{
  "type": "Domain",
  "indicator": "ssh-access.target",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/ssh-access.target",
    "alexa": "http://www.alexa.com/siteinfo/ssh-access.target",
    "indicator": "ssh-access.target",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 3874305603,
      "indicator": "ssh-access.target",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 3,
      "pulses": [
        {
          "id": "6a16ac90f5b7cde86d323464",
          "name": "[\"backup ios...\"] clone by Merkd1904. User note: theres a name tagged here thats interesting",
          "description": "",
          "modified": "2026-05-27T08:34:24.654000",
          "created": "2026-05-27T08:34:24.654000",
          "tags": [
            "fireeye",
            "copyright",
            "base64",
            "dotnettojscript",
            "gadgettojscript",
            "invokeclient",
            "invokeserver",
            "readhost enter",
            "command",
            "roth",
            "nextron",
            "sandworm",
            "detects ssh",
            "grant all",
            "privileges on",
            "to mysqldb",
            "create user",
            "g root",
            "sandworm python",
            "import",
            "phpsploit",
            "host",
            "user",
            "pass",
            "error",
            "establish",
            "pecl oci8",
            "connstr",
            "charset",
            "false",
            "miner",
            "texthtml",
            "module",
            "send custom",
            "swissky",
            "class",
            "serviceip",
            "serviceport",
            "servicedata",
            "e binsh",
            "init",
            "service port",
            "detects",
            "cve202140444",
            "target",
            "targetmode",
            "jeremy brown",
            "windows cve",
            "ms office",
            "modified rule",
            "rperm",
            "wperm",
            "pathsep",
            "string",
            "rwxrxrx",
            "file types",
            "unix",
            "login",
            "autentication",
            "disable",
            "ldapconnect",
            "version",
            "authentication",
            "ldaplist",
            "null",
            "pathelems",
            "execute",
            "backdoor",
            "kingdee oa",
            "yunxingkong",
            "b6oa",
            "code execution",
            "kingdee cloud",
            "starry sky",
            "otherwise",
            "file",
            "setsmartdate",
            "fread",
            "name",
            "force",
            "base64decode",
            "data",
            "substr",
            "array",
            "readdir",
            "getowner",
            "getgroup",
            "getsize",
            "force option",
            "fwrite",
            "permission",
            "check",
            "mode",
            "diraccess",
            "fileaccess",
            "realpath",
            "stat",
            "immutable",
            "posixgetpwuid",
            "posixgetgrgid",
            "explode",
            "etcpasswd",
            "glob",
            "globonlydir",
            "oraclelogin",
            "port",
            "servicename",
            "connector",
            "base",
            "query type",
            "mssqlfetcharray",
            "mssqlassoc",
            "solsocket",
            "timeout",
            "range",
            "portmin",
            "portmax",
            "socketcreate",
            "afinet",
            "sockstream",
            "open",
            "type",
            "true",
            "tcp connection",
            "tcp shell",
            "input",
            "lhost",
            "netcat",
            "lport",
            "shell",
            "dllimport",
            "python",
            "back",
            "fore",
            "pfinet",
            "stdout",
            "this",
            "win32",
            "ldapsearch",
            "select",
            "mysqliassoc",
            "select database",
            "send",
            "newfile",
            "dns stub",
            "third party",
            "see man",
            "exit",
            "o pipefail",
            "v systemctl",
            "devnull",
            "unknown verb",
            "license",
            "gnu lesser",
            "general public",
            "free software",
            "foundation",
            "unit",
            "slice",
            "cpuweight100",
            "tasks slice",
            "cpuweight30",
            "capev2",
            "cape",
            "cuckoo web",
            "setup",
            "grep",
            "limitnofile",
            "install",
            "return",
            "execstart",
            "start",
            "descriptionrun",
            "timer",
            "oncalendardaily",
            "service",
            "prevent rate",
            "delay start",
            "m poetry",
            "sigkill",
            "descriptioncape",
            "ef usercape",
            "g cape",
            "allowisolateyes",
            "typedbus",
            "socket",
            "message bus",
            "listenstream",
            "typenotify",
            "descriptionuser",
            "harald sitter",
            "sitter",
            "kcrash",
            "drkonqi",
            "acceptyes",
            "disable trigger",
            "todo",
            "prevents",
            "path",
            "pathexistsglob",
            "runtimemaxsec31",
            "runtimemaxsec30",
            "restartno",
            "descriptionexit",
            "environmentfile",
            "otheropts",
            "soundfont",
            "descriptiongcr",
            "sshauthsock",
            "descriptionglib",
            "priority6",
            "killmodeprocess",
            "proxy",
            "socketmode0600",
            "apache software",
            "notice file",
            "apache license",
            "unless",
            "as is",
            "basis",
            "or conditions",
            "apple file",
            "conduit monitor",
            "descriptionjack",
            "jackoptions d",
            "driver d",
            "device",
            "media transfer",
            "indexer daemon",
            "memory",
            "memoryhigh512m",
            "system sockets",
            "a user",
            "conditionuser",
            "dbus menus",
            "plasma",
            "phase",
            "workspace core",
            "exit status",
            "x11 connection",
            "timeoutstopsec5",
            "disable restart",
            "timeoutsec40sec",
            "typeoneshot",
            "david edmundson",
            "davidedmundson",
            "osd service",
            "portal",
            "auto restart",
            "dbus",
            "xembed system",
            "logging system",
            "socketmode0660",
            "all containers",
            "restart policy",
            "logging start",
            "execstopbinsh c",
            "logging",
            "x11 plugins",
            "session slice",
            "typeforking",
            "etc userroot",
            "grouproot",
            "onbootsec15min",
            "place",
            "temporary",
            "volatile files",
            "thunar",
            "session manager",
            "wireplumber",
            "service file",
            "xdg autostart",
            "user dir",
            "descriptionxfce",
            "sandbox",
            "malware",
            "analysis",
            "online",
            "submit",
            "vxstream",
            "sample",
            "download",
            "trojan",
            "apt",
            "memoryfile scan",
            "ansi",
            "bpf program",
            "indicator",
            "bpf firewalling",
            "pcap",
            "pcap processing",
            "bpffallowmulti",
            "bpf device",
            "date",
            "suspicious",
            "hybrid",
            "crypto",
            "close",
            "click",
            "april",
            "strings",
            "february",
            "middle",
            "exploit",
            "gameover",
            "contact",
            "scope",
            "thomas koch",
            "gpl v2",
            "imsm",
            "ibftruledir",
            "ibftrules",
            "attr",
            "systemd rule",
            "hannes reinecke",
            "suse labs",
            "ipibft",
            "interface",
            "kernel",
            "configfile",
            "typesimple",
            "apparmor",
            "grouparchaudit",
            "hardening",
            "umask077",
            "persistenttrue",
            "enable debug",
            "networkmanager",
            "trace",
            "wait online",
            "edit",
            "note",
            "reload",
            "capdacoverride",
            "dhcp etc",
            "mdadmscan",
            "mdadmdelay",
            "mdadmmail",
            "mdadmprogram",
            "mdadmconfig",
            "mdadmsendmail",
            "p runsysconfig",
            "userroot",
            "sssd",
            "write access",
            "needed sometime",
            "statedirectory",
            "accountsservice",
            "varloglastlog",
            "bridge daemon",
            "alsa card",
            "card state",
            "required",
            "another auto",
            "nice daemon",
            "memorymax64m",
            "filter system",
            "mount",
            "reboot",
            "clock",
            "logging service",
            "requires",
            "before",
            "please",
            "exit codes",
            "proc",
            "descriptionruns",
            "execstartsh c",
            "switchtoggle",
            "ignoreonisolate",
            "term typeidle",
            "without",
            "any warranty",
            "merchantability",
            "fitness",
            "a particular",
            "vartmp",
            "wants type",
            "preparation",
            "watchdogsec10",
            "filesystem",
            "timer daemon",
            "options",
            "environment",
            "prevent",
            "readwritepaths",
            "security",
            "certain",
            "protectsystem",
            "bindpaths",
            "lower cpu",
            "nice19",
            "manager",
            "userc",
            "celerydnodes",
            "info",
            "chaddevops",
            "aaron brighton",
            "clam antivirus",
            "jon kriel",
            "distribution",
            "script",
            "sanesecurity",
            "securiteinfo",
            "malwarepatrol",
            "oitc",
            "file location",
            "remember",
            "typeexec user",
            "9 cntlm",
            "generate color",
            "profiles",
            "removeipctrue",
            "devpts",
            "authors",
            "any kind",
            "usercouchdb",
            "restartsec5",
            "volumes",
            "server socket",
            "user209",
            "daemon",
            "darkstatiface",
            "reloadconfig",
            "watchdogsec3min",
            "privatetmpyes",
            "protectproc",
            "increase",
            "descriptiontime",
            "date service",
            "debugging only",
            "ignoresigpipeno",
            "unset locale",
            "file system",
            "queue file",
            "whatmqueue",
            "optionsnosuid",
            "pf rundhclient",
            "rate",
            "requiresdirmngr",
            "capfowner",
            "capsetpcap",
            "dhcp",
            "dns server",
            "startlimit",
            "limits",
            "delegateyes",
            "descriptionpass",
            "runtimemaxsec5",
            "mountain",
            "metadata check",
            "all filesystems",
            "online metadata",
            "sunday",
            "oncalendarsun",
            "online ext4",
            "sigterm signal",
            "java process",
            "piddir",
            "standardoutput",
            "elasticsearch",
            "limitnproc4096",
            "limitasinfinity",
            "sendsighupyes",
            "mapper daemon",
            "mainpid",
            "quit",
            "listenstream79",
            "radius server",
            "d etcraddb",
            "protecthomeon",
            "default",
            "systemservice",
            "efiefi bootefi",
            "afinet afinet6",
            "afunix afinet",
            "oncalendar 0000",
            "privatetmptrue",
            "geoip legacy",
            "geoip2",
            "instance",
            "usergit",
            "scdconfig",
            "notice",
            "devinputmice t",
            "descriptiongps",
            "system",
            "sock refclock",
            "gpsdoptions",
            "devices",
            "daemon sockets",
            "2947",
            "bindipv6onlyyes",
            "usbauto",
            "usrbingpsdctl",
            "gps daemon",
            "afterdev",
            "gvmddata",
            "varlibgssproxy",
            "nonewprivileges",
            "privatetmp",
            "protecthome",
            "ieee",
            "etchostapd",
            "killmodemixed",
            "fcopy",
            "uncomment",
            "use sigterm",
            "sigkill i2pd",
            "sendsigkillyes",
            "limitnofile8192",
            "systemd",
            "analog",
            "shutting down",
            "iodineextip p",
            "iodineport p",
            "iodineuser",
            "tunip",
            "topdomain",
            "guessmainpidyes",
            "m node",
            "wants",
            "initiatorname",
            "io driver",
            "typeexec",
            "c etckcptun",
            "usernobody",
            "requireskeyboxd",
            "static device",
            "nofork",
            "restartalways",
            "linker cache",
            "hack",
            "use wants",
            "raise",
            "tasksmax",
            "tasksmax32768",
            "limitmemlock64m",
            "removeonstopyes",
            "ip socket",
            "tls ip",
            "conflictsgetty",
            "aftergetty",
            "busmodules",
            "qabr",
            "hwmonmodules",
            "local file",
            "privatenetwork",
            "lvm2",
            "initialization",
            "autoboot code",
            "s delegatetrue",
            "description",
            "pidfilerunlxc",
            "lynis service",
            "adjust path",
            "lynis binary",
            "lynis timer",
            "tell systemd",
            "lynis security",
            "persistentfalse",
            "container slice",
            "recover",
            "varcacheman",
            "regenerate man",
            "userroot nice19",
            "mysqldopts",
            "mysqldsafe",
            "timezone",
            "core",
            "restart",
            "users",
            "backlog150",
            "listenstreams",
            "servicemariadb",
            "mechanism",
            "mariadb",
            "multi instance",
            "variables",
            "bindirmdadm",
            "gnu general",
            "public license",
            "reshape",
            "onactivesec30",
            "oncalendar",
            "wantedby",
            "monitor",
            "allow mdmon",
            "takeover",
            "k none",
            "c devnull",
            "d runinitramfs",
            "p runmongodb",
            "limitnproc32000",
            "limitmemlock5",
            "device server",
            "requiredbydev",
            "d dev",
            "descriptionreal",
            "extraopts",
            "restartsec30",
            "valid",
            "fifo",
            "priority",
            "batch",
            "nice0",
            "partof",
            "tracking daemon",
            "helper",
            "for testing",
            "only",
            "restrict",
            "grant",
            "capsysptrace",
            "capkill",
            "capipclock",
            "environ",
            "capsysresource",
            "capsyslog",
            "descriptionname",
            "service cache",
            "sysvlsb",
            "descriptionhost",
            "network name",
            "group name",
            "u ntp",
            "time service",
            "t hibernate",
            "software",
            "other",
            "the software",
            "daemon init",
            "software is",
            "provided",
            "fcnvme",
            "wantsmodprobe",
            "aftermodprobe",
            "descriptionall",
            "nbft",
            "nvmeof",
            "connectargs",
            "unit file",
            "descriptionnvmf",
            "red hat",
            "without any",
            "warranty",
            "card daemon",
            "socketmode0666",
            "suite result",
            "kexec screen",
            "oncalendarsat",
            "boot screen",
            "timeoutsec20",
            "power off",
            "runtime data",
            "descriptionhold",
            "timeoutsec0",
            "sandboxing",
            "execstop",
            "colin walters",
            "upgrade",
            "upgrade output",
            "umask0077",
            "transport agent",
            "descriptionmake",
            "descriptionppp",
            "whatnfsd",
            "file formats",
            "automount point",
            "automount",
            "setuid nobody",
            "setgid nobody",
            "setcon",
            "syslog",
            "restartonabort",
            "halt screen",
            "reboot screen",
            "pgroot",
            "postgresql",
            "oom killer",
            "additional",
            "fy nice19",
            "endless os",
            "foundation llc",
            "restartsec0",
            "system quotas",
            "rabbitmq",
            "protecthometrue",
            "etcrathole",
            "guessmainpidno",
            "h etcrdnssd",
            "reflector",
            "afinet6 afunix",
            "umask177",
            "remote file",
            "nfs client",
            "nfsv23 locking",
            "make sure",
            "rpc netconfig",
            "descriptionfast",
            "using ssh",
            "so let",
            "boot",
            "realtimekit",
            "rwhodopts",
            "display manager",
            "specify",
            "interval l",
            "loginterval f",
            "bindstodev",
            "always",
            "usrbingrpck r",
            "slapdoptions",
            "u ldap",
            "slapdurls",
            "smart",
            "pciusb",
            "midi",
            "daemonopts",
            "snmp",
            "trap daemon",
            "g snort",
            "descriptionsudo",
            "hibernate",
            "svnserveargs",
            "whatfusectl",
            "whatconfigfs",
            "whatdebugfs",
            "whattracefs",
            "best way",
            "see https",
            "units service",
            "service slice",
            "offline system",
            "update",
            "wall directory",
            "timeoutsec90s",
            "descriptionmark",
            "current boot",
            "loader entry",
            "any system",
            "units",
            "loader random",
            "loader update",
            "service socket",
            "dump socket",
            "optionally",
            "root device",
            "afalg afinet",
            "execstophomectl",
            "home area",
            "named pipe",
            "sink service",
            "sink socket",
            "upload service",
            "dynamicuseryes",
            "sigkilled",
            "devlog",
            "timestampingus",
            "namespace",
            "sendbuffer8m",
            "kernel command",
            "netlink socket",
            "storage",
            "descriptionwait",
            "network",
            "make",
            "deviceallow",
            "reserve",
            "killer socket",
            "root file",
            "measurement",
            "pcr policy",
            "tpm pcr",
            "code",
            "configuration",
            "machine id",
            "barrier",
            "quota check",
            "system quota",
            "after",
            "random seed",
            "kernel file",
            "gpt partition",
            "kill switch",
            "nvmetcp",
            "trigger",
            "saturday",
            "persistentyes",
            "system update",
            "kernel time",
            "capsystime",
            "ntp service",
            "turn",
            "files",
            "device nodes",
            "srk setup",
            "device events",
            "bootshutdown",
            "change",
            "manager socket",
            "descriptiontinc",
            "proxy server",
            "linrunner",
            "descriptiontlp",
            "tor service",
            "f etctortorrc",
            "tpm device",
            "descriptionudp",
            "tcpicmpudp",
            "etcudp2raw",
            "debug",
            "swap",
            "api file",
            "privatedevices",
            "home",
            "root",
            "runuser",
            "linux control",
            "groups",
            "group",
            "afnetlink",
            "locked memory",
            "limitmemlock0",
            "usb gadget",
            "apple",
            "sliceuser",
            "descriptionuuid",
            "compatibility",
            "typerpcpipefs",
            "vmsvga",
            "hypervisor",
            "usr1",
            "mgmt appuser",
            "dac permission",
            "selinux",
            "xxx someone",
            "qemu",
            "machine tools",
            "vmware tools",
            "pidfilerunvpnc",
            "wacom",
            "iface d",
            "dspeed u",
            "iface",
            "descriptionwpa",
            "oracle",
            "reserved",
            "wong",
            "emailaddr",
            "tunnel protocol",
            "l2tp",
            "isps",
            "russia use",
            "ipsec",
            "d optxplico",
            "b sqlite",
            "descriptionxrdp",
            "xrdpoptions",
            "process",
            "sesmanoptions",
            "zpoolimportopts",
            "an o",
            "t scrub",
            "usrbinzpool",
            "zfs volume",
            "descriptionzfs",
            "f restartalways",
            "remainafterexit",
            "nmbdoptions",
            "smbdoptions",
            "successaction",
            "winbindoptions",
            "ck id",
            "hybrid analysis",
            "mitre att",
            "malicious",
            "sdshared ansi",
            "default und",
            "func global",
            "func local",
            "object local",
            "general",
            "show technique",
            "ck matrix",
            "tasksmax33",
            "empty file",
            "proxycommand",
            "checkhostip",
            "afunix",
            "afvsock",
            "allow",
            "r table",
            "chkbootcheck",
            "gplv2 source",
            "chkbootstyles",
            "etcissue",
            "partition",
            "minimizebest",
            "mit no",
            "match",
            "link",
            "namepolicykeep",
            "ethernet link",
            "kindveth nameve",
            "kindveth namevb",
            "keepmasteryes",
            "dhcpv4",
            "kindsit name6rd",
            "ipv4ll",
            "ipv6ll",
            "dhcpipv6ra",
            "dhcpv6",
            "typeether",
            "dhcpyes",
            "usetimezoneyes",
            "typewlan",
            "tuntap",
            "natdhcp",
            "kindtun namevt",
            "kind",
            "originalname",
            "definedby",
            "peer",
            "sopeergroups",
            "dbus protocol",
            "dbus name",
            "exec",
            "hup signal",
            "sighup",
            "dnssec",
            "sessionid",
            "seatid",
            "sleep",
            "leader",
            "jobresult",
            "coredumppid",
            "coredumpcomm",
            "junit",
            "na zapusk",
            "mikrasiekund",
            "enhed",
            "mikrosekunder",
            "opstart",
            "jobid",
            "a rendszer",
            "ezredmsodpercet",
            "a rendszernapl",
            "user manager",
            "smack",
            "lunit",
            "stato",
            "il processo",
            "il sistema",
            "stata",
            "le processus",
            "notez que",
            "jedinica",
            "zapamtite da",
            "nova",
            "jednostka",
            "prosz zauway",
            "zwykle wskazuje",
            "jest",
            "o processo",
            "processo",
            "isso",
            "inicializao",
            "journal",
            "sizelimit",
            "userid",
            "prozess",
            "speicherabbild",
            "hinweis auf",
            "programmfehler",
            "fehler dem",
            "die systemzeit",
            "realtime"
          ],
          "references": [
            "Hunting_B64Engine_DotNetToJScript_Dos.yar",
            "APT_Backdoor_PS1_BASICPIPESHELL_1.yar",
            "apt_sandworm_exim_expl.yar.002",
            "apt_sandworm_exim_expl.yar.001",
            "apt_sandworm_exim_expl.yar",
            "connect.php",
            "connect.php.002",
            "connect.php.001",
            "crypto-miner.js",
            "eicar",
            "eicar.001",
            "eicar.002",
            "custom.py",
            "eicar.txt",
            "expl_cve_2021_40444.yar.001",
            "expl_cve_2021_40444.yar.002",
            "getPerms.php",
            "input.pcap",
            "list.php",
            "parent.php",
            "payload.php",
            "payload.php.001",
            "kingdee-erp-rce.yaml",
            "payload.php.003",
            "payload.php.002",
            "payload.php.004",
            "payload.php.005",
            "payload.php.006",
            "payload.php.007",
            "payload.php.008",
            "payload.php.010",
            "payload.php.011",
            "payload.php.009",
            "payload.php.012",
            "payload.php.013",
            "payload.php.015",
            "payload.php.016",
            "payload.php.017",
            "reverse_tcp.py",
            "scanner.php",
            "search.php",
            "setdb.php",
            "payload.php.014",
            "setdb.php.001",
            "reader.php",
            "single.php",
            "resolv.conf",
            "systemd-update-helper",
            "90-systemd.preset",
            "60-flatpak",
            "app.slice",
            "background.slice",
            "README.md",
            "bluetooth.target",
            "basic.target",
            "borgmatic-user.timer",
            "borgmatic-user.service",
            "cape.service",
            "cape-dist.service",
            "cape-processor.service",
            "cape-rooter.service",
            "capsule@.target",
            "cape-web.service",
            "clash.service",
            "colord-session.service",
            "dbus.socket",
            "cape-fstab.service",
            "dbus.service",
            "dbus-broker.service",
            "dconf.service",
            "dirmngr.service",
            "default.target",
            "drkonqi-coredump-cleanup.service",
            "dirmngr.socket",
            "drkonqi-coredump-cleanup.timer",
            "drkonqi-coredump-launcher.socket",
            "drkonqi-sentry-postman.path",
            "drkonqi-coredump-pickup.service",
            "drkonqi-sentry-postman.service",
            "drkonqi-sentry-postman.timer",
            "drkonqi-coredump-launcher@.service",
            "dunst.service",
            "flatpak-oci-authenticator.service",
            "filter-chain.service",
            "exit.target",
            "flatpak-session-helper.service",
            "fluidsynth.service",
            "gcr-ssh-agent.socket",
            "flatpak-portal.service",
            "gcr-ssh-agent.service",
            "gnome-keyring-daemon.service",
            "glib-pacrunner.service",
            "gnome-keyring-daemon.socket",
            "gpg-agent-ssh.socket",
            "gnome-terminal-server.service",
            "gpg-agent-extra.socket",
            "gpg-agent.service",
            "gpg-agent.socket",
            "gpg-agent-browser.socket",
            "graphical-session-pre.target",
            "graphical-session.target",
            "gssuserproxy.socket",
            "guacd.service",
            "gvfs-gphoto2-volume-monitor.service",
            "gvfs-daemon.service",
            "gssuserproxy.service",
            "gvfs-afc-volume-monitor.service",
            "gvfs-metadata.service",
            "jack@.service",
            "guac-web.service",
            "gvfs-udisks2-volume-monitor.service",
            "gvfs-mtp-volume-monitor.service",
            "kde-baloo.service",
            "keyboxd.service",
            "kio-fuse.service",
            "keyboxd.socket",
            "p11-kit-server.service",
            "p11-kit-server.socket",
            "paths.target",
            "pipewire.socket",
            "pipewire-pulse.service",
            "plasma-gmenudbusmenuproxy.service",
            "pipewire-pulse.socket",
            "plasma-baloorunner.service",
            "plasma-kcminit.service",
            "plasma-dolphin.service",
            "plasma-kcminit-phase1.service",
            "plasma-core.target",
            "plasma-kded.service",
            "pipewire.service",
            "plasma-kded6.service",
            "plasma-kglobalaccel.service",
            "at-spi-dbus-bus.service",
            "plasma-krunner.service",
            "plasma-kscreen.service",
            "plasma-kscreen-osd.service",
            "plasma-ksmserver.service",
            "plasma-ksplash.service",
            "plasma-ksplash-ready.service",
            "plasma-ksystemstats.service",
            "plasma-kwallet-pam.service",
            "plasma-kwin_wayland.service",
            "plasma-kwin_x11.service",
            "plasma-plasmashell.service",
            "plasma-polkit-agent.service",
            "plasma-powerdevil.service",
            "plasma-powerprofile-osd.service",
            "plasma-restoresession.service",
            "plasma-workspace.target",
            "plasma-workspace-wayland.target",
            "plasma-workspace-x11.target",
            "plasma-xdg-desktop-portal-kde.service",
            "plasma-xembedsniproxy.service",
            "podman.service",
            "podman.socket",
            "podman-auto-update.service",
            "podman-auto-update.timer",
            "podman-kube@.service",
            "podman-restart.service",
            "printer.target",
            "pulseaudio.service",
            "pulseaudio.socket",
            "pulseaudio-x11.service",
            "session.slice",
            "shutdown.target",
            "smartcard.target",
            "sockets.target",
            "sound.target",
            "ssh-agent.service",
            "suricata.service",
            "suricata-update.service",
            "suricata-update.timer",
            "systemd-exit.service",
            "systemd-tmpfiles-clean.service",
            "systemd-tmpfiles-clean.timer",
            "systemd-tmpfiles-setup.service",
            "thunar.service",
            "timers.target",
            "tracker-xdg-portal-3.service",
            "tumblerd.service",
            "wireplumber.service",
            "wireplumber@.service",
            "xdg-desktop-autostart.target",
            "xdg-desktop-portal.service",
            "xdg-desktop-portal-gtk.service",
            "xdg-desktop-portal-hyprland.service",
            "xdg-desktop-portal-rewrite-launchers.service",
            "xdg-desktop-portal-xapp.service",
            "xdg-permission-store.service",
            "xdg-user-dirs-update.service",
            "xfce4-notifyd.service",
            "xsettingsd.service",
            "xdg-document-portal.service",
            "https://hybrid-analysis.com/sample/b1a9e5be43c028442c07071e202f44f33e3a2df167822c5cfed8f998e01fe169/661da09794b343782806018e",
            "defaults.conf",
            "apparmor.conf",
            "nvidia",
            "tlp",
            "fwupd.shutdown",
            "mdadm.shutdown",
            "99-default.preset",
            "50-zfs.preset",
            "ibft-rule-generator",
            "10-arch",
            "60-flatpak-system-only",
            "3proxy.service",
            "apache-tika.service",
            "apparmor.service",
            "arch-audit.service",
            "arch-audit.timer",
            "NetworkManager-dispatcher.service",
            "NetworkManager-wait-online.service",
            "NetworkManager.service",
            "SUSE-mdadm_env.sh",
            "ModemManager.service",
            "3proxy.conf",
            "archlinux-keyring-wkd-sync.service",
            "adsl.service",
            "accounts-daemon.service",
            "adb.service",
            "alsa-restore.service",
            "alsa-state.service",
            "archlinux-keyring-wkd-sync.timer",
            "ananicy-cpp.service",
            "arcolinux-graphical-target.service",
            "atftpd.service",
            "audit-rules.service",
            "auditd.service",
            "auth-rpcgss-module.service",
            "autorandr.service",
            "autorandr-lid-listener.service",
            "autovt@.service",
            "avahi-daemon.service",
            "avahi-daemon.socket",
            "avahi-dnsconfd.service",
            "bettercap.service",
            "betterlockscreen@.service",
            "blk-availability.service",
            "blockdev@.target",
            "bluetooth.service",
            "bmc-watchdog.service",
            "bolt.service",
            "boot-complete.target",
            "borgmatic.service",
            "borgmatic.timer",
            "bpftune.service",
            "btrfs-scrub@.service",
            "btrfs-scrub@.timer",
            "canberra-system-bootup.service",
            "canberra-system-shutdown.service",
            "canberra-system-shutdown-reboot.service",
            "capsule.slice",
            "capsule@.service",
            "celery2@.service",
            "celery@.service",
            "chkboot.service",
            "clamav-clamonacc.service",
            "clamav-daemon.service",
            "clamav-daemon.socket",
            "clamav-freshclam.service",
            "clamav-freshclam-once.service",
            "clamav-freshclam-once.timer",
            "clamav-unofficial-sigs.service",
            "clamav-unofficial-sigs.timer",
            "clash@.service",
            "cntlm.service",
            "colord.service",
            "configure-printer@.service",
            "console-getty.service",
            "container-getty@.service",
            "containerd.service",
            "couchdb.service",
            "cpupower.service",
            "create_ap.service",
            "cronie.service",
            "cryptsetup.target",
            "cryptsetup-pre.target",
            "ctrl-alt-del.target",
            "cups.path",
            "cups.service",
            "cups.socket",
            "cups-lpd.socket",
            "cups-lpd@.service",
            "cxl-monitor.service",
            "darkstat.service",
            "daxdev-reconfigure@.service",
            "dbus-org.freedesktop.hostname1.service",
            "dbus-org.freedesktop.import1.service",
            "dbus-org.freedesktop.locale1.service",
            "dbus-org.freedesktop.login1.service",
            "dbus-org.freedesktop.machine1.service",
            "dbus-org.freedesktop.portable1.service",
            "dbus-org.freedesktop.timedate1.service",
            "debug-shell.service",
            "dev-hugepages.mount",
            "dev-mqueue.mount",
            "dhclient@.service",
            "dhcpd4.service",
            "dhcpd6.service",
            "dirmngr@.service",
            "dirmngr@.socket",
            "dm-event.service",
            "dm-event.socket",
            "dmraid.service",
            "dnscrypt-proxy.service",
            "dnsmasq.service",
            "docker.service",
            "docker.socket",
            "drkonqi-coredump-processor@.service",
            "e2scrub@.service",
            "e2scrub_all.service",
            "e2scrub_all.timer",
            "e2scrub_fail@.service",
            "e2scrub_reap.service",
            "ead.service",
            "elasticsearch.service",
            "elasticsearch-keystore.service",
            "elasticsearch-keystore@.service",
            "elasticsearch@.service",
            "emergency.service",
            "emergency.target",
            "epmd.service",
            "epmd.socket",
            "exabgp.service",
            "factory-reset.target",
            "fancontrol.service",
            "fastnetmon.service",
            "final.target",
            "finger.socket",
            "finger@.service",
            "first-boot-complete.target",
            "flatpak-system-helper.service",
            "freeradius.service",
            "fsidd.service",
            "fstrim.service",
            "fstrim.timer",
            "ftpd.service",
            "fwupd.service",
            "fwupd-offline-update.service",
            "fwupd-refresh.service",
            "fwupd-refresh.timer",
            "geoclue.service",
            "geoipupdate.service",
            "geoipupdate.timer",
            "getty.target",
            "getty-pre.target",
            "getty@.service",
            "git-daemon.socket",
            "git-daemon@.service",
            "gnupg-pkcs11-scd-proxy.service",
            "gpg-agent-browser@.socket",
            "gpg-agent-extra@.socket",
            "gpg-agent-ssh@.socket",
            "gpg-agent@.service",
            "gpg-agent@.socket",
            "gpm.path",
            "gpm.service",
            "gpsd.service",
            "gpsd.socket",
            "gpsdctl@.service",
            "graphical.target",
            "greenbone-certdata-sync.service",
            "greenbone-certdata-sync.timer",
            "greenbone-feed-sync.service",
            "greenbone-feed-sync.timer",
            "greenbone-nvt-sync.service",
            "greenbone-nvt-sync.timer",
            "greenbone-scapdata-sync.service",
            "greenbone-scapdata-sync.timer",
            "gssproxy.service",
            "gvmd.service",
            "halt.target",
            "healthd.service",
            "hibernate.target",
            "hostapd.service",
            "hostapd@.service",
            "httpd.service",
            "hv_fcopy_daemon.service",
            "hv_kvp_daemon.service",
            "hv_vss_daemon.service",
            "hybrid-sleep.target",
            "i2pd.service",
            "iiod.service",
            "initrd.target",
            "initrd-cleanup.service",
            "initrd-fs.target",
            "initrd-parse-etc.service",
            "initrd-root-device.target",
            "initrd-root-fs.target",
            "initrd-switch-root.service",
            "initrd-switch-root.target",
            "initrd-udevadm-cleanup-db.service",
            "initrd-usr-fs.target",
            "integritysetup.target",
            "integritysetup-pre.target",
            "iodined.service",
            "iodined.socket",
            "ip2clued.service",
            "ip6tables.service",
            "ipmidetectd.service",
            "ipmiseld.service",
            "iptables.service",
            "iscsi.service",
            "iscsi-init.service",
            "iscsid.service",
            "iscsid.socket",
            "iscsiuio.service",
            "iscsiuio.socket",
            "isnsd.service",
            "isnsd.socket",
            "iwd.service",
            "kcptun-server@.service",
            "kcptun@.service",
            "kexec.target",
            "keyboxd@.service",
            "keyboxd@.socket",
            "kmod-static-nodes.service",
            "krb5-kadmind.service",
            "krb5-kdc.service",
            "krb5-kpropd.service",
            "krb5-kpropd.socket",
            "krb5-kpropd@.service",
            "lastlog2-import.service",
            "ldconfig.service",
            "libvirt-guests.service",
            "libvirtd.service",
            "libvirtd.socket",
            "libvirtd-admin.socket",
            "libvirtd-ro.socket",
            "libvirtd-tcp.socket",
            "libvirtd-tls.socket",
            "lightdm.service",
            "lm_sensors.service",
            "local-fs.target",
            "local-fs-pre.target",
            "logrotate.service",
            "logrotate.timer",
            "lvm2-lvmpolld.service",
            "lvm2-lvmpolld.socket",
            "lvm2-monitor.service",
            "lxc.service",
            "lxc-auto.service",
            "lxc-monitord.service",
            "lxc-net.service",
            "lxc@.service",
            "lxdm.service",
            "ly.service",
            "lynis.service",
            "lynis.timer",
            "machine.slice",
            "machines.target",
            "man-db.service",
            "man-db.timer",
            "mariadb.service",
            "mariadb.socket",
            "mariadb-extra.socket",
            "mariadb-extra@.socket",
            "mariadb@.service",
            "mariadb@.socket",
            "mdadm-grow-continue@.service",
            "mdadm-last-resort@.service",
            "mdadm-last-resort@.timer",
            "mdcheck_continue.service",
            "mdcheck_continue.timer",
            "mdcheck_start.service",
            "mdcheck_start.timer",
            "mdmon@.service",
            "mdmonitor.service",
            "mdmonitor-oneshot.service",
            "mdmonitor-oneshot.timer",
            "memavaild.service",
            "mkinitcpio-generate-shutdown-ramfs.service",
            "modprobe@.service",
            "mongodb.service",
            "multi-user.target",
            "mysql.service",
            "mysqld.service",
            "named.service",
            "nbd.service",
            "nbd@.service",
            "ndctl-monitor.service",
            "neo4j.service",
            "netavark-dhcp-proxy.service",
            "netavark-dhcp-proxy.socket",
            "netdata.service",
            "network.target",
            "network-online.target",
            "network-pre.target",
            "nfs-blkmap.service",
            "nfs-client.target",
            "nfs-idmapd.service",
            "nfs-mountd.service",
            "nfs-server.service",
            "nfs-utils.service",
            "nfsdcld.service",
            "nfsv4-exportd.service",
            "nfsv4-server.service",
            "nftables.service",
            "nm-priv-helper.service",
            "nmb.service",
            "nohang.service",
            "nohang-desktop.service",
            "nscd.service",
            "nss-lookup.target",
            "nss-user-lookup.target",
            "ntpd.service",
            "ntpdate.service",
            "nvidia-hibernate.service",
            "nvidia-persistenced.service",
            "nvidia-powerd.service",
            "nvidia-resume.service",
            "nvidia-suspend.service",
            "nvmefc-boot-connections.service",
            "nvmf-autoconnect.service",
            "nvmf-connect.target",
            "nvmf-connect-nbft.service",
            "nvmf-connect@.service",
            "pacrunner.service",
            "ostree-boot-complete.service",
            "pacman-filesdb-refresh.timer",
            "pcscd.service",
            "passim.service",
            "pcscd.socket",
            "packagekit-offline-update.service",
            "phoronix-result-server.service",
            "paccache.timer",
            "plymouth-kexec.service",
            "pamac-cleancache.timer",
            "plymouth-quit.service",
            "partimaged.service",
            "plymouth-poweroff.service",
            "plymouth-read-write.service",
            "plymouth-quit-wait.service",
            "paccache.service",
            "plymouth-switch-root-initramfs.service",
            "ostree-remount.service",
            "plymouth-switch-root.service",
            "openvpn-client@.service",
            "podman-clean-transient.service",
            "pamac-offline-upgrade.service",
            "polkit.service",
            "postfix.service",
            "pam_namespace.service",
            "poweroff.target",
            "ppp@.service",
            "opensnitchd.service",
            "proc-fs-nfsd.mount",
            "proc-sys-fs-binfmt_misc.automount",
            "proc-sys-fs-binfmt_misc.mount",
            "phoromatic-server.service",
            "ptunnel.service",
            "openvpn-server@.service",
            "plymouth-halt.service",
            "pamac-cleancache.service",
            "plymouth-reboot.service",
            "ostree-state-overlay@.service",
            "ostree-finalize-staged.service",
            "postgresql.service",
            "phoromatic-client.service",
            "pamac-daemon.service",
            "pacman-filesdb-refresh.service",
            "packagekit.service",
            "pkgfile-update.service",
            "pkgfile-update.timer",
            "plymouth-start.service",
            "ostree-prepare-root.service",
            "ostree-finalize-staged.path",
            "privoxy.service",
            "ostree-finalize-staged-hold.service",
            "qemu-guest-agent.service",
            "quotaon.service",
            "quotaon-root.service",
            "quotaon@.service",
            "rabbitmq.service",
            "ras-mc-ctl.service",
            "rasdaemon.service",
            "rathole@.service",
            "ratholec@.service",
            "ratholes@.service",
            "rc-local.service",
            "rdnssd@.service",
            "reboot.target",
            "redis.service",
            "redis-sentinel.service",
            "reflector.service",
            "reflector.timer",
            "remote-cryptsetup.target",
            "remote-fs.target",
            "remote-fs-pre.target",
            "remote-veritysetup.target",
            "rescue.service",
            "rescue.target",
            "rfkill-block@.service",
            "rfkill-unblock@.service",
            "rlogin.socket",
            "rlogin@.service",
            "rpc-gssd.service",
            "rpc-statd.service",
            "rpc-statd-notify.service",
            "rpc_pipefs.target",
            "rpcbind.service",
            "rpcbind.socket",
            "rpcbind.target",
            "rsh.socket",
            "rsh@.service",
            "rsyncd.service",
            "rsyncd.socket",
            "rsyncd@.service",
            "rtkit-daemon.service",
            "runlevel0.target",
            "runlevel1.target",
            "runlevel2.target",
            "runlevel3.target",
            "runlevel4.target",
            "runlevel5.target",
            "runlevel6.target",
            "rwhod.service",
            "samba.service",
            "sddm.service",
            "seatd.service",
            "sensord.service",
            "serial-getty@.service",
            "shadow.service",
            "shadow.timer",
            "sigpwr.target",
            "slapd.service",
            "sleep.target",
            "slices.target",
            "smartd.service",
            "smb.service",
            "sndiod.service",
            "snmpd.service",
            "snmptrapd.service",
            "snort@.service",
            "snort@1000.service",
            "soft-reboot.target",
            "ssh-access.target",
            "sshd.service",
            "sshdgenkeys.service",
            "sshuttle.service",
            "sslh.service",
            "sslh-fork.service",
            "sslh-select.service",
            "storage-target-mode.target",
            "stunnel.service",
            "sudo_logsrvd.service",
            "suspend.target",
            "suspend-then-hibernate.target",
            "svnserve.service",
            "swap.target",
