{ "type": "Domain", "indicator": "this.data", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/this.data", "alexa": "http://www.alexa.com/siteinfo/this.data", "indicator": "this.data", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 9504626, "indicator": "this.data", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 50, "pulses": [ { "id": "69eb254f17eb4a2a990f07e5", "name": "LevelBlue - Open Threat Exchange", "description": "[ As part of security research, we look at some of the most well-known vulnerabilities in the PDF ecosystem, and how they can be identified and mitigated, with the help of a simple hash.] [64xxxx]", "modified": "2026-05-28T07:10:11.800000", "created": "2026-04-24T08:09:51.488000", "tags": [ "pdfkit", "cve202225765", "exploit script", "github", "unicordev", "cves", "xml external", "entity", "pdfs", "knowledge base", "python", "mozilla", "virustotal", "cisa", "apple", "microsoft", "pdfkit ruby", "remote code", "execution", "urls", "malware", "raid", "caddywiper", "wipes", "cve202543529", "webkit", "february", "cve202620643", "bypass", "march", "webkit bug", "command", "control", "levelblue", "open threat" ], "references": [ "https://otx.alienvault.com/indicator/ip/198.49.23.145#:~:text=CIDR:%206%20%7C%20CVE:%20107,infrastructure%20into%20global%20botnet%20clusters." ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Wipes", "display_name": "Wipes", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1084, "FileHash-SHA1": 874, "FileHash-SHA256": 3052, "CVE": 36, "domain": 437, "hostname": 1086, "URL": 1411, "CIDR": 15, "email": 13 }, "indicator_count": 8008, "is_author": false, "is_subscribing": null, "subscriber_count": 70, "modified_text": "3 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a16a621eac2621d97ca6596", "name": "Credit Q.Vashti [\"Device Isolation | Lumen Technologies | Palantir and\"] clone by Q Vashti (researcher)", "description": "", "modified": "2026-05-27T08:25:07.936000", "created": "2026-05-27T08:06:57.005000", "tags": [ "url https", "url http", "tlsv1", "whitelisted", "united", "read c", "as15169", "stcalifornia", "execution", "dock", "write", "persistence", "malware", "encrypt", "active", "lumen technologies", "number", "error", "regexp", "sxa0", "amptoken", "optout", "retrieving", "notfound", "unknown", "form", "flash", "backdoor", "writeconsolew", "yara detections", "command line", "pdb path", "pe resource", "internalname", "windows command", "A", "aws", "name servers", "url analysis", "passive dns", "urls", "data upload", "extraction", "palantir", "c2", "aerospace", "tracking", "spywatchdog", "palapa-c2", "communications satellite", "amazon", "hughesnet", "icmp traffic", "washington c", "washington ou", "mopr", "mon jul", "local", "dynamic", "apple", "network", "t1057", "discovery", "t1069", "t1071", "protocol", "t1105", "tool transfer", "t1480", "guardrails", "t1566", "present jan", "unknown ns", "ip address", "dnssec", "domain", "dynamic dns", "government", "pcup", "germany unknown", "link", "dns hosting", "cloudns", "cloud dns", "a domains", "ipv4 add", "title", "meta", "class", "servers", "present aug", "aaaa", "present sep", "present nov", "present jul", "present may", "moved", "canada unknown", "begin", "record value", "gmt content", "type", "hostname add", "files", "ascii text", "pattern match", "href", "mitre att", "ck id", "ck matrix", "network traffic", "et info", "general", "path", "click", "learn", "command", "name tactics", "suspicious", "informative", "adversaries", "input url", "defense evasion", "france", "ireland", "netherlands", "denmark", "united kingdom", "type indicator", "role title", "added active", "savvis", "centurylinktechnology", "hybrid analysis", "monitoring tools", "monitored target", "triangulation", "worm", "intel", "ms windows", "pe32", "write c", "delete c", "show", "russia as47764", "unix", "lsan jose", "odigicert inc", "markus", "url add", "http", "related nids", "files location", "russia flag", "russia hostname", "russia", "russia unknown", "hosting", "federation flag", "body", "gmt vary", "accept encoding", "gmt cache", "certificate", "pulse submit", "unknown aaaa", "search", "entries", "script domains", "script urls", "pdx cf" ], "references": [ "\u2018Lumen Technologies\u2019 Acting as administrator of a targeted Apple IOS device", "Yare: compromised_site_redirector_fromcharcode", "Alerts: network_icmp nolookup_communication js_eval recon_fingerprint", "Alerts: console_output has_pdb pe_unknown_resource_name", "File Type PEXE - PE32+ executable (console) x86-64, for MS Windows ..", "Tipped: A targets AI and other cyber research findings.", "A \u2018Target\u2019 became a \u2018Target\u2019 vja close association to main Target of predatory retaliation campaign.", "track.spywarewatchdog.org \u2022 https://track.spywarewatchdog.org - monitoring software", "https://palapa.c.id\t (c.id)", "Containers-Pecorino.PalantirGov.com -pecorino.palantirgov.com", "cedevice.io \u2022 decagonsoftware.com", "http://applevless.dns-dynamic.net/\t\u2022 dns-dynamic.net", "http://www.pcup.gov.ph/images/2018/pdf/ComEnBancReso/Commission_Resolution_07s2018.PDF", "pcup.gov.ph:", "http://www.pcup.gov.ph/images/pdf/Contract_of_SecurityServices2013.pdf pcup.gov.ph:", "https://pcup.gov.ph/375 pcup.gov.ph: | https://www.pcup.gov.ph/ pcup.gov.ph:", "https://elegantcosmedampyeah.pages.dev/", "https://www.ptv.vic.gov.au/more/travelling-on-the-network/lets-go/", "inst.govelopscold.com", "https://feedback.ptv.vic.gov.au/360", "nginx-php.7d4jelnf.trdlpbvl.sdp3.sdp.vic.gov.au", "nginx-php.standby.content-premier-vic-gov-au.sdp3.sdp.vic.gov.au", "https://hybrid-analysis.com/sample/a16d11910953b800369dbb667f178b3cc45cb8e3315217c0e6ceac68eeba206d", "https://brand.centurylinktechnology.com", "https://prod.centurylinktechnology.com", "https://brand2.centurylinktechnology.com", "https://mobile-pocket-guide.centurylinktechnology.com", "UPX_OEP_place", "Russia or Muskware? URL http://store.7box.vip/ad/C467F60A1AD6.Jpeg", "ASP. NET", "https://connect.facebook.net/en_US/sdk.js#xfbml=1&version=v4.0&appId=705930270206797&autoLogAppEvents=1 Akamai rank:", "7box.vip" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan.Tofsee/Botx", "display_name": "Trojan.Tofsee/Botx", "target": null }, { "id": "ALF:JASYP:Trojan:Win32/IRCbot!atmn", "display_name": "ALF:JASYP:Trojan:Win32/IRCbot!atmn", "target": null }, { "id": "PWS:Win32/Axespec.A", "display_name": "PWS:Win32/Axespec.A", "target": "/malware/PWS:Win32/Axespec.A" }, { "id": "Worm:Win32/Lightmoon.H", "display_name": "Worm:Win32/Lightmoon.H", "target": "/malware/Worm:Win32/Lightmoon.H" } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1439", "name": "Eavesdrop on Insecure Network Communication", "display_name": "T1439 - Eavesdrop on Insecure Network Communication" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1069.003", "name": "Cloud Groups", "display_name": "T1069.003 - Cloud Groups" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [], "TLP": "green", "cloned_from": "697cdce9ec418c422eee2054", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 102, "FileHash-SHA1": 59, "FileHash-SHA256": 1929, "domain": 854, "hostname": 2156, "URL": 4475, "SSLCertFingerprint": 9, "email": 8, "CVE": 2 }, "indicator_count": 9594, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "4 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69e434769e2a43c088066ca2", "name": "Kraddare \u2022 Agent Tesla \u2022 CVE Jar clone credit octoseek", "description": "", "modified": "2026-05-19T00:09:08.840000", "created": "2026-04-19T01:48:38.335000", "tags": [ "heur", "cisco umbrella", "site", "alexa top", "malware", "million", "xcnfe", "maltiverse", "malware site", "safe site", "malicious", "trojan", "artemis", "vidar", "redline stealer", "raccoon", "keylogger", "riskware", "agent tesla", "remcos", "stealer", "miner", "hacktool", "bank", "agenttesla", "agent", "unknown", "downloader", "unsafe", "detplock", "networm", "win64", "service", "smokeloader", "dropper", "crack", "alexa", "trojanspy", "detection list", "blacklist https", "kyriazhs1975", "noname057", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "blacklist", "cyber threat", "united", "engineering", "phishing", "covid19", "facebook", "phishing site", "paypal", "njrat", "emotet", "nanocore rat", "meterpreter", "azorult", "download", "msil", "bladabindi", "mirai", "pony", "nanocore", "bradesco", "cobalt strike", "cve201711882", "redline", "ssl certificate", "tsara brashears", "cyberstalking", "spyware", "apple ios", "quasar", "ransomware", "malware norad", "cry kill", "attack", "installer", "formbook", "lockbit", "open", "banker", "bazarloader", "core", "ransomexx", "name verdict", "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "script", "beginstring", "ascii text", "null", "date", "error", "span", "refresh", "class", "generator", "critical", "body", "look", "verify", "restart", "meta", "hybrid", "general", "click", "strings", "tools", "as141773", "as63932", "moved", "passive dns", "search", "entries", "gmt content", "type", "keep alive", "scan endpoints", "all octoseek", "pulse pulses", "as17806 mango", "blacklist http", "phishtank", "malicious site", "apple", "blockchain", "runescape", "twitter", "qakbot", "asyncrat", "team", "internet storm", "generic", "union", "bazaloader", "media", "generic malware", "hostname", "suppobox", "netwire rc", "installcore", "conduit", "iobit", "mediaget", "outbreak", "acint", "installpack", "phish", "rostpay", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "filetour", "wacatac", "fusioncore", "dapato", "cleaner", "softonic", "encpk", "qbot", "predator", "swrort", "kraddare", "systweak", "dllinject", "driverpack", "iframe", "downldr", "presenoker", "as61317", "asnone united", "urls", "files", "next", "as15169 google", "japan unknown", "as17506 arteria", "as32244 liquid", "as49505", "russia unknown", "expired", "domain", "falcon", "as19969", "ipv4", "ransom", "encrypt", "file", "windows nt", "indicator", "response", "appdata", "gmt contenttype", "png image", "local", "contacted", "fali malicious", "dropped", "communicating", "referrer", "fali contacted", "silk road", "immediate", "cymulate2", "tsara brashears", "malvertizing" ], "references": [ "https://wallpapers-nature.com/tsara-brashears/urlscan-io", "alohatube.xyz", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "http://alohatube.xyz/search/tsara-brashears", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "ww.google.com.uy", "https://alohatube.xyz/search/tsara-brashears", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "https://polling.portal.gov.bd/js/npc.script.js", "polling.portal.gov.bd", "https://polling.portal.gov.bd/js/npop.script.js", "http://watchhers.net/index.php", "https://brandyallen.com/2022/11/23/sexy", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "http://park.above.com/jr.php?gz=DjDNgvDQ0WlpBALxevxSvkF3jBH95b5riUvmgFjb1tbPDV06suYFlRcPA34ufLE5UZ8spiM7ya7tRXR8nLUgk920DSaIXniiR5hkoveznG%20mez7OU5R%20HKIczV475LuRwxm3J1pcRSpQcePtF/4aD%20frLO%205mYc0Maj8Z1IwBeAMESc9Gk3BzCkGUHNVeCAZ9vZrQhEeVvN%20QVBAu1boZNJTnvCAP0lB5ebMSP92bFHD/ItyL53LoVDSYWMd64KTNMMJaXE0kZVqQn/%20STriQbrA6cmW3Xj4sAJ3XXEbNNJzTbIvgsy00PlKWInEUK/iXzVecaBsXg3vkUcvkeM3HPPIajaBexXO7ATYz/qTeKAksI9l2IoDAsn0S9BYCTuP8uTYdgJAv0LO%20MkNBOrSqJnFQzTlNxG4NRSP6K4VDWklVPpCwQc/s/AfrwIdLcdrV6CQDLaluG1naOjXDc", "http://nhrc.portal.gov.bd/sites/default/files/files/nhrc.portal.gov.bd/page/348ec5eb_22f8_4754_bb62_6a0d15ba1513/Study-Report-on-Sexual-Offences_Final.pdf", "https://twitter.com/PORNO_SEXYBABES", "https://alohatube.xyz/search/sex-mom-dog-animal", "https://www.colorfulbox.jp/", "Hybrid Analysis", "Any.run", "OTX AlienVault", "Urlscan", "UrlVoid", "http://emrd.gov.bd/dead.php", "http://titasgas.portal.gov.bd/dead.php", "http://mincom.gov.bd/dead.php", "http://cabinet.gov.bd/dead.php" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Malaysia", "Bangladesh" ], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Racoon Stealer", "display_name": "Racoon Stealer", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "njRAT - S0385", "display_name": "njRAT - S0385", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Bazaar Loader", "display_name": "Bazaar Loader", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Detplock", "display_name": "Detplock", "target": null }, { "id": "WannaCry Kill Switch", "display_name": "WannaCry Kill Switch", "target": null }, { "id": "Ghandi", "display_name": "Ghandi", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Swort", "display_name": "Swort", "target": null }, { "id": "Silk Road", "display_name": "Silk Road", "target": null }, { "id": "ALF:HeraklezEval:PUA:Win32/SpyrixKeylogger", "display_name": "ALF:HeraklezEval:PUA:Win32/SpyrixKeylogger", "target": null }, { "id": "Trojan:Win32/Wacatac", "display_name": "Trojan:Win32/Wacatac", "target": "/malware/Trojan:Win32/Wacatac" }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "Worm:VBS/Dapato", "display_name": "Worm:VBS/Dapato", "target": "/malware/Worm:VBS/Dapato" }, { "id": "Kraddare", "display_name": "Kraddare", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" } ], "industries": [], "TLP": "green", "cloned_from": "654a7a53317c717d1f4fee7f", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2522, "FileHash-SHA1": 862, "FileHash-SHA256": 2855, "URL": 7963, "domain": 1168, "hostname": 3181, "CVE": 13, "email": 2 }, "indicator_count": 18566, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "12 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "698e93e1ab02db8c49e8c3ed", "name": "\u201cBroken Seal\u201d DocuSign-themed Delivery with Fileless Process Hollowing (Zeppelin/Bloat-A)", "description": "Forensic analysis indicates a DocuSign-themed phishing campaign using a deliberately invalid X.509 PKI seal (\u201cBroken Seal\u201d) to trigger fail-open verification logic in automated handlers. The delivery mechanism bypasses Secure Email Gateway (SEG) reputation checks by using encrypted channels and human-gated infrastructure. The payload is a fileless Process Hollowing (RunPE) malware that injects into RWX memory of legitimate processes to evade disk-based EDR.", "modified": "2026-05-17T15:52:35.396000", "created": "2026-02-13T03:00:49.872000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr", "My Independent research finds an intersect between different pdf DV versions being able to connect to Raspberry Pi devices as it was the FCC application document. Risk: Mac ID connectivity to all." ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 28000, "FileHash-SHA256": 48374, "FileHash-MD5": 42596, "FileHash-SHA1": 23243, "hostname": 35654, "URL": 75758, "SSLCertFingerprint": 30, "CVE": 7585, "email": 316, "FileHash-IMPHASH": 8, "CIDR": 26205, "JA3": 1, "URI": 5, "IPv4": 574, "Mutex": 1 }, "indicator_count": 288350, "is_author": false, "is_subscribing": null, "subscriber_count": 92, "modified_text": "13 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d79c38e0a059039b475ebe", "name": "CAPE Sandbox", "description": "Email today from them on my line. Very wild things happening here. trying to close my line", "modified": "2026-05-09T12:10:59.635000", "created": "2026-04-09T12:31:52.495000", "tags": [ "html document", "unicode text", "utf8 text", "crlf", "lf line", "site", "meta", "verizon", "wireless", "internet", "phone services", "official", "shop verizon", "lte network", "get fios", "title", "code", "error", "utc na", "utc google", "tag manager", "gtmw2vn2cq", "utc dc9849921", "utc dc685973", "utc g12r1dx1lx7", "utc aw647962234", "utc aw2761768", "utc aw685973", "verizon business", "verizon for business", "verizon business account", "verizon business phone", "verizon wireless for business", "verizon business service", "verizon business plan", "business internet services", "learn", "gartner", "contact", "find", "discover", "support", "close log", "shop", "upgrade", "small", "voice", "chat", "mitre attack", "network info", "program", "html page", "t1055 process", "overview", "processes extra", "overview zenbox", "verdict", "guest system", "phishing", "next", "ver2", "msclkidn", "utc amazon", "analytics na", "utc bing", "vids1", "vids0", "gdlname" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/edb4c21d60daa44b3429e7ba9bfa342759ebef23c136c934f74aef145453ce19_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775737365&Signature=S%2B7RcHYjab1hbKlKwFfvUbDirFPJS1A2TJQ3bVIObMcON4PD9pRDvhMtYMCnEBrYsICi0UJCFW5eUDolL5Jlbngsc587kF36vvuhlkPprbkSOY1jOyDTpe3Qsb6jRFz3xwOfZc9S5QervoLnRKb%2FyGSyZE6ZK6TxzBrOPczPtZ7sLf9NfD6E%2B2gMRXaRjEqVwVITLG7YqCiiNuohFOuNlK3uNHFpIk53viKvBSAIqLtSklH9bHW4q1DX", "https://www.verizon.com/business/", "https://vtbehaviour.commondatastorage.googleapis.com/edb4c21d60daa44b3429e7ba9bfa342759ebef23c136c934f74aef145453ce19_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775737710&Signature=fbsokraSd7lsYmUfaTEl8Phs2K3hp7AtVmQU9axeEBcYmYbrrYrrfpP5lPEQaE%2Fh3%2BEP9Rn8mD8D1haqQVXCN0VVlxJ4sddjWmyC5USsgBsvUb0%2F72h1WHDS2KXHlteZWE%2Bauckabain9D5kX501AnqFY38s77OIqO6SMOkQ%2BvXiDSSRK%2FZhbfradBnei3ZLHsXGxkoshTyvB0%2BC%2F8SiUzdVsqSjik0Bn2r%2BIlLpDQK90GlZTD0N" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 772, "hostname": 706, "domain": 875, "FileHash-SHA256": 2348, "FileHash-MD5": 2237, "FileHash-SHA1": 2260, "CVE": 1, "email": 9 }, "indicator_count": 9208, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "22 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d7a3f4d72c30f9586634b9", "name": "VirusTotal report\n for flow-browser-main.zip", "description": "A sample of flow-browser-main, an unauthorised version of the web browser, has been detected by researchers at the University of California, Los Angeles, and the National Security Agency (NSA). myvzw.com after an email on ending a #", "modified": "2026-05-09T12:10:59.635000", "created": "2026-04-09T13:04:52.444000", "tags": [ "file type", "png image", "ascii", "ascii text", "java source", "json", "rgba", "creates", "crlf line", "mac os", "date", "malicious", "next", "button", "span", "edit3icon", "rotateccwicon", "xicon", "htmldivelement", "react", "saveicon", "null", "shortcutitem", "click", "zip archive", "png multimedia", "graphics" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739500&Signature=r1pLCgJf%2FQK8TvenCwXy9bnghFzjJ5QssdQSLP37SLv6EkA3WXuFUIvKrsXKokco7bMfQUy%2FArk8F6aP%2Bhaj16Jv7P%2FGB%2Blf7mPvs47VjwfBJRCP8AZLlWvO45%2BjC68v798csdJFPTP31O4yDOE3pXZ3EThm4nSrIwLPhTSPfi3cPlEh2wLSzcySW7BYLw%2BqCoawFCxeLUz7hIV0vC89Mlwi3DeS%2BEnWFF%2FsvT9lVJjdbLoJLEeO", "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739700&Signature=bOTo%2FxCpGDGOsIKJDZjBBhLZRg8UiOGi%2FvVr47Xpmh7tOh9dez7911bi%2F9SUdu4ATLhzRVog%2BdVP%2BUPwTuEfIdEcPuGRGVc1KOSP3fTQrKhRjF3x2dqykxVCH%2B1iqBmCgod%2B1uAdlraxqSOeOgst1l%2Bk250uXff4axktE%2BfGjeNDeGJao%2FfOMktqIL7zU8%2BIQYTObwelnnYx45FBSiXI1bWM4vhdgIX4cs2cT%2F" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 220, "FileHash-MD5": 562, "FileHash-SHA1": 566, "FileHash-SHA256": 1011, "URL": 125, "hostname": 139, "email": 4 }, "indicator_count": 2627, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "22 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d7a3f511d0121d253b753d", "name": "VirusTotal report\n for flow-browser-main.zip", "description": "A sample of flow-browser-main, an unauthorised version of the web browser, has been detected by researchers at the University of California, Los Angeles, and the National Security Agency (NSA). myvzw.com after an email on ending a #", "modified": "2026-05-09T12:10:59.635000", "created": "2026-04-09T13:04:53.436000", "tags": [ "file type", "png image", "ascii", "ascii text", "java source", "json", "rgba", "creates", "crlf line", "mac os", "date", "malicious", "next", "button", "span", "edit3icon", "rotateccwicon", "xicon", "htmldivelement", "react", "saveicon", "null", "shortcutitem", "click", "zip archive", "png multimedia", "graphics" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739500&Signature=r1pLCgJf%2FQK8TvenCwXy9bnghFzjJ5QssdQSLP37SLv6EkA3WXuFUIvKrsXKokco7bMfQUy%2FArk8F6aP%2Bhaj16Jv7P%2FGB%2Blf7mPvs47VjwfBJRCP8AZLlWvO45%2BjC68v798csdJFPTP31O4yDOE3pXZ3EThm4nSrIwLPhTSPfi3cPlEh2wLSzcySW7BYLw%2BqCoawFCxeLUz7hIV0vC89Mlwi3DeS%2BEnWFF%2FsvT9lVJjdbLoJLEeO", "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739700&Signature=bOTo%2FxCpGDGOsIKJDZjBBhLZRg8UiOGi%2FvVr47Xpmh7tOh9dez7911bi%2F9SUdu4ATLhzRVog%2BdVP%2BUPwTuEfIdEcPuGRGVc1KOSP3fTQrKhRjF3x2dqykxVCH%2B1iqBmCgod%2B1uAdlraxqSOeOgst1l%2Bk250uXff4axktE%2BfGjeNDeGJao%2FfOMktqIL7zU8%2BIQYTObwelnnYx45FBSiXI1bWM4vhdgIX4cs2cT%2F" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 224, "FileHash-MD5": 558, "FileHash-SHA1": 564, "FileHash-SHA256": 558, "URL": 140, "hostname": 166, "email": 2, "CVE": 8 }, "indicator_count": 2220, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "22 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d7a3f6657dd0c212d8344a", "name": "VirusTotal report\n for flow-browser-main.zip", "description": "A sample of flow-browser-main, an unauthorised version of the web browser, has been detected by researchers at the University of California, Los Angeles, and the National Security Agency (NSA). myvzw.com after an email on ending a #", "modified": "2026-05-09T12:10:59.635000", "created": "2026-04-09T13:04:54.060000", "tags": [ "file type", "png image", "ascii", "ascii text", "java source", "json", "rgba", "creates", "crlf line", "mac os", "date", "malicious", "next", "button", "span", "edit3icon", "rotateccwicon", "xicon", "htmldivelement", "react", "saveicon", "null", "shortcutitem", "click", "zip archive", "png multimedia", "graphics" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739500&Signature=r1pLCgJf%2FQK8TvenCwXy9bnghFzjJ5QssdQSLP37SLv6EkA3WXuFUIvKrsXKokco7bMfQUy%2FArk8F6aP%2Bhaj16Jv7P%2FGB%2Blf7mPvs47VjwfBJRCP8AZLlWvO45%2BjC68v798csdJFPTP31O4yDOE3pXZ3EThm4nSrIwLPhTSPfi3cPlEh2wLSzcySW7BYLw%2BqCoawFCxeLUz7hIV0vC89Mlwi3DeS%2BEnWFF%2FsvT9lVJjdbLoJLEeO", "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739700&Signature=bOTo%2FxCpGDGOsIKJDZjBBhLZRg8UiOGi%2FvVr47Xpmh7tOh9dez7911bi%2F9SUdu4ATLhzRVog%2BdVP%2BUPwTuEfIdEcPuGRGVc1KOSP3fTQrKhRjF3x2dqykxVCH%2B1iqBmCgod%2B1uAdlraxqSOeOgst1l%2Bk250uXff4axktE%2BfGjeNDeGJao%2FfOMktqIL7zU8%2BIQYTObwelnnYx45FBSiXI1bWM4vhdgIX4cs2cT%2F" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 217, "FileHash-MD5": 558, "FileHash-SHA1": 564, "FileHash-SHA256": 558, "URL": 118, "hostname": 133, "email": 2 }, "indicator_count": 2150, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "22 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d7a3f683111bbbe1c9ae35", "name": "VirusTotal report\n for flow-browser-main.zip", "description": "A sample of flow-browser-main, an unauthorised version of the web browser, has been detected by researchers at the University of California, Los Angeles, and the National Security Agency (NSA). myvzw.com after an email on ending a #", "modified": "2026-05-09T12:10:59.635000", "created": "2026-04-09T13:04:54.775000", "tags": [ "file type", "png image", "ascii", "ascii text", "java source", "json", "rgba", "creates", "crlf line", "mac os", "date", "malicious", "next", "button", "span", "edit3icon", "rotateccwicon", "xicon", "htmldivelement", "react", "saveicon", "null", "shortcutitem", "click", "zip archive", "png multimedia", "graphics" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739500&Signature=r1pLCgJf%2FQK8TvenCwXy9bnghFzjJ5QssdQSLP37SLv6EkA3WXuFUIvKrsXKokco7bMfQUy%2FArk8F6aP%2Bhaj16Jv7P%2FGB%2Blf7mPvs47VjwfBJRCP8AZLlWvO45%2BjC68v798csdJFPTP31O4yDOE3pXZ3EThm4nSrIwLPhTSPfi3cPlEh2wLSzcySW7BYLw%2BqCoawFCxeLUz7hIV0vC89Mlwi3DeS%2BEnWFF%2FsvT9lVJjdbLoJLEeO", "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739700&Signature=bOTo%2FxCpGDGOsIKJDZjBBhLZRg8UiOGi%2FvVr47Xpmh7tOh9dez7911bi%2F9SUdu4ATLhzRVog%2BdVP%2BUPwTuEfIdEcPuGRGVc1KOSP3fTQrKhRjF3x2dqykxVCH%2B1iqBmCgod%2B1uAdlraxqSOeOgst1l%2Bk250uXff4axktE%2BfGjeNDeGJao%2FfOMktqIL7zU8%2BIQYTObwelnnYx45FBSiXI1bWM4vhdgIX4cs2cT%2F" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 218, "FileHash-MD5": 558, "FileHash-SHA1": 564, "FileHash-SHA256": 558, "URL": 119, "hostname": 133, "email": 4 }, "indicator_count": 2154, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "22 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d7a3f6f81dc2388c0fa027", "name": "VirusTotal report\n for flow-browser-main.zip", "description": "A sample of flow-browser-main, an unauthorised version of the web browser, has been detected by researchers at the University of California, Los Angeles, and the National Security Agency (NSA). myvzw.com after an email on ending a #", "modified": "2026-05-09T12:10:59.635000", "created": "2026-04-09T13:04:54.563000", "tags": [ "file type", "png image", "ascii", "ascii text", "java source", "json", "rgba", "creates", "crlf line", "mac os", "date", "malicious", "next", "button", "span", "edit3icon", "rotateccwicon", "xicon", "htmldivelement", "react", "saveicon", "null", "shortcutitem", "click", "zip archive", "png multimedia", "graphics" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739500&Signature=r1pLCgJf%2FQK8TvenCwXy9bnghFzjJ5QssdQSLP37SLv6EkA3WXuFUIvKrsXKokco7bMfQUy%2FArk8F6aP%2Bhaj16Jv7P%2FGB%2Blf7mPvs47VjwfBJRCP8AZLlWvO45%2BjC68v798csdJFPTP31O4yDOE3pXZ3EThm4nSrIwLPhTSPfi3cPlEh2wLSzcySW7BYLw%2BqCoawFCxeLUz7hIV0vC89Mlwi3DeS%2BEnWFF%2FsvT9lVJjdbLoJLEeO", "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739700&Signature=bOTo%2FxCpGDGOsIKJDZjBBhLZRg8UiOGi%2FvVr47Xpmh7tOh9dez7911bi%2F9SUdu4ATLhzRVog%2BdVP%2BUPwTuEfIdEcPuGRGVc1KOSP3fTQrKhRjF3x2dqykxVCH%2B1iqBmCgod%2B1uAdlraxqSOeOgst1l%2Bk250uXff4axktE%2BfGjeNDeGJao%2FfOMktqIL7zU8%2BIQYTObwelnnYx45FBSiXI1bWM4vhdgIX4cs2cT%2F" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 218, "FileHash-MD5": 558, "FileHash-SHA1": 564, "FileHash-SHA256": 558, "URL": 119, "hostname": 133, "email": 4 }, "indicator_count": 2154, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "22 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d4f2d9ce86a445b484593b", "name": "VirusTotal report\n for sample.crx", "description": "A small sample of malware has been identified by researchers at the University of Oregon in the US, and the results are published on the web, as well as on Google's Chrome extension and other sites.", "modified": "2026-05-07T12:05:50.774000", "created": "2026-04-07T12:04:41.097000", "tags": [ "file type", "json", "ascii text", "png image", "crlf line", "ascii", "rgba", "unicode text", "utf8 text", "defense evasion", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 668, "FileHash-MD5": 668, "FileHash-SHA1": 675, "URL": 153, "domain": 230, "hostname": 177, "email": 2 }, "indicator_count": 2573, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "24 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d4f2db0b3448671adcce16", "name": "VirusTotal report\n for sample.crx", "description": "A small sample of malware has been identified by researchers at the University of Oregon in the US, and the results are published on the web, as well as on Google's Chrome extension and other sites.", "modified": "2026-05-07T12:05:50.774000", "created": "2026-04-07T12:04:43.156000", "tags": [ "file type", "json", "ascii text", "png image", "crlf line", "ascii", "rgba", "unicode text", "utf8 text", "defense evasion", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 668, "FileHash-MD5": 668, "FileHash-SHA1": 675, "URL": 153, "domain": 230, "hostname": 177, "email": 2 }, "indicator_count": 2573, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "24 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d4f2dd828bbf0ac5efaa23", "name": "VirusTotal report\n for sample.crx", "description": "A small sample of malware has been identified by researchers at the University of Oregon in the US, and the results are published on the web, as well as on Google's Chrome extension and other sites.", "modified": "2026-05-07T12:05:50.774000", "created": "2026-04-07T12:04:44.957000", "tags": [ "file type", "json", "ascii text", "png image", "crlf line", "ascii", "rgba", "unicode text", "utf8 text", "defense evasion", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 668, "FileHash-MD5": 668, "FileHash-SHA1": 675, "URL": 153, "domain": 230, "hostname": 177, "email": 2 }, "indicator_count": 2573, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "24 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d43ac218b1452b90077c29", "name": "VirusTotal report\n for addon.crx", "description": "<<< This is the full list of results from this year's \u00c2\u00a31.2bn (1bn euros) Google search, which includes the results of the search for the world's most popular search engine.>>", "modified": "2026-05-06T22:12:40.990000", "created": "2026-04-06T22:59:14.467000", "tags": [ "zip archive", "opera widget", "vym mind", "sweet home", "design", "mozilla firefox", "mozilla archive", "format", "file type", "php script", "ascii", "ascii text", "unicode text", "utf8 text", "crlf line", "json", "java source", "extra info" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 316, "FileHash-SHA1": 314, "FileHash-SHA256": 1415, "hostname": 132, "domain": 50, "URL": 86 }, "indicator_count": 2313, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "24 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d43acb355ea778bf740a6d", "name": "VirusTotal report\n for addon.crx", "description": "<<< This is the full list of results from this year's \u00c2\u00a31.2bn (1bn euros) Google search, which includes the results of the search for the world's most popular search engine.>>", "modified": "2026-05-06T22:12:40.990000", "created": "2026-04-06T22:59:23.936000", "tags": [ "zip archive", "opera widget", "vym mind", "sweet home", "design", "mozilla firefox", "mozilla archive", "format", "file type", "php script", "ascii", "ascii text", "unicode text", "utf8 text", "crlf line", "json", "java source", "extra info" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 316, "FileHash-SHA1": 314, "FileHash-SHA256": 1415, "hostname": 132, "domain": 50, "URL": 86 }, "indicator_count": 2313, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "24 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d43ad5128bbd414bbd946f", "name": "VirusTotal report\n for addon.crx", "description": "<<< This is the full list of results from this year's \u00c2\u00a31.2bn (1bn euros) Google search, which includes the results of the search for the world's most popular search engine.