{
  "type": "Domain",
  "indicator": "systemd.io",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/systemd.io",
    "alexa": "http://www.alexa.com/siteinfo/systemd.io",
    "indicator": "systemd.io",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 2891164697,
      "indicator": "systemd.io",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 10,
      "pulses": [
        {
          "id": "6a16ac90f5b7cde86d323464",
          "name": "[\"backup ios...\"] clone by Merkd1904. User note: theres a name tagged here thats interesting",
          "description": "",
          "modified": "2026-05-27T08:34:24.654000",
          "created": "2026-05-27T08:34:24.654000",
          "tags": [
            "fireeye",
            "copyright",
            "base64",
            "dotnettojscript",
            "gadgettojscript",
            "invokeclient",
            "invokeserver",
            "readhost enter",
            "command",
            "roth",
            "nextron",
            "sandworm",
            "detects ssh",
            "grant all",
            "privileges on",
            "to mysqldb",
            "create user",
            "g root",
            "sandworm python",
            "import",
            "phpsploit",
            "host",
            "user",
            "pass",
            "error",
            "establish",
            "pecl oci8",
            "connstr",
            "charset",
            "false",
            "miner",
            "texthtml",
            "module",
            "send custom",
            "swissky",
            "class",
            "serviceip",
            "serviceport",
            "servicedata",
            "e binsh",
            "init",
            "service port",
            "detects",
            "cve202140444",
            "target",
            "targetmode",
            "jeremy brown",
            "windows cve",
            "ms office",
            "modified rule",
            "rperm",
            "wperm",
            "pathsep",
            "string",
            "rwxrxrx",
            "file types",
            "unix",
            "login",
            "autentication",
            "disable",
            "ldapconnect",
            "version",
            "authentication",
            "ldaplist",
            "null",
            "pathelems",
            "execute",
            "backdoor",
            "kingdee oa",
            "yunxingkong",
            "b6oa",
            "code execution",
            "kingdee cloud",
            "starry sky",
            "otherwise",
            "file",
            "setsmartdate",
            "fread",
            "name",
            "force",
            "base64decode",
            "data",
            "substr",
            "array",
            "readdir",
            "getowner",
            "getgroup",
            "getsize",
            "force option",
            "fwrite",
            "permission",
            "check",
            "mode",
            "diraccess",
            "fileaccess",
            "realpath",
            "stat",
            "immutable",
            "posixgetpwuid",
            "posixgetgrgid",
            "explode",
            "etcpasswd",
            "glob",
            "globonlydir",
            "oraclelogin",
            "port",
            "servicename",
            "connector",
            "base",
            "query type",
            "mssqlfetcharray",
            "mssqlassoc",
            "solsocket",
            "timeout",
            "range",
            "portmin",
            "portmax",
            "socketcreate",
            "afinet",
            "sockstream",
            "open",
            "type",
            "true",
            "tcp connection",
            "tcp shell",
            "input",
            "lhost",
            "netcat",
            "lport",
            "shell",
            "dllimport",
            "python",
            "back",
            "fore",
            "pfinet",
            "stdout",
            "this",
            "win32",
            "ldapsearch",
            "select",
            "mysqliassoc",
            "select database",
            "send",
            "newfile",
            "dns stub",
            "third party",
            "see man",
            "exit",
            "o pipefail",
            "v systemctl",
            "devnull",
            "unknown verb",
            "license",
            "gnu lesser",
            "general public",
            "free software",
            "foundation",
            "unit",
            "slice",
            "cpuweight100",
            "tasks slice",
            "cpuweight30",
            "capev2",
            "cape",
            "cuckoo web",
            "setup",
            "grep",
            "limitnofile",
            "install",
            "return",
            "execstart",
            "start",
            "descriptionrun",
            "timer",
            "oncalendardaily",
            "service",
            "prevent rate",
            "delay start",
            "m poetry",
            "sigkill",
            "descriptioncape",
            "ef usercape",
            "g cape",
            "allowisolateyes",
            "typedbus",
            "socket",
            "message bus",
            "listenstream",
            "typenotify",
            "descriptionuser",
            "harald sitter",
            "sitter",
            "kcrash",
            "drkonqi",
            "acceptyes",
            "disable trigger",
            "todo",
            "prevents",
            "path",
            "pathexistsglob",
            "runtimemaxsec31",
            "runtimemaxsec30",
            "restartno",
            "descriptionexit",
            "environmentfile",
            "otheropts",
            "soundfont",
            "descriptiongcr",
            "sshauthsock",
            "descriptionglib",
            "priority6",
            "killmodeprocess",
            "proxy",
            "socketmode0600",
            "apache software",
            "notice file",
            "apache license",
            "unless",
            "as is",
            "basis",
            "or conditions",
            "apple file",
            "conduit monitor",
            "descriptionjack",
            "jackoptions d",
            "driver d",
            "device",
            "media transfer",
            "indexer daemon",
            "memory",
            "memoryhigh512m",
            "system sockets",
            "a user",
            "conditionuser",
            "dbus menus",
            "plasma",
            "phase",
            "workspace core",
            "exit status",
            "x11 connection",
            "timeoutstopsec5",
            "disable restart",
            "timeoutsec40sec",
            "typeoneshot",
            "david edmundson",
            "davidedmundson",
            "osd service",
            "portal",
            "auto restart",
            "dbus",
            "xembed system",
            "logging system",
            "socketmode0660",
            "all containers",
            "restart policy",
            "logging start",
            "execstopbinsh c",
            "logging",
            "x11 plugins",
            "session slice",
            "typeforking",
            "etc userroot",
            "grouproot",
            "onbootsec15min",
            "place",
            "temporary",
            "volatile files",
            "thunar",
            "session manager",
            "wireplumber",
            "service file",
            "xdg autostart",
            "user dir",
            "descriptionxfce",
            "sandbox",
            "malware",
            "analysis",
            "online",
            "submit",
            "vxstream",
            "sample",
            "download",
            "trojan",
            "apt",
            "memoryfile scan",
            "ansi",
            "bpf program",
            "indicator",
            "bpf firewalling",
            "pcap",
            "pcap processing",
            "bpffallowmulti",
            "bpf device",
            "date",
            "suspicious",
            "hybrid",
            "crypto",
            "close",
            "click",
            "april",
            "strings",
            "february",
            "middle",
            "exploit",
            "gameover",
            "contact",
            "scope",
            "thomas koch",
            "gpl v2",
            "imsm",
            "ibftruledir",
            "ibftrules",
            "attr",
            "systemd rule",
            "hannes reinecke",
            "suse labs",
            "ipibft",
            "interface",
            "kernel",
            "configfile",
            "typesimple",
            "apparmor",
            "grouparchaudit",
            "hardening",
            "umask077",
            "persistenttrue",
            "enable debug",
            "networkmanager",
            "trace",
            "wait online",
            "edit",
            "note",
            "reload",
            "capdacoverride",
            "dhcp etc",
            "mdadmscan",
            "mdadmdelay",
            "mdadmmail",
            "mdadmprogram",
            "mdadmconfig",
            "mdadmsendmail",
            "p runsysconfig",
            "userroot",
            "sssd",
            "write access",
            "needed sometime",
            "statedirectory",
            "accountsservice",
            "varloglastlog",
            "bridge daemon",
            "alsa card",
            "card state",
            "required",
            "another auto",
            "nice daemon",
            "memorymax64m",
            "filter system",
            "mount",
            "reboot",
            "clock",
            "logging service",
            "requires",
            "before",
            "please",
            "exit codes",
            "proc",
            "descriptionruns",
            "execstartsh c",
            "switchtoggle",
            "ignoreonisolate",
            "term typeidle",
            "without",
            "any warranty",
            "merchantability",
            "fitness",
            "a particular",
            "vartmp",
            "wants type",
            "preparation",
            "watchdogsec10",
            "filesystem",
            "timer daemon",
            "options",
            "environment",
            "prevent",
            "readwritepaths",
            "security",
            "certain",
            "protectsystem",
            "bindpaths",
            "lower cpu",
            "nice19",
            "manager",
            "userc",
            "celerydnodes",
            "info",
            "chaddevops",
            "aaron brighton",
            "clam antivirus",
            "jon kriel",
            "distribution",
            "script",
            "sanesecurity",
            "securiteinfo",
            "malwarepatrol",
            "oitc",
            "file location",
            "remember",
            "typeexec user",
            "9 cntlm",
            "generate color",
            "profiles",
            "removeipctrue",
            "devpts",
            "authors",
            "any kind",
            "usercouchdb",
            "restartsec5",
            "volumes",
            "server socket",
            "user209",
            "daemon",
            "darkstatiface",
            "reloadconfig",
            "watchdogsec3min",
            "privatetmpyes",
            "protectproc",
            "increase",
            "descriptiontime",
            "date service",
            "debugging only",
            "ignoresigpipeno",
            "unset locale",
            "file system",
            "queue file",
            "whatmqueue",
            "optionsnosuid",
            "pf rundhclient",
            "rate",
            "requiresdirmngr",
            "capfowner",
            "capsetpcap",
            "dhcp",
            "dns server",
            "startlimit",
            "limits",
            "delegateyes",
            "descriptionpass",
            "runtimemaxsec5",
            "mountain",
            "metadata check",
            "all filesystems",
            "online metadata",
            "sunday",
            "oncalendarsun",
            "online ext4",
            "sigterm signal",
            "java process",
            "piddir",
            "standardoutput",
            "elasticsearch",
            "limitnproc4096",
            "limitasinfinity",
            "sendsighupyes",
            "mapper daemon",
            "mainpid",
            "quit",
            "listenstream79",
            "radius server",
            "d etcraddb",
            "protecthomeon",
            "default",
            "systemservice",
            "efiefi bootefi",
            "afinet afinet6",
            "afunix afinet",
            "oncalendar 0000",
            "privatetmptrue",
            "geoip legacy",
            "geoip2",
            "instance",
            "usergit",
            "scdconfig",
            "notice",
            "devinputmice t",
            "descriptiongps",
            "system",
            "sock refclock",
            "gpsdoptions",
            "devices",
            "daemon sockets",
            "2947",
            "bindipv6onlyyes",
            "usbauto",
            "usrbingpsdctl",
            "gps daemon",
            "afterdev",
            "gvmddata",
            "varlibgssproxy",
            "nonewprivileges",
            "privatetmp",
            "protecthome",
            "ieee",
            "etchostapd",
            "killmodemixed",
            "fcopy",
            "uncomment",
            "use sigterm",
            "sigkill i2pd",
            "sendsigkillyes",
            "limitnofile8192",
            "systemd",
            "analog",
            "shutting down",
            "iodineextip p",
            "iodineport p",
            "iodineuser",
            "tunip",
            "topdomain",
            "guessmainpidyes",
            "m node",
            "wants",
            "initiatorname",
            "io driver",
            "typeexec",
            "c etckcptun",
            "usernobody",
            "requireskeyboxd",
            "static device",
            "nofork",
            "restartalways",
            "linker cache",
            "hack",
            "use wants",
            "raise",
            "tasksmax",
            "tasksmax32768",
            "limitmemlock64m",
            "removeonstopyes",
            "ip socket",
            "tls ip",
            "conflictsgetty",
            "aftergetty",
            "busmodules",
            "qabr",
            "hwmonmodules",
            "local file",
            "privatenetwork",
            "lvm2",
            "initialization",
            "autoboot code",
            "s delegatetrue",
            "description",
            "pidfilerunlxc",
            "lynis service",
            "adjust path",
            "lynis binary",
            "lynis timer",
            "tell systemd",
            "lynis security",
            "persistentfalse",
            "container slice",
            "recover",
            "varcacheman",
            "regenerate man",
            "userroot nice19",
            "mysqldopts",
            "mysqldsafe",
            "timezone",
            "core",
            "restart",
            "users",
            "backlog150",
            "listenstreams",
            "servicemariadb",
            "mechanism",
            "mariadb",
            "multi instance",
            "variables",
            "bindirmdadm",
            "gnu general",
            "public license",
            "reshape",
            "onactivesec30",
            "oncalendar",
            "wantedby",
            "monitor",
            "allow mdmon",
            "takeover",
            "k none",
            "c devnull",
            "d runinitramfs",
            "p runmongodb",
            "limitnproc32000",
            "limitmemlock5",
            "device server",
            "requiredbydev",
            "d dev",
            "descriptionreal",
            "extraopts",
            "restartsec30",
            "valid",
            "fifo",
            "priority",
            "batch",
            "nice0",
            "partof",
            "tracking daemon",
            "helper",
            "for testing",
            "only",
            "restrict",
            "grant",
            "capsysptrace",
            "capkill",
            "capipclock",
            "environ",
            "capsysresource",
            "capsyslog",
            "descriptionname",
            "service cache",
            "sysvlsb",
            "descriptionhost",
            "network name",
            "group name",
            "u ntp",
            "time service",
            "t hibernate",
            "software",
            "other",
            "the software",
            "daemon init",
            "software is",
            "provided",
            "fcnvme",
            "wantsmodprobe",
            "aftermodprobe",
            "descriptionall",
            "nbft",
            "nvmeof",
            "connectargs",
            "unit file",
            "descriptionnvmf",
            "red hat",
            "without any",
            "warranty",
            "card daemon",
            "socketmode0666",
            "suite result",
            "kexec screen",
            "oncalendarsat",
            "boot screen",
            "timeoutsec20",
            "power off",
            "runtime data",
            "descriptionhold",
            "timeoutsec0",
            "sandboxing",
            "execstop",
            "colin walters",
            "upgrade",
            "upgrade output",
            "umask0077",
            "transport agent",
            "descriptionmake",
            "descriptionppp",
            "whatnfsd",
            "file formats",
            "automount point",
            "automount",
            "setuid nobody",
            "setgid nobody",
            "setcon",
            "syslog",
            "restartonabort",
            "halt screen",
            "reboot screen",
            "pgroot",
            "postgresql",
            "oom killer",
            "additional",
            "fy nice19",
            "endless os",
            "foundation llc",
            "restartsec0",
            "system quotas",
            "rabbitmq",
            "protecthometrue",
            "etcrathole",
            "guessmainpidno",
            "h etcrdnssd",
            "reflector",
            "afinet6 afunix",
            "umask177",
            "remote file",
            "nfs client",
            "nfsv23 locking",
            "make sure",
            "rpc netconfig",
            "descriptionfast",
            "using ssh",
            "so let",
            "boot",
            "realtimekit",
            "rwhodopts",
            "display manager",
            "specify",
            "interval l",
            "loginterval f",
            "bindstodev",
            "always",
            "usrbingrpck r",
            "slapdoptions",
            "u ldap",
            "slapdurls",
            "smart",
            "pciusb",
            "midi",
            "daemonopts",
            "snmp",
            "trap daemon",
            "g snort",
            "descriptionsudo",
            "hibernate",
            "svnserveargs",
            "whatfusectl",
            "whatconfigfs",
            "whatdebugfs",
            "whattracefs",
            "best way",
            "see https",
            "units service",
            "service slice",
            "offline system",
            "update",
            "wall directory",
            "timeoutsec90s",
            "descriptionmark",
            "current boot",
            "loader entry",
            "any system",
            "units",
            "loader random",
            "loader update",
            "service socket",
            "dump socket",
            "optionally",
            "root device",
            "afalg afinet",
            "execstophomectl",
            "home area",
            "named pipe",
            "sink service",
            "sink socket",
            "upload service",
            "dynamicuseryes",
            "sigkilled",
            "devlog",
            "timestampingus",
            "namespace",
            "sendbuffer8m",
            "kernel command",
            "netlink socket",
            "storage",
            "descriptionwait",
            "network",
            "make",
            "deviceallow",
            "reserve",
            "killer socket",
            "root file",
            "measurement",
            "pcr policy",
            "tpm pcr",
            "code",
            "configuration",
            "machine id",
            "barrier",
            "quota check",
            "system quota",
            "after",
            "random seed",
            "kernel file",
            "gpt partition",
            "kill switch",
            "nvmetcp",
            "trigger",
            "saturday",
            "persistentyes",
            "system update",
            "kernel time",
            "capsystime",
            "ntp service",
            "turn",
            "files",
            "device nodes",
            "srk setup",
            "device events",
            "bootshutdown",
            "change",
            "manager socket",
            "descriptiontinc",
            "proxy server",
            "linrunner",
            "descriptiontlp",
            "tor service",
            "f etctortorrc",
            "tpm device",
            "descriptionudp",
            "tcpicmpudp",
            "etcudp2raw",
            "debug",
            "swap",
            "api file",
            "privatedevices",
            "home",
            "root",
            "runuser",
            "linux control",
            "groups",
            "group",
            "afnetlink",
            "locked memory",
            "limitmemlock0",
            "usb gadget",
            "apple",
            "sliceuser",
            "descriptionuuid",
            "compatibility",
            "typerpcpipefs",
            "vmsvga",
            "hypervisor",
            "usr1",
            "mgmt appuser",
            "dac permission",
            "selinux",
            "xxx someone",
            "qemu",
            "machine tools",
            "vmware tools",
            "pidfilerunvpnc",
            "wacom",
            "iface d",
            "dspeed u",
            "iface",
            "descriptionwpa",
            "oracle",
            "reserved",
            "wong",
            "emailaddr",
            "tunnel protocol",
            "l2tp",
            "isps",
            "russia use",
            "ipsec",
            "d optxplico",
            "b sqlite",
            "descriptionxrdp",
            "xrdpoptions",
            "process",
            "sesmanoptions",
            "zpoolimportopts",
            "an o",
            "t scrub",
            "usrbinzpool",
            "zfs volume",
            "descriptionzfs",
            "f restartalways",
            "remainafterexit",
            "nmbdoptions",
            "smbdoptions",
            "successaction",
            "winbindoptions",
            "ck id",
            "hybrid analysis",
            "mitre att",
            "malicious",
            "sdshared ansi",
            "default und",
            "func global",
            "func local",
            "object local",
            "general",
            "show technique",
            "ck matrix",
            "tasksmax33",
            "empty file",
            "proxycommand",
            "checkhostip",
            "afunix",
            "afvsock",
            "allow",
            "r table",
            "chkbootcheck",
            "gplv2 source",
            "chkbootstyles",
            "etcissue",
            "partition",
            "minimizebest",
            "mit no",
            "match",
            "link",
            "namepolicykeep",
            "ethernet link",
            "kindveth nameve",
            "kindveth namevb",
            "keepmasteryes",
            "dhcpv4",
            "kindsit name6rd",
            "ipv4ll",
            "ipv6ll",
            "dhcpipv6ra",
            "dhcpv6",
            "typeether",
            "dhcpyes",
            "usetimezoneyes",
            "typewlan",
            "tuntap",
            "natdhcp",
            "kindtun namevt",
            "kind",
            "originalname",
            "definedby",
            "peer",
            "sopeergroups",
            "dbus protocol",
            "dbus name",
            "exec",
            "hup signal",
            "sighup",
            "dnssec",
            "sessionid",
            "seatid",
            "sleep",
            "leader",
            "jobresult",
            "coredumppid",
            "coredumpcomm",
            "junit",
            "na zapusk",
            "mikrasiekund",
            "enhed",
            "mikrosekunder",
            "opstart",
            "jobid",
            "a rendszer",
            "ezredmsodpercet",
            "a rendszernapl",
            "user manager",
            "smack",
            "lunit",
            "stato",
            "il processo",
            "il sistema",
            "stata",
            "le processus",
            "notez que",
            "jedinica",
            "zapamtite da",
            "nova",
            "jednostka",
            "prosz zauway",
            "zwykle wskazuje",
            "jest",
            "o processo",
            "processo",
            "isso",
            "inicializao",
            "journal",
            "sizelimit",
            "userid",
            "prozess",
            "speicherabbild",
            "hinweis auf",
            "programmfehler",
            "fehler dem",
            "die systemzeit",
            "realtime"
          ],
          "references": [
            "Hunting_B64Engine_DotNetToJScript_Dos.yar",
            "APT_Backdoor_PS1_BASICPIPESHELL_1.yar",
            "apt_sandworm_exim_expl.yar.002",
            "apt_sandworm_exim_expl.yar.001",
            "apt_sandworm_exim_expl.yar",
            "connect.php",
            "connect.php.002",
            "connect.php.001",
            "crypto-miner.js",
            "eicar",
            "eicar.001",
            "eicar.002",
            "custom.py",
            "eicar.txt",
            "expl_cve_2021_40444.yar.001",
            "expl_cve_2021_40444.yar.002",
            "getPerms.php",
            "input.pcap",
            "list.php",
            "parent.php",
            "payload.php",
            "payload.php.001",
            "kingdee-erp-rce.yaml",
            "payload.php.003",
            "payload.php.002",
            "payload.php.004",
            "payload.php.005",
            "payload.php.006",
            "payload.php.007",
            "payload.php.008",
            "payload.php.010",
            "payload.php.011",
            "payload.php.009",
            "payload.php.012",
            "payload.php.013",
            "payload.php.015",
            "payload.php.016",
            "payload.php.017",
            "reverse_tcp.py",
            "scanner.php",
            "search.php",
            "setdb.php",
            "payload.php.014",
            "setdb.php.001",
            "reader.php",
            "single.php",
            "resolv.conf",
            "systemd-update-helper",
            "90-systemd.preset",
            "60-flatpak",
            "app.slice",
            "background.slice",
            "README.md",
            "bluetooth.target",
            "basic.target",
            "borgmatic-user.timer",
            "borgmatic-user.service",
            "cape.service",
            "cape-dist.service",
            "cape-processor.service",
            "cape-rooter.service",
            "capsule@.target",
            "cape-web.service",
            "clash.service",
            "colord-session.service",
            "dbus.socket",
            "cape-fstab.service",
            "dbus.service",
            "dbus-broker.service",
            "dconf.service",
            "dirmngr.service",
            "default.target",
            "drkonqi-coredump-cleanup.service",
            "dirmngr.socket",
            "drkonqi-coredump-cleanup.timer",
            "drkonqi-coredump-launcher.socket",
            "drkonqi-sentry-postman.path",
            "drkonqi-coredump-pickup.service",
            "drkonqi-sentry-postman.service",
            "drkonqi-sentry-postman.timer",
            "drkonqi-coredump-launcher@.service",
            "dunst.service",
            "flatpak-oci-authenticator.service",
            "filter-chain.service",
            "exit.target",
            "flatpak-session-helper.service",
            "fluidsynth.service",
            "gcr-ssh-agent.socket",
            "flatpak-portal.service",
            "gcr-ssh-agent.service",
            "gnome-keyring-daemon.service",
            "glib-pacrunner.service",
            "gnome-keyring-daemon.socket",
            "gpg-agent-ssh.socket",
            "gnome-terminal-server.service",
            "gpg-agent-extra.socket",
            "gpg-agent.service",
            "gpg-agent.socket",
            "gpg-agent-browser.socket",
            "graphical-session-pre.target",
            "graphical-session.target",
            "gssuserproxy.socket",
            "guacd.service",
            "gvfs-gphoto2-volume-monitor.service",
            "gvfs-daemon.service",
            "gssuserproxy.service",
            "gvfs-afc-volume-monitor.service",
            "gvfs-metadata.service",
            "jack@.service",
            "guac-web.service",
            "gvfs-udisks2-volume-monitor.service",
            "gvfs-mtp-volume-monitor.service",
            "kde-baloo.service",
            "keyboxd.service",
            "kio-fuse.service",
            "keyboxd.socket",
            "p11-kit-server.service",
            "p11-kit-server.socket",
            "paths.target",
            "pipewire.socket",
            "pipewire-pulse.service",
            "plasma-gmenudbusmenuproxy.service",
            "pipewire-pulse.socket",
            "plasma-baloorunner.service",
            "plasma-kcminit.service",
            "plasma-dolphin.service",
            "plasma-kcminit-phase1.service",
            "plasma-core.target",
            "plasma-kded.service",
            "pipewire.service",
            "plasma-kded6.service",
            "plasma-kglobalaccel.service",
            "at-spi-dbus-bus.service",
            "plasma-krunner.service",
            "plasma-kscreen.service",
            "plasma-kscreen-osd.service",
            "plasma-ksmserver.service",
            "plasma-ksplash.service",
            "plasma-ksplash-ready.service",
            "plasma-ksystemstats.service",
            "plasma-kwallet-pam.service",
            "plasma-kwin_wayland.service",
            "plasma-kwin_x11.service",
            "plasma-plasmashell.service",
            "plasma-polkit-agent.service",
            "plasma-powerdevil.service",
            "plasma-powerprofile-osd.service",
            "plasma-restoresession.service",
            "plasma-workspace.target",
            "plasma-workspace-wayland.target",
            "plasma-workspace-x11.target",
            "plasma-xdg-desktop-portal-kde.service",
            "plasma-xembedsniproxy.service",
            "podman.service",
            "podman.socket",
            "podman-auto-update.service",
            "podman-auto-update.timer",
            "podman-kube@.service",
            "podman-restart.service",
            "printer.target",
            "pulseaudio.service",
            "pulseaudio.socket",
            "pulseaudio-x11.service",
            "session.slice",
            "shutdown.target",
            "smartcard.target",
            "sockets.target",
            "sound.target",
            "ssh-agent.service",
            "suricata.service",
            "suricata-update.service",
            "suricata-update.timer",
            "systemd-exit.service",
            "systemd-tmpfiles-clean.service",
            "systemd-tmpfiles-clean.timer",
            "systemd-tmpfiles-setup.service",
            "thunar.service",
            "timers.target",
            "tracker-xdg-portal-3.service",
            "tumblerd.service",
            "wireplumber.service",
            "wireplumber@.service",
            "xdg-desktop-autostart.target",
            "xdg-desktop-portal.service",
            "xdg-desktop-portal-gtk.service",
            "xdg-desktop-portal-hyprland.service",
            "xdg-desktop-portal-rewrite-launchers.service",
            "xdg-desktop-portal-xapp.service",
            "xdg-permission-store.service",
            "xdg-user-dirs-update.service",
            "xfce4-notifyd.service",
            "xsettingsd.service",
            "xdg-document-portal.service",
            "https://hybrid-analysis.com/sample/b1a9e5be43c028442c07071e202f44f33e3a2df167822c5cfed8f998e01fe169/661da09794b343782806018e",
            "defaults.conf",
            "apparmor.conf",
            "nvidia",
            "tlp",
            "fwupd.shutdown",
            "mdadm.shutdown",
            "99-default.preset",
            "50-zfs.preset",
            "ibft-rule-generator",
            "10-arch",
            "60-flatpak-system-only",
            "3proxy.service",
            "apache-tika.service",
            "apparmor.service",
            "arch-audit.service",
            "arch-audit.timer",
            "NetworkManager-dispatcher.service",
            "NetworkManager-wait-online.service",
            "NetworkManager.service",
            "SUSE-mdadm_env.sh",
            "ModemManager.service",
            "3proxy.conf",
            "archlinux-keyring-wkd-sync.service",
            "adsl.service",
            "accounts-daemon.service",
            "adb.service",
            "alsa-restore.service",
            "alsa-state.service",
            "archlinux-keyring-wkd-sync.timer",
            "ananicy-cpp.service",
            "arcolinux-graphical-target.service",
            "atftpd.service",
            "audit-rules.service",
            "auditd.service",
            "auth-rpcgss-module.service",
            "autorandr.service",
            "autorandr-lid-listener.service",
            "autovt@.service",
            "avahi-daemon.service",
            "avahi-daemon.socket",
            "avahi-dnsconfd.service",
            "bettercap.service",
            "betterlockscreen@.service",
            "blk-availability.service",
            "blockdev@.target",
            "bluetooth.service",
            "bmc-watchdog.service",
            "bolt.service",
            "boot-complete.target",
            "borgmatic.service",
            "borgmatic.timer",
            "bpftune.service",
            "btrfs-scrub@.service",
            "btrfs-scrub@.timer",
            "canberra-system-bootup.service",
            "canberra-system-shutdown.service",
            "canberra-system-shutdown-reboot.service",
            "capsule.slice",
            "capsule@.service",
            "celery2@.service",
            "celery@.service",
            "chkboot.service",
            "clamav-clamonacc.service",
            "clamav-daemon.service",
            "clamav-daemon.socket",
            "clamav-freshclam.service",
            "clamav-freshclam-once.service",
            "clamav-freshclam-once.timer",
            "clamav-unofficial-sigs.service",
            "clamav-unofficial-sigs.timer",
            "clash@.service",
            "cntlm.service",
            "colord.service",
            "configure-printer@.service",
            "console-getty.service",
            "container-getty@.service",
            "containerd.service",
            "couchdb.service",
            "cpupower.service",
            "create_ap.service",
            "cronie.service",
            "cryptsetup.target",
            "cryptsetup-pre.target",
            "ctrl-alt-del.target",
            "cups.path",
            "cups.service",
            "cups.socket",
            "cups-lpd.socket",
            "cups-lpd@.service",
            "cxl-monitor.service",
            "darkstat.service",
            "daxdev-reconfigure@.service",
            "dbus-org.freedesktop.hostname1.service",
            "dbus-org.freedesktop.import1.service",
            "dbus-org.freedesktop.locale1.service",
            "dbus-org.freedesktop.login1.service",
            "dbus-org.freedesktop.machine1.service",
            "dbus-org.freedesktop.portable1.service",
            "dbus-org.freedesktop.timedate1.service",
            "debug-shell.service",
            "dev-hugepages.mount",
            "dev-mqueue.mount",
            "dhclient@.service",
            "dhcpd4.service",
            "dhcpd6.service",
            "dirmngr@.service",
            "dirmngr@.socket",
            "dm-event.service",
            "dm-event.socket",
            "dmraid.service",
            "dnscrypt-proxy.service",
            "dnsmasq.service",
            "docker.service",
            "docker.socket",
            "drkonqi-coredump-processor@.service",
            "e2scrub@.service",
            "e2scrub_all.service",
            "e2scrub_all.timer",
            "e2scrub_fail@.service",
            "e2scrub_reap.service",
            "ead.service",
            "elasticsearch.service",
            "elasticsearch-keystore.service",
            "elasticsearch-keystore@.service",
            "elasticsearch@.service",
            "emergency.service",
            "emergency.target",
            "epmd.service",
            "epmd.socket",
            "exabgp.service",
            "factory-reset.target",
            "fancontrol.service",
            "fastnetmon.service",
            "final.target",
            "finger.socket",
            "finger@.service",
            "first-boot-complete.target",
            "flatpak-system-helper.service",
            "freeradius.service",
            "fsidd.service",
            "fstrim.service",
            "fstrim.timer",
            "ftpd.service",
            "fwupd.service",
            "fwupd-offline-update.service",
            "fwupd-refresh.service",
            "fwupd-refresh.timer",
            "geoclue.service",
            "geoipupdate.service",
            "geoipupdate.timer",
            "getty.target",
            "getty-pre.target",
            "getty@.service",
            "git-daemon.socket",
            "git-daemon@.service",
            "gnupg-pkcs11-scd-proxy.service",
            "gpg-agent-browser@.socket",
            "gpg-agent-extra@.socket",
            "gpg-agent-ssh@.socket",
            "gpg-agent@.service",
            "gpg-agent@.socket",
            "gpm.path",
            "gpm.service",
            "gpsd.service",
            "gpsd.socket",
            "gpsdctl@.service",
            "graphical.target",
            "greenbone-certdata-sync.service",
            "greenbone-certdata-sync.timer",
            "greenbone-feed-sync.service",
            "greenbone-feed-sync.timer",
            "greenbone-nvt-sync.service",
            "greenbone-nvt-sync.timer",
            "greenbone-scapdata-sync.service",
            "greenbone-scapdata-sync.timer",
            "gssproxy.service",
            "gvmd.service",
            "halt.target",
            "healthd.service",
            "hibernate.target",
            "hostapd.service",
            "hostapd@.service",
            "httpd.service",
            "hv_fcopy_daemon.service",
            "hv_kvp_daemon.service",
            "hv_vss_daemon.service",
            "hybrid-sleep.target",
            "i2pd.service",
            "iiod.service",
            "initrd.target",
            "initrd-cleanup.service",
            "initrd-fs.target",
            "initrd-parse-etc.service",
            "initrd-root-device.target",
            "initrd-root-fs.target",
            "initrd-switch-root.service",
            "initrd-switch-root.target",
            "initrd-udevadm-cleanup-db.service",
            "initrd-usr-fs.target",
            "integritysetup.target",
            "integritysetup-pre.target",
            "iodined.service",
            "iodined.socket",
            "ip2clued.service",
            "ip6tables.service",
            "ipmidetectd.service",
            "ipmiseld.service",
            "iptables.service",
            "iscsi.service",
            "iscsi-init.service",
            "iscsid.service",
            "iscsid.socket",
            "iscsiuio.service",
            "iscsiuio.socket",
            "isnsd.service",
            "isnsd.socket",
            "iwd.service",
            "kcptun-server@.service",
            "kcptun@.service",
            "kexec.target",
            "keyboxd@.service",
            "keyboxd@.socket",
            "kmod-static-nodes.service",
            "krb5-kadmind.service",
            "krb5-kdc.service",
            "krb5-kpropd.service",
            "krb5-kpropd.socket",
            "krb5-kpropd@.service",
            "lastlog2-import.service",
            "ldconfig.service",
            "libvirt-guests.service",
            "libvirtd.service",
            "libvirtd.socket",
            "libvirtd-admin.socket",
            "libvirtd-ro.socket",
            "libvirtd-tcp.socket",
            "libvirtd-tls.socket",
            "lightdm.service",
            "lm_sensors.service",
            "local-fs.target",
            "local-fs-pre.target",
            "logrotate.service",
            "logrotate.timer",
            "lvm2-lvmpolld.service",
            "lvm2-lvmpolld.socket",
            "lvm2-monitor.service",
            "lxc.service",
            "lxc-auto.service",
            "lxc-monitord.service",
            "lxc-net.service",
            "lxc@.service",
            "lxdm.service",
            "ly.service",
            "lynis.service",
            "lynis.timer",
            "machine.slice",
            "machines.target",
            "man-db.service",
            "man-db.timer",
            "mariadb.service",
            "mariadb.socket",
            "mariadb-extra.socket",
            "mariadb-extra@.socket",
            "mariadb@.service",
            "mariadb@.socket",
            "mdadm-grow-continue@.service",
            "mdadm-last-resort@.service",
            "mdadm-last-resort@.timer",
            "mdcheck_continue.service",
            "mdcheck_continue.timer",
            "mdcheck_start.service",
            "mdcheck_start.timer",
            "mdmon@.service",
            "mdmonitor.service",
            "mdmonitor-oneshot.service",
            "mdmonitor-oneshot.timer",
            "memavaild.service",
            "mkinitcpio-generate-shutdown-ramfs.service",
            "modprobe@.service",
            "mongodb.service",
            "multi-user.target",
            "mysql.service",
            "mysqld.service",
            "named.service",
            "nbd.service",
            "nbd@.service",
            "ndctl-monitor.service",
            "neo4j.service",
            "netavark-dhcp-proxy.service",
            "netavark-dhcp-proxy.socket",
            "netdata.service",
            "network.target",
            "network-online.target",
            "network-pre.target",
            "nfs-blkmap.service",
            "nfs-client.target",
            "nfs-idmapd.service",
            "nfs-mountd.service",
            "nfs-server.service",
            "nfs-utils.service",
            "nfsdcld.service",
            "nfsv4-exportd.service",
            "nfsv4-server.service",
            "nftables.service",
            "nm-priv-helper.service",
            "nmb.service",
            "nohang.service",
            "nohang-desktop.service",
            "nscd.service",
            "nss-lookup.target",
            "nss-user-lookup.target",
            "ntpd.service",
            "ntpdate.service",
            "nvidia-hibernate.service",
            "nvidia-persistenced.service",
            "nvidia-powerd.service",
            "nvidia-resume.service",
            "nvidia-suspend.service",
            "nvmefc-boot-connections.service",
            "nvmf-autoconnect.service",
            "nvmf-connect.target",
            "nvmf-connect-nbft.service",
            "nvmf-connect@.service",
            "pacrunner.service",
            "ostree-boot-complete.service",
            "pacman-filesdb-refresh.timer",
            "pcscd.service",
            "passim.service",
            "pcscd.socket",
            "packagekit-offline-update.service",
            "phoronix-result-server.service",
            "paccache.timer",
            "plymouth-kexec.service",
            "pamac-cleancache.timer",
            "plymouth-quit.service",
            "partimaged.service",
            "plymouth-poweroff.service",
            "plymouth-read-write.service",
            "plymouth-quit-wait.service",
            "paccache.service",
            "plymouth-switch-root-initramfs.service",
            "ostree-remount.service",
            "plymouth-switch-root.service",
            "openvpn-client@.service",
            "podman-clean-transient.service",
            "pamac-offline-upgrade.service",
            "polkit.service",
            "postfix.service",
            "pam_namespace.service",
            "poweroff.target",
            "ppp@.service",
            "opensnitchd.service",
            "proc-fs-nfsd.mount",
            "proc-sys-fs-binfmt_misc.automount",
            "proc-sys-fs-binfmt_misc.mount",
            "phoromatic-server.service",
            "ptunnel.service",
            "openvpn-server@.service",
            "plymouth-halt.service",
            "pamac-cleancache.service",
            "plymouth-reboot.service",
            "ostree-state-overlay@.service",
            "ostree-finalize-staged.service",
            "postgresql.service",
            "phoromatic-client.service",
            "pamac-daemon.service",
            "pacman-filesdb-refresh.service",
            "packagekit.service",
            "pkgfile-update.service",
            "pkgfile-update.timer",
            "plymouth-start.service",
            "ostree-prepare-root.service",
            "ostree-finalize-staged.path",
            "privoxy.service",
            "ostree-finalize-staged-hold.service",
            "qemu-guest-agent.service",
            "quotaon.service",
            "quotaon-root.service",
            "quotaon@.service",
            "rabbitmq.service",
            "ras-mc-ctl.service",
            "rasdaemon.service",
            "rathole@.service",
            "ratholec@.service",
            "ratholes@.service",
            "rc-local.service",
            "rdnssd@.service",
            "reboot.target",
            "redis.service",
            "redis-sentinel.service",
            "reflector.service",
            "reflector.timer",
            "remote-cryptsetup.target",
            "remote-fs.target",
            "remote-fs-pre.target",
            "remote-veritysetup.target",
            "rescue.service",
            "rescue.target",
            "rfkill-block@.service",
            "rfkill-unblock@.service",
            "rlogin.socket",
            "rlogin@.service",
            "rpc-gssd.service",
            "rpc-statd.service",
            "rpc-statd-notify.service",
            "rpc_pipefs.target",
            "rpcbind.service",
            "rpcbind.socket",
            "rpcbind.target",
            "rsh.socket",
            "rsh@.service",
            "rsyncd.service",
            "rsyncd.socket",
            "rsyncd@.service",
            "rtkit-daemon.service",
            "runlevel0.target",
            "runlevel1.target",
            "runlevel2.target",
            "runlevel3.target",
            "runlevel4.target",
            "runlevel5.target",
            "runlevel6.target",
            "rwhod.service",
            "samba.service",
            "sddm.service",
            "seatd.service",
            "sensord.service",
            "serial-getty@.service",
            "shadow.service",
            "shadow.timer",
            "sigpwr.target",
            "slapd.service",
            "sleep.target",
            "slices.target",
            "smartd.service",
            "smb.service",
            "sndiod.service",
            "snmpd.service",
            "snmptrapd.service",
            "snort@.service",
            "snort@1000.service",
            "soft-reboot.target",
            "ssh-access.target",
            "sshd.service",
            "sshdgenkeys.service",
            "sshuttle.service",
            "sslh.service",
            "sslh-fork.service",
            "sslh-select.service",
            "storage-target-mode.target",
            "stunnel.service",
            "sudo_logsrvd.service",
            "suspend.target",
            "suspend-then-hibernate.target",
            "svnserve.service",
            "swap.target",
            "sys-fs-fuse-connections.mount",
            "sys-kernel-config.mount",
            "sys-kernel-debug.mount",
            "sys-kernel-tracing.mount",
            "sysinit.target",
            "syslog.socket",
            "system-systemd\\x2dcryptsetup.slice",
            "system-systemd\\x2dveritysetup.slice",
            "system-update.target",
            "system-update-cleanup.service",
            "system-update-pre.target",
            "systemd-ask-password-console.path",
            "systemd-ask-password-console.service",
            "systemd-ask-password-plymouth.path",
            "systemd-ask-password-plymouth.service",
            "systemd-ask-password-wall.path",
            "systemd-ask-password-wall.service",
            "systemd-backlight@.service",
            "systemd-battery-check.service",
            "systemd-binfmt.service",
            "systemd-bless-boot.service",
            "systemd-boot-check-no-failures.service",
            "systemd-boot-random-seed.service",
            "systemd-boot-update.service",
            "systemd-bootctl.socket",
            "systemd-bootctl@.service",
            "systemd-bsod.service",
            "systemd-confext.service",
            "systemd-coredump.socket",
            "systemd-coredump@.service",
            "systemd-creds.socket",
            "systemd-creds@.service",
            "systemd-firstboot.service",
            "systemd-fsck-root.service",
            "systemd-fsck@.service",
            "systemd-growfs-root.service",
            "systemd-growfs@.service",
            "systemd-halt.service",
            "systemd-hibernate.service",
            "systemd-hibernate-resume.service",
            "systemd-homed.service",
            "systemd-homed-activate.service",
            "systemd-homed-firstboot.service",
            "systemd-hostnamed.service",
            "systemd-hostnamed.socket",
            "systemd-hwdb-update.service",
            "systemd-hybrid-sleep.service",
            "systemd-importd.service",
            "systemd-initctl.service",
            "systemd-initctl.socket",
            "systemd-journal-catalog-update.service",
            "systemd-journal-flush.service",
            "systemd-journal-gatewayd.service",
            "systemd-journal-gatewayd.socket",
            "systemd-journal-remote.service",
            "systemd-journal-remote.socket",
            "systemd-journal-upload.service",
            "systemd-journald.service",
            "systemd-journald.socket",
            "systemd-journald-audit.socket",
            "systemd-journald-dev-log.socket",
            "systemd-journald-varlink@.socket",
            "systemd-journald@.service",
            "systemd-journald@.socket",
            "systemd-kexec.service",
            "systemd-localed.service",
            "systemd-logind.service",
            "systemd-machine-id-commit.service",
            "systemd-machined.service",
            "systemd-modules-load.service",
            "systemd-network-generator.service",
            "systemd-networkd.service",
            "systemd-networkd.socket",
            "systemd-networkd-persistent-storage.service",
            "systemd-networkd-wait-online.service",
            "systemd-networkd-wait-online@.service",
            "systemd-nspawn@.service",
            "systemd-oomd.service",
            "systemd-oomd.socket",
            "systemd-pcrextend.socket",
            "systemd-pcrextend@.service",
            "systemd-pcrfs-root.service",
            "systemd-pcrfs@.service",
            "systemd-pcrlock.socket",
            "systemd-pcrlock-file-system.service",
            "systemd-pcrlock-firmware-code.service",
            "systemd-pcrlock-firmware-config.service",
            "systemd-pcrlock-machine-id.service",
            "systemd-pcrlock-make-policy.service",
            "systemd-pcrlock-secureboot-authority.service",
            "systemd-pcrlock-secureboot-policy.service",
            "systemd-pcrlock@.service",
            "systemd-pcrmachine.service",
            "systemd-pcrphase.service",
            "systemd-pcrphase-initrd.service",
            "systemd-pcrphase-sysinit.service",
            "systemd-portabled.service",
            "systemd-poweroff.service",
            "systemd-pstore.service",
            "systemd-quotacheck.service",
            "systemd-quotacheck-root.service",
            "systemd-quotacheck@.service",
            "systemd-random-seed.service",
            "systemd-reboot.service",
            "systemd-remount-fs.service",
            "systemd-repart.service",
            "systemd-resolved.service",
            "systemd-rfkill.service",
            "systemd-rfkill.socket",
            "systemd-soft-reboot.service",
            "systemd-storagetm.service",
            "systemd-suspend.service",
            "systemd-suspend-then-hibernate.service",
            "systemd-sysctl.service",
            "systemd-sysext.service",
            "systemd-sysext.socket",
            "systemd-sysext@.service",
            "systemd-sysupdate.service",
            "systemd-sysupdate.timer",
            "systemd-sysupdate-reboot.service",
            "systemd-sysupdate-reboot.timer",
            "systemd-sysusers.service",
            "systemd-time-wait-sync.service",
            "systemd-timedated.service",
            "systemd-timesyncd.service",
            "systemd-tmpfiles-setup-dev.service",
            "systemd-tmpfiles-setup-dev-early.service",
            "systemd-tpm2-setup.service",
            "systemd-tpm2-setup-early.service",
            "systemd-udev-trigger.service",
            "systemd-udevd.service",
            "systemd-udevd-control.socket",
            "systemd-udevd-kernel.socket",
            "systemd-update-done.service",
            "systemd-update-utmp.service",
            "systemd-update-utmp-runlevel.service",
            "systemd-user-sessions.service",
            "systemd-userdbd.service",
            "systemd-userdbd.socket",
            "systemd-vconsole-setup.service",
            "systemd-vmspawn@.service",
            "systemd-volatile-root.service",
            "systemd-zram-setup@.service",
            "talk.service",
            "talk.socket",
            "teamd@.service",
            "telnet.socket",
            "telnet@.service",
            "time-set.target",
            "time-sync.target",
            "tinc.service",
            "tinc@.service",
            "tinyproxy.service",
            "tlp.service",
            "tmp.mount",
            "tor.service",
            "tpm2.target",
            "udisks2.service",
            "udp2raw@.service",
            "ufw.service",
            "uksmd.service",
            "umount.target",
            "unbound.service",
            "updatedb.service",
            "updatedb.timer",
            "upower.service",
            "usb-gadget.target",
            "usb_modeswitch@.service",
            "usbipd.service",
            "usbmuxd.service",
            "user.slice",
            "user-runtime-dir@.service",
            "user@.service",
            "uuidd.service",
            "uuidd.socket",
            "var-lib-machines.mount",
            "var-lib-nfs-rpc_pipefs.mount",
            "vboxdrmclient.path",
            "vboxdrmclient.service",
            "vboxservice.service",
            "veritysetup.target",
            "veritysetup-pre.target",
            "virt-guest-shutdown.target",
            "virtchd.service",
            "virtchd.socket",
            "virtchd-admin.socket",
            "virtchd-ro.socket",
            "virtinterfaced.service",
            "virtinterfaced.socket",
            "virtinterfaced-admin.socket",
            "virtinterfaced-ro.socket",
            "virtlockd.service",
            "virtlockd.socket",
            "virtlockd-admin.socket",
            "virtlogd.service",
            "virtlogd.socket",
            "virtlogd-admin.socket",
            "virtlxcd.service",
            "virtlxcd.socket",
            "virtlxcd-admin.socket",
            "virtlxcd-ro.socket",
            "virtnetworkd.service",
            "virtnetworkd.socket",
            "virtnetworkd-admin.socket",
            "virtnetworkd-ro.socket",
            "virtnodedevd.service",
            "virtnodedevd.socket",
            "virtnodedevd-admin.socket",
            "virtnodedevd-ro.socket",
            "virtnwfilterd.service",
            "virtnwfilterd.socket",
            "virtnwfilterd-admin.socket",
            "virtnwfilterd-ro.socket",
            "virtproxyd.service",
            "virtproxyd.socket",
            "virtproxyd-admin.socket",
            "virtproxyd-ro.socket",
            "virtproxyd-tcp.socket",
            "virtproxyd-tls.socket",
            "virtqemud.service",
            "virtqemud.socket",
            "virtqemud-admin.socket",
            "virtqemud-ro.socket",
            "virtsecretd.service",
            "virtsecretd.socket",
            "virtsecretd-admin.socket",
            "virtsecretd-ro.socket",
            "virtstoraged.service",
            "virtstoraged.socket",
            "virtstoraged-admin.socket",
            "virtstoraged-ro.socket",
            "virtvboxd.service",
            "virtvboxd.socket",
            "virtvboxd-admin.socket",
            "virtvboxd-ro.socket",
            "vmtoolsd.service",
            "vmware-vmblock-fuse.service",
            "vpnc@.service",
            "wacom-inputattach@.service",
            "wg-quick.target",
            "wg-quick@.service",
            "winbind.service",
            "wondershaper.service",
            "wpa_supplicant.service",
            "wpa_supplicant-nl80211@.service",
            "wpa_supplicant-wired@.service",
            "wpa_supplicant@.service",
            "xfs_scrub@.service",
            "xfs_scrub_all.service",
            "xfs_scrub_all.timer",
            "xfs_scrub_fail@.service",
            "xl2tpd.service",
            "xplico.service",
            "xrdp.service",
            "xrdp-sesman.service",
            "yate.service",
            "zfs.target",
            "zfs-import.service",
            "zfs-import.target",
            "zfs-import-cache.service",
            "zfs-import-scan.service",
            "zfs-load-key.service",
            "zfs-mount.service",
            "zfs-scrub-monthly@.timer",
            "zfs-scrub-weekly@.timer",
            "zfs-scrub@.service",
            "zfs-share.service",
            "zfs-trim-monthly@.timer",
            "zfs-trim-weekly@.timer",
            "zfs-trim@.service",
            "zfs-volume-wait.service",
            "zfs-volumes.target",
            "zfs-zed.service",
            "plymouth.conf",
            "gpg-agent-ssh@etc-pacman.d-gnupg.socket",
            "keyboxd@etc-pacman.d-gnupg.socket",
            "dirmngr@etc-pacman.d-gnupg.socket",
            "gpg-agent-browser@etc-pacman.d-gnupg.socket",
            "gpg-agent-extra@etc-pacman.d-gnupg.socket",
            "gpg-agent@etc-pacman.d-gnupg.socket",
            "https://hybrid-analysis.com/sample/ff42428f0fcc346cc56e2b00d4b5c4bd43b55f3465b4ccab0efba9c88f4a1c03/661da0b063c895fc2d0a78dc",
            "https://hybrid-analysis.com/sample/9613dee39157b5f9935436b36647047e267b7c10fa4c7ab1fd995db681e58c12/661da5b202eaca78740cf4ed",
            "https://hybrid-analysis.com/sample/479a0170df010c5eb742ff1b8740a2ccf381df44c8a919c95d6e38685278e78a/661da5c768340c1e25092cb2",
            "50-rc_keymap.conf",
            "10-defaults.conf",
            "10-login-barrier.conf",
            "20-systemd-userdb.conf",
            "20-systemd-ssh-proxy.conf",
            "iptables-flush",
            "cpupower",
            "chkboot-bootcheck",
            "10-root.conf",
            "30-root-verity-sig.conf",
            "20-root-verity.conf",
            "80-systemd-timesync.list",
            "80-6rd-tunnel.link",
            "80-container-ve.network",
            "80-container-vb.network",
            "80-container-vz.link",
            "80-6rd-tunnel.network",
            "80-container-vz.network",
            "80-auto-link-local.network.example",
            "80-ethernet.network.example",
            "80-container-host0.network",
            "80-iwd.link",
            "80-container-vb.link",
            "80-vm-vt.link",
            "80-vm-vt.network",
            "80-wifi-adhoc.network",
            "80-wifi-ap.network.example",
            "80-wifi-station.network.example",
            "80-container-ve.link",
            "89-ethernet.network.example",
            "99-default.link",
            "dbus-broker.catalog",
            "dbus-broker-launch.catalog",
            "systemd.be.catalog",
            "systemd.be@latin.catalog",
            "systemd.da.catalog",
            "systemd.bg.catalog",
            "systemd.hu.catalog",
            "systemd.catalog",
            "systemd.it.catalog",
            "systemd.fr.catalog",
            "systemd.ko.catalog",
            "systemd.hr.catalog",
            "systemd.pl.catalog",
            "systemd.pt_BR.catalog",
            "systemd.ru.catalog",
            "systemd.sr.catalog",
            "systemd.zh_CN.catalog",
            "systemd.de.catalog",
            "systemd.zh_TW.catalog",
            "expl_cve_2021_40444.yar"
          ],
          "public": 1,
          "adversary": "Chinese Speaking",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "RemainAfterExit",
              "display_name": "RemainAfterExit",
              "target": null
            },
            {
              "id": "NMBDOPTIONS",
              "display_name": "NMBDOPTIONS",
              "target": null
            },
            {
              "id": "SMBDOPTIONS",
              "display_name": "SMBDOPTIONS",
              "target": null
            },
            {
              "id": "SuccessAction",
              "display_name": "SuccessAction",
              "target": null
            },
            {
              "id": "WINBINDOPTIONS",
              "display_name": "WINBINDOPTIONS",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1205",
              "name": "Traffic Signaling",
              "display_name": "T1205 - Traffic Signaling"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "T1569",
              "name": "System Services",
              "display_name": "T1569 - System Services"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "661db37bf549518bf6f7f377",
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 123,
            "YARA": 16,
            "CVE": 4,
            "FileHash-SHA1": 25,
            "FileHash-SHA256": 20,
            "domain": 102,
            "URL": 16,
            "email": 9,
            "hostname": 4,
            "CIDR": 2
          },
          "indicator_count": 321,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "3 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6a16ac89787e428fe0f7b045",
          "name": "[\"backup ios...\"] clone by Merkd1904. User note: theres a name tagged here thats interesting",
          "description": "",
          "modified": "2026-05-27T08:34:17.204000",
          "created": "2026-05-27T08:34:17.204000",
          "tags": [
            "fireeye",
            "copyright",
            "base64",
            "dotnettojscript",
            "gadgettojscript",
            "invokeclient",
            "invokeserver",
            "readhost enter",
            "command",
            "roth",
            "nextron",
            "sandworm",
            "detects ssh",
            "grant all",
            "privileges on",
            "to mysqldb",
            "create user",
            "g root",
            "sandworm python",
            "import",
            "phpsploit",
            "host",
            "user",
            "pass",
            "error",
            "establish",
            "pecl oci8",
            "connstr",
            "charset",
            "false",
            "miner",
            "texthtml",
            "module",
            "send custom",
            "swissky",
            "class",
            "serviceip",
            "serviceport",
            "servicedata",
            "e binsh",
            "init",
            "service port",