            "sys-fs-fuse-connections.mount",
            "sys-kernel-config.mount",
            "sys-kernel-debug.mount",
            "sys-kernel-tracing.mount",
            "sysinit.target",
            "syslog.socket",
            "system-systemd\\x2dcryptsetup.slice",
            "system-systemd\\x2dveritysetup.slice",
            "system-update.target",
            "system-update-cleanup.service",
            "system-update-pre.target",
            "systemd-ask-password-console.path",
            "systemd-ask-password-console.service",
            "systemd-ask-password-plymouth.path",
            "systemd-ask-password-plymouth.service",
            "systemd-ask-password-wall.path",
            "systemd-ask-password-wall.service",
            "systemd-backlight@.service",
            "systemd-battery-check.service",
            "systemd-binfmt.service",
            "systemd-bless-boot.service",
            "systemd-boot-check-no-failures.service",
            "systemd-boot-random-seed.service",
            "systemd-boot-update.service",
            "systemd-bootctl.socket",
            "systemd-bootctl@.service",
            "systemd-bsod.service",
            "systemd-confext.service",
            "systemd-coredump.socket",
            "systemd-coredump@.service",
            "systemd-creds.socket",
            "systemd-creds@.service",
            "systemd-firstboot.service",
            "systemd-fsck-root.service",
            "systemd-fsck@.service",
            "systemd-growfs-root.service",
            "systemd-growfs@.service",
            "systemd-halt.service",
            "systemd-hibernate.service",
            "systemd-hibernate-resume.service",
            "systemd-homed.service",
            "systemd-homed-activate.service",
            "systemd-homed-firstboot.service",
            "systemd-hostnamed.service",
            "systemd-hostnamed.socket",
            "systemd-hwdb-update.service",
            "systemd-hybrid-sleep.service",
            "systemd-importd.service",
            "systemd-initctl.service",
            "systemd-initctl.socket",
            "systemd-journal-catalog-update.service",
            "systemd-journal-flush.service",
            "systemd-journal-gatewayd.service",
            "systemd-journal-gatewayd.socket",
            "systemd-journal-remote.service",
            "systemd-journal-remote.socket",
            "systemd-journal-upload.service",
            "systemd-journald.service",
            "systemd-journald.socket",
            "systemd-journald-audit.socket",
            "systemd-journald-dev-log.socket",
            "systemd-journald-varlink@.socket",
            "systemd-journald@.service",
            "systemd-journald@.socket",
            "systemd-kexec.service",
            "systemd-localed.service",
            "systemd-logind.service",
            "systemd-machine-id-commit.service",
            "systemd-machined.service",
            "systemd-modules-load.service",
            "systemd-network-generator.service",
            "systemd-networkd.service",
            "systemd-networkd.socket",
            "systemd-networkd-persistent-storage.service",
            "systemd-networkd-wait-online.service",
            "systemd-networkd-wait-online@.service",
            "systemd-nspawn@.service",
            "systemd-oomd.service",
            "systemd-oomd.socket",
            "systemd-pcrextend.socket",
            "systemd-pcrextend@.service",
            "systemd-pcrfs-root.service",
            "systemd-pcrfs@.service",
            "systemd-pcrlock.socket",
            "systemd-pcrlock-file-system.service",
            "systemd-pcrlock-firmware-code.service",
            "systemd-pcrlock-firmware-config.service",
            "systemd-pcrlock-machine-id.service",
            "systemd-pcrlock-make-policy.service",
            "systemd-pcrlock-secureboot-authority.service",
            "systemd-pcrlock-secureboot-policy.service",
            "systemd-pcrlock@.service",
            "systemd-pcrmachine.service",
            "systemd-pcrphase.service",
            "systemd-pcrphase-initrd.service",
            "systemd-pcrphase-sysinit.service",
            "systemd-portabled.service",
            "systemd-poweroff.service",
            "systemd-pstore.service",
            "systemd-quotacheck.service",
            "systemd-quotacheck-root.service",
            "systemd-quotacheck@.service",
            "systemd-random-seed.service",
            "systemd-reboot.service",
            "systemd-remount-fs.service",
            "systemd-repart.service",
            "systemd-resolved.service",
            "systemd-rfkill.service",
            "systemd-rfkill.socket",
            "systemd-soft-reboot.service",
            "systemd-storagetm.service",
            "systemd-suspend.service",
            "systemd-suspend-then-hibernate.service",
            "systemd-sysctl.service",
            "systemd-sysext.service",
            "systemd-sysext.socket",
            "systemd-sysext@.service",
            "systemd-sysupdate.service",
            "systemd-sysupdate.timer",
            "systemd-sysupdate-reboot.service",
            "systemd-sysupdate-reboot.timer",
            "systemd-sysusers.service",
            "systemd-time-wait-sync.service",
            "systemd-timedated.service",
            "systemd-timesyncd.service",
            "systemd-tmpfiles-setup-dev.service",
            "systemd-tmpfiles-setup-dev-early.service",
            "systemd-tpm2-setup.service",
            "systemd-tpm2-setup-early.service",
            "systemd-udev-trigger.service",
            "systemd-udevd.service",
            "systemd-udevd-control.socket",
            "systemd-udevd-kernel.socket",
            "systemd-update-done.service",
            "systemd-update-utmp.service",
            "systemd-update-utmp-runlevel.service",
            "systemd-user-sessions.service",
            "systemd-userdbd.service",
            "systemd-userdbd.socket",
            "systemd-vconsole-setup.service",
            "systemd-vmspawn@.service",
            "systemd-volatile-root.service",
            "systemd-zram-setup@.service",
            "talk.service",
            "talk.socket",
            "teamd@.service",
            "telnet.socket",
            "telnet@.service",
            "time-set.target",
            "time-sync.target",
            "tinc.service",
            "tinc@.service",
            "tinyproxy.service",
            "tlp.service",
            "tmp.mount",
            "tor.service",
            "tpm2.target",
            "udisks2.service",
            "udp2raw@.service",
            "ufw.service",
            "uksmd.service",
            "umount.target",
            "unbound.service",
            "updatedb.service",
            "updatedb.timer",
            "upower.service",
            "usb-gadget.target",
            "usb_modeswitch@.service",
            "usbipd.service",
            "usbmuxd.service",
            "user.slice",
            "user-runtime-dir@.service",
            "user@.service",
            "uuidd.service",
            "uuidd.socket",
            "var-lib-machines.mount",
            "var-lib-nfs-rpc_pipefs.mount",
            "vboxdrmclient.path",
            "vboxdrmclient.service",
            "vboxservice.service",
            "veritysetup.target",
            "veritysetup-pre.target",
            "virt-guest-shutdown.target",
            "virtchd.service",
            "virtchd.socket",
            "virtchd-admin.socket",
            "virtchd-ro.socket",
            "virtinterfaced.service",
            "virtinterfaced.socket",
            "virtinterfaced-admin.socket",
            "virtinterfaced-ro.socket",
            "virtlockd.service",
            "virtlockd.socket",
            "virtlockd-admin.socket",
            "virtlogd.service",
            "virtlogd.socket",
            "virtlogd-admin.socket",
            "virtlxcd.service",
            "virtlxcd.socket",
            "virtlxcd-admin.socket",
            "virtlxcd-ro.socket",
            "virtnetworkd.service",
            "virtnetworkd.socket",
            "virtnetworkd-admin.socket",
            "virtnetworkd-ro.socket",
            "virtnodedevd.service",
            "virtnodedevd.socket",
            "virtnodedevd-admin.socket",
            "virtnodedevd-ro.socket",
            "virtnwfilterd.service",
            "virtnwfilterd.socket",
            "virtnwfilterd-admin.socket",
            "virtnwfilterd-ro.socket",
            "virtproxyd.service",
            "virtproxyd.socket",
            "virtproxyd-admin.socket",
            "virtproxyd-ro.socket",
            "virtproxyd-tcp.socket",
            "virtproxyd-tls.socket",
            "virtqemud.service",
            "virtqemud.socket",
            "virtqemud-admin.socket",
            "virtqemud-ro.socket",
            "virtsecretd.service",
            "virtsecretd.socket",
            "virtsecretd-admin.socket",
            "virtsecretd-ro.socket",
            "virtstoraged.service",
            "virtstoraged.socket",
            "virtstoraged-admin.socket",
            "virtstoraged-ro.socket",
            "virtvboxd.service",
            "virtvboxd.socket",
            "virtvboxd-admin.socket",
            "virtvboxd-ro.socket",
            "vmtoolsd.service",
            "vmware-vmblock-fuse.service",
            "vpnc@.service",
            "wacom-inputattach@.service",
            "wg-quick.target",
            "wg-quick@.service",
            "winbind.service",
            "wondershaper.service",
            "wpa_supplicant.service",
            "wpa_supplicant-nl80211@.service",
            "wpa_supplicant-wired@.service",
            "wpa_supplicant@.service",
            "xfs_scrub@.service",
            "xfs_scrub_all.service",
            "xfs_scrub_all.timer",
            "xfs_scrub_fail@.service",
            "xl2tpd.service",
            "xplico.service",
            "xrdp.service",
            "xrdp-sesman.service",
            "yate.service",
            "zfs.target",
            "zfs-import.service",
            "zfs-import.target",
            "zfs-import-cache.service",
            "zfs-import-scan.service",
            "zfs-load-key.service",
            "zfs-mount.service",
            "zfs-scrub-monthly@.timer",
            "zfs-scrub-weekly@.timer",
            "zfs-scrub@.service",
            "zfs-share.service",
            "zfs-trim-monthly@.timer",
            "zfs-trim-weekly@.timer",
            "zfs-trim@.service",
            "zfs-volume-wait.service",
            "zfs-volumes.target",
            "zfs-zed.service",
            "plymouth.conf",
            "gpg-agent-ssh@etc-pacman.d-gnupg.socket",
            "keyboxd@etc-pacman.d-gnupg.socket",
            "dirmngr@etc-pacman.d-gnupg.socket",
            "gpg-agent-browser@etc-pacman.d-gnupg.socket",
            "gpg-agent-extra@etc-pacman.d-gnupg.socket",
            "gpg-agent@etc-pacman.d-gnupg.socket",
            "https://hybrid-analysis.com/sample/ff42428f0fcc346cc56e2b00d4b5c4bd43b55f3465b4ccab0efba9c88f4a1c03/661da0b063c895fc2d0a78dc",
            "https://hybrid-analysis.com/sample/9613dee39157b5f9935436b36647047e267b7c10fa4c7ab1fd995db681e58c12/661da5b202eaca78740cf4ed",
            "https://hybrid-analysis.com/sample/479a0170df010c5eb742ff1b8740a2ccf381df44c8a919c95d6e38685278e78a/661da5c768340c1e25092cb2",
            "50-rc_keymap.conf",
            "10-defaults.conf",
            "10-login-barrier.conf",
            "20-systemd-userdb.conf",
            "20-systemd-ssh-proxy.conf",
            "iptables-flush",
            "cpupower",
            "chkboot-bootcheck",
            "10-root.conf",
            "30-root-verity-sig.conf",
            "20-root-verity.conf",
            "80-systemd-timesync.list",
            "80-6rd-tunnel.link",
            "80-container-ve.network",
            "80-container-vb.network",
            "80-container-vz.link",
            "80-6rd-tunnel.network",
            "80-container-vz.network",
            "80-auto-link-local.network.example",
            "80-ethernet.network.example",
            "80-container-host0.network",
            "80-iwd.link",
            "80-container-vb.link",
            "80-vm-vt.link",
            "80-vm-vt.network",
            "80-wifi-adhoc.network",
            "80-wifi-ap.network.example",
            "80-wifi-station.network.example",
            "80-container-ve.link",
            "89-ethernet.network.example",
            "99-default.link",
            "dbus-broker.catalog",
            "dbus-broker-launch.catalog",
            "systemd.be.catalog",
            "systemd.be@latin.catalog",
            "systemd.da.catalog",
            "systemd.bg.catalog",
            "systemd.hu.catalog",
            "systemd.catalog",
            "systemd.it.catalog",
            "systemd.fr.catalog",
            "systemd.ko.catalog",
            "systemd.hr.catalog",
            "systemd.pl.catalog",
            "systemd.pt_BR.catalog",
            "systemd.ru.catalog",
            "systemd.sr.catalog",
            "systemd.zh_CN.catalog",
            "systemd.de.catalog",
            "systemd.zh_TW.catalog",
            "expl_cve_2021_40444.yar"
          ],
          "public": 1,
          "adversary": "Chinese Speaking",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "RemainAfterExit",
              "display_name": "RemainAfterExit",
              "target": null
            },
            {
              "id": "NMBDOPTIONS",
              "display_name": "NMBDOPTIONS",
              "target": null
            },
            {
              "id": "SMBDOPTIONS",
              "display_name": "SMBDOPTIONS",
              "target": null
            },
            {
              "id": "SuccessAction",
              "display_name": "SuccessAction",
              "target": null
            },
            {
              "id": "WINBINDOPTIONS",
              "display_name": "WINBINDOPTIONS",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1205",
              "name": "Traffic Signaling",
              "display_name": "T1205 - Traffic Signaling"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "T1569",
              "name": "System Services",
              "display_name": "T1569 - System Services"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "661db37bf549518bf6f7f377",
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 123,
            "YARA": 16,
            "CVE": 4,
            "FileHash-SHA1": 25,
            "FileHash-SHA256": 20,
            "domain": 102,
            "URL": 16,
            "email": 9,
            "hostname": 4,
            "CIDR": 2
          },
          "indicator_count": 321,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "3 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6a16ac89787e428fe0f7b045",
          "name": "[\"backup ios...\"] clone by Merkd1904. User note: theres a name tagged here thats interesting",
          "description": "",
          "modified": "2026-05-27T08:34:17.204000",
          "created": "2026-05-27T08:34:17.204000",
          "tags": [
            "fireeye",
            "copyright",
            "base64",
            "dotnettojscript",
            "gadgettojscript",
            "invokeclient",
            "invokeserver",
            "readhost enter",
            "command",
            "roth",
            "nextron",
            "sandworm",
            "detects ssh",
            "grant all",
            "privileges on",
            "to mysqldb",
            "create user",
            "g root",
            "sandworm python",
            "import",
            "phpsploit",
            "host",
            "user",
            "pass",
            "error",
            "establish",
            "pecl oci8",
            "connstr",
            "charset",
            "false",
            "miner",
            "texthtml",
            "module",
            "send custom",
            "swissky",
            "class",
            "serviceip",
            "serviceport",
            "servicedata",
            "e binsh",
            "init",
            "service port",
            "detects",
            "cve202140444",
            "target",
            "targetmode",
            "jeremy brown",
            "windows cve",
            "ms office",
            "modified rule",
            "rperm",
            "wperm",
            "pathsep",
            "string",
            "rwxrxrx",
            "file types",
            "unix",
            "login",
            "autentication",
            "disable",
            "ldapconnect",
            "version",
            "authentication",
            "ldaplist",
            "null",
            "pathelems",
            "execute",
            "backdoor",
            "kingdee oa",
            "yunxingkong",
            "b6oa",
            "code execution",
            "kingdee cloud",
            "starry sky",
            "otherwise",
            "file",
            "setsmartdate",
            "fread",
            "name",
            "force",
            "base64decode",
            "data",
            "substr",
            "array",
            "readdir",
            "getowner",
            "getgroup",
            "getsize",
            "force option",
            "fwrite",
            "permission",
            "check",
            "mode",
            "diraccess",
            "fileaccess",
            "realpath",
            "stat",
            "immutable",
            "posixgetpwuid",
            "posixgetgrgid",
            "explode",
            "etcpasswd",
            "glob",
            "globonlydir",
            "oraclelogin",
            "port",
            "servicename",
            "connector",
            "base",
            "query type",
            "mssqlfetcharray",
            "mssqlassoc",
            "solsocket",
            "timeout",
            "range",
            "portmin",
            "portmax",
            "socketcreate",
            "afinet",
            "sockstream",
            "open",
            "type",
            "true",
            "tcp connection",
            "tcp shell",
            "input",
            "lhost",
            "netcat",
            "lport",
            "shell",
            "dllimport",
            "python",
            "back",
            "fore",
            "pfinet",
            "stdout",
            "this",
            "win32",
            "ldapsearch",
            "select",
            "mysqliassoc",
            "select database",
            "send",
            "newfile",
            "dns stub",
            "third party",
            "see man",
            "exit",
            "o pipefail",
            "v systemctl",
            "devnull",
            "unknown verb",
            "license",
            "gnu lesser",
            "general public",
            "free software",
            "foundation",
            "unit",
            "slice",
            "cpuweight100",
            "tasks slice",
            "cpuweight30",
            "capev2",
            "cape",
            "cuckoo web",
            "setup",
            "grep",
            "limitnofile",
            "install",
            "return",
            "execstart",
            "start",
            "descriptionrun",
            "timer",
            "oncalendardaily",
            "service",
            "prevent rate",
            "delay start",
            "m poetry",
            "sigkill",
            "descriptioncape",
            "ef usercape",
            "g cape",
            "allowisolateyes",
            "typedbus",
            "socket",
            "message bus",
            "listenstream",
            "typenotify",
            "descriptionuser",
            "harald sitter",
            "sitter",
            "kcrash",
            "drkonqi",
            "acceptyes",
            "disable trigger",
            "todo",
            "prevents",
            "path",
            "pathexistsglob",
            "runtimemaxsec31",
            "runtimemaxsec30",
            "restartno",
            "descriptionexit",
            "environmentfile",
            "otheropts",
            "soundfont",
            "descriptiongcr",
            "sshauthsock",
            "descriptionglib",
            "priority6",
            "killmodeprocess",
            "proxy",
            "socketmode0600",
            "apache software",
            "notice file",
            "apache license",
            "unless",
            "as is",
            "basis",
            "or conditions",
            "apple file",
            "conduit monitor",
            "descriptionjack",
            "jackoptions d",
            "driver d",
            "device",
            "media transfer",
            "indexer daemon",
            "memory",
            "memoryhigh512m",
            "system sockets",
            "a user",
            "conditionuser",
            "dbus menus",
            "plasma",
            "phase",
            "workspace core",
            "exit status",
            "x11 connection",
            "timeoutstopsec5",
            "disable restart",
            "timeoutsec40sec",
            "typeoneshot",
            "david edmundson",
            "davidedmundson",
            "osd service",
            "portal",
            "auto restart",
            "dbus",
            "xembed system",
            "logging system",
            "socketmode0660",
            "all containers",
            "restart policy",
            "logging start",
            "execstopbinsh c",
            "logging",
            "x11 plugins",
            "session slice",
            "typeforking",
            "etc userroot",
            "grouproot",
            "onbootsec15min",
            "place",
            "temporary",
            "volatile files",
            "thunar",
            "session manager",
            "wireplumber",
            "service file",
            "xdg autostart",
            "user dir",
            "descriptionxfce",
            "sandbox",
            "malware",
            "analysis",
            "online",
            "submit",
            "vxstream",
            "sample",
            "download",
            "trojan",
            "apt",
            "memoryfile scan",
            "ansi",
            "bpf program",
            "indicator",
            "bpf firewalling",
            "pcap",
            "pcap processing",
            "bpffallowmulti",
            "bpf device",
            "date",
            "suspicious",
            "hybrid",
            "crypto",
            "close",
            "click",
            "april",
            "strings",
            "february",
            "middle",
            "exploit",
            "gameover",
            "contact",
            "scope",
            "thomas koch",
            "gpl v2",
            "imsm",
            "ibftruledir",
            "ibftrules",
            "attr",
            "systemd rule",
            "hannes reinecke",
            "suse labs",
            "ipibft",
            "interface",
            "kernel",
            "configfile",
            "typesimple",
            "apparmor",
            "grouparchaudit",
            "hardening",
            "umask077",
            "persistenttrue",
            "enable debug",
            "networkmanager",
            "trace",
            "wait online",
            "edit",
            "note",
            "reload",
            "capdacoverride",
            "dhcp etc",
            "mdadmscan",
            "mdadmdelay",
            "mdadmmail",
            "mdadmprogram",
            "mdadmconfig",
            "mdadmsendmail",
            "p runsysconfig",
            "userroot",
            "sssd",
            "write access",
            "needed sometime",
            "statedirectory",
            "accountsservice",
            "varloglastlog",
            "bridge daemon",
            "alsa card",
            "card state",
            "required",
            "another auto",
            "nice daemon",
            "memorymax64m",
            "filter system",
            "mount",
            "reboot",
            "clock",
            "logging service",
            "requires",
            "before",
            "please",
            "exit codes",
            "proc",
            "descriptionruns",
            "execstartsh c",
            "switchtoggle",
            "ignoreonisolate",
            "term typeidle",
            "without",
            "any warranty",
            "merchantability",
            "fitness",
            "a particular",
            "vartmp",
            "wants type",
            "preparation",
            "watchdogsec10",
            "filesystem",
            "timer daemon",
            "options",
            "environment",
            "prevent",
            "readwritepaths",
            "security",
            "certain",
            "protectsystem",
            "bindpaths",
            "lower cpu",
            "nice19",
            "manager",
            "userc",
            "celerydnodes",
            "info",
            "chaddevops",
            "aaron brighton",
            "clam antivirus",
            "jon kriel",
            "distribution",
            "script",
            "sanesecurity",
            "securiteinfo",
            "malwarepatrol",
            "oitc",
            "file location",
            "remember",
            "typeexec user",
            "9 cntlm",
            "generate color",
            "profiles",
            "removeipctrue",
            "devpts",
            "authors",
            "any kind",
            "usercouchdb",
            "restartsec5",
            "volumes",
            "server socket",
            "user209",
            "daemon",
            "darkstatiface",
            "reloadconfig",
            "watchdogsec3min",
            "privatetmpyes",
            "protectproc",
            "increase",
            "descriptiontime",
            "date service",
            "debugging only",
            "ignoresigpipeno",
            "unset locale",
            "file system",
            "queue file",
            "whatmqueue",
            "optionsnosuid",
            "pf rundhclient",
            "rate",
            "requiresdirmngr",
            "capfowner",
            "capsetpcap",
            "dhcp",
            "dns server",
            "startlimit",
            "limits",
            "delegateyes",
            "descriptionpass",
            "runtimemaxsec5",
            "mountain",
            "metadata check",
            "all filesystems",
            "online metadata",
            "sunday",
            "oncalendarsun",
            "online ext4",
            "sigterm signal",
            "java process",
            "piddir",
            "standardoutput",
            "elasticsearch",
            "limitnproc4096",
            "limitasinfinity",
            "sendsighupyes",
            "mapper daemon",
            "mainpid",
            "quit",
            "listenstream79",
            "radius server",
            "d etcraddb",
            "protecthomeon",
            "default",
            "systemservice",
            "efiefi bootefi",
            "afinet afinet6",
            "afunix afinet",
            "oncalendar 0000",
            "privatetmptrue",
            "geoip legacy",
            "geoip2",
            "instance",
            "usergit",
            "scdconfig",
            "notice",
            "devinputmice t",
            "descriptiongps",
            "system",
            "sock refclock",
            "gpsdoptions",
            "devices",
            "daemon sockets",
            "2947",
            "bindipv6onlyyes",
            "usbauto",
            "usrbingpsdctl",
            "gps daemon",
            "afterdev",
            "gvmddata",
            "varlibgssproxy",
            "nonewprivileges",
            "privatetmp",
            "protecthome",
            "ieee",
            "etchostapd",
            "killmodemixed",
            "fcopy",
            "uncomment",
            "use sigterm",
            "sigkill i2pd",
            "sendsigkillyes",
            "limitnofile8192",
            "systemd",
            "analog",
            "shutting down",
            "iodineextip p",
            "iodineport p",
            "iodineuser",
            "tunip",
            "topdomain",
            "guessmainpidyes",
            "m node",
            "wants",
            "initiatorname",
            "io driver",
            "typeexec",
            "c etckcptun",
            "usernobody",
            "requireskeyboxd",
            "static device",
            "nofork",
            "restartalways",
            "linker cache",
            "hack",
            "use wants",
            "raise",
            "tasksmax",
            "tasksmax32768",
            "limitmemlock64m",
            "removeonstopyes",
            "ip socket",
            "tls ip",
            "conflictsgetty",
            "aftergetty",
            "busmodules",
            "qabr",
            "hwmonmodules",
            "local file",
            "privatenetwork",
            "lvm2",
            "initialization",
            "autoboot code",
            "s delegatetrue",
            "description",
            "pidfilerunlxc",
            "lynis service",
            "adjust path",
            "lynis binary",
            "lynis timer",
            "tell systemd",
            "lynis security",
            "persistentfalse",
            "container slice",
            "recover",
            "varcacheman",
            "regenerate man",
            "userroot nice19",
            "mysqldopts",
            "mysqldsafe",
            "timezone",
            "core",
            "restart",
            "users",
            "backlog150",
            "listenstreams",
            "servicemariadb",
            "mechanism",
            "mariadb",
            "multi instance",
            "variables",
            "bindirmdadm",
            "gnu general",
            "public license",
            "reshape",
            "onactivesec30",
            "oncalendar",
            "wantedby",
            "monitor",
            "allow mdmon",
            "takeover",
            "k none",
            "c devnull",
            "d runinitramfs",
            "p runmongodb",
            "limitnproc32000",
            "limitmemlock5",
            "device server",
            "requiredbydev",
            "d dev",
            "descriptionreal",
            "extraopts",
            "restartsec30",
            "valid",
            "fifo",
            "priority",
            "batch",
            "nice0",
            "partof",
            "tracking daemon",
            "helper",
            "for testing",
            "only",
            "restrict",
            "grant",
            "capsysptrace",
            "capkill",
            "capipclock",
            "environ",
            "capsysresource",
            "capsyslog",
            "descriptionname",
            "service cache",
            "sysvlsb",
            "descriptionhost",
            "network name",
            "group name",
            "u ntp",
            "time service",
            "t hibernate",
            "software",
            "other",
            "the software",
            "daemon init",
            "software is",
            "provided",
            "fcnvme",
            "wantsmodprobe",
            "aftermodprobe",
            "descriptionall",
            "nbft",
            "nvmeof",
            "connectargs",
            "unit file",
            "descriptionnvmf",
            "red hat",
            "without any",
            "warranty",
            "card daemon",
            "socketmode0666",
            "suite result",
            "kexec screen",
            "oncalendarsat",
            "boot screen",
            "timeoutsec20",
            "power off",
            "runtime data",
            "descriptionhold",
            "timeoutsec0",
            "sandboxing",
            "execstop",
            "colin walters",
            "upgrade",
            "upgrade output",
            "umask0077",
            "transport agent",
            "descriptionmake",
            "descriptionppp",
            "whatnfsd",
            "file formats",
            "automount point",
            "automount",
            "setuid nobody",
            "setgid nobody",
            "setcon",
            "syslog",
            "restartonabort",
            "halt screen",
            "reboot screen",
            "pgroot",
            "postgresql",
            "oom killer",
            "additional",
            "fy nice19",
            "endless os",
            "foundation llc",
            "restartsec0",
            "system quotas",
            "rabbitmq",
            "protecthometrue",
            "etcrathole",
            "guessmainpidno",
            "h etcrdnssd",
            "reflector",
            "afinet6 afunix",
            "umask177",
            "remote file",
            "nfs client",
            "nfsv23 locking",
            "make sure",
            "rpc netconfig",
            "descriptionfast",
            "using ssh",
            "so let",
            "boot",
            "realtimekit",
            "rwhodopts",
            "display manager",
            "specify",
            "interval l",
            "loginterval f",
            "bindstodev",
            "always",
            "usrbingrpck r",
            "slapdoptions",
            "u ldap",
            "slapdurls",
            "smart",
            "pciusb",
            "midi",
            "daemonopts",
            "snmp",
            "trap daemon",
            "g snort",
            "descriptionsudo",
            "hibernate",
            "svnserveargs",
            "whatfusectl",
            "whatconfigfs",
            "whatdebugfs",
            "whattracefs",
            "best way",
            "see https",
            "units service",
            "service slice",
            "offline system",
            "update",
            "wall directory",
            "timeoutsec90s",
            "descriptionmark",
            "current boot",
            "loader entry",
            "any system",
            "units",
            "loader random",
            "loader update",
            "service socket",
            "dump socket",
            "optionally",
            "root device",
            "afalg afinet",
            "execstophomectl",
            "home area",
            "named pipe",
            "sink service",
            "sink socket",
            "upload service",
            "dynamicuseryes",
            "sigkilled",
            "devlog",
            "timestampingus",
            "namespace",
            "sendbuffer8m",
            "kernel command",
            "netlink socket",
            "storage",
            "descriptionwait",
            "network",
            "make",
            "deviceallow",
            "reserve",
            "killer socket",
            "root file",
            "measurement",
            "pcr policy",
            "tpm pcr",
            "code",
            "configuration",
            "machine id",
            "barrier",
            "quota check",
            "system quota",
            "after",
            "random seed",
            "kernel file",
            "gpt partition",
            "kill switch",
            "nvmetcp",
            "trigger",
            "saturday",
            "persistentyes",
            "system update",
            "kernel time",
            "capsystime",
            "ntp service",
            "turn",
            "files",
            "device nodes",
            "srk setup",
            "device events",
            "bootshutdown",
            "change",
            "manager socket",
            "descriptiontinc",
            "proxy server",
            "linrunner",
            "descriptiontlp",
            "tor service",
            "f etctortorrc",
            "tpm device",
            "descriptionudp",
            "tcpicmpudp",
            "etcudp2raw",
            "debug",
            "swap",
            "api file",
            "privatedevices",
            "home",
            "root",
            "runuser",
            "linux control",
            "groups",
            "group",
            "afnetlink",
            "locked memory",
            "limitmemlock0",
            "usb gadget",
            "apple",
            "sliceuser",
            "descriptionuuid",
            "compatibility",
            "typerpcpipefs",
            "vmsvga",
            "hypervisor",
            "usr1",
            "mgmt appuser",
            "dac permission",
            "selinux",
            "xxx someone",
            "qemu",
            "machine tools",
            "vmware tools",
            "pidfilerunvpnc",
            "wacom",
            "iface d",
            "dspeed u",
            "iface",
            "descriptionwpa",
            "oracle",
            "reserved",
            "wong",
            "emailaddr",
            "tunnel protocol",
            "l2tp",
            "isps",
            "russia use",
            "ipsec",
            "d optxplico",
            "b sqlite",
            "descriptionxrdp",
            "xrdpoptions",
            "process",
            "sesmanoptions",
            "zpoolimportopts",
            "an o",
            "t scrub",
            "usrbinzpool",
            "zfs volume",
            "descriptionzfs",
            "f restartalways",
            "remainafterexit",
            "nmbdoptions",
            "smbdoptions",
            "successaction",
            "winbindoptions",
            "ck id",
            "hybrid analysis",
            "mitre att",
            "malicious",
            "sdshared ansi",
            "default und",
            "func global",
            "func local",
            "object local",
            "general",
            "show technique",
            "ck matrix",
            "tasksmax33",
            "empty file",
            "proxycommand",
            "checkhostip",
            "afunix",
            "afvsock",
            "allow",
            "r table",
            "chkbootcheck",
            "gplv2 source",
            "chkbootstyles",
            "etcissue",
            "partition",
            "minimizebest",
            "mit no",
            "match",
            "link",
            "namepolicykeep",
            "ethernet link",
            "kindveth nameve",
            "kindveth namevb",
            "keepmasteryes",
            "dhcpv4",
            "kindsit name6rd",
            "ipv4ll",
            "ipv6ll",
            "dhcpipv6ra",
            "dhcpv6",
            "typeether",
            "dhcpyes",
            "usetimezoneyes",
            "typewlan",
            "tuntap",
            "natdhcp",
            "kindtun namevt",
            "kind",
            "originalname",
            "definedby",
            "peer",
            "sopeergroups",
            "dbus protocol",
            "dbus name",
            "exec",
            "hup signal",
            "sighup",
            "dnssec",
            "sessionid",
            "seatid",
            "sleep",
            "leader",
            "jobresult",
            "coredumppid",
            "coredumpcomm",
            "junit",
            "na zapusk",
            "mikrasiekund",
            "enhed",
            "mikrosekunder",
            "opstart",
            "jobid",
            "a rendszer",
            "ezredmsodpercet",
            "a rendszernapl",
            "user manager",
            "smack",
            "lunit",
            "stato",
            "il processo",
            "il sistema",
            "stata",
            "le processus",
            "notez que",
            "jedinica",
            "zapamtite da",
            "nova",
            "jednostka",
            "prosz zauway",
            "zwykle wskazuje",
            "jest",
            "o processo",
            "processo",
            "isso",
            "inicializao",
            "journal",
            "sizelimit",
            "userid",
            "prozess",
            "speicherabbild",
            "hinweis auf",
            "programmfehler",
            "fehler dem",
            "die systemzeit",
            "realtime"
          ],
          "references": [
            "Hunting_B64Engine_DotNetToJScript_Dos.yar",
            "APT_Backdoor_PS1_BASICPIPESHELL_1.yar",
            "apt_sandworm_exim_expl.yar.002",
            "apt_sandworm_exim_expl.yar.001",
            "apt_sandworm_exim_expl.yar",
            "connect.php",
            "connect.php.002",
            "connect.php.001",
            "crypto-miner.js",
            "eicar",
            "eicar.001",
            "eicar.002",
            "custom.py",
            "eicar.txt",
            "expl_cve_2021_40444.yar.001",
            "expl_cve_2021_40444.yar.002",
            "getPerms.php",
            "input.pcap",
            "list.php",
            "parent.php",
            "payload.php",
            "payload.php.001",
            "kingdee-erp-rce.yaml",
            "payload.php.003",
            "payload.php.002",
            "payload.php.004",
            "payload.php.005",
            "payload.php.006",
            "payload.php.007",
            "payload.php.008",
            "payload.php.010",
            "payload.php.011",
            "payload.php.009",
            "payload.php.012",
            "payload.php.013",
            "payload.php.015",
            "payload.php.016",
            "payload.php.017",
            "reverse_tcp.py",
            "scanner.php",
            "search.php",
            "setdb.php",
            "payload.php.014",
            "setdb.php.001",
            "reader.php",
            "single.php",
            "resolv.conf",
            "systemd-update-helper",
            "90-systemd.preset",
            "60-flatpak",
            "app.slice",
            "background.slice",
            "README.md",
            "bluetooth.target",
            "basic.target",
            "borgmatic-user.timer",
            "borgmatic-user.service",
            "cape.service",
            "cape-dist.service",
            "cape-processor.service",
            "cape-rooter.service",
            "capsule@.target",
            "cape-web.service",
            "clash.service",
            "colord-session.service",
            "dbus.socket",
            "cape-fstab.service",
            "dbus.service",
            "dbus-broker.service",
            "dconf.service",
            "dirmngr.service",
            "default.target",
            "drkonqi-coredump-cleanup.service",
            "dirmngr.socket",
            "drkonqi-coredump-cleanup.timer",
            "drkonqi-coredump-launcher.socket",
            "drkonqi-sentry-postman.path",
            "drkonqi-coredump-pickup.service",
            "drkonqi-sentry-postman.service",
            "drkonqi-sentry-postman.timer",
            "drkonqi-coredump-launcher@.service",
            "dunst.service",
            "flatpak-oci-authenticator.service",
            "filter-chain.service",
            "exit.target",
            "flatpak-session-helper.service",
            "fluidsynth.service",
            "gcr-ssh-agent.socket",
            "flatpak-portal.service",
            "gcr-ssh-agent.service",
            "gnome-keyring-daemon.service",
            "glib-pacrunner.service",
            "gnome-keyring-daemon.socket",
            "gpg-agent-ssh.socket",
            "gnome-terminal-server.service",
            "gpg-agent-extra.socket",
            "gpg-agent.service",
            "gpg-agent.socket",
            "gpg-agent-browser.socket",
            "graphical-session-pre.target",
            "graphical-session.target",
            "gssuserproxy.socket",
            "guacd.service",
            "gvfs-gphoto2-volume-monitor.service",
            "gvfs-daemon.service",
            "gssuserproxy.service",
            "gvfs-afc-volume-monitor.service",
            "gvfs-metadata.service",
            "jack@.service",
            "guac-web.service",
            "gvfs-udisks2-volume-monitor.service",
            "gvfs-mtp-volume-monitor.service",
            "kde-baloo.service",
            "keyboxd.service",
            "kio-fuse.service",
            "keyboxd.socket",
            "p11-kit-server.service",
            "p11-kit-server.socket",
            "paths.target",
            "pipewire.socket",
            "pipewire-pulse.service",
            "plasma-gmenudbusmenuproxy.service",
            "pipewire-pulse.socket",
            "plasma-baloorunner.service",
            "plasma-kcminit.service",
            "plasma-dolphin.service",
            "plasma-kcminit-phase1.service",
            "plasma-core.target",
            "plasma-kded.service",
            "pipewire.service",
            "plasma-kded6.service",
            "plasma-kglobalaccel.service",
            "at-spi-dbus-bus.service",
            "plasma-krunner.service",
            "plasma-kscreen.service",
            "plasma-kscreen-osd.service",
            "plasma-ksmserver.service",
            "plasma-ksplash.service",
            "plasma-ksplash-ready.service",
            "plasma-ksystemstats.service",
            "plasma-kwallet-pam.service",
            "plasma-kwin_wayland.service",
            "plasma-kwin_x11.service",
            "plasma-plasmashell.service",
            "plasma-polkit-agent.service",
            "plasma-powerdevil.service",
            "plasma-powerprofile-osd.service",
            "plasma-restoresession.service",
            "plasma-workspace.target",
            "plasma-workspace-wayland.target",
            "plasma-workspace-x11.target",
            "plasma-xdg-desktop-portal-kde.service",
            "plasma-xembedsniproxy.service",
            "podman.service",
            "podman.socket",
            "podman-auto-update.service",
            "podman-auto-update.timer",
            "podman-kube@.service",
            "podman-restart.service",
            "printer.target",
            "pulseaudio.service",
            "pulseaudio.socket",
            "pulseaudio-x11.service",
            "session.slice",
            "shutdown.target",
            "smartcard.target",
            "sockets.target",
            "sound.target",
            "ssh-agent.service",
            "suricata.service",
            "suricata-update.service",
            "suricata-update.timer",
            "systemd-exit.service",
            "systemd-tmpfiles-clean.service",
            "systemd-tmpfiles-clean.timer",
            "systemd-tmpfiles-setup.service",
            "thunar.service",
            "timers.target",
            "tracker-xdg-portal-3.service",
            "tumblerd.service",
            "wireplumber.service",
            "wireplumber@.service",
            "xdg-desktop-autostart.target",
            "xdg-desktop-portal.service",
            "xdg-desktop-portal-gtk.service",
            "xdg-desktop-portal-hyprland.service",
            "xdg-desktop-portal-rewrite-launchers.service",
            "xdg-desktop-portal-xapp.service",
            "xdg-permission-store.service",
            "xdg-user-dirs-update.service",
            "xfce4-notifyd.service",
            "xsettingsd.service",
            "xdg-document-portal.service",
            "https://hybrid-analysis.com/sample/b1a9e5be43c028442c07071e202f44f33e3a2df167822c5cfed8f998e01fe169/661da09794b343782806018e",
            "defaults.conf",
            "apparmor.conf",
            "nvidia",
            "tlp",
            "fwupd.shutdown",
            "mdadm.shutdown",
            "99-default.preset",
            "50-zfs.preset",
            "ibft-rule-generator",
            "10-arch",
            "60-flatpak-system-only",
            "3proxy.service",
            "apache-tika.service",
            "apparmor.service",
            "arch-audit.service",
            "arch-audit.timer",
            "NetworkManager-dispatcher.service",
            "NetworkManager-wait-online.service",
            "NetworkManager.service",
            "SUSE-mdadm_env.sh",
            "ModemManager.service",
            "3proxy.conf",
            "archlinux-keyring-wkd-sync.service",
            "adsl.service",
            "accounts-daemon.service",
            "adb.service",
            "alsa-restore.service",
            "alsa-state.service",
            "archlinux-keyring-wkd-sync.timer",
            "ananicy-cpp.service",
            "arcolinux-graphical-target.service",
            "atftpd.service",
            "audit-rules.service",
            "auditd.service",
            "auth-rpcgss-module.service",
            "autorandr.service",
            "autorandr-lid-listener.service",
            "autovt@.service",
            "avahi-daemon.service",
            "avahi-daemon.socket",
            "avahi-dnsconfd.service",
            "bettercap.service",