>>", "modified": "2026-05-06T22:12:40.990000", "created": "2026-04-06T22:59:33.569000", "tags": [ "zip archive", "opera widget", "vym mind", "sweet home", "design", "mozilla firefox", "mozilla archive", "format", "file type", "php script", "ascii", "ascii text", "unicode text", "utf8 text", "crlf line", "json", "java source", "extra info" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 316, "FileHash-SHA1": 314, "FileHash-SHA256": 1415, "hostname": 132, "domain": 50, "URL": 86 }, "indicator_count": 2313, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "24 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d43ad5541cf4a7ee45cef5", "name": "VirusTotal report\n for addon.crx", "description": "<<< This is the full list of results from this year's \u00c2\u00a31.2bn (1bn euros) Google search, which includes the results of the search for the world's most popular search engine.>>", "modified": "2026-05-06T22:12:40.990000", "created": "2026-04-06T22:59:33.577000", "tags": [ "zip archive", "opera widget", "vym mind", "sweet home", "design", "mozilla firefox", "mozilla archive", "format", "file type", "php script", "ascii", "ascii text", "unicode text", "utf8 text", "crlf line", "json", "java source", "extra info" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 316, "FileHash-SHA1": 314, "FileHash-SHA256": 1415, "hostname": 132, "domain": 50, "URL": 86 }, "indicator_count": 2313, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "24 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d43ada131daf14003078c7", "name": "VirusTotal report\n for addon.crx", "description": "<<< This is the full list of results from this year's \u00c2\u00a31.2bn (1bn euros) Google search, which includes the results of the search for the world's most popular search engine.>>", "modified": "2026-05-06T22:12:40.990000", "created": "2026-04-06T22:59:38.191000", "tags": [ "zip archive", "opera widget", "vym mind", "sweet home", "design", "mozilla firefox", "mozilla archive", "format", "file type", "php script", "ascii", "ascii text", "unicode text", "utf8 text", "crlf line", "json", "java source", "extra info" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 316, "FileHash-SHA1": 314, "FileHash-SHA256": 1415, "hostname": 132, "domain": 50, "URL": 86 }, "indicator_count": 2313, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "24 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d43adaef39c73f026077c0", "name": "VirusTotal report\n for addon.crx", "description": "<<< This is the full list of results from this year's \u00c2\u00a31.2bn (1bn euros) Google search, which includes the results of the search for the world's most popular search engine.>>", "modified": "2026-05-06T22:12:40.990000", "created": "2026-04-06T22:59:38.174000", "tags": [ "zip archive", "opera widget", "vym mind", "sweet home", "design", "mozilla firefox", "mozilla archive", "format", "file type", "php script", "ascii", "ascii text", "unicode text", "utf8 text", "crlf line", "json", "java source", "extra info" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 316, "FileHash-SHA1": 314, "FileHash-SHA256": 1415, "hostname": 132, "domain": 50, "URL": 86 }, "indicator_count": 2313, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "24 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d43adce952052db1643eb1", "name": "VirusTotal report\n for addon.crx", "description": "<<< This is the full list of results from this year's \u00c2\u00a31.2bn (1bn euros) Google search, which includes the results of the search for the world's most popular search engine.>>", "modified": "2026-05-06T22:12:40.990000", "created": "2026-04-06T22:59:40.683000", "tags": [ "zip archive", "opera widget", "vym mind", "sweet home", "design", "mozilla firefox", "mozilla archive", "format", "file type", "php script", "ascii", "ascii text", "unicode text", "utf8 text", "crlf line", "json", "java source", "extra info" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 316, "FileHash-SHA1": 314, "FileHash-SHA256": 1415, "hostname": 132, "domain": 50, "URL": 86 }, "indicator_count": 2313, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "24 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69cf21c05e91f60db7f6ed64", "name": "VirusTotal report\n for LEDPMKLECHMKJNGJILBFPOGIEHJBEMKJ_3_0_2_0.crx", "description": "A full report on the results of an analysis of a Google Chrome extension, found in the system's memory, has been published online by the University of Glasgow, Scotland, and the National Security Agency (NSA).", "modified": "2026-05-03T02:18:13.483000", "created": "2026-04-03T02:11:12.197000", "tags": [ "file type", "svg scalable", "vector graphics", "crlf line", "ascii text", "performs dns", "png image", "rgba", "extra info", "sigma", "persistence", "malicious", "next", "fcfcfc", "a57bfc", "c5c6fc", "path", "cname", "dns tcp", "udp http", "smtp irc", "icmp name", "response", "nxdomain" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/000191c1c0d6d324e39789005b1f9851b00a7d709dee3b4d180e9fa0bcfd326f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775182332&Signature=Xp72bxydgpZ9NgLXV8g1uDJHZ8EUYhy4nqoLGz%2Bh0xoVg3BTq8x0TTFd2Yzzf7nTrREGSvgsL%2BAze%2F%2BynLQFKemQRaJjJvaK1zMdH6y2DhvPyI8gnZcOYdSJTRqEySyE8oR2qveCl85EFiqZ6h%2Fi1k7BfnQ5JBcSRwfyWVmvjaw11sN8hGrAoARJGgs8G1TeXg7evq1TANq0AsmNRp22VNwxTV0ybOoO%2FsRRerzCvQxY2Wdk%2BeKYE1qL", "https://vtbehaviour.commondatastorage.googleapis.com/000191c1c0d6d324e39789005b1f9851b00a7d709dee3b4d180e9fa0bcfd326f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775182346&Signature=XW5qXy9c7zeqGji%2BJtDga4Y7nDZRclI%2FAvwBQCD%2BqVIXyDtTRgNW7n1FjQXwabAMcf5mAt79yx%2FR3w4itjJfZzUgpU7%2B%2BZXq59iQUl88rhWA7NMvGeGKO4bkcHoQPmrJxXtKnzqJrIxqUwygkbti6kHQ3drQZP8FMYevJ6fUbuR6TkIq2jOioIMcjUVg8uC9%2F6LmmBRINXgcd%2FNhS946HKXdlZq7awFoOV7VR%2Fkfiur%" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 42, "URL": 30, "FileHash-MD5": 39, "FileHash-SHA1": 39, "domain": 34, "hostname": 71 }, "indicator_count": 255, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "28 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69cf21c0e67b23d631499583", "name": "VirusTotal report\n for LEDPMKLECHMKJNGJILBFPOGIEHJBEMKJ_3_0_2_0.crx", "description": "A full report on the results of an analysis of a Google Chrome extension, found in the system's memory, has been published online by the University of Glasgow, Scotland, and the National Security Agency (NSA).", "modified": "2026-05-03T02:18:13.483000", "created": "2026-04-03T02:11:12.886000", "tags": [ "file type", "svg scalable", "vector graphics", "crlf line", "ascii text", "performs dns", "png image", "rgba", "extra info", "sigma", "persistence", "malicious", "next", "fcfcfc", "a57bfc", "c5c6fc", "path", "cname", "dns tcp", "udp http", "smtp irc", "icmp name", "response", "nxdomain" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/000191c1c0d6d324e39789005b1f9851b00a7d709dee3b4d180e9fa0bcfd326f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775182332&Signature=Xp72bxydgpZ9NgLXV8g1uDJHZ8EUYhy4nqoLGz%2Bh0xoVg3BTq8x0TTFd2Yzzf7nTrREGSvgsL%2BAze%2F%2BynLQFKemQRaJjJvaK1zMdH6y2DhvPyI8gnZcOYdSJTRqEySyE8oR2qveCl85EFiqZ6h%2Fi1k7BfnQ5JBcSRwfyWVmvjaw11sN8hGrAoARJGgs8G1TeXg7evq1TANq0AsmNRp22VNwxTV0ybOoO%2FsRRerzCvQxY2Wdk%2BeKYE1qL", "https://vtbehaviour.commondatastorage.googleapis.com/000191c1c0d6d324e39789005b1f9851b00a7d709dee3b4d180e9fa0bcfd326f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775182346&Signature=XW5qXy9c7zeqGji%2BJtDga4Y7nDZRclI%2FAvwBQCD%2BqVIXyDtTRgNW7n1FjQXwabAMcf5mAt79yx%2FR3w4itjJfZzUgpU7%2B%2BZXq59iQUl88rhWA7NMvGeGKO4bkcHoQPmrJxXtKnzqJrIxqUwygkbti6kHQ3drQZP8FMYevJ6fUbuR6TkIq2jOioIMcjUVg8uC9%2F6LmmBRINXgcd%2FNhS946HKXdlZq7awFoOV7VR%2Fkfiur%" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 42, "URL": 30, "FileHash-MD5": 39, "FileHash-SHA1": 39, "domain": 34, "hostname": 71 }, "indicator_count": 255, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "28 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69cf21c1d1238f23716a11f6", "name": "VirusTotal report\n for LEDPMKLECHMKJNGJILBFPOGIEHJBEMKJ_3_0_2_0.crx", "description": "A full report on the results of an analysis of a Google Chrome extension, found in the system's memory, has been published online by the University of Glasgow, Scotland, and the National Security Agency (NSA).", "modified": "2026-05-03T02:18:13.483000", "created": "2026-04-03T02:11:13.985000", "tags": [ "file type", "svg scalable", "vector graphics", "crlf line", "ascii text", "performs dns", "png image", "rgba", "extra info", "sigma", "persistence", "malicious", "next", "fcfcfc", "a57bfc", "c5c6fc", "path", "cname", "dns tcp", "udp http", "smtp irc", "icmp name", "response", "nxdomain" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/000191c1c0d6d324e39789005b1f9851b00a7d709dee3b4d180e9fa0bcfd326f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775182332&Signature=Xp72bxydgpZ9NgLXV8g1uDJHZ8EUYhy4nqoLGz%2Bh0xoVg3BTq8x0TTFd2Yzzf7nTrREGSvgsL%2BAze%2F%2BynLQFKemQRaJjJvaK1zMdH6y2DhvPyI8gnZcOYdSJTRqEySyE8oR2qveCl85EFiqZ6h%2Fi1k7BfnQ5JBcSRwfyWVmvjaw11sN8hGrAoARJGgs8G1TeXg7evq1TANq0AsmNRp22VNwxTV0ybOoO%2FsRRerzCvQxY2Wdk%2BeKYE1qL", "https://vtbehaviour.commondatastorage.googleapis.com/000191c1c0d6d324e39789005b1f9851b00a7d709dee3b4d180e9fa0bcfd326f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775182346&Signature=XW5qXy9c7zeqGji%2BJtDga4Y7nDZRclI%2FAvwBQCD%2BqVIXyDtTRgNW7n1FjQXwabAMcf5mAt79yx%2FR3w4itjJfZzUgpU7%2B%2BZXq59iQUl88rhWA7NMvGeGKO4bkcHoQPmrJxXtKnzqJrIxqUwygkbti6kHQ3drQZP8FMYevJ6fUbuR6TkIq2jOioIMcjUVg8uC9%2F6LmmBRINXgcd%2FNhS946HKXdlZq7awFoOV7VR%2Fkfiur%" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 42, "URL": 30, "FileHash-MD5": 39, "FileHash-SHA1": 39, "domain": 34, "hostname": 71 }, "indicator_count": 255, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "28 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69cc5323b73b229c433015b3", "name": "CAPE Sandbox", "description": "tmptigu40dy", "modified": "2026-04-30T23:10:15.978000", "created": "2026-03-31T23:05:07.234000", "tags": [ "eaaa", "maaa", "kaca", "kaaa", "eaca", "uaaa", "yaaa", "iaca", "eaei", "waaa", "dino", "cheat", "twitter", "null", "span", "title", "roboto", "false", "error", "kerm", "import", "click", "mono", "cloud", "accept", "manipulator", "restart", "runner", "factory", "checkbox", "star", "egdi", "canvas", "window", "shutdown", "win64", "small", "override", "install", "meta", "body", "project", "outer", "scroll", "speed", "score" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0e93e52376dcfb8eab491737c187ad68d786fab0005bbf9d2ffab78ba19db907_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1774998466&Signature=Y4QdGLgX1a6Ct5CMRDpH9RdwtjTzLLVBFFtxY64ZOhJ4cyy5f3YP7kNt%2Bu9euHjYaM5LUKHRWbswYwhD%2BbmD8KZT57GNGNGF4xYoyqPgzPY1AQodW%2BZx5f3iJqPbAZq9pUjOzXtm22B%2FEx7BVn5qcm86M9I6BaNp8%2FJW2vSfzsewT0w5WhMAjuB84fIG4LrKD2X46mnchNmREfC3GQtUPwzIIkj7IIv7xyHtwbu%2Fwyg8Ib1VFz" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 141, "FileHash-SHA1": 141, "FileHash-SHA256": 142, "URL": 26, "domain": 19, "hostname": 69 }, "indicator_count": 538, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "30 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69cc5324a3e01fc39bd2905c", "name": "CAPE Sandbox", "description": "tmptigu40dy", "modified": "2026-04-30T23:10:15.978000", "created": "2026-03-31T23:05:08.976000", "tags": [ "eaaa", "maaa", "kaca", "kaaa", "eaca", "uaaa", "yaaa", "iaca", "eaei", "waaa", "dino", "cheat", "twitter", "null", "span", "title", "roboto", "false", "error", "kerm", "import", "click", "mono", "cloud", "accept", "manipulator", "restart", "runner", "factory", "checkbox", "star", "egdi", "canvas", "window", "shutdown", "win64", "small", "override", "install", "meta", "body", "project", "outer", "scroll", "speed", "score" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0e93e52376dcfb8eab491737c187ad68d786fab0005bbf9d2ffab78ba19db907_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1774998466&Signature=Y4QdGLgX1a6Ct5CMRDpH9RdwtjTzLLVBFFtxY64ZOhJ4cyy5f3YP7kNt%2Bu9euHjYaM5LUKHRWbswYwhD%2BbmD8KZT57GNGNGF4xYoyqPgzPY1AQodW%2BZx5f3iJqPbAZq9pUjOzXtm22B%2FEx7BVn5qcm86M9I6BaNp8%2FJW2vSfzsewT0w5WhMAjuB84fIG4LrKD2X46mnchNmREfC3GQtUPwzIIkj7IIv7xyHtwbu%2Fwyg8Ib1VFz" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 141, "FileHash-SHA1": 141, "FileHash-SHA256": 142, "URL": 26, "domain": 19, "hostname": 69 }, "indicator_count": 538, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "30 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69c2972ecff7f021de5be0d9", "name": "CAPE Sandbox", "description": "traffic manager atm", "modified": "2026-04-23T13:04:04.453000", "created": "2026-03-24T13:52:46.060000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 141, "FileHash-SHA1": 141, "FileHash-SHA256": 142, "URL": 26, "domain": 19, "hostname": 69 }, "indicator_count": 538, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "38 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b7ac3b32ac89ecba53f3d9", "name": "Malicious", "description": "", "modified": "2026-04-15T08:44:52.171000", "created": "2026-03-16T07:07:39.495000", "tags": [ "march", "input http", "posix shell", "ascii text", "threat level", "summary av", "detection", "environment", "action" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 291, "URL": 272, "hostname": 296, "domain": 293, "FileHash-MD5": 90, "FileHash-SHA1": 89, "CIDR": 3, "email": 3, "SSLCertFingerprint": 9 }, "indicator_count": 1346, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "46 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69bf64e1d5e06aa6207f78de", "name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos", "description": "", "modified": "2026-03-27T00:30:39.055000", "created": "2026-03-22T03:41:21.863000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr" ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": "698e93e1ab02db8c49e8c3ed", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 27572, "FileHash-SHA256": 46076, "FileHash-MD5": 42177, "FileHash-SHA1": 22874, "hostname": 33438, "URL": 74810, "SSLCertFingerprint": 21, "CVE": 7579, "email": 297, "FileHash-IMPHASH": 8, "CIDR": 26203, "JA3": 1 }, "indicator_count": 281056, "is_author": false, "is_subscribing": null, "subscriber_count": 149, "modified_text": "65 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69bf64eccb5d39a90a3c391e", "name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos", "description": "", "modified": "2026-03-27T00:30:39.055000", "created": "2026-03-22T03:41:32.565000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr" ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": "698e93e1ab02db8c49e8c3ed", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 27572, "FileHash-SHA256": 46076, "FileHash-MD5": 42177, "FileHash-SHA1": 22874, "hostname": 33438, "URL": 74810, "SSLCertFingerprint": 21, "CVE": 7579, "email": 297, "FileHash-IMPHASH": 8, "CIDR": 26203, "JA3": 1 }, "indicator_count": 281056, "is_author": false, "is_subscribing": null, "subscriber_count": 152, "modified_text": "65 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "697cdce9ec418c422eee2054", "name": "Device Isolation: Lumen Technologies | Palantir and \u2018Boots on the Ground Operations\u2019", "description": "Device Isolation: Lumen Technologies (formerly CenturyLink) deployed as an admin on iOS devices. Standard factory resets may prove ineffective. Complete hardware \"air-gap\" or clean devices that have never touched your home network may be best option for deeply monitored targets.\n\nSummary of the Campaign:\nThe involvement of Lumen Technologies (as an unwanted admin), Foundry (Palantir) for data mapping, and Mirai Botnet for network disruption represents a \"scorched earth\" approach to digital destruction. Target treated as a criminal through Cellebrite, implicates specific attackers attempted to legalize what was actually a predatory stalking campaign/s.\n\n\nSurveillance Overlap: The use of Lumen Technologies and Palantir, tools allows for real-time tracking of a target's physical location\u2014explains how \u2018boots on the ground\u2019 offenders can stalk , surveillance , confront, assault and engage in various damaging attacks of specific monitored targets.", "modified": "2026-03-01T16:05:57.375000", "created": "2026-01-30T16:31:37.011000", "tags": [ "url https", "url http", "tlsv1", "whitelisted", "united", "read c", "as15169", "stcalifornia", "execution", "dock", "write", "persistence", "malware", "encrypt", "active", "lumen technologies", "number", "error", "regexp", "sxa0", "amptoken", "optout", "retrieving", "notfound", "unknown", "form", "flash", "backdoor", "writeconsolew", "yara detections", "command line", "pdb path", "pe resource", "internalname", "windows command", "A", "aws", "name servers", "url analysis", "passive dns", "urls", "data upload", "extraction", "palantir", "c2", "aerospace", "tracking", "spywatchdog", "palapa-c2", "communications satellite", "amazon", "hughesnet", "icmp traffic", "washington c", "washington ou", "mopr", "mon jul", "local", "dynamic", "apple", "network", "t1057", "discovery", "t1069", "t1071", "protocol", "t1105", "tool transfer", "t1480", "guardrails", "t1566", "present jan", "unknown ns", "ip address", "dnssec", "domain", "dynamic dns", "government", "pcup", "germany unknown", "link", "dns hosting", "cloudns", "cloud dns", "a domains", "ipv4 add", "title", "meta", "class", "servers", "present aug", "aaaa", "present sep", "present nov", "present jul", "present may", "moved", "canada unknown", "begin", "record value", "gmt content", "type", "hostname add", "files", "ascii text", "pattern match", "href", "mitre att", "ck id", "ck matrix", "network traffic", "et info", "general", "path", "click", "learn", "command", "name tactics", "suspicious", "informative", "adversaries", "input url", "defense evasion", "france", "ireland", "netherlands", "denmark", "united kingdom", "type indicator", "role title", "added active", "savvis", "centurylinktechnology", "hybrid analysis", "monitoring tools", "monitored target", "triangulation", "worm", "intel", "ms windows", "pe32", "write c", "delete c", "show", "russia as47764", "unix", "lsan jose", "odigicert inc", "markus", "url add", "http", "related nids", "files location", "russia flag", "russia hostname", "russia", "russia unknown", "hosting", "federation flag", "body", "gmt vary", "accept encoding", "gmt cache", "certificate", "pulse submit", "unknown aaaa", "search", "entries", "script domains", "script urls", "pdx cf" ], "references": [ "\u2018Lumen Technologies\u2019 Acting as administrator of a targeted Apple IOS device", "Yare: compromised_site_redirector_fromcharcode", "Alerts: network_icmp nolookup_communication js_eval recon_fingerprint", "Alerts: console_output has_pdb pe_unknown_resource_name", "File Type PEXE - PE32+ executable (console) x86-64, for MS Windows ..", "Tipped: A targets AI and other cyber research findings.", "A \u2018Target\u2019 became a \u2018Target\u2019 vja close association to main Target of predatory retaliation campaign.", "track.spywarewatchdog.org \u2022 https://track.spywarewatchdog.org - monitoring software", "https://palapa.c.id\t (c.id)", "Containers-Pecorino.PalantirGov.com -pecorino.palantirgov.com", "cedevice.io \u2022 decagonsoftware.com", "http://applevless.dns-dynamic.net/\t\u2022 dns-dynamic.net", "http://www.pcup.gov.ph/images/2018/pdf/ComEnBancReso/Commission_Resolution_07s2018.PDF", "pcup.gov.ph:", "http://www.pcup.gov.ph/images/pdf/Contract_of_SecurityServices2013.pdf pcup.gov.ph:", "https://pcup.gov.ph/375 pcup.gov.ph: | https://www.pcup.gov.ph/ pcup.gov.ph:", "https://elegantcosmedampyeah.pages.dev/", "https://www.ptv.vic.gov.au/more/travelling-on-the-network/lets-go/", "inst.govelopscold.com", "https://feedback.ptv.vic.gov.au/360", "nginx-php.7d4jelnf.trdlpbvl.sdp3.sdp.vic.gov.au", "nginx-php.standby.content-premier-vic-gov-au.sdp3.sdp.vic.gov.au", "https://hybrid-analysis.com/sample/a16d11910953b800369dbb667f178b3cc45cb8e3315217c0e6ceac68eeba206d", "https://brand.centurylinktechnology.com", "https://prod.centurylinktechnology.com", "https://brand2.centurylinktechnology.com", "https://mobile-pocket-guide.centurylinktechnology.com", "UPX_OEP_place", "Russia or Muskware? URL http://store.7box.vip/ad/C467F60A1AD6.Jpeg", "ASP. NET", "https://connect.facebook.net/en_US/sdk.js#xfbml=1&version=v4.0&appId=705930270206797&autoLogAppEvents=1 Akamai rank:", "7box.vip" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan.Tofsee/Botx", "display_name": "Trojan.Tofsee/Botx", "target": null }, { "id": "ALF:JASYP:Trojan:Win32/IRCbot!atmn", "display_name": "ALF:JASYP:Trojan:Win32/IRCbot!atmn", "target": null }, { "id": "PWS:Win32/Axespec.A", "display_name": "PWS:Win32/Axespec.A", "target": "/malware/PWS:Win32/Axespec.A" }, { "id": "Worm:Win32/Lightmoon.H", "display_name": "Worm:Win32/Lightmoon.H", "target": "/malware/Worm:Win32/Lightmoon.H" } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1439", "name": "Eavesdrop on Insecure Network Communication", "display_name": "T1439 - Eavesdrop on Insecure Network Communication" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1069.003", "name": "Cloud Groups", "display_name": "T1069.003 - Cloud Groups" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 102, "FileHash-SHA1": 59, "FileHash-SHA256": 1929, "domain": 854, "hostname": 2156, "URL": 4475, "SSLCertFingerprint": 9, "email": 7, "CVE": 1 }, "indicator_count": 9592, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "90 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "693cdc5b8ebc10664439c2fb", "name": "Project Cicada-.Christopher \u201cBuzz\u201d Ahmann - Freeman Mathis & Gary for The State of Colorado", "description": "State of Colorado attackers use DGA domains set up multiple Law Firms.. Christopher P. \u2019Buzz\u2019 Ahmann Is a legal consultant / attorney./ hacker \nWorks for the State of Colorado/ quasi. Is malicious and doesn\u2019t work alone. Continues to target \nState had relative contacted by a fake entity \u2018Goodness Health\u2019\nLeft vague VM for relative message \u201cWe work on the Medicare side of things.\u201d and? \nSocial engineering call , malicious domain. The State of Colorado has been on a relentless pursuit against target. Fully compromised targets relatives brand new phone. Hacked target since 10/2013.\nMultiple cyber and physical attacks carried out against target and family members.. There are attacks make to look like accidents or malfunctions. This harmful, silencing behavior is somehow illegal for anyone else.", "modified": "2026-02-10T06:05:39.764000", "created": "2025-12-13T03:24:11.414000", "tags": [ "colorado state", "freeman mathis", "history", "cyber risk", "aspen insureds", "gaig insureds", "landy insureds", "nip group", "purm insureds", "overview core", "united", "ip address", "present nov", "present may", "moved", "encrypt", "unknown", "backdoor", "passive dns", "ransom", "checkin", "trojandropper", "mtb nov", "twitter", "trojan", "data upload", "extraction", "failed", "united states", "server response", "google safe", "results may", "lowfi", "virtool", "mtb alf", "mh alf", "port", "windows nt", "destination", "msie", "khtml", "gecko", "unknown aaaa", "a domains", "meta", "for privacy", "cop supply", "urls", "as139646 hong", "hostname", "files", "hong kong", "domain add", "ip related", "hash avast", "avg clamav", "msdefender may", "ddos", "as13335", "ipv4", "certificate", "hostname add", "url analysis", "files ip", "name strings", "category", "united states", "pulse indicator", "address", "error", "null", "object", "string", "number", "google maps", "promise", "javascript api", "dataset", "bigint", "dark", "android", "infinity", "internal", "roboto", "trident", "void", "small", "lightrail", "false", "span", "close", "light", "hybrid", "embed", "iframe", "keygen", "this", "february", "bounce", "drop", "inside", "outside", "marker", "present dec", "pulses otx", "aaaa", "asnone country", "record value", "title", "pulse pulses", "pulses", "showing", "unknown cname", "unknown soa", "next associated", "ipv4 add", "cycbot", "extract indic", "sneaker bots", "proxies data", "script script", "adult content", "nextimage", "porn site", "div div", "platform make", "cloudfront x", "hio52 p3", "unknown ns", "pulse submit", "title error", "reverse dns", "status", "servers", "name servers", "vashti hostname", "scan endpoints", "url http", "http", "files domain", "files related", "pulses none", "dnssec", "sec ch", "ch ua", "ua full", "ua platform", "ua bitness", "ua arch", "version sec", "mobile sec", "model sec", "version list", "domain", "emails", "cookie", "url https", "show", "filehash", "urls show", "date checked", "url hostname", "results nov", "win32", "type", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "ssl certificate", "defense evasion", "spawns", "flag", "llc name", "server", "markmonitor", "name server", "windir", "openurl c", "prefetch2", "show technique", "mitre att", "ck matrix", "pattern match", "ascii text", "sha1", "href", "show process", "file", "general", "local", "path", "germany unknown", "date", "registrar", "ip whois", "dynamicloader", "high", "medium", "search", "displayname", "tofsee", "win64", "write", "stream", "malware", "push", "entries", "tls handshake", "failure", "forbidden", "tlsv1", "april", "next", "write c", "intel", "ms windows", "sha1 add", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "sha256 add", "present jun", "present mar", "medelln", "colombia asn", "dns resolutions", "address domain", "related tags", "none google", "safe browsing", "external", "present sep", "present aug", "as54113", "present jul", "as8068", "gmt content", "total", "read", "delete", "top source", "quasi", "murderers", "christopher ahmann", "buzz ahmann", "wow64", "slcc2", "media center", "labor", "employment", "cdle", "dowc", "colorado", "workers", "coloradoif", "independent", "state", "company", "entity type", "authorized line", "analysis", "tor analysis", "process details", "network traffic", "t1071", "potential ip", "click", "found", "t1480 execution", "bad traffic", "et info", "ck techniques", "evasion att", "t1057", "refresh", "body", "strings", "tools", "look", "verify", "restart", "cname", "form", "pulse", "script domains", "script urls", "administrator", "services llc", "dns admin", "domain admin", "global llc", "domain manager", "computer system", "ltd domain", "network", "alibaba", "facebook", "phishme", "sogou", "present jan", "present feb", "present oct" ], "references": [ "https://www.fmglaw.com/lawyers/christopher-ahmann - found in adult content pulse.", "Sneaker Bots Proxies Servers Cook Groups Cop Supply", "archive.cop.supply \u2022 dev.cop.supply \u2022 https://cop.supply/ \u2022 https://cop.supply/bot-lists/", "https://cop.supply/supreme-bots/\u2022 https://cop.supply/useful-tools/", "https://cop.supply/proxies-lists/ \u2022 https://cop.supply/shopify-bots/", "dns.army \u2022 www.dcopr.dns.army \u2022 www.glsyaiwjj.dns.army \u2022 www.wgmvk.dns.army", "https://maps.googleapis.com/maps/api/js?sensor=false", "cell-0.af-south-1.prod.telemetry.console.api.aws", "howtoworkacrickoutofyourneck2.pages.dev", "firebase-auth-eich0v.pages.dev", "http://ianswertomom.com/develop-wise-woman-within-yourself", "http://ianswertomom.com/bible-verses-struggling-contentment-mom/ I", "https://i-want-to-start-an-onlyfans.pages.dev/favicon.ico| I bet you do boo boo", "makeapornsite.com \u2022 https://pornhighschool.com/ \u2022 https://ethnicerotic.com \u2022 https://twitter.com/Make", "https://khmerpornvideo.signup0.y.id/", "https://lordseriala.life/6337-zvezdnye-vojny-opornaja-komanda.html", "https://clear.ml/infrastructure-control-plane", "dev-app.project-cicada.com \u2022 http://dev-app.project-cicada.com \u2022 https://dev-app.project-cicada.com (2014 report predates 2016 reports)", "https://amano.inboundtools.com/tpcontact URL https://armg.inboundtools.com/ URL https://gaiax.inboundtools.com/internship URL https://hmk.inboundtools.com/ URL https://hmk.inboundtools.com/form/assetview_siryo_sier", "https://download.clear.ml/cpython_builds/releases/ \u2022 https://download.clear.", "https://links.mail.samsara.com/s/c/P9R6gGlExR4nfCwqwJXUmr7NmKcMNde4ZBhCFprlVtsFNgh-4tuTWla0aXN9rIWCjrWtn0Vln7x-hexxVBlY3xxvnEevR8qJU5G5xV3__wo-X7kkpSOhJVfejac-Xk8qu6zs5Z-tILwWYRkNScZNGlAqfwQuJuRw5M-n_ZKI6tuY5XGCZAqWoQepi1NnJiW4wZJkzZlOwGtNkusbuKDcMsLVrrhji2eKh4kYgrJp_SeycJRhasLFCQ3c2bPu4sahEWpcHZrQBaxvdfQgTEno8kV-RJdTDO0zK5MyWDJLeds7mnaDrxlb0O2zmhebUdlHE0R0xHi25dympBUpMlLsQV8bx1WUTOfgK4k0ci9o_2Gbfe22-jLxsJN-msV6pxWYQMaxRNFd4iZRC9J9Z1SC5MBqbvNzqdt98kFdpibnv_QIHdhFyHOR_Ip_LX67Dncc8V8OvAi-H5phfeSyDzwdzf2FQIi82", "https://voidpet.io/invite/scaredscared/1rpzxWXa61 \u2022 https://sex-doggy.net/tag/censored", "Everyone has simply asked you alll to stop. Target never asked anyone for money.", "Legal court documented agreement to allow and pay target to hire cyber investigators", "Attacks are being carried out by The State of Colorado" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Japan", "France", "Ireland", "Spain", "Italy", "Aruba", "Australia", "Denmark", "United Kingdom of Great Britain and Northern Ireland", "Germany", "T\u00fcrkiye", "Indonesia" ], "malware_families": [ { "id": "Win.Trojan.GravityRAT-6511862-0", "display_name": "Win.Trojan.GravityRAT-6511862-0", "target": null }, { "id": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn", "display_name": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn", "target": null }, { "id": "Unix.Trojan.Tsunami-6981155-0", "display_name": "Unix.Trojan.Tsunami-6981155-0", "target": null }, { "id": "TrojanDropper:Win32/Systex.A", "display_name": "TrojanDropper:Win32/Systex.A", "target": "/malware/TrojanDropper:Win32/Systex.A" }, { "id": "Win.Trojan.Tepfer-61", "display_name": "Win.Trojan.Tepfer-61", "target": null }, { "id": "TrojanDownloader:Win32/CutwailRansom:Win32/Crowti.A", "display_name": "TrojanDownloader:Win32/CutwailRansom:Win32/Crowti.A", "target": null }, { "id": "VirTool:Win32/VBInject.gen!MH", "display_name": "VirTool:Win32/VBInject.gen!MH", "target": "/malware/VirTool:Win32/VBInject.gen!MH" }, { "id": "ALF:NID:Susp_NSIS_Stub.A", "display_name": "ALF:NID:Susp_NSIS_Stub.A", "target": null }, { "id": "#LOWFI:HSTR:Criakl.B1", "display_name": "#LOWFI:HSTR:Criakl.B1", "target": null }, { "id": "Backdoor:Win32/Arwobot.B", "display_name": "Backdoor:Win32/Arwobot.B", "target": "/malware/Backdoor:Win32/Arwobot.B" }, { "id": "Win.Packed.Bandook-9882274-1", "display_name": "Win.Packed.Bandook-9882274-1", "target": null }, { "id": "TrojanDownloader:Win32/Cutwail", "display_name": "TrojanDownloader:Win32/Cutwail", "target": "/malware/TrojanDownloader:Win32/Cutwail" }, { "id": "Win.Downloader.Small-4507", "display_name": "Win.Downloader.Small-4507", "target": null }, { "id": "Trojan:Win32/Qbot.R!MTB", "display_name": "Trojan:Win32/Qbot.R!MTB", "target": "/malware/Trojan:Win32/Qbot.R!MTB" }, { "id": "Win.Malware.Mikey-9949492-0", "display_name": "Win.Malware.Mikey-9949492-0", "target": null }, { "id": "Ransom:Win32/Crowti.A", "display_name": "Ransom:Win32/Crowti.A", "target": "/malware/Ransom:Win32/Crowti.A" }, { "id": "Backdoor:Linux/DemonBot.Aa!MTB", "display_name": "Backdoor:Linux/DemonBot.Aa!MTB", "target": "/malware/Backdoor:Linux/DemonBot.Aa!MTB" }, { "id": "Unix.Trojan.Gafgyt-6981154-0", "display_name": "Unix.Trojan.Gafgyt-6981154-0", "target": null }, { "id": "DDOS:Linux/Gafgyt.YA!MTB", "display_name": "DDOS:Linux/Gafgyt.YA!MTB", "target": "/malware/DDOS:Linux/Gafgyt.YA!MTB" }, { "id": "CVE-2017-11882", "display_name": "CVE-2017-11882", "target": null }, { "id": "ALF:Exploit:O97M/CVE-2017-8977", "display_name": "ALF:Exploit:O97M/CVE-2017-8977", "target": null }, { "id": "Cycbot", "display_name": "Cycbot", "target": null }, { "id": "Win32:BotX-gen\\ [Trj]", "display_name": "Win32:BotX-gen\\ [Trj]", "target": null }, { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "Mirai (ELF)", "display_name": "Mirai (ELF)", "target": null }, { "id": "Worm", "display_name": "Worm", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1574.008", "name": "Path Interception by Search Order Hijacking", "display_name": "T1574.008 - Path Interception by Search Order Hijacking" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1593.002", "name": "Search Engines", "display_name": "T1593.002 - Search Engines" } ], "industries": [ "Insurance", "Construction" ], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 54118, "domain": 11153, "hostname": 18578, "email": 21, "FileHash-SHA256": 4905, "FileHash-MD5": 548, "FileHash-SHA1": 534, "CVE": 7, "SSLCertFingerprint": 20, "CIDR": 1 }, "indicator_count": 89885, "is_author": false, "is_subscribing": null, "subscriber_count": 146, "modified_text": "110 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6963596c4cd594b77b4675ec", "name": "Project Cicada-.Christopher \u201cBuzz\u201d Ahmann - PalantirFoundry | The State of Colorado | ", "description": "", "modified": "2026-02-10T06:05:39.764000", "created": "2026-01-11T08:03:56.534000", "tags": [ "colorado state", "freeman mathis", "history", "cyber risk", "aspen insureds", "gaig insureds", "landy insureds", "nip group", "purm insureds", "overview core", "united", "ip address", "present nov", "present may", "moved", "encrypt", "unknown", "backdoor", "passive dns", "ransom", "checkin", "trojandropper", "mtb nov", "twitter", "trojan", "data upload", "extraction", "failed", "united states", "server response", "google safe", "results may", "lowfi", "virtool", "mtb alf", "mh alf", "port", "windows nt", "destination", "msie", "khtml", "gecko", "unknown aaaa", "a domains", "meta", "for privacy", "cop supply", "urls", "as139646 hong", "hostname", "files", "hong kong", "domain add", "ip related", "hash avast", "avg clamav", "msdefender may", "ddos", "as13335", "ipv4", "certificate", "hostname add", "url analysis", "files ip", "name strings", "category", "united states", "pulse indicator", "address", "error", "null", "object", "string", "number", "google maps", "promise", "javascript api", "dataset", "bigint", "dark", "android", "infinity", "internal", "roboto", "trident", "void", "small", "lightrail", "false", "span", "close", "light", "hybrid", "embed", "iframe", "keygen", "this", "february", "bounce", "drop", "inside", "outside", "marker", "present dec", "pulses otx", "aaaa", "asnone country", "record value", "title", "pulse pulses", "pulses", "showing", "unknown cname", "unknown soa", "next associated", "ipv4 add", "cycbot", "extract indic", "sneaker bots", "proxies data", "script script", "adult content", "nextimage", "porn site", "div div", "platform make", "cloudfront x", "hio52 p3", "unknown ns", "pulse submit", "title error", "reverse dns", "status", "servers", "name servers", "vashti hostname", "scan endpoints", "url http", "http", "files domain", "files related", "pulses none", "dnssec", "sec ch", "ch ua", "ua full", "ua platform", "ua bitness", "ua arch", "version sec", "mobile sec", "model sec", "version list", "domain", "emails", "cookie", "url https", "show", "filehash", "urls show", "date checked", "url hostname", "results nov", "win32", "type", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "ssl certificate", "defense evasion", "spawns", "flag", "llc name", "server", "markmonitor", "name server", "windir", "openurl c", "prefetch2", "show technique", "mitre att", "ck matrix", "pattern match", "ascii text", "sha1", "href", "show process", "file", "general", "local", "path", "germany unknown", "date", "registrar", "ip whois", "dynamicloader", "high", "medium", "search", "displayname", "tofsee", "win64", "write", "stream", "malware", "push", "entries", "tls handshake", "failure", "forbidden", "tlsv1", "april", "next", "write c", "intel", "ms windows", "sha1 add", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "sha256 add", "present jun", "present mar", "medelln", "colombia asn", "dns resolutions", "address domain", "related tags", "none google", "safe browsing", "external", "present sep", "present aug", "as54113", "present jul", "as8068", "gmt content", "total", "read", "delete", "top source", "quasi", "murderers", "christopher ahmann", "buzz ahmann", "wow64", "slcc2", "media center", "labor", "employment", "cdle", "dowc", "colorado", "workers", "coloradoif", "independent", "state", "company", "entity type", "authorized line", "analysis", "tor analysis", "process details", "network traffic", "t1071", "potential ip", "click", "found", "t1480 execution", "bad traffic", "et info", "ck techniques", "evasion att", "t1057", "refresh", "body", "strings", "tools", "look", "verify", "restart", "cname", "form", "pulse", "script domains", "script urls", "administrator", "services llc", "dns admin", "domain admin", "global llc", "domain manager", "computer system", "ltd domain", "network", "alibaba", "facebook", "phishme", "sogou", "present jan", "present feb", "present oct" ], "references": [ "https://www.fmglaw.com/lawyers/christopher-ahmann - found in adult content pulse.", "Sneaker Bots Proxies Servers Cook Groups Cop Supply", "archive.cop.supply \u2022 dev.cop.supply \u2022 https://cop.supply/ \u2022 https://cop.supply/bot-lists/", "https://cop.supply/supreme-bots/\u2022 https://cop.supply/useful-tools/", "https://cop.supply/proxies-lists/ \u2022 https://cop.supply/shopify-bots/", "dns.army \u2022 www.dcopr.dns.army \u2022 www.glsyaiwjj.dns.army \u2022 www.wgmvk.dns.army", "https://maps.googleapis.com/maps/api/js?sensor=false", "cell-0.af-south-1.prod.telemetry.console.api.aws", "howtoworkacrickoutofyourneck2.pages.dev", "firebase-auth-eich0v.pages.dev", "http://ianswertomom.com/develop-wise-woman-within-yourself", "http://ianswertomom.com/bible-verses-struggling-contentment-mom/ I", "https://i-want-to-start-an-onlyfans.pages.dev/favicon.ico| I bet you do boo boo", "makeapornsite.com \u2022 https://pornhighschool.com/ \u2022 https://ethnicerotic.com \u2022 https://twitter.com/Make", "https://khmerpornvideo.signup0.y.id/", "https://lordseriala.life/6337-zvezdnye-vojny-opornaja-komanda.html", "https://clear.ml/infrastructure-control-plane", "dev-app.project-cicada.com \u2022 http://dev-app.project-cicada.com \u2022 https://dev-app.project-cicada.com (2014 report predates 2016 reports)", "https://amano.inboundtools.com/tpcontact URL https://armg.inboundtools.com/ URL https://gaiax.inboundtools.com/internship URL https://hmk.inboundtools.com/ URL https://hmk.inboundtools.com/form/assetview_siryo_sier", "https://download.clear.ml/cpython_builds/releases/ \u2022 https://download.clear.", "https://links.mail.samsara.com/s/c/P9R6gGlExR4nfCwqwJXUmr7NmKcMNde4ZBhCFprlVtsFNgh-4tuTWla0aXN9rIWCjrWtn0Vln7x-hexxVBlY3xxvnEevR8qJU5G5xV3__wo-X7kkpSOhJVfejac-Xk8qu6zs5Z-tILwWYRkNScZNGlAqfwQuJuRw5M-n_ZKI6tuY5XGCZAqWoQepi1NnJiW4wZJkzZlOwGtNkusbuKDcMsLVrrhji2eKh4kYgrJp_SeycJRhasLFCQ3c2bPu4sahEWpcHZrQBaxvdfQgTEno8kV-RJdTDO0zK5MyWDJLeds7mnaDrxlb0O2zmhebUdlHE0R0xHi25dympBUpMlLsQV8bx1WUTOfgK4k0ci9o_2Gbfe22-jLxsJN-msV6pxWYQMaxRNFd4iZRC9J9Z1SC5MBqbvNzqdt98kFdpibnv_QIHdhFyHOR_Ip_LX67Dncc8V8OvAi-H5phfeSyDzwdzf2FQIi82", "https://voidpet.io/invite/scaredscared/1rpzxWXa61 \u2022 https://sex-doggy.net/tag/censored", "Everyone has simply asked you alll to stop. Target never asked anyone for money.", "Legal court documented agreement to allow and pay target to hire cyber investigators", "Attacks are being carried out by The State of Colorado" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Japan", "France", "Ireland", "Spain", "Italy", "Aruba", "Australia", "Denmark", "United Kingdom of Great Britain and Northern Ireland", "Germany", "T\u00fcrkiye", "Indonesia" ], "malware_families": [ { "id": "Win.Trojan.GravityRAT-6511862-0", "display_name": "Win.Trojan.GravityRAT-6511862-0", "target": null }, { "id": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn", "display_name": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn", "target": null }, { "id": "Unix.Trojan.Tsunami-6981155-0", "display_name": "Unix.Trojan.Tsunami-6981155-0", "target": null }, { "id": "TrojanDropper:Win32/Systex.A", "display_name": "TrojanDropper:Win32/Systex.A", "target": "/malware/TrojanDropper:Win32/Systex.A" }, { "id": "Win.Trojan.Tepfer-61", "display_name": "Win.Trojan.Tepfer-61", "target": null }, { "id": "TrojanDownloader:Win32/CutwailRansom:Win32/Crowti.A", "display_name": "TrojanDownloader:Win32/CutwailRansom:Win32/Crowti.A", "target": null }, { "id": "VirTool:Win32/VBInject.gen!MH", "display_name": "VirTool:Win32/VBInject.gen!MH", "target": "/malware/VirTool:Win32/VBInject.gen!MH" }, { "id": "ALF:NID:Susp_NSIS_Stub.A", "display_name": "ALF:NID:Susp_NSIS_Stub.A", "target": null }, { "id": "#LOWFI:HSTR:Criakl.B1", "display_name": "#LOWFI:HSTR:Criakl.B1", "target": null }, { "id": "Backdoor:Win32/Arwobot.B", "display_name": "Backdoor:Win32/Arwobot.B", "target": "/malware/Backdoor:Win32/Arwobot.B" }, { "id": "Win.Packed.Bandook-9882274-1", "display_name": "Win.Packed.Bandook-9882274-1", "target": null }, { "id": "TrojanDownloader:Win32/Cutwail", "display_name": "TrojanDownloader:Win32/Cutwail", "target": "/malware/TrojanDownloader:Win32/Cutwail" }, { "id": "Win.Downloader.Small-4507", "display_name": "Win.Downloader.Small-4507", "target": null }, { "id": "Trojan:Win32/Qbot.R!MTB", "display_name": "Trojan:Win32/Qbot.R!MTB", "target": "/malware/Trojan:Win32/Qbot.R!MTB" }, { "id": "Win.Malware.Mikey-9949492-0", "display_name": "Win.Malware.Mikey-9949492-0", "target": null }, { "id": "Ransom:Win32/Crowti.A", "display_name": "Ransom:Win32/Crowti.A", "target": "/malware/Ransom:Win32/Crowti.A" }, { "id": "Backdoor:Linux/DemonBot.Aa!MTB", "display_name": "Backdoor:Linux/DemonBot.Aa!MTB", "target": "/malware/Backdoor:Linux/DemonBot.Aa!MTB" }, { "id": "Unix.Trojan.Gafgyt-6981154-0", "display_name": "Unix.Trojan.Gafgyt-6981154-0", "target": null }, { "id": "DDOS:Linux/Gafgyt.YA!MTB", "display_name": "DDOS:Linux/Gafgyt.YA!MTB", "target": "/malware/DDOS:Linux/Gafgyt.YA!MTB" }, { "id": "CVE-2017-11882", "display_name": "CVE-2017-11882", "target": null }, { "id": "ALF:Exploit:O97M/CVE-2017-8977", "display_name": "ALF:Exploit:O97M/CVE-2017-8977", "target": null }, { "id": "Cycbot", "display_name": "Cycbot", "target": null }, { "id": "Win32:BotX-gen\\ [Trj]", "display_name": "Win32:BotX-gen\\ [Trj]", "target": null }, { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "Mirai (ELF)", "display_name": "Mirai (ELF)", "target": null }, { "id": "Worm", "display_name": "Worm", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1574.008", "name": "Path Interception by Search Order Hijacking", "display_name": "T1574.008 - Path Interception by Search Order Hijacking" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1593.002", "name": "Search Engines", "display_name": "T1593.002 - Search Engines" } ], "industries": [ "Insurance", "Construction" ], "TLP": "green", "cloned_from": "693cdc5b8ebc10664439c2fb", "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 54118, "domain": 11153, "hostname": 18578, "email": 21, "FileHash-SHA256": 4905, "FileHash-MD5": 548, "FileHash-SHA1": 534, "CVE": 7, "SSLCertFingerprint": 20, "CIDR": 1 }, "indicator_count": 89885, "is_author": false, "is_subscribing": null, "subscriber_count": 145, "modified_text": "110 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "693b7dc3cf1996347652ef92", "name": "Google Site Redirector - Tesla Hackers", "description": "Silencing. By Tesla hackers. Awful example of how any victim of a crime; can become a target of the government..\nThis is especially true when the actual perpetrators work for the government are government affiliated, very wealthy, a celebrity or someone who is deemed important. In this instance the Quasi government sought to keep target seeking and obtaining life saving medical treatment, financial settlement that she was entitled to from assault, injuries from assault, false imprisonment, punitive damgages, pain and suffering, humiliation, premise liability, permanent (whole body disability @MMI ), many other crimes. The victims suffered from a great sadness and betrayal. \n\nObviously racist Elon Musk and crew have access to all government tools. Musk, All things cyber are at his disposal as \ncontinues to abuse privilege.\n They keep playing a God they don\u2019t believe in. God is the Ultimate Avenger.", "modified": "2026-01-11T00:03:08.581000", "created": "2025-12-12T02:28:19.107000", "tags": [ "compromised_site_redirector_fromcharcode", "site_redirector", "string", "regexp", "error", "number", "sxa0", "amptoken", "optout", "retrieving", "notfound", "write", "form", "flash", "vd", "tesla hackers", "nxdomain", "passive dns", "ip address", "domain", "a nxdomain", "urls", "files", "ip related", "pulses otx", "google", "unknown", "oracle", "dynamicloader", "medium", "high", "windows", "rndhex", "write c", "rndchar", "displayname", "tofsee", "yara rule", "stream", "strings", "push", "lte all", "search otx", "ource url", "or text", "paste", "data upload", "extraction", "elon musk", "indicator role", "active related", "ipv4", "exploitsource", "url https", "url http", "desktopinternet", "title added", "pulses ipv4", "less see", "ids detections", "vuze bt", "udp connection", "contacted", "filehash", "av detections", "yara detections", "alerts", "0x8aa42", "0xe3107", "upnp", "http request", "bittorrent", "file", "module load", "t1129", "post http", "install", "execution", "malware", "hostile", "crawl", "windows nt", "wow64", "get zona", "get httpget", "hash", "entries", "read c", "suspicious", "next", "united" ], "references": [ "Tesla Hackers | https://www.teslarati.com/spacex", "Yara Detections :compromised_site_redirector_fromcharcode Alerts network_icmp js_eval recon_fingerprint", "142.250.74.142.250.74.138 _exploit_source | 142.250.74.138 _exploit_source | 142.250.74.142_exploit_source", "IDS Detections Win32/ZonaInstaller Install Beacon", "https://www.google \u2022 https://ampcid.google.com/v1/publisher \u2022\u2019https://ampcid.google.com/v1/publisher:getClientId\\", "https://tagassistant.google.com/ \u2022 https://www.google-analytics.com/debug/bootstrap?id=", "https://www.google-analytics.com/debug/bootstrap?id=\\", "https://stats.g.doubleclick.net/j/collect\\ \u2022 https://tagassistant.google.com/ \u2022 https://www.google.com/ads/ga", "https://www.google-analytics.com/gtm/js?id=\\ \u2022 https://www.googletagmanager.com/gtag/js?id= \u2022", "https://www.googletagmanager.com/gtag/js?id=\\ \u2022 https://www.google-analytics.com/gtm/js?id=", "This is why our team tells a back story. It can and does happen to anyone.", "We apologize for so may typos and errors. We strive to do better at that." ], "public": 1, "adversary": "Tesla Hackers", "targeted_countries": [], "malware_families": [ { "id": "Vd", "display_name": "Vd", "target": null }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "Win.Trojan.12382640-1", "display_name": "Win.Trojan.12382640-1", "target": null } ], "attack_ids": [ { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 65, "FileHash-SHA1": 34, "FileHash-SHA256": 2032, "URL": 4921, "domain": 567, "hostname": 1586, "SSLCertFingerprint": 4 }, "indicator_count": 9209, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "140 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65eea19a23474b8c7dca351f", "name": "All Items - find from the UA archive disk", "description": "Again have zero idea 'what these are' - just uploading from the 'archives' as I sort through things", "modified": "2025-12-24T08:28:47.628000", "created": "2024-03-11T06:15:54.351000", "tags": [], "references": [ "https://www.virustotal.com/gui/collection/09af9ef0b7b23d2dc73d83858106ae4fc97a352dbb521ac04493a0e79095ac69/iocs", "https://www.virustotal.com/gui/collection/79c25168b2f93d9730a56b8d2b834cbfb2752b63b21b9dd51109416fbaa676d8/iocs", "https://www.virustotal.com/graph/embed/g8726609a12794ebeb59edd531961a233068149bcdf994b428f20141be6111551?theme=dark", "https://www.virustotal.com/graph/embed/g365a82115f934e31a69118715695c91c231f66cda9084c9389e56afb985a243e?theme=dark", "", "https://www.virustotal.com/gui/collection/6a8d582df4fe5a29885dad4074236bc9e4ed445aaf0cc00702d45963fb0459bb/iocs" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1165, "hostname": 866, "URL": 657, "FileHash-SHA256": 26, "email": 337, "FileHash-MD5": 12, "FileHash-SHA1": 8, "CIDR": 1 }, "indicator_count": 3072, "is_author": false, "is_subscribing": null, "subscriber_count": 129, "modified_text": "158 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68c954a80675ccc89b0e9b63", "name": "Trump #45470 | Palantir container | virus:DOS/Hellspawn + ioS (compromised)", "description": "Overt. Trump support campaign text message from #45470. Malicious. Received on a victims hyper compromised iPhone. Attempts to or did take CnC of device. Stutters device, changed App Store , has delete service, device sweep, shuts down service , halts all pages, denial of service, throttles service, steals\npasswords, bots , I don\u2019t know if device can be refurbished or research purposes - Palantir DC DGA domains - Trump. Multiple IoC\u2019s , malware with code overlap, it appears to be from a legitimate text for updates #. Visibly affected all aspects of device and software. Commands device shut down. \n[OTX populated: Failed to retrieve suggested indicator for beta-ui, according to the latest results from the Welsh Government's Office for National Statistics (ONS) and the National Data Centre (NDS))", "modified": "2025-10-16T12:03:14.279000", "created": "2025-09-16T12:14:32.327000", "tags": [ "ttl value", "extraction", "data upload", "failed", "extra data", "include review", "exclude sugges", "stop", "line", "path", "polyline", "getprocaddress", "circle", "span", "ck id", "mitre att", "ck matrix", "null", "error", "open", "spinner", "title", "code", "iframe", "window", "void", "infinity", "crypto", "footer", "generator", "general", "format", "click", "strings", "meta", "install", "encoder", "learn", "command", "name tactics", "suspicious", "informative", "spawns", "evasion att", "t1480 execution", "file defense", "adversaries", "calls", "reads", "defense evasion", "model", "server", "registrar abuse", "ascio", "contact phone", "admin city", "admin country", "admin postal", "dnssec", "http", "ip address", "passive dns", "related nids", "urls", "files location", "united", "flag united", "a domains", "search", "unknown aaaa", "certificate", "yara detections", "av detections", "ids detections", "alerts", "entries elf", "filehash", "name servers", "servers", "moved", "script script", "aaaa", "unknown ns", "domain add", "formbook cnc", "checkin", "lowfi", "mtb jun", "github pages", "twitter", "accept", "cryptobit", "extra", "referen data", "trojanproxy", "dynamicloader", "high", "write c", "medium", "intel", "ms windows", "entries", "pe32", "explorer", "worm", "write", "next", "trojan", "hellspawn", "md5 add", "malware", "data", "included iocs", "script urls", "script domains", "gmt content", "cash amtincart", "expirestue", "domain related", "sea x", "accept encoding", "request id", "body doctype", "apache", "encrypt", "skynet", "third eye tv", "calling", "delete app", "potus", "mtb aug", "backdoor", "gmt cache", "sameorigin", "443 ma2592000", "ipv4 add", "utilads", "trojandropper", "mtb sep", "win32upatre aug", "yara rule", "as15169", "guard", "smartassembly", "associated urls", "date checked", "url hostname", "server response", "domain", "url analysis", "files", "date", "delete service", "45470", "text", "hybrid", "present sep", "body", "fastly error", "please", "xor xor", "sha256 add", "analysis date", "file score", "detections alf", "june", "delphi", "attempts", "yara", "high security", "file type", "pe packer", "ransom" ], "references": [ "skynet-dev.tcxn.net tcxn.net Registrar Ascio Technologies, Inc - connection to cloud proxy", "TrojanProxy:Win32/Malynfits CodeOverlap TrojanSpy:Win32/Nivdort CodeOverlap virus:Win32/Lywer CodeOverlap", "https://cryptobit.live/build/assets/app-CkRYqsKL.js \u2022 cryptobit.live \u2022 t.page \u2022 cdn.wallets.cryptobit.live", "Trump Support campaign \u2022_\u2022 lantana-mgmt.washington.palantircloud.com \u2022 containers-reishi.palantirfedstart.com", "Virus:DOS/Hellspawn 192.168.122.49 10/16/25\t\u2022 IPv4 142.251.9.105", "IDS Detections: Win32/Enosch.A gtalk connectivity check | W32/MoonLight.worm User-Agent (HellSpawn)", "PWS:Win32/Ymacco.AA50 Win.Trojan.Generic-9959068-0\t SLF:MSIL/PSTAnomaly.A Win.Dropper.Shakblades-7614016-0\t#LowFI:VBExpensiveLoop Win.Packed.Barys-10031677-0\tTEL:Trojan:MSIL/AgentTesla.VPA!MTB Win.Trojan. Backdoor:MSIL/Remcos!MTB", "hasownproperty.call \u2022 fireeye.grhd.", "Apple Store verified drop down breach \u2018Apple took a screenshot of pages\u201d" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "TrojanProxy:Win32/Malynfits", "display_name": "TrojanProxy:Win32/Malynfits", "target": "/malware/TrojanProxy:Win32/Malynfits" }, { "id": "Virus:Win32/Lywer", "display_name": "Virus:Win32/Lywer", "target": "/malware/Virus:Win32/Lywer" }, { "id": "Worm:Win32/Lightmoon.H", "display_name": "Worm:Win32/Lightmoon.H", "target": "/malware/Worm:Win32/Lightmoon.H" }, { "id": "Virus:DOS/Hellspawn", "display_name": "Virus:DOS/Hellspawn", "target": "/malware/Virus:DOS/Hellspawn" }, { "id": "Win.Trojan.Dialer-266", "display_name": "Win.Trojan.Dialer-266", "target": null }, { "id": "AgentTesla", "display_name": "AgentTesla", "target": null }, { "id": "Backdoor:MSIL/Remcos", "display_name": "Backdoor:MSIL/Remcos", "target": "/malware/Backdoor:MSIL/Remcos" }, { "id": "ALF:JASYP:Trojan:Win32/IRCbot!atmn", "display_name": "ALF:JASYP:Trojan:Win32/IRCbot!atmn", "target": null }, { "id": "Trojandropper:Win32/Muldrop.V!MTB", "display_name": "Trojandropper:Win32/Muldrop.V!MTB", "target": "/malware/Trojandropper:Win32/Muldrop.V!MTB" }, { "id": "#LowFI:VBExpensiveLoop", "display_name": "#LowFI:VBExpensiveLoop", "target": null }, { "id": "TEL:Trojan:MSIL/AgentTesla.VPA!MTB", "display_name": "TEL:Trojan:MSIL/AgentTesla.VPA!MTB", "target": null }, { "id": "PWS:Win32/VB.CU", "display_name": "PWS:Win32/VB.CU", "target": "/malware/PWS:Win32/VB.CU" }, { "id": "ALF:Ransom:Win32/Babax.SG!MTB", "display_name": "ALF:Ransom:Win32/Babax.SG!MTB", "target": null } ], "attack_ids": [ { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 690, "URL": 1479, "domain": 476, "FileHash-MD5": 526, "FileHash-SHA1": 505, "FileHash-SHA256": 1509, "email": 6 }, "indicator_count": 5191, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "227 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6892e73b32af18aa302df0dc", "name": "Part 1.5", "description": "Dark web media \u2022 Political news \u2022 Malvertizing\nlocate \u2022\ntrack [stalk] \u2022 record calls \u2022 control media [youtube , etc] http://t.name?n[++i]=e:this.removeEventListener\t\t\nJeeng &\nPowebox [ accidentally left out in original post pulse]", "modified": "2025-09-05T04:03:06.929000", "created": "2025-08-06T05:25:15.369000", "tags": [ "chromeua", "optout", "object", "path", "value", "access type", "setval", "windir", "localappdata", "null", "win64", "error", "generator", "close", "roboto", "date", "format", "light", "span", "template", "void", "android", "body", "trident", "mexico", "sonic", "black", "critical", "desktop", "dark", "meta", "this", "june", "hybrid", "apache", "write", "crypto", "autodetect", "face", "courier", "gigi", "impact", "shadow", "click", "strings", "cray", "smwg", "eret", "footer", "infinity", "window", "canvas", "legend", "nuke", "lion", "4629", "ahav", "olsa", "false", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "defense evasion", "t1480 execution", "file defense", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "script", "mitre att", "pattern match", "show technique", "iframe", "refresh", "august", "general", "local", "tools", "demo", "look", "verify", "restart", "url http", "small", "pulses url", "tellyoun", "showing", "entries", "url https", "indicator role", "title added", "active related", "type indicator", "role title", "added active", "related pulses", "cc08", "f06a6b", "sfurl", "filehashsha256", "types", "indicators show", "search", "pulses", "filehashsha1", "adversaries", "found", "webp image", "ascii text", "riff", "size", "encrypt", "legacy", "filehashmd5", "united", "flag", "server", "markmonitor", "name server", "llc name", "overview dns", "requests domain", "country", "win32", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "medium risk", "yara", "detections", "malware", "copy", "show", "icmp traffic", "packing t1045", "t1045", "pdb path", "pe resource", "extraction", "data upload", "enter sc", "type", "extra data", "please", "failed", "review", "exclude data", "included review", "ic data", "suggeste", "stop", "type onow", "domain", "passive dns", "urls", "files related", "pulses none", "related tags", "none google", "safe browsing", "sc data", "extr amanuav", "review included", "manualy", "sugges excluded", "filehash", "md5 add", "pulse pulses", "url add", "http", "hostname", "files domain", "pulses otx", "virustotal", "hsmi192547107", "pulses hostname", "r dec", "customer dec", "iski dec", "decision dec", "va dec", "bitcoin", "bitcoin dec", "petra", "torstatus dec", "paul dec", "sodesc", "planet dec", "emilia", "heroin dec", "difference dec", "palantir dec", "loraxlive dec", "chaturbate dec", "sandra", "free dec", "marvel dec", "benjis dec", "fresh dec", "sodesc dec", "srdirport", "srhostname", "link dec", "types of", "italy", "china", "australia", "france", "turkey", "discovery", "information", "ck ids", "t1005", "local system", "t1007", "system service", "part", "track", "locate", "political", "civil society", "news", "created", "hours ago", "report spam", "t1555", "password", "t1560", "collected data", "t1573", "channel", "t1574", "execution flow", "scan", "iocs", "t1497", "u0lhmq", "mtawmq", "t1480", "guardrails", "t1486", "data encrypted", "learn more", "unsubscribe aug", "protocol", "t1074", "staged", "t1083", "t1102", "web service", "t1105", "tool transfer", "t1140", "data engineer", "candidate", "tlsv1", "odigicert inc", "stcalifornia", "lsan jose", "oadobe systems", "incorporated", "cndigicert sha2", "push", "next", "high", "write c", "ireland as16509", "delete", "dirty", "tags", "t1012", "flow endpoint", "security scan", "t1106", "copyright", "levelblue" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 608, "FileHash-SHA1": 433, "FileHash-SHA256": 3663, "URL": 17104, "domain": 1316, "email": 39, "hostname": 4208, "SSLCertFingerprint": 17 }, "indicator_count": 27388, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "268 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6892a73593f73dfc969779b0", "name": "Part I | Track | Locate | Political & Civil society \u2018news\u2019 campaigns", "description": "Part I | Track | Locate | Political & Civil society \u2018news\u2019 campaigns\n*[ddddd.msg]\n[http://tracking.eu1.glintinc.com]\n[stormer5v52vjsw66jmds7ndeecudq444woadhzr2plxlaayexnh6eqd]\n[stackstorm.ops.dev.az.glintinc.com]\n\u2022 http://stormer5v52vjsw66jmds7ndeecudq444woadhzr2plxlaayexnh6eqd.onion/peter-thiel-running-database-to-root-out-those-disloyal-to-the-leader/\\n \u2022\n[http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-at-concentra/360]\n[http://pixelrz.com/lists/keywords/tsara-brashears-dead/360]", "modified": "2025-09-05T00:03:23.223000", "created": "2025-08-06T00:52:05.051000", "tags": [ "url http", "small", "indicator role", "title added", "active related", "pulses hostname", "tellyoun", "n aug", "entries", "data upload", "extraction", "windows error", "june", "fwd urgent", "justice czech", "copy sha256", "rejectedfailed", "timestamp input", "message status", "actions august", "file", "actions june", "actions may", "cta4 https", "context related", "associated urls", "campaigncodedsc", "language", "uid http", "community", "sha256", "size42b type", "submitted", "august", "april", "internal error", "previous1", "iframe", "community score", "scan analysis", "malicious", "intelligence", "learn", "falcon sandbox", "submissions", "status", "adversaries", "ck id", "name tactics", "suspicious", "informative", "defense evasion", "windows folder", "found", "dlls", "impact", "chromeua", "optout", "object", "path", "value", "access type", "setval", "windir", "localappdata", "null", "win64", "error", "generator", "close", "roboto", "date", "format", "light", "span", "template", "void", "android", "body", "trident", "mexico", "sonic", "black", "critical", "desktop", "dark", "meta", "this", "hybrid", "apache", "write", "crypto", "autodetect", "face", "courier", "gigi", "shadow", "click", "strings", "cray", "smwg", "eret", "footer", "infinity", "window", "canvas", "legend", "nuke", "lion", "4629", "ahav", "olsa", "false" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 