            "detects",
            "cve202140444",
            "target",
            "targetmode",
            "jeremy brown",
            "windows cve",
            "ms office",
            "modified rule",
            "rperm",
            "wperm",
            "pathsep",
            "string",
            "rwxrxrx",
            "file types",
            "unix",
            "login",
            "autentication",
            "disable",
            "ldapconnect",
            "version",
            "authentication",
            "ldaplist",
            "null",
            "pathelems",
            "execute",
            "backdoor",
            "kingdee oa",
            "yunxingkong",
            "b6oa",
            "code execution",
            "kingdee cloud",
            "starry sky",
            "otherwise",
            "file",
            "setsmartdate",
            "fread",
            "name",
            "force",
            "base64decode",
            "data",
            "substr",
            "array",
            "readdir",
            "getowner",
            "getgroup",
            "getsize",
            "force option",
            "fwrite",
            "permission",
            "check",
            "mode",
            "diraccess",
            "fileaccess",
            "realpath",
            "stat",
            "immutable",
            "posixgetpwuid",
            "posixgetgrgid",
            "explode",
            "etcpasswd",
            "glob",
            "globonlydir",
            "oraclelogin",
            "port",
            "servicename",
            "connector",
            "base",
            "query type",
            "mssqlfetcharray",
            "mssqlassoc",
            "solsocket",
            "timeout",
            "range",
            "portmin",
            "portmax",
            "socketcreate",
            "afinet",
            "sockstream",
            "open",
            "type",
            "true",
            "tcp connection",
            "tcp shell",
            "input",
            "lhost",
            "netcat",
            "lport",
            "shell",
            "dllimport",
            "python",
            "back",
            "fore",
            "pfinet",
            "stdout",
            "this",
            "win32",
            "ldapsearch",
            "select",
            "mysqliassoc",
            "select database",
            "send",
            "newfile",
            "dns stub",
            "third party",
            "see man",
            "exit",
            "o pipefail",
            "v systemctl",
            "devnull",
            "unknown verb",
            "license",
            "gnu lesser",
            "general public",
            "free software",
            "foundation",
            "unit",
            "slice",
            "cpuweight100",
            "tasks slice",
            "cpuweight30",
            "capev2",
            "cape",
            "cuckoo web",
            "setup",
            "grep",
            "limitnofile",
            "install",
            "return",
            "execstart",
            "start",
            "descriptionrun",
            "timer",
            "oncalendardaily",
            "service",
            "prevent rate",
            "delay start",
            "m poetry",
            "sigkill",
            "descriptioncape",
            "ef usercape",
            "g cape",
            "allowisolateyes",
            "typedbus",
            "socket",
            "message bus",
            "listenstream",
            "typenotify",
            "descriptionuser",
            "harald sitter",
            "sitter",
            "kcrash",
            "drkonqi",
            "acceptyes",
            "disable trigger",
            "todo",
            "prevents",
            "path",
            "pathexistsglob",
            "runtimemaxsec31",
            "runtimemaxsec30",
            "restartno",
            "descriptionexit",
            "environmentfile",
            "otheropts",
            "soundfont",
            "descriptiongcr",
            "sshauthsock",
            "descriptionglib",
            "priority6",
            "killmodeprocess",
            "proxy",
            "socketmode0600",
            "apache software",
            "notice file",
            "apache license",
            "unless",
            "as is",
            "basis",
            "or conditions",
            "apple file",
            "conduit monitor",
            "descriptionjack",
            "jackoptions d",
            "driver d",
            "device",
            "media transfer",
            "indexer daemon",
            "memory",
            "memoryhigh512m",
            "system sockets",
            "a user",
            "conditionuser",
            "dbus menus",
            "plasma",
            "phase",
            "workspace core",
            "exit status",
            "x11 connection",
            "timeoutstopsec5",
            "disable restart",
            "timeoutsec40sec",
            "typeoneshot",
            "david edmundson",
            "davidedmundson",
            "osd service",
            "portal",
            "auto restart",
            "dbus",
            "xembed system",
            "logging system",
            "socketmode0660",
            "all containers",
            "restart policy",
            "logging start",
            "execstopbinsh c",
            "logging",
            "x11 plugins",
            "session slice",
            "typeforking",
            "etc userroot",
            "grouproot",
            "onbootsec15min",
            "place",
            "temporary",
            "volatile files",
            "thunar",
            "session manager",
            "wireplumber",
            "service file",
            "xdg autostart",
            "user dir",
            "descriptionxfce",
            "sandbox",
            "malware",
            "analysis",
            "online",
            "submit",
            "vxstream",
            "sample",
            "download",
            "trojan",
            "apt",
            "memoryfile scan",
            "ansi",
            "bpf program",
            "indicator",
            "bpf firewalling",
            "pcap",
            "pcap processing",
            "bpffallowmulti",
            "bpf device",
            "date",
            "suspicious",
            "hybrid",
            "crypto",
            "close",
            "click",
            "april",
            "strings",
            "february",
            "middle",
            "exploit",
            "gameover",
            "contact",
            "scope",
            "thomas koch",
            "gpl v2",
            "imsm",
            "ibftruledir",
            "ibftrules",
            "attr",
            "systemd rule",
            "hannes reinecke",
            "suse labs",
            "ipibft",
            "interface",
            "kernel",
            "configfile",
            "typesimple",
            "apparmor",
            "grouparchaudit",
            "hardening",
            "umask077",
            "persistenttrue",
            "enable debug",
            "networkmanager",
            "trace",
            "wait online",
            "edit",
            "note",
            "reload",
            "capdacoverride",
            "dhcp etc",
            "mdadmscan",
            "mdadmdelay",
            "mdadmmail",
            "mdadmprogram",
            "mdadmconfig",
            "mdadmsendmail",
            "p runsysconfig",
            "userroot",
            "sssd",
            "write access",
            "needed sometime",
            "statedirectory",
            "accountsservice",
            "varloglastlog",
            "bridge daemon",
            "alsa card",
            "card state",
            "required",
            "another auto",
            "nice daemon",
            "memorymax64m",
            "filter system",
            "mount",
            "reboot",
            "clock",
            "logging service",
            "requires",
            "before",
            "please",
            "exit codes",
            "proc",
            "descriptionruns",
            "execstartsh c",
            "switchtoggle",
            "ignoreonisolate",
            "term typeidle",
            "without",
            "any warranty",
            "merchantability",
            "fitness",
            "a particular",
            "vartmp",
            "wants type",
            "preparation",
            "watchdogsec10",
            "filesystem",
            "timer daemon",
            "options",
            "environment",
            "prevent",
            "readwritepaths",
            "security",
            "certain",
            "protectsystem",
            "bindpaths",
            "lower cpu",
            "nice19",
            "manager",
            "userc",
            "celerydnodes",
            "info",
            "chaddevops",
            "aaron brighton",
            "clam antivirus",
            "jon kriel",
            "distribution",
            "script",
            "sanesecurity",
            "securiteinfo",
            "malwarepatrol",
            "oitc",
            "file location",
            "remember",
            "typeexec user",
            "9 cntlm",
            "generate color",
            "profiles",
            "removeipctrue",
            "devpts",
            "authors",
            "any kind",
            "usercouchdb",
            "restartsec5",
            "volumes",
            "server socket",
            "user209",
            "daemon",
            "darkstatiface",
            "reloadconfig",
            "watchdogsec3min",
            "privatetmpyes",
            "protectproc",
            "increase",
            "descriptiontime",
            "date service",
            "debugging only",
            "ignoresigpipeno",
            "unset locale",
            "file system",
            "queue file",
            "whatmqueue",
            "optionsnosuid",
            "pf rundhclient",
            "rate",
            "requiresdirmngr",
            "capfowner",
            "capsetpcap",
            "dhcp",
            "dns server",
            "startlimit",
            "limits",
            "delegateyes",
            "descriptionpass",
            "runtimemaxsec5",
            "mountain",
            "metadata check",
            "all filesystems",
            "online metadata",
            "sunday",
            "oncalendarsun",
            "online ext4",
            "sigterm signal",
            "java process",
            "piddir",
            "standardoutput",
            "elasticsearch",
            "limitnproc4096",
            "limitasinfinity",
            "sendsighupyes",
            "mapper daemon",
            "mainpid",
            "quit",
            "listenstream79",
            "radius server",
            "d etcraddb",
            "protecthomeon",
            "default",
            "systemservice",
            "efiefi bootefi",
            "afinet afinet6",
            "afunix afinet",
            "oncalendar 0000",
            "privatetmptrue",
            "geoip legacy",
            "geoip2",
            "instance",
            "usergit",
            "scdconfig",
            "notice",
            "devinputmice t",
            "descriptiongps",
            "system",
            "sock refclock",
            "gpsdoptions",
            "devices",
            "daemon sockets",
            "2947",
            "bindipv6onlyyes",
            "usbauto",
            "usrbingpsdctl",
            "gps daemon",
            "afterdev",
            "gvmddata",
            "varlibgssproxy",
            "nonewprivileges",
            "privatetmp",
            "protecthome",
            "ieee",
            "etchostapd",
            "killmodemixed",
            "fcopy",
            "uncomment",
            "use sigterm",
            "sigkill i2pd",
            "sendsigkillyes",
            "limitnofile8192",
            "systemd",
            "analog",
            "shutting down",
            "iodineextip p",
            "iodineport p",
            "iodineuser",
            "tunip",
            "topdomain",
            "guessmainpidyes",
            "m node",
            "wants",
            "initiatorname",
            "io driver",
            "typeexec",
            "c etckcptun",
            "usernobody",
            "requireskeyboxd",
            "static device",
            "nofork",
            "restartalways",
            "linker cache",
            "hack",
            "use wants",
            "raise",
            "tasksmax",
            "tasksmax32768",
            "limitmemlock64m",
            "removeonstopyes",
            "ip socket",
            "tls ip",
            "conflictsgetty",
            "aftergetty",
            "busmodules",
            "qabr",
            "hwmonmodules",
            "local file",
            "privatenetwork",
            "lvm2",
            "initialization",
            "autoboot code",
            "s delegatetrue",
            "description",
            "pidfilerunlxc",
            "lynis service",
            "adjust path",
            "lynis binary",
            "lynis timer",
            "tell systemd",
            "lynis security",
            "persistentfalse",
            "container slice",
            "recover",
            "varcacheman",
            "regenerate man",
            "userroot nice19",
            "mysqldopts",
            "mysqldsafe",
            "timezone",
            "core",
            "restart",
            "users",
            "backlog150",
            "listenstreams",
            "servicemariadb",
            "mechanism",
            "mariadb",
            "multi instance",
            "variables",
            "bindirmdadm",
            "gnu general",
            "public license",
            "reshape",
            "onactivesec30",
            "oncalendar",
            "wantedby",
            "monitor",
            "allow mdmon",
            "takeover",
            "k none",
            "c devnull",
            "d runinitramfs",
            "p runmongodb",
            "limitnproc32000",
            "limitmemlock5",
            "device server",
            "requiredbydev",
            "d dev",
            "descriptionreal",
            "extraopts",
            "restartsec30",
            "valid",
            "fifo",
            "priority",
            "batch",
            "nice0",
            "partof",
            "tracking daemon",
            "helper",
            "for testing",
            "only",
            "restrict",
            "grant",
            "capsysptrace",
            "capkill",
            "capipclock",
            "environ",
            "capsysresource",
            "capsyslog",
            "descriptionname",
            "service cache",
            "sysvlsb",
            "descriptionhost",
            "network name",
            "group name",
            "u ntp",
            "time service",
            "t hibernate",
            "software",
            "other",
            "the software",
            "daemon init",
            "software is",
            "provided",
            "fcnvme",
            "wantsmodprobe",
            "aftermodprobe",
            "descriptionall",
            "nbft",
            "nvmeof",
            "connectargs",
            "unit file",
            "descriptionnvmf",
            "red hat",
            "without any",
            "warranty",
            "card daemon",
            "socketmode0666",
            "suite result",
            "kexec screen",
            "oncalendarsat",
            "boot screen",
            "timeoutsec20",
            "power off",
            "runtime data",
            "descriptionhold",
            "timeoutsec0",
            "sandboxing",
            "execstop",
            "colin walters",
            "upgrade",
            "upgrade output",
            "umask0077",
            "transport agent",
            "descriptionmake",
            "descriptionppp",
            "whatnfsd",
            "file formats",
            "automount point",
            "automount",
            "setuid nobody",
            "setgid nobody",
            "setcon",
            "syslog",
            "restartonabort",
            "halt screen",
            "reboot screen",
            "pgroot",
            "postgresql",
            "oom killer",
            "additional",
            "fy nice19",
            "endless os",
            "foundation llc",
            "restartsec0",
            "system quotas",
            "rabbitmq",
            "protecthometrue",
            "etcrathole",
            "guessmainpidno",
            "h etcrdnssd",
            "reflector",
            "afinet6 afunix",
            "umask177",
            "remote file",
            "nfs client",
            "nfsv23 locking",
            "make sure",
            "rpc netconfig",
            "descriptionfast",
            "using ssh",
            "so let",
            "boot",
            "realtimekit",
            "rwhodopts",
            "display manager",
            "specify",
            "interval l",
            "loginterval f",
            "bindstodev",
            "always",
            "usrbingrpck r",
            "slapdoptions",
            "u ldap",
            "slapdurls",
            "smart",
            "pciusb",
            "midi",
            "daemonopts",
            "snmp",
            "trap daemon",
            "g snort",
            "descriptionsudo",
            "hibernate",
            "svnserveargs",
            "whatfusectl",
            "whatconfigfs",
            "whatdebugfs",
            "whattracefs",
            "best way",
            "see https",
            "units service",
            "service slice",
            "offline system",
            "update",
            "wall directory",
            "timeoutsec90s",
            "descriptionmark",
            "current boot",
            "loader entry",
            "any system",
            "units",
            "loader random",
            "loader update",
            "service socket",
            "dump socket",
            "optionally",
            "root device",
            "afalg afinet",
            "execstophomectl",
            "home area",
            "named pipe",
            "sink service",
            "sink socket",
            "upload service",
            "dynamicuseryes",
            "sigkilled",
            "devlog",
            "timestampingus",
            "namespace",
            "sendbuffer8m",
            "kernel command",
            "netlink socket",
            "storage",
            "descriptionwait",
            "network",
            "make",
            "deviceallow",
            "reserve",
            "killer socket",
            "root file",
            "measurement",
            "pcr policy",
            "tpm pcr",
            "code",
            "configuration",
            "machine id",
            "barrier",
            "quota check",
            "system quota",
            "after",
            "random seed",
            "kernel file",
            "gpt partition",
            "kill switch",
            "nvmetcp",
            "trigger",
            "saturday",
            "persistentyes",
            "system update",
            "kernel time",
            "capsystime",
            "ntp service",
            "turn",
            "files",
            "device nodes",
            "srk setup",
            "device events",
            "bootshutdown",
            "change",
            "manager socket",
            "descriptiontinc",
            "proxy server",
            "linrunner",
            "descriptiontlp",
            "tor service",
            "f etctortorrc",
            "tpm device",
            "descriptionudp",
            "tcpicmpudp",
            "etcudp2raw",
            "debug",
            "swap",
            "api file",
            "privatedevices",
            "home",
            "root",
            "runuser",
            "linux control",
            "groups",
            "group",
            "afnetlink",
            "locked memory",
            "limitmemlock0",
            "usb gadget",
            "apple",
            "sliceuser",
            "descriptionuuid",
            "compatibility",
            "typerpcpipefs",
            "vmsvga",
            "hypervisor",
            "usr1",
            "mgmt appuser",
            "dac permission",
            "selinux",
            "xxx someone",
            "qemu",
            "machine tools",
            "vmware tools",
            "pidfilerunvpnc",
            "wacom",
            "iface d",
            "dspeed u",
            "iface",
            "descriptionwpa",
            "oracle",
            "reserved",
            "wong",
            "emailaddr",
            "tunnel protocol",
            "l2tp",
            "isps",
            "russia use",
            "ipsec",
            "d optxplico",
            "b sqlite",
            "descriptionxrdp",
            "xrdpoptions",
            "process",
            "sesmanoptions",
            "zpoolimportopts",
            "an o",
            "t scrub",
            "usrbinzpool",
            "zfs volume",
            "descriptionzfs",
            "f restartalways",
            "remainafterexit",
            "nmbdoptions",
            "smbdoptions",
            "successaction",
            "winbindoptions",
            "ck id",
            "hybrid analysis",
            "mitre att",
            "malicious",
            "sdshared ansi",
            "default und",
            "func global",
            "func local",
            "object local",
            "general",
            "show technique",
            "ck matrix",
            "tasksmax33",
            "empty file",
            "proxycommand",
            "checkhostip",
            "afunix",
            "afvsock",
            "allow",
            "r table",
            "chkbootcheck",
            "gplv2 source",
            "chkbootstyles",
            "etcissue",
            "partition",
            "minimizebest",
            "mit no",
            "match",
            "link",
            "namepolicykeep",
            "ethernet link",
            "kindveth nameve",
            "kindveth namevb",
            "keepmasteryes",
            "dhcpv4",
            "kindsit name6rd",
            "ipv4ll",
            "ipv6ll",
            "dhcpipv6ra",
            "dhcpv6",
            "typeether",
            "dhcpyes",
            "usetimezoneyes",
            "typewlan",
            "tuntap",
            "natdhcp",
            "kindtun namevt",
            "kind",
            "originalname",
            "definedby",
            "peer",
            "sopeergroups",
            "dbus protocol",
            "dbus name",
            "exec",
            "hup signal",
            "sighup",
            "dnssec",
            "sessionid",
            "seatid",
            "sleep",
            "leader",
            "jobresult",
            "coredumppid",
            "coredumpcomm",
            "junit",
            "na zapusk",
            "mikrasiekund",
            "enhed",
            "mikrosekunder",
            "opstart",
            "jobid",
            "a rendszer",
            "ezredmsodpercet",
            "a rendszernapl",
            "user manager",
            "smack",
            "lunit",
            "stato",
            "il processo",
            "il sistema",
            "stata",
            "le processus",
            "notez que",
            "jedinica",
            "zapamtite da",
            "nova",
            "jednostka",
            "prosz zauway",
            "zwykle wskazuje",
            "jest",
            "o processo",
            "processo",
            "isso",
            "inicializao",
            "journal",
            "sizelimit",
            "userid",
            "prozess",
            "speicherabbild",
            "hinweis auf",
            "programmfehler",
            "fehler dem",
            "die systemzeit",
            "realtime"
          ],
          "references": [
            "Hunting_B64Engine_DotNetToJScript_Dos.yar",
            "APT_Backdoor_PS1_BASICPIPESHELL_1.yar",
            "apt_sandworm_exim_expl.yar.002",
            "apt_sandworm_exim_expl.yar.001",
            "apt_sandworm_exim_expl.yar",
            "connect.php",
            "connect.php.002",
            "connect.php.001",
            "crypto-miner.js",
            "eicar",
            "eicar.001",
            "eicar.002",
            "custom.py",
            "eicar.txt",
            "expl_cve_2021_40444.yar.001",
            "expl_cve_2021_40444.yar.002",
            "getPerms.php",
            "input.pcap",
            "list.php",
            "parent.php",
            "payload.php",
            "payload.php.001",
            "kingdee-erp-rce.yaml",
            "payload.php.003",
            "payload.php.002",
            "payload.php.004",
            "payload.php.005",
            "payload.php.006",
            "payload.php.007",
            "payload.php.008",
            "payload.php.010",
            "payload.php.011",
            "payload.php.009",
            "payload.php.012",
            "payload.php.013",
            "payload.php.015",
            "payload.php.016",
            "payload.php.017",
            "reverse_tcp.py",
            "scanner.php",
            "search.php",
            "setdb.php",
            "payload.php.014",
            "setdb.php.001",
            "reader.php",
            "single.php",
            "resolv.conf",
            "systemd-update-helper",
            "90-systemd.preset",
            "60-flatpak",
            "app.slice",
            "background.slice",
            "README.md",
            "bluetooth.target",
            "basic.target",
            "borgmatic-user.timer",
            "borgmatic-user.service",
            "cape.service",
            "cape-dist.service",
            "cape-processor.service",
            "cape-rooter.service",
            "capsule@.target",
            "cape-web.service",
            "clash.service",
            "colord-session.service",
            "dbus.socket",
            "cape-fstab.service",
            "dbus.service",
            "dbus-broker.service",
            "dconf.service",
            "dirmngr.service",
            "default.target",
            "drkonqi-coredump-cleanup.service",
            "dirmngr.socket",
            "drkonqi-coredump-cleanup.timer",
            "drkonqi-coredump-launcher.socket",
            "drkonqi-sentry-postman.path",
            "drkonqi-coredump-pickup.service",
            "drkonqi-sentry-postman.service",
            "drkonqi-sentry-postman.timer",
            "drkonqi-coredump-launcher@.service",
            "dunst.service",
            "flatpak-oci-authenticator.service",
            "filter-chain.service",
            "exit.target",
            "flatpak-session-helper.service",
            "fluidsynth.service",
            "gcr-ssh-agent.socket",
            "flatpak-portal.service",
            "gcr-ssh-agent.service",
            "gnome-keyring-daemon.service",
            "glib-pacrunner.service",
            "gnome-keyring-daemon.socket",
            "gpg-agent-ssh.socket",
            "gnome-terminal-server.service",
            "gpg-agent-extra.socket",
            "gpg-agent.service",
            "gpg-agent.socket",
            "gpg-agent-browser.socket",
            "graphical-session-pre.target",
            "graphical-session.target",
            "gssuserproxy.socket",
            "guacd.service",
            "gvfs-gphoto2-volume-monitor.service",
            "gvfs-daemon.service",
            "gssuserproxy.service",
            "gvfs-afc-volume-monitor.service",
            "gvfs-metadata.service",
            "jack@.service",
            "guac-web.service",
            "gvfs-udisks2-volume-monitor.service",
            "gvfs-mtp-volume-monitor.service",
            "kde-baloo.service",
            "keyboxd.service",
            "kio-fuse.service",
            "keyboxd.socket",
            "p11-kit-server.service",
            "p11-kit-server.socket",
            "paths.target",
            "pipewire.socket",
            "pipewire-pulse.service",
            "plasma-gmenudbusmenuproxy.service",
            "pipewire-pulse.socket",
            "plasma-baloorunner.service",
            "plasma-kcminit.service",
            "plasma-dolphin.service",
            "plasma-kcminit-phase1.service",
            "plasma-core.target",
            "plasma-kded.service",
            "pipewire.service",
            "plasma-kded6.service",
            "plasma-kglobalaccel.service",
            "at-spi-dbus-bus.service",
            "plasma-krunner.service",
            "plasma-kscreen.service",
            "plasma-kscreen-osd.service",
            "plasma-ksmserver.service",
            "plasma-ksplash.service",
            "plasma-ksplash-ready.service",
            "plasma-ksystemstats.service",
            "plasma-kwallet-pam.service",
            "plasma-kwin_wayland.service",
            "plasma-kwin_x11.service",
            "plasma-plasmashell.service",
            "plasma-polkit-agent.service",
            "plasma-powerdevil.service",
            "plasma-powerprofile-osd.service",
            "plasma-restoresession.service",
            "plasma-workspace.target",
            "plasma-workspace-wayland.target",
            "plasma-workspace-x11.target",
            "plasma-xdg-desktop-portal-kde.service",
            "plasma-xembedsniproxy.service",
            "podman.service",
            "podman.socket",
            "podman-auto-update.service",
            "podman-auto-update.timer",
            "podman-kube@.service",
            "podman-restart.service",
            "printer.target",
            "pulseaudio.service",
            "pulseaudio.socket",
            "pulseaudio-x11.service",
            "session.slice",
            "shutdown.target",
            "smartcard.target",
            "sockets.target",
            "sound.target",
            "ssh-agent.service",
            "suricata.service",
            "suricata-update.service",
            "suricata-update.timer",
            "systemd-exit.service",
            "systemd-tmpfiles-clean.service",
            "systemd-tmpfiles-clean.timer",
            "systemd-tmpfiles-setup.service",
            "thunar.service",
            "timers.target",
            "tracker-xdg-portal-3.service",
            "tumblerd.service",
            "wireplumber.service",
            "wireplumber@.service",
            "xdg-desktop-autostart.target",
            "xdg-desktop-portal.service",
            "xdg-desktop-portal-gtk.service",
            "xdg-desktop-portal-hyprland.service",
            "xdg-desktop-portal-rewrite-launchers.service",
            "xdg-desktop-portal-xapp.service",
            "xdg-permission-store.service",
            "xdg-user-dirs-update.service",
            "xfce4-notifyd.service",
            "xsettingsd.service",
            "xdg-document-portal.service",
            "https://hybrid-analysis.com/sample/b1a9e5be43c028442c07071e202f44f33e3a2df167822c5cfed8f998e01fe169/661da09794b343782806018e",
            "defaults.conf",
            "apparmor.conf",
            "nvidia",
            "tlp",
            "fwupd.shutdown",
            "mdadm.shutdown",
            "99-default.preset",
            "50-zfs.preset",
            "ibft-rule-generator",
            "10-arch",
            "60-flatpak-system-only",
            "3proxy.service",
            "apache-tika.service",
            "apparmor.service",
            "arch-audit.service",
            "arch-audit.timer",
            "NetworkManager-dispatcher.service",
            "NetworkManager-wait-online.service",
            "NetworkManager.service",
            "SUSE-mdadm_env.sh",
            "ModemManager.service",
            "3proxy.conf",
            "archlinux-keyring-wkd-sync.service",
            "adsl.service",
            "accounts-daemon.service",
            "adb.service",
            "alsa-restore.service",
            "alsa-state.service",
            "archlinux-keyring-wkd-sync.timer",
            "ananicy-cpp.service",
            "arcolinux-graphical-target.service",
            "atftpd.service",
            "audit-rules.service",
            "auditd.service",
            "auth-rpcgss-module.service",
            "autorandr.service",
            "autorandr-lid-listener.service",
            "autovt@.service",
            "avahi-daemon.service",
            "avahi-daemon.socket",
            "avahi-dnsconfd.service",
            "bettercap.service",
            "betterlockscreen@.service",
            "blk-availability.service",
            "blockdev@.target",
            "bluetooth.service",
            "bmc-watchdog.service",
            "bolt.service",
            "boot-complete.target",
            "borgmatic.service",
            "borgmatic.timer",
            "bpftune.service",
            "btrfs-scrub@.service",
            "btrfs-scrub@.timer",
            "canberra-system-bootup.service",
            "canberra-system-shutdown.service",
            "canberra-system-shutdown-reboot.service",
            "capsule.slice",
            "capsule@.service",
            "celery2@.service",
            "celery@.service",
            "chkboot.service",
            "clamav-clamonacc.service",
            "clamav-daemon.service",
            "clamav-daemon.socket",
            "clamav-freshclam.service",
            "clamav-freshclam-once.service",
            "clamav-freshclam-once.timer",
            "clamav-unofficial-sigs.service",
            "clamav-unofficial-sigs.timer",
            "clash@.service",
            "cntlm.service",
            "colord.service",
            "configure-printer@.service",
            "console-getty.service",
            "container-getty@.service",
            "containerd.service",
            "couchdb.service",
            "cpupower.service",
            "create_ap.service",
            "cronie.service",
            "cryptsetup.target",
            "cryptsetup-pre.target",
            "ctrl-alt-del.target",
            "cups.path",
            "cups.service",
            "cups.socket",
            "cups-lpd.socket",
            "cups-lpd@.service",
            "cxl-monitor.service",
            "darkstat.service",
            "daxdev-reconfigure@.service",
            "dbus-org.freedesktop.hostname1.service",
            "dbus-org.freedesktop.import1.service",
            "dbus-org.freedesktop.locale1.service",
            "dbus-org.freedesktop.login1.service",
            "dbus-org.freedesktop.machine1.service",
            "dbus-org.freedesktop.portable1.service",
            "dbus-org.freedesktop.timedate1.service",
            "debug-shell.service",
            "dev-hugepages.mount",
            "dev-mqueue.mount",
            "dhclient@.service",
            "dhcpd4.service",
            "dhcpd6.service",
            "dirmngr@.service",
            "dirmngr@.socket",
            "dm-event.service",
            "dm-event.socket",
            "dmraid.service",
            "dnscrypt-proxy.service",
            "dnsmasq.service",
            "docker.service",
            "docker.socket",
            "drkonqi-coredump-processor@.service",
            "e2scrub@.service",
            "e2scrub_all.service",
            "e2scrub_all.timer",
            "e2scrub_fail@.service",
            "e2scrub_reap.service",
            "ead.service",
            "elasticsearch.service",
            "elasticsearch-keystore.service",
            "elasticsearch-keystore@.service",
            "elasticsearch@.service",
            "emergency.service",
            "emergency.target",
            "epmd.service",
            "epmd.socket",
            "exabgp.service",
            "factory-reset.target",
            "fancontrol.service",
            "fastnetmon.service",
            "final.target",
            "finger.socket",
            "finger@.service",
            "first-boot-complete.target",
            "flatpak-system-helper.service",
            "freeradius.service",
            "fsidd.service",
            "fstrim.service",
            "fstrim.timer",
            "ftpd.service",
            "fwupd.service",
            "fwupd-offline-update.service",
            "fwupd-refresh.service",
            "fwupd-refresh.timer",
            "geoclue.service",
            "geoipupdate.service",
            "geoipupdate.timer",
            "getty.target",
            "getty-pre.target",
            "getty@.service",
            "git-daemon.socket",
            "git-daemon@.service",
            "gnupg-pkcs11-scd-proxy.service",
            "gpg-agent-browser@.socket",
            "gpg-agent-extra@.socket",
            "gpg-agent-ssh@.socket",
            "gpg-agent@.service",
            "gpg-agent@.socket",
            "gpm.path",
            "gpm.service",
            "gpsd.service",
            "gpsd.socket",
            "gpsdctl@.service",
            "graphical.target",
            "greenbone-certdata-sync.service",
            "greenbone-certdata-sync.timer",
            "greenbone-feed-sync.service",
            "greenbone-feed-sync.timer",
            "greenbone-nvt-sync.service",
            "greenbone-nvt-sync.timer",
            "greenbone-scapdata-sync.service",
            "greenbone-scapdata-sync.timer",
            "gssproxy.service",
            "gvmd.service",
            "halt.target",
            "healthd.service",
            "hibernate.target",
            "hostapd.service",
            "hostapd@.service",
            "httpd.service",
            "hv_fcopy_daemon.service",
            "hv_kvp_daemon.service",
            "hv_vss_daemon.service",
            "hybrid-sleep.target",
            "i2pd.service",
            "iiod.service",
            "initrd.target",
            "initrd-cleanup.service",
            "initrd-fs.target",
            "initrd-parse-etc.service",
            "initrd-root-device.target",
            "initrd-root-fs.target",
            "initrd-switch-root.service",
            "initrd-switch-root.target",
            "initrd-udevadm-cleanup-db.service",
            "initrd-usr-fs.target",
            "integritysetup.target",
            "integritysetup-pre.target",
            "iodined.service",
            "iodined.socket",
            "ip2clued.service",
            "ip6tables.service",
            "ipmidetectd.service",
            "ipmiseld.service",
            "iptables.service",
            "iscsi.service",
            "iscsi-init.service",
            "iscsid.service",
            "iscsid.socket",
            "iscsiuio.service",
            "iscsiuio.socket",
            "isnsd.service",
            "isnsd.socket",
            "iwd.service",
            "kcptun-server@.service",
            "kcptun@.service",
            "kexec.target",
            "keyboxd@.service",
            "keyboxd@.socket",
            "kmod-static-nodes.service",
            "krb5-kadmind.service",
            "krb5-kdc.service",
            "krb5-kpropd.service",
            "krb5-kpropd.socket",
            "krb5-kpropd@.service",
            "lastlog2-import.service",
            "ldconfig.service",
            "libvirt-guests.service",
            "libvirtd.service",
            "libvirtd.socket",
            "libvirtd-admin.socket",
            "libvirtd-ro.socket",
            "libvirtd-tcp.socket",
            "libvirtd-tls.socket",
            "lightdm.service",
            "lm_sensors.service",
            "local-fs.target",
            "local-fs-pre.target",
            "logrotate.service",
            "logrotate.timer",
            "lvm2-lvmpolld.service",
            "lvm2-lvmpolld.socket",
            "lvm2-monitor.service",
            "lxc.service",
            "lxc-auto.service",
            "lxc-monitord.service",
            "lxc-net.service",
            "lxc@.service",
            "lxdm.service",
            "ly.service",
            "lynis.service",
            "lynis.timer",
            "machine.slice",
            "machines.target",
            "man-db.service",
            "man-db.timer",
            "mariadb.service",
            "mariadb.socket",
            "mariadb-extra.socket",
            "mariadb-extra@.socket",
            "mariadb@.service",
            "mariadb@.socket",
            "mdadm-grow-continue@.service",
            "mdadm-last-resort@.service",
            "mdadm-last-resort@.timer",
            "mdcheck_continue.service",
            "mdcheck_continue.timer",
            "mdcheck_start.service",
            "mdcheck_start.timer",
            "mdmon@.service",
            "mdmonitor.service",
            "mdmonitor-oneshot.service",
            "mdmonitor-oneshot.timer",
            "memavaild.service",
            "mkinitcpio-generate-shutdown-ramfs.service",
            "modprobe@.service",
            "mongodb.service",
            "multi-user.target",
            "mysql.service",
            "mysqld.service",
            "named.service",
            "nbd.service",
            "nbd@.service",
            "ndctl-monitor.service",
            "neo4j.service",
            "netavark-dhcp-proxy.service",
            "netavark-dhcp-proxy.socket",
            "netdata.service",
            "network.target",
            "network-online.target",
            "network-pre.target",
            "nfs-blkmap.service",
            "nfs-client.target",
            "nfs-idmapd.service",
            "nfs-mountd.service",
            "nfs-server.service",
            "nfs-utils.service",
            "nfsdcld.service",
            "nfsv4-exportd.service",
            "nfsv4-server.service",
            "nftables.service",
            "nm-priv-helper.service",
            "nmb.service",
            "nohang.service",
            "nohang-desktop.service",
            "nscd.service",
            "nss-lookup.target",
            "nss-user-lookup.target",
            "ntpd.service",
            "ntpdate.service",
            "nvidia-hibernate.service",
            "nvidia-persistenced.service",
            "nvidia-powerd.service",
            "nvidia-resume.service",
            "nvidia-suspend.service",
            "nvmefc-boot-connections.service",
            "nvmf-autoconnect.service",
            "nvmf-connect.target",
            "nvmf-connect-nbft.service",
            "nvmf-connect@.service",
            "pacrunner.service",
            "ostree-boot-complete.service",
            "pacman-filesdb-refresh.timer",
            "pcscd.service",
            "passim.service",
            "pcscd.socket",
            "packagekit-offline-update.service",
            "phoronix-result-server.service",
            "paccache.timer",
            "plymouth-kexec.service",
            "pamac-cleancache.timer",
            "plymouth-quit.service",
            "partimaged.service",
            "plymouth-poweroff.service",
            "plymouth-read-write.service",
            "plymouth-quit-wait.service",
            "paccache.service",
            "plymouth-switch-root-initramfs.service",
            "ostree-remount.service",
            "plymouth-switch-root.service",
            "openvpn-client@.service",
            "podman-clean-transient.service",
            "pamac-offline-upgrade.service",
            "polkit.service",
            "postfix.service",
            "pam_namespace.service",
            "poweroff.target",
            "ppp@.service",
            "opensnitchd.service",
            "proc-fs-nfsd.mount",
            "proc-sys-fs-binfmt_misc.automount",
            "proc-sys-fs-binfmt_misc.mount",
            "phoromatic-server.service",
            "ptunnel.service",
            "openvpn-server@.service",
            "plymouth-halt.service",
            "pamac-cleancache.service",
            "plymouth-reboot.service",
            "ostree-state-overlay@.service",
            "ostree-finalize-staged.service",
            "postgresql.service",
            "phoromatic-client.service",
            "pamac-daemon.service",
            "pacman-filesdb-refresh.service",
            "packagekit.service",
            "pkgfile-update.service",
            "pkgfile-update.timer",
            "plymouth-start.service",
            "ostree-prepare-root.service",
            "ostree-finalize-staged.path",
            "privoxy.service",
            "ostree-finalize-staged-hold.service",
            "qemu-guest-agent.service",
            "quotaon.service",
            "quotaon-root.service",
            "quotaon@.service",
            "rabbitmq.service",
            "ras-mc-ctl.service",
            "rasdaemon.service",
            "rathole@.service",
            "ratholec@.service",
            "ratholes@.service",
            "rc-local.service",
            "rdnssd@.service",
            "reboot.target",
            "redis.service",
            "redis-sentinel.service",
            "reflector.service",
            "reflector.timer",
            "remote-cryptsetup.target",
            "remote-fs.target",
            "remote-fs-pre.target",
            "remote-veritysetup.target",
            "rescue.service",
            "rescue.target",
            "rfkill-block@.service",
            "rfkill-unblock@.service",
            "rlogin.socket",
            "rlogin@.service",
            "rpc-gssd.service",
            "rpc-statd.service",
            "rpc-statd-notify.service",
            "rpc_pipefs.target",
            "rpcbind.service",
            "rpcbind.socket",
            "rpcbind.target",
            "rsh.socket",
            "rsh@.service",
            "rsyncd.service",
            "rsyncd.socket",
            "rsyncd@.service",
            "rtkit-daemon.service",
            "runlevel0.target",
            "runlevel1.target",
            "runlevel2.target",
            "runlevel3.target",
            "runlevel4.target",
            "runlevel5.target",
            "runlevel6.target",
            "rwhod.service",
            "samba.service",
            "sddm.service",
            "seatd.service",
            "sensord.service",
            "serial-getty@.service",
            "shadow.service",
            "shadow.timer",
            "sigpwr.target",
            "slapd.service",
            "sleep.target",
            "slices.target",
            "smartd.service",
            "smb.service",
            "sndiod.service",
            "snmpd.service",
            "snmptrapd.service",
            "snort@.service",
            "snort@1000.service",
            "soft-reboot.target",
            "ssh-access.target",
            "sshd.service",
            "sshdgenkeys.service",
            "sshuttle.service",
            "sslh.service",
            "sslh-fork.service",
            "sslh-select.service",
            "storage-target-mode.target",
            "stunnel.service",
            "sudo_logsrvd.service",
            "suspend.target",
            "suspend-then-hibernate.target",
            "svnserve.service",
            "swap.target",
            "sys-fs-fuse-connections.mount",
            "sys-kernel-config.mount",
            "sys-kernel-debug.mount",
            "sys-kernel-tracing.mount",
            "sysinit.target",
            "syslog.socket",
            "system-systemd\\x2dcryptsetup.slice",
            "system-systemd\\x2dveritysetup.slice",
            "system-update.target",
            "system-update-cleanup.service",
            "system-update-pre.target",
            "systemd-ask-password-console.path",
            "systemd-ask-password-console.service",
            "systemd-ask-password-plymouth.path",
            "systemd-ask-password-plymouth.service",
            "systemd-ask-password-wall.path",
            "systemd-ask-password-wall.service",
            "systemd-backlight@.service",
            "systemd-battery-check.service",
            "systemd-binfmt.service",
            "systemd-bless-boot.service",
            "systemd-boot-check-no-failures.service",
            "systemd-boot-random-seed.service",
            "systemd-boot-update.service",
            "systemd-bootctl.socket",
            "systemd-bootctl@.service",
            "systemd-bsod.service",
            "systemd-confext.service",
            "systemd-coredump.socket",
            "systemd-coredump@.service",
            "systemd-creds.socket",
            "systemd-creds@.service",
            "systemd-firstboot.service",
            "systemd-fsck-root.service",
            "systemd-fsck@.service",
            "systemd-growfs-root.service",
            "systemd-growfs@.service",
            "systemd-halt.service",
            "systemd-hibernate.service",
            "systemd-hibernate-resume.service",
            "systemd-homed.service",
            "systemd-homed-activate.service",
            "systemd-homed-firstboot.service",
            "systemd-hostnamed.service",
            "systemd-hostnamed.socket",
            "systemd-hwdb-update.service",
            "systemd-hybrid-sleep.service",
            "systemd-importd.service",
            "systemd-initctl.service",
            "systemd-initctl.socket",
            "systemd-journal-catalog-update.service",
            "systemd-journal-flush.service",
            "systemd-journal-gatewayd.service",
            "systemd-journal-gatewayd.socket",
            "systemd-journal-remote.service",
            "systemd-journal-remote.socket",
            "systemd-journal-upload.service",
            "systemd-journald.service",
            "systemd-journald.socket",
            "systemd-journald-audit.socket",
            "systemd-journald-dev-log.socket",
            "systemd-journald-varlink@.socket",
            "systemd-journald@.service",
            "systemd-journald@.socket",
            "systemd-kexec.service",
            "systemd-localed.service",
            "systemd-logind.service",
            "systemd-machine-id-commit.service",
            "systemd-machined.service",
            "systemd-modules-load.service",
            "systemd-network-generator.service",
            "systemd-networkd.service",
            "systemd-networkd.socket",
            "systemd-networkd-persistent-storage.service",
            "systemd-networkd-wait-online.service",
            "systemd-networkd-wait-online@.service",
            "systemd-nspawn@.service",
            "systemd-oomd.service",
            "systemd-oomd.socket",
            "systemd-pcrextend.socket",
            "systemd-pcrextend@.service",
            "systemd-pcrfs-root.service",
            "systemd-pcrfs@.service",
            "systemd-pcrlock.socket",
            "systemd-pcrlock-file-system.service",
            "systemd-pcrlock-firmware-code.service",
            "systemd-pcrlock-firmware-config.service",
            "systemd-pcrlock-machine-id.service",
            "systemd-pcrlock-make-policy.service",
            "systemd-pcrlock-secureboot-authority.service",
            "systemd-pcrlock-secureboot-policy.service",
            "systemd-pcrlock@.service",
            "systemd-pcrmachine.service",
            "systemd-pcrphase.service",
            "systemd-pcrphase-initrd.service",
            "systemd-pcrphase-sysinit.service",
            "systemd-portabled.service",
            "systemd-poweroff.service",
            "systemd-pstore.service",
            "systemd-quotacheck.service",
            "systemd-quotacheck-root.service",
            "systemd-quotacheck@.service",
            "systemd-random-seed.service",
            "systemd-reboot.service",
            "systemd-remount-fs.service",
            "systemd-repart.service",
            "systemd-resolved.service",
            "systemd-rfkill.service",
            "systemd-rfkill.socket",
            "systemd-soft-reboot.service",
            "systemd-storagetm.service",
            "systemd-suspend.service",
            "systemd-suspend-then-hibernate.service",
            "systemd-sysctl.service",
            "systemd-sysext.service",
            "systemd-sysext.socket",
            "systemd-sysext@.service",
            "systemd-sysupdate.service",
            "systemd-sysupdate.timer",
            "systemd-sysupdate-reboot.service",
            "systemd-sysupdate-reboot.timer",
            "systemd-sysusers.service",
            "systemd-time-wait-sync.service",
            "systemd-timedated.service",
            "systemd-timesyncd.service",
            "systemd-tmpfiles-setup-dev.service",
            "systemd-tmpfiles-setup-dev-early.service",
            "systemd-tpm2-setup.service",
            "systemd-tpm2-setup-early.service",
            "systemd-udev-trigger.service",
            "systemd-udevd.service",
            "systemd-udevd-control.socket",
            "systemd-udevd-kernel.socket",
            "systemd-update-done.service",
            "systemd-update-utmp.service",
            "systemd-update-utmp-runlevel.service",
            "systemd-user-sessions.service",
            "systemd-userdbd.service",
            "systemd-userdbd.socket",
            "systemd-vconsole-setup.service",
            "systemd-vmspawn@.service",
            "systemd-volatile-root.service",
            "systemd-zram-setup@.service",
            "talk.service",
            "talk.socket",
            "teamd@.service",
            "telnet.socket",
            "telnet@.service",
            "time-set.target",
            "time-sync.target",
            "tinc.service",
            "tinc@.service",
            "tinyproxy.service",
            "tlp.service",
            "tmp.mount",
            "tor.service",
            "tpm2.target",
            "udisks2.service",
            "udp2raw@.service",
            "ufw.service",
            "uksmd.service",
            "umount.target",
            "unbound.service",
            "updatedb.service",
            "updatedb.timer",
            "upower.service",
            "usb-gadget.target",
            "usb_modeswitch@.service",
            "usbipd.service",
            "usbmuxd.service",
            "user.slice",
            "user-runtime-dir@.service",
            "user@.service",
            "uuidd.service",
            "uuidd.socket",
            "var-lib-machines.mount",
            "var-lib-nfs-rpc_pipefs.mount",
            "vboxdrmclient.path",
            "vboxdrmclient.service",
            "vboxservice.service",
            "veritysetup.target",
            "veritysetup-pre.target",
            "virt-guest-shutdown.target",
            "virtchd.service",
            "virtchd.socket",
            "virtchd-admin.socket",
            "virtchd-ro.socket",
            "virtinterfaced.service",
            "virtinterfaced.socket",
            "virtinterfaced-admin.socket",
            "virtinterfaced-ro.socket",
            "virtlockd.service",
            "virtlockd.socket",
            "virtlockd-admin.socket",
            "virtlogd.service",
            "virtlogd.socket",
            "virtlogd-admin.socket",
            "virtlxcd.service",
            "virtlxcd.socket",
            "virtlxcd-admin.socket",
            "virtlxcd-ro.socket",
            "virtnetworkd.service",
            "virtnetworkd.socket",
            "virtnetworkd-admin.socket",
            "virtnetworkd-ro.socket",
            "virtnodedevd.service",
            "virtnodedevd.socket",
            "virtnodedevd-admin.socket",
            "virtnodedevd-ro.socket",
            "virtnwfilterd.service",
            "virtnwfilterd.socket",
            "virtnwfilterd-admin.socket",
            "virtnwfilterd-ro.socket",
            "virtproxyd.service",
            "virtproxyd.socket",
            "virtproxyd-admin.socket",
            "virtproxyd-ro.socket",
            "virtproxyd-tcp.socket",
            "virtproxyd-tls.socket",
            "virtqemud.service",
            "virtqemud.socket",
            "virtqemud-admin.socket",
            "virtqemud-ro.socket",
            "virtsecretd.service",
            "virtsecretd.socket",
            "virtsecretd-admin.socket",
            "virtsecretd-ro.socket",
            "virtstoraged.service",
            "virtstoraged.socket",
            "virtstoraged-admin.socket",
            "virtstoraged-ro.socket",
            "virtvboxd.service",
            "virtvboxd.socket",
            "virtvboxd-admin.socket",
            "virtvboxd-ro.socket",
            "vmtoolsd.service",
            "vmware-vmblock-fuse.service",
            "vpnc@.service",
            "wacom-inputattach@.service",
            "wg-quick.target",
            "wg-quick@.service",
            "winbind.service",
            "wondershaper.service",
            "wpa_supplicant.service",
            "wpa_supplicant-nl80211@.service",
            "wpa_supplicant-wired@.service",
            "wpa_supplicant@.service",
            "xfs_scrub@.service",
            "xfs_scrub_all.service",
            "xfs_scrub_all.timer",
            "xfs_scrub_fail@.service",
            "xl2tpd.service",
            "xplico.service",
            "xrdp.service",
            "xrdp-sesman.service",
            "yate.service",
            "zfs.target",
            "zfs-import.service",
            "zfs-import.target",
            "zfs-import-cache.service",
            "zfs-import-scan.service",
            "zfs-load-key.service",
            "zfs-mount.service",
            "zfs-scrub-monthly@.timer",
            "zfs-scrub-weekly@.timer",
            "zfs-scrub@.service",
            "zfs-share.service",
            "zfs-trim-monthly@.timer",
            "zfs-trim-weekly@.timer",
            "zfs-trim@.service",
            "zfs-volume-wait.service",
            "zfs-volumes.target",
            "zfs-zed.service",
            "plymouth.conf",
            "gpg-agent-ssh@etc-pacman.d-gnupg.socket",
            "keyboxd@etc-pacman.d-gnupg.socket",
            "dirmngr@etc-pacman.d-gnupg.socket",
            "gpg-agent-browser@etc-pacman.d-gnupg.socket",
            "gpg-agent-extra@etc-pacman.d-gnupg.socket",
            "gpg-agent@etc-pacman.d-gnupg.socket",
            "https://hybrid-analysis.com/sample/ff42428f0fcc346cc56e2b00d4b5c4bd43b55f3465b4ccab0efba9c88f4a1c03/661da0b063c895fc2d0a78dc",
            "https://hybrid-analysis.com/sample/9613dee39157b5f9935436b36647047e267b7c10fa4c7ab1fd995db681e58c12/661da5b202eaca78740cf4ed",
            "https://hybrid-analysis.com/sample/479a0170df010c5eb742ff1b8740a2ccf381df44c8a919c95d6e38685278e78a/661da5c768340c1e25092cb2",
            "50-rc_keymap.conf",
            "10-defaults.conf",
            "10-login-barrier.conf",
            "20-systemd-userdb.conf",
            "20-systemd-ssh-proxy.conf",
            "iptables-flush",
            "cpupower",
            "chkboot-bootcheck",
            "10-root.conf",
            "30-root-verity-sig.conf",
            "20-root-verity.conf",
            "80-systemd-timesync.list",
            "80-6rd-tunnel.link",
            "80-container-ve.network",
            "80-container-vb.network",
            "80-container-vz.link",
            "80-6rd-tunnel.network",
            "80-container-vz.network",
            "80-auto-link-local.network.example",
            "80-ethernet.network.example",
            "80-container-host0.network",
            "80-iwd.link",
            "80-container-vb.link",
            "80-vm-vt.link",
            "80-vm-vt.network",
            "80-wifi-adhoc.network",
            "80-wifi-ap.network.example",
            "80-wifi-station.network.example",
            "80-container-ve.link",
            "89-ethernet.network.example",
            "99-default.link",
            "dbus-broker.catalog",
            "dbus-broker-launch.catalog",
            "systemd.be.catalog",
            "systemd.be@latin.catalog",
            "systemd.da.catalog",
            "systemd.bg.catalog",
            "systemd.hu.catalog",
            "systemd.catalog",
            "systemd.it.catalog",
            "systemd.fr.catalog",
            "systemd.ko.catalog",
            "systemd.hr.catalog",
            "systemd.pl.catalog",
            "systemd.pt_BR.catalog",
            "systemd.ru.catalog",
            "systemd.sr.catalog",
            "systemd.zh_CN.catalog",
            "systemd.de.catalog",
            "systemd.zh_TW.catalog",
            "expl_cve_2021_40444.yar"
          ],
          "public": 1,
          "adversary": "Chinese Speaking",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "RemainAfterExit",
              "display_name": "RemainAfterExit",
              "target": null
            },
            {
              "id": "NMBDOPTIONS",
              "display_name": "NMBDOPTIONS",
              "target": null
            },
            {
              "id": "SMBDOPTIONS",
              "display_name": "SMBDOPTIONS",
              "target": null
            },
            {
              "id": "SuccessAction",
              "display_name": "SuccessAction",
              "target": null
            },
            {
              "id": "WINBINDOPTIONS",
              "display_name": "WINBINDOPTIONS",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1205",
              "name": "Traffic Signaling",
              "display_name": "T1205 - Traffic Signaling"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "T1569",
              "name": "System Services",
              "display_name": "T1569 - System Services"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "661db37bf549518bf6f7f377",
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 123,
            "YARA": 16,
            "CVE": 4,
            "FileHash-SHA1": 25,
            "FileHash-SHA256": 20,
            "domain": 102,
            "URL": 16,
            "email": 9,
            "hostname": 4,
            "CIDR": 2
          },
          "indicator_count": 321,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "3 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "698e93e1ab02db8c49e8c3ed",
          "name": "\u201cBroken Seal\u201d DocuSign-themed Delivery with Fileless Process Hollowing (Zeppelin/Bloat-A)",
          "description": "Forensic analysis indicates a DocuSign-themed phishing campaign using a deliberately invalid X.509 PKI seal (\u201cBroken Seal\u201d) to trigger fail-open verification logic in automated handlers. The delivery mechanism bypasses Secure Email Gateway (SEG) reputation checks by using encrypted channels and human-gated infrastructure. The payload is a fileless Process Hollowing (RunPE) malware that injects into RWX memory of legitimate processes to evade disk-based EDR.",
          "modified": "2026-05-17T15:52:35.396000",
          "created": "2026-02-13T03:00:49.872000",
          "tags": [
            "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi",
            "9698f46495ce9401c8bcaf9a2afe1598",
            "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)",
            "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71",
            "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3",
            "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link",
            "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)"
          ],
          "references": [
            "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
            "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
            "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
            "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
            "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
            "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
            "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
            "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
            "Verification failure observed in automated verification handlers during sandbox replay.",
            "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
            "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
            "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
            "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
            "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
            "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
            "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
            "Whitelisted IP Address 204.79.197.212 Location  United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. ,  ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc.,   Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 ,  5943 ,  80211 ,  #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf ,  The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
            "",
            "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr",
            "My Independent research finds an intersect between different pdf DV versions being able to connect to Raspberry Pi devices as it was the FCC application document. Risk: Mac ID connectivity to all."
