration.h",
            "VZVirtioNetworkDeviceConfiguration.h",
            "VZVirtioSocketConnection.h",
            "VZVirtioSocketDevice.h",
            "VZVirtioSoundDeviceConfiguration.h",
            "VZVirtioSocketListener.h",
            "VZVirtioSoundDeviceInputStreamConfiguration.h",
            "VZVirtioSocketDeviceConfiguration.h",
            "VZVirtioSoundDeviceOutputStreamConfiguration.h",
            "VZVirtioSoundDeviceStreamConfiguration.h",
            "VZVirtioTraditionalMemoryBalloonDeviceConfiguration.h",
            "VZVirtualMachineDelegate.h",
            "VZVirtualMachineStartOptions.h",
            "VZVirtioTraditionalMemoryBalloonDevice.h",
            "VZVirtualMachine.h",
            "VZXHCIControllerConfiguration.h",
            "VZVirtualMachineView.h",
            "VZVirtualMachineConfiguration.h",
            "VZXHCIController.h",
            "x86_64-apple-macos.swiftinterface",
            "arm64e-apple-macos.swiftinterface",
            "module.modulemap",
            "Virtualization.tbd",
            "VideoToolbox.apinotes",
            "VideoToolbox.h",
            "VTBase.h",
            "VTDecompressionProperties.h",
            "VTCompressionSession.h",
            "VTErrors.h",
            "VTCompressionProperties.h",
            "VTDecompressionSession.h",
            "VTHDRPerFrameMetadataGenerationSession.h",
            "VTMultiPassStorage.h",
            "VTPixelRotationSession.h",
            "VTFrameSilo.h",
            "VTPixelRotationProperties.h",
            "VTPixelTransferSession.h",
            "VTProfessionalVideoWorkflow.h",
            "VTRAWProcessingProperties.h",
            "VTPixelTransferProperties.h",
            "VTSession.h",
            "VTUtilities.h",
            "VTVideoEncoderList.h",
            "VTRAWProcessingSession.h",
            "libvDSP.tbd",
            "SharedWithYouCore.h",
            "SWAction.h",
            "SWCollaborationActionHandler.h",
            "SWCollaborationCoordinator.h",
            "SWCollaborationMetadata.h",
            "SWCollaborationOption.h",
            "SWCollaborationOptionsPickerGroup.h",
            "SWCollaborationOptionsGroup.h",
            "SWCollaborationShareOptions.h",
            "SWDefines.h",
            "SWPersonIdentity.h",
            "SWPerson.h",
            "SWStartCollaborationAction.h",
            "SWPersonIdentityProof.h",
            "SWUpdateCollaborationParticipantsAction.h",
            "SharedWithYouCore.tbd",
            "ScriptingBridge.tbd",
            "SBElementArray.h",
            "ScriptingBridge.apinotes",
            "ScriptingBridge.h",
            "SBApplication.h",
            "SBObject.h",
            "SCScreenshotManager.h",
            "SCError.h",
            "SCRecordingOutput.h",
            "ScreenCaptureKit.h",
            "SCShareableContent.h",
            "SCContentSharingPicker.h",
            "SCStream.h",
            "Ruby.tbd",
            "rbLibXMLParser.rb",
            "rbCFPlistError.rb",
            "rbNokogiriParser.rb",
            "rbCFTypes.rb",
            "rbCFPropertyList.rb",
            "rbPlainCFPropertyList.rb",
            "rbBinaryCFPropertyList.rb",
            "rbREXMLParser.rb",
            "cfpropertylist.rb",
            "setup.rb",
            "libxml.rb",
            "xml.rb",
            "mini_portile_cmake.rb",
            "version.rb",
            "mini_portile.rb",
            "sqlite3.rb",
            "faq.rb",
            "exception.c",
            "backup.h",
            "backup.c",
            "database.h",
            "exception.h",
            "sqlite3_ruby.h",
            "statement.h",
            "extconf.rb",
            "sqlite3.c",
            "database.c",
            "statement.c",
            "nokogiri.rb",
            "ascii.c",
            "ascii.h",
            "char_ref.h",
            "attribute.h",
            "attribute.c",
            "error.h",
            "foreign_attrs.c",
            "insertion_mode.h",
            "error.c",
            "gumbo.h",
            "parser.h",
            "replacement.h",
            "parser.c",
            "string_buffer.h",
            "string_buffer.c",
            "string_piece.c",
            "macros.h",
            "svg_attrs.c",
            "tag_lookup.h",
            "svg_tags.c",
            "tag_lookup.c",
            "token_type.h",
            "tag.c",
            "token_buffer.h",
            "token_buffer.c",
            "tokenizer.h",
            "tokenizer.c",
            "utf8.c",
            "utf8.h",
            "util.c",
            "util.h",
            "tokenizer_states.h",
            "vector.c",
            "vector.h",
            "html4_document.c",
            "html4_entity_lookup.c",
            "html4_element_description.c",
            "html4_sax_push_parser.c",
            "libxml2_backwards_compat.c",
            "nokogiri.c",
            "test_global_handlers.c",
            "xml_attribute_decl.c",
            "nokogiri.h",
            "xml_attr.c",
            "xml_cdata.c",
            "xml_document_fragment.c",
            "xml_document.c",
            "xml_element_content.c",
            "html4_sax_parser_context.c",
            "xml_encoding_handler.c",
            "xml_element_decl.c",
            "xml_entity_decl.c",
            "xml_node_set.c",
            "xml_dtd.c",
            "gumbo.c",
            "xml_namespace.c",
            "xml_processing_instruction.c",
            "xml_reader.c",
            "xml_relax_ng.c",
            "xml_entity_reference.c",
            "xml_sax_parser.c",
            "xml_sax_push_parser.c",
            "xml_sax_parser_context.c",
            "xml_text.c",
            "xml_schema.c",
            "xml_xpath_context.c",
            "xslt_stylesheet.c",
            "xml_syntax_error.c",
            "xml_comment.c",
            "xml_node.c",
            "PushKit.tbd",
            "PKPushCredentials.h",
            "PKDefines.h",
            "PKPushPayload.h",
            "PushKit.h",
            "PKPushRegistry.h",
            "PushKit.apinotes",
            "OpenDirectory.tbd",
            "ODAttributeMap.h",
            "ODMappings.h",
            "NSOpenDirectory.h",
            "ODConfiguration.h",
            "ODQuery.h",
            "ODNode.h",
            "OpenDirectory.h",
            "ODRecordMap.h",
            "ODSession.h",
            "ODModuleEntry.h",
            "ODRecord.h",
            "CFODContext.h",
            "CFODSession.h",
            "CFOpenDirectory.h",
            "CFODQuery.h",
            "CFODNode.h",
            "CFODRecord.h",
            "CFOpenDirectoryConstants.h",
            "CFOpenDirectory.tbd",
            "OpenAL.tbd",
            "alc.h",
            "al.h",
            "alut.h",
            "OpenAL.h",
            "MacOSX_OALExtensions.h",
            "arm64e-apple-ios-macabi.swiftinterface",
            "x86_64-apple-ios-macabi.swiftinterface",
            "SwiftUI.swiftoverlay",
            "MTLAccelerationStructure.h",
            "Metal.h",
            "MTLAccelerationStructureTypes.h",
            "MTLAccelerationStructureCommandEncoder.h",
            "MTLArgumentEncoder.h",
            "MTLArgument.h",
            "MTLBinaryArchive.h",
            "Metal.apinotes",
            "MTLBlitPass.h",
            "MTLBuffer.h",
            "MTLCaptureManager.h",
            "MTLCaptureScope.h",
            "MTLAllocation.h",
            "MTLCommandEncoder.h",
            "MTLCommandBuffer.h",
            "MTLComputePass.h",
            "MTLBlitCommandEncoder.h",
            "MTLCommandQueue.h",
            "MTLDefines.h",
            "MTLDepthStencil.h",
            "MTLComputePipeline.h",
            "MTLDeviceCertification.h",
            "MTLDrawable.h",
            "MTLCounters.h",
            "MTLComputeCommandEncoder.h",
            "MTLDynamicLibrary.h",
            "MTLFence.h",
            "MTLFunctionConstantValues.h",
            "MTLFunctionDescriptor.h",
            "MTLFunctionLog.h",
            "MTLFunctionHandle.h",
            "MTLEvent.h",
            "MTLFunctionStitching.h",
            "MTLHeap.h",
            "MTLDevice.h",
            "MTLIndirectCommandBuffer.h",
            "MTLIntersectionFunctionTable.h",
            "MTLIOCommandQueue.h",
            "MTLLinkedFunctions.h",
            "MTLIOCommandBuffer.h",
            "MTLIOCompressor.h",
            "MTLParallelRenderCommandEncoder.h",
            "MTLLogState.h",
            "MTLPipeline.h",
            "MTLLibrary.h",
            "MTLPixelFormat.h",
            "MTLRasterizationRate.h",
            "MTLRenderPass.h",
            "MTLRenderPipeline.h",
            "MTLResidencySet.h",
            "MTLResourceStateCommandEncoder.h",
            "MTLResourceStatePass.h",
            "MTLResource.h",
            "MTLIndirectCommandEncoder.h",
            "MTLSampler.h",
            "MTLRenderCommandEncoder.h",
            "MTLStageInputOutputDescriptor.h",
            "MTLVisibleFunctionTable.h",
            "MTLTypes.h",
            "MTLVertexDescriptor.h",
            "MTLTexture.h",
            "WebKit.arm64e.bridgesupport",
            "WebKit.bridgesupport"
          ],
          "public": 1,
          "adversary": "DragonForce Hacker Group Malaysia",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "VZBootLoader",
              "display_name": "VZBootLoader",
              "target": null
            },
            {
              "id": "TypeError",
              "display_name": "TypeError",
              "target": null
            },
            {
              "id": "GC",
              "display_name": "GC",
              "target": null
            },
            {
              "id": "CFTypeRef",
              "display_name": "CFTypeRef",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1123",
              "name": "Audio Capture",
              "display_name": "T1123 - Audio Capture"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1485",
              "name": "Data Destruction",
              "display_name": "T1485 - Data Destruction"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            },
            {
              "id": "T1135",
              "name": "Network Share Discovery",
              "display_name": "T1135 - Network Share Discovery"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1569",
              "name": "System Services",
              "display_name": "T1569 - System Services"
            },
            {
              "id": "T1016",
              "name": "System Network Configuration Discovery",
              "display_name": "T1016 - System Network Configuration Discovery"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1124",
              "name": "System Time Discovery",
              "display_name": "T1124 - System Time Discovery"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1550",
              "name": "Use Alternate Authentication Material",
              "display_name": "T1550 - Use Alternate Authentication Material"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            },
            {
              "id": "T1219",
              "name": "Remote Access Software",
              "display_name": "T1219 - Remote Access Software"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1134",
              "name": "Access Token Manipulation",
              "display_name": "T1134 - Access Token Manipulation"
            },
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            }
          ],
          "industries": [
            "Media"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 49,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "ravescoutllc.",
            "id": "288912",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 346,
            "FileHash-SHA256": 272,
            "domain": 110,
            "hostname": 101,
            "email": 1,
            "CVE": 2,
            "FileHash-SHA1": 1
          },
          "indicator_count": 833,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 34,
          "modified_text": "528 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66eb3ef6d765187a437767e4",
          "name": "Hijacked 'Operation Endgame' Tofsee  Ransomware",
          "description": "This a project. A target has been put into  different Operations: Project Hilo, Project Helix, Operation Endgame, The NSO Cellebrite Pegasus hit list. These are real and very serious serious threat. Severe Cyber issues made their way to her infected devices as well as the devices of family members. Death threats continue to come in. Several DoD IP addresses found in a PDF. It's unresearched at this time,, DoD via BGP HE has been questionable considering use gateway abuse by SWIPPER. \n\nStill no authority can confirm victim is a suspect. Must be a crazy high to help Jeffrey Scott Reiner PT. DPT  get away with assault in such a ridiculous manner. Court report posted online by Trellis (BS) is of course a falsified , vulnerability filled 'made you click'  document.. Faldif0, empty docmpty doc, citing  it was refreshed in 2023. \nThere is no doubt these  masqueraders mean to intimidate, humiliate, isolate & harm target. These people are not in China. False attribution is likely.  Attack is disseminates from USA.",
          "modified": "2024-10-18T20:04:41.836000",
          "created": "2024-09-18T20:58:30.691000",
          "tags": [
            "as8075",
            "united",
            "pid425870621",
            "tid700443057",
            "tpid425870621",
            "slot1",
            "mascore2",
            "bcnt1",
            "unid88000705",
            "nct1",
            "date",
            "china",
            "china unknown",
            "passive dns",
            "body xml",
            "error code",
            "requestid",
            "hostid ec",
            "server",
            "gmt content",
            "type",
            "registry",
            "intel",
            "ms windows",
            "show",
            "entries",
            "search",
            "high",
            "pe32",
            "high process",
            "injection t1055",
            "salicode",
            "worm",
            "copy",
            "tools",
            "service",
            "write",
            "win32",
            "persistence",
            "execution",
            "april",
            "urls",
            "http",
            "unique",
            "scan endpoints",
            "all scoreblue",
            "url http",
            "pulse pulses",
            "ip address",
            "related nids",
            "code",
            "as54113",
            "unknown",
            "body",
            "fastly error",
            "please",
            "sea p",
            "msil",
            "accept",
            "aaaa",
            "nxdomain",
            "whitelisted",
            "as15169 google",
            "status",
            "as44273 host",
            "as46691",
            "domain",
            "url https",
            "files location",
            "info",
            "script urls",
            "path max",
            "age86400 set",
            "cookie",
            "script domains",
            "javascript",
            "script script",
            "trojanspy",
            "cname",
            "emails",
            "servers",
            "all search",
            "related pulses",
            "file samples",
            "files matching",
            "creation date",
            "germany unknown",
            "yara detections",
            "filehash",
            "av detections",
            "ids detections",
            "alerts",
            "analysis date",
            "file score",
            "meta",
            "home welcome",
            "write c",
            "delete c",
            "query",
            "local",
            "hostname",
            "a domains",
            "lowfi",
            "content type",
            "record value",
            "suite",
            "showing",
            "asnone united",
            "as29873",
            "ipv4",
            "pulse submit",
            "url analysis",
            "files",
            "pe32 executable",
            "potential scan",
            "0pgtwhu",
            "t1045",
            "port",
            "infection",
            "recon",
            "malware",
            "june",
            "delphi",
            "taobao network",
            "as45102 alibaba",
            "as4812 china",
            "next",
            "expiration date",
            "name servers",
            "dynamicloader",
            "dynamic",
            "sha256",
            "dynamic link",
            "library exe",
            "adobe",
            "incorporated",
            "read",
            "yara rule",
            "delete",
            "binary file",
            "push",
            "malicious",
            "july",
            "iocs",
            "levelbluelabs",
            "jeff4son",
            "adversaries",
            "registry run",
            "flow t1574",
            "dll sideloading",
            "boot",
            "logon autostart",
            "execution t1547",
            "keys",
            "startup folder",
            "t1497 may",
            "encryption",
            "catalog tree",
            "analysis ob0001",
            "virtual machine",
            "detection b0009",
            "check registry",
            "analysis ob0002",
            "executable code",
            "stack strings",
            "control ob0004",
            "get http",
            "http requests",
            "dns resolutions",
            "ip traffic",
            "pattern domains",
            "memory pattern",
            "urls http",
            "request",
            "response",
            "connection",
            "trojan",
            "otx scoreblue",
            "windows",
            "embeddedwb",
            "medium",
            "shellexecuteexw",
            "msie",
            "windows nt",
            "displayname",
            "tofsee",
            "hashes",
            "vhash",
            "authentihash",
            "ssdeep",
            "win32 exe",
            "magic pe32",
            "trid win32",
            "library",
            "read c",
            "file guard",
            "rtversion",
            "langchinese",
            "legalcopyright",
            "reserved",
            "ransom",
            "moved",
            "media",
            "ascii text",
            "default",
            "upack",
            "mike",
            "contacted",
            "x87xe1x1d",
            "regsetvalueexa",
            "x95xd3xa4",
            "regbinary",
            "x84xa8xe8i",
            "x8dxb7xb7",
            "hx88x9ax1e",
            "mx81xd1r",
            "x92xac",
            "xc2x84",
            "stream",
            "swipper",
            "pdfcreator.sf.net",
            "botnet",
            "black mercedes",
            "please forgive me",
            "therahand thouroughhand"
          ],
          "references": [
            "Project Endgame - pegausintel.com - Unsure if related to NSO Group",
            "Antivirus Detections: ALF:HeraklezEval:Rogue:Win32/FakeRean",
            "Yara Detections: compromised_site_redirector_fromcharcode ,  Cabinet_Archive ,  SFX_CAB",
            "Alerts: infostealer_cookies persistence_autorun recon_programs recon_fingerprint removes_zoneid_ads anomalous_deletefile",
            "P\u2019s Contacted:  93.184.221.240  3.33.130.190 |  Domains Contacted: counterslocal.com",
            "compromised_site_redirector_fromcharcode fromCharCode",
            "Interesting Strings: http://www.interoperabilitybridges.com/wmp http://crbug.com/40902 http://crbug.com/516527",
            "Interesting Strings: http://service.real.com/realplayer/security/02062012_player/en/",
            "Interesting Strings: https://support.google.com/chrome/?p=plugin_pdf",
            "https://support.google.com/chrome/?p=plugin_quicktime https://chrome.google.com/",
            "Interesting Strings: http://schema.org/GovernmentOrganization https://support.google.com/chrome/?p=plugin_java https://crbug.com/593166",
            "Pdf.Phishing.TtraffRobotInstall-7605656-0 00004feb58be42ba1bd506ea89f90c5e1d83e6e1fb84841931949a454b0bb539",
            "Antivirus Detections Cryp_Xed-12 ,  Mal/Generic-S ,  Packed/Upack Yara Detections Upackv039finalDwing ,  UpackV037Dwing",
            "https://pin.it/ | https://www.anyxxxtube.net/search-porn/tsara-brashears/",
            "https://www.anyxxxtube.net/search-porn/tsara-brashears/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Worm:Win32/Macoute.A",
              "display_name": "Worm:Win32/Macoute.A",
              "target": "/malware/Worm:Win32/Macoute.A"
            },
            {
              "id": "TrojanDownloader:Win32/Nemucod",
              "display_name": "TrojanDownloader:Win32/Nemucod",
              "target": "/malware/TrojanDownloader:Win32/Nemucod"
            },
            {
              "id": "TrojanSpy:Win32/Nivdort",
              "display_name": "TrojanSpy:Win32/Nivdort",
              "target": "/malware/TrojanSpy:Win32/Nivdort"
            },
            {
              "id": "ALF:HeraklezEval:Rogue:Win32/FakeRean",
              "display_name": "ALF:HeraklezEval:Rogue:Win32/FakeRean",
              "target": null
            },
            {
              "id": "Worm:Win32/Fesber.A",
              "display_name": "Worm:Win32/Fesber.A",
              "target": "/malware/Worm:Win32/Fesber.A"
            },
            {
              "id": "Ransom:Win32/Eniqma.A",
              "display_name": "Ransom:Win32/Eniqma.A",
              "target": "/malware/Ransom:Win32/Eniqma.A"
            },
            {
              "id": "Tofsee",
              "display_name": "Tofsee",
              "target": null
            },
            {
              "id": "UpackV037Dwing",
              "display_name": "UpackV037Dwing",
              "target": null
            },
            {
              "id": "Cryp_Xed-12",
              "display_name": "Cryp_Xed-12",
              "target": null
            },
            {
              "id": "Mal/Generic-S",
              "display_name": "Mal/Generic-S",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1031",
              "name": "Modify Existing Service",
              "display_name": "T1031 - Modify Existing Service"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1089",
              "name": "Disabling Security Tools",
              "display_name": "T1089 - Disabling Security Tools"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1096",
              "name": "NTFS File Attributes",
              "display_name": "T1096 - NTFS File Attributes"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 29,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 1,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1493,
            "FileHash-SHA1": 1393,
            "FileHash-SHA256": 5881,
            "URL": 1495,
            "domain": 1947,
            "hostname": 1360,
            "email": 18,
            "CVE": 1
          },
          "indicator_count": 13588,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 229,
          "modified_text": "548 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66e00320d65236e032faa26a",
          "name": "Global- Injection | Phone service modification campaign - Cryprsoft",
          "description": "Malicious\u00bb http://www.forensickb.com/2013/03/file-entropy-explained.html | Cryptsoft | ET ,\nVirus:Win32/Sality.AT ,\nWin32:Kukacka , TrojanSpy:Win32/Nivdort.AJ , Worm:Win32/Mydoom.O!backdoor , \nWorm:Win32/Bloored , TrojanSpy:Win32/Invader.S!MSR , \nText: Mydoom spreading via SMTP 29 192.168.56.110 198.133.159.125 2018340 ET TROJAN Win32.Sality-GR Checkin 192.168.56.110 52.28.249.128 2018340 ET TROJAN Win32.Sality-GR Checkin 192.168.56.110 166.78.145.90 2016803 ET TROJAN Known Sinkhole Response Header 166.78.145.90 192.168.56.110 2018\nATT&CK | Query Registry , Modify Existing Service , Scheduled Task/Job , Process Injection , Registry Run Keys / Startup Folder , System Information Discovery , Disabling Security Tools , Modify Registry",
          "modified": "2024-10-10T08:03:36.798000",
          "created": "2024-09-10T08:28:16.120000",
          "tags": [
            "amazonaws",
            "employment scam",
            "pe resource",
            "united",
            "as15169 google",
            "aaaa",
            "unknown",
            "search",
            "as44273 host",
            "passive dns",
            "all scoreblue",
            "worm",
            "files",
            "error",
            "code",
            "emails",
            "ireland",
            "poland",
            "high",
            "yara detections",
            "virus",
            "msvisualcpp2003",
            "high process",
            "injection t1055",
            "t1055",
            "icmp traffic",
            "pe file",
            "service",
            "win32",
            "copy",
            "tools",
            "cryptsoft",
            "nxdomain",
            "a br",
            "key management",
            "meta",
            "open",
            "twitter",
            "a domains",
            "cryptsoft src",
            "meet cryptsoft",
            "products a",
            "authority",
            "record value",
            "contact",
            "metro",
            "log id",
            "gmtn",
            "go daddy",
            "tls web",
            "arizona",
            "scottsdale",
            "ca issuers",
            "false",
            "windows nt",
            "msie",
            "read c",
            "ms windows",
            "intel",
            "et trojan",
            "pe32",
            "zip archive",
            "write",
            "possible",
            "malware",
            "beethoven",
            "et",
            "body",
            "scan endpoints",
            "category",
            "file samples",
            "files matching",
            "date hash",
            "phishing",
            "show",
            "t1045",
            "nrv2x",
            "lzma",
            "laszlo molnar",
            "john reiser",
            "antivirus",
            "xp sp2",
            "sp2 working",
            "alerts",
            "contacted",
            "0pgtwhu",
            "filehash",
            "february",
            "crack.zip",
            "as396982 google",
            "urls",
            "domain",
            "hostname",
            "next",
            "belgium unknown",
            "status",
            "name servers",
            "creation date",
            "date",
            "servers",
            "entries",
            "trojan",
            "ipv4",
            "pulse pulses",
            "ransom",
            "gandcrab",
            "active",
            "parking crews"
          ],
          "references": [
            "Researched: http://www.forensickb.com/2013/03/file-entropy-explained.html",
            "https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://www.forensickb.com/2013/03/file-entropy-explained.html",
            "www.crackedmindstechnologies.com",
            "IDS Detections: Tempedreve Checkin Hiloti Style GET to PHP with invalid terse MSIE headers W32/Bayrob Attempted Checkin 2",
            "Observed GandCrab Ransomware Domain (carder .bit in DNS Lookup) Worm.Mydoom Checkin",
            "IDS Detections:  User-Agent (explwer) Hiloti/Mufanom Downloader Checkin Win32/Unruy.R Checkin Ransom.Win32.Birele.gsg Checkin Observed GandCrab Ransomware Domain (ransomware .bit in DNS Lookup)",
            "IDS Detections: Worm.Mydoom Checkin User-Agent (explwer) Hiloti/Mufanom Downloader Checkin Win32/Unruy.R Checkin",
            "IDS Detections: Ransom.Win32.Birele.gsg Checkin Observed GandCrab Ransomware Domain (ransomware .bit in DNS Lookup)",
            "relay.cryptsoft.com | smtp.cryptsoft.com\t| ghs.google.com"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Romania",
            "Netherlands",
            "Poland",
            "Belgium",
            "Germany",
            "Spain",
            "Italy",
            "Czechia",
            "Austria",
            "Bulgaria",
            "Canada",
            "United Arab Emirates"
          ],
          "malware_families": [
            {
              "id": "Virus:Win32/Sality.AT",
              "display_name": "Virus:Win32/Sality.AT",
              "target": "/malware/Virus:Win32/Sality.AT"
            },
            {
              "id": "Win32:Kukacka",
              "display_name": "Win32:Kukacka",
              "target": null
            },
            {
              "id": "ET",
              "display_name": "ET",
              "target": null
            },
            {
              "id": "Worm:Win32/Mydoom.O!backdoor",
              "display_name": "Worm:Win32/Mydoom.O!backdoor",
              "target": "/malware/Worm:Win32/Mydoom.O!backdoor"
            },
            {
              "id": "Worm:Win32/Bloored.E",