9062, "domain": 707, "hostname": 2318, "FileHash-MD5": 86, "FileHash-SHA1": 26, "FileHash-SHA256": 2096, "email": 5, "FilePath": 2, "URI": 1 }, "indicator_count": 14303, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "268 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68038f7eb6f6810aa6d6439f", "name": "\"+g+\"", "description": "https://aplikacja.ceidg.gov.pl/CEIDG/CEIDG.Public.UI/EntryChangeHistory.aspx?Id=855bdfc1-7dbc-4a86-9d27-89ebb0ecf166&archival=False", "modified": "2025-09-01T08:05:25.121000", "created": "2025-04-19T11:56:46.933000", "tags": [ "copyright", "customevent", "typeof e", "boomerang", "typeof t", "macintosh", "os x", "post", "typeof", "iframe", "date", "poka menu", "nie znaleziono", "poka start", "poka", "max dostpnych", "pierwsza", "ostatnia", "nastpna", "poprzednia", "brak danych", "first", "ceidg", "wystpi bd", "error", "true", "null", "linkdownload", "show", "ctrlmappings", "version", "versionchange", "body", "false", "span", "input", "paginate", "next", "last", "selectstart", "loop", "function", "bootstrap", "datatables", "responsive", "2016 sprymedia", "amd define", "object", "commonjs", "window", "browser", "button", "datatable", "sprymedia ltd", "columns", "colidx", "column", "parent", "child", "param", "display", "click", "middle", "class", "target", "never", "find", "footer", "close", "regexp", "matches", "cookie", "inputmask", "input mask", "robin herbots", "mit license", "xmlhttprequest", "left", "month", "boolean", "maxdate", "right", "daterangepicker", "yyyymmdd", "calendar", "jquery", "webpackrequire", "typeof symbol", "type", "setprototypeof", "maskpos", "wrapnativesuper", "backspace", "insert", "internal", "mask", "void", "this", "nie mona", "array", "nonmsdombrowser", "horizontal", "leftarrow", "uparrow", "rightarrow", "downarrow", "explorer", "form", "legend", "hmmss", "mmmm d", "yyyy h", "typeof define", "number", "locale", "character", "seeknext", "masked", "input plugin", "josh bush", "azaz", "azaz09", "black", "kontrast", "arrcookies", "getcookielang", "and information", "on business", "sign", "twoja", "opinia", "informacja o", "notify ui", "widget", "eric hynds", "dual", "name", "dtopt", "example", "using", "open", "adata", "hungarian", "aria", "legacy", "trident", "format", "nuke", "apos", "bitcoin", "outer", "mark", "info", "reload", "behaviour", "write", "buttons", "anything", "prop", "thecookie", "create", "thevalue", "string name", "pluginscookie", "author", "eventkey", "datakey", "default", "dataapikey", "defaulttype", "config", "shown", "trigger", "delta", "guard", "arrow", "leave", "scroll", "dataspy", "sessiontimeout", "return", "settimeout", "mytimerid", "requestcounter", "starttimer", "stop", "typeof n", "adminlte", "typeof o", "main", "js application", "adminlte v2", "colorlib", "ui date", "written", "jacek wysocki", "poprzedni", "marzec", "kwiecie", "czerwiec", "lipiec", "sierpie", "wrzesie", "openpopup", "href", "toggle", "msviewport", "popover", "json", "json text", "string", "otherwise", "holder", "mind", "copy", "meta", "third", "text", "choice", "confirm", "nie pytaj", "site", "title", "value", "alert", "warn", "migrate", "foundation", "see http", "forget", "newvalue", "nones5", "fall", "wrongvalid", "onerror", "year", "fast", "argument", "popper", "method", "data", "html", "flip", "factory", "onload", "tbody", "courier", "elem", "handle", "expando", "match", "selector", "sizzle", "android", "capture", "seed", "pass", "enough", "code", "bind", "core", "local", "verify", "accept", "done", "override", "inject", "possible", "hold", "45deg", "larger", "screen styling", "90deg", "support", "sidebar mini", "e1f0ff", "font awesome", "free", "autocomplete", "folder", "expanded folder", "tabela", "sorting", "xform", "nadpisane style", "menlo", "monaco", "consolas", "mono", "courier new", "browse", "twitter", "pt serif", "georgia", "times new", "roman", "times", "typetime", "import", "roboto", "http", "label", "demos", "effect", "inst", "super", "speed", "bounce", "hack", "logic", "shift", "double", "february", "april", "june", "august", "friday", "erase", "atom", "caja", "spinner", "refresh", "alpha", "sentinel", "back", "blind", "drop", "ceidg.gov.pl - centralna ewidencja i informacja o dzia\u0142alno\u015bci g", "prosz czeka", "pobierz plik" ], "references": [ "https://aplikacja.ceidg.gov.pl/CEIDG/CEIDG.Public.UI/EntryChangeHistory.aspx?Id=855bdfc1-7dbc-4a86-9d27-89ebb0ecf166&archival=False", "UE_pl_top.svg", "UE_pl_top_sm.svg", "XZ4AH-ABKPW-SQPBC-CYWES-BCG6V", "dataTables.lang.js.pobrane", "EntryChangeHistory.aspx.js.pobrane", "dataTables.input.js.pobrane", "responsive.bootstrap4.js.pobrane", "dataTables.bootstrap4.js.pobrane", "dataTables.responsive.js.pobrane", "jquery.session.js.pobrane", "inputmask.binding.js.pobrane", "daterangepicker.js.pobrane", "jquery.inputmask.min.js.pobrane", "ScriptResource.axd", "moment-with-locales.min.js.pobrane", "jquery.maskedinput-1.2.2.js.pobrane", "feedback.js.pobrane", "jquery.notify.min.js.pobrane", "jquery.dataTables.js.pobrane", "jquery.cookie.js.pobrane", "bootstrap.js.pobrane", "SessionTimeout.js.pobrane", "adminlte.min.js.pobrane", "jquery.easing.1.3.js.pobrane", "jquery.feedbackBadge.min.js.pobrane", "ui.datepicker-pl.js.pobrane", "ceidg-master.js.pobrane", "CommonResponsive.js.pobrane", "json2.js.pobrane", "jquery.alerts.js.pobrane", "jquery-migrate-1.2.1.js.pobrane", "dataTables.bootstrap4.css", "CommonScripts.js.pobrane", "popper.js.pobrane", "responsive.bootstrap4.css", "jquery-3.0.0.js.pobrane", "daterangepicker.css", "AdminLTE.css", "ui.notify.css", "ceidg.css", "bootstrap-gov-pl.css", "biznes.css", "jquery-ui.js.pobrane", "saved_resource.html" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 4, "FileHash-SHA256": 25, "URL": 165, "domain": 353, "hostname": 215, "email": 2 }, "indicator_count": 767, "is_author": false, "is_subscribing": null, "subscriber_count": 123, "modified_text": "272 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68abf75bf3b03b94a6762409", "name": "(Repost) How to connect listeners to e.intercom | serverhub.com eonix.net", "description": "", "modified": "2025-08-25T05:40:43.552000", "created": "2025-08-25T05:40:43.552000", "tags": [ "context", "error", "ajaxupdate", "request", "requestdata", "name", "xoctoberassets", "datarequest", "typesubmit", "typetext", "click", "function", "typeof c", "bootstrap", "javascript", "azaz", "popover", "typeof f", "typeof g", "typeof h", "vui", "anda", "tente", "outubro", "trackingclient", "srpanj", "rabu", "vasaris", "image", "typeof atrkopts", "800px", "40px", "i18n", "blockedemail", "typeof i18n", "hubspot", "captcha", "date", "please", "april", "august", "close", "february", "june", "form", "klik", "download", "window", "this", "next", "null", "blank", "este", "anna", "rserver", "mais", "void", "object", "typeerror", "array", "symbol", "bound", "typeof window", "typeof t", "invalid path", "unknown method", "phonenumber", "ninja", "typeof e", "edge", "dataname", "intercom", "typeof symbol", "apple", "webkiti", "criosi", "trident" ], "references": [ "xfe-URL-Eonix.net-stix2-2.1-export.json", "xfe-URL-Serverhub.com-stix2-2.1-export.json", "xfe-URL-Enom.com-stix2-2.1-export 2.json", "https://widget.intercom.io/widget/rbc8ok9w", "https://js.hscollectedforms.net/collectedforms.js", "https://js.hsleadflows.net/leadflows.js", "https://d31qbv1cthcecs.cloudfront.net/atrk.js", "https://serverhub.com/combine/a059fe7a562c0b582328162f0ee69fda-1426025688", "https://serverhub.com/modules/system/assets/js/framework.js", "https://js.hs-scripts.com/3844463.js", "xfe-URL-Cloudfront.net-stix2-2.1-export.json", "xfe-URL-Intercom.io-stix2-2.1-export.json" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Vui", "display_name": "Vui", "target": null }, { "id": "Outubro", "display_name": "Outubro", "target": null }, { "id": "Tente", "display_name": "Tente", "target": null }, { "id": "Anda", "display_name": "Anda", "target": null }, { "id": "Vasaris", "display_name": "Vasaris", "target": null }, { "id": "Rabu", "display_name": "Rabu", "target": null }, { "id": "Srpanj", "display_name": "Srpanj", "target": null }, { "id": "TrackingClient", "display_name": "TrackingClient", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" } ], "industries": [], "TLP": "white", "cloned_from": "62719a4dec6d0aa4631b9b2f", "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5708, "hostname": 1541, "FileHash-SHA256": 876, "domain": 915, "CVE": 1, "FileHash-MD5": 1 }, "indicator_count": 9042, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "279 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6844240c68255798e08beb3b", "name": "Bilety online: Tw\u00f3j kolejowy partner w podr\u00f3\u017cy", "description": "Microsoft has created a new version of its XMLHttpRequest, which allows users to access a website, via a browser or browser without the permission of a third party, using the same address.", "modified": "2025-07-07T00:01:51.704000", "created": "2025-06-07T11:35:40.942000", "tags": [ "sign", "google sign", "forgot email", "criminalip", "create account", "bilety online", "sprzeday biletw", "polregio", "ssdeep", "license", "typeerror", "regexp", "promise", "function", "version", "typeof symbol", "copyright", "google llc", "apache license", "date", "without", "error", "blank", "trident", "generator", "class", "mountain view", "android", "submission", "california", "common name", "google inc", "unit android", "country code", "us state", "sha1", "sha256", "imphash", "pehash", "file type", "vhash", "authentihash" ], "references": [ "http://bilety.polregio.pl", "https://bilety.polregio.pl", "http://www.salesmanago.pl/static/sm.js" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1295, "hostname": 302, "domain": 137, "FileHash-SHA256": 996, "FileHash-MD5": 38, "FileHash-SHA1": 40, "IPv4": 1 }, "indicator_count": 2809, "is_author": false, "is_subscribing": null, "subscriber_count": 123, "modified_text": "328 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "684c65464466dd19b089f325", "name": "Zesp\u00f3\u0142 Profilaktyki i Rehabilitacji w Janowicach Wielkich - YouTube", "description": "If d=void 0===c,w(\"trustedResourceUrl\",d: \"Trusted resourceUrl,\" thend=c.src,d, c.js, then d:", "modified": "2025-06-13T17:56:28.689000", "created": "2025-06-13T17:52:06.399000", "tags": [ "rehabilitacji w", "youtube tv", "dami jelenia", "tv dami", "jelenia gra", "zakupy wycz", "jeli", "nie korzystasz", "filmy", "aby tego", "copyright", "closure library", "argument", "ifunction", "error", "null", "type", "cast", "webchannel", "su2028u2029", "chrome", "xmlhttp", "kkvoid", "remotecontrol", "android", "unknown", "screen", "desktop", "function", "string", "array", "number", "vfunction", "f8192", "n432", "true", "j2048", "this", "window", "void", "date", "pokau017c", "pytfunction", "fe8function", "qgzfunction", "afunction", "hb28", "r150", "promise", "bigint", "post", "edge", "swhealthlog", "symbol", "trident", "infinity", "embed", "webkitkeyframes", "zoomin", "zoominx", "zoomoutx", "zoominy", "zoomouty", "2000px", "90deg", "20px", "30deg", "30px", "10px", "10deg", "3deg", "5deg", "djmegamenu", "use license", "tabindex", "menu", "close", "msie", "beforechange", "imagehassize", "buildcontrols", "magnific popup", "dmitry semenov", "http", "beforeclose", "afterclose", "open", "next", "open source", "bsd license", "george mcginley", "smith", "djimageslider", "subpackage", "webkit", "khtml", "icab", "countto", "callback", "handler", "object", "typeof", "method", "gnugplv2", "website", "set module", "height script", "regexp", "screenheight", "highcontrast2", "highcontrast3", "highcontrast", "wide", "night", "body", "normalbutton", "cookie plugin", "https", "klaus hartl", "mit license", "register", "nodecommonjs", "factory", "jquery", "write", "sticky bar", "stickybar", "count", "offcanvas", "html", "noscroll", "offcanvas var", "toggle nav", "click jquery", "ajax", "autocomplete", "tomas kirda", "typeof define", "esc27", "tab9", "return13", "left37", "up38", "twitter", "custom version", "joomla", "rolemenu", "boolean", "get adobe", "flash player", "title", "text", "typeof data", "typeof s", "accept", "width", "foundation", "backspace8", "comma188", "delete46", "down40", "end35", "enter13", "escape27", "value", "migrate", "backcompat", "quirks mode", "typeof f", "xtablet768", "document", "ui sortable", "leftright", "gnu general", "public license", "dddddd", "ffffcc", "eeeeee", "verdana", "geneva", "arial", "helvetica", "f0f0f0", "sans", "charset", "utf8", "fontawesome", "typeof b", "pseudo", "child", "sufeffxa0", "class", "attr", "general slider", "slide", "rgba", "navigation", "15deg", "300px", "20deg", "transition", "scale", "baskerville", "main image", "bdbdbd", "f3f3f3", "remove", "fontface", "woff2", "u0131", "u01520153", "u02bb02bc", "u02c6", "u02da", "u02dc", "u0304", "dirrtl", "msviewport", "href", "span", "legend", "halflings", "fieldset", "typeimage", "f2f2f2", "d9edf7", "dff0d8", "f2dede", "thead", "tbody", "tahoma", "00a0", "video", "script", "2500", "xnew ita", "dnew jta", "dataset", "orfunction", "prfunction", "nsafunction", "xsafunction", "vrfunction", "cakes", "ovbfunction", "pvbfunction", "rvbfunction", "qvbfunction", "tvbfunction", "uvbfunction", "vvbclass", "xvbclass", "yvbclass", "svbclass", "lvafunction", "ggfunction", "mvafunction", "ovafunction", "pvafunction", "uvafunction", "tvafunction", "qvafunction", "vvafunction", "nvaclass", "dark", "vector", "yy49", "raster", "roboto", "new tk", "qael", "przechyl", "mars", "mercury", "venus", "pluto", "titan", "weakset", "wfclass", "googlelayer", "uint8array", "weakmap", "5001", "mouseevent", "webassembly", "180180", "9090", "google maps", "javascript api", "internal", "small", "lightrail", "false", "february", "light", "hybrid", "bounce", "drop", "inside", "outside", "marker", "gc" ], "references": [ "embed.html", "ad_status.js.pobrane", "f5Y41t9wqY4.html", "cast_sender.js.pobrane", "remote.js.pobrane", "sw3VTUzeRvWIVwvWSyk6S5gHWPxOOwU1OxerozmN4Hw.js.pobrane", "embed.js.pobrane", "www-embed-player.js.pobrane", "animate.ext.css", "animate.min.css", "jquery.djmegamenu.js.pobrane", "jquery.djmobilemenu.js.pobrane", "magnific.js.pobrane", "jquery.easing.min.js.pobrane", "slider.js.pobrane", "jquery.countTo.js.pobrane", "scripts.js.pobrane", "magnific-init.js.pobrane", "pagesettings.js.pobrane", "jquery.cookie.js.pobrane", "stickybar.js.pobrane", "fontswitcher.js.pobrane", "offcanvas.js.pobrane", "jquery.autocomplete.min.js.pobrane", "bootstrap.min.js.pobrane", "jcemediabox.js.pobrane", "jquery.ui.core.min.js.pobrane", "jquery-migrate.min.js.pobrane", "layout.min.js.pobrane", "jquery.ui.sortable.min.js.pobrane", "caption.js.pobrane", "finder.css", "jquery-noconflict.js.pobrane", "djmegamenu.26.css", "animations.css", "djmobilemenu.css", "jquery.min.js.pobrane", "djimageslider.css", "offcanvas.css", "magnific.css", "font_switcher.26.css", "css", "template_responsive.26.css", "offcanvas.26.css", "bootstrap_responsive.26.css", "extended_layouts.26.css", "style.css", "content.css", "template.26.css", "bootstrap.26.css", "jcemediabox.css", "js", "onion.js.pobrane", "search_impl.js.pobrane", "overlay.js.pobrane", "map.js.pobrane", "util.js.pobrane", "search.js.pobrane", "common.js.pobrane", "geometry.js.pobrane", "main.js.pobrane" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Gc", "display_name": "Gc", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2779, "hostname": 661, "domain": 684, "email": 4, "FileHash-MD5": 1, "FileHash-SHA256": 689 }, "indicator_count": 4818, "is_author": false, "is_subscribing": null, "subscriber_count": 123, "modified_text": "351 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6761887bac8548ef81857a50", "name": "Prokuratura Okr\u0119gowa w Jeleniej G\u00f3rze - Prokuratura Okr\u0119gowa w Jeleniej G\u00f3rze - Portal Gov.pl", "description": "Wstecz prasowy wedi dweud wrthod wybodaeth iawnydd i'wodraethol i gwadu i us\u0142ug.", "modified": "2025-05-14T20:58:17.341000", "created": "2024-12-17T14:19:39.155000", "tags": [ "jeleniej grze", "jelenia gra", "prokuratury", "prokuratura", "usugi dla", "okrgowa", "przejd", "logowanie", "profil zaufany", "strona", "string", "date", "sufeffxa0", "regexp", "matomo", "please", "blob", "null", "tag manager", "link", "typeerror", "typeof symbol", "error", "typeof t", "copyright", "jorik tangelder", "mit license", "zamknij", "nastpne zdjcie", "trace", "hammer", "crlf", "v2 dokument", "plik dokumentu", "dane", "unicode", "utf8", "z bom", "dziennik zdarze", "ms windows", "vista" ], "references": [ "https://www.gov.pl/web/po-jelenia-gora/", "http://www.gov.pl/web/po-jelenia-gora/", "https://matomo.www.gov.pl/analytics/js/container_68lYTZ79.js", "https://www.gov.pl/scripts/bundle.js" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Hammer", "display_name": "Hammer", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "email": 1, "hostname": 179, "domain": 46, "URL": 340, "FileHash-SHA256": 23, "FileHash-MD5": 47, "FileHash-SHA1": 3 }, "indicator_count": 639, "is_author": false, "is_subscribing": null, "subscriber_count": 123, "modified_text": "381 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67f33233092ab19b74879403", "name": "MacOS M2 Chip Infiltration: Game Center & XBOX Pod Game & Chat Server", "description": "pulse explores a variety of files, objects, and functions that could be associated with different system components, libraries, and protocols. It highlights a wide range of potential vulnerabilities that may exist in software related to system functions, APIs, data handling, and device interactions, including issues in devices like game controllers, HID devices, and platform-specific services (such as Apple and Android). The pulse references several components across different platforms (macOS, iOS, ARM architectures, and others), with a focus on low-level code, encryption libraries, system utilities, and network protocols like TCP, IP, and Bluetooth. The identified vulnerabilities could involve buffer overflows, deprecated functions, improper memory handling, and potential exploit vectors related to system security, performance, and integrity.", "modified": "2025-05-07T02:03:20.735000", "created": "2025-04-07T02:02:27.322000", "tags": [ "helper macro", "param", "param inccache", "kerberos", "ccache", "api function", "ccapi", "api version", "param ioccache", "ccacheserver", "win32", "null", "code", "win64", "error", "union", "ccapideprecated", "ccacheapi", "ccapiv2h", "apple", "export", "united", "ccache api", "cplusplus", "x8664", "typedef", "patheq", "none", "popen", "terminate", "false", "winenv", "winexe", "frozen", "winservice", "python", "posixthreads", "pyhavecondvar", "ntthreads", "vista", "pyemulatedwincv", "ntddivista", "semaphore", "pycondt", "win7", "pybuildcore", "fall", "copyright", "technology", "all rights", "reserved", "america", "government", "within that", "klprincipal", "klloginoptions", "inpassword", "klboolean", "klindex inindex", "login", "klstatus", "kerberos login", "inst", "regexp", "typeof e", "function", "typeof t", "typeof o", "width", "typeof", "pseudo", "body", "sticky", "date", "class", "this", "void", "accept", "span", "krb5callconv", "apoptsreserved", "tktflgreserved", "kdcoptreserved", "krb5data", "eblock", "krb5address", "krb5keyblock", "service", "realm", "format", "general", "internal", "entropy", "mask", "mcpeerid", "mcsession", "property", "protocol", "create", "nsuinteger", "notifies", "mcsession api", "interface", "bonjour", "ascii lowercase", "abc company", "section", "bonjour txt", "mcextern", "attribute", "mcextern extern", "mcexternweak", "nsenum", "nsinteger", "mcerrorcode", "mcerrorunknown", "mcerrortimedout", "bonjour apis", "stop", "peer", "example", "tags", "session", "nsprogress", "nserror", "nsstring", "nsurl", "nsarray", "note", "ui element", "utf8 encoding", "nscopying", "nsdictionary", "webpackrequire", "webpackexports", "object", "adobe systems", "adobe", "incorporated", "dissemination", "touchmove", "window", "launch", "close", "core", "webview", "nwebpackrequire", "arraybuffer", "name", "typedarray", "prototype", "string", "number", "nvar", "meta", "infinity", "generator", "zero", "epsilon", "observer", "android", "freeze", "trim", "canvas", "simple", "bind", "fast", "next", "patch", "rest", "middle", "find", "enumerate", "facebook", "executor", "apiunavailable", "gamecontroller", "gcbuttoninput", "gcswitchinput", "nsobject", "apiavailable", "hid device", "cfstr", "iohiddeviceref", "boolean value", "c iohidmanager", "iohidmanager", "c iohiddevice", "issequential", "bool sequential", "bool canwrap", "nsset", "nsunavailable", "gcswitchelement", "bool", "share button", "xbox controller", "xbox elite", "xbox series", "gcxboxgamepad", "gcpoint2", "gcpoint2make", "gcpoint2 p", "cfinline bool", "gcpoint2equal", "gcpoint2 point1", "gcpoint2 point2", "gcrelativeinput", "isanalog", "bool analog", "hasinclude", "gcaxis2dinput", "gcpoint2 value", "gcaxiselement", "certain", "gcaxisinput", "gcbuttonelement", "gccontroller", "nsnotification", "chhapticengine", "gcmicrogamepad", "input", "menu button", "gcdevicelight", "gccolor", "x axis", "xvalue", "developers", "functionality", "options button", "sf symbols", "elements", "gcdevice", "gctouchstate", "gctouchstateup", "apideprecated", "gckeyboard", "gcmouse", "nsswiftname", "gcdevicebattery", "battery level", "direction pad", "directionapad", "thumbstick", "gcdevicecursor", "a controller", "gccolor color", "gcinputbuttona", "gcinputbuttonb", "button b", "check", "a element", "c nil", "nsenumerator", "siri remote", "equivalent", "down", "left", "right", "kindof", "handle button", "c device", "immediate input", "dualsense", "positional", "sony dualsense", "gcmotion", "dualshock", "uievent", "controllers", "uikit user", "uiview", "method", "nsdata", "axes", "nsdata source", "return", "nullable", "nsdata object", "button", "shoulder", "extended", "gamepad profile", "nsdata api", "gcgamepad", "sizeof", "standard", "gckeyboardinput", "keyboard", "nsstring const", "controller", "back buttons", "game controller", "back", "keypad", "delete", "insert", "home", "right arrow", "left arrow", "down arrow", "up arrow", "korean", "backspace", "alongside", "gckeyuparrow", "gckeycode const", "lang1", "gclinearinput", "gcquaternion", "gcacceleration", "y axis", "z axis", "gcmouse mouse", "gcmouse class", "mice", "gcmouseinput", "mouse profile", "scroll", "nsdata instance", "a alias", "press", "micro profile", "siri remotes", "b button", "a gcinput", "button a", "nsoptions", "examining", "c sfsymbolsname", "apple tv", "remote", "control center", "a set", "game", "gcracingwheel", "gcbundlewithpid", "gcinputbuttonx", "gcinputbuttony", "gcinputshifter", "gckeya", "gckeyb", "gckeybackslash", "rawvalue", "apple swift", "o librarylevel", "swift import", "element", "indices", "iterator", "subsequence", "kerberoscomerr", "const", "permission", "mit software", "suitability", "athena", "openvision", "gssdllimp", "gssapigenerich", "this software", "purpose", "disclaims all", "warranties with", "regard to", "constraint", "kerberosprofile", "krb5profileh", "const names", "newvalue", "1429577728l", "gnuc", "mach", "omuint32", "gssapikrb5h", "form", "uid form", "client function", "asrep", "including", "preauth", "db entry", "free", "pointer", "rock", "neither", "direct", "damage", "minorstatus", "gssbuffert", "gssctxidt", "gssoid", "gssnamet", "gsscredidt", "gssoidset", "gssapi", "first", "alcapi", "alcapientry", "alcboolean", "targetosmac", "alcdevice", "alcenum param", "alalch", "alcchar", "alcsizei", "capture", "but not", "limited", "openal cross", "apple computer", "redistribution", "is provided", "type", "alvoid", "alint", "openal", "aluint sid", "alenum", "alint value", "aluint property", "alvoid nonnull", "alfloat", "write", "openalopenalh", "umbrella header", "alenum param", "alapi", "aluint bid", "alsizei", "alfloat value", "alapientry", "aluint", "verify", "play", "speed", "bits", "albuffer3i", "albufferdata", "albufferf", "albufferfv", "albufferi", "albufferiv", "aldistancemodel", "aldopplerfactor", "algetbooleanv", "algetbuffer3f", "iousbhostdevice", "iousbhostobject", "iousbhostpipe", "iousbhoststream", "iousbhost", "brief", "usb host", "bool yes", "bool no", "advance", "iousbhostfamily", "kernel", "ioreturn status", "nsnumber", "ioreturn error", "usb device", "select", "commands", "enqueue", "nsmutabledata", "field", "enum", "options", "retrieve", "iosource", "current address", "bos descriptor", "extract", "a descriptor", "license", "io request", "abort", "discussion", "stream", "please", "swift api", "iousbbitrange", "iousbbitrange64", "iousbbit", "client", "usb controller", "usb descriptor", "unknown", "critical", "refer", "link", "send", "same", "common ui", "bluetooth", "service browser", "option", "1001", "cfstringref", "deprecated", "macos", "returns", "abstract", "nswindow", "creates", "mac os", "uuids", "uuid", "sdp service", "nsimage", "nsview", "mpasskeystring", "nsmutablearray", "uuid array", "ioreturn", "runmodal", "group", "command", "byte", "masks", "pduid", "l2cap", "range", "opcode", "packet", "major", "local", "profiles", "iobluetooth", "framework", "support", "host controller", "rfcomm", "minor class", "pseudoclass", "specific device", "headset", "peripheral", "desktop", "glasses", "device reset", "no hci", "hci controller", "returns number", "variable number", "packdata", "cstring", "pass", "path", "deprecated in", "obex session", "obexsessionref", "rfcomm channel", "obex", "does not", "l2cap channel", "inrefcon", "device", "length", "obex spec", "error code", "make", "headerid", "april", "alarm", "avrcplog", "audiolog", "bccmd16touint16", "bccmd16touint8", "bccmd32touint32", "hfplog", "obexcreatevcard", "obexsessionget", "uint16tobccmd16", "intents", "created", "andrea gottardo", "inimage", "intentsui", "project version", "inshortcut", "ibdesignable", "invoiceshortcut", "nsbundle", "siri", "beralloct", "berbvarrayadd", "berbvarrayfree", "berbvdup", "berbvecadd", "berbvecfree", "berbvfree", "berdump", "berdup", "berdupbv", "ldap", "vdspinput1", "vectorsize", "iirchannel", "osvkerndsplib", "pragmaonce", "paul chang", "fri mar", "original code", "apple operating", "modifications", "apple public", "source license", "version", "lframesize", "i386", "picify", "callmcount", "nonlazystub", "align", "roundtostack", "leaf", "import", "carnegie mellon", "carnegie", "inline void", "software", "school", "august", "xnuarchi386selh", "next computer", "mike demoney", "bruce martin", "state segment", "nxswappedfloat", "osswapint32", "inline float", "inline double", "osswapint64", "armlimitsh", "arm64", "useclangtypes", "bsdarmtypesh", "int8t", "gnuc typedef", "uint8t", "ansi c", "ansi", "use wchart", "armmcontexth", "mcontextt", "armparamh", "round", "darwinsizet", "darwinalign", "uint32t", "darwinalign32", "warranties", "a particular", "university", "armarch6zk", "armarch6k", "armarch4t", "armarch4", "http", "capbitnb", "legacy", "armfeatureflag", "california", "notice", "berkeley", "limited to", "define", "useclanglimits", "lp64", "ansisource", "darwincsource", "longmin", "ulongmax", "parameter", "vmmemcoherent", "vmmemearlyack", "vmmeminner", "vmmemrt", "vmmemguarded", "armmemorytypesh", "armpalroutinesh", "read", "struct", "booleant", "cluster", "devbsize", "mclbytes", "unix system", "laboratories", "devbshift", "thumb", "armv5", "armv7", "cache", "neon", "swift", "bsdarmprofileh", "xxx todo", "block", "mcount", "mcountinit", "mcountenter", "splhigh", "armthreadh", "armtraph", "dflssiz", "targetososx", "maxssiz", "rliminfinity", "maxcsiz", "bsdarmvmparamh", "dfldsiz", "maxdsiz", "xxx stack", "armsignal", "int64t", "armmachtypesh", "int32t", "methods", "thread", "hasapplepac", "atmatmtypesh", "libkernlocksh", "fortifysource", "libkerncopyioh", "sizedby", "darwinosinline", "stdcversion", "osswapint16", "libkerncrch", "blockexport", "vaargs", "blockrelease", "blockh", "collection", "blockcopy", "ososbaseh", "base", "byteoffset", "host endianess", "generic host", "generic", "osmalloc", "osmalloctag tag", "osmalloctag", "pci device", "uint32", "uint32 mask", "safecastptr", "sint32", "osaddatomic64", "uint8", "libkern c", "internal error", "core osreturn", "libkern", "values", "pragmamark", "kexts", "kext", "c string", "grab", "osostypesh", "boolean", "unsignedwide", "uint32 hi", "buildtime value", "libkernversionh", "versionmajor", "versionminor", "versionvariant", "versionrevision", "ostype", "osrelease", "libkernsysctlh", "instructions", "data cache", "future", "rbleft", "rbright", "rbgetparent", "splayright", "splayleft", "rbsetcolor", "rbblack", "rbgetcolor", "comp", "main", "stdc", "msdos", "windows", "sys16bit", "zlibdll", "zextern", "zconfh", "model", "zextern int", "zstreamerror", "znull", "zbuferror", "zmemerror", "zstreamend", "zdataerror", "zfinish", "enough", "possible", "trailer", "compiler", "countedby", "sparta", "osatomic", "ipcipctypesh", "ipcobjectnull", "ipcobjectdead", "osreturn", "nfskrpch", "xdrbuf", "xdrbuf xbp", "xbptr", "xbleft", "tlen", "lval", "xbcleanup", "xbtype", "xbflags", "nfsargsversion", "file", "packed", "nfshz", "mount", "term", "restrict", "stats", "nfsbitmapset", "nfsver3", "nfsxunsigned", "attr", "nfsprogram", "nfssmallfh", "which", "from", "mark", "obsolete", "ip address", "iaddrt", "netinetbootph", "nvmaxtext", "magic", "etheraddrlen", "target", "byteorder", "bigendian", "littleendian", "dest", "igmp", "ushort", "inpcbptr", "inpcblistentry", "ipsec", "pcbs", "cookie", "netinetinstath", "minimal", "result", "arp packet", "icmpparamprob", "icmpredirect", "address", "ditto", "ip filter", "ipv4", "ip packet", "inject", "wifi", "server", "tcpmaxnotifyack", "wired", "ecn setup", "notify", "slow", "definitions", "tcptmax", "retransmit", "mptcp", "tcpsclosewait", "tcpsestablished", "tcpstimewait", "tcpseq", "timer drift", "sack", "char", "icmp", "synack", "tcpoptnop", "syndata", "ver", "internet", "iopcidevice", "constant", "perst", "localonly", "iooptionbits", "optional access", "ioservice", "open", "pcidriverkith", "osmetaclassbase", "iorpc rpc", "auditpipeiobase", "auditsdeviobase", "ioctls", "data", "the software", "stdargh", "hasincludenext", "eli friedman", "as