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "China",
            "United States of America",
            "Spain",
            "Japan",
            "Canada"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 14,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 28000,
            "FileHash-SHA256": 48374,
            "FileHash-MD5": 42596,
            "FileHash-SHA1": 23243,
            "hostname": 35654,
            "URL": 75758,
            "SSLCertFingerprint": 30,
            "CVE": 7585,
            "email": 316,
            "FileHash-IMPHASH": 8,
            "CIDR": 26205,
            "JA3": 1,
            "URI": 5,
            "IPv4": 574,
            "Mutex": 1
          },
          "indicator_count": 288350,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 92,
          "modified_text": "13 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69b097820c1d5791c2e6db33",
          "name": "CAPE Sandbox - Evil MALWARE",
          "description": "",
          "modified": "2026-04-09T22:03:39.319000",
          "created": "2026-03-10T22:13:22.655000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 109,
            "FileHash-MD5": 284,
            "FileHash-SHA1": 299,
            "FileHash-SHA256": 242,
            "domain": 16,
            "email": 2,
            "hostname": 61
          },
          "indicator_count": 1013,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "51 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69bf64e1d5e06aa6207f78de",
          "name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos",
          "description": "",
          "modified": "2026-03-27T00:30:39.055000",
          "created": "2026-03-22T03:41:21.863000",
          "tags": [
            "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi",
            "9698f46495ce9401c8bcaf9a2afe1598",
            "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)",
            "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71",
            "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3",
            "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link",
            "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)"
          ],
          "references": [
            "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
            "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
            "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
            "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
            "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
            "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
            "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
            "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
            "Verification failure observed in automated verification handlers during sandbox replay.",
            "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
            "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
            "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
            "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
            "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
            "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
            "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
            "Whitelisted IP Address 204.79.197.212 Location  United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. ,  ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc.,   Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 ,  5943 ,  80211 ,  #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf ,  The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
            "",
            "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "China",
            "United States of America",
            "Spain",
            "Japan",
            "Canada"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In"
          ],
          "TLP": "green",
          "cloned_from": "698e93e1ab02db8c49e8c3ed",
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 27572,
            "FileHash-SHA256": 46076,
            "FileHash-MD5": 42177,
            "FileHash-SHA1": 22874,
            "hostname": 33438,
            "URL": 74810,
            "SSLCertFingerprint": 21,
            "CVE": 7579,
            "email": 297,
            "FileHash-IMPHASH": 8,
            "CIDR": 26203,
            "JA3": 1
          },
          "indicator_count": 281056,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 149,
          "modified_text": "65 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69bf64eccb5d39a90a3c391e",
          "name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos",
          "description": "",
          "modified": "2026-03-27T00:30:39.055000",
          "created": "2026-03-22T03:41:32.565000",
          "tags": [
            "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi",
            "9698f46495ce9401c8bcaf9a2afe1598",
            "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)",
            "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71",
            "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3",
            "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link",
            "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)"
          ],
          "references": [
            "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
            "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
            "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
            "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
            "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
            "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
            "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
            "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
            "Verification failure observed in automated verification handlers during sandbox replay.",
            "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
            "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
            "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
            "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
            "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
            "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
            "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
            "Whitelisted IP Address 204.79.197.212 Location  United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. ,  ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc.,   Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 ,  5943 ,  80211 ,  #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf ,  The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
            "",
            "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "China",
            "United States of America",
            "Spain",
            "Japan",
            "Canada"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In"
          ],
          "TLP": "green",
          "cloned_from": "698e93e1ab02db8c49e8c3ed",
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 27572,
            "FileHash-SHA256": 46076,
            "FileHash-MD5": 42177,
            "FileHash-SHA1": 22874,
            "hostname": 33438,
            "URL": 74810,
            "SSLCertFingerprint": 21,
            "CVE": 7579,
            "email": 297,
            "FileHash-IMPHASH": 8,
            "CIDR": 26203,
            "JA3": 1
          },
          "indicator_count": 281056,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 152,
          "modified_text": "65 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "661db37bf549518bf6f7f377",
          "name": "Backup from 03-28-24 - Systemd dump, malicious ssh and sshd files, libsystemd-vore libsystemd-shared plus supporting php files",
            "description": "Ignoring the yara and eicar files - I was able to recover a partition used for backups from 03/25/24-03/29/24, the day of the XZ supply chain disclosure. This is a preliminary dump with accompanying analysis and SHA1 and SHA256 hashes of my /usr/lib/systemd directory, which housed multiple suspect ssh sub directories plus malicious libsystemd-shared and libsystemd-core binaries, and all supporting config, dev, service, and binaries. Dig in.",
          "modified": "2024-04-23T14:28:30.317000",
          "created": "2024-04-15T23:08:43.746000",
          "tags": [
            "fireeye",
            "copyright",
            "base64",
            "dotnettojscript",
            "gadgettojscript",
            "invokeclient",
            "invokeserver",
            "readhost enter",
            "command",
            "roth",
            "nextron",
            "sandworm",
            "detects ssh",
            "grant all",
            "privileges on",
            "to mysqldb",
            "create user",
            "g root",
            "sandworm python",
            "import",
            "phpsploit",
            "host",
            "user",
            "pass",
            "error",
            "establish",
            "pecl oci8",
            "connstr",
            "charset",
            "false",
            "miner",
            "texthtml",
            "module",
            "send custom",
            "swissky",
            "class",
            "serviceip",
            "serviceport",
            "servicedata",
            "e binsh",
            "init",
            "service port",
            "detects",
            "cve202140444",
            "target",
            "targetmode",
            "jeremy brown",
            "windows cve",
            "ms office",
            "modified rule",
            "rperm",
            "wperm",
            "pathsep",
            "string",
            "rwxrxrx",
            "file types",
            "unix",
            "login",
            "autentication",
            "disable",
            "ldapconnect",
            "version",
            "authentication",
            "ldaplist",
            "null",
            "pathelems",
            "execute",
            "backdoor",
            "kingdee oa",
            "yunxingkong",
            "b6oa",
            "code execution",
            "kingdee cloud",
            "starry sky",
            "otherwise",
            "file",
            "setsmartdate",
            "fread",
            "name",
            "force",
            "base64decode",
            "data",
            "substr",
            "array",
            "readdir",
            "getowner",
            "getgroup",
            "getsize",
            "force option",
            "fwrite",
            "permission",
            "check",
            "mode",
            "diraccess",
            "fileaccess",
            "realpath",
            "stat",
            "immutable",
            "posixgetpwuid",
            "posixgetgrgid",
            "explode",
            "etcpasswd",
            "glob",
            "globonlydir",
            "oraclelogin",
            "port",
            "servicename",
            "connector",
            "base",
            "query type",
            "mssqlfetcharray",
            "mssqlassoc",
            "solsocket",
            "timeout",
            "range",
            "portmin",
            "portmax",
            "socketcreate",
            "afinet",
            "sockstream",
            "open",
            "type",
            "true",
            "tcp connection",
            "tcp shell",
            "input",
            "lhost",
            "netcat",
            "lport",
            "shell",
            "dllimport",
            "python",
            "back",
            "fore",
            "pfinet",
            "stdout",
            "this",
            "win32",
            "ldapsearch",
            "select",
            "mysqliassoc",
            "select database",
            "send",
            "newfile",
            "dns stub",
            "third party",
            "see man",
            "exit",
            "o pipefail",
            "v systemctl",
            "devnull",
            "unknown verb",
            "license",
            "gnu lesser",
            "general public",
            "free software",
            "foundation",
            "unit",
            "slice",
            "cpuweight100",
            "tasks slice",
            "cpuweight30",
            "capev2",
            "cape",
            "cuckoo web",
            "setup",
            "grep",
            "limitnofile",
            "install",
            "return",
            "execstart",
            "start",
            "descriptionrun",
            "timer",
            "oncalendardaily",
            "service",
            "prevent rate",
            "delay start",
            "m poetry",
            "sigkill",
            "descriptioncape",
            "ef usercape",
            "g cape",
            "allowisolateyes",
            "typedbus",
            "socket",
            "message bus",
            "listenstream",
            "typenotify",
            "descriptionuser",
            "harald sitter",
            "sitter",
            "kcrash",
            "drkonqi",
            "acceptyes",
            "disable trigger",
            "todo",
            "prevents",
            "path",
            "pathexistsglob",
            "runtimemaxsec31",
            "runtimemaxsec30",
            "restartno",
            "descriptionexit",
            "environmentfile",
            "otheropts",
            "soundfont",
            "descriptiongcr",
            "sshauthsock",
            "descriptionglib",
            "priority6",
            "killmodeprocess",
            "proxy",
            "socketmode0600",
            "apache software",
            "notice file",
            "apache license",
            "unless",
            "as is",
            "basis",
            "or conditions",
            "apple file",
            "conduit monitor",
            "descriptionjack",
            "jackoptions d",
            "driver d",
            "device",
            "media transfer",
            "indexer daemon",
            "memory",
            "memoryhigh512m",
            "system sockets",
            "a user",
            "conditionuser",
            "dbus menus",
            "plasma",
            "phase",
            "workspace core",
            "exit status",
            "x11 connection",
            "timeoutstopsec5",
            "disable restart",
            "timeoutsec40sec",
            "typeoneshot",
            "david edmundson",
            "davidedmundson",
            "osd service",
            "portal",
            "auto restart",
            "dbus",
            "xembed system",
            "logging system",
            "socketmode0660",
            "all containers",
            "restart policy",
            "logging start",
            "execstopbinsh c",
            "logging",
            "x11 plugins",
            "session slice",
            "typeforking",
            "etc userroot",
            "grouproot",
            "onbootsec15min",
            "place",
            "temporary",
            "volatile files",
            "thunar",
            "session manager",
            "wireplumber",
            "service file",
            "xdg autostart",
            "user dir",
            "descriptionxfce",
            "sandbox",
            "malware",
            "analysis",
            "online",
            "submit",
            "vxstream",
            "sample",
            "download",
            "trojan",
            "apt",
            "memoryfile scan",
            "ansi",
            "bpf program",
            "indicator",
            "bpf firewalling",
            "pcap",
            "pcap processing",
            "bpffallowmulti",
            "bpf device",
            "date",
            "suspicious",
            "hybrid",
            "crypto",
            "close",
            "click",
            "april",
            "strings",
            "february",
            "middle",
            "exploit",
            "gameover",
            "contact",
            "scope",
            "thomas koch",
            "gpl v2",
            "imsm",
            "ibftruledir",
            "ibftrules",
            "attr",
            "systemd rule",
            "hannes reinecke",
            "suse labs",
            "ipibft",
            "interface",
            "kernel",
            "configfile",
            "typesimple",
            "apparmor",
            "grouparchaudit",
            "hardening",
            "umask077",
            "persistenttrue",
            "enable debug",
            "networkmanager",
            "trace",
            "wait online",
            "edit",
            "note",
            "reload",
            "capdacoverride",
            "dhcp etc",
            "mdadmscan",
            "mdadmdelay",
            "mdadmmail",
            "mdadmprogram",
            "mdadmconfig",
            "mdadmsendmail",
            "p runsysconfig",
            "userroot",
            "sssd",
            "write access",
            "needed sometime",
            "statedirectory",
            "accountsservice",
            "varloglastlog",
            "bridge daemon",
            "alsa card",
            "card state",
            "required",
            "another auto",
            "nice daemon",
            "memorymax64m",
            "filter system",
            "mount",
            "reboot",
            "clock",
            "logging service",
            "requires",
            "before",
            "please",
            "exit codes",
            "proc",
            "descriptionruns",
            "execstartsh c",
            "switchtoggle",
            "ignoreonisolate",
            "term typeidle",
            "without",
            "any warranty",
            "merchantability",
            "fitness",
            "a particular",
            "vartmp",
            "wants type",
            "preparation",
            "watchdogsec10",
            "filesystem",
            "timer daemon",
            "options",
            "environment",
            "prevent",
            "readwritepaths",
            "security",
            "certain",
            "protectsystem",
            "bindpaths",
            "lower cpu",
            "nice19",
            "manager",
            "userc",
            "celerydnodes",
            "info",
            "chaddevops",
            "aaron brighton",
            "clam antivirus",
            "jon kriel",
            "distribution",
            "script",
            "sanesecurity",
            "securiteinfo",
            "malwarepatrol",
            "oitc",
            "file location",
            "remember",
            "typeexec user",
            "9 cntlm",
            "generate color",
            "profiles",
            "removeipctrue",
            "devpts",
            "authors",
            "any kind",
            "usercouchdb",
            "restartsec5",
            "volumes",
            "server socket",
            "user209",
            "daemon",
            "darkstatiface",
            "reloadconfig",
            "watchdogsec3min",
            "privatetmpyes",
            "protectproc",
            "increase",
            "descriptiontime",
            "date service",
            "debugging only",
            "ignoresigpipeno",
            "unset locale",
            "file system",
            "queue file",
            "whatmqueue",
            "optionsnosuid",
            "pf rundhclient",
            "rate",
            "requiresdirmngr",
            "capfowner",
            "capsetpcap",
            "dhcp",
            "dns server",
            "startlimit",
            "limits",
            "delegateyes",
            "descriptionpass",
            "runtimemaxsec5",
            "mountain",
            "metadata check",
            "all filesystems",
            "online metadata",
            "sunday",
            "oncalendarsun",
            "online ext4",
            "sigterm signal",
            "java process",
            "piddir",
            "standardoutput",
            "elasticsearch",
            "limitnproc4096",
            "limitasinfinity",
            "sendsighupyes",
            "mapper daemon",
            "mainpid",
            "quit",
            "listenstream79",
            "radius server",
            "d etcraddb",
            "protecthomeon",
            "default",
            "systemservice",
            "efiefi bootefi",
            "afinet afinet6",
            "afunix afinet",
            "oncalendar 0000",
            "privatetmptrue",
            "geoip legacy",
            "geoip2",
            "instance",
            "usergit",
            "scdconfig",
            "notice",
            "devinputmice t",
            "descriptiongps",
            "system",
            "sock refclock",
            "gpsdoptions",
            "devices",
            "daemon sockets",
            "2947",
            "bindipv6onlyyes",
            "usbauto",
            "usrbingpsdctl",
            "gps daemon",
            "afterdev",
            "gvmddata",
            "varlibgssproxy",
            "nonewprivileges",
            "privatetmp",
            "protecthome",
            "ieee",
            "etchostapd",
            "killmodemixed",
            "fcopy",
            "uncomment",
            "use sigterm",
            "sigkill i2pd",
            "sendsigkillyes",
            "limitnofile8192",
            "systemd",
            "analog",
            "shutting down",
            "iodineextip p",
            "iodineport p",
            "iodineuser",
            "tunip",
            "topdomain",
            "guessmainpidyes",
            "m node",
            "wants",
            "initiatorname",
            "io driver",
            "typeexec",
            "c etckcptun",
            "usernobody",
            "requireskeyboxd",
            "static device",
            "nofork",
            "restartalways",
            "linker cache",
            "hack",
            "use wants",
            "raise",
            "tasksmax",
            "tasksmax32768",
            "limitmemlock64m",
            "removeonstopyes",
            "ip socket",
            "tls ip",
            "conflictsgetty",
            "aftergetty",
            "busmodules",
            "qabr",
            "hwmonmodules",
            "local file",
            "privatenetwork",
            "lvm2",
            "initialization",
            "autoboot code",
            "s delegatetrue",
            "description",
            "pidfilerunlxc",
            "lynis service",
            "adjust path",
            "lynis binary",
            "lynis timer",
            "tell systemd",
            "lynis security",
            "persistentfalse",
            "container slice",
            "recover",
            "varcacheman",
            "regenerate man",
            "userroot nice19",
            "mysqldopts",
            "mysqldsafe",
            "timezone",
            "core",
            "restart",
            "users",
            "backlog150",
            "listenstreams",
            "servicemariadb",
            "mechanism",
            "mariadb",
            "multi instance",
            "variables",
            "bindirmdadm",
            "gnu general",
            "public license",
            "reshape",
            "onactivesec30",
            "oncalendar",
            "wantedby",
            "monitor",
            "allow mdmon",
            "takeover",
            "k none",
            "c devnull",
            "d runinitramfs",
            "p runmongodb",
            "limitnproc32000",
            "limitmemlock5",
            "device server",
            "requiredbydev",
            "d dev",
            "descriptionreal",
            "extraopts",
            "restartsec30",
            "valid",
            "fifo",
            "priority",
            "batch",
            "nice0",
            "partof",
            "tracking daemon",
            "helper",
            "for testing",
            "only",
            "restrict",
            "grant",
            "capsysptrace",
            "capkill",
            "capipclock",
            "environ",
            "capsysresource",
            "capsyslog",
            "descriptionname",
            "service cache",
            "sysvlsb",
            "descriptionhost",
            "network name",
            "group name",
            "u ntp",
            "time service",
            "t hibernate",
            "software",
            "other",
            "the software",
            "daemon init",
            "software is",
            "provided",
            "fcnvme",
            "wantsmodprobe",
            "aftermodprobe",
            "descriptionall",
            "nbft",
            "nvmeof",
            "connectargs",
            "unit file",
            "descriptionnvmf",
            "red hat",
            "without any",
            "warranty",
            "card daemon",
            "socketmode0666",
            "suite result",
            "kexec screen",
            "oncalendarsat",
            "boot screen",
            "timeoutsec20",
            "power off",
            "runtime data",
            "descriptionhold",
            "timeoutsec0",
            "sandboxing",
            "execstop",
            "colin walters",
            "upgrade",
            "upgrade output",
            "umask0077",
            "transport agent",
            "descriptionmake",
            "descriptionppp",
            "whatnfsd",
            "file formats",
            "automount point",
            "automount",
            "setuid nobody",
            "setgid nobody",
            "setcon",
            "syslog",
            "restartonabort",
            "halt screen",
            "reboot screen",
            "pgroot",
            "postgresql",
            "oom killer",
            "additional",
            "fy nice19",
            "endless os",
            "foundation llc",
            "restartsec0",
            "system quotas",
            "rabbitmq",
            "protecthometrue",
            "etcrathole",
            "guessmainpidno",
            "h etcrdnssd",
            "reflector",
            "afinet6 afunix",
            "umask177",
            "remote file",
            "nfs client",
            "nfsv23 locking",
            "make sure",
            "rpc netconfig",
            "descriptionfast",
            "using ssh",
            "so let",
            "boot",
            "realtimekit",
            "rwhodopts",
            "display manager",
            "specify",
            "interval l",
            "loginterval f",
            "bindstodev",
            "always",
            "usrbingrpck r",
            "slapdoptions",
            "u ldap",
            "slapdurls",
            "smart",
            "pciusb",
            "midi",
            "daemonopts",
            "snmp",
            "trap daemon",
            "g snort",
            "descriptionsudo",
            "hibernate",
            "svnserveargs",
            "whatfusectl",
            "whatconfigfs",
            "whatdebugfs",
            "whattracefs",
            "best way",
            "see https",
            "units service",
            "service slice",
            "offline system",
            "update",
            "wall directory",
            "timeoutsec90s",
            "descriptionmark",
            "current boot",
            "loader entry",
            "any system",
            "units",
            "loader random",
            "loader update",
            "service socket",
            "dump socket",
            "optionally",
            "root device",
            "afalg afinet",
            "execstophomectl",
            "home area",
            "named pipe",
            "sink service",
            "sink socket",
            "upload service",
            "dynamicuseryes",
            "sigkilled",
            "devlog",
            "timestampingus",
            "namespace",
            "sendbuffer8m",
            "kernel command",
            "netlink socket",
            "storage",
            "descriptionwait",
            "network",
            "make",
            "deviceallow",
            "reserve",
            "killer socket",
            "root file",
            "measurement",
            "pcr policy",
            "tpm pcr",
            "code",
            "configuration",
            "machine id",
            "barrier",
            "quota check",
            "system quota",
            "after",
            "random seed",
            "kernel file",
            "gpt partition",
            "kill switch",
            "nvmetcp",
            "trigger",
            "saturday",
            "persistentyes",
            "system update",
            "kernel time",
            "capsystime",
            "ntp service",
            "turn",
            "files",
            "device nodes",
            "srk setup",
            "device events",
            "bootshutdown",
            "change",
            "manager socket",
            "descriptiontinc",
            "proxy server",
            "linrunner",
            "descriptiontlp",
            "tor service",
            "f etctortorrc",
            "tpm device",
            "descriptionudp",
            "tcpicmpudp",
            "etcudp2raw",
            "debug",
            "swap",
            "api file",
            "privatedevices",
            "home",
            "root",
            "runuser",
            "linux control",
            "groups",
            "group",
            "afnetlink",
            "locked memory",
            "limitmemlock0",
            "usb gadget",
            "apple",
            "sliceuser",
            "descriptionuuid",
            "compatibility",
            "typerpcpipefs",
            "vmsvga",
            "hypervisor",
            "usr1",
            "mgmt appuser",
            "dac permission",
            "selinux",
            "xxx someone",
            "qemu",
            "machine tools",
            "vmware tools",
            "pidfilerunvpnc",
            "wacom",
            "iface d",
            "dspeed u",
            "iface",
            "descriptionwpa",
            "oracle",
            "reserved",
            "wong",
            "emailaddr",
            "tunnel protocol",
            "l2tp",
            "isps",
            "russia use",
            "ipsec",
            "d optxplico",
            "b sqlite",
            "descriptionxrdp",
            "xrdpoptions",
            "process",
            "sesmanoptions",
            "zpoolimportopts",
            "an o",
            "t scrub",
            "usrbinzpool",
            "zfs volume",
            "descriptionzfs",
            "f restartalways",
            "remainafterexit",
            "nmbdoptions",
            "smbdoptions",
            "successaction",
            "winbindoptions",
            "ck id",
            "hybrid analysis",
            "mitre att",
            "malicious",
            "sdshared ansi",
            "default und",
            "func global",
            "func local",
            "object local",
            "general",
            "show technique",
            "ck matrix",
            "tasksmax33",
            "empty file",
            "proxycommand",
            "checkhostip",
            "afunix",
            "afvsock",
            "allow",
            "r table",
            "chkbootcheck",
            "gplv2 source",
            "chkbootstyles",
            "etcissue",
            "partition",
            "minimizebest",
            "mit no",
            "match",
            "link",
            "namepolicykeep",
            "ethernet link",
            "kindveth nameve",
            "kindveth namevb",
            "keepmasteryes",
            "dhcpv4",
            "kindsit name6rd",
            "ipv4ll",
            "ipv6ll",
            "dhcpipv6ra",
            "dhcpv6",
            "typeether",
            "dhcpyes",
            "usetimezoneyes",
            "typewlan",
            "tuntap",
            "natdhcp",
            "kindtun namevt",
            "kind",
            "originalname",
            "definedby",
            "peer",
            "sopeergroups",
            "dbus protocol",
            "dbus name",
            "exec",
            "hup signal",
            "sighup",
            "dnssec",
            "sessionid",
            "seatid",
            "sleep",
            "leader",
            "jobresult",
            "coredumppid",
            "coredumpcomm",
            "junit",
            "na zapusk",
            "mikrasiekund",
            "enhed",
            "mikrosekunder",
            "opstart",
            "jobid",
            "a rendszer",
            "ezredmsodpercet",
            "a rendszernapl",
            "user manager",
            "smack",
            "lunit",
            "stato",
            "il processo",
            "il sistema",
            "stata",
            "le processus",
            "notez que",
            "jedinica",
            "zapamtite da",
            "nova",
            "jednostka",
            "prosz zauway",
            "zwykle wskazuje",
            "jest",
            "o processo",
            "processo",
            "isso",
            "inicializao",
            "journal",
            "sizelimit",
            "userid",
            "prozess",
            "speicherabbild",
            "hinweis auf",
            "programmfehler",
            "fehler dem",
            "die systemzeit",
            "realtime"
          ],
          "references": [
            "Hunting_B64Engine_DotNetToJScript_Dos.yar",
            "APT_Backdoor_PS1_BASICPIPESHELL_1.yar",
            "apt_sandworm_exim_expl.yar.002",
            "apt_sandworm_exim_expl.yar.001",
            "apt_sandworm_exim_expl.yar",
            "connect.php",
            "connect.php.002",
            "connect.php.001",
            "crypto-miner.js",
            "eicar",
            "eicar.001",
            "eicar.002",
            "custom.py",
            "eicar.txt",
            "expl_cve_2021_40444.yar.001",
            "expl_cve_2021_40444.yar.002",
            "getPerms.php",
            "input.pcap",
            "list.php",
            "parent.php",
            "payload.php",
            "payload.php.001",
            "kingdee-erp-rce.yaml",
            "payload.php.003",
            "payload.php.002",
            "payload.php.004",
            "payload.php.005",
            "payload.php.006",
            "payload.php.007",
            "payload.php.008",
            "payload.php.010",
            "payload.php.011",
            "payload.php.009",
            "payload.php.012",
            "payload.php.013",
            "payload.php.015",
            "payload.php.016",
            "payload.php.017",
            "reverse_tcp.py",
            "scanner.php",
            "search.php",
            "setdb.php",
            "payload.php.014",
            "setdb.php.001",
            "reader.php",
            "single.php",
            "resolv.conf",
            "systemd-update-helper",
            "90-systemd.preset",
            "60-flatpak",
            "app.slice",
            "background.slice",
            "README.md",
            "bluetooth.target",
            "basic.target",
            "borgmatic-user.timer",
            "borgmatic-user.service",
            "cape.service",
            "cape-dist.service",
            "cape-processor.service",
            "cape-rooter.service",
            "capsule@.target",
            "cape-web.service",
            "clash.service",
            "colord-session.service",
            "dbus.socket",
            "cape-fstab.service",
            "dbus.service",
            "dbus-broker.service",
            "dconf.service",
            "dirmngr.service",
            "default.target",
            "drkonqi-coredump-cleanup.service",
            "dirmngr.socket",
            "drkonqi-coredump-cleanup.timer",
            "drkonqi-coredump-launcher.socket",
            "drkonqi-sentry-postman.path",
            "drkonqi-coredump-pickup.service",
            "drkonqi-sentry-postman.service",
            "drkonqi-sentry-postman.timer",
            "drkonqi-coredump-launcher@.service",
            "dunst.service",
            "flatpak-oci-authenticator.service",
            "filter-chain.service",
            "exit.target",
            "flatpak-session-helper.service",
            "fluidsynth.service",
            "gcr-ssh-agent.socket",
            "flatpak-portal.service",
            "gcr-ssh-agent.service",
            "gnome-keyring-daemon.service",
            "glib-pacrunner.service",
            "gnome-keyring-daemon.socket",
            "gpg-agent-ssh.socket",
            "gnome-terminal-server.service",
            "gpg-agent-extra.socket",
            "gpg-agent.service",
            "gpg-agent.socket",
            "gpg-agent-browser.socket",
            "graphical-session-pre.target",
            "graphical-session.target",
            "gssuserproxy.socket",
            "guacd.service",
            "gvfs-gphoto2-volume-monitor.service",
            "gvfs-daemon.service",
            "gssuserproxy.service",
            "gvfs-afc-volume-monitor.service",
            "gvfs-metadata.service",
            "jack@.service",
            "guac-web.service",
            "gvfs-udisks2-volume-monitor.service",
            "gvfs-mtp-volume-monitor.service",
            "kde-baloo.service",
            "keyboxd.service",
            "kio-fuse.service",
            "keyboxd.socket",
            "p11-kit-server.service",
            "p11-kit-server.socket",
            "paths.target",
            "pipewire.socket",
            "pipewire-pulse.service",
            "plasma-gmenudbusmenuproxy.service",
            "pipewire-pulse.socket",
            "plasma-baloorunner.service",
            "plasma-kcminit.service",
            "plasma-dolphin.service",
            "plasma-kcminit-phase1.service",
            "plasma-core.target",
            "plasma-kded.service",
            "pipewire.service",
            "plasma-kded6.service",
            "plasma-kglobalaccel.service",
            "at-spi-dbus-bus.service",
            "plasma-krunner.service",
            "plasma-kscreen.service",
            "plasma-kscreen-osd.service",
            "plasma-ksmserver.service",
            "plasma-ksplash.service",
            "plasma-ksplash-ready.service",
            "plasma-ksystemstats.service",
            "plasma-kwallet-pam.service",
            "plasma-kwin_wayland.service",
            "plasma-kwin_x11.service",
            "plasma-plasmashell.service",
            "plasma-polkit-agent.service",
            "plasma-powerdevil.service",
            "plasma-powerprofile-osd.service",
            "plasma-restoresession.service",
            "plasma-workspace.target",
            "plasma-workspace-wayland.target",
            "plasma-workspace-x11.target",
            "plasma-xdg-desktop-portal-kde.service",
            "plasma-xembedsniproxy.service",
            "podman.service",
            "podman.socket",
            "podman-auto-update.service",
            "podman-auto-update.timer",
            "podman-kube@.service",
            "podman-restart.service",
            "printer.target",
            "pulseaudio.service",
            "pulseaudio.socket",
            "pulseaudio-x11.service",
            "session.slice",
            "shutdown.target",
            "smartcard.target",
            "sockets.target",
            "sound.target",
            "ssh-agent.service",
            "suricata.service",
            "suricata-update.service",
            "suricata-update.timer",
            "systemd-exit.service",
            "systemd-tmpfiles-clean.service",
            "systemd-tmpfiles-clean.timer",
            "systemd-tmpfiles-setup.service",
            "thunar.service",
            "timers.target",
            "tracker-xdg-portal-3.service",
            "tumblerd.service",
            "wireplumber.service",
            "wireplumber@.service",
            "xdg-desktop-autostart.target",
            "xdg-desktop-portal.service",
            "xdg-desktop-portal-gtk.service",
            "xdg-desktop-portal-hyprland.service",
            "xdg-desktop-portal-rewrite-launchers.service",
            "xdg-desktop-portal-xapp.service",
            "xdg-permission-store.service",
            "xdg-user-dirs-update.service",
            "xfce4-notifyd.service",
            "xsettingsd.service",
            "xdg-document-portal.service",
            "https://hybrid-analysis.com/sample/b1a9e5be43c028442c07071e202f44f33e3a2df167822c5cfed8f998e01fe169/661da09794b343782806018e",
            "defaults.conf",
            "apparmor.conf",
            "nvidia",
            "tlp",
            "fwupd.shutdown",
            "mdadm.shutdown",
            "99-default.preset",
            "50-zfs.preset",
            "ibft-rule-generator",
            "10-arch",
            "60-flatpak-system-only",
            "3proxy.service",
            "apache-tika.service",
            "apparmor.service",
            "arch-audit.service",
            "arch-audit.timer",
            "NetworkManager-dispatcher.service",
            "NetworkManager-wait-online.service",
            "NetworkManager.service",
            "SUSE-mdadm_env.sh",
            "ModemManager.service",
            "3proxy.conf",
            "archlinux-keyring-wkd-sync.service",
            "adsl.service",
            "accounts-daemon.service",
            "adb.service",
            "alsa-restore.service",
            "alsa-state.service",
            "archlinux-keyring-wkd-sync.timer",
            "ananicy-cpp.service",
            "arcolinux-graphical-target.service",
            "atftpd.service",
            "audit-rules.service",
            "auditd.service",
            "auth-rpcgss-module.service",
            "autorandr.service",
            "autorandr-lid-listener.service",
            "autovt@.service",
            "avahi-daemon.service",
            "avahi-daemon.socket",
            "avahi-dnsconfd.service",
            "bettercap.service",
            "betterlockscreen@.service",
            "blk-availability.service",
            "blockdev@.target",
            "bluetooth.service",
            "bmc-watchdog.service",
            "bolt.service",
            "boot-complete.target",
            "borgmatic.service",
            "borgmatic.timer",
            "bpftune.service",
            "btrfs-scrub@.service",
            "btrfs-scrub@.timer",
            "canberra-system-bootup.service",
            "canberra-system-shutdown.service",
            "canberra-system-shutdown-reboot.service",
            "capsule.slice",
            "capsule@.service",
            "celery2@.service",
            "celery@.service",
            "chkboot.service",
            "clamav-clamonacc.service",
            "clamav-daemon.service",
            "clamav-daemon.socket",
            "clamav-freshclam.service",
            "clamav-freshclam-once.service",
            "clamav-freshclam-once.timer",
            "clamav-unofficial-sigs.service",
            "clamav-unofficial-sigs.timer",
            "clash@.service",
            "cntlm.service",
            "colord.service",
            "configure-printer@.service",
            "console-getty.service",
            "container-getty@.service",
            "containerd.service",
            "couchdb.service",
            "cpupower.service",
            "create_ap.service",
            "cronie.service",
            "cryptsetup.target",
            "cryptsetup-pre.target",
            "ctrl-alt-del.target",
            "cups.path",
            "cups.service",
            "cups.socket",
            "cups-lpd.socket",
            "cups-lpd@.service",
            "cxl-monitor.service",
            "darkstat.service",
            "daxdev-reconfigure@.service",
            "dbus-org.freedesktop.hostname1.service",
            "dbus-org.freedesktop.import1.service",
            "dbus-org.freedesktop.locale1.service",
            "dbus-org.freedesktop.login1.service",
            "dbus-org.freedesktop.machine1.service",
            "dbus-org.freedesktop.portable1.service",
            "dbus-org.freedesktop.timedate1.service",
            "debug-shell.service",
            "dev-hugepages.mount",
            "dev-mqueue.mount",
            "dhclient@.service",
            "dhcpd4.service",
            "dhcpd6.service",
            "dirmngr@.service",
            "dirmngr@.socket",
            "dm-event.service",
            "dm-event.socket",
            "dmraid.service",
            "dnscrypt-proxy.service",
            "dnsmasq.service",
            "docker.service",
            "docker.socket",
            "drkonqi-coredump-processor@.service",
            "e2scrub@.service",
            "e2scrub_all.service",
            "e2scrub_all.timer",
            "e2scrub_fail@.service",
            "e2scrub_reap.service",
            "ead.service",
            "elasticsearch.service",
            "elasticsearch-keystore.service",
            "elasticsearch-keystore@.service",
            "elasticsearch@.service",
            "emergency.service",
            "emergency.target",
            "epmd.service",
            "epmd.socket",
            "exabgp.service",
            "factory-reset.target",
            "fancontrol.service",
            "fastnetmon.service",
            "final.target",
            "finger.socket",
            "finger@.service",
            "first-boot-complete.target",
            "flatpak-system-helper.service",
            "freeradius.service",
            "fsidd.service",
            "fstrim.service",
            "fstrim.timer",
            "ftpd.service",
            "fwupd.service",
            "fwupd-offline-update.service",
            "fwupd-refresh.service",
            "fwupd-refresh.timer",
            "geoclue.service",
            "geoipupdate.service",
            "geoipupdate.timer",
            "getty.target",
            "getty-pre.target",
            "getty@.service",
            "git-daemon.socket",
            "git-daemon@.service",
            "gnupg-pkcs11-scd-proxy.service",
            "gpg-agent-browser@.socket",
            "gpg-agent-extra@.socket",
            "gpg-agent-ssh@.socket",
            "gpg-agent@.service",
            "gpg-agent@.socket",
            "gpm.path",
            "gpm.service",
            "gpsd.service",
            "gpsd.socket",
            "gpsdctl@.service",
            "graphical.target",
            "greenbone-certdata-sync.service",
            "greenbone-certdata-sync.timer",
            "greenbone-feed-sync.service",
            "greenbone-feed-sync.timer",
            "greenbone-nvt-sync.service",
            "greenbone-nvt-sync.timer",
            "greenbone-scapdata-sync.service",
            "greenbone-scapdata-sync.timer",
            "gssproxy.service",
            "gvmd.service",
            "halt.target",
            "healthd.service",
            "hibernate.target",
            "hostapd.service",
            "hostapd@.service",
            "httpd.service",
            "hv_fcopy_daemon.service",
            "hv_kvp_daemon.service",
            "hv_vss_daemon.service",
            "hybrid-sleep.target",
            "i2pd.service",
            "iiod.service",
            "initrd.target",
            "initrd-cleanup.service",
            "initrd-fs.target",
            "initrd-parse-etc.service",
            "initrd-root-device.target",
            "initrd-root-fs.target",
            "initrd-switch-root.service",
            "initrd-switch-root.target",
            "initrd-udevadm-cleanup-db.service",
            "initrd-usr-fs.target",
            "integritysetup.target",
            "integritysetup-pre.target",
            "iodined.service",
            "iodined.socket",
            "ip2clued.service",
            "ip6tables.service",
            "ipmidetectd.service",
            "ipmiseld.service",
            "iptables.service",
            "iscsi.service",
            "iscsi-init.service",
            "iscsid.service",
            "iscsid.socket",
            "iscsiuio.service",
            "iscsiuio.socket",
            "isnsd.service",
            "isnsd.socket",
            "iwd.service",
            "kcptun-server@.service",
            "kcptun@.service",
            "kexec.target",
            "keyboxd@.service",
            "keyboxd@.socket",
            "kmod-static-nodes.service",
            "krb5-kadmind.service",
            "krb5-kdc.service",
            "krb5-kpropd.service",
            "krb5-kpropd.socket",
            "krb5-kpropd@.service",
            "lastlog2-import.service",
            "ldconfig.service",
            "libvirt-guests.service",
            "libvirtd.service",
            "libvirtd.socket",
            "libvirtd-admin.socket",
            "libvirtd-ro.socket",
            "libvirtd-tcp.socket",
            "libvirtd-tls.socket",
            "lightdm.service",
            "lm_sensors.service",
            "local-fs.target",
            "local-fs-pre.target",
            "logrotate.service",
            "logrotate.timer",
            "lvm2-lvmpolld.service",
            "lvm2-lvmpolld.socket",
            "lvm2-monitor.service",
            "lxc.service",
            "lxc-auto.service",
            "lxc-monitord.service",
            "lxc-net.service",
            "lxc@.service",
            "lxdm.service",
            "ly.service",
            "lynis.service",
            "lynis.timer",
            "machine.slice",
            "machines.target",
            "man-db.service",
            "man-db.timer",
            "mariadb.service",
            "mariadb.socket",
            "mariadb-extra.socket",
            "mariadb-extra@.socket",
            "mariadb@.service",
            "mariadb@.socket",
            "mdadm-grow-continue@.service",
            "mdadm-last-resort@.service",
            "mdadm-last-resort@.timer",
            "mdcheck_continue.service",
            "mdcheck_continue.timer",
            "mdcheck_start.service",
            "mdcheck_start.timer",
            "mdmon@.service",
            "mdmonitor.service",
            "mdmonitor-oneshot.service",
            "mdmonitor-oneshot.timer",
            "memavaild.service",
            "mkinitcpio-generate-shutdown-ramfs.service",
            "modprobe@.service",
            "mongodb.service",
            "multi-user.target",
            "mysql.service",
            "mysqld.service",
            "named.service",
            "nbd.service",
            "nbd@.service",
            "ndctl-monitor.service",
            "neo4j.service",
            "netavark-dhcp-proxy.service",
            "netavark-dhcp-proxy.socket",
            "netdata.service",
            "network.target",
            "network-online.target",
            "network-pre.target",
            "nfs-blkmap.service",
            "nfs-client.target",
            "nfs-idmapd.service",
            "nfs-mountd.service",
            "nfs-server.service",
            "nfs-utils.service",
            "nfsdcld.service",
            "nfsv4-exportd.service",
            "nfsv4-server.service",
            "nftables.service",
            "nm-priv-helper.service",
            "nmb.service",
            "nohang.service",
            "nohang-desktop.service",
            "nscd.service",
            "nss-lookup.target",
            "nss-user-lookup.target",
            "ntpd.service",
            "ntpdate.service",
            "nvidia-hibernate.service",
            "nvidia-persistenced.service",
            "nvidia-powerd.service",
            "nvidia-resume.service",
            "nvidia-suspend.service",
            "nvmefc-boot-connections.service",
            "nvmf-autoconnect.service",
            "nvmf-connect.target",
            "nvmf-connect-nbft.service",
            "nvmf-connect@.service",
            "pacrunner.service",
            "ostree-boot-complete.service",
            "pacman-filesdb-refresh.timer",
            "pcscd.service",
            "passim.service",
            "pcscd.socket",
            "packagekit-offline-update.service",
            "phoronix-result-server.service",
            "paccache.timer",
            "plymouth-kexec.service",
            "pamac-cleancache.timer",
            "plymouth-quit.service",
            "partimaged.service",
            "plymouth-poweroff.service",
            "plymouth-read-write.service",
            "plymouth-quit-wait.service",
            "paccache.service",
            "plymouth-switch-root-initramfs.service",
            "ostree-remount.service",
            "plymouth-switch-root.service",
            "openvpn-client@.service",
            "podman-clean-transient.service",
            "pamac-offline-upgrade.service",
            "polkit.service",
            "postfix.service",
            "pam_namespace.service",
            "poweroff.target",
            "ppp@.service",
            "opensnitchd.service",
            "proc-fs-nfsd.mount",
            "proc-sys-fs-binfmt_misc.automount",
            "proc-sys-fs-binfmt_misc.mount",
            "phoromatic-server.service",
            "ptunnel.service",
            "openvpn-server@.service",
            "plymouth-halt.service",
            "pamac-cleancache.service",
            "plymouth-reboot.service",
            "ostree-state-overlay@.service",
            "ostree-finalize-staged.service",
            "postgresql.service",
            "phoromatic-client.service",
            "pamac-daemon.service",
            "pacman-filesdb-refresh.service",
            "packagekit.service",
            "pkgfile-update.service",
            "pkgfile-update.timer",
            "plymouth-start.service",
            "ostree-prepare-root.service",
            "ostree-finalize-staged.path",
            "privoxy.service",
            "ostree-finalize-staged-hold.service",
            "qemu-guest-agent.service",
            "quotaon.service",
            "quotaon-root.service",
            "quotaon@.service",
            "rabbitmq.service",
            "ras-mc-ctl.service",
            "rasdaemon.service",
            "rathole@.service",
            "ratholec@.service",
            "ratholes@.service",
            "rc-local.service",
            "rdnssd@.service",
            "reboot.target",
            "redis.service",
            "redis-sentinel.service",
            "reflector.service",
            "reflector.timer",
            "remote-cryptsetup.target",
            "remote-fs.target",
            "remote-fs-pre.target",