            "betterlockscreen@.service",
            "blk-availability.service",
            "blockdev@.target",
            "bluetooth.service",
            "bmc-watchdog.service",
            "bolt.service",
            "boot-complete.target",
            "borgmatic.service",
            "borgmatic.timer",
            "bpftune.service",
            "btrfs-scrub@.service",
            "btrfs-scrub@.timer",
            "canberra-system-bootup.service",
            "canberra-system-shutdown.service",
            "canberra-system-shutdown-reboot.service",
            "capsule.slice",
            "capsule@.service",
            "celery2@.service",
            "celery@.service",
            "chkboot.service",
            "clamav-clamonacc.service",
            "clamav-daemon.service",
            "clamav-daemon.socket",
            "clamav-freshclam.service",
            "clamav-freshclam-once.service",
            "clamav-freshclam-once.timer",
            "clamav-unofficial-sigs.service",
            "clamav-unofficial-sigs.timer",
            "clash@.service",
            "cntlm.service",
            "colord.service",
            "configure-printer@.service",
            "console-getty.service",
            "container-getty@.service",
            "containerd.service",
            "couchdb.service",
            "cpupower.service",
            "create_ap.service",
            "cronie.service",
            "cryptsetup.target",
            "cryptsetup-pre.target",
            "ctrl-alt-del.target",
            "cups.path",
            "cups.service",
            "cups.socket",
            "cups-lpd.socket",
            "cups-lpd@.service",
            "cxl-monitor.service",
            "darkstat.service",
            "daxdev-reconfigure@.service",
            "dbus-org.freedesktop.hostname1.service",
            "dbus-org.freedesktop.import1.service",
            "dbus-org.freedesktop.locale1.service",
            "dbus-org.freedesktop.login1.service",
            "dbus-org.freedesktop.machine1.service",
            "dbus-org.freedesktop.portable1.service",
            "dbus-org.freedesktop.timedate1.service",
            "debug-shell.service",
            "dev-hugepages.mount",
            "dev-mqueue.mount",
            "dhclient@.service",
            "dhcpd4.service",
            "dhcpd6.service",
            "dirmngr@.service",
            "dirmngr@.socket",
            "dm-event.service",
            "dm-event.socket",
            "dmraid.service",
            "dnscrypt-proxy.service",
            "dnsmasq.service",
            "docker.service",
            "docker.socket",
            "drkonqi-coredump-processor@.service",
            "e2scrub@.service",
            "e2scrub_all.service",
            "e2scrub_all.timer",
            "e2scrub_fail@.service",
            "e2scrub_reap.service",
            "ead.service",
            "elasticsearch.service",
            "elasticsearch-keystore.service",
            "elasticsearch-keystore@.service",
            "elasticsearch@.service",
            "emergency.service",
            "emergency.target",
            "epmd.service",
            "epmd.socket",
            "exabgp.service",
            "factory-reset.target",
            "fancontrol.service",
            "fastnetmon.service",
            "final.target",
            "finger.socket",
            "finger@.service",
            "first-boot-complete.target",
            "flatpak-system-helper.service",
            "freeradius.service",
            "fsidd.service",
            "fstrim.service",
            "fstrim.timer",
            "ftpd.service",
            "fwupd.service",
            "fwupd-offline-update.service",
            "fwupd-refresh.service",
            "fwupd-refresh.timer",
            "geoclue.service",
            "geoipupdate.service",
            "geoipupdate.timer",
            "getty.target",
            "getty-pre.target",
            "getty@.service",
            "git-daemon.socket",
            "git-daemon@.service",
            "gnupg-pkcs11-scd-proxy.service",
            "gpg-agent-browser@.socket",
            "gpg-agent-extra@.socket",
            "gpg-agent-ssh@.socket",
            "gpg-agent@.service",
            "gpg-agent@.socket",
            "gpm.path",
            "gpm.service",
            "gpsd.service",
            "gpsd.socket",
            "gpsdctl@.service",
            "graphical.target",
            "greenbone-certdata-sync.service",
            "greenbone-certdata-sync.timer",
            "greenbone-feed-sync.service",
            "greenbone-feed-sync.timer",
            "greenbone-nvt-sync.service",
            "greenbone-nvt-sync.timer",
            "greenbone-scapdata-sync.service",
            "greenbone-scapdata-sync.timer",
            "gssproxy.service",
            "gvmd.service",
            "halt.target",
            "healthd.service",
            "hibernate.target",
            "hostapd.service",
            "hostapd@.service",
            "httpd.service",
            "hv_fcopy_daemon.service",
            "hv_kvp_daemon.service",
            "hv_vss_daemon.service",
            "hybrid-sleep.target",
            "i2pd.service",
            "iiod.service",
            "initrd.target",
            "initrd-cleanup.service",
            "initrd-fs.target",
            "initrd-parse-etc.service",
            "initrd-root-device.target",
            "initrd-root-fs.target",
            "initrd-switch-root.service",
            "initrd-switch-root.target",
            "initrd-udevadm-cleanup-db.service",
            "initrd-usr-fs.target",
            "integritysetup.target",
            "integritysetup-pre.target",
            "iodined.service",
            "iodined.socket",
            "ip2clued.service",
            "ip6tables.service",
            "ipmidetectd.service",
            "ipmiseld.service",
            "iptables.service",
            "iscsi.service",
            "iscsi-init.service",
            "iscsid.service",
            "iscsid.socket",
            "iscsiuio.service",
            "iscsiuio.socket",
            "isnsd.service",
            "isnsd.socket",
            "iwd.service",
            "kcptun-server@.service",
            "kcptun@.service",
            "kexec.target",
            "keyboxd@.service",
            "keyboxd@.socket",
            "kmod-static-nodes.service",
            "krb5-kadmind.service",
            "krb5-kdc.service",
            "krb5-kpropd.service",
            "krb5-kpropd.socket",
            "krb5-kpropd@.service",
            "lastlog2-import.service",
            "ldconfig.service",
            "libvirt-guests.service",
            "libvirtd.service",
            "libvirtd.socket",
            "libvirtd-admin.socket",
            "libvirtd-ro.socket",
            "libvirtd-tcp.socket",
            "libvirtd-tls.socket",
            "lightdm.service",
            "lm_sensors.service",
            "local-fs.target",
            "local-fs-pre.target",
            "logrotate.service",
            "logrotate.timer",
            "lvm2-lvmpolld.service",
            "lvm2-lvmpolld.socket",
            "lvm2-monitor.service",
            "lxc.service",
            "lxc-auto.service",
            "lxc-monitord.service",
            "lxc-net.service",
            "lxc@.service",
            "lxdm.service",
            "ly.service",
            "lynis.service",
            "lynis.timer",
            "machine.slice",
            "machines.target",
            "man-db.service",
            "man-db.timer",
            "mariadb.service",
            "mariadb.socket",
            "mariadb-extra.socket",
            "mariadb-extra@.socket",
            "mariadb@.service",
            "mariadb@.socket",
            "mdadm-grow-continue@.service",
            "mdadm-last-resort@.service",
            "mdadm-last-resort@.timer",
            "mdcheck_continue.service",
            "mdcheck_continue.timer",
            "mdcheck_start.service",
            "mdcheck_start.timer",
            "mdmon@.service",
            "mdmonitor.service",
            "mdmonitor-oneshot.service",
            "mdmonitor-oneshot.timer",
            "memavaild.service",
            "mkinitcpio-generate-shutdown-ramfs.service",
            "modprobe@.service",
            "mongodb.service",
            "multi-user.target",
            "mysql.service",
            "mysqld.service",
            "named.service",
            "nbd.service",
            "nbd@.service",
            "ndctl-monitor.service",
            "neo4j.service",
            "netavark-dhcp-proxy.service",
            "netavark-dhcp-proxy.socket",
            "netdata.service",
            "network.target",
            "network-online.target",
            "network-pre.target",
            "nfs-blkmap.service",
            "nfs-client.target",
            "nfs-idmapd.service",
            "nfs-mountd.service",
            "nfs-server.service",
            "nfs-utils.service",
            "nfsdcld.service",
            "nfsv4-exportd.service",
            "nfsv4-server.service",
            "nftables.service",
            "nm-priv-helper.service",
            "nmb.service",
            "nohang.service",
            "nohang-desktop.service",
            "nscd.service",
            "nss-lookup.target",
            "nss-user-lookup.target",
            "ntpd.service",
            "ntpdate.service",
            "nvidia-hibernate.service",
            "nvidia-persistenced.service",
            "nvidia-powerd.service",
            "nvidia-resume.service",
            "nvidia-suspend.service",
            "nvmefc-boot-connections.service",
            "nvmf-autoconnect.service",
            "nvmf-connect.target",
            "nvmf-connect-nbft.service",
            "nvmf-connect@.service",
            "pacrunner.service",
            "ostree-boot-complete.service",
            "pacman-filesdb-refresh.timer",
            "pcscd.service",
            "passim.service",
            "pcscd.socket",
            "packagekit-offline-update.service",
            "phoronix-result-server.service",
            "paccache.timer",
            "plymouth-kexec.service",
            "pamac-cleancache.timer",
            "plymouth-quit.service",
            "partimaged.service",
            "plymouth-poweroff.service",
            "plymouth-read-write.service",
            "plymouth-quit-wait.service",
            "paccache.service",
            "plymouth-switch-root-initramfs.service",
            "ostree-remount.service",
            "plymouth-switch-root.service",
            "openvpn-client@.service",
            "podman-clean-transient.service",
            "pamac-offline-upgrade.service",
            "polkit.service",
            "postfix.service",
            "pam_namespace.service",
            "poweroff.target",
            "ppp@.service",
            "opensnitchd.service",
            "proc-fs-nfsd.mount",
            "proc-sys-fs-binfmt_misc.automount",
            "proc-sys-fs-binfmt_misc.mount",
            "phoromatic-server.service",
            "ptunnel.service",
            "openvpn-server@.service",
            "plymouth-halt.service",
            "pamac-cleancache.service",
            "plymouth-reboot.service",
            "ostree-state-overlay@.service",
            "ostree-finalize-staged.service",
            "postgresql.service",
            "phoromatic-client.service",
            "pamac-daemon.service",
            "pacman-filesdb-refresh.service",
            "packagekit.service",
            "pkgfile-update.service",
            "pkgfile-update.timer",
            "plymouth-start.service",
            "ostree-prepare-root.service",
            "ostree-finalize-staged.path",
            "privoxy.service",
            "ostree-finalize-staged-hold.service",
            "qemu-guest-agent.service",
            "quotaon.service",
            "quotaon-root.service",
            "quotaon@.service",
            "rabbitmq.service",
            "ras-mc-ctl.service",
            "rasdaemon.service",
            "rathole@.service",
            "ratholec@.service",
            "ratholes@.service",
            "rc-local.service",
            "rdnssd@.service",
            "reboot.target",
            "redis.service",
            "redis-sentinel.service",
            "reflector.service",
            "reflector.timer",
            "remote-cryptsetup.target",
            "remote-fs.target",
            "remote-fs-pre.target",
            "remote-veritysetup.target",
            "rescue.service",
            "rescue.target",
            "rfkill-block@.service",
            "rfkill-unblock@.service",
            "rlogin.socket",
            "rlogin@.service",
            "rpc-gssd.service",
            "rpc-statd.service",
            "rpc-statd-notify.service",
            "rpc_pipefs.target",
            "rpcbind.service",
            "rpcbind.socket",
            "rpcbind.target",
            "rsh.socket",
            "rsh@.service",
            "rsyncd.service",
            "rsyncd.socket",
            "rsyncd@.service",
            "rtkit-daemon.service",
            "runlevel0.target",
            "runlevel1.target",
            "runlevel2.target",
            "runlevel3.target",
            "runlevel4.target",
            "runlevel5.target",
            "runlevel6.target",
            "rwhod.service",
            "samba.service",
            "sddm.service",
            "seatd.service",
            "sensord.service",
            "serial-getty@.service",
            "shadow.service",
            "shadow.timer",
            "sigpwr.target",
            "slapd.service",
            "sleep.target",
            "slices.target",
            "smartd.service",
            "smb.service",
            "sndiod.service",
            "snmpd.service",
            "snmptrapd.service",
            "snort@.service",
            "snort@1000.service",
            "soft-reboot.target",
            "ssh-access.target",
            "sshd.service",
            "sshdgenkeys.service",
            "sshuttle.service",
            "sslh.service",
            "sslh-fork.service",
            "sslh-select.service",
            "storage-target-mode.target",
            "stunnel.service",
            "sudo_logsrvd.service",
            "suspend.target",
            "suspend-then-hibernate.target",
            "svnserve.service",
            "swap.target",
            "sys-fs-fuse-connections.mount",
            "sys-kernel-config.mount",
            "sys-kernel-debug.mount",
            "sys-kernel-tracing.mount",
            "sysinit.target",
            "syslog.socket",
            "system-systemd\\x2dcryptsetup.slice",
            "system-systemd\\x2dveritysetup.slice",
            "system-update.target",
            "system-update-cleanup.service",
            "system-update-pre.target",
            "systemd-ask-password-console.path",
            "systemd-ask-password-console.service",
            "systemd-ask-password-plymouth.path",
            "systemd-ask-password-plymouth.service",
            "systemd-ask-password-wall.path",
            "systemd-ask-password-wall.service",
            "systemd-backlight@.service",
            "systemd-battery-check.service",
            "systemd-binfmt.service",
            "systemd-bless-boot.service",
            "systemd-boot-check-no-failures.service",
            "systemd-boot-random-seed.service",
            "systemd-boot-update.service",
            "systemd-bootctl.socket",
            "systemd-bootctl@.service",
            "systemd-bsod.service",
            "systemd-confext.service",
            "systemd-coredump.socket",
            "systemd-coredump@.service",
            "systemd-creds.socket",
            "systemd-creds@.service",
            "systemd-firstboot.service",
            "systemd-fsck-root.service",
            "systemd-fsck@.service",
            "systemd-growfs-root.service",
            "systemd-growfs@.service",
            "systemd-halt.service",
            "systemd-hibernate.service",
            "systemd-hibernate-resume.service",
            "systemd-homed.service",
            "systemd-homed-activate.service",
            "systemd-homed-firstboot.service",
            "systemd-hostnamed.service",
            "systemd-hostnamed.socket",
            "systemd-hwdb-update.service",
            "systemd-hybrid-sleep.service",
            "systemd-importd.service",
            "systemd-initctl.service",
            "systemd-initctl.socket",
            "systemd-journal-catalog-update.service",
            "systemd-journal-flush.service",
            "systemd-journal-gatewayd.service",
            "systemd-journal-gatewayd.socket",
            "systemd-journal-remote.service",
            "systemd-journal-remote.socket",
            "systemd-journal-upload.service",
            "systemd-journald.service",
            "systemd-journald.socket",
            "systemd-journald-audit.socket",
            "systemd-journald-dev-log.socket",
            "systemd-journald-varlink@.socket",
            "systemd-journald@.service",
            "systemd-journald@.socket",
            "systemd-kexec.service",
            "systemd-localed.service",
            "systemd-logind.service",
            "systemd-machine-id-commit.service",
            "systemd-machined.service",
            "systemd-modules-load.service",
            "systemd-network-generator.service",
            "systemd-networkd.service",
            "systemd-networkd.socket",
            "systemd-networkd-persistent-storage.service",
            "systemd-networkd-wait-online.service",
            "systemd-networkd-wait-online@.service",
            "systemd-nspawn@.service",
            "systemd-oomd.service",
            "systemd-oomd.socket",
            "systemd-pcrextend.socket",
            "systemd-pcrextend@.service",
            "systemd-pcrfs-root.service",
            "systemd-pcrfs@.service",
            "systemd-pcrlock.socket",
            "systemd-pcrlock-file-system.service",
            "systemd-pcrlock-firmware-code.service",
            "systemd-pcrlock-firmware-config.service",
            "systemd-pcrlock-machine-id.service",
            "systemd-pcrlock-make-policy.service",
            "systemd-pcrlock-secureboot-authority.service",
            "systemd-pcrlock-secureboot-policy.service",
            "systemd-pcrlock@.service",
            "systemd-pcrmachine.service",
            "systemd-pcrphase.service",
            "systemd-pcrphase-initrd.service",
            "systemd-pcrphase-sysinit.service",
            "systemd-portabled.service",
            "systemd-poweroff.service",
            "systemd-pstore.service",
            "systemd-quotacheck.service",
            "systemd-quotacheck-root.service",
            "systemd-quotacheck@.service",
            "systemd-random-seed.service",
            "systemd-reboot.service",
            "systemd-remount-fs.service",
            "systemd-repart.service",
            "systemd-resolved.service",
            "systemd-rfkill.service",
            "systemd-rfkill.socket",
            "systemd-soft-reboot.service",
            "systemd-storagetm.service",
            "systemd-suspend.service",
            "systemd-suspend-then-hibernate.service",
            "systemd-sysctl.service",
            "systemd-sysext.service",
            "systemd-sysext.socket",
            "systemd-sysext@.service",
            "systemd-sysupdate.service",
            "systemd-sysupdate.timer",
            "systemd-sysupdate-reboot.service",
            "systemd-sysupdate-reboot.timer",
            "systemd-sysusers.service",
            "systemd-time-wait-sync.service",
            "systemd-timedated.service",
            "systemd-timesyncd.service",
            "systemd-tmpfiles-setup-dev.service",
            "systemd-tmpfiles-setup-dev-early.service",
            "systemd-tpm2-setup.service",
            "systemd-tpm2-setup-early.service",
            "systemd-udev-trigger.service",
            "systemd-udevd.service",
            "systemd-udevd-control.socket",
            "systemd-udevd-kernel.socket",
            "systemd-update-done.service",
            "systemd-update-utmp.service",
            "systemd-update-utmp-runlevel.service",
            "systemd-user-sessions.service",
            "systemd-userdbd.service",
            "systemd-userdbd.socket",
            "systemd-vconsole-setup.service",
            "systemd-vmspawn@.service",
            "systemd-volatile-root.service",
            "systemd-zram-setup@.service",
            "talk.service",
            "talk.socket",
            "teamd@.service",
            "telnet.socket",
            "telnet@.service",
            "time-set.target",
            "time-sync.target",
            "tinc.service",
            "tinc@.service",
            "tinyproxy.service",
            "tlp.service",
            "tmp.mount",
            "tor.service",
            "tpm2.target",
            "udisks2.service",
            "udp2raw@.service",
            "ufw.service",
            "uksmd.service",
            "umount.target",
            "unbound.service",
            "updatedb.service",
            "updatedb.timer",
            "upower.service",
            "usb-gadget.target",
            "usb_modeswitch@.service",
            "usbipd.service",
            "usbmuxd.service",
            "user.slice",
            "user-runtime-dir@.service",
            "user@.service",
            "uuidd.service",
            "uuidd.socket",
            "var-lib-machines.mount",
            "var-lib-nfs-rpc_pipefs.mount",
            "vboxdrmclient.path",
            "vboxdrmclient.service",
            "vboxservice.service",
            "veritysetup.target",
            "veritysetup-pre.target",
            "virt-guest-shutdown.target",
            "virtchd.service",
            "virtchd.socket",
            "virtchd-admin.socket",
            "virtchd-ro.socket",
            "virtinterfaced.service",
            "virtinterfaced.socket",
            "virtinterfaced-admin.socket",
            "virtinterfaced-ro.socket",
            "virtlockd.service",
            "virtlockd.socket",
            "virtlockd-admin.socket",
            "virtlogd.service",
            "virtlogd.socket",
            "virtlogd-admin.socket",
            "virtlxcd.service",
            "virtlxcd.socket",
            "virtlxcd-admin.socket",
            "virtlxcd-ro.socket",
            "virtnetworkd.service",
            "virtnetworkd.socket",
            "virtnetworkd-admin.socket",
            "virtnetworkd-ro.socket",
            "virtnodedevd.service",
            "virtnodedevd.socket",
            "virtnodedevd-admin.socket",
            "virtnodedevd-ro.socket",
            "virtnwfilterd.service",
            "virtnwfilterd.socket",
            "virtnwfilterd-admin.socket",
            "virtnwfilterd-ro.socket",
            "virtproxyd.service",
            "virtproxyd.socket",
            "virtproxyd-admin.socket",
            "virtproxyd-ro.socket",
            "virtproxyd-tcp.socket",
            "virtproxyd-tls.socket",
            "virtqemud.service",
            "virtqemud.socket",
            "virtqemud-admin.socket",
            "virtqemud-ro.socket",
            "virtsecretd.service",
            "virtsecretd.socket",
            "virtsecretd-admin.socket",
            "virtsecretd-ro.socket",
            "virtstoraged.service",
            "virtstoraged.socket",
            "virtstoraged-admin.socket",
            "virtstoraged-ro.socket",
            "virtvboxd.service",
            "virtvboxd.socket",
            "virtvboxd-admin.socket",
            "virtvboxd-ro.socket",
            "vmtoolsd.service",
            "vmware-vmblock-fuse.service",
            "vpnc@.service",
            "wacom-inputattach@.service",
            "wg-quick.target",
            "wg-quick@.service",
            "winbind.service",
            "wondershaper.service",
            "wpa_supplicant.service",
            "wpa_supplicant-nl80211@.service",
            "wpa_supplicant-wired@.service",
            "wpa_supplicant@.service",
            "xfs_scrub@.service",
            "xfs_scrub_all.service",
            "xfs_scrub_all.timer",
            "xfs_scrub_fail@.service",
            "xl2tpd.service",
            "xplico.service",
            "xrdp.service",
            "xrdp-sesman.service",
            "yate.service",
            "zfs.target",
            "zfs-import.service",
            "zfs-import.target",
            "zfs-import-cache.service",
            "zfs-import-scan.service",
            "zfs-load-key.service",
            "zfs-mount.service",
            "zfs-scrub-monthly@.timer",
            "zfs-scrub-weekly@.timer",
            "zfs-scrub@.service",
            "zfs-share.service",
            "zfs-trim-monthly@.timer",
            "zfs-trim-weekly@.timer",
            "zfs-trim@.service",
            "zfs-volume-wait.service",
            "zfs-volumes.target",
            "zfs-zed.service",
            "plymouth.conf",
            "gpg-agent-ssh@etc-pacman.d-gnupg.socket",
            "keyboxd@etc-pacman.d-gnupg.socket",
            "dirmngr@etc-pacman.d-gnupg.socket",
            "gpg-agent-browser@etc-pacman.d-gnupg.socket",
            "gpg-agent-extra@etc-pacman.d-gnupg.socket",
            "gpg-agent@etc-pacman.d-gnupg.socket",
            "https://hybrid-analysis.com/sample/ff42428f0fcc346cc56e2b00d4b5c4bd43b55f3465b4ccab0efba9c88f4a1c03/661da0b063c895fc2d0a78dc",
            "https://hybrid-analysis.com/sample/9613dee39157b5f9935436b36647047e267b7c10fa4c7ab1fd995db681e58c12/661da5b202eaca78740cf4ed",
            "https://hybrid-analysis.com/sample/479a0170df010c5eb742ff1b8740a2ccf381df44c8a919c95d6e38685278e78a/661da5c768340c1e25092cb2",
            "50-rc_keymap.conf",
            "10-defaults.conf",
            "10-login-barrier.conf",
            "20-systemd-userdb.conf",
            "20-systemd-ssh-proxy.conf",
            "iptables-flush",
            "cpupower",
            "chkboot-bootcheck",
            "10-root.conf",
            "30-root-verity-sig.conf",
            "20-root-verity.conf",
            "80-systemd-timesync.list",
            "80-6rd-tunnel.link",
            "80-container-ve.network",
            "80-container-vb.network",
            "80-container-vz.link",
            "80-6rd-tunnel.network",
            "80-container-vz.network",
            "80-auto-link-local.network.example",
            "80-ethernet.network.example",
            "80-container-host0.network",
            "80-iwd.link",
            "80-container-vb.link",
            "80-vm-vt.link",
            "80-vm-vt.network",
            "80-wifi-adhoc.network",
            "80-wifi-ap.network.example",
            "80-wifi-station.network.example",
            "80-container-ve.link",
            "89-ethernet.network.example",
            "99-default.link",
            "dbus-broker.catalog",
            "dbus-broker-launch.catalog",
            "systemd.be.catalog",
            "systemd.be@latin.catalog",
            "systemd.da.catalog",
            "systemd.bg.catalog",
            "systemd.hu.catalog",
            "systemd.catalog",
            "systemd.it.catalog",
            "systemd.fr.catalog",
            "systemd.ko.catalog",
            "systemd.hr.catalog",
            "systemd.pl.catalog",
            "systemd.pt_BR.catalog",
            "systemd.ru.catalog",
            "systemd.sr.catalog",
            "systemd.zh_CN.catalog",
            "systemd.de.catalog",
            "systemd.zh_TW.catalog",
            "expl_cve_2021_40444.yar"
          ],
          "public": 1,
          "adversary": "Chinese Speaking",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "RemainAfterExit",
              "display_name": "RemainAfterExit",
              "target": null
            },
            {
              "id": "NMBDOPTIONS",
              "display_name": "NMBDOPTIONS",
              "target": null
            },
            {
              "id": "SMBDOPTIONS",
              "display_name": "SMBDOPTIONS",
              "target": null
            },
            {
              "id": "SuccessAction",
              "display_name": "SuccessAction",
              "target": null
            },
            {
              "id": "WINBINDOPTIONS",
              "display_name": "WINBINDOPTIONS",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1205",
              "name": "Traffic Signaling",
              "display_name": "T1205 - Traffic Signaling"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "T1569",
              "name": "System Services",
              "display_name": "T1569 - System Services"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "661db37bf549518bf6f7f377",
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 123,
            "YARA": 16,
            "CVE": 4,
            "FileHash-SHA1": 25,
            "FileHash-SHA256": 20,
            "domain": 102,
            "URL": 16,
            "email": 9,
            "hostname": 4,
            "CIDR": 2
          },
          "indicator_count": 321,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "3 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "661db37bf549518bf6f7f377",
          "name": "Backup from 03-28-24 - Systemd dump, malicious ssh and sshd files, libsystemd-vore libsystemd-shared plus supporting php files",
          "description": "Ignoring the yara and eicar files - I was able to recover a partition used for backups from 03/25/24-03/29/24; the day of the XZ supply chain disclosure. This is a preliminary dump with accompanying analysis and sha1 and sha256 hashes of my /usr/lib/systemd directory, which housed multiple suspect ssh subdirectories plus malicious libsystemd-shared and libsystemd-core binaries, and all supporting config, dev, service, and binaries. Dig in.",
          "modified": "2024-04-23T14:28:30.317000",
          "created": "2024-04-15T23:08:43.746000",
          "tags": [
            "fireeye",
            "copyright",
            "base64",
            "dotnettojscript",
            "gadgettojscript",
            "invokeclient",
            "invokeserver",
            "readhost enter",
            "command",
            "roth",
            "nextron",
            "sandworm",
            "detects ssh",
            "grant all",
            "privileges on",
            "to mysqldb",
            "create user",
            "g root",
            "sandworm python",
            "import",
            "phpsploit",
            "host",
            "user",
            "pass",
            "error",
            "establish",
            "pecl oci8",
            "connstr",
            "charset",
            "false",
            "miner",
            "texthtml",
            "module",
            "send custom",
            "swissky",
            "class",
            "serviceip",
            "serviceport",
            "servicedata",
            "e binsh",
            "init",
            "service port",
            "detects",
            "cve202140444",
            "target",
            "targetmode",
            "jeremy brown",
            "windows cve",
            "ms office",
            "modified rule",
            "rperm",
            "wperm",
            "pathsep",
            "string",
            "rwxrxrx",
            "file types",
            "unix",
            "login",
            "autentication",
            "disable",
            "ldapconnect",
            "version",
            "authentication",
            "ldaplist",
            "null",
            "pathelems",
            "execute",
            "backdoor",
            "kingdee oa",
            "yunxingkong",
            "b6oa",
            "code execution",
            "kingdee cloud",
            "starry sky",
            "otherwise",
            "file",
            "setsmartdate",
            "fread",
            "name",
            "force",
            "base64decode",
            "data",
            "substr",
            "array",
            "readdir",
            "getowner",
            "getgroup",
            "getsize",
            "force option",
            "fwrite",
            "permission",
            "check",
            "mode",
            "diraccess",
            "fileaccess",
            "realpath",
            "stat",
            "immutable",
            "posixgetpwuid",
            "posixgetgrgid",
            "explode",
            "etcpasswd",
            "glob",
            "globonlydir",
            "oraclelogin",
            "port",
            "servicename",
            "connector",
            "base",
            "query type",
            "mssqlfetcharray",
            "mssqlassoc",
            "solsocket",
            "timeout",
            "range",
            "portmin",
            "portmax",
            "socketcreate",
            "afinet",
            "sockstream",
            "open",
            "type",
            "true",
            "tcp connection",
            "tcp shell",
            "input",
            "lhost",
            "netcat",
            "lport",
            "shell",
            "dllimport",
            "python",
            "back",
            "fore",
            "pfinet",
            "stdout",
            "this",
            "win32",
            "ldapsearch",
            "select",
            "mysqliassoc",
            "select database",
            "send",
            "newfile",
            "dns stub",
            "third party",
            "see man",
            "exit",
            "o pipefail",
            "v systemctl",
            "devnull",
            "unknown verb",
            "license",
            "gnu lesser",
            "general public",
            "free software",
            "foundation",
            "unit",
            "slice",
            "cpuweight100",
            "tasks slice",
            "cpuweight30",
            "capev2",
            "cape",
            "cuckoo web",
            "setup",
            "grep",
            "limitnofile",
            "install",
            "return",
            "execstart",
            "start",
            "descriptionrun",
            "timer",
            "oncalendardaily",
            "service",
            "prevent rate",
            "delay start",
            "m poetry",
            "sigkill",
            "descriptioncape",
            "ef usercape",
            "g cape",
            "allowisolateyes",
            "typedbus",
            "socket",
            "message bus",
            "listenstream",
            "typenotify",
            "descriptionuser",
            "harald sitter",
            "sitter",
            "kcrash",
            "drkonqi",
            "acceptyes",
            "disable trigger",
            "todo",
            "prevents",
            "path",
            "pathexistsglob",
            "runtimemaxsec31",
            "runtimemaxsec30",
            "restartno",
            "descriptionexit",
            "environmentfile",
            "otheropts",
            "soundfont",
            "descriptiongcr",
            "sshauthsock",
            "descriptionglib",
            "priority6",
            "killmodeprocess",
            "proxy",
            "socketmode0600",
            "apache software",
            "notice file",
            "apache license",
            "unless",
            "as is",
            "basis",
            "or conditions",
            "apple file",
            "conduit monitor",
            "descriptionjack",
            "jackoptions d",
            "driver d",
            "device",
            "media transfer",
            "indexer daemon",
            "memory",
            "memoryhigh512m",
            "system sockets",
            "a user",
            "conditionuser",
            "dbus menus",
            "plasma",
            "phase",
            "workspace core",
            "exit status",
            "x11 connection",
            "timeoutstopsec5",
            "disable restart",
            "timeoutsec40sec",
            "typeoneshot",
            "david edmundson",
            "davidedmundson",
            "osd service",
            "portal",
            "auto restart",
            "dbus",
            "xembed system",
            "logging system",
            "socketmode0660",
            "all containers",
            "restart policy",
            "logging start",
            "execstopbinsh c",
            "logging",
            "x11 plugins",
            "session slice",
            "typeforking",
            "etc userroot",
            "grouproot",
            "onbootsec15min",
            "place",
            "temporary",
            "volatile files",
            "thunar",
            "session manager",
            "wireplumber",
            "service file",
            "xdg autostart",
            "user dir",
            "descriptionxfce",
            "sandbox",
            "malware",
            "analysis",
            "online",
            "submit",
            "vxstream",
            "sample",
            "download",
            "trojan",
            "apt",
            "memoryfile scan",
            "ansi",
            "bpf program",
            "indicator",
            "bpf firewalling",
            "pcap",
            "pcap processing",
            "bpffallowmulti",
            "bpf device",
            "date",
            "suspicious",
            "hybrid",
            "crypto",
            "close",
            "click",
            "april",
            "strings",
            "february",
            "middle",
            "exploit",
            "gameover",
            "contact",
            "scope",
            "thomas koch",
            "gpl v2",
            "imsm",
            "ibftruledir",
            "ibftrules",
            "attr",
            "systemd rule",
            "hannes reinecke",
            "suse labs",
            "ipibft",
            "interface",
            "kernel",
            "configfile",
            "typesimple",
            "apparmor",
            "grouparchaudit",
            "hardening",
            "umask077",
            "persistenttrue",
            "enable debug",
            "networkmanager",
            "trace",
            "wait online",
            "edit",
            "note",
            "reload",
            "capdacoverride",
            "dhcp etc",
            "mdadmscan",
            "mdadmdelay",
            "mdadmmail",
            "mdadmprogram",
            "mdadmconfig",
            "mdadmsendmail",
            "p runsysconfig",
            "userroot",
            "sssd",
            "write access",
            "needed sometime",
            "statedirectory",
            "accountsservice",
            "varloglastlog",
            "bridge daemon",
            "alsa card",
            "card state",
            "required",
            "another auto",
            "nice daemon",
            "memorymax64m",
            "filter system",
            "mount",
            "reboot",
            "clock",
            "logging service",
            "requires",
            "before",
            "please",
            "exit codes",
            "proc",
            "descriptionruns",
            "execstartsh c",
            "switchtoggle",
            "ignoreonisolate",
            "term typeidle",
            "without",
            "any warranty",
            "merchantability",
            "fitness",
            "a particular",
            "vartmp",
            "wants type",
            "preparation",
            "watchdogsec10",
            "filesystem",
            "timer daemon",
            "options",
            "environment",
            "prevent",
            "readwritepaths",
            "security",
            "certain",
            "protectsystem",
            "bindpaths",
            "lower cpu",
            "nice19",
            "manager",
            "userc",
            "celerydnodes",
            "info",
            "chaddevops",
            "aaron brighton",
            "clam antivirus",
            "jon kriel",
            "distribution",
            "script",
            "sanesecurity",
            "securiteinfo",
            "malwarepatrol",
            "oitc",
            "file location",
            "remember",
            "typeexec user",
            "9 cntlm",
            "generate color",
            "profiles",
            "removeipctrue",
            "devpts",
            "authors",
            "any kind",
            "usercouchdb",
            "restartsec5",
            "volumes",
            "server socket",
            "user209",
            "daemon",
            "darkstatiface",
            "reloadconfig",
            "watchdogsec3min",
            "privatetmpyes",
            "protectproc",
            "increase",
            "descriptiontime",
            "date service",
            "debugging only",
            "ignoresigpipeno",
            "unset locale",
            "file system",
            "queue file",
            "whatmqueue",
            "optionsnosuid",
            "pf rundhclient",
            "rate",
            "requiresdirmngr",
            "capfowner",
            "capsetpcap",
            "dhcp",
            "dns server",
            "startlimit",
            "limits",
            "delegateyes",
            "descriptionpass",
            "runtimemaxsec5",
            "mountain",
            "metadata check",
            "all filesystems",
            "online metadata",
            "sunday",
            "oncalendarsun",
            "online ext4",
            "sigterm signal",
            "java process",
            "piddir",
            "standardoutput",
            "elasticsearch",
            "limitnproc4096",
            "limitasinfinity",
            "sendsighupyes",
            "mapper daemon",
            "mainpid",
            "quit",
            "listenstream79",
            "radius server",
            "d etcraddb",
            "protecthomeon",
            "default",
            "systemservice",
            "efiefi bootefi",
            "afinet afinet6",
            "afunix afinet",
            "oncalendar 0000",
            "privatetmptrue",
            "geoip legacy",
            "geoip2",
            "instance",
            "usergit",
            "scdconfig",
            "notice",
            "devinputmice t",
            "descriptiongps",
            "system",
            "sock refclock",
            "gpsdoptions",
            "devices",
            "daemon sockets",
            "2947",
            "bindipv6onlyyes",
            "usbauto",
            "usrbingpsdctl",
            "gps daemon",
            "afterdev",
            "gvmddata",
            "varlibgssproxy",
            "nonewprivileges",
            "privatetmp",
            "protecthome",
            "ieee",
            "etchostapd",
            "killmodemixed",
            "fcopy",
            "uncomment",
            "use sigterm",
            "sigkill i2pd",
            "sendsigkillyes",
            "limitnofile8192",
            "systemd",
            "analog",
            "shutting down",
            "iodineextip p",
            "iodineport p",
            "iodineuser",
            "tunip",
            "topdomain",
            "guessmainpidyes",
            "m node",
            "wants",
            "initiatorname",
            "io driver",
            "typeexec",
            "c etckcptun",
            "usernobody",
            "requireskeyboxd",
            "static device",
            "nofork",
            "restartalways",
            "linker cache",
            "hack",
            "use wants",
            "raise",
            "tasksmax",
            "tasksmax32768",
            "limitmemlock64m",
            "removeonstopyes",
            "ip socket",
            "tls ip",
            "conflictsgetty",
            "aftergetty",
            "busmodules",
            "qabr",
            "hwmonmodules",
            "local file",
            "privatenetwork",
            "lvm2",
            "initialization",
            "autoboot code",
            "s delegatetrue",
            "description",
            "pidfilerunlxc",
            "lynis service",
            "adjust path",
            "lynis binary",
            "lynis timer",
            "tell systemd",
            "lynis security",
            "persistentfalse",
            "container slice",
            "recover",
            "varcacheman",
            "regenerate man",
            "userroot nice19",
            "mysqldopts",
            "mysqldsafe",
            "timezone",
            "core",
            "restart",
            "users",
            "backlog150",
            "listenstreams",
            "servicemariadb",
            "mechanism",
            "mariadb",
            "multi instance",
            "variables",
            "bindirmdadm",
            "gnu general",
            "public license",
            "reshape",
            "onactivesec30",
            "oncalendar",
            "wantedby",
            "monitor",
            "allow mdmon",
            "takeover",
            "k none",
            "c devnull",
            "d runinitramfs",
            "p runmongodb",
            "limitnproc32000",
            "limitmemlock5",
            "device server",
            "requiredbydev",
            "d dev",
            "descriptionreal",
            "extraopts",
            "restartsec30",
            "valid",
            "fifo",
            "priority",
            "batch",
            "nice0",
            "partof",
            "tracking daemon",
            "helper",
            "for testing",
            "only",
            "restrict",
            "grant",
            "capsysptrace",
            "capkill",
            "capipclock",
            "environ",
            "capsysresource",
            "capsyslog",
            "descriptionname",
            "service cache",
            "sysvlsb",
            "descriptionhost",
            "network name",
            "group name",
            "u ntp",
            "time service",
            "t hibernate",
            "software",
            "other",
            "the software",
            "daemon init",
            "software is",
            "provided",
            "fcnvme",
            "wantsmodprobe",
            "aftermodprobe",
            "descriptionall",
            "nbft",
            "nvmeof",
            "connectargs",
            "unit file",
            "descriptionnvmf",
            "red hat",
            "without any",
            "warranty",
            "card daemon",
            "socketmode0666",
            "suite result",
            "kexec screen",
            "oncalendarsat",
            "boot screen",
            "timeoutsec20",
            "power off",
            "runtime data",
            "descriptionhold",
            "timeoutsec0",
            "sandboxing",
            "execstop",
            "colin walters",
            "upgrade",
            "upgrade output",
            "umask0077",
            "transport agent",
            "descriptionmake",
            "descriptionppp",
            "whatnfsd",
            "file formats",
            "automount point",
            "automount",
            "setuid nobody",
            "setgid nobody",
            "setcon",
            "syslog",
            "restartonabort",
            "halt screen",
            "reboot screen",
            "pgroot",
            "postgresql",
            "oom killer",
            "additional",
            "fy nice19",
            "endless os",
            "foundation llc",
            "restartsec0",
            "system quotas",
            "rabbitmq",
            "protecthometrue",
            "etcrathole",
            "guessmainpidno",
            "h etcrdnssd",
            "reflector",
            "afinet6 afunix",
            "umask177",
            "remote file",
            "nfs client",
            "nfsv23 locking",
            "make sure",
            "rpc netconfig",
            "descriptionfast",
            "using ssh",
            "so let",
            "boot",
            "realtimekit",
            "rwhodopts",
            "display manager",
            "specify",
            "interval l",
            "loginterval f",
            "bindstodev",
            "always",
            "usrbingrpck r",
            "slapdoptions",
            "u ldap",
            "slapdurls",
            "smart",
            "pciusb",
            "midi",
            "daemonopts",
            "snmp",
            "trap daemon",
            "g snort",
            "descriptionsudo",
            "hibernate",
            "svnserveargs",
            "whatfusectl",
            "whatconfigfs",
            "whatdebugfs",
            "whattracefs",
            "best way",
            "see https",
            "units service",
            "service slice",
            "offline system",