              "display_name": "Worm:Win32/Bloored.E",
              "target": "/malware/Worm:Win32/Bloored.E"
            },
            {
              "id": "GandCrab",
              "display_name": "GandCrab",
              "target": null
            },
            {
              "id": "TrojanSpy:Win32/Nivdort.AJ",
              "display_name": "TrojanSpy:Win32/Nivdort.AJ",
              "target": "/malware/TrojanSpy:Win32/Nivdort.AJ"
            },
            {
              "id": "TrojanSpy:Win32/Invader.S!MSR",
              "display_name": "TrojanSpy:Win32/Invader.S!MSR",
              "target": "/malware/TrojanSpy:Win32/Invader.S!MSR"
            }
          ],
          "attack_ids": [
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1031",
              "name": "Modify Existing Service",
              "display_name": "T1031 - Modify Existing Service"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1089",
              "name": "Disabling Security Tools",
              "display_name": "T1089 - Disabling Security Tools"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1063",
              "name": "Security Software Discovery",
              "display_name": "T1063 - Security Software Discovery"
            }
          ],
          "industries": [
            "Telecommunications"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 10,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 220,
            "FileHash-MD5": 626,
            "FileHash-SHA1": 539,
            "FileHash-SHA256": 1335,
            "domain": 501,
            "hostname": 617,
            "email": 4,
            "SSLCertFingerprint": 2
          },
          "indicator_count": 3844,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 227,
          "modified_text": "557 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66d95bd10bfcc8c3dd66a44d",
          "name": "Qbot ",
          "description": "",
          "modified": "2024-09-05T09:51:10.113000",
          "created": "2024-09-05T07:20:49.138000",
          "tags": [
            "whois record",
            "ssl certificate",
            "historical ssl",
            "resolutions",
            "referrer",
            "communicating",
            "subdomains",
            "domains",
            "problems",
            "urls http",
            "ransomware",
            "malware",
            "contacted",
            "dropped",
            "execution",
            "tsara brashears",
            "apple ios",
            "whois whois",
            "unlocker",
            "njrat",
            "core",
            "hacktool",
            "metro",
            "download",
            "critical",
            "copy",
            "relic",
            "monitoring",
            "installer",
            "awful",
            "open",
            "banker",
            "keylogger",
            "malicious",
            "tofsee",
            "mitre attack",
            "et",
            "cisco umbrella",
            "internet storm",
            "site",
            "covid19",
            "cyber threat",
            "safe site",
            "cobalt strike",
            "malicious url",
            "alexa",
            "script urls",
            "united",
            "a domains",
            "as396982 google",
            "as15169 google",
            "search",
            "cname",
            "accept encoding",
            "showing",
            "unknown",
            "date",
            "body",
            "meta",
            "encrypt",
            "domain related",
            "as396982",
            "creation date",
            "expiration date",
            "scan endpoints",
            "all octoseek",
            "hostname",
            "pulse submit",
            "url analysis",
            "passive dns",
            "urls",
            "next",
            "all search",
            "otx octoseek",
            "as7922 comcast",
            "as16276",
            "as54113",
            "aaaa",
            "france unknown",
            "as14061",
            "status",
            "as40509",
            "ip address",
            "for privacy",
            "as44273 host",
            "record value",
            "certificate",
            "gmt content",
            "x sucuri",
            "as8075",
            "nxdomain",
            "as30148 sucuri",
            "as20940",
            "as31898 oracle",
            "hong kong",
            "as139021",
            "msie",
            "chrome",
            "ipv4",
            "blacklist http",
            "detection list",
            "blacklist",
            "files",
            "location hong",
            "kong asn",
            "tags none",
            "indicator facts",
            "name verdict",
            "falcon sandbox",
            "mail spammer",
            "tor known",
            "tor relayrouter",
            "exit",
            "node tcp",
            "traffic",
            "heur",
            "malicious site",
            "alexa top",
            "million",
            "alexa proxy",
            "outbreak",
            "installcore",
            "acint",
            "conduit",
            "installpack",
            "iobit",
            "artemis",
            "dropper",
            "mediaget",
            "crack",
            "spammer",
            "france mail",
            "summary",
            "url summary",
            "phishing",
            "union",
            "team",
            "bank",
            "unsafe",
            "threat report",
            "ip summary",
            "pattern match",
            "script",
            "et tor",
            "known tor",
            "relayrouter",
            "node traffic",
            "misc attack",
            "beginstring",
            "null",
            "error",
            "span",
            "class",
            "generator",
            "refresh",
            "tools",
            "hybrid",
            "general",
            "click",
            "strings",
            "servers",
            "ps ord",
            "name servers",
            "poetry",
            "moved",
            "content length",
            "content type",
            "x powered",
            "poems",
            "poem",
            "topic",
            "topics",
            "poem topics",
            "free poems",
            "love poems",
            "romantic poems",
            "classic poems",
            "friendship poems",
            "shone pale",
            "herself",
            "heavens",
            "her beam",
            "a fleecy",
            "proud evening",
            "star",
            "thou bearest",
            "heaven",
            "than",
            "google",
            "http",
            "leasewebuklon11",
            "search live",
            "api blog",
            "docs pricing",
            "login",
            "february",
            "gb summary",
            "london",
            "april",
            "screenshot",
            "url https",
            "reverse dns",
            "general full",
            "name value",
            "frankfurt",
            "main",
            "germany",
            "asn15169",
            "resource",
            "hashes",
            "copyright",
            "gmbh version",
            "follow",
            "blacklist https",
            "phishing site",
            "malware site",
            "riskware",
            "opencandy",
            "cleaner",
            "iframe",
            "xtrat",
            "agent",
            "softcnapp",
            "generic",
            "patcher",
            "driverpack",
            "exploit",
            "mimikatz",
            "downldr",
            "presenoker",
            "fusioncore",
            "wacatac",
            "beach research",
            "trojanspy",
            "maltiverse",
            "firehol",
            "proxy",
            "anonymizer",
            "adware",
            "kuaizip",
            "downer",
            "tag count",
            "tue apr",
            "sample",
            "samples",
            "fakealert",
            "genkryptik",
            "icedid",
            "coinminer",
            "nircmd",
            "swrort",
            "systweak",
            "behav",
            "tiggre",
            "filetour",
            "quasar rat",
            "fuery",
            "bazaloader",
            "media",
            "facebook",
            "service",
            "runescape",
            "webtoolbar",
            "a9dia",
            "a1ginaprincipal",
            "emails",
            "registrar",
            "http header",
            "tcp traffic",
            "et useragents",
            "unknown traffic",
            "antivirus",
            "server",
            "gmt united",
            "accept",
            "local",
            "path",
            "falcon",
            "file",
            "ascii text",
            "windows nt",
            "png image",
            "appdata",
            "jpeg image",
            "indicator",
            "twitter",
            "westlaw njrat",
            "zuorat",
            "skynet bot",
            "glupteba",
            "asn4583",
            "thomsonreuters",
            "asn209242",
            "june",
            "back",
            "united kingdom",
            "cisco",
            "umbrella rank",
            "rank",
            "page url",
            "as autonomous",
            "system",
            "yndx",
            "ipasns ip",
            "november",
            "de summary",
            "comodo rsa",
            "security tls",
            "software",
            "resource hash",
            "security",
            "ecdhersa",
            "de indicators",
            "de page",
            "url history",
            "javascript",
            "gts ca",
            "secure server",
            "markmonitor",
            "ip information",
            "detail domains",
            "domain tree",
            "links certs",
            "frames domain",
            "requested",
            "threat roundup",
            "march",
            "threat round",
            "parent parent",
            "roundup",
            "january",
            "threats",
            "qbot",
            "cyberwar",
            "skynet",
            "radar ineractive",
            "control server",
            "engineering",
            "host",
            "services",
            "pony",
            "nanocore rat",
            "meterpreter",
            "zeus",
            "zbot",
            "suppobox",
            "stealer",
            "redline stealer",
            "dnspionage",
            "mirai",
            "nanocore",
            "bradesco",
            "emotet",
            "laplasclipper",
            "asn16276",
            "get h2",
            "kb image",
            "august",
            "kali",
            "localappdata",
            "network traffic",
            "binary file",
            "svg scalable",
            "vector graphics",
            "mwin",
            "domain",
            "url http",
            "pulse pulses",
            "related nids",
            "files location",
            "customer",
            "address",
            "as29789",
            "hosting",
            "location united",
            "status hostname",
            "query type",
            "address first",
            "seen last",
            "seen asn",
            "country unknown",
            "urls date",
            "checked url",
            "hostname server",
            "response ip",
            "address google",
            "safe browsing",
            "present mar",
            "pulse indicator",
            "protocol h2",
            "value",
            "variables",
            "waypoint object",
            "gsqueue",
            "isotope",
            "hostnames",
            "ice fog",
            "maltiverse top",
            "financial",
            "as62597 nsone",
            "sec ch",
            "domains show",
            "entries",
            "as14720 gamma",
            "canada unknown",
            "as397241",
            "as13335",
            "applicunwnt",
            "xrat",
            "maltiverse safe",
            "aig",
            "soc",
            "hallrender",
            "brian sabey",
            "mark brian sabey",
            "sabey",
            "mark",
            "sabey",
            "data center",
            "malvertizing",
            "malware host",
            "scanning host",
            "botnetwork",
            "colorado",
            "edsaid",
            "geotracking",
            "satellite tracking",
            "radar tracking",
            "pornhub",
            "child teen content illegal",
            "social engineering",
            "cyber stalking",
            "CVE-2023-4966",
            "device control",
            "camera usage",
            "hidden users",
            "message interception",
            "text archiver",
            "mail collection",
            "remote attacks",
            "js",
            "python",
            "inject",
            "sql",
            "extraction",
            "AIG Claims",
            "hallrender.com",
            "soc",
            "milemighmedia",
            "westlaw",
            "revengeporn",
            "bot",
            "regex",
            "ai",
            "yandex"
          ],
          "references": [
            "web2.westlaw.com    (redirects to thbrzzrstr.me)",
            "http://web2.westlaw.com/ (redirect) https://signon.thomsonreuters.com/?productid=CBT&lr=0&culture=en-US&returnto=https%3a%2f%2f1.next.westlaw.com%...",
            "https://hybrid-analysis.com/sample/8bf763ce9396c4569afbae58392097fd57408339c0ac59ec256468c9fd8ac4c5/6548ebfe56b25bab28017757",
            "https://urlscan.io/result/2285cee3-1e08-4e63-b48f-ee685e008480/#summary",
            "https://hybrid-analysis.com/sample/86479bf7c9a675913b93a0d399f5cbe0c0e8003239e93ae5e00f97cdbc5ec5ba/5c5c13577ca3e12626364777",
            "https://urlscan.io/result/4f0cabbf-9716-47dd-bd5c-038a953e6672/",
            "Malware Host: HallRender.com",
            "riverside.rocks (safebae.com remote uTorrent) https://hybrid-analysis.com/sample/11108ef17bd75f36e0d22d95b1f3bde3e9fa968a78a24c2d2508f4238e22651d/6326a50be4a8a71b885f5bf3",
            "safebae.org",
            "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu    (phishing | cybercrime)",
            "Hallrender.com and Westlaw.com.= http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu",
            "Poemhunter.com + rally point.com = pornhub.dev",
            "Pornhub dev VT community: https://www.virustotal.com/gui/domain/pornhub.dev/community",
            "Poemhunter.com: https://hybrid-analysis.com/sample/86479bf7c9a675913b93a0d399f5cbe0c0e8003239e93ae5e00f97cdbc5ec5ba",
            "https://www.poemhunter.com/tsara-brashears/poems/: https://urlscan.io/result/4f0cabbf-9716-47dd-bd5c-038a953e6672/",
            "Rallypoint.com https://hybrid-analysis.com/sample/66287c2c36699037cb504201693e26b5f3282cebde1d1c78aecd6f97f04fb694",
            "Malicious revenge malvertizing: https://www.milehighmedia.com/legal/2257",
            "https://www.anyxxxtube.net/search-porn/tsara-brashears/",
            "https://matrix.pornhub.dev",
            "nr-data.net",
            "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/icons/apple-touch-icon-76x76.png",
            "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/icons/apple-touch-icon.png",
            "https://apple.pantion.top/",
            "newrelic.se",
            "user-apple.info",
            "appleid-comloginaccount.info",
            "init-p01st.push.apple.com",
            "boostmobile.com",
            "www.metrobyt-mobile.com",
            "http://bpdb.portal.gov.bd:3128/sites/default/files/files/bpdb.portal.gov.bd/npfblock/2021-34bc869d2906198362a4346373ce5b94.jpg",
            "https://b.link/infringement",
            "my.mintmobile.com",
            "CVE-2023-4966",
            "http://watchhers.net/index.php",
            "https://rr2---sn-4g5ednsz.googlevideo.com/videoplayback?expire=1699319292&ei=nDlJZfb4G43E-gaYt5XoDg&ip=2001%3A1b60%3A2%3A240%3A3247%3A%3A"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Spain",
            "Netherlands",
            "Canada",
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Tsara Brashears",
              "display_name": "Tsara Brashears",
              "target": null
            },
            {
              "id": "Mitre Attack",
              "display_name": "Mitre Attack",
              "target": null
            },
            {
              "id": "ET",
              "display_name": "ET",
              "target": null
            },
            {
              "id": "Beach Research",
              "display_name": "Beach Research",
              "target": null
            },
            {
              "id": "TrojanSpy",
              "display_name": "TrojanSpy",
              "target": null
            },
            {
              "id": "Maltiverse",
              "display_name": "Maltiverse",
              "target": null
            },
            {
              "id": "WebToolbar",
              "display_name": "WebToolbar",
              "target": null
            },
            {
              "id": "Radar Ineractive",
              "display_name": "Radar Ineractive",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1043",
              "name": "Commonly Used Port",
              "display_name": "T1043 - Commonly Used Port"
            },
            {
              "id": "T1179",
              "name": "Hooking",
              "display_name": "T1179 - Hooking"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "TA0004",
              "name": "Privilege Escalation",
              "display_name": "TA0004 - Privilege Escalation"
            },
            {
              "id": "T1210",
              "name": "Exploitation of Remote Services",
              "display_name": "T1210 - Exploitation of Remote Services"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1450",
              "name": "Exploit SS7 to Track Device Location",
              "display_name": "T1450 - Exploit SS7 to Track Device Location"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1423",
              "name": "Network Service Scanning",
              "display_name": "T1423 - Network Service Scanning"
            },
            {
              "id": "T1035",
              "name": "Service Execution",
              "display_name": "T1035 - Service Execution"
            },
            {
              "id": "T1563",
              "name": "Remote Service Session Hijacking",
              "display_name": "T1563 - Remote Service Session Hijacking"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            },
            {
              "id": "T1110.002",
              "name": "Password Cracking",
              "display_name": "T1110.002 - Password Cracking"
            },
            {
              "id": "T1427",
              "name": "Attack PC via USB Connection",
              "display_name": "T1427 - Attack PC via USB Connection"
            },
            {
              "id": "T1445",
              "name": "Abuse of iOS Enterprise App Signing Key",
              "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key"
            },
            {
              "id": "T1453",
              "name": "Abuse Accessibility Features",
              "display_name": "T1453 - Abuse Accessibility Features"
            },
            {
              "id": "T1472",
              "name": "Generate Fraudulent Advertising Revenue",
              "display_name": "T1472 - Generate Fraudulent Advertising Revenue"
            },
            {
              "id": "T1173",
              "name": "Dynamic Data Exchange",
              "display_name": "T1173 - Dynamic Data Exchange"
            },
            {
              "id": "T1410",
              "name": "Network Traffic Capture or Redirection",
              "display_name": "T1410 - Network Traffic Capture or Redirection"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": "654971c396ca4306a6534b12",
          "export_count": 22,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 4091,
            "hostname": 2422,
            "URL": 3167,
            "FileHash-MD5": 1424,
            "FileHash-SHA1": 983,
            "FileHash-SHA256": 3174,
            "CVE": 10,
            "email": 25
          },
          "indicator_count": 15296,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 234,
          "modified_text": "592 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "668318428080452342a0699d",
          "name": "FormBook (MaaS) - Injection",
          "description": "Gained access to the victim's likely unprotected device via a PowerPoint document, fully infecting the victim's business devices. \u2206 FormBook malware (AKA xLoader) is classified as a stealer (spyware) and, as its name implies, is known for its form-grabbing techniques that extract data directly from website HTML forms, as well as its ability to steal data from keystrokes, browser autofill features, and the copy-and-paste clipboard.",
          "modified": "2024-07-31T19:00:14.104000",
          "created": "2024-07-01T20:57:38.668000",
          "tags": [
            "search",
            "entries",
            "show",
            "read c",
            "showing",
            "copy",
            "high process",
            "injection t1055",
            "allocates",
            "checks",
            "write",
            "win32",
            "malware",
            "win32 exe",
            "pe32 executable",
            "ms windows",
            "intel",
            "generic cil",
            "executable",
            "mono",
            "win32 dynamic",
            "link library",
            "win16 ne",
            "assembly common",
            "clr version",
            "assembly name",
            "address",
            "assembly",
            "rva entry",
            "streams size",
            "entropy chi2",
            "guid",
            "blob",
            "rticon neutral",
            "neutral",
            "info header",
            "name md5",
            "type",
            "language",
            "contained",
            "sha256",
            "png rticon",
            "type name",
            "ip detections",
            "country",
            "contacted",
            "execution",
            "namecheap inc",
            "namesilo",
            "cosmotown",
            "cv jogjacamp",
            "hong kong",
            "juming network",
            "webcc",
            "domains",
            "android",
            "win32 dll",
            "njrat",
            "synapse",
            "stealer",
            "get http",
            "connection",
            "windows nt",
            "host",
            "sdermh request",
            "post http",
            "request",
            "origin http",
            "accept",
            "win64",
            "samplepath",
            "file execution",
            "process",
            "created",
            "shell commands",
            "c cmd",
            "f json",
            "k wersvcgroup",
            "tree",
            "windir",
            "sdermh",
            "historical ssl",
            "runtime-modules",
            "detect-debug-environment",
            "direct-cpu-clock-access",
            "crypto_obfuscator",
            "memcommit",
            "createsuspended",
            "cryptexportkey",
            "invalid pointer",
            "medium",
            "keylogger",
            "process hollowing"
          ],
          "references": [
            "Formbook \u2022 Stealer\u2022 BCBNFD.exe - FileHash-SHA256 f69e4fd7802b9947826db300268eb4a88d14a4a30e5e7617cebe17d1584f6c26",
            "https://www.virustotal.com/gui/file/f69e4fd7802b9947826db300268eb4a88d14a4a30e5e7617cebe17d1584f6c26/detection",
            "https://otx.alienvault.com/indicator/file/f69e4fd7802b9947826db300268eb4a88d14a4a30e5e7617cebe17d1584f6c26",
            "Yara Detections: ConventionEngine_Term_Users ,  ConventionEngine_Term_Documents ,  ConventionEngine_Keyword_Obfuscat ,  DotNET_Crypto_Obfuscator",
            "Alerts: injection_runpe allocates_execute_remote_process injection_modifies_memory allocates_rwx packer_entropy privilege_luid_check terminates_remote_process checks_debugger generates_crypto_key",
            "Win32:PWSX-gen\\ [Trj]: FileHash-MD5 183666b988ee12982a774e26adb30ce0",
            "Win32:PWSX-gen\\ [Trj]: FileHash-SHA1 27d6f0a6c36d3f198f41485e8d73da19d0569c9e",
            "Win32:PWSX-gen\\ [Trj]: FileHash-SHA256 f69e4fd7802b9947826db300268eb4a88d14a4a30e5e7617cebe17d1584f6c26",
            "Formbook: FileHash-MD5 ab9077915a4f2f52de634df05b681849",
            "Formbook: FileHash-SHA1 0162d8c955aaf0f9f0cd6f7365c5ba514be895c6",
            "Formbook: FileHash-SHA256 06c7385ce806a0c86049b99d727503a8e04f06989d9f4f5002cde47efc0b55b7",
            "Formbook: FileHash-MD5 3fed8c5a7c3a95c9270d18c304f19655",
            "Formbook: FileHash-SHA1 e8e453dd5fd6a37f65889b2c3b289f954bfc3c3b",
            "Formbook: FileHash-SHA256 4f5a404fc51da90adc3d3b690924263e64bfbf7c3e9918a949e10aca0f3096d1",
            "YARA Signature Match - THOR APT Scanner  RULE: SUSP_CryptoObfuscator RULE_SET: Livehunt - Suspicious8 Indicators \ud83c\udff9 \u2022 Florian Roth",
            "RULE_TYPE: THOR APT Scanner's rule set only \ud83d\udd28 RULE_LINK: https://valhalla.nextron-systems.com/info/rule/SUSP_CryptoObfuscator \u2022 Florian Roth",
            "DESCRIPTION: Detects file obfuscated with CryptoObfuscator RULE_AUTHOR: Florian Roth",
            "More information: https://www.nextron-systems.com/notes-on-virustotal-matches/",
            "CryptoObfuscator"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Win32:PWSX-gen\\ [Trj]",
              "display_name": "Win32:PWSX-gen\\ [Trj]",
              "target": null
            },
            {
              "id": "FormBook",
              "display_name": "FormBook",
              "target": null
            },
            {
              "id": "TrojanSpy:MSIL/Formbook",
              "display_name": "TrojanSpy:MSIL/Formbook",
              "target": "/malware/TrojanSpy:MSIL/Formbook"
            }
          ],
          "attack_ids": [
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            },
            {
              "id": "T1587.001",
              "name": "Malware",
              "display_name": "T1587.001 - Malware"
            },
            {
              "id": "TA0011",
              "name": "Command and Control",
              "display_name": "TA0011 - Command and Control"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 12,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 1,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 153,
            "FileHash-SHA1": 136,
            "FileHash-SHA256": 462,
            "URL": 236,
            "hostname": 66,
            "domain": 245
          },
          "indicator_count": 1298,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 221,
          "modified_text": "627 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "659fa1fad840744f75eb2d14",
          "name": "Worm:Win32/Benjamin IoC's",
          "description": "https://otx.alienvault.com/malware/Worm:Win32%2FBenjamin/samples | \nFiles Matching Antivirus Detection - 296,250 \nNetwork Icmp\nPersistence Autorun\nNetwork Http\nDynamic Function Loading\nProcmem Yara\nInjection Rwx\nPowershell Request\nDead Connect\nSuricata Alert\nPe Features\nPacker Entropy\nAntivm Memory Available\nAllocates Rwx\nCreates Exe\nPacker Polymorphic\nNids Alert\nDead Host\nNolookup Communication",
          "modified": "2024-02-10T07:03:55.140000",
          "created": "2024-01-11T08:08:26.689000",
          "tags": [
            "worm",
            "win32",
            "benjamin",
            "passive dns",
            "as47846",
            "germany unknown",
            "urls",
            "next",
            "scan endpoints",
            "all octoseek",
            "unknown",
            "threat roundup",
            "ssl certificate",
            "whois record",
            "august",
            "april",
            "execution",
            "october",
            "july",
            "march",
            "contacted",
            "june",
            "emotet",
            "quasar",
            "core",
            "hacktool",
            "goldfinder",
            "sibot",
            "ryuk",
            "drxk0gdg2s06f8p",
            "cfom2jtlf",
            "k60zzli http",
            "whois whois",
            "historical ssl",
            "resolutions",
            "referrer"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 15,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 144,
            "FileHash-SHA1": 145,
            "FileHash-SHA256": 2888,
            "hostname": 1075,
            "domain": 1007,
            "URL": 4964,