is", "hack", "atomic", "atomicseqcst", "clangstdatomich", "stdchosted", "stdboolh", "needwintt", "stddefh", "hasbuiltin", "const src", "xnumembersize", "const dst", "wcharmax", "wcharmin", "limits", "kernelstdinth", "lp64 typedef", "intmaxc", "uintmaxc", "ptrauth", "olddata", "value", "declkey", "abi pointer", "c function", "float16", "fltevalmethod", "legacy bsd", "c standard", "sincospi", "cosp", "x8664monotonich", "staticifentry", "hasmte", "vmmemorytypesh", "vmwimgdefault", "wimg", "extvectortype", "utilfunction", "aligned", "srcptr", "vmpmaph", "vmdyldpagerh", "vmvmfaulth", "vmvmmaph", "development", "debug", "vmvmoptionsh", "vmvmpageouth", "kasantbi", "machvmmemtagh", "given", "vmmemtagptrsize", "vmmemtagtagsize", "copy", "vmsharedregionh", "vfsvfssupporth", "veclib", "master", "world wide", "various", "veclibtypes", "carbonlib", "availability", "carbon", "noncarbon cfm", "vbasicops", "shift", "vforceh", "vdsplength n", "realp", "nonnull", "vector", "dspsplitcomplex", "ieee", "dspcomplex", "uuiduuidh", "uuiddefine", "public", "uuid library", "kernelserver", "simpleroutine", "undkey", "execution", "strings array", "user", "title string", "info", "1024", "xmldatat", "undreplyref", "kernsuccess", "osaction", "targetosiphone", "istargetvendor", "targetcpux8664", "targetosunix", "targetcpuppc", "targetcpuppc64", "targetcpux86", "targetrtmaccfm", "bridge", "svflags", "svpavreal", "svpavreify", "xpvav", "svany", "avfillp", "for apidoc", "mutableav", "avrealoff", "pltopenv", "stmtstart", "stmtend", "copfile", "plcurstackinfo", "copfilegv", "cophinthashget", "loop", "stack", "beware", "orig", "loops", "this file", "the build", "plbitcount", "u8 value", "cvflags", "xpvcv", "mutableptr", "perlcore", "cvgv", "cvfile", "cvfmethod", "cvflvalue", "cvfconst", "anon", "doinit extconst", "ebcdic", "extconst u8", "index", "ascii platform", "confusingly", "u8 pla2e", "pla2e", "u8 ple2a", "guard", "declspec", "extconst", "ext externc", "init", "larry wall", "gnu general", "readme file", "multiplicity", "plsawampersand", "do not", "perliogetc", "perlioputc", "perliostdoutf", "perlio", "perlfeatureh", "featuresubbit", "featuremyrefbit", "featurefcbit", "featureisabit", "featuresaybit", "featurestatebit", "featuretrybit", "hintfeaturemask", "ffspace", "process", "ffdecimal", "ffend", "gvgp", "gvflags", "gvnamehek", "svtype", "gvegv", "gvstash", "gvxpvgv", "svtpvgv", "svtpvlv", "super", "edit directly", "djgpp", "bitbucket", "perlsysinitbody", "perlioinit", "perlsystermbody", "w macros", "wexitstatus", "shpath", "mkdir", "rotl64", "rotl32", "rotate x", "rotr32", "can64bithash", "rotr64", "ivsize", "u8to16le", "rotluv", "rotruv", "sbox32maxlen", "plhashstate", "perlhash", "perl", "usehashseed", "perlseenhvfunch", "perlhashseed", "siphash24", "siphash13", "seed", "c program", "c type", "c compiler", "gcc attribute", "longsize", "c preprocessor", "install", "kill", "cont", "thus", "ext declspec", "dext", "for apidocitem", "utf8", "ascii", "fitsin8bits", "nativetolatin1", "strwithlen", "u8 end", "test", "poison", "february", "cray", "prior", "behaviour", "except", "alpha", "perlvar", "perlvari", "perlvara", "padoffset", "true", "pmop", "hooks", "hook", "sv invlist", "perlinregcompc", "svcur", "perlinopc", "tointernalsize", "svtinvlist", "invlistlen", "strlen", "hvaux", "heklen", "svook", "hekutf8", "hekkey", "hekflags", "mutablehv", "hvnameheknn", "gosh", "leave", "iperlsock", "plsock", "iperlstdio", "plstdio", "iperlproc", "plproc", "iperllio", "pllio", "perlimplicitsys", "plink", "keypackage", "keyend", "keysub", "keydump", "keylog", "keysend", "keystate", "perlioclose", "perlmemcollxfrm", "nativetoneed", "plclocaleobj", "plno", "plwarnall", "plwarnnone", "plyes", "plzero", "plc9utf8dfatab", "nomathoms", "perlintokec", "perlinutf8c", "perlinsvc", "perlinregexecc", "debugging", "perlinlocalec", "pfinet", "snoop", "ccprint", "ccgraph", "cccharnamecont", "ccascii", "ccwordchar", "ccalphanumeric", "ccidfirst", "ccquotemeta", "ccalpha", "cccased", "ordinal", "magicvtablemax", "extra", "regex match", "env hash", "isa array", "debugger", "sig hash", "available", "shadow", "array length", "magic mg", "sv sv", "mgftainteddir", "hefsvkey", "mutablesv", "ssizet", "mgvtbl entry", "mgfbytes", "perlmagicsv 0", "special", "perlmagicarylen", "perlmagicrhash", "extra data", "perlmagicpos", "perlmagicsymtab", "provides", "dtrace probes", "stdioh", "stdioincluded", "sfioversion", "rxfpmfcharset", "rxfpmfmultiline", "rxfpmffold", "rxfpmfextended", "rxfpmfnocapture", "rxfpmfkeepcopy", "flags", "rxfpmfstrict", "ocshift", "plop", "perlbitfield16", "baseop op", "useithreads", "pmfonce", "padop", "perlcknull", "perlckfun", "opparg1mask", "opparg4mask", "opparg2mask", "perlckftst", "perlppftrowned", "perlckbitop", "perlckcmp", "perlcklfun", "dump", "chroot", "syscall", "flip", "undef", "crypt", "push", "stub", "trans", "predec", "flop", "prtf", "shutdown", "perlcontext cx", "perlmemlog", "c pointer", "cxtype", "logic", "toavamg", "tohvamg", "opftrread", "oplt", "opincmp", "opbitand", "opsbitor", "opsend", "opgetpeername", "opfteexec", "opftbinary", "opclose", "plparser", "yylex", "lexshared", "position", "repl", "memsize", "malloct", "perlmallocctlh", "uv nfree", "uv ntotal", "iv topbucket", "iv totalsbrk", "iv minbucket", "level", "plcomppad", "plcurpad", "uvxf", "ptr2uv", "avarray", "padnameflags", "plcopseqmax", "padlistarray", "c array", "padnametype", "incpushperl5lib", "appllibexp", "privlibexp", "defineincmacros", "perlfsversion", "perl5lib", "sitearchexp", "perllanginfoh", "hasnllanginfo", "ilanginfo", "codeset", "codeset 1", "dtfmt", "dtfmt 2", "dfmt", "dfmt 3", "sipround", "u8to64le", "fallthrough", "uint64c", "perlsiphashfnc", "siprounds", "strlen inlen", "sipfinalrounds", "could", "configure", "plout", "mine001", "argv", "plin", "localpatchcount", "perlapih", "xs code", "portingglossary", "first version", "brand", "symbols", "haswcrtomb", "perlionotstdio", "perlcallconv", "perlio f", "perlioh", "usestdio", "case", "bufsiz", "sizet", "perlstability", "perltypedefs", "perldtracehin", "perlloadedfile", "perlloadingfile", "perlopentry", "perlphasechange", "perlsubentry", "perlsubreturn", "generated", "perlcallconv iv", "sizet count", "sv arg", "mode", "perliofuncs tab", "stdchar", "perliolistt", "sv args", "mutex", "perlinterpreter", "sigsize", "perlioisstdio", "perlcallconv op", "perldokv", "perlppaassign", "perlppabs", "perlppaccept", "perlppadd", "perlppaeach", "perlppaelem", "public license", "free software", "foundation", "yydebug", "bison", "bareword", "funcmeth", "arrow", "targ", "pushs", "tops", "does", "xsub", "pops", "xpushs", "erange", "perlreentrapi", "perlreentrapi0", "hostentsize", "getgrentrproto", "getpwentrproto", "getnetentrproto", "grentbuffer", "grentsize", "hostenterrno", "redebugflag", "debugvtest", "debugr", "u16 nextoff", "argset", "u8 type", "nextoff", "strings", "problem", "june", "invert", "perlfpclass", "longdoublekind", "plstatusvalue", "pldebug", "numclasses", "locale", "grok", "pragma", "dword", "attack", "little", "lynx", "done", "reany", "rxpextflags", "rxextflags", "checkpoint cp", "rxftaintedseen", "rxfcopydone", "plsavestackix", "plsavestack", "plsavestackmax", "ssmaxpush", "enter", "debugscope", "state", "u32 state", "debugsbox32hash", "sbox32warn5", "line", "mutexunlock", "mutexinit", "noop", "mutexlock", "condinit", "detach", "panic", "usetm64", "should", "bsd extension", "configuration", "time64debug", "int64t nv", "gnu extension", "perltime64h", "time64t", "int64t int64", "int64 time64t", "i32 year", "tm64", "hastmtmgmtoff", "decide", "svpvx", "svgmagic", "bonk", "anything", "turn", "crash", "fstat", "perlmicro", "hasioctl", "hasutime", "hasgroup", "haspasswd", "usemybinmode", "idirent", "likely", "generated code", "utfebcdic", "unicode", "step", "ufeff", "u00a0", "u00df", "u00b5", "ufffd", "u017f", "u0300", "unlikely", "nativeutf8toi8", "utf8skip", "nativetouni", "lazy", "extrasize", "regnodemax", "exact", "match", "whilem", "anyof", "curly", "trie", "curlym", "eval", "star", "perlutilh", "hsmapiverlen", "hsxsverlenmax", "hskeyp", "tools", "sv vs", "perlversionlt", "svpvxnolenconst", "perlckwarner", "u32 err", "scroakxsusage", "pluumap", "warnings", "categories", "plcurcop", "perlckwarn", "perlckwarnd", "perlwarnisset", "perlwarnoff", "perlwarnbit", "xsversion", "xsreturn", "perlxshandshake", "plstackbase", "hskey", "zaphod32mix", "u8to32le", "zaphod32warn4", "zaphod32warn3", "zaphod32warn6", "perlform", "i8tonativeutf8", "warnutf8", "myshift", "c extension", "libs", "cflags", "afkuserlog", "kafkeventcancel", "kafkeventerror", "adamsbagmanager", "adjinglerequest", "isinternalbuild", "kickmcxdforuid", "loadappkit", "ardconfig", "authenticator", "dsauthenticator", "dsnode", "dsrecord", "hostconfig", "addtofront", "calcslope", "copyarray", "createcachenode", "defaultebecurve", "deletecache", "disablehcucache", "dumpcache", "dumpoutputhcu", "enablet1sim", "ascagent", "ascagentproxy", "asdevice", "ddrangecompare", "wdosloglauncher", "wdoslogprotocol", "findchar", "ddasllogger", "ddfilelogger", "ddlog", "ddlogfileinfo", "ddlogmessage", "ddloggernode", "mkurlparser", "mkerrordomain", "mkintegerhash", "mklonghash", "mkmaprectinset", "mkmaprectnull", "mkmaprectoffset", "mkmaprectworld", "mkmapsizeworld", "kextensionnonui", "wkarraycreate", "wkbooleancreate", "wkcontextcreate", "wkdatacreate", "wkdatagettypeid", "wkdoublecreate", "wkframecopyurl", "wkgettypeid", "wkimagecreate", "wkpagecandelete", "webkit", "methodkind", "wkerrordomain", "by apple", "document", "a block", "wkcontentworld", "wkwebview", "javascript", "wkerrorcode", "wkerrorunknown", "nsswiftasync", "wkswiftasync", "wkcookiepolicy", "nshttpcookie", "whether", "wknavigation", "wkdownload", "decides", "mime type", "wkscriptmessage", "wkframeinfo", "information", "url scheme", "wkcontentmode", "wkuserscript", "wkextern", "media", "promise", "fulfill", "cgfloat", "targetoswatch", "sign", "password", "provider", "uicontrol", "nscontrol", "opaque user", "apple id", "nsstring user", "asuseragerange", "initiate", "asauthorization", "confirms", "apple upgrade", "nserrorenum", "operation", "relying party", "targetosvision", "a byte", "nsdata userid", "relying", "a string", "asapiavailable", "http response", "authorization", "oauth", "saml", "nsdata readdata", "bool didwrite", "a cose", "nsstring name", "bool appid", "targetosxr", "a state", "a json", "web token", "private seckeys", "nsstring appid", "mdm profile", "nsurl url", "returns yes", "lacontext", "asswiftsendable", "keychain", "cose algorithm", "ecdsa", "sha256", "cose curve", "p256", "nsinteger rank", "enables", "bool success", "remove", "call", "complete", "prepare", "attempt", "list", "nsextension", "settings", "initializes", "a key", "extensions", "hash", "json", "initialize", "nsstring origin", "settings app", "urls", "https urls", "safari", "cancel", "nsuuid uuid", "asextern extern", "asextern", "nsswiftsendable", "uiwindow", "propertykind", "gkplayer", "n tags", "gkerrordomain", "gamecenter", "targetosios", "targetostv", "nsavailable", "gkachievement", "local player", "view", "present", "optional", "gkbaseplayer", "game center", "uiimage", "app store", "gkchallenge", "gklocalplayer", "nsdeprecated", "a singleton", "gkcloudplayer", "returns nil", "nsdeprecatedmac", "internal2", "internal3", "internal4", "gkscore", "gkextern", "gkextern extern", "gkexternweak", "gkerrorcode", "gkerrorunknown", "gkerrorunderage", "friendplayer", "standard view", "nsresponder", "parentwindow", "ibaction", "gkgamesession", "apis", "gkplayer player", "nsinteger score", "nsdate date", "gkleaderboard", "connect", "nsinteger value", "load", "gktransporttype", "nsstring title", "loads array", "localized", "gkmatch", "gkmatchrequest", "gkinvite", "gksession", "gksession api", "gamekit", "asynchronously", "welcome", "nstimeinterval", "delegate", "delivery", "gksenddatamode", "gksessionmode", "gkphotosize", "callbacks", "gkmatchdelegate", "gksavedgame", "default value", "gksessionerror", "gkvoicechat", "participant", "voice chat", "clienta" ], "references": [ "CredentialsCache.h", "CredentialsCache2.h", "config.xml", "popen_spawn_win32.py", "pycore_condvar.h", "Kerberos.h", "KerberosLogin.h", "plugin.js", "krb5.h", "MultipeerConnectivity.tbd", "MCBrowserViewController.h", "MCNearbyServiceAdvertiser.h", "MCError.h", "MCAdvertiserAssistant.h", "MCNearbyServiceBrowser.h", "MultipeerConnectivity.apinotes", "MultipeerConnectivity.h", "MCSession.h", "MCPeerID.h", "canvas.html", "capture_0.bundle.js", "capture_resize.js", "GCRacingWheelInput.h", "GCSyntheticDeviceKeys.h", "GCSwitchPositionInput.h", "GCSteeringWheelElement.h", "GCSwitchElement.h", "GCTouchedStateInput.h", "GCXboxGamepad.h", "GCTypes.h", "GCRelativeInput.h", "GameController.h", "GCAxis2DInput.h", "GCAxisElement.h", "GCAxisInput.h", "GCButtonElement.h", "GCController.h", "GCColor.h", "GCControllerAxisInput.h", "GCControllerDirectionPad.h", "GCControllerInput.h", "GCControllerElement.h", "GCControllerTouchpad.h", "GCDevice.h", "GCDeviceBattery.h", "GCDeviceCursor.h", "GCDeviceHaptics.h", "GCDeviceLight.h", "GCDevicePhysicalInputState.h", "GCDevicePhysicalInputStateDiff.h", "GCDirectionalGamepad.h", "GCDirectionPadElement.h", "GCDevicePhysicalInput.h", "GCDualSenseAdaptiveTrigger.h", "GCDualSenseGamepad.h", "GCDualShockGamepad.h", "GCEventViewController.h", "GCExtendedGamepadSnapshot.h", "GCExtern.h", "GCExtendedGamepad.h", "GCGamepadSnapshot.h", "GCGearShifterElement.h", "GCGamepad.h", "GCKeyboard.h", "GCInputNames.h", "GCControllerButtonInput.h", "GCKeyNames.h", "GCKeyboardInput.h", "GCKeyCodes.h", "GCLinearInput.h", "GCMotion.h", "GCMouse.h", "GCMouseInput.h", "GCMicroGamepadSnapshot.h", "GCPhysicalInputElement.h", "GCMicroGamepad.h", "GCPhysicalInputProfile.h", "GCPhysicalInputSource.h", "GCPressedStateInput.h", "GCProductCategories.h", "GCRacingWheel.h", "GameController.tbd", "arm64e-apple-macos.swiftinterface", "x86_64-apple-macos.swiftinterface", "module.modulemap", "com_err.h", "gssapi_generic.h", "locate_plugin.h", "profile.h", "gssapi_krb5.h", "preauth_plugin.h", "gssapi.h", "alc.h", "oalStaticBufferExtension.h", "oalMacOSX_OALExtensions.h", "OpenAL.h", "al.h", "OpenAL.tbd", "IOUSBHost.tbd", "IOUSBHostCIEndpointStateMachine.h", "IOUSBHostCIControllerStateMachine.h", "IOUSBHost.h", "IOUSBHostCIPortStateMachine.h", "IOUSBHostCIDeviceStateMachine.h", "IOUSBHostControllerInterfaceHelpers.h", "IOUSBHostDevice.h", "IOUSBHostControllerInterface.h", "IOUSBHostDefinitions.h", "IOUSBHostInterface.h", "IOUSBHostIOSource.h", "AppleUSBDescriptorParsing.h", "IOUSBHostStream.h", "IOUSBHostObject.h", "IOUSBHostControllerInterfaceDefinitions.h", "IOUSBHostPipe.h", "IOBluetoothUIUserLib.h", "IOBluetoothUI.h", "IOBluetoothObjectPushUIController.h", "IOBluetoothDeviceSelectorController.h", "IOBluetoothPasskeyDisplay.h", "IOBluetoothPairingController.h", "IOBluetoothServiceBrowserController.h", "IOBluetoothUI.tbd", "Bluetooth.h", "IOBluetooth.h", "BluetoothAssignedNumbers.h", "IOBluetoothTypes.h", "IOBluetoothUtilities.h", "OBEXBluetooth.h", "IOBluetoothUserLib.h", "OBEX.h", "IOBluetooth.tbd", "INImage+IntentsUI.h", "IntentsUI.h", "INUIAddVoiceShortcutButton.h", "IntentsUI.apinotes", "INUIEditVoiceShortcutViewController.h", "INUIAddVoiceShortcutViewController.h", "LDAP.tbd", "OSvKernDSPLib.h", "cpu.h", "asm_help.h", "desc.h", "pio.h", "io.h", "sel.h", "reg_help.h", "tss.h", "table.h", "byte_order.h", "_limits.h", "_types.h", "_mcontext.h", "_param.h", "_endian.h", "arch.h", "cpuid_internal.h", "cpu_capabilities_public.h", "arm_features.inc", "endian.h", "locks.h", "limits.h", "atomic.h", "machine_cpuid.h", "memory_types.h", "pal_routines.h", "machine_routines.h", "param.h", "cpuid.h", "thread.h", "trap.h", "vmparam.h", "signal.h", "types.h", "AFKMemoryDescriptorOptions.h", "machine_machdep.h", "atm_types.h", "copyio.h", "_OSByteOrder.h", "crc.h", "Block.h", "OSBase.h", "OSByteOrder.h", "OSDebug.h", "OSMalloc.h", "OSAtomic.h", "OSReturn.h", "OSKextLib.h", "OSTypes.h", "version.h", "sysctl.h", "tree.h", "zconf.h", "zlib.h", "libkern.h", "kdp_callout.h", "kdp_en_debugger.h", "ipc_types.h", "krpc.h", "rpcv2.h", "xdr_subs.h", "nfs.h", "nfsproto.h", "bootp.h", "if_ether.h", "icmp6.h", "icmp_var.h", "igmp_var.h", "igmp.h", "in_pcb.h", "in_stat.h", "in_private.h", "in_arp.h", "in_var.h", "in_systm.h", "ip_var.h", "ip_icmp.h", "kpi_ipfilter.h", "ip6.h", "tcp_private.h", "ip.h", "tcp_timer.h", "tcp_fsm.h", "udp_var.h", "tcp_seq.h", "tcpip.h", "udp.h", "tcp_var.h", "tcp.h", "IOPCIFamilyDefinitions.h", "IOPCIDevice.iig", "PCIDriverKit.h", "IOPCIDevice.h", "audit_ioctl.h", "stdarg.h", "stdatomic.h", "stdbool.h", "stddef.h", "string.h", "stdint.h", "ptrauth.h", "math.h", "monotonic.h", "static_if.h", "machine_kpc.h", "machine_remote_time.h", "ipc_pthread_priority_types.h", "lz4_assembly_select.h", "vm_compressor_algorithms.h", "lz4.h", "pmap.h", "vm_dyld_pager.h", "vm_far.h", "vm_fault.h", "vm_map.h", "lz4_constants.h", "vm_options.h", "vm_pageout.h", "vm_memtag.h", "vm_shared_region.h", "vm_kern.h", "vfs_support.h", "vecLib.h", "vecLibTypes.h", "vBasicOps.h", "vForce.h", "vDSP.h", "uuid.h", "UNDReply.defs", "UNDRequest.defs", "KUNCUserNotifications.h", "UNDTypes.defs", "UNDTypes.h", "TargetConditionals.h", "apfs_boot_mount.tbd", "av.h", "cop.h", "bitcount.h", "cv.h", "ebcdic_tables.h", "EXTERN.h", "embedvar.h", "fakesdio.h", "feature.h", "form.h", "gv.h", "git_version.h", "dosish.h", "hv_macro.h", "hv_func.h", "config.h", "INTERN.h", "handy.h", "intrpvar.h", "invlist_inline.h", "hv.h", "iperlsys.h", "keywords.h", "libperl.tbd", "embed.h", "l1_char_class_tab.h", "mg_data.h", "mg_raw.h", "mg.h", "mg_vtable.h", "mydtrace.h", "nostdio.h", "op_reg_common.h", "op.h", "opcode.h", "inline.h", "overload.h", "opnames.h", "parser.h", "malloc_ctl.h", "pad.h", "perl_inc_macro.h", "perl_langinfo.h", "perl_siphash.h", "patchlevel.h", "perlapi.h", "metaconfig.h", "perlio.h", "perldtrace.h", "perliol.h", "perlvars.h", "perlsdio.h", "pp_proto.h", "perly.h", "pp.h", "reentr.h", "regcomp.h", "perl.h", "regexp.h", "scope.h", "sbox32_hash.h", "time64_config.h", "time64.h", "sv.h", "unixish.h", "uconfig.h", "utfebcdic.h", "unicode_constants.h", "utf8.h", "regnodes.h", "util.h", "vutil.h", "uudmap.h", "warnings.h", "XSUB.h", "zaphod32_hash.h", "encode.h", "python-3.9.pc", "python-3.9-embed.pc", "python3-embed.pc", "python3.pc", "AFKUser.tbd", "AdID.tbd", "Admin.tbd", "AirPlayReceiver.tbd", "AppSandbox.tbd", "ASEProcessing.tbd", "AuthenticationServicesCore.tbd", "WebGPU.tbd", "WebDriver.tbd", "MapKit.tbd", "SwiftUI.swiftoverlay", "WebKit.tbd", "WebKit.apinotes", "WKBackForwardList.h", "NSAttributedString.h", "WebKit.h", "WKBackForwardListItem.h", "WKContentRuleList.h", "WKContentRuleListStore.h", "WKContextMenuElementInfo.h", "WKDataDetectorTypes.h", "WKContentWorld.h", "WKError.h", "WKFoundation.h", "WKFindResult.h", "WKHTTPCookieStore.h", "WKFrameInfo.h", "WKNavigation.h", "WKFindConfiguration.h", "WKNavigationDelegate.h", "WKNavigationResponse.h", "WKOpenPanelParameters.h", "WebKitLegacy.h", "WKPreviewActionItem.h", "WKNavigationAction.h", "WKPreferences.h", "WKPreviewActionItemIdentifiers.h", "WKPreviewElementInfo.h", "WKProcessPool.h", "WKDownload.h", "WKPDFConfiguration.h", "WKScriptMessage.h", "WKSecurityOrigin.h", "WKScriptMessageHandler.h", "WKSnapshotConfiguration.h", "WKUIDelegate.h", "WKURLSchemeTask.h", "WKWebpagePreferences.h", "WKUserContentController.h", "WKWebsiteDataStore.h", "WKWebsiteDataRecord.h", "WKUserScript.h", "WKURLSchemeHandler.h", "WKWebViewConfiguration.h", "WKWebView.h", "WKScriptMessageHandlerWithReply.h", "WKWindowFeatures.h", "WKDownloadDelegate.h", "ASAccountAuthenticationModificationController.h", "ASAccountAuthenticationModificationViewController.h", "ASAuthorization.h", "ASAuthorizationAppleIDButton.h", "ASAccountAuthenticationModificationRequest.h", "ASAuthorizationAppleIDProvider.h", "ASAuthorizationAppleIDRequest.h", "ASAuthorizationAppleIDCredential.h", "ASAuthorizationController.h", "ASAuthorizationCredential.h", "ASAccountAuthenticationModificationExtensionContext.h", "ASAuthorizationError.h", "ASAuthorizationCustomMethod.h", "ASAuthorizationPasswordRequest.h", "ASAuthorizationOpenIDRequest.h", "ASAuthorizationPlatformPublicKeyCredentialDescriptor.h", "ASAuthorizationPlatformPublicKeyCredentialProvider.h", "ASAccountAuthenticationModificationReplacePasswordWithSignInWithAppleRequest.h", "ASAccountAuthenticationModificationUpgradePasswordToStrongPasswordRequest.h", "ASAuthorizationPlatformPublicKeyCredentialRegistrationRequest.h", "ASAuthorizationPlatformPublicKeyCredentialRegistration.h", "ASAuthorizationProvider.h", "ASAuthorizationPlatformPublicKeyCredentialAssertion.h", "ASAuthorizationPublicKeyCredentialAssertion.h", "ASAuthorizationPublicKeyCredentialAssertionRequest.h", "ASAuthorizationPublicKeyCredentialConstants.h", "ASAuthorizationProviderExtensionAuthorizationResult.h", "ASAuthorizationPublicKeyCredentialDescriptor.h", "ASAuthorizationPublicKeyCredentialLargeBlobAssertionOutput.h", "ASAuthorizationPasswordProvider.h", "ASAuthorizationPublicKeyCredentialLargeBlobRegistrationInput.h", "ASAuthorizationPublicKeyCredentialParameters.h", "ASAuthorizationPublicKeyCredentialLargeBlobRegistrationOutput.h", "ASAuthorizationPublicKeyCredentialRegistration.h", "ASAuthorizationPublicKeyCredentialRegistrationRequest.h", "ASAuthorizationPublicKeyCredentialLargeBlobAssertionInput.h", "ASAuthorizationSecurityKeyPublicKeyCredentialAssertion.h", "ASAuthorizationRequest.h", "ASAuthorizationPlatformPublicKeyCredentialAssertionRequest.h", "ASAuthorizationSecurityKeyPublicKeyCredentialProvider.h", "ASAuthorizationSingleSignOnCredential.h", "ASAuthorizationSecurityKeyPublicKeyCredentialDescriptor.h", "ASAuthorizationSecurityKeyPublicKeyCredentialAssertionRequest.h", "ASAuthorizationSecurityKeyPublicKeyCredentialRegistration.h", "ASAuthorizationSingleSignOnProvider.h", "ASAuthorizationWebBrowserExternallyAuthenticatableRequest.h", "ASAuthorizationWebBrowserPlatformPublicKeyCredentialAssertionRequest.h", "ASAuthorizationWebBrowserPlatformPublicKeyCredentialRegistrationRequest.h", "ASAuthorizationWebBrowserPublicKeyCredentialManager.h", "ASAuthorizationWebBrowserPlatformPublicKeyCredential.h", "ASAuthorizationWebBrowserSecurityKeyPublicKeyCredentialAssertionRequest.h", "ASAuthorizationWebBrowserSecurityKeyPublicKeyCredentialRegistrationRequest.h", "ASCOSEConstants.h", "ASCredentialIdentity.h", "ASAuthorizationSingleSignOnRequest.h", "ASCredentialIdentityStore.h", "ASAuthorizationWebBrowserSecurityKeyPublicKeyCredentialProvider.h", "ASCredentialProviderExtensionContext.h", "ASCredentialProviderViewController.h", "ASAuthorizationSecurityKeyPublicKeyCredentialRegistrationRequest.h", "ASCredentialServiceIdentifier.h", "ASExtensionErrors.h", "ASAuthorizationProviderExtensionAuthorizationRequest.h", "ASCredentialRequest.h", "ASAuthorizationWebBrowserPlatformPublicKeyCredentialProvider.h", "ASPasskeyAssertionCredential.h", "ASPasskeyCredentialRequest.h", "ASPasskeyCredentialRequestParameters.h", "ASCredentialIdentityStoreState.h", "ASPasskeyRegistrationCredential.h", "ASPasswordCredential.h", "ASPublicKeyCredential.h", "ASPasskeyCredentialIdentity.h", "ASPublicKeyCredentialClientData.h", "ASSettingsHelper.h", "ASWebAuthenticationSessionCallback.h", "ASWebAuthenticationSession.h", "ASWebAuthenticationSessionRequest.h", "ASWebAuthenticationSessionWebBrowserSessionManager.h", "AuthenticationServices.h", "ASFoundation.h", "AuthenticationServices.apinotes", "ASWebAuthenticationSessionWebBrowserSessionHandling.h", "ASPasswordCredentialIdentity.h", "ASPasswordCredentialRequest.h", "GameKit.apinotes", "GKAccessPoint.h", "GameKit.h", "GKAchievement.h", "GKAchievementViewController.h", "GKBasePlayer.h", "GKAchievementDescription.h", "GKChallengeEventHandler.h", "GKCloudPlayer.h", "GKChallengesViewController.h", "GKChallenge.h", "GKDefines.h", "GKError.h", "GKEventListener.h", "GKFriendRequestComposeViewController.h", "GKDialogController.h", "GKGameSessionEventListener.h", "GKGameSessionError.h", "GKGameCenterViewController.h", "GKGameSessionSharingViewController.h", "GKLeaderboardEntry.h", "GKLeaderboard.h", "GKLeaderboardScore.h", "GKGameSession.h", "GKLeaderboardSet.h", "GKLocalPlayer.h", "GKLeaderboardViewController.h", "GKMatch.h", "GKMatchmaker.h", "GKMatchmakerViewController.h", "GKPeerPickerController.h", "GKNotificationBanner.h", "GKPublicConstants.h", "GKPlayer.h", "GKPublicProtocols.h", "GKSavedGameListener.h", "GKScore.h", "GKSessionError.h", "GKVoiceChat.h", "GKTurnBasedMatchmakerViewController.h", "GKSession.h", "GKTurnBasedMatch.h", "GKSavedGame.h", "GKVoiceChatService.h" ], "public": 1, "adversary": "Turla Group, FIN7, APT34, APT28, DragonForce Malaysia Hacker Group, Indonesia Islamic Warriors Counc", "targeted_countries": [ "United States of America", "India", "Australia" ], "malware_families": [ { "id": "OSAtomic", "display_name": "OSAtomic", "target": null }, { "id": "OSReturn", "display_name": "OSReturn", "target": null }, { "id": "Ver", "display_name": "Ver", "target": null }, { "id": "Internet", "display_name": "Internet", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 39, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ilyailya", "id": "298851", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1968, "domain": 526, "FileHash-SHA256": 207, "hostname": 972, "email": 55, "FileHash-SHA1": 9, "FileHash-MD5": 4, "CVE": 2, "CIDR": 10 }, "indicator_count": 3753, "is_author": false, "is_subscribing": null, "subscriber_count": 35, "modified_text": "389 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "670ffc8487aaf80605755b62", "name": "vgt.pl (VGT.pl) or plix.pl (plix.net) 104.21.40.140 172.67.186.229", "description": "You can get help with your computer problems using the Help and Support section or via Skype or Telegram, if you want to get in touch with the support team or use the help of the UK's TalkTalk service.", "modified": "2024-12-30T17:38:55.943000", "created": "2024-10-16T17:48:52.704000", "tags": [ "pe32", "intel", "ms windows", "plik", "trojandropper", "trojan", "win32", "msil", "sha1", "sha256", "imphasz", "tekst ascii", "dane obrazu", "crlf", "dokument html", "unicode", "z bom", "rgba", "z terminatorami", "z bardzo", "utf8 unicode", "sobota", "sie usertrust", "salford o", "comodo ca", "limited st", "salt lake", "city o", "wto cze", "worldsetup c", "il l", "error", "null", "mapa", "liczba", "string", "bigint", "obiekt", "prawa autorskie", "nieznanybd", "uint8array", "android", "void", "unknown", "false", "roboto", "body", "this", "infinity", "outside", "span", "as13335", "cloudflare", "datasheet", "arkusz", "wyszukiwarka", "control panel", "support", "email", "a letter", "help", "mail", "management", "jpeg", "jfif", "dane", "dpcm", "ascii z", "dane archiwalne", "windows" ], "references": [ "https://www.plix.pl/system/companies/logos/000/000/526/original/gigainternet-logo.png", "http://plix.net", "http://www.plix.net", "https://www.plix.pl", "http://www.plix.pl" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 291, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 516, "hostname": 705, "URL": 1831, "FileHash-SHA256": 3315, "CIDR": 4, "IPv6": 4, "IPv4": 49, "FileHash-MD5": 794, "FileHash-SHA1": 572, "email": 1, "CVE": 14 }, "indicator_count": 7805, "is_author": false, "is_subscribing": null, "subscriber_count": 128, "modified_text": "516 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "675127405277d037355e5db6", "name": "Beehive.Systems", "description": "#if PRAGMA_ONCE, which includes the word \"pagma\" and the term \"penet\", should not be used as part of any attempt to set a new code.", "modified": "2024-12-05T04:08:32.154000", "created": "2024-12-05T04:08:32.154000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "ilyailya", "id": "298851", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 16, "domain": 30, "hostname": 69 }, "indicator_count": 115, "is_author": false, "is_subscribing": null, "subscriber_count": 31, "modified_text": "542 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "663d2869e0f3a42bbddc42ff", "name": "UPX executable packer.", "description": "A new rule has been introduced a \"suspicious\" ELF binary that is packed with the UPX executable packer.\nSuggested ATT&CK IDs: rule SUSP_ELF_LNX_UPX_Compressed_File { meta: description = \"Detects a suspicious ELF binary with UPX compression\" author = \"Florian Roth (Nextron Systems)\" reference = \"Internal Research\" date = \"2018-12-12\" score = 40 hash1 = \"038ff8b2fef16f8ee9d70e6c219c5f380afe1a21761791e8cbda21fa4d09fdb4\" id = \"078937de-59b3-538e-a5c3-57f4e6050212\" strings: $s1 = \"PROT_EXEC|PROT_WRITE failed.\" fullword ascii $s2 = \"$Id: UPX\" fullword ascii $s3 = \"$Info: This file is packed with the UPX executable packer\" ascii $fp1 = \"check your UCL installation !\"", "modified": "2024-10-14T00:01:17.069000", "created": "2024-05-09T19:47:53.786000", "tags": [ "cioch adrian", "centrum usug", "sieciowych", "elf binary", "upx compression", "roth", "nextron", "info", "javascript", "html", "office open", "xml document", "network capture", "win32 exe", "xml pakietu", "pdf zestawy", "przechwytywanie", "office", "filehashsha1", "url https", "cve cve20201070", "cve cve20203153", "cve cve20201048", "cve cve20211732", "cve20201048 apr", "filehashmd5", "cve cve20010901", "cve cve20021841", "cve20153202 apr", "cve cve20160728", "cve cve20161807", "cve cve20175123", "cve20185407 apr", "cve cve20054605", "cve cve20060745", "cve cve20070452", "cve cve20070453", "cve cve20070454", "cve cve20071355", "cve cve20071358", "cve cve20071871", "cve20149614 apr", "cve cve20151503", "cve cve20152080", "cve cve20157377", "cve cve20170131", "cve20200796 may", "cve cve20113403" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6861, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5771, "domain": 3139, "URL": 14525, "FileHash-SHA1": 2610, "IPv4": 108, "CIDR": 40, "FileHash-SHA256": 10705, "FileHash-MD5": 3373, "YARA": 2, "CVE": 148, "Mutex": 7, "FilePath": 3, "SSLCertFingerprint": 3, "email": 23, "JA3": 1, "IPv6": 2 }, "indicator_count": 40460, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "594 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "664bd9b732ecaf1b3c3beddf", "name": "Found some problems - Files from the UAlberta Google Drive Archive", "description": "Been looking for these...Gifts from the University of Alberta to the World apparently\n*Please note: I emptied out the Drive, however, there was a significant amount of abuse re: Google and Microsoft Accounts at the University of Alberta (reported).