            "update",
            "wall directory",
            "timeoutsec90s",
            "descriptionmark",
            "current boot",
            "loader entry",
            "any system",
            "units",
            "loader random",
            "loader update",
            "service socket",
            "dump socket",
            "optionally",
            "root device",
            "afalg afinet",
            "execstophomectl",
            "home area",
            "named pipe",
            "sink service",
            "sink socket",
            "upload service",
            "dynamicuseryes",
            "sigkilled",
            "devlog",
            "timestampingus",
            "namespace",
            "sendbuffer8m",
            "kernel command",
            "netlink socket",
            "storage",
            "descriptionwait",
            "network",
            "make",
            "deviceallow",
            "reserve",
            "killer socket",
            "root file",
            "measurement",
            "pcr policy",
            "tpm pcr",
            "code",
            "configuration",
            "machine id",
            "barrier",
            "quota check",
            "system quota",
            "after",
            "random seed",
            "kernel file",
            "gpt partition",
            "kill switch",
            "nvmetcp",
            "trigger",
            "saturday",
            "persistentyes",
            "system update",
            "kernel time",
            "capsystime",
            "ntp service",
            "turn",
            "files",
            "device nodes",
            "srk setup",
            "device events",
            "bootshutdown",
            "change",
            "manager socket",
            "descriptiontinc",
            "proxy server",
            "linrunner",
            "descriptiontlp",
            "tor service",
            "f etctortorrc",
            "tpm device",
            "descriptionudp",
            "tcpicmpudp",
            "etcudp2raw",
            "debug",
            "swap",
            "api file",
            "privatedevices",
            "home",
            "root",
            "runuser",
            "linux control",
            "groups",
            "group",
            "afnetlink",
            "locked memory",
            "limitmemlock0",
            "usb gadget",
            "apple",
            "sliceuser",
            "descriptionuuid",
            "compatibility",
            "typerpcpipefs",
            "vmsvga",
            "hypervisor",
            "usr1",
            "mgmt appuser",
            "dac permission",
            "selinux",
            "xxx someone",
            "qemu",
            "machine tools",
            "vmware tools",
            "pidfilerunvpnc",
            "wacom",
            "iface d",
            "dspeed u",
            "iface",
            "descriptionwpa",
            "oracle",
            "reserved",
            "wong",
            "emailaddr",
            "tunnel protocol",
            "l2tp",
            "isps",
            "russia use",
            "ipsec",
            "d optxplico",
            "b sqlite",
            "descriptionxrdp",
            "xrdpoptions",
            "process",
            "sesmanoptions",
            "zpoolimportopts",
            "an o",
            "t scrub",
            "usrbinzpool",
            "zfs volume",
            "descriptionzfs",
            "f restartalways",
            "remainafterexit",
            "nmbdoptions",
            "smbdoptions",
            "successaction",
            "winbindoptions",
            "ck id",
            "hybrid analysis",
            "mitre att",
            "malicious",
            "sdshared ansi",
            "default und",
            "func global",
            "func local",
            "object local",
            "general",
            "show technique",
            "ck matrix",
            "tasksmax33",
            "empty file",
            "proxycommand",
            "checkhostip",
            "afunix",
            "afvsock",
            "allow",
            "r table",
            "chkbootcheck",
            "gplv2 source",
            "chkbootstyles",
            "etcissue",
            "partition",
            "minimizebest",
            "mit no",
            "match",
            "link",
            "namepolicykeep",
            "ethernet link",
            "kindveth nameve",
            "kindveth namevb",
            "keepmasteryes",
            "dhcpv4",
            "kindsit name6rd",
            "ipv4ll",
            "ipv6ll",
            "dhcpipv6ra",
            "dhcpv6",
            "typeether",
            "dhcpyes",
            "usetimezoneyes",
            "typewlan",
            "tuntap",
            "natdhcp",
            "kindtun namevt",
            "kind",
            "originalname",
            "definedby",
            "peer",
            "sopeergroups",
            "dbus protocol",
            "dbus name",
            "exec",
            "hup signal",
            "sighup",
            "dnssec",
            "sessionid",
            "seatid",
            "sleep",
            "leader",
            "jobresult",
            "coredumppid",
            "coredumpcomm",
            "junit",
            "na zapusk",
            "mikrasiekund",
            "enhed",
            "mikrosekunder",
            "opstart",
            "jobid",
            "a rendszer",
            "ezredmsodpercet",
            "a rendszernapl",
            "user manager",
            "smack",
            "lunit",
            "stato",
            "il processo",
            "il sistema",
            "stata",
            "le processus",
            "notez que",
            "jedinica",
            "zapamtite da",
            "nova",
            "jednostka",
            "prosz zauway",
            "zwykle wskazuje",
            "jest",
            "o processo",
            "processo",
            "isso",
            "inicializao",
            "journal",
            "sizelimit",
            "userid",
            "prozess",
            "speicherabbild",
            "hinweis auf",
            "programmfehler",
            "fehler dem",
            "die systemzeit",
            "realtime"
          ],
          "references": [
            "Hunting_B64Engine_DotNetToJScript_Dos.yar",
            "APT_Backdoor_PS1_BASICPIPESHELL_1.yar",
            "apt_sandworm_exim_expl.yar.002",
            "apt_sandworm_exim_expl.yar.001",
            "apt_sandworm_exim_expl.yar",
            "connect.php",
            "connect.php.002",
            "connect.php.001",
            "crypto-miner.js",
            "eicar",
            "eicar.001",
            "eicar.002",
            "custom.py",
            "eicar.txt",
            "expl_cve_2021_40444.yar.001",
            "expl_cve_2021_40444.yar.002",
            "getPerms.php",
            "input.pcap",
            "list.php",
            "parent.php",
            "payload.php",
            "payload.php.001",
            "kingdee-erp-rce.yaml",
            "payload.php.003",
            "payload.php.002",
            "payload.php.004",
            "payload.php.005",
            "payload.php.006",
            "payload.php.007",
            "payload.php.008",
            "payload.php.010",
            "payload.php.011",
            "payload.php.009",
            "payload.php.012",
            "payload.php.013",
            "payload.php.015",
            "payload.php.016",
            "payload.php.017",
            "reverse_tcp.py",
            "scanner.php",
            "search.php",
            "setdb.php",
            "payload.php.014",
            "setdb.php.001",
            "reader.php",
            "single.php",
            "resolv.conf",
            "systemd-update-helper",
            "90-systemd.preset",
            "60-flatpak",
            "app.slice",
            "background.slice",
            "README.md",
            "bluetooth.target",
            "basic.target",
            "borgmatic-user.timer",
            "borgmatic-user.service",
            "cape.service",
            "cape-dist.service",
            "cape-processor.service",
            "cape-rooter.service",
            "capsule@.target",
            "cape-web.service",
            "clash.service",
            "colord-session.service",
            "dbus.socket",
            "cape-fstab.service",
            "dbus.service",
            "dbus-broker.service",
            "dconf.service",
            "dirmngr.service",
            "default.target",
            "drkonqi-coredump-cleanup.service",
            "dirmngr.socket",
            "drkonqi-coredump-cleanup.timer",
            "drkonqi-coredump-launcher.socket",
            "drkonqi-sentry-postman.path",
            "drkonqi-coredump-pickup.service",
            "drkonqi-sentry-postman.service",
            "drkonqi-sentry-postman.timer",
            "drkonqi-coredump-launcher@.service",
            "dunst.service",
            "flatpak-oci-authenticator.service",
            "filter-chain.service",
            "exit.target",
            "flatpak-session-helper.service",
            "fluidsynth.service",
            "gcr-ssh-agent.socket",
            "flatpak-portal.service",
            "gcr-ssh-agent.service",
            "gnome-keyring-daemon.service",
            "glib-pacrunner.service",
            "gnome-keyring-daemon.socket",
            "gpg-agent-ssh.socket",
            "gnome-terminal-server.service",
            "gpg-agent-extra.socket",
            "gpg-agent.service",
            "gpg-agent.socket",
            "gpg-agent-browser.socket",
            "graphical-session-pre.target",
            "graphical-session.target",
            "gssuserproxy.socket",
            "guacd.service",
            "gvfs-gphoto2-volume-monitor.service",
            "gvfs-daemon.service",
            "gssuserproxy.service",
            "gvfs-afc-volume-monitor.service",
            "gvfs-metadata.service",
            "jack@.service",
            "guac-web.service",
            "gvfs-udisks2-volume-monitor.service",
            "gvfs-mtp-volume-monitor.service",
            "kde-baloo.service",
            "keyboxd.service",
            "kio-fuse.service",
            "keyboxd.socket",
            "p11-kit-server.service",
            "p11-kit-server.socket",
            "paths.target",
            "pipewire.socket",
            "pipewire-pulse.service",
            "plasma-gmenudbusmenuproxy.service",
            "pipewire-pulse.socket",
            "plasma-baloorunner.service",
            "plasma-kcminit.service",
            "plasma-dolphin.service",
            "plasma-kcminit-phase1.service",
            "plasma-core.target",
            "plasma-kded.service",
            "pipewire.service",
            "plasma-kded6.service",
            "plasma-kglobalaccel.service",
            "at-spi-dbus-bus.service",
            "plasma-krunner.service",
            "plasma-kscreen.service",
            "plasma-kscreen-osd.service",
            "plasma-ksmserver.service",
            "plasma-ksplash.service",
            "plasma-ksplash-ready.service",
            "plasma-ksystemstats.service",
            "plasma-kwallet-pam.service",
            "plasma-kwin_wayland.service",
            "plasma-kwin_x11.service",
            "plasma-plasmashell.service",
            "plasma-polkit-agent.service",
            "plasma-powerdevil.service",
            "plasma-powerprofile-osd.service",
            "plasma-restoresession.service",
            "plasma-workspace.target",
            "plasma-workspace-wayland.target",
            "plasma-workspace-x11.target",
            "plasma-xdg-desktop-portal-kde.service",
            "plasma-xembedsniproxy.service",
            "podman.service",
            "podman.socket",
            "podman-auto-update.service",
            "podman-auto-update.timer",
            "podman-kube@.service",
            "podman-restart.service",
            "printer.target",
            "pulseaudio.service",
            "pulseaudio.socket",
            "pulseaudio-x11.service",
            "session.slice",
            "shutdown.target",
            "smartcard.target",
            "sockets.target",
            "sound.target",
            "ssh-agent.service",
            "suricata.service",
            "suricata-update.service",
            "suricata-update.timer",
            "systemd-exit.service",
            "systemd-tmpfiles-clean.service",
            "systemd-tmpfiles-clean.timer",
            "systemd-tmpfiles-setup.service",
            "thunar.service",
            "timers.target",
            "tracker-xdg-portal-3.service",
            "tumblerd.service",
            "wireplumber.service",
            "wireplumber@.service",
            "xdg-desktop-autostart.target",
            "xdg-desktop-portal.service",
            "xdg-desktop-portal-gtk.service",
            "xdg-desktop-portal-hyprland.service",
            "xdg-desktop-portal-rewrite-launchers.service",
            "xdg-desktop-portal-xapp.service",
            "xdg-permission-store.service",
            "xdg-user-dirs-update.service",
            "xfce4-notifyd.service",
            "xsettingsd.service",
            "xdg-document-portal.service",
            "https://hybrid-analysis.com/sample/b1a9e5be43c028442c07071e202f44f33e3a2df167822c5cfed8f998e01fe169/661da09794b343782806018e",
            "defaults.conf",
            "apparmor.conf",
            "nvidia",
            "tlp",
            "fwupd.shutdown",
            "mdadm.shutdown",
            "99-default.preset",
            "50-zfs.preset",
            "ibft-rule-generator",
            "10-arch",
            "60-flatpak-system-only",
            "3proxy.service",
            "apache-tika.service",
            "apparmor.service",
            "arch-audit.service",
            "arch-audit.timer",
            "NetworkManager-dispatcher.service",
            "NetworkManager-wait-online.service",
            "NetworkManager.service",
            "SUSE-mdadm_env.sh",
            "ModemManager.service",
            "3proxy.conf",
            "archlinux-keyring-wkd-sync.service",
            "adsl.service",
            "accounts-daemon.service",
            "adb.service",
            "alsa-restore.service",
            "alsa-state.service",
            "archlinux-keyring-wkd-sync.timer",
            "ananicy-cpp.service",
            "arcolinux-graphical-target.service",
            "atftpd.service",
            "audit-rules.service",
            "auditd.service",
            "auth-rpcgss-module.service",
            "autorandr.service",
            "autorandr-lid-listener.service",
            "autovt@.service",
            "avahi-daemon.service",
            "avahi-daemon.socket",
            "avahi-dnsconfd.service",
            "bettercap.service",
            "betterlockscreen@.service",
            "blk-availability.service",
            "blockdev@.target",
            "bluetooth.service",
            "bmc-watchdog.service",
            "bolt.service",
            "boot-complete.target",
            "borgmatic.service",
            "borgmatic.timer",
            "bpftune.service",
            "btrfs-scrub@.service",
            "btrfs-scrub@.timer",
            "canberra-system-bootup.service",
            "canberra-system-shutdown.service",
            "canberra-system-shutdown-reboot.service",
            "capsule.slice",
            "capsule@.service",
            "celery2@.service",
            "celery@.service",
            "chkboot.service",
            "clamav-clamonacc.service",
            "clamav-daemon.service",
            "clamav-daemon.socket",
            "clamav-freshclam.service",
            "clamav-freshclam-once.service",
            "clamav-freshclam-once.timer",
            "clamav-unofficial-sigs.service",
            "clamav-unofficial-sigs.timer",
            "clash@.service",
            "cntlm.service",
            "colord.service",
            "configure-printer@.service",
            "console-getty.service",
            "container-getty@.service",
            "containerd.service",
            "couchdb.service",
            "cpupower.service",
            "create_ap.service",
            "cronie.service",
            "cryptsetup.target",
            "cryptsetup-pre.target",
            "ctrl-alt-del.target",
            "cups.path",
            "cups.service",
            "cups.socket",
            "cups-lpd.socket",
            "cups-lpd@.service",
            "cxl-monitor.service",
            "darkstat.service",
            "daxdev-reconfigure@.service",
            "dbus-org.freedesktop.hostname1.service",
            "dbus-org.freedesktop.import1.service",
            "dbus-org.freedesktop.locale1.service",
            "dbus-org.freedesktop.login1.service",
            "dbus-org.freedesktop.machine1.service",
            "dbus-org.freedesktop.portable1.service",
            "dbus-org.freedesktop.timedate1.service",
            "debug-shell.service",
            "dev-hugepages.mount",
            "dev-mqueue.mount",
            "dhclient@.service",
            "dhcpd4.service",
            "dhcpd6.service",
            "dirmngr@.service",
            "dirmngr@.socket",
            "dm-event.service",
            "dm-event.socket",
            "dmraid.service",
            "dnscrypt-proxy.service",
            "dnsmasq.service",
            "docker.service",
            "docker.socket",
            "drkonqi-coredump-processor@.service",
            "e2scrub@.service",
            "e2scrub_all.service",
            "e2scrub_all.timer",
            "e2scrub_fail@.service",
            "e2scrub_reap.service",
            "ead.service",
            "elasticsearch.service",
            "elasticsearch-keystore.service",
            "elasticsearch-keystore@.service",
            "elasticsearch@.service",
            "emergency.service",
            "emergency.target",
            "epmd.service",
            "epmd.socket",
            "exabgp.service",
            "factory-reset.target",
            "fancontrol.service",
            "fastnetmon.service",
            "final.target",
            "finger.socket",
            "finger@.service",
            "first-boot-complete.target",
            "flatpak-system-helper.service",
            "freeradius.service",
            "fsidd.service",
            "fstrim.service",
            "fstrim.timer",
            "ftpd.service",
            "fwupd.service",
            "fwupd-offline-update.service",
            "fwupd-refresh.service",
            "fwupd-refresh.timer",
            "geoclue.service",
            "geoipupdate.service",
            "geoipupdate.timer",
            "getty.target",
            "getty-pre.target",
            "getty@.service",
            "git-daemon.socket",
            "git-daemon@.service",
            "gnupg-pkcs11-scd-proxy.service",
            "gpg-agent-browser@.socket",
            "gpg-agent-extra@.socket",
            "gpg-agent-ssh@.socket",
            "gpg-agent@.service",
            "gpg-agent@.socket",
            "gpm.path",
            "gpm.service",
            "gpsd.service",
            "gpsd.socket",
            "gpsdctl@.service",
            "graphical.target",
            "greenbone-certdata-sync.service",
            "greenbone-certdata-sync.timer",
            "greenbone-feed-sync.service",
            "greenbone-feed-sync.timer",
            "greenbone-nvt-sync.service",
            "greenbone-nvt-sync.timer",
            "greenbone-scapdata-sync.service",
            "greenbone-scapdata-sync.timer",
            "gssproxy.service",
            "gvmd.service",
            "halt.target",
            "healthd.service",
            "hibernate.target",
            "hostapd.service",
            "hostapd@.service",
            "httpd.service",
            "hv_fcopy_daemon.service",
            "hv_kvp_daemon.service",
            "hv_vss_daemon.service",
            "hybrid-sleep.target",
            "i2pd.service",
            "iiod.service",
            "initrd.target",
            "initrd-cleanup.service",
            "initrd-fs.target",
            "initrd-parse-etc.service",
            "initrd-root-device.target",
            "initrd-root-fs.target",
            "initrd-switch-root.service",
            "initrd-switch-root.target",
            "initrd-udevadm-cleanup-db.service",
            "initrd-usr-fs.target",
            "integritysetup.target",
            "integritysetup-pre.target",
            "iodined.service",
            "iodined.socket",
            "ip2clued.service",
            "ip6tables.service",
            "ipmidetectd.service",
            "ipmiseld.service",
            "iptables.service",
            "iscsi.service",
            "iscsi-init.service",
            "iscsid.service",
            "iscsid.socket",
            "iscsiuio.service",
            "iscsiuio.socket",
            "isnsd.service",
            "isnsd.socket",
            "iwd.service",
            "kcptun-server@.service",
            "kcptun@.service",
            "kexec.target",
            "keyboxd@.service",
            "keyboxd@.socket",
            "kmod-static-nodes.service",
            "krb5-kadmind.service",
            "krb5-kdc.service",
            "krb5-kpropd.service",
            "krb5-kpropd.socket",
            "krb5-kpropd@.service",
            "lastlog2-import.service",
            "ldconfig.service",
            "libvirt-guests.service",
            "libvirtd.service",
            "libvirtd.socket",
            "libvirtd-admin.socket",
            "libvirtd-ro.socket",
            "libvirtd-tcp.socket",
            "libvirtd-tls.socket",
            "lightdm.service",
            "lm_sensors.service",
            "local-fs.target",
            "local-fs-pre.target",
            "logrotate.service",
            "logrotate.timer",
            "lvm2-lvmpolld.service",
            "lvm2-lvmpolld.socket",
            "lvm2-monitor.service",
            "lxc.service",
            "lxc-auto.service",
            "lxc-monitord.service",
            "lxc-net.service",
            "lxc@.service",
            "lxdm.service",
            "ly.service",
            "lynis.service",
            "lynis.timer",
            "machine.slice",
            "machines.target",
            "man-db.service",
            "man-db.timer",
            "mariadb.service",
            "mariadb.socket",
            "mariadb-extra.socket",
            "mariadb-extra@.socket",
            "mariadb@.service",
            "mariadb@.socket",
            "mdadm-grow-continue@.service",
            "mdadm-last-resort@.service",
            "mdadm-last-resort@.timer",
            "mdcheck_continue.service",
            "mdcheck_continue.timer",
            "mdcheck_start.service",
            "mdcheck_start.timer",
            "mdmon@.service",
            "mdmonitor.service",
            "mdmonitor-oneshot.service",
            "mdmonitor-oneshot.timer",
            "memavaild.service",
            "mkinitcpio-generate-shutdown-ramfs.service",
            "modprobe@.service",
            "mongodb.service",
            "multi-user.target",
            "mysql.service",
            "mysqld.service",
            "named.service",
            "nbd.service",
            "nbd@.service",
            "ndctl-monitor.service",
            "neo4j.service",
            "netavark-dhcp-proxy.service",
            "netavark-dhcp-proxy.socket",
            "netdata.service",
            "network.target",
            "network-online.target",
            "network-pre.target",
            "nfs-blkmap.service",
            "nfs-client.target",
            "nfs-idmapd.service",
            "nfs-mountd.service",
            "nfs-server.service",
            "nfs-utils.service",
            "nfsdcld.service",
            "nfsv4-exportd.service",
            "nfsv4-server.service",
            "nftables.service",
            "nm-priv-helper.service",
            "nmb.service",
            "nohang.service",
            "nohang-desktop.service",
            "nscd.service",
            "nss-lookup.target",
            "nss-user-lookup.target",
            "ntpd.service",
            "ntpdate.service",
            "nvidia-hibernate.service",
            "nvidia-persistenced.service",
            "nvidia-powerd.service",
            "nvidia-resume.service",
            "nvidia-suspend.service",
            "nvmefc-boot-connections.service",
            "nvmf-autoconnect.service",
            "nvmf-connect.target",
            "nvmf-connect-nbft.service",
            "nvmf-connect@.service",
            "pacrunner.service",
            "ostree-boot-complete.service",
            "pacman-filesdb-refresh.timer",
            "pcscd.service",
            "passim.service",
            "pcscd.socket",
            "packagekit-offline-update.service",
            "phoronix-result-server.service",
            "paccache.timer",
            "plymouth-kexec.service",
            "pamac-cleancache.timer",
            "plymouth-quit.service",
            "partimaged.service",
            "plymouth-poweroff.service",
            "plymouth-read-write.service",
            "plymouth-quit-wait.service",
            "paccache.service",
            "plymouth-switch-root-initramfs.service",
            "ostree-remount.service",
            "plymouth-switch-root.service",
            "openvpn-client@.service",
            "podman-clean-transient.service",
            "pamac-offline-upgrade.service",
            "polkit.service",
            "postfix.service",
            "pam_namespace.service",
            "poweroff.target",
            "ppp@.service",
            "opensnitchd.service",
            "proc-fs-nfsd.mount",
            "proc-sys-fs-binfmt_misc.automount",
            "proc-sys-fs-binfmt_misc.mount",
            "phoromatic-server.service",
            "ptunnel.service",
            "openvpn-server@.service",
            "plymouth-halt.service",
            "pamac-cleancache.service",
            "plymouth-reboot.service",
            "ostree-state-overlay@.service",
            "ostree-finalize-staged.service",
            "postgresql.service",
            "phoromatic-client.service",
            "pamac-daemon.service",
            "pacman-filesdb-refresh.service",
            "packagekit.service",
            "pkgfile-update.service",
            "pkgfile-update.timer",
            "plymouth-start.service",
            "ostree-prepare-root.service",
            "ostree-finalize-staged.path",
            "privoxy.service",
            "ostree-finalize-staged-hold.service",
            "qemu-guest-agent.service",
            "quotaon.service",
            "quotaon-root.service",
            "quotaon@.service",
            "rabbitmq.service",
            "ras-mc-ctl.service",
            "rasdaemon.service",
            "rathole@.service",
            "ratholec@.service",
            "ratholes@.service",
            "rc-local.service",
            "rdnssd@.service",
            "reboot.target",
            "redis.service",
            "redis-sentinel.service",
            "reflector.service",
            "reflector.timer",
            "remote-cryptsetup.target",
            "remote-fs.target",
            "remote-fs-pre.target",
            "remote-veritysetup.target",
            "rescue.service",
            "rescue.target",
            "rfkill-block@.service",
            "rfkill-unblock@.service",
            "rlogin.socket",
            "rlogin@.service",
            "rpc-gssd.service",
            "rpc-statd.service",
            "rpc-statd-notify.service",
            "rpc_pipefs.target",
            "rpcbind.service",
            "rpcbind.socket",
            "rpcbind.target",
            "rsh.socket",
            "rsh@.service",
            "rsyncd.service",
            "rsyncd.socket",
            "rsyncd@.service",
            "rtkit-daemon.service",
            "runlevel0.target",
            "runlevel1.target",
            "runlevel2.target",
            "runlevel3.target",
            "runlevel4.target",
            "runlevel5.target",
            "runlevel6.target",
            "rwhod.service",
            "samba.service",
            "sddm.service",
            "seatd.service",
            "sensord.service",
            "serial-getty@.service",
            "shadow.service",
            "shadow.timer",
            "sigpwr.target",
            "slapd.service",
            "sleep.target",
            "slices.target",
            "smartd.service",
            "smb.service",
            "sndiod.service",
            "snmpd.service",
            "snmptrapd.service",
            "snort@.service",
            "snort@1000.service",
            "soft-reboot.target",
            "ssh-access.target",
            "sshd.service",
            "sshdgenkeys.service",
            "sshuttle.service",
            "sslh.service",
            "sslh-fork.service",
            "sslh-select.service",
            "storage-target-mode.target",
            "stunnel.service",
            "sudo_logsrvd.service",
            "suspend.target",
            "suspend-then-hibernate.target",
            "svnserve.service",
            "swap.target",
            "sys-fs-fuse-connections.mount",
            "sys-kernel-config.mount",
            "sys-kernel-debug.mount",
            "sys-kernel-tracing.mount",
            "sysinit.target",
            "syslog.socket",
            "system-systemd\\x2dcryptsetup.slice",
            "system-systemd\\x2dveritysetup.slice",
            "system-update.target",
            "system-update-cleanup.service",
            "system-update-pre.target",
            "systemd-ask-password-console.path",
            "systemd-ask-password-console.service",
            "systemd-ask-password-plymouth.path",
            "systemd-ask-password-plymouth.service",
            "systemd-ask-password-wall.path",
            "systemd-ask-password-wall.service",
            "systemd-backlight@.service",
            "systemd-battery-check.service",
            "systemd-binfmt.service",
            "systemd-bless-boot.service",
            "systemd-boot-check-no-failures.service",
            "systemd-boot-random-seed.service",
            "systemd-boot-update.service",
            "systemd-bootctl.socket",
            "systemd-bootctl@.service",
            "systemd-bsod.service",
            "systemd-confext.service",
            "systemd-coredump.socket",
            "systemd-coredump@.service",
            "systemd-creds.socket",
            "systemd-creds@.service",
            "systemd-firstboot.service",
            "systemd-fsck-root.service",
            "systemd-fsck@.service",
            "systemd-growfs-root.service",
            "systemd-growfs@.service",
            "systemd-halt.service",
            "systemd-hibernate.service",
            "systemd-hibernate-resume.service",
            "systemd-homed.service",
            "systemd-homed-activate.service",
            "systemd-homed-firstboot.service",
            "systemd-hostnamed.service",
            "systemd-hostnamed.socket",
            "systemd-hwdb-update.service",
            "systemd-hybrid-sleep.service",
            "systemd-importd.service",
            "systemd-initctl.service",
            "systemd-initctl.socket",
            "systemd-journal-catalog-update.service",
            "systemd-journal-flush.service",
            "systemd-journal-gatewayd.service",
            "systemd-journal-gatewayd.socket",
            "systemd-journal-remote.service",
            "systemd-journal-remote.socket",
            "systemd-journal-upload.service",
            "systemd-journald.service",
            "systemd-journald.socket",
            "systemd-journald-audit.socket",
            "systemd-journald-dev-log.socket",
            "systemd-journald-varlink@.socket",
            "systemd-journald@.service",
            "systemd-journald@.socket",
            "systemd-kexec.service",
            "systemd-localed.service",
            "systemd-logind.service",
            "systemd-machine-id-commit.service",
            "systemd-machined.service",
            "systemd-modules-load.service",
            "systemd-network-generator.service",
            "systemd-networkd.service",
            "systemd-networkd.socket",
            "systemd-networkd-persistent-storage.service",
            "systemd-networkd-wait-online.service",
            "systemd-networkd-wait-online@.service",
            "systemd-nspawn@.service",
            "systemd-oomd.service",
            "systemd-oomd.socket",
            "systemd-pcrextend.socket",
            "systemd-pcrextend@.service",
            "systemd-pcrfs-root.service",
            "systemd-pcrfs@.service",
            "systemd-pcrlock.socket",
            "systemd-pcrlock-file-system.service",
            "systemd-pcrlock-firmware-code.service",
            "systemd-pcrlock-firmware-config.service",
            "systemd-pcrlock-machine-id.service",
            "systemd-pcrlock-make-policy.service",
            "systemd-pcrlock-secureboot-authority.service",
            "systemd-pcrlock-secureboot-policy.service",
            "systemd-pcrlock@.service",
            "systemd-pcrmachine.service",
            "systemd-pcrphase.service",
            "systemd-pcrphase-initrd.service",
            "systemd-pcrphase-sysinit.service",
            "systemd-portabled.service",
            "systemd-poweroff.service",
            "systemd-pstore.service",
            "systemd-quotacheck.service",
            "systemd-quotacheck-root.service",
            "systemd-quotacheck@.service",
            "systemd-random-seed.service",
            "systemd-reboot.service",
            "systemd-remount-fs.service",
            "systemd-repart.service",
            "systemd-resolved.service",
            "systemd-rfkill.service",
            "systemd-rfkill.socket",
            "systemd-soft-reboot.service",
            "systemd-storagetm.service",
            "systemd-suspend.service",
            "systemd-suspend-then-hibernate.service",
            "systemd-sysctl.service",
            "systemd-sysext.service",
            "systemd-sysext.socket",
            "systemd-sysext@.service",
            "systemd-sysupdate.service",
            "systemd-sysupdate.timer",
            "systemd-sysupdate-reboot.service",
            "systemd-sysupdate-reboot.timer",
            "systemd-sysusers.service",
            "systemd-time-wait-sync.service",
            "systemd-timedated.service",
            "systemd-timesyncd.service",
            "systemd-tmpfiles-setup-dev.service",
            "systemd-tmpfiles-setup-dev-early.service",
            "systemd-tpm2-setup.service",
            "systemd-tpm2-setup-early.service",
            "systemd-udev-trigger.service",
            "systemd-udevd.service",
            "systemd-udevd-control.socket",
            "systemd-udevd-kernel.socket",
            "systemd-update-done.service",
            "systemd-update-utmp.service",
            "systemd-update-utmp-runlevel.service",
            "systemd-user-sessions.service",
            "systemd-userdbd.service",
            "systemd-userdbd.socket",
            "systemd-vconsole-setup.service",
            "systemd-vmspawn@.service",
            "systemd-volatile-root.service",
            "systemd-zram-setup@.service",
            "talk.service",
            "talk.socket",
            "teamd@.service",
            "telnet.socket",
            "telnet@.service",
            "time-set.target",
            "time-sync.target",
            "tinc.service",
            "tinc@.service",
            "tinyproxy.service",
            "tlp.service",
            "tmp.mount",
            "tor.service",
            "tpm2.target",
            "udisks2.service",
            "udp2raw@.service",
            "ufw.service",
            "uksmd.service",
            "umount.target",
            "unbound.service",
            "updatedb.service",
            "updatedb.timer",
            "upower.service",
            "usb-gadget.target",
            "usb_modeswitch@.service",
            "usbipd.service",
            "usbmuxd.service",
            "user.slice",
            "user-runtime-dir@.service",
            "user@.service",
            "uuidd.service",
            "uuidd.socket",
            "var-lib-machines.mount",
            "var-lib-nfs-rpc_pipefs.mount",
            "vboxdrmclient.path",
            "vboxdrmclient.service",
            "vboxservice.service",
            "veritysetup.target",
            "veritysetup-pre.target",
            "virt-guest-shutdown.target",
            "virtchd.service",
            "virtchd.socket",
            "virtchd-admin.socket",
            "virtchd-ro.socket",
            "virtinterfaced.service",
            "virtinterfaced.socket",
            "virtinterfaced-admin.socket",
            "virtinterfaced-ro.socket",
            "virtlockd.service",
            "virtlockd.socket",
            "virtlockd-admin.socket",
            "virtlogd.service",
            "virtlogd.socket",
            "virtlogd-admin.socket",
            "virtlxcd.service",
            "virtlxcd.socket",
            "virtlxcd-admin.socket",
            "virtlxcd-ro.socket",
            "virtnetworkd.service",
            "virtnetworkd.socket",
            "virtnetworkd-admin.socket",
            "virtnetworkd-ro.socket",
            "virtnodedevd.service",
            "virtnodedevd.socket",
            "virtnodedevd-admin.socket",
            "virtnodedevd-ro.socket",
            "virtnwfilterd.service",
            "virtnwfilterd.socket",
            "virtnwfilterd-admin.socket",
            "virtnwfilterd-ro.socket",
            "virtproxyd.service",
            "virtproxyd.socket",
            "virtproxyd-admin.socket",
            "virtproxyd-ro.socket",
            "virtproxyd-tcp.socket",
            "virtproxyd-tls.socket",
            "virtqemud.service",
            "virtqemud.socket",
            "virtqemud-admin.socket",
            "virtqemud-ro.socket",
            "virtsecretd.service",
            "virtsecretd.socket",
            "virtsecretd-admin.socket",
            "virtsecretd-ro.socket",
            "virtstoraged.service",
            "virtstoraged.socket",
            "virtstoraged-admin.socket",
            "virtstoraged-ro.socket",
            "virtvboxd.service",
            "virtvboxd.socket",
            "virtvboxd-admin.socket",
            "virtvboxd-ro.socket",
            "vmtoolsd.service",
            "vmware-vmblock-fuse.service",
            "vpnc@.service",
            "wacom-inputattach@.service",
            "wg-quick.target",
            "wg-quick@.service",
            "winbind.service",
            "wondershaper.service",
            "wpa_supplicant.service",
            "wpa_supplicant-nl80211@.service",
            "wpa_supplicant-wired@.service",
            "wpa_supplicant@.service",
            "xfs_scrub@.service",
            "xfs_scrub_all.service",
            "xfs_scrub_all.timer",
            "xfs_scrub_fail@.service",
            "xl2tpd.service",
            "xplico.service",
            "xrdp.service",
            "xrdp-sesman.service",
            "yate.service",
            "zfs.target",
            "zfs-import.service",
            "zfs-import.target",
            "zfs-import-cache.service",
            "zfs-import-scan.service",
            "zfs-load-key.service",
            "zfs-mount.service",
            "zfs-scrub-monthly@.timer",
            "zfs-scrub-weekly@.timer",
            "zfs-scrub@.service",
            "zfs-share.service",
            "zfs-trim-monthly@.timer",
            "zfs-trim-weekly@.timer",
            "zfs-trim@.service",
            "zfs-volume-wait.service",
            "zfs-volumes.target",
            "zfs-zed.service",
            "plymouth.conf",
            "gpg-agent-ssh@etc-pacman.d-gnupg.socket",
            "keyboxd@etc-pacman.d-gnupg.socket",
            "dirmngr@etc-pacman.d-gnupg.socket",
            "gpg-agent-browser@etc-pacman.d-gnupg.socket",
            "gpg-agent-extra@etc-pacman.d-gnupg.socket",
            "gpg-agent@etc-pacman.d-gnupg.socket",
            "https://hybrid-analysis.com/sample/ff42428f0fcc346cc56e2b00d4b5c4bd43b55f3465b4ccab0efba9c88f4a1c03/661da0b063c895fc2d0a78dc",
            "https://hybrid-analysis.com/sample/9613dee39157b5f9935436b36647047e267b7c10fa4c7ab1fd995db681e58c12/661da5b202eaca78740cf4ed",
            "https://hybrid-analysis.com/sample/479a0170df010c5eb742ff1b8740a2ccf381df44c8a919c95d6e38685278e78a/661da5c768340c1e25092cb2",
            "50-rc_keymap.conf",
            "10-defaults.conf",
            "10-login-barrier.conf",
            "20-systemd-userdb.conf",
            "20-systemd-ssh-proxy.conf",
            "iptables-flush",
            "cpupower",
            "chkboot-bootcheck",
            "10-root.conf",
            "30-root-verity-sig.conf",
            "20-root-verity.conf",
            "80-systemd-timesync.list",
            "80-6rd-tunnel.link",
            "80-container-ve.network",
            "80-container-vb.network",
            "80-container-vz.link",
            "80-6rd-tunnel.network",
            "80-container-vz.network",
            "80-auto-link-local.network.example",
            "80-ethernet.network.example",
            "80-container-host0.network",
            "80-iwd.link",
            "80-container-vb.link",
            "80-vm-vt.link",
            "80-vm-vt.network",
            "80-wifi-adhoc.network",
            "80-wifi-ap.network.example",
            "80-wifi-station.network.example",
            "80-container-ve.link",
            "89-ethernet.network.example",
            "99-default.link",
            "dbus-broker.catalog",
            "dbus-broker-launch.catalog",
            "systemd.be.catalog",
            "systemd.be@latin.catalog",
            "systemd.da.catalog",
            "systemd.bg.catalog",
            "systemd.hu.catalog",
            "systemd.catalog",
            "systemd.it.catalog",
            "systemd.fr.catalog",
            "systemd.ko.catalog",
            "systemd.hr.catalog",
            "systemd.pl.catalog",
            "systemd.pt_BR.catalog",
            "systemd.ru.catalog",
            "systemd.sr.catalog",
            "systemd.zh_CN.catalog",
            "systemd.de.catalog",
            "systemd.zh_TW.catalog",
            "expl_cve_2021_40444.yar"
          ],
          "public": 1,
          "adversary": "Chinese Speaking",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "RemainAfterExit",
              "display_name": "RemainAfterExit",
              "target": null
            },
            {
              "id": "NMBDOPTIONS",
              "display_name": "NMBDOPTIONS",
              "target": null
            },
            {
              "id": "SMBDOPTIONS",
              "display_name": "SMBDOPTIONS",
              "target": null
            },
            {
              "id": "SuccessAction",
              "display_name": "SuccessAction",
              "target": null
            },
            {
              "id": "WINBINDOPTIONS",
              "display_name": "WINBINDOPTIONS",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1205",
              "name": "Traffic Signaling",
              "display_name": "T1205 - Traffic Signaling"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "T1569",
              "name": "System Services",
              "display_name": "T1569 - System Services"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 55,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Merkd1904",
            "id": "196517",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 123,
            "YARA": 16,
            "CVE": 4,
            "FileHash-SHA1": 25,
            "FileHash-SHA256": 20,
            "domain": 102,
            "URL": 16,
            "email": 9,
            "hostname": 4,
            "CIDR": 2
          },
          "indicator_count": 321,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 75,
          "modified_text": "767 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "opensnitchd.service",
        "plasma-workspace-wayland.target",
        "avahi-daemon.service",
        "isnsd.socket",
        "systemd-networkd-wait-online@.service",
        "runlevel1.target",
        "adb.service",
        "systemd-journal-flush.service",
        "gpg-agent-extra@etc-pacman.d-gnupg.socket",
        "postgresql.service",
        "systemd-battery-check.service",
        "libvirtd.service",
        "50-rc_keymap.conf",
        "virtqemud-ro.socket",
        "pam_namespace.service",
        "plasma-ksplash.service",
        "polkit.service",
        "talk.service",
        "mkinitcpio-generate-shutdown-ramfs.service",
        "rsyncd@.service",
        "systemd-pcrphase.service",
        "virtlockd.socket",
        "systemd.ru.catalog",
        "payload.php.010",
        "gpm.service",
        "cups.path",
        "fstrim.service",
        "systemd-sysupdate-reboot.timer",
        "plasma-xembedsniproxy.service",
        "virtstoraged.service",
        "eicar",
        "plasma-krunner.service",
        "git-daemon@.service",
        "podman-auto-update.service",
        "gcr-ssh-agent.socket",
        "plasma-dolphin.service",
        "pamac-offline-upgrade.service",
        "pamac-daemon.service",
        "man-db.timer",
        "clash@.service",
        "connect.php",
        "virtinterfaced-ro.socket",
        "shadow.timer",
        "qemu-guest-agent.service",
        "system-update-cleanup.service",
        "input.pcap",
        "gpg-agent@etc-pacman.d-gnupg.socket",
        "borgmatic.timer",
        "systemd-pcrlock.socket",
        "systemd-sysupdate.timer",
        "systemd-resolved.service",
        "systemd-journal-gatewayd.socket",
        "nfs-mountd.service",
        "uuidd.service",
        "iscsid.service",
        "plasma-workspace.target",
        "e2scrub_all.service",
        "packagekit-offline-update.service",
        "integritysetup.target",
        "cape-dist.service",
        "systemd-tmpfiles-clean.service",
        "clamav-daemon.socket",
        "lvm2-lvmpolld.socket",
        "plasma-kded.service",
        "lvm2-monitor.service",
        "dirmngr.socket",
        "suspend-then-hibernate.target",
        "rsyncd.socket",
        "ras-mc-ctl.service",
        "app.slice",
        "printer.target",
        "avahi-daemon.socket",
        "chkboot.service",
        "clamav-freshclam-once.service",
        "flatpak-session-helper.service",
        "graphical-session-pre.target",
        "dbus-org.freedesktop.timedate1.service",
        "modprobe@.service",
        "wpa_supplicant@.service",
        "systemd-time-wait-sync.service",
        "systemd-hybrid-sleep.service",
        "drkonqi-sentry-postman.timer",
        "systemd-logind.service",
        "updatedb.timer",
        "nvidia-suspend.service",
        "network-online.target",
        "mdadm-grow-continue@.service",
        "nmb.service",
        "udisks2.service",
        "80-ethernet.network.example",
        "rsh@.service",
        "10-login-barrier.conf",
        "swap.target",
        "plasma-core.target",
        "p11-kit-server.socket",
        "cups.service",
        "sigpwr.target",
        "xsettingsd.service",
        "nfsv4-server.service",
        "https://hybrid-analysis.com/sample/9613dee39157b5f9935436b36647047e267b7c10fa4c7ab1fd995db681e58c12/661da5b202eaca78740cf4ed",
        "systemd.de.catalog",
        "elasticsearch.service",
        "geoclue.service",
        "virtproxyd-ro.socket",
        "80-wifi-station.network.example",
        "pkgfile-update.service",
        "initrd-root-device.target",
        "borgmatic-user.service",
        "payload.php.008",
        "pulseaudio.service",
        "wpa_supplicant-nl80211@.service",
        "var-lib-machines.mount",
        "gcr-ssh-agent.service",
        "greenbone-nvt-sync.service",
        "systemd-tmpfiles-setup-dev.service",
        "custom.py",
        "local-fs-pre.target",
        "iscsi-init.service",
        "atftpd.service",
        "systemd-rfkill.service",
        "tlp.service",
        "ssh-agent.service",
        "virtnetworkd-ro.socket",
        "sddm.service",
        "ssh-access.target",
        "local-fs.target",
        "plasma-baloorunner.service",
        "nvmefc-boot-connections.service",
        "pkgfile-update.timer",
        "systemd-pcrphase-initrd.service",
        "talk.socket",
        "virtproxyd-tcp.socket",
        "systemd-poweroff.service",
        "initrd-usr-fs.target",
        "pipewire-pulse.service",
        "systemd-udev-trigger.service",
        "openvpn-client@.service",
        "wireplumber@.service",
        "virtlxcd.socket",
        "systemd-pcrextend@.service",