            "CVE": 1
          },
          "indicator_count": 10224,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 222,
          "modified_text": "800 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "654971c396ca4306a6534b12",
          "name": "njRAT| BazarLoader| Daekside2020 .Beware \u2022 WebToolbar \u2022 Qbot",
          "description": "CNC, botnetwork, malware attacks, malvertising, remote attacks, decryption, device stalking, 'has own property call command', illegal service interference, teen and adult content, cyber stalking, password cracking. Intimidation, harassment, threatening, libel, cybercrime, hacking, defacement",
          "modified": "2023-12-06T21:03:06.189000",
          "created": "2023-11-06T23:07:46.880000",
          "tags": [
            "whois record",
            "ssl certificate",
            "historical ssl",
            "resolutions",
            "referrer",
            "communicating",
            "subdomains",
            "domains",
            "problems",
            "urls http",
            "ransomware",
            "malware",
            "contacted",
            "dropped",
            "execution",
            "tsara brashears",
            "apple ios",
            "whois whois",
            "unlocker",
            "njrat",
            "core",
            "hacktool",
            "metro",
            "download",
            "critical",
            "copy",
            "relic",
            "monitoring",
            "installer",
            "awful",
            "open",
            "banker",
            "keylogger",
            "malicious",
            "tofsee",
            "mitre attack",
            "et",
            "cisco umbrella",
            "internet storm",
            "site",
            "covid19",
            "cyber threat",
            "safe site",
            "cobalt strike",
            "malicious url",
            "alexa",
            "script urls",
            "united",
            "a domains",
            "as396982 google",
            "as15169 google",
            "search",
            "cname",
            "accept encoding",
            "showing",
            "unknown",
            "date",
            "body",
            "meta",
            "encrypt",
            "domain related",
            "as396982",
            "creation date",
            "expiration date",
            "scan endpoints",
            "all octoseek",
            "hostname",
            "pulse submit",
            "url analysis",
            "passive dns",
            "urls",
            "next",
            "all search",
            "otx octoseek",
            "as7922 comcast",
            "as16276",
            "as54113",
            "aaaa",
            "france unknown",
            "as14061",
            "status",
            "as40509",
            "ip address",
            "for privacy",
            "as44273 host",
            "record value",
            "certificate",
            "gmt content",
            "x sucuri",
            "as8075",
            "nxdomain",
            "as30148 sucuri",
            "as20940",
            "as31898 oracle",
            "hong kong",
            "as139021",
            "msie",
            "chrome",
            "ipv4",
            "blacklist http",
            "detection list",
            "blacklist",
            "files",
            "location hong",
            "kong asn",
            "tags none",
            "indicator facts",
            "name verdict",
            "falcon sandbox",
            "mail spammer",
            "tor known",
            "tor relayrouter",
            "exit",
            "node tcp",
            "traffic",
            "heur",
            "malicious site",
            "alexa top",
            "million",
            "alexa proxy",
            "outbreak",
            "installcore",
            "acint",
            "conduit",
            "installpack",
            "iobit",
            "artemis",
            "dropper",
            "mediaget",
            "crack",
            "spammer",
            "france mail",
            "summary",
            "url summary",
            "phishing",
            "union",
            "team",
            "bank",
            "unsafe",
            "threat report",
            "ip summary",
            "pattern match",
            "script",
            "et tor",
            "known tor",
            "relayrouter",
            "node traffic",
            "misc attack",
            "beginstring",
            "null",
            "error",
            "span",
            "class",
            "generator",
            "refresh",
            "tools",
            "hybrid",
            "general",
            "click",
            "strings",
            "servers",
            "ps ord",
            "name servers",
            "poetry",
            "moved",
            "content length",
            "content type",
            "x powered",
            "poems",
            "poem",
            "topic",
            "topics",
            "poem topics",
            "free poems",
            "love poems",
            "romantic poems",
            "classic poems",
            "friendship poems",
            "shone pale",
            "herself",
            "heavens",
            "her beam",
            "a fleecy",
            "proud evening",
            "star",
            "thou bearest",
            "heaven",
            "than",
            "google",
            "http",
            "leasewebuklon11",
            "search live",
            "api blog",
            "docs pricing",
            "login",
            "february",
            "gb summary",
            "london",
            "april",
            "screenshot",
            "url https",
            "reverse dns",
            "general full",
            "name value",
            "frankfurt",
            "main",
            "germany",
            "asn15169",
            "resource",
            "hashes",
            "copyright",
            "gmbh version",
            "follow",
            "blacklist https",
            "phishing site",
            "malware site",
            "riskware",
            "opencandy",
            "cleaner",
            "iframe",
            "xtrat",
            "agent",
            "softcnapp",
            "generic",
            "patcher",
            "driverpack",
            "exploit",
            "mimikatz",
            "downldr",
            "presenoker",
            "fusioncore",
            "wacatac",
            "beach research",
            "trojanspy",
            "maltiverse",
            "firehol",
            "proxy",
            "anonymizer",
            "adware",
            "kuaizip",
            "downer",
            "tag count",
            "tue apr",
            "sample",
            "samples",
            "fakealert",
            "genkryptik",
            "icedid",
            "coinminer",
            "nircmd",
            "swrort",
            "systweak",
            "behav",
            "tiggre",
            "filetour",
            "quasar rat",
            "fuery",
            "bazaloader",
            "media",
            "facebook",
            "service",
            "runescape",
            "webtoolbar",
            "a9dia",
            "a1ginaprincipal",
            "emails",
            "registrar",
            "http header",
            "tcp traffic",
            "et useragents",
            "unknown traffic",
            "antivirus",
            "server",
            "gmt united",
            "accept",
            "local",
            "path",
            "falcon",
            "file",
            "ascii text",
            "windows nt",
            "png image",
            "appdata",
            "jpeg image",
            "indicator",
            "twitter",
            "westlaw njrat",
            "zuorat",
            "skynet bot",
            "glupteba",
            "asn4583",
            "thomsonreuters",
            "asn209242",
            "june",
            "back",
            "united kingdom",
            "cisco",
            "umbrella rank",
            "rank",
            "page url",
            "as autonomous",
            "system",
            "yndx",
            "ipasns ip",
            "november",
            "de summary",
            "comodo rsa",
            "security tls",
            "software",
            "resource hash",
            "security",
            "ecdhersa",
            "de indicators",
            "de page",
            "url history",
            "javascript",
            "gts ca",
            "secure server",
            "markmonitor",
            "ip information",
            "detail domains",
            "domain tree",
            "links certs",
            "frames domain",
            "requested",
            "threat roundup",
            "march",
            "threat round",
            "parent parent",
            "roundup",
            "january",
            "threats",
            "qbot",
            "cyberwar",
            "skynet",
            "radar ineractive",
            "control server",
            "engineering",
            "host",
            "services",
            "pony",
            "nanocore rat",
            "meterpreter",
            "zeus",
            "zbot",
            "suppobox",
            "stealer",
            "redline stealer",
            "dnspionage",
            "mirai",
            "nanocore",
            "bradesco",
            "emotet",
            "laplasclipper",
            "asn16276",
            "get h2",
            "kb image",
            "august",
            "kali",
            "localappdata",
            "network traffic",
            "binary file",
            "svg scalable",
            "vector graphics",
            "mwin",
            "domain",
            "url http",
            "pulse pulses",
            "related nids",
            "files location",
            "customer",
            "address",
            "as29789",
            "hosting",
            "location united",
            "status hostname",
            "query type",
            "address first",
            "seen last",
            "seen asn",
            "country unknown",
            "urls date",
            "checked url",
            "hostname server",
            "response ip",
            "address google",
            "safe browsing",
            "present mar",
            "pulse indicator",
            "protocol h2",
            "value",
            "variables",
            "waypoint object",
            "gsqueue",
            "isotope",
            "hostnames",
            "ice fog",
            "maltiverse top",
            "financial",
            "as62597 nsone",
            "sec ch",
            "domains show",
            "entries",
            "as14720 gamma",
            "canada unknown",
            "as397241",
            "as13335",
            "applicunwnt",
            "xrat",
            "maltiverse safe",
            "aig",
            "soc",
            "hallrender",
            "brian sabey",
            "mark brian sabey",
            "sabey",
            "mark",
            "sabey",
            "data center",
            "malvertizing",
            "malware host",
            "scanning host",
            "botnetwork",
            "colorado",
            "edsaid",
            "geotracking",
            "satellite tracking",
            "radar tracking",
            "pornhub",
            "child teen content illegal",
            "social engineering",
            "cyber stalking",
            "CVE-2023-4966",
            "device control",
            "camera usage",
            "hidden users",
            "message interception",
            "text archiver",
            "mail collection",
            "remote attacks",
            "js",
            "python",
            "inject",
            "sql",
            "extraction",
            "AIG Claims",
            "hallrender.com",
            "soc",
            "milemighmedia",
            "westlaw",
            "revengeporn",
            "bot",
            "regex",
            "ai",
            "yandex"
          ],
          "references": [
            "web2.westlaw.com    (redirects to thbrzzrstr.me)",
            "http://web2.westlaw.com/ (redirect) https://signon.thomsonreuters.com/?productid=CBT&lr=0&culture=en-US&returnto=https%3a%2f%2f1.next.westlaw.com%...",
            "https://hybrid-analysis.com/sample/8bf763ce9396c4569afbae58392097fd57408339c0ac59ec256468c9fd8ac4c5/6548ebfe56b25bab28017757",
            "https://urlscan.io/result/2285cee3-1e08-4e63-b48f-ee685e008480/#summary",
            "https://hybrid-analysis.com/sample/86479bf7c9a675913b93a0d399f5cbe0c0e8003239e93ae5e00f97cdbc5ec5ba/5c5c13577ca3e12626364777",
            "https://urlscan.io/result/4f0cabbf-9716-47dd-bd5c-038a953e6672/",
            "Malware Host: HallRender.com",
            "riverside.rocks (safebae.com remote uTorrent) https://hybrid-analysis.com/sample/11108ef17bd75f36e0d22d95b1f3bde3e9fa968a78a24c2d2508f4238e22651d/6326a50be4a8a71b885f5bf3",
            "safebae.org",
            "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu    (phishing | cybercrime)",
            "Hallrender.com and Westlaw.com.= http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu",
            "Poemhunter.com + rally point.com = pornhub.dev",
            "Pornhub dev VT community: https://www.virustotal.com/gui/domain/pornhub.dev/community",
            "Poemhunter.com: https://hybrid-analysis.com/sample/86479bf7c9a675913b93a0d399f5cbe0c0e8003239e93ae5e00f97cdbc5ec5ba",
            "https://www.poemhunter.com/tsara-brashears/poems/: https://urlscan.io/result/4f0cabbf-9716-47dd-bd5c-038a953e6672/",
            "Rallypoint.com https://hybrid-analysis.com/sample/66287c2c36699037cb504201693e26b5f3282cebde1d1c78aecd6f97f04fb694",
            "Malicious revenge malvertizing: https://www.milehighmedia.com/legal/2257",
            "https://www.anyxxxtube.net/search-porn/tsara-brashears/",
            "https://matrix.pornhub.dev",
            "nr-data.net",
            "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/icons/apple-touch-icon-76x76.png",
            "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/icons/apple-touch-icon.png",
            "https://apple.pantion.top/",
            "newrelic.se",
            "user-apple.info",
            "appleid-comloginaccount.info",
            "init-p01st.push.apple.com",
            "boostmobile.com",
            "www.metrobyt-mobile.com",
            "http://bpdb.portal.gov.bd:3128/sites/default/files/files/bpdb.portal.gov.bd/npfblock/2021-34bc869d2906198362a4346373ce5b94.jpg",
            "https://b.link/infringement",
            "my.mintmobile.com",
            "CVE-2023-4966",
            "http://watchhers.net/index.php",
            "https://rr2---sn-4g5ednsz.googlevideo.com/videoplayback?expire=1699319292&ei=nDlJZfb4G43E-gaYt5XoDg&ip=2001%3A1b60%3A2%3A240%3A3247%3A%3A"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Spain",
            "Netherlands",
            "Canada",
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Tsara Brashears",
              "display_name": "Tsara Brashears",
              "target": null
            },
            {
              "id": "Mitre Attack",
              "display_name": "Mitre Attack",
              "target": null
            },
            {
              "id": "ET",
              "display_name": "ET",
              "target": null
            },
            {
              "id": "Beach Research",
              "display_name": "Beach Research",
              "target": null
            },
            {
              "id": "TrojanSpy",
              "display_name": "TrojanSpy",
              "target": null
            },
            {
              "id": "Maltiverse",
              "display_name": "Maltiverse",
              "target": null
            },
            {
              "id": "WebToolbar",
              "display_name": "WebToolbar",
              "target": null
            },
            {
              "id": "Radar Ineractive",
              "display_name": "Radar Ineractive",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1043",
              "name": "Commonly Used Port",
              "display_name": "T1043 - Commonly Used Port"
            },
            {
              "id": "T1179",
              "name": "Hooking",
              "display_name": "T1179 - Hooking"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "TA0004",
              "name": "Privilege Escalation",
              "display_name": "TA0004 - Privilege Escalation"
            },
            {
              "id": "T1210",
              "name": "Exploitation of Remote Services",
              "display_name": "T1210 - Exploitation of Remote Services"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1450",
              "name": "Exploit SS7 to Track Device Location",
              "display_name": "T1450 - Exploit SS7 to Track Device Location"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1423",
              "name": "Network Service Scanning",
              "display_name": "T1423 - Network Service Scanning"
            },
            {
              "id": "T1035",
              "name": "Service Execution",
              "display_name": "T1035 - Service Execution"
            },
            {
              "id": "T1563",
              "name": "Remote Service Session Hijacking",
              "display_name": "T1563 - Remote Service Session Hijacking"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            },
            {
              "id": "T1110.002",
              "name": "Password Cracking",
              "display_name": "T1110.002 - Password Cracking"
            },
            {
              "id": "T1427",
              "name": "Attack PC via USB Connection",
              "display_name": "T1427 - Attack PC via USB Connection"
            },
            {
              "id": "T1445",
              "name": "Abuse of iOS Enterprise App Signing Key",
              "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key"
            },
            {
              "id": "T1453",
              "name": "Abuse Accessibility Features",
              "display_name": "T1453 - Abuse Accessibility Features"
            },
            {
              "id": "T1472",
              "name": "Generate Fraudulent Advertising Revenue",
              "display_name": "T1472 - Generate Fraudulent Advertising Revenue"
            },
            {
              "id": "T1173",
              "name": "Dynamic Data Exchange",
              "display_name": "T1173 - Dynamic Data Exchange"
            },
            {
              "id": "T1410",
              "name": "Network Traffic Capture or Redirection",
              "display_name": "T1410 - Network Traffic Capture or Redirection"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 140,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 4018,
            "hostname": 2152,
            "URL": 2105,
            "FileHash-MD5": 1223,
            "FileHash-SHA1": 783,
            "FileHash-SHA256": 2789,
            "CVE": 9,
            "email": 25
          },
          "indicator_count": 13104,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 228,
          "modified_text": "865 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "set-printer-options-header.tmpl",
        "gumbo.h",
        "backup.h",
        "SharedWithYouCore.tbd",
        "Virtualization.h",
        "VZVirtioTraditionalMemoryBalloonDeviceConfiguration.h",
        "PKPushRegistry.h",
        "VZLinuxRosettaCachingOptions.h",
        "VZVirtioConsolePortConfiguration.h",
        "OpenDirectory.h",
        "PKDefines.h",
        "SCContentSharingPicker.h",
        "svg_tags.c",
        "VZPlatformConfiguration.h",
        "alc.h",
        "VZVirtualMachine.h",
        "printer-accept.tmpl",
        "VTPixelTransferSession.h",
        "VZEFIVariableStore.h",
        "sqlite3_ruby.h",
        "Win32:PWSX-gen\\ [Trj]: FileHash-SHA1 27d6f0a6c36d3f198f41485e8d73da19d0569c9e",
        "VZGraphicsDeviceConfiguration.h",
        "VTFrameSilo.h",
        "SCScreenshotManager.h",
        "MTLAccelerationStructureCommandEncoder.h",
        "ipp-2.1.test",
        "print-job-manual.test",
        "faq.rb",
        "html4_sax_parser_context.c",
        "nsmb.conf",
        "http://bpdb.portal.gov.bd:3128/sites/default/files/files/bpdb.portal.gov.bd/npfblock/2021-34bc869d2906198362a4346373ce5b94.jpg",
        "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu    (phishing | cybercrime)",
        "Pornhub dev VT community: https://www.virustotal.com/gui/domain/pornhub.dev/community",
        "MTLArgument.h",
        "tokenizer_states.h",
        "VZMacMachineIdentifier.h",
        "print-job.test",
        "hp.h",
        "https://urlscan.io/result/4f0cabbf-9716-47dd-bd5c-038a953e6672/",
        "VZNATNetworkDeviceAttachment.h",
        "SWUpdateCollaborationParticipantsAction.h",
        "https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864647&Signature=mDHtSOi0zOPuqTTrMsZZ%2BVpqtKq5cnDBge5WCtUppoR8EfcB14tzbezXHfWuEIyjLzT5N3b8WzssT3rIN76R8yEfCMMe32RXWxX3B5Tz%2FF%2BmLQ95M2ysgIHlBEnV4ndYMRbPmJgfEV8X1at%2BQxGaOWCwifeB%2Fjd9hGk0jPWA9aLGj4Lleu%2FzV%2FyljXp2Ncxquv54TyDh55F0W1W0QD9R4i1VpZqh2UpnvpCi8RSM16",
        "ipp-2.2.test",
        "printer-configured.tmpl",
        "RULE_TYPE: THOR APT Scanner's rule set only \ud83d\udd28 RULE_LINK: https://valhalla.nextron-systems.com/info/rule/SUSP_CryptoObfuscator \u2022 Florian Roth",
        "get-devices.test",
        "SWCollaborationActionHandler.h",
        "IDS Detections: Tempedreve Checkin Hiloti Style GET to PHP with invalid terse MSIE headers W32/Bayrob Attempted Checkin 2",
        "www.crackedmindstechnologies.com",
        "rbCFPropertyList.rb",
        "option-header.tmpl",
        "get-ppds-product.test",
        "VTPixelTransferProperties.h",
        "option-boolean.tmpl",
        "unclassified",
        "libxml.rb",
        "mime.convs",
        "VZUSBDeviceConfiguration.h",
        "ipp-2.0.test",
        "XPdb-wal",
        "VZFileHandleSerialPortAttachment.h",
        "MTLBuffer.h",
        "VZStorageDevice.h",
        "VZXHCIController.h",
        "arm64e-apple-macos.swiftinterface",
        "rbCFTypes.rb",
        "ODNode.h",
        "MTLVisibleFunctionTable.h",
        "Alerts: infostealer_cookies persistence_autorun recon_programs recon_fingerprint removes_zoneid_ads anomalous_deletefile",
        "SWCollaborationShareOptions.h",
        "ihs-markit-login-changes-update-august-2020.pdf [file below]",
        "Formbook: FileHash-SHA1 0162d8c955aaf0f9f0cd6f7365c5ba514be895c6",
        "xml_sax_push_parser.c",
        "job-hold.tmpl",
        "MTLFunctionHandle.h",
        "VZMacGraphicsDevice.h",
        "MTLRenderPass.h",
        "VZNetworkDeviceAttachment.h",
        "ipp-1.1.test",
        "VideoToolbox.h",
        "VZMacPlatformConfiguration.h",
        "choose-serial.tmpl",
        "class-added.tmpl",
        "vector.c",
        "topsecret",
        "printer-stop.tmpl",
        "ascii.c",
        "Ruby.tbd",
        "web2.westlaw.com    (redirects to thbrzzrstr.me)",
        "print-job-deflate.test",
        "ExmanProcessMutex",
        "More information: https://www.nextron-systems.com/notes-on-virustotal-matches/",
        "https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://www.forensickb.com/2013/03/file-entropy-explained.html",
        "VZVirtioConsoleDeviceSerialPortConfiguration.h",
        "set-printer-options-trailer.tmpl",
        "get-subscriptions.test",
        "SWCollaborationCoordinator.h",
        "MTLResourceStateCommandEncoder.h",
        "IDS Detections:  User-Agent (explwer) Hiloti/Mufanom Downloader Checkin Win32/Unruy.R Checkin Ransom.Win32.Birele.gsg Checkin Observed GandCrab Ransomware Domain (ransomware .bit in DNS Lookup)",
        "VZAudioInputStreamSource.h",
        "http://web2.westlaw.com/ (redirect) https://signon.thomsonreuters.com/?productid=CBT&lr=0&culture=en-US&returnto=https%3a%2f%2f1.next.westlaw.com%...",
        "P\u2019s Contacted:  93.184.221.240  3.33.130.190 |  Domains Contacted: counterslocal.com",
        "VZMacGraphicsDeviceConfiguration.h",
        "ipp-everywhere.test",
        "VZUSBMassStorageDevice.h",
        "xml_sax_parser_context.c",
        "Metal.apinotes",
        "Metal.h",
        "VZMacOSRestoreImage.h",
        "PKPushCredentials.h",
        "get-notifications.test",
        "add-class.tmpl",
        "MTLStageInputOutputDescriptor.h",
        "MTLAccelerationStructure.h",
        "VZVirtualMachineView.h",
        "choose-device.tmpl",
        "job-cancel.tmpl",
        "Internal Name: NNnK.exe File Version: 1.88.0.0 Comments: Gynecology *File Unsigned",
        "fax-job.test",
        "VZUSBControllerConfiguration.h",
        "job-move.tmpl",
        "libvDSP.tbd",
        "MTLArgumentEncoder.h",
        "VZBridgedNetworkInterface.h",
        "error-op.tmpl",
        "tag_lookup.c",
        "tag.c",
        "SWAction.h",
        "token_buffer.h",
        "create-job-sheets.test",
        "MTLResourceStatePass.h",
        "apple.convs",
        "vector.h",
        "ODSession.h",
        "rbLibXMLParser.rb",
        "https://vtbehaviour.commondatastorage.googleapis.com/3e8cba5ce163a9275fe8d4e3f70fbc9815423b9a56b12e7fb03693731e359168_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864913&Signature=IouqGht2TIixfjPtpgKYXJa3ScKi4POLcjQ5l1QIvD%2FFa5zZyHMSYcu%2BxmFWI7uYljRPLlgpgSkRCmIw8EC4uFBI30ISHg83%2F50%2BiqTogu3I4rUpYoX3AQ7hXJwj%2Bz4YoYTt9SoS7jb9WfTUcNYHoIzY9ISoBzndPQfvv5155GpqsCvDXCT2Fd%2Byks95PB9FEdHE1SKYmlWsxPctfAYSIT2mOmBRTrxWO%2BrAUwTATD3cQts0",
        "set-attrs-hold.test",
        "VZLinuxRosettaUnixSocketCachingOptions.h",
        "VZVirtualMachineDelegate.h",
        "printer.tmpl",
        "MTLIOCommandBuffer.h",
        "WebKit.arm64e.bridgesupport",
        "MTLFence.h",
        "VZUSBScreenCoordinatePointingDeviceConfiguration.h",
        "cancel-current-job.test",
        "print-job-media-col.test",
        "xml_entity_decl.c",
        "xml_attribute_decl.c",
        "MTLLogState.h",
        "secret",
        "create-job-format.test",
        "VZNVMExpressControllerDeviceConfiguration.h",
        "SWPersonIdentity.h",
        "https://apple.pantion.top/",
        "MTLIndirectCommandBuffer.h",
        "appleid-comloginaccount.info",
        "https://vtbehaviour.commondatastorage.googleapis.com/00143c38c4f0e4642e956235dac0f589c05c54100015c6f59d4825e9e8400eca_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775865231&Signature=wOONPZI5bCeW4bmQtYa7YV2UQnoPlndg3PkyxqT8OnVSk223qDWubHicrXJAcOXLFj%2FSynVv96i7h1PMkfbz2Ui0lcpPZUjU7sQhWM8wkR2WVoS3YjGgvTEi9pM1ugWhFqDaoNTlaPgNWTVjffc5d%2FPGpVtT6N45P0D2K0%2BEpNuScgpy64%2BrivKYv1pak5OuNuz9mQczkvh4JqLEna59MjTGN9sd5yDBto4EgIoaLYqnBpg8Zn9s2t",
        "html4_entity_lookup.c",
        "notify.conf",
        "https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864361&Signature=veuhxaGctQeo8%2Fn4rw%2B0WB9QOIg%2BQ1N8MB7v3DwF%2B62SjERN%2FRvB6TDfvUUTTliDHAoHz3fjS19CbwtV1Unc1am%2B%2BFc7y%2FvbN%2FI2hV89mw0rCJH%2FQO9AEkKW%2BarXuvgc%2FhRwTho4ZnesEmMpmyTKqbGVDug%2BytkzAr9LluXTWzriWnG1JT1EudSc4CRQEorYeNyPlA7BPaIKmulDdM5whcIEVDFq4ZCywyfT",
        "VZUSBController.h",
        "MTLIOCommandQueue.h",
        "https://matrix.pornhub.dev",
        "YARA Signature Match - THOR APT Scanner  RULE: SUSP_CryptoObfuscator RULE_SET: Livehunt - Suspicious8 Indicators \ud83c\udff9 \u2022 Florian Roth",
        "Poemhunter.com: https://hybrid-analysis.com/sample/86479bf7c9a675913b93a0d399f5cbe0c0e8003239e93ae5e00f97cdbc5ec5ba",
        "Win32:PWSX-gen\\ [Trj]: FileHash-MD5 183666b988ee12982a774e26adb30ce0",
        "VZVirtualMachineConfiguration.h",
        "token_type.h",
        "MTLDefines.h",
        "OpenDirectory.tbd",
        "https://vtbehaviour.commondatastorage.googleapis.com/7395f24f709e2c947593e7124f0107a17bf71f9eff782433f00e9aae27edf6fc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864790&Signature=QkiaGhOWFVTMnStxmaJJIVM9Z8cz0n2iUzL%2FmuCfsmMoY%2FI3LrqCLHlcuXzKKyDez5hRYK0DX3OkzaB4F89LFeO6CNQkxxgGBDkjCpg%2Fuyr2HtCZjkFFbEJONHPDJBkBB7JsVRdhR7RveUC2dBG7Wyna%2BF7NYrB3F8lJxQQCwlkFSUiIeF1H6fHA71w3QHiuw61QRe8qkpUK%2BNQfyAeYiLvIhNFj5g4j%2BRVk13k44QjeCxKog1rRZkdp%2",
        "classes.tmpl",
        "macros.h",
        "epson.h",
        "xml_namespace.c",
        "MTLParallelRenderCommandEncoder.h",
        "database.h",
        "xml.rb",
        "raster.defs",
        "trailer.tmpl",
        "VZVirtioGraphicsScanout.h",
        "standard",
        "xml_xpath_context.c",
        "http://watchhers.net/index.php",
        "sqlite3.c",
        "VZConsolePortConfiguration.h",
        "VZLinuxRosettaAbstractSocketCachingOptions.h",
        "MTLTexture.h",
        "printer-start.tmpl",
        "xml_sax_parser.c",
        "get-job-attributes.test",
        "option-trailer.tmpl",
        "CFODNode.h",
        "VZLinuxRosettaDirectoryShare.h",
        "WebKit.bridgesupport",
        "newrelic.se",