            "remote-veritysetup.target",
            "rescue.service",
            "rescue.target",
            "rfkill-block@.service",
            "rfkill-unblock@.service",
            "rlogin.socket",
            "rlogin@.service",
            "rpc-gssd.service",
            "rpc-statd.service",
            "rpc-statd-notify.service",
            "rpc_pipefs.target",
            "rpcbind.service",
            "rpcbind.socket",
            "rpcbind.target",
            "rsh.socket",
            "rsh@.service",
            "rsyncd.service",
            "rsyncd.socket",
            "rsyncd@.service",
            "rtkit-daemon.service",
            "runlevel0.target",
            "runlevel1.target",
            "runlevel2.target",
            "runlevel3.target",
            "runlevel4.target",
            "runlevel5.target",
            "runlevel6.target",
            "rwhod.service",
            "samba.service",
            "sddm.service",
            "seatd.service",
            "sensord.service",
            "serial-getty@.service",
            "shadow.service",
            "shadow.timer",
            "sigpwr.target",
            "slapd.service",
            "sleep.target",
            "slices.target",
            "smartd.service",
            "smb.service",
            "sndiod.service",
            "snmpd.service",
            "snmptrapd.service",
            "snort@.service",
            "snort@1000.service",
            "soft-reboot.target",
            "ssh-access.target",
            "sshd.service",
            "sshdgenkeys.service",
            "sshuttle.service",
            "sslh.service",
            "sslh-fork.service",
            "sslh-select.service",
            "storage-target-mode.target",
            "stunnel.service",
            "sudo_logsrvd.service",
            "suspend.target",
            "suspend-then-hibernate.target",
            "svnserve.service",
            "swap.target",
            "sys-fs-fuse-connections.mount",
            "sys-kernel-config.mount",
            "sys-kernel-debug.mount",
            "sys-kernel-tracing.mount",
            "sysinit.target",
            "syslog.socket",
            "system-systemd\\x2dcryptsetup.slice",
            "system-systemd\\x2dveritysetup.slice",
            "system-update.target",
            "system-update-cleanup.service",
            "system-update-pre.target",
            "systemd-ask-password-console.path",
            "systemd-ask-password-console.service",
            "systemd-ask-password-plymouth.path",
            "systemd-ask-password-plymouth.service",
            "systemd-ask-password-wall.path",
            "systemd-ask-password-wall.service",
            "systemd-backlight@.service",
            "systemd-battery-check.service",
            "systemd-binfmt.service",
            "systemd-bless-boot.service",
            "systemd-boot-check-no-failures.service",
            "systemd-boot-random-seed.service",
            "systemd-boot-update.service",
            "systemd-bootctl.socket",
            "systemd-bootctl@.service",
            "systemd-bsod.service",
            "systemd-confext.service",
            "systemd-coredump.socket",
            "systemd-coredump@.service",
            "systemd-creds.socket",
            "systemd-creds@.service",
            "systemd-firstboot.service",
            "systemd-fsck-root.service",
            "systemd-fsck@.service",
            "systemd-growfs-root.service",
            "systemd-growfs@.service",
            "systemd-halt.service",
            "systemd-hibernate.service",
            "systemd-hibernate-resume.service",
            "systemd-homed.service",
            "systemd-homed-activate.service",
            "systemd-homed-firstboot.service",
            "systemd-hostnamed.service",
            "systemd-hostnamed.socket",
            "systemd-hwdb-update.service",
            "systemd-hybrid-sleep.service",
            "systemd-importd.service",
            "systemd-initctl.service",
            "systemd-initctl.socket",
            "systemd-journal-catalog-update.service",
            "systemd-journal-flush.service",
            "systemd-journal-gatewayd.service",
            "systemd-journal-gatewayd.socket",
            "systemd-journal-remote.service",
            "systemd-journal-remote.socket",
            "systemd-journal-upload.service",
            "systemd-journald.service",
            "systemd-journald.socket",
            "systemd-journald-audit.socket",
            "systemd-journald-dev-log.socket",
            "systemd-journald-varlink@.socket",
            "systemd-journald@.service",
            "systemd-journald@.socket",
            "systemd-kexec.service",
            "systemd-localed.service",
            "systemd-logind.service",
            "systemd-machine-id-commit.service",
            "systemd-machined.service",
            "systemd-modules-load.service",
            "systemd-network-generator.service",
            "systemd-networkd.service",
            "systemd-networkd.socket",
            "systemd-networkd-persistent-storage.service",
            "systemd-networkd-wait-online.service",
            "systemd-networkd-wait-online@.service",
            "systemd-nspawn@.service",
            "systemd-oomd.service",
            "systemd-oomd.socket",
            "systemd-pcrextend.socket",
            "systemd-pcrextend@.service",
            "systemd-pcrfs-root.service",
            "systemd-pcrfs@.service",
            "systemd-pcrlock.socket",
            "systemd-pcrlock-file-system.service",
            "systemd-pcrlock-firmware-code.service",
            "systemd-pcrlock-firmware-config.service",
            "systemd-pcrlock-machine-id.service",
            "systemd-pcrlock-make-policy.service",
            "systemd-pcrlock-secureboot-authority.service",
            "systemd-pcrlock-secureboot-policy.service",
            "systemd-pcrlock@.service",
            "systemd-pcrmachine.service",
            "systemd-pcrphase.service",
            "systemd-pcrphase-initrd.service",
            "systemd-pcrphase-sysinit.service",
            "systemd-portabled.service",
            "systemd-poweroff.service",
            "systemd-pstore.service",
            "systemd-quotacheck.service",
            "systemd-quotacheck-root.service",
            "systemd-quotacheck@.service",
            "systemd-random-seed.service",
            "systemd-reboot.service",
            "systemd-remount-fs.service",
            "systemd-repart.service",
            "systemd-resolved.service",
            "systemd-rfkill.service",
            "systemd-rfkill.socket",
            "systemd-soft-reboot.service",
            "systemd-storagetm.service",
            "systemd-suspend.service",
            "systemd-suspend-then-hibernate.service",
            "systemd-sysctl.service",
            "systemd-sysext.service",
            "systemd-sysext.socket",
            "systemd-sysext@.service",
            "systemd-sysupdate.service",
            "systemd-sysupdate.timer",
            "systemd-sysupdate-reboot.service",
            "systemd-sysupdate-reboot.timer",
            "systemd-sysusers.service",
            "systemd-time-wait-sync.service",
            "systemd-timedated.service",
            "systemd-timesyncd.service",
            "systemd-tmpfiles-setup-dev.service",
            "systemd-tmpfiles-setup-dev-early.service",
            "systemd-tpm2-setup.service",
            "systemd-tpm2-setup-early.service",
            "systemd-udev-trigger.service",
            "systemd-udevd.service",
            "systemd-udevd-control.socket",
            "systemd-udevd-kernel.socket",
            "systemd-update-done.service",
            "systemd-update-utmp.service",
            "systemd-update-utmp-runlevel.service",
            "systemd-user-sessions.service",
            "systemd-userdbd.service",
            "systemd-userdbd.socket",
            "systemd-vconsole-setup.service",
            "systemd-vmspawn@.service",
            "systemd-volatile-root.service",
            "systemd-zram-setup@.service",
            "talk.service",
            "talk.socket",
            "teamd@.service",
            "telnet.socket",
            "telnet@.service",
            "time-set.target",
            "time-sync.target",
            "tinc.service",
            "tinc@.service",
            "tinyproxy.service",
            "tlp.service",
            "tmp.mount",
            "tor.service",
            "tpm2.target",
            "udisks2.service",
            "udp2raw@.service",
            "ufw.service",
            "uksmd.service",
            "umount.target",
            "unbound.service",
            "updatedb.service",
            "updatedb.timer",
            "upower.service",
            "usb-gadget.target",
            "usb_modeswitch@.service",
            "usbipd.service",
            "usbmuxd.service",
            "user.slice",
            "user-runtime-dir@.service",
            "user@.service",
            "uuidd.service",
            "uuidd.socket",
            "var-lib-machines.mount",
            "var-lib-nfs-rpc_pipefs.mount",
            "vboxdrmclient.path",
            "vboxdrmclient.service",
            "vboxservice.service",
            "veritysetup.target",
            "veritysetup-pre.target",
            "virt-guest-shutdown.target",
            "virtchd.service",
            "virtchd.socket",
            "virtchd-admin.socket",
            "virtchd-ro.socket",
            "virtinterfaced.service",
            "virtinterfaced.socket",
            "virtinterfaced-admin.socket",
            "virtinterfaced-ro.socket",
            "virtlockd.service",
            "virtlockd.socket",
            "virtlockd-admin.socket",
            "virtlogd.service",
            "virtlogd.socket",
            "virtlogd-admin.socket",
            "virtlxcd.service",
            "virtlxcd.socket",
            "virtlxcd-admin.socket",
            "virtlxcd-ro.socket",
            "virtnetworkd.service",
            "virtnetworkd.socket",
            "virtnetworkd-admin.socket",
            "virtnetworkd-ro.socket",
            "virtnodedevd.service",
            "virtnodedevd.socket",
            "virtnodedevd-admin.socket",
            "virtnodedevd-ro.socket",
            "virtnwfilterd.service",
            "virtnwfilterd.socket",
            "virtnwfilterd-admin.socket",
            "virtnwfilterd-ro.socket",
            "virtproxyd.service",
            "virtproxyd.socket",
            "virtproxyd-admin.socket",
            "virtproxyd-ro.socket",
            "virtproxyd-tcp.socket",
            "virtproxyd-tls.socket",
            "virtqemud.service",
            "virtqemud.socket",
            "virtqemud-admin.socket",
            "virtqemud-ro.socket",
            "virtsecretd.service",
            "virtsecretd.socket",
            "virtsecretd-admin.socket",
            "virtsecretd-ro.socket",
            "virtstoraged.service",
            "virtstoraged.socket",
            "virtstoraged-admin.socket",
            "virtstoraged-ro.socket",
            "virtvboxd.service",
            "virtvboxd.socket",
            "virtvboxd-admin.socket",
            "virtvboxd-ro.socket",
            "vmtoolsd.service",
            "vmware-vmblock-fuse.service",
            "vpnc@.service",
            "wacom-inputattach@.service",
            "wg-quick.target",
            "wg-quick@.service",
            "winbind.service",
            "wondershaper.service",
            "wpa_supplicant.service",
            "wpa_supplicant-nl80211@.service",
            "wpa_supplicant-wired@.service",
            "wpa_supplicant@.service",
            "xfs_scrub@.service",
            "xfs_scrub_all.service",
            "xfs_scrub_all.timer",
            "xfs_scrub_fail@.service",
            "xl2tpd.service",
            "xplico.service",
            "xrdp.service",
            "xrdp-sesman.service",
            "yate.service",
            "zfs.target",
            "zfs-import.service",
            "zfs-import.target",
            "zfs-import-cache.service",
            "zfs-import-scan.service",
            "zfs-load-key.service",
            "zfs-mount.service",
            "zfs-scrub-monthly@.timer",
            "zfs-scrub-weekly@.timer",
            "zfs-scrub@.service",
            "zfs-share.service",
            "zfs-trim-monthly@.timer",
            "zfs-trim-weekly@.timer",
            "zfs-trim@.service",
            "zfs-volume-wait.service",
            "zfs-volumes.target",
            "zfs-zed.service",
            "plymouth.conf",
            "gpg-agent-ssh@etc-pacman.d-gnupg.socket",
            "keyboxd@etc-pacman.d-gnupg.socket",
            "dirmngr@etc-pacman.d-gnupg.socket",
            "gpg-agent-browser@etc-pacman.d-gnupg.socket",
            "gpg-agent-extra@etc-pacman.d-gnupg.socket",
            "gpg-agent@etc-pacman.d-gnupg.socket",
            "https://hybrid-analysis.com/sample/ff42428f0fcc346cc56e2b00d4b5c4bd43b55f3465b4ccab0efba9c88f4a1c03/661da0b063c895fc2d0a78dc",
            "https://hybrid-analysis.com/sample/9613dee39157b5f9935436b36647047e267b7c10fa4c7ab1fd995db681e58c12/661da5b202eaca78740cf4ed",
            "https://hybrid-analysis.com/sample/479a0170df010c5eb742ff1b8740a2ccf381df44c8a919c95d6e38685278e78a/661da5c768340c1e25092cb2",
            "50-rc_keymap.conf",
            "10-defaults.conf",
            "10-login-barrier.conf",
            "20-systemd-userdb.conf",
            "20-systemd-ssh-proxy.conf",
            "iptables-flush",
            "cpupower",
            "chkboot-bootcheck",
            "10-root.conf",
            "30-root-verity-sig.conf",
            "20-root-verity.conf",
            "80-systemd-timesync.list",
            "80-6rd-tunnel.link",
            "80-container-ve.network",
            "80-container-vb.network",
            "80-container-vz.link",
            "80-6rd-tunnel.network",
            "80-container-vz.network",
            "80-auto-link-local.network.example",
            "80-ethernet.network.example",
            "80-container-host0.network",
            "80-iwd.link",
            "80-container-vb.link",
            "80-vm-vt.link",
            "80-vm-vt.network",
            "80-wifi-adhoc.network",
            "80-wifi-ap.network.example",
            "80-wifi-station.network.example",
            "80-container-ve.link",
            "89-ethernet.network.example",
            "99-default.link",
            "dbus-broker.catalog",
            "dbus-broker-launch.catalog",
            "systemd.be.catalog",
            "systemd.be@latin.catalog",
            "systemd.da.catalog",
            "systemd.bg.catalog",
            "systemd.hu.catalog",
            "systemd.catalog",
            "systemd.it.catalog",
            "systemd.fr.catalog",
            "systemd.ko.catalog",
            "systemd.hr.catalog",
            "systemd.pl.catalog",
            "systemd.pt_BR.catalog",
            "systemd.ru.catalog",
            "systemd.sr.catalog",
            "systemd.zh_CN.catalog",
            "systemd.de.catalog",
            "systemd.zh_TW.catalog",
            "expl_cve_2021_40444.yar"
          ],
          "public": 1,
          "adversary": "Chinese Speaking",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "RemainAfterExit",
              "display_name": "RemainAfterExit",
              "target": null
            },
            {
              "id": "NMBDOPTIONS",
              "display_name": "NMBDOPTIONS",
              "target": null
            },
            {
              "id": "SMBDOPTIONS",
              "display_name": "SMBDOPTIONS",
              "target": null
            },
            {
              "id": "SuccessAction",
              "display_name": "SuccessAction",
              "target": null
            },
            {
              "id": "WINBINDOPTIONS",
              "display_name": "WINBINDOPTIONS",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1205",
              "name": "Traffic Signaling",
              "display_name": "T1205 - Traffic Signaling"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "T1569",
              "name": "System Services",
              "display_name": "T1569 - System Services"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 55,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Merkd1904",
            "id": "196517",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 123,
            "YARA": 16,
            "CVE": 4,
            "FileHash-SHA1": 25,
            "FileHash-SHA256": 20,
            "domain": 102,
            "URL": 16,
            "email": 9,
            "hostname": 4,
            "CIDR": 2
          },
          "indicator_count": 321,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 75,
          "modified_text": "767 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "64dd9c1d76a7807782a691d3",
          "name": "IOC's found on my personal devices; week starting 08/14/23",
          "description": "I had wrapped the majority of the files I'd run since the 14th into the Pulse of the same date, but at over 17k indicators I think it was time to put that one to rest. Obviously, time and life allowing, my intention is to keep updating and creating more of these as long as I'm kept flush with content. At current I'm pretty damned flush. This is just a preliminary dump of my /tmp folder on Arch; note that most of the names listed (gitstatus/POWERLEVEL9K logs, systemd-private-* service directories, .org.chromium.Chromium.* temp dirs, X11/ICE sockets) are ordinary /tmp contents and are not indicators of compromise on their own. Part of the infection chain is process hollowing and then hijacking a program close to the user, with decent ability to call into the rest of the system.",
          "modified": "2024-02-14T21:44:02.852000",
          "created": "2023-08-17T04:03:41.985000",
          "tags": [
            "o cloexec",
            "r procversion",
            "cachyos",
            "gnu ld",
            "gnu binutils",
            "microsoft",
            "f lockfd",
            "cygwin",
            "u respfd",
            "procselffd13",
            "procselffd14",
            "x8664",
            "uname",
            "linux",
            "getconf",
            "cpus32",
            "case",
            "m x8664",
            "s linux",
            "x8664 o",
            "z linux",
            "z x8664",
            "replying",
            "timing",
            "successfully",
            "shift",
            "procselffd16",
            "empty",
            "head",
            "dirty",
            "found",
            "splitting",
            "license",
            "index",
            "kill",
            "zfrm",
            "argv"
          ],
          "references": [
            ".ICE-unix",
            ".org.chromium.Chromium.12ZdF3",
            ".vbox-mrkd-ipc",
            "@tmp",
            ".org.chromium.Chromium.T2jdbS",
            ".X11-unix",
            "albert_yt_ynb2tftv",
            "fish.root",
            "20230816_202710-scantemp.b14ff4bc3a",
            "plasma-csd-generator.LTvjbT",
            "pytest-of-mrkd",
            "runtime-root",
            "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-ananicy-cpp.service-U5RKxp",
            ".org.chromium.Chromium.coQnti",
            "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-bluetooth.service-7fh2tg",
            "bauh@mrkd",
            "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-iwd.service-jnpcHR",
            ".org.chromium.Chromium.8GBhMA",
            "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-polkit.service-CfCUQZ",
            "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-systemd-logind.service-Q9OYbj",
            "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-power-profiles-daemon.service-hSCDr7",
            ".org.chromium.Chromium.HMzFxo",
            "Temp-0c3dc677-7d66-4234-b14e-f604605b2d0c",
            "tmp.D4NXyZ3U4J",
            "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-uksmd.service-oAjI9s",
            "Temp-0148ee46-b3e0-4c4b-aa55-b60c6b63eb6f",
            "tmp.ziktUZeKXL",
            "v8-compile-cache-0",
            "tmp90lfbdek",
            "tst-bz26353KOtJVp",
            "v8-compile-cache-1000",
            ".X0-lock",
            "gitstatus.POWERLEVEL9K.1000.6339.1692232717.2.xtrace.log",
            "Temp-4d7e99a7-2d45-4347-a3b6-b64e3ae65e2e",
            "gitstatus.POWERLEVEL9K.1000.6339.1692232717.1.xtrace.log",
            "gitstatus.POWERLEVEL9K.1000.8928.1692232861.2.xtrace.log",
            "gitstatus.POWERLEVEL9K.1000.8928.1692232861.1.daemon.log",
            "gitstatus.POWERLEVEL9K.1000.6339.1692232717.1.daemon.log",
            "gitstatus.POWERLEVEL9K.1000.6339.1692232717.2.daemon.log",
            "gitstatus.POWERLEVEL9K.1000.9950.1692233029.1.xtrace.log",
            "gitstatus.POWERLEVEL9K.1000.10525.1692233087.1.xtrace.log",
            "gitstatus.POWERLEVEL9K.1000.10291.1692217508.1.daemon.log",
            "gitstatus.POWERLEVEL9K.1000.9950.1692233029.1.daemon.log",
            "gitstatus.POWERLEVEL9K.1000.10858.1692217566.1.daemon.log",
            "gitstatus.POWERLEVEL9K.1000.11926.1692233325.1.daemon.log",
            "gitstatus.POWERLEVEL9K.1000.11270.1692217597.1.daemon.log",
            "gitstatus.POWERLEVEL9K.1000.12470.1692233381.1.xtrace.log",
            "gitstatus.POWERLEVEL9K.1000.8928.1692232861.2.daemon.log",
            "gitstatus.POWERLEVEL9K.1000.10858.1692217566.1.xtrace.log",
            "gitstatus.POWERLEVEL9K.1000.11926.1692233325.1.xtrace.log",
            "gitstatus.POWERLEVEL9K.1000.12928.1692233448.1.daemon.log",
            "gitstatus.POWERLEVEL9K.1000.10525.1692233087.1.daemon.log",
            "gitstatus.POWERLEVEL9K.1000.13309.1692233456.1.daemon.log",
            "gitstatus.POWERLEVEL9K.1000.13878.1692218150.1.daemon.log",
            "gitstatus.POWERLEVEL9K.1000.28823.1692223670.1.xtrace.log",
            "gitstatus.POWERLEVEL9K.1000.12470.1692233381.1.daemon.log",
            "gitstatus.POWERLEVEL9K.1000.23930.1692220492.1.xtrace.log",
            "gitstatus.POWERLEVEL9K.1000.13878.1692218150.1.xtrace.log",
            "gitstatus.POWERLEVEL9K.1000.28463.1692223667.1.xtrace.log",
            "gitstatus.POWERLEVEL9K.1000.75659.1692225165.1.xtrace.log",
            "gitstatus.POWERLEVEL9K.1000.28463.1692223667.1.daemon.log",
            "gitstatus.POWERLEVEL9K.1000.78332.1692225277.1.daemon.log",
            "gitstatus.POWERLEVEL9K.1000.82162.1692225750.1.xtrace.log",
            "gitstatus.POWERLEVEL9K.1000.81737.1692225737.1.daemon.log",
            "gitstatus.POWERLEVEL9K.1000.75659.1692225165.1.daemon.log",
            "gitstatus.POWERLEVEL9K.1000.81737.1692225737.1.xtrace.log",
            "gitstatus.POWERLEVEL9K.1000.78332.1692225277.1.xtrace.log",
            "gitstatus.POWERLEVEL9K.1000.82565.1692225764.1.daemon.log",
            "gitstatus.POWERLEVEL9K.1000.82565.1692225764.1.xtrace.log",
            "gitstatus.POWERLEVEL9K.1000.82162.1692225750.1.daemon.log",
            "gitstatus.POWERLEVEL9K.1000.83486.1692225808.1.daemon.log",
            "gitstatus.POWERLEVEL9K.1000.83486.1692225808.1.xtrace.log",
            "gitstatus.POWERLEVEL9K.1000.83038.1692225779.1.daemon.log",
            "gitstatus.POWERLEVEL9K.1000.83896.1692225820.1.daemon.log",
            "gitstatus.POWERLEVEL9K.1000.83038.1692225779.1.xtrace.log",
            "gitstatus.POWERLEVEL9K.1000.84305.1692225848.1.daemon.log",
            "gitstatus.POWERLEVEL9K.1000.84754.1692225891.1.daemon.log",
            "gitstatus.POWERLEVEL9K.1000.122089.1692235219.1.xtrace.log",
            "gitstatus.POWERLEVEL9K.1000.84305.1692225848.1.xtrace.log",
            "gitstatus.POWERLEVEL9K.1000.154521.1692237692.1.xtrace.log",
            "gitstatus.POWERLEVEL9K.1000.84754.1692225891.1.xtrace.log",
            "gitstatus.POWERLEVEL9K.1000.122089.1692235219.1.daemon.log",
            "gitstatus.POWERLEVEL9K.1000.155609.1692237756.1.xtrace.log",
            "gitstatus.POWERLEVEL9K.1000.83896.1692225820.1.xtrace.log",
            "gitstatus.POWERLEVEL9K.1000.237594.1692238521.1.xtrace.log",
            "gitstatus.POWERLEVEL9K.1000.154521.1692237692.1.daemon.log",
            "gitstatus.POWERLEVEL9K.1000.155609.1692237756.1.daemon.log",
            "gitstatus.POWERLEVEL9K.1000.237594.1692238521.1.daemon.log",
            "gitstatus.POWERLEVEL9K.1000.240024.1692238828.1.xtrace.log",
            "gitstatus.POWERLEVEL9K.1000.237952.1692238535.1.xtrace.log",
            "gitstatus.POWERLEVEL9K.1000.240024.1692238828.1.daemon.log",
            "gitstatus.POWERLEVEL9K.1000.241161.1692238939.1.xtrace.log",
            "gitstatus.POWERLEVEL9K.1000.240792.1692238921.1.daemon.log",
            "gitstatus.POWERLEVEL9K.1000.247194.1692239163.1.xtrace.log",
            "gitstatus.POWERLEVEL9K.1000.237952.1692238535.1.daemon.log",
            "gitstatus.POWERLEVEL9K.1000.248323.1692239206.1.xtrace.log",
            "gitstatus.POWERLEVEL9K.1000.247194.1692239163.1.daemon.log",
            "gitstatus.POWERLEVEL9K.1000.253137.1692239505.1.xtrace.log",
            "gitstatus.POWERLEVEL9K.1000.248323.1692239206.1.daemon.log",
            "gitstatus.POWERLEVEL9K.1000.263981.1692240121.1.daemon.log",
            "gitstatus.POWERLEVEL9K.1000.253137.1692239505.1.daemon.log",
            "gitstatus.POWERLEVEL9K.1000.263981.1692240117.1.xtrace.log",
            "gitstatus.POWERLEVEL9K.1000.263981.1692240121.1.xtrace.log",
            "gitstatus.POWERLEVEL9K.1000.267109.1692240136.1.xtrace.log",
            "gitstatus.POWERLEVEL9K.1000.267109.1692240136.1.daemon.log",
            "gitstatus.POWERLEVEL9K.1000.267109.1692240155.1.xtrace.log",
            "gitstatus.POWERLEVEL9K.1000.267109.1692240155.1.daemon.log",
            "gitstatus.POWERLEVEL9K.1000.267442.1692240150.1.xtrace.log",
            "gitstatus.POWERLEVEL9K.1000.267442.1692240143.1.xtrace.log",
            "gitstatus.POWERLEVEL9K.1000.263981.1692240117.1.daemon.log",
            "gitstatus.POWERLEVEL9K.1000.268412.1692240156.1.xtrace.log",
            "gitstatus.POWERLEVEL9K.1000.317097.1692240795.1.xtrace.log",
            "gitstatus.POWERLEVEL9K.1000.267442.1692240150.1.daemon.log",
            "gitstatus.POWERLEVEL9K.1000.268412.1692240179.1.xtrace.log",
            "gitstatus.POWERLEVEL9K.1000.2586196.1692243336.1.xtrace.log",
            "gitstatus.POWERLEVEL9K.1000.268412.1692240179.1.daemon.log",
            "gitstatus.POWERLEVEL9K.1000.345673.1692241474.1.daemon.log",
            "gitstatus.POWERLEVEL9K.1000.2703415.1692243471.1.daemon.log",
            "qtsingleapp-Notifi-4c42-3e8",
            "gitstatus.POWERLEVEL9K.1000.2588447.1692243345.1.xtrace.log",
            "memmemY_2MMv.c",
            "gitstatus.POWERLEVEL9K.1000.2586196.1692243336.1.daemon.log",
            "gitstatus.POWERLEVEL9K.1000.2703415.1692243471.1.xtrace.log",
            "qtsingleapp-Notifi-4c42-3e8-lockfile",
            "stdbool.hcc0B2j.c",
            "strlcatmMvE1V.c",
            "qtsingleapp-Octopi-1d88-3e8-lockfile",
            "strlcpydb8x03.c",
            "stdbool.ht64kj6qw.c",
            "qtsingleapp-Octopi-1d88-3e8",
            "gitstatus.POWERLEVEL9K.1000.267442.1692240143.1.daemon.log",
            "https://hybrid-analysis.com/sample/43b03483bf2b292ebb1b33469ab4b19e2ac84b1c86c0f34f60adab4bc64176b9",
            "https://hybrid-analysis.com/sample/320a60044adeccec22937423e859d2b095e976698133e37a83e019ce08c8bc0c",
            "https://hybrid-analysis.com/file-collection/64dfee6a3329552c91026445",
            "https://hybrid-analysis.com/sample/79e3317a07b12a977f7fda3463779055bbfec748e7fae4c2c1d1cb9bb8e408ca",
            "https://hybrid-analysis.com/sample/8c7c7246468ffeffe01617b597622cd237fa334fb24dc4977fcac398bbe0df80",
            "https://hybrid-analysis.com/sample/79e3317a07b12a977f7fda3463779055bbfec748e7fae4c2c1d1cb9bb8e408ca/64dff1fbeab7dc252b0e56a6",
            "https://www.virustotal.com/gui/file/79e3317a07b12a977f7fda3463779055bbfec748e7fae4c2c1d1cb9bb8e408ca/details",
            "https://otx.alienvault.com/indicator/file/5820da0bbae4f091dc0248e566d8f1076fd81485d1893effa14cdc1dc122f1fd"
          ],
          "public": 1,
          "adversary": "N/A",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "BV:TelegramBot-A\\ [Trj]",
              "display_name": "BV:TelegramBot-A\\ [Trj]",
              "target": null
            },
            {
              "id": "Ransom:Linux/DarkRadiation.A!MTB",
              "display_name": "Ransom:Linux/DarkRadiation.A!MTB",
              "target": "/malware/Ransom:Linux/DarkRadiation.A!MTB"
            },
            {
              "id": "SLF:MamacseMacro.A",
              "display_name": "SLF:MamacseMacro.A",
              "target": null
            },
            {
              "id": "TrojanDownloader:Linux/Morila!MTB",
              "display_name": "TrojanDownloader:Linux/Morila!MTB",
              "target": "/malware/TrojanDownloader:Linux/Morila!MTB"
            },
            {
              "id": "Backdoor:Win32/R2d2.A",
              "display_name": "Backdoor:Win32/R2d2.A",
              "target": "/malware/Backdoor:Win32/R2d2.A"
            },
            {
              "id": "Sf:ShellCode-DZ\\ [Trj]",
              "display_name": "Sf:ShellCode-DZ\\ [Trj]",
              "target": null
            },
            {
              "id": "NETexecutableMicrosoft",
              "display_name": "NETexecutableMicrosoft",
              "target": null
            },
            {
              "id": "TrojanDropper:Win32/FakeFlexnet.A",
              "display_name": "TrojanDropper:Win32/FakeFlexnet.A",
              "target": "/malware/TrojanDropper:Win32/FakeFlexnet.A"
            },
            {
              "id": "Delphi",
              "display_name": "Delphi",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [
            "individuals"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 33,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 1,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Merkd1904",
            "id": "196517",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 206,
            "domain": 5129,
            "FileHash-MD5": 177,
            "FileHash-SHA1": 114,
            "URL": 646,
            "hostname": 2078,
            "CVE": 412,
            "email": 4
          },
          "indicator_count": 8766,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 82,
          "modified_text": "836 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "659a27b1d4043e822f444ce0",
          "name": "novel (at least in terms of initial hashing) Linux backdoor: /usr/lib/libsystemd-shared-255.2-2",
          "description": "Still outside of my paygrade to be able to attribute it to even a family of malware, but it's definitely malicious. (Reviewer note: the strings quoted below (ptyfwd-*, libqrencode.so.*, QRcode_encodeString, /run/systemd/reboot-param, udev/rules.d, systemd/ntp-units.d) are ordinary libsystemd-shared strings and are not evidence of malice by themselves; verify the file against the distribution package's checksums before acting on this.) When pulling strings during the initial investigation I was able to actually run the binary from the terminal, which opened the browser and printed this: :) man pagefile://_[0;1;36m_[0;1;90m_[0;1;38;5;245m%s%s#%20%s%s__Failed%20to%20read%20\"%s\":%20%mFailed%20to%20cat%20%s:%20%m_[0m____.rules.install.listenvironment.dudev/rules.dkernel/install.dsystemd/ntp-units.dendswith(*prefix,%20\"/\")Looking%20for%20configuration%20in:%20%20%20%s%s%s%20%20%20%s%s/*%sFailed%20to%20query%20file%20list:%20%mread():%20%mwrite():%20%m__unique_prefix__expr_6e%20==%20f->master_event_sourcefd%20==%20f->master__unique_prefix__expr_7e%20==%20f->stdin_event_sourcefd%20==%20f->input_fde%20==%20f->stdout_event_sourcefd%20==%20f->output_fdf->input_fd%20>=%200ptyfwd-stdinptyfwd-stdoutptyfwd-masterptyfwd-sigwinchlibqrencode.so.4libqrencode.so.3QRcode_encodeStringQRcode_free_[40;37;1m_[0m_____%s:______/run/systemd/reboot-param/sys/ker",
          "modified": "2024-02-14T21:43:40.597000",
          "created": "2024-01-07T04:25:21.009000",
          "tags": [
            "license",
            "gnu lesser",
            "general public",
            "free software",
            "foundation",
            "library url",
            "cflags",
            "sandbox",
            "malware",
            "analysis",
            "online",
            "submit",
            "vxstream",
            "sample",
            "download",
            "trojan",
            "apt",
            "memoryfile scan",
            "ansi",
            "file",
            "indicator",
            "ck id",
            "mitre att",
            "show technique",
            "ck matrix",
            "learn",
            "hybrid analysis",
            "suspicious",
            "code",
            "hybrid",
            "crypto",
            "close",
            "click",
            "strings",
            "malicious",
            "middle",
            "exploit",
            "gameover"
          ],
          "references": [
            "libsystemd.pc",
            "https://hybrid-analysis.com/sample/67c5f0f9649ab398e2fe6fdd586a0c2bf75454fa53d588196cea806665ad0983/659a1fbff70d457d2b04d747",
            "https://www.virustotal.com/gui/file/67c5f0f9649ab398e2fe6fdd586a0c2bf75454fa53d588196cea806665ad0983/behavior"
          ],
          "public": 1,
          "adversary": "Unknown - Chinese speaking",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Unknown",
              "display_name": "Unknown",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1205",
              "name": "Traffic Signaling",
              "display_name": "T1205 - Traffic Signaling"
            }
          ],
          "industries": [
            "individuals"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 19,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Merkd1904",
            "id": "196517",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 1,
            "domain": 1,
            "CVE": 2,
            "FileHash-MD5": 2,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 1
          },
          "indicator_count": 9,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 73,
          "modified_text": "836 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65709ffcf3ffe737f8cb8dfd",
          "name": "IOC's found on my personal devices; week starting 08/14/23",
          "description": "",
          "modified": "2023-12-06T16:23:24.919000",
          "created": "2023-12-06T16:23:24.919000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 7,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "StreamMiningEx",
            "id": "262917",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 103,
            "hostname": 524,
            "domain": 1292,
            "FileHash-SHA256": 95,
            "FileHash-MD5": 54,
            "FileHash-SHA1": 39,
            "URL": 169,
            "email": 1
          },
          "indicator_count": 2277,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 110,
          "modified_text": "906 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "wondershaper.service",
        "systemd-tmpfiles-setup-dev-early.service",
        "gssuserproxy.socket",
        "",
        "plasma-ksplash-ready.service",
        "cape-dist.service",
        "adsl.service",
        "syslog.socket",
        "blk-availability.service",
        "arch-audit.service",
        "gitstatus.POWERLEVEL9K.1000.28463.1692223667.1.daemon.log",
        "darkstat.service",
        "gitstatus.POWERLEVEL9K.1000.237952.1692238535.1.daemon.log",
        "gpm.service",
        "canberra-system-bootup.service",
        "virtlockd.service",
        "network-pre.target",
        "cxl-monitor.service",
        "kio-fuse.service",
        "clash@.service",
        "systemd-modules-load.service",
        "virtlxcd-ro.socket",
        "sshd.service",
        "smb.service",
        "man-db.timer",
        "systemd-portabled.service",
        "debug-shell.service",
        "virtinterfaced-admin.socket",
        "systemd-update-helper",
        "container-getty@.service",
        "sleep.target",
        "gitstatus.POWERLEVEL9K.1000.83038.1692225779.1.xtrace.log",
        "zfs.target",
        "fstrim.service",
        "pipewire-pulse.socket",
        "tlp",
        "gitstatus.POWERLEVEL9K.1000.247194.1692239163.1.xtrace.log",
        "gpg-agent-browser.socket",
        "resolv.conf",
        "ananicy-cpp.service",
        "gitstatus.POWERLEVEL9K.1000.83486.1692225808.1.daemon.log",
        "drkonqi-coredump-pickup.service",
        "archlinux-keyring-wkd-sync.timer",
        "keyboxd.service",
        "machines.target",
        "reboot.target",
        "payload.php.007",
        "dbus.socket",
        "gpsdctl@.service",
        "systemd-fsck-root.service",
        "virtlxcd-admin.socket",
        "paccache.timer",
        "systemd-oomd.socket",
        "10-login-barrier.conf",
        "virtvboxd-admin.socket",
        "lm_sensors.service",
        "ostree-prepare-root.service",
        "cronie.service",
        "systemd-storagetm.service",
        "virtvboxd-ro.socket",
        "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DoS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
        "gitstatus.POWERLEVEL9K.1000.84754.1692225891.1.daemon.log",
        "logrotate.timer",
        "thunar.service",
        "e2scrub@.service",
        "libvirtd.service",
        "systemd-ask-password-wall.path",
        "systemd-coredump@.service",
        "search.php",
        "systemd-hwdb-update.service",
        "local-fs.target",
        "openvpn-server@.service",
        "systemd-sysupdate-reboot.service",
        "updatedb.service",
        "avahi-daemon.socket",
        "gitstatus.POWERLEVEL9K.1000.268412.1692240179.1.xtrace.log",
        "glib-pacrunner.service",
        "systemd-poweroff.service",
        "auth-rpcgss-module.service",
        "e2scrub_all.service",
        "gcr-ssh-agent.service",
        "cryptsetup.target",
        "systemd-resolved.service",
        "Temp-4d7e99a7-2d45-4347-a3b6-b64e3ae65e2e",
        "basic.target",
        "zfs-scrub-weekly@.timer",
        "slapd.service",
        "systemd-battery-check.service",
        "gitstatus.POWERLEVEL9K.1000.237594.1692238521.1.xtrace.log",
        "sshdgenkeys.service",
        "sudo_logsrvd.service",
        "systemd-pcrfs-root.service",
        "tinc.service",
        "arch-audit.timer",
        "iptables.service",
        "systemd-random-seed.service",
        "kmod-static-nodes.service",
        "systemd-udev-trigger.service",
        "virtchd.service",
        "gitstatus.POWERLEVEL9K.1000.154521.1692237692.1.xtrace.log",
        "gvfs-udisks2-volume-monitor.service",
        "nvmf-connect-nbft.service",
        "veritysetup-pre.target",
        "zfs-trim-weekly@.timer",
        "e2scrub_reap.service",
        "pkgfile-update.timer",
        "systemd-pcrextend@.service",
        "hibernate.target",
        "gpsd.service",
        "systemd.zh_CN.catalog",
        "mariadb.service",
        "sslh-fork.service",
        "systemd-ask-password-console.path",
        "systemd-update-done.service",
        "vboxdrmclient.service",
        "20-systemd-ssh-proxy.conf",
        "gitstatus.POWERLEVEL9K.1000.247194.1692239163.1.daemon.log",
        "ip6tables.service",
        "dnscrypt-proxy.service",
        "gpg-agent-browser@.socket",
        "gnome-keyring-daemon.socket",
        "plasma-workspace.target",
        "gitstatus.POWERLEVEL9K.1000.78332.1692225277.1.xtrace.log",
        "systemd-reboot.service",
        "guac-web.service",
        "packagekit.service",
        "svnserve.service",
        "rpc-statd.service",
        "btrfs-scrub@.timer",
        "plymouth-switch-root-initramfs.service",
        "ipmiseld.service",
        "postfix.service",
        "rlogin.socket",
        "nohang.service",
        "libsystemd.pc",
        "https://hybrid-analysis.com/sample/79e3317a07b12a977f7fda3463779055bbfec748e7fae4c2c1d1cb9bb8e408ca",
        "pamac-offline-upgrade.service",
        "payload.php.005",
        "rpc-gssd.service",
        "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
        "systemd-update-utmp-runlevel.service",
        "shadow.timer",
        "80-container-vz.network",
        "gitstatus.POWERLEVEL9K.1000.267109.1692240136.1.daemon.log",
        "pcscd.service",
        "upower.service",
        "99-default.link",
        "integritysetup-pre.target",
        "clamav-daemon.socket",
        "configure-printer@.service",
        "gitstatus.POWERLEVEL9K.1000.81737.1692225737.1.daemon.log",
        "gpg-agent@.service",
        "bpftune.service",
        "plasma-kded.service",
        "systemd-confext.service",
        ".org.chromium.Chromium.HMzFxo",
        "v8-compile-cache-0",
        "system-systemd\\x2dveritysetup.slice",
        "wg-quick.target",
        "sddm.service",
        "fstrim.timer",
        "eicar.001",
        "mdcheck_continue.timer",
        "systemd-pcrlock-secureboot-policy.service",
        "virtqemud-ro.socket",
        "lynis.timer",
        "flatpak-session-helper.service",
        "nvidia-hibernate.service",
        "connect.php.002",
        "systemd-hibernate.service",
        "systemd-binfmt.service",
        "iodined.service",
        "dbus-org.freedesktop.machine1.service",
        "proc-fs-nfsd.mount",
        "usbipd.service",
        "gitstatus.POWERLEVEL9K.1000.2703415.1692243471.1.daemon.log",
        "lxc-net.service",
        "gpg-agent.service",
        "network-online.target",
        "udisks2.service",
        "passim.service",
        "avahi-dnsconfd.service",
        "flatpak-oci-authenticator.service",
        "user.slice",
        "eicar",
        "zfs-trim-monthly@.timer",
        "plasma-ksystemstats.service",
        "gitstatus.POWERLEVEL9K.1000.83896.1692225820.1.daemon.log",
        "gitstatus.POWERLEVEL9K.1000.345673.1692241474.1.daemon.log",
        "system-update-pre.target",
        "runtime-root",
        "lightdm.service",
        "libvirtd-tcp.socket",
        "virtnodedevd-admin.socket",
        "cape-web.service",
        "user-runtime-dir@.service",
        "20-systemd-userdb.conf",
        "dconf.service",
        "rpcbind.socket",
        "lxc@.service",
        "ibft-rule-generator",
        "dirmngr@etc-pacman.d-gnupg.socket",
        "plasma-workspace-wayland.target",
        "gitstatus.POWERLEVEL9K.1000.122089.1692235219.1.xtrace.log",
        "nscd.service",
        "systemd-journald.service",
        "mysql.service",
        "drkonqi-sentry-postman.service",
        "lxc.service",
        "systemd.ru.catalog",
        "usb_modeswitch@.service",
        "stunnel.service",
        "mdadm-last-resort@.timer",
        "lynis.service",
        "network.target",
        "systemd-journald@.socket",
        "@tmp",
        "gitstatus.POWERLEVEL9K.1000.78332.1692225277.1.daemon.log",
        "suricata-update.timer",
        "mariadb@.socket",
        "mkinitcpio-generate-shutdown-ramfs.service",
        "connect.php.001",
        "payload.php.011",
        "gpg-agent-ssh.socket",
        "neo4j.service",
        "emergency.target",
        "greenbone-feed-sync.service",
        "systemd-pcrlock-file-system.service",
        "dev-mqueue.mount",
        "bettercap.service",
        "systemd.hu.catalog",
        "pytest-of-mrkd",
        "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-systemd-logind.service-Q9OYbj",
        "gitstatus.POWERLEVEL9K.1000.10525.1692233087.1.xtrace.log",
        "background.slice",
        "payload.php.013",
        "gitstatus.POWERLEVEL9K.1000.84305.1692225848.1.daemon.log",
        "plasma-xdg-desktop-portal-kde.service",
        "dbus-broker.service",
        "gitstatus.POWERLEVEL9K.1000.28463.1692223667.1.xtrace.log",
        "xfce4-notifyd.service",
        "printer.target",
        "gpg-agent@.socket",
        "reflector.service",
        "rlogin@.service",
        "systemd-initctl.socket",
        "clamav-freshclam-once.timer",
        "systemd-networkd-persistent-storage.service",
        "openvpn-client@.service",
        "sslh.service",
        "80-systemd-timesync.list",
        "albert_yt_ynb2tftv",
        "Temp-0148ee46-b3e0-4c4b-aa55-b60c6b63eb6f",
        "runlevel3.target",
        "ntpdate.service",
        "pipewire.socket",
        "lvm2-monitor.service",
        "50-rc_keymap.conf",
        "plymouth-reboot.service",
        "https://hybrid-analysis.com/sample/ff42428f0fcc346cc56e2b00d4b5c4bd43b55f3465b4ccab0efba9c88f4a1c03/661da0b063c895fc2d0a78dc",
        "systemd-suspend-then-hibernate.service",
        "sys-kernel-tracing.mount",
        "nvmf-connect.target",
        "virtnetworkd.service",
        "gitstatus.POWERLEVEL9K.1000.23930.1692220492.1.xtrace.log",
        "gitstatus.POWERLEVEL9K.1000.81737.1692225737.1.xtrace.log",
        "quotaon.service",
        "tmp.D4NXyZ3U4J",
        "systemd-pcrlock-firmware-code.service",
        "ldconfig.service",
        "gitstatus.POWERLEVEL9K.1000.263981.1692240117.1.daemon.log",
        "systemd-volatile-root.service",
        "virtnetworkd-admin.socket",
        "zfs-volumes.target",
        "gvfs-afc-volume-monitor.service",
        "systemd-coredump.socket",
        "systemd-hostnamed.socket",
        "xdg-desktop-portal-xapp.service",
        "systemd-rfkill.socket",
        "systemd-sysupdate-reboot.timer",
        "systemd-homed.service",
        "systemd-sysusers.service",
        "systemd-timedated.service",
        "dbus-org.freedesktop.import1.service",
        "zfs-scrub-monthly@.timer",
        "clamav-unofficial-sigs.timer",
        "gitstatus.POWERLEVEL9K.1000.13309.1692233456.1.daemon.log",
        "initrd-usr-fs.target",
        "systemd-journal-upload.service",
        "virtchd.socket",
        "virtvboxd.socket",
        "soft-reboot.target",
        "gitstatus.POWERLEVEL9K.1000.9950.1692233029.1.xtrace.log",
        "virtsecretd.service",
        "mariadb-extra.socket",
        "capsule@.target",
        "unbound.service",
        "custom.py",
        "podman-auto-update.service",
        "systemd-bless-boot.service",
        "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
        "systemd-udevd-control.socket",
        "canberra-system-shutdown.service",
        "mdcheck_continue.service",
        "daxdev-reconfigure@.service",
        "gitstatus.POWERLEVEL9K.1000.11926.1692233325.1.daemon.log",
        "gpg-agent-extra@.socket",
        "systemd-update-utmp.service",
        "umount.target",
        "clamav-daemon.service",
        "pkgfile-update.service",
        "tmp.ziktUZeKXL",
        "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-polkit.service-CfCUQZ",
        "dirmngr.service",
        "xrdp-sesman.service",
        "20-root-verity.conf",
        "krb5-kpropd.service",
        "reverse_tcp.py",
        "initrd-switch-root.service",
        "clamav-unofficial-sigs.service",
        "systemd-sysctl.service",
        "wireplumber.service",
        "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
        "apparmor.conf",
        "multi-user.target",
        "p11-kit-server.service",
        "My independent research finds an intersection between different PDF DV versions being able to connect to Raspberry Pi devices, as it was the FCC application document. Risk: Mac ID connectivity to all.",
        "80-container-host0.network",
        "partimaged.service",
        "quotaon-root.service",
        "80-container-ve.link",
        "elasticsearch-keystore.service",
        "atftpd.service",
        "nfs-server.service",
        "timers.target",
        "expl_cve_2021_40444.yar.001",
        "ostree-finalize-staged.path",
        "runlevel4.target",
        "suspend-then-hibernate.target",
        "scanner.php",
        "docker.service",
        "hv_vss_daemon.service",
        "udp2raw@.service",
        "usbmuxd.service",
        "systemd-boot-random-seed.service",
        "healthd.service",
        "alsa-restore.service",
        "colord.service",
        "payload.php.003",
        "greenbone-scapdata-sync.timer",
        "plymouth-kexec.service",
        "greenbone-nvt-sync.service",
        "nss-user-lookup.target",
        "nvidia-resume.service",
        "sys-kernel-config.mount",
        "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-iwd.service-jnpcHR",
        "3proxy.conf",
        "payload.php.006",
        "filter-chain.service",
        "tst-bz26353KOtJVp",
        "systemd-journal-gatewayd.service",
        "dirmngr.socket",
        "epmd.service",
        "git-daemon.socket",
        "elasticsearch-keystore@.service",
        "zfs-import.service",
        "gpg-agent-browser@etc-pacman.d-gnupg.socket",
        "gitstatus.POWERLEVEL9K.1000.154521.1692237692.1.daemon.log",
        "couchdb.service",
        "pipewire-pulse.service",
        "systemd-sysupdate.timer",
        "zfs-mount.service",
        "https://hybrid-analysis.com/sample/8c7c7246468ffeffe01617b597622cd237fa334fb24dc4977fcac398bbe0df80",
        "gitstatus.POWERLEVEL9K.1000.13878.1692218150.1.xtrace.log",
        "rwhod.service",
        "89-ethernet.network.example",
        "virtnodedevd-ro.socket",
        "gitstatus.POWERLEVEL9K.1000.83038.1692225779.1.daemon.log",
        "plasma-dolphin.service",
        "gitstatus.POWERLEVEL9K.1000.267442.1692240143.1.daemon.log",
        "betterlockscreen@.service",
        "virtqemud.service",
        "plasma-ksplash.service",
        "dnsmasq.service",
        "virtchd-ro.socket",
        "apparmor.service",
        "runlevel6.target",
        "cape-fstab.service",
        "fwupd-refresh.timer",
        ".X0-lock",
        "containerd.service",
        "var-lib-machines.mount",
        "systemd-zram-setup@.service",
        "krb5-kadmind.service",
        "https://hybrid-analysis.com/sample/9613dee39157b5f9935436b36647047e267b7c10fa4c7ab1fd995db681e58c12/661da5b202eaca78740cf4ed",
        "apt_sandworm_exim_expl.yar.002",
        "rpcbind.target",
        "plymouth.conf",
        "tmp.mount",
        "virtnetworkd-ro.socket",
        "80-auto-link-local.network.example",
        "rfkill-block@.service",
        "systemd-journal-remote.service",
        "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
        "gitstatus.POWERLEVEL9K.1000.240792.1692238921.1.daemon.log",
        "gitstatus.POWERLEVEL9K.1000.155609.1692237756.1.xtrace.log",
        "systemd-ask-password-plymouth.path",
        "rpc-statd-notify.service",
        "expl_cve_2021_40444.yar",
        "gitstatus.POWERLEVEL9K.1000.263981.1692240121.1.xtrace.log",
        "mariadb-extra@.socket",
        "virtchd-admin.socket",
        "gitstatus.POWERLEVEL9K.1000.240024.1692238828.1.daemon.log",
        "xfs_scrub_all.service",
        "80-ethernet.network.example",
        "payload.php.001",
        "default.target",
        "factory-reset.target",
        "podman.socket",
        "rabbitmq.service",
        "systemd-quotacheck.service",
        "plasma-restoresession.service",
        "fwupd-offline-update.service",
        "xl2tpd.service",
        "geoclue.service",
        "systemd.da.catalog",
        "gitstatus.POWERLEVEL9K.1000.253137.1692239505.1.xtrace.log",
        "uuidd.service",
        "gssproxy.service",
        "ctrl-alt-del.target",
        "https://hybrid-analysis.com/sample/b1a9e5be43c028442c07071e202f44f33e3a2df167822c5cfed8f998e01fe169/661da09794b343782806018e",
        "greenbone-certdata-sync.timer",
        "clash.service",
        "sound.target",
        "gssuserproxy.service",
        "systemd-repart.service",
        "fsidd.service",
        "freeradius.service",
        "rpcbind.service",
        "modprobe@.service",
        "systemd-quotacheck-root.service",
        "ssh-agent.service",
        "nvmf-connect@.service",
        "systemd-user-sessions.service",
        "systemd-journal-gatewayd.socket",
        "systemd-networkd.service",
        "dhcpd6.service",
        "virtvboxd.service",
        "keyboxd@.socket",
        "nbd.service",
        "podman-auto-update.timer",
        "telnet.socket",
        "cpupower",
        "fish.root",
        "yate.service",
        "gitstatus.POWERLEVEL9K.1000.82162.1692225750.1.daemon.log",
        "cups.path",
        "setdb.php.001",
        "systemd-homed-activate.service",
        "payload.php.008",
        "nohang-desktop.service",
        "systemd-pcrmachine.service",
        "README.md",
        "updatedb.timer",
        "systemd-ask-password-console.service",
        "cpupower.service",
        "wpa_supplicant-nl80211@.service",
        "80-wifi-ap.network.example",
        "zfs-load-key.service",
        "Temp-0c3dc677-7d66-4234-b14e-f604605b2d0c",
        "plasma-kded6.service",
        "99-default.preset",
        "dhclient@.service",
        "sslh-select.service",
        "systemd-network-generator.service",
        "zfs-share.service",
        "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
        "systemd-sysext@.service",
        "celery@.service",
        "xdg-desktop-portal-hyprland.service",
        "systemd-pcrlock-make-policy.service",
        "80-6rd-tunnel.network",
        "gitstatus.POWERLEVEL9K.1000.82565.1692225764.1.daemon.log",
        "https://hybrid-analysis.com/sample/67c5f0f9649ab398e2fe6fdd586a0c2bf75454fa53d588196cea806665ad0983/659a1fbff70d457d2b04d747",
        "gvfs-daemon.service",
        "shutdown.target",
        "xdg-desktop-portal.service",
        "cups-lpd@.service",
        "greenbone-nvt-sync.timer",
        "systemd-journald-varlink@.socket",
        "snmpd.service",
        "gitstatus.POWERLEVEL9K.1000.10525.1692233087.1.daemon.log",
        "xdg-document-portal.service",
        "nbd@.service",
        "10-arch",
        "keyboxd@etc-pacman.d-gnupg.socket",
        "80-container-vb.link",
        "rfkill-unblock@.service",
        "iodined.socket",
        "dm-event.socket",
        "usb-gadget.target",
        "expl_cve_2021_40444.yar.002",
        "systemd-tmpfiles-clean.timer",
        "initrd-root-fs.target",
        "systemd-journal-remote.socket",
        "payload.php.017",
        "initrd-switch-root.target",
        "clamav-freshclam-once.service",
        "systemd-ask-password-plymouth.service",
        "reader.php",
        "plasma-powerprofile-osd.service",
        "systemd-creds@.service",
        "virtlogd.socket",
        "machine.slice",
        "systemd.sr.catalog",
        "input.pcap",
        "archlinux-keyring-wkd-sync.service",
        "wpa_supplicant.service",
        "NetworkManager-wait-online.service",
        "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-uksmd.service-oAjI9s",
        "qtsingleapp-Notifi-4c42-3e8-lockfile",