        "fstrim.timer",
        "zfs-scrub-weekly@.timer",
        "initrd.target",
        "bluetooth.service",
        "keyboxd@.socket",
        "mysql.service",
        "dbus-org.freedesktop.machine1.service",
        "blk-availability.service",
        "systemd-ask-password-console.path",
        "hostapd.service",
        "kmod-static-nodes.service",
        "kingdee-erp-rce.yaml",
        "virtsecretd.service",
        "uuidd.socket",
        "systemd.da.catalog",
        "veritysetup-pre.target",
        "mdmonitor-oneshot.timer",
        "cxl-monitor.service",
        "10-defaults.conf",
        "ostree-prepare-root.service",
        "git-daemon.socket",
        "initrd-switch-root.target",
        "couchdb.service",
        "systemd.it.catalog",
        "80-container-ve.link",
        "alsa-restore.service",
        "tinc.service",
        "systemd-creds@.service",
        "nvmf-connect-nbft.service",
        "smb.service",
        "time-sync.target",
        "suricata.service",
        "systemd-pcrlock-machine-id.service",
        "proc-fs-nfsd.mount",
        "30-root-verity-sig.conf",
        "10-arch",
        "syslog.socket",
        "plasma-powerprofile-osd.service",
        "systemd-portabled.service",
        "systemd-suspend-then-hibernate.service",
        "virtchd-admin.socket",
        "finger.socket",
        "rathole@.service",
        "user.slice",
        "reboot.target",
        "gpsd.service",
        "svnserve.service",
        "search.php",
        "systemd-udevd.service",
        "flatpak-portal.service",
        "wg-quick.target",
        "tinyproxy.service",
        "plymouth-reboot.service",
        "plasma-kglobalaccel.service",
        "dirmngr@.service",
        "mdcheck_start.service",
        "quotaon-root.service",
        "graphical-session.target",
        "systemd-growfs@.service",
        "virtnwfilterd.socket",
        "i2pd.service",
        "zfs-import.service",
        "adsl.service",
        "clamav-clamonacc.service",
        "tracker-xdg-portal-3.service",
        "neo4j.service",
        "systemd-initctl.service",
        "initrd-switch-root.service",
        "xdg-desktop-portal.service",
        "virtnodedevd.socket",
        "cryptsetup-pre.target",
        "clamav-freshclam.service",
        "dev-hugepages.mount",
        "fsidd.service",
        "plymouth-read-write.service",
        "systemd-userdbd.service",
        "payload.php.011",
        "plasma-workspace-x11.target",
        "iscsi.service",
        "systemd-initctl.socket",
        "systemd-update-utmp.service",
        "ipmidetectd.service",
        "netavark-dhcp-proxy.service",
        "gnome-keyring-daemon.service",
        "lynis.timer",
        "mdcheck_continue.timer",
        "libvirtd.socket",
        "virtvboxd.service",
        "runlevel6.target",
        "xplico.service",
        "80-6rd-tunnel.link",
        "iptables.service",
        "systemd-ask-password-plymouth.path",
        "systemd-journal-remote.service",
        "ly.service",
        "remote-cryptsetup.target",
        "paths.target",
        "wireplumber.service",
        "telnet@.service",
        "emergency.service",
        "80-container-host0.network",
        "payload.php.007",
        "tinc@.service",
        "drkonqi-coredump-launcher.socket",
        "virtsecretd.socket",
        "systemd-pcrextend.socket",
        "machines.target",
        "mdadm.shutdown",
        "systemd-exit.service",
        "auth-rpcgss-module.service",
        "initrd-parse-etc.service",
        "bolt.service",
        "zfs-share.service",
        "gpg-agent-ssh@etc-pacman.d-gnupg.socket",
        "archlinux-keyring-wkd-sync.timer",
        "ip6tables.service",
        "ostree-state-overlay@.service",
        "postfix.service",
        "systemd-machine-id-commit.service",
        "systemd-sysupdate.service",
        "zfs-trim-monthly@.timer",
        "daxdev-reconfigure@.service",
        "eicar.002",
        "plasma-restoresession.service",
        "libvirtd-ro.socket",
        "capsule@.target",
        "man-db.service",
        "systemd-pcrphase-sysinit.service",
        "plasma-kwin_x11.service",
        "virtlogd.socket",
        "wpa_supplicant.service",
        "sys-fs-fuse-connections.mount",
        "systemd-journald@.service",
        "stunnel.service",
        "flatpak-system-helper.service",
        "colord.service",
        "eicar.txt",
        "systemd-ask-password-plymouth.service",
        "system-systemd\\x2dcryptsetup.slice",
        "mariadb-extra@.socket",
        "docker.socket",
        "mdcheck_start.timer",
        "systemd-journal-gatewayd.service",
        "iscsiuio.socket",
        "systemd-pcrlock-make-policy.service",
        "canberra-system-shutdown.service",
        "plasma-gmenudbusmenuproxy.service",
        "nfs-blkmap.service",
        "pulseaudio.socket",
        "apt_sandworm_exim_expl.yar.002",
        "snort@.service",
        "nss-lookup.target",
        "e2scrub@.service",
        "pipewire-pulse.socket",
        "rfkill-block@.service",
        "gpg-agent-browser@.socket",
        "virtlxcd-ro.socket",
        "system-update-pre.target",
        "systemd-homed.service",
        "systemd-importd.service",
        "virtlockd-admin.socket",
        "payload.php.016",
        "teamd@.service",
        "dconf.service",
        "openvpn-server@.service",
        "drkonqi-coredump-processor@.service",
        "systemd-journald.service",
        "systemd-pstore.service",
        "dhcpd6.service",
        "systemd-nspawn@.service",
        "suricata-update.timer",
        "accounts-daemon.service",
        "payload.php.015",
        "pulseaudio-x11.service",
        "virtchd.service",
        "gnome-terminal-server.service",
        "lxdm.service",
        "libvirtd-admin.socket",
        "nvmf-connect.target",
        "cronie.service",
        "dm-event.service",
        "virtstoraged-ro.socket",
        "proc-sys-fs-binfmt_misc.mount",
        "zfs-import-scan.service",
        "nftables.service",
        "ndctl-monitor.service",
        "systemd-remount-fs.service",
        "list.php",
        "systemd-homed-activate.service",
        "pcscd.service",
        "poweroff.target",
        "systemd.be@latin.catalog",
        "sound.target",
        "systemd-oomd.service",
        "virtinterfaced-admin.socket",
        "exabgp.service",
        "nvmf-connect@.service",
        "systemd-journal-catalog-update.service",
        "tmp.mount",
        "snmpd.service",
        "nvidia-resume.service",
        "gvfs-udisks2-volume-monitor.service",
        "mdmonitor.service",
        "mdmon@.service",
        "dev-mqueue.mount",
        "canberra-system-shutdown-reboot.service",
        "ostree-finalize-staged.path",
        "cups-lpd@.service",
        "payload.php.014",
        "parent.php",
        "systemd-quotacheck@.service",
        "libvirt-guests.service",
        "samba.service",
        "runlevel3.target",
        "systemd-journald-dev-log.socket",
        "named.service",
        "systemd-coredump@.service",
        "suspend.target",
        "systemd-boot-check-no-failures.service",
        "cntlm.service",
        "arcolinux-graphical-target.service",
        "healthd.service",
        "systemd-vconsole-setup.service",
        "vpnc@.service",
        "wpa_supplicant-wired@.service",
        "xfs_scrub_all.timer",
        "redis.service",
        "gvfs-metadata.service",
        "rtkit-daemon.service",
        "drkonqi-coredump-launcher@.service",
        "mariadb@.socket",
        "phoronix-result-server.service",
        "dbus.service",
        "usb-gadget.target",
        "plymouth.conf",
        "cpupower.service",
        "scanner.php",
        "ntpdate.service",
        "debug-shell.service",
        "smartcard.target",
        "runlevel5.target",
        "gnupg-pkcs11-scd-proxy.service",
        "virtnodedevd.service",
        "payload.php.002",
        "dbus-org.freedesktop.hostname1.service",
        "httpd.service",
        "virtproxyd.service",
        "final.target",
        "proc-sys-fs-binfmt_misc.automount",
        "systemd-boot-random-seed.service",
        "rpc-statd-notify.service",
        "sleep.target",
        "kcptun@.service",
        "system-update.target",
        "systemd-network-generator.service",
        "var-lib-nfs-rpc_pipefs.mount",
        "vmtoolsd.service",
        "zfs-mount.service",
        "configure-printer@.service",
        "80-container-vz.link",
        "drkonqi-sentry-postman.path",
        "iodined.socket",
        "systemd-pcrfs-root.service",
        "tlp",
        "initrd-cleanup.service",
        "systemd-growfs-root.service",
        "clamav-unofficial-sigs.service",
        "systemd-creds.socket",
        "lxc-net.service",
        "libvirtd-tls.socket",
        "krb5-kdc.service",
        "fwupd.service",
        "gpm.path",
        "systemd.bg.catalog",
        "e2scrub_reap.service",
        "auditd.service",
        "dm-event.socket",
        "greenbone-certdata-sync.timer",
        "systemd-timedated.service",
        "20-systemd-userdb.conf",
        "systemd-bless-boot.service",
        "systemd-repart.service",
        "virtinterfaced.socket",
        "systemd.sr.catalog",
        "systemd-pcrlock-firmware-code.service",
        "plymouth-switch-root.service",
        "sudo_logsrvd.service",
        "umount.target",
        "session.slice",
        "ratholes@.service",
        "systemd-storagetm.service",
        "xdg-user-dirs-update.service",
        "pipewire.service",
        "drkonqi-coredump-cleanup.timer",
        "systemd-update-utmp-runlevel.service",
        "systemd-tmpfiles-clean.timer",
        "dirmngr.service",
        "payload.php.005",
        "gpg-agent.socket",
        "freeradius.service",
        "gpg-agent@.service",
        "krb5-kpropd.socket",
        "krb5-kpropd@.service",
        "network.target",
        "paccache.service",
        "plasma-kscreen.service",
        "systemd-bootctl@.service",
        "container-getty@.service",
        "systemd-pcrlock@.service",
        "virtproxyd-tls.socket",
        "systemd-fsck@.service",
        "zfs-trim@.service",
        "dirmngr@etc-pacman.d-gnupg.socket",
        "winbind.service",
        "89-ethernet.network.example",
        "dbus-org.freedesktop.portable1.service",
        "ip2clued.service",
        "xdg-desktop-portal-hyprland.service",
        "ipmiseld.service",
        "nscd.service",
        "usb_modeswitch@.service",
        "hv_vss_daemon.service",
        "podman-auto-update.timer",
        "podman-restart.service",
        "rpcbind.target",
        "apparmor.service",
        "plymouth-halt.service",
        "sslh-select.service",
        "user@.service",
        "boot-complete.target",
        "blockdev@.target",
        "dnsmasq.service",
        "systemd-udevd-kernel.socket",
        "mariadb@.service",
        "systemd-fsck-root.service",
        "kcptun-server@.service",
        "tor.service",
        "systemd-oomd.socket",
        "initrd-udevadm-cleanup-db.service",
        "virtnetworkd.service",
        "drkonqi-coredump-pickup.service",
        "greenbone-scapdata-sync.service",
        "reverse_tcp.py",
        "iiod.service",
        "elasticsearch-keystore@.service",
        "systemd-homed-firstboot.service",
        "gvfs-afc-volume-monitor.service",
        "cpupower",
        "btrfs-scrub@.timer",
        "nm-priv-helper.service",
        "3proxy.service",
        "bmc-watchdog.service",
        "plymouth-kexec.service",
        "virtlxcd.service",
        "virtinterfaced.service",
        "systemd-update-helper",
        "virtsecretd-admin.socket",
        "xrdp-sesman.service",
        "borgmatic.service",
        "sys-kernel-tracing.mount",
        "setdb.php",
        "ratholec@.service",
        "canberra-system-bootup.service",
        "sslh.service",
        "factory-reset.target",
        "virtlogd-admin.socket",
        "nvidia-hibernate.service",
        "redis-sentinel.service",
        "80-container-ve.network",
        "colord-session.service",
        "nfsdcld.service",
        "systemd-pcrlock-firmware-config.service",
        "nss-user-lookup.target",
        "plasma-ksystemstats.service",
        "dhcpd4.service",
        "audit-rules.service",
        "rescue.service",
        "80-vm-vt.network",
        "xdg-desktop-portal-gtk.service",
        "nfs-utils.service",
        "60-flatpak-system-only",
        "create_ap.service",
        "dbus.socket",
        "bettercap.service",
        "xfs_scrub_fail@.service",
        "rpcbind.service",
        "ctrl-alt-del.target",
        "60-flatpak",
        "lxc-auto.service",
        "glib-pacrunner.service",
        "autovt@.service",
        "borgmatic-user.timer",
        "suricata-update.service",
        "plymouth-switch-root-initramfs.service",
        "sensord.service",
        "resolv.conf",
        "payload.php.009",
        "lxc.service",
        "systemd-journald.socket",
        "docker.service",
        "kio-fuse.service",
        "unbound.service",
        "gssproxy.service",
        "systemd.fr.catalog",
        "connect.php.002",
        "shadow.service",
        "gpg-agent@.socket",
        "virtlxcd-admin.socket",
        "celery@.service",
        "logrotate.service",
        "ostree-boot-complete.service",
        "fluidsynth.service",
        "netavark-dhcp-proxy.socket",
        "virtnodedevd-ro.socket",
        "systemd-sysext.service",
        "systemd-coredump.socket",
        "initrd-root-fs.target",
        "updatedb.service",
        "systemd-reboot.service",
        "10-root.conf",
        "greenbone-feed-sync.service",
        "gpsdctl@.service",
        "apt_sandworm_exim_expl.yar",
        "greenbone-nvt-sync.timer",
        "sys-kernel-config.mount",
        "https://hybrid-analysis.com/sample/479a0170df010c5eb742ff1b8740a2ccf381df44c8a919c95d6e38685278e78a/661da5c768340c1e25092cb2",
        "drkonqi-coredump-cleanup.service",
        "systemd-sysext.socket",
        "isnsd.service",
        "rwhod.service",
        "ModemManager.service",
        "dbus-org.freedesktop.import1.service",
        "zfs-scrub-monthly@.timer",
        "getty.target",
        "systemd-sysusers.service",
        "ostree-finalize-staged-hold.service",
        "connect.php.001",
        "plasma-polkit-agent.service",
        "systemd-pcrlock-secureboot-authority.service",
        "gvfs-gphoto2-volume-monitor.service",
        "xrdp.service",
        "phoromatic-server.service",
        "epmd.service",
        "cups-lpd.socket",
        "hv_kvp_daemon.service",
        "xdg-document-portal.service",
        "systemd-userdbd.socket",
        "NetworkManager-wait-online.service",
        "systemd-networkd.service",
        "virtvboxd-ro.socket",
        "dbus-broker.catalog",
        "rlogin.socket",
        "nvidia-powerd.service",
        "zfs-load-key.service",
        "mdadm-last-resort@.service",
        "network-pre.target",
        "podman.service",
        "bluetooth.target",
        "nohang.service",
        "seatd.service",
        "halt.target",
        "gssuserproxy.service",
        "default.target",
        "gnome-keyring-daemon.socket",
        "plasma-kscreen-osd.service",
        "80-6rd-tunnel.network",
        "integritysetup-pre.target",
        "privoxy.service",
        "gvfs-daemon.service",
        "payload.php.006",
        "remote-fs-pre.target",
        "gpg-agent-ssh@.socket",
        "80-vm-vt.link",
        "systemd.hu.catalog",
        "nbd.service",
        "plymouth-quit.service",
        "basic.target",
        "ibft-rule-generator",
        "quotaon@.service",
        "wondershaper.service",
        "80-systemd-timesync.list",
        "systemd-journald@.socket",
        "Hunting_B64Engine_DotNetToJScript_Dos.yar",
        "uksmd.service",
        "lxc-monitord.service",
        "apt_sandworm_exim_expl.yar.001",
        "xdg-desktop-portal-xapp.service",
        "90-systemd.preset",
        "rfkill-unblock@.service",
        "getty@.service",
        "80-auto-link-local.network.example",
        "plasma-xdg-desktop-portal-kde.service",
        "systemd.pt_BR.catalog",
        "virtchd-ro.socket",
        "clash.service",
        "rasdaemon.service",
        "systemd-hibernate.service",
        "3proxy.conf",
        "plymouth-quit-wait.service",
        "rdnssd@.service",
        "podman-kube@.service",
        "nfs-idmapd.service",
        "betterlockscreen@.service",
        "capsule.slice",
        "systemd-tpm2-setup.service",
        "rc-local.service",
        "80-wifi-ap.network.example",
        "greenbone-certdata-sync.service",
        "wacom-inputattach@.service",
        "soft-reboot.target",
        "capsule@.service",
        "zfs-volume-wait.service",
        "single.php",
        "hybrid-sleep.target",
        "payload.php.017",
        "ldconfig.service",
        "mdadm-last-resort@.timer",
        "multi-user.target",
        "virtlockd.service",
        "virt-guest-shutdown.target",
        "systemd-kexec.service",
        "mdcheck_continue.service",
        "usbipd.service",
        "serial-getty@.service",
        "systemd.hr.catalog",
        "smartd.service",
        "cape.service",
        "systemd-journal-remote.socket",
        "systemd-confext.service",
        "pamac-cleancache.service",
        "lxc@.service",
        "passim.service",
        "xl2tpd.service",
        "nfs-client.target",
        "dhclient@.service",
        "gpg-agent-browser@etc-pacman.d-gnupg.socket",
        "bpftune.service",
        "NetworkManager.service",
        "virtlogd.service",
        "plasma-kcminit.service",
        "systemd-tmpfiles-setup-dev-early.service",
        "dbus-broker-launch.catalog",
        "initrd-fs.target",
        "rpc_pipefs.target",
        "ptunnel.service",
        "pacman-filesdb-refresh.service",
        "sslh-fork.service",
        "mariadb.service",
        "cape-rooter.service",
        "fancontrol.service",
        "system-systemd\\x2dveritysetup.slice",
        "systemd-networkd.socket",
        "systemd-tmpfiles-setup.service",
        "kde-baloo.service",
        "systemd-backlight@.service",
        "user-runtime-dir@.service",
        "iwd.service",
        "rescue.target",
        "paccache.timer",
        "greenbone-feed-sync.timer",
        "pacman-filesdb-refresh.timer",
        "gpg-agent-ssh.socket",
        "guacd.service",
        "mdmonitor-oneshot.service",
        "plymouth-poweroff.service",
        "systemd-ask-password-wall.service",
        "systemd-sysctl.service",
        "ppp@.service",
        "systemd-hwdb-update.service",
        "lightdm.service",
        "nbd@.service",
        "nohang-desktop.service",
        "systemd.zh_CN.catalog",
        "p11-kit-server.service",
        "systemd-hostnamed.socket",
        "cryptsetup.target",
        "systemd-sysupdate-reboot.service",
        "krb5-kadmind.service",
        "80-iwd.link",
        "20-systemd-ssh-proxy.conf",
        "reflector.service",
        "systemd-udevd-control.socket",
        "https://hybrid-analysis.com/sample/b1a9e5be43c028442c07071e202f44f33e3a2df167822c5cfed8f998e01fe169/661da09794b343782806018e",
        "elasticsearch-keystore.service",
        "sysinit.target",
        "rpc-statd.service",
        "virtsecretd-ro.socket",
        "cape-processor.service",
        "systemd-bootctl.socket",
        "mariadb-extra.socket",
        "jack@.service",
        "plymouth-start.service",
        "krb5-kpropd.service",
        "systemd-timesyncd.service",
        "tpm2.target",
        "partimaged.service",
        "zfs-import.target",
        "systemd.pl.catalog",
        "reader.php",
        "btrfs-scrub@.service",
        "dbus-org.freedesktop.login1.service",
        "systemd-boot-update.service",
        "virtvboxd-admin.socket",
        "gpg-agent.service",
        "README.md",
        "payload.php.004",
        "systemd-rfkill.socket",
        "systemd-soft-reboot.service",
        "tumblerd.service",
        "guac-web.service",
        "autorandr.service",
        "99-default.preset",
        "rpcbind.socket",
        "dirmngr@.socket",
        "plasma-ksmserver.service",
        "xdg-desktop-portal-rewrite-launchers.service",
        "filter-chain.service",
        "netdata.service",
        "sys-kernel-debug.mount",
        "systemd-hostnamed.service",
        "yate.service",
        "dbus-org.freedesktop.locale1.service",
        "clamav-daemon.service",
        "payload.php",
        "slapd.service",
        "mysqld.service",
        "gpg-agent-browser.socket",
        "systemd-firstboot.service",
        "podman.socket",
        "snmptrapd.service",
        "vmware-vmblock-fuse.service",
        "systemd-networkd-wait-online.service",
        "ead.service",
        "80-container-vb.link",
        "payload.php.013",
        "systemd-binfmt.service",
        "geoipupdate.timer",
        "nfs-server.service",
        "ananicy-cpp.service",
        "fwupd-refresh.service",
        "autorandr-lid-listener.service",
        "dmraid.service",
        "arch-audit.timer",
        "lastlog2-import.service",
        "packagekit.service",
        "systemd-halt.service",
        "systemd-update-done.service",
        "eicar.001",
        "avahi-dnsconfd.service",
        "pipewire.socket",
        "pacrunner.service",
        "memavaild.service",
        "keyboxd@.service",
        "virtstoraged.socket",
        "ntpd.service",
        "nvmf-autoconnect.service",
        "ftpd.service",
        "systemd-pcrlock-secureboot-policy.service",
        "runlevel0.target",
        "virtnodedevd-admin.socket",
        "gpg-agent-extra.socket",
        "80-wifi-adhoc.network",
        "systemd-hibernate-resume.service",
        "upower.service",
        "vboxdrmclient.path",
        "APT_Backdoor_PS1_BASICPIPESHELL_1.yar",
        "mariadb.socket",
        "systemd-pcrlock-file-system.service",
        "apache-tika.service",
        "iscsiuio.service",
        "fwupd.shutdown",
        "e2scrub_all.timer",
        "vboxservice.service",
        "gpsd.socket",
        "virtnetworkd-admin.socket",
        "runlevel2.target",
        "setdb.php.001",
        "gvmd.service",
        "usbmuxd.service",
        "payload.php.003",
        "iodined.service",
        "remote-fs.target",
        "systemd-user-sessions.service",
        "virtproxyd-admin.socket",
        "chkboot-bootcheck",
        "quotaon.service",
        "virtqemud.socket",
        "lm_sensors.service",
        "arch-audit.service",
        "rlogin@.service",
        "payload.php.012",
        "sshdgenkeys.service",
        "storage-target-mode.target",
        "drkonqi-sentry-postman.service",
        "systemd-journald-audit.socket",
        "darkstat.service",
        "nvidia",
        "gvfs-mtp-volume-monitor.service",
        "plasma-kwallet-pam.service",
        "alsa-state.service",
        "systemd-random-seed.service",
        "iptables-flush",
        "expl_cve_2021_40444.yar.001",
        "systemd-suspend.service",
        "virtvboxd.socket",
        "systemd-machined.service",
        "ufw.service",
        "fastnetmon.service",
        "hibernate.target",
        "99-default.link",
        "console-getty.service",
        "hv_fcopy_daemon.service",
        "systemd-zram-setup@.service",
        "exit.target",
        "thunar.service",
        "archlinux-keyring-wkd-sync.service",
        "getty-pre.target",
        "keyboxd.socket",
        "zfs-volumes.target",
        "epmd.socket",
        "virtproxyd.socket",
        "rpc-gssd.service",
        "shutdown.target",
        "lynis.service",
        "systemd.zh_TW.catalog",
        "defaults.conf",
        "systemd-vmspawn@.service",
        "virtnwfilterd.service",
        "SUSE-mdadm_env.sh",
        "ostree-finalize-staged.service",
        "fwupd-offline-update.service",
        "clamav-unofficial-sigs.timer",
        "getPerms.php",
        "graphical.target",
        "ostree-remount.service",
        "udp2raw@.service",
        "veritysetup.target",
        "virtchd.socket",
        "wg-quick@.service",
        "xfs_scrub@.service",
        "zfs-scrub@.service",
        "sndiod.service",
        "systemd-pcrmachine.service",
        "zfs-import-cache.service",
        "libvirtd-tcp.socket",
        "xdg-desktop-autostart.target",
        "systemd-volatile-root.service",
        "systemd-pcrfs@.service",
        "dnscrypt-proxy.service",
        "systemd-tpm2-setup-early.service",
        "first-boot-complete.target",
        "virtqemud.service",
        "nfsv4-exportd.service",
        "keyboxd@etc-pacman.d-gnupg.socket",
        "gssuserproxy.socket",
        "rabbitmq.service",
        "systemd-localed.service",
        "snort@1000.service",
        "expl_cve_2021_40444.yar",
        "xfs_scrub_all.service",
        "elasticsearch@.service",
        "zfs.target",
        "plasma-kwin_wayland.service",
        "runlevel4.target",
        "systemd.ko.catalog",
        "80-container-vb.network",
        "systemd-ask-password-console.service",
        "systemd-bsod.service",
        "vboxdrmclient.service",
        "mongodb.service",
        "cape-fstab.service",
        "reflector.timer",
        "plasma-powerdevil.service",
        "podman-clean-transient.service",
        "virtnetworkd.socket",
        "flatpak-oci-authenticator.service",
        "keyboxd.service",
        "slices.target",
        "systemd-sysext@.service",
        "phoromatic-client.service",
        "crypto-miner.js",
        "lvm2-lvmpolld.service",
        "machine.slice",
        "pcscd.socket",
        "rsyncd.service",
        "systemd-modules-load.service",
        "systemd-networkd-persistent-storage.service",
        "timers.target",
        "80-container-vz.network",
        "cups.socket",
        "telnet.socket",
        "zfs-zed.service",
        "pamac-cleancache.timer",
        "gpg-agent-extra@.socket",
        "greenbone-scapdata-sync.timer",
        "20-root-verity.conf",
        "systemd-journal-upload.service",
        "systemd-journald-varlink@.socket",
        "dunst.service",
        "e2scrub_fail@.service",
        "hostapd@.service",
        "rsh.socket",
        "emergency.target",
        "sshuttle.service",
        "logrotate.timer",
        "clamav-freshclam-once.timer",
        "iscsid.socket",
        "sockets.target",
        "dbus-broker.service",
        "systemd-ask-password-wall.path",
        "systemd-quotacheck-root.service",
        "xfce4-notifyd.service",
        "nvidia-persistenced.service",
        "containerd.service",
        "cape-web.service",
        "plasma-kcminit-phase1.service",
        "plasma-kded6.service",
        "zfs-trim-weekly@.timer",
        "virtnwfilterd-admin.socket",
        "time-set.target",
        "payload.php.001",
        "virtstoraged-admin.socket",
        "remote-veritysetup.target",
        "virtnwfilterd-ro.socket",
        "NetworkManager-dispatcher.service",
        "background.slice",
        "systemd-quotacheck.service",
        "at-spi-dbus-bus.service",
        "fwupd-refresh.timer",
        "https://hybrid-analysis.com/sample/ff42428f0fcc346cc56e2b00d4b5c4bd43b55f3465b4ccab0efba9c88f4a1c03/661da0b063c895fc2d0a78dc",
        "plasma-ksplash-ready.service",
        "finger@.service",
        "plasma-plasmashell.service",
        "kexec.target",
        "celery2@.service",
        "virtqemud-admin.socket",
        "systemd.be.catalog",
        "apparmor.conf",
        "50-zfs.preset",
        "geoipupdate.service",
        "expl_cve_2021_40444.yar.002",
        "xdg-permission-store.service",
        "systemd.catalog",
        "sshd.service"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [
            "Chinese Speaking"
          ],
          "malware_families": [
            "Smbdoptions",
            "Remainafterexit",
            "Nmbdoptions",
            "Winbindoptions",
            "Successaction"
          ],
          "industries": []
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 3,
  "pulses": [
    {
      "id": "6a16ac90f5b7cde86d323464",
      "name": "[\"backup ios...\"] clone by Merkd1904. User note: theres a name tagged here thats interesting",
      "description": "",
      "modified": "2026-05-27T08:34:24.654000",
      "created": "2026-05-27T08:34:24.654000",
      "tags": [
        "fireeye",
        "copyright",
        "base64",
        "dotnettojscript",
        "gadgettojscript",
        "invokeclient",
        "invokeserver",
        "readhost enter",
        "command",
        "roth",
        "nextron",
        "sandworm",
        "detects ssh",
        "grant all",
        "privileges on",
        "to mysqldb",
        "create user",
        "g root",
        "sandworm python",
        "import",
        "phpsploit",
        "host",
        "user",
        "pass",
        "error",
        "establish",
        "pecl oci8",
        "connstr",
        "charset",
        "false",
        "miner",
        "texthtml",
        "module",
        "send custom",
        "swissky",
        "class",
        "serviceip",
        "serviceport",
        "servicedata",
        "e binsh",
        "init",
        "service port",
        "detects",
        "cve202140444",
        "target",
        "targetmode",
        "jeremy brown",
        "windows cve",
        "ms office",
        "modified rule",
        "rperm",
        "wperm",
        "pathsep",
        "string",
        "rwxrxrx",
        "file types",
        "unix",
        "login",
        "autentication",
        "disable",
        "ldapconnect",
        "version",
        "authentication",
        "ldaplist",
        "null",
        "pathelems",
        "execute",
        "backdoor",
        "kingdee oa",
        "yunxingkong",
        "b6oa",
        "code execution",
        "kingdee cloud",
        "starry sky",
        "otherwise",
        "file",
        "setsmartdate",
        "fread",
        "name",
        "force",
        "base64decode",
        "data",
        "substr",
        "array",
        "readdir",
        "getowner",
        "getgroup",
        "getsize",
        "force option",
        "fwrite",
        "permission",
        "check",
        "mode",
        "diraccess",
        "fileaccess",
        "realpath",
        "stat",
        "immutable",
        "posixgetpwuid",
        "posixgetgrgid",
        "explode",
        "etcpasswd",
        "glob",
        "globonlydir",
        "oraclelogin",
        "port",
        "servicename",
        "connector",
        "base",
        "query type",
        "mssqlfetcharray",
        "mssqlassoc",
        "solsocket",
        "timeout",
        "range",
        "portmin",
        "portmax",
        "socketcreate",
        "afinet",
        "sockstream",
        "open",
        "type",
        "true",
        "tcp connection",
        "tcp shell",
        "input",
        "lhost",
        "netcat",
        "lport",
        "shell",
        "dllimport",
        "python",
        "back",
        "fore",
        "pfinet",
        "stdout",
        "this",
        "win32",
        "ldapsearch",
        "select",
        "mysqliassoc",
        "select database",
        "send",
        "newfile",
        "dns stub",
        "third party",
        "see man",
        "exit",
        "o pipefail",
        "v systemctl",
        "devnull",
        "unknown verb",
        "license",
        "gnu lesser",
        "general public",
        "free software",
        "foundation",
        "unit",
        "slice",
        "cpuweight100",
        "tasks slice",
        "cpuweight30",
        "capev2",
        "cape",
        "cuckoo web",
        "setup",
        "grep",
        "limitnofile",
        "install",
        "return",
        "execstart",
        "start",
        "descriptionrun",
        "timer",
        "oncalendardaily",
        "service",
        "prevent rate",
        "delay start",
        "m poetry",
        "sigkill",
        "descriptioncape",
        "ef usercape",
        "g cape",
        "allowisolateyes",
        "typedbus",
        "socket",
        "message bus",
        "listenstream",
        "typenotify",
        "descriptionuser",
        "harald sitter",
        "sitter",
        "kcrash",
        "drkonqi",
        "acceptyes",
        "disable trigger",
        "todo",
        "prevents",
        "path",
        "pathexistsglob",
        "runtimemaxsec31",
        "runtimemaxsec30",
        "restartno",
        "descriptionexit",
        "environmentfile",
        "otheropts",
        "soundfont",
        "descriptiongcr",
        "sshauthsock",
        "descriptionglib",
        "priority6",
        "killmodeprocess",
        "proxy",
        "socketmode0600",
        "apache software",
        "notice file",
        "apache license",
        "unless",
        "as is",
        "basis",
        "or conditions",
        "apple file",
        "conduit monitor",
        "descriptionjack",
        "jackoptions d",
        "driver d",
        "device",
        "media transfer",
        "indexer daemon",
        "memory",
        "memoryhigh512m",
        "system sockets",
        "a user",
        "conditionuser",
        "dbus menus",
        "plasma",
        "phase",
        "workspace core",
        "exit status",
        "x11 connection",
        "timeoutstopsec5",
        "disable restart",
        "timeoutsec40sec",
        "typeoneshot",
        "david edmundson",
        "davidedmundson",
        "osd service",
        "portal",
        "auto restart",
        "dbus",
        "xembed system",
        "logging system",
        "socketmode0660",
        "all containers",
        "restart policy",
        "logging start",
        "execstopbinsh c",
        "logging",
        "x11 plugins",
        "session slice",
        "typeforking",
        "etc userroot",
        "grouproot",
        "onbootsec15min",
        "place",
        "temporary",
        "volatile files",
        "thunar",
        "session manager",
        "wireplumber",
        "service file",
        "xdg autostart",
        "user dir",
        "descriptionxfce",
        "sandbox",
        "malware",
        "analysis",
        "online",
        "submit",
        "vxstream",
        "sample",
        "download",
        "trojan",
        "apt",
        "memoryfile scan",
        "ansi",
        "bpf program",
        "indicator",
        "bpf firewalling",
        "pcap",
        "pcap processing",
        "bpffallowmulti",
        "bpf device",
        "date",
        "suspicious",
        "hybrid",
        "crypto",
        "close",
        "click",
        "april",
        "strings",
        "february",
        "middle",
        "exploit",
        "gameover",
        "contact",
        "scope",
        "thomas koch",
        "gpl v2",
        "imsm",
        "ibftruledir",
        "ibftrules",
        "attr",
        "systemd rule",
        "hannes reinecke",
        "suse labs",
        "ipibft",
        "interface",
        "kernel",
        "configfile",
        "typesimple",
        "apparmor",
        "grouparchaudit",
        "hardening",
        "umask077",
        "persistenttrue",
        "enable debug",
        "networkmanager",
        "trace",
        "wait online",
        "edit",
        "note",
        "reload",
        "capdacoverride",
        "dhcp etc",
        "mdadmscan",
        "mdadmdelay",
        "mdadmmail",
        "mdadmprogram",
        "mdadmconfig",
        "mdadmsendmail",
        "p runsysconfig",
        "userroot",
        "sssd",
        "write access",
        "needed sometime",
        "statedirectory",
        "accountsservice",
        "varloglastlog",
        "bridge daemon",
        "alsa card",
        "card state",
        "required",
        "another auto",
        "nice daemon",
        "memorymax64m",
        "filter system",
        "mount",
        "reboot",
        "clock",
        "logging service",
        "requires",
        "before",
        "please",
        "exit codes",
        "proc",
        "descriptionruns",
        "execstartsh c",
        "switchtoggle",
        "ignoreonisolate",
        "term typeidle",
        "without",
        "any warranty",
        "merchantability",
        "fitness",
        "a particular",
        "vartmp",
        "wants type",
        "preparation",
        "watchdogsec10",
        "filesystem",
        "timer daemon",
        "options",
        "environment",
        "prevent",
        "readwritepaths",
        "security",
        "certain",
        "protectsystem",
        "bindpaths",
        "lower cpu",
        "nice19",
        "manager",
        "userc",
        "celerydnodes",
        "info",
        "chaddevops",
        "aaron brighton",
        "clam antivirus",
        "jon kriel",
        "distribution",
        "script",
        "sanesecurity",
        "securiteinfo",
        "malwarepatrol",
        "oitc",
        "file location",
        "remember",
        "typeexec user",
        "9 cntlm",
        "generate color",
        "profiles",
        "removeipctrue",
        "devpts",
        "authors",
        "any kind",
        "usercouchdb",
        "restartsec5",
        "volumes",
        "server socket",
        "user209",
        "daemon",
        "darkstatiface",
        "reloadconfig",
        "watchdogsec3min",
        "privatetmpyes",
        "protectproc",
        "increase",
        "descriptiontime",
        "date service",
        "debugging only",
        "ignoresigpipeno",
        "unset locale",
        "file system",
        "queue file",
        "whatmqueue",
        "optionsnosuid",
        "pf rundhclient",
        "rate",
        "requiresdirmngr",
        "capfowner",
        "capsetpcap",
        "dhcp",
        "dns server",
        "startlimit",
        "limits",
        "delegateyes",
        "descriptionpass",
        "runtimemaxsec5",
        "mountain",
        "metadata check",
        "all filesystems",
        "online metadata",
        "sunday",
        "oncalendarsun",
        "online ext4",
        "sigterm signal",
        "java process",
        "piddir",
        "standardoutput",
        "elasticsearch",
        "limitnproc4096",
        "limitasinfinity",
        "sendsighupyes",
        "mapper daemon",
        "mainpid",
        "quit",
        "listenstream79",
        "radius server",
        "d etcraddb",
        "protecthomeon",
        "default",
        "systemservice",
        "efiefi bootefi",
        "afinet afinet6",
        "afunix afinet",
        "oncalendar 0000",
        "privatetmptrue",
        "geoip legacy",
        "geoip2",
        "instance",
        "usergit",
        "scdconfig",
        "notice",
        "devinputmice t",
        "descriptiongps",
        "system",
        "sock refclock",
        "gpsdoptions",
        "devices",
        "daemon sockets",
        "2947",
        "bindipv6onlyyes",
        "usbauto",
        "usrbingpsdctl",
        "gps daemon",
        "afterdev",
        "gvmddata",
        "varlibgssproxy",
        "nonewprivileges",
        "privatetmp",
        "protecthome",
        "ieee",
        "etchostapd",
        "killmodemixed",
        "fcopy",
        "uncomment",
        "use sigterm",
        "sigkill i2pd",
        "sendsigkillyes",
        "limitnofile8192",
        "systemd",
        "analog",
        "shutting down",
        "iodineextip p",
        "iodineport p",
        "iodineuser",
        "tunip",
        "topdomain",
        "guessmainpidyes",
        "m node",
        "wants",
        "initiatorname",
        "io driver",
        "typeexec",
        "c etckcptun",
        "usernobody",
        "requireskeyboxd",
        "static device",
        "nofork",
        "restartalways",
        "linker cache",
        "hack",
        "use wants",
        "raise",
        "tasksmax",
        "tasksmax32768",
        "limitmemlock64m",
        "removeonstopyes",
        "ip socket",
        "tls ip",
        "conflictsgetty",
        "aftergetty",
        "busmodules",
        "qabr",
        "hwmonmodules",
        "local file",
        "privatenetwork",
        "lvm2",
        "initialization",
        "autoboot code",
        "s delegatetrue",
        "description",
        "pidfilerunlxc",
        "lynis service",
        "adjust path",
        "lynis binary",
        "lynis timer",
        "tell systemd",
        "lynis security",
        "persistentfalse",
        "container slice",
        "recover",
        "varcacheman",
        "regenerate man",
        "userroot nice19",
        "mysqldopts",
        "mysqldsafe",
        "timezone",
        "core",
        "restart",
        "users",
        "backlog150",
        "listenstreams",
        "servicemariadb",
        "mechanism",
        "mariadb",
        "multi instance",
        "variables",
        "bindirmdadm",
        "gnu general",
        "public license",
        "reshape",
        "onactivesec30",
        "oncalendar",
        "wantedby",
        "monitor",
        "allow mdmon",
        "takeover",
        "k none",
        "c devnull",
        "d runinitramfs",
        "p runmongodb",
        "limitnproc32000",
        "limitmemlock5",
        "device server",
        "requiredbydev",
        "d dev",
        "descriptionreal",
        "extraopts",
        "restartsec30",
        "valid",
        "fifo",
        "priority",
        "batch",
        "nice0",
        "partof",
        "tracking daemon",
        "helper",
        "for testing",
        "only",
        "restrict",
        "grant",
        "capsysptrace",
        "capkill",
        "capipclock",
        "environ",
        "capsysresource",
        "capsyslog",
        "descriptionname",
        "service cache",
        "sysvlsb",
        "descriptionhost",
        "network name",
        "group name",
        "u ntp",
        "time service",
        "t hibernate",
        "software",
        "other",
        "the software",
        "daemon init",
        "software is",
        "provided",
        "fcnvme",
        "wantsmodprobe",
        "aftermodprobe",
        "descriptionall",
        "nbft",
        "nvmeof",
        "connectargs",
        "unit file",
        "descriptionnvmf",
        "red hat",
        "without any",
        "warranty",
        "card daemon",
        "socketmode0666",
        "suite result",
        "kexec screen",
        "oncalendarsat",
        "boot screen",
        "timeoutsec20",
        "power off",
        "runtime data",
        "descriptionhold",
        "timeoutsec0",
        "sandboxing",
        "execstop",
        "colin walters",
        "upgrade",
        "upgrade output",
        "umask0077",
        "transport agent",
        "descriptionmake",
        "descriptionppp",
        "whatnfsd",
        "file formats",
        "automount point",
        "automount",
        "setuid nobody",
        "setgid nobody",
        "setcon",
        "syslog",
        "restartonabort",
        "halt screen",
        "reboot screen",
        "pgroot",
        "postgresql",
        "oom killer",
        "additional",
        "fy nice19",
        "endless os",
        "foundation llc",
        "restartsec0",
        "system quotas",
        "rabbitmq",
        "protecthometrue",
        "etcrathole",
        "guessmainpidno",
        "h etcrdnssd",
        "reflector",
        "afinet6 afunix",
        "umask177",
        "remote file",
        "nfs client",
        "nfsv23 locking",
        "make sure",
        "rpc netconfig",
        "descriptionfast",
        "using ssh",
        "so let",
        "boot",
        "realtimekit",
        "rwhodopts",
        "display manager",
        "specify",
        "interval l",
        "loginterval f",
        "bindstodev",
        "always",
        "usrbingrpck r",
        "slapdoptions",
        "u ldap",
        "slapdurls",
        "smart",
        "pciusb",
        "midi",
        "daemonopts",
        "snmp",
        "trap daemon",
        "g snort",
        "descriptionsudo",
        "hibernate",
        "svnserveargs",
        "whatfusectl",
        "whatconfigfs",
        "whatdebugfs",
        "whattracefs",
        "best way",
        "see https",
        "units service",
        "service slice",
        "offline system",
        "update",
        "wall directory",
        "timeoutsec90s",
        "descriptionmark",
        "current boot",
        "loader entry",
        "any system",
        "units",
        "loader random",
        "loader update",
        "service socket",
        "dump socket",
        "optionally",
        "root device",
        "afalg afinet",
        "execstophomectl",
        "home area",
        "named pipe",
        "sink service",
        "sink socket",
        "upload service",
        "dynamicuseryes",
        "sigkilled",
        "devlog",
        "timestampingus",
        "namespace",
        "sendbuffer8m",
        "kernel command",
        "netlink socket",
        "storage",
        "descriptionwait",
        "network",
        "make",
        "deviceallow",
        "reserve",
        "killer socket",
        "root file",
        "measurement",
        "pcr policy",
        "tpm pcr",
        "code",
        "configuration",
        "machine id",
        "barrier",
        "quota check",
        "system quota",
        "after",
        "random seed",
        "kernel file",
        "gpt partition",
        "kill switch",
        "nvmetcp",
        "trigger",
        "saturday",
        "persistentyes",
        "system update",
        "kernel time",
        "capsystime",
        "ntp service",
        "turn",
        "files",
        "device nodes",
        "srk setup",
        "device events",
        "bootshutdown",
        "change",
        "manager socket",
        "descriptiontinc",
        "proxy server",
        "linrunner",
        "descriptiontlp",
        "tor service",
        "f etctortorrc",
        "tpm device",
        "descriptionudp",
        "tcpicmpudp",
        "etcudp2raw",
        "debug",
        "swap",
        "api file",
        "privatedevices",
        "home",
        "root",
        "runuser",
        "linux control",
        "groups",
        "group",
        "afnetlink",
        "locked memory",
        "limitmemlock0",
        "usb gadget",
        "apple",
        "sliceuser",
        "descriptionuuid",
        "compatibility",
        "typerpcpipefs",
        "vmsvga",
        "hypervisor",
        "usr1",
        "mgmt appuser",
        "dac permission",
        "selinux",
        "xxx someone",
        "qemu",
        "machine tools",
        "vmware tools",
        "pidfilerunvpnc",
        "wacom",
        "iface d",
        "dspeed u",
        "iface",
        "descriptionwpa",
        "oracle",
        "reserved",
        "wong",
        "emailaddr",
        "tunnel protocol",
        "l2tp",
        "isps",
        "russia use",
        "ipsec",
        "d optxplico",
        "b sqlite",
        "descriptionxrdp",
        "xrdpoptions",
        "process",
        "sesmanoptions",
        "zpoolimportopts",
        "an o",
        "t scrub",
        "usrbinzpool",
        "zfs volume",
        "descriptionzfs",
        "f restartalways",
        "remainafterexit",
        "nmbdoptions",
        "smbdoptions",
        "successaction",
        "winbindoptions",
        "ck id",
        "hybrid analysis",
        "mitre att",
        "malicious",
        "sdshared ansi",
        "default und",
        "func global",
        "func local",
        "object local",
        "general",
        "show technique",
        "ck matrix",
        "tasksmax33",
        "empty file",
        "proxycommand",
        "checkhostip",
        "afunix",
        "afvsock",
        "allow",
        "r table",
        "chkbootcheck",
        "gplv2 source",
        "chkbootstyles",
        "etcissue",
        "partition",
        "minimizebest",
        "mit no",
        "match",
        "link",
        "namepolicykeep",
        "ethernet link",
        "kindveth nameve",
        "kindveth namevb",
        "keepmasteryes",
        "dhcpv4",
        "kindsit name6rd",
        "ipv4ll",
        "ipv6ll",
        "dhcpipv6ra",
        "dhcpv6",
        "typeether",
        "dhcpyes",
        "usetimezoneyes",
        "typewlan",
        "tuntap",
        "natdhcp",
        "kindtun namevt",
        "kind",
        "originalname",
        "definedby",
        "peer",
        "sopeergroups",
        "dbus protocol",
        "dbus name",
        "exec",
        "hup signal",
        "sighup",
        "dnssec",
        "sessionid",
        "seatid",
        "sleep",
        "leader",
        "jobresult",
        "coredumppid",
        "coredumpcomm",
        "junit",
        "na zapusk",
        "mikrasiekund",
        "enhed",
        "mikrosekunder",
        "opstart",
        "jobid",
        "a rendszer",
        "ezredmsodpercet",
        "a rendszernapl",