        "https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864214&Signature=Vf0JKebhqo0MUHhpU%2B3Xut2g8SN7IheaL%2FNfOTLj1y8v1aHrjA6QI2jq%2BIVJeWXo8%2Fzpj%2Bd3DpryffdQjNsuRSSn06dSJy%2FvNi5F67wa1RiaanLuxRRK0cWKKrWO9ZQGXVWal8%2BNCVTaMRdhHmkbFou6FA67a1owXMn0IdsdZYIAwgumeuvrMsbnKKkOcd4GucEGy0d9oj63SbZGI%2BwjT5BPH2Tq3O%2BQM%2BPv3XWuZ71sfOOGgD",
        "printer-deleted.tmpl",
        "Interesting Strings: http://service.real.com/realplayer/security/02062012_player/en/",
        "print-job-and-wait.test",
        "identify-printer-display.test",
        "option-pickmany.tmpl",
        "VZDefines.h",
        "VZSocketDeviceConfiguration.h",
        "parser.c",
        "6015FED9-D723-4332-87D9-C478CF341407.aamdownload",
        "VZPointingDeviceConfiguration.h",
        "VTRAWProcessingProperties.h",
        "pager.tmpl",
        "init-p01st.push.apple.com",
        "Formbook: FileHash-SHA256 06c7385ce806a0c86049b99d727503a8e04f06989d9f4f5002cde47efc0b55b7",
        "error.tmpl",
        "attribute.h",
        "MTLIndirectCommandEncoder.h",
        "xml_entity_reference.c",
        "label.h",
        "VZNetworkDevice.h",
        "user-apple.info",
        "VZSingleDirectoryShare.h",
        "MTLRenderPipeline.h",
        "com.adobe.acrobat.rna.AcroCefBrowserLock.DC",
        "VZVirtioBlockDeviceConfiguration.h",
        "https://open-app.galaxus.com",
        "xml_dtd.c",
        "VTPixelRotationSession.h",
        "NSOpenDirectory.h",
        "MTLLibrary.h",
        "ODModuleEntry.h",
        "printer-added.tmpl",
        "VZGenericMachineIdentifier.h",
        "VZConsoleDeviceConfiguration.h",
        "MTLRenderCommandEncoder.h",
        "get-printers-printer-id.test",
        "mime.types",
        "proxy.xml",
        "parser.h",
        "MTLCaptureManager.h",
        "nokogiri.c",
        "create-job-timeout.test",
        "module.modulemap",
        "MTLRasterizationRate.h",
        "validate-job.test",
        "VZVirtioNetworkDeviceConfiguration.h",
        "xml_text.c",
        "MTLDrawable.h",
        "MTLCommandBuffer.h",
        "printers-header.tmpl",
        "VZVirtioSoundDeviceConfiguration.h",
        "MTLComputePipeline.h",
        "Alerts: injection_runpe allocates_execute_remote_process injection_modifies_memory allocates_rwx packer_entropy privilege_luid_check terminates_remote_process checks_debugger generates_crypto_key",
        "printer-default.tmpl",
        "VZMacOSVirtualMachineStartOptions.h",
        "VZHostAudioOutputStreamSink.h",
        "Antivirus Detections: ALF:HeraklezEval:Rogue:Win32/FakeRean",
        "VTUtilities.h",
        "VZDiskBlockDeviceStorageDeviceAttachment.h",
        "MTLVertexDescriptor.h",
        "VTDecompressionSession.h",
        "print-job-password.test",
        "xml_document.c",
        "x86_64-apple-ios-macabi.swiftinterface",
        "https://support.google.com/chrome/?p=plugin_quicktime https://chrome.google.com/",
        "A53749AF-3855-4842-A1E7-4AEFA60BD2AC",
        "NNnK.exe FILEHASH SHA256 d249de5277aaa875154143f14727a761caa652960685ab529327f1affa8954cb",
        "VZConsoleDevice.h",
        "VZVirtioEntropyDeviceConfiguration.h",
        "html4_document.c",
        "CVE-2023-4966",
        "https://rr2---sn-4g5ednsz.googlevideo.com/videoplayback?expire=1699319292&ei=nDlJZfb4G43E-gaYt5XoDg&ip=2001%3A1b60%3A2%3A240%3A3247%3A%3A",
        "printer-confirm.tmpl",
        "my.mintmobile.com",
        "mini_portile.rb",
        "choose-model.tmpl",
        "util.h",
        "VZGraphicsDisplay.h",
        "job-release.tmpl",
        "Malicious revenge malvertizing: https://www.milehighmedia.com/legal/2257",
        "AuraService-fda-test",
        "database.c",
        "Virtualization.tbd",
        "get-printer-attributes-suite.test",
        "https://hybrid-analysis.com/sample/86479bf7c9a675913b93a0d399f5cbe0c0e8003239e93ae5e00f97cdbc5ec5ba/5c5c13577ca3e12626364777",
        "VZLinuxBootLoader.h",
        "VZMemoryBalloonDeviceConfiguration.h",
        "MTLCommandQueue.h",
        "MTLDeviceCertification.h",
        "https://pin.it/ | https://www.anyxxxtube.net/search-porn/tsara-brashears/",
        "MTLFunctionConstantValues.h",
        "MTLBlitCommandEncoder.h",
        "VZSerialPortConfiguration.h",
        "tokenizer.c",
        "compromised_site_redirector_fromcharcode fromCharCode",
        "SWCollaborationOptionsGroup.h",
        "VZKeyboardConfiguration.h",
        "html4_element_description.c",
        "identify-printer-multiple.test",
        "ScriptingBridge.apinotes",
        "char_ref.h",
        "MTLPixelFormat.h",
        "mini_portile_cmake.rb",
        "OpenAL.h",
        "get-ppds-make-and-model.test",
        "identify-printer.test",
        "safebae.org",
        "xml_document_fragment.c",
        "job-restart.tmpl",
        "https://www.virustotal.com/gui/file/f69e4fd7802b9947826db300268eb4a88d14a4a30e5e7617cebe17d1584f6c26/detection",
        "SBObject.h",
        "choose-make.tmpl",
        "setup.rb",
        "printer-jobs-header.tmpl",
        "x86_64-apple-macos.swiftinterface",
        "SWDefines.h",
        "Yara Detections: ConventionEngine_Term_Users ,  ConventionEngine_Term_Documents ,  ConventionEngine_Keyword_Obfuscat ,  DotNET_Crypto_Obfuscator",
        "VZVirtioSocketListener.h",
        "test_global_handlers.c",
        "VZMacOSBootLoader.h",
        "get-ppds-psversion.test",
        "print-uri.test",
        "VideoToolbox.apinotes",
        "MTLBlitPass.h",
        "xml_element_content.c",
        "Interesting Strings: http://www.interoperabilitybridges.com/wmp http://crbug.com/40902 http://crbug.com/516527",
        "class-modified.tmpl",
        "VZStorageDeviceConfiguration.h",
        "MTLEvent.h",
        "confidential",
        "VZVirtioTraditionalMemoryBalloonDevice.h",
        "get-ppd-printer.test",
        "tokenizer.h",
        "MTLIOCompressor.h",
        "IDS Detections: Ransom.Win32.Birele.gsg Checkin Observed GandCrab Ransomware Domain (ransomware .bit in DNS Lookup)",
        "VZMACAddress.h",
        "MTLBinaryArchive.h",
        "https://metadefender.com/results/file/bzI1MDMwMVFWaXRDS0hpWElYcnV0QllCYlB1",
        "VZBridgedNetworkDeviceAttachment.h",
        "exception.h",
        "VTBase.h",
        "VZUSBMassStorageDeviceConfiguration.h",
        "https://www.anyxxxtube.net/search-porn/tsara-brashears/",
        "VZNetworkDeviceConfiguration.h",
        "version.rb",
        "MTLPipeline.h",
        "MTLComputeCommandEncoder.h",
        "get-completed-jobs.test",
        "add-printer.tmpl",
        "get-ppds-make.test",
        "nokogiri.rb",
        "class-confirm.tmpl",
        "VZMacOSConfigurationRequirements.h",
        "search.tmpl",
        "https://vtbehaviour.commondatastorage.googleapis.com/7395f24f709e2c947593e7124f0107a17bf71f9eff782433f00e9aae27edf6fc_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864018&Signature=fW5cvq8BOIX%2B2wxwBzAnPprHnokOWVWFu4uUJExK8GQG4mwnYf4GO7RCTnuImm3XpXxgU8V7gYbsu%2BSquaGgkh2o8me6vmt8Y%2BhL0j%2BUgRrp8B0qJtHMkSgtfk6doVdGoZ%2FqES823Eiqebeb3NlVMD6tixYW2GDpyliHNL6uGNgIyf2BQZppexftzMN9M2BQhralGJjFZ9Q4XeAi1DalrEfIsb7erXBxVINEYJUbRaapAeQ0Aff8",
        "job-moved.tmpl",
        "admin.tmpl",
        "printers.tmpl",
        "https://www.poemhunter.com/tsara-brashears/poems/: https://urlscan.io/result/4f0cabbf-9716-47dd-bd5c-038a953e6672/",
        "jobs-header.tmpl",
        "xml_cdata.c",
        "CFOpenDirectoryConstants.h",
        "MTLTypes.h",
        "MTLCommandEncoder.h",
        "Formbook: FileHash-MD5 3fed8c5a7c3a95c9270d18c304f19655",
        "CFOpenDirectory.tbd",
        "ODRecord.h",
        "error.c",
        "PushKit.tbd",
        "statement.h",
        "class-deleted.tmpl",
        "Interesting Strings: https://support.google.com/chrome/?p=plugin_pdf",
        "get-job-template-attributes.test",
        "VZDirectorySharingDeviceConfiguration.h",
        "class-jobs-header.tmpl",
        "nokogiri.h",
        "xml_attr.c",
        "error.h",
        "string_piece.c",
        "Interesting Strings: http://schema.org/GovernmentOrganization https://support.google.com/chrome/?p=plugin_java https://crbug.com/593166",
        "PKPushPayload.h",
        "help-header.tmpl",
        "rbREXMLParser.rb",
        "ODQuery.h",
        "get-printers.test",
        "MTLHeap.h",
        "ODRecordMap.h",
        "SWPerson.h",
        "riverside.rocks (safebae.com remote uTorrent) https://hybrid-analysis.com/sample/11108ef17bd75f36e0d22d95b1f3bde3e9fa968a78a24c2d2508f4238e22651d/6326a50be4a8a71b885f5bf3",
        "VZVirtioConsolePortArray.h",
        "VZDirectorySharingDevice.h",
        "xml_syntax_error.c",
        "ODAttributeMap.h",
        "Malware Host: HallRender.com",
        "arm64e-apple-ios-macabi.swiftinterface",
        "MTLDynamicLibrary.h",
        "svg_attrs.c",
        "modify-class.tmpl",
        "VZVirtioSoundDeviceStreamConfiguration.h",
        "al.h",
        "apple.types",
        "Observed GandCrab Ransomware Domain (carder .bit in DNS Lookup) Worm.Mydoom Checkin",
        "foreign_attrs.c",
        "https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864574&Signature=bMyayDFFBh9o7SKCdDEmOXLxG1DU4rSM%2FUEOzGrynPSC%2BtV0OxoHoTrSpk4WhCDb9aQtdHkWrbkt3dDAaYhnHSbvWbBqT%2BVfVwWUnst5sI142wOEd2vg4qTum281LBoJ295gTb%2BQKnfTPGXmTW5k9G5L%2FAV%2BegT4neE2xS%2Ba0Daru1OpFYTEq2Cyb0sH66jGRSTHDjHVJaHtZyYTLXjj5Q8rrEBxbDSD0Eh1XqpNLKqoMXQ7",
        "PushKit.h",
        "xml_node_set.c",
        "VZVirtioConsoleDeviceConfiguration.h",
        "xml_reader.c",
        "Formbook: FileHash-MD5 ab9077915a4f2f52de634df05b681849",
        "MTLDevice.h",
        "VZVirtioFileSystemDevice.h",
        "utf8.h",
        "help-trailer.tmpl",
        "https://vtbehaviour.commondatastorage.googleapis.com/998cd8dcaf876dc66946e1c5f22ef7b8e3ea8de99cd8332d088a9b285fb2f1f7_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775865192&Signature=BypXbESJ8I4kqzj5KlF3FCin0434BxGjxXXofwkjyqQfBwNvYJTJGPpRPHnvqmntGoukqmPBezQdcv67hZUXulr885cbljCP90Y6P75SdRtlYOqDEOYGAVgLKOUxW3BGjKy%2FAqS6M0GC9KNsMLw%2FjOyC%2B2N%2F0AlIAyOTl0pX2Pbv6GgplZAbATne%2FCbkvUjwdxaeRv5iLmVrYtOdTVlljzdECcRiQ9rvqI3Aj27UR1qfuhS8vc%2",
        "VZVirtioGraphicsDeviceConfiguration.h",
        "get-printer-attributes.test",
        "get-ppds-language.test",
        "VZMacKeyboardConfiguration.h",
        "SBApplication.h",
        "IDS Detections: Worm.Mydoom Checkin User-Agent (explwer) Hiloti/Mufanom Downloader Checkin Win32/Unruy.R Checkin",
        "VZVirtioSocketConnection.h",
        "VZMultipleDirectoryShare.h",
        "edit-config.tmpl",
        "norestart.tmpl",
        "string_buffer.h",
        "create-printer-subscription.test",
        "gumbo.c",
        "classified",
        "rbPlainCFPropertyList.rb",
        "extconf.rb",
        "Poemhunter.com + rally point.com = pornhub.dev",
        "ntp_opendirectory.conf",
        "VZMacAuxiliaryStorage.h",
        "VZVirtualMachineStartOptions.h",
        "boostmobile.com",
        "SCStream.h",
        "list-available-printers.tmpl",
        "VTCompressionSession.h",
        "print-job-letter.test",
        "VTMultiPassStorage.h",
        "VZMacOSInstaller.h",
        "SWCollaborationOption.h",
        "MTLFunctionStitching.h",
        "MTLSampler.h",
        "Yara Detections: compromised_site_redirector_fromcharcode ,  Cabinet_Archive ,  SFX_CAB",
        "VZSerialPortAttachment.h",
        "VZMacHardwareModel.h",
        "Researched: http://www.forensickb.com/2013/03/file-entropy-explained.html",
        "utf8.c",
        "SwiftUI.swiftoverlay",
        "choose-uri.tmpl",
        "nfs.conf",
        "https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864415&Signature=yAuZC%2F0HyuJxAQj5f%2FwTa1Eqod6JZKHa9bO0gU6Ir2r2sU2JlNQAvQ0O%2BFC6DWExjg2voi81c%2BEzsk9tDAFyL3WwgJgMTlIvg%2FNT9PRWENEAYOilGjGtzrdzRhMpMzKw7NL5oxGr6hAdndZJ5lY7UvJoIjDp7nDn85EoO4RRNxFKeP4qCsczXGv2%2B9bnOXeGn0HHTaDp8I7UEq7FDpEPmij1KfxHmftv85TcFdOHNt0L",
        "VTErrors.h",
        "help-printable.tmpl",
        "Formbook \u2022 Stealer\u2022 BCBNFD.exe - FileHash-SHA256 f69e4fd7802b9947826db300268eb4a88d14a4a30e5e7617cebe17d1584f6c26",
        "print-job-gzip.test",
        "\"493fda53120050f85836032324409be6c6484f90a0755ae0c6a673ba7626818b\" has the file format \"text\", which is not supported",
        "Formbook: FileHash-SHA256 4f5a404fc51da90adc3d3b690924263e64bfbf7c3e9918a949e10aca0f3096d1",
        "MTLFunctionDescriptor.h",
        "attribute.c",
        "rbBinaryCFPropertyList.rb",
        "VTHDRPerFrameMetadataGenerationSession.h",
        "VTSession.h",
        "MTLResidencySet.h",
        "insertion_mode.h",
        "restart.tmpl",
        "VZUSBKeyboardConfiguration.h",
        "VZDiskSynchronizationMode.h",
        "xml_schema.c",
        "Hallrender.com and Westlaw.com.= http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu",
        "option-pickone.tmpl",
        "Rallypoint.com https://hybrid-analysis.com/sample/66287c2c36699037cb504201693e26b5f3282cebde1d1c78aecd6f97f04fb694",
        "https://n0paste.eu/UH6n5pD/",
        "Pdf.Phishing.TtraffRobotInstall-7605656-0 00004feb58be42ba1bd506ea89f90c5e1d83e6e1fb84841931949a454b0bb539",
        "SCError.h",
        "xml_relax_ng.c",
        "ipp-backend.test",
        "MTLCaptureScope.h",
        "command.tmpl",
        "CFODSession.h",
        "modify-printer.tmpl",
        "VZGenericPlatformConfiguration.h",
        "OpenAL.tbd",
        "test-page.tmpl",
        "users.tmpl",
        "nr-data.net",
        "xslt_stylesheet.c",
        "xml_node.c",
        "VZUSBDevice.h",
        "VZDiskImageStorageDeviceAttachment.h",
        "ntp.conf",
        "VZVirtioConsoleDevice.h",
        "VTCompressionProperties.h",
        "VZAudioDeviceConfiguration.h",
        "util.c",
        "header.tmpl",
        "VZVirtioSocketDevice.h",
        "xml_element_decl.c",
        "VTProfessionalVideoWorkflow.h",
        "VTDecompressionProperties.h",
        "SWPersonIdentityProof.h",
        "SBElementArray.h",
        "replacement.h",
        "Project Endgame - pegausintel.com - Unsure if related to NSO Group",
        "VZSocketDevice.h",
        "VZVirtioSoundDeviceOutputStreamConfiguration.h",
        "metadata.json",
        "class.tmpl",
        "CFOpenDirectory.h",
        "MTLDepthStencil.h",
        "VZVirtioFileSystemDeviceConfiguration.h",
        "VZVirtioSoundDeviceInputStreamConfiguration.h",
        "xtab",
        "VZEFIBootLoader.h",
        "VZFileHandleNetworkDeviceAttachment.h",
        "DESCRIPTION: Detects file obfuscated with CryptoObfuscator RULE_AUTHOR: Florian Roth",
        "VZMacGraphicsDisplay.h",
        "relay.cryptsoft.com | smtp.cryptsoft.com\t| ghs.google.com",
        "MTLAllocation.h",
        "VZMacTrackpadConfiguration.h",
        "Copyright: Gamma Realty 2019 Product: Auty 2 Description: Auty Original Name: NNnK.exe",
        "VTRAWProcessingSession.h",
        "VZMacGraphicsDisplayConfiguration.h",
        "libxml2_backwards_compat.c",
        "Formbook: FileHash-SHA1 e8e453dd5fd6a37f65889b2c3b289f954bfc3c3b",
        "VZGraphicsDevice.h",
        "VZMemoryBalloonDevice.h",
        "jobs.tmpl",
        "ScriptingBridge.h",
        "MTLFunctionLog.h",
        "https://urlscan.io/result/2285cee3-1e08-4e63-b48f-ee685e008480/#summary",
        "printer-reject.tmpl",
        "VZHostAudioInputStreamSource.h",
        "Antivirus Detections Cryp_Xed-12 ,  Mal/Generic-S ,  Packed/Upack Yara Detections Upackv039finalDwing ,  UpackV037Dwing",
        "print-job-hold.test",
        "cups-create-local-printer.test",
        "printer-modified.tmpl",
        "CFODRecord.h",
        "VZError.h",
        "https://b.link/infringement",
        "VZBootLoader.h",
        "ascii.h",
        "VZVirtioConsolePortConfigurationArray.h",
        "ScreenCaptureKit.h",
        "get-job-attributes2.test",
        "VZSpiceAgentPortAttachment.h",
        "VZVirtioGraphicsDevice.h",
        "VZNetworkBlockDeviceStorageDeviceAttachment.h",
        "Win32:PWSX-gen\\ [Trj]: FileHash-SHA256 f69e4fd7802b9947826db300268eb4a88d14a4a30e5e7617cebe17d1584f6c26",
        "VZAudioOutputStreamSink.h",
        "VZGraphicsDisplayConfiguration.h",
        "MTLIntersectionFunctionTable.h",
        "SharedWithYouCore.h",
        "ScriptingBridge.tbd",
        "get-ppds-drv-only.test",
        "string_buffer.c",
        "MacOSX_OALExtensions.h",
        "https://vtbehaviour.commondatastorage.googleapis.com/7395f24f709e2c947593e7124f0107a17bf71f9eff782433f00e9aae27edf6fc_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864829&Signature=SlvEBwegwTfog2bK9svG1CeSSKC94GD98%2FQ7qpBXL7TuHOZt2HhMLd7y8IOgotXMqWiH73xWxbA4jinuUaR5MXolnKuxM86Yy3LSmhMX0S2ZRoWHqqnWIwt02ajTrF%2Bgua0LjZ46ax%2Bqo86h%2Bpme2xYRpZXKhZpVUZBzvDkXraQGdqF1BQ7keV47Y5qESgu16FuxAkm0XbuzS8tqBeq7qAS0r8STul%2BnjFmFMq3OUE68K%2BSmAp",
        "cfpropertylist.rb",
        "get-ppds.test",
        "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/icons/apple-touch-icon-76x76.png",
        "MTLAccelerationStructureTypes.h",
        "VTPixelRotationProperties.h",
        "sample.drv",
        "https://mwdb.cert.pl/file/efb45096e24a61b488eb809bd8edf874d15bb498dd75ced8b888b020c87e5c6c",
        "VZFileSerialPortAttachment.h",
        "ODMappings.h",
        "create-job.test",
        "SWCollaborationMetadata.h",
        "MTLComputePass.h",
        "media.defs",
        "get-ppd.test",
        "CFODContext.h",
        "font.defs",
        "SCShareableContent.h",
        "rbCFPlistError.rb",
        "backup.c",
        "xml_processing_instruction.c",
        "MTLResource.h",
        "sqlite3.rb",
        "CryptoObfuscator",
        "get-printer-description-attributes.test",
        "VZVirtioSocketDeviceConfiguration.h",
        "exception.c",
        "VZDirectoryShare.h",
        "classes-header.tmpl",
        "SWStartCollaborationAction.h",
        "xml_encoding_handler.c",
        "testprint",
        "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/icons/apple-touch-icon.png",
        "httpd.exp",
        "token_buffer.c",
        "https://vtbehaviour.commondatastorage.googleapis.com/998cd8dcaf876dc66946e1c5f22ef7b8e3ea8de99cd8332d088a9b285fb2f1f7_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864769&Signature=OXXYebSn84nlH1%2FBD4aluVAmCHvma4vurcZhV0H%2B7L8wRtgwWjBRClGbWiS8DnrNVxrwDxScAikU0APxe3iZCU90GclmHDodIz%2BlHFaDkBxBXUt9uyLA9BJmMbRGCKuRj4Vm7MMGUwm7WUwB1UNLqYgq41X0c%2BIhgFvAjtxWMyGnXjvvbgLGXYNo7MTwWLWshQg%2B3UXSqVmivHQAKBmQD75nvfJkl9SPx5GQ5GzjVY8pdgtPv0Ij",
        "VZXHCIControllerConfiguration.h",
        "VZStorageDeviceAttachment.h",
        "html4_sax_push_parser.c",
        "CFODQuery.h",
        "VZEntropyDeviceConfiguration.h",
        "tag_lookup.h",
        "printer-cancel-jobs.tmpl",
        "VZSharedDirectory.h",
        "statement.c",
        "rbNokogiriParser.rb",
        "www.metrobyt-mobile.com",
        "MTLLinkedFunctions.h",
        "VTVideoEncoderList.h",
        "https://otx.alienvault.com/indicator/file/f69e4fd7802b9947826db300268eb4a88d14a4a30e5e7617cebe17d1584f6c26",
        "ODConfiguration.h",
        "PushKit.apinotes",
        "VZVirtioConsolePort.h",
        "alut.h",
        "MTLCounters.h",
        "VZVirtioGraphicsScanoutConfiguration.h",
        "NNnK.exe [e755511f154b928f720d8a5c59e34ccb.virus]",
        "xml_comment.c",
        "https://hybrid-analysis.com/sample/8bf763ce9396c4569afbae58392097fd57408339c0ac59ec256468c9fd8ac4c5/6548ebfe56b25bab28017757",
        "get-jobs.test",
        "option-conflict.tmpl",
        "SWCollaborationOptionsPickerGroup.h",
        "SCRecordingOutput.h"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [
            "@GRAMMERSoft",
            "DragonForce Hacker Group Malaysia"
          ],
          "malware_families": [
            "Gc",
            "Cftyperef",
            "Upackv037dwing",
            "Worm:win32/fesber.a",
            "Trojanspy:win32/nivdort.aj",
            "Formbook",
            "Worm:win32/bloored.e",
            "Tsara brashears",
            "Win32:pwsx-gen\\ [trj]",
            "Trojanspy:win32/nivdort",
            "Trojandownloader:win32/nemucod",
            "Radar ineractive",
            "Win.trojan.fakeav-10943",
            "Beach research",
            "Maltiverse",
            "Upatre",
            "Trojanspy",
            "Alf:heraklezeval:rogue:win32/fakerean",
            "Et",
            "Ransom:win32/eniqma.a",
            "Mitre attack",
            "Trojanspy:win32/invader.s!msr",
            "Webtoolbar",
            "Vzbootloader",
            "Worm:win32/mydoom.o!backdoor",
            "Trojanspy:msil/formbook",
            "Cryp_xed-12",
            "Mal/generic-s",
            "Typeerror",
            "Gandcrab",
            "Trojan:win32/zbot.sibg!mtb",
            "Worm:win32/macoute.a",
            "Win32:kukacka",
            "Virus:win32/sality.at",
            "Tofsee"
          ],
          "industries": [
            "Media",
            "Education",
            "Telecommunications",
            "Government",
            "Technology",
            "Healthcare"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 12,
  "pulses": [
    {
      "id": "69d98d5e88461ed06547690c",
      "name": "CAPE ***** GRAMMERsoft. Love Letter ****",
      "description": "A Cuckoo has been running on Microsoft's Windows operating system for the past two years.  the last time it did so, and the first time in the history of the Windows platform.\n\nUser Notes a Cryptic Message: Killing Eve,  Vanishing Triangle. Recent Comment on Belasco Chain is of interest given spellbound.exe...\nUR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR N4XT.txt",
      "modified": "2026-04-19T09:05:59.274000",
      "created": "2026-04-10T23:53:02.973000",
      "tags": [
        "cname",
        "p2404",
        "accept",
        "default",
        "host",
        "strong",
        "library",
        "p11776139675",
        "gmt range",
        "p11776090280",
        "shutdown",
        "generic",
        "bits",
        "next ur",
        "file type",
        "ascii text",
        "crlf line",
        "ms windows",
        "pe32",
        "drops pe",
        "intel",
        "yara",
        "sigma",
        "njrat",
        "malicious",
        "darkcomet",
        "code",
        "delphi",
        "dbatloader",
        "loader",
        "fraud",
        "notpetya",
        "killmbr",
        "trojanransom",
        "ransomware",
        "next",
        "settings",
        "parent pid",
        "full path",
        "command line",
        "mwdb",
        "bazaar",
        "sha3384",
        "ssdeep",
        "format",
        "shell",
        "payload",
        "kevin",
        "revengerat",
        "aspack",
        "vmprotect",
        "meteorite",
        "petya",
        "infinitylock",
        "redline",
        "remcos",
        "javadropper",
        "lokibot",
        "guard",
        "mono",
        "eternalromance",
        "exploit",
        "badrabbit",
        "windows sandbox",
        "calls process",
        "vbcrlf",
        "error resume",
        "next dim",
        "page",
        "loveletter",
        "script",
        "createobject",
        "html",
        "meta",
        "name",
        "title",
        "body",
        "iloveyou",
        "generator",
        "philippines",
        "loop",
        "@grammersoft",
        "calls clear",
        "ip address",
        "cape sandbox",
        "bootkit",
        "t1055",
        "t1497",
        "error",
        "back",
        "pe file",
        "network info",
        "processes extra",
        "sample",
        "aslr",
        "performs dns",
        "t1055 process",
        "overview",
        "mitre attack",
        "overview zenbox",
        "none rticon",
        "pattern",
        "none image",
        "file size",
        "entity",
        "winmm",
        "dword",
        "locale",
        "screensaver",
        "alexa",
        "stars",
        "crypt32",
        "ddraw",
        "winsta",
        "ip traffic",
        "lockfile"
      ],
      "references": [
        "https://vtbehaviour.commondatastorage.googleapis.com/7395f24f709e2c947593e7124f0107a17bf71f9eff782433f00e9aae27edf6fc_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864018&Signature=fW5cvq8BOIX%2B2wxwBzAnPprHnokOWVWFu4uUJExK8GQG4mwnYf4GO7RCTnuImm3XpXxgU8V7gYbsu%2BSquaGgkh2o8me6vmt8Y%2BhL0j%2BUgRrp8B0qJtHMkSgtfk6doVdGoZ%2FqES823Eiqebeb3NlVMD6tixYW2GDpyliHNL6uGNgIyf2BQZppexftzMN9M2BQhralGJjFZ9Q4XeAi1DalrEfIsb7erXBxVINEYJUbRaapAeQ0Aff8",
        "https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864214&Signature=Vf0JKebhqo0MUHhpU%2B3Xut2g8SN7IheaL%2FNfOTLj1y8v1aHrjA6QI2jq%2BIVJeWXo8%2Fzpj%2Bd3DpryffdQjNsuRSSn06dSJy%2FvNi5F67wa1RiaanLuxRRK0cWKKrWO9ZQGXVWal8%2BNCVTaMRdhHmkbFou6FA67a1owXMn0IdsdZYIAwgumeuvrMsbnKKkOcd4GucEGy0d9oj63SbZGI%2BwjT5BPH2Tq3O%2BQM%2BPv3XWuZ71sfOOGgD",
        "https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864361&Signature=veuhxaGctQeo8%2Fn4rw%2B0WB9QOIg%2BQ1N8MB7v3DwF%2B62SjERN%2FRvB6TDfvUUTTliDHAoHz3fjS19CbwtV1Unc1am%2B%2BFc7y%2FvbN%2FI2hV89mw0rCJH%2FQO9AEkKW%2BarXuvgc%2FhRwTho4ZnesEmMpmyTKqbGVDug%2BytkzAr9LluXTWzriWnG1JT1EudSc4CRQEorYeNyPlA7BPaIKmulDdM5whcIEVDFq4ZCywyfT",
        "https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864415&Signature=yAuZC%2F0HyuJxAQj5f%2FwTa1Eqod6JZKHa9bO0gU6Ir2r2sU2JlNQAvQ0O%2BFC6DWExjg2voi81c%2BEzsk9tDAFyL3WwgJgMTlIvg%2FNT9PRWENEAYOilGjGtzrdzRhMpMzKw7NL5oxGr6hAdndZJ5lY7UvJoIjDp7nDn85EoO4RRNxFKeP4qCsczXGv2%2B9bnOXeGn0HHTaDp8I7UEq7FDpEPmij1KfxHmftv85TcFdOHNt0L",
        "https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864574&Signature=bMyayDFFBh9o7SKCdDEmOXLxG1DU4rSM%2FUEOzGrynPSC%2BtV0OxoHoTrSpk4WhCDb9aQtdHkWrbkt3dDAaYhnHSbvWbBqT%2BVfVwWUnst5sI142wOEd2vg4qTum281LBoJ295gTb%2BQKnfTPGXmTW5k9G5L%2FAV%2BegT4neE2xS%2Ba0Daru1OpFYTEq2Cyb0sH66jGRSTHDjHVJaHtZyYTLXjj5Q8rrEBxbDSD0Eh1XqpNLKqoMXQ7",
        "https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864647&Signature=mDHtSOi0zOPuqTTrMsZZ%2BVpqtKq5cnDBge5WCtUppoR8EfcB14tzbezXHfWuEIyjLzT5N3b8WzssT3rIN76R8yEfCMMe32RXWxX3B5Tz%2FF%2BmLQ95M2ysgIHlBEnV4ndYMRbPmJgfEV8X1at%2BQxGaOWCwifeB%2Fjd9hGk0jPWA9aLGj4Lleu%2FzV%2FyljXp2Ncxquv54TyDh55F0W1W0QD9R4i1VpZqh2UpnvpCi8RSM16",
        "https://vtbehaviour.commondatastorage.googleapis.com/998cd8dcaf876dc66946e1c5f22ef7b8e3ea8de99cd8332d088a9b285fb2f1f7_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864769&Signature=OXXYebSn84nlH1%2FBD4aluVAmCHvma4vurcZhV0H%2B7L8wRtgwWjBRClGbWiS8DnrNVxrwDxScAikU0APxe3iZCU90GclmHDodIz%2BlHFaDkBxBXUt9uyLA9BJmMbRGCKuRj4Vm7MMGUwm7WUwB1UNLqYgq41X0c%2BIhgFvAjtxWMyGnXjvvbgLGXYNo7MTwWLWshQg%2B3UXSqVmivHQAKBmQD75nvfJkl9SPx5GQ5GzjVY8pdgtPv0Ij",
        "https://vtbehaviour.commondatastorage.googleapis.com/7395f24f709e2c947593e7124f0107a17bf71f9eff782433f00e9aae27edf6fc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864790&Signature=QkiaGhOWFVTMnStxmaJJIVM9Z8cz0n2iUzL%2FmuCfsmMoY%2FI3LrqCLHlcuXzKKyDez5hRYK0DX3OkzaB4F89LFeO6CNQkxxgGBDkjCpg%2Fuyr2HtCZjkFFbEJONHPDJBkBB7JsVRdhR7RveUC2dBG7Wyna%2BF7NYrB3F8lJxQQCwlkFSUiIeF1H6fHA71w3QHiuw61QRe8qkpUK%2BNQfyAeYiLvIhNFj5g4j%2BRVk13k44QjeCxKog1rRZkdp%2",
        "https://vtbehaviour.commondatastorage.googleapis.com/7395f24f709e2c947593e7124f0107a17bf71f9eff782433f00e9aae27edf6fc_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864829&Signature=SlvEBwegwTfog2bK9svG1CeSSKC94GD98%2FQ7qpBXL7TuHOZt2HhMLd7y8IOgotXMqWiH73xWxbA4jinuUaR5MXolnKuxM86Yy3LSmhMX0S2ZRoWHqqnWIwt02ajTrF%2Bgua0LjZ46ax%2Bqo86h%2Bpme2xYRpZXKhZpVUZBzvDkXraQGdqF1BQ7keV47Y5qESgu16FuxAkm0XbuzS8tqBeq7qAS0r8STul%2BnjFmFMq3OUE68K%2BSmAp",
        "https://vtbehaviour.commondatastorage.googleapis.com/3e8cba5ce163a9275fe8d4e3f70fbc9815423b9a56b12e7fb03693731e359168_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864913&Signature=IouqGht2TIixfjPtpgKYXJa3ScKi4POLcjQ5l1QIvD%2FFa5zZyHMSYcu%2BxmFWI7uYljRPLlgpgSkRCmIw8EC4uFBI30ISHg83%2F50%2BiqTogu3I4rUpYoX3AQ7hXJwj%2Bz4YoYTt9SoS7jb9WfTUcNYHoIzY9ISoBzndPQfvv5155GpqsCvDXCT2Fd%2Byks95PB9FEdHE1SKYmlWsxPctfAYSIT2mOmBRTrxWO%2BrAUwTATD3cQts0",
        "https://vtbehaviour.commondatastorage.googleapis.com/998cd8dcaf876dc66946e1c5f22ef7b8e3ea8de99cd8332d088a9b285fb2f1f7_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775865192&Signature=BypXbESJ8I4kqzj5KlF3FCin0434BxGjxXXofwkjyqQfBwNvYJTJGPpRPHnvqmntGoukqmPBezQdcv67hZUXulr885cbljCP90Y6P75SdRtlYOqDEOYGAVgLKOUxW3BGjKy%2FAqS6M0GC9KNsMLw%2FjOyC%2B2N%2F0AlIAyOTl0pX2Pbv6GgplZAbATne%2FCbkvUjwdxaeRv5iLmVrYtOdTVlljzdECcRiQ9rvqI3Aj27UR1qfuhS8vc%2",
        "https://vtbehaviour.commondatastorage.googleapis.com/00143c38c4f0e4642e956235dac0f589c05c54100015c6f59d4825e9e8400eca_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775865231&Signature=wOONPZI5bCeW4bmQtYa7YV2UQnoPlndg3PkyxqT8OnVSk223qDWubHicrXJAcOXLFj%2FSynVv96i7h1PMkfbz2Ui0lcpPZUjU7sQhWM8wkR2WVoS3YjGgvTEi9pM1ugWhFqDaoNTlaPgNWTVjffc5d%2FPGpVtT6N45P0D2K0%2BEpNuScgpy64%2BrivKYv1pak5OuNuz9mQczkvh4JqLEna59MjTGN9sd5yDBto4EgIoaLYqnBpg8Zn9s2t"
      ],
      "public": 1,
      "adversary": "@GRAMMERSoft",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1014",
          "name": "Rootkit",
          "display_name": "T1014 - Rootkit"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1496",