        "systemd-machined.service",
        "gitstatus.POWERLEVEL9K.1000.75659.1692225165.1.daemon.log",
        "gcr-ssh-agent.socket",
        "cups-lpd.socket",
        "dbus-org.freedesktop.portable1.service",
        "xfs_scrub@.service",
        "tmp90lfbdek",
        "eicar.002",
        "rdnssd@.service",
        "systemd-homed-firstboot.service",
        "initrd-parse-etc.service",
        "ostree-remount.service",
        "gitstatus.POWERLEVEL9K.1000.240024.1692238828.1.xtrace.log",
        "virtlxcd.socket",
        "gitstatus.POWERLEVEL9K.1000.253137.1692239505.1.daemon.log",
        "gitstatus.POWERLEVEL9K.1000.8928.1692232861.1.daemon.log",
        "systemd-soft-reboot.service",
        "finger@.service",
        "audit-rules.service",
        ".ICE-unix",
        "epmd.socket",
        "systemd-nspawn@.service",
        "virtstoraged-ro.socket",
        "systemd-tpm2-setup.service",
        "gvfs-gphoto2-volume-monitor.service",
        "gitstatus.POWERLEVEL9K.1000.237952.1692238535.1.xtrace.log",
        "nvmf-autoconnect.service",
        "systemd-journal-flush.service",
        "gitstatus.POWERLEVEL9K.1000.317097.1692240795.1.xtrace.log",
        "kcptun-server@.service",
        "systemd-journald.socket",
        "virtlockd-admin.socket",
        "system-systemd\\x2dcryptsetup.slice",
        "systemd-pcrlock-firmware-config.service",
        "remote-cryptsetup.target",
        "gitstatus.POWERLEVEL9K.1000.237594.1692238521.1.daemon.log",
        "session.slice",
        "getty.target",
        "plymouth-quit-wait.service",
        "sigpwr.target",
        "nss-lookup.target",
        "systemd.it.catalog",
        "gitstatus.POWERLEVEL9K.1000.248323.1692239206.1.daemon.log",
        "flatpak-portal.service",
        "sys-fs-fuse-connections.mount",
        "apt_sandworm_exim_expl.yar.001",
        "seatd.service",
        "snort@.service",
        "greenbone-scapdata-sync.service",
        "30-root-verity-sig.conf",
        "dbus-broker-launch.catalog",
        "runlevel0.target",
        "virtlogd-admin.socket",
        "virtnwfilterd-admin.socket",
        "jack@.service",
        "systemd-tmpfiles-clean.service",
        "mdcheck_start.service",
        "virtproxyd-ro.socket",
        "plasma-kscreen-osd.service",
        "virtqemud.socket",
        "kde-baloo.service",
        "drkonqi-coredump-launcher.socket",
        "dirmngr@.service",
        "payload.php.010",
        "ly.service",
        "wg-quick@.service",
        "rescue.service",
        "gitstatus.POWERLEVEL9K.1000.248323.1692239206.1.xtrace.log",
        "systemd.catalog",
        "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
        "systemd-fsck@.service",
        "capsule@.service",
        "mariadb@.service",
        "fwupd.shutdown",
        "gitstatus.POWERLEVEL9K.1000.268412.1692240156.1.xtrace.log",
        ".X11-unix",
        "https://www.virustotal.com/gui/file/67c5f0f9649ab398e2fe6fdd586a0c2bf75454fa53d588196cea806665ad0983/behavior",
        "systemd-importd.service",
        "nvidia-persistenced.service",
        "ead.service",
        "system-update-cleanup.service",
        "chkboot.service",
        "gitstatus.POWERLEVEL9K.1000.11270.1692217597.1.daemon.log",
        "gitstatus.POWERLEVEL9K.1000.263981.1692240121.1.daemon.log",
        "50-zfs.preset",
        "iscsid.service",
        "isnsd.socket",
        "gitstatus.POWERLEVEL9K.1000.84754.1692225891.1.xtrace.log",
        "ftpd.service",
        "drkonqi-sentry-postman.path",
        "lvm2-lvmpolld.service",
        "vboxservice.service",
        "rsh.socket",
        "smartcard.target",
        "systemd-exit.service",
        "libvirtd-admin.socket",
        "xrdp.service",
        "canberra-system-shutdown-reboot.service",
        "systemd-machine-id-commit.service",
        "cape-processor.service",
        "pulseaudio.service",
        "nfs-utils.service",
        "chkboot-bootcheck",
        "payload.php.002",
        "iscsiuio.socket",
        "pulseaudio.socket",
        "systemd-bootctl.socket",
        "gpg-agent.socket",
        "rsyncd@.service",
        "boot-complete.target",
        "gnome-keyring-daemon.service",
        "dbus-org.freedesktop.login1.service",
        "keyboxd@.service",
        "systemd-ask-password-wall.service",
        "gitstatus.POWERLEVEL9K.1000.83486.1692225808.1.xtrace.log",
        "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-power-profiles-daemon.service-hSCDr7",
        "plymouth-read-write.service",
        "60-flatpak",
        "rc-local.service",
        "sockets.target",
        "wireplumber@.service",
        "gpg-agent-extra@etc-pacman.d-gnupg.socket",
        "80-wifi-adhoc.network",
        "borgmatic.service",
        "hv_kvp_daemon.service",
        "systemd-sysext.socket",
        "app.slice",
        "gitstatus.POWERLEVEL9K.1000.10291.1692217508.1.daemon.log",
        "systemd-udevd-kernel.socket",
        "mdmonitor-oneshot.timer",
        "pipewire.service",
        "graphical-session.target",
        "ppp@.service",
        "rathole@.service",
        "proc-sys-fs-binfmt_misc.automount",
        "virtnodedevd.socket",
        "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-ananicy-cpp.service-U5RKxp",
        "gitstatus.POWERLEVEL9K.1000.2588447.1692243345.1.xtrace.log",
        "opensnitchd.service",
        "telnet@.service",
        "10-root.conf",
        "proc-sys-fs-binfmt_misc.mount",
        "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
        "pamac-cleancache.timer",
        "payload.php.015",
        "eicar.txt",
        "mdmonitor-oneshot.service",
        "hybrid-sleep.target",
        "emergency.service",
        "phoromatic-client.service",
        "ModemManager.service",
        "systemd-pcrlock@.service",
        "user@.service",
        "remote-veritysetup.target",
        "plasma-csd-generator.LTvjbT",
        "xplico.service",
        "Whitelisted IP Address 204.79.197.212 Location  United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. ,  ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc.,   Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 ,  5943 ,  80211 ,  #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf ,  The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
        "80-6rd-tunnel.link",
        "nfs-blkmap.service",
        "systemd-quotacheck@.service",
        "mdmon@.service",
        "phoronix-result-server.service",
        "systemd-hibernate-resume.service",
        "systemd-sysupdate.service",
        "paths.target",
        "finger.socket",
        "ip2clued.service",
        "tlp.service",
        "tpm2.target",
        "plasma-kwallet-pam.service",
        "gitstatus.POWERLEVEL9K.1000.267109.1692240136.1.xtrace.log",
        "memmemY_2MMv.c",
        "stdbool.ht64kj6qw.c",
        "initrd-fs.target",
        "blockdev@.target",
        "gitstatus.POWERLEVEL9K.1000.6339.1692232717.1.daemon.log",
        "logrotate.service",
        "rtkit-daemon.service",
        "uksmd.service",
        "zfs-zed.service",
        "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
        "getPerms.php",
        "systemd-bsod.service",
        "systemd-userdbd.service",
        "talk.socket",
        "netavark-dhcp-proxy.socket",
        "mdadm.shutdown",
        "qemu-guest-agent.service",
        "80-wifi-station.network.example",
        "dbus-broker.catalog",
        "80-vm-vt.network",
        "ptunnel.service",
        "gnome-terminal-server.service",
        "drkonqi-coredump-cleanup.timer",
        "libvirtd.socket",
        "gitstatus.POWERLEVEL9K.1000.8928.1692232861.2.daemon.log",
        "dbus-org.freedesktop.hostname1.service",
        "btrfs-scrub@.service",
        "virtstoraged.service",
        "systemd-networkd-wait-online.service",
        "80-container-vz.link",
        "systemd.de.catalog",
        "autorandr.service",
        "lxdm.service",
        "redis.service",
        "systemd-sysext.service",
        "gitstatus.POWERLEVEL9K.1000.82162.1692225750.1.xtrace.log",
        "cape-rooter.service",
        "tumblerd.service",
        "80-container-vb.network",
        "payload.php.009",
        "systemd-pstore.service",
        "gitstatus.POWERLEVEL9K.1000.83896.1692225820.1.xtrace.log",
        "borgmatic-user.service",
        "console-getty.service",
        "xdg-desktop-portal-rewrite-launchers.service",
        "pulseaudio-x11.service",
        "mysqld.service",
        "nfs-client.target",
        "80-iwd.link",
        "payload.php.014",
        "systemd-pcrphase-sysinit.service",
        "zfs-scrub@.service",
        "fancontrol.service",
        "gnupg-pkcs11-scd-proxy.service",
        "wacom-inputattach@.service",
        "paccache.service",
        "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
        "rsyncd.service",
        "gitstatus.POWERLEVEL9K.1000.122089.1692235219.1.daemon.log",
        "pam_namespace.service",
        "plasma-workspace-x11.target",
        "plasma-core.target",
        "list.php",
        "podman.service",
        "single.php",
        "rasdaemon.service",
        "redis-sentinel.service",
        "arcolinux-graphical-target.service",
        "elasticsearch@.service",
        "veritysetup.target",
        "systemd.bg.catalog",
        "systemd-localed.service",
        "gitstatus.POWERLEVEL9K.1000.13878.1692218150.1.daemon.log",
        "gitstatus.POWERLEVEL9K.1000.2703415.1692243471.1.xtrace.log",
        "drkonqi-coredump-processor@.service",
        "tor.service",
        "gitstatus.POWERLEVEL9K.1000.12928.1692233448.1.daemon.log",
        "accounts-daemon.service",
        "plymouth-quit.service",
        "zfs-import-scan.service",
        "80-container-ve.network",
        "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
        "git-daemon@.service",
        "hostapd@.service",
        "kcptun@.service",
        "nfs-mountd.service",
        "nvidia-suspend.service",
        "netavark-dhcp-proxy.service",
        "vpnc@.service",
        "sys-kernel-debug.mount",
        "nmb.service",
        ".org.chromium.Chromium.12ZdF3",
        "halt.target",
        "cape.service",
        "systemd-hybrid-sleep.service",
        "plasma-kcminit-phase1.service",
        "guacd.service",
        "autorandr-lid-listener.service",
        "dhcpd4.service",
        "virtproxyd.socket",
        "plasma-kglobalaccel.service",
        "systemd-suspend.service",
        "APT_Backdoor_PS1_BASICPIPESHELL_1.yar",
        "iscsiuio.service",
        "libvirtd-tls.socket",
        "memavaild.service",
        "systemd-kexec.service",
        "storage-target-mode.target",
        "gitstatus.POWERLEVEL9K.1000.2586196.1692243336.1.daemon.log",
        "initrd-root-device.target",
        "parent.php",
        "mdcheck_start.timer",
        "system-update.target",
        "xdg-permission-store.service",
        "gpg-agent-ssh@.socket",
        "mdadm-last-resort@.service",
        "celery2@.service",
        "initrd-cleanup.service",
        "ssh-access.target",
        "virt-guest-shutdown.target",
        "iscsid.socket",
        "virtinterfaced.socket",
        "plasma-ksmserver.service",
        "rescue.target",
        "ufw.service",
        "connect.php",
        "virtnwfilterd.service",
        "plasma-kcminit.service",
        "virtstoraged-admin.socket",
        "integritysetup.target",
        "80-vm-vt.link",
        "gitstatus.POWERLEVEL9K.1000.268412.1692240179.1.daemon.log",
        "https://hybrid-analysis.com/sample/320a60044adeccec22937423e859d2b095e976698133e37a83e019ce08c8bc0c",
        "krb5-kpropd@.service",
        "nfsv4-server.service",
        "graphical.target",
        "systemd-journald-dev-log.socket",
        "gitstatus.POWERLEVEL9K.1000.8928.1692232861.2.xtrace.log",
        "plasma-kwin_wayland.service",
        "qtsingleapp-Octopi-1d88-3e8",
        "gitstatus.POWERLEVEL9K.1000.12470.1692233381.1.xtrace.log",
        "systemd-vmspawn@.service",
        "pacman-filesdb-refresh.timer",
        "suricata.service",
        "systemd.pl.catalog",
        ".vbox-mrkd-ipc",
        "systemd-tpm2-setup-early.service",
        "v8-compile-cache-1000",
        "libvirtd-ro.socket",
        "dunst.service",
        "systemd-growfs@.service",
        "virtproxyd-admin.socket",
        "gpm.path",
        "virtproxyd-tls.socket",
        "lastlog2-import.service",
        "gvmd.service",
        "privoxy.service",
        "systemd-bootctl@.service",
        "gitstatus.POWERLEVEL9K.1000.84305.1692225848.1.xtrace.log",
        "systemd-journal-catalog-update.service",
        "qtsingleapp-Octopi-1d88-3e8-lockfile",
        "systemd-backlight@.service",
        "borgmatic-user.timer",
        "SUSE-mdadm_env.sh",
        "dbus-org.freedesktop.locale1.service",
        "mariadb.socket",
        "gvfs-mtp-volume-monitor.service",
        "systemd-networkd.socket",
        "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
        "sensord.service",
        "shadow.service",
        "virtsecretd-ro.socket",
        "nvmefc-boot-connections.service",
        "virtnetworkd.socket",
        "https://www.virustotal.com/gui/file/79e3317a07b12a977f7fda3463779055bbfec748e7fae4c2c1d1cb9bb8e408ca/details",
        "https://hybrid-analysis.com/sample/479a0170df010c5eb742ff1b8740a2ccf381df44c8a919c95d6e38685278e78a/661da5c768340c1e25092cb2",
        "systemd.fr.catalog",
        "apt_sandworm_exim_expl.yar",
        "virtinterfaced-ro.socket",
        "plasma-polkit-agent.service",
        "bmc-watchdog.service",
        "pacrunner.service",
        "kexec.target",
        "systemd-vconsole-setup.service",
        "payload.php.012",
        "fastnetmon.service",
        "ras-mc-ctl.service",
        "systemd-userdbd.socket",
        "gitstatus.POWERLEVEL9K.1000.28823.1692223670.1.xtrace.log",
        "smartd.service",
        "capsule.slice",
        "lxc-auto.service",
        "systemd-creds.socket",
        "wpa_supplicant@.service",
        "20230816_202710-scantemp.b14ff4bc3a",
        "packagekit-offline-update.service",
        "3proxy.service",
        "zfs-volume-wait.service",
        "payload.php",
        "local-fs-pre.target",
        "lxc-monitord.service",
        "nfs-idmapd.service",
        "man-db.service",
        "virtinterfaced.service",
        "cups.service",
        "var-lib-nfs-rpc_pipefs.mount",
        "payload.php.004",
        "60-flatpak-system-only",
        "i2pd.service",
        "gitstatus.POWERLEVEL9K.1000.10858.1692217566.1.xtrace.log",
        "xfs_scrub_all.timer",
        "greenbone-feed-sync.timer",
        "fwupd.service",
        "sndiod.service",
        "time-set.target",
        "virtlockd.socket",
        "virtnwfilterd.socket",
        "auditd.service",
        "keyboxd.socket",
        "plasma-xembedsniproxy.service",
        "systemd-tmpfiles-setup.service",
        "systemd-boot-update.service",
        "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr",
        "ntpd.service",
        "nfsv4-exportd.service",
        "exabgp.service",
        "uuidd.socket",
        "time-sync.target",
        "zfs-import-cache.service",
        "drkonqi-sentry-postman.timer",
        "dirmngr@.socket",
        "elasticsearch.service",
        "krb5-kpropd.socket",
        "docker.socket",
        "exit.target",
        "runlevel1.target",
        "Hunting_B64Engine_DotNetToJScript_Dos.yar",
        "initrd-udevadm-cleanup-db.service",
        "quotaon@.service",
        "winbind.service",
        "adb.service",
        "httpd.service",
        "qtsingleapp-Notifi-4c42-3e8",
        "hostapd.service",
        "mdmonitor.service",
        "plasma-krunner.service",
        "rpc_pipefs.target",
        "systemd-pcrfs@.service",
        "poweroff.target",
        "90-systemd.preset",
        "dev-hugepages.mount",
        "payload.php.016",
        "plymouth-switch-root.service",
        "systemd-logind.service",
        "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
        "bauh@mrkd",
        "systemd-pcrlock.socket",
        "netdata.service",
        "ratholec@.service",
        "kingdee-erp-rce.yaml",
        "ratholes@.service",
        "getty-pre.target",
        "systemd.hr.catalog",
        "plasma-powerdevil.service",
        "runlevel5.target",
        "iscsi.service",
        "virtproxyd.service",
        "strlcpydb8x03.c",
        "autovt@.service",
        "iscsi-init.service",
        "virtqemud-admin.socket",
        "virtsecretd-admin.socket",
        "Verification failure observed in automated verification handlers during sandbox replay.",
        "bluetooth.target",
        "ostree-state-overlay@.service",
        "remote-fs.target",
        "suricata-update.service",
        "sysinit.target",
        "borgmatic.timer",
        "setdb.php",
        "vboxdrmclient.path",
        "tinc@.service",
        ".org.chromium.Chromium.T2jdbS",
        "postgresql.service",
        "zfs-import.target",
        "systemd-time-wait-sync.service",
        "ostree-finalize-staged.service",
        "systemd-networkd-wait-online@.service",
        "systemd-timesyncd.service",
        "systemd.be@latin.catalog",
        "systemd-remount-fs.service",
        "nm-priv-helper.service",
        "systemd-pcrlock-machine-id.service",
        "rsyncd.socket",
        "virtsecretd.socket",
        "gpg-agent@etc-pacman.d-gnupg.socket",
        "ipmidetectd.service",
        "gitstatus.POWERLEVEL9K.1000.11926.1692233325.1.xtrace.log",
        "plasma-gmenudbusmenuproxy.service",
        "pamac-cleancache.service",
        "slices.target",
        "xdg-user-dirs-update.service",
        "systemd-hostnamed.service",
        "colord-session.service",
        "flatpak-system-helper.service",
        "systemd.be.catalog",
        "fluidsynth.service",
        "gpg-agent-ssh@etc-pacman.d-gnupg.socket",
        "drkonqi-coredump-cleanup.service",
        "plasma-kwin_x11.service",
        "nfsdcld.service",
        "gitstatus.POWERLEVEL9K.1000.2586196.1692243336.1.xtrace.log",
        "systemd-initctl.service",
        "systemd-tmpfiles-setup-dev.service",
        "plymouth-poweroff.service",
        "alsa-state.service",
        "ostree-finalize-staged-hold.service",
        "virtnodedevd.service",
        "gitstatus.POWERLEVEL9K.1000.267442.1692240150.1.xtrace.log",
        "iwd.service",
        "virtstoraged.socket",
        "xfs_scrub_fail@.service",
        "gitstatus.POWERLEVEL9K.1000.241161.1692238939.1.xtrace.log",
        "podman-clean-transient.service",
        "snort@1000.service",
        "clamav-clamonacc.service",
        "sshuttle.service",
        "systemd-halt.service",
        "geoipupdate.timer",
        "pacman-filesdb-refresh.service",
        "talk.service",
        "gitstatus.POWERLEVEL9K.1000.6339.1692232717.2.xtrace.log",
        "rsh@.service",
        "phoromatic-server.service",
        "systemd-pcrphase.service",
        "systemd-pcrlock-secureboot-authority.service",
        "https://otx.alienvault.com/indicator/file/5820da0bbae4f091dc0248e566d8f1076fd81485d1893effa14cdc1dc122f1fd",
        "systemd-journald@.service",
        "samba.service",
        "systemd-udevd.service",
        "gitstatus.POWERLEVEL9K.1000.263981.1692240117.1.xtrace.log",
        "dmraid.service",
        "cntlm.service",
        "systemd-rfkill.service",
        "pamac-daemon.service",
        "NetworkManager.service",
        "nvidia-powerd.service",
        "plymouth-halt.service",
        "NetworkManager-dispatcher.service",
        "gitstatus.POWERLEVEL9K.1000.12470.1692233381.1.daemon.log",
        "virtlogd.service",
        "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
        "gitstatus.POWERLEVEL9K.1000.267442.1692240150.1.daemon.log",
        "lvm2-lvmpolld.socket",
        "e2scrub_fail@.service",
        "mdadm-grow-continue@.service",
        "drkonqi-coredump-launcher@.service",
        "e2scrub_all.timer",
        "libvirt-guests.service",
        "zfs-trim@.service",
        "systemd-pcrextend.socket",
        "10-defaults.conf",
        ".org.chromium.Chromium.coQnti",
        "gitstatus.POWERLEVEL9K.1000.82565.1692225764.1.xtrace.log",
        "apache-tika.service",
        "gitstatus.POWERLEVEL9K.1000.267442.1692240143.1.xtrace.log",
        "avahi-daemon.service",
        "cryptsetup-pre.target",
        "systemd-firstboot.service",
        "systemd-oomd.service",
        "reflector.timer",
        "https://hybrid-analysis.com/sample/79e3317a07b12a977f7fda3463779055bbfec748e7fae4c2c1d1cb9bb8e408ca/64dff1fbeab7dc252b0e56a6",
        "systemd.ko.catalog",
        "gvfs-metadata.service",
        "fwupd-refresh.service",
        "remote-fs-pre.target",
        "suspend.target",
        "pcscd.socket",
        "gitstatus.POWERLEVEL9K.1000.9950.1692233029.1.daemon.log",
        "gpsd.socket",
        "systemd.zh_TW.catalog",
        "teamd@.service",
        "hv_fcopy_daemon.service",
        "bluetooth.service",
        "wpa_supplicant-wired@.service",
        "systemd-pcrphase-initrd.service",
        "clamav-freshclam.service",
        "dm-event.service",
        "systemd-growfs-root.service",
        "gitstatus.POWERLEVEL9K.1000.155609.1692237756.1.daemon.log",
        "first-boot-complete.target",
        "https://hybrid-analysis.com/sample/43b03483bf2b292ebb1b33469ab4b19e2ac84b1c86c0f34f60adab4bc64176b9",
        "virtnwfilterd-ro.socket",
        "plasma-kscreen.service",
        "geoipupdate.service",
        "defaults.conf",
        "vmware-vmblock-fuse.service",
        "gitstatus.POWERLEVEL9K.1000.75659.1692225165.1.xtrace.log",
        "xdg-desktop-portal-gtk.service",
        "mongodb.service",
        "getty@.service",
        "tinyproxy.service",
        "gitstatus.POWERLEVEL9K.1000.6339.1692232717.1.xtrace.log",
        "podman-kube@.service",
        "cups.socket",
        "dbus.service",
        "xdg-desktop-autostart.target",
        "nvidia",
        "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-bluetooth.service-7fh2tg",
        "final.target",
        "gitstatus.POWERLEVEL9K.1000.267109.1692240155.1.xtrace.log",
        "plasma-plasmashell.service",
        "vmtoolsd.service",
        "gpg-agent-extra.socket",
        "stdbool.hcc0B2j.c",
        "p11-kit-server.socket",
        "https://hybrid-analysis.com/file-collection/64dfee6a3329552c91026445",
        "named.service",
        ".org.chromium.Chromium.8GBhMA",
        "gitstatus.POWERLEVEL9K.1000.10858.1692217566.1.daemon.log",
        "strlcatmMvE1V.c",
        "iptables-flush",
        "nftables.service",
        "polkit.service",
        "systemd-boot-check-no-failures.service",
        "plymouth-start.service",
        "systemd.pt_BR.catalog",
        "xsettingsd.service",
        "gitstatus.POWERLEVEL9K.1000.267109.1692240155.1.daemon.log",
        "krb5-kdc.service",
        "crypto-miner.js",
        "serial-getty@.service",
        "virtproxyd-tcp.socket",
        "iiod.service",
        "graphical-session-pre.target",
        "snmptrapd.service",
        "ostree-boot-complete.service",
        "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
        "tracker-xdg-portal-3.service",
        "podman-restart.service",
        "create_ap.service",
        "dbus-org.freedesktop.timedate1.service",
        "ndctl-monitor.service",
        "virtlxcd.service",
        "gitstatus.POWERLEVEL9K.1000.6339.1692232717.2.daemon.log",
        "runlevel2.target",
        "initrd.target",
        "plasma-baloorunner.service",
        "at-spi-dbus-bus.service",
        "isnsd.service",
        "bolt.service",
        "greenbone-certdata-sync.service",
        "swap.target",
        "systemd-journald-audit.socket"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [
            "Unknown - Chinese speaking",
            "Chinese Speaking",
            "N/A"
          ],
          "malware_families": [
            "Backdoor:win32/r2d2.a",
            "Sf:shellcode-dz\\ [trj]",
            "Netexecutablemicrosoft",
            "Slf:mamacsemacro.a",
            "Remainafterexit",
            "Trojandownloader:linux/morila!mtb",
            "Bv:telegrambot-a\\ [trj]",
            "Nmbdoptions",
            "Unknown",
            "Trojandropper:win32/fakeflexnet.a",
            "Ransom:linux/darkradiation.a!mtb",
            "Delphi",
            "Successaction",
            "Smbdoptions",
            "Winbindoptions"
          ],
          "industries": [
            "Legal, financial, healthcare, government, municipal, real-estate, enterprise-technology, critical-in",
            "Individuals"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 10,
  "pulses": [
    {
      "id": "6a16ac90f5b7cde86d323464",
      "name": "[\"backup ios...\"] clone by Merkd1904. User note: theres a name tagged here thats interesting",
      "description": "",
      "modified": "2026-05-27T08:34:24.654000",
      "created": "2026-05-27T08:34:24.654000",
      "tags": [
        "fireeye",
        "copyright",
        "base64",
        "dotnettojscript",
        "gadgettojscript",
        "invokeclient",
        "invokeserver",
        "readhost enter",
        "command",
        "roth",
        "nextron",
        "sandworm",
        "detects ssh",
        "grant all",
        "privileges on",
        "to mysqldb",
        "create user",
        "g root",
        "sandworm python",
        "import",
        "phpsploit",
        "host",
        "user",
        "pass",
        "error",
        "establish",
        "pecl oci8",
        "connstr",
        "charset",
        "false",
        "miner",
        "texthtml",
        "module",
        "send custom",
        "swissky",
        "class",
        "serviceip",
        "serviceport",
        "servicedata",
        "e binsh",
        "init",
        "service port",
        "detects",
        "cve202140444",
        "target",
        "targetmode",
        "jeremy brown",
        "windows cve",
        "ms office",
        "modified rule",
        "rperm",
        "wperm",
        "pathsep",
        "string",
        "rwxrxrx",
        "file types",
        "unix",
        "login",
        "autentication",
        "disable",
        "ldapconnect",
        "version",
        "authentication",
        "ldaplist",
        "null",
        "pathelems",
        "execute",
        "backdoor",
        "kingdee oa",
        "yunxingkong",
        "b6oa",
        "code execution",
        "kingdee cloud",
        "starry sky",
        "otherwise",
        "file",
        "setsmartdate",
        "fread",
        "name",
        "force",
        "base64decode",
        "data",
        "substr",
        "array",
        "readdir",
        "getowner",
        "getgroup",
        "getsize",
        "force option",
        "fwrite",
        "permission",
        "check",
        "mode",
        "diraccess",
        "fileaccess",
        "realpath",
        "stat",
        "immutable",
        "posixgetpwuid",
        "posixgetgrgid",
        "explode",
        "etcpasswd",
        "glob",
        "globonlydir",
        "oraclelogin",
        "port",
        "servicename",
        "connector",
        "base",
        "query type",
        "mssqlfetcharray",
        "mssqlassoc",
        "solsocket",
        "timeout",
        "range",
        "portmin",
        "portmax",
        "socketcreate",
        "afinet",
        "sockstream",
        "open",
        "type",
        "true",
        "tcp connection",
        "tcp shell",
        "input",
        "lhost",
        "netcat",
        "lport",
        "shell",
        "dllimport",
        "python",
        "back",
        "fore",
        "pfinet",
        "stdout",
        "this",
        "win32",
        "ldapsearch",
        "select",
        "mysqliassoc",
        "select database",
        "send",
        "newfile",
        "dns stub",
        "third party",
        "see man",
        "exit",
        "o pipefail",
        "v systemctl",
        "devnull",
        "unknown verb",
        "license",
        "gnu lesser",
        "general public",
        "free software",
        "foundation",
        "unit",
        "slice",
        "cpuweight100",
        "tasks slice",
        "cpuweight30",
        "capev2",
        "cape",
        "cuckoo web",
        "setup",
        "grep",
        "limitnofile",
        "install",
        "return",
        "execstart",
        "start",
        "descriptionrun",
        "timer",
        "oncalendardaily",
        "service",
        "prevent rate",
        "delay start",
        "m poetry",
        "sigkill",
        "descriptioncape",
        "ef usercape",
        "g cape",
        "allowisolateyes",
        "typedbus",
        "socket",
        "message bus",
        "listenstream",
        "typenotify",
        "descriptionuser",
        "harald sitter",
        "sitter",
        "kcrash",
        "drkonqi",
        "acceptyes",
        "disable trigger",
        "todo",
        "prevents",
        "path",
        "pathexistsglob",
        "runtimemaxsec31",
        "runtimemaxsec30",
        "restartno",
        "descriptionexit",
        "environmentfile",
        "otheropts",
        "soundfont",
        "descriptiongcr",
        "sshauthsock",
        "descriptionglib",
        "priority6",
        "killmodeprocess",
        "proxy",
        "socketmode0600",
        "apache software",
        "notice file",
        "apache license",
        "unless",
        "as is",
        "basis",
        "or conditions",
        "apple file",
        "conduit monitor",
        "descriptionjack",
        "jackoptions d",
        "driver d",
        "device",
        "media transfer",
        "indexer daemon",
        "memory",
        "memoryhigh512m",
        "system sockets",
        "a user",
        "conditionuser",
        "dbus menus",
        "plasma",
        "phase",
        "workspace core",
        "exit status",
        "x11 connection",
        "timeoutstopsec5",
        "disable restart",
        "timeoutsec40sec",
        "typeoneshot",
        "david edmundson",
        "davidedmundson",
        "osd service",
        "portal",
        "auto restart",
        "dbus",
        "xembed system",
        "logging system",
        "socketmode0660",
        "all containers",
        "restart policy",
        "logging start",
        "execstopbinsh c",
        "logging",
        "x11 plugins",
        "session slice",
        "typeforking",
        "etc userroot",
        "grouproot",
        "onbootsec15min",
        "place",
        "temporary",
        "volatile files",
        "thunar",
        "session manager",
        "wireplumber",
        "service file",
        "xdg autostart",
        "user dir",
        "descriptionxfce",
        "sandbox",
        "malware",
        "analysis",
        "online",
        "submit",
        "vxstream",
        "sample",
        "download",
        "trojan",
        "apt",
        "memoryfile scan",
        "ansi",
        "bpf program",
        "indicator",
        "bpf firewalling",
        "pcap",
        "pcap processing",
        "bpffallowmulti",
        "bpf device",
        "date",
        "suspicious",
        "hybrid",
        "crypto",
        "close",
        "click",
        "april",
        "strings",
        "february",
        "middle",
        "exploit",
        "gameover",
        "contact",
        "scope",
        "thomas koch",
        "gpl v2",
        "imsm",
        "ibftruledir",
        "ibftrules",
        "attr",
        "systemd rule",
        "hannes reinecke",
        "suse labs",
        "ipibft",
        "interface",
        "kernel",
        "configfile",
        "typesimple",
        "apparmor",
        "grouparchaudit",
        "hardening",
        "umask077",
        "persistenttrue",
        "enable debug",
        "networkmanager",
        "trace",
        "wait online",
        "edit",
        "note",
        "reload",
        "capdacoverride",
        "dhcp etc",
        "mdadmscan",
        "mdadmdelay",
        "mdadmmail",
        "mdadmprogram",
        "mdadmconfig",
        "mdadmsendmail",
        "p runsysconfig",
        "userroot",
        "sssd",
        "write access",
        "needed sometime",
        "statedirectory",
        "accountsservice",
        "varloglastlog",
        "bridge daemon",
        "alsa card",
        "card state",
        "required",
        "another auto",
        "nice daemon",
        "memorymax64m",
        "filter system",
        "mount",
        "reboot",
        "clock",
        "logging service",
        "requires",
        "before",
        "please",
        "exit codes",
        "proc",
        "descriptionruns",
        "execstartsh c",
        "switchtoggle",
        "ignoreonisolate",
        "term typeidle",
        "without",
        "any warranty",
        "merchantability",
        "fitness",
        "a particular",
        "vartmp",
        "wants type",
        "preparation",
        "watchdogsec10",
        "filesystem",
        "timer daemon",
        "options",
        "environment",
        "prevent",
        "readwritepaths",
        "security",
        "certain",
        "protectsystem",
        "bindpaths",
        "lower cpu",
        "nice19",
        "manager",
        "userc",
        "celerydnodes",
        "info",
        "chaddevops",
        "aaron brighton",
        "clam antivirus",
        "jon kriel",
        "distribution",
        "script",
        "sanesecurity",
        "securiteinfo",
        "malwarepatrol",
        "oitc",
        "file location",
        "remember",
        "typeexec user",
        "9 cntlm",
        "generate color",
        "profiles",
        "removeipctrue",
        "devpts",
        "authors",
        "any kind",
        "usercouchdb",
        "restartsec5",
        "volumes",
        "server socket",
        "user209",
        "daemon",
        "darkstatiface",
        "reloadconfig",
        "watchdogsec3min",
        "privatetmpyes",
        "protectproc",
        "increase",
        "descriptiontime",
        "date service",
        "debugging only",
        "ignoresigpipeno",
        "unset locale",
        "file system",
        "queue file",
        "whatmqueue",
        "optionsnosuid",
        "pf rundhclient",
        "rate",
        "requiresdirmngr",
        "capfowner",
        "capsetpcap",
        "dhcp",
        "dns server",
        "startlimit",
        "limits",
        "delegateyes",
        "descriptionpass",
        "runtimemaxsec5",
        "mountain",
        "metadata check",
        "all filesystems",
        "online metadata",
        "sunday",
        "oncalendarsun",
        "online ext4",
        "sigterm signal",
        "java process",
        "piddir",
        "standardoutput",
        "elasticsearch",
        "limitnproc4096",
        "limitasinfinity",
        "sendsighupyes",
        "mapper daemon",
        "mainpid",
        "quit",
        "listenstream79",
        "radius server",
        "d etcraddb",
        "protecthomeon",
        "default",
        "systemservice",
        "efiefi bootefi",
        "afinet afinet6",
        "afunix afinet",
        "oncalendar 0000",
        "privatetmptrue",
        "geoip legacy",
        "geoip2",
        "instance",
        "usergit",
        "scdconfig",
        "notice",
        "devinputmice t",
        "descriptiongps",
        "system",
        "sock refclock",
        "gpsdoptions",
        "devices",
        "daemon sockets",
        "2947",
        "bindipv6onlyyes",
        "usbauto",
        "usrbingpsdctl",
        "gps daemon",
        "afterdev",
        "gvmddata",
        "varlibgssproxy",
        "nonewprivileges",
        "privatetmp",
        "protecthome",
        "ieee",
        "etchostapd",
        "killmodemixed",
        "fcopy",
        "uncomment",
        "use sigterm",
        "sigkill i2pd",
        "sendsigkillyes",
        "limitnofile8192",
        "systemd",
        "analog",
        "shutting down",
        "iodineextip p",
        "iodineport p",
        "iodineuser",
        "tunip",
        "topdomain",
        "guessmainpidyes",
        "m node",
        "wants",
        "initiatorname",
        "io driver",
        "typeexec",
        "c etckcptun",
        "usernobody",
        "requireskeyboxd",
        "static device",
        "nofork",
        "restartalways",
        "linker cache",
        "hack",
        "use wants",
        "raise",
        "tasksmax",
        "tasksmax32768",
        "limitmemlock64m",
        "removeonstopyes",
        "ip socket",
        "tls ip",
        "conflictsgetty",
        "aftergetty",
        "busmodules",
        "qabr",
        "hwmonmodules",
        "local file",
        "privatenetwork",
        "lvm2",
        "initialization",
        "autoboot code",
        "s delegatetrue",
        "description",
        "pidfilerunlxc",
        "lynis service",
        "adjust path",
        "lynis binary",
        "lynis timer",
        "tell systemd",
        "lynis security",
        "persistentfalse",
        "container slice",
        "recover",
        "varcacheman",
        "regenerate man",
        "userroot nice19",
        "mysqldopts",
        "mysqldsafe",
        "timezone",
        "core",
        "restart",
        "users",
        "backlog150",
        "listenstreams",
        "servicemariadb",
        "mechanism",
        "mariadb",
        "multi instance",
        "variables",
        "bindirmdadm",
        "gnu general",
        "public license",
        "reshape",
        "onactivesec30",
        "oncalendar",
        "wantedby",
        "monitor",
        "allow mdmon",
        "takeover",
        "k none",
        "c devnull",
        "d runinitramfs",
        "p runmongodb",
        "limitnproc32000",
        "limitmemlock5",
        "device server",
        "requiredbydev",
        "d dev",
        "descriptionreal",
        "extraopts",
        "restartsec30",
        "valid",
        "fifo",
        "priority",
        "batch",
        "nice0",
        "partof",
        "tracking daemon",
        "helper",
        "for testing",
        "only",
        "restrict",
        "grant",
        "capsysptrace",
        "capkill",
        "capipclock",
        "environ",
        "capsysresource",
        "capsyslog",
        "descriptionname",
        "service cache",
        "sysvlsb",
        "descriptionhost",
        "network name",
        "group name",
        "u ntp",
        "time service",
        "t hibernate",
        "software",
        "other",
        "the software",
        "daemon init",
        "software is",
        "provided",
        "fcnvme",
        "wantsmodprobe",
        "aftermodprobe",
        "descriptionall",
        "nbft",
        "nvmeof",
        "connectargs",
        "unit file",
        "descriptionnvmf",
        "red hat",
        "without any",
        "warranty",
        "card daemon",
        "socketmode0666",
        "suite result",
        "kexec screen",
        "oncalendarsat",
        "boot screen",
        "timeoutsec20",
        "power off",
        "runtime data",
        "descriptionhold",
        "timeoutsec0",
        "sandboxing",
        "execstop",
        "colin walters",
        "upgrade",
        "upgrade output",
        "umask0077",
        "transport agent",
        "descriptionmake",
        "descriptionppp",
        "whatnfsd",
        "file formats",
        "automount point",
        "automount",
        "setuid nobody",
        "setgid nobody",
        "setcon",
        "syslog",
        "restartonabort",
        "halt screen",
        "reboot screen",
        "pgroot",
        "postgresql",
        "oom killer",
        "additional",
        "fy nice19",
        "endless os",
        "foundation llc",
        "restartsec0",
        "system quotas",
        "rabbitmq",
        "protecthometrue",
        "etcrathole",
        "guessmainpidno",
        "h etcrdnssd",
        "reflector",
        "afinet6 afunix",
        "umask177",
        "remote file",
        "nfs client",
        "nfsv23 locking",
        "make sure",
        "rpc netconfig",
        "descriptionfast",
        "using ssh",
        "so let",
        "boot",
        "realtimekit",
        "rwhodopts",
        "display manager",
        "specify",
        "interval l",
        "loginterval f",
        "bindstodev",
        "always",
        "usrbingrpck r",
        "slapdoptions",
        "u ldap",
        "slapdurls",
        "smart",
        "pciusb",
        "midi",
        "daemonopts",
        "snmp",
        "trap daemon",
        "g snort",
        "descriptionsudo",
        "hibernate",
        "svnserveargs",
        "whatfusectl",
        "whatconfigfs",
        "whatdebugfs",
        "whattracefs",
        "best way",
        "see https",
        "units service",
        "service slice",
        "offline system",
        "update",
        "wall directory",
        "timeoutsec90s",
        "descriptionmark",
        "current boot",
        "loader entry",
        "any system",
        "units",
        "loader random",
        "loader update",
        "service socket",
        "dump socket",
        "optionally",
        "root device",
        "afalg afinet",
        "execstophomectl",
        "home area",
        "named pipe",
        "sink service",
        "sink socket",
        "upload service",
        "dynamicuseryes",
        "sigkilled",
        "devlog",
        "timestampingus",
        "namespace",
        "sendbuffer8m",
        "kernel command",
        "netlink socket",
        "storage",
        "descriptionwait",
        "network",
        "make",
        "deviceallow",
        "reserve",
        "killer socket",
        "root file",
        "measurement",
        "pcr policy",
        "tpm pcr",
        "code",
        "configuration",
        "machine id",
        "barrier",
        "quota check",
        "system quota",
        "after",
        "random seed",
        "kernel file",
        "gpt partition",
        "kill switch",
        "nvmetcp",
        "trigger",
        "saturday",
        "persistentyes",
        "system update",
        "kernel time",
        "capsystime",
        "ntp service",
        "turn",
        "files",
        "device nodes",
        "srk setup",
        "device events",
        "bootshutdown",
        "change",
        "manager socket",
        "descriptiontinc",
        "proxy server",
        "linrunner",
        "descriptiontlp",
        "tor service",
        "f etctortorrc",
        "tpm device",
        "descriptionudp",
        "tcpicmpudp",
        "etcudp2raw",
        "debug",
        "swap",
        "api file",
        "privatedevices",
        "home",
        "root",
        "runuser",
        "linux control",
        "groups",
        "group",
        "afnetlink",
        "locked memory",
        "limitmemlock0",
        "usb gadget",
        "apple",
        "sliceuser",
        "descriptionuuid",
        "compatibility",
        "typerpcpipefs",
        "vmsvga",
        "hypervisor",
        "usr1",
        "mgmt appuser",
        "dac permission",
        "selinux",
        "xxx someone",
        "qemu",
        "machine tools",
        "vmware tools",
        "pidfilerunvpnc",
        "wacom",
        "iface d",
        "dspeed u",
        "iface",
        "descriptionwpa",
        "oracle",
        "reserved",
        "wong",
        "emailaddr",
        "tunnel protocol",
        "l2tp",
        "isps",
        "russia use",
        "ipsec",
        "d optxplico",
        "b sqlite",
        "descriptionxrdp",
        "xrdpoptions",
        "process",
        "sesmanoptions",
        "zpoolimportopts",
        "an o",
        "t scrub",
        "usrbinzpool",
        "zfs volume",
        "descriptionzfs",
        "f restartalways",
        "remainafterexit",
        "nmbdoptions",
        "smbdoptions",
        "successaction",
        "winbindoptions",
        "ck id",
        "hybrid analysis",
        "mitre att",
        "malicious",
        "sdshared ansi",
        "default und",
        "func global",
        "func local",
        "object local",
        "general",
        "show technique",
        "ck matrix",
        "tasksmax33",
        "empty file",
        "proxycommand",
        "checkhostip",
        "afunix",
        "afvsock",
        "allow",
        "r table",
        "chkbootcheck",
        "gplv2 source",
        "chkbootstyles",
        "etcissue",
        "partition",
        "minimizebest",
        "mit no",
        "match",
        "link",
        "namepolicykeep",
        "ethernet link",
        "kindveth nameve",
        "kindveth namevb",
        "keepmasteryes",
        "dhcpv4",
        "kindsit name6rd",
        "ipv4ll",
        "ipv6ll",
        "dhcpipv6ra",
        "dhcpv6",
        "typeether",
        "dhcpyes",
        "usetimezoneyes",
        "typewlan",
        "tuntap",
        "natdhcp",
        "kindtun namevt",
        "kind",
        "originalname",
        "definedby",
        "peer",
        "sopeergroups",
        "dbus protocol",
        "dbus name",
        "exec",
        "hup signal",
        "sighup",
        "dnssec",
        "sessionid",
        "seatid",
        "sleep",
        "leader",
        "jobresult",
        "coredumppid",
        "coredumpcomm",
        "junit",
        "na zapusk",
        "mikrasiekund",
        "enhed",
        "mikrosekunder",
        "opstart",
        "jobid",
        "a rendszer",
        "ezredmsodpercet",
        "a rendszernapl",
        "user manager",
        "smack",
        "lunit",
        "stato",
        "il processo",
        "il sistema",
        "stata",
        "le processus",
        "notez que",
        "jedinica",
        "zapamtite da",
        "nova",
        "jednostka",
        "prosz zauway",
        "zwykle wskazuje",
        "jest",
        "o processo",
        "processo",
        "isso",
        "inicializao",
        "journal",
        "sizelimit",
        "userid",
        "prozess",
        "speicherabbild",
        "hinweis auf",
        "programmfehler",
        "fehler dem",
        "die systemzeit",
        "realtime"
      ],
      "references": [
        "Hunting_B64Engine_DotNetToJScript_Dos.yar",
        "APT_Backdoor_PS1_BASICPIPESHELL_1.yar",
        "apt_sandworm_exim_expl.yar.002",
        "apt_sandworm_exim_expl.yar.001",
        "apt_sandworm_exim_expl.yar",
        "connect.php",
        "connect.php.002",
        "connect.php.001",
        "crypto-miner.js",
        "eicar",
        "eicar.001",
        "eicar.002",
        "custom.py",
        "eicar.txt",
        "expl_cve_2021_40444.yar.001",
        "expl_cve_2021_40444.yar.002",
        "getPerms.php",
        "input.pcap",
        "list.php",
        "parent.php",
        "payload.php",
        "payload.php.001",
        "kingdee-erp-rce.yaml",
        "payload.php.003",
        "payload.php.002",
        "payload.php.004",
        "payload.php.005",
        "payload.php.006",
        "payload.php.007",
        "payload.php.008",
        "payload.php.010",
        "payload.php.011",
        "payload.php.009",
        "payload.php.012",
        "payload.php.013",
        "payload.php.015",
        "payload.php.016",
        "payload.php.017",
        "reverse_tcp.py",
        "scanner.php",
        "search.php",
        "setdb.php",
        "payload.php.014",
        "setdb.php.001",
        "reader.php",
        "single.php",
        "resolv.conf",
        "systemd-update-helper",
        "90-systemd.preset",
        "60-flatpak",
        "app.slice",
        "background.slice",
        "README.md",
        "bluetooth.target",
        "basic.target",
        "borgmatic-user.timer",
        "borgmatic-user.service",
        "cape.service",
        "cape-dist.service",
        "cape-processor.service",
        "cape-rooter.service",
        "capsule@.target",
        "cape-web.service",
        "clash.service",
        "colord-session.service",
        "dbus.socket",
        "cape-fstab.service",
        "dbus.service",
        "dbus-broker.service",
        "dconf.service",
        "dirmngr.service",
        "default.target",
        "drkonqi-coredump-cleanup.service",
        "dirmngr.socket",
        "drkonqi-coredump-cleanup.timer",
        "drkonqi-coredump-launcher.socket",
        "drkonqi-sentry-postman.path",
        "drkonqi-coredump-pickup.service",
        "drkonqi-sentry-postman.service",
        "drkonqi-sentry-postman.timer",
        "drkonqi-coredump-launcher@.service",
        "dunst.service",
        "flatpak-oci-authenticator.service",
        "filter-chain.service",
        "exit.target",
        "flatpak-session-helper.service",
        "fluidsynth.service",
        "gcr-ssh-agent.socket",
        "flatpak-portal.service",
        "gcr-ssh-agent.service",
        "gnome-keyring-daemon.service",
        "glib-pacrunner.service",
        "gnome-keyring-daemon.socket",
        "gpg-agent-ssh.socket",
        "gnome-terminal-server.service",
        "gpg-agent-extra.socket",
        "gpg-agent.service",
        "gpg-agent.socket",
        "gpg-agent-browser.socket",
        "graphical-session-pre.target",
        "graphical-session.target",
        "gssuserproxy.socket",
        "guacd.service",
        "gvfs-gphoto2-volume-monitor.service",
        "gvfs-daemon.service",
        "gssuserproxy.service",
        "gvfs-afc-volume-monitor.service",
        "gvfs-metadata.service",
        "jack@.service",
        "guac-web.service",
        "gvfs-udisks2-volume-monitor.service",
        "gvfs-mtp-volume-monitor.service",
        "kde-baloo.service",
        "keyboxd.service",
        "kio-fuse.service",
        "keyboxd.socket",
        "p11-kit-server.service",
        "p11-kit-server.socket",
        "paths.target",
        "pipewire.socket",
        "pipewire-pulse.service",
        "plasma-gmenudbusmenuproxy.service",
        "pipewire-pulse.socket",
        "plasma-baloorunner.service",
        "plasma-kcminit.service",
        "plasma-dolphin.service",
        "plasma-kcminit-phase1.service",
        "plasma-core.target",
        "plasma-kded.service",
        "pipewire.service",
        "plasma-kded6.service",
        "plasma-kglobalaccel.service",
        "at-spi-dbus-bus.service",
        "plasma-krunner.service",
        "plasma-kscreen.service",
        "plasma-kscreen-osd.service",
        "plasma-ksmserver.service",
        "plasma-ksplash.service",
        "plasma-ksplash-ready.service",
        "plasma-ksystemstats.service",
        "plasma-kwallet-pam.service",
        "plasma-kwin_wayland.service",
        "plasma-kwin_x11.service",
        "plasma-plasmashell.service",
        "plasma-polkit-agent.service",
        "plasma-powerdevil.service",
        "plasma-powerprofile-osd.service",
        "plasma-restoresession.service",
        "plasma-workspace.target",
        "plasma-workspace-wayland.target",
        "plasma-workspace-x11.target",
        "plasma-xdg-desktop-portal-kde.service",
        "plasma-xembedsniproxy.service",
        "podman.service",
        "podman.socket",
        "podman-auto-update.service",
        "podman-auto-update.timer",
        "podman-kube@.service",
        "podman-restart.service",
        "printer.target",
        "pulseaudio.service",
        "pulseaudio.socket",
        "pulseaudio-x11.service",
        "session.slice",
        "shutdown.target",
        "smartcard.target",
        "sockets.target",
        "sound.target",
        "ssh-agent.service",
        "suricata.service",
        "suricata-update.service",
        "suricata-update.timer",
        "systemd-exit.service",
        "systemd-tmpfiles-clean.service",
        "systemd-tmpfiles-clean.timer",
        "systemd-tmpfiles-setup.service",
        "thunar.service",
        "timers.target",
        "tracker-xdg-portal-3.service",
        "tumblerd.service",
        "wireplumber.service",
        "wireplumber@.service",
        "xdg-desktop-autostart.target",
        "xdg-desktop-portal.service",
        "xdg-desktop-portal-gtk.service",
        "xdg-desktop-portal-hyprland.service",
        "xdg-desktop-portal-rewrite-launchers.service",
        "xdg-desktop-portal-xapp.service",
        "xdg-permission-store.service",
        "xdg-user-dirs-update.service",
        "xfce4-notifyd.service",
        "xsettingsd.service",
        "xdg-document-portal.service",
        "https://hybrid-analysis.com/sample/b1a9e5be43c028442c07071e202f44f33e3a2df167822c5cfed8f998e01fe169/661da09794b343782806018e",
        "defaults.conf",
        "apparmor.conf",
        "nvidia",
        "tlp",
        "fwupd.shutdown",
        "mdadm.shutdown",
        "99-default.preset",
        "50-zfs.preset",
        "ibft-rule-generator",
        "10-arch",
        "60-flatpak-system-only",
        "3proxy.service",
        "apache-tika.service",
        "apparmor.service",
        "arch-audit.service",
        "arch-audit.timer",
        "NetworkManager-dispatcher.service",
        "NetworkManager-wait-online.service",
        "NetworkManager.service",
        "SUSE-mdadm_env.sh",
        "ModemManager.service",
        "3proxy.conf",
        "archlinux-keyring-wkd-sync.service",
        "adsl.service",
        "accounts-daemon.service",
        "adb.service",
        "alsa-restore.service",
        "alsa-state.service",
        "archlinux-keyring-wkd-sync.timer",
        "ananicy-cpp.service",
        "arcolinux-graphical-target.service",
        "atftpd.service",
        "audit-rules.service",
        "auditd.service",
        "auth-rpcgss-module.service",
        "autorandr.service",
        "autorandr-lid-listener.service",
        "autovt@.service",
        "avahi-daemon.service",
        "avahi-daemon.socket",
        "avahi-dnsconfd.service",
        "bettercap.service",
        "betterlockscreen@.service",
        "blk-availability.service",
        "blockdev@.target",
        "bluetooth.service",
        "bmc-watchdog.service",
        "bolt.service",
        "boot-complete.target",
        "borgmatic.service",
        "borgmatic.timer",
        "bpftune.service",
        "btrfs-scrub@.service",
        "btrfs-scrub@.timer",
        "canberra-system-bootup.service",
        "canberra-system-shutdown.service",
        "canberra-system-shutdown-reboot.service",
        "capsule.slice",
        "capsule@.service",
        "celery2@.service",
        "celery@.service",
        "chkboot.service",
        "clamav-clamonacc.service",
        "clamav-daemon.service",
        "clamav-daemon.socket",
        "clamav-freshclam.service",
        "clamav-freshclam-once.service",
        "clamav-freshclam-once.timer",
        "clamav-unofficial-sigs.service",
        "clamav-unofficial-sigs.timer",
        "clash@.service",
        "cntlm.service",
        "colord.service",
        "configure-printer@.service",