        "user manager",
        "smack",
        "lunit",
        "stato",
        "il processo",
        "il sistema",
        "stata",
        "le processus",
        "notez que",
        "jedinica",
        "zapamtite da",
        "nova",
        "jednostka",
        "prosz zauway",
        "zwykle wskazuje",
        "jest",
        "o processo",
        "processo",
        "isso",
        "inicializao",
        "journal",
        "sizelimit",
        "userid",
        "prozess",
        "speicherabbild",
        "hinweis auf",
        "programmfehler",
        "fehler dem",
        "die systemzeit",
        "realtime"
      ],
      "references": [
        "Hunting_B64Engine_DotNetToJScript_Dos.yar",
        "APT_Backdoor_PS1_BASICPIPESHELL_1.yar",
        "apt_sandworm_exim_expl.yar.002",
        "apt_sandworm_exim_expl.yar.001",
        "apt_sandworm_exim_expl.yar",
        "connect.php",
        "connect.php.002",
        "connect.php.001",
        "crypto-miner.js",
        "eicar",
        "eicar.001",
        "eicar.002",
        "custom.py",
        "eicar.txt",
        "expl_cve_2021_40444.yar.001",
        "expl_cve_2021_40444.yar.002",
        "getPerms.php",
        "input.pcap",
        "list.php",
        "parent.php",
        "payload.php",
        "payload.php.001",
        "kingdee-erp-rce.yaml",
        "payload.php.003",
        "payload.php.002",
        "payload.php.004",
        "payload.php.005",
        "payload.php.006",
        "payload.php.007",
        "payload.php.008",
        "payload.php.010",
        "payload.php.011",
        "payload.php.009",
        "payload.php.012",
        "payload.php.013",
        "payload.php.015",
        "payload.php.016",
        "payload.php.017",
        "reverse_tcp.py",
        "scanner.php",
        "search.php",
        "setdb.php",
        "payload.php.014",
        "setdb.php.001",
        "reader.php",
        "single.php",
        "resolv.conf",
        "systemd-update-helper",
        "90-systemd.preset",
        "60-flatpak",
        "app.slice",
        "background.slice",
        "README.md",
        "bluetooth.target",
        "basic.target",
        "borgmatic-user.timer",
        "borgmatic-user.service",
        "cape.service",
        "cape-dist.service",
        "cape-processor.service",
        "cape-rooter.service",
        "capsule@.target",
        "cape-web.service",
        "clash.service",
        "colord-session.service",
        "dbus.socket",
        "cape-fstab.service",
        "dbus.service",
        "dbus-broker.service",
        "dconf.service",
        "dirmngr.service",
        "default.target",
        "drkonqi-coredump-cleanup.service",
        "dirmngr.socket",
        "drkonqi-coredump-cleanup.timer",
        "drkonqi-coredump-launcher.socket",
        "drkonqi-sentry-postman.path",
        "drkonqi-coredump-pickup.service",
        "drkonqi-sentry-postman.service",
        "drkonqi-sentry-postman.timer",
        "drkonqi-coredump-launcher@.service",
        "dunst.service",
        "flatpak-oci-authenticator.service",
        "filter-chain.service",
        "exit.target",
        "flatpak-session-helper.service",
        "fluidsynth.service",
        "gcr-ssh-agent.socket",
        "flatpak-portal.service",
        "gcr-ssh-agent.service",
        "gnome-keyring-daemon.service",
        "glib-pacrunner.service",
        "gnome-keyring-daemon.socket",
        "gpg-agent-ssh.socket",
        "gnome-terminal-server.service",
        "gpg-agent-extra.socket",
        "gpg-agent.service",
        "gpg-agent.socket",
        "gpg-agent-browser.socket",
        "graphical-session-pre.target",
        "graphical-session.target",
        "gssuserproxy.socket",
        "guacd.service",
        "gvfs-gphoto2-volume-monitor.service",
        "gvfs-daemon.service",
        "gssuserproxy.service",
        "gvfs-afc-volume-monitor.service",
        "gvfs-metadata.service",
        "jack@.service",
        "guac-web.service",
        "gvfs-udisks2-volume-monitor.service",
        "gvfs-mtp-volume-monitor.service",
        "kde-baloo.service",
        "keyboxd.service",
        "kio-fuse.service",
        "keyboxd.socket",
        "p11-kit-server.service",
        "p11-kit-server.socket",
        "paths.target",
        "pipewire.socket",
        "pipewire-pulse.service",
        "plasma-gmenudbusmenuproxy.service",
        "pipewire-pulse.socket",
        "plasma-baloorunner.service",
        "plasma-kcminit.service",
        "plasma-dolphin.service",
        "plasma-kcminit-phase1.service",
        "plasma-core.target",
        "plasma-kded.service",
        "pipewire.service",
        "plasma-kded6.service",
        "plasma-kglobalaccel.service",
        "at-spi-dbus-bus.service",
        "plasma-krunner.service",
        "plasma-kscreen.service",
        "plasma-kscreen-osd.service",
        "plasma-ksmserver.service",
        "plasma-ksplash.service",
        "plasma-ksplash-ready.service",
        "plasma-ksystemstats.service",
        "plasma-kwallet-pam.service",
        "plasma-kwin_wayland.service",
        "plasma-kwin_x11.service",
        "plasma-plasmashell.service",
        "plasma-polkit-agent.service",
        "plasma-powerdevil.service",
        "plasma-powerprofile-osd.service",
        "plasma-restoresession.service",
        "plasma-workspace.target",
        "plasma-workspace-wayland.target",
        "plasma-workspace-x11.target",
        "plasma-xdg-desktop-portal-kde.service",
        "plasma-xembedsniproxy.service",
        "podman.service",
        "podman.socket",
        "podman-auto-update.service",
        "podman-auto-update.timer",
        "podman-kube@.service",
        "podman-restart.service",
        "printer.target",
        "pulseaudio.service",
        "pulseaudio.socket",
        "pulseaudio-x11.service",
        "session.slice",
        "shutdown.target",
        "smartcard.target",
        "sockets.target",
        "sound.target",
        "ssh-agent.service",
        "suricata.service",
        "suricata-update.service",
        "suricata-update.timer",
        "systemd-exit.service",
        "systemd-tmpfiles-clean.service",
        "systemd-tmpfiles-clean.timer",
        "systemd-tmpfiles-setup.service",
        "thunar.service",
        "timers.target",
        "tracker-xdg-portal-3.service",
        "tumblerd.service",
        "wireplumber.service",
        "wireplumber@.service",
        "xdg-desktop-autostart.target",
        "xdg-desktop-portal.service",
        "xdg-desktop-portal-gtk.service",
        "xdg-desktop-portal-hyprland.service",
        "xdg-desktop-portal-rewrite-launchers.service",
        "xdg-desktop-portal-xapp.service",
        "xdg-permission-store.service",
        "xdg-user-dirs-update.service",
        "xfce4-notifyd.service",
        "xsettingsd.service",
        "xdg-document-portal.service",
        "https://hybrid-analysis.com/sample/b1a9e5be43c028442c07071e202f44f33e3a2df167822c5cfed8f998e01fe169/661da09794b343782806018e",
        "defaults.conf",
        "apparmor.conf",
        "nvidia",
        "tlp",
        "fwupd.shutdown",
        "mdadm.shutdown",
        "99-default.preset",
        "50-zfs.preset",
        "ibft-rule-generator",
        "10-arch",
        "60-flatpak-system-only",
        "3proxy.service",
        "apache-tika.service",
        "apparmor.service",
        "arch-audit.service",
        "arch-audit.timer",
        "NetworkManager-dispatcher.service",
        "NetworkManager-wait-online.service",
        "NetworkManager.service",
        "SUSE-mdadm_env.sh",
        "ModemManager.service",
        "3proxy.conf",
        "archlinux-keyring-wkd-sync.service",
        "adsl.service",
        "accounts-daemon.service",
        "adb.service",
        "alsa-restore.service",
        "alsa-state.service",
        "archlinux-keyring-wkd-sync.timer",
        "ananicy-cpp.service",
        "arcolinux-graphical-target.service",
        "atftpd.service",
        "audit-rules.service",
        "auditd.service",
        "auth-rpcgss-module.service",
        "autorandr.service",
        "autorandr-lid-listener.service",
        "autovt@.service",
        "avahi-daemon.service",
        "avahi-daemon.socket",
        "avahi-dnsconfd.service",
        "bettercap.service",
        "betterlockscreen@.service",
        "blk-availability.service",
        "blockdev@.target",
        "bluetooth.service",
        "bmc-watchdog.service",
        "bolt.service",
        "boot-complete.target",
        "borgmatic.service",
        "borgmatic.timer",
        "bpftune.service",
        "btrfs-scrub@.service",
        "btrfs-scrub@.timer",
        "canberra-system-bootup.service",
        "canberra-system-shutdown.service",
        "canberra-system-shutdown-reboot.service",
        "capsule.slice",
        "capsule@.service",
        "celery2@.service",
        "celery@.service",
        "chkboot.service",
        "clamav-clamonacc.service",
        "clamav-daemon.service",
        "clamav-daemon.socket",
        "clamav-freshclam.service",
        "clamav-freshclam-once.service",
        "clamav-freshclam-once.timer",
        "clamav-unofficial-sigs.service",
        "clamav-unofficial-sigs.timer",
        "clash@.service",
        "cntlm.service",
        "colord.service",
        "configure-printer@.service",
        "console-getty.service",
        "container-getty@.service",
        "containerd.service",
        "couchdb.service",
        "cpupower.service",
        "create_ap.service",
        "cronie.service",
        "cryptsetup.target",
        "cryptsetup-pre.target",
        "ctrl-alt-del.target",
        "cups.path",
        "cups.service",
        "cups.socket",
        "cups-lpd.socket",
        "cups-lpd@.service",
        "cxl-monitor.service",
        "darkstat.service",
        "daxdev-reconfigure@.service",
        "dbus-org.freedesktop.hostname1.service",
        "dbus-org.freedesktop.import1.service",
        "dbus-org.freedesktop.locale1.service",
        "dbus-org.freedesktop.login1.service",
        "dbus-org.freedesktop.machine1.service",
        "dbus-org.freedesktop.portable1.service",
        "dbus-org.freedesktop.timedate1.service",
        "debug-shell.service",
        "dev-hugepages.mount",
        "dev-mqueue.mount",
        "dhclient@.service",
        "dhcpd4.service",
        "dhcpd6.service",
        "dirmngr@.service",
        "dirmngr@.socket",
        "dm-event.service",
        "dm-event.socket",
        "dmraid.service",
        "dnscrypt-proxy.service",
        "dnsmasq.service",
        "docker.service",
        "docker.socket",
        "drkonqi-coredump-processor@.service",
        "e2scrub@.service",
        "e2scrub_all.service",
        "e2scrub_all.timer",
        "e2scrub_fail@.service",
        "e2scrub_reap.service",
        "ead.service",
        "elasticsearch.service",
        "elasticsearch-keystore.service",
        "elasticsearch-keystore@.service",
        "elasticsearch@.service",
        "emergency.service",
        "emergency.target",
        "epmd.service",
        "epmd.socket",
        "exabgp.service",
        "factory-reset.target",
        "fancontrol.service",
        "fastnetmon.service",
        "final.target",
        "finger.socket",
        "finger@.service",
        "first-boot-complete.target",
        "flatpak-system-helper.service",
        "freeradius.service",
        "fsidd.service",
        "fstrim.service",
        "fstrim.timer",
        "ftpd.service",
        "fwupd.service",
        "fwupd-offline-update.service",
        "fwupd-refresh.service",
        "fwupd-refresh.timer",
        "geoclue.service",
        "geoipupdate.service",
        "geoipupdate.timer",
        "getty.target",
        "getty-pre.target",
        "getty@.service",
        "git-daemon.socket",
        "git-daemon@.service",
        "gnupg-pkcs11-scd-proxy.service",
        "gpg-agent-browser@.socket",
        "gpg-agent-extra@.socket",
        "gpg-agent-ssh@.socket",
        "gpg-agent@.service",
        "gpg-agent@.socket",
        "gpm.path",
        "gpm.service",
        "gpsd.service",
        "gpsd.socket",
        "gpsdctl@.service",
        "graphical.target",
        "greenbone-certdata-sync.service",
        "greenbone-certdata-sync.timer",
        "greenbone-feed-sync.service",
        "greenbone-feed-sync.timer",
        "greenbone-nvt-sync.service",
        "greenbone-nvt-sync.timer",
        "greenbone-scapdata-sync.service",
        "greenbone-scapdata-sync.timer",
        "gssproxy.service",
        "gvmd.service",
        "halt.target",
        "healthd.service",
        "hibernate.target",
        "hostapd.service",
        "hostapd@.service",
        "httpd.service",
        "hv_fcopy_daemon.service",
        "hv_kvp_daemon.service",
        "hv_vss_daemon.service",
        "hybrid-sleep.target",
        "i2pd.service",
        "iiod.service",
        "initrd.target",
        "initrd-cleanup.service",
        "initrd-fs.target",
        "initrd-parse-etc.service",
        "initrd-root-device.target",
        "initrd-root-fs.target",
        "initrd-switch-root.service",
        "initrd-switch-root.target",
        "initrd-udevadm-cleanup-db.service",
        "initrd-usr-fs.target",
        "integritysetup.target",
        "integritysetup-pre.target",
        "iodined.service",
        "iodined.socket",
        "ip2clued.service",
        "ip6tables.service",
        "ipmidetectd.service",
        "ipmiseld.service",
        "iptables.service",
        "iscsi.service",
        "iscsi-init.service",
        "iscsid.service",
        "iscsid.socket",
        "iscsiuio.service",
        "iscsiuio.socket",
        "isnsd.service",
        "isnsd.socket",
        "iwd.service",
        "kcptun-server@.service",
        "kcptun@.service",
        "kexec.target",
        "keyboxd@.service",
        "keyboxd@.socket",
        "kmod-static-nodes.service",
        "krb5-kadmind.service",
        "krb5-kdc.service",
        "krb5-kpropd.service",
        "krb5-kpropd.socket",
        "krb5-kpropd@.service",
        "lastlog2-import.service",
        "ldconfig.service",
        "libvirt-guests.service",
        "libvirtd.service",
        "libvirtd.socket",
        "libvirtd-admin.socket",
        "libvirtd-ro.socket",
        "libvirtd-tcp.socket",
        "libvirtd-tls.socket",
        "lightdm.service",
        "lm_sensors.service",
        "local-fs.target",
        "local-fs-pre.target",
        "logrotate.service",
        "logrotate.timer",
        "lvm2-lvmpolld.service",
        "lvm2-lvmpolld.socket",
        "lvm2-monitor.service",
        "lxc.service",
        "lxc-auto.service",
        "lxc-monitord.service",
        "lxc-net.service",
        "lxc@.service",
        "lxdm.service",
        "ly.service",
        "lynis.service",
        "lynis.timer",
        "machine.slice",
        "machines.target",
        "man-db.service",
        "man-db.timer",
        "mariadb.service",
        "mariadb.socket",
        "mariadb-extra.socket",
        "mariadb-extra@.socket",
        "mariadb@.service",
        "mariadb@.socket",
        "mdadm-grow-continue@.service",
        "mdadm-last-resort@.service",
        "mdadm-last-resort@.timer",
        "mdcheck_continue.service",
        "mdcheck_continue.timer",
        "mdcheck_start.service",
        "mdcheck_start.timer",
        "mdmon@.service",
        "mdmonitor.service",
        "mdmonitor-oneshot.service",
        "mdmonitor-oneshot.timer",
        "memavaild.service",
        "mkinitcpio-generate-shutdown-ramfs.service",
        "modprobe@.service",
        "mongodb.service",
        "multi-user.target",
        "mysql.service",
        "mysqld.service",
        "named.service",
        "nbd.service",
        "nbd@.service",
        "ndctl-monitor.service",
        "neo4j.service",
        "netavark-dhcp-proxy.service",
        "netavark-dhcp-proxy.socket",
        "netdata.service",
        "network.target",
        "network-online.target",
        "network-pre.target",
        "nfs-blkmap.service",
        "nfs-client.target",
        "nfs-idmapd.service",
        "nfs-mountd.service",
        "nfs-server.service",
        "nfs-utils.service",
        "nfsdcld.service",
        "nfsv4-exportd.service",
        "nfsv4-server.service",
        "nftables.service",
        "nm-priv-helper.service",
        "nmb.service",
        "nohang.service",
        "nohang-desktop.service",
        "nscd.service",
        "nss-lookup.target",
        "nss-user-lookup.target",
        "ntpd.service",
        "ntpdate.service",
        "nvidia-hibernate.service",
        "nvidia-persistenced.service",
        "nvidia-powerd.service",
        "nvidia-resume.service",
        "nvidia-suspend.service",
        "nvmefc-boot-connections.service",
        "nvmf-autoconnect.service",
        "nvmf-connect.target",
        "nvmf-connect-nbft.service",
        "nvmf-connect@.service",
        "pacrunner.service",
        "ostree-boot-complete.service",
        "pacman-filesdb-refresh.timer",
        "pcscd.service",
        "passim.service",
        "pcscd.socket",
        "packagekit-offline-update.service",
        "phoronix-result-server.service",
        "paccache.timer",
        "plymouth-kexec.service",
        "pamac-cleancache.timer",
        "plymouth-quit.service",
        "partimaged.service",
        "plymouth-poweroff.service",
        "plymouth-read-write.service",
        "plymouth-quit-wait.service",
        "paccache.service",
        "plymouth-switch-root-initramfs.service",
        "ostree-remount.service",
        "plymouth-switch-root.service",
        "openvpn-client@.service",
        "podman-clean-transient.service",
        "pamac-offline-upgrade.service",
        "polkit.service",
        "postfix.service",
        "pam_namespace.service",
        "poweroff.target",
        "ppp@.service",
        "opensnitchd.service",
        "proc-fs-nfsd.mount",
        "proc-sys-fs-binfmt_misc.automount",
        "proc-sys-fs-binfmt_misc.mount",
        "phoromatic-server.service",
        "ptunnel.service",
        "openvpn-server@.service",
        "plymouth-halt.service",
        "pamac-cleancache.service",
        "plymouth-reboot.service",
        "ostree-state-overlay@.service",
        "ostree-finalize-staged.service",
        "postgresql.service",
        "phoromatic-client.service",
        "pamac-daemon.service",
        "pacman-filesdb-refresh.service",
        "packagekit.service",
        "pkgfile-update.service",
        "pkgfile-update.timer",
        "plymouth-start.service",
        "ostree-prepare-root.service",
        "ostree-finalize-staged.path",
        "privoxy.service",
        "ostree-finalize-staged-hold.service",
        "qemu-guest-agent.service",
        "quotaon.service",
        "quotaon-root.service",
        "quotaon@.service",
        "rabbitmq.service",
        "ras-mc-ctl.service",
        "rasdaemon.service",
        "rathole@.service",
        "ratholec@.service",
        "ratholes@.service",
        "rc-local.service",
        "rdnssd@.service",
        "reboot.target",
        "redis.service",
        "redis-sentinel.service",
        "reflector.service",
        "reflector.timer",
        "remote-cryptsetup.target",
        "remote-fs.target",
        "remote-fs-pre.target",
        "remote-veritysetup.target",
        "rescue.service",
        "rescue.target",
        "rfkill-block@.service",
        "rfkill-unblock@.service",
        "rlogin.socket",
        "rlogin@.service",
        "rpc-gssd.service",
        "rpc-statd.service",
        "rpc-statd-notify.service",
        "rpc_pipefs.target",
        "rpcbind.service",
        "rpcbind.socket",
        "rpcbind.target",
        "rsh.socket",
        "rsh@.service",
        "rsyncd.service",
        "rsyncd.socket",
        "rsyncd@.service",
        "rtkit-daemon.service",
        "runlevel0.target",
        "runlevel1.target",
        "runlevel2.target",
        "runlevel3.target",
        "runlevel4.target",
        "runlevel5.target",
        "runlevel6.target",
        "rwhod.service",
        "samba.service",
        "sddm.service",
        "seatd.service",
        "sensord.service",
        "serial-getty@.service",
        "shadow.service",
        "shadow.timer",
        "sigpwr.target",
        "slapd.service",
        "sleep.target",
        "slices.target",
        "smartd.service",
        "smb.service",
        "sndiod.service",
        "snmpd.service",
        "snmptrapd.service",
        "snort@.service",
        "snort@1000.service",
        "soft-reboot.target",
        "ssh-access.target",
        "sshd.service",
        "sshdgenkeys.service",
        "sshuttle.service",
        "sslh.service",
        "sslh-fork.service",
        "sslh-select.service",
        "storage-target-mode.target",
        "stunnel.service",
        "sudo_logsrvd.service",
        "suspend.target",
        "suspend-then-hibernate.target",
        "svnserve.service",
        "swap.target",
        "sys-fs-fuse-connections.mount",
        "sys-kernel-config.mount",
        "sys-kernel-debug.mount",
        "sys-kernel-tracing.mount",
        "sysinit.target",
        "syslog.socket",
        "system-systemd\\x2dcryptsetup.slice",
        "system-systemd\\x2dveritysetup.slice",
        "system-update.target",
        "system-update-cleanup.service",
        "system-update-pre.target",
        "systemd-ask-password-console.path",
        "systemd-ask-password-console.service",
        "systemd-ask-password-plymouth.path",
        "systemd-ask-password-plymouth.service",
        "systemd-ask-password-wall.path",
        "systemd-ask-password-wall.service",
        "systemd-backlight@.service",
        "systemd-battery-check.service",
        "systemd-binfmt.service",
        "systemd-bless-boot.service",
        "systemd-boot-check-no-failures.service",
        "systemd-boot-random-seed.service",
        "systemd-boot-update.service",
        "systemd-bootctl.socket",
        "systemd-bootctl@.service",
        "systemd-bsod.service",
        "systemd-confext.service",
        "systemd-coredump.socket",
        "systemd-coredump@.service",
        "systemd-creds.socket",
        "systemd-creds@.service",
        "systemd-firstboot.service",
        "systemd-fsck-root.service",
        "systemd-fsck@.service",
        "systemd-growfs-root.service",
        "systemd-growfs@.service",
        "systemd-halt.service",
        "systemd-hibernate.service",
        "systemd-hibernate-resume.service",
        "systemd-homed.service",
        "systemd-homed-activate.service",
        "systemd-homed-firstboot.service",
        "systemd-hostnamed.service",
        "systemd-hostnamed.socket",
        "systemd-hwdb-update.service",
        "systemd-hybrid-sleep.service",
        "systemd-importd.service",
        "systemd-initctl.service",
        "systemd-initctl.socket",
        "systemd-journal-catalog-update.service",
        "systemd-journal-flush.service",
        "systemd-journal-gatewayd.service",
        "systemd-journal-gatewayd.socket",
        "systemd-journal-remote.service",
        "systemd-journal-remote.socket",
        "systemd-journal-upload.service",
        "systemd-journald.service",
        "systemd-journald.socket",
        "systemd-journald-audit.socket",
        "systemd-journald-dev-log.socket",
        "systemd-journald-varlink@.socket",
        "systemd-journald@.service",
        "systemd-journald@.socket",
        "systemd-kexec.service",
        "systemd-localed.service",
        "systemd-logind.service",
        "systemd-machine-id-commit.service",
        "systemd-machined.service",
        "systemd-modules-load.service",
        "systemd-network-generator.service",
        "systemd-networkd.service",
        "systemd-networkd.socket",
        "systemd-networkd-persistent-storage.service",
        "systemd-networkd-wait-online.service",
        "systemd-networkd-wait-online@.service",
        "systemd-nspawn@.service",
        "systemd-oomd.service",
        "systemd-oomd.socket",
        "systemd-pcrextend.socket",
        "systemd-pcrextend@.service",
        "systemd-pcrfs-root.service",
        "systemd-pcrfs@.service",
        "systemd-pcrlock.socket",
        "systemd-pcrlock-file-system.service",
        "systemd-pcrlock-firmware-code.service",
        "systemd-pcrlock-firmware-config.service",
        "systemd-pcrlock-machine-id.service",
        "systemd-pcrlock-make-policy.service",
        "systemd-pcrlock-secureboot-authority.service",
        "systemd-pcrlock-secureboot-policy.service",
        "systemd-pcrlock@.service",
        "systemd-pcrmachine.service",
        "systemd-pcrphase.service",
        "systemd-pcrphase-initrd.service",
        "systemd-pcrphase-sysinit.service",
        "systemd-portabled.service",
        "systemd-poweroff.service",
        "systemd-pstore.service",
        "systemd-quotacheck.service",
        "systemd-quotacheck-root.service",
        "systemd-quotacheck@.service",
        "systemd-random-seed.service",
        "systemd-reboot.service",
        "systemd-remount-fs.service",
        "systemd-repart.service",
        "systemd-resolved.service",
        "systemd-rfkill.service",
        "systemd-rfkill.socket",
        "systemd-soft-reboot.service",
        "systemd-storagetm.service",
        "systemd-suspend.service",
        "systemd-suspend-then-hibernate.service",
        "systemd-sysctl.service",
        "systemd-sysext.service",
        "systemd-sysext.socket",
        "systemd-sysext@.service",
        "systemd-sysupdate.service",
        "systemd-sysupdate.timer",
        "systemd-sysupdate-reboot.service",
        "systemd-sysupdate-reboot.timer",
        "systemd-sysusers.service",
        "systemd-time-wait-sync.service",
        "systemd-timedated.service",
        "systemd-timesyncd.service",
        "systemd-tmpfiles-setup-dev.service",
        "systemd-tmpfiles-setup-dev-early.service",
        "systemd-tpm2-setup.service",
        "systemd-tpm2-setup-early.service",
        "systemd-udev-trigger.service",
        "systemd-udevd.service",
        "systemd-udevd-control.socket",
        "systemd-udevd-kernel.socket",
        "systemd-update-done.service",
        "systemd-update-utmp.service",
        "systemd-update-utmp-runlevel.service",
        "systemd-user-sessions.service",
        "systemd-userdbd.service",
        "systemd-userdbd.socket",
        "systemd-vconsole-setup.service",
        "systemd-vmspawn@.service",
        "systemd-volatile-root.service",
        "systemd-zram-setup@.service",
        "talk.service",
        "talk.socket",
        "teamd@.service",
        "telnet.socket",
        "telnet@.service",
        "time-set.target",
        "time-sync.target",
        "tinc.service",
        "tinc@.service",
        "tinyproxy.service",
        "tlp.service",
        "tmp.mount",
        "tor.service",
        "tpm2.target",
        "udisks2.service",
        "udp2raw@.service",
        "ufw.service",
        "uksmd.service",
        "umount.target",
        "unbound.service",
        "updatedb.service",
        "updatedb.timer",
        "upower.service",
        "usb-gadget.target",
        "usb_modeswitch@.service",
        "usbipd.service",
        "usbmuxd.service",
        "user.slice",
        "user-runtime-dir@.service",
        "user@.service",
        "uuidd.service",
        "uuidd.socket",
        "var-lib-machines.mount",
        "var-lib-nfs-rpc_pipefs.mount",
        "vboxdrmclient.path",
        "vboxdrmclient.service",
        "vboxservice.service",
        "veritysetup.target",
        "veritysetup-pre.target",
        "virt-guest-shutdown.target",
        "virtchd.service",
        "virtchd.socket",
        "virtchd-admin.socket",
        "virtchd-ro.socket",
        "virtinterfaced.service",
        "virtinterfaced.socket",
        "virtinterfaced-admin.socket",
        "virtinterfaced-ro.socket",
        "virtlockd.service",
        "virtlockd.socket",
        "virtlockd-admin.socket",
        "virtlogd.service",
        "virtlogd.socket",
        "virtlogd-admin.socket",
        "virtlxcd.service",
        "virtlxcd.socket",
        "virtlxcd-admin.socket",
        "virtlxcd-ro.socket",
        "virtnetworkd.service",
        "virtnetworkd.socket",
        "virtnetworkd-admin.socket",
        "virtnetworkd-ro.socket",
        "virtnodedevd.service",
        "virtnodedevd.socket",
        "virtnodedevd-admin.socket",
        "virtnodedevd-ro.socket",
        "virtnwfilterd.service",
        "virtnwfilterd.socket",
        "virtnwfilterd-admin.socket",
        "virtnwfilterd-ro.socket",
        "virtproxyd.service",
        "virtproxyd.socket",
        "virtproxyd-admin.socket",
        "virtproxyd-ro.socket",
        "virtproxyd-tcp.socket",
        "virtproxyd-tls.socket",
        "virtqemud.service",
        "virtqemud.socket",
        "virtqemud-admin.socket",
        "virtqemud-ro.socket",
        "virtsecretd.service",
        "virtsecretd.socket",
        "virtsecretd-admin.socket",
        "virtsecretd-ro.socket",
        "virtstoraged.service",
        "virtstoraged.socket",
        "virtstoraged-admin.socket",
        "virtstoraged-ro.socket",
        "virtvboxd.service",
        "virtvboxd.socket",
        "virtvboxd-admin.socket",
        "virtvboxd-ro.socket",
        "vmtoolsd.service",
        "vmware-vmblock-fuse.service",
        "vpnc@.service",
        "wacom-inputattach@.service",
        "wg-quick.target",
        "wg-quick@.service",
        "winbind.service",
        "wondershaper.service",
        "wpa_supplicant.service",
        "wpa_supplicant-nl80211@.service",
        "wpa_supplicant-wired@.service",
        "wpa_supplicant@.service",
        "xfs_scrub@.service",
        "xfs_scrub_all.service",
        "xfs_scrub_all.timer",
        "xfs_scrub_fail@.service",
        "xl2tpd.service",
        "xplico.service",
        "xrdp.service",
        "xrdp-sesman.service",
        "yate.service",
        "zfs.target",
        "zfs-import.service",
        "zfs-import.target",
        "zfs-import-cache.service",
        "zfs-import-scan.service",
        "zfs-load-key.service",
        "zfs-mount.service",
        "zfs-scrub-monthly@.timer",
        "zfs-scrub-weekly@.timer",
        "zfs-scrub@.service",
        "zfs-share.service",
        "zfs-trim-monthly@.timer",
        "zfs-trim-weekly@.timer",
        "zfs-trim@.service",
        "zfs-volume-wait.service",
        "zfs-volumes.target",
        "zfs-zed.service",
        "plymouth.conf",
        "gpg-agent-ssh@etc-pacman.d-gnupg.socket",
        "keyboxd@etc-pacman.d-gnupg.socket",
        "dirmngr@etc-pacman.d-gnupg.socket",
        "gpg-agent-browser@etc-pacman.d-gnupg.socket",
        "gpg-agent-extra@etc-pacman.d-gnupg.socket",
        "gpg-agent@etc-pacman.d-gnupg.socket",
        "https://hybrid-analysis.com/sample/ff42428f0fcc346cc56e2b00d4b5c4bd43b55f3465b4ccab0efba9c88f4a1c03/661da0b063c895fc2d0a78dc",
        "https://hybrid-analysis.com/sample/9613dee39157b5f9935436b36647047e267b7c10fa4c7ab1fd995db681e58c12/661da5b202eaca78740cf4ed",
        "https://hybrid-analysis.com/sample/479a0170df010c5eb742ff1b8740a2ccf381df44c8a919c95d6e38685278e78a/661da5c768340c1e25092cb2",
        "50-rc_keymap.conf",
        "10-defaults.conf",
        "10-login-barrier.conf",
        "20-systemd-userdb.conf",
        "20-systemd-ssh-proxy.conf",
        "iptables-flush",
        "cpupower",
        "chkboot-bootcheck",
        "10-root.conf",
        "30-root-verity-sig.conf",
        "20-root-verity.conf",
        "80-systemd-timesync.list",
        "80-6rd-tunnel.link",
        "80-container-ve.network",
        "80-container-vb.network",
        "80-container-vz.link",
        "80-6rd-tunnel.network",
        "80-container-vz.network",
        "80-auto-link-local.network.example",
        "80-ethernet.network.example",
        "80-container-host0.network",
        "80-iwd.link",
        "80-container-vb.link",
        "80-vm-vt.link",
        "80-vm-vt.network",
        "80-wifi-adhoc.network",
        "80-wifi-ap.network.example",
        "80-wifi-station.network.example",
        "80-container-ve.link",
        "89-ethernet.network.example",
        "99-default.link",
        "dbus-broker.catalog",
        "dbus-broker-launch.catalog",
        "systemd.be.catalog",
        "systemd.be@latin.catalog",
        "systemd.da.catalog",
        "systemd.bg.catalog",
        "systemd.hu.catalog",
        "systemd.catalog",
        "systemd.it.catalog",
        "systemd.fr.catalog",
        "systemd.ko.catalog",
        "systemd.hr.catalog",
        "systemd.pl.catalog",
        "systemd.pt_BR.catalog",
        "systemd.ru.catalog",
        "systemd.sr.catalog",
        "systemd.zh_CN.catalog",
        "systemd.de.catalog",
        "systemd.zh_TW.catalog",
        "expl_cve_2021_40444.yar"
      ],
      "public": 1,
      "adversary": "Chinese Speaking",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "RemainAfterExit",
          "display_name": "RemainAfterExit",
          "target": null
        },
        {
          "id": "NMBDOPTIONS",
          "display_name": "NMBDOPTIONS",
          "target": null
        },
        {
          "id": "SMBDOPTIONS",
          "display_name": "SMBDOPTIONS",
          "target": null
        },
        {
          "id": "SuccessAction",
          "display_name": "SuccessAction",
          "target": null
        },
        {
          "id": "WINBINDOPTIONS",
          "display_name": "WINBINDOPTIONS",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1205",
          "name": "Traffic Signaling",
          "display_name": "T1205 - Traffic Signaling"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1543",
          "name": "Create or Modify System Process",
          "display_name": "T1543 - Create or Modify System Process"
        },
        {
          "id": "T1569",
          "name": "System Services",
          "display_name": "T1569 - System Services"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1114",
          "name": "Email Collection",
          "display_name": "T1114 - Email Collection"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "661db37bf549518bf6f7f377",
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 123,
        "YARA": 16,
        "CVE": 4,
        "FileHash-SHA1": 25,
        "FileHash-SHA256": 20,
        "domain": 102,
        "URL": 16,
        "email": 9,
        "hostname": 4,
        "CIDR": 2
      },
      "indicator_count": 321,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 66,
      "modified_text": "3 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6a16ac89787e428fe0f7b045",
      "name": "[\"backup ios...\"] clone by Merkd1904. User note: theres a name tagged here thats interesting",
      "description": "",
      "modified": "2026-05-27T08:34:17.204000",
      "created": "2026-05-27T08:34:17.204000",
      "tags": [
        "fireeye",
        "copyright",
        "base64",
        "dotnettojscript",
        "gadgettojscript",
        "invokeclient",
        "invokeserver",
        "readhost enter",
        "command",
        "roth",
        "nextron",
        "sandworm",
        "detects ssh",
        "grant all",
        "privileges on",
        "to mysqldb",
        "create user",
        "g root",
        "sandworm python",
        "import",
        "phpsploit",
        "host",
        "user",
        "pass",
        "error",
        "establish",
        "pecl oci8",
        "connstr",
        "charset",
        "false",
        "miner",
        "texthtml",
        "module",
        "send custom",
        "swissky",
        "class",
        "serviceip",
        "serviceport",
        "servicedata",
        "e binsh",
        "init",
        "service port",
        "detects",
        "cve202140444",
        "target",
        "targetmode",
        "jeremy brown",
        "windows cve",
        "ms office",
        "modified rule",
        "rperm",
        "wperm",
        "pathsep",
        "string",
        "rwxrxrx",
        "file types",
        "unix",
        "login",
        "autentication",
        "disable",
        "ldapconnect",
        "version",
        "authentication",
        "ldaplist",
        "null",
        "pathelems",
        "execute",
        "backdoor",
        "kingdee oa",
        "yunxingkong",
        "b6oa",
        "code execution",
        "kingdee cloud",
        "starry sky",
        "otherwise",
        "file",
        "setsmartdate",
        "fread",
        "name",
        "force",
        "base64decode",
        "data",
        "substr",
        "array",
        "readdir",
        "getowner",
        "getgroup",
        "getsize",
        "force option",
        "fwrite",
        "permission",
        "check",
        "mode",
        "diraccess",
        "fileaccess",
        "realpath",
        "stat",
        "immutable",
        "posixgetpwuid",
        "posixgetgrgid",
        "explode",
        "etcpasswd",
        "glob",
        "globonlydir",
        "oraclelogin",
        "port",
        "servicename",
        "connector",
        "base",
        "query type",
        "mssqlfetcharray",
        "mssqlassoc",
        "solsocket",
        "timeout",
        "range",
        "portmin",
        "portmax",
        "socketcreate",
        "afinet",
        "sockstream",
        "open",
        "type",
        "true",
        "tcp connection",
        "tcp shell",
        "input",
        "lhost",
        "netcat",
        "lport",
        "shell",
        "dllimport",
        "python",
        "back",
        "fore",
        "pfinet",
        "stdout",
        "this",
        "win32",
        "ldapsearch",
        "select",
        "mysqliassoc",
        "select database",
        "send",
        "newfile",
        "dns stub",
        "third party",
        "see man",
        "exit",
        "o pipefail",
        "v systemctl",
        "devnull",
        "unknown verb",
        "license",
        "gnu lesser",
        "general public",
        "free software",
        "foundation",
        "unit",
        "slice",
        "cpuweight100",
        "tasks slice",
        "cpuweight30",
        "capev2",
        "cape",
        "cuckoo web",
        "setup",
        "grep",
        "limitnofile",
        "install",
        "return",
        "execstart",
        "start",
        "descriptionrun",
        "timer",
        "oncalendardaily",
        "service",
        "prevent rate",
        "delay start",
        "m poetry",
        "sigkill",
        "descriptioncape",
        "ef usercape",
        "g cape",
        "allowisolateyes",
        "typedbus",
        "socket",
        "message bus",
        "listenstream",
        "typenotify",
        "descriptionuser",
        "harald sitter",
        "sitter",
        "kcrash",
        "drkonqi",
        "acceptyes",
        "disable trigger",
        "todo",
        "prevents",
        "path",
        "pathexistsglob",
        "runtimemaxsec31",
        "runtimemaxsec30",
        "restartno",
        "descriptionexit",
        "environmentfile",
        "otheropts",
        "soundfont",
        "descriptiongcr",
        "sshauthsock",
        "descriptionglib",
        "priority6",
        "killmodeprocess",
        "proxy",
        "socketmode0600",
        "apache software",
        "notice file",
        "apache license",
        "unless",
        "as is",
        "basis",
        "or conditions",
        "apple file",
        "conduit monitor",
        "descriptionjack",
        "jackoptions d",
        "driver d",
        "device",
        "media transfer",
        "indexer daemon",
        "memory",
        "memoryhigh512m",
        "system sockets",
        "a user",
        "conditionuser",
        "dbus menus",
        "plasma",
        "phase",
        "workspace core",
        "exit status",
        "x11 connection",
        "timeoutstopsec5",
        "disable restart",
        "timeoutsec40sec",
        "typeoneshot",
        "david edmundson",
        "davidedmundson",
        "osd service",
        "portal",
        "auto restart",
        "dbus",
        "xembed system",
        "logging system",
        "socketmode0660",
        "all containers",
        "restart policy",
        "logging start",
        "execstopbinsh c",
        "logging",
        "x11 plugins",
        "session slice",
        "typeforking",
        "etc userroot",
        "grouproot",
        "onbootsec15min",
        "place",
        "temporary",
        "volatile files",
        "thunar",
        "session manager",
        "wireplumber",
        "service file",
        "xdg autostart",
        "user dir",
        "descriptionxfce",
        "sandbox",
        "malware",
        "analysis",
        "online",
        "submit",
        "vxstream",
        "sample",
        "download",
        "trojan",
        "apt",
        "memoryfile scan",
        "ansi",
        "bpf program",
        "indicator",
        "bpf firewalling",
        "pcap",
        "pcap processing",
        "bpffallowmulti",
        "bpf device",
        "date",
        "suspicious",
        "hybrid",
        "crypto",
        "close",
        "click",
        "april",
        "strings",
        "february",
        "middle",
        "exploit",
        "gameover",
        "contact",
        "scope",
        "thomas koch",
        "gpl v2",
        "imsm",
        "ibftruledir",
        "ibftrules",
        "attr",
        "systemd rule",
        "hannes reinecke",
        "suse labs",
        "ipibft",
        "interface",
        "kernel",
        "configfile",
        "typesimple",
        "apparmor",
        "grouparchaudit",
        "hardening",
        "umask077",
        "persistenttrue",
        "enable debug",
        "networkmanager",
        "trace",
        "wait online",
        "edit",
        "note",
        "reload",
        "capdacoverride",
        "dhcp etc",
        "mdadmscan",
        "mdadmdelay",
        "mdadmmail",
        "mdadmprogram",
        "mdadmconfig",
        "mdadmsendmail",
        "p runsysconfig",
        "userroot",
        "sssd",
        "write access",
        "needed sometime",
        "statedirectory",
        "accountsservice",
        "varloglastlog",
        "bridge daemon",
        "alsa card",
        "card state",
        "required",
        "another auto",
        "nice daemon",
        "memorymax64m",
        "filter system",
        "mount",
        "reboot",
        "clock",
        "logging service",
        "requires",
        "before",
        "please",
        "exit codes",
        "proc",
        "descriptionruns",
        "execstartsh c",
        "switchtoggle",
        "ignoreonisolate",
        "term typeidle",
        "without",
        "any warranty",
        "merchantability",
        "fitness",
        "a particular",
        "vartmp",
        "wants type",
        "preparation",
        "watchdogsec10",
        "filesystem",
        "timer daemon",
        "options",
        "environment",
        "prevent",
        "readwritepaths",
        "security",
        "certain",
        "protectsystem",
        "bindpaths",
        "lower cpu",
        "nice19",
        "manager",
        "userc",
        "celerydnodes",
        "info",
        "chaddevops",
        "aaron brighton",
        "clam antivirus",
        "jon kriel",
        "distribution",
        "script",
        "sanesecurity",
        "securiteinfo",
        "malwarepatrol",
        "oitc",
        "file location",
        "remember",
        "typeexec user",
        "9 cntlm",
        "generate color",
        "profiles",
        "removeipctrue",
        "devpts",
        "authors",
        "any kind",
        "usercouchdb",
        "restartsec5",
        "volumes",
        "server socket",
        "user209",
        "daemon",
        "darkstatiface",
        "reloadconfig",
        "watchdogsec3min",
        "privatetmpyes",
        "protectproc",
        "increase",
        "descriptiontime",
        "date service",
        "debugging only",
        "ignoresigpipeno",
        "unset locale",
        "file system",
        "queue file",
        "whatmqueue",
        "optionsnosuid",
        "pf rundhclient",
        "rate",
        "requiresdirmngr",
        "capfowner",
        "capsetpcap",
        "dhcp",
        "dns server",
        "startlimit",
        "limits",
        "delegateyes",
        "descriptionpass",
        "runtimemaxsec5",
        "mountain",
        "metadata check",
        "all filesystems",
        "online metadata",
        "sunday",
        "oncalendarsun",
        "online ext4",
        "sigterm signal",
        "java process",
        "piddir",
        "standardoutput",
        "elasticsearch",
        "limitnproc4096",
        "limitasinfinity",
        "sendsighupyes",
        "mapper daemon",
        "mainpid",
        "quit",
        "listenstream79",
        "radius server",
        "d etcraddb",
        "protecthomeon",
        "default",
        "systemservice",
        "efiefi bootefi",
        "afinet afinet6",
        "afunix afinet",
        "oncalendar 0000",
        "privatetmptrue",
        "geoip legacy",
        "geoip2",
        "instance",
        "usergit",
        "scdconfig",
        "notice",
        "devinputmice t",
        "descriptiongps",
        "system",
        "sock refclock",
        "gpsdoptions",
        "devices",
        "daemon sockets",
        "2947",
        "bindipv6onlyyes",
        "usbauto",
        "usrbingpsdctl",
        "gps daemon",
        "afterdev",
        "gvmddata",
        "varlibgssproxy",
        "nonewprivileges",
        "privatetmp",
        "protecthome",
        "ieee",
        "etchostapd",
        "killmodemixed",
        "fcopy",
        "uncomment",
        "use sigterm",
        "sigkill i2pd",
        "sendsigkillyes",
        "limitnofile8192",
        "systemd",
        "analog",
        "shutting down",
        "iodineextip p",
        "iodineport p",
        "iodineuser",
        "tunip",
        "topdomain",
        "guessmainpidyes",
        "m node",
        "wants",
        "initiatorname",
        "io driver",
        "typeexec",
        "c etckcptun",
        "usernobody",
        "requireskeyboxd",
        "static device",
        "nofork",
        "restartalways",
        "linker cache",
        "hack",
        "use wants",
        "raise",
        "tasksmax",
        "tasksmax32768",
        "limitmemlock64m",
        "removeonstopyes",
        "ip socket",
        "tls ip",
        "conflictsgetty",
        "aftergetty",
        "busmodules",
        "qabr",
        "hwmonmodules",
        "local file",
        "privatenetwork",
        "lvm2",
        "initialization",
        "autoboot code",
        "s delegatetrue",
        "description",
        "pidfilerunlxc",
        "lynis service",
        "adjust path",
        "lynis binary",
        "lynis timer",
        "tell systemd",
        "lynis security",
        "persistentfalse",
        "container slice",
        "recover",
        "varcacheman",
        "regenerate man",
        "userroot nice19",
        "mysqldopts",
        "mysqldsafe",
        "timezone",
        "core",
        "restart",
        "users",
        "backlog150",
        "listenstreams",
        "servicemariadb",
        "mechanism",
        "mariadb",
        "multi instance",
        "variables",
        "bindirmdadm",
        "gnu general",
        "public license",
        "reshape",
        "onactivesec30",
        "oncalendar",
        "wantedby",
        "monitor",
        "allow mdmon",
        "takeover",
        "k none",
        "c devnull",
        "d runinitramfs",
        "p runmongodb",
        "limitnproc32000",
        "limitmemlock5",
        "device server",
        "requiredbydev",
        "d dev",
        "descriptionreal",
        "extraopts",
        "restartsec30",
        "valid",
        "fifo",
        "priority",
        "batch",
        "nice0",
        "partof",
        "tracking daemon",
        "helper",
        "for testing",
        "only",
        "restrict",
        "grant",
        "capsysptrace",
        "capkill",
        "capipclock",
        "environ",
        "capsysresource",
        "capsyslog",
        "descriptionname",
        "service cache",
        "sysvlsb",
        "descriptionhost",
        "network name",
        "group name",
        "u ntp",
        "time service",
        "t hibernate",
        "software",
        "other",
        "the software",
        "daemon init",
        "software is",
        "provided",
        "fcnvme",
        "wantsmodprobe",
        "aftermodprobe",
        "descriptionall",
        "nbft",
        "nvmeof",
        "connectargs",
        "unit file",