          "name": "Resource Hijacking",
          "display_name": "T1496 - Resource Hijacking"
        },
        {
          "id": "T1539",
          "name": "Steal Web Session Cookie",
          "display_name": "T1539 - Steal Web Session Cookie"
        },
        {
          "id": "T1542",
          "name": "Pre-OS Boot",
          "display_name": "T1542 - Pre-OS Boot"
        },
        {
          "id": "T1564",
          "name": "Hide Artifacts",
          "display_name": "T1564 - Hide Artifacts"
        },
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1047",
          "name": "Windows Management Instrumentation",
          "display_name": "T1047 - Windows Management Instrumentation"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1064",
          "name": "Scripting",
          "display_name": "T1064 - Scripting"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1091",
          "name": "Replication Through Removable Media",
          "display_name": "T1091 - Replication Through Removable Media"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1112",
          "name": "Modify Registry",
          "display_name": "T1112 - Modify Registry"
        },
        {
          "id": "T1120",
          "name": "Peripheral Device Discovery",
          "display_name": "T1120 - Peripheral Device Discovery"
        },
        {
          "id": "T1219",
          "name": "Remote Access Software",
          "display_name": "T1219 - Remote Access Software"
        },
        {
          "id": "T1486",
          "name": "Data Encrypted for Impact",
          "display_name": "T1486 - Data Encrypted for Impact"
        },
        {
          "id": "T1490",
          "name": "Inhibit System Recovery",
          "display_name": "T1490 - Inhibit System Recovery"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1529",
          "name": "System Shutdown/Reboot",
          "display_name": "T1529 - System Shutdown/Reboot"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "IPv4": 513,
        "FileHash-MD5": 613,
        "FileHash-SHA1": 373,
        "FileHash-SHA256": 569,
        "URL": 466,
        "hostname": 580,
        "domain": 60,
        "email": 3,
        "CVE": 2,
        "JA3": 1
      },
      "indicator_count": 3180,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 49,
      "modified_text": "1 day ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69ca9cdb34719e60c191a081",
      "name": "VirusTotal report\n                    for avast_business_agent_setup_online.exe",
      "description": "",
      "modified": "2026-03-30T15:57:49.501000",
      "created": "2026-03-30T15:55:06.985000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1040",
          "name": "Network Sniffing",
          "display_name": "T1040 - Network Sniffing"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1543",
          "name": "Create or Modify System Process",
          "display_name": "T1543 - Create or Modify System Process"
        },
        {
          "id": "T1560",
          "name": "Archive Collected Data",
          "display_name": "T1560 - Archive Collected Data"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 72,
        "FileHash-MD5": 66,
        "FileHash-SHA1": 66,
        "FileHash-SHA256": 226,
        "IPv4": 2,
        "domain": 7,
        "hostname": 41
      },
      "indicator_count": 480,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 48,
      "modified_text": "20 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6916d97edb28b2616ffac3ab",
      "name": "njRAT| BazarLoader| Darkside 2020 .Beware \u2022 WebToolbar \u2022 Qbot",
      "description": "",
      "modified": "2025-11-14T07:41:19.912000",
      "created": "2025-11-14T07:25:50.524000",
      "tags": [
        "whois record",
        "ssl certificate",
        "historical ssl",
        "resolutions",
        "referrer",
        "communicating",
        "subdomains",
        "domains",
        "problems",
        "urls http",
        "ransomware",
        "malware",
        "contacted",
        "dropped",
        "execution",
        "tsara brashears",
        "apple ios",
        "whois whois",
        "unlocker",
        "njrat",
        "core",
        "hacktool",
        "metro",
        "download",
        "critical",
        "copy",
        "relic",
        "monitoring",
        "installer",
        "awful",
        "open",
        "banker",
        "keylogger",
        "malicious",
        "tofsee",
        "mitre attack",
        "et",
        "cisco umbrella",
        "internet storm",
        "site",
        "covid19",
        "cyber threat",
        "safe site",
        "cobalt strike",
        "malicious url",
        "alexa",
        "script urls",
        "united",
        "a domains",
        "as396982 google",
        "as15169 google",
        "search",
        "cname",
        "accept encoding",
        "showing",
        "unknown",
        "date",
        "body",
        "meta",
        "encrypt",
        "domain related",
        "as396982",
        "creation date",
        "expiration date",
        "scan endpoints",
        "all octoseek",
        "hostname",
        "pulse submit",
        "url analysis",
        "passive dns",
        "urls",
        "next",
        "all search",
        "otx octoseek",
        "as7922 comcast",
        "as16276",
        "as54113",
        "aaaa",
        "france unknown",
        "as14061",
        "status",
        "as40509",
        "ip address",
        "for privacy",
        "as44273 host",
        "record value",
        "certificate",
        "gmt content",
        "x sucuri",
        "as8075",
        "nxdomain",
        "as30148 sucuri",
        "as20940",
        "as31898 oracle",
        "hong kong",
        "as139021",
        "msie",
        "chrome",
        "ipv4",
        "blacklist http",
        "detection list",
        "blacklist",
        "files",
        "location hong",
        "kong asn",
        "tags none",
        "indicator facts",
        "name verdict",
        "falcon sandbox",
        "mail spammer",
        "tor known",
        "tor relayrouter",
        "exit",
        "node tcp",
        "traffic",
        "heur",
        "malicious site",
        "alexa top",
        "million",
        "alexa proxy",
        "outbreak",
        "installcore",
        "acint",
        "conduit",
        "installpack",
        "iobit",
        "artemis",
        "dropper",
        "mediaget",
        "crack",
        "spammer",
        "france mail",
        "summary",
        "url summary",
        "phishing",
        "union",
        "team",
        "bank",
        "unsafe",
        "threat report",
        "ip summary",
        "pattern match",
        "script",
        "et tor",
        "known tor",
        "relayrouter",
        "node traffic",
        "misc attack",
        "beginstring",
        "null",
        "error",
        "span",
        "class",
        "generator",
        "refresh",
        "tools",
        "hybrid",
        "general",
        "click",
        "strings",
        "servers",
        "ps ord",
        "name servers",
        "poetry",
        "moved",
        "content length",
        "content type",
        "x powered",
        "poems",
        "poem",
        "topic",
        "topics",
        "poem topics",
        "free poems",
        "love poems",
        "romantic poems",
        "classic poems",
        "friendship poems",
        "shone pale",
        "herself",
        "heavens",
        "her beam",
        "a fleecy",
        "proud evening",
        "star",
        "thou bearest",
        "heaven",
        "than",
        "google",
        "http",
        "leasewebuklon11",
        "search live",
        "api blog",
        "docs pricing",
        "login",
        "february",
        "gb summary",
        "london",
        "april",
        "screenshot",
        "url https",
        "reverse dns",
        "general full",
        "name value",
        "frankfurt",
        "main",
        "germany",
        "asn15169",
        "resource",
        "hashes",
        "copyright",
        "gmbh version",
        "follow",
        "blacklist https",
        "phishing site",
        "malware site",
        "riskware",
        "opencandy",
        "cleaner",
        "iframe",
        "xtrat",
        "agent",
        "softcnapp",
        "generic",
        "patcher",
        "driverpack",
        "exploit",
        "mimikatz",
        "downldr",
        "presenoker",
        "fusioncore",
        "wacatac",
        "beach research",
        "trojanspy",
        "maltiverse",
        "firehol",
        "proxy",
        "anonymizer",
        "adware",
        "kuaizip",
        "downer",
        "tag count",
        "tue apr",
        "sample",
        "samples",
        "fakealert",
        "genkryptik",
        "icedid",
        "coinminer",
        "nircmd",
        "swrort",
        "systweak",
        "behav",
        "tiggre",
        "filetour",
        "quasar rat",
        "fuery",
        "bazaloader",
        "media",
        "facebook",
        "service",
        "runescape",
        "webtoolbar",
        "a9dia",
        "a1ginaprincipal",
        "emails",
        "registrar",
        "http header",
        "tcp traffic",
        "et useragents",
        "unknown traffic",
        "antivirus",
        "server",
        "gmt united",
        "accept",
        "local",
        "path",
        "falcon",
        "file",
        "ascii text",
        "windows nt",
        "png image",
        "appdata",
        "jpeg image",
        "indicator",
        "twitter",
        "westlaw njrat",
        "zuorat",
        "skynet bot",
        "glupteba",
        "asn4583",
        "thomsonreuters",
        "asn209242",
        "june",
        "back",
        "united kingdom",
        "cisco",
        "umbrella rank",
        "rank",
        "page url",
        "as autonomous",
        "system",
        "yndx",
        "ipasns ip",
        "november",
        "de summary",
        "comodo rsa",
        "security tls",
        "software",
        "resource hash",
        "security",
        "ecdhersa",
        "de indicators",
        "de page",
        "url history",
        "javascript",
        "gts ca",
        "secure server",
        "markmonitor",
        "ip information",
        "detail domains",
        "domain tree",
        "links certs",
        "frames domain",
        "requested",
        "threat roundup",
        "march",
        "threat round",
        "parent parent",
        "roundup",
        "january",
        "threats",
        "qbot",
        "cyberwar",
        "skynet",
        "radar ineractive",
        "control server",
        "engineering",
        "host",
        "services",
        "pony",
        "nanocore rat",
        "meterpreter",
        "zeus",
        "zbot",
        "suppobox",
        "stealer",
        "redline stealer",
        "dnspionage",
        "mirai",
        "nanocore",
        "bradesco",
        "emotet",
        "laplasclipper",
        "asn16276",
        "get h2",
        "kb image",
        "august",
        "kali",
        "localappdata",
        "network traffic",
        "binary file",
        "svg scalable",
        "vector graphics",
        "mwin",
        "domain",
        "url http",
        "pulse pulses",
        "related nids",
        "files location",
        "customer",
        "address",
        "as29789",
        "hosting",
        "location united",
        "status hostname",
        "query type",
        "address first",
        "seen last",
        "seen asn",
        "country unknown",
        "urls date",
        "checked url",
        "hostname server",
        "response ip",
        "address google",
        "safe browsing",
        "present mar",
        "pulse indicator",
        "protocol h2",
        "value",
        "variables",
        "waypoint object",
        "gsqueue",
        "isotope",
        "hostnames",
        "ice fog",
        "maltiverse top",
        "financial",
        "as62597 nsone",
        "sec ch",
        "domains show",
        "entries",
        "as14720 gamma",
        "canada unknown",
        "as397241",
        "as13335",
        "applicunwnt",
        "xrat",
        "maltiverse safe",
        "aig",
        "soc",
        "hallrender",
        "brian sabey",
        "mark brian sabey",
        "sabey",
        "mark",
        "sabey",
        "data center",
        "malvertizing",
        "malware host",
        "scanning host",
        "botnetwork",
        "colorado",
        "edsaid",
        "geotracking",
        "satellite tracking",
        "radar tracking",
        "pornhub",
        "child teen content illegal",
        "social engineering",
        "cyber stalking",
        "CVE-2023-4966",
        "device control",
        "camera usage",
        "hidden users",
        "message interception",
        "text archiver",
        "mail collection",
        "remote attacks",
        "js",
        "python",
        "inject",
        "sql",
        "extraction",
        "AIG Claims",
        "hallrender.com",
        "soc",
        "milemighmedia",
        "westlaw",
        "revengeporn",
        "bot",
        "regex",
        "ai",
        "yandex"
      ],
      "references": [
        "web2.westlaw.com    (redirects to thbrzzrstr.me)",
        "http://web2.westlaw.com/ (redirect) https://signon.thomsonreuters.com/?productid=CBT&lr=0&culture=en-US&returnto=https%3a%2f%2f1.next.westlaw.com%...",
        "https://hybrid-analysis.com/sample/8bf763ce9396c4569afbae58392097fd57408339c0ac59ec256468c9fd8ac4c5/6548ebfe56b25bab28017757",
        "https://urlscan.io/result/2285cee3-1e08-4e63-b48f-ee685e008480/#summary",
        "https://hybrid-analysis.com/sample/86479bf7c9a675913b93a0d399f5cbe0c0e8003239e93ae5e00f97cdbc5ec5ba/5c5c13577ca3e12626364777",
        "https://urlscan.io/result/4f0cabbf-9716-47dd-bd5c-038a953e6672/",
        "Malware Host: HallRender.com",
        "riverside.rocks (safebae.com remote uTorrent) https://hybrid-analysis.com/sample/11108ef17bd75f36e0d22d95b1f3bde3e9fa968a78a24c2d2508f4238e22651d/6326a50be4a8a71b885f5bf3",
        "safebae.org",
        "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu    (phishing | cybercrime)",
        "Hallrender.com and Westlaw.com.= http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu",
        "Poemhunter.com + rally point.com = pornhub.dev",
        "Pornhub dev VT community: https://www.virustotal.com/gui/domain/pornhub.dev/community",
        "Poemhunter.com: https://hybrid-analysis.com/sample/86479bf7c9a675913b93a0d399f5cbe0c0e8003239e93ae5e00f97cdbc5ec5ba",
        "https://www.poemhunter.com/tsara-brashears/poems/: https://urlscan.io/result/4f0cabbf-9716-47dd-bd5c-038a953e6672/",
        "Rallypoint.com https://hybrid-analysis.com/sample/66287c2c36699037cb504201693e26b5f3282cebde1d1c78aecd6f97f04fb694",
        "Malicious revenge malvertizing: https://www.milehighmedia.com/legal/2257",
        "https://www.anyxxxtube.net/search-porn/tsara-brashears/",
        "https://matrix.pornhub.dev",
        "nr-data.net",
        "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/icons/apple-touch-icon-76x76.png",
        "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/icons/apple-touch-icon.png",
        "https://apple.pantion.top/",
        "newrelic.se",
        "user-apple.info",
        "appleid-comloginaccount.info",
        "init-p01st.push.apple.com",
        "boostmobile.com",
        "www.metrobyt-mobile.com",
        "http://bpdb.portal.gov.bd:3128/sites/default/files/files/bpdb.portal.gov.bd/npfblock/2021-34bc869d2906198362a4346373ce5b94.jpg",
        "https://b.link/infringement",
        "my.mintmobile.com",
        "CVE-2023-4966",
        "http://watchhers.net/index.php",
        "https://rr2---sn-4g5ednsz.googlevideo.com/videoplayback?expire=1699319292&ei=nDlJZfb4G43E-gaYt5XoDg&ip=2001%3A1b60%3A2%3A240%3A3247%3A%3A"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Spain",
        "Netherlands",
        "Canada",
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Tsara Brashears",
          "display_name": "Tsara Brashears",
          "target": null
        },
        {
          "id": "Mitre Attack",
          "display_name": "Mitre Attack",
          "target": null
        },
        {
          "id": "ET",
          "display_name": "ET",
          "target": null
        },
        {
          "id": "Beach Research",
          "display_name": "Beach Research",
          "target": null
        },
        {
          "id": "TrojanSpy",
          "display_name": "TrojanSpy",
          "target": null
        },
        {
          "id": "Maltiverse",
          "display_name": "Maltiverse",
          "target": null
        },
        {
          "id": "WebToolbar",
          "display_name": "WebToolbar",
          "target": null
        },
        {
          "id": "Radar Ineractive",
          "display_name": "Radar Ineractive",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1043",
          "name": "Commonly Used Port",
          "display_name": "T1043 - Commonly Used Port"
        },
        {
          "id": "T1179",
          "name": "Hooking",
          "display_name": "T1179 - Hooking"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "TA0004",
          "name": "Privilege Escalation",
          "display_name": "TA0004 - Privilege Escalation"
        },
        {
          "id": "T1210",
          "name": "Exploitation of Remote Services",
          "display_name": "T1210 - Exploitation of Remote Services"
        },
        {
          "id": "T1068",
          "name": "Exploitation for Privilege Escalation",
          "display_name": "T1068 - Exploitation for Privilege Escalation"
        },
        {
          "id": "T1450",
          "name": "Exploit SS7 to Track Device Location",
          "display_name": "T1450 - Exploit SS7 to Track Device Location"
        },
        {
          "id": "T1114",
          "name": "Email Collection",
          "display_name": "T1114 - Email Collection"
        },
        {
          "id": "T1176",
          "name": "Browser Extensions",
          "display_name": "T1176 - Browser Extensions"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1423",
          "name": "Network Service Scanning",
          "display_name": "T1423 - Network Service Scanning"
        },
        {
          "id": "T1035",
          "name": "Service Execution",
          "display_name": "T1035 - Service Execution"
        },
        {
          "id": "T1563",
          "name": "Remote Service Session Hijacking",
          "display_name": "T1563 - Remote Service Session Hijacking"
        },
        {
          "id": "T1056.001",
          "name": "Keylogging",
          "display_name": "T1056.001 - Keylogging"
        },
        {
          "id": "T1110.002",
          "name": "Password Cracking",
          "display_name": "T1110.002 - Password Cracking"
        },
        {
          "id": "T1427",
          "name": "Attack PC via USB Connection",
          "display_name": "T1427 - Attack PC via USB Connection"
        },
        {
          "id": "T1445",
          "name": "Abuse of iOS Enterprise App Signing Key",
          "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key"
        },
        {
          "id": "T1453",
          "name": "Abuse Accessibility Features",
          "display_name": "T1453 - Abuse Accessibility Features"
        },
        {
          "id": "T1472",
          "name": "Generate Fraudulent Advertising Revenue",
          "display_name": "T1472 - Generate Fraudulent Advertising Revenue"
        },
        {
          "id": "T1173",
          "name": "Dynamic Data Exchange",
          "display_name": "T1173 - Dynamic Data Exchange"
        },
        {
          "id": "T1410",
          "name": "Network Traffic Capture or Redirection",
          "display_name": "T1410 - Network Traffic Capture or Redirection"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": "654971c396ca4306a6534b12",
      "export_count": 16,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 4037,
        "hostname": 2241,
        "URL": 2516,
        "FileHash-MD5": 1224,
        "FileHash-SHA1": 783,
        "FileHash-SHA256": 2796,
        "CVE": 10,
        "email": 25
      },
      "indicator_count": 13632,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 142,
      "modified_text": "157 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68ccd75091991ef8498bbd10",
      "name": "Zbot affected  Payment Apps - Installers",
      "description": "Some references are outdated. Found hash when researching something else.. Seemed to affect a Hostinger domain payment app in the past. I\u2019m not sure what app galaxus but seems to affect the app, if I kept searching I might be able to find what it\u2019s affecting today. . Some of the items list non sensical descriptions. | NNnK.exe FILEHASH SHA256 d249de5277aaa875154143f14727a761caa652960685ab529327f1affa8954cb | Nothing exciting. Just wondered what and why.",
      "modified": "2025-10-19T03:02:05.668000",
      "created": "2025-09-19T04:08:47.998000",
      "tags": [
        "memory pattern",
        "chi2 md5",
        "guid",
        "blob",
        "payment app",
        "entropy",
        "submitted",
        "prodq",
        "installers",
        "upatre",
        "fakeav",
        "zbot",
        "dynamicloader",
        "medium",
        "write c",
        "high",
        "delete",
        "trojan",
        "copy",
        "write"
      ],
      "references": [
        "NNnK.exe FILEHASH SHA256 d249de5277aaa875154143f14727a761caa652960685ab529327f1affa8954cb",
        "NNnK.exe [e755511f154b928f720d8a5c59e34ccb.virus]",
        "https://open-app.galaxus.com",
        "Copyright: Gamma Realty 2019 Product: Auty 2 Description: Auty Original Name: NNnK.exe",
        "Internal Name: NNnK.exe File Version: 1.88.0.0 Comments: Gynecology *File Unsigned",
        "ihs-markit-login-changes-update-august-2020.pdf [file below]",
        "\"493fda53120050f85836032324409be6c6484f90a0755ae0c6a673ba7626818b\" has the file format \"text\", which is not supported"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Upatre",
          "display_name": "Upatre",
          "target": null
        },
        {
          "id": "Win.Trojan.FakeAV-10943",
          "display_name": "Win.Trojan.FakeAV-10943",
          "target": null
        },
        {
          "id": "Trojan:Win32/Zbot.SIBG!MTB",
          "display_name": "Trojan:Win32/Zbot.SIBG!MTB",
          "target": "/malware/Trojan:Win32/Zbot.SIBG!MTB"
        }
      ],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 5,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 242,
        "FileHash-SHA1": 227,
        "FileHash-SHA256": 1934,
        "URL": 256,
        "domain": 72,
        "hostname": 99,
        "SSLCertFingerprint": 1
      },
      "indicator_count": 2831,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 138,
      "modified_text": "183 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "66f235b9a7a94a6a61acd651",
      "name": "n0paste - Show paste: \\\"No Problems\\\" - dos meses del URLscan",
      "description": "This pulse represents a 'scattered sample' of data extracted from 'submissions of interest' made to virustotal, filescan_itsec, HybridAnalysis, anyrun_app, DynamiteLab, and triage (over a period of two months) which were submitted to urlscanio & subsequently GreyNoiseIO (which I've come across both from live samples and also those from offlined data). I don't particularly anticipate this will correlate w. anything specific - but at least will be put in one more place for further analysis & increased visibility.",
      "modified": "2025-03-07T08:38:08.584000",
      "created": "2024-09-24T03:44:57.902000",
      "tags": [
        "geoip",
        "public url",
        "as16509",
        "amazon02",
        "as20940",
        "akamaiasn1",
        "as8075",
        "as15169",
        "google",
        "akamaias",
        "facebook",
        "telecom",
        "twitter",
        "media",
        "win64",
        "level3",
        "mini",
        "ukraine",
        "proton",
        "ghost",
        "win32",
        "cuba",
        "mexico",
        "indonesia",
        "seznam",
        "as3359",
        "as852"
      ],
      "references": [
        "https://metadefender.com/results/file/bzI1MDMwMVFWaXRDS0hpWElYcnV0QllCYlB1",
        "https://mwdb.cert.pl/file/efb45096e24a61b488eb809bd8edf874d15bb498dd75ced8b888b020c87e5c6c",
        "https://n0paste.eu/UH6n5pD/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America",
        "Canada",
        "Anguilla",
        "Poland",
        "Aruba",
        "Australia",
        "Barbados",
        "Costa Rica",
        "Guatemala",
        "Philippines",
        "Panama",
        "Sint Maarten (Dutch part)",
        "Saint Martin (French part)",
        "Cayman Islands",
        "Cura\u00e7ao",
        "Mexico",
        "Saint Vincent and the Grenadines",
        "Saint Kitts and Nevis",
        "Tanzania, United Republic of",
        "Netherlands",
        "Ukraine",
        "Trinidad and Tobago",
        "Japan",
        "Bahamas",
        "United Kingdom of Great Britain and Northern Ireland",
        "Georgia"
      ],
      "malware_families": [],
      "attack_ids": [],
      "industries": [
        "Education",
        "Technology",
        "Government",
        "Telecommunications",
        "Healthcare"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 29,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 2,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Disable_Duck",
        "id": "244325",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 1,
        "CIDR": 1186,
        "CVE": 4,
        "FileHash-MD5": 29,
        "FileHash-SHA1": 3,
        "URL": 25493,
        "domain": 5396,
        "email": 10,
        "hostname": 10770
      },
      "indicator_count": 42892,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 147,
      "modified_text": "409 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "66f9ae71e7d4851280fa367f",
      "name": "The Jane Doe Syndrome Files: Credential Dumping and Data Exfiltration",
      "description": "This pulse outlines a series of techniques (Tactics) utilized in a cyber intrusion targeting Jane Doe's MacBook. These techniques span various stages of the attack lifecycle, including credential dumping (T1003), system discovery (T1016, T1082), and data exfiltration methods (T1114, T1560). The attacker employed advanced obfuscation strategies (T1027) and input capture methods (T1056) to maintain persistence and evade detection, while also utilizing command and scripting interpreters (T1059) to execute malicious commands.\n\nFurthermore, the adversary manipulated system tokens (T1134) and leveraged remote access software (T1219) to control the compromised system. Techniques for data destruction (T1485) and artifact hiding (T1564) indicate a concerted effort to cover tracks and minimize detection.\n\nBy examining these techniques, we can better understand the methods used in this intrusion, facilitating enhanced detection and prevention strategies for future incidents.",
      "modified": "2024-11-08T00:03:35.782000",
      "created": "2024-09-29T19:45:53.583000",
      "tags": [
        "autogenerated",
        "please",
        "class",
        "hp laserjet",
        "duplexer",
        "modify",
        "printer",
        "description",
        "location",
        "share",
        "printer make",
        "ppd file",
        "model",
        "driver",
        "ipp everywhere",
        "printers",
        "hardware",
        "baud rate",
        "parity",
        "odd data",
        "flow control",
        "software",
        "rtscts",
        "dtrdsr",
        "input",
        "type",
        "name",
        "value",
        "hidden",
        "delete class",
        "form",
        "h2 class",
        "warning",
        "p align",
        "allow",
        "advanced",
        "use kerberos",
        "save",
        "max clients",
        "maximum",
        "metadata",
        "documents",
        "max log",
        "img src",
        "width",
        "height",
        "align",
        "absmiddle",
        "indicator",
        "status",
        "printername",
        "idle",
        "edit",
        "cupsdconf",
        "error",
        "blockquote",
        "unknown",
        "h3 class",
        "jobs",
        "help jobs",
        "helptitle",
        "qtext",
        "topic",
        "bmtext",
        "qptext",
        "cups",
        "search",
        "online help",
        "documents all",
        "hold job",
        "server default",
        "shared",
        "test page",
        "pause class",
        "accept jobs",
        "move all",
        "jobs cancel",
        "all jobs",
        "class delete",
        "cancel",
        "move job",
        "destination",
        "release",
        "reprint",
        "action",