\n*On the Google side I utilized: Drive (a little), Docs/Slides/Sheets (when groupwork was required)\n*On the Microsoft side I utilized: OneDrive, Office 365 (Word, PPT, Excel, and OneNote). I used to also have a personal microsoft account (OneNote, OneDrive, Skype).\nThese were the applications I lived on for my studies. I could access the Gmail/Microsoft accounts for the University (however - 'bad things' usually happen because of this). I have no access to my personal Microsoft Account (i.e. myself and other affected student(s) do not have access to our personal stuff.", "modified": "2024-09-03T00:02:13.980000", "created": "2024-05-20T23:16:07.255000", "tags": [ "contact", "quick", "destination", "entry", "safety", "local", "health", "travel", "notification", "considerations", "service", "criminal", "showit", "click", "outcome", "step", "please", "class", "questions set", "question set", "unlock", "continue", "jointfilingyes", "jointfilingno", "minimum req", "domicileresusno", "joint sponsor", "sponsorjoint", "path", "href", "span", "activetab", "starton", "newpage", "searchq", "datasia", "datacon", "segfilter", "subsite", "issuance agency", "visas", "null", "state", "dialog field", "tabpanel", "recaptcha", "nameinputvisa", "fullnameinput1", "license headers", "tools", "templates", "sia contact", "visa", "website", "phoneregexp", "emailregexp", "azaz", "urlpattern", "example starter", "javascript", "fetch", "comptwo", "compone", "dateofbirth", "function", "date", "passport", "nameinput", "fullnameinput", "adult passport", "child passport", "new child", "new adult", "new passport", "datepicker", "ds5504", "hideit", "infinity", "false", "jquery", "error", "body", "trident", "simple", "turn", "back", "calendar", "format", "february", "april", "june", "august", "show", "page has", "bcdate", "col1child", "col2child", "coldatechild", "rowdisplay", "val1", "val2", "repaginate", "grab", "jandec", "86400000", "current", "namerbcontactme", "agency", "compliment", "complaint", "passportfees", "customerservice", "bymail", "namerbcategory", "brokenlink", "search", "departuredate", "calendar date", "picker", "change", "month", "vital", "records form", "component js", "select", "please enter", "azaz09", "dddddd", "woff2", "woff", "truetype", "css document", "efefef", "ffffff", "gradienttype0", "galaxy", "nexus", "iphone5", "abtn", "bbtn", "cbtn", "dbtn", "ebtn", "fbtn", "gbtn", "hbtn", "ibtn", "media query", "from", "fce68e", "font family", "bold", "document", "cc3333", "b7b7b7", "e2edff", "ced9ea", "pm author", "ipca csi", "helvetica", "arial", "cq aem", "feed classes", "f2cd54", "f4d97e", "portrait", "landscape", "ipad", "declare", "immigrant", "visa navigation", "navigation css", "georgia", "times new", "roman", "times", "verdana", "photomodal", "styles media", "ff0000", "queries", "form component", "typetext", "queries media", "phone media", "tablet styles", "media queries", "jumbo sized", "copyright", "gpl version", "http", "alpha", "button", "out width", "ui css", "framework", "icons", "misc", "mini", "input", "label", "textarea", "overlays", "csi page", "embassy info", "embassy data", "embassy names", "end adjust", "embassy nameso", "pages", "e1a04d", "c0c0c0", "ffffff url", "us survey", "component css", "country list", "e7eceb", "important", "additional css", "wizard", "corner radius", "f97800", "c61700", "largestbox", "thisbox", "csi navigation", "ui autocomplete", "ui menu", "noticeid", "countnote", "largestnote", "thisnote", "desktops", "43px", "42px", "large", "aem interface", "styles", "web email", "ytconfig", "typeerror", "facebook pixel", "pixel code", "symbol", "fblog", "typeof", "iterator", "pageview", "pixel", "facebook", "config", "meta", "propname", "dpjquerydpuuid", "this", "next", "atom", "cookie", "iframe", "close", "string", "number", "edge", "regexp", "silk", "sxa0", "object", "opera", "android", "void", "form", "UAlberta", "Android", "Mac", "iPhone", "Gov Alberta", "AWS", "AZURE", "ENTRA", "iCloud", "Telus", "Bitdefender", "Norton" ], "references": [ "Copy of clientlib.js(1).download", "Copy of clientlib.js(2).download", "Copy of clientlib.js(5).download", "Copy of clientlib.js(7).download", "Copy of clientlib.js(4).download", "Copy of clientlib.js(10).download", "Copy of clientlib.js(8).download", "Copy of clientlib.js(11).download", "Copy of clientlib.js(12).download", "Copy of clientlib.js(13).download", "Copy of clientlib.js(14).download", "Copy of clientlib.js(9).download", "Copy of clientlib.js(16).download", "Copy of clientlib.js(17).download", "Copy of clientlib.js(18).download", "Copy of clientlib.js(3).download", "Copy of clientlib.js(19).download", "Copy of clientlib.js(15).download", "Copy of clientlib.js(22).download", "Copy of clientlib.js(23).download", "Copy of clientlib.js(21).download", "Copy of clientlib.js(26).download", "Copy of clientlib.js(25).download", "Copy of clientlib.js(24).download", "Copy of clientlib.js(31).download", "Copy of clientlib.js(28).download", "Copy of clientlib.js(30).download", "Copy of clientlib.js(32).download", "Copy of clientlib.js(29).download", "Copy of clientlib.js(34).download", "Copy of clientlib.js(35).download", "Copy of clientlib.js(37).download", "Copy of clientlib.js(36).download", "Copy of clientlib.js(38).download", "Copy of clientlib.js(39).download", "Copy of clientlib.js(33).download", "Copy of clientlib.js(44).download", "Copy of clientlib.js(43).download", "Copy of clientlib.js(41).download", "Copy of clientlib.js(42).download", "Copy of clientlib.js(45).download", "Copy of clientlib.js(51).download", "Copy of clientlib.js(56).download", "Copy of clientlib.js(55).download", "Copy of clientlib.js(54).download", "Copy of clientlib.js(57).download", "Copy of clientlib.js(52).download", "Copy of clientlib.js(53).download", "Copy of clientlib.js(60).download", "Copy of clientlib(1).css", "Copy of clientlib.js(59).download", "Copy of clientlib(3).css", "Copy of clientlib(2).css", "Copy of clientlib(5).css", "Copy of clientlib.js(58).download", "Copy of clientlib(8).css", "Copy of clientlib(10).css", "Copy of clientlib(7).css", "Copy of clientlib(6).css", "Copy of clientlib(12).css", "Copy of clientlib(13).css", "Copy of clientlib(9).css", "Copy of clientlib(4).css", "Copy of clientlib(14).css", "Copy of clientlib(17).css", "Copy of clientlib(15).css", "Copy of clientlib(19).css", "Copy of clientlib(18).css", "Copy of clientlib(11).css", "Copy of clientlib(20).css", "Copy of clientlib(16).css", "Copy of clientlib(23).css", "Copy of clientlib(24).css", "Copy of clientlib(26).css", "Copy of clientlib(25).css", "Copy of clientlib(28).css", "Copy of clientlib(22).css", "Copy of clientlib(27).css", "Copy of clientlib(31).css", "Copy of clientlib(29).css", "Copy of clientlib(30).css", "Copy of clientlib(32).css", "Copy of clientlib(34).css", "Copy of clientlib(35).css", "Copy of clientlib(33).css", "Copy of clientlib(38).css", "Copy of clientlib(37).css", "Copy of clientlib(36).css", "Copy of clientlib(40).css", "Copy of clientlib(39).css", "Copy of clientlib(43).css", "Copy of clientlib(21).css", "Copy of clientlib(41).css", "Copy of clientlib(44).css", "Copy of clientlib(42).css", "Copy of clientlib(46).css", "Copy of clientlib(45).css", "Copy of clientlib(47).css", "Copy of clientlib(48).css", "Copy of clientlib(49).css", "Copy of clientlib(50).css", "Copy of clientlib(52).css", "Copy of clientlib(54).css", "Copy of clientlibs.js(3).download", "Copy of clientlib(53).css", "Copy of clientlibs.js(2).download", "Copy of clientlibs(3).css", "Copy of clientlib(51).css", "Copy of clientlibs(1).css", "Copy of clientlibs(2).css", "Copy of clientlibs.js.download", "Copy of clientlibs.js(4).download", "Copy of clientlibs(5).css", "Copy of clientlibs.css", "Copy of clientlibs(4).css", "Copy of dir (1).c9r", "Copy of clientlib(55).css", "Copy of iframe_api", "Copy of fbevents.js.download", "Copy of clientlibs.js(1).download", "Copy of js", "https://www.virustotal.com/gui/collection/7196cbc5285fb7e155a529980dc1797d3ab3884e20c77c66d9b1b971c313fe56/iocs", "https://www.virustotal.com/gui/collection/7196cbc5285fb7e155a529980dc1797d3ab3884e20c77c66d9b1b971c313fe56/graph", "hxxps://go[.]microsoft[.]com/fwlink/?LinkId=2033498", "hxxps://portal[.]office[.]com/Account", "hxxps://myapplications[.]microsoft[.]com/", "https://tria.ge/240521-rvybaahb79", "https://tria.ge/240521-rxpf6ahd6w", "https://tria.ge/240521-r1yh8shd44", "https://tria.ge/240521-ry949ahe2z/behavioral1", "https://tria.ge/240521-r3mvhshd83" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada", "Mexico", "Anguilla", "Aruba", "Panama", "Ukraine", "Trinidad and Tobago", "Saint Vincent and the Grenadines", "Saint Martin (French part)", "Sint Maarten (Dutch part)", "Philippines", "Netherlands", "Cura\u00e7ao", "Georgia", "Tanzania, United Republic of", "Costa Rica", "Guatemala", "Japan", "Barbados" ], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" } ], "industries": [ "Education", "Technology", "Government", "Healthcare", "Biotechnology", "Telecommunications", "Energy", "Construction", "Chemical", "Agriculture", "Finance", "Media", "Defense", "Transportation" ], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 251, "hostname": 188, "FileHash-SHA256": 142, "URL": 69, "FileHash-MD5": 77, "FileHash-SHA1": 77 }, "indicator_count": 804, "is_author": false, "is_subscribing": null, "subscriber_count": 134, "modified_text": "635 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6639853fc403f7be5bd6f27d", "name": "Facebook+", "description": "", "modified": "2024-05-07T01:34:55.365000", "created": "2024-05-07T01:34:55.365000", "tags": [], "references": [ "https://www.virustotal.com/gui/collection/09af9ef0b7b23d2dc73d83858106ae4fc97a352dbb521ac04493a0e79095ac69/iocs", "https://www.virustotal.com/gui/collection/79c25168b2f93d9730a56b8d2b834cbfb2752b63b21b9dd51109416fbaa676d8/iocs", "https://www.virustotal.com/graph/embed/g8726609a12794ebeb59edd531961a233068149bcdf994b428f20141be6111551?theme=dark", "https://www.virustotal.com/graph/embed/g365a82115f934e31a69118715695c91c231f66cda9084c9389e56afb985a243e?theme=dark", "", "https://www.virustotal.com/gui/collection/6a8d582df4fe5a29885dad4074236bc9e4ed445aaf0cc00702d45963fb0459bb/iocs" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "65eea19a23474b8c7dca351f", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Phone2209", "id": "281168", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1165, "hostname": 866, "URL": 657, "FileHash-SHA256": 26, "email": 337, "FileHash-MD5": 12, "FileHash-SHA1": 8, "CIDR": 1 }, "indicator_count": 3072, "is_author": false, "is_subscribing": null, "subscriber_count": 1, "modified_text": "754 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "660ec2cd7185f30ee98e0406", "name": "TP-Link ER605 Firmware Image download", "description": "After downloading a new firmware image for my TPlink ER605 switch/vpn-router, and since TP-Link doesn't provide a checksum for it. I decided to hit it with binwalk out of curiosity since I've had multiple issues with it the past two years. Immediately binwalk had to /dev/null the /var directory and further it hit two ip's as exploit sources once uploaded to criminalip and otx so I decided to upload the entire squash-fs for posterity", "modified": "2024-05-04T06:04:15.503000", "created": "2024-04-04T15:10:05.285000", "tags": [ "binmount o", "syskerneldebug", "limit", "netmask", "broadcast", "network", "prefix", "argc", "start", "copyright", "etcpasswd", "failsafe", "login", "important", "binash", "sample", "attention", "maxfds1024", "etcfrr", "somename", "openwrt", "deviceproduct", "generic", "devicerevision", "dns server", "ipv6 prefix", "duid", "ipv6 address", "x5 x8", "xdxrn502j", "y1 y1s", "linkits7688d", "omega2p", "wrtnode2p", "s boot", "sample vpn", "olinux", "cnpeer name", "target", "change", "ldap", "text", "port", "priority", "a srv", "srv record", "ldap server", "dnssd", "ipsec", "yang xiaoqiang", "varlogwtmp", "unavailreturn", "distribid", "distribrelease", "barrier breaker", "distribrevision", "distribcodename", "distribtarget", "openwrt barrier", "breaker", "distribtaints", "overlay srcgz", "home", "etcbanner", "pathusrbin", "ps1u", "libmodules", "ulimit", "binmore", "usrbinvim", "kshversion", "etcmkshrc", "preinit", "pathbin", "ipv6", "protocol", "isis", "icmp", "cisco", "header", "skip", "path first", "internet", "iana", "devnull", "stop", "ipkginstroot", "allcommands", "term", "stop value", "sqlite", "dh exponent", "grep", "w processor", "begin", "fix bug129941", "xfrm", "ipsec tunnel", "bug97836", "cmdlistend", "bundle command", "cmdliststart", "list", "procname", "list procname", "zebra route", "frr support", "bgp support", "zebra support", "firewallrule", "firewallruleset", "httpport", "path wifidog", "redirectdomain", "clienttimeout", "public key", "info", "version", "node id", "menu", "wifidog", "status", "wifidog wifidog", "gnu gpl", "rt3x5x", "sbinswconfig", "power", "wifi", "ethernet", "wifi5g", "rssilow", "rssimedium", "rssihigh", "wan led", "devconsole cp", "conffiles", "file 99ensync", "abort", "ansert", "abort error", "atz say", "atcgmm", "atcgmr", "ok atcsq", "ok atcgmr", "ok atcgmi", "atgmm", "atgmr", "timeout", "abort busy", "carrier", "report connect", "ate1", "useapn", "dialnumber", "connect", "atcgmi", "ok atcgmm", "atgmi", "answer", "v1 e1", "d2 fclass0", "at ok", "abort no", "dialtone", "sierra wireless", "cdma", "sprint", "verizon", "dial tone", "certificate", "telnet 23", "http 80", "https 443", "ssh 22", "webtimeout", "010001", "admin", "airplay option", "afp option", "ftp option", "samba option", "scanners option", "ssh option", "lanv6", "brlan", "network1", "sigusr2", "passwordauth on", "port 22", "10000s", "12000s", "4000s", "6000s", "ikepro1", "modp1024", "ikepro2", "aes128", "ikeph1name", "ph2proposal1", "ph2proposal2", "ikeph2name", "combination", "ikev1", "google", "cloudflare", "cleanbrowsing", "quad9", "opendns", "quad91", "quad92", "ipaddresspurely", "fqdn", "peertopeer", "presharekey", "tplink", "wan1", "ipgroupany", "ipv6groupany", "roseville194", "openwrt system", "balance", "dhcpclient", "portal", "pppoeclient", "onlinedection", "auto", "flashkeep", "etcopenvpn", "etcconfig", "etcdropbear", "global", "natlanwan1", "accept option", "accept", "drop", "reject", "reject option", "ipv6 icmp", "sections", "wan2", "0000", "usb0", "password", "eth1", "wan1eth", "wan1poe", "wan2eth", "wan2poe", "wan3eth", "wan3poe", "wan4eth", "wan4poe", "4094409340920", "onlinecheck", "openvpn", "ip address", "openvpn server", "windows", "remember", "common name", "generate", "etcopenvpnccd", "thelonious", "silence", "push", "first", "advertisecfg", "ospfcfg", "dslite", "pppoeshare", "wan1v6", "wan2v6", "wan3v6", "wan4v6", "static", "dynamic", "radvdinterface", "advmanagedflag", "advsendadvert", "advrouteraddr", "advautonomous", "advonlink", "ssh config", "http list", "https list", "telnet list", "http", "telnet", "https", "tcpudp", "2121", "2222", "2323", "smtp", "2525", "5353", "pop3", "partitionuuid1", "16043212800", "devsda1", "partitionuuid2", "devsda2", "udp161 option", "er605", "vpn router", "maximum number", "http listen", "https listen", "server document", "rfc1918 ip", "dns rebinding", "tcp connection", "akroniteshare", "account", "4094", "switch0", "vlan1", "vlan4094", "vlan0", "vwan", "veth1", "1024", "gmt0800", "ledsys", "switchled1", "switchled2", "switchled3", "switchled4", "switchled5", "modem", "options", "devnull p", "name", "match", "pkix", "randfile", "cadefault", "ca certificate", "sha256", "t61string", "bmpstring", "utf8strings", "mask", "import", "easyrsa", "keydir", "openvpn package", "openssl", "pkcs11tool", "keyconfig", "easyrsakeys", "issue rm", "pkcs11", "scdftprof1m", "setapn", "setuser", "setpass", "setauth", "atcgdcont1", "qcpdpp1", "scact11m", "paul hardwick", "paul", "empty input", "command", "error", "atcops", "atcops10m", "atcops12m", "atim", "atcreg2m", "atcgreg2m", "atcgeqneg1m", "atcreg", "atcgreg", "atndisdup11", "atcgatt", "1 goto", "wwan error", "useauth", "useuser", "usepass", "qcpdpp3", "atcfun1m", "atcgdcont3", "scact13m", "scact03m", "wwan connection", "atcimim", "atcpin", "sim puk", "sim pin", "ready", "atcsqm", "atmode", "atband", "atcsnr", "atsysinfoexm", "atsyscfgex", "atsyscfg", "atsysinfom", "atltersrp", "atcnumm", "busy", "errorn", "atcops0m", "mccmnc", "atcops12", "atcmd", "atq0 v1", "e1 s00", "e1 z", "atcmgf1m", "atcmgf0m", "wwan mode", "mode", "atzpas", "atzrssim", "atzrssi", "atzsnt", "pincode", "sim readyn", "sim pin2", "pinn", "gstatus", "selrat", "car0", "atcnti0m", "atecio", "atrscp", "umtschan", "atcommandn", "atcommand", "atcmgs", "action", "delete", "wanmod", "acldeleterule", "acladdrule", "ipgrouplan", "i actiondelete", "hplog", "hotplog", "hotplog fi", "deleterule", "addrule", "natlan", "qosdeleterule", "interface", "devconsole uci", "devconsole", "wanhook", "onlinedelzone", "onlineaddzone", "shenzhen tplink", "create", "delayreboot", "vpn hook", "devconsole echo", "reboot delayed", "no vpn", "hook event", "return", "pppdconfigpath", "ifname", "grep q", "pppdtype", "pppdusername", "pppdpid", "ipremote", "iplocal", "tmpl2tp", "vpnfwmark", "vpnforwardtable", "t mangle", "chain", "m comment", "connmark", "mark", "device", "actionifup", "actionifdown", "exit", "routetableid", "cachetableid", "gateway", "yuan fengjia", "grep w", "not response", "check if", "interface init", "thus", "phddnsready", "phddns", "devconsole exit", "cmxddnsready", "cmxddns", "natready", "qosdeleteiface", "vnetlibdir", "procnumber", "w arpreq", "v grep", "procnumber le", "deviced", "ifnamefile", "zone", "ipv6addr", "ipv6addrlen", "delaycommit", "hotplugtypevnet", "zaction", "prerouting i", "dnat", "p tcp", "p udp", "q delete", "interface uci", "dhcpsconfigfile", "dhcpslibdir", "urlprefix", "device uci", "w nvl", "w nl", "vlan", "vlan fi", "usb auto", "scan", "devicename", "er605v2 usb", "no need", "omada gateway", "specialid", "usb modem", "1usb modem", "devconsole fi", "nat elif", "clean", "module", "napt", "snetmaskg", "snetworkg", "j masquerade", "masquerade", "hwnat", "x usrsbinxfwdm", "xfwdm f", "systemparams", "config", "l2tpname", "l2tpisserver", "l2tpmark", "l2tppppdpid", "l2tpaction", "l2tpremoteip", "q get", "6 route", "interface proto", "v6wan", "interface03", "t ifup", "skip interface", "devconsole res", "setup", "zonegetzonebyif", "imbprefix", "ipprefix", "usrsbinddns", "dyndns", "noip", "interface04", "interrface", "bridge", "m tcp", "j accept", "number", "shift", "ifup", "action ready", "lockfile", "ospfpipewrite", "ospfpiperead", "ospfpiperead fi", "lockfile fi", "zhu xianfeng", "params miss", "m multiport", "usbifs", "managedevschain", "zte tele2", "usbifname p", "modemlib", "firmware", "firmware bs1", "inicmacaddr", "please", "dts file", "tmpfileport", "checkports", "v6ports", "j v6plusoutput", "d zonewannat", "i zonewannat", "f v6plusoutput", "i v6plusoutput", "inputgrep", "input accept", "outputgrep", "output accept", "add filter", "forwardgrep", "forward accept", "confif2", "brif", "option", "option bindif", "rundir runfile", "confif1 confif2", "brif action", "addbr", "updbr", "delbr", "option zone", "ifpong", "where interface", "set interface", "update", "rundir", "runfile", "t backup", "p notice", "t fault", "ipt n", "ipt a", "ipt s", "prerouting grep", "tpsrhook", "tpsrposthook", "cut d", "ipt i", "prerouting", "tmpaccessctl", "varconffilepath", "conffilepath", "options fi", "tmpcrontabtmp", "binsh", "start80 start", "start99 start", "cmxddnxrule", "stop98", "e sbiniscal", "tmp insmod", "tmprsacheck", "pass", "ipt f", "ipt x", "start96 ipt", "ipt d", "prerouting j", "n1 ve", "etcdhcp6cctlkey", "duidll", "rfc3315", "x0ax00", "x00x03x00x06x", "using mac", "using user", "etcdhcp6sctlkey", "invalid proto", "usrsbindhcp6s c", "usrsbindhcp6s", "d tmproot", "filddpirunning", "usrlib", "dpimodule", "filepidpath", "start99", "nete", "vnl forward", "dpirestriction", "vardir", "pidvar", "confvar", "v grepawk", "etcdir", "confback", "cabundlepath", "bannerfile", "pidcount", "prog", "kill", "md5sum", "passwordauth", "configfile", "hostfile", "debugfile", "domain", "dfconfigfile", "dnsservers", "configfile fi", "xappend", "etccrontabsroot", "rulelibdir", "p varspoolcron", "s etccrontabs", "c etccrontabs", "start40 start", "usrsharextgeoip", "start20 stop91", "c etcgeoip", "s etcgeoipbe", "s etcgeoiple", "start71 stop71", "start97", "h webserverwww", "servicepidfile", "start95 start", "conffile", "lockfd", "prerouting p", "vnetconffile", "init process", "pidf", "rund", "detectdir", "backuplist", "gao jie", "start98 start", "p output", "start99 stop90", "input drop", "p forward", "etcconfigipstat", "usrsbinipstat", "sysclassleds", "brightness", "e sysclassleds", "usblteled", "usbstorageled", "check fan", "fannormalled", "fanerrorled", "devnull ps", "rf tmpl2tp", "i fi", "loadbalancepre", "usrsbinlldpd", "openwrt release", "sysclassnet", "groupadd", "p varrunlldp", "varrunlldp", "chen chen", "zhangzhongwei", "reorganize", "start46", "option ifname", "enable", "note", "varrun", "ndppdconffile", "usrsbinndppd p", "ndppdconffile d", "nginxbin s", "p varlognginx", "p varlibnginx", "procmeminfo", "memtotal", "nginxbin", "start68 start", "jophilipp wich", "gnu general", "public license", "see license", "start90 stop10", "extracommands", "openvpnsecrets", "phddnsinit", "prerouting m", "input m", "reject vnete", "vme dst", "j drop", "redirect", "start50 stop26", "bin rundvarrun", "vpnserverconfig", "default", "default mkdir", "start50 start", "radvdconfigfile", "radvdinterfaces", "langc", "afaf09", "base6interface", "getip6addr", "start22 start", "start97 start", "the author", "config sfe", "software is", "provided", "as is", "disclaims all", "warranties", "with regard", "direct", "runc", "runc configget", "libd", "logd", "rundvarrun pidf", "runc configload", "routenum", "rtnetlink", "existret", "routenum fi", "routestatefile", "e procnanduid", "procnanduid", "tmpspideviceid", "grep v", "rebootschedule", "tmptz", "sysparams", "fang zhao", "start21 tddpbin", "tddpbin", "libvnet", "uhttpdkey", "uhttpdcert", "uhttpdbin", "px5gbin", "uhttpdcert rm", "tmpuserconfig", "check", "tslibdirsettime", "start96 boot", "usrsbinupnpd", "urllibdir", "modemstorage", "p tmpmodem", "storagemodem", "usb modemusb", "start80 stop", "usrsbinusbmuxd", "vnet", "start70 debug", "tmppassword1", "f tmppassword", "f tmppassword1", "extrahelp", "print", "start91 start", "wanconfig", "vpnclientconfig", "start25 stop25", "zoneconfbuild", "wanmax", "zydas zd1211rw", "wlan usb", "variant", "option hso", "messagecontent", "option gi0643", "xyfi", "standardeject1", "configuration2", "netgear", "kobil midentity", "kobilmode1", "mobile action", "smart cable", "mediatek wimax", "usb card", "blackberry q10", "sony ericsson", "gw d301", "advinne amc", "configuration3", "c100", "c120", "c170", "c270", "c3xx", "needresponse1", "hummer dtm5731", "aircard", "alegro", "starcomms", "alcatel otx080c", "etcom e300", "haier evdo", "alcatel x602d", "archos g9", "alcatel otx220d", "alcatel ot", "prolink pcm100", "bsnl capitel", "explay slim", "telewell tw3g", "hspa", "fs01bu", "smartbro wm66e", "alcatel", "touch x020", "tu930", "ivio iv2010u", "vibe", "emobile d12lc", "mywave sw006", "emobile d21lc", "techfaith bsnl", "aiko", "qisda h21", "flying beetle", "qisdamode1", "wisue w340", "solomon s3gm660", "philips picopix", "option icon", "prolink phs100", "ph300", "hyundai mb810", "alink", "airplus mcd800", "onda mv815u", "onda mdc655", "onda mw833up", "mw835up", "onda mo835up", "onda mw836upk", "onda mw875up", "onda msa", "tim brasil", "onda tm201", "tim italy", "onda wm301", "cricket a600", "u210", "hp laserjet", "io data", "wmx2u wimax", "nexperia tm", "tdscdma", "samsung gtb1110", "samsung gtb3730", "samsung u209", "sunplus techn", "axesstel modems", "targetvendor", "anydata", "bless uc165", "celot k300", "techfaith venus", "celot ct680", "quirky option", "samsung sghz810", "prolink p2000", "vertex wireless", "various usb", "dlink dwm162u5", "dwm162 c1", "micromax mmx", "anydata ape540h", "tl131 tdlte", "siptune lm75", "linuxmodem", "qtronix evdo", "tianyi", "dlink dwm156", "hsupa", "rndis", "pantech lte", "huawei e173s", "huawei gp02", "e587 variant", "huawei e173", "moviestar", "huaweinewmode1", "huawei et302", "huawei et8282", "huawei et127", "huaweimode1", "huawei e353", "vodafone", "huawei kxxxx", "huawei k4203", "huawei e5377", "kddi", "huawei", "hwd12 lte", "huawei k3773", "vodafone k4305", "vodafone k5150", "vodafone k4201", "vodafone k4202", "vodafone k4606", "viettel", "huawei e173u2", "huawei k3770", "huawei e352", "huawei e3131", "huawei e3372", "huawei e3531", "huawei u7510", "u7517", "huawei e392u12", "e3131", "huawei e171", "huawei e3331", "huawei bm358", "huawei e169", "huawei e220", "e230", "e270", "huawei v725", "phone", "huawei ets1201", "huawei u8220", "tmobile pulse", "huawei u8110", "android sdk", "huawei ec168", "huawei e180", "huawei ec156", "huawei e372u8", "huawei k3765", "huawei k4505", "huawei r201", "huawei k3772", "huawei e1553", "huawei r215", "huawei w5101", "huawei u2800", "china telecom", "cdu680", "cnu680", "chu629s", "huawei generic", "linux", "cgu628", "cgu628a", "xs stick", "zte mu351", "zte ac581", "zte mf110", "zte mf112", "zte mf637", "orange france", "zte mf651", "ztet a356", "zte mf652", "zte mf190", "zte mf656a", "mf668a", "zte mf820", "zte a371b", "onda mt8205", "zte mf821d", "zte mf821dmf826", "zte mf90", "mobile hotspot", "telewell twlte", "vodafone k5006z", "mf821", "k5008z", "mf823", "vodafone k4607z", "zte k3770z", "zte mf691", "tmobile rocket", "zte mf192", "zte mf195", "zte mf668", "zte mf680", "zte mfxxx", "zte mf825a", "zte mf730", "zte mf591", "zte mf196", "zte mf190j", "zte mf710m", "zte mf60", "zte ax226", "zte ac682", "cricket a605", "zte generic", "uncomment", "intex", "tlaytech teu800", "strongrising", "china telcom", "air flexinet", "tata photon", "titan", "avm fritz", "stick n", "utstarcom um175", "alltel", "pantech", "pantech uml290", "option beemo", "p4200 lte", "hisense e910", "evdo phone", "sqn1210sqn1220", "sequansmode1", "motorola", "wlan", "tergusb3e", "joa telecom", "beceem bcsm250", "haier ce682", "evdo", "messagecontent2", "haier ce", "zoom", "intex speed", "bsnl teracom", "visiontek", "teracom lw272", "unknown", "quanta muq101", "message", "quanta", "yota router", "quantamode1", "speedup su8500u", "nokia cs10", "nokia cs11", "nokia cs19", "nokia cs15", "nokia cs12", "nokia cs17", "nokia cs18", "nokia cs7m01", "nokia cs21m02", "philips", "vodafone md950", "dragonfly", "kyocera w06k", "cdma modem", "hspa modem", "targetproduct", "toshiba g450", "lg vl600", "lg l02c", "lg sd711", "lg l08c", "ntt docomo", "lg hdm2100", "lg l05a", "lg luu2100ti", "t usbconnect", "turbo", "lg l07a", "lg ldu1900d", "lg luu2110ti", "lg ad600", "lg l03d", "huawei e630", "sagem f", "gctmode1", "sierra", "digicom", "pirelli", "experimental", "cisco am10", "valet connector", "novatel mc990d", "novatel mc996d", "novatel u760", "novatel mc760", "mifi", "novatel generic", "novatel mifi", "mc545 hspa", "u679 lte", "amoi h01", "amoi h02", "axesstel mu130", "dlink dwm157", "dlink dwm221", "messagecontent3", "dwp157 b1", "dlink dwm167", "dlink dwm158", "dlink dwr510", "mediatek mt6229", "olicard", "speedup su8000", "speedup su8000u", "changhong ch690", "dlink dwm163", "dwm168", "telenet", "w wu160", "viettel vt100", "tplink ma180", "tplink ma260", "exiss mobile", "e190 series", "cmotech", "xtcomment xtlog", "xtdscp xtlength", "xtecn xthl", "xtnat nfnatipv4", "querystring", "requestmethod", "contenttype", "contentlength", "scriptname", "requesturi", "documenturi", "documentroot", "serverprotocol", "requestscheme", "byelorussian", "a3 b8", "a4 ba", "a6 b3", "a7 bf", "ad b4", "ae a2", "b0 b0", "b3 a8", "yo b4", "apache", "weixin", "luci", "fastcgi", "sslv2 sslv3", "tlsv1", "high", "ssl1m", "e2809a", "e2809e", "e280a6", "e280a0", "e280a1", "e282ac", "e280b0", "e28098", "e28099", "e280a2", "c2a0", "c2b7", "a3 d191", "a4 d194", "a6 d196", "a7 d197", "ad d291", "private key", "vendor asnet", "attribute", "asnet attribute", "speedup", "asnet", "server secret", "microsoft", "values value", "mschapresponse", "mschaperror", "mschapcpw1", "mschapcpw2", "mschaplmencpw", "mschapntencpw", "plural", "value", "value authtype", "roaringpenguin", "cistronradiusd", "local", "translations", "valid", "example", "attribute value", "interfacemode", "wirelesshost", "wizard", "systemmode", "interfacemac", "wirelessmac", "timemngt", "service", "10000", "4096", "factory", "framedprotocol", "alive", "merit", "merit extension", "value sipmethod", "invite", "cancel", "obsolete", "move", "include", "vjtcpip", "shelluser", "unix", "radius", "radius server", "general", "radius client", "server name", "clientserver", "ascend", "jens glaser", "euraw", "euui", "comb", "frcir", "frdirectno", "frdirectyes", "type", "button", "pidfile", "seen", "usrbinlogsave", "rfkillstate1", "bseoe6fuwg", "amvzwg", "kwbqbm0", "qrbdj3nghvdjigc", "ihnzbm8m9yop5w", "okue6n36b9k", "tppdpfquww", "drw5visp", "ubkwb1whnw0a", "efcmq", "root ca", "traditional pem", "authority", "global root", "root", "ecc root", "bwme", "gts root", "sectigo public", "premium", "whether", "netlink message", "buffer size", "netlink", "pagesize", "firewall mark", "netlink route", "netlink xfrm", "ike xfrm", "attr", "engine id", "openssl plugin", "set openssl", "fips mode", "suite b", "file", "rngstrong class", "rngtrue class", "listen", "set source", "ipv4", "analyze", "treat", "socket", "disable charon", "configuration", "loglevel", "ikesa", "identifier", "ikesas", "ike daemon", "id payload", "childsa", "install", "path", "rsa private", "t timer", "active", "reset", "expire", "accesscontrol", "tmnglog", "rest", "reset event", "etcconfigfstab", "moving root", "hexdump e", "q batch", "eof exit", "thu oct", "fri oct", "in dnskey", "internet domain", "bind domain", "internic", "in ns", "by verisign", "by ripe", "by icann", "by wide", "huawei 0004", "huawei 0003", "huawei 0005", "huawei 0001", "zte 0001", "zte 0002", "zte 0003", "zte 0004", "huawei 0002", "versalink", "configname", "rulename", "zonenumber", "targetname", "require", "l