        "descriptionnvmf",
        "red hat",
        "without any",
        "warranty",
        "card daemon",
        "socketmode0666",
        "suite result",
        "kexec screen",
        "oncalendarsat",
        "boot screen",
        "timeoutsec20",
        "power off",
        "runtime data",
        "descriptionhold",
        "timeoutsec0",
        "sandboxing",
        "execstop",
        "colin walters",
        "upgrade",
        "upgrade output",
        "umask0077",
        "transport agent",
        "descriptionmake",
        "descriptionppp",
        "whatnfsd",
        "file formats",
        "automount point",
        "automount",
        "setuid nobody",
        "setgid nobody",
        "setcon",
        "syslog",
        "restartonabort",
        "halt screen",
        "reboot screen",
        "pgroot",
        "postgresql",
        "oom killer",
        "additional",
        "fy nice19",
        "endless os",
        "foundation llc",
        "restartsec0",
        "system quotas",
        "rabbitmq",
        "protecthometrue",
        "etcrathole",
        "guessmainpidno",
        "h etcrdnssd",
        "reflector",
        "afinet6 afunix",
        "umask177",
        "remote file",
        "nfs client",
        "nfsv23 locking",
        "make sure",
        "rpc netconfig",
        "descriptionfast",
        "using ssh",
        "so let",
        "boot",
        "realtimekit",
        "rwhodopts",
        "display manager",
        "specify",
        "interval l",
        "loginterval f",
        "bindstodev",
        "always",
        "usrbingrpck r",
        "slapdoptions",
        "u ldap",
        "slapdurls",
        "smart",
        "pciusb",
        "midi",
        "daemonopts",
        "snmp",
        "trap daemon",
        "g snort",
        "descriptionsudo",
        "hibernate",
        "svnserveargs",
        "whatfusectl",
        "whatconfigfs",
        "whatdebugfs",
        "whattracefs",
        "best way",
        "see https",
        "units service",
        "service slice",
        "offline system",
        "update",
        "wall directory",
        "timeoutsec90s",
        "descriptionmark",
        "current boot",
        "loader entry",
        "any system",
        "units",
        "loader random",
        "loader update",
        "service socket",
        "dump socket",
        "optionally",
        "root device",
        "afalg afinet",
        "execstophomectl",
        "home area",
        "named pipe",
        "sink service",
        "sink socket",
        "upload service",
        "dynamicuseryes",
        "sigkilled",
        "devlog",
        "timestampingus",
        "namespace",
        "sendbuffer8m",
        "kernel command",
        "netlink socket",
        "storage",
        "descriptionwait",
        "network",
        "make",
        "deviceallow",
        "reserve",
        "killer socket",
        "root file",
        "measurement",
        "pcr policy",
        "tpm pcr",
        "code",
        "configuration",
        "machine id",
        "barrier",
        "quota check",
        "system quota",
        "after",
        "random seed",
        "kernel file",
        "gpt partition",
        "kill switch",
        "nvmetcp",
        "trigger",
        "saturday",
        "persistentyes",
        "system update",
        "kernel time",
        "capsystime",
        "ntp service",
        "turn",
        "files",
        "device nodes",
        "srk setup",
        "device events",
        "bootshutdown",
        "change",
        "manager socket",
        "descriptiontinc",
        "proxy server",
        "linrunner",
        "descriptiontlp",
        "tor service",
        "f etctortorrc",
        "tpm device",
        "descriptionudp",
        "tcpicmpudp",
        "etcudp2raw",
        "debug",
        "swap",
        "api file",
        "privatedevices",
        "home",
        "root",
        "runuser",
        "linux control",
        "groups",
        "group",
        "afnetlink",
        "locked memory",
        "limitmemlock0",
        "usb gadget",
        "apple",
        "sliceuser",
        "descriptionuuid",
        "compatibility",
        "typerpcpipefs",
        "vmsvga",
        "hypervisor",
        "usr1",
        "mgmt appuser",
        "dac permission",
        "selinux",
        "xxx someone",
        "qemu",
        "machine tools",
        "vmware tools",
        "pidfilerunvpnc",
        "wacom",
        "iface d",
        "dspeed u",
        "iface",
        "descriptionwpa",
        "oracle",
        "reserved",
        "wong",
        "emailaddr",
        "tunnel protocol",
        "l2tp",
        "isps",
        "russia use",
        "ipsec",
        "d optxplico",
        "b sqlite",
        "descriptionxrdp",
        "xrdpoptions",
        "process",
        "sesmanoptions",
        "zpoolimportopts",
        "an o",
        "t scrub",
        "usrbinzpool",
        "zfs volume",
        "descriptionzfs",
        "f restartalways",
        "remainafterexit",
        "nmbdoptions",
        "smbdoptions",
        "successaction",
        "winbindoptions",
        "ck id",
        "hybrid analysis",
        "mitre att",
        "malicious",
        "sdshared ansi",
        "default und",
        "func global",
        "func local",
        "object local",
        "general",
        "show technique",
        "ck matrix",
        "tasksmax33",
        "empty file",
        "proxycommand",
        "checkhostip",
        "afunix",
        "afvsock",
        "allow",
        "r table",
        "chkbootcheck",
        "gplv2 source",
        "chkbootstyles",
        "etcissue",
        "partition",
        "minimizebest",
        "mit no",
        "match",
        "link",
        "namepolicykeep",
        "ethernet link",
        "kindveth nameve",
        "kindveth namevb",
        "keepmasteryes",
        "dhcpv4",
        "kindsit name6rd",
        "ipv4ll",
        "ipv6ll",
        "dhcpipv6ra",
        "dhcpv6",
        "typeether",
        "dhcpyes",
        "usetimezoneyes",
        "typewlan",
        "tuntap",
        "natdhcp",
        "kindtun namevt",
        "kind",
        "originalname",
        "definedby",
        "peer",
        "sopeergroups",
        "dbus protocol",
        "dbus name",
        "exec",
        "hup signal",
        "sighup",
        "dnssec",
        "sessionid",
        "seatid",
        "sleep",
        "leader",
        "jobresult",
        "coredumppid",
        "coredumpcomm",
        "junit",
        "na zapusk",
        "mikrasiekund",
        "enhed",
        "mikrosekunder",
        "opstart",
        "jobid",
        "a rendszer",
        "ezredmsodpercet",
        "a rendszernapl",
        "user manager",
        "smack",
        "lunit",
        "stato",
        "il processo",
        "il sistema",
        "stata",
        "le processus",
        "notez que",
        "jedinica",
        "zapamtite da",
        "nova",
        "jednostka",
        "prosz zauway",
        "zwykle wskazuje",
        "jest",
        "o processo",
        "processo",
        "isso",
        "inicializao",
        "journal",
        "sizelimit",
        "userid",
        "prozess",
        "speicherabbild",
        "hinweis auf",
        "programmfehler",
        "fehler dem",
        "die systemzeit",
        "realtime"
      ],
      "references": [
        "Hunting_B64Engine_DotNetToJScript_Dos.yar",
        "APT_Backdoor_PS1_BASICPIPESHELL_1.yar",
        "apt_sandworm_exim_expl.yar.002",
        "apt_sandworm_exim_expl.yar.001",
        "apt_sandworm_exim_expl.yar",
        "connect.php",
        "connect.php.002",
        "connect.php.001",
        "crypto-miner.js",
        "eicar",
        "eicar.001",
        "eicar.002",
        "custom.py",
        "eicar.txt",
        "expl_cve_2021_40444.yar.001",
        "expl_cve_2021_40444.yar.002",
        "getPerms.php",
        "input.pcap",
        "list.php",
        "parent.php",
        "payload.php",
        "payload.php.001",
        "kingdee-erp-rce.yaml",
        "payload.php.003",
        "payload.php.002",
        "payload.php.004",
        "payload.php.005",
        "payload.php.006",
        "payload.php.007",
        "payload.php.008",
        "payload.php.010",
        "payload.php.011",
        "payload.php.009",
        "payload.php.012",
        "payload.php.013",
        "payload.php.015",
        "payload.php.016",
        "payload.php.017",
        "reverse_tcp.py",
        "scanner.php",
        "search.php",
        "setdb.php",
        "payload.php.014",
        "setdb.php.001",
        "reader.php",
        "single.php",
        "resolv.conf",
        "systemd-update-helper",
        "90-systemd.preset",
        "60-flatpak",
        "app.slice",
        "background.slice",
        "README.md",
        "bluetooth.target",
        "basic.target",
        "borgmatic-user.timer",
        "borgmatic-user.service",
        "cape.service",
        "cape-dist.service",
        "cape-processor.service",
        "cape-rooter.service",
        "capsule@.target",
        "cape-web.service",
        "clash.service",
        "colord-session.service",
        "dbus.socket",
        "cape-fstab.service",
        "dbus.service",
        "dbus-broker.service",
        "dconf.service",
        "dirmngr.service",
        "default.target",
        "drkonqi-coredump-cleanup.service",
        "dirmngr.socket",
        "drkonqi-coredump-cleanup.timer",
        "drkonqi-coredump-launcher.socket",
        "drkonqi-sentry-postman.path",
        "drkonqi-coredump-pickup.service",
        "drkonqi-sentry-postman.service",
        "drkonqi-sentry-postman.timer",
        "drkonqi-coredump-launcher@.service",
        "dunst.service",
        "flatpak-oci-authenticator.service",
        "filter-chain.service",
        "exit.target",
        "flatpak-session-helper.service",
        "fluidsynth.service",
        "gcr-ssh-agent.socket",
        "flatpak-portal.service",
        "gcr-ssh-agent.service",
        "gnome-keyring-daemon.service",
        "glib-pacrunner.service",
        "gnome-keyring-daemon.socket",
        "gpg-agent-ssh.socket",
        "gnome-terminal-server.service",
        "gpg-agent-extra.socket",
        "gpg-agent.service",
        "gpg-agent.socket",
        "gpg-agent-browser.socket",
        "graphical-session-pre.target",
        "graphical-session.target",
        "gssuserproxy.socket",
        "guacd.service",
        "gvfs-gphoto2-volume-monitor.service",
        "gvfs-daemon.service",
        "gssuserproxy.service",
        "gvfs-afc-volume-monitor.service",
        "gvfs-metadata.service",
        "jack@.service",
        "guac-web.service",
        "gvfs-udisks2-volume-monitor.service",
        "gvfs-mtp-volume-monitor.service",
        "kde-baloo.service",
        "keyboxd.service",
        "kio-fuse.service",
        "keyboxd.socket",
        "p11-kit-server.service",
        "p11-kit-server.socket",
        "paths.target",
        "pipewire.socket",
        "pipewire-pulse.service",
        "plasma-gmenudbusmenuproxy.service",
        "pipewire-pulse.socket",
        "plasma-baloorunner.service",
        "plasma-kcminit.service",
        "plasma-dolphin.service",
        "plasma-kcminit-phase1.service",
        "plasma-core.target",
        "plasma-kded.service",
        "pipewire.service",
        "plasma-kded6.service",
        "plasma-kglobalaccel.service",
        "at-spi-dbus-bus.service",
        "plasma-krunner.service",
        "plasma-kscreen.service",
        "plasma-kscreen-osd.service",
        "plasma-ksmserver.service",
        "plasma-ksplash.service",
        "plasma-ksplash-ready.service",
        "plasma-ksystemstats.service",
        "plasma-kwallet-pam.service",
        "plasma-kwin_wayland.service",
        "plasma-kwin_x11.service",
        "plasma-plasmashell.service",
        "plasma-polkit-agent.service",
        "plasma-powerdevil.service",
        "plasma-powerprofile-osd.service",
        "plasma-restoresession.service",
        "plasma-workspace.target",
        "plasma-workspace-wayland.target",
        "plasma-workspace-x11.target",
        "plasma-xdg-desktop-portal-kde.service",
        "plasma-xembedsniproxy.service",
        "podman.service",
        "podman.socket",
        "podman-auto-update.service",
        "podman-auto-update.timer",
        "podman-kube@.service",
        "podman-restart.service",
        "printer.target",
        "pulseaudio.service",
        "pulseaudio.socket",
        "pulseaudio-x11.service",
        "session.slice",
        "shutdown.target",
        "smartcard.target",
        "sockets.target",
        "sound.target",
        "ssh-agent.service",
        "suricata.service",
        "suricata-update.service",
        "suricata-update.timer",
        "systemd-exit.service",
        "systemd-tmpfiles-clean.service",
        "systemd-tmpfiles-clean.timer",
        "systemd-tmpfiles-setup.service",
        "thunar.service",
        "timers.target",
        "tracker-xdg-portal-3.service",
        "tumblerd.service",
        "wireplumber.service",
        "wireplumber@.service",
        "xdg-desktop-autostart.target",
        "xdg-desktop-portal.service",
        "xdg-desktop-portal-gtk.service",
        "xdg-desktop-portal-hyprland.service",
        "xdg-desktop-portal-rewrite-launchers.service",
        "xdg-desktop-portal-xapp.service",
        "xdg-permission-store.service",
        "xdg-user-dirs-update.service",
        "xfce4-notifyd.service",
        "xsettingsd.service",
        "xdg-document-portal.service",
        "https://hybrid-analysis.com/sample/b1a9e5be43c028442c07071e202f44f33e3a2df167822c5cfed8f998e01fe169/661da09794b343782806018e",
        "defaults.conf",
        "apparmor.conf",
        "nvidia",
        "tlp",
        "fwupd.shutdown",
        "mdadm.shutdown",
        "99-default.preset",
        "50-zfs.preset",
        "ibft-rule-generator",
        "10-arch",
        "60-flatpak-system-only",
        "3proxy.service",
        "apache-tika.service",
        "apparmor.service",
        "arch-audit.service",
        "arch-audit.timer",
        "NetworkManager-dispatcher.service",
        "NetworkManager-wait-online.service",
        "NetworkManager.service",
        "SUSE-mdadm_env.sh",
        "ModemManager.service",
        "3proxy.conf",
        "archlinux-keyring-wkd-sync.service",
        "adsl.service",
        "accounts-daemon.service",
        "adb.service",
        "alsa-restore.service",
        "alsa-state.service",
        "archlinux-keyring-wkd-sync.timer",
        "ananicy-cpp.service",
        "arcolinux-graphical-target.service",
        "atftpd.service",
        "audit-rules.service",
        "auditd.service",
        "auth-rpcgss-module.service",
        "autorandr.service",
        "autorandr-lid-listener.service",
        "autovt@.service",
        "avahi-daemon.service",
        "avahi-daemon.socket",
        "avahi-dnsconfd.service",
        "bettercap.service",
        "betterlockscreen@.service",
        "blk-availability.service",
        "blockdev@.target",
        "bluetooth.service",
        "bmc-watchdog.service",
        "bolt.service",
        "boot-complete.target",
        "borgmatic.service",
        "borgmatic.timer",
        "bpftune.service",
        "btrfs-scrub@.service",
        "btrfs-scrub@.timer",
        "canberra-system-bootup.service",
        "canberra-system-shutdown.service",
        "canberra-system-shutdown-reboot.service",
        "capsule.slice",
        "capsule@.service",
        "celery2@.service",
        "celery@.service",
        "chkboot.service",
        "clamav-clamonacc.service",
        "clamav-daemon.service",
        "clamav-daemon.socket",
        "clamav-freshclam.service",
        "clamav-freshclam-once.service",
        "clamav-freshclam-once.timer",
        "clamav-unofficial-sigs.service",
        "clamav-unofficial-sigs.timer",
        "clash@.service",
        "cntlm.service",
        "colord.service",
        "configure-printer@.service",
        "console-getty.service",
        "container-getty@.service",
        "containerd.service",
        "couchdb.service",
        "cpupower.service",
        "create_ap.service",
        "cronie.service",
        "cryptsetup.target",
        "cryptsetup-pre.target",
        "ctrl-alt-del.target",
        "cups.path",
        "cups.service",
        "cups.socket",
        "cups-lpd.socket",
        "cups-lpd@.service",
        "cxl-monitor.service",
        "darkstat.service",
        "daxdev-reconfigure@.service",
        "dbus-org.freedesktop.hostname1.service",
        "dbus-org.freedesktop.import1.service",
        "dbus-org.freedesktop.locale1.service",
        "dbus-org.freedesktop.login1.service",
        "dbus-org.freedesktop.machine1.service",
        "dbus-org.freedesktop.portable1.service",
        "dbus-org.freedesktop.timedate1.service",
        "debug-shell.service",
        "dev-hugepages.mount",
        "dev-mqueue.mount",
        "dhclient@.service",
        "dhcpd4.service",
        "dhcpd6.service",
        "dirmngr@.service",
        "dirmngr@.socket",
        "dm-event.service",
        "dm-event.socket",
        "dmraid.service",
        "dnscrypt-proxy.service",
        "dnsmasq.service",
        "docker.service",
        "docker.socket",
        "drkonqi-coredump-processor@.service",
        "e2scrub@.service",
        "e2scrub_all.service",
        "e2scrub_all.timer",
        "e2scrub_fail@.service",
        "e2scrub_reap.service",
        "ead.service",
        "elasticsearch.service",
        "elasticsearch-keystore.service",
        "elasticsearch-keystore@.service",
        "elasticsearch@.service",
        "emergency.service",
        "emergency.target",
        "epmd.service",
        "epmd.socket",
        "exabgp.service",
        "factory-reset.target",
        "fancontrol.service",
        "fastnetmon.service",
        "final.target",
        "finger.socket",
        "finger@.service",
        "first-boot-complete.target",
        "flatpak-system-helper.service",
        "freeradius.service",
        "fsidd.service",
        "fstrim.service",
        "fstrim.timer",
        "ftpd.service",
        "fwupd.service",
        "fwupd-offline-update.service",
        "fwupd-refresh.service",
        "fwupd-refresh.timer",
        "geoclue.service",
        "geoipupdate.service",
        "geoipupdate.timer",
        "getty.target",
        "getty-pre.target",
        "getty@.service",
        "git-daemon.socket",
        "git-daemon@.service",
        "gnupg-pkcs11-scd-proxy.service",
        "gpg-agent-browser@.socket",
        "gpg-agent-extra@.socket",
        "gpg-agent-ssh@.socket",
        "gpg-agent@.service",
        "gpg-agent@.socket",
        "gpm.path",
        "gpm.service",
        "gpsd.service",
        "gpsd.socket",
        "gpsdctl@.service",
        "graphical.target",
        "greenbone-certdata-sync.service",
        "greenbone-certdata-sync.timer",
        "greenbone-feed-sync.service",
        "greenbone-feed-sync.timer",
        "greenbone-nvt-sync.service",
        "greenbone-nvt-sync.timer",
        "greenbone-scapdata-sync.service",
        "greenbone-scapdata-sync.timer",
        "gssproxy.service",
        "gvmd.service",
        "halt.target",
        "healthd.service",
        "hibernate.target",
        "hostapd.service",
        "hostapd@.service",
        "httpd.service",
        "hv_fcopy_daemon.service",
        "hv_kvp_daemon.service",
        "hv_vss_daemon.service",
        "hybrid-sleep.target",
        "i2pd.service",
        "iiod.service",
        "initrd.target",
        "initrd-cleanup.service",
        "initrd-fs.target",
        "initrd-parse-etc.service",
        "initrd-root-device.target",
        "initrd-root-fs.target",
        "initrd-switch-root.service",
        "initrd-switch-root.target",
        "initrd-udevadm-cleanup-db.service",
        "initrd-usr-fs.target",
        "integritysetup.target",
        "integritysetup-pre.target",
        "iodined.service",
        "iodined.socket",
        "ip2clued.service",
        "ip6tables.service",
        "ipmidetectd.service",
        "ipmiseld.service",
        "iptables.service",
        "iscsi.service",
        "iscsi-init.service",
        "iscsid.service",
        "iscsid.socket",
        "iscsiuio.service",
        "iscsiuio.socket",
        "isnsd.service",
        "isnsd.socket",
        "iwd.service",
        "kcptun-server@.service",
        "kcptun@.service",
        "kexec.target",
        "keyboxd@.service",
        "keyboxd@.socket",
        "kmod-static-nodes.service",
        "krb5-kadmind.service",
        "krb5-kdc.service",
        "krb5-kpropd.service",
        "krb5-kpropd.socket",
        "krb5-kpropd@.service",
        "lastlog2-import.service",
        "ldconfig.service",
        "libvirt-guests.service",
        "libvirtd.service",
        "libvirtd.socket",
        "libvirtd-admin.socket",
        "libvirtd-ro.socket",
        "libvirtd-tcp.socket",
        "libvirtd-tls.socket",
        "lightdm.service",
        "lm_sensors.service",
        "local-fs.target",
        "local-fs-pre.target",
        "logrotate.service",
        "logrotate.timer",
        "lvm2-lvmpolld.service",
        "lvm2-lvmpolld.socket",
        "lvm2-monitor.service",
        "lxc.service",
        "lxc-auto.service",
        "lxc-monitord.service",
        "lxc-net.service",
        "lxc@.service",
        "lxdm.service",
        "ly.service",
        "lynis.service",
        "lynis.timer",
        "machine.slice",
        "machines.target",
        "man-db.service",
        "man-db.timer",
        "mariadb.service",
        "mariadb.socket",
        "mariadb-extra.socket",
        "mariadb-extra@.socket",
        "mariadb@.service",
        "mariadb@.socket",
        "mdadm-grow-continue@.service",
        "mdadm-last-resort@.service",
        "mdadm-last-resort@.timer",
        "mdcheck_continue.service",
        "mdcheck_continue.timer",
        "mdcheck_start.service",
        "mdcheck_start.timer",
        "mdmon@.service",
        "mdmonitor.service",
        "mdmonitor-oneshot.service",
        "mdmonitor-oneshot.timer",
        "memavaild.service",
        "mkinitcpio-generate-shutdown-ramfs.service",
        "modprobe@.service",
        "mongodb.service",
        "multi-user.target",
        "mysql.service",
        "mysqld.service",
        "named.service",
        "nbd.service",
        "nbd@.service",
        "ndctl-monitor.service",
        "neo4j.service",
        "netavark-dhcp-proxy.service",
        "netavark-dhcp-proxy.socket",
        "netdata.service",
        "network.target",
        "network-online.target",
        "network-pre.target",
        "nfs-blkmap.service",
        "nfs-client.target",
        "nfs-idmapd.service",
        "nfs-mountd.service",
        "nfs-server.service",
        "nfs-utils.service",
        "nfsdcld.service",
        "nfsv4-exportd.service",
        "nfsv4-server.service",
        "nftables.service",
        "nm-priv-helper.service",
        "nmb.service",
        "nohang.service",
        "nohang-desktop.service",
        "nscd.service",
        "nss-lookup.target",
        "nss-user-lookup.target",
        "ntpd.service",
        "ntpdate.service",
        "nvidia-hibernate.service",
        "nvidia-persistenced.service",
        "nvidia-powerd.service",
        "nvidia-resume.service",
        "nvidia-suspend.service",
        "nvmefc-boot-connections.service",
        "nvmf-autoconnect.service",
        "nvmf-connect.target",
        "nvmf-connect-nbft.service",
        "nvmf-connect@.service",
        "pacrunner.service",
        "ostree-boot-complete.service",
        "pacman-filesdb-refresh.timer",
        "pcscd.service",
        "passim.service",
        "pcscd.socket",
        "packagekit-offline-update.service",
        "phoronix-result-server.service",
        "paccache.timer",
        "plymouth-kexec.service",
        "pamac-cleancache.timer",
        "plymouth-quit.service",
        "partimaged.service",
        "plymouth-poweroff.service",
        "plymouth-read-write.service",
        "plymouth-quit-wait.service",
        "paccache.service",
        "plymouth-switch-root-initramfs.service",
        "ostree-remount.service",
        "plymouth-switch-root.service",
        "openvpn-client@.service",
        "podman-clean-transient.service",
        "pamac-offline-upgrade.service",
        "polkit.service",
        "postfix.service",
        "pam_namespace.service",
        "poweroff.target",
        "ppp@.service",
        "opensnitchd.service",
        "proc-fs-nfsd.mount",
        "proc-sys-fs-binfmt_misc.automount",
        "proc-sys-fs-binfmt_misc.mount",
        "phoromatic-server.service",
        "ptunnel.service",
        "openvpn-server@.service",
        "plymouth-halt.service",
        "pamac-cleancache.service",
        "plymouth-reboot.service",
        "ostree-state-overlay@.service",
        "ostree-finalize-staged.service",
        "postgresql.service",
        "phoromatic-client.service",
        "pamac-daemon.service",
        "pacman-filesdb-refresh.service",
        "packagekit.service",
        "pkgfile-update.service",
        "pkgfile-update.timer",
        "plymouth-start.service",
        "ostree-prepare-root.service",
        "ostree-finalize-staged.path",
        "privoxy.service",
        "ostree-finalize-staged-hold.service",
        "qemu-guest-agent.service",
        "quotaon.service",
        "quotaon-root.service",
        "quotaon@.service",
        "rabbitmq.service",
        "ras-mc-ctl.service",
        "rasdaemon.service",
        "rathole@.service",
        "ratholec@.service",
        "ratholes@.service",
        "rc-local.service",
        "rdnssd@.service",
        "reboot.target",
        "redis.service",
        "redis-sentinel.service",
        "reflector.service",
        "reflector.timer",
        "remote-cryptsetup.target",
        "remote-fs.target",
        "remote-fs-pre.target",
        "remote-veritysetup.target",
        "rescue.service",
        "rescue.target",
        "rfkill-block@.service",
        "rfkill-unblock@.service",
        "rlogin.socket",
        "rlogin@.service",
        "rpc-gssd.service",
        "rpc-statd.service",
        "rpc-statd-notify.service",
        "rpc_pipefs.target",
        "rpcbind.service",
        "rpcbind.socket",
        "rpcbind.target",
        "rsh.socket",
        "rsh@.service",
        "rsyncd.service",
        "rsyncd.socket",
        "rsyncd@.service",
        "rtkit-daemon.service",
        "runlevel0.target",
        "runlevel1.target",
        "runlevel2.target",
        "runlevel3.target",
        "runlevel4.target",
        "runlevel5.target",
        "runlevel6.target",
        "rwhod.service",
        "samba.service",
        "sddm.service",
        "seatd.service",
        "sensord.service",
        "serial-getty@.service",
        "shadow.service",
        "shadow.timer",
        "sigpwr.target",
        "slapd.service",
        "sleep.target",
        "slices.target",
        "smartd.service",
        "smb.service",
        "sndiod.service",
        "snmpd.service",
        "snmptrapd.service",
        "snort@.service",
        "snort@1000.service",
        "soft-reboot.target",
        "ssh-access.target",
        "sshd.service",
        "sshdgenkeys.service",
        "sshuttle.service",
        "sslh.service",
        "sslh-fork.service",
        "sslh-select.service",
        "storage-target-mode.target",
        "stunnel.service",
        "sudo_logsrvd.service",
        "suspend.target",
        "suspend-then-hibernate.target",
        "svnserve.service",
        "swap.target",
        "sys-fs-fuse-connections.mount",
        "sys-kernel-config.mount",
        "sys-kernel-debug.mount",
        "sys-kernel-tracing.mount",
        "sysinit.target",
        "syslog.socket",
        "system-systemd\\x2dcryptsetup.slice",
        "system-systemd\\x2dveritysetup.slice",
        "system-update.target",
        "system-update-cleanup.service",
        "system-update-pre.target",
        "systemd-ask-password-console.path",
        "systemd-ask-password-console.service",
        "systemd-ask-password-plymouth.path",
        "systemd-ask-password-plymouth.service",
        "systemd-ask-password-wall.path",
        "systemd-ask-password-wall.service",
        "systemd-backlight@.service",
        "systemd-battery-check.service",
        "systemd-binfmt.service",
        "systemd-bless-boot.service",
        "systemd-boot-check-no-failures.service",
        "systemd-boot-random-seed.service",
        "systemd-boot-update.service",
        "systemd-bootctl.socket",
        "systemd-bootctl@.service",
        "systemd-bsod.service",
        "systemd-confext.service",
        "systemd-coredump.socket",
        "systemd-coredump@.service",
        "systemd-creds.socket",
        "systemd-creds@.service",
        "systemd-firstboot.service",
        "systemd-fsck-root.service",
        "systemd-fsck@.service",
        "systemd-growfs-root.service",
        "systemd-growfs@.service",
        "systemd-halt.service",
        "systemd-hibernate.service",
        "systemd-hibernate-resume.service",
        "systemd-homed.service",
        "systemd-homed-activate.service",
        "systemd-homed-firstboot.service",
        "systemd-hostnamed.service",
        "systemd-hostnamed.socket",
        "systemd-hwdb-update.service",
        "systemd-hybrid-sleep.service",
        "systemd-importd.service",
        "systemd-initctl.service",
        "systemd-initctl.socket",
        "systemd-journal-catalog-update.service",
        "systemd-journal-flush.service",
        "systemd-journal-gatewayd.service",
        "systemd-journal-gatewayd.socket",
        "systemd-journal-remote.service",
        "systemd-journal-remote.socket",
        "systemd-journal-upload.service",
        "systemd-journald.service",
        "systemd-journald.socket",
        "systemd-journald-audit.socket",
        "systemd-journald-dev-log.socket",
        "systemd-journald-varlink@.socket",
        "systemd-journald@.service",
        "systemd-journald@.socket",
        "systemd-kexec.service",
        "systemd-localed.service",
        "systemd-logind.service",
        "systemd-machine-id-commit.service",
        "systemd-machined.service",
        "systemd-modules-load.service",
        "systemd-network-generator.service",
        "systemd-networkd.service",
        "systemd-networkd.socket",
        "systemd-networkd-persistent-storage.service",
        "systemd-networkd-wait-online.service",
        "systemd-networkd-wait-online@.service",
        "systemd-nspawn@.service",
        "systemd-oomd.service",
        "systemd-oomd.socket",
        "systemd-pcrextend.socket",
        "systemd-pcrextend@.service",
        "systemd-pcrfs-root.service",
        "systemd-pcrfs@.service",
        "systemd-pcrlock.socket",
        "systemd-pcrlock-file-system.service",
        "systemd-pcrlock-firmware-code.service",
        "systemd-pcrlock-firmware-config.service",
        "systemd-pcrlock-machine-id.service",
        "systemd-pcrlock-make-policy.service",
        "systemd-pcrlock-secureboot-authority.service",
        "systemd-pcrlock-secureboot-policy.service",
        "systemd-pcrlock@.service",
        "systemd-pcrmachine.service",
        "systemd-pcrphase.service",
        "systemd-pcrphase-initrd.service",
        "systemd-pcrphase-sysinit.service",
        "systemd-portabled.service",
        "systemd-poweroff.service",
        "systemd-pstore.service",
        "systemd-quotacheck.service",
        "systemd-quotacheck-root.service",
        "systemd-quotacheck@.service",
        "systemd-random-seed.service",
        "systemd-reboot.service",
        "systemd-remount-fs.service",
        "systemd-repart.service",
        "systemd-resolved.service",
        "systemd-rfkill.service",
        "systemd-rfkill.socket",
        "systemd-soft-reboot.service",
        "systemd-storagetm.service",
        "systemd-suspend.service",
        "systemd-suspend-then-hibernate.service",
        "systemd-sysctl.service",
        "systemd-sysext.service",
        "systemd-sysext.socket",
        "systemd-sysext@.service",
        "systemd-sysupdate.service",
        "systemd-sysupdate.timer",
        "systemd-sysupdate-reboot.service",
        "systemd-sysupdate-reboot.timer",
        "systemd-sysusers.service",
        "systemd-time-wait-sync.service",
        "systemd-timedated.service",
        "systemd-timesyncd.service",
        "systemd-tmpfiles-setup-dev.service",
        "systemd-tmpfiles-setup-dev-early.service",
        "systemd-tpm2-setup.service",
        "systemd-tpm2-setup-early.service",
        "systemd-udev-trigger.service",
        "systemd-udevd.service",
        "systemd-udevd-control.socket",
        "systemd-udevd-kernel.socket",
        "systemd-update-done.service",
        "systemd-update-utmp.service",
        "systemd-update-utmp-runlevel.service",
        "systemd-user-sessions.service",
        "systemd-userdbd.service",
        "systemd-userdbd.socket",
        "systemd-vconsole-setup.service",
        "systemd-vmspawn@.service",
        "systemd-volatile-root.service",
        "systemd-zram-setup@.service",
        "talk.service",
        "talk.socket",
        "teamd@.service",
        "telnet.socket",
        "telnet@.service",
        "time-set.target",
        "time-sync.target",
        "tinc.service",
        "tinc@.service",
        "tinyproxy.service",
        "tlp.service",
        "tmp.mount",
        "tor.service",
        "tpm2.target",
        "udisks2.service",
        "udp2raw@.service",
        "ufw.service",
        "uksmd.service",
        "umount.target",
        "unbound.service",
        "updatedb.service",
        "updatedb.timer",
        "upower.service",
        "usb-gadget.target",
        "usb_modeswitch@.service",
        "usbipd.service",
        "usbmuxd.service",
        "user.slice",
        "user-runtime-dir@.service",
        "user@.service",
        "uuidd.service",
        "uuidd.socket",
        "var-lib-machines.mount",
        "var-lib-nfs-rpc_pipefs.mount",
        "vboxdrmclient.path",
        "vboxdrmclient.service",
        "vboxservice.service",
        "veritysetup.target",
        "veritysetup-pre.target",
        "virt-guest-shutdown.target",
        "virtchd.service",
        "virtchd.socket",
        "virtchd-admin.socket",
        "virtchd-ro.socket",
        "virtinterfaced.service",
        "virtinterfaced.socket",
        "virtinterfaced-admin.socket",
        "virtinterfaced-ro.socket",
        "virtlockd.service",
        "virtlockd.socket",
        "virtlockd-admin.socket",
        "virtlogd.service",
        "virtlogd.socket",
        "virtlogd-admin.socket",
        "virtlxcd.service",
        "virtlxcd.socket",
        "virtlxcd-admin.socket",
        "virtlxcd-ro.socket",
        "virtnetworkd.service",
        "virtnetworkd.socket",
        "virtnetworkd-admin.socket",
        "virtnetworkd-ro.socket",
        "virtnodedevd.service",
        "virtnodedevd.socket",
        "virtnodedevd-admin.socket",
        "virtnodedevd-ro.socket",
        "virtnwfilterd.service",
        "virtnwfilterd.socket",
        "virtnwfilterd-admin.socket",
        "virtnwfilterd-ro.socket",
        "virtproxyd.service",
        "virtproxyd.socket",
        "virtproxyd-admin.socket",
        "virtproxyd-ro.socket",
        "virtproxyd-tcp.socket",
        "virtproxyd-tls.socket",
        "virtqemud.service",
        "virtqemud.socket",
        "virtqemud-admin.socket",
        "virtqemud-ro.socket",
        "virtsecretd.service",
        "virtsecretd.socket",
        "virtsecretd-admin.socket",
        "virtsecretd-ro.socket",
        "virtstoraged.service",
        "virtstoraged.socket",
        "virtstoraged-admin.socket",
        "virtstoraged-ro.socket",
        "virtvboxd.service",
        "virtvboxd.socket",
        "virtvboxd-admin.socket",
        "virtvboxd-ro.socket",
        "vmtoolsd.service",
        "vmware-vmblock-fuse.service",
        "vpnc@.service",
        "wacom-inputattach@.service",
        "wg-quick.target",
        "wg-quick@.service",
        "winbind.service",
        "wondershaper.service",
        "wpa_supplicant.service",
        "wpa_supplicant-nl80211@.service",
        "wpa_supplicant-wired@.service",
        "wpa_supplicant@.service",
        "xfs_scrub@.service",
        "xfs_scrub_all.service",
        "xfs_scrub_all.timer",
        "xfs_scrub_fail@.service",
        "xl2tpd.service",
        "xplico.service",
        "xrdp.service",
        "xrdp-sesman.service",
        "yate.service",
        "zfs.target",
        "zfs-import.service",
        "zfs-import.target",
        "zfs-import-cache.service",
        "zfs-import-scan.service",
        "zfs-load-key.service",
        "zfs-mount.service",
        "zfs-scrub-monthly@.timer",
        "zfs-scrub-weekly@.timer",
        "zfs-scrub@.service",
        "zfs-share.service",
        "zfs-trim-monthly@.timer",
        "zfs-trim-weekly@.timer",
        "zfs-trim@.service",
        "zfs-volume-wait.service",
        "zfs-volumes.target",
        "zfs-zed.service",
        "plymouth.conf",
        "gpg-agent-ssh@etc-pacman.d-gnupg.socket",
        "keyboxd@etc-pacman.d-gnupg.socket",
        "dirmngr@etc-pacman.d-gnupg.socket",
        "gpg-agent-browser@etc-pacman.d-gnupg.socket",
        "gpg-agent-extra@etc-pacman.d-gnupg.socket",
        "gpg-agent@etc-pacman.d-gnupg.socket",
        "https://hybrid-analysis.com/sample/ff42428f0fcc346cc56e2b00d4b5c4bd43b55f3465b4ccab0efba9c88f4a1c03/661da0b063c895fc2d0a78dc",
        "https://hybrid-analysis.com/sample/9613dee39157b5f9935436b36647047e267b7c10fa4c7ab1fd995db681e58c12/661da5b202eaca78740cf4ed",
        "https://hybrid-analysis.com/sample/479a0170df010c5eb742ff1b8740a2ccf381df44c8a919c95d6e38685278e78a/661da5c768340c1e25092cb2",
        "50-rc_keymap.conf",
        "10-defaults.conf",
        "10-login-barrier.conf",
        "20-systemd-userdb.conf",
        "20-systemd-ssh-proxy.conf",
        "iptables-flush",
        "cpupower",
        "chkboot-bootcheck",
        "10-root.conf",
        "30-root-verity-sig.conf",
        "20-root-verity.conf",
        "80-systemd-timesync.list",
        "80-6rd-tunnel.link",
        "80-container-ve.network",
        "80-container-vb.network",
        "80-container-vz.link",
        "80-6rd-tunnel.network",
        "80-container-vz.network",
        "80-auto-link-local.network.example",
        "80-ethernet.network.example",
        "80-container-host0.network",
        "80-iwd.link",
        "80-container-vb.link",
        "80-vm-vt.link",
        "80-vm-vt.network",
        "80-wifi-adhoc.network",
        "80-wifi-ap.network.example",
        "80-wifi-station.network.example",
        "80-container-ve.link",
        "89-ethernet.network.example",
        "99-default.link",
        "dbus-broker.catalog",
        "dbus-broker-launch.catalog",
        "systemd.be.catalog",
        "systemd.be@latin.catalog",
        "systemd.da.catalog",
        "systemd.bg.catalog",
        "systemd.hu.catalog",
        "systemd.catalog",
        "systemd.it.catalog",
        "systemd.fr.catalog",
        "systemd.ko.catalog",
        "systemd.hr.catalog",
        "systemd.pl.catalog",
        "systemd.pt_BR.catalog",
        "systemd.ru.catalog",
        "systemd.sr.catalog",
        "systemd.zh_CN.catalog",
        "systemd.de.catalog",
        "systemd.zh_TW.catalog",
        "expl_cve_2021_40444.yar"
      ],
      "public": 1,
      "adversary": "Chinese Speaking",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "RemainAfterExit",
          "display_name": "RemainAfterExit",
          "target": null
        },
        {
          "id": "NMBDOPTIONS",
          "display_name": "NMBDOPTIONS",
          "target": null
        },
        {
          "id": "SMBDOPTIONS",
          "display_name": "SMBDOPTIONS",
          "target": null
        },
        {
          "id": "SuccessAction",
          "display_name": "SuccessAction",
          "target": null
        },
        {
          "id": "WINBINDOPTIONS",
          "display_name": "WINBINDOPTIONS",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1205",
          "name": "Traffic Signaling",
          "display_name": "T1205 - Traffic Signaling"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1543",
          "name": "Create or Modify System Process",
          "display_name": "T1543 - Create or Modify System Process"
        },
        {
          "id": "T1569",
          "name": "System Services",
          "display_name": "T1569 - System Services"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1114",
          "name": "Email Collection",
          "display_name": "T1114 - Email Collection"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "661db37bf549518bf6f7f377",
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 123,
        "YARA": 16,
        "CVE": 4,
        "FileHash-SHA1": 25,
        "FileHash-SHA256": 20,
        "domain": 102,
        "URL": 16,
        "email": 9,
        "hostname": 4,
        "CIDR": 2
      },
      "indicator_count": 321,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 66,
      "modified_text": "3 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "661db37bf549518bf6f7f377",
      "name": "Backup from 03-28-24 - Systemd dump, malicious ssh and sshd files, libsystemd-vore libsystemd-shared plus supporting php files",
      "description": "Ignoring the YARA and EICAR files - I was able to recover a partition used for backups from 03/25/24-03/29/24; the day of the XZ supply chain disclosure. This is a preliminary dump, with accompanying analysis and SHA-1 and SHA-256 hashes, of my /usr/lib/systemd directory, which housed multiple suspect ssh subdirectories plus malicious libsystemd-shared and libsystemd-core binaries, and all supporting config, dev, service, and binaries. Dig in.",
      "modified": "2024-04-23T14:28:30.317000",
      "created": "2024-04-15T23:08:43.746000",
      "tags": [
        "fireeye",
        "copyright",
        "base64",
        "dotnettojscript",
        "gadgettojscript",
        "invokeclient",
        "invokeserver",
        "readhost enter",
        "command",
        "roth",
        "nextron",
        "sandworm",
        "detects ssh",
        "grant all",
        "privileges on",
        "to mysqldb",
        "create user",
        "g root",
        "sandworm python",
        "import",
        "phpsploit",
        "host",
        "user",
        "pass",
        "error",
        "establish",
        "pecl oci8",
        "connstr",
        "charset",
        "false",
        "miner",
        "texthtml",
        "module",
        "send custom",
        "swissky",
        "class",
        "serviceip",
        "serviceport",
        "servicedata",
        "e binsh",
        "init",
        "service port",
        "detects",
        "cve202140444",
        "target",
        "targetmode",
        "jeremy brown",
        "windows cve",
        "ms office",
        "modified rule",
        "rperm",
        "wperm",
        "pathsep",
        "string",
        "rwxrxrx",
        "file types",
        "unix",
        "login",
        "autentication",
        "disable",
        "ldapconnect",
        "version",
        "authentication",
        "ldaplist",
        "null",
        "pathelems",
        "execute",
        "backdoor",
        "kingdee oa",
        "yunxingkong",
        "b6oa",
        "code execution",
        "kingdee cloud",
        "starry sky",
        "otherwise",
        "file",
        "setsmartdate",
        "fread",
        "name",
        "force",
        "base64decode",
        "data",
        "substr",
        "array",
        "readdir",
        "getowner",
        "getgroup",
        "getsize",
        "force option",
        "fwrite",
        "permission",
        "check",
        "mode",
        "diraccess",
        "fileaccess",
        "realpath",
        "stat",
        "immutable",
        "posixgetpwuid",
        "posixgetgrgid",
        "explode",
        "etcpasswd",
        "glob",
        "globonlydir",
        "oraclelogin",
        "port",
        "servicename",
        "connector",
        "base",
        "query type",
        "mssqlfetcharray",
        "mssqlassoc",
        "solsocket",
        "timeout",
        "range",
        "portmin",
        "portmax",
        "socketcreate",
        "afinet",
        "sockstream",
        "open",
        "type",
        "true",
        "tcp connection",
        "tcp shell",
        "input",
        "lhost",
        "netcat",
        "lport",
        "shell",
        "dllimport",
        "python",
        "back",
        "fore",
        "pfinet",
        "stdout",
        "this",
        "win32",
        "ldapsearch",
        "select",
        "mysqliassoc",
        "select database",
        "send",
        "newfile",
        "dns stub",
        "third party",
        "see man",
        "exit",
        "o pipefail",
        "v systemctl",
        "devnull",
        "unknown verb",
        "license",
        "gnu lesser",
        "general public",
        "free software",
        "foundation",
        "unit",
        "slice",
        "cpuweight100",
        "tasks slice",
        "cpuweight30",
        "capev2",
        "cape",
        "cuckoo web",
        "setup",
        "grep",
        "limitnofile",
        "install",
        "return",
        "execstart",
        "start",
        "descriptionrun",
        "timer",
        "oncalendardaily",
        "service",
        "prevent rate",
        "delay start",
        "m poetry",
        "sigkill",
        "descriptioncape",
        "ef usercape",
        "g cape",
        "allowisolateyes",
        "typedbus",
        "socket",
        "message bus",
        "listenstream",
        "typenotify",
        "descriptionuser",
        "harald sitter",
        "sitter",
        "kcrash",
        "drkonqi",
        "acceptyes",
        "disable trigger",
        "todo",
        "prevents",
        "path",
        "pathexistsglob",
        "runtimemaxsec31",
        "runtimemaxsec30",
        "restartno",
        "descriptionexit",
        "environmentfile",
        "otheropts",
        "soundfont",
        "descriptiongcr",
        "sshauthsock",
        "descriptionglib",
        "priority6",
        "killmodeprocess",
        "proxy",
        "socketmode0600",
        "apache software",
        "notice file",
        "apache license",
        "unless",
        "as is",
        "basis",
        "or conditions",
        "apple file",
        "conduit monitor",
        "descriptionjack",
        "jackoptions d",
        "driver d",
        "device",
        "media transfer",
        "indexer daemon",
        "memory",
        "memoryhigh512m",
        "system sockets",
        "a user",
        "conditionuser",
        "dbus menus",
        "plasma",
        "phase",
        "workspace core",
        "exit status",
        "x11 connection",
        "timeoutstopsec5",
        "disable restart",
        "timeoutsec40sec",
        "typeoneshot",
        "david edmundson",
        "davidedmundson",
        "osd service",
        "portal",
        "auto restart",
        "dbus",
        "xembed system",
        "logging system",
        "socketmode0660",
        "all containers",
        "restart policy",
        "logging start",
        "execstopbinsh c",
        "logging",
        "x11 plugins",
        "session slice",
        "typeforking",
        "etc userroot",
        "grouproot",
        "onbootsec15min",
        "place",
        "temporary",
        "volatile files",
        "thunar",
        "session manager",
        "wireplumber",
        "service file",
        "xdg autostart",
        "user dir",
        "descriptionxfce",
        "sandbox",
        "malware",
        "analysis",
        "online",
        "submit",
        "vxstream",
        "sample",
        "download",
        "trojan",
        "apt",
        "memoryfile scan",
        "ansi",
        "bpf program",
        "indicator",
        "bpf firewalling",
        "pcap",
        "pcap processing",
        "bpffallowmulti",
        "bpf device",
        "date",
        "suspicious",
        "hybrid",
        "crypto",
        "close",
        "click",
        "april",
        "strings",
        "february",
        "middle",
        "exploit",
        "gameover",
        "contact",
        "scope",
        "thomas koch",
        "gpl v2",
        "imsm",
        "ibftruledir",
        "ibftrules",
        "attr",
        "systemd rule",
        "hannes reinecke",
        "suse labs",
        "ipibft",
        "interface",
        "kernel",