        "console-getty.service",
        "container-getty@.service",
        "containerd.service",
        "couchdb.service",
        "cpupower.service",
        "create_ap.service",
        "cronie.service",
        "cryptsetup.target",
        "cryptsetup-pre.target",
        "ctrl-alt-del.target",
        "cups.path",
        "cups.service",
        "cups.socket",
        "cups-lpd.socket",
        "cups-lpd@.service",
        "cxl-monitor.service",
        "darkstat.service",
        "daxdev-reconfigure@.service",
        "dbus-org.freedesktop.hostname1.service",
        "dbus-org.freedesktop.import1.service",
        "dbus-org.freedesktop.locale1.service",
        "dbus-org.freedesktop.login1.service",
        "dbus-org.freedesktop.machine1.service",
        "dbus-org.freedesktop.portable1.service",
        "dbus-org.freedesktop.timedate1.service",
        "debug-shell.service",
        "dev-hugepages.mount",
        "dev-mqueue.mount",
        "dhclient@.service",
        "dhcpd4.service",
        "dhcpd6.service",
        "dirmngr@.service",
        "dirmngr@.socket",
        "dm-event.service",
        "dm-event.socket",
        "dmraid.service",
        "dnscrypt-proxy.service",
        "dnsmasq.service",
        "docker.service",
        "docker.socket",
        "drkonqi-coredump-processor@.service",
        "e2scrub@.service",
        "e2scrub_all.service",
        "e2scrub_all.timer",
        "e2scrub_fail@.service",
        "e2scrub_reap.service",
        "ead.service",
        "elasticsearch.service",
        "elasticsearch-keystore.service",
        "elasticsearch-keystore@.service",
        "elasticsearch@.service",
        "emergency.service",
        "emergency.target",
        "epmd.service",
        "epmd.socket",
        "exabgp.service",
        "factory-reset.target",
        "fancontrol.service",
        "fastnetmon.service",
        "final.target",
        "finger.socket",
        "finger@.service",
        "first-boot-complete.target",
        "flatpak-system-helper.service",
        "freeradius.service",
        "fsidd.service",
        "fstrim.service",
        "fstrim.timer",
        "ftpd.service",
        "fwupd.service",
        "fwupd-offline-update.service",
        "fwupd-refresh.service",
        "fwupd-refresh.timer",
        "geoclue.service",
        "geoipupdate.service",
        "geoipupdate.timer",
        "getty.target",
        "getty-pre.target",
        "getty@.service",
        "git-daemon.socket",
        "git-daemon@.service",
        "gnupg-pkcs11-scd-proxy.service",
        "gpg-agent-browser@.socket",
        "gpg-agent-extra@.socket",
        "gpg-agent-ssh@.socket",
        "gpg-agent@.service",
        "gpg-agent@.socket",
        "gpm.path",
        "gpm.service",
        "gpsd.service",
        "gpsd.socket",
        "gpsdctl@.service",
        "graphical.target",
        "greenbone-certdata-sync.service",
        "greenbone-certdata-sync.timer",
        "greenbone-feed-sync.service",
        "greenbone-feed-sync.timer",
        "greenbone-nvt-sync.service",
        "greenbone-nvt-sync.timer",
        "greenbone-scapdata-sync.service",
        "greenbone-scapdata-sync.timer",
        "gssproxy.service",
        "gvmd.service",
        "halt.target",
        "healthd.service",
        "hibernate.target",
        "hostapd.service",
        "hostapd@.service",
        "httpd.service",
        "hv_fcopy_daemon.service",
        "hv_kvp_daemon.service",
        "hv_vss_daemon.service",
        "hybrid-sleep.target",
        "i2pd.service",
        "iiod.service",
        "initrd.target",
        "initrd-cleanup.service",
        "initrd-fs.target",
        "initrd-parse-etc.service",
        "initrd-root-device.target",
        "initrd-root-fs.target",
        "initrd-switch-root.service",
        "initrd-switch-root.target",
        "initrd-udevadm-cleanup-db.service",
        "initrd-usr-fs.target",
        "integritysetup.target",
        "integritysetup-pre.target",
        "iodined.service",
        "iodined.socket",
        "ip2clued.service",
        "ip6tables.service",
        "ipmidetectd.service",
        "ipmiseld.service",
        "iptables.service",
        "iscsi.service",
        "iscsi-init.service",
        "iscsid.service",
        "iscsid.socket",
        "iscsiuio.service",
        "iscsiuio.socket",
        "isnsd.service",
        "isnsd.socket",
        "iwd.service",
        "kcptun-server@.service",
        "kcptun@.service",
        "kexec.target",
        "keyboxd@.service",
        "keyboxd@.socket",
        "kmod-static-nodes.service",
        "krb5-kadmind.service",
        "krb5-kdc.service",
        "krb5-kpropd.service",
        "krb5-kpropd.socket",
        "krb5-kpropd@.service",
        "lastlog2-import.service",
        "ldconfig.service",
        "libvirt-guests.service",
        "libvirtd.service",
        "libvirtd.socket",
        "libvirtd-admin.socket",
        "libvirtd-ro.socket",
        "libvirtd-tcp.socket",
        "libvirtd-tls.socket",
        "lightdm.service",
        "lm_sensors.service",
        "local-fs.target",
        "local-fs-pre.target",
        "logrotate.service",
        "logrotate.timer",
        "lvm2-lvmpolld.service",
        "lvm2-lvmpolld.socket",
        "lvm2-monitor.service",
        "lxc.service",
        "lxc-auto.service",
        "lxc-monitord.service",
        "lxc-net.service",
        "lxc@.service",
        "lxdm.service",
        "ly.service",
        "lynis.service",
        "lynis.timer",
        "machine.slice",
        "machines.target",
        "man-db.service",
        "man-db.timer",
        "mariadb.service",
        "mariadb.socket",
        "mariadb-extra.socket",
        "mariadb-extra@.socket",
        "mariadb@.service",
        "mariadb@.socket",
        "mdadm-grow-continue@.service",
        "mdadm-last-resort@.service",
        "mdadm-last-resort@.timer",
        "mdcheck_continue.service",
        "mdcheck_continue.timer",
        "mdcheck_start.service",
        "mdcheck_start.timer",
        "mdmon@.service",
        "mdmonitor.service",
        "mdmonitor-oneshot.service",
        "mdmonitor-oneshot.timer",
        "memavaild.service",
        "mkinitcpio-generate-shutdown-ramfs.service",
        "modprobe@.service",
        "mongodb.service",
        "multi-user.target",
        "mysql.service",
        "mysqld.service",
        "named.service",
        "nbd.service",
        "nbd@.service",
        "ndctl-monitor.service",
        "neo4j.service",
        "netavark-dhcp-proxy.service",
        "netavark-dhcp-proxy.socket",
        "netdata.service",
        "network.target",
        "network-online.target",
        "network-pre.target",
        "nfs-blkmap.service",
        "nfs-client.target",
        "nfs-idmapd.service",
        "nfs-mountd.service",
        "nfs-server.service",
        "nfs-utils.service",
        "nfsdcld.service",
        "nfsv4-exportd.service",
        "nfsv4-server.service",
        "nftables.service",
        "nm-priv-helper.service",
        "nmb.service",
        "nohang.service",
        "nohang-desktop.service",
        "nscd.service",
        "nss-lookup.target",
        "nss-user-lookup.target",
        "ntpd.service",
        "ntpdate.service",
        "nvidia-hibernate.service",
        "nvidia-persistenced.service",
        "nvidia-powerd.service",
        "nvidia-resume.service",
        "nvidia-suspend.service",
        "nvmefc-boot-connections.service",
        "nvmf-autoconnect.service",
        "nvmf-connect.target",
        "nvmf-connect-nbft.service",
        "nvmf-connect@.service",
        "pacrunner.service",
        "ostree-boot-complete.service",
        "pacman-filesdb-refresh.timer",
        "pcscd.service",
        "passim.service",
        "pcscd.socket",
        "packagekit-offline-update.service",
        "phoronix-result-server.service",
        "paccache.timer",
        "plymouth-kexec.service",
        "pamac-cleancache.timer",
        "plymouth-quit.service",
        "partimaged.service",
        "plymouth-poweroff.service",
        "plymouth-read-write.service",
        "plymouth-quit-wait.service",
        "paccache.service",
        "plymouth-switch-root-initramfs.service",
        "ostree-remount.service",
        "plymouth-switch-root.service",
        "openvpn-client@.service",
        "podman-clean-transient.service",
        "pamac-offline-upgrade.service",
        "polkit.service",
        "postfix.service",
        "pam_namespace.service",
        "poweroff.target",
        "ppp@.service",
        "opensnitchd.service",
        "proc-fs-nfsd.mount",
        "proc-sys-fs-binfmt_misc.automount",
        "proc-sys-fs-binfmt_misc.mount",
        "phoromatic-server.service",
        "ptunnel.service",
        "openvpn-server@.service",
        "plymouth-halt.service",
        "pamac-cleancache.service",
        "plymouth-reboot.service",
        "ostree-state-overlay@.service",
        "ostree-finalize-staged.service",
        "postgresql.service",
        "phoromatic-client.service",
        "pamac-daemon.service",
        "pacman-filesdb-refresh.service",
        "packagekit.service",
        "pkgfile-update.service",
        "pkgfile-update.timer",
        "plymouth-start.service",
        "ostree-prepare-root.service",
        "ostree-finalize-staged.path",
        "privoxy.service",
        "ostree-finalize-staged-hold.service",
        "qemu-guest-agent.service",
        "quotaon.service",
        "quotaon-root.service",
        "quotaon@.service",
        "rabbitmq.service",
        "ras-mc-ctl.service",
        "rasdaemon.service",
        "rathole@.service",
        "ratholec@.service",
        "ratholes@.service",
        "rc-local.service",
        "rdnssd@.service",
        "reboot.target",
        "redis.service",
        "redis-sentinel.service",
        "reflector.service",
        "reflector.timer",
        "remote-cryptsetup.target",
        "remote-fs.target",
        "remote-fs-pre.target",
        "remote-veritysetup.target",
        "rescue.service",
        "rescue.target",
        "rfkill-block@.service",
        "rfkill-unblock@.service",
        "rlogin.socket",
        "rlogin@.service",
        "rpc-gssd.service",
        "rpc-statd.service",
        "rpc-statd-notify.service",
        "rpc_pipefs.target",
        "rpcbind.service",
        "rpcbind.socket",
        "rpcbind.target",
        "rsh.socket",
        "rsh@.service",
        "rsyncd.service",
        "rsyncd.socket",
        "rsyncd@.service",
        "rtkit-daemon.service",
        "runlevel0.target",
        "runlevel1.target",
        "runlevel2.target",
        "runlevel3.target",
        "runlevel4.target",
        "runlevel5.target",
        "runlevel6.target",
        "rwhod.service",
        "samba.service",
        "sddm.service",
        "seatd.service",
        "sensord.service",
        "serial-getty@.service",
        "shadow.service",
        "shadow.timer",
        "sigpwr.target",
        "slapd.service",
        "sleep.target",
        "slices.target",
        "smartd.service",
        "smb.service",
        "sndiod.service",
        "snmpd.service",
        "snmptrapd.service",
        "snort@.service",
        "snort@1000.service",
        "soft-reboot.target",
        "ssh-access.target",
        "sshd.service",
        "sshdgenkeys.service",
        "sshuttle.service",
        "sslh.service",
        "sslh-fork.service",
        "sslh-select.service",
        "storage-target-mode.target",
        "stunnel.service",
        "sudo_logsrvd.service",
        "suspend.target",
        "suspend-then-hibernate.target",
        "svnserve.service",
        "swap.target",
        "sys-fs-fuse-connections.mount",
        "sys-kernel-config.mount",
        "sys-kernel-debug.mount",
        "sys-kernel-tracing.mount",
        "sysinit.target",
        "syslog.socket",
        "system-systemd\\x2dcryptsetup.slice",
        "system-systemd\\x2dveritysetup.slice",
        "system-update.target",
        "system-update-cleanup.service",
        "system-update-pre.target",
        "systemd-ask-password-console.path",
        "systemd-ask-password-console.service",
        "systemd-ask-password-plymouth.path",
        "systemd-ask-password-plymouth.service",
        "systemd-ask-password-wall.path",
        "systemd-ask-password-wall.service",
        "systemd-backlight@.service",
        "systemd-battery-check.service",
        "systemd-binfmt.service",
        "systemd-bless-boot.service",
        "systemd-boot-check-no-failures.service",
        "systemd-boot-random-seed.service",
        "systemd-boot-update.service",
        "systemd-bootctl.socket",
        "systemd-bootctl@.service",
        "systemd-bsod.service",
        "systemd-confext.service",
        "systemd-coredump.socket",
        "systemd-coredump@.service",
        "systemd-creds.socket",
        "systemd-creds@.service",
        "systemd-firstboot.service",
        "systemd-fsck-root.service",
        "systemd-fsck@.service",
        "systemd-growfs-root.service",
        "systemd-growfs@.service",
        "systemd-halt.service",
        "systemd-hibernate.service",
        "systemd-hibernate-resume.service",
        "systemd-homed.service",
        "systemd-homed-activate.service",
        "systemd-homed-firstboot.service",
        "systemd-hostnamed.service",
        "systemd-hostnamed.socket",
        "systemd-hwdb-update.service",
        "systemd-hybrid-sleep.service",
        "systemd-importd.service",
        "systemd-initctl.service",
        "systemd-initctl.socket",
        "systemd-journal-catalog-update.service",
        "systemd-journal-flush.service",
        "systemd-journal-gatewayd.service",
        "systemd-journal-gatewayd.socket",
        "systemd-journal-remote.service",
        "systemd-journal-remote.socket",
        "systemd-journal-upload.service",
        "systemd-journald.service",
        "systemd-journald.socket",
        "systemd-journald-audit.socket",
        "systemd-journald-dev-log.socket",
        "systemd-journald-varlink@.socket",
        "systemd-journald@.service",
        "systemd-journald@.socket",
        "systemd-kexec.service",
        "systemd-localed.service",
        "systemd-logind.service",
        "systemd-machine-id-commit.service",
        "systemd-machined.service",
        "systemd-modules-load.service",
        "systemd-network-generator.service",
        "systemd-networkd.service",
        "systemd-networkd.socket",
        "systemd-networkd-persistent-storage.service",
        "systemd-networkd-wait-online.service",
        "systemd-networkd-wait-online@.service",
        "systemd-nspawn@.service",
        "systemd-oomd.service",
        "systemd-oomd.socket",
        "systemd-pcrextend.socket",
        "systemd-pcrextend@.service",
        "systemd-pcrfs-root.service",
        "systemd-pcrfs@.service",
        "systemd-pcrlock.socket",
        "systemd-pcrlock-file-system.service",
        "systemd-pcrlock-firmware-code.service",
        "systemd-pcrlock-firmware-config.service",
        "systemd-pcrlock-machine-id.service",
        "systemd-pcrlock-make-policy.service",
        "systemd-pcrlock-secureboot-authority.service",
        "systemd-pcrlock-secureboot-policy.service",
        "systemd-pcrlock@.service",
        "systemd-pcrmachine.service",
        "systemd-pcrphase.service",
        "systemd-pcrphase-initrd.service",
        "systemd-pcrphase-sysinit.service",
        "systemd-portabled.service",
        "systemd-poweroff.service",
        "systemd-pstore.service",
        "systemd-quotacheck.service",
        "systemd-quotacheck-root.service",
        "systemd-quotacheck@.service",
        "systemd-random-seed.service",
        "systemd-reboot.service",
        "systemd-remount-fs.service",
        "systemd-repart.service",
        "systemd-resolved.service",
        "systemd-rfkill.service",
        "systemd-rfkill.socket",
        "systemd-soft-reboot.service",
        "systemd-storagetm.service",
        "systemd-suspend.service",
        "systemd-suspend-then-hibernate.service",
        "systemd-sysctl.service",
        "systemd-sysext.service",
        "systemd-sysext.socket",
        "systemd-sysext@.service",
        "systemd-sysupdate.service",
        "systemd-sysupdate.timer",
        "systemd-sysupdate-reboot.service",
        "systemd-sysupdate-reboot.timer",
        "systemd-sysusers.service",
        "systemd-time-wait-sync.service",
        "systemd-timedated.service",
        "systemd-timesyncd.service",
        "systemd-tmpfiles-setup-dev.service",
        "systemd-tmpfiles-setup-dev-early.service",
        "systemd-tpm2-setup.service",
        "systemd-tpm2-setup-early.service",
        "systemd-udev-trigger.service",
        "systemd-udevd.service",
        "systemd-udevd-control.socket",
        "systemd-udevd-kernel.socket",
        "systemd-update-done.service",
        "systemd-update-utmp.service",
        "systemd-update-utmp-runlevel.service",
        "systemd-user-sessions.service",
        "systemd-userdbd.service",
        "systemd-userdbd.socket",
        "systemd-vconsole-setup.service",
        "systemd-vmspawn@.service",
        "systemd-volatile-root.service",
        "systemd-zram-setup@.service",
        "talk.service",
        "talk.socket",
        "teamd@.service",
        "telnet.socket",
        "telnet@.service",
        "time-set.target",
        "time-sync.target",
        "tinc.service",
        "tinc@.service",
        "tinyproxy.service",
        "tlp.service",
        "tmp.mount",
        "tor.service",
        "tpm2.target",
        "udisks2.service",
        "udp2raw@.service",
        "ufw.service",
        "uksmd.service",
        "umount.target",
        "unbound.service",
        "updatedb.service",
        "updatedb.timer",
        "upower.service",
        "usb-gadget.target",
        "usb_modeswitch@.service",
        "usbipd.service",
        "usbmuxd.service",
        "user.slice",
        "user-runtime-dir@.service",
        "user@.service",
        "uuidd.service",
        "uuidd.socket",
        "var-lib-machines.mount",
        "var-lib-nfs-rpc_pipefs.mount",
        "vboxdrmclient.path",
        "vboxdrmclient.service",
        "vboxservice.service",
        "veritysetup.target",
        "veritysetup-pre.target",
        "virt-guest-shutdown.target",
        "virtchd.service",
        "virtchd.socket",
        "virtchd-admin.socket",
        "virtchd-ro.socket",
        "virtinterfaced.service",
        "virtinterfaced.socket",
        "virtinterfaced-admin.socket",
        "virtinterfaced-ro.socket",
        "virtlockd.service",
        "virtlockd.socket",
        "virtlockd-admin.socket",
        "virtlogd.service",
        "virtlogd.socket",
        "virtlogd-admin.socket",
        "virtlxcd.service",
        "virtlxcd.socket",
        "virtlxcd-admin.socket",
        "virtlxcd-ro.socket",
        "virtnetworkd.service",
        "virtnetworkd.socket",
        "virtnetworkd-admin.socket",
        "virtnetworkd-ro.socket",
        "virtnodedevd.service",
        "virtnodedevd.socket",
        "virtnodedevd-admin.socket",
        "virtnodedevd-ro.socket",
        "virtnwfilterd.service",
        "virtnwfilterd.socket",
        "virtnwfilterd-admin.socket",
        "virtnwfilterd-ro.socket",
        "virtproxyd.service",
        "virtproxyd.socket",
        "virtproxyd-admin.socket",
        "virtproxyd-ro.socket",
        "virtproxyd-tcp.socket",
        "virtproxyd-tls.socket",
        "virtqemud.service",
        "virtqemud.socket",
        "virtqemud-admin.socket",
        "virtqemud-ro.socket",
        "virtsecretd.service",
        "virtsecretd.socket",
        "virtsecretd-admin.socket",
        "virtsecretd-ro.socket",
        "virtstoraged.service",
        "virtstoraged.socket",
        "virtstoraged-admin.socket",
        "virtstoraged-ro.socket",
        "virtvboxd.service",
        "virtvboxd.socket",
        "virtvboxd-admin.socket",
        "virtvboxd-ro.socket",
        "vmtoolsd.service",
        "vmware-vmblock-fuse.service",
        "vpnc@.service",
        "wacom-inputattach@.service",
        "wg-quick.target",
        "wg-quick@.service",
        "winbind.service",
        "wondershaper.service",
        "wpa_supplicant.service",
        "wpa_supplicant-nl80211@.service",
        "wpa_supplicant-wired@.service",
        "wpa_supplicant@.service",
        "xfs_scrub@.service",
        "xfs_scrub_all.service",
        "xfs_scrub_all.timer",
        "xfs_scrub_fail@.service",
        "xl2tpd.service",
        "xplico.service",
        "xrdp.service",
        "xrdp-sesman.service",
        "yate.service",
        "zfs.target",
        "zfs-import.service",
        "zfs-import.target",
        "zfs-import-cache.service",
        "zfs-import-scan.service",
        "zfs-load-key.service",
        "zfs-mount.service",
        "zfs-scrub-monthly@.timer",
        "zfs-scrub-weekly@.timer",
        "zfs-scrub@.service",
        "zfs-share.service",
        "zfs-trim-monthly@.timer",
        "zfs-trim-weekly@.timer",
        "zfs-trim@.service",
        "zfs-volume-wait.service",
        "zfs-volumes.target",
        "zfs-zed.service",
        "plymouth.conf",
        "gpg-agent-ssh@etc-pacman.d-gnupg.socket",
        "keyboxd@etc-pacman.d-gnupg.socket",
        "dirmngr@etc-pacman.d-gnupg.socket",
        "gpg-agent-browser@etc-pacman.d-gnupg.socket",
        "gpg-agent-extra@etc-pacman.d-gnupg.socket",
        "gpg-agent@etc-pacman.d-gnupg.socket",
        "https://hybrid-analysis.com/sample/ff42428f0fcc346cc56e2b00d4b5c4bd43b55f3465b4ccab0efba9c88f4a1c03/661da0b063c895fc2d0a78dc",
        "https://hybrid-analysis.com/sample/9613dee39157b5f9935436b36647047e267b7c10fa4c7ab1fd995db681e58c12/661da5b202eaca78740cf4ed",
        "https://hybrid-analysis.com/sample/479a0170df010c5eb742ff1b8740a2ccf381df44c8a919c95d6e38685278e78a/661da5c768340c1e25092cb2",
        "50-rc_keymap.conf",
        "10-defaults.conf",
        "10-login-barrier.conf",
        "20-systemd-userdb.conf",
        "20-systemd-ssh-proxy.conf",
        "iptables-flush",
        "cpupower",
        "chkboot-bootcheck",
        "10-root.conf",
        "30-root-verity-sig.conf",
        "20-root-verity.conf",
        "80-systemd-timesync.list",
        "80-6rd-tunnel.link",
        "80-container-ve.network",
        "80-container-vb.network",
        "80-container-vz.link",
        "80-6rd-tunnel.network",
        "80-container-vz.network",
        "80-auto-link-local.network.example",
        "80-ethernet.network.example",
        "80-container-host0.network",
        "80-iwd.link",
        "80-container-vb.link",
        "80-vm-vt.link",
        "80-vm-vt.network",
        "80-wifi-adhoc.network",
        "80-wifi-ap.network.example",
        "80-wifi-station.network.example",
        "80-container-ve.link",
        "89-ethernet.network.example",
        "99-default.link",
        "dbus-broker.catalog",
        "dbus-broker-launch.catalog",
        "systemd.be.catalog",
        "systemd.be@latin.catalog",
        "systemd.da.catalog",
        "systemd.bg.catalog",
        "systemd.hu.catalog",
        "systemd.catalog",
        "systemd.it.catalog",
        "systemd.fr.catalog",
        "systemd.ko.catalog",
        "systemd.hr.catalog",
        "systemd.pl.catalog",
        "systemd.pt_BR.catalog",
        "systemd.ru.catalog",
        "systemd.sr.catalog",
        "systemd.zh_CN.catalog",
        "systemd.de.catalog",
        "systemd.zh_TW.catalog",
        "expl_cve_2021_40444.yar"
      ],
      "public": 1,
      "adversary": "Chinese Speaking",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "RemainAfterExit",
          "display_name": "RemainAfterExit",
          "target": null
        },
        {
          "id": "NMBDOPTIONS",
          "display_name": "NMBDOPTIONS",
          "target": null
        },
        {
          "id": "SMBDOPTIONS",
          "display_name": "SMBDOPTIONS",
          "target": null
        },
        {
          "id": "SuccessAction",
          "display_name": "SuccessAction",
          "target": null
        },
        {
          "id": "WINBINDOPTIONS",
          "display_name": "WINBINDOPTIONS",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1205",
          "name": "Traffic Signaling",
          "display_name": "T1205 - Traffic Signaling"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1543",
          "name": "Create or Modify System Process",
          "display_name": "T1543 - Create or Modify System Process"
        },
        {
          "id": "T1569",
          "name": "System Services",
          "display_name": "T1569 - System Services"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1114",
          "name": "Email Collection",
          "display_name": "T1114 - Email Collection"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "661db37bf549518bf6f7f377",
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 123,
        "YARA": 16,
        "CVE": 4,
        "FileHash-SHA1": 25,
        "FileHash-SHA256": 20,
        "domain": 102,
        "URL": 16,
        "email": 9,
        "hostname": 4,
        "CIDR": 2
      },
      "indicator_count": 321,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 66,
      "modified_text": "3 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6a16ac89787e428fe0f7b045",
      "name": "[\"backup ios...\"] clone by Merkd1904. User note: theres a name tagged here thats interesting",
      "description": "",
      "modified": "2026-05-27T08:34:17.204000",
      "created": "2026-05-27T08:34:17.204000",
      "tags": [
        "fireeye",
        "copyright",
        "base64",
        "dotnettojscript",
        "gadgettojscript",
        "invokeclient",
        "invokeserver",
        "readhost enter",
        "command",
        "roth",
        "nextron",
        "sandworm",
        "detects ssh",
        "grant all",
        "privileges on",
        "to mysqldb",
        "create user",
        "g root",
        "sandworm python",
        "import",
        "phpsploit",
        "host",
        "user",
        "pass",
        "error",
        "establish",
        "pecl oci8",
        "connstr",
        "charset",
        "false",
        "miner",
        "texthtml",
        "module",
        "send custom",
        "swissky",
        "class",
        "serviceip",
        "serviceport",
        "servicedata",
        "e binsh",
        "init",
        "service port",
        "detects",
        "cve202140444",
        "target",
        "targetmode",
        "jeremy brown",
        "windows cve",
        "ms office",
        "modified rule",
        "rperm",
        "wperm",
        "pathsep",
        "string",
        "rwxrxrx",
        "file types",
        "unix",
        "login",
        "autentication",
        "disable",
        "ldapconnect",
        "version",
        "authentication",
        "ldaplist",
        "null",
        "pathelems",
        "execute",
        "backdoor",
        "kingdee oa",
        "yunxingkong",
        "b6oa",
        "code execution",
        "kingdee cloud",
        "starry sky",
        "otherwise",
        "file",
        "setsmartdate",
        "fread",
        "name",
        "force",
        "base64decode",
        "data",
        "substr",
        "array",
        "readdir",
        "getowner",
        "getgroup",
        "getsize",
        "force option",
        "fwrite",
        "permission",
        "check",
        "mode",
        "diraccess",
        "fileaccess",
        "realpath",
        "stat",
        "immutable",
        "posixgetpwuid",
        "posixgetgrgid",
        "explode",
        "etcpasswd",
        "glob",
        "globonlydir",
        "oraclelogin",
        "port",
        "servicename",
        "connector",
        "base",
        "query type",
        "mssqlfetcharray",
        "mssqlassoc",
        "solsocket",
        "timeout",
        "range",
        "portmin",
        "portmax",
        "socketcreate",
        "afinet",
        "sockstream",
        "open",
        "type",
        "true",
        "tcp connection",
        "tcp shell",
        "input",
        "lhost",
        "netcat",
        "lport",
        "shell",
        "dllimport",
        "python",
        "back",
        "fore",
        "pfinet",
        "stdout",
        "this",
        "win32",
        "ldapsearch",
        "select",
        "mysqliassoc",
        "select database",
        "send",
        "newfile",
        "dns stub",
        "third party",
        "see man",
        "exit",
        "o pipefail",
        "v systemctl",
        "devnull",
        "unknown verb",
        "license",
        "gnu lesser",
        "general public",
        "free software",
        "foundation",
        "unit",
        "slice",
        "cpuweight100",
        "tasks slice",
        "cpuweight30",
        "capev2",
        "cape",
        "cuckoo web",
        "setup",
        "grep",
        "limitnofile",
        "install",
        "return",
        "execstart",
        "start",
        "descriptionrun",
        "timer",
        "oncalendardaily",
        "service",
        "prevent rate",
        "delay start",
        "m poetry",
        "sigkill",
        "descriptioncape",
        "ef usercape",
        "g cape",
        "allowisolateyes",
        "typedbus",
        "socket",
        "message bus",
        "listenstream",
        "typenotify",
        "descriptionuser",
        "harald sitter",
        "sitter",
        "kcrash",
        "drkonqi",
        "acceptyes",
        "disable trigger",
        "todo",
        "prevents",
        "path",
        "pathexistsglob",
        "runtimemaxsec31",
        "runtimemaxsec30",
        "restartno",
        "descriptionexit",
        "environmentfile",
        "otheropts",
        "soundfont",
        "descriptiongcr",
        "sshauthsock",
        "descriptionglib",
        "priority6",
        "killmodeprocess",
        "proxy",
        "socketmode0600",
        "apache software",
        "notice file",
        "apache license",
        "unless",
        "as is",
        "basis",
        "or conditions",
        "apple file",
        "conduit monitor",
        "descriptionjack",
        "jackoptions d",
        "driver d",
        "device",
        "media transfer",
        "indexer daemon",
        "memory",
        "memoryhigh512m",
        "system sockets",
        "a user",
        "conditionuser",
        "dbus menus",
        "plasma",
        "phase",
        "workspace core",
        "exit status",
        "x11 connection",
        "timeoutstopsec5",
        "disable restart",
        "timeoutsec40sec",
        "typeoneshot",
        "david edmundson",
        "davidedmundson",
        "osd service",
        "portal",
        "auto restart",
        "dbus",
        "xembed system",
        "logging system",
        "socketmode0660",
        "all containers",
        "restart policy",
        "logging start",
        "execstopbinsh c",
        "logging",
        "x11 plugins",
        "session slice",
        "typeforking",
        "etc userroot",
        "grouproot",
        "onbootsec15min",
        "place",
        "temporary",
        "volatile files",
        "thunar",
        "session manager",
        "wireplumber",
        "service file",
        "xdg autostart",
        "user dir",
        "descriptionxfce",
        "sandbox",
        "malware",
        "analysis",
        "online",
        "submit",
        "vxstream",
        "sample",
        "download",
        "trojan",
        "apt",
        "memoryfile scan",
        "ansi",
        "bpf program",
        "indicator",
        "bpf firewalling",
        "pcap",
        "pcap processing",
        "bpffallowmulti",
        "bpf device",
        "date",
        "suspicious",
        "hybrid",
        "crypto",
        "close",
        "click",
        "april",
        "strings",
        "february",
        "middle",
        "exploit",
        "gameover",
        "contact",
        "scope",
        "thomas koch",
        "gpl v2",
        "imsm",
        "ibftruledir",
        "ibftrules",
        "attr",
        "systemd rule",
        "hannes reinecke",
        "suse labs",
        "ipibft",
        "interface",
        "kernel",
        "configfile",
        "typesimple",
        "apparmor",
        "grouparchaudit",
        "hardening",
        "umask077",
        "persistenttrue",
        "enable debug",
        "networkmanager",
        "trace",
        "wait online",
        "edit",
        "note",
        "reload",
        "capdacoverride",
        "dhcp etc",
        "mdadmscan",
        "mdadmdelay",
        "mdadmmail",
        "mdadmprogram",
        "mdadmconfig",
        "mdadmsendmail",
        "p runsysconfig",
        "userroot",
        "sssd",
        "write access",
        "needed sometime",
        "statedirectory",
        "accountsservice",
        "varloglastlog",
        "bridge daemon",
        "alsa card",
        "card state",
        "required",
        "another auto",
        "nice daemon",
        "memorymax64m",
        "filter system",
        "mount",
        "reboot",
        "clock",
        "logging service",
        "requires",
        "before",
        "please",
        "exit codes",
        "proc",
        "descriptionruns",
        "execstartsh c",
        "switchtoggle",
        "ignoreonisolate",
        "term typeidle",
        "without",
        "any warranty",
        "merchantability",
        "fitness",
        "a particular",
        "vartmp",
        "wants type",
        "preparation",
        "watchdogsec10",
        "filesystem",
        "timer daemon",
        "options",
        "environment",
        "prevent",
        "readwritepaths",
        "security",
        "certain",
        "protectsystem",
        "bindpaths",
        "lower cpu",
        "nice19",
        "manager",
        "userc",
        "celerydnodes",
        "info",
        "chaddevops",
        "aaron brighton",
        "clam antivirus",
        "jon kriel",
        "distribution",
        "script",
        "sanesecurity",
        "securiteinfo",
        "malwarepatrol",
        "oitc",
        "file location",
        "remember",
        "typeexec user",
        "9 cntlm",
        "generate color",
        "profiles",
        "removeipctrue",
        "devpts",
        "authors",
        "any kind",
        "usercouchdb",
        "restartsec5",
        "volumes",
        "server socket",
        "user209",
        "daemon",
        "darkstatiface",
        "reloadconfig",
        "watchdogsec3min",
        "privatetmpyes",
        "protectproc",
        "increase",
        "descriptiontime",
        "date service",
        "debugging only",
        "ignoresigpipeno",
        "unset locale",
        "file system",
        "queue file",
        "whatmqueue",
        "optionsnosuid",
        "pf rundhclient",
        "rate",
        "requiresdirmngr",
        "capfowner",
        "capsetpcap",
        "dhcp",
        "dns server",
        "startlimit",
        "limits",
        "delegateyes",
        "descriptionpass",
        "runtimemaxsec5",
        "mountain",
        "metadata check",
        "all filesystems",
        "online metadata",
        "sunday",
        "oncalendarsun",
        "online ext4",
        "sigterm signal",
        "java process",
        "piddir",
        "standardoutput",
        "elasticsearch",
        "limitnproc4096",
        "limitasinfinity",
        "sendsighupyes",
        "mapper daemon",
        "mainpid",
        "quit",
        "listenstream79",
        "radius server",
        "d etcraddb",
        "protecthomeon",
        "default",
        "systemservice",
        "efiefi bootefi",
        "afinet afinet6",
        "afunix afinet",
        "oncalendar 0000",
        "privatetmptrue",
        "geoip legacy",
        "geoip2",
        "instance",
        "usergit",
        "scdconfig",
        "notice",
        "devinputmice t",
        "descriptiongps",
        "system",
        "sock refclock",
        "gpsdoptions",
        "devices",
        "daemon sockets",
        "2947",
        "bindipv6onlyyes",
        "usbauto",
        "usrbingpsdctl",
        "gps daemon",
        "afterdev",
        "gvmddata",
        "varlibgssproxy",
        "nonewprivileges",
        "privatetmp",
        "protecthome",
        "ieee",
        "etchostapd",
        "killmodemixed",
        "fcopy",
        "uncomment",
        "use sigterm",
        "sigkill i2pd",
        "sendsigkillyes",
        "limitnofile8192",
        "systemd",
        "analog",
        "shutting down",
        "iodineextip p",
        "iodineport p",
        "iodineuser",
        "tunip",
        "topdomain",
        "guessmainpidyes",
        "m node",
        "wants",
        "initiatorname",
        "io driver",
        "typeexec",
        "c etckcptun",
        "usernobody",
        "requireskeyboxd",
        "static device",
        "nofork",
        "restartalways",
        "linker cache",
        "hack",
        "use wants",
        "raise",
        "tasksmax",
        "tasksmax32768",
        "limitmemlock64m",
        "removeonstopyes",
        "ip socket",
        "tls ip",
        "conflictsgetty",
        "aftergetty",
        "busmodules",
        "qabr",
        "hwmonmodules",
        "local file",
        "privatenetwork",
        "lvm2",
        "initialization",
        "autoboot code",
        "s delegatetrue",
        "description",
        "pidfilerunlxc",
        "lynis service",
        "adjust path",
        "lynis binary",
        "lynis timer",
        "tell systemd",
        "lynis security",
        "persistentfalse",
        "container slice",
        "recover",
        "varcacheman",
        "regenerate man",
        "userroot nice19",
        "mysqldopts",
        "mysqldsafe",
        "timezone",
        "core",
        "restart",
        "users",
        "backlog150",
        "listenstreams",
        "servicemariadb",
        "mechanism",
        "mariadb",
        "multi instance",
        "variables",
        "bindirmdadm",
        "gnu general",
        "public license",
        "reshape",
        "onactivesec30",
        "oncalendar",
        "wantedby",
        "monitor",
        "allow mdmon",
        "takeover",
        "k none",
        "c devnull",
        "d runinitramfs",
        "p runmongodb",
        "limitnproc32000",
        "limitmemlock5",
        "device server",
        "requiredbydev",
        "d dev",
        "descriptionreal",
        "extraopts",
        "restartsec30",
        "valid",
        "fifo",
        "priority",
        "batch",
        "nice0",
        "partof",
        "tracking daemon",
        "helper",
        "for testing",
        "only",
        "restrict",
        "grant",
        "capsysptrace",
        "capkill",
        "capipclock",
        "environ",
        "capsysresource",
        "capsyslog",
        "descriptionname",
        "service cache",
        "sysvlsb",
        "descriptionhost",
        "network name",
        "group name",
        "u ntp",
        "time service",
        "t hibernate",
        "software",
        "other",
        "the software",
        "daemon init",
        "software is",
        "provided",
        "fcnvme",
        "wantsmodprobe",
        "aftermodprobe",
        "descriptionall",
        "nbft",
        "nvmeof",
        "connectargs",
        "unit file",
        "descriptionnvmf",
        "red hat",
        "without any",
        "warranty",
        "card daemon",
        "socketmode0666",
        "suite result",
        "kexec screen",
        "oncalendarsat",
        "boot screen",
        "timeoutsec20",
        "power off",
        "runtime data",
        "descriptionhold",
        "timeoutsec0",
        "sandboxing",
        "execstop",
        "colin walters",
        "upgrade",
        "upgrade output",
        "umask0077",
        "transport agent",
        "descriptionmake",
        "descriptionppp",
        "whatnfsd",
        "file formats",
        "automount point",
        "automount",
        "setuid nobody",
        "setgid nobody",
        "setcon",
        "syslog",
        "restartonabort",
        "halt screen",
        "reboot screen",
        "pgroot",
        "postgresql",
        "oom killer",
        "additional",
        "fy nice19",
        "endless os",
        "foundation llc",
        "restartsec0",
        "system quotas",
        "rabbitmq",
        "protecthometrue",
        "etcrathole",
        "guessmainpidno",
        "h etcrdnssd",
        "reflector",
        "afinet6 afunix",
        "umask177",
        "remote file",
        "nfs client",
        "nfsv23 locking",
        "make sure",
        "rpc netconfig",
        "descriptionfast",
        "using ssh",
        "so let",
        "boot",
        "realtimekit",
        "rwhodopts",
        "display manager",
        "specify",
        "interval l",
        "loginterval f",
        "bindstodev",
        "always",
        "usrbingrpck r",
        "slapdoptions",
        "u ldap",
        "slapdurls",
        "smart",
        "pciusb",
        "midi",
        "daemonopts",
        "snmp",
        "trap daemon",
        "g snort",
        "descriptionsudo",
        "hibernate",
        "svnserveargs",
        "whatfusectl",
        "whatconfigfs",
        "whatdebugfs",
        "whattracefs",
        "best way",
        "see https",
        "units service",
        "service slice",
        "offline system",
        "update",
        "wall directory",
        "timeoutsec90s",
        "descriptionmark",
        "current boot",
        "loader entry",
        "any system",
        "units",
        "loader random",
        "loader update",
        "service socket",
        "dump socket",
        "optionally",
        "root device",
        "afalg afinet",
        "execstophomectl",
        "home area",
        "named pipe",
        "sink service",
        "sink socket",
        "upload service",
        "dynamicuseryes",
        "sigkilled",
        "devlog",
        "timestampingus",
        "namespace",
        "sendbuffer8m",
        "kernel command",
        "netlink socket",
        "storage",
        "descriptionwait",
        "network",
        "make",
        "deviceallow",
        "reserve",
        "killer socket",
        "root file",
        "measurement",
        "pcr policy",
        "tpm pcr",
        "code",
        "configuration",
        "machine id",
        "barrier",
        "quota check",
        "system quota",
        "after",
        "random seed",
        "kernel file",
        "gpt partition",
        "kill switch",
        "nvmetcp",
        "trigger",
        "saturday",
        "persistentyes",
        "system update",
        "kernel time",
        "capsystime",
        "ntp service",
        "turn",
        "files",
        "device nodes",
        "srk setup",
        "device events",
        "bootshutdown",
        "change",
        "manager socket",
        "descriptiontinc",
        "proxy server",
        "linrunner",
        "descriptiontlp",
        "tor service",
        "f etctortorrc",
        "tpm device",
        "descriptionudp",
        "tcpicmpudp",
        "etcudp2raw",
        "debug",
        "swap",
        "api file",
        "privatedevices",
        "home",
        "root",
        "runuser",
        "linux control",
        "groups",
        "group",
        "afnetlink",
        "locked memory",
        "limitmemlock0",
        "usb gadget",
        "apple",
        "sliceuser",
        "descriptionuuid",
        "compatibility",
        "typerpcpipefs",
        "vmsvga",
        "hypervisor",
        "usr1",
        "mgmt appuser",
        "dac permission",
        "selinux",
        "xxx someone",
        "qemu",
        "machine tools",
        "vmware tools",
        "pidfilerunvpnc",
        "wacom",
        "iface d",
        "dspeed u",
        "iface",
        "descriptionwpa",
        "oracle",
        "reserved",
        "wong",
        "emailaddr",
        "tunnel protocol",
        "l2tp",
        "isps",
        "russia use",
        "ipsec",
        "d optxplico",
        "b sqlite",
        "descriptionxrdp",
        "xrdpoptions",
        "process",
        "sesmanoptions",
        "zpoolimportopts",
        "an o",
        "t scrub",
        "usrbinzpool",
        "zfs volume",
        "descriptionzfs",
        "f restartalways",
        "remainafterexit",
        "nmbdoptions",
        "smbdoptions",
        "successaction",
        "winbindoptions",
        "ck id",
        "hybrid analysis",
        "mitre att",
        "malicious",
        "sdshared ansi",
        "default und",
        "func global",
        "func local",
        "object local",
        "general",
        "show technique",
        "ck matrix",
        "tasksmax33",
        "empty file",
        "proxycommand",
        "checkhostip",
        "afunix",
        "afvsock",
        "allow",
        "r table",
        "chkbootcheck",
        "gplv2 source",
        "chkbootstyles",
        "etcissue",
        "partition",
        "minimizebest",
        "mit no",
        "match",
        "link",
        "namepolicykeep",
        "ethernet link",
        "kindveth nameve",
        "kindveth namevb",
        "keepmasteryes",
        "dhcpv4",
        "kindsit name6rd",
        "ipv4ll",
        "ipv6ll",
        "dhcpipv6ra",
        "dhcpv6",
        "typeether",
        "dhcpyes",
        "usetimezoneyes",
        "typewlan",
        "tuntap",
        "natdhcp",
        "kindtun namevt",
        "kind",
        "originalname",
        "definedby",
        "peer",
        "sopeergroups",
        "dbus protocol",
        "dbus name",
        "exec",
        "hup signal",
        "sighup",
        "dnssec",
        "sessionid",
        "seatid",
        "sleep",
        "leader",
        "jobresult",
        "coredumppid",
        "coredumpcomm",
        "junit",
        "na zapusk",
        "mikrasiekund",
        "enhed",
        "mikrosekunder",
        "opstart",
        "jobid",
        "a rendszer",
        "ezredmsodpercet",
        "a rendszernapl",
        "user manager",
        "smack",
        "lunit",
        "stato",
        "il processo",
        "il sistema",
        "stata",
        "le processus",
        "notez que",
        "jedinica",
        "zapamtite da",
        "nova",
        "jednostka",
        "prosz zauway",
        "zwykle wskazuje",
        "jest",
        "o processo",
        "processo",
        "isso",
        "inicializao",
        "journal",
        "sizelimit",
        "userid",
        "prozess",
        "speicherabbild",
        "hinweis auf",
        "programmfehler",
        "fehler dem",
        "die systemzeit",
        "realtime"
      ],
      "references": [
        "Hunting_B64Engine_DotNetToJScript_Dos.yar",
        "APT_Backdoor_PS1_BASICPIPESHELL_1.yar",
        "apt_sandworm_exim_expl.yar.002",
        "apt_sandworm_exim_expl.yar.001",
        "apt_sandworm_exim_expl.yar",
        "connect.php",
        "connect.php.002",
        "connect.php.001",
        "crypto-miner.js",
        "eicar",
        "eicar.001",
        "eicar.002",
        "custom.py",
        "eicar.txt",
        "expl_cve_2021_40444.yar.001",
        "expl_cve_2021_40444.yar.002",
        "getPerms.php",
        "input.pcap",
        "list.php",
        "parent.php",
        "payload.php",
        "payload.php.001",
        "kingdee-erp-rce.yaml",
        "payload.php.003",
        "payload.php.002",
        "payload.php.004",
        "payload.php.005",
        "payload.php.006",
        "payload.php.007",
        "payload.php.008",
        "payload.php.010",
        "payload.php.011",
        "payload.php.009",
        "payload.php.012",
        "payload.php.013",
        "payload.php.015",
        "payload.php.016",
        "payload.php.017",
        "reverse_tcp.py",
        "scanner.php",
        "search.php",
        "setdb.php",
        "payload.php.014",
        "setdb.php.001",
        "reader.php",
        "single.php",
        "resolv.conf",
        "systemd-update-helper",
        "90-systemd.preset",
        "60-flatpak",
        "app.slice",
        "background.slice",
        "README.md",
        "bluetooth.target",
        "basic.target",
        "borgmatic-user.timer",
        "borgmatic-user.service",
        "cape.service",
        "cape-dist.service",
        "cape-processor.service",
        "cape-rooter.service",
        "capsule@.target",
        "cape-web.service",
        "clash.service",
        "colord-session.service",
        "dbus.socket",
        "cape-fstab.service",
        "dbus.service",
        "dbus-broker.service",
        "dconf.service",
        "dirmngr.service",
        "default.target",
        "drkonqi-coredump-cleanup.service",
        "dirmngr.socket",
        "drkonqi-coredump-cleanup.timer",
        "drkonqi-coredump-launcher.socket",
        "drkonqi-sentry-postman.path",
        "drkonqi-coredump-pickup.service",
        "drkonqi-sentry-postman.service",
        "drkonqi-sentry-postman.timer",
        "drkonqi-coredump-launcher@.service",
        "dunst.service",
        "flatpak-oci-authenticator.service",
        "filter-chain.service",
        "exit.target",
        "flatpak-session-helper.service",
        "fluidsynth.service",
        "gcr-ssh-agent.socket",
        "flatpak-portal.service",
        "gcr-ssh-agent.service",
        "gnome-keyring-daemon.service",
        "glib-pacrunner.service",
        "gnome-keyring-daemon.socket",
        "gpg-agent-ssh.socket",
        "gnome-terminal-server.service",
        "gpg-agent-extra.socket",
        "gpg-agent.service",
        "gpg-agent.socket",
        "gpg-agent-browser.socket",
        "graphical-session-pre.target",
        "graphical-session.target",
        "gssuserproxy.socket",
        "guacd.service",
        "gvfs-gphoto2-volume-monitor.service",
        "gvfs-daemon.service",
        "gssuserproxy.service",
        "gvfs-afc-volume-monitor.service",
        "gvfs-metadata.service",
        "jack@.service",
        "guac-web.service",
        "gvfs-udisks2-volume-monitor.service",
        "gvfs-mtp-volume-monitor.service",
        "kde-baloo.service",
        "keyboxd.service",
        "kio-fuse.service",
        "keyboxd.socket",
        "p11-kit-server.service",
        "p11-kit-server.socket",
        "paths.target",
        "pipewire.socket",
        "pipewire-pulse.service",
        "plasma-gmenudbusmenuproxy.service",
        "pipewire-pulse.socket",
        "plasma-baloorunner.service",
        "plasma-kcminit.service",
        "plasma-dolphin.service",
        "plasma-kcminit-phase1.service",
        "plasma-core.target",
        "plasma-kded.service",
        "pipewire.service",
        "plasma-kded6.service",
        "plasma-kglobalaccel.service",
        "at-spi-dbus-bus.service",
        "plasma-krunner.service",
        "plasma-kscreen.service",
        "plasma-kscreen-osd.service",
        "plasma-ksmserver.service",
        "plasma-ksplash.service",
        "plasma-ksplash-ready.service",
        "plasma-ksystemstats.service",
        "plasma-kwallet-pam.service",
        "plasma-kwin_wayland.service",
        "plasma-kwin_x11.service",
        "plasma-plasmashell.service",
        "plasma-polkit-agent.service",
        "plasma-powerdevil.service",
        "plasma-powerprofile-osd.service",
        "plasma-restoresession.service",
        "plasma-workspace.target",
        "plasma-workspace-wayland.target",
        "plasma-workspace-x11.target",
        "plasma-xdg-desktop-portal-kde.service",
        "plasma-xembedsniproxy.service",
        "podman.service",
        "podman.socket",
        "podman-auto-update.service",
        "podman-auto-update.timer",
        "podman-kube@.service",
        "podman-restart.service",
        "printer.target",
        "pulseaudio.service",
        "pulseaudio.socket",
        "pulseaudio-x11.service",
        "session.slice",
        "shutdown.target",
        "smartcard.target",
        "sockets.target",
        "sound.target",
        "ssh-agent.service",
        "suricata.service",
        "suricata-update.service",
        "suricata-update.timer",
        "systemd-exit.service",
        "systemd-tmpfiles-clean.service",
        "systemd-tmpfiles-clean.timer",
        "systemd-tmpfiles-setup.service",
        "thunar.service",
        "timers.target",
        "tracker-xdg-portal-3.service",
        "tumblerd.service",
        "wireplumber.service",
        "wireplumber@.service",
        "xdg-desktop-autostart.target",
        "xdg-desktop-portal.service",
        "xdg-desktop-portal-gtk.service",
        "xdg-desktop-portal-hyprland.service",
        "xdg-desktop-portal-rewrite-launchers.service",
        "xdg-desktop-portal-xapp.service",
        "xdg-permission-store.service",
        "xdg-user-dirs-update.service",
        "xfce4-notifyd.service",
        "xsettingsd.service",
        "xdg-document-portal.service",
        "https://hybrid-analysis.com/sample/b1a9e5be43c028442c07071e202f44f33e3a2df167822c5cfed8f998e01fe169/661da09794b343782806018e",
        "defaults.conf",
        "apparmor.conf",
        "nvidia",
        "tlp",
        "fwupd.shutdown",
        "mdadm.shutdown",
        "99-default.preset",
        "50-zfs.preset",
        "ibft-rule-generator",
        "10-arch",
        "60-flatpak-system-only",
        "3proxy.service",
        "apache-tika.service",
        "apparmor.service",
        "arch-audit.service",
        "arch-audit.timer",
        "NetworkManager-dispatcher.service",
        "NetworkManager-wait-online.service",
        "NetworkManager.service",
        "SUSE-mdadm_env.sh",
        "ModemManager.service",
        "3proxy.conf",
        "archlinux-keyring-wkd-sync.service",
        "adsl.service",
        "accounts-daemon.service",
        "adb.service",
        "alsa-restore.service",
        "alsa-state.service",
        "archlinux-keyring-wkd-sync.timer",
        "ananicy-cpp.service",
        "arcolinux-graphical-target.service",
        "atftpd.service",
        "audit-rules.service",
        "auditd.service",
        "auth-rpcgss-module.service",
        "autorandr.service",
        "autorandr-lid-listener.service",
        "autovt@.service",
        "avahi-daemon.service",
        "avahi-daemon.socket",
        "avahi-dnsconfd.service",
        "bettercap.service",
        "betterlockscreen@.service",
        "blk-availability.service",
        "blockdev@.target",
        "bluetooth.service",
        "bmc-watchdog.service",
        "bolt.service",
        "boot-complete.target",
        "borgmatic.service",