accessctl", "lan2lan", "position", "aclkeys", "zonein", "ucir", "zonedict", "zonenoin", "acllog", "1acl", "come in", "oldifs", "configtype", "section", "fwlibdir", "fwacllibdir", "m udp", "sectionname", "zonesnil", "srcnetwork", "ctmarkshift", "ctmarkrelated", "ctmarknewbit", "ctmarkinvalid", "ctmarkdef", "ctmarknew", "name fi", "1acl j", "icmpall", "huang zhenwei", "adlibdir", "adinitialized", "noexport", "stretz", "configappend1", "configappend", "function", "output", "iface", "line", "setname", "m set", "input", "v incomplete", "v address", "tmparplist1", "procuptime", "routingmode", "routingmode1", "devnull uci", "timer", "rtfile", "rtret", "rtfile f", "rtflag", "n awk", "grep g", "h grep", "rtflag fi", "baifacefile", "bastatefile", "srcurid", "srinfaceid", "bastatedir", "baifacedir", "srdir", "srinfaceid grep", "retfile", "xujun", "invalid option", "invalid func", "usrsbinarpreq", "clicfgpath", "tmpaccessconfig", "cfgpath", "gettimerange", "getifall", "getif", "lanlan", "success", "failed", "result", "setlocalaccount", "getlanlist", "getipgroup", "accesslistnum", "servicetype", "ruleid", "getindex", "tonumber", "currenttime", "februarynum", "smallfebdaymax", "bigfebdaymax", "timezone", "date", "keyname", "interfaceerror", "assert", "tagtype", "setdesc", "submask", "para", "ipv4address", "ipv4netwknum", "insert", "copy", "ipsecfailstatus", "checkexist", "ipaddress", "optionname", "encmode1", "fail", "responder", "portid", "data", "mirrorport", "portend", "sourceport", "naterror", "natsuccess end", "natprompt", "prompt", "natdata", "selectedname", "portstart", "istart", "routingerror", "adddata", "index", "routingsuccess", "crud error", "ospfinterface", "ospf", "ospfretre", "ospfautotypemd5", "simple", "vlan type", "down", "wanport", "primary ip", "proto", "ipaddrbits", "ripv1", "duplex", "flowctrl", "activemedium", "linkup", "setsnmpv1v2", "snmpv3en", "username", "contact", "setsshserver", "equal", "time settings", "weekday1", "sectimenumhour", "timeslicepoint", "entryname", "calendar", "vlanfailstatus", "vconfig", "vlanform", "vlan id", "address", "optional", "time", "settings", "please enter", "comment", "telecom", "upgrade", "reboot", "refresh", "defense", "code", "tokyo", "armenia", "panama", "jakarta", "back", "next", "tips", "class", "flood", "flash", "speed", "download", "lockout", "belarus", "indonesia", "mexico", "paraguay", "philippines", "ukraine", "uruguay", "facebook", "middle", "bind", "tools", "period", "media", "ping", "death", "stream", "enterprise", "live", "maha", "mais", "adduser", "never", "format", "trace", "clock", "alma", "third", "multi", "little", "critical", "done", "false", "mainserver", "execution", "keepalive", "package", "uciconfigdir", "sbinuci", "configsection", "120m", "ippool", "config dnsmasq", "directoryd", "type1", "type28", "f2cut d", "xargs", "g nogroup", "ctlcmd c", "vardir cp", "switch", "fdlibdir", "fdinitialized", "j dosdefense", "j dosdrop", "t raw", "all fin", "forward", "j zone", "mssfix", "forward j", "input j", "output j", "accept accept", "drop drop", "need v6", "fwinitialized", "libnetwork", "i restarton", "t firewall", "snat", "dnated traffic", "sbinifconfig", "notrack", "notrack rule", "j return", "j connextmark", "a sfemark", "a hwnatmark", "a prerouting", "j extmark", "export", "fwicmp4types", "fwicmp6types", "fwruleofs", "fwzones4", "fwzones6", "stretz export", "fwaerror0", "m mac", "sadd", "sdel", "a flooddefense", "m conntrack", "new j", "extmark", "m extmark", "connextmark", "c tmp", "i prerouting", "d forwardauth", "s usr1", "xargs kill", "loadrule", "j freestrategy", "luo pei", "free", "pistacklist", "kernelvermajor", "part", "piran", "awk f", "o noatime", "n pihooksplice1", "networkifstatus", "addr", "ipv4 address", "ipv4 subnet", "servicesig", "exec", "servicewritepid", "args", "serviceusepid", "servicedebug", "servicequiet", "servicesigstop", "procdsetparam", "procdkill", "script", "complete", "procdcall", "procdwrapper", "procdubuscall", "saved", "strtype", "parentdir", "ramfsdirs", "file strlen", "strlen1", "strlen", "cfgsync", "prefixdevmtd", "d devmtd", "ne x", "configsections", "lock", "etcgroup", "tunnelname", "wanname", "tunnelname p", "greservicerule", "j ct", "j snat", "plutoverb", "plutoconnection", "exist anete", "include zone", "ripaddr", "effde", "effif", "imbprocfile", "tmpstateimb", "ifip", "imblibdir", "imbinitialized", "zones", "n members", "move handling", "i actionupdate", "me hash", "me zonelist", "ipgrplibdir", "me set", "processfailover", "autofailback", "failoverpids", "autopids", "onlinezones", "j connmark", "input p", "myecho", "usrsbintmngtd", "domainspecial", "dnsq", "oldaddr", "usage exit", "invalid command", "ipsecsection", "checking", "connectionname", "etcconfigipsec", "chen xing", "algorithm", "ipsecweblock", "remotenetwork", "j dnat", "c vpnpre", "chenxing", "targetchain", "nfqueue", "tmplogvnetclog", "vnetcexecinvnet", "wanpassthrough", "wantype", "lanpassthrough", "lantype", "ttadvrouteraddr", "wang wenjing", "ipv6grplibdir", "tmpipv6loggg", "aawk v", "xl2tp", "sname", "xname", "devnull fi", "32 fi", "ikeph1", "dut init", "plutopeer", "plutomarkout", "plutouniqueid", "devconsole kill", "l2tpcdistribute", "mtu1300", "loadglobal", "xl2tpd", "killxl2tpd", "search", "nettimeout", "configdir", "nettimeout3", "tlsreqcert", "allowg", "pptpconfigfile", "l2tpconfigfile", "usage", "rstart", "sessiontimeout", "ldapquery", "mediatek mt7621", "ramipsmodel", "snor", "zyxel keenetic", "ramipsboardname", "all0256n", "asl26555", "awm002 evb", "f5d8235", "nand", "omni", "mkdir", "luopei create", "o veth1", "mflibdir", "mfinitialized", "macgrplibdir", "backup", "blank", "pwr1", "pwr2", "tmpfanstate fi", "er8411", "tmpfanspeed", "modvpn", "natlogprint", "rewrite", "root chain", "modules chain", "modone", "moddmz", "rules", "build filter", "dnat j", "naptdevicechain", "naptdevicemark", "naptdevicecache", "modpt", "validptifaces", "j trigger", "port triggering", "return fi", "modvs", "loopback snat", "32 p", "natprint", "natfd", "wc l", "natready flock", "natlogfile", "natlogdir", "natlibdir", "nattmpdir", "natlogenable", "natlogfile fi", "natdebug", "natwritefile", "modnapt", "determine", "includeonly", "nowanlink", "missingaddress", "zone6rd", "hardversion", "iface6rd", "e usrsbinallifs", "usrsbinallifs", "sigusr1", "l sigusr1", "nodevice", "f sysclasstty", "noifname", "baddevice", "pinfailed", "logprotosetup", "loggetsignal", "getinfofailed", "logprotoinit", "control device", "no apn", "noapn", "devconsole eval", "usrsbindhcp6c", "authfailed", "invalidoptions", "l sigterm", "getmacaddrerror", "geteuiiderror", "nowanaddress", "logmoduleipv6", "logipv66to4up", "v zone", "jsongetvar", "usrsbinpppd", "etcpppfilter", "interval5", "usrsbinxl2tpd", "could", "lcp term", "stdout", "aftrname", "stdoutdevnull", "dnssnd", "stdout mtu65000", "rssi", "dhcppidfile", "x v6plusoutput", "6 tunnel", "legacy1", "invalidprefix", "promisc", "oifs", "xprefixlen", "todo", "preconfig", "xifname", "xipaddr", "netifdmaindir", "wdevnotifyinit", "wirelesssetup", "wirelesssetdata", "ccmp tkip", "ccmp", "tkip", "wiface setup", "device setup", "protoprefix6", "protokeep", "protonestedopen", "protodns", "protodnssearch", "protoipaddr", "protoip6addr", "protoroute", "protoroute6", "pppipparam", "dns1", "dns2", "lllocal", "llremote", "state", "logipv6dhcp6cup", "procnetifinet6", "size", "aftrname echo", "svar", "random", "dhcppidfilehgw", "d forward", "dhcpscript", "ifnamendiscmbit", "slaac", "lanphyportset", "lanportset", "lan2", "lan3", "lan4", "wanportset", "wanphyportset", "cpu phy", "s call", "onlinestatefile", "onlinedevfile", "onlinestatedir", "onlineblockfile", "omada", "onlinemodeid", "link backup", "dowmlogid", "ubusobject", "remoteip", "localdevnet", "vpnrulenum", "virtual", "openvpnfwmark", "reply m", "remtoeip", "devname", "actualip", "configfilename", "zonewanopenvpn", "vlocalip", "vpnrulenum fi", "vremoteip", "echo", "unknown option", "i nobindd", "i locald", "publicdnsserver", "usrsbinopenvpn", "tmpopenvpnpwd", "authretryd", "i proto", "chroot", "sectionname wan", "devconsole fw", "sectionname dev", "author", "secname", "interface flag0", "4 route", "tpprconnected", "t grep", "tmppolicyroute", "l2tp", "pptp", "configptah", "killpptpd", "echoinfo", "pppoxpptptype", "pppoxpath", "pppoxl2tptype", "v wan", "serverpath", "loadoneuser", "tmppppoxpptp", "beginloaduser", "endloaduser", "usertypematch1", "profile", "serveron", "serveron pns", "pppoxpppoetype", "loadonepppoe", "deladd", "isexist", "configmyconfig", "q tmppptp", "tmppptpserver", "i snoccp", "usepeerdns", "persist", "plugin", "zonex", "maxfail", "sigchild", "mgrfather", "mt7620", "board", "hexdump", "checksum", "jffs2 partition", "wnce2001", "signature", "asus rtn56u", "preinitn", "initramfs", "boothookadd", "failsafetrue", "press", "int trap", "usr1", "tmpdebuglevel", "failsafe grep", "q failsafe", "proccmdline", "please reboot", "procnetdev", "doing openwrt", "libsh", "qosready", "thismodule", "qosconfigdir", "qosuci", "qoslogprint", "qoslibdir", "qostmpdir", "qostmpdirready", "moduleuci", "styperule", "idxv4", "idxv6", "qosfile", "qosrulechain", "qoschain", "qosfileip4", "qosfileip6", "qosret", "if iface", "uci grep", "stypeiface", "qosmarkbitstart", "qosmarkbitlen2", "qosgmarkmask", "qosmarkmask", "qostcidfile", "tcidbase", "tcidspec", "qoswritefile", "qosinfoprint", "qoserror", "incqoscid", "tcidmax", "spec", "qospollingfile", "deal", "qosthreshold gt", "qosthreshold eq", "qosgrpmarkfile", "grpmarkbitbase", "grpmarkspec", "incqosgrpmark", "grpmarkbase", "insertrule", "qoswritelog", "iptprefix", "iptprefix nvl", "e 1d", "iptprefix l", "iptprefix n", "iptprefix a", "qosret 0", "qosstate", "qosconfiger", "wanall", "snameglobal", "ifacelist", "ruleoptlist", "stopflag", "stub", "qosmarkfile", "markspec", "markbitbase", "markbase", "incqosmark", "m mark", "o get", "zonelist", "wan3", "wan4", "linerate", "qosstatefile", "qosrulespec", "incqosstate", "lannetdev", "grplist", "tttt", "forward vn", "tc qdisc", "tc class", "r2qhtb", "filest", "qdiscl", "defaulthdl", "tc p", "this", "rmchain", "serverports", "rejectports", "m vlan", "routestatedir", "src6", "dst6", "exist", "servicelibdir", "ipset", "j reject", "m tpconnlimit", "restart", "t mirror", "egress", "maxportnum", "s state", "m mode", "p mirrorport", "m ingress", "maxportnum1", "s17p1statusreg", "led bling", "ar8337portsmax1", "portvlanmax", "memeber", "null", "p portsid", "o flush", "rxnormal", "rxall", "flush", "maxportnum5", "t pvlan", "portvidmem", "cpu port", "port vlan", "v vid", "s17phycontrol", "t para", "10mh", "100mf 1000mf", "check rsa", "flowlinken reg", "full", "half", "multicast", "mbps", "rate", "t control", "ingress", "i istate", "m imode", "mirror state", "10mh 10mf", "100mh 100mf", "1000mf", "f flowcontrol", "r irate", "rtl8367sled0reg", "rtl8367sled1reg", "sfp2", "maxportnum11", "sfp0", "sfp1", "uciconfigdir cd", "macflowa", "macflowon", "macflow0", "macflowoff", "wan port", "swconfig", "unicast", "write address", "vlanid", "tbopwrite", "tbtargetcvlan", "write command", "port4control", "port5control", "port3control", "port0control", "port1", "tmplanmac", "mac learning", "lan port", "port1control", "port2control", "mirror mode", "phycontrolreg", "txall", "mt7530", "tlwvr458l", "lanport", "lanend1", "maxportnum fi", "cpuport", "vlanidx", "cpuport1", "0x0de0", "msb bit01", "enable reg", "ifg reg", "phyresolvedreg", "tmpcfg", "realtek", "wvr458war458", "phy index", "copyight", "yuanfengjia", "ceate", "timeobjadd", "timeobjdelete", "etcprofile", "montbl", "tblstartmonth", "weekdaytbl", "yeardaytbl", "startweekday", "tblstartcount", "tblstartweekday", "d etcnixio", "invalid image", "argv", "sysupgrade", "devwatchdog", "ciubipart", "cikernpart", "remove volume", "n troot", "wc c", "n kernel", "n rootfsdata", "kernel", "ramrootlib64", "conftar", "ramroot", "binmount", "bindd", "proc", "modupnp", "ucitmppath", "ucitmpconfig", "ucitmpupuppath", "upnplanchain", "upnplock", "l urlfilter", "tmpcon", "original p", "m urlsetmatch", "url j", "m urldnsmatch", "a urlfilter", "websec", "zoneapireturn", "zonefilelock", "vneton", "logconsole", "vnetbootingy", "loadavvlan", "ipv6addr fi", "ipv6addrlen fi", "loadunload", "loadainterface", "cleanainterface", "vnetiflock", "vnetlock", "vifname", "ipv6prefixlen", "vipaddr", "vnetmask", "vipaddr6", "vprefixlen6", "t filter", "buildainterface", "cleanazone", "i forward", "a webfilter", "l webfilter", "a websec", "sec j", "j websec", "f websec", "ipt t", "tmpwebsecurity", "l websec", "fileexts", "allowip", "wireguardfwmark", "listenport", "ifname p", "method", "nvl inputrule", "nginxconf", "wifidogconf", "lan1", "liwei mkdir", "ruleknownip", "ruleknownmac", "ruleknownipmac", "ruleremind", "ruleremindmac", "ruleremindipmac", "ipsetlimit", "ipsetlimitip", "zonestart", "zonestop", "zonerestart", "get vpn", "get effect", "get normal", "normal", "groupvzones", "groupzones", "wanw", "zonevgname", "zonecreategroup", "configvpniface", "zonestateconfig", "vpn iface", "newmac", "newmac yes", "yes1", "current mac", "overwrite", "converthex", "new mac", "write", "eeprom", "hotplugtype", "path logname", "user export", "devpath", "ifdown", "ev wan", "s list", "brightness exit", "head", "tmplog", "tmplog fi", "devmtdblock", "reloading", "md5file", "md5file rm", "gmac", "updates", "overlay tar", "kill runramfs", "volatile", "snapshot", "verbose", "confrestore", "tarv", "confbackup", "confimage", "needimage1", "needimage", "meta", "drivers", "devices", "type case", "devices drivers", "libwifi", "devubi0 s", "n logrecovery", "n database", "usrbiniptables", "iptablesok", "testiptmac", "wddirwdctl", "scanning disk", "test", "kamikaze", "downloadser605", "build", "integer", "valuepair", "uint4", "namelength", "ipaddr", "radiusclientngh", "begindecls", "enddecls", "servermax", "prohibit", "void", "dpidatabaseram", "sigint", "dpiappdatabase", "dpitagdatabase", "gnu libtool", "please do", "linker", "directory", "free software", "foundation", "license", "without any", "warranty", "merchantability", "fitness", "ddnseventmodule", "ddnseventid", "guo dongxian", "april", "tp new", "ui status", "dns error", "dyndns state", "dynamic dns", "june", "common log", "service start", "service stop", "servicepath", "linevalue", "linevalue fi", "angus mackay", "offline", "noipretcodegood", "noipstaterunok0", "ddnsextver eq", "newlineifs", "r n1", "registeredip", "eric paul", "bishop", "leave", "written", "janary", "tp log", "myip", "column", "wildcardno", "mxnochg", "backmxnochg", "add yours", "here", "dpidbpath", "procdpiappstat", "procdpiappblock", "dbenv", "tostring", "tmpdpitmpstat", "tmpdpitmpblock", "plutopeerclient", "plutome", "plutomyclient", "plutopeerid", "tag p", "facprio", "plutomysourceip", "plutomyprotocol", "pluto", "authiplimit", "authiplimitip", "curauthnum", "auth num", "logmoduleportal", "authtypeweb", "authtyperadius", "authtypewifi", "loguserexpired", "authtypeonekey", "authtypeldap", "idlemintimesec", "authtypewechat", "useragent", "wportalradius", "cookie", "android", "varchar", "authressucc", "authsvrconn", "authresmacerr", "authlistconn", "select from", "label", "span", "strong", "zempty", "icons", "select", "striptags", "pcdata", "legend", "fieldset", "textarea", "replace entry", "steven barth", "apache license", "found", "sorry", "internal server", "footer", "indexer", "collectgarbage", "peak", "retval", "main", "vendor", "prodid", "cls02", "sub0e prot00", "modemtmp", "logallport", "searchtty", "alltty", "d dev", "busfile", "clsff", "clse0", "cls0a", "break", "vid pid", "unsuretty", "storage", "reinit usb", "modemliblogawk", "logmodeswitchs", "cls08", "atr03", "count", "driver", "usbport", "logunlockpin", "unlockpin", "puk code", "modem unlock", "loggetisp", "fileispjson", "findcountry", "location", "findisp", "usbmodemdebug1", "portfile", "usbport fi", "cfgfilepath", "tmpcsfilepath", "ubiquiti", "atheros", "powerstation2", "ralink", "subsystem", "powerstation5", "sr4c", "frequency", "jsonprefix", "jsoncur", "jsongetvar cur", "jsonunset", "keys", "jsonvar", "dest", "jsonseq", "cidr static", "routes", "document", "150px 524px", "46px 524px", "195px 524px", "150px 556px", "46px 556px", "195px 556px", "219px 309px", "219px 333px", "90px 36px", "f4f4f4", "f2f2f2", "151px 151px", "f9b61e", "80px 224px", "eaeae8", "f3f3f5", "verdana", "54px 36px", "geneva", "326px 54px", "329px 58px", "532px 85px", "ebebeb", "21px 21px", "chrome", "7px 7px", "219px 111px", "dd4040", "252px 54px", "220px 5px", "access control", "inner", "app dist", "arp scan", "bwlist qq", "location group", "switch ddm", "dns cache", "backup restore", "gre overipsec", "interface mac", "interface mode", "ipgroup address", "ipgroup group", "ipgroup view", "ipsids", "systemroutetbl", "ipv6group group", "l2tp client", "l2tp server", "l2tp tunnel", "ldap profiles", "mac filtering", "nat dmz", "online check", "pptp tunnel", "reserved", "login auth", "class inbound", "status outbound", "session limit", "switchportvlan", "syetem mode", "systemstate cpu", "url filter", "auto backup", "usb storage", "usermngr backup", "server", "port setting", "port pvid", "relation table", "vlan setting", "vpn user", "vpn wireguard", "website filter", "url set", "wizard wan", "advanced", "rngpptr", "array", "biginteger", "birc", "rsa encryption", "arcfour", "pkcs", "xhlhxl", "bits", "explorer", "canvas", "awidth", "aheight", "canvasgradient", "param", "arcscaley", "canvaspattern", "htmlelement", "without", "html5 shiv", "jdalton", "jonneal", "mitgpl2", "freebsdlicense", "examples", "arial", "alignoffset", "xalign", "point", "formatter", "flot plugin", "iola", "ole laursen", "mit license", "x axis", "otherps", "flot", "series", "axis", "angle", "coord", "axismargin", "width", "delta", "infinity", "zero", "shutdown", "trigger", "ftrue", "ystartangle", "lnull", "bnull", "oparsefloat", "m100", "pm100", "ffalse", "sfalse", "jsonobject", "json", "string", "typenumber", "syntaxerror", "typeof e", "regexp", "typeof n", "typeof t", "typeof r", "pseudo", "ariel flesler", "parseint", "scroll", "html", "toff", "borderbwidth", "targ", "round", "0xff", "transformbuffer", "i4offset", "i4joffset", "0xffffffff7", "0xffffffff1", "invalid type", "mapping", "typecheckbox", "valuearray", "vold", "numflag", "percolumnnum", "unselectable", "items", "store", "callback", "field", "xtype", "typefile", "getcontainer", "title", "params", "parentuuid", "keyproperty", "node", "nodes", "uuid", "form", "increase", "decrease", "encrypt", "charlength", "flagup", "flaglow", "trim", "property", "height", "dataname", "widthvalue", "heightvalue", "contentflag", "boxvalue", "abcd", "jkmn", "regchar", "efghi", "argentina", "australia", "classobj", "oneclass", "minvalue", "maxrange", "minrange", "range", "maxvalue", "invalid range", "caps lock", "sepmark", "separator", "azaz09", "len1", "week", "dataweek", "msgcontaienr", "datatimestart", "datatimeend", "timearray", "0 dismissdelay", "editingindex", "editortype", "invalid editor", "dataindex", "dindex", "jndex", "daindex", "totalpage", "currentpage", "minnum", "maxnum", "gap1", "keywordtype", "columns", "temp", "maxkeys", "inhtml", "alert", "case", "currentindex", "item", "nextindex", "previndex", "invalid step", "widget", "fieldlabel", "posx", "container", "inlineblock", "combinekey", "statustemp", "instance", "callbackfail", "callbackerror", "keyarray", "debug", "jlen", "ajax", "nodeid", "controller", "d1dd", "true", "iframe", "09afaf", "mind", "typeof symbol", "window", "math", "object", "typeerror", "reflect", "generator", "epsilon", "reset yui3", "typehidden", "ecf4d3", "opera", "cache manifest", "cache", "128c", "qrcode", "2g2g2q2q0g", "modenumber1", "modealphanum2", "mode8bitbyte4", "helvetica neue", "helvetica", "heiti sc", "hiragino sans", "microsoft yahei", "gradienttype0", "typesearch", "typebutton", "typereset", "typesubmit", "typeradio", "cbit", "cbid", "click", "checkbox", "xhrpollstatus", "xhrpollstatuson", "xmlhttprequest", "activexobject", "close" ], "references": [ "hwnat", "ipcalc.sh", "login.sh", "cli_accountmgnt_cmd.tree", "cli_base_cmd.tree", "cli_cmd.tree", "cli_clock_cmd.tree", "cli_access_cmd.tree", "cli_extra_cmd.tree", "cli_http_cmd.tree", "cli_ipsec_cmd.tree", "cli_nat_cmd.tree", "cli_show_iface_cmd.tree", "cli_ssh_cmd.tree", "cli_routing_cmd.tree", "cli_show_interface_status_cmd.tree", "cli_snmp_cmd.tree", "cli_interface_cmd.tree", "cli_time_range_cmd.tree", "daemons.conf", "daemons", "cli_vlan_cmd.tree", "dhcp6sctlkey", "device_info", "dhcp6s.conf", "diag.sh", "frr.conf", "filesystems", "firewall.user", "hosts", "group", "inittab", "ipsec.conf", "dnsmasq.conf", "ipsec.secrets", "mtab", "logrotate.conf", "nsswitch.conf", "openwrt_release", "openwrt_version", "passwd", "pptpd.conf", "opkg.conf", "profile", "preinit", "protocols", "rc.common", "shells", "services", "shadow", "strongswan.conf", "rc.local", "sysctl.conf", "sysupgrade.conf", "support_bundle_commands.conf", "vtysh.conf", "sys_monitor.conf", "wifidog.conf", "verify_pub.key", "wifidog-msg.html", "usb-mode.json", "02_network", "01_leds", "65_nginx_sync.sh", "00_start_sync.sh", "99_end_sync.sh", "chat-get-qualcomm_2", "chat-get", "chat-get-anydata_2", "chat-get-qualcomm_1", "3g.chat", "chat-gsm-test", "chat-gsm-test-anydata", "chat-get-anydata_1", "chat-gsm-test-qualcomm", "chat-modem-test", "chat-modem-configure", "disconn-script", "evdo.chat", "cloud_service.cfg", "cloud_config.cfg", "2048_newroot.cer", "access_ctl", "administration", "accountmgnt", "arp_scan_range", "auto_backup", "arp_defense", "avahi-daemon", "controller.lock", "cli_server", "controller.conf", "countrygroup", "cmxddns", "custom_dhcp", "customddns", "dhcp6s", "ddns", "dhcp", "dhcp6c", "dhcp_logrotate", "dos_defense", "dpi", "dynddns", "ecs", "ecsIfName", "filter_global", "freePolicy", "dropbear", "flood_defense", "freeStrategy", "gre", "imb", "ifstat-mini", "improxy", "ipsec", "ippool", "ipsec_failover", "dnsproxySecurity", "ipsec_secrets", "ipstat", "iptv", "ipgroup", "l2tp-global", "ipv6group", "l2tp-client", "l2tp-server", "ldap", "led_set", "line_backup", "l2tp-server.reference", "lldpd", "load_balance", "logger", "luci", "locale", "mac_filter", "nat", "firewall", "macgroup", "modem", "mwan3", "omada-tool.conf", "noipddns", "nwadditional", "omada-tool.lock", "network", "online", "openvpn_user", "openvpn", "phddns", "policy_route", "ospf", "pptp-client", "portal_mgmt", "pptp-client-global", "pptp-global", "protocol", "pptp-server-global", "qos_ctl", "radvd", "qos", "reference", "rip", "remote_mngt", "sdnInfo", "pptp-server", "session_limits", "service", "sfe", "sharecfg", "snmpd", "static_route", "splitaccess", "switch", "system_mode", "tddp", "time_mngt", "system_params", "uhttpd", "upnp", "url_filter", "usermngr", "usbshare", "user-secrets", "ucitrack", "vlan", "vnetwork", "vpnlog", "webfilter", "system", "webfilter_global", "websort", "web_security", "wireguard_interface", "wireguard_peers", "wportal", "zone", "user-secrets.reference", "dropbear_rsa_host_key", "serial", "index.txt", "openssl.cnf", "vars", "openssl-1.0.0.cnf", "connect-directip.gcom", "command.gcom", "baseinfo.gcom", "cellinfo.gcom", "connect-ncm.gcom", "getcarrier.gcom", "directip.gcom", "getcardinfo.gcom", "connect-ppp.gcom", "directip-stop.gcom", "getimsi.gcom", "getimsi_b.gcom", "getpinstatus.gcom", "getstrength.gcom", "huaweiinfo.gcom", "getcnum.gcom", "modem-gsm-test-anydata.gcom", "getregistestate.gcom", "lock-prov.gcom", "modem-gsm-test-qualcomm.gcom", "ncm.json", "run-at.gcom", "reset.gcom", "modem-configure.gcom", "sendsms-at.gcom", "setapn.gcom", "setmode.gcom", "zteinfo.gcom", "setpin.gcom", "sierrainfo.gcom", "runcommand.gcom", "smschk.gcom", "11-led", "10-firewall.sh", "22-access_ctl.sh", "25-pppox.sh", "22-imb.sh", "21-nat.sh", "40-qos.sh", "70-policy_route.sh", "26-openvpn.sh", "70-switch.sh", "89-remote_mngt.sh", "95-online.sh", "96-customddns.sh", "96-cmxddns.sh", "96-dynddns.sh", "96-noipddns.sh", "96-phddns.sh", "97-line_backup.sh", "97-route.sh", "98-ipsec.sh", "98-iptv.sh", "99-wan_hook.sh", "97-load_balance.sh", "97-upnp.sh", "12-netbios-passthrough", "10-pppox-if-up-down.sh", "30-policy_route.sh", "22-access_ctl", "29-static_route", "20-firewall", "02-split_access", "80-balance.sh", "40-qos", "00-vpn_hook.sh", "97-mwan3.sh", "99-vpn_hook.sh", "00-vnet_client.sh", "00-ecsIfChange", "1-vnet_lanhook.sh", "1-vnet_lanv6hook.sh", "05-vnet-lanv6", "20-upnp", "18-dnsproxyvnet.sh", "22-imb", "00-vnet.sh", "22-qos-tplink", "50-improxy", "40-remote_mngt", "60-dhcpsvnet.sh", "65-wifidog.sh", "92-pppox-vpn.sh", "99-mdns.sh", "90-portal_mgmt", "02-usb-auto-scan", "10-motion", "01-usb-led", "15-usb_mode", "30-3g", "20-firewall.sh", "10-pppox-response-nat.sh", "10-metric.sh", "50-l2tp-up-down.sh", "50-qos_ctl", "1-lanhook.sh", "1-lanv6hook.sh", "00-netstate", "01-zone", "03-vlan", "05-lanv6", "04-ipv6", "02-vnet.sh", "06-wan_log", "10-sysctl", "18-ipgroup", "15-online.sh", "18-ipv6group", "22-dos_defense", "25-ddns", "26-freeStrategy", "50-l2tp-lowerif-up-down.sh", "65-iptv", "70-pptp-ifdown.sh", "72-wan_ip_alias", "85-ntp", "92-dynamic_route", "90-vpn", "91-gre.sh", "99-hotplug_done", "99-vnet.sh", "99-z3g4g-connect", "60-dnsmasq", "10-rt2x00-eeprom", "30-v6plus", "60-pptp-reload-rules.sh", "10-l2tp-pptp.sh", "50-access_ctl.sh", "18-dnsproxy.sh", "40-imb.sh", "60-dnsmasq.sh", "46-nat.sh", "60-mac_filter.sh", "99-load_balance.sh", "97-qos.sh", "99-nginx.sh", "00-configlink.sh", "10-mount", "10-policy_route.sh", "70-backup", "15-mwan3", "40-load_balance", "backup", "bootcount", "boot", "default_balance", "done", "dnsproxy", "dnsmasq", "dynamic_route", "drop_caches", "cron", "fstab", "geoip", "gre_init", "enablemodem", "ipv6", "led", "l2tp", "led_early", "loggerd", "monitor", "netbios_passthrough", "ndppd", "nginx", "pppox", "pptpd", "queueventd", "qos-tplink", "rsa_check", "smp", "spi_device_id", "sys_monitor", "sysntpd", "tddpd", "sysctl", "tmngtd", "umount", "time_setting", "usbmodem", "usbmuxd", "vnet", "wifidog", "wireguard", "zbalance_loop_reset", "xl2tpd", "zero_boot_done", "zombie_monitor", "zzomada_server", "zzzzzsys_info", "zzzcloud_proc", "telnet", "zzddns", "rt_tables", "location.json", "0ace:20ff", "0ace:2011", "0af0:7a01", "0af0:7a05", "0af0:4007", "0af0:6711", "0af0:6731", "0af0:6751", "0af0:6771", "0af0:6791", "0af0:6811", "0af0:6911", "0af0:6951", "0af0:6971", "0af0:7011", "0af0:7031", "0af0:7051", "0af0:7071", "0af0:7111", "0af0:7211", "0af0:7251", "0af0:7271", "0af0:7301", "0af0:7311", "0af0:7361", "0af0:7381", "0af0:7401", "0af0:7501", "0af0:7601", "0af0:7701", "0af0:7706", "0af0:7801", "0af0:7901", "0af0:8006", "0af0:8200", "0af0:8201", "0af0:8300", "0af0:8302", "0af0:8304", "0af0:8400", "0af0:8600", "0af0:8700", "0af0:8800", "0af0:8900", "0af0:9000", "0af0:9200", "0af0:c031", "0af0:c100", "0af0:d001", "0af0:d013", "0af0:d031", "0af0:d033", "0af0:d035", "0af0:d055", "0af0:d057", "0af0:d058", "0af0:d155", "0af0:d157", "0af0:d255", "0af0:d257", "0af0:d357", "0b3c:c700", "0b3c:f000", "0b3c:f00c", "0b3c:f017", "0bdb:190d", "0bdb:1910", "0cf3:20ff", "0d46:45a1", "0d46:45a5", "0df7:0800", "0e8d:0002:uPr=MT", "0e8d:0002:uPr=Product", "0e8d:7109", "0fca:8020", "0fce:d0cf", "0fce:d0df", "0fce:d0e1", "0fce:d103", "0fd1:1000", "1a8d:1000", "1a8d:2000", "1ab7:5700", "1b7d:0700", "1bbb:00ca", "1bbb:000f", "1bbb:011f", "1bbb:022c", "1bbb:f000", "1bbb:f017", "1bbb:f052", "1c9e:9d00", "1c9e:9e00", "1c9e:9e08", "1c9e:98ff", "1c9e:1001", "1c9e:6000", "1c9e:6061:uPr=Storage", "1c9e:9101", "1c9e:9200", "1c9e:9401", "1c9e:9800", "1c9e:f000", "1c9e:f000:uMa=USB_Modem", "1d09:1000", "1d09:1021", "1d09:1025", "1da5:f000", "1dbc:0669", "1dd6:1000", "1de1:1101", "1e0e:f000", "1e89:f000", "1edf:6003", "1ee8:0003", "1ee8:004a", "1ee8:004f", "1ee8:0009", "1ee8:0013", "1ee8:0018", "1ee8:0040", "1ee8:0045", "1ee8:0054", "1ee8:0060", "1ee8:0063", "1ee8:0068", "1f28:0021", "1fac:0032", "1fac:0130", "1fac:0150", "1fac:0151", "03f0:002a", "04bb:bccd", "04cc:225c", "04cc:226e", "04cc:226f", "04cc:2251", "04e8:680c", "04e8:689a", "04e8:f000:sMo=U209", "04fc:2140", "05c6:0010", "05c6:1000:sVe=GT", "05c6:1000:sVe=Option", "05c6:1000:uMa=AnyDATA", "05c6:1000:uMa=CELOT", "05c6:1000:uMa=Co.,Ltd", "05c6:1000:uMa=DGT", "05c6:1000:uMa=Option", "05c6:1000:uMa=SAMSUNG", "05c6:1000:uMa=SSE", "05c6:1000:uMa=StrongRising", "05c6:1000:uMa=Vertex", "05c6:2000", "05c6:2001", "05c6:6503", "05c6:9024", "05c6:f000", "05c7:1000", "07d1:a800", "07d1:a804", "10a9:606f", "10a9:6080", "12d1:1c0b", "12d1:1c1b", "12d1:1c24", "12d1:1d50", "12d1:1da1", "12d1:1f01", "12d1:1f1b", "12d1:1f1c", "12d1:1f1d", "12d1:1f1e", "12d1:1f02", "12d1:1f03", "12d1:1f07", "12d1:1f09", "12d1:1f11", "12d1:1f15", "12d1:1f16", "12d1:1f17", "12d1:1f18", "12d1:1f19", "12d1:14ad", "12d1:14b5", "12d1:14b7", "12d1:14ba", "12d1:14c1", "12d1:14c3", "12d1:14c4", "12d1:14c5", "12d1:14d1", "12d1:14fe", "12d1:15ca", "12d1:15cd", "12d1:15cf", "12d1:15e7", "12d1:101e", "12d1:151a", "12d1:155a", "12d1:155b", "12d1:156a", "12d1:157c", "12d1:157d", "12d1:380b", "12d1:1001", "12d1:1003", "12d1:1009", "12d1:1010", "12d1:1030", "12d1:1031", "12d1:1413", "12d1:1414", "12d1:1446", "12d1:1449", "12d1:1505", "12d1:1520", "12d1:1521", "12d1:1523", "12d1:1526", "12d1:1553", "12d1:1557", "12d1:1582", "12d1:1583", "12d1:1805", "15eb:7153", "16d8:6803", "16d8:6281", "16d8:700b", "12d1:#android", "12d1:#linux", "16d8:6804", "16d8:700a", "16d8:f000", "19d2:0003", "19d2:0026", "19d2:0040", "19d2:0053", "19d2:0083:uPr=WCDMA", "19d2:0101", "19d2:0103", "19d2:0110", "19d2:0115", "19d2:0120", "19d2:0146", "19d2:0149", "19d2:0150", "19d2:0154", "19d2:0166", "19d2:0169", "19d2:0266", "19d2:0304", "19d2:0318", "19d2:0325", "19d2:0388", "19d2:0413", "19d2:1001", "19d2:1007", "19d2:1009", "19d2:1013", "19d2:1017", "19d2:1030", "19d2:1038", "19d2:1171", "19d2:1175", "19d2:1179", "19d2:1201", "19d2:1207", "19d2:1210", "19d2:1216", "19d2:1219", "19d2:1224", "19d2:1225", "19d2:1227", "19d2:1232", "19d2:1233", "19d2:1237", "19d2:1238", "19d2:1420", "19d2:1511", "19d2:1514", "19d2:1517", "19d2:1520", "19d2:1523", "19d2:1528", "19d2:1536", "19d2:1542", "19d2:1588", "19d2:2000", "19d2:2004", "19d2:bccd", "19d2:ffde", "19d2:ffe6", "19d2:fff5", "19d2:fff6", "19d2:#linux", "20a6:f00e", "20b9:1682", "21f5:1000", "21f5:3010", "22de:6801", "22de:6803", "22f4:0021", "23a2:1010", "057c:62ff", "057c:84ff", "072f:100d", "106c:3b03", "106c:3b05", "106c:3b06", "106c:3b11", "106c:3b14", "109b:f009", "148e:a000", "148f:2578", "198a:0003", "198f:bccd", "201e:1023", "201e:2009", "230d:000b", "230d:000d", "230d:0001", "230d:0003", "230d:0007", "230d:0101", "230d:0103", "257a:a000", "257a:b000", "257a:c000", "257a:d000", "0408:1000", "0408:ea17", "0408:ea25", "0408:ea43", "0408:f000", "0408:f001", "0421:060c", "0421:061d", "0421:062c", "0421:0610", "0421:0618", "0421:0622", "0421:0627", "0421:0632", "0421:0637", "0471:1210:uMa=Philips", "0471:1210:uMa=Wisue", "0471:1237", "0482:024d", "0685:2000", "0922:1001", "0922:1003", "0930:0d46", "1004:61aa", "1004:61dd", "1004:61e7", "1004:61eb", "1004:607f", "1004:613a", "1004:613f", "1004:614e", "1004:1000", "1004:6156", "1004:6190", "1004:6327", "1033:0035", "1076:7f40", "1199:0fff", "1266:1000", "1307:1169", "1410:5010", "1410:5020", "1410:5023", "1410:5030", "1410:5031", "1410:5041", "1410:5055", "1410:5059", "1410:7001", "1614:0800", "1614:0802", "1726:f00e", "1782:0003", "2001:00a6", "2001:98ff", "2001:a80b", "2001:a401", "2001:a403", "2001:a405", "2001:a706", "2001:a707", "2001:a708", "2001:a805", "2020:0002", "2020:f00e", "2020:f00f", "2077:1000", "2077:f000", "2262:0001", "2357:0200", "2357:f000", "8888:6500", "ed09:1021", "20-usb-core", "25-nls-cp437", "05-liblogger", "20-fs-exportfs", "25-nls-cp864", "25-nls-cp775", "25-nls-cp866", "15-mii", "25-nls-cp932", "25-nls-cp852", "25-nls-cp1250", "25-nls-cp850", "25-nls-cp1251", "25-nls-iso8859-1", "25-nls-iso8859-2", "25-nls-cp862", "25-nls-iso8859-6", "25-nls-iso8859-8", "25-nls-iso8859-13", "25-nls-iso8859-15", "25-nls-koi8r", "25-nls-utf8", "29-fs-fscache", "30-atm", "30-fs-autofs4", "30-fs-btrfs", "30-fs-cifs", "30-fs-configfs", "30-fs-cramfs", "30-fs-ext4", "30-fs-hfs", "30-fs-hfsplus", "30-fs-isofs", "30-fs-jfs", "30-fs-minix", "30-fs-nfs-common", "30-fs-ntfs", "30-fs-reiserfs", "30-fs-udf", "30-fs-vfat", "30-fs-xfs", "30-gpio-button-hotplug", "30-ipsec", "30-tun", "30-veth", "31-iptunnel", "31-iptunnel4", "31-iptunnel6", "32-ip6-tunnel", "32-ipsec4", "32-ipsec6", "32-l2tp", "32-sit", "39-gre", "40-bonding", "40-fs-msdos", "40-fs-nfs", "40-fs-nfsd", "40-pppoa", "40-scsi-core", "40-usb2", "42-ip6tables", "42-usb2-pci", "49-ipt-ipset-tplink", "50-usb-ohci", "50-usb-uhci", "54-usb3", "65-scsi-generic", "80-fuse", "89-portal", "90-urlset", "90-xt_CTSTATEMARK", "90-xt_dosdrop", "90-xt_doslogonly", "90-xt_ipsecmark", "90-xt_multinetdev", "90-xt_qoslimit", "90-xt_tplimit", "90-xt_vlan", "91-authlimit", "91-xt_authlimit", "98-ipt_url_dns_match", "98-ipt_urlset_match", "98-ipt_web_dns_match", "98-ipt_webfilter_match", "98-ipt_websec_match", "98-load_balance", "99-balance_route", "99-ipt_tpconnlimit", "99-ipt_TRIGGER", "99-ipt_urlset_target", "99-xt_l2tp", "crypto-hw-eip93", "fs-exfat", "ipt-account", "ipt-compat-xtables", "ipt-conntrack", "ipt-conntrack-extra", "ipt-core", "ipt-extra", "ipt-filter", "ipt-geoip", "ipt-ipopt", "ipt-iprange", "ipt-ipsec", "ipt-ipv4options", "ipt-nat", "ipt-nat-extra", "ipt-nathelper", "ipt-nathelper-extra", "ipt-nfqueue", "ipt-tproxy", "lib-crc-ccitt", "lib-textsearch", "mmc", "mppe", "nf-conntrack-netlink", "nfnetlink", "nfnetlink-queue", "ppp", "pppoe", "pppol2tp", "pptp", "sdhci-mt7621", "usb-acm", "usb-net", "usb-net-asix", "usb-net-cdc-ether", "usb-net-cdc-mbim", "usb-net-cdc-ncm", "usb-net-huawei-cdc-ncm", "usb-net-ipheth", "usb-net-qmi-wwan", "usb-net-rndis", "usb-printer", "usb-serial", "usb-serial-option", "usb-serial-wwan", "usb-storage", "usb-storage-extras", "usb-wdm", "cleanTMP.sh", "fastcgi_params", "koi-win", "nginx.conf", "mime.types", "win-utf", "koi-utf", "ldap.conf", "crt.sed", "client.crt", "client.key", "dictionary.asnet", "servers", "dictionary.microsoft", "dictionary", "options.default", "options.l2tp", "filter", "chap-secrets", "options.pptp", "options.pptpd", "options.xl2tpd", "radius.conf", "dictionary.merit", "dictionary.sip", "issue", "dictionary.compat", "port-id-map", "radiusclient.conf", "dictionary.ascend", "failsafe", "power", "reset", "rfkill", "K10improxy", "K10openvpn", "K10portal_mgmt", "K25zone", "K50dropbear", "K71hwnat", "K90ipv6", "K91network", "K91geoip", "K99umount", "K98boot", "S00zombie_monitor", "K26pppox", "S01spi_device_id", "S01led_early", "S10boot", "S15loggerd", "S19vnet", "S10system", "S20network", "S21tddpd", "S20geoip", "S25sysctl", "S26time_setting", "S25zone", "S22rsa_check", "S42ipgroup", "S31tmngtd", "S40fstab", "S42ipv6group", "S45firewall", "S42macgroup", "S46iptv", "S42service", "S46nat", "S46netbios_passthrough", "S47access_ctl", "S47administration", "S47dos_defense", "S42ippool", "S47flood_defense", "S47imb", "S47mac_filter", "S50cron", "S50dropbear", "S50pppox", "S50qos-tplink", "S50queueventd", "S50radvd", "S50snmpd", "S50uhttpd", "S60dnsmasq", "S60monitor", "S60pptpd", "S60url_filter", "S60xl2tpd", "S65wifidog", "S68online", "S70freeStrategy", "S70usbshare", "S71hwnat", "S72sfe", "S80usbmuxd", "S80websort", "S83web_security", "S85webfilter", "S89remote_mngt", "S90ndppd", "S90openvpn", "S90portal_mgmt", "S91wireguard", "S92qos_ctl", "S95done", "S95ifstat-mini", "S95ipstat", "S95l2tp", "S95mwan3", "S96backup", "S96cmxddns", "S96default_balance", "S96load_balance", "S96policy_route", "S96static_route", "S96sysntpd", "S96upnp", "S97gre_init", "S97ipsec", "S97session_limits", "S98ipsec_failover", "S98led", "S99avahi-daemon", "S99bootcount", "S99dnsproxy", "S99dpi", "S99drop_caches", "S99dynamic_route", "S99enablemodem", "S99improxy", "S99ipv6", "S99led_set", "S99lldpd", "S99phddns", "S99smp", "S99switch", "S99sys_monitor", "S99system_params", "S99usbmodem", "S99zbalance_loop_reset", "S99zero_boot_done", "S99zzddns", "S99zzomada_server", "S99zzzcloud_proc", "S99zzzzzsys_info", "0a775a30.0", "0b1b94ef.0", "0bf05006.0", "0f5dc4f3.0", "0f6fa695.0", "1d3472b9.0", "1e08bfd1.0", "1e09d511.0", "2ae6433e.0", "2b349938.0", "002c0b4f.0", "3bde41ac.0", "3e44d2f7.0", "3e45d192.0", "3fb36b73.0", "4a6481c9.0", "4b718d9b.0", "4bfab552.0", "4f316efb.0", "5ad8a5d6.0", "5cd81ad7.0", "5d3033c5.0", "5e98733a.0", "5f15c80c.0", "5f618aec.0", "6b99d060.0", "6d41d539.0", "06dc52d5.0", "6fa5da56.0", "7aaf71c0.0", "7f3d5d1d.0", "8cb5ee0f.0", "8d86cdd1.0", "8d89cda1.0", "9b5697b0.0", "9c8dfbd4.0", "9d04f354.0", "14bc7599.0", "48bec511.0", "57bcb2da.0", "062cdee6.0", "064e0aa9.0", "68dd7389.0", "75d1b2ed.0", "76cb8f92.0", "76faf6c0.0", "93bc0acc.0", "106f3e4d.0", "244b5494.0", "349f2832.0", "406c9bb1.0", "626dceaf.0", "653b494a.0", "706f604c.0", "749e9e03.0", "773e07ad.0", "930ac5d2.0", "988a38cb.0", "1001acf7.0", "2923b3f9.0", "03179a64.0", "4042bcee.0", "4304c5e5.0", "5273a94c.0", "5443e9e3.0", "7719f463.0", "8160b96c.0", "9482e63a.0", "18856ac4.0", "32888f65.0", "40547a79.0", "607986c7.0", "1636090b.0", "02265526.0", "3513523f.0", "09789157.0", "40193066.0", "54657681.0", "a94d09e5.0", "a3418fda.0", "ACCVRAIZ1.crt", "AC_RAIZ_FNMT-RCM.crt", "AC_RAIZ_FNMT-RCM_SERVIDORES_SEGUROS.crt", "Actalis_Authentication_Root_CA.crt", "aee5f10d.0", "AffirmTrust_Commercial.crt", "AffirmTrust_Networking.crt", "AffirmTrust_Premium.crt", "AffirmTrust_Premium_ECC.crt", "Amazon_Root_CA_1.crt", "Amazon_Root_CA_2.crt", "Amazon_Root_CA_3.crt", "Amazon_Root_CA_4.crt", "ANF_Secure_Server_Root_CA.crt", "Atos_TrustedRoot_2011.crt", "Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.crt", "b0e59380.0", "b7a5b843.0", "b81b93f0.0", "b1159c4c.0", "b66938e9.0", "b433981b.0", "b727005e.0", "Baltimore_CyberTrust_Root.crt", "bf53fb88.0", "Buypass_Class_2_Root_CA.crt", "Buypass_Class_3_Root_CA.crt", "c01eb047.0", "c28a8a30.0", "ca6e4ad9.0", "ca-certificates.crt", "CA_Disig_Root_R2.crt", "cbf06781.0", "cc450945.0", "cd8c0d63.0", "cd58d51e.0", "ce5e74ef.0", "Certigna.crt", "Certigna_Root_CA.crt", "certSIGN_ROOT_CA.crt", "certSIGN_Root_CA_G2.crt", "Certum_EC-384_CA.crt", "Certum_Trusted_Network_CA.crt", "Certum_Trusted_Network_CA_2.crt", "Certum_Trusted_Root_CA.crt", "CFCA_EV_ROOT.crt", "Comodo_AAA_Services_root.crt", "COMODO_Certification_Authority.crt", "COMODO_ECC_Certification_Authority.crt", "COMODO_RSA_Certification_Authority.crt", "Cybertrust_Global_Root.crt", "d4dae3dd.0", "d7e8dc79.0", "d887a5bb.0", "d6325660.0", "dc4d6a89.0", "dd8e9d41.0", "de6d66f3.0", "DigiCert_Assured_ID_Root_CA.crt", "DigiCert_Assured_ID_Root_G2.crt", "DigiCert_Assured_ID_Root_G3.crt", "DigiCert_Global_Root_CA.crt", "DigiCert_Global_Root_G2.crt", "DigiCert_Global_Root_G3.crt", "DigiCert_High_Assurance_EV_Root_CA.crt", "DigiCert_Trusted_Root_G4.crt", "D-TRUST_Root_Class_3_CA_2_2009.crt", "D-TRUST_Root_Class_3_CA_2_EV_2009.crt", "e8de2f56.0", "e18bfb83.0", "e36a6752.0", "e73d606e.0", "e113c810.0", "e868b802.0", "e35234b1.0", "EC-ACC.crt", "ee64a828.0", "eed8c118.0", "ef954a4e.0", "emSign_ECC_Root_CA_-_C3.crt", "emSign_ECC_Root_CA_-_G3.crt", "emSign_Root_CA_-_C1.crt", "emSign_Root_CA_-_G1.crt", "Entrust.net_Premium_2048_Secure_Server_CA.crt", "Entrust_Root_Certification_Authority.crt", "Entrust_Root_Certification_Authority_-_EC1.crt", "Entrust_Root_Certification_Authority_-_G2.crt", "Entrust_Root_Certification_Authority_-_G4.crt", "ePKI_Root_Certification_Authority.crt", "e-Szigno_Root_CA_2017.crt", "E-Tugra_Certification_Authority.crt", "f0c70a8d.0", "f30dd6ad.0", "f39fc864.0", "f51bb24c.0", "f249de83.0", "f3377b1b.0", "f081611a.0", "f387163d.0", "fa5da96b.0", "fc5a8f99.0", "fe8a2cd8.0", "feffd413.0", "ff34af3f.0", "GDCA_TrustAUTH_R5_ROOT.crt", "GlobalSign_ECC_Root_CA_-_R4.crt", "GlobalSign_ECC_Root_CA_-_R5.crt", "GlobalSign_Root_CA.crt", "GlobalSign_Root_CA_-_R2.crt", "GlobalSign_Root_CA_-_R3.crt", "GlobalSign_Root_CA_-_R6.crt", "GlobalSign_Root_E46.crt", "GlobalSign_Root_R46.crt", "GLOBALTRUST_2020.crt", "Go_Daddy_Class_2_CA.crt", "Go_Daddy_Root_Certificate_Authority_-_G2.crt", "GTS_Root_R1.crt", "GTS_Root_R2.crt", "GTS_Root_R3.crt", "GTS_Root_R4.crt", "Hellenic_Academic_and_Research_Institutions_ECC_RootCA_2015.crt", "Hellenic_Academic_and_Research_Institutions_RootCA_2011.crt", "Hellenic_Academic_and_Research_Institutions_RootCA_2015.crt", "Hongkong_Post_Root_CA_1.crt", "Hongkong_Post_Root_CA_3.crt", "IdenTrust_Commercial_Root_CA_1.crt", "IdenTrust_Public_Sector_Root_CA_1.crt", "ISRG_Root_X1.crt", "Izenpe.com.crt", "Microsec_e-Szigno_Root_CA_2009.crt", "Microsoft_ECC_Root_Certificate_Authority_2017.crt", "Microsoft_RSA_Root_Certificate_Authority_2017.crt", "NAVER_Global_Root_Certification_Authority.crt", "NetLock_Arany_=Class_Gold=_F?tan\u00fas\u00edtv\u00e1ny.crt", "Network_Solutions_Certificate_Authority.crt", "OISTE_WISeKey_Global_Root_GB_CA.crt", "OISTE_WISeKey_Global_Root_GC_CA.crt", "QuoVadis_Root_CA_1_G3.crt", "QuoVadis_Root_CA_2.crt", "QuoVadis_Root_CA_2_G3.crt", "QuoVadis_Root_CA_3.crt", "QuoVadis_Root_CA_3_G3.crt", "Secure_Global_CA.crt", "SecureSign_RootCA11.crt", "SecureTrust_CA.crt", "Security_Communication_Root_CA.crt", "Security_Communication_RootCA2.crt", "SSL.com_EV_Root_Certification_Authority_ECC.crt", "SSL.com_EV_Root_Certification_Authority_RSA_R2.crt", "SSL.com_Root_Certification_Authority_ECC.crt", "SSL.com_Root_Certification_Authority_RSA.crt", "Staat_der_Nederlanden_EV_Root_CA.crt", "Starfield_Class_2_CA.crt", "Starfield_Root_Certificate_Authority_-_G2.crt", "Starfield_Services_Root_Certificate_Authority_-_G2.crt", "SwissSign_Gold_CA_-_G2.crt", "SwissSign_Silver_CA_-_G2.crt", "SZAFIR_ROOT_CA2.crt", "TeliaSonera_Root_CA_v1.crt", "TrustCor_ECA-1.crt", "TrustCor_RootCert_CA-1.crt", "TrustCor_RootCert_CA-2.crt", "Trustwave_Global_Certification_Authority.crt", "Trustwave_Global_ECC_P256_Certification_Authority.crt", "Trustwave_Global_ECC_P384_Certification_Authority.crt", "T-TeleSec_GlobalRoot_Class_2.crt", "T-TeleSec_GlobalRoot_Class_3.crt", "TUBITAK_Kamu_SM_SSL_Kok_Sertifikasi_-_Surum_1.crt", "TWCA_Global_Root_CA.crt", "TWCA_Root_Certification_Authority.crt", "UCA_Extended_Validation_Root.crt", "UCA_Global_G2_Root.crt", "USERTrust_ECC_Certification_Authority.crt", "USERTrust_RSA_Certification_Authority.crt", "XRamp_Global_CA_Root.crt", "cert.pem", "dnskey.conf", "connmark.conf", "des.conf", "aes.conf", "kernel-netlink.conf", "constraints.conf", "md5.conf", "attr.conf", "nonce.conf", "gmp.conf", "openssl.conf", "fips-prf.conf", "pem.conf", "hmac.conf", "pgp.conf", "pkcs1.conf", "pkcs7.conf", "pkcs12.conf", "pubkey.conf", "random.conf", "rc2.conf", "resolve.conf", "revocation.conf", "sha1.conf", "sha2.conf", "socket-default.conf", "sshkey.conf", "stroke.conf", "updown.conf", "x509.conf", "xauth-generic.conf", "xcbc.conf", "pki.conf", "scepclient.conf", "starter.conf", "charon-logging.conf", "charon.conf", "priv-key.pem", "server-cert.pem", "access_control", "00_uhttpd_ubus", "10-fstab", "10_migrate-shadow", "11_migrate-sysctl", "09_fix-seama-header", "12_network-generate-ula", "root.key", "unbound.conf.back", "named.cache", "12d1_0004", "12d1_0003", "12d1_0005", "12d1_0001", "19d2_0001", "19d2_0002", "19d2_0003", "19d2_0004", "ffff_0001", "12d1_0002", "ffff_0002", "ffff_0003", "xl2tpd.conf", "xl2tp-secrets", "acl_timeobj.lua", "acl_timeobj_v6.lua", "acl_wanhook.lua", "access_func_v6.sh", "attach_timeobj.lua", "core.sh", "access_func.sh", "interface.sh", "acl_delete_rule.lua", "core_log.sh", "markdef.sh", "time.sh", "core_acl.sh", "config.sh", "core_global.sh", "arp.sh", "gettime.sh", "cmd.sh", "backup.sh", "ecmp.sh", "api.sh", "ecmp.lua", "dynanmic_arpreq.sh", "getVid.sh", "access_time_help.lua", "access_dir_help.lua", "accountmgnt.lua", "access_ip_help.lua", "access.lua", "clock.lua", "http.lua", "interface.lua", "dhcp.lua", "ipsec.lua", "monitor_port.lua", "nat.lua", "show_if_help.lua", "routing.lua", "cli_ospf.lua", "show_interface.lua", "rip.lua", "show_interface_status.lua", "snmp.lua", "ssh.lua", "time_range.lua", "vlan.lua", "lan.js", "uci.sh", "arping.sh", "get_option.lua", "dhcps.sh", "main.sh", "dnssecquery.sh", "core_forwarding.sh", "core_init.sh", "core_interface.sh", "core_redirect.sh", "core_rule.sh", "core_tpfirewall.sh", "uci_firewall.sh", "fw.sh", "tpcmd.sh", "freeStrategy_backup.sh", "add_delete_tuple.sh", "add_delete.sh", "getip.sh", "preinit.sh", "leds.sh", "network.sh", "service.sh", "switch_port.sh", "procd.sh", "userconfig.sh", "uci-defaults.sh", "system.sh", "functions.sh", "gre_common.sh", "gre-ipsec-up-down.sh", "delete_restart.sh", "core_ipgroup.sh", "ipsec_check_domain_wrap.sh", "ipsec_failover_process.sh", "ipsec_handle_iptables.sh", "ipsec_check_domain.sh", "ipsec_generate_domain.sh", "ipsec_execute_stroke.sh", "ipsec_monitor_tunnel.sh", "ipsec_vnet.sh", "pd_api.sh", "lanv6_server.sh", "pd_server.sh", "core_ipv6group.sh", "get-vpn-gw.sh", "ifup-l2tp.sh", "ifdown-l2tp.sh", "l2tp-get-tunnel-info.sh", "get-vpn-ip.sh", "l2tp-init.sh", "l2tp-ipsec-delete.lua", "l2tp-ipsec-setstatus.lua", "l2tp-doipsec.sh", "l2tp-ipsec-up-down.sh", "l2tp-functions.sh", "l2tp-reload.sh", "char_conv.sh", "api_VPN.sh", "ldap_check_result.sh", "ldap_query.sh", "pre_setting_config.sh", "net_share.sh", "ramips.sh", "lldp_get_wan_device.sh", "50-xt_flood", "50-arp_garp", "get_rps.sh", "get_temperature.sh", "set_fan.sh", "nat_alg.sh", "nat_config.sh", "nat_dmz.sh", "nat_common.sh", "nat_pt.sh", "nat_dmz_bypass.sh", "nat_vs.sh", "nat_core.sh", "nat_log.sh", "nat_one.sh", "nat_napt.sh", "6rd.sh", "dhcp.sh", "directip.sh", "3g.sh", "ncm.sh", "dhcp6c.sh", "6to4.sh", "ppp.sh", "l2tp.sh", "pppv6.sh", "dslite.sh", "qmi.sh", "v6plus.sh", "lanv6.sh", "passthrough.sh", "dhcp.script", "netifd-wireless.sh", "netifd-proto.sh", "if-do-timeobj.sh", "ppp-down", "ppp-up", "pppv6-share", "dslite-up.sh", "pppv6-up", "dhcp6c.script", "utils.sh", "v6plus-dial.sh", "ppp-dhcp6c.script", "switch.sh", "network_arch.sh", "online_api.sh", "online_reload.lua", "openvpn-client-disconnect.sh", "openvpn-client-routeup.sh", "openvpn-client-connect.sh", "openvpn-client-down.sh", "openvpn-server-up.sh", "openvpn-client-up.sh", "openvpn-common.sh", "openvpn-instance.sh", "openvpn-password.lua", "openvpn-server-down.sh", "pppox-default-variables.sh", "pppox-header.sh", "kill-pptpd-xl2tpd.sh", "pppox-reload-user.lua", "pppox-functions.sh", "pppox-reload-user.sh", "pppox-begin-reload-user.sh", "pppox-remote-management.sh", "pppox-load-user.lua", "pppox-pppoetimer.sh", "pppox-remote-management-get-ippool.lua", "pppox-wheader.sh", "pppox-killtunnel.sh", "ifup_down.sh", "add-service.sh", "enable_service.sh", "pptp-get-tuunel-info.sh", "delete-service.sh", "pptp-global-setting.sh", "pptp-client-add.sh", "pptp-ifdevice-info.sh", "pptp-client-update.sh", "pptp-option.sh", "pptp-startup.sh", "pptp-tunnel-action.sh", "test.sh", "pptp-client-delete.sh", "05_set_iface_mac_mediatek", "02_default_set_state", "07_set_preinit_iface_ramips", "40_run_failsafe_hook", "04_handle_checksumming", "50_indicate_regular_preinit", "10_indicate_failsafe", "70_initramfs_test", "03_preinit_do_ramips.sh", "80_mount_root", "98_10_mtk_failsafe_init", "30_failsafe_wait", "99_10_failsafe_login", "99_10_run_init", "10_indicate_preinit", "qos_config_sync.lua", "qos_nf.sh", "qos_api.sh", "qos_cid.sh", "qos_dpdk.sh", "qos_grpmark.sh", "find_index.lua", "qos_ifgroup.sh", "qos_core.sh", "qos_ipset.sh", "qos_mark.sh", "qos_polling.sh", "qos_public.sh", "qos_state.sh", "qos_tc.sh", "state_gen.lua", "zone-450", "qos_delete_rule.lua", "remote_mngt.sh", "route_api.sh", "core_service.sh", "session_limits.sh", "ar8327_switch_led", "ar8327_switch_portMirror", "ar8327_switch_init", "ar8327_switch_portStatistic", "ar8327_register", "ar8327_switch_portVlan", "ar8327_switch_portPara", "ar9533_register", "ar8327_switch_portState", "ar9533_switch_init", "ar8327_switch_portRateControl", "ar9533_switch_portMirror", "ar9533_switch_portPara", "ar9533_switch_portRateControl", "ar8327_switch_8021Qvlan", "ar9533_switch_portState", "ar9533_switch_portStatistic", "ar9533_switch_portVlan", "cn9130_register", "cn9130_switch_globalLed", "cn9130_switch_init", "cn9130_switch_portMirror", "cn9130_switch_portPara", "cn9130_switch_portRateControl", "cn9130_switch_portState", "cn9130_switch_portStatistic", "cn9130_switch_portVlan", "mt7621_register", "mt7621_switch_globalLed", "mt7621_switch_led", "mt7621_switch_portMirror", "mt7621_switch_portPara", "mt7621_switch_portRateControl", "mt7621_switch_portState", "mt7621_switch_portStatistic", "mt7621_switch_portVlan", "mt7628_register", "mt7628_switch_init", "mt7628_switch_led", "mt7628_switch_portMirror", "mt7628_switch_portPara", "mt7628_switch_portRateControl", "mt7628_switch_portState", "mt7628_switch_portStatistic", "mt7628_switch_portVlan", "rtl8367s_register", "rtl8367s_switch_globalLed", "rtl8367s_switch_init", "rtl8367s_switch_portMirror", "rtl8367s_switch_portPara", "rtl8367s_switch_portRateControl", "rtl8367s_switch_portState", "rtl8367s_switch_portStatistic", "rtl8367s_switch_portVlan", "switch_functions", "vlan_network", "sysparams_net.sh", "timeobj_cron_api.sh", "timeobj_api.sh", "boot_done", "led.sh", "set_time", "base-files-essential", "libopenldap", "base-files", "online_check", "mwan3-tplink", "openvpn-easy-rsa", "openvpn-mgmt", "portal-mgmt", "ppp-mod-radius", "snmpd-static", "https-dns-proxy", "luci-add-conffiles.sh", "platform.sh", "ubnt.sh", "nand.sh", "common.sh", "upnp_api.sh", "find_target.lua", "url_func.sh", "detach_timeobj.lua", "csv2db.sh", "vnet_zone_api.sh", "vnet_init.sh", "vnet.sh", "vnet_core.sh", "vnet_zone_init.sh", "webfilter_func.sh", "web_func.sh", "websec_timeobj.lua", "start_rule.sh", "wireguard-up.sh", "wireguard-down.sh", "auth_port_modify.sh", "core_wportal.sh", "zone_api.sh", "zone_core.sh", "zone_api_all.sh", "zone_conf.sh", "zone_init.sh", "zone_api_core.sh", "zone_init_all.sh", "note", "devstatus", "firstboot", "fixup-mac-address", "fw", "hotplug-call", "ifdown", "ifstart", "ifrestart", "ifstatus", "loadopenvpncert", "log_oops_recovery.sh", "luci-reload", "ifup", "reload_config", "restorefactory", "smp.sh", "snapshot", "sysupgrade", "wifi", "ubi_make_extra_volume.sh", "ipset.debug", "ipxd", "iptables.debug", "ipxr", "wifidog-init", "radiusclient-ng.h", "dpi.sh", "libradiusclient-ng.la", "libstdc++.so.6.0.21-gdb.py", "dynamic_dns_dyndns.sh", "dynamic_dns_log.sh", "customddns_set_url.sh", "url_escape.sed", "dynamic_dns_customddns.sh", "dynamic_dns_noip.sh", "dynamic_dns_updater.sh", "dynamic_dns_functions.sh", "dpi_log_database.lua", "dpi_log_database.sh", "dpi_tmngtd.sh", "_updown", "ngx_init.lua", "authlistCheck.lua", "ngx_wdas.lua", "ngx_sqlApi.lua", "cell_valueheader.htm", "cell_valuefooter.htm", "dvalue.htm", "compound.htm", "dynlist.htm", "browser.htm", "apply_xhr.htm", "firewall_zoneforwards.htm", "button.htm", "firewall_zonelist.htm", "delegator.htm", "footer.htm", "full_valuefooter.htm", "full_valueheader.htm", "fvalue.htm", "header.htm", "lvalue.htm", "map.htm", "mvalue.htm", "network_ifacelist.htm", "network_netinfo.htm", "network_netlist.htm", "nsection.htm", "nullsection.htm", "simpleform.htm", "tabcontainer.htm", "tabmenu.htm", "tblsection.htm", "tsection.htm", "tvalue.htm", "ucisection.htm", "upload.htm", "value.htm", "valuefooter.htm", "valueheader.htm", "error404.htm", "error500.htm", "indexer.htm", "sysauth.htm", "debug.lua", "mbimfind.lua", "log_awk", "modem_scan.sh", "check_switchmode.lua", "protofind.lua", "handle_card_process.sh", "search_tty.lua", "handle_card.sh", "unlock_pin.sh", "getisp.sh", "usbmodem_log.sh", "modemLedCtrl.sh", "portal_mgmt_monitor.lua", "portal_mgmt_monitor.sh", "rewrite.lua", "portal_status.sh", "hardware.txt", "jshn.sh", "default.script", "dbus-K5ae4EDHao", "osui.sock", "qipc_sharedmemory_xFMOjWbQizvIQbjaGodBkPpoECFzUYyznnjEncea48051f6b8a69e2450843f1f32c0bb393e04349", "qipc_systemsem_xFMOjWbQizvIQbjaGodBkPpoECFzUYyznnjEncea48051f6b8a69e2450843f1f32c0bb393e04349", "sddm-:0-BoTuTx", "sddm-auth-52b94a64-454a-4d7f-903e-32df6aac784a", "tmp.QMAjonKZB0", "xF43MOjWbQiz+vIQbjaGodBk4PpoECFzUYyznnj8Enc=", "about.svg", "about_hover.svg", "ie.css", "style.css", "widget.css", "access_control.html", "account_config.html", "account_mngt.html", "action_check.html", "alg.html", "appdist.html", "appdist_database.html", "appflow_statistics.html", "application_filter.html", "application_list.html", "arp_list.html", "arp_scan.html", "assign_restriction.html", "attack-defense.html", "balance_basic.html", "bridge.html", "bwlist_qq.html", "cmxddns.html", "controller_setting.html", "country_group.html", "custom_ddns.html", "ddm.html", "dhcp_client.html", "dhcp_lan_settings.html", "dhcp_lan_settings_standalone.html", "dhcp_server.html", "dhcp_static.html", "diagnostic.html", "dia_info.html", "dns_cache.html", "dns_doh.html", "dns_dot.html", "dnsproxy.html", "dnssec.html", "dyn3322ddns.html", "dynddns.html", "firmware_backuprestore.html", "firmware_factory.html", "firmware_managing.html", "firmware_reboot.html", "firmware_reseting.html", "firmware_upgrade.html", "gre_overipsec.html", "ifstat.html", "imb.html", "interface.html", "interface_mac.html", "interface_mode.html", "interface_wan.html", "interface_wan_standalone.html", "ipgroup_address.html", "ipgroup_group.html", "ipgroup_view.html", "ippool.html", "ips_blacklists.html", "ipsec_sa.html", "ipsec_tunnel.html", "ips_setting.html", "ips_signature_suppression.html", "ips_stats.html", "ip_stats.html", "ips_threat_management.html", "ips_whitelists.html", "iptv.html", "ipv6.html", "ipv6group_address.html", "ipv6group_group.html", "ipv6_lan.html", "isp_routing.html", "l2tp_client.html", "l2tp_global.html", "l2tp_server.html", "l2tp_tunnel.html", "ldap_profiles.html", "line_backup.html", "macFiltering.html", "mdns.html", "napt.html", "nat_dmz.html", "noipddns.html", "one_nat.html", "online.html", "openvpn_client.html", "openvpn_server.html", "openvpn_tunnel.html", "ospf.html", "phddns.html", "policy_routing.html", "port_trigger.html", "pptp_client.html", "pptp_global.html", "pptp_server.html", "pptp_tunnel.html", "preview_mobile_wifi.html", "preview_remind.html", "preview_wportal.html", "print_server.html", "qos.html", "qos_Band_ctrl.html", "qos_Class_role.html", "qos_Traffic.html", "qos_VoIP.html", "quick_setup.html", "reboot_schedule.html", "remote_mngt.html", "rip_routing.html", "rules.html", "service.html", "session_limits.html", "session_monitor.html", "sessmngr.html", "snmp.html", "ssl_vpn_auth.html", "ssl_vpn_auth_radius.html", "ssl_vpn_locked_user.html", "ssl_vpn_quicksetup.html", "ssl_vpn_server.html", "ssl_vpn_status.html", "ssl_vpn_tunnel.html", "ssl_vpn_tunnel_group.html", "ssl_vpn_user.html", "ssl_vpn_user_group.html", "static_routing.html", "switch_Parameter.html", "switch_portLimit.html", "switch_portMonitor.html", "switch_portStatistics.html", "switch_portStatus.html", "switch_portVlan.html", "sys_status.html", "system_log.html", "system_mode.html", "system_params.html", "system_routetbl.html", "system_state.html", "time_mngt.html", "time_setting.html", "upnp.html", "url_filtering.html", "usb_backup.html", "usb_firmware_upgrade.html", "usbModem.html", "usb_storage.html", "usermngr_backup.html", "usermngr_user.html", "virtual_server.html", "vlan_portSetting.html", "vlan_relationTbl.html", "vlan_vlanSetting.html", "vpn_general.html", "vpn_peers.html", "vpn_user.html", "vpn_wireguard.html", "web_filter.html", "web_group.html", "web_security.html", "wechat.html", "wechat_wifi.html", "wizard.html", "wportal.html", "wportal_free.html", "advanced.html", "basic.html", "encrypt.js", "excanvas.js", "html5.js", "jquery.flot.barnumbers.js", "jquery.flot.crosshair.js", "jquery.flot.fillbetween.js", "jquery.flot.js", "jquery.flot.pie.min.js", "jquery.json-2.4.min.js", "jquery.min.js", "jquery.scrollTo.min.js", "md5.js", "button.js", "buttongroup.js", "checkbox.js", "combobox.js", "fieldset.js", "file.js", "folderTree.js", "form.js", "number.js", "password.js", "portrange.js", "progressbar.js", "radio.js", "region.js", "slider.js", "status.js", "subnet.js", "switch.js", "textarea.js", "textbox.js", "time.js", "timepicker.js", "tip.js", "waitingbar.js", "editor.js", "grid.js", "paging.js", "chart.js", "foldertree.js", "keyword.js", "msg.js", "page.js", "panel.js", "wizard.js", "widget.js", "proxy.js", "store.js", "treestore.js", "controller.js", "su.full.min.js", "su.js", "account.2ca6a054.js", "chunk-vendors.0cdf10f0.js", "index.a415cbb4.js", "login.4f52b876.js", "chunk-common.72de4705.css", "account.html", "app.manifest", "cs_dis.html", "error.html", "index.html", "login.html", "mobile_wifi.html", "pcauth.js", "pc_wifi.html", "style-pcdemo.css", "style-simple-follow.css", "web_login.html", "cbi.js", "xhr.js" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1520", "name": "Domain Generation Algorithms", "display_name": "T1520 - Domain Generation Algorithms" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 38, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Merkd1904", "id": "196517", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 11, "hostname": 491, "FileHash-SHA256": 3479, "FileHash-MD5": 67, "domain": 312, "FileHash-SHA1": 61, "email": 20, "URL": 373 }, "indicator_count": 4814, "is_author": false, "is_subscribing": null, "subscriber_count": 72, "modified_text": "757 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66303f1c9212e2d44c9bf691", "name": "gmail for cloudflare", "description": "The following is the full text of the new code for the English language, which includes the word \"che2sf\" and \"ch 2sf\", as well as its full set of characters.", "modified": "2024-04-30T00:45:16.241000", "created": "2024-04-30T00:45:16.241000", "tags": [ "globalprefix", "null", "google inc", "error", "function", "void", "span", "ufe0f", "string", "ud83c", "u2695u2696u2708", "ud83d", "date", "slow", "code", "window", "acfyuc" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "phoenix-choi1", "id": "278628", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 136, "domain": 18 }, "indicator_count": 154, "is_author": false, "is_subscribing": null, "subscriber_count": 26, "modified_text": "761 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "", "ASAuthorizationPlatformPublicKeyCredentialRegistration.h", "11_migrate-sysctl", "nat_log.sh", "led", "ip_stats.html", "ASAuthorizationPublicKeyCredentialLargeBlobRegistrationInput.h", "jshn.sh", "SSL.com_Root_Certification_Authority_RSA.crt", "ASEProcessing.tbd", "12d1:1c0b", "19d2:0101", "rfkill", "dhcp6sctlkey", "logger", "fe8a2cd8.0", "Go_Daddy_Class_2_CA.crt", "ASAuthorizationProviderExtensionAuthorizationResult.h", "nwadditional", "12d1:1f1e", "749e9e03.0", "90-xt_ipsecmark", "dns_dot.html", "ce5e74ef.0", "html5.js", "1001acf7.0", "textbox.js", "https://www.colorfulbox.jp/", "12d1:1f1c", "pio.h", "2020:f00e", "7box.vip", "19d2:1219", "directip.sh", "04bb:bccd", "tcp_timer.h", "S47administration", "SSL.com_EV_Root_Certification_Authority_RSA_R2.crt", "dynamic_dns_functions.sh", "GCExtendedGamepadSnapshot.h", "IOBluetoothUI.h", "command.gcom", "ANF_Secure_Server_Root_CA.crt", "https://connect.facebook.net/en_US/sdk.js#xfbml=1&version=v4.0&appId=705930270206797&autoLogAppEvents=1 Akamai rank:", "Copy of clientlib(26).css", "Copy of clientlib.js(30).download", "19d2:1225", "DigiCert_Trusted_Root_G4.crt", "chart.js", "wireguard-up.sh", "25-nls-cp1251", "d6325660.0", "ASCredentialIdentityStoreState.h", "getisp.sh", "GCMouse.h", "03179a64.0", "2077:f000", "GKSessionError.h", "device_info", "encrypt.js", "COMODO_Certification_Authority.crt", "qos_tc.sh", "vecLibTypes.h", "filesystems", "AFKMemoryDescriptorOptions.h", "ipt-account", "imb", "https://khmerpornvideo.signup0.y.id/", "jquery.countTo.js.pobrane", "WKPreviewElementInfo.h", "system", "lib-textsearch", "ar9533_switch_portVlan", "ASP. NET", "ecsIfName", "python3-embed.pc", "sysctl.h", "charon.conf", "login.sh", "12d1:1f1b", "1c9e:9200", "https://alohatube.xyz/search/sex-mom-dog-animal", "chat-modem-test", "1ee8:0068", "https://brand.centurylinktechnology.com", "22-imb", "desc.h", "http://www.salesmanago.pl/static/sm.js", "SwissSign_Silver_CA_-_G2.crt", "crt.sed", "vm_dyld_pager.h", "GCKeyCodes.h", "unlock_pin.sh", "49-ipt-ipset-tplink", "find_target.lua", "S50pppox", "https://tria.ge/240521-r3mvhshd83", "jquery-migrate.min.js.pobrane", "config.h", "S26time_setting", "adminlte.min.js.pobrane", "Copy of clientlibs(4).css", "usb-net-huawei-cdc-ncm", "mydtrace.h", "fixup-mac-address", "inst.govelopscold.com", "Bluetooth.h", "1199:0fff", "attack-defense.html", "Baltimore_CyberTrust_Root.crt", "AdminLTE.css", "hosts", "ipsec_check_domain.sh", "Trustwave_Global_Certification_Authority.crt", "biznes.css", "_updown", "40547