        "configfile",
        "typesimple",
        "apparmor",
        "grouparchaudit",
        "hardening",
        "umask077",
        "persistenttrue",
        "enable debug",
        "networkmanager",
        "trace",
        "wait online",
        "edit",
        "note",
        "reload",
        "capdacoverride",
        "dhcp etc",
        "mdadmscan",
        "mdadmdelay",
        "mdadmmail",
        "mdadmprogram",
        "mdadmconfig",
        "mdadmsendmail",
        "p runsysconfig",
        "userroot",
        "sssd",
        "write access",
        "needed sometime",
        "statedirectory",
        "accountsservice",
        "varloglastlog",
        "bridge daemon",
        "alsa card",
        "card state",
        "required",
        "another auto",
        "nice daemon",
        "memorymax64m",
        "filter system",
        "mount",
        "reboot",
        "clock",
        "logging service",
        "requires",
        "before",
        "please",
        "exit codes",
        "proc",
        "descriptionruns",
        "execstartsh c",
        "switchtoggle",
        "ignoreonisolate",
        "term typeidle",
        "without",
        "any warranty",
        "merchantability",
        "fitness",
        "a particular",
        "vartmp",
        "wants type",
        "preparation",
        "watchdogsec10",
        "filesystem",
        "timer daemon",
        "options",
        "environment",
        "prevent",
        "readwritepaths",
        "security",
        "certain",
        "protectsystem",
        "bindpaths",
        "lower cpu",
        "nice19",
        "manager",
        "userc",
        "celerydnodes",
        "info",
        "chaddevops",
        "aaron brighton",
        "clam antivirus",
        "jon kriel",
        "distribution",
        "script",
        "sanesecurity",
        "securiteinfo",
        "malwarepatrol",
        "oitc",
        "file location",
        "remember",
        "typeexec user",
        "9 cntlm",
        "generate color",
        "profiles",
        "removeipctrue",
        "devpts",
        "authors",
        "any kind",
        "usercouchdb",
        "restartsec5",
        "volumes",
        "server socket",
        "user209",
        "daemon",
        "darkstatiface",
        "reloadconfig",
        "watchdogsec3min",
        "privatetmpyes",
        "protectproc",
        "increase",
        "descriptiontime",
        "date service",
        "debugging only",
        "ignoresigpipeno",
        "unset locale",
        "file system",
        "queue file",
        "whatmqueue",
        "optionsnosuid",
        "pf rundhclient",
        "rate",
        "requiresdirmngr",
        "capfowner",
        "capsetpcap",
        "dhcp",
        "dns server",
        "startlimit",
        "limits",
        "delegateyes",
        "descriptionpass",
        "runtimemaxsec5",
        "mountain",
        "metadata check",
        "all filesystems",
        "online metadata",
        "sunday",
        "oncalendarsun",
        "online ext4",
        "sigterm signal",
        "java process",
        "piddir",
        "standardoutput",
        "elasticsearch",
        "limitnproc4096",
        "limitasinfinity",
        "sendsighupyes",
        "mapper daemon",
        "mainpid",
        "quit",
        "listenstream79",
        "radius server",
        "d etcraddb",
        "protecthomeon",
        "default",
        "systemservice",
        "efiefi bootefi",
        "afinet afinet6",
        "afunix afinet",
        "oncalendar 0000",
        "privatetmptrue",
        "geoip legacy",
        "geoip2",
        "instance",
        "usergit",
        "scdconfig",
        "notice",
        "devinputmice t",
        "descriptiongps",
        "system",
        "sock refclock",
        "gpsdoptions",
        "devices",
        "daemon sockets",
        "2947",
        "bindipv6onlyyes",
        "usbauto",
        "usrbingpsdctl",
        "gps daemon",
        "afterdev",
        "gvmddata",
        "varlibgssproxy",
        "nonewprivileges",
        "privatetmp",
        "protecthome",
        "ieee",
        "etchostapd",
        "killmodemixed",
        "fcopy",
        "uncomment",
        "use sigterm",
        "sigkill i2pd",
        "sendsigkillyes",
        "limitnofile8192",
        "systemd",
        "analog",
        "shutting down",
        "iodineextip p",
        "iodineport p",
        "iodineuser",
        "tunip",
        "topdomain",
        "guessmainpidyes",
        "m node",
        "wants",
        "initiatorname",
        "io driver",
        "typeexec",
        "c etckcptun",
        "usernobody",
        "requireskeyboxd",
        "static device",
        "nofork",
        "restartalways",
        "linker cache",
        "hack",
        "use wants",
        "raise",
        "tasksmax",
        "tasksmax32768",
        "limitmemlock64m",
        "removeonstopyes",
        "ip socket",
        "tls ip",
        "conflictsgetty",
        "aftergetty",
        "busmodules",
        "qabr",
        "hwmonmodules",
        "local file",
        "privatenetwork",
        "lvm2",
        "initialization",
        "autoboot code",
        "s delegatetrue",
        "description",
        "pidfilerunlxc",
        "lynis service",
        "adjust path",
        "lynis binary",
        "lynis timer",
        "tell systemd",
        "lynis security",
        "persistentfalse",
        "container slice",
        "recover",
        "varcacheman",
        "regenerate man",
        "userroot nice19",
        "mysqldopts",
        "mysqldsafe",
        "timezone",
        "core",
        "restart",
        "users",
        "backlog150",
        "listenstreams",
        "servicemariadb",
        "mechanism",
        "mariadb",
        "multi instance",
        "variables",
        "bindirmdadm",
        "gnu general",
        "public license",
        "reshape",
        "onactivesec30",
        "oncalendar",
        "wantedby",
        "monitor",
        "allow mdmon",
        "takeover",
        "k none",
        "c devnull",
        "d runinitramfs",
        "p runmongodb",
        "limitnproc32000",
        "limitmemlock5",
        "device server",
        "requiredbydev",
        "d dev",
        "descriptionreal",
        "extraopts",
        "restartsec30",
        "valid",
        "fifo",
        "priority",
        "batch",
        "nice0",
        "partof",
        "tracking daemon",
        "helper",
        "for testing",
        "only",
        "restrict",
        "grant",
        "capsysptrace",
        "capkill",
        "capipclock",
        "environ",
        "capsysresource",
        "capsyslog",
        "descriptionname",
        "service cache",
        "sysvlsb",
        "descriptionhost",
        "network name",
        "group name",
        "u ntp",
        "time service",
        "t hibernate",
        "software",
        "other",
        "the software",
        "daemon init",
        "software is",
        "provided",
        "fcnvme",
        "wantsmodprobe",
        "aftermodprobe",
        "descriptionall",
        "nbft",
        "nvmeof",
        "connectargs",
        "unit file",
        "descriptionnvmf",
        "red hat",
        "without any",
        "warranty",
        "card daemon",
        "socketmode0666",
        "suite result",
        "kexec screen",
        "oncalendarsat",
        "boot screen",
        "timeoutsec20",
        "power off",
        "runtime data",
        "descriptionhold",
        "timeoutsec0",
        "sandboxing",
        "execstop",
        "colin walters",
        "upgrade",
        "upgrade output",
        "umask0077",
        "transport agent",
        "descriptionmake",
        "descriptionppp",
        "whatnfsd",
        "file formats",
        "automount point",
        "automount",
        "setuid nobody",
        "setgid nobody",
        "setcon",
        "syslog",
        "restartonabort",
        "halt screen",
        "reboot screen",
        "pgroot",
        "postgresql",
        "oom killer",
        "additional",
        "fy nice19",
        "endless os",
        "foundation llc",
        "restartsec0",
        "system quotas",
        "rabbitmq",
        "protecthometrue",
        "etcrathole",
        "guessmainpidno",
        "h etcrdnssd",
        "reflector",
        "afinet6 afunix",
        "umask177",
        "remote file",
        "nfs client",
        "nfsv23 locking",
        "make sure",
        "rpc netconfig",
        "descriptionfast",
        "using ssh",
        "so let",
        "boot",
        "realtimekit",
        "rwhodopts",
        "display manager",
        "specify",
        "interval l",
        "loginterval f",
        "bindstodev",
        "always",
        "usrbingrpck r",
        "slapdoptions",
        "u ldap",
        "slapdurls",
        "smart",
        "pciusb",
        "midi",
        "daemonopts",
        "snmp",
        "trap daemon",
        "g snort",
        "descriptionsudo",
        "hibernate",
        "svnserveargs",
        "whatfusectl",
        "whatconfigfs",
        "whatdebugfs",
        "whattracefs",
        "best way",
        "see https",
        "units service",
        "service slice",
        "offline system",
        "update",
        "wall directory",
        "timeoutsec90s",
        "descriptionmark",
        "current boot",
        "loader entry",
        "any system",
        "units",
        "loader random",
        "loader update",
        "service socket",
        "dump socket",
        "optionally",
        "root device",
        "afalg afinet",
        "execstophomectl",
        "home area",
        "named pipe",
        "sink service",
        "sink socket",
        "upload service",
        "dynamicuseryes",
        "sigkilled",
        "devlog",
        "timestampingus",
        "namespace",
        "sendbuffer8m",
        "kernel command",
        "netlink socket",
        "storage",
        "descriptionwait",
        "network",
        "make",
        "deviceallow",
        "reserve",
        "killer socket",
        "root file",
        "measurement",
        "pcr policy",
        "tpm pcr",
        "code",
        "configuration",
        "machine id",
        "barrier",
        "quota check",
        "system quota",
        "after",
        "random seed",
        "kernel file",
        "gpt partition",
        "kill switch",
        "nvmetcp",
        "trigger",
        "saturday",
        "persistentyes",
        "system update",
        "kernel time",
        "capsystime",
        "ntp service",
        "turn",
        "files",
        "device nodes",
        "srk setup",
        "device events",
        "bootshutdown",
        "change",
        "manager socket",
        "descriptiontinc",
        "proxy server",
        "linrunner",
        "descriptiontlp",
        "tor service",
        "f etctortorrc",
        "tpm device",
        "descriptionudp",
        "tcpicmpudp",
        "etcudp2raw",
        "debug",
        "swap",
        "api file",
        "privatedevices",
        "home",
        "root",
        "runuser",
        "linux control",
        "groups",
        "group",
        "afnetlink",
        "locked memory",
        "limitmemlock0",
        "usb gadget",
        "apple",
        "sliceuser",
        "descriptionuuid",
        "compatibility",
        "typerpcpipefs",
        "vmsvga",
        "hypervisor",
        "usr1",
        "mgmt appuser",
        "dac permission",
        "selinux",
        "xxx someone",
        "qemu",
        "machine tools",
        "vmware tools",
        "pidfilerunvpnc",
        "wacom",
        "iface d",
        "dspeed u",
        "iface",
        "descriptionwpa",
        "oracle",
        "reserved",
        "wong",
        "emailaddr",
        "tunnel protocol",
        "l2tp",
        "isps",
        "russia use",
        "ipsec",
        "d optxplico",
        "b sqlite",
        "descriptionxrdp",
        "xrdpoptions",
        "process",
        "sesmanoptions",
        "zpoolimportopts",
        "an o",
        "t scrub",
        "usrbinzpool",
        "zfs volume",
        "descriptionzfs",
        "f restartalways",
        "remainafterexit",
        "nmbdoptions",
        "smbdoptions",
        "successaction",
        "winbindoptions",
        "ck id",
        "hybrid analysis",
        "mitre att",
        "malicious",
        "sdshared ansi",
        "default und",
        "func global",
        "func local",
        "object local",
        "general",
        "show technique",
        "ck matrix",
        "tasksmax33",
        "empty file",
        "proxycommand",
        "checkhostip",
        "afunix",
        "afvsock",
        "allow",
        "r table",
        "chkbootcheck",
        "gplv2 source",
        "chkbootstyles",
        "etcissue",
        "partition",
        "minimizebest",
        "mit no",
        "match",
        "link",
        "namepolicykeep",
        "ethernet link",
        "kindveth nameve",
        "kindveth namevb",
        "keepmasteryes",
        "dhcpv4",
        "kindsit name6rd",
        "ipv4ll",
        "ipv6ll",
        "dhcpipv6ra",
        "dhcpv6",
        "typeether",
        "dhcpyes",
        "usetimezoneyes",
        "typewlan",
        "tuntap",
        "natdhcp",
        "kindtun namevt",
        "kind",
        "originalname",
        "definedby",
        "peer",
        "sopeergroups",
        "dbus protocol",
        "dbus name",
        "exec",
        "hup signal",
        "sighup",
        "dnssec",
        "sessionid",
        "seatid",
        "sleep",
        "leader",
        "jobresult",
        "coredumppid",
        "coredumpcomm",
        "junit",
        "na zapusk",
        "mikrasiekund",
        "enhed",
        "mikrosekunder",
        "opstart",
        "jobid",
        "a rendszer",
        "ezredmsodpercet",
        "a rendszernapl",
        "user manager",
        "smack",
        "lunit",
        "stato",
        "il processo",
        "il sistema",
        "stata",
        "le processus",
        "notez que",
        "jedinica",
        "zapamtite da",
        "nova",
        "jednostka",
        "prosz zauway",
        "zwykle wskazuje",
        "jest",
        "o processo",
        "processo",
        "isso",
        "inicializao",
        "journal",
        "sizelimit",
        "userid",
        "prozess",
        "speicherabbild",
        "hinweis auf",
        "programmfehler",
        "fehler dem",
        "die systemzeit",
        "realtime"
      ],
      "references": [
        "Hunting_B64Engine_DotNetToJScript_Dos.yar",
        "APT_Backdoor_PS1_BASICPIPESHELL_1.yar",
        "apt_sandworm_exim_expl.yar.002",
        "apt_sandworm_exim_expl.yar.001",
        "apt_sandworm_exim_expl.yar",
        "connect.php",
        "connect.php.002",
        "connect.php.001",
        "crypto-miner.js",
        "eicar",
        "eicar.001",
        "eicar.002",
        "custom.py",
        "eicar.txt",
        "expl_cve_2021_40444.yar.001",
        "expl_cve_2021_40444.yar.002",
        "getPerms.php",
        "input.pcap",
        "list.php",
        "parent.php",
        "payload.php",
        "payload.php.001",
        "kingdee-erp-rce.yaml",
        "payload.php.003",
        "payload.php.002",
        "payload.php.004",
        "payload.php.005",
        "payload.php.006",
        "payload.php.007",
        "payload.php.008",
        "payload.php.010",
        "payload.php.011",
        "payload.php.009",
        "payload.php.012",
        "payload.php.013",
        "payload.php.015",
        "payload.php.016",
        "payload.php.017",
        "reverse_tcp.py",
        "scanner.php",
        "search.php",
        "setdb.php",
        "payload.php.014",
        "setdb.php.001",
        "reader.php",
        "single.php",
        "resolv.conf",
        "systemd-update-helper",
        "90-systemd.preset",
        "60-flatpak",
        "app.slice",
        "background.slice",
        "README.md",
        "bluetooth.target",
        "basic.target",
        "borgmatic-user.timer",
        "borgmatic-user.service",
        "cape.service",
        "cape-dist.service",
        "cape-processor.service",
        "cape-rooter.service",
        "capsule@.target",
        "cape-web.service",
        "clash.service",
        "colord-session.service",
        "dbus.socket",
        "cape-fstab.service",
        "dbus.service",
        "dbus-broker.service",
        "dconf.service",
        "dirmngr.service",
        "default.target",
        "drkonqi-coredump-cleanup.service",
        "dirmngr.socket",
        "drkonqi-coredump-cleanup.timer",
        "drkonqi-coredump-launcher.socket",
        "drkonqi-sentry-postman.path",
        "drkonqi-coredump-pickup.service",
        "drkonqi-sentry-postman.service",
        "drkonqi-sentry-postman.timer",
        "drkonqi-coredump-launcher@.service",
        "dunst.service",
        "flatpak-oci-authenticator.service",
        "filter-chain.service",
        "exit.target",
        "flatpak-session-helper.service",
        "fluidsynth.service",
        "gcr-ssh-agent.socket",
        "flatpak-portal.service",
        "gcr-ssh-agent.service",
        "gnome-keyring-daemon.service",
        "glib-pacrunner.service",
        "gnome-keyring-daemon.socket",
        "gpg-agent-ssh.socket",
        "gnome-terminal-server.service",
        "gpg-agent-extra.socket",
        "gpg-agent.service",
        "gpg-agent.socket",
        "gpg-agent-browser.socket",
        "graphical-session-pre.target",
        "graphical-session.target",
        "gssuserproxy.socket",
        "guacd.service",
        "gvfs-gphoto2-volume-monitor.service",
        "gvfs-daemon.service",
        "gssuserproxy.service",
        "gvfs-afc-volume-monitor.service",
        "gvfs-metadata.service",
        "jack@.service",
        "guac-web.service",
        "gvfs-udisks2-volume-monitor.service",
        "gvfs-mtp-volume-monitor.service",
        "kde-baloo.service",
        "keyboxd.service",
        "kio-fuse.service",
        "keyboxd.socket",
        "p11-kit-server.service",
        "p11-kit-server.socket",
        "paths.target",
        "pipewire.socket",
        "pipewire-pulse.service",
        "plasma-gmenudbusmenuproxy.service",
        "pipewire-pulse.socket",
        "plasma-baloorunner.service",
        "plasma-kcminit.service",
        "plasma-dolphin.service",
        "plasma-kcminit-phase1.service",
        "plasma-core.target",
        "plasma-kded.service",
        "pipewire.service",
        "plasma-kded6.service",
        "plasma-kglobalaccel.service",
        "at-spi-dbus-bus.service",
        "plasma-krunner.service",
        "plasma-kscreen.service",
        "plasma-kscreen-osd.service",
        "plasma-ksmserver.service",
        "plasma-ksplash.service",
        "plasma-ksplash-ready.service",
        "plasma-ksystemstats.service",
        "plasma-kwallet-pam.service",
        "plasma-kwin_wayland.service",
        "plasma-kwin_x11.service",
        "plasma-plasmashell.service",
        "plasma-polkit-agent.service",
        "plasma-powerdevil.service",
        "plasma-powerprofile-osd.service",
        "plasma-restoresession.service",
        "plasma-workspace.target",
        "plasma-workspace-wayland.target",
        "plasma-workspace-x11.target",
        "plasma-xdg-desktop-portal-kde.service",
        "plasma-xembedsniproxy.service",
        "podman.service",
        "podman.socket",
        "podman-auto-update.service",
        "podman-auto-update.timer",
        "podman-kube@.service",
        "podman-restart.service",
        "printer.target",
        "pulseaudio.service",
        "pulseaudio.socket",
        "pulseaudio-x11.service",
        "session.slice",
        "shutdown.target",
        "smartcard.target",
        "sockets.target",
        "sound.target",
        "ssh-agent.service",
        "suricata.service",
        "suricata-update.service",
        "suricata-update.timer",
        "systemd-exit.service",
        "systemd-tmpfiles-clean.service",
        "systemd-tmpfiles-clean.timer",
        "systemd-tmpfiles-setup.service",
        "thunar.service",
        "timers.target",
        "tracker-xdg-portal-3.service",
        "tumblerd.service",
        "wireplumber.service",
        "wireplumber@.service",
        "xdg-desktop-autostart.target",
        "xdg-desktop-portal.service",
        "xdg-desktop-portal-gtk.service",
        "xdg-desktop-portal-hyprland.service",
        "xdg-desktop-portal-rewrite-launchers.service",
        "xdg-desktop-portal-xapp.service",
        "xdg-permission-store.service",
        "xdg-user-dirs-update.service",
        "xfce4-notifyd.service",
        "xsettingsd.service",
        "xdg-document-portal.service",
        "https://hybrid-analysis.com/sample/b1a9e5be43c028442c07071e202f44f33e3a2df167822c5cfed8f998e01fe169/661da09794b343782806018e",
        "defaults.conf",
        "apparmor.conf",
        "nvidia",
        "tlp",
        "fwupd.shutdown",
        "mdadm.shutdown",
        "99-default.preset",
        "50-zfs.preset",
        "ibft-rule-generator",
        "10-arch",
        "60-flatpak-system-only",
        "3proxy.service",
        "apache-tika.service",
        "apparmor.service",
        "arch-audit.service",
        "arch-audit.timer",
        "NetworkManager-dispatcher.service",
        "NetworkManager-wait-online.service",
        "NetworkManager.service",
        "SUSE-mdadm_env.sh",
        "ModemManager.service",
        "3proxy.conf",
        "archlinux-keyring-wkd-sync.service",
        "adsl.service",
        "accounts-daemon.service",
        "adb.service",
        "alsa-restore.service",
        "alsa-state.service",
        "archlinux-keyring-wkd-sync.timer",
        "ananicy-cpp.service",
        "arcolinux-graphical-target.service",
        "atftpd.service",
        "audit-rules.service",
        "auditd.service",
        "auth-rpcgss-module.service",
        "autorandr.service",
        "autorandr-lid-listener.service",
        "autovt@.service",
        "avahi-daemon.service",
        "avahi-daemon.socket",
        "avahi-dnsconfd.service",
        "bettercap.service",
        "betterlockscreen@.service",
        "blk-availability.service",
        "blockdev@.target",
        "bluetooth.service",
        "bmc-watchdog.service",
        "bolt.service",
        "boot-complete.target",
        "borgmatic.service",
        "borgmatic.timer",
        "bpftune.service",
        "btrfs-scrub@.service",
        "btrfs-scrub@.timer",
        "canberra-system-bootup.service",
        "canberra-system-shutdown.service",
        "canberra-system-shutdown-reboot.service",
        "capsule.slice",
        "capsule@.service",
        "celery2@.service",
        "celery@.service",
        "chkboot.service",
        "clamav-clamonacc.service",
        "clamav-daemon.service",
        "clamav-daemon.socket",
        "clamav-freshclam.service",
        "clamav-freshclam-once.service",
        "clamav-freshclam-once.timer",
        "clamav-unofficial-sigs.service",
        "clamav-unofficial-sigs.timer",
        "clash@.service",
        "cntlm.service",
        "colord.service",
        "configure-printer@.service",
        "console-getty.service",
        "container-getty@.service",
        "containerd.service",
        "couchdb.service",
        "cpupower.service",
        "create_ap.service",
        "cronie.service",
        "cryptsetup.target",
        "cryptsetup-pre.target",
        "ctrl-alt-del.target",
        "cups.path",
        "cups.service",
        "cups.socket",
        "cups-lpd.socket",
        "cups-lpd@.service",
        "cxl-monitor.service",
        "darkstat.service",
        "daxdev-reconfigure@.service",
        "dbus-org.freedesktop.hostname1.service",
        "dbus-org.freedesktop.import1.service",
        "dbus-org.freedesktop.locale1.service",
        "dbus-org.freedesktop.login1.service",
        "dbus-org.freedesktop.machine1.service",
        "dbus-org.freedesktop.portable1.service",
        "dbus-org.freedesktop.timedate1.service",
        "debug-shell.service",
        "dev-hugepages.mount",
        "dev-mqueue.mount",
        "dhclient@.service",
        "dhcpd4.service",
        "dhcpd6.service",
        "dirmngr@.service",
        "dirmngr@.socket",
        "dm-event.service",
        "dm-event.socket",
        "dmraid.service",
        "dnscrypt-proxy.service",
        "dnsmasq.service",
        "docker.service",
        "docker.socket",
        "drkonqi-coredump-processor@.service",
        "e2scrub@.service",
        "e2scrub_all.service",
        "e2scrub_all.timer",
        "e2scrub_fail@.service",
        "e2scrub_reap.service",
        "ead.service",
        "elasticsearch.service",
        "elasticsearch-keystore.service",
        "elasticsearch-keystore@.service",
        "elasticsearch@.service",
        "emergency.service",
        "emergency.target",
        "epmd.service",
        "epmd.socket",
        "exabgp.service",
        "factory-reset.target",
        "fancontrol.service",
        "fastnetmon.service",
        "final.target",
        "finger.socket",
        "finger@.service",
        "first-boot-complete.target",
        "flatpak-system-helper.service",
        "freeradius.service",
        "fsidd.service",
        "fstrim.service",
        "fstrim.timer",
        "ftpd.service",
        "fwupd.service",
        "fwupd-offline-update.service",
        "fwupd-refresh.service",
        "fwupd-refresh.timer",
        "geoclue.service",
        "geoipupdate.service",
        "geoipupdate.timer",
        "getty.target",
        "getty-pre.target",
        "getty@.service",
        "git-daemon.socket",
        "git-daemon@.service",
        "gnupg-pkcs11-scd-proxy.service",
        "gpg-agent-browser@.socket",
        "gpg-agent-extra@.socket",
        "gpg-agent-ssh@.socket",
        "gpg-agent@.service",
        "gpg-agent@.socket",
        "gpm.path",
        "gpm.service",
        "gpsd.service",
        "gpsd.socket",
        "gpsdctl@.service",
        "graphical.target",
        "greenbone-certdata-sync.service",
        "greenbone-certdata-sync.timer",
        "greenbone-feed-sync.service",
        "greenbone-feed-sync.timer",
        "greenbone-nvt-sync.service",
        "greenbone-nvt-sync.timer",
        "greenbone-scapdata-sync.service",
        "greenbone-scapdata-sync.timer",
        "gssproxy.service",
        "gvmd.service",
        "halt.target",
        "healthd.service",
        "hibernate.target",
        "hostapd.service",
        "hostapd@.service",
        "httpd.service",
        "hv_fcopy_daemon.service",
        "hv_kvp_daemon.service",
        "hv_vss_daemon.service",
        "hybrid-sleep.target",
        "i2pd.service",
        "iiod.service",
        "initrd.target",
        "initrd-cleanup.service",
        "initrd-fs.target",
        "initrd-parse-etc.service",
        "initrd-root-device.target",
        "initrd-root-fs.target",
        "initrd-switch-root.service",
        "initrd-switch-root.target",
        "initrd-udevadm-cleanup-db.service",
        "initrd-usr-fs.target",
        "integritysetup.target",
        "integritysetup-pre.target",
        "iodined.service",
        "iodined.socket",
        "ip2clued.service",
        "ip6tables.service",
        "ipmidetectd.service",
        "ipmiseld.service",
        "iptables.service",
        "iscsi.service",
        "iscsi-init.service",
        "iscsid.service",
        "iscsid.socket",
        "iscsiuio.service",
        "iscsiuio.socket",
        "isnsd.service",
        "isnsd.socket",
        "iwd.service",
        "kcptun-server@.service",
        "kcptun@.service",
        "kexec.target",
        "keyboxd@.service",
        "keyboxd@.socket",
        "kmod-static-nodes.service",
        "krb5-kadmind.service",
        "krb5-kdc.service",
        "krb5-kpropd.service",
        "krb5-kpropd.socket",
        "krb5-kpropd@.service",
        "lastlog2-import.service",
        "ldconfig.service",
        "libvirt-guests.service",
        "libvirtd.service",
        "libvirtd.socket",
        "libvirtd-admin.socket",
        "libvirtd-ro.socket",
        "libvirtd-tcp.socket",
        "libvirtd-tls.socket",
        "lightdm.service",
        "lm_sensors.service",
        "local-fs.target",
        "local-fs-pre.target",
        "logrotate.service",
        "logrotate.timer",
        "lvm2-lvmpolld.service",
        "lvm2-lvmpolld.socket",
        "lvm2-monitor.service",
        "lxc.service",
        "lxc-auto.service",
        "lxc-monitord.service",
        "lxc-net.service",
        "lxc@.service",
        "lxdm.service",
        "ly.service",
        "lynis.service",
        "lynis.timer",
        "machine.slice",
        "machines.target",
        "man-db.service",
        "man-db.timer",
        "mariadb.service",
        "mariadb.socket",
        "mariadb-extra.socket",
        "mariadb-extra@.socket",
        "mariadb@.service",
        "mariadb@.socket",
        "mdadm-grow-continue@.service",
        "mdadm-last-resort@.service",
        "mdadm-last-resort@.timer",
        "mdcheck_continue.service",
        "mdcheck_continue.timer",
        "mdcheck_start.service",
        "mdcheck_start.timer",
        "mdmon@.service",
        "mdmonitor.service",
        "mdmonitor-oneshot.service",
        "mdmonitor-oneshot.timer",
        "memavaild.service",
        "mkinitcpio-generate-shutdown-ramfs.service",
        "modprobe@.service",
        "mongodb.service",
        "multi-user.target",
        "mysql.service",
        "mysqld.service",
        "named.service",
        "nbd.service",
        "nbd@.service",
        "ndctl-monitor.service",
        "neo4j.service",
        "netavark-dhcp-proxy.service",
        "netavark-dhcp-proxy.socket",
        "netdata.service",
        "network.target",
        "network-online.target",
        "network-pre.target",
        "nfs-blkmap.service",
        "nfs-client.target",
        "nfs-idmapd.service",
        "nfs-mountd.service",
        "nfs-server.service",
        "nfs-utils.service",
        "nfsdcld.service",
        "nfsv4-exportd.service",
        "nfsv4-server.service",
        "nftables.service",
        "nm-priv-helper.service",
        "nmb.service",
        "nohang.service",
        "nohang-desktop.service",
        "nscd.service",
        "nss-lookup.target",
        "nss-user-lookup.target",
        "ntpd.service",
        "ntpdate.service",
        "nvidia-hibernate.service",
        "nvidia-persistenced.service",
        "nvidia-powerd.service",
        "nvidia-resume.service",
        "nvidia-suspend.service",
        "nvmefc-boot-connections.service",
        "nvmf-autoconnect.service",
        "nvmf-connect.target",
        "nvmf-connect-nbft.service",
        "nvmf-connect@.service",
        "pacrunner.service",
        "ostree-boot-complete.service",
        "pacman-filesdb-refresh.timer",
        "pcscd.service",
        "passim.service",
        "pcscd.socket",
        "packagekit-offline-update.service",
        "phoronix-result-server.service",
        "paccache.timer",
        "plymouth-kexec.service",
        "pamac-cleancache.timer",
        "plymouth-quit.service",
        "partimaged.service",
        "plymouth-poweroff.service",
        "plymouth-read-write.service",
        "plymouth-quit-wait.service",
        "paccache.service",
        "plymouth-switch-root-initramfs.service",
        "ostree-remount.service",
        "plymouth-switch-root.service",
        "openvpn-client@.service",
        "podman-clean-transient.service",
        "pamac-offline-upgrade.service",
        "polkit.service",
        "postfix.service",
        "pam_namespace.service",
        "poweroff.target",
        "ppp@.service",
        "opensnitchd.service",
        "proc-fs-nfsd.mount",
        "proc-sys-fs-binfmt_misc.automount",
        "proc-sys-fs-binfmt_misc.mount",
        "phoromatic-server.service",
        "ptunnel.service",
        "openvpn-server@.service",
        "plymouth-halt.service",
        "pamac-cleancache.service",
        "plymouth-reboot.service",
        "ostree-state-overlay@.service",
        "ostree-finalize-staged.service",
        "postgresql.service",
        "phoromatic-client.service",
        "pamac-daemon.service",
        "pacman-filesdb-refresh.service",
        "packagekit.service",
        "pkgfile-update.service",
        "pkgfile-update.timer",
        "plymouth-start.service",
        "ostree-prepare-root.service",
        "ostree-finalize-staged.path",
        "privoxy.service",
        "ostree-finalize-staged-hold.service",
        "qemu-guest-agent.service",
        "quotaon.service",
        "quotaon-root.service",
        "quotaon@.service",
        "rabbitmq.service",
        "ras-mc-ctl.service",
        "rasdaemon.service",
        "rathole@.service",
        "ratholec@.service",
        "ratholes@.service",
        "rc-local.service",
        "rdnssd@.service",
        "reboot.target",
        "redis.service",
        "redis-sentinel.service",
        "reflector.service",
        "reflector.timer",
        "remote-cryptsetup.target",
        "remote-fs.target",
        "remote-fs-pre.target",
        "remote-veritysetup.target",
        "rescue.service",
        "rescue.target",
        "rfkill-block@.service",
        "rfkill-unblock@.service",
        "rlogin.socket",
        "rlogin@.service",
        "rpc-gssd.service",
        "rpc-statd.service",
        "rpc-statd-notify.service",
        "rpc_pipefs.target",
        "rpcbind.service",
        "rpcbind.socket",
        "rpcbind.target",
        "rsh.socket",
        "rsh@.service",
        "rsyncd.service",
        "rsyncd.socket",
        "rsyncd@.service",
        "rtkit-daemon.service",
        "runlevel0.target",
        "runlevel1.target",
        "runlevel2.target",
        "runlevel3.target",
        "runlevel4.target",
        "runlevel5.target",
        "runlevel6.target",
        "rwhod.service",
        "samba.service",
        "sddm.service",
        "seatd.service",
        "sensord.service",
        "serial-getty@.service",
        "shadow.service",
        "shadow.timer",
        "sigpwr.target",
        "slapd.service",
        "sleep.target",
        "slices.target",
        "smartd.service",
        "smb.service",
        "sndiod.service",
        "snmpd.service",
        "snmptrapd.service",
        "snort@.service",
        "snort@1000.service",
        "soft-reboot.target",
        "ssh-access.target",
        "sshd.service",
        "sshdgenkeys.service",
        "sshuttle.service",
        "sslh.service",
        "sslh-fork.service",
        "sslh-select.service",
        "storage-target-mode.target",
        "stunnel.service",
        "sudo_logsrvd.service",
        "suspend.target",
        "suspend-then-hibernate.target",
        "svnserve.service",
        "swap.target",
        "sys-fs-fuse-connections.mount",
        "sys-kernel-config.mount",
        "sys-kernel-debug.mount",
        "sys-kernel-tracing.mount",
        "sysinit.target",
        "syslog.socket",
        "system-systemd\\x2dcryptsetup.slice",
        "system-systemd\\x2dveritysetup.slice",
        "system-update.target",
        "system-update-cleanup.service",
        "system-update-pre.target",
        "systemd-ask-password-console.path",
        "systemd-ask-password-console.service",
        "systemd-ask-password-plymouth.path",
        "systemd-ask-password-plymouth.service",
        "systemd-ask-password-wall.path",
        "systemd-ask-password-wall.service",
        "systemd-backlight@.service",
        "systemd-battery-check.service",
        "systemd-binfmt.service",
        "systemd-bless-boot.service",
        "systemd-boot-check-no-failures.service",
        "systemd-boot-random-seed.service",
        "systemd-boot-update.service",
        "systemd-bootctl.socket",
        "systemd-bootctl@.service",
        "systemd-bsod.service",
        "systemd-confext.service",
        "systemd-coredump.socket",
        "systemd-coredump@.service",
        "systemd-creds.socket",
        "systemd-creds@.service",
        "systemd-firstboot.service",
        "systemd-fsck-root.service",
        "systemd-fsck@.service",
        "systemd-growfs-root.service",
        "systemd-growfs@.service",
        "systemd-halt.service",
        "systemd-hibernate.service",
        "systemd-hibernate-resume.service",
        "systemd-homed.service",
        "systemd-homed-activate.service",
        "systemd-homed-firstboot.service",
        "systemd-hostnamed.service",
        "systemd-hostnamed.socket",
        "systemd-hwdb-update.service",
        "systemd-hybrid-sleep.service",
        "systemd-importd.service",
        "systemd-initctl.service",
        "systemd-initctl.socket",
        "systemd-journal-catalog-update.service",
        "systemd-journal-flush.service",
        "systemd-journal-gatewayd.service",
        "systemd-journal-gatewayd.socket",
        "systemd-journal-remote.service",
        "systemd-journal-remote.socket",
        "systemd-journal-upload.service",
        "systemd-journald.service",
        "systemd-journald.socket",
        "systemd-journald-audit.socket",
        "systemd-journald-dev-log.socket",
        "systemd-journald-varlink@.socket",
        "systemd-journald@.service",
        "systemd-journald@.socket",
        "systemd-kexec.service",
        "systemd-localed.service",
        "systemd-logind.service",
        "systemd-machine-id-commit.service",
        "systemd-machined.service",
        "systemd-modules-load.service",
        "systemd-network-generator.service",
        "systemd-networkd.service",
        "systemd-networkd.socket",
        "systemd-networkd-persistent-storage.service",
        "systemd-networkd-wait-online.service",
        "systemd-networkd-wait-online@.service",
        "systemd-nspawn@.service",
        "systemd-oomd.service",
        "systemd-oomd.socket",
        "systemd-pcrextend.socket",
        "systemd-pcrextend@.service",
        "systemd-pcrfs-root.service",
        "systemd-pcrfs@.service",
        "systemd-pcrlock.socket",
        "systemd-pcrlock-file-system.service",
        "systemd-pcrlock-firmware-code.service",
        "systemd-pcrlock-firmware-config.service",
        "systemd-pcrlock-machine-id.service",
        "systemd-pcrlock-make-policy.service",
        "systemd-pcrlock-secureboot-authority.service",
        "systemd-pcrlock-secureboot-policy.service",
        "systemd-pcrlock@.service",
        "systemd-pcrmachine.service",
        "systemd-pcrphase.service",
        "systemd-pcrphase-initrd.service",
        "systemd-pcrphase-sysinit.service",
        "systemd-portabled.service",
        "systemd-poweroff.service",
        "systemd-pstore.service",
        "systemd-quotacheck.service",
        "systemd-quotacheck-root.service",
        "systemd-quotacheck@.service",
        "systemd-random-seed.service",
        "systemd-reboot.service",
        "systemd-remount-fs.service",
        "systemd-repart.service",
        "systemd-resolved.service",
        "systemd-rfkill.service",
        "systemd-rfkill.socket",
        "systemd-soft-reboot.service",
        "systemd-storagetm.service",
        "systemd-suspend.service",
        "systemd-suspend-then-hibernate.service",
        "systemd-sysctl.service",
        "systemd-sysext.service",
        "systemd-sysext.socket",
        "systemd-sysext@.service",
        "systemd-sysupdate.service",
        "systemd-sysupdate.timer",
        "systemd-sysupdate-reboot.service",
        "systemd-sysupdate-reboot.timer",
        "systemd-sysusers.service",
        "systemd-time-wait-sync.service",
        "systemd-timedated.service",
        "systemd-timesyncd.service",
        "systemd-tmpfiles-setup-dev.service",
        "systemd-tmpfiles-setup-dev-early.service",
        "systemd-tpm2-setup.service",
        "systemd-tpm2-setup-early.service",
        "systemd-udev-trigger.service",
        "systemd-udevd.service",
        "systemd-udevd-control.socket",
        "systemd-udevd-kernel.socket",
        "systemd-update-done.service",
        "systemd-update-utmp.service",
        "systemd-update-utmp-runlevel.service",
        "systemd-user-sessions.service",
        "systemd-userdbd.service",
        "systemd-userdbd.socket",
        "systemd-vconsole-setup.service",
        "systemd-vmspawn@.service",
        "systemd-volatile-root.service",
        "systemd-zram-setup@.service",
        "talk.service",
        "talk.socket",
        "teamd@.service",
        "telnet.socket",
        "telnet@.service",
        "time-set.target",
        "time-sync.target",
        "tinc.service",
        "tinc@.service",
        "tinyproxy.service",
        "tlp.service",
        "tmp.mount",
        "tor.service",
        "tpm2.target",
        "udisks2.service",
        "udp2raw@.service",
        "ufw.service",
        "uksmd.service",
        "umount.target",
        "unbound.service",
        "updatedb.service",
        "updatedb.timer",
        "upower.service",
        "usb-gadget.target",
        "usb_modeswitch@.service",
        "usbipd.service",
        "usbmuxd.service",
        "user.slice",
        "user-runtime-dir@.service",
        "user@.service",
        "uuidd.service",
        "uuidd.socket",
        "var-lib-machines.mount",
        "var-lib-nfs-rpc_pipefs.mount",
        "vboxdrmclient.path",
        "vboxdrmclient.service",
        "vboxservice.service",
        "veritysetup.target",
        "veritysetup-pre.target",
        "virt-guest-shutdown.target",
        "virtchd.service",
        "virtchd.socket",
        "virtchd-admin.socket",
        "virtchd-ro.socket",
        "virtinterfaced.service",
        "virtinterfaced.socket",
        "virtinterfaced-admin.socket",
        "virtinterfaced-ro.socket",
        "virtlockd.service",
        "virtlockd.socket",
        "virtlockd-admin.socket",
        "virtlogd.service",
        "virtlogd.socket",
        "virtlogd-admin.socket",
        "virtlxcd.service",
        "virtlxcd.socket",
        "virtlxcd-admin.socket",
        "virtlxcd-ro.socket",
        "virtnetworkd.service",
        "virtnetworkd.socket",
        "virtnetworkd-admin.socket",
        "virtnetworkd-ro.socket",
        "virtnodedevd.service",
        "virtnodedevd.socket",
        "virtnodedevd-admin.socket",
        "virtnodedevd-ro.socket",
        "virtnwfilterd.service",
        "virtnwfilterd.socket",
        "virtnwfilterd-admin.socket",
        "virtnwfilterd-ro.socket",
        "virtproxyd.service",
        "virtproxyd.socket",
        "virtproxyd-admin.socket",
        "virtproxyd-ro.socket",
        "virtproxyd-tcp.socket",
        "virtproxyd-tls.socket",
        "virtqemud.service",
        "virtqemud.socket",
        "virtqemud-admin.socket",
        "virtqemud-ro.socket",
        "virtsecretd.service",
        "virtsecretd.socket",
        "virtsecretd-admin.socket",
        "virtsecretd-ro.socket",
        "virtstoraged.service",
        "virtstoraged.socket",
        "virtstoraged-admin.socket",
        "virtstoraged-ro.socket",
        "virtvboxd.service",
        "virtvboxd.socket",
        "virtvboxd-admin.socket",
        "virtvboxd-ro.socket",
        "vmtoolsd.service",
        "vmware-vmblock-fuse.service",
        "vpnc@.service",
        "wacom-inputattach@.service",
        "wg-quick.target",
        "wg-quick@.service",
        "winbind.service",
        "wondershaper.service",
        "wpa_supplicant.service",
        "wpa_supplicant-nl80211@.service",
        "wpa_supplicant-wired@.service",
        "wpa_supplicant@.service",
        "xfs_scrub@.service",
        "xfs_scrub_all.service",
        "xfs_scrub_all.timer",
        "xfs_scrub_fail@.service",
        "xl2tpd.service",
        "xplico.service",
        "xrdp.service",
        "xrdp-sesman.service",
        "yate.service",
        "zfs.target",
        "zfs-import.service",
        "zfs-import.target",
        "zfs-import-cache.service",
        "zfs-import-scan.service",
        "zfs-load-key.service",
        "zfs-mount.service",
        "zfs-scrub-monthly@.timer",
        "zfs-scrub-weekly@.timer",
        "zfs-scrub@.service",
        "zfs-share.service",
        "zfs-trim-monthly@.timer",
        "zfs-trim-weekly@.timer",
        "zfs-trim@.service",
        "zfs-volume-wait.service",
        "zfs-volumes.target",
        "zfs-zed.service",
        "plymouth.conf",
        "gpg-agent-ssh@etc-pacman.d-gnupg.socket",
        "keyboxd@etc-pacman.d-gnupg.socket",
        "dirmngr@etc-pacman.d-gnupg.socket",
        "gpg-agent-browser@etc-pacman.d-gnupg.socket",
        "gpg-agent-extra@etc-pacman.d-gnupg.socket",
        "gpg-agent@etc-pacman.d-gnupg.socket",
        "https://hybrid-analysis.com/sample/ff42428f0fcc346cc56e2b00d4b5c4bd43b55f3465b4ccab0efba9c88f4a1c03/661da0b063c895fc2d0a78dc",
        "https://hybrid-analysis.com/sample/9613dee39157b5f9935436b36647047e267b7c10fa4c7ab1fd995db681e58c12/661da5b202eaca78740cf4ed",
        "https://hybrid-analysis.com/sample/479a0170df010c5eb742ff1b8740a2ccf381df44c8a919c95d6e38685278e78a/661da5c768340c1e25092cb2",
        "50-rc_keymap.conf",
        "10-defaults.conf",
        "10-login-barrier.conf",
        "20-systemd-userdb.conf",
        "20-systemd-ssh-proxy.conf",
        "iptables-flush",
        "cpupower",
        "chkboot-bootcheck",
        "10-root.conf",
        "30-root-verity-sig.conf",
        "20-root-verity.conf",
        "80-systemd-timesync.list",
        "80-6rd-tunnel.link",
        "80-container-ve.network",
        "80-container-vb.network",
        "80-container-vz.link",
        "80-6rd-tunnel.network",
        "80-container-vz.network",
        "80-auto-link-local.network.example",
        "80-ethernet.network.example",
        "80-container-host0.network",
        "80-iwd.link",
        "80-container-vb.link",
        "80-vm-vt.link",
        "80-vm-vt.network",
        "80-wifi-adhoc.network",
        "80-wifi-ap.network.example",
        "80-wifi-station.network.example",
        "80-container-ve.link",
        "89-ethernet.network.example",
        "99-default.link",
        "dbus-broker.catalog",
        "dbus-broker-launch.catalog",
        "systemd.be.catalog",
        "systemd.be@latin.catalog",
        "systemd.da.catalog",
        "systemd.bg.catalog",
        "systemd.hu.catalog",
        "systemd.catalog",
        "systemd.it.catalog",
        "systemd.fr.catalog",
        "systemd.ko.catalog",
        "systemd.hr.catalog",
        "systemd.pl.catalog",
        "systemd.pt_BR.catalog",
        "systemd.ru.catalog",
        "systemd.sr.catalog",
        "systemd.zh_CN.catalog",
        "systemd.de.catalog",
        "systemd.zh_TW.catalog",
        "expl_cve_2021_40444.yar"
      ],
      "public": 1,
      "adversary": "Chinese Speaking",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "RemainAfterExit",
          "display_name": "RemainAfterExit",
          "target": null
        },
        {
          "id": "NMBDOPTIONS",
          "display_name": "NMBDOPTIONS",
          "target": null
        },
        {
          "id": "SMBDOPTIONS",
          "display_name": "SMBDOPTIONS",
          "target": null
        },
        {
          "id": "SuccessAction",
          "display_name": "SuccessAction",
          "target": null
        },
        {
          "id": "WINBINDOPTIONS",
          "display_name": "WINBINDOPTIONS",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1205",
          "name": "Traffic Signaling",
          "display_name": "T1205 - Traffic Signaling"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1543",
          "name": "Create or Modify System Process",
          "display_name": "T1543 - Create or Modify System Process"
        },
        {
          "id": "T1569",
          "name": "System Services",
          "display_name": "T1569 - System Services"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1114",
          "name": "Email Collection",
          "display_name": "T1114 - Email Collection"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 55,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Merkd1904",
        "id": "196517",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 123,
        "YARA": 16,
        "CVE": 4,
        "FileHash-SHA1": 25,
        "FileHash-SHA256": 20,
        "domain": 102,
        "URL": 16,
        "email": 9,
        "hostname": 4,
        "CIDR": 2
      },
      "indicator_count": 321,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 75,
      "modified_text": "767 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "ssh-access.target",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "ssh-access.target",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780212889.9153652
}