        "method",
        "name user",
        "size pages",
        "state control",
        "jobid",
        "withheld",
        "held",
        "change settings",
        "label",
        "input type",
        "select name",
        "multiple size",
        "option",
        "inches feet",
        "table",
        "submit",
        "set default",
        "prev",
        "next",
        "last",
        "accept",
        "options",
        "default",
        "delete printer",
        "form action",
        "pause",
        "reject",
        "resume",
        "print",
        "self test",
        "pause printer",
        "location make",
        "model status",
        "test",
        "please stand",
        "allowed users",
        "prevent",
        "whichjobs",
        "standard rom",
        "standard",
        "copyright",
        "standard font",
        "cups ppd",
        "easy software",
        "apache license",
        "license",
        "symbol special",
        "deskjet",
        "cups sample",
        "hplaserjet",
        "laserjet",
        "hpdeskjet",
        "hpdeskjet2",
        "epson",
        "stylus color",
        "stylus photo",
        "escp",
        "epson9pin",
        "zebra",
        "dymo3x0",
        "dymo",
        "labelwriter",
        "advance",
        "leading",
        "move",
        "black",
        "gold",
        "rotate",
        "never",
        "cyan",
        "yellow",
        "turn",
        "long edge",
        "edge",
        "oversize",
        "address",
        "b1jis b1",
        "adobe",
        "small",
        "image",
        "apple mime",
        "xhtml",
        "pict string",
        "cgimageio",
        "radiance",
        "fujifilm",
        "preview",
        "os x",
        "colorsync",
        "airprint",
        "do not",
        "this file",
        "it is",
        "you install",
        "versions of",
        "base mime",
        "format",
        "postscript",
        "language",
        "pattern match",
        "ras2",
        "pwgraster",
        "comment",
        "attr",
        "group",
        "attr language",
        "attr integer",
        "attr name",
        "attributes",
        "attr keyword",
        "post",
        "resource admin",
        "operation",
        "group operation",
        "create",
        "withvalue",
        "display",
        "d recipienturi",
        "expect",
        "tv d",
        "member",
        "createjob",
        "senddocument",
        "create faxout",
        "get list",
        "display jobname",
        "cupsgetdevices",
        "get job",
        "expect jobstate",
        "job template",
        "get printer",
        "cupsgetppd",
        "cupsgetppds",
        "get ppd",
        "attr text",
        "product",
        "psversion",
        "version",
        "message",
        "hello",
        "cupsgetprinters",
        "beep",
        "sound",
        "count",
        "ingroup",
        "oftype keyword",
        "oftype integer",
        "oftype text",
        "oftype charset",
        "oftype enum",
        "az09",
        "withallvalues",
        "mediaregex",
        "oftype",
        "print file",
        "printjob",
        "test printjob",
        "file",
        "ippurischeme",
        "member integer",
        "print test",
        "printuri",
        "post resource",
        "validatejob",
        "validate",
        "printjob group",
        "repeatmatch",
        "choice",
        "envelope",
        "resolution",
        "modelname",
        "inputslot",
        "pcfilename",
        "modelnumber",
        "attribute",
        "false",
        "darkness",
        "media",
        "generic",
        "mark",
        "dark",
        "tear",
        "cupsbanner show",
        "header printer",
        "footer printer",
        "notice cups",
        "header cover",
        "page footer",
        "cover page",
        "header top",
        "secret footer",
        "top secret",
        "header secret",
        "footer secret",
        "vzefibootloader",
        "nsunavailable",
        "virtualization",
        "base class",
        "vzbootloader",
        "network device",
        "initialize",
        "host network",
        "property",
        "return",
        "define",
        "nsarray",
        "bsd name",
        "ethernet",
        "vzconsoledevice",
        "console port",
        "defines",
        "a directory",
        "vzexport extern",
        "apiavailable",
        "bool",
        "nsenum",
        "nsinteger",
        "local file",
        "raw format",
        "nsurl",
        "nserror",
        "file handle",
        "storage device",
        "nserror error",
        "nsfilehandle",
        "boot loader",
        "efi rom",
        "efi boot",
        "vzerrorcode",
        "vzerrordomain",
        "error type",
        "nserror domain",
        "vzerrorsave",
        "nbd server",
        "nbd client",
        "nsoptions",
        "nsuinteger",
        "nsswiftname",
        "nvram",
        "write",
        "sorcvbuf",
        "sosndbuf",
        "mtu value",
        "data",
        "data sent",
        "true",
        "graphics",
        "intel",
        "indicate",
        "enable",
        "nsdata",
        "opaque",
        "host audio",
        "host output",
        "host input",
        "cgsize",
        "new display",
        "protocol",
        "unix domain",
        "socket",
        "rosetta",
        "caching",
        "rosetta daemon",
        "nsstring",
        "abstract socket",
        "rosetta support",
        "linux",
        "arm64",
        "availability",
        "download",
        "vzmacaddress",
        "mac address",
        "a vzmacaddress",
        "linux kernel",
        "ram disk",
        "linux boot",
        "a mac",
        "configuration",
        "mac hardware",
        "describes",
        "mac platform",
        "mac keyboard",
        "usb keyboard",
        "mac machine",
        "apple silicon",
        "rosetta runtime",
        "nsobject",
        "handle",
        "init",
        "url property",
        "whether",
        "recovery",
        "block",
        "nullable",
        "load",
        "mac trackpad",
        "usb pointing",
        "cpus",
        "overwrite",
        "nsdictionary",
        "directory share",
        "check",
        "namemax",
        "vznetworkdevice",
        "nbd url",
        "nbd uniform",
        "nbd protocol",
        "url error",
        "nat attachment",
        "a network",
        "nvm express",
        "nsscreen",
        "nssize",
        "serial port",
        "directory",
        "spice agent",
        "spice guest",
        "a console",
        "vzsocketdevice",
        "vzstoragedevice",
        "vzexport",
        "usb controller",
        "vzusbcontroller",
        "usb device",
        "device uuid",
        "nsuuid uuid",
        "usb mass",
        "vzusbdevice",
        "virtio block",
        "device",
        "storage storage",
        "virtio console",
        "delegate object",
        "a class",
        "extra care",
        "virtio entropy",
        "nsstring name",
        "array",
        "virtio file",
        "system device",
        "discussion",
        "nsstring tag",
        "port",
        "bool isconsole",
        "a virtio",
        "virtio graphics",
        "virtio gpu",
        "virtio",
        "port array",
        "utf8",
        "virtio network",
        "macaddress",
        "virtio socket",
        "close",
        "does nothing",
        "virtio sound",
        "nsarray streams",
        "pointer",
        "device input",
        "a pcm",
        "audio stream",
        "source",
        "sink",
        "device output",
        "device stream",
        "memory balloon",
        "target memory",
        "return yes",
        "start",
        "stop",
        "usb xhci",
        "automatically",
        "nsview",
        "virtual machine",
        "cpucount",
        "verify",
        "apple swift",
        "o librarylevel",
        "swift",
        "cachingoptions",
        "vzaudiodevice",
        "vzdebugstub",
        "swiftname",
        "targetosiphone",
        "targetososx",
        "targetosios",
        "apple computer",
        "targetostv",
        "targetosvision",
        "targetostvos",
        "targetosxr",
        "vtbaseh",
        "vtint32point",
        "vtint32size",
        "iphonena",
        "apiunavailable",
        "vtexport const",
        "abstract",
        "cfstringref",
        "readwrite",
        "cfnumber",
        "cfboolean",
        "optional",
        "null",
        "macos",
        "cmnullable",
        "pass null",
        "call",
        "video toolbox",
        "contains",
        "cmtime duration",
        "cvimagebuffer",
        "vterrorsh",
        "cfoptions",
        "12914",
        "uint32",
        "osstatus",
        "12900",
        "12901",
        "12902",
        "12903",
        "17690",
        "vtexport",
        "encoder",
        "zero",
        "alpha",
        "requires",
        "cmsamplebuffer",
        "prototype",
        "osstatus status",
        "cfrelease",
        "cvpixelbuffer",
        "iosurface",
        "hdr metadata",
        "hdr per",
        "frame metadata",
        "cf type",
        "cfretain",
        "a mechanism",
        "cmbridgedtype",
        "interface",
        "specifies",
        "a reference",
        "pixel rotation",
        "session",
        "a pixel",
        "cf object",
        "vtframesilo",
        "returns",
        "vtframesiloh",
        "vtframesiloref",
        "pass",
        "pixel transfer",
        "vtexport void",
        "media extension",
        "video raw",
        "processors",
        "standard video",
        "metal device",
        "metal",
        "rawprocessors",
        "cfstring",
        "copy",
        "vtsessionh",
        "cfdictionaryref",
        "apis",
        "vtsessionref",
        "raw processor",
        "a cfdictionary",
        "cfswiftname",
        "vtutilitiesh",
        "cgimage",
        "builds",
        "cfarrayref",
        "raw processing",
        "list",
        "list element",
        "cfdictionaries",
        "skipper",
        "vdspdftexecute",
        "vdspdftexecuted",
        "vdspdftzop",
        "vdspfft16copv",
        "vdspfft16zopv",
        "vdspfft32copv",
        "vdspfft32zopv",
        "vdspbiquad",
        "vdspbiquadd",
        "vdspbiquadm",
        "project version",
        "created",
        "elana stettin",
        "apple",
        "swextern",
        "title",
        "typedef",
        "param",
        "nsstring title",
        "represents",
        "nsitemprovider",
        "const",
        "swhidden extern",
        "swdefines",
        "swextern extern",
        "sha256 hash",
        "merkle tree",
        "sociallayer",
        "swperson",
        "devin clary",
        "swaction",
        "sbappcontext",
        "sbapplocator",
        "sbapplication",
        "sbelementarray",
        "sbobject",
        "scriptingbridge",
        "objecttype",
        "finder",
        "bridge",
        "index",
        "apple event",
        "target",
        "urls",
        "locator",
        "scripting",
        "desctype",
        "receiver",
        "track",
        "code",
        "sccontentfilter",
        "bgra format",
        "rgha format",
        "const nonnull",
        "nserrorenum",
        "nsurl outputurl",
        "avfiletypempeg4",
        "provides",
        "scwindow",
        "scdisplay",
        "cgrect frame",
        "bool indicating",
        "pixel",
        "scstream",
        "control center",
        "takes",
        "cfdictionary",
        "rbhash",
        "initvmrandom",
        "initvmtranscode",
        "initarray",
        "initbarevm",
        "initbignum",
        "initcomplex",
        "initcont",
        "initdir",
        "initfile",
        "libxml",
        "require",
        "cfpropertylist",
        "xml parser",
        "libxmlparser",
        "xml file",
        "plist",
        "cfplisterror",
        "exception",
        "format error",
        "easy",
        "kruse",
        "mit license",
        "standarderror",
        "cfformaterror",
        "cftypeerror",
        "nokogiri",
        "parserinterface",
        "cftype",
        "cfdate",
        "cfinteger",
        "blob",
        "ruby string",
        "uidfixnum",
        "ruby integer",
        "date",
        "format constant",
        "formatbinary",
        "formatxml",
        "magicnumber",
        "enumerator",
        "cfdata",
        "ruby",
        "example",
        "john",
        "path",
        "plainparser",
        "ascii",
        "cfreal",
        "importplain",
        "escapechar",
        "read",
        "length",
        "utf16be",
        "cfarray",
        "offsetsize",
        "integer",
        "rexml",
        "rexmlparser",
        "float",
        "appledtd plist",
        "dom node",
        "prefix",
        "config",
        "item",
        "bindir",
        "libruby",
        "rubypath",
        "fileoperations",
        "arch",
        "installer",
        "template",
        "install",
        "major",
        "yesno",
        "todo",
        "kwargs",
        "makefiles",
        "miniportile",
        "cmakecmd",
        "configure",
        "cmakefile",
        "cmake",
        "keyringname",
        "debug",
        "targetos",
        "ldflags",
        "gpgexe",
        "digest",
        "stdout",
        "patch",
        "installerror",
        "savefile",
        "task",
        "packages",
        "dlext",
        "minero aoki",
        "rubyversion",
        "loaderror",
        "sqlite3",
        "was sqlite3",
        "apiobjects",
        "database",
        "pragmas",
        "resultset",
        "sqlite3ruby faq",
        "sqliteruby faq",
        "value klass",
        "qnil",
        "sqliteok",
        "sqliteerror",
        "sqliteinternal",
        "sqliteperm",
        "sqliteabort",
        "sqlitebusy",
        "sqlitelocked",
        "datagetstruct",
        "int2num",
        "main",
        "done",
        "stringvalueptr",
        "note",
        "sqlite3ruby",
        "sqlite3rubyptr",
        "unused",
        "gnuc",
        "lclint",
        "usasciip",
        "utf8p",
        "utf16lep",
        "utf16le",
        "utf16bep",
        "sqlite3stmtruby",
        "rubyplatform",
        "darwin",
        "rcarchs",
        "libpkgconfig",
        "pkgconfigpath",
        "pkgconf",
        "mswin",
        "cflags",
        "install sqlite3",
        "int2fix",
        "rbignumlen",
        "sizeofbdigits",
        "charbit",
        "bdigit",
        "bmax",
        "value unused",
        "sqliteopenuri",
        "open",
        "requireopendb",
        "nilp",
        "qtrue",
        "id2sym",
        "requireopenstmt",
        "donep",
        "rstringlen",
        "num2int",
        "attrs",
        "deal",
        "xsd module",
        "xmlparser",
        "nokogiri xml",
        "simply",
        "rubyengine",
        "slop decorator",
        "css3 selector",
        "xpath",
        "nokogiri class",
        "parse",
        "html",
        "xml document",
        "0x30",
        "0x41",
        "0x61",
        "gumbogentable",
        "gumboasciicntrl",
        "gumboasciispace",
        "gumboasciidigit",
        "constfn",
        "gumboasciih",
        "gumboasciialpha",
        "gumboasciialnum",
        "c0 control",
        "gumbocharrefh",
        "gumboattributeh",
        "gumboattribute",
        "craig barnes",
        "google inc",
        "as is",
        "basis",
        "or conditions",
        "any kind",
        "gumboerrorh",
        "gumbotag",
        "additional",
        "gumbovector",
        "encoding",
        "gumboerrparser",
        "gumboerrortype",
        "html tag",
        "minwordlength",
        "maxwordlength",
        "maxhashvalue",
        "ansic code",
        "m100 n",
        "computed",
        "totalkeywords",
        "minhashvalue",
        "doctype",
        "capacity",
        "doctype system",
        "sourcelength",
        "sourcetext",
        "silence",
        "html5",
        "a struct",
        "text",
        "gumbo",
        "gumboh",
        "anything",
        "gumboparserh",
        "output",
        "library",
        "oopstyle",
        "gumboparser",
        "const localname",
        "string",
        "ietfdtd html",
        "w3cdtd html",
        "level",
        "html strict",
        "terminator",
        "final",
        "buffer",
        "gnucatleast",
        "hasattribute",
        "macrosh",
        "printf",
        "returnsnonnull",
        "win32",
        "unusedifndebug",
        "malloc",
        "pure",
        "m100",
        "gumbotaglookuph",
        "gumbotag tag",
        "taghashslot",
        "gumbotagunknown",
        "gumbotokentypeh",
        "gumbotokencdata",
        "gumbotokennull",
        "gumbotokeneof",
        "gumbotokentype",
        "gumbotaglast",
        "position",
        "gumbotokenizerh",
        "struct",
        "gumbotoken",
        "spec",
        "stack",
        "emittoken",
        "continue",
        "current",
        "utf8iterator",
        "utf8accept",
        "parser",
        "html5 spec",
        "rest",
        "gumboutf8h",
        "unicode code",
        "html5 parser",
        "utf8 decoding",
        "func",
        "gumbodebug",
        "gumboutilh",
        "utility",
        "debug wrapper",
        "script",
        "attribute value",
        "comment end",
        "doctype name",
        "cdata section",
        "rcdata end",
        "rawtext end",
        "initialcapacity",
        "gumboalloc",
        "vector",
        "memmove",
        "gumbovectorh",
        "initializes",
        "ownership",
        "stringvaluecstr",
        "rtest",
        "xmlchar",
        "html document",
        "nokogiristrnew2",
        "html4",
        "value get",
        "qfalse",
        "a list",
        "value list",
        "attrsdepr",
        "attrsopt",
        "chunk",
        "pushparser",
        "xmlsax",
        "value chunk",
        "w3c dom",
        "xmlelementnode",
        "finds",
        "qundef",
        "value val",
        "value args",
        "value exc",
        "libxml2patches",
        "rbconfig",
        "packagerootdir",
        "cppflags",
        "libs",
        "dldflags",
        "nokogiri test",
        "attributedecl",
        "defaultvalue",
        "atype",
        "tree",
        "ctxt",
        "noreturn",
        "xmldocptr doc",
        "private",
        "nokogirinative",
        "nokogiristrnew",
        "xmldoc",
        "value setvalue",
        "value content",
        "xmlchar value",
        "xmlnode cur",
        "content",
        "cdata",
        "cdata element",
        "value argv",
        "value rbnode",
        "document",
        "value document",
        "value getname",
        "pcdata",
        "element",
        "mult",
        "datawrapstruct",
        "value ctxtval",
        "mydoc",
        "userdata",
        "encodinghandler",
        "value key",
        "delete",
        "elementdecl",
        "id iddocument",
        "etype",
        "value prefix",
        "orig",
        "externalid",
        "systemid",
        "nodenr",
        "xmlnodeset",
        "nodeset",
        "nodetab",
        "xmldtd",
        "value hash",
        "publicid",
        "notation",
        "hash",
        "rbfuncall",
        "parseargs",
        "xmlnode",
        "without",
        "href",
        "xmlns",
        "namespace node",
        "nodes",
        "value rbreader",
        "relaxng schema",
        "relaxng",
        "value name",
        "nokogirisaxself",
        "rbivget",
        "rbstrorqnil",
        "xmlchar name",
        "xmlparserctxt",
        "text element",
        "value string",
        "schema",
        "xmlschema",
        "context",
        "stringval",
        "wrapper",
        "emp0001n",
        "emp0002n",
        "xslt",
        "handler",
        "handlerstate",
        "checktype",
        "tarray",
        "id documentid",
        "comment element",
        "node",
        "first",
        "prop",
        "typeerror",
        "gc",
        "pkpublicchannel",
        "pkpushpayload",
        "pkpushregistry",
        "pkpushtypevoip",
        "pushkit",
        "object",
        "pkpushtype type",
        "forward",
        "http",
        "apple push",
        "pkexport extern",
        "nsstringenum",
        "payload data",
        "voip",
        "json format",
        "callkit",
        "pkpushtype",
        "framework",
        "apps",
        "push",
        "odsessioncreate",
        "odattributemap",
        "odconfiguration",
        "odcontext",
        "odmappings",
        "odmoduleentry",
        "odnode",
        "odquery",
        "odrecord",
        "odrecordmap",
        "nsavailablemac",
        "original code",
        "nsstring value",
        "custom",
        "modifications",
        "apple public",
        "source license",
        "of any",
        "nsavailable",
        "nsrunloop",
        "objc",
        "sets",
        "odsession",
        "sfauthorization",
        "will",
        "odsessionref",
        "cfexport",
        "odqueryref",
        "odnoderef",
        "cfexport bool",
        "odrecordref",
        "cfdataref",
        "cfexport const",
        "utf8 encoding",
        "odattributetype",
        "odrecordtype",
        "attribute type",
        "local",
        "realm",
        "cftyperef",
        "odnodegetdsref",
        "odnodegettypeid",
        "odrecorddelete",
        "odtriggercancel",
        "odnodeinit",
        "odquerycreate",
        "odqueryinit",
        "odsessioninit",
        "albuffer3i",
        "albufferdata",
        "albufferf",
        "albufferfv",
        "albufferi",
        "albufferiv",
        "aldistancemodel",
        "aldopplerfactor",
        "algetbooleanv",
        "algetbuffer3f",
        "alcapi",
        "alcapientry",
        "alcboolean",
        "targetosmac",
        "alcdevice",
        "alcenum param",
        "alalch",
        "alcchar",
        "alcsizei",
        "capture",
        "alenum param",
        "alapi",
        "aluint sid",
        "alfloat",
        "aluint bid",
        "alsizei",
        "alint",
        "alfloat value",
        "alapientry",
        "aluint",
        "play",
        "speed",
        "bits",
        "alutapi alvoid",
        "alvoid data",
        "alsizei size",
        "alsizei freq",
        "gnu library",
        "general public",
        "aluth",
        "alenum format",
        "openalopenalh",
        "umbrella header",
        "alvoid",
        "openal",
        "alvoid nonnull",
        "alenum",
        "roger beep",
        "sendable",
        "preconcurrency",
        "rawvalue",
        "network import",
        "failure",
        "service",
        "must",
        "number",
        "stride",
        "brief",
        "descriptor",
        "matrix",
        "mtlpackedfloat3",
        "infinity",
        "metalversion",
        "minimum point",
        "maximum point",
        "interpolation",
        "translation",
        "offset",
        "acceleration",
        "declare",
        "prior",
        "insert",
        "nonnull",
        "nsrange",
        "mtldevice",
        "t argname",
        "mtlstructtype",
        "mtlarraytype",
        "mtltype",
        "mtlpointertype",
        "instance",
        "methodkind",
        "swiftprivate",
        "mtlbuffer",
        "nullability",
        "mtlcommandqueue",
        "mtlresource",
        "mtlresidencyset",
        "command encoder",
        "individual",
        "mtlexport",
        "xcode",
        "gpu trace",
        "apideprecated",
        "mtlcapturescope",
        "remarks",
        "mtlallocation",
        "metal command",
        "mtldispatchtype",
        "mtlorigin",
        "mtlsize",
        "mtlblitoption",
        "flush",
        "gpu work",
        "marks",
        "specify",
        "mtlinline",
        "mtlintern",
        "stdcversion",
        "mtlextern",
        "definition",
        "inline",
        "nsstring label",
        "stencil",
        "defaults",
        "allocate",
        "typical",
        "nsprocessinfo",
        "mtldrawable",
        "present",
        "cftimeinterval",
        "gpustarttime",
        "gpuendtime",
        "mtlcountersh",
        "mtlcounter",
        "mtlcounterset",
        "mtllibrary",
        "a container",
        "mtlfence",
        "mtldatatype",
        "default usage",
        "mtlfunction",
        "mtllogcontainer",
        "mtlsharedevent",
        "mtlevent",
        "synchronously",
        "a function",
        "cpu cache",
        "requiredsize",
        "behavior",
        "mtlheap",
        "query device",
        "dispatch",
        "metal shading",
        "language guide",
        "raytriangle",
        "vends",
        "groups",
        "encodes",
        "mtliofilehandle",
        "mtlextern sizet",
        "mtlextern void",
        "mtlstoreaction",
        "mtlloglevel",
        "enum",
        "mtlmutability",
        "astcetc2bc",
        "normal",
        "astc",
        "clamptoedge",
        "depth",
        "mtlcoordinate2d",
        "nsnumber",
        "controls",
        "mtlclearcolor",
        "adds",
        "mtlregion",
        "cpu mapping",
        "mtltexture",
        "mtlindextype",
        "filter option",
        "clamp",
        "mtlrenderstages",
        "draw",
        "mtlstepfunction",
        "vertex",
        "compute",
        "gpu resource",
        "nsuinteger x",
        "identify",
        "nsuinteger y",
        "nsuinteger z",
        "mtlsize size",
        "mtlvertexformat",
        "nsuintegermax",
        "mtlpixelformat",
        "mtltexturetype",
        "slice",
        "swiftui",
        "coregraphics",
        "swift import",
        "previewregistry",
        "libraryitem",
        "category",
        "dict",
        "apple root",
        "code signing",
        "public",
        "uus10u",
        "GUANGZHOU FIVE SIX TECHNOLOGY",
        "Havana Syndrome",
        "Aishah Lazim",
        "Al-Arqam",
        "Brooklyn"
      ],
      "references": [
        "httpd.exp",
        "metadata.json",
        "add-class.tmpl",
        "choose-make.tmpl",
        "choose-model.tmpl",
        "choose-device.tmpl",
        "add-printer.tmpl",
        "choose-serial.tmpl",
        "class-added.tmpl",
        "choose-uri.tmpl",
        "class-confirm.tmpl",
        "admin.tmpl",
        "class-deleted.tmpl",
        "class-modified.tmpl",
        "classes-header.tmpl",
        "command.tmpl",
        "classes.tmpl",
        "edit-config.tmpl",
        "error-op.tmpl",
        "class-jobs-header.tmpl",
        "error.tmpl",
        "header.tmpl",
        "help-header.tmpl",
        "help-printable.tmpl",
        "help-trailer.tmpl",
        "job-hold.tmpl",
        "class.tmpl",
        "job-cancel.tmpl",
        "job-move.tmpl",
        "job-moved.tmpl",
        "job-release.tmpl",
        "job-restart.tmpl",
        "list-available-printers.tmpl",
        "jobs.tmpl",
        "norestart.tmpl",
        "option-boolean.tmpl",
        "option-header.tmpl",
        "option-conflict.tmpl",
        "option-pickmany.tmpl",
        "option-pickone.tmpl",
        "modify-printer.tmpl",
        "option-trailer.tmpl",
        "pager.tmpl",
        "printer-cancel-jobs.tmpl",
        "printer-added.tmpl",
        "printer-accept.tmpl",
        "printer-configured.tmpl",
        "printer-default.tmpl",
        "printer-confirm.tmpl",
        "printer-deleted.tmpl",
        "printer-jobs-header.tmpl",
        "printer-modified.tmpl",
        "jobs-header.tmpl",
        "printer-stop.tmpl",
        "modify-class.tmpl",
        "printer-reject.tmpl",
        "printers-header.tmpl",
        "printer-start.tmpl",
        "printer.tmpl",
        "printers.tmpl",
        "set-printer-options-trailer.tmpl",
        "test-page.tmpl",
        "restart.tmpl",
        "users.tmpl",
        "set-printer-options-header.tmpl",
        "search.tmpl",
        "trailer.tmpl",
        "font.defs",
        "hp.h",
        "epson.h",
        "label.h",
        "raster.defs",
        "media.defs",
        "apple.types",
        "apple.convs",
        "mime.convs",
        "mime.types",
        "cancel-current-job.test",
        "create-job-sheets.test",
        "create-job.test",
        "create-job-format.test",
        "create-job-timeout.test",
        "create-printer-subscription.test",
        "cups-create-local-printer.test",
        "fax-job.test",
        "get-completed-jobs.test",
        "get-devices.test",
        "get-job-attributes.test",
        "get-job-attributes2.test",
        "get-notifications.test",
        "get-jobs.test",
        "get-job-template-attributes.test",
        "get-ppd-printer.test",
        "get-ppds-drv-only.test",
        "get-ppd.test",
        "get-ppds-make-and-model.test",