        "borgmatic.timer",
        "bpftune.service",
        "btrfs-scrub@.service",
        "btrfs-scrub@.timer",
        "canberra-system-bootup.service",
        "canberra-system-shutdown.service",
        "canberra-system-shutdown-reboot.service",
        "capsule.slice",
        "capsule@.service",
        "celery2@.service",
        "celery@.service",
        "chkboot.service",
        "clamav-clamonacc.service",
        "clamav-daemon.service",
        "clamav-daemon.socket",
        "clamav-freshclam.service",
        "clamav-freshclam-once.service",
        "clamav-freshclam-once.timer",
        "clamav-unofficial-sigs.service",
        "clamav-unofficial-sigs.timer",
        "clash@.service",
        "cntlm.service",
        "colord.service",
        "configure-printer@.service",
        "console-getty.service",
        "container-getty@.service",
        "containerd.service",
        "couchdb.service",
        "cpupower.service",
        "create_ap.service",
        "cronie.service",
        "cryptsetup.target",
        "cryptsetup-pre.target",
        "ctrl-alt-del.target",
        "cups.path",
        "cups.service",
        "cups.socket",
        "cups-lpd.socket",
        "cups-lpd@.service",
        "cxl-monitor.service",
        "darkstat.service",
        "daxdev-reconfigure@.service",
        "dbus-org.freedesktop.hostname1.service",
        "dbus-org.freedesktop.import1.service",
        "dbus-org.freedesktop.locale1.service",
        "dbus-org.freedesktop.login1.service",
        "dbus-org.freedesktop.machine1.service",
        "dbus-org.freedesktop.portable1.service",
        "dbus-org.freedesktop.timedate1.service",
        "debug-shell.service",
        "dev-hugepages.mount",
        "dev-mqueue.mount",
        "dhclient@.service",
        "dhcpd4.service",
        "dhcpd6.service",
        "dirmngr@.service",
        "dirmngr@.socket",
        "dm-event.service",
        "dm-event.socket",
        "dmraid.service",
        "dnscrypt-proxy.service",
        "dnsmasq.service",
        "docker.service",
        "docker.socket",
        "drkonqi-coredump-processor@.service",
        "e2scrub@.service",
        "e2scrub_all.service",
        "e2scrub_all.timer",
        "e2scrub_fail@.service",
        "e2scrub_reap.service",
        "ead.service",
        "elasticsearch.service",
        "elasticsearch-keystore.service",
        "elasticsearch-keystore@.service",
        "elasticsearch@.service",
        "emergency.service",
        "emergency.target",
        "epmd.service",
        "epmd.socket",
        "exabgp.service",
        "factory-reset.target",
        "fancontrol.service",
        "fastnetmon.service",
        "final.target",
        "finger.socket",
        "finger@.service",
        "first-boot-complete.target",
        "flatpak-system-helper.service",
        "freeradius.service",
        "fsidd.service",
        "fstrim.service",
        "fstrim.timer",
        "ftpd.service",
        "fwupd.service",
        "fwupd-offline-update.service",
        "fwupd-refresh.service",
        "fwupd-refresh.timer",
        "geoclue.service",
        "geoipupdate.service",
        "geoipupdate.timer",
        "getty.target",
        "getty-pre.target",
        "getty@.service",
        "git-daemon.socket",
        "git-daemon@.service",
        "gnupg-pkcs11-scd-proxy.service",
        "gpg-agent-browser@.socket",
        "gpg-agent-extra@.socket",
        "gpg-agent-ssh@.socket",
        "gpg-agent@.service",
        "gpg-agent@.socket",
        "gpm.path",
        "gpm.service",
        "gpsd.service",
        "gpsd.socket",
        "gpsdctl@.service",
        "graphical.target",
        "greenbone-certdata-sync.service",
        "greenbone-certdata-sync.timer",
        "greenbone-feed-sync.service",
        "greenbone-feed-sync.timer",
        "greenbone-nvt-sync.service",
        "greenbone-nvt-sync.timer",
        "greenbone-scapdata-sync.service",
        "greenbone-scapdata-sync.timer",
        "gssproxy.service",
        "gvmd.service",
        "halt.target",
        "healthd.service",
        "hibernate.target",
        "hostapd.service",
        "hostapd@.service",
        "httpd.service",
        "hv_fcopy_daemon.service",
        "hv_kvp_daemon.service",
        "hv_vss_daemon.service",
        "hybrid-sleep.target",
        "i2pd.service",
        "iiod.service",
        "initrd.target",
        "initrd-cleanup.service",
        "initrd-fs.target",
        "initrd-parse-etc.service",
        "initrd-root-device.target",
        "initrd-root-fs.target",
        "initrd-switch-root.service",
        "initrd-switch-root.target",
        "initrd-udevadm-cleanup-db.service",
        "initrd-usr-fs.target",
        "integritysetup.target",
        "integritysetup-pre.target",
        "iodined.service",
        "iodined.socket",
        "ip2clued.service",
        "ip6tables.service",
        "ipmidetectd.service",
        "ipmiseld.service",
        "iptables.service",
        "iscsi.service",
        "iscsi-init.service",
        "iscsid.service",
        "iscsid.socket",
        "iscsiuio.service",
        "iscsiuio.socket",
        "isnsd.service",
        "isnsd.socket",
        "iwd.service",
        "kcptun-server@.service",
        "kcptun@.service",
        "kexec.target",
        "keyboxd@.service",
        "keyboxd@.socket",
        "kmod-static-nodes.service",
        "krb5-kadmind.service",
        "krb5-kdc.service",
        "krb5-kpropd.service",
        "krb5-kpropd.socket",
        "krb5-kpropd@.service",
        "lastlog2-import.service",
        "ldconfig.service",
        "libvirt-guests.service",
        "libvirtd.service",
        "libvirtd.socket",
        "libvirtd-admin.socket",
        "libvirtd-ro.socket",
        "libvirtd-tcp.socket",
        "libvirtd-tls.socket",
        "lightdm.service",
        "lm_sensors.service",
        "local-fs.target",
        "local-fs-pre.target",
        "logrotate.service",
        "logrotate.timer",
        "lvm2-lvmpolld.service",
        "lvm2-lvmpolld.socket",
        "lvm2-monitor.service",
        "lxc.service",
        "lxc-auto.service",
        "lxc-monitord.service",
        "lxc-net.service",
        "lxc@.service",
        "lxdm.service",
        "ly.service",
        "lynis.service",
        "lynis.timer",
        "machine.slice",
        "machines.target",
        "man-db.service",
        "man-db.timer",
        "mariadb.service",
        "mariadb.socket",
        "mariadb-extra.socket",
        "mariadb-extra@.socket",
        "mariadb@.service",
        "mariadb@.socket",
        "mdadm-grow-continue@.service",
        "mdadm-last-resort@.service",
        "mdadm-last-resort@.timer",
        "mdcheck_continue.service",
        "mdcheck_continue.timer",
        "mdcheck_start.service",
        "mdcheck_start.timer",
        "mdmon@.service",
        "mdmonitor.service",
        "mdmonitor-oneshot.service",
        "mdmonitor-oneshot.timer",
        "memavaild.service",
        "mkinitcpio-generate-shutdown-ramfs.service",
        "modprobe@.service",
        "mongodb.service",
        "multi-user.target",
        "mysql.service",
        "mysqld.service",
        "named.service",
        "nbd.service",
        "nbd@.service",
        "ndctl-monitor.service",
        "neo4j.service",
        "netavark-dhcp-proxy.service",
        "netavark-dhcp-proxy.socket",
        "netdata.service",
        "network.target",
        "network-online.target",
        "network-pre.target",
        "nfs-blkmap.service",
        "nfs-client.target",
        "nfs-idmapd.service",
        "nfs-mountd.service",
        "nfs-server.service",
        "nfs-utils.service",
        "nfsdcld.service",
        "nfsv4-exportd.service",
        "nfsv4-server.service",
        "nftables.service",
        "nm-priv-helper.service",
        "nmb.service",
        "nohang.service",
        "nohang-desktop.service",
        "nscd.service",
        "nss-lookup.target",
        "nss-user-lookup.target",
        "ntpd.service",
        "ntpdate.service",
        "nvidia-hibernate.service",
        "nvidia-persistenced.service",
        "nvidia-powerd.service",
        "nvidia-resume.service",
        "nvidia-suspend.service",
        "nvmefc-boot-connections.service",
        "nvmf-autoconnect.service",
        "nvmf-connect.target",
        "nvmf-connect-nbft.service",
        "nvmf-connect@.service",
        "pacrunner.service",
        "ostree-boot-complete.service",
        "pacman-filesdb-refresh.timer",
        "pcscd.service",
        "passim.service",
        "pcscd.socket",
        "packagekit-offline-update.service",
        "phoronix-result-server.service",
        "paccache.timer",
        "plymouth-kexec.service",
        "pamac-cleancache.timer",
        "plymouth-quit.service",
        "partimaged.service",
        "plymouth-poweroff.service",
        "plymouth-read-write.service",
        "plymouth-quit-wait.service",
        "paccache.service",
        "plymouth-switch-root-initramfs.service",
        "ostree-remount.service",
        "plymouth-switch-root.service",
        "openvpn-client@.service",
        "podman-clean-transient.service",
        "pamac-offline-upgrade.service",
        "polkit.service",
        "postfix.service",
        "pam_namespace.service",
        "poweroff.target",
        "ppp@.service",
        "opensnitchd.service",
        "proc-fs-nfsd.mount",
        "proc-sys-fs-binfmt_misc.automount",
        "proc-sys-fs-binfmt_misc.mount",
        "phoromatic-server.service",
        "ptunnel.service",
        "openvpn-server@.service",
        "plymouth-halt.service",
        "pamac-cleancache.service",
        "plymouth-reboot.service",
        "ostree-state-overlay@.service",
        "ostree-finalize-staged.service",
        "postgresql.service",
        "phoromatic-client.service",
        "pamac-daemon.service",
        "pacman-filesdb-refresh.service",
        "packagekit.service",
        "pkgfile-update.service",
        "pkgfile-update.timer",
        "plymouth-start.service",
        "ostree-prepare-root.service",
        "ostree-finalize-staged.path",
        "privoxy.service",
        "ostree-finalize-staged-hold.service",
        "qemu-guest-agent.service",
        "quotaon.service",
        "quotaon-root.service",
        "quotaon@.service",
        "rabbitmq.service",
        "ras-mc-ctl.service",
        "rasdaemon.service",
        "rathole@.service",
        "ratholec@.service",
        "ratholes@.service",
        "rc-local.service",
        "rdnssd@.service",
        "reboot.target",
        "redis.service",
        "redis-sentinel.service",
        "reflector.service",
        "reflector.timer",
        "remote-cryptsetup.target",
        "remote-fs.target",
        "remote-fs-pre.target",
        "remote-veritysetup.target",
        "rescue.service",
        "rescue.target",
        "rfkill-block@.service",
        "rfkill-unblock@.service",
        "rlogin.socket",
        "rlogin@.service",
        "rpc-gssd.service",
        "rpc-statd.service",
        "rpc-statd-notify.service",
        "rpc_pipefs.target",
        "rpcbind.service",
        "rpcbind.socket",
        "rpcbind.target",
        "rsh.socket",
        "rsh@.service",
        "rsyncd.service",
        "rsyncd.socket",
        "rsyncd@.service",
        "rtkit-daemon.service",
        "runlevel0.target",
        "runlevel1.target",
        "runlevel2.target",
        "runlevel3.target",
        "runlevel4.target",
        "runlevel5.target",
        "runlevel6.target",
        "rwhod.service",
        "samba.service",
        "sddm.service",
        "seatd.service",
        "sensord.service",
        "serial-getty@.service",
        "shadow.service",
        "shadow.timer",
        "sigpwr.target",
        "slapd.service",
        "sleep.target",
        "slices.target",
        "smartd.service",
        "smb.service",
        "sndiod.service",
        "snmpd.service",
        "snmptrapd.service",
        "snort@.service",
        "snort@1000.service",
        "soft-reboot.target",
        "ssh-access.target",
        "sshd.service",
        "sshdgenkeys.service",
        "sshuttle.service",
        "sslh.service",
        "sslh-fork.service",
        "sslh-select.service",
        "storage-target-mode.target",
        "stunnel.service",
        "sudo_logsrvd.service",
        "suspend.target",
        "suspend-then-hibernate.target",
        "svnserve.service",
        "swap.target",
        "sys-fs-fuse-connections.mount",
        "sys-kernel-config.mount",
        "sys-kernel-debug.mount",
        "sys-kernel-tracing.mount",
        "sysinit.target",
        "syslog.socket",
        "system-systemd\\x2dcryptsetup.slice",
        "system-systemd\\x2dveritysetup.slice",
        "system-update.target",
        "system-update-cleanup.service",
        "system-update-pre.target",
        "systemd-ask-password-console.path",
        "systemd-ask-password-console.service",
        "systemd-ask-password-plymouth.path",
        "systemd-ask-password-plymouth.service",
        "systemd-ask-password-wall.path",
        "systemd-ask-password-wall.service",
        "systemd-backlight@.service",
        "systemd-battery-check.service",
        "systemd-binfmt.service",
        "systemd-bless-boot.service",
        "systemd-boot-check-no-failures.service",
        "systemd-boot-random-seed.service",
        "systemd-boot-update.service",
        "systemd-bootctl.socket",
        "systemd-bootctl@.service",
        "systemd-bsod.service",
        "systemd-confext.service",
        "systemd-coredump.socket",
        "systemd-coredump@.service",
        "systemd-creds.socket",
        "systemd-creds@.service",
        "systemd-firstboot.service",
        "systemd-fsck-root.service",
        "systemd-fsck@.service",
        "systemd-growfs-root.service",
        "systemd-growfs@.service",
        "systemd-halt.service",
        "systemd-hibernate.service",
        "systemd-hibernate-resume.service",
        "systemd-homed.service",
        "systemd-homed-activate.service",
        "systemd-homed-firstboot.service",
        "systemd-hostnamed.service",
        "systemd-hostnamed.socket",
        "systemd-hwdb-update.service",
        "systemd-hybrid-sleep.service",
        "systemd-importd.service",
        "systemd-initctl.service",
        "systemd-initctl.socket",
        "systemd-journal-catalog-update.service",
        "systemd-journal-flush.service",
        "systemd-journal-gatewayd.service",
        "systemd-journal-gatewayd.socket",
        "systemd-journal-remote.service",
        "systemd-journal-remote.socket",
        "systemd-journal-upload.service",
        "systemd-journald.service",
        "systemd-journald.socket",
        "systemd-journald-audit.socket",
        "systemd-journald-dev-log.socket",
        "systemd-journald-varlink@.socket",
        "systemd-journald@.service",
        "systemd-journald@.socket",
        "systemd-kexec.service",
        "systemd-localed.service",
        "systemd-logind.service",
        "systemd-machine-id-commit.service",
        "systemd-machined.service",
        "systemd-modules-load.service",
        "systemd-network-generator.service",
        "systemd-networkd.service",
        "systemd-networkd.socket",
        "systemd-networkd-persistent-storage.service",
        "systemd-networkd-wait-online.service",
        "systemd-networkd-wait-online@.service",
        "systemd-nspawn@.service",
        "systemd-oomd.service",
        "systemd-oomd.socket",
        "systemd-pcrextend.socket",
        "systemd-pcrextend@.service",
        "systemd-pcrfs-root.service",
        "systemd-pcrfs@.service",
        "systemd-pcrlock.socket",
        "systemd-pcrlock-file-system.service",
        "systemd-pcrlock-firmware-code.service",
        "systemd-pcrlock-firmware-config.service",
        "systemd-pcrlock-machine-id.service",
        "systemd-pcrlock-make-policy.service",
        "systemd-pcrlock-secureboot-authority.service",
        "systemd-pcrlock-secureboot-policy.service",
        "systemd-pcrlock@.service",
        "systemd-pcrmachine.service",
        "systemd-pcrphase.service",
        "systemd-pcrphase-initrd.service",
        "systemd-pcrphase-sysinit.service",
        "systemd-portabled.service",
        "systemd-poweroff.service",
        "systemd-pstore.service",
        "systemd-quotacheck.service",
        "systemd-quotacheck-root.service",
        "systemd-quotacheck@.service",
        "systemd-random-seed.service",
        "systemd-reboot.service",
        "systemd-remount-fs.service",
        "systemd-repart.service",
        "systemd-resolved.service",
        "systemd-rfkill.service",
        "systemd-rfkill.socket",
        "systemd-soft-reboot.service",
        "systemd-storagetm.service",
        "systemd-suspend.service",
        "systemd-suspend-then-hibernate.service",
        "systemd-sysctl.service",
        "systemd-sysext.service",
        "systemd-sysext.socket",
        "systemd-sysext@.service",
        "systemd-sysupdate.service",
        "systemd-sysupdate.timer",
        "systemd-sysupdate-reboot.service",
        "systemd-sysupdate-reboot.timer",
        "systemd-sysusers.service",
        "systemd-time-wait-sync.service",
        "systemd-timedated.service",
        "systemd-timesyncd.service",
        "systemd-tmpfiles-setup-dev.service",
        "systemd-tmpfiles-setup-dev-early.service",
        "systemd-tpm2-setup.service",
        "systemd-tpm2-setup-early.service",
        "systemd-udev-trigger.service",
        "systemd-udevd.service",
        "systemd-udevd-control.socket",
        "systemd-udevd-kernel.socket",
        "systemd-update-done.service",
        "systemd-update-utmp.service",
        "systemd-update-utmp-runlevel.service",
        "systemd-user-sessions.service",
        "systemd-userdbd.service",
        "systemd-userdbd.socket",
        "systemd-vconsole-setup.service",
        "systemd-vmspawn@.service",
        "systemd-volatile-root.service",
        "systemd-zram-setup@.service",
        "talk.service",
        "talk.socket",
        "teamd@.service",
        "telnet.socket",
        "telnet@.service",
        "time-set.target",
        "time-sync.target",
        "tinc.service",
        "tinc@.service",
        "tinyproxy.service",
        "tlp.service",
        "tmp.mount",
        "tor.service",
        "tpm2.target",
        "udisks2.service",
        "udp2raw@.service",
        "ufw.service",
        "uksmd.service",
        "umount.target",
        "unbound.service",
        "updatedb.service",
        "updatedb.timer",
        "upower.service",
        "usb-gadget.target",
        "usb_modeswitch@.service",
        "usbipd.service",
        "usbmuxd.service",
        "user.slice",
        "user-runtime-dir@.service",
        "user@.service",
        "uuidd.service",
        "uuidd.socket",
        "var-lib-machines.mount",
        "var-lib-nfs-rpc_pipefs.mount",
        "vboxdrmclient.path",
        "vboxdrmclient.service",
        "vboxservice.service",
        "veritysetup.target",
        "veritysetup-pre.target",
        "virt-guest-shutdown.target",
        "virtchd.service",
        "virtchd.socket",
        "virtchd-admin.socket",
        "virtchd-ro.socket",
        "virtinterfaced.service",
        "virtinterfaced.socket",
        "virtinterfaced-admin.socket",
        "virtinterfaced-ro.socket",
        "virtlockd.service",
        "virtlockd.socket",
        "virtlockd-admin.socket",
        "virtlogd.service",
        "virtlogd.socket",
        "virtlogd-admin.socket",
        "virtlxcd.service",
        "virtlxcd.socket",
        "virtlxcd-admin.socket",
        "virtlxcd-ro.socket",
        "virtnetworkd.service",
        "virtnetworkd.socket",
        "virtnetworkd-admin.socket",
        "virtnetworkd-ro.socket",
        "virtnodedevd.service",
        "virtnodedevd.socket",
        "virtnodedevd-admin.socket",
        "virtnodedevd-ro.socket",
        "virtnwfilterd.service",
        "virtnwfilterd.socket",
        "virtnwfilterd-admin.socket",
        "virtnwfilterd-ro.socket",
        "virtproxyd.service",
        "virtproxyd.socket",
        "virtproxyd-admin.socket",
        "virtproxyd-ro.socket",
        "virtproxyd-tcp.socket",
        "virtproxyd-tls.socket",
        "virtqemud.service",
        "virtqemud.socket",
        "virtqemud-admin.socket",
        "virtqemud-ro.socket",
        "virtsecretd.service",
        "virtsecretd.socket",
        "virtsecretd-admin.socket",
        "virtsecretd-ro.socket",
        "virtstoraged.service",
        "virtstoraged.socket",
        "virtstoraged-admin.socket",
        "virtstoraged-ro.socket",
        "virtvboxd.service",
        "virtvboxd.socket",
        "virtvboxd-admin.socket",
        "virtvboxd-ro.socket",
        "vmtoolsd.service",
        "vmware-vmblock-fuse.service",
        "vpnc@.service",
        "wacom-inputattach@.service",
        "wg-quick.target",
        "wg-quick@.service",
        "winbind.service",
        "wondershaper.service",
        "wpa_supplicant.service",
        "wpa_supplicant-nl80211@.service",
        "wpa_supplicant-wired@.service",
        "wpa_supplicant@.service",
        "xfs_scrub@.service",
        "xfs_scrub_all.service",
        "xfs_scrub_all.timer",
        "xfs_scrub_fail@.service",
        "xl2tpd.service",
        "xplico.service",
        "xrdp.service",
        "xrdp-sesman.service",
        "yate.service",
        "zfs.target",
        "zfs-import.service",
        "zfs-import.target",
        "zfs-import-cache.service",
        "zfs-import-scan.service",
        "zfs-load-key.service",
        "zfs-mount.service",
        "zfs-scrub-monthly@.timer",
        "zfs-scrub-weekly@.timer",
        "zfs-scrub@.service",
        "zfs-share.service",
        "zfs-trim-monthly@.timer",
        "zfs-trim-weekly@.timer",
        "zfs-trim@.service",
        "zfs-volume-wait.service",
        "zfs-volumes.target",
        "zfs-zed.service",
        "plymouth.conf",
        "gpg-agent-ssh@etc-pacman.d-gnupg.socket",
        "keyboxd@etc-pacman.d-gnupg.socket",
        "dirmngr@etc-pacman.d-gnupg.socket",
        "gpg-agent-browser@etc-pacman.d-gnupg.socket",
        "gpg-agent-extra@etc-pacman.d-gnupg.socket",
        "gpg-agent@etc-pacman.d-gnupg.socket",
        "https://hybrid-analysis.com/sample/ff42428f0fcc346cc56e2b00d4b5c4bd43b55f3465b4ccab0efba9c88f4a1c03/661da0b063c895fc2d0a78dc",
        "https://hybrid-analysis.com/sample/9613dee39157b5f9935436b36647047e267b7c10fa4c7ab1fd995db681e58c12/661da5b202eaca78740cf4ed",
        "https://hybrid-analysis.com/sample/479a0170df010c5eb742ff1b8740a2ccf381df44c8a919c95d6e38685278e78a/661da5c768340c1e25092cb2",
        "50-rc_keymap.conf",
        "10-defaults.conf",
        "10-login-barrier.conf",
        "20-systemd-userdb.conf",
        "20-systemd-ssh-proxy.conf",
        "iptables-flush",
        "cpupower",
        "chkboot-bootcheck",
        "10-root.conf",
        "30-root-verity-sig.conf",
        "20-root-verity.conf",
        "80-systemd-timesync.list",
        "80-6rd-tunnel.link",
        "80-container-ve.network",
        "80-container-vb.network",
        "80-container-vz.link",
        "80-6rd-tunnel.network",
        "80-container-vz.network",
        "80-auto-link-local.network.example",
        "80-ethernet.network.example",
        "80-container-host0.network",
        "80-iwd.link",
        "80-container-vb.link",
        "80-vm-vt.link",
        "80-vm-vt.network",
        "80-wifi-adhoc.network",
        "80-wifi-ap.network.example",
        "80-wifi-station.network.example",
        "80-container-ve.link",
        "89-ethernet.network.example",
        "99-default.link",
        "dbus-broker.catalog",
        "dbus-broker-launch.catalog",
        "systemd.be.catalog",
        "systemd.be@latin.catalog",
        "systemd.da.catalog",
        "systemd.bg.catalog",
        "systemd.hu.catalog",
        "systemd.catalog",
        "systemd.it.catalog",
        "systemd.fr.catalog",
        "systemd.ko.catalog",
        "systemd.hr.catalog",
        "systemd.pl.catalog",
        "systemd.pt_BR.catalog",
        "systemd.ru.catalog",
        "systemd.sr.catalog",
        "systemd.zh_CN.catalog",
        "systemd.de.catalog",
        "systemd.zh_TW.catalog",
        "expl_cve_2021_40444.yar"
      ],
      "public": 1,
      "adversary": "Chinese Speaking",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "RemainAfterExit",
          "display_name": "RemainAfterExit",
          "target": null
        },
        {
          "id": "NMBDOPTIONS",
          "display_name": "NMBDOPTIONS",
          "target": null
        },
        {
          "id": "SMBDOPTIONS",
          "display_name": "SMBDOPTIONS",
          "target": null
        },
        {
          "id": "SuccessAction",
          "display_name": "SuccessAction",
          "target": null
        },
        {
          "id": "WINBINDOPTIONS",
          "display_name": "WINBINDOPTIONS",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1205",
          "name": "Traffic Signaling",
          "display_name": "T1205 - Traffic Signaling"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1543",
          "name": "Create or Modify System Process",
          "display_name": "T1543 - Create or Modify System Process"
        },
        {
          "id": "T1569",
          "name": "System Services",
          "display_name": "T1569 - System Services"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1114",
          "name": "Email Collection",
          "display_name": "T1114 - Email Collection"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "661db37bf549518bf6f7f377",
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 123,
        "YARA": 16,
        "CVE": 4,
        "FileHash-SHA1": 25,
        "FileHash-SHA256": 20,
        "domain": 102,
        "URL": 16,
        "email": 9,
        "hostname": 4,
        "CIDR": 2
      },
      "indicator_count": 321,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 66,
      "modified_text": "3 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "698e93e1ab02db8c49e8c3ed",
      "name": "\u201cBroken Seal\u201d DocuSign-themed Delivery with Fileless Process Hollowing (Zeppelin/Bloat-A)",
      "description": "Forensic analysis indicates a DocuSign-themed phishing campaign using a deliberately invalid X.509 PKI seal (\u201cBroken Seal\u201d) to trigger fail-open verification logic in automated handlers. The delivery mechanism bypasses Secure Email Gateway (SEG) reputation checks by using encrypted channels and human-gated infrastructure. The payload is a fileless Process Hollowing (RunPE) malware that injects into RWX memory of legitimate processes to evade disk-based EDR.",
      "modified": "2026-05-17T15:52:35.396000",
      "created": "2026-02-13T03:00:49.872000",
      "tags": [
        "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi",
        "9698f46495ce9401c8bcaf9a2afe1598",
        "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)",
        "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71",
        "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3",
        "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link",
        "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)"
      ],
      "references": [
        "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
        "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
        "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
        "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
        "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
        "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
        "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
        "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
        "Verification failure observed in automated verification handlers during sandbox replay.",
        "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
        "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
        "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
        "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
        "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
        "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
        "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
        "Whitelisted IP Address 204.79.197.212 Location  United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. ,  ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc.,   Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 ,  5943 ,  80211 ,  #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf ,  The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
        "",
        "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr",
        "My Independent research finds an intersect between different pdf DV versions being able to connect to Raspberry Pi devices as it was the FCC application document. Risk: Mac ID connectivity to all."
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "China",
        "United States of America",
        "Spain",
        "Japan",
        "Canada"
      ],
      "malware_families": [],
      "attack_ids": [],
      "industries": [
        "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In"
      ],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 14,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 28000,
        "FileHash-SHA256": 48374,
        "FileHash-MD5": 42596,
        "FileHash-SHA1": 23243,
        "hostname": 35654,
        "URL": 75758,
        "SSLCertFingerprint": 30,
        "CVE": 7585,
        "email": 316,
        "FileHash-IMPHASH": 8,
        "CIDR": 26205,
        "JA3": 1,
        "URI": 5,
        "IPv4": 574,
        "Mutex": 1
      },
      "indicator_count": 288350,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 92,
      "modified_text": "13 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69b097820c1d5791c2e6db33",
      "name": "CAPE Sandbox - Evil MALWARE",
      "description": "",
      "modified": "2026-04-09T22:03:39.319000",
      "created": "2026-03-10T22:13:22.655000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 109,
        "FileHash-MD5": 284,
        "FileHash-SHA1": 299,
        "FileHash-SHA256": 242,
        "domain": 16,
        "email": 2,
        "hostname": 61
      },
      "indicator_count": 1013,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 66,
      "modified_text": "51 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69bf64e1d5e06aa6207f78de",
      "name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos",
      "description": "",
      "modified": "2026-03-27T00:30:39.055000",
      "created": "2026-03-22T03:41:21.863000",
      "tags": [
        "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi",
        "9698f46495ce9401c8bcaf9a2afe1598",
        "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)",
        "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71",
        "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3",
        "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link",
        "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)"
      ],
      "references": [
        "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
        "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
        "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
        "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
        "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
        "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
        "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
        "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
        "Verification failure observed in automated verification handlers during sandbox replay.",
        "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
        "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
        "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
        "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
        "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
        "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
        "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
        "Whitelisted IP Address 204.79.197.212 Location  United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. ,  ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc.,   Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 ,  5943 ,  80211 ,  #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf ,  The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
        "",
        "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "China",
        "United States of America",
        "Spain",
        "Japan",
        "Canada"
      ],
      "malware_families": [],
      "attack_ids": [],
      "industries": [
        "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In"
      ],
      "TLP": "green",
      "cloned_from": "698e93e1ab02db8c49e8c3ed",
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 27572,
        "FileHash-SHA256": 46076,
        "FileHash-MD5": 42177,
        "FileHash-SHA1": 22874,
        "hostname": 33438,
        "URL": 74810,
        "SSLCertFingerprint": 21,
        "CVE": 7579,
        "email": 297,
        "FileHash-IMPHASH": 8,
        "CIDR": 26203,
        "JA3": 1
      },
      "indicator_count": 281056,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 149,
      "modified_text": "65 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69bf64eccb5d39a90a3c391e",
      "name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos",
      "description": "",
      "modified": "2026-03-27T00:30:39.055000",
      "created": "2026-03-22T03:41:32.565000",
      "tags": [
        "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi",
        "9698f46495ce9401c8bcaf9a2afe1598",
        "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)",
        "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71",
        "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3",
        "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link",
        "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)"
      ],
      "references": [
        "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
        "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
        "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
        "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
        "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
        "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
        "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
        "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
        "Verification failure observed in automated verification handlers during sandbox replay.",
        "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
        "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
        "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
        "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
        "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
        "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
        "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
        "Whitelisted IP Address 204.79.197.212 Location  United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. ,  ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc.,   Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 ,  5943 ,  80211 ,  #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf ,  The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
        "",
        "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "China",
        "United States of America",
        "Spain",
        "Japan",
        "Canada"
      ],
      "malware_families": [],
      "attack_ids": [],
      "industries": [
        "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In"
      ],
      "TLP": "green",
      "cloned_from": "698e93e1ab02db8c49e8c3ed",
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 27572,
        "FileHash-SHA256": 46076,
        "FileHash-MD5": 42177,
        "FileHash-SHA1": 22874,
        "hostname": 33438,
        "URL": 74810,
        "SSLCertFingerprint": 21,
        "CVE": 7579,
        "email": 297,
        "FileHash-IMPHASH": 8,
        "CIDR": 26203,
        "JA3": 1
      },
      "indicator_count": 281056,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 152,
      "modified_text": "65 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "661db37bf549518bf6f7f377",
      "name": "Backup from 03-28-24 - Systemd dump, malicious ssh and sshd files, libsystemd-vore libsystemd-shared plus supporting php files",
      "description": "Ignoring the yara and eicar files - I was able to recover a partition used for backups from 03/25/24-03/29/24; the day of the XZ supply chain disclosure. This is a preliminary dump with accompanying analysis and sha1, and 256's of my /usr/lib/systemd directory which housed multiple suspect ssh sub directories plus malicious libsystemd-shared and libsystemd-core binaries, and all supporting config, dev, service, and binaries. Dig in.",
      "modified": "2024-04-23T14:28:30.317000",
      "created": "2024-04-15T23:08:43.746000",
      "tags": [
        "fireeye",
        "copyright",
        "base64",
        "dotnettojscript",
        "gadgettojscript",
        "invokeclient",
        "invokeserver",
        "readhost enter",
        "command",
        "roth",
        "nextron",
        "sandworm",
        "detects ssh",
        "grant all",
        "privileges on",
        "to mysqldb",
        "create user",
        "g root",
        "sandworm python",
        "import",
        "phpsploit",
        "host",
        "user",
        "pass",
        "error",
        "establish",
        "pecl oci8",
        "connstr",
        "charset",
        "false",
        "miner",
        "texthtml",
        "module",
        "send custom",
        "swissky",
        "class",
        "serviceip",
        "serviceport",
        "servicedata",
        "e binsh",
        "init",
        "service port",
        "detects",
        "cve202140444",
        "target",
        "targetmode",
        "jeremy brown",
        "windows cve",
        "ms office",
        "modified rule",
        "rperm",
        "wperm",
        "pathsep",
        "string",
        "rwxrxrx",
        "file types",
        "unix",
        "login",
        "autentication",
        "disable",
        "ldapconnect",
        "version",
        "authentication",
        "ldaplist",
        "null",
        "pathelems",
        "execute",
        "backdoor",
        "kingdee oa",
        "yunxingkong",
        "b6oa",
        "code execution",
        "kingdee cloud",
        "starry sky",
        "otherwise",
        "file",
        "setsmartdate",
        "fread",
        "name",
        "force",
        "base64decode",
        "data",
        "substr",
        "array",
        "readdir",
        "getowner",
        "getgroup",
        "getsize",
        "force option",
        "fwrite",
        "permission",
        "check",
        "mode",
        "diraccess",
        "fileaccess",
        "realpath",
        "stat",
        "immutable",
        "posixgetpwuid",
        "posixgetgrgid",
        "explode",
        "etcpasswd",
        "glob",
        "globonlydir",
        "oraclelogin",
        "port",
        "servicename",
        "connector",
        "base",
        "query type",
        "mssqlfetcharray",
        "mssqlassoc",
        "solsocket",
        "timeout",
        "range",
        "portmin",
        "portmax",
        "socketcreate",
        "afinet",
        "sockstream",
        "open",
        "type",
        "true",
        "tcp connection",
        "tcp shell",
        "input",
        "lhost",
        "netcat",
        "lport",
        "shell",
        "dllimport",
        "python",
        "back",
        "fore",
        "pfinet",
        "stdout",
        "this",
        "win32",
        "ldapsearch",
        "select",
        "mysqliassoc",
        "select database",
        "send",
        "newfile",
        "dns stub",
        "third party",
        "see man",
        "exit",
        "o pipefail",
        "v systemctl",
        "devnull",
        "unknown verb",
        "license",
        "gnu lesser",
        "general public",
        "free software",
        "foundation",
        "unit",
        "slice",
        "cpuweight100",
        "tasks slice",
        "cpuweight30",
        "capev2",
        "cape",
        "cuckoo web",
        "setup",
        "grep",
        "limitnofile",
        "install",
        "return",
        "execstart",
        "start",
        "descriptionrun",
        "timer",
        "oncalendardaily",
        "service",
        "prevent rate",
        "delay start",
        "m poetry",
        "sigkill",
        "descriptioncape",
        "ef usercape",
        "g cape",
        "allowisolateyes",
        "typedbus",
        "socket",
        "message bus",
        "listenstream",
        "typenotify",
        "descriptionuser",
        "harald sitter",
        "sitter",
        "kcrash",
        "drkonqi",
        "acceptyes",
        "disable trigger",
        "todo",
        "prevents",
        "path",
        "pathexistsglob",
        "runtimemaxsec31",
        "runtimemaxsec30",
        "restartno",
        "descriptionexit",
        "environmentfile",
        "otheropts",
        "soundfont",
        "descriptiongcr",
        "sshauthsock",
        "descriptionglib",
        "priority6",
        "killmodeprocess",
        "proxy",
        "socketmode0600",
        "apache software",
        "notice file",
        "apache license",
        "unless",
        "as is",
        "basis",
        "or conditions",
        "apple file",
        "conduit monitor",
        "descriptionjack",
        "jackoptions d",
        "driver d",
        "device",
        "media transfer",
        "indexer daemon",
        "memory",
        "memoryhigh512m",
        "system sockets",
        "a user",
        "conditionuser",
        "dbus menus",
        "plasma",
        "phase",
        "workspace core",
        "exit status",
        "x11 connection",
        "timeoutstopsec5",
        "disable restart",
        "timeoutsec40sec",
        "typeoneshot",
        "david edmundson",
        "davidedmundson",
        "osd service",
        "portal",
        "auto restart",
        "dbus",
        "xembed system",
        "logging system",
        "socketmode0660",
        "all containers",
        "restart policy",
        "logging start",
        "execstopbinsh c",
        "logging",
        "x11 plugins",
        "session slice",
        "typeforking",
        "etc userroot",
        "grouproot",
        "onbootsec15min",
        "place",
        "temporary",
        "volatile files",
        "thunar",
        "session manager",
        "wireplumber",
        "service file",
        "xdg autostart",
        "user dir",
        "descriptionxfce",
        "sandbox",
        "malware",
        "analysis",
        "online",
        "submit",
        "vxstream",
        "sample",
        "download",
        "trojan",
        "apt",
        "memoryfile scan",
        "ansi",
        "bpf program",
        "indicator",
        "bpf firewalling",
        "pcap",
        "pcap processing",
        "bpffallowmulti",
        "bpf device",
        "date",
        "suspicious",
        "hybrid",
        "crypto",
        "close",
        "click",
        "april",
        "strings",
        "february",
        "middle",
        "exploit",
        "gameover",
        "contact",
        "scope",
        "thomas koch",
        "gpl v2",
        "imsm",
        "ibftruledir",
        "ibftrules",
        "attr",
        "systemd rule",
        "hannes reinecke",
        "suse labs",
        "ipibft",
        "interface",
        "kernel",
        "configfile",
        "typesimple",
        "apparmor",
        "grouparchaudit",
        "hardening",
        "umask077",
        "persistenttrue",
        "enable debug",
        "networkmanager",
        "trace",
        "wait online",
        "edit",
        "note",
        "reload",
        "capdacoverride",
        "dhcp etc",
        "mdadmscan",
        "mdadmdelay",
        "mdadmmail",
        "mdadmprogram",
        "mdadmconfig",
        "mdadmsendmail",
        "p runsysconfig",
        "userroot",
        "sssd",
        "write access",
        "needed sometime",
        "statedirectory",
        "accountsservice",
        "varloglastlog",
        "bridge daemon",
        "alsa card",
        "card state",
        "required",
        "another auto",
        "nice daemon",
        "memorymax64m",
        "filter system",
        "mount",
        "reboot",
        "clock",
        "logging service",
        "requires",
        "before",
        "please",
        "exit codes",
        "proc",
        "descriptionruns",
        "execstartsh c",
        "switchtoggle",
        "ignoreonisolate",
        "term typeidle",
        "without",
        "any warranty",
        "merchantability",
        "fitness",
        "a particular",
        "vartmp",
        "wants type",
        "preparation",
        "watchdogsec10",
        "filesystem",
        "timer daemon",
        "options",
        "environment",
        "prevent",
        "readwritepaths",
        "security",
        "certain",
        "protectsystem",
        "bindpaths",
        "lower cpu",
        "nice19",
        "manager",
        "userc",
        "celerydnodes",
        "info",
        "chaddevops",
        "aaron brighton",
        "clam antivirus",
        "jon kriel",
        "distribution",
        "script",
        "sanesecurity",
        "securiteinfo",
        "malwarepatrol",
        "oitc",
        "file location",
        "remember",
        "typeexec user",
        "9 cntlm",
        "generate color",
        "profiles",
        "removeipctrue",
        "devpts",
        "authors",
        "any kind",
        "usercouchdb",
        "restartsec5",
        "volumes",
        "server socket",
        "user209",
        "daemon",
        "darkstatiface",
        "reloadconfig",
        "watchdogsec3min",
        "privatetmpyes",
        "protectproc",
        "increase",
        "descriptiontime",
        "date service",
        "debugging only",
        "ignoresigpipeno",
        "unset locale",
        "file system",
        "queue file",
        "whatmqueue",
        "optionsnosuid",
        "pf rundhclient",
        "rate",
        "requiresdirmngr",
        "capfowner",
        "capsetpcap",
        "dhcp",
        "dns server",
        "startlimit",
        "limits",
        "delegateyes",
        "descriptionpass",
        "runtimemaxsec5",
        "mountain",
        "metadata check",
        "all filesystems",
        "online metadata",
        "sunday",
        "oncalendarsun",
        "online ext4",
        "sigterm signal",
        "java process",
        "piddir",
        "standardoutput",
        "elasticsearch",
        "limitnproc4096",
        "limitasinfinity",
        "sendsighupyes",
        "mapper daemon",
        "mainpid",
        "quit",
        "listenstream79",
        "radius server",
        "d etcraddb",
        "protecthomeon",
        "default",
        "systemservice",
        "efiefi bootefi",
        "afinet afinet6",
        "afunix afinet",
        "oncalendar 0000",
        "privatetmptrue",
        "geoip legacy",
        "geoip2",
        "instance",
        "usergit",
        "scdconfig",
        "notice",
        "devinputmice t",
        "descriptiongps",
        "system",
        "sock refclock",
        "gpsdoptions",
        "devices",
        "daemon sockets",
        "2947",
        "bindipv6onlyyes",
        "usbauto",
        "usrbingpsdctl",
        "gps daemon",
        "afterdev",
        "gvmddata",
        "varlibgssproxy",
        "nonewprivileges",
        "privatetmp",
        "protecthome",
        "ieee",
        "etchostapd",
        "killmodemixed",
        "fcopy",
        "uncomment",
        "use sigterm",
        "sigkill i2pd",
        "sendsigkillyes",
        "limitnofile8192",
        "systemd",
        "analog",
        "shutting down",
        "iodineextip p",
        "iodineport p",
        "iodineuser",
        "tunip",
        "topdomain",
        "guessmainpidyes",
        "m node",
        "wants",
        "initiatorname",
        "io driver",
        "typeexec",
        "c etckcptun",
        "usernobody",
        "requireskeyboxd",
        "static device",
        "nofork",
        "restartalways",
        "linker cache",
        "hack",
        "use wants",
        "raise",
        "tasksmax",
        "tasksmax32768",
        "limitmemlock64m",
        "removeonstopyes",
        "ip socket",
        "tls ip",
        "conflictsgetty",
        "aftergetty",
        "busmodules",
        "qabr",
        "hwmonmodules",
        "local file",
        "privatenetwork",
        "lvm2",
        "initialization",
        "autoboot code",
        "s delegatetrue",
        "description",
        "pidfilerunlxc",
        "lynis service",
        "adjust path",
        "lynis binary",
        "lynis timer",
        "tell systemd",
        "lynis security",
        "persistentfalse",
        "container slice",
        "recover",
        "varcacheman",
        "regenerate man",
        "userroot nice19",
        "mysqldopts",
        "mysqldsafe",
        "timezone",
        "core",
        "restart",
        "users",
        "backlog150",
        "listenstreams",
        "servicemariadb",
        "mechanism",
        "mariadb",
        "multi instance",
        "variables",
        "bindirmdadm",
        "gnu general",
        "public license",
        "reshape",
        "onactivesec30",
        "oncalendar",
        "wantedby",
        "monitor",
        "allow mdmon",
        "takeover",
        "k none",
        "c devnull",
        "d runinitramfs",
        "p runmongodb",
        "limitnproc32000",
        "limitmemlock5",
        "device server",
        "requiredbydev",
        "d dev",
        "descriptionreal",
        "extraopts",
        "restartsec30",
        "valid",
        "fifo",
        "priority",
        "batch",
        "nice0",
        "partof",
        "tracking daemon",
        "helper",
        "for testing",
        "only",
        "restrict",
        "grant",
        "capsysptrace",
        "capkill",
        "capipclock",
        "environ",
        "capsysresource",
        "capsyslog",
        "descriptionname",
        "service cache",
        "sysvlsb",
        "descriptionhost",
        "network name",
        "group name",
        "u ntp",
        "time service",
        "t hibernate",
        "software",
        "other",
        "the software",
        "daemon init",
        "software is",
        "provided",
        "fcnvme",
        "wantsmodprobe",
        "aftermodprobe",
        "descriptionall",
        "nbft",
        "nvmeof",
        "connectargs",
        "unit file",
        "descriptionnvmf",
        "red hat",
        "without any",
        "warranty",
        "card daemon",
        "socketmode0666",
        "suite result",
        "kexec screen",
        "oncalendarsat",
        "boot screen",
        "timeoutsec20",
        "power off",
        "runtime data",
        "descriptionhold",
        "timeoutsec0",
        "sandboxing",
        "execstop",
        "colin walters",
        "upgrade",
        "upgrade output",
        "umask0077",
        "transport agent",
        "descriptionmake",
        "descriptionppp",
        "whatnfsd",
        "file formats",
        "automount point",
        "automount",
        "setuid nobody",
        "setgid nobody",
        "setcon",
        "syslog",
        "restartonabort",
        "halt screen",
        "reboot screen",
        "pgroot",
        "postgresql",
        "oom killer",
        "additional",
        "fy nice19",
        "endless os",
        "foundation llc",
        "restartsec0",
        "system quotas",
        "rabbitmq",
        "protecthometrue",
        "etcrathole",
        "guessmainpidno",
        "h etcrdnssd",
        "reflector",
        "afinet6 afunix",
        "umask177",
        "remote file",
        "nfs client",
        "nfsv23 locking",
        "make sure",
        "rpc netconfig",
        "descriptionfast",
        "using ssh",
        "so let",
        "boot",
        "realtimekit",
        "rwhodopts",
        "display manager",
        "specify",
        "interval l",
        "loginterval f",
        "bindstodev",
        "always",
        "usrbingrpck r",
        "slapdoptions",
        "u ldap",
        "slapdurls",
        "smart",
        "pciusb",
        "midi",
        "daemonopts",
        "snmp",
        "trap daemon",
        "g snort",
        "descriptionsudo",
        "hibernate",
        "svnserveargs",
        "whatfusectl",
        "whatconfigfs",
        "whatdebugfs",
        "whattracefs",
        "best way",
        "see https",
        "units service",
        "service slice",
        "offline system",
        "update",
        "wall directory",
        "timeoutsec90s",
        "descriptionmark",
        "current boot",
        "loader entry",
        "any system",
        "units",
        "loader random",
        "loader update",
        "service socket",
        "dump socket",
        "optionally",
        "root device",
        "afalg afinet",
        "execstophomectl",
        "home area",
        "named pipe",
        "sink service",
        "sink socket",
        "upload service",
        "dynamicuseryes",
        "sigkilled",
        "devlog",
        "timestampingus",
        "namespace",
        "sendbuffer8m",
        "kernel command",
        "netlink socket",
        "storage",
        "descriptionwait",
        "network",
        "make",
        "deviceallow",
        "reserve",
        "killer socket",
        "root file",
        "measurement",
        "pcr policy",
        "tpm pcr",
        "code",
        "configuration",
        "machine id",
        "barrier",
        "quota check",
        "system quota",
        "after",
        "random seed",
        "kernel file",
        "gpt partition",
        "kill switch",
        "nvmetcp",
        "trigger",
        "saturday",
        "persistentyes",
        "system update",
        "kernel time",
        "capsystime",
        "ntp service",
        "turn",
        "files",
        "device nodes",