        "get-ppds-make.test",
        "get-ppds-product.test",
        "get-ppds-psversion.test",
        "get-ppds-language.test",
        "get-printer-description-attributes.test",
        "get-ppds.test",
        "get-printer-attributes.test",
        "get-subscriptions.test",
        "identify-printer-display.test",
        "get-printers-printer-id.test",
        "identify-printer-multiple.test",
        "get-printers.test",
        "identify-printer.test",
        "get-printer-attributes-suite.test",
        "ipp-2.0.test",
        "ipp-2.2.test",
        "ipp-backend.test",
        "ipp-2.1.test",
        "print-job-and-wait.test",
        "print-job-deflate.test",
        "print-job-hold.test",
        "print-job-gzip.test",
        "ipp-1.1.test",
        "print-job-manual.test",
        "print-job-password.test",
        "print-job.test",
        "print-job-media-col.test",
        "print-uri.test",
        "print-job-letter.test",
        "set-attrs-hold.test",
        "validate-job.test",
        "ipp-everywhere.test",
        "sample.drv",
        "testprint",
        "classified",
        "standard",
        "topsecret",
        "secret",
        "confidential",
        "unclassified",
        "ntp_opendirectory.conf",
        "ntp.conf",
        "notify.conf",
        "nfs.conf",
        "nsmb.conf",
        "xtab",
        "6015FED9-D723-4332-87D9-C478CF341407.aamdownload",
        "AuraService-fda-test",
        "com.adobe.acrobat.rna.AcroCefBrowserLock.DC",
        "ExmanProcessMutex",
        "proxy.xml",
        "A53749AF-3855-4842-A1E7-4AEFA60BD2AC",
        "XPdb-wal",
        "VZBootLoader.h",
        "VZAudioInputStreamSource.h",
        "VZBridgedNetworkDeviceAttachment.h",
        "VZAudioOutputStreamSink.h",
        "VZBridgedNetworkInterface.h",
        "VZConsoleDeviceConfiguration.h",
        "VZConsoleDevice.h",
        "VZConsolePortConfiguration.h",
        "VZDirectorySharingDevice.h",
        "VZDirectoryShare.h",
        "VZDefines.h",
        "VZDiskImageStorageDeviceAttachment.h",
        "VZDiskSynchronizationMode.h",
        "VZDiskBlockDeviceStorageDeviceAttachment.h",
        "Virtualization.h",
        "VZDirectorySharingDeviceConfiguration.h",
        "VZEntropyDeviceConfiguration.h",
        "VZEFIBootLoader.h",
        "VZError.h",
        "VZEFIVariableStore.h",
        "VZFileHandleNetworkDeviceAttachment.h",
        "VZFileHandleSerialPortAttachment.h",
        "VZFileSerialPortAttachment.h",
        "VZGraphicsDevice.h",
        "VZGenericPlatformConfiguration.h",
        "VZGenericMachineIdentifier.h",
        "VZGraphicsDeviceConfiguration.h",
        "VZGraphicsDisplayConfiguration.h",
        "VZHostAudioOutputStreamSink.h",
        "VZKeyboardConfiguration.h",
        "VZHostAudioInputStreamSource.h",
        "VZGraphicsDisplay.h",
        "VZAudioDeviceConfiguration.h",
        "VZLinuxRosettaUnixSocketCachingOptions.h",
        "VZLinuxRosettaAbstractSocketCachingOptions.h",
        "VZLinuxRosettaDirectoryShare.h",
        "VZMACAddress.h",
        "VZLinuxBootLoader.h",
        "VZMacGraphicsDevice.h",
        "VZMacGraphicsDisplay.h",
        "VZMacGraphicsDeviceConfiguration.h",
        "VZMacHardwareModel.h",
        "VZMacKeyboardConfiguration.h",
        "VZMacMachineIdentifier.h",
        "VZMacOSBootLoader.h",
        "VZLinuxRosettaCachingOptions.h",
        "VZMacOSInstaller.h",
        "VZMacOSVirtualMachineStartOptions.h",
        "VZMacOSRestoreImage.h",
        "VZMacTrackpadConfiguration.h",
        "VZMacOSConfigurationRequirements.h",
        "VZMemoryBalloonDevice.h",
        "VZMemoryBalloonDeviceConfiguration.h",
        "VZMacAuxiliaryStorage.h",
        "VZMultipleDirectoryShare.h",
        "VZMacPlatformConfiguration.h",
        "VZNetworkDevice.h",
        "VZNetworkBlockDeviceStorageDeviceAttachment.h",
        "VZNATNetworkDeviceAttachment.h",
        "VZNetworkDeviceAttachment.h",
        "VZPlatformConfiguration.h",
        "VZPointingDeviceConfiguration.h",
        "VZNetworkDeviceConfiguration.h",
        "VZSharedDirectory.h",
        "VZSerialPortAttachment.h",
        "VZNVMExpressControllerDeviceConfiguration.h",
        "VZMacGraphicsDisplayConfiguration.h",
        "VZSerialPortConfiguration.h",
        "VZSingleDirectoryShare.h",
        "VZSpiceAgentPortAttachment.h",
        "VZSocketDeviceConfiguration.h",
        "VZSocketDevice.h",
        "VZStorageDevice.h",
        "VZStorageDeviceAttachment.h",
        "VZStorageDeviceConfiguration.h",
        "VZUSBControllerConfiguration.h",
        "VZUSBDeviceConfiguration.h",
        "VZUSBMassStorageDevice.h",
        "VZUSBKeyboardConfiguration.h",
        "VZUSBController.h",
        "VZUSBDevice.h",
        "VZVirtioBlockDeviceConfiguration.h",
        "VZUSBScreenCoordinatePointingDeviceConfiguration.h",
        "VZUSBMassStorageDeviceConfiguration.h",
        "VZVirtioConsoleDevice.h",
        "VZVirtioConsoleDeviceConfiguration.h",
        "VZVirtioConsoleDeviceSerialPortConfiguration.h",
        "VZVirtioEntropyDeviceConfiguration.h",
        "VZVirtioConsolePort.h",
        "VZVirtioConsolePortConfigurationArray.h",
        "VZVirtioFileSystemDevice.h",
        "VZVirtioConsolePortConfiguration.h",
        "VZVirtioGraphicsDevice.h",
        "VZVirtioGraphicsDeviceConfiguration.h",
        "VZVirtioGraphicsScanout.h",
        "VZVirtioGraphicsScanoutConfiguration.h",
        "VZVirtioConsolePortArray.h",
        "VZVirtioFileSystemDeviceConfiguration.h",
        "VZVirtioNetworkDeviceConfiguration.h",
        "VZVirtioSocketConnection.h",
        "VZVirtioSocketDevice.h",
        "VZVirtioSoundDeviceConfiguration.h",
        "VZVirtioSocketListener.h",
        "VZVirtioSoundDeviceInputStreamConfiguration.h",
        "VZVirtioSocketDeviceConfiguration.h",
        "VZVirtioSoundDeviceOutputStreamConfiguration.h",
        "VZVirtioSoundDeviceStreamConfiguration.h",
        "VZVirtioTraditionalMemoryBalloonDeviceConfiguration.h",
        "VZVirtualMachineDelegate.h",
        "VZVirtualMachineStartOptions.h",
        "VZVirtioTraditionalMemoryBalloonDevice.h",
        "VZVirtualMachine.h",
        "VZXHCIControllerConfiguration.h",
        "VZVirtualMachineView.h",
        "VZVirtualMachineConfiguration.h",
        "VZXHCIController.h",
        "x86_64-apple-macos.swiftinterface",
        "arm64e-apple-macos.swiftinterface",
        "module.modulemap",
        "Virtualization.tbd",
        "VideoToolbox.apinotes",
        "VideoToolbox.h",
        "VTBase.h",
        "VTDecompressionProperties.h",
        "VTCompressionSession.h",
        "VTErrors.h",
        "VTCompressionProperties.h",
        "VTDecompressionSession.h",
        "VTHDRPerFrameMetadataGenerationSession.h",
        "VTMultiPassStorage.h",
        "VTPixelRotationSession.h",
        "VTFrameSilo.h",
        "VTPixelRotationProperties.h",
        "VTPixelTransferSession.h",
        "VTProfessionalVideoWorkflow.h",
        "VTRAWProcessingProperties.h",
        "VTPixelTransferProperties.h",
        "VTSession.h",
        "VTUtilities.h",
        "VTVideoEncoderList.h",
        "VTRAWProcessingSession.h",
        "libvDSP.tbd",
        "SharedWithYouCore.h",
        "SWAction.h",
        "SWCollaborationActionHandler.h",
        "SWCollaborationCoordinator.h",
        "SWCollaborationMetadata.h",
        "SWCollaborationOption.h",
        "SWCollaborationOptionsPickerGroup.h",
        "SWCollaborationOptionsGroup.h",
        "SWCollaborationShareOptions.h",
        "SWDefines.h",
        "SWPersonIdentity.h",
        "SWPerson.h",
        "SWStartCollaborationAction.h",
        "SWPersonIdentityProof.h",
        "SWUpdateCollaborationParticipantsAction.h",
        "SharedWithYouCore.tbd",
        "ScriptingBridge.tbd",
        "SBElementArray.h",
        "ScriptingBridge.apinotes",
        "ScriptingBridge.h",
        "SBApplication.h",
        "SBObject.h",
        "SCScreenshotManager.h",
        "SCError.h",
        "SCRecordingOutput.h",
        "ScreenCaptureKit.h",
        "SCShareableContent.h",
        "SCContentSharingPicker.h",
        "SCStream.h",
        "Ruby.tbd",
        "rbLibXMLParser.rb",
        "rbCFPlistError.rb",
        "rbNokogiriParser.rb",
        "rbCFTypes.rb",
        "rbCFPropertyList.rb",
        "rbPlainCFPropertyList.rb",
        "rbBinaryCFPropertyList.rb",
        "rbREXMLParser.rb",
        "cfpropertylist.rb",
        "setup.rb",
        "libxml.rb",
        "xml.rb",
        "mini_portile_cmake.rb",
        "version.rb",
        "mini_portile.rb",
        "sqlite3.rb",
        "faq.rb",
        "exception.c",
        "backup.h",
        "backup.c",
        "database.h",
        "exception.h",
        "sqlite3_ruby.h",
        "statement.h",
        "extconf.rb",
        "sqlite3.c",
        "database.c",
        "statement.c",
        "nokogiri.rb",
        "ascii.c",
        "ascii.h",
        "char_ref.h",
        "attribute.h",
        "attribute.c",
        "error.h",
        "foreign_attrs.c",
        "insertion_mode.h",
        "error.c",
        "gumbo.h",
        "parser.h",
        "replacement.h",
        "parser.c",
        "string_buffer.h",
        "string_buffer.c",
        "string_piece.c",
        "macros.h",
        "svg_attrs.c",
        "tag_lookup.h",
        "svg_tags.c",
        "tag_lookup.c",
        "token_type.h",
        "tag.c",
        "token_buffer.h",
        "token_buffer.c",
        "tokenizer.h",
        "tokenizer.c",
        "utf8.c",
        "utf8.h",
        "util.c",
        "util.h",
        "tokenizer_states.h",
        "vector.c",
        "vector.h",
        "html4_document.c",
        "html4_entity_lookup.c",
        "html4_element_description.c",
        "html4_sax_push_parser.c",
        "libxml2_backwards_compat.c",
        "nokogiri.c",
        "test_global_handlers.c",
        "xml_attribute_decl.c",
        "nokogiri.h",
        "xml_attr.c",
        "xml_cdata.c",
        "xml_document_fragment.c",
        "xml_document.c",
        "xml_element_content.c",
        "html4_sax_parser_context.c",
        "xml_encoding_handler.c",
        "xml_element_decl.c",
        "xml_entity_decl.c",
        "xml_node_set.c",
        "xml_dtd.c",
        "gumbo.c",
        "xml_namespace.c",
        "xml_processing_instruction.c",
        "xml_reader.c",
        "xml_relax_ng.c",
        "xml_entity_reference.c",
        "xml_sax_parser.c",
        "xml_sax_push_parser.c",
        "xml_sax_parser_context.c",
        "xml_text.c",
        "xml_schema.c",
        "xml_xpath_context.c",
        "xslt_stylesheet.c",
        "xml_syntax_error.c",
        "xml_comment.c",
        "xml_node.c",
        "PushKit.tbd",
        "PKPushCredentials.h",
        "PKDefines.h",
        "PKPushPayload.h",
        "PushKit.h",
        "PKPushRegistry.h",
        "PushKit.apinotes",
        "OpenDirectory.tbd",
        "ODAttributeMap.h",
        "ODMappings.h",
        "NSOpenDirectory.h",
        "ODConfiguration.h",
        "ODQuery.h",
        "ODNode.h",
        "OpenDirectory.h",
        "ODRecordMap.h",
        "ODSession.h",
        "ODModuleEntry.h",
        "ODRecord.h",
        "CFODContext.h",
        "CFODSession.h",
        "CFOpenDirectory.h",
        "CFODQuery.h",
        "CFODNode.h",
        "CFODRecord.h",
        "CFOpenDirectoryConstants.h",
        "CFOpenDirectory.tbd",
        "OpenAL.tbd",
        "alc.h",
        "al.h",
        "alut.h",
        "OpenAL.h",
        "MacOSX_OALExtensions.h",
        "arm64e-apple-ios-macabi.swiftinterface",
        "x86_64-apple-ios-macabi.swiftinterface",
        "SwiftUI.swiftoverlay",
        "MTLAccelerationStructure.h",
        "Metal.h",
        "MTLAccelerationStructureTypes.h",
        "MTLAccelerationStructureCommandEncoder.h",
        "MTLArgumentEncoder.h",
        "MTLArgument.h",
        "MTLBinaryArchive.h",
        "Metal.apinotes",
        "MTLBlitPass.h",
        "MTLBuffer.h",
        "MTLCaptureManager.h",
        "MTLCaptureScope.h",
        "MTLAllocation.h",
        "MTLCommandEncoder.h",
        "MTLCommandBuffer.h",
        "MTLComputePass.h",
        "MTLBlitCommandEncoder.h",
        "MTLCommandQueue.h",
        "MTLDefines.h",
        "MTLDepthStencil.h",
        "MTLComputePipeline.h",
        "MTLDeviceCertification.h",
        "MTLDrawable.h",
        "MTLCounters.h",
        "MTLComputeCommandEncoder.h",
        "MTLDynamicLibrary.h",
        "MTLFence.h",
        "MTLFunctionConstantValues.h",
        "MTLFunctionDescriptor.h",
        "MTLFunctionLog.h",
        "MTLFunctionHandle.h",
        "MTLEvent.h",
        "MTLFunctionStitching.h",
        "MTLHeap.h",
        "MTLDevice.h",
        "MTLIndirectCommandBuffer.h",
        "MTLIntersectionFunctionTable.h",
        "MTLIOCommandQueue.h",
        "MTLLinkedFunctions.h",
        "MTLIOCommandBuffer.h",
        "MTLIOCompressor.h",
        "MTLParallelRenderCommandEncoder.h",
        "MTLLogState.h",
        "MTLPipeline.h",
        "MTLLibrary.h",
        "MTLPixelFormat.h",
        "MTLRasterizationRate.h",
        "MTLRenderPass.h",
        "MTLRenderPipeline.h",
        "MTLResidencySet.h",
        "MTLResourceStateCommandEncoder.h",
        "MTLResourceStatePass.h",
        "MTLResource.h",
        "MTLIndirectCommandEncoder.h",
        "MTLSampler.h",
        "MTLRenderCommandEncoder.h",
        "MTLStageInputOutputDescriptor.h",
        "MTLVisibleFunctionTable.h",
        "MTLTypes.h",
        "MTLVertexDescriptor.h",
        "MTLTexture.h",
        "WebKit.arm64e.bridgesupport",
        "WebKit.bridgesupport"
      ],
      "public": 1,
      "adversary": "DragonForce Hacker Group Malaysia",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "VZBootLoader",
          "display_name": "VZBootLoader",
          "target": null
        },
        {
          "id": "TypeError",
          "display_name": "TypeError",
          "target": null
        },
        {
          "id": "GC",
          "display_name": "GC",
          "target": null
        },
        {
          "id": "CFTypeRef",
          "display_name": "CFTypeRef",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1123",
          "name": "Audio Capture",
          "display_name": "T1123 - Audio Capture"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1485",
          "name": "Data Destruction",
          "display_name": "T1485 - Data Destruction"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1113",
          "name": "Screen Capture",
          "display_name": "T1113 - Screen Capture"
        },
        {
          "id": "T1135",
          "name": "Network Share Discovery",
          "display_name": "T1135 - Network Share Discovery"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1569",
          "name": "System Services",
          "display_name": "T1569 - System Services"
        },
        {
          "id": "T1016",
          "name": "System Network Configuration Discovery",
          "display_name": "T1016 - System Network Configuration Discovery"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1124",
          "name": "System Time Discovery",
          "display_name": "T1124 - System Time Discovery"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1550",
          "name": "Use Alternate Authentication Material",
          "display_name": "T1550 - Use Alternate Authentication Material"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1114",
          "name": "Email Collection",
          "display_name": "T1114 - Email Collection"
        },
        {
          "id": "T1564",
          "name": "Hide Artifacts",
          "display_name": "T1564 - Hide Artifacts"
        },
        {
          "id": "T1219",
          "name": "Remote Access Software",
          "display_name": "T1219 - Remote Access Software"
        },
        {
          "id": "T1119",
          "name": "Automated Collection",
          "display_name": "T1119 - Automated Collection"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1134",
          "name": "Access Token Manipulation",
          "display_name": "T1134 - Access Token Manipulation"
        },
        {
          "id": "T1176",
          "name": "Browser Extensions",
          "display_name": "T1176 - Browser Extensions"
        },
        {
          "id": "T1560",
          "name": "Archive Collected Data",
          "display_name": "T1560 - Archive Collected Data"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        }
      ],
      "industries": [
        "Media"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 49,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "ravescoutllc.",
        "id": "288912",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 346,
        "FileHash-SHA256": 272,
        "domain": 110,
        "hostname": 101,
        "email": 1,
        "CVE": 2,
        "FileHash-SHA1": 1
      },
      "indicator_count": 833,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 34,
      "modified_text": "528 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "66eb3ef6d765187a437767e4",
      "name": "Hijacked 'Operation Endgame' Tofsee  Ransomware",
      "description": "This a project. A target has been put into  different Operations: Project Hilo, Project Helix, Operation Endgame, The NSO Cellebrite Pegasus hit list. These are real and very serious serious threat. Severe Cyber issues made their way to her infected devices as well as the devices of family members. Death threats continue to come in. Several DoD IP addresses found in a PDF. It's unresearched at this time,, DoD via BGP HE has been questionable considering use gateway abuse by SWIPPER. \n\nStill no authority can confirm victim is a suspect. Must be a crazy high to help Jeffrey Scott Reiner PT. DPT  get away with assault in such a ridiculous manner. Court report posted online by Trellis (BS) is of course a falsified , vulnerability filled 'made you click'  document.. Faldif0, empty docmpty doc, citing  it was refreshed in 2023. \nThere is no doubt these  masqueraders mean to intimidate, humiliate, isolate & harm target. These people are not in China. False attribution is likely.  Attack is disseminates from USA.",
      "modified": "2024-10-18T20:04:41.836000",
      "created": "2024-09-18T20:58:30.691000",
      "tags": [
        "as8075",
        "united",
        "pid425870621",
        "tid700443057",
        "tpid425870621",
        "slot1",
        "mascore2",
        "bcnt1",
        "unid88000705",
        "nct1",
        "date",
        "china",
        "china unknown",
        "passive dns",
        "body xml",
        "error code",
        "requestid",
        "hostid ec",
        "server",
        "gmt content",
        "type",
        "registry",
        "intel",
        "ms windows",
        "show",
        "entries",
        "search",
        "high",
        "pe32",
        "high process",
        "injection t1055",
        "salicode",
        "worm",
        "copy",
        "tools",
        "service",
        "write",
        "win32",
        "persistence",
        "execution",
        "april",
        "urls",
        "http",
        "unique",
        "scan endpoints",
        "all scoreblue",
        "url http",
        "pulse pulses",
        "ip address",
        "related nids",
        "code",
        "as54113",
        "unknown",
        "body",
        "fastly error",
        "please",
        "sea p",
        "msil",
        "accept",
        "aaaa",
        "nxdomain",
        "whitelisted",
        "as15169 google",
        "status",
        "as44273 host",
        "as46691",
        "domain",
        "url https",
        "files location",
        "info",
        "script urls",
        "path max",
        "age86400 set",
        "cookie",
        "script domains",
        "javascript",
        "script script",
        "trojanspy",
        "cname",
        "emails",
        "servers",
        "all search",
        "related pulses",
        "file samples",
        "files matching",
        "creation date",
        "germany unknown",
        "yara detections",
        "filehash",
        "av detections",
        "ids detections",
        "alerts",
        "analysis date",
        "file score",
        "meta",
        "home welcome",
        "write c",
        "delete c",
        "query",
        "local",
        "hostname",
        "a domains",
        "lowfi",
        "content type",
        "record value",
        "suite",
        "showing",
        "asnone united",
        "as29873",
        "ipv4",
        "pulse submit",
        "url analysis",
        "files",
        "pe32 executable",
        "potential scan",
        "0pgtwhu",
        "t1045",
        "port",
        "infection",
        "recon",
        "malware",
        "june",
        "delphi",
        "taobao network",
        "as45102 alibaba",
        "as4812 china",
        "next",
        "expiration date",
        "name servers",
        "dynamicloader",
        "dynamic",
        "sha256",
        "dynamic link",
        "library exe",
        "adobe",
        "incorporated",
        "read",
        "yara rule",
        "delete",
        "binary file",
        "push",
        "malicious",
        "july",
        "iocs",
        "levelbluelabs",
        "jeff4son",
        "adversaries",
        "registry run",
        "flow t1574",
        "dll sideloading",
        "boot",
        "logon autostart",
        "execution t1547",
        "keys",
        "startup folder",
        "t1497 may",
        "encryption",
        "catalog tree",
        "analysis ob0001",
        "virtual machine",
        "detection b0009",
        "check registry",
        "analysis ob0002",
        "executable code",
        "stack strings",
        "control ob0004",
        "get http",
        "http requests",
        "dns resolutions",
        "ip traffic",
        "pattern domains",
        "memory pattern",
        "urls http",
        "request",
        "response",
        "connection",
        "trojan",
        "otx scoreblue",
        "windows",
        "embeddedwb",
        "medium",
        "shellexecuteexw",
        "msie",
        "windows nt",
        "displayname",
        "tofsee",
        "hashes",
        "vhash",
        "authentihash",
        "ssdeep",
        "win32 exe",
        "magic pe32",
        "trid win32",
        "library",
        "read c",
        "file guard",
        "rtversion",
        "langchinese",
        "legalcopyright",
        "reserved",
        "ransom",
        "moved",
        "media",
        "ascii text",
        "default",
        "upack",
        "mike",
        "contacted",
        "x87xe1x1d",
        "regsetvalueexa",
        "x95xd3xa4",
        "regbinary",
        "x84xa8xe8i",
        "x8dxb7xb7",
        "hx88x9ax1e",
        "mx81xd1r",
        "x92xac",
        "xc2x84",
        "stream",
        "swipper",
        "pdfcreator.sf.net",
        "botnet",
        "black mercedes",
        "please forgive me",
        "therahand thouroughhand"
      ],
      "references": [
        "Project Endgame - pegausintel.com - Unsure if related to NSO Group",
        "Antivirus Detections: ALF:HeraklezEval:Rogue:Win32/FakeRean",
        "Yara Detections: compromised_site_redirector_fromcharcode ,  Cabinet_Archive ,  SFX_CAB",
        "Alerts: infostealer_cookies persistence_autorun recon_programs recon_fingerprint removes_zoneid_ads anomalous_deletefile",
        "P\u2019s Contacted:  93.184.221.240  3.33.130.190 |  Domains Contacted: counterslocal.com",
        "compromised_site_redirector_fromcharcode fromCharCode",
        "Interesting Strings: http://www.interoperabilitybridges.com/wmp http://crbug.com/40902 http://crbug.com/516527",
        "Interesting Strings: http://service.real.com/realplayer/security/02062012_player/en/",
        "Interesting Strings: https://support.google.com/chrome/?p=plugin_pdf",
        "https://support.google.com/chrome/?p=plugin_quicktime https://chrome.google.com/",
        "Interesting Strings: http://schema.org/GovernmentOrganization https://support.google.com/chrome/?p=plugin_java https://crbug.com/593166",
        "Pdf.Phishing.TtraffRobotInstall-7605656-0 00004feb58be42ba1bd506ea89f90c5e1d83e6e1fb84841931949a454b0bb539",
        "Antivirus Detections Cryp_Xed-12 ,  Mal/Generic-S ,  Packed/Upack Yara Detections Upackv039finalDwing ,  UpackV037Dwing",
        "https://pin.it/ | https://www.anyxxxtube.net/search-porn/tsara-brashears/",
        "https://www.anyxxxtube.net/search-porn/tsara-brashears/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Worm:Win32/Macoute.A",
          "display_name": "Worm:Win32/Macoute.A",
          "target": "/malware/Worm:Win32/Macoute.A"
        },
        {
          "id": "TrojanDownloader:Win32/Nemucod",
          "display_name": "TrojanDownloader:Win32/Nemucod",
          "target": "/malware/TrojanDownloader:Win32/Nemucod"
        },
        {
          "id": "TrojanSpy:Win32/Nivdort",
          "display_name": "TrojanSpy:Win32/Nivdort",
          "target": "/malware/TrojanSpy:Win32/Nivdort"
        },
        {
          "id": "ALF:HeraklezEval:Rogue:Win32/FakeRean",
          "display_name": "ALF:HeraklezEval:Rogue:Win32/FakeRean",
          "target": null
        },
        {
          "id": "Worm:Win32/Fesber.A",
          "display_name": "Worm:Win32/Fesber.A",
          "target": "/malware/Worm:Win32/Fesber.A"
        },
        {
          "id": "Ransom:Win32/Eniqma.A",
          "display_name": "Ransom:Win32/Eniqma.A",
          "target": "/malware/Ransom:Win32/Eniqma.A"
        },
        {
          "id": "Tofsee",
          "display_name": "Tofsee",
          "target": null
        },
        {
          "id": "UpackV037Dwing",
          "display_name": "UpackV037Dwing",
          "target": null
        },
        {
          "id": "Cryp_Xed-12",
          "display_name": "Cryp_Xed-12",
          "target": null
        },
        {
          "id": "Mal/Generic-S",
          "display_name": "Mal/Generic-S",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1031",
          "name": "Modify Existing Service",
          "display_name": "T1031 - Modify Existing Service"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1089",
          "name": "Disabling Security Tools",
          "display_name": "T1089 - Disabling Security Tools"
        },
        {
          "id": "T1112",
          "name": "Modify Registry",
          "display_name": "T1112 - Modify Registry"
        },
        {
          "id": "T1119",
          "name": "Automated Collection",
          "display_name": "T1119 - Automated Collection"
        },
        {
          "id": "T1045",
          "name": "Software Packing",
          "display_name": "T1045 - Software Packing"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1096",
          "name": "NTFS File Attributes",
          "display_name": "T1096 - NTFS File Attributes"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 29,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 1,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "scoreblue",
        "id": "254100",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 1493,
        "FileHash-SHA1": 1393,
        "FileHash-SHA256": 5881,
        "URL": 1495,
        "domain": 1947,
        "hostname": 1360,
        "email": 18,
        "CVE": 1
      },
      "indicator_count": 13588,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 229,
      "modified_text": "548 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "66e00320d65236e032faa26a",
      "name": "Global- Injection | Phone service modification campaign - Cryptsoft",
      "description": "Malicious\u00bb http://www.forensickb.com/2013/03/file-entropy-explained.html | Cryptsoft | ET ,\nVirus:Win32/Sality.AT ,\nWin32:Kukacka , TrojanSpy:Win32/Nivdort.AJ , Worm:Win32/Mydoom.O!backdoor , \nWorm:Win32/Bloored , TrojanSpy:Win32/Invader.S!MSR , \nText: Mydoom spreading via SMTP 29 192.168.56.110 198.133.159.125 2018340 ET TROJAN Win32.Sality-GR Checkin 192.168.56.110 52.28.249.128 2018340 ET TROJAN Win32.Sality-GR Checkin 192.168.56.110 166.78.145.90 2016803 ET TROJAN Known Sinkhole Response Header 166.78.145.90 192.168.56.110 2018\nATT&CK | Query Registry , Modify Existing Service , Scheduled Task/Job , Process Injection , Registry Run Keys / Startup Folder , System Information Discovery , Disabling Security Tools , Modify Registry",
      "modified": "2024-10-10T08:03:36.798000",
      "created": "2024-09-10T08:28:16.120000",
      "tags": [
        "amazonaws",
        "employment scam",
        "pe resource",
        "united",
        "as15169 google",
        "aaaa",
        "unknown",
        "search",
        "as44273 host",
        "passive dns",
        "all scoreblue",
        "worm",
        "files",
        "error",
        "code",
        "emails",
        "ireland",
        "poland",
        "high",
        "yara detections",
        "virus",
        "msvisualcpp2003",
        "high process",
        "injection t1055",
        "t1055",
        "icmp traffic",
        "pe file",
        "service",
        "win32",