        "srk setup",
        "device events",
        "bootshutdown",
        "change",
        "manager socket",
        "descriptiontinc",
        "proxy server",
        "linrunner",
        "descriptiontlp",
        "tor service",
        "f etctortorrc",
        "tpm device",
        "descriptionudp",
        "tcpicmpudp",
        "etcudp2raw",
        "debug",
        "swap",
        "api file",
        "privatedevices",
        "home",
        "root",
        "runuser",
        "linux control",
        "groups",
        "group",
        "afnetlink",
        "locked memory",
        "limitmemlock0",
        "usb gadget",
        "apple",
        "sliceuser",
        "descriptionuuid",
        "compatibility",
        "typerpcpipefs",
        "vmsvga",
        "hypervisor",
        "usr1",
        "mgmt appuser",
        "dac permission",
        "selinux",
        "xxx someone",
        "qemu",
        "machine tools",
        "vmware tools",
        "pidfilerunvpnc",
        "wacom",
        "iface d",
        "dspeed u",
        "iface",
        "descriptionwpa",
        "oracle",
        "reserved",
        "wong",
        "emailaddr",
        "tunnel protocol",
        "l2tp",
        "isps",
        "russia use",
        "ipsec",
        "d optxplico",
        "b sqlite",
        "descriptionxrdp",
        "xrdpoptions",
        "process",
        "sesmanoptions",
        "zpoolimportopts",
        "an o",
        "t scrub",
        "usrbinzpool",
        "zfs volume",
        "descriptionzfs",
        "f restartalways",
        "remainafterexit",
        "nmbdoptions",
        "smbdoptions",
        "successaction",
        "winbindoptions",
        "ck id",
        "hybrid analysis",
        "mitre att",
        "malicious",
        "sdshared ansi",
        "default und",
        "func global",
        "func local",
        "object local",
        "general",
        "show technique",
        "ck matrix",
        "tasksmax33",
        "empty file",
        "proxycommand",
        "checkhostip",
        "afunix",
        "afvsock",
        "allow",
        "r table",
        "chkbootcheck",
        "gplv2 source",
        "chkbootstyles",
        "etcissue",
        "partition",
        "minimizebest",
        "mit no",
        "match",
        "link",
        "namepolicykeep",
        "ethernet link",
        "kindveth nameve",
        "kindveth namevb",
        "keepmasteryes",
        "dhcpv4",
        "kindsit name6rd",
        "ipv4ll",
        "ipv6ll",
        "dhcpipv6ra",
        "dhcpv6",
        "typeether",
        "dhcpyes",
        "usetimezoneyes",
        "typewlan",
        "tuntap",
        "natdhcp",
        "kindtun namevt",
        "kind",
        "originalname",
        "definedby",
        "peer",
        "sopeergroups",
        "dbus protocol",
        "dbus name",
        "exec",
        "hup signal",
        "sighup",
        "dnssec",
        "sessionid",
        "seatid",
        "sleep",
        "leader",
        "jobresult",
        "coredumppid",
        "coredumpcomm",
        "junit",
        "na zapusk",
        "mikrasiekund",
        "enhed",
        "mikrosekunder",
        "opstart",
        "jobid",
        "a rendszer",
        "ezredmsodpercet",
        "a rendszernapl",
        "user manager",
        "smack",
        "lunit",
        "stato",
        "il processo",
        "il sistema",
        "stata",
        "le processus",
        "notez que",
        "jedinica",
        "zapamtite da",
        "nova",
        "jednostka",
        "prosz zauway",
        "zwykle wskazuje",
        "jest",
        "o processo",
        "processo",
        "isso",
        "inicializao",
        "journal",
        "sizelimit",
        "userid",
        "prozess",
        "speicherabbild",
        "hinweis auf",
        "programmfehler",
        "fehler dem",
        "die systemzeit",
        "realtime"
      ],
      "references": [
        "Hunting_B64Engine_DotNetToJScript_Dos.yar",
        "APT_Backdoor_PS1_BASICPIPESHELL_1.yar",
        "apt_sandworm_exim_expl.yar.002",
        "apt_sandworm_exim_expl.yar.001",
        "apt_sandworm_exim_expl.yar",
        "connect.php",
        "connect.php.002",
        "connect.php.001",
        "crypto-miner.js",
        "eicar",
        "eicar.001",
        "eicar.002",
        "custom.py",
        "eicar.txt",
        "expl_cve_2021_40444.yar.001",
        "expl_cve_2021_40444.yar.002",
        "getPerms.php",
        "input.pcap",
        "list.php",
        "parent.php",
        "payload.php",
        "payload.php.001",
        "kingdee-erp-rce.yaml",
        "payload.php.003",
        "payload.php.002",
        "payload.php.004",
        "payload.php.005",
        "payload.php.006",
        "payload.php.007",
        "payload.php.008",
        "payload.php.010",
        "payload.php.011",
        "payload.php.009",
        "payload.php.012",
        "payload.php.013",
        "payload.php.015",
        "payload.php.016",
        "payload.php.017",
        "reverse_tcp.py",
        "scanner.php",
        "search.php",
        "setdb.php",
        "payload.php.014",
        "setdb.php.001",
        "reader.php",
        "single.php",
        "resolv.conf",
        "systemd-update-helper",
        "90-systemd.preset",
        "60-flatpak",
        "app.slice",
        "background.slice",
        "README.md",
        "bluetooth.target",
        "basic.target",
        "borgmatic-user.timer",
        "borgmatic-user.service",
        "cape.service",
        "cape-dist.service",
        "cape-processor.service",
        "cape-rooter.service",
        "capsule@.target",
        "cape-web.service",
        "clash.service",
        "colord-session.service",
        "dbus.socket",
        "cape-fstab.service",
        "dbus.service",
        "dbus-broker.service",
        "dconf.service",
        "dirmngr.service",
        "default.target",
        "drkonqi-coredump-cleanup.service",
        "dirmngr.socket",
        "drkonqi-coredump-cleanup.timer",
        "drkonqi-coredump-launcher.socket",
        "drkonqi-sentry-postman.path",
        "drkonqi-coredump-pickup.service",
        "drkonqi-sentry-postman.service",
        "drkonqi-sentry-postman.timer",
        "drkonqi-coredump-launcher@.service",
        "dunst.service",
        "flatpak-oci-authenticator.service",
        "filter-chain.service",
        "exit.target",
        "flatpak-session-helper.service",
        "fluidsynth.service",
        "gcr-ssh-agent.socket",
        "flatpak-portal.service",
        "gcr-ssh-agent.service",
        "gnome-keyring-daemon.service",
        "glib-pacrunner.service",
        "gnome-keyring-daemon.socket",
        "gpg-agent-ssh.socket",
        "gnome-terminal-server.service",
        "gpg-agent-extra.socket",
        "gpg-agent.service",
        "gpg-agent.socket",
        "gpg-agent-browser.socket",
        "graphical-session-pre.target",
        "graphical-session.target",
        "gssuserproxy.socket",
        "guacd.service",
        "gvfs-gphoto2-volume-monitor.service",
        "gvfs-daemon.service",
        "gssuserproxy.service",
        "gvfs-afc-volume-monitor.service",
        "gvfs-metadata.service",
        "jack@.service",
        "guac-web.service",
        "gvfs-udisks2-volume-monitor.service",
        "gvfs-mtp-volume-monitor.service",
        "kde-baloo.service",
        "keyboxd.service",
        "kio-fuse.service",
        "keyboxd.socket",
        "p11-kit-server.service",
        "p11-kit-server.socket",
        "paths.target",
        "pipewire.socket",
        "pipewire-pulse.service",
        "plasma-gmenudbusmenuproxy.service",
        "pipewire-pulse.socket",
        "plasma-baloorunner.service",
        "plasma-kcminit.service",
        "plasma-dolphin.service",
        "plasma-kcminit-phase1.service",
        "plasma-core.target",
        "plasma-kded.service",
        "pipewire.service",
        "plasma-kded6.service",
        "plasma-kglobalaccel.service",
        "at-spi-dbus-bus.service",
        "plasma-krunner.service",
        "plasma-kscreen.service",
        "plasma-kscreen-osd.service",
        "plasma-ksmserver.service",
        "plasma-ksplash.service",
        "plasma-ksplash-ready.service",
        "plasma-ksystemstats.service",
        "plasma-kwallet-pam.service",
        "plasma-kwin_wayland.service",
        "plasma-kwin_x11.service",
        "plasma-plasmashell.service",
        "plasma-polkit-agent.service",
        "plasma-powerdevil.service",
        "plasma-powerprofile-osd.service",
        "plasma-restoresession.service",
        "plasma-workspace.target",
        "plasma-workspace-wayland.target",
        "plasma-workspace-x11.target",
        "plasma-xdg-desktop-portal-kde.service",
        "plasma-xembedsniproxy.service",
        "podman.service",
        "podman.socket",
        "podman-auto-update.service",
        "podman-auto-update.timer",
        "podman-kube@.service",
        "podman-restart.service",
        "printer.target",
        "pulseaudio.service",
        "pulseaudio.socket",
        "pulseaudio-x11.service",
        "session.slice",
        "shutdown.target",
        "smartcard.target",
        "sockets.target",
        "sound.target",
        "ssh-agent.service",
        "suricata.service",
        "suricata-update.service",
        "suricata-update.timer",
        "systemd-exit.service",
        "systemd-tmpfiles-clean.service",
        "systemd-tmpfiles-clean.timer",
        "systemd-tmpfiles-setup.service",
        "thunar.service",
        "timers.target",
        "tracker-xdg-portal-3.service",
        "tumblerd.service",
        "wireplumber.service",
        "wireplumber@.service",
        "xdg-desktop-autostart.target",
        "xdg-desktop-portal.service",
        "xdg-desktop-portal-gtk.service",
        "xdg-desktop-portal-hyprland.service",
        "xdg-desktop-portal-rewrite-launchers.service",
        "xdg-desktop-portal-xapp.service",
        "xdg-permission-store.service",
        "xdg-user-dirs-update.service",
        "xfce4-notifyd.service",
        "xsettingsd.service",
        "xdg-document-portal.service",
        "https://hybrid-analysis.com/sample/b1a9e5be43c028442c07071e202f44f33e3a2df167822c5cfed8f998e01fe169/661da09794b343782806018e",
        "defaults.conf",
        "apparmor.conf",
        "nvidia",
        "tlp",
        "fwupd.shutdown",
        "mdadm.shutdown",
        "99-default.preset",
        "50-zfs.preset",
        "ibft-rule-generator",
        "10-arch",
        "60-flatpak-system-only",
        "3proxy.service",
        "apache-tika.service",
        "apparmor.service",
        "arch-audit.service",
        "arch-audit.timer",
        "NetworkManager-dispatcher.service",
        "NetworkManager-wait-online.service",
        "NetworkManager.service",
        "SUSE-mdadm_env.sh",
        "ModemManager.service",
        "3proxy.conf",
        "archlinux-keyring-wkd-sync.service",
        "adsl.service",
        "accounts-daemon.service",
        "adb.service",
        "alsa-restore.service",
        "alsa-state.service",
        "archlinux-keyring-wkd-sync.timer",
        "ananicy-cpp.service",
        "arcolinux-graphical-target.service",
        "atftpd.service",
        "audit-rules.service",
        "auditd.service",
        "auth-rpcgss-module.service",
        "autorandr.service",
        "autorandr-lid-listener.service",
        "autovt@.service",
        "avahi-daemon.service",
        "avahi-daemon.socket",
        "avahi-dnsconfd.service",
        "bettercap.service",
        "betterlockscreen@.service",
        "blk-availability.service",
        "blockdev@.target",
        "bluetooth.service",
        "bmc-watchdog.service",
        "bolt.service",
        "boot-complete.target",
        "borgmatic.service",
        "borgmatic.timer",
        "bpftune.service",
        "btrfs-scrub@.service",
        "btrfs-scrub@.timer",
        "canberra-system-bootup.service",
        "canberra-system-shutdown.service",
        "canberra-system-shutdown-reboot.service",
        "capsule.slice",
        "capsule@.service",
        "celery2@.service",
        "celery@.service",
        "chkboot.service",
        "clamav-clamonacc.service",
        "clamav-daemon.service",
        "clamav-daemon.socket",
        "clamav-freshclam.service",
        "clamav-freshclam-once.service",
        "clamav-freshclam-once.timer",
        "clamav-unofficial-sigs.service",
        "clamav-unofficial-sigs.timer",
        "clash@.service",
        "cntlm.service",
        "colord.service",
        "configure-printer@.service",
        "console-getty.service",
        "container-getty@.service",
        "containerd.service",
        "couchdb.service",
        "cpupower.service",
        "create_ap.service",
        "cronie.service",
        "cryptsetup.target",
        "cryptsetup-pre.target",
        "ctrl-alt-del.target",
        "cups.path",
        "cups.service",
        "cups.socket",
        "cups-lpd.socket",
        "cups-lpd@.service",
        "cxl-monitor.service",
        "darkstat.service",
        "daxdev-reconfigure@.service",
        "dbus-org.freedesktop.hostname1.service",
        "dbus-org.freedesktop.import1.service",
        "dbus-org.freedesktop.locale1.service",
        "dbus-org.freedesktop.login1.service",
        "dbus-org.freedesktop.machine1.service",
        "dbus-org.freedesktop.portable1.service",
        "dbus-org.freedesktop.timedate1.service",
        "debug-shell.service",
        "dev-hugepages.mount",
        "dev-mqueue.mount",
        "dhclient@.service",
        "dhcpd4.service",
        "dhcpd6.service",
        "dirmngr@.service",
        "dirmngr@.socket",
        "dm-event.service",
        "dm-event.socket",
        "dmraid.service",
        "dnscrypt-proxy.service",
        "dnsmasq.service",
        "docker.service",
        "docker.socket",
        "drkonqi-coredump-processor@.service",
        "e2scrub@.service",
        "e2scrub_all.service",
        "e2scrub_all.timer",
        "e2scrub_fail@.service",
        "e2scrub_reap.service",
        "ead.service",
        "elasticsearch.service",
        "elasticsearch-keystore.service",
        "elasticsearch-keystore@.service",
        "elasticsearch@.service",
        "emergency.service",
        "emergency.target",
        "epmd.service",
        "epmd.socket",
        "exabgp.service",
        "factory-reset.target",
        "fancontrol.service",
        "fastnetmon.service",
        "final.target",
        "finger.socket",
        "finger@.service",
        "first-boot-complete.target",
        "flatpak-system-helper.service",
        "freeradius.service",
        "fsidd.service",
        "fstrim.service",
        "fstrim.timer",
        "ftpd.service",
        "fwupd.service",
        "fwupd-offline-update.service",
        "fwupd-refresh.service",
        "fwupd-refresh.timer",
        "geoclue.service",
        "geoipupdate.service",
        "geoipupdate.timer",
        "getty.target",
        "getty-pre.target",
        "getty@.service",
        "git-daemon.socket",
        "git-daemon@.service",
        "gnupg-pkcs11-scd-proxy.service",
        "gpg-agent-browser@.socket",
        "gpg-agent-extra@.socket",
        "gpg-agent-ssh@.socket",
        "gpg-agent@.service",
        "gpg-agent@.socket",
        "gpm.path",
        "gpm.service",
        "gpsd.service",
        "gpsd.socket",
        "gpsdctl@.service",
        "graphical.target",
        "greenbone-certdata-sync.service",
        "greenbone-certdata-sync.timer",
        "greenbone-feed-sync.service",
        "greenbone-feed-sync.timer",
        "greenbone-nvt-sync.service",
        "greenbone-nvt-sync.timer",
        "greenbone-scapdata-sync.service",
        "greenbone-scapdata-sync.timer",
        "gssproxy.service",
        "gvmd.service",
        "halt.target",
        "healthd.service",
        "hibernate.target",
        "hostapd.service",
        "hostapd@.service",
        "httpd.service",
        "hv_fcopy_daemon.service",
        "hv_kvp_daemon.service",
        "hv_vss_daemon.service",
        "hybrid-sleep.target",
        "i2pd.service",
        "iiod.service",
        "initrd.target",
        "initrd-cleanup.service",
        "initrd-fs.target",
        "initrd-parse-etc.service",
        "initrd-root-device.target",
        "initrd-root-fs.target",
        "initrd-switch-root.service",
        "initrd-switch-root.target",
        "initrd-udevadm-cleanup-db.service",
        "initrd-usr-fs.target",
        "integritysetup.target",
        "integritysetup-pre.target",
        "iodined.service",
        "iodined.socket",
        "ip2clued.service",
        "ip6tables.service",
        "ipmidetectd.service",
        "ipmiseld.service",
        "iptables.service",
        "iscsi.service",
        "iscsi-init.service",
        "iscsid.service",
        "iscsid.socket",
        "iscsiuio.service",
        "iscsiuio.socket",
        "isnsd.service",
        "isnsd.socket",
        "iwd.service",
        "kcptun-server@.service",
        "kcptun@.service",
        "kexec.target",
        "keyboxd@.service",
        "keyboxd@.socket",
        "kmod-static-nodes.service",
        "krb5-kadmind.service",
        "krb5-kdc.service",
        "krb5-kpropd.service",
        "krb5-kpropd.socket",
        "krb5-kpropd@.service",
        "lastlog2-import.service",
        "ldconfig.service",
        "libvirt-guests.service",
        "libvirtd.service",
        "libvirtd.socket",
        "libvirtd-admin.socket",
        "libvirtd-ro.socket",
        "libvirtd-tcp.socket",
        "libvirtd-tls.socket",
        "lightdm.service",
        "lm_sensors.service",
        "local-fs.target",
        "local-fs-pre.target",
        "logrotate.service",
        "logrotate.timer",
        "lvm2-lvmpolld.service",
        "lvm2-lvmpolld.socket",
        "lvm2-monitor.service",
        "lxc.service",
        "lxc-auto.service",
        "lxc-monitord.service",
        "lxc-net.service",
        "lxc@.service",
        "lxdm.service",
        "ly.service",
        "lynis.service",
        "lynis.timer",
        "machine.slice",
        "machines.target",
        "man-db.service",
        "man-db.timer",
        "mariadb.service",
        "mariadb.socket",
        "mariadb-extra.socket",
        "mariadb-extra@.socket",
        "mariadb@.service",
        "mariadb@.socket",
        "mdadm-grow-continue@.service",
        "mdadm-last-resort@.service",
        "mdadm-last-resort@.timer",
        "mdcheck_continue.service",
        "mdcheck_continue.timer",
        "mdcheck_start.service",
        "mdcheck_start.timer",
        "mdmon@.service",
        "mdmonitor.service",
        "mdmonitor-oneshot.service",
        "mdmonitor-oneshot.timer",
        "memavaild.service",
        "mkinitcpio-generate-shutdown-ramfs.service",
        "modprobe@.service",
        "mongodb.service",
        "multi-user.target",
        "mysql.service",
        "mysqld.service",
        "named.service",
        "nbd.service",
        "nbd@.service",
        "ndctl-monitor.service",
        "neo4j.service",
        "netavark-dhcp-proxy.service",
        "netavark-dhcp-proxy.socket",
        "netdata.service",
        "network.target",
        "network-online.target",
        "network-pre.target",
        "nfs-blkmap.service",
        "nfs-client.target",
        "nfs-idmapd.service",
        "nfs-mountd.service",
        "nfs-server.service",
        "nfs-utils.service",
        "nfsdcld.service",
        "nfsv4-exportd.service",
        "nfsv4-server.service",
        "nftables.service",
        "nm-priv-helper.service",
        "nmb.service",
        "nohang.service",
        "nohang-desktop.service",
        "nscd.service",
        "nss-lookup.target",
        "nss-user-lookup.target",
        "ntpd.service",
        "ntpdate.service",
        "nvidia-hibernate.service",
        "nvidia-persistenced.service",
        "nvidia-powerd.service",
        "nvidia-resume.service",
        "nvidia-suspend.service",
        "nvmefc-boot-connections.service",
        "nvmf-autoconnect.service",
        "nvmf-connect.target",
        "nvmf-connect-nbft.service",
        "nvmf-connect@.service",
        "pacrunner.service",
        "ostree-boot-complete.service",
        "pacman-filesdb-refresh.timer",
        "pcscd.service",
        "passim.service",
        "pcscd.socket",
        "packagekit-offline-update.service",
        "phoronix-result-server.service",
        "paccache.timer",
        "plymouth-kexec.service",
        "pamac-cleancache.timer",
        "plymouth-quit.service",
        "partimaged.service",
        "plymouth-poweroff.service",
        "plymouth-read-write.service",
        "plymouth-quit-wait.service",
        "paccache.service",
        "plymouth-switch-root-initramfs.service",
        "ostree-remount.service",
        "plymouth-switch-root.service",
        "openvpn-client@.service",
        "podman-clean-transient.service",
        "pamac-offline-upgrade.service",
        "polkit.service",
        "postfix.service",
        "pam_namespace.service",
        "poweroff.target",
        "ppp@.service",
        "opensnitchd.service",
        "proc-fs-nfsd.mount",
        "proc-sys-fs-binfmt_misc.automount",
        "proc-sys-fs-binfmt_misc.mount",
        "phoromatic-server.service",
        "ptunnel.service",
        "openvpn-server@.service",
        "plymouth-halt.service",
        "pamac-cleancache.service",
        "plymouth-reboot.service",
        "ostree-state-overlay@.service",
        "ostree-finalize-staged.service",
        "postgresql.service",
        "phoromatic-client.service",
        "pamac-daemon.service",
        "pacman-filesdb-refresh.service",
        "packagekit.service",
        "pkgfile-update.service",
        "pkgfile-update.timer",
        "plymouth-start.service",
        "ostree-prepare-root.service",
        "ostree-finalize-staged.path",
        "privoxy.service",
        "ostree-finalize-staged-hold.service",
        "qemu-guest-agent.service",
        "quotaon.service",
        "quotaon-root.service",
        "quotaon@.service",
        "rabbitmq.service",
        "ras-mc-ctl.service",
        "rasdaemon.service",
        "rathole@.service",
        "ratholec@.service",
        "ratholes@.service",
        "rc-local.service",
        "rdnssd@.service",
        "reboot.target",
        "redis.service",
        "redis-sentinel.service",
        "reflector.service",
        "reflector.timer",
        "remote-cryptsetup.target",
        "remote-fs.target",
        "remote-fs-pre.target",
        "remote-veritysetup.target",
        "rescue.service",
        "rescue.target",
        "rfkill-block@.service",
        "rfkill-unblock@.service",
        "rlogin.socket",
        "rlogin@.service",
        "rpc-gssd.service",
        "rpc-statd.service",
        "rpc-statd-notify.service",
        "rpc_pipefs.target",
        "rpcbind.service",
        "rpcbind.socket",
        "rpcbind.target",
        "rsh.socket",
        "rsh@.service",
        "rsyncd.service",
        "rsyncd.socket",
        "rsyncd@.service",
        "rtkit-daemon.service",
        "runlevel0.target",
        "runlevel1.target",
        "runlevel2.target",
        "runlevel3.target",
        "runlevel4.target",
        "runlevel5.target",
        "runlevel6.target",
        "rwhod.service",
        "samba.service",
        "sddm.service",
        "seatd.service",
        "sensord.service",
        "serial-getty@.service",
        "shadow.service",
        "shadow.timer",
        "sigpwr.target",
        "slapd.service",
        "sleep.target",
        "slices.target",
        "smartd.service",
        "smb.service",
        "sndiod.service",
        "snmpd.service",
        "snmptrapd.service",
        "snort@.service",
        "snort@1000.service",
        "soft-reboot.target",
        "ssh-access.target",
        "sshd.service",
        "sshdgenkeys.service",
        "sshuttle.service",
        "sslh.service",
        "sslh-fork.service",
        "sslh-select.service",
        "storage-target-mode.target",
        "stunnel.service",
        "sudo_logsrvd.service",
        "suspend.target",
        "suspend-then-hibernate.target",
        "svnserve.service",
        "swap.target",
        "sys-fs-fuse-connections.mount",
        "sys-kernel-config.mount",
        "sys-kernel-debug.mount",
        "sys-kernel-tracing.mount",
        "sysinit.target",
        "syslog.socket",
        "system-systemd\\x2dcryptsetup.slice",
        "system-systemd\\x2dveritysetup.slice",
        "system-update.target",
        "system-update-cleanup.service",
        "system-update-pre.target",
        "systemd-ask-password-console.path",
        "systemd-ask-password-console.service",
        "systemd-ask-password-plymouth.path",
        "systemd-ask-password-plymouth.service",
        "systemd-ask-password-wall.path",
        "systemd-ask-password-wall.service",
        "systemd-backlight@.service",
        "systemd-battery-check.service",
        "systemd-binfmt.service",
        "systemd-bless-boot.service",
        "systemd-boot-check-no-failures.service",
        "systemd-boot-random-seed.service",
        "systemd-boot-update.service",
        "systemd-bootctl.socket",
        "systemd-bootctl@.service",
        "systemd-bsod.service",
        "systemd-confext.service",
        "systemd-coredump.socket",
        "systemd-coredump@.service",
        "systemd-creds.socket",
        "systemd-creds@.service",
        "systemd-firstboot.service",
        "systemd-fsck-root.service",
        "systemd-fsck@.service",
        "systemd-growfs-root.service",
        "systemd-growfs@.service",
        "systemd-halt.service",
        "systemd-hibernate.service",
        "systemd-hibernate-resume.service",
        "systemd-homed.service",
        "systemd-homed-activate.service",
        "systemd-homed-firstboot.service",
        "systemd-hostnamed.service",
        "systemd-hostnamed.socket",
        "systemd-hwdb-update.service",
        "systemd-hybrid-sleep.service",
        "systemd-importd.service",
        "systemd-initctl.service",
        "systemd-initctl.socket",
        "systemd-journal-catalog-update.service",
        "systemd-journal-flush.service",
        "systemd-journal-gatewayd.service",
        "systemd-journal-gatewayd.socket",
        "systemd-journal-remote.service",
        "systemd-journal-remote.socket",
        "systemd-journal-upload.service",
        "systemd-journald.service",
        "systemd-journald.socket",
        "systemd-journald-audit.socket",
        "systemd-journald-dev-log.socket",
        "systemd-journald-varlink@.socket",
        "systemd-journald@.service",
        "systemd-journald@.socket",
        "systemd-kexec.service",
        "systemd-localed.service",
        "systemd-logind.service",
        "systemd-machine-id-commit.service",
        "systemd-machined.service",
        "systemd-modules-load.service",
        "systemd-network-generator.service",
        "systemd-networkd.service",
        "systemd-networkd.socket",
        "systemd-networkd-persistent-storage.service",
        "systemd-networkd-wait-online.service",
        "systemd-networkd-wait-online@.service",
        "systemd-nspawn@.service",
        "systemd-oomd.service",
        "systemd-oomd.socket",
        "systemd-pcrextend.socket",
        "systemd-pcrextend@.service",
        "systemd-pcrfs-root.service",
        "systemd-pcrfs@.service",
        "systemd-pcrlock.socket",
        "systemd-pcrlock-file-system.service",
        "systemd-pcrlock-firmware-code.service",
        "systemd-pcrlock-firmware-config.service",
        "systemd-pcrlock-machine-id.service",
        "systemd-pcrlock-make-policy.service",
        "systemd-pcrlock-secureboot-authority.service",
        "systemd-pcrlock-secureboot-policy.service",
        "systemd-pcrlock@.service",
        "systemd-pcrmachine.service",
        "systemd-pcrphase.service",
        "systemd-pcrphase-initrd.service",
        "systemd-pcrphase-sysinit.service",
        "systemd-portabled.service",
        "systemd-poweroff.service",
        "systemd-pstore.service",
        "systemd-quotacheck.service",
        "systemd-quotacheck-root.service",
        "systemd-quotacheck@.service",
        "systemd-random-seed.service",
        "systemd-reboot.service",
        "systemd-remount-fs.service",
        "systemd-repart.service",
        "systemd-resolved.service",
        "systemd-rfkill.service",
        "systemd-rfkill.socket",
        "systemd-soft-reboot.service",
        "systemd-storagetm.service",
        "systemd-suspend.service",
        "systemd-suspend-then-hibernate.service",
        "systemd-sysctl.service",
        "systemd-sysext.service",
        "systemd-sysext.socket",
        "systemd-sysext@.service",
        "systemd-sysupdate.service",
        "systemd-sysupdate.timer",
        "systemd-sysupdate-reboot.service",
        "systemd-sysupdate-reboot.timer",
        "systemd-sysusers.service",
        "systemd-time-wait-sync.service",
        "systemd-timedated.service",
        "systemd-timesyncd.service",
        "systemd-tmpfiles-setup-dev.service",
        "systemd-tmpfiles-setup-dev-early.service",
        "systemd-tpm2-setup.service",
        "systemd-tpm2-setup-early.service",
        "systemd-udev-trigger.service",
        "systemd-udevd.service",
        "systemd-udevd-control.socket",
        "systemd-udevd-kernel.socket",
        "systemd-update-done.service",
        "systemd-update-utmp.service",
        "systemd-update-utmp-runlevel.service",
        "systemd-user-sessions.service",
        "systemd-userdbd.service",
        "systemd-userdbd.socket",
        "systemd-vconsole-setup.service",
        "systemd-vmspawn@.service",
        "systemd-volatile-root.service",
        "systemd-zram-setup@.service",
        "talk.service",
        "talk.socket",
        "teamd@.service",
        "telnet.socket",
        "telnet@.service",
        "time-set.target",
        "time-sync.target",
        "tinc.service",
        "tinc@.service",
        "tinyproxy.service",
        "tlp.service",
        "tmp.mount",
        "tor.service",
        "tpm2.target",
        "udisks2.service",
        "udp2raw@.service",
        "ufw.service",
        "uksmd.service",
        "umount.target",
        "unbound.service",
        "updatedb.service",
        "updatedb.timer",
        "upower.service",
        "usb-gadget.target",
        "usb_modeswitch@.service",
        "usbipd.service",
        "usbmuxd.service",
        "user.slice",
        "user-runtime-dir@.service",
        "user@.service",
        "uuidd.service",
        "uuidd.socket",
        "var-lib-machines.mount",
        "var-lib-nfs-rpc_pipefs.mount",
        "vboxdrmclient.path",
        "vboxdrmclient.service",
        "vboxservice.service",
        "veritysetup.target",
        "veritysetup-pre.target",
        "virt-guest-shutdown.target",
        "virtchd.service",
        "virtchd.socket",
        "virtchd-admin.socket",
        "virtchd-ro.socket",
        "virtinterfaced.service",
        "virtinterfaced.socket",
        "virtinterfaced-admin.socket",
        "virtinterfaced-ro.socket",
        "virtlockd.service",
        "virtlockd.socket",
        "virtlockd-admin.socket",
        "virtlogd.service",
        "virtlogd.socket",
        "virtlogd-admin.socket",
        "virtlxcd.service",
        "virtlxcd.socket",
        "virtlxcd-admin.socket",
        "virtlxcd-ro.socket",
        "virtnetworkd.service",
        "virtnetworkd.socket",
        "virtnetworkd-admin.socket",
        "virtnetworkd-ro.socket",
        "virtnodedevd.service",
        "virtnodedevd.socket",
        "virtnodedevd-admin.socket",
        "virtnodedevd-ro.socket",
        "virtnwfilterd.service",
        "virtnwfilterd.socket",
        "virtnwfilterd-admin.socket",
        "virtnwfilterd-ro.socket",
        "virtproxyd.service",
        "virtproxyd.socket",
        "virtproxyd-admin.socket",
        "virtproxyd-ro.socket",
        "virtproxyd-tcp.socket",
        "virtproxyd-tls.socket",
        "virtqemud.service",
        "virtqemud.socket",
        "virtqemud-admin.socket",
        "virtqemud-ro.socket",
        "virtsecretd.service",
        "virtsecretd.socket",
        "virtsecretd-admin.socket",
        "virtsecretd-ro.socket",
        "virtstoraged.service",
        "virtstoraged.socket",
        "virtstoraged-admin.socket",
        "virtstoraged-ro.socket",
        "virtvboxd.service",
        "virtvboxd.socket",
        "virtvboxd-admin.socket",
        "virtvboxd-ro.socket",
        "vmtoolsd.service",
        "vmware-vmblock-fuse.service",
        "vpnc@.service",
        "wacom-inputattach@.service",
        "wg-quick.target",
        "wg-quick@.service",
        "winbind.service",
        "wondershaper.service",
        "wpa_supplicant.service",
        "wpa_supplicant-nl80211@.service",
        "wpa_supplicant-wired@.service",
        "wpa_supplicant@.service",
        "xfs_scrub@.service",
        "xfs_scrub_all.service",
        "xfs_scrub_all.timer",
        "xfs_scrub_fail@.service",
        "xl2tpd.service",
        "xplico.service",
        "xrdp.service",
        "xrdp-sesman.service",
        "yate.service",
        "zfs.target",
        "zfs-import.service",
        "zfs-import.target",
        "zfs-import-cache.service",
        "zfs-import-scan.service",
        "zfs-load-key.service",
        "zfs-mount.service",
        "zfs-scrub-monthly@.timer",
        "zfs-scrub-weekly@.timer",
        "zfs-scrub@.service",
        "zfs-share.service",
        "zfs-trim-monthly@.timer",
        "zfs-trim-weekly@.timer",
        "zfs-trim@.service",
        "zfs-volume-wait.service",
        "zfs-volumes.target",
        "zfs-zed.service",
        "plymouth.conf",
        "gpg-agent-ssh@etc-pacman.d-gnupg.socket",
        "keyboxd@etc-pacman.d-gnupg.socket",
        "dirmngr@etc-pacman.d-gnupg.socket",
        "gpg-agent-browser@etc-pacman.d-gnupg.socket",
        "gpg-agent-extra@etc-pacman.d-gnupg.socket",
        "gpg-agent@etc-pacman.d-gnupg.socket",
        "https://hybrid-analysis.com/sample/ff42428f0fcc346cc56e2b00d4b5c4bd43b55f3465b4ccab0efba9c88f4a1c03/661da0b063c895fc2d0a78dc",
        "https://hybrid-analysis.com/sample/9613dee39157b5f9935436b36647047e267b7c10fa4c7ab1fd995db681e58c12/661da5b202eaca78740cf4ed",
        "https://hybrid-analysis.com/sample/479a0170df010c5eb742ff1b8740a2ccf381df44c8a919c95d6e38685278e78a/661da5c768340c1e25092cb2",
        "50-rc_keymap.conf",
        "10-defaults.conf",
        "10-login-barrier.conf",
        "20-systemd-userdb.conf",
        "20-systemd-ssh-proxy.conf",
        "iptables-flush",
        "cpupower",
        "chkboot-bootcheck",
        "10-root.conf",
        "30-root-verity-sig.conf",
        "20-root-verity.conf",
        "80-systemd-timesync.list",
        "80-6rd-tunnel.link",
        "80-container-ve.network",
        "80-container-vb.network",
        "80-container-vz.link",
        "80-6rd-tunnel.network",
        "80-container-vz.network",
        "80-auto-link-local.network.example",
        "80-ethernet.network.example",
        "80-container-host0.network",
        "80-iwd.link",
        "80-container-vb.link",
        "80-vm-vt.link",
        "80-vm-vt.network",
        "80-wifi-adhoc.network",
        "80-wifi-ap.network.example",
        "80-wifi-station.network.example",
        "80-container-ve.link",
        "89-ethernet.network.example",
        "99-default.link",
        "dbus-broker.catalog",
        "dbus-broker-launch.catalog",
        "systemd.be.catalog",
        "systemd.be@latin.catalog",
        "systemd.da.catalog",
        "systemd.bg.catalog",
        "systemd.hu.catalog",
        "systemd.catalog",
        "systemd.it.catalog",
        "systemd.fr.catalog",
        "systemd.ko.catalog",
        "systemd.hr.catalog",
        "systemd.pl.catalog",
        "systemd.pt_BR.catalog",
        "systemd.ru.catalog",
        "systemd.sr.catalog",
        "systemd.zh_CN.catalog",
        "systemd.de.catalog",
        "systemd.zh_TW.catalog",
        "expl_cve_2021_40444.yar"
      ],
      "public": 1,
      "adversary": "Chinese Speaking",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "RemainAfterExit",
          "display_name": "RemainAfterExit",
          "target": null
        },
        {
          "id": "NMBDOPTIONS",
          "display_name": "NMBDOPTIONS",
          "target": null
        },
        {
          "id": "SMBDOPTIONS",
          "display_name": "SMBDOPTIONS",
          "target": null
        },
        {
          "id": "SuccessAction",
          "display_name": "SuccessAction",
          "target": null
        },
        {
          "id": "WINBINDOPTIONS",
          "display_name": "WINBINDOPTIONS",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1205",
          "name": "Traffic Signaling",
          "display_name": "T1205 - Traffic Signaling"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1543",
          "name": "Create or Modify System Process",
          "display_name": "T1543 - Create or Modify System Process"
        },
        {
          "id": "T1569",
          "name": "System Services",
          "display_name": "T1569 - System Services"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1114",
          "name": "Email Collection",
          "display_name": "T1114 - Email Collection"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 55,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Merkd1904",
        "id": "196517",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 123,
        "YARA": 16,
        "CVE": 4,
        "FileHash-SHA1": 25,
        "FileHash-SHA256": 20,
        "domain": 102,
        "URL": 16,
        "email": 9,
        "hostname": 4,
        "CIDR": 2
      },
      "indicator_count": 321,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 75,
      "modified_text": "767 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "64dd9c1d76a7807782a691d3",
      "name": "IOC's found on my personal devices; week starting 08/14/23",
      "description": "I had wrapped the majority of the files I'd run since the 14th into the Pulse of the same date, but at over 17k indicators I think it was time to put that one to rest. Obviously, time and life allowing, my intention is to keep updating and creating more of these as long as I'm kept flush with content. At current I'm pretty damned flush. This is just a preliminary dump of my /tmp folder on Arch. Part of the infection chain is process hollowing and then hijacking a program close to the user, with decent call ability to the rest of the system.",
      "modified": "2024-02-14T21:44:02.852000",
      "created": "2023-08-17T04:03:41.985000",
      "tags": [
        "o cloexec",
        "r procversion",
        "cachyos",
        "gnu ld",
        "gnu binutils",
        "microsoft",
        "f lockfd",
        "cygwin",
        "u respfd",
        "procselffd13",
        "procselffd14",
        "x8664",
        "uname",
        "linux",
        "getconf",
        "cpus32",
        "case",
        "m x8664",
        "s linux",
        "x8664 o",
        "z linux",
        "z x8664",
        "replying",
        "timing",
        "successfully",
        "shift",
        "procselffd16",
        "empty",
        "head",
        "dirty",
        "found",
        "splitting",
        "license",
        "index",
        "kill",
        "zfrm",
        "argv"
      ],
      "references": [
        ".ICE-unix",
        ".org.chromium.Chromium.12ZdF3",
        ".vbox-mrkd-ipc",
        "@tmp",
        ".org.chromium.Chromium.T2jdbS",
        ".X11-unix",
        "albert_yt_ynb2tftv",
        "fish.root",
        "20230816_202710-scantemp.b14ff4bc3a",
        "plasma-csd-generator.LTvjbT",
        "pytest-of-mrkd",
        "runtime-root",
        "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-ananicy-cpp.service-U5RKxp",
        ".org.chromium.Chromium.coQnti",
        "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-bluetooth.service-7fh2tg",
        "bauh@mrkd",
        "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-iwd.service-jnpcHR",
        ".org.chromium.Chromium.8GBhMA",
        "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-polkit.service-CfCUQZ",
        "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-systemd-logind.service-Q9OYbj",
        "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-power-profiles-daemon.service-hSCDr7",
        ".org.chromium.Chromium.HMzFxo",
        "Temp-0c3dc677-7d66-4234-b14e-f604605b2d0c",
        "tmp.D4NXyZ3U4J",
        "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-uksmd.service-oAjI9s",
        "Temp-0148ee46-b3e0-4c4b-aa55-b60c6b63eb6f",
        "tmp.ziktUZeKXL",
        "v8-compile-cache-0",
        "tmp90lfbdek",
        "tst-bz26353KOtJVp",
        "v8-compile-cache-1000",
        ".X0-lock",
        "gitstatus.POWERLEVEL9K.1000.6339.1692232717.2.xtrace.log",
        "Temp-4d7e99a7-2d45-4347-a3b6-b64e3ae65e2e",
        "gitstatus.POWERLEVEL9K.1000.6339.1692232717.1.xtrace.log",
        "gitstatus.POWERLEVEL9K.1000.8928.1692232861.2.xtrace.log",
        "gitstatus.POWERLEVEL9K.1000.8928.1692232861.1.daemon.log",
        "gitstatus.POWERLEVEL9K.1000.6339.1692232717.1.daemon.log",
        "gitstatus.POWERLEVEL9K.1000.6339.1692232717.2.daemon.log",
        "gitstatus.POWERLEVEL9K.1000.9950.1692233029.1.xtrace.log",
        "gitstatus.POWERLEVEL9K.1000.10525.1692233087.1.xtrace.log",
        "gitstatus.POWERLEVEL9K.1000.10291.1692217508.1.daemon.log",
        "gitstatus.POWERLEVEL9K.1000.9950.1692233029.1.daemon.log",
        "gitstatus.POWERLEVEL9K.1000.10858.1692217566.1.daemon.log",
        "gitstatus.POWERLEVEL9K.1000.11926.1692233325.1.daemon.log",
        "gitstatus.POWERLEVEL9K.1000.11270.1692217597.1.daemon.log",
        "gitstatus.POWERLEVEL9K.1000.12470.1692233381.1.xtrace.log",
        "gitstatus.POWERLEVEL9K.1000.8928.1692232861.2.daemon.log",
        "gitstatus.POWERLEVEL9K.1000.10858.1692217566.1.xtrace.log",
        "gitstatus.POWERLEVEL9K.1000.11926.1692233325.1.xtrace.log",
        "gitstatus.POWERLEVEL9K.1000.12928.1692233448.1.daemon.log",
        "gitstatus.POWERLEVEL9K.1000.10525.1692233087.1.daemon.log",
        "gitstatus.POWERLEVEL9K.1000.13309.1692233456.1.daemon.log",
        "gitstatus.POWERLEVEL9K.1000.13878.1692218150.1.daemon.log",
        "gitstatus.POWERLEVEL9K.1000.28823.1692223670.1.xtrace.log",
        "gitstatus.POWERLEVEL9K.1000.12470.1692233381.1.daemon.log",
        "gitstatus.POWERLEVEL9K.1000.23930.1692220492.1.xtrace.log",
        "gitstatus.POWERLEVEL9K.1000.13878.1692218150.1.xtrace.log",
        "gitstatus.POWERLEVEL9K.1000.28463.1692223667.1.xtrace.log",
        "gitstatus.POWERLEVEL9K.1000.75659.1692225165.1.xtrace.log",
        "gitstatus.POWERLEVEL9K.1000.28463.1692223667.1.daemon.log",
        "gitstatus.POWERLEVEL9K.1000.78332.1692225277.1.daemon.log",
        "gitstatus.POWERLEVEL9K.1000.82162.1692225750.1.xtrace.log",
        "gitstatus.POWERLEVEL9K.1000.81737.1692225737.1.daemon.log",
        "gitstatus.POWERLEVEL9K.1000.75659.1692225165.1.daemon.log",
        "gitstatus.POWERLEVEL9K.1000.81737.1692225737.1.xtrace.log",
        "gitstatus.POWERLEVEL9K.1000.78332.1692225277.1.xtrace.log",
        "gitstatus.POWERLEVEL9K.1000.82565.1692225764.1.daemon.log",
        "gitstatus.POWERLEVEL9K.1000.82565.1692225764.1.xtrace.log",
        "gitstatus.POWERLEVEL9K.1000.82162.1692225750.1.daemon.log",
        "gitstatus.POWERLEVEL9K.1000.83486.1692225808.1.daemon.log",
        "gitstatus.POWERLEVEL9K.1000.83486.1692225808.1.xtrace.log",
        "gitstatus.POWERLEVEL9K.1000.83038.1692225779.1.daemon.log",
        "gitstatus.POWERLEVEL9K.1000.83896.1692225820.1.daemon.log",
        "gitstatus.POWERLEVEL9K.1000.83038.1692225779.1.xtrace.log",
        "gitstatus.POWERLEVEL9K.1000.84305.1692225848.1.daemon.log",
        "gitstatus.POWERLEVEL9K.1000.84754.1692225891.1.daemon.log",
        "gitstatus.POWERLEVEL9K.1000.122089.1692235219.1.xtrace.log",
        "gitstatus.POWERLEVEL9K.1000.84305.1692225848.1.xtrace.log",
        "gitstatus.POWERLEVEL9K.1000.154521.1692237692.1.xtrace.log",
        "gitstatus.POWERLEVEL9K.1000.84754.1692225891.1.xtrace.log",
        "gitstatus.POWERLEVEL9K.1000.122089.1692235219.1.daemon.log",
        "gitstatus.POWERLEVEL9K.1000.155609.1692237756.1.xtrace.log",
        "gitstatus.POWERLEVEL9K.1000.83896.1692225820.1.xtrace.log",
        "gitstatus.POWERLEVEL9K.1000.237594.1692238521.1.xtrace.log",
        "gitstatus.POWERLEVEL9K.1000.154521.1692237692.1.daemon.log",
        "gitstatus.POWERLEVEL9K.1000.155609.1692237756.1.daemon.log",
        "gitstatus.POWERLEVEL9K.1000.237594.1692238521.1.daemon.log",
        "gitstatus.POWERLEVEL9K.1000.240024.1692238828.1.xtrace.log",
        "gitstatus.POWERLEVEL9K.1000.237952.1692238535.1.xtrace.log",
        "gitstatus.POWERLEVEL9K.1000.240024.1692238828.1.daemon.log",
        "gitstatus.POWERLEVEL9K.1000.241161.1692238939.1.xtrace.log",
        "gitstatus.POWERLEVEL9K.1000.240792.1692238921.1.daemon.log",
        "gitstatus.POWERLEVEL9K.1000.247194.1692239163.1.xtrace.log",
        "gitstatus.POWERLEVEL9K.1000.237952.1692238535.1.daemon.log",
        "gitstatus.POWERLEVEL9K.1000.248323.1692239206.1.xtrace.log",
        "gitstatus.POWERLEVEL9K.1000.247194.1692239163.1.daemon.log",
        "gitstatus.POWERLEVEL9K.1000.253137.1692239505.1.xtrace.log",
        "gitstatus.POWERLEVEL9K.1000.248323.1692239206.1.daemon.log",
        "gitstatus.POWERLEVEL9K.1000.263981.1692240121.1.daemon.log",
        "gitstatus.POWERLEVEL9K.1000.253137.1692239505.1.daemon.log",
        "gitstatus.POWERLEVEL9K.1000.263981.1692240117.1.xtrace.log",
        "gitstatus.POWERLEVEL9K.1000.263981.1692240121.1.xtrace.log",
        "gitstatus.POWERLEVEL9K.1000.267109.1692240136.1.xtrace.log",
        "gitstatus.POWERLEVEL9K.1000.267109.1692240136.1.daemon.log",
        "gitstatus.POWERLEVEL9K.1000.267109.1692240155.1.xtrace.log",
        "gitstatus.POWERLEVEL9K.1000.267109.1692240155.1.daemon.log",
        "gitstatus.POWERLEVEL9K.1000.267442.1692240150.1.xtrace.log",
        "gitstatus.POWERLEVEL9K.1000.267442.1692240143.1.xtrace.log",
        "gitstatus.POWERLEVEL9K.1000.263981.1692240117.1.daemon.log",
        "gitstatus.POWERLEVEL9K.1000.268412.1692240156.1.xtrace.log",
        "gitstatus.POWERLEVEL9K.1000.317097.1692240795.1.xtrace.log",
        "gitstatus.POWERLEVEL9K.1000.267442.1692240150.1.daemon.log",
        "gitstatus.POWERLEVEL9K.1000.268412.1692240179.1.xtrace.log",
        "gitstatus.POWERLEVEL9K.1000.2586196.1692243336.1.xtrace.log",
        "gitstatus.POWERLEVEL9K.1000.268412.1692240179.1.daemon.log",
        "gitstatus.POWERLEVEL9K.1000.345673.1692241474.1.daemon.log",
        "gitstatus.POWERLEVEL9K.1000.2703415.1692243471.1.daemon.log",
        "qtsingleapp-Notifi-4c42-3e8",
        "gitstatus.POWERLEVEL9K.1000.2588447.1692243345.1.xtrace.log",
        "memmemY_2MMv.c",
        "gitstatus.POWERLEVEL9K.1000.2586196.1692243336.1.daemon.log",
        "gitstatus.POWERLEVEL9K.1000.2703415.1692243471.1.xtrace.log",
        "qtsingleapp-Notifi-4c42-3e8-lockfile",
        "stdbool.hcc0B2j.c",
        "strlcatmMvE1V.c",
        "qtsingleapp-Octopi-1d88-3e8-lockfile",
        "strlcpydb8x03.c",
        "stdbool.ht64kj6qw.c",
        "qtsingleapp-Octopi-1d88-3e8",
        "gitstatus.POWERLEVEL9K.1000.267442.1692240143.1.daemon.log",
        "https://hybrid-analysis.com/sample/43b03483bf2b292ebb1b33469ab4b19e2ac84b1c86c0f34f60adab4bc64176b9",
        "https://hybrid-analysis.com/sample/320a60044adeccec22937423e859d2b095e976698133e37a83e019ce08c8bc0c",
        "https://hybrid-analysis.com/file-collection/64dfee6a3329552c91026445",
        "https://hybrid-analysis.com/sample/79e3317a07b12a977f7fda3463779055bbfec748e7fae4c2c1d1cb9bb8e408ca",
        "https://hybrid-analysis.com/sample/8c7c7246468ffeffe01617b597622cd237fa334fb24dc4977fcac398bbe0df80",
        "https://hybrid-analysis.com/sample/79e3317a07b12a977f7fda3463779055bbfec748e7fae4c2c1d1cb9bb8e408ca/64dff1fbeab7dc252b0e56a6",
        "https://www.virustotal.com/gui/file/79e3317a07b12a977f7fda3463779055bbfec748e7fae4c2c1d1cb9bb8e408ca/details",
        "https://otx.alienvault.com/indicator/file/5820da0bbae4f091dc0248e566d8f1076fd81485d1893effa14cdc1dc122f1fd"
      ],
      "public": 1,
      "adversary": "N/A",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "BV:TelegramBot-A\\ [Trj]",
          "display_name": "BV:TelegramBot-A\\ [Trj]",
          "target": null
        },
        {
          "id": "Ransom:Linux/DarkRadiation.A!MTB",
          "display_name": "Ransom:Linux/DarkRadiation.A!MTB",
          "target": "/malware/Ransom:Linux/DarkRadiation.A!MTB"
        },
        {
          "id": "SLF:MamacseMacro.A",
          "display_name": "SLF:MamacseMacro.A",
          "target": null
        },
        {
          "id": "TrojanDownloader:Linux/Morila!MTB",
          "display_name": "TrojanDownloader:Linux/Morila!MTB",
          "target": "/malware/TrojanDownloader:Linux/Morila!MTB"
        },
        {
          "id": "Backdoor:Win32/R2d2.A",
          "display_name": "Backdoor:Win32/R2d2.A",
          "target": "/malware/Backdoor:Win32/R2d2.A"
        },
        {
          "id": "Sf:ShellCode-DZ\\ [Trj]",
          "display_name": "Sf:ShellCode-DZ\\ [Trj]",
          "target": null
        },
        {
          "id": "NETexecutableMicrosoft",
          "display_name": "NETexecutableMicrosoft",
          "target": null
        },
        {
          "id": "TrojanDropper:Win32/FakeFlexnet.A",
          "display_name": "TrojanDropper:Win32/FakeFlexnet.A",
          "target": "/malware/TrojanDropper:Win32/FakeFlexnet.A"
        },
        {
          "id": "Delphi",
          "display_name": "Delphi",
          "target": null
        }
      ],
      "attack_ids": [],
      "industries": [
        "individuals"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 33,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 1,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Merkd1904",
        "id": "196517",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 206,
        "domain": 5129,
        "FileHash-MD5": 177,
        "FileHash-SHA1": 114,
        "URL": 646,
        "hostname": 2078,
        "CVE": 412,
        "email": 4
      },
      "indicator_count": 8766,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 82,
      "modified_text": "836 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "659a27b1d4043e822f444ce0",
      "name": "novel (at least in terms of initial hashing) linux backdoor: /usr/lib/libsystemd-shared-255.2-2",
      "description": "Still outside of my paygrade to be able to attribute it to even a family of malware, but it's definitely malicious. When pulling strings during initial investigation I was able to actually run the binary from the terminal, which opened the browser and printed this: :) man pagefile://_[0;1;36m_[0;1;90m_[0;1;38;5;245m%s%s#%20%s%s__Failed%20to%20read%20\"%s\":%20%mFailed%20to%20cat%20%s:%20%m_[0m____.rules.install.listenvironment.dudev/rules.dkernel/install.dsystemd/ntp-units.dendswith(*prefix,%20\"/\")Looking%20for%20configuration%20in:%20%20%20%s%s%s%20%20%20%s%s/*%sFailed%20to%20query%20file%20list:%20%mread():%20%mwrite():%20%m__unique_prefix__expr_6e%20==%20f->master_event_sourcefd%20==%20f->master__unique_prefix__expr_7e%20==%20f->stdin_event_sourcefd%20==%20f->input_fde%20==%20f->stdout_event_sourcefd%20==%20f->output_fdf->input_fd%20>=%200ptyfwd-stdinptyfwd-stdoutptyfwd-masterptyfwd-sigwinchlibqrencode.so.4libqrencode.so.3QRcode_encodeStringQRcode_free_[40;37;1m_[0m_____%s:______/run/systemd/reboot-param/sys/ker",
      "modified": "2024-02-14T21:43:40.597000",
      "created": "2024-01-07T04:25:21.009000",
      "tags": [
        "license",
        "gnu lesser",
        "general public",
        "free software",
        "foundation",
        "library url",
        "cflags",
        "sandbox",
        "malware",
        "analysis",
        "online",
        "submit",
        "vxstream",
        "sample",
        "download",
        "trojan",
        "apt",
        "memoryfile scan",
        "ansi",
        "file",
        "indicator",
        "ck id",
        "mitre att",
        "show technique",
        "ck matrix",
        "learn",
        "hybrid analysis",
        "suspicious",
        "code",
        "hybrid",
        "crypto",
        "close",
        "click",
        "strings",
        "malicious",
        "middle",
        "exploit",
        "gameover"
      ],
      "references": [
        "libsystemd.pc",
        "https://hybrid-analysis.com/sample/67c5f0f9649ab398e2fe6fdd586a0c2bf75454fa53d588196cea806665ad0983/659a1fbff70d457d2b04d747",
        "https://www.virustotal.com/gui/file/67c5f0f9649ab398e2fe6fdd586a0c2bf75454fa53d588196cea806665ad0983/behavior"
      ],
      "public": 1,
      "adversary": "Unknown - Chinese speaking",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Unknown",
          "display_name": "Unknown",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1205",
          "name": "Traffic Signaling",
          "display_name": "T1205 - Traffic Signaling"
        }
      ],
      "industries": [
        "individuals"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 19,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Merkd1904",
        "id": "196517",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 1,
        "domain": 1,
        "CVE": 2,
        "FileHash-MD5": 2,
        "FileHash-SHA1": 2,
        "FileHash-SHA256": 1
      },
      "indicator_count": 9,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 73,
      "modified_text": "836 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "65709ffcf3ffe737f8cb8dfd",
      "name": "IOC's found on my personal devices; week starting 08/14/23",
      "description": "",
      "modified": "2023-12-06T16:23:24.919000",
      "created": "2023-12-06T16:23:24.919000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 7,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "StreamMiningEx",
        "id": "262917",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 103,
        "hostname": 524,
        "domain": 1292,
        "FileHash-SHA256": 95,
        "FileHash-MD5": 54,
        "FileHash-SHA1": 39,
        "URL": 169,
        "email": 1
      },
      "indicator_count": 2277,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 110,
      "modified_text": "906 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "systemd.io",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "systemd.io",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780200369.773006
}