        "copy",
        "tools",
        "cryptsoft",
        "nxdomain",
        "a br",
        "key management",
        "meta",
        "open",
        "twitter",
        "a domains",
        "cryptsoft src",
        "meet cryptsoft",
        "products a",
        "authority",
        "record value",
        "contact",
        "metro",
        "log id",
        "gmtn",
        "go daddy",
        "tls web",
        "arizona",
        "scottsdale",
        "ca issuers",
        "false",
        "windows nt",
        "msie",
        "read c",
        "ms windows",
        "intel",
        "et trojan",
        "pe32",
        "zip archive",
        "write",
        "possible",
        "malware",
        "beethoven",
        "et",
        "body",
        "scan endpoints",
        "category",
        "file samples",
        "files matching",
        "date hash",
        "phishing",
        "show",
        "t1045",
        "nrv2x",
        "lzma",
        "laszlo molnar",
        "john reiser",
        "antivirus",
        "xp sp2",
        "sp2 working",
        "alerts",
        "contacted",
        "0pgtwhu",
        "filehash",
        "february",
        "crack.zip",
        "as396982 google",
        "urls",
        "domain",
        "hostname",
        "next",
        "belgium unknown",
        "status",
        "name servers",
        "creation date",
        "date",
        "servers",
        "entries",
        "trojan",
        "ipv4",
        "pulse pulses",
        "ransom",
        "gandcrab",
        "active",
        "parking crews"
      ],
      "references": [
        "Researched: http://www.forensickb.com/2013/03/file-entropy-explained.html",
        "https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://www.forensickb.com/2013/03/file-entropy-explained.html",
        "www.crackedmindstechnologies.com",
        "IDS Detections: Tempedreve Checkin Hiloti Style GET to PHP with invalid terse MSIE headers W32/Bayrob Attempted Checkin 2",
        "Observed GandCrab Ransomware Domain (carder .bit in DNS Lookup) Worm.Mydoom Checkin",
        "IDS Detections:  User-Agent (explwer) Hiloti/Mufanom Downloader Checkin Win32/Unruy.R Checkin Ransom.Win32.Birele.gsg Checkin Observed GandCrab Ransomware Domain (ransomware .bit in DNS Lookup)",
        "IDS Detections: Worm.Mydoom Checkin User-Agent (explwer) Hiloti/Mufanom Downloader Checkin Win32/Unruy.R Checkin",
        "IDS Detections: Ransom.Win32.Birele.gsg Checkin Observed GandCrab Ransomware Domain (ransomware .bit in DNS Lookup)",
        "relay.cryptsoft.com | smtp.cryptsoft.com\t| ghs.google.com"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America",
        "Romania",
        "Netherlands",
        "Poland",
        "Belgium",
        "Germany",
        "Spain",
        "Italy",
        "Czechia",
        "Austria",
        "Bulgaria",
        "Canada",
        "United Arab Emirates"
      ],
      "malware_families": [
        {
          "id": "Virus:Win32/Sality.AT",
          "display_name": "Virus:Win32/Sality.AT",
          "target": "/malware/Virus:Win32/Sality.AT"
        },
        {
          "id": "Win32:Kukacka",
          "display_name": "Win32:Kukacka",
          "target": null
        },
        {
          "id": "ET",
          "display_name": "ET",
          "target": null
        },
        {
          "id": "Worm:Win32/Mydoom.O!backdoor",
          "display_name": "Worm:Win32/Mydoom.O!backdoor",
          "target": "/malware/Worm:Win32/Mydoom.O!backdoor"
        },
        {
          "id": "Worm:Win32/Bloored.E",
          "display_name": "Worm:Win32/Bloored.E",
          "target": "/malware/Worm:Win32/Bloored.E"
        },
        {
          "id": "GandCrab",
          "display_name": "GandCrab",
          "target": null
        },
        {
          "id": "TrojanSpy:Win32/Nivdort.AJ",
          "display_name": "TrojanSpy:Win32/Nivdort.AJ",
          "target": "/malware/TrojanSpy:Win32/Nivdort.AJ"
        },
        {
          "id": "TrojanSpy:Win32/Invader.S!MSR",
          "display_name": "TrojanSpy:Win32/Invader.S!MSR",
          "target": "/malware/TrojanSpy:Win32/Invader.S!MSR"
        }
      ],
      "attack_ids": [
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1031",
          "name": "Modify Existing Service",
          "display_name": "T1031 - Modify Existing Service"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1089",
          "name": "Disabling Security Tools",
          "display_name": "T1089 - Disabling Security Tools"
        },
        {
          "id": "T1112",
          "name": "Modify Registry",
          "display_name": "T1112 - Modify Registry"
        },
        {
          "id": "T1045",
          "name": "Software Packing",
          "display_name": "T1045 - Software Packing"
        },
        {
          "id": "T1063",
          "name": "Security Software Discovery",
          "display_name": "T1063 - Security Software Discovery"
        }
      ],
      "industries": [
        "Telecommunications"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 10,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "scoreblue",
        "id": "254100",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 220,
        "FileHash-MD5": 626,
        "FileHash-SHA1": 539,
        "FileHash-SHA256": 1335,
        "domain": 501,
        "hostname": 617,
        "email": 4,
        "SSLCertFingerprint": 2
      },
      "indicator_count": 3844,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 227,
      "modified_text": "557 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "66d95bd10bfcc8c3dd66a44d",
      "name": "Qbot ",
      "description": "",
      "modified": "2024-09-05T09:51:10.113000",
      "created": "2024-09-05T07:20:49.138000",
      "tags": [
        "whois record",
        "ssl certificate",
        "historical ssl",
        "resolutions",
        "referrer",
        "communicating",
        "subdomains",
        "domains",
        "problems",
        "urls http",
        "ransomware",
        "malware",
        "contacted",
        "dropped",
        "execution",
        "tsara brashears",
        "apple ios",
        "whois whois",
        "unlocker",
        "njrat",
        "core",
        "hacktool",
        "metro",
        "download",
        "critical",
        "copy",
        "relic",
        "monitoring",
        "installer",
        "awful",
        "open",
        "banker",
        "keylogger",
        "malicious",
        "tofsee",
        "mitre attack",
        "et",
        "cisco umbrella",
        "internet storm",
        "site",
        "covid19",
        "cyber threat",
        "safe site",
        "cobalt strike",
        "malicious url",
        "alexa",
        "script urls",
        "united",
        "a domains",
        "as396982 google",
        "as15169 google",
        "search",
        "cname",
        "accept encoding",
        "showing",
        "unknown",
        "date",
        "body",
        "meta",
        "encrypt",
        "domain related",
        "as396982",
        "creation date",
        "expiration date",
        "scan endpoints",
        "all octoseek",
        "hostname",
        "pulse submit",
        "url analysis",
        "passive dns",
        "urls",
        "next",
        "all search",
        "otx octoseek",
        "as7922 comcast",
        "as16276",
        "as54113",
        "aaaa",
        "france unknown",
        "as14061",
        "status",
        "as40509",
        "ip address",
        "for privacy",
        "as44273 host",
        "record value",
        "certificate",
        "gmt content",
        "x sucuri",
        "as8075",
        "nxdomain",
        "as30148 sucuri",
        "as20940",
        "as31898 oracle",
        "hong kong",
        "as139021",
        "msie",
        "chrome",
        "ipv4",
        "blacklist http",
        "detection list",
        "blacklist",
        "files",
        "location hong",
        "kong asn",
        "tags none",
        "indicator facts",
        "name verdict",
        "falcon sandbox",
        "mail spammer",
        "tor known",
        "tor relayrouter",
        "exit",
        "node tcp",
        "traffic",
        "heur",
        "malicious site",
        "alexa top",
        "million",
        "alexa proxy",
        "outbreak",
        "installcore",
        "acint",
        "conduit",
        "installpack",
        "iobit",
        "artemis",
        "dropper",
        "mediaget",
        "crack",
        "spammer",
        "france mail",
        "summary",
        "url summary",
        "phishing",
        "union",
        "team",
        "bank",
        "unsafe",
        "threat report",
        "ip summary",
        "pattern match",
        "script",
        "et tor",
        "known tor",
        "relayrouter",
        "node traffic",
        "misc attack",
        "beginstring",
        "null",
        "error",
        "span",
        "class",
        "generator",
        "refresh",
        "tools",
        "hybrid",
        "general",
        "click",
        "strings",
        "servers",
        "ps ord",
        "name servers",
        "poetry",
        "moved",
        "content length",
        "content type",
        "x powered",
        "poems",
        "poem",
        "topic",
        "topics",
        "poem topics",
        "free poems",
        "love poems",
        "romantic poems",
        "classic poems",
        "friendship poems",
        "shone pale",
        "herself",
        "heavens",
        "her beam",
        "a fleecy",
        "proud evening",
        "star",
        "thou bearest",
        "heaven",
        "than",
        "google",
        "http",
        "leasewebuklon11",
        "search live",
        "api blog",
        "docs pricing",
        "login",
        "february",
        "gb summary",
        "london",
        "april",
        "screenshot",
        "url https",
        "reverse dns",
        "general full",
        "name value",
        "frankfurt",
        "main",
        "germany",
        "asn15169",
        "resource",
        "hashes",
        "copyright",
        "gmbh version",
        "follow",
        "blacklist https",
        "phishing site",
        "malware site",
        "riskware",
        "opencandy",
        "cleaner",
        "iframe",
        "xtrat",
        "agent",
        "softcnapp",
        "generic",
        "patcher",
        "driverpack",
        "exploit",
        "mimikatz",
        "downldr",
        "presenoker",
        "fusioncore",
        "wacatac",
        "beach research",
        "trojanspy",
        "maltiverse",
        "firehol",
        "proxy",
        "anonymizer",
        "adware",
        "kuaizip",
        "downer",
        "tag count",
        "tue apr",
        "sample",
        "samples",
        "fakealert",
        "genkryptik",
        "icedid",
        "coinminer",
        "nircmd",
        "swrort",
        "systweak",
        "behav",
        "tiggre",
        "filetour",
        "quasar rat",
        "fuery",
        "bazaloader",
        "media",
        "facebook",
        "service",
        "runescape",
        "webtoolbar",
        "a9dia",
        "a1ginaprincipal",
        "emails",
        "registrar",
        "http header",
        "tcp traffic",
        "et useragents",
        "unknown traffic",
        "antivirus",
        "server",
        "gmt united",
        "accept",
        "local",
        "path",
        "falcon",
        "file",
        "ascii text",
        "windows nt",
        "png image",
        "appdata",
        "jpeg image",
        "indicator",
        "twitter",
        "westlaw njrat",
        "zuorat",
        "skynet bot",
        "glupteba",
        "asn4583",
        "thomsonreuters",
        "asn209242",
        "june",
        "back",
        "united kingdom",
        "cisco",
        "umbrella rank",
        "rank",
        "page url",
        "as autonomous",
        "system",
        "yndx",
        "ipasns ip",
        "november",
        "de summary",
        "comodo rsa",
        "security tls",
        "software",
        "resource hash",
        "security",
        "ecdhersa",
        "de indicators",
        "de page",
        "url history",
        "javascript",
        "gts ca",
        "secure server",
        "markmonitor",
        "ip information",
        "detail domains",
        "domain tree",
        "links certs",
        "frames domain",
        "requested",
        "threat roundup",
        "march",
        "threat round",
        "parent parent",
        "roundup",
        "january",
        "threats",
        "qbot",
        "cyberwar",
        "skynet",
        "radar ineractive",
        "control server",
        "engineering",
        "host",
        "services",
        "pony",
        "nanocore rat",
        "meterpreter",
        "zeus",
        "zbot",
        "suppobox",
        "stealer",
        "redline stealer",
        "dnspionage",
        "mirai",
        "nanocore",
        "bradesco",
        "emotet",
        "laplasclipper",
        "asn16276",
        "get h2",
        "kb image",
        "august",
        "kali",
        "localappdata",
        "network traffic",
        "binary file",
        "svg scalable",
        "vector graphics",
        "mwin",
        "domain",
        "url http",
        "pulse pulses",
        "related nids",
        "files location",
        "customer",
        "address",
        "as29789",
        "hosting",
        "location united",
        "status hostname",
        "query type",
        "address first",
        "seen last",
        "seen asn",
        "country unknown",
        "urls date",
        "checked url",
        "hostname server",
        "response ip",
        "address google",
        "safe browsing",
        "present mar",
        "pulse indicator",
        "protocol h2",
        "value",
        "variables",
        "waypoint object",
        "gsqueue",
        "isotope",
        "hostnames",
        "ice fog",
        "maltiverse top",
        "financial",
        "as62597 nsone",
        "sec ch",
        "domains show",
        "entries",
        "as14720 gamma",
        "canada unknown",
        "as397241",
        "as13335",
        "applicunwnt",
        "xrat",
        "maltiverse safe",
        "aig",
        "soc",
        "hallrender",
        "brian sabey",
        "mark brian sabey",
        "sabey",
        "mark",
        "sabey",
        "data center",
        "malvertizing",
        "malware host",
        "scanning host",
        "botnetwork",
        "colorado",
        "edsaid",
        "geotracking",
        "satellite tracking",
        "radar tracking",
        "pornhub",
        "child teen content illegal",
        "social engineering",
        "cyber stalking",
        "CVE-2023-4966",
        "device control",
        "camera usage",
        "hidden users",
        "message interception",
        "text archiver",
        "mail collection",
        "remote attacks",
        "js",
        "python",
        "inject",
        "sql",
        "extraction",
        "AIG Claims",
        "hallrender.com",
        "soc",
        "milemighmedia",
        "westlaw",
        "revengeporn",
        "bot",
        "regex",
        "ai",
        "yandex"
      ],
      "references": [
        "web2.westlaw.com    (redirects to thbrzzrstr.me)",
        "http://web2.westlaw.com/ (redirect) https://signon.thomsonreuters.com/?productid=CBT&lr=0&culture=en-US&returnto=https%3a%2f%2f1.next.westlaw.com%...",
        "https://hybrid-analysis.com/sample/8bf763ce9396c4569afbae58392097fd57408339c0ac59ec256468c9fd8ac4c5/6548ebfe56b25bab28017757",
        "https://urlscan.io/result/2285cee3-1e08-4e63-b48f-ee685e008480/#summary",
        "https://hybrid-analysis.com/sample/86479bf7c9a675913b93a0d399f5cbe0c0e8003239e93ae5e00f97cdbc5ec5ba/5c5c13577ca3e12626364777",
        "https://urlscan.io/result/4f0cabbf-9716-47dd-bd5c-038a953e6672/",
        "Malware Host: HallRender.com",
        "riverside.rocks (safebae.com remote uTorrent) https://hybrid-analysis.com/sample/11108ef17bd75f36e0d22d95b1f3bde3e9fa968a78a24c2d2508f4238e22651d/6326a50be4a8a71b885f5bf3",
        "safebae.org",
        "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu    (phishing | cybercrime)",
        "Hallrender.com and Westlaw.com.= http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu",
        "Poemhunter.com + rally point.com = pornhub.dev",
        "Pornhub dev VT community: https://www.virustotal.com/gui/domain/pornhub.dev/community",
        "Poemhunter.com: https://hybrid-analysis.com/sample/86479bf7c9a675913b93a0d399f5cbe0c0e8003239e93ae5e00f97cdbc5ec5ba",
        "https://www.poemhunter.com/tsara-brashears/poems/: https://urlscan.io/result/4f0cabbf-9716-47dd-bd5c-038a953e6672/",
        "Rallypoint.com https://hybrid-analysis.com/sample/66287c2c36699037cb504201693e26b5f3282cebde1d1c78aecd6f97f04fb694",
        "Malicious revenge malvertizing: https://www.milehighmedia.com/legal/2257",
        "https://www.anyxxxtube.net/search-porn/tsara-brashears/",
        "https://matrix.pornhub.dev",
        "nr-data.net",
        "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/icons/apple-touch-icon-76x76.png",
        "https://www.hallrender.com/wp-content/themes/Hall-Render/assets/icons/apple-touch-icon.png",
        "https://apple.pantion.top/",
        "newrelic.se",
        "user-apple.info",
        "appleid-comloginaccount.info",
        "init-p01st.push.apple.com",
        "boostmobile.com",
        "www.metrobyt-mobile.com",
        "http://bpdb.portal.gov.bd:3128/sites/default/files/files/bpdb.portal.gov.bd/npfblock/2021-34bc869d2906198362a4346373ce5b94.jpg",
        "https://b.link/infringement",
        "my.mintmobile.com",
        "CVE-2023-4966",
        "http://watchhers.net/index.php",
        "https://rr2---sn-4g5ednsz.googlevideo.com/videoplayback?expire=1699319292&ei=nDlJZfb4G43E-gaYt5XoDg&ip=2001%3A1b60%3A2%3A240%3A3247%3A%3A"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Spain",
        "Netherlands",
        "Canada",
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Tsara Brashears",
          "display_name": "Tsara Brashears",
          "target": null
        },
        {
          "id": "Mitre Attack",
          "display_name": "Mitre Attack",
          "target": null
        },
        {
          "id": "ET",
          "display_name": "ET",
          "target": null
        },
        {
          "id": "Beach Research",
          "display_name": "Beach Research",
          "target": null
        },
        {
          "id": "TrojanSpy",
          "display_name": "TrojanSpy",
          "target": null
        },
        {
          "id": "Maltiverse",
          "display_name": "Maltiverse",
          "target": null
        },
        {
          "id": "WebToolbar",
          "display_name": "WebToolbar",
          "target": null
        },
        {
          "id": "Radar Ineractive",
          "display_name": "Radar Ineractive",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1043",
          "name": "Commonly Used Port",
          "display_name": "T1043 - Commonly Used Port"
        },
        {
          "id": "T1179",
          "name": "Hooking",
          "display_name": "T1179 - Hooking"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "TA0004",
          "name": "Privilege Escalation",
          "display_name": "TA0004 - Privilege Escalation"
        },
        {
          "id": "T1210",
          "name": "Exploitation of Remote Services",
          "display_name": "T1210 - Exploitation of Remote Services"
        },
        {
          "id": "T1068",
          "name": "Exploitation for Privilege Escalation",
          "display_name": "T1068 - Exploitation for Privilege Escalation"
        },
        {
          "id": "T1450",
          "name": "Exploit SS7 to Track Device Location",
          "display_name": "T1450 - Exploit SS7 to Track Device Location"
        },
        {
          "id": "T1114",
          "name": "Email Collection",
          "display_name": "T1114 - Email Collection"
        },
        {
          "id": "T1176",
          "name": "Browser Extensions",
          "display_name": "T1176 - Browser Extensions"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1423",
          "name": "Network Service Scanning",
          "display_name": "T1423 - Network Service Scanning"
        },
        {
          "id": "T1035",
          "name": "Service Execution",
          "display_name": "T1035 - Service Execution"
        },
        {
          "id": "T1563",
          "name": "Remote Service Session Hijacking",
          "display_name": "T1563 - Remote Service Session Hijacking"
        },
        {
          "id": "T1056.001",
          "name": "Keylogging",
          "display_name": "T1056.001 - Keylogging"
        },
        {
          "id": "T1110.002",
          "name": "Password Cracking",
          "display_name": "T1110.002 - Password Cracking"
        },
        {
          "id": "T1427",
          "name": "Attack PC via USB Connection",
          "display_name": "T1427 - Attack PC via USB Connection"
        },
        {
          "id": "T1445",
          "name": "Abuse of iOS Enterprise App Signing Key",
          "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key"
        },
        {
          "id": "T1453",
          "name": "Abuse Accessibility Features",
          "display_name": "T1453 - Abuse Accessibility Features"
        },
        {
          "id": "T1472",
          "name": "Generate Fraudulent Advertising Revenue",
          "display_name": "T1472 - Generate Fraudulent Advertising Revenue"
        },
        {
          "id": "T1173",
          "name": "Dynamic Data Exchange",
          "display_name": "T1173 - Dynamic Data Exchange"
        },
        {
          "id": "T1410",
          "name": "Network Traffic Capture or Redirection",
          "display_name": "T1410 - Network Traffic Capture or Redirection"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": "654971c396ca4306a6534b12",
      "export_count": 22,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "scoreblue",
        "id": "254100",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 4091,
        "hostname": 2422,
        "URL": 3167,
        "FileHash-MD5": 1424,
        "FileHash-SHA1": 983,
        "FileHash-SHA256": 3174,
        "CVE": 10,
        "email": 25
      },
      "indicator_count": 15296,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 234,
      "modified_text": "592 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "668318428080452342a0699d",
      "name": "FormBook (MaaS) - Injection",
      "description": "Gained access to the victim's (likely unprotected) device via a PowerPoint document, fully infecting the victim's business devices. \u2206 FormBook malware (AKA xLoader) is classified as a stealer (spyware) and, as its name implies, is known for its form-grabbing techniques that extract data directly from website HTML forms, as well as its ability to steal data from keystrokes, browser autofill, and the clipboard.",
      "modified": "2024-07-31T19:00:14.104000",
      "created": "2024-07-01T20:57:38.668000",
      "tags": [
        "search",
        "entries",
        "show",
        "read c",
        "showing",
        "copy",
        "high process",
        "injection t1055",
        "allocates",
        "checks",
        "write",
        "win32",
        "malware",
        "win32 exe",
        "pe32 executable",
        "ms windows",
        "intel",
        "generic cil",
        "executable",
        "mono",
        "win32 dynamic",
        "link library",
        "win16 ne",
        "assembly common",
        "clr version",
        "assembly name",
        "address",
        "assembly",
        "rva entry",
        "streams size",
        "entropy chi2",
        "guid",
        "blob",
        "rticon neutral",
        "neutral",
        "info header",
        "name md5",
        "type",
        "language",
        "contained",
        "sha256",
        "png rticon",
        "type name",
        "ip detections",
        "country",
        "contacted",
        "execution",
        "namecheap inc",
        "namesilo",
        "cosmotown",
        "cv jogjacamp",
        "hong kong",
        "juming network",
        "webcc",
        "domains",
        "android",
        "win32 dll",
        "njrat",
        "synapse",
        "stealer",
        "get http",
        "connection",
        "windows nt",
        "host",
        "sdermh request",
        "post http",
        "request",
        "origin http",
        "accept",
        "win64",
        "samplepath",
        "file execution",
        "process",
        "created",
        "shell commands",
        "c cmd",
        "f json",
        "k wersvcgroup",
        "tree",
        "windir",
        "sdermh",
        "historical ssl",
        "runtime-modules",
        "detect-debug-environment",
        "direct-cpu-clock-access",
        "crypto_obfuscator",
        "memcommit",
        "createsuspended",
        "cryptexportkey",
        "invalid pointer",
        "medium",
        "keylogger",
        "process hollowing"
      ],
      "references": [
        "Formbook \u2022 Stealer\u2022 BCBNFD.exe - FileHash-SHA256 f69e4fd7802b9947826db300268eb4a88d14a4a30e5e7617cebe17d1584f6c26",
        "https://www.virustotal.com/gui/file/f69e4fd7802b9947826db300268eb4a88d14a4a30e5e7617cebe17d1584f6c26/detection",
        "https://otx.alienvault.com/indicator/file/f69e4fd7802b9947826db300268eb4a88d14a4a30e5e7617cebe17d1584f6c26",
        "Yara Detections: ConventionEngine_Term_Users ,  ConventionEngine_Term_Documents ,  ConventionEngine_Keyword_Obfuscat ,  DotNET_Crypto_Obfuscator",
        "Alerts: injection_runpe allocates_execute_remote_process injection_modifies_memory allocates_rwx packer_entropy privilege_luid_check terminates_remote_process checks_debugger generates_crypto_key",
        "Win32:PWSX-gen\\ [Trj]: FileHash-MD5 183666b988ee12982a774e26adb30ce0",
        "Win32:PWSX-gen\\ [Trj]: FileHash-SHA1 27d6f0a6c36d3f198f41485e8d73da19d0569c9e",
        "Win32:PWSX-gen\\ [Trj]: FileHash-SHA256 f69e4fd7802b9947826db300268eb4a88d14a4a30e5e7617cebe17d1584f6c26",
        "Formbook: FileHash-MD5 ab9077915a4f2f52de634df05b681849",
        "Formbook: FileHash-SHA1 0162d8c955aaf0f9f0cd6f7365c5ba514be895c6",
        "Formbook: FileHash-SHA256 06c7385ce806a0c86049b99d727503a8e04f06989d9f4f5002cde47efc0b55b7",
        "Formbook: FileHash-MD5 3fed8c5a7c3a95c9270d18c304f19655",
        "Formbook: FileHash-SHA1 e8e453dd5fd6a37f65889b2c3b289f954bfc3c3b",
        "Formbook: FileHash-SHA256 4f5a404fc51da90adc3d3b690924263e64bfbf7c3e9918a949e10aca0f3096d1",
        "YARA Signature Match - THOR APT Scanner  RULE: SUSP_CryptoObfuscator RULE_SET: Livehunt - Suspicious8 Indicators \ud83c\udff9 \u2022 Florian Roth",
        "RULE_TYPE: THOR APT Scanner's rule set only \ud83d\udd28 RULE_LINK: https://valhalla.nextron-systems.com/info/rule/SUSP_CryptoObfuscator \u2022 Florian Roth",
        "DESCRIPTION: Detects file obfuscated with CryptoObfuscator RULE_AUTHOR: Florian Roth",
        "More information: https://www.nextron-systems.com/notes-on-virustotal-matches/",
        "CryptoObfuscator"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Win32:PWSX-gen\\ [Trj]",
          "display_name": "Win32:PWSX-gen\\ [Trj]",
          "target": null
        },
        {
          "id": "FormBook",
          "display_name": "FormBook",
          "target": null
        },
        {
          "id": "TrojanSpy:MSIL/Formbook",
          "display_name": "TrojanSpy:MSIL/Formbook",
          "target": "/malware/TrojanSpy:MSIL/Formbook"
        }
      ],
      "attack_ids": [
        {
          "id": "T1045",
          "name": "Software Packing",
          "display_name": "T1045 - Software Packing"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1056.001",
          "name": "Keylogging",
          "display_name": "T1056.001 - Keylogging"
        },
        {
          "id": "T1587.001",
          "name": "Malware",
          "display_name": "T1587.001 - Malware"
        },
        {
          "id": "TA0011",
          "name": "Command and Control",
          "display_name": "TA0011 - Command and Control"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 12,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 1,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "OctoSeek",
        "id": "243548",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 153,
        "FileHash-SHA1": 136,
        "FileHash-SHA256": 462,
        "URL": 236,
        "hostname": 66,
        "domain": 245
      },
      "indicator_count": 1298,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 221,
      "modified_text": "627 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "sqlite.org",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "sqlite.org",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1776680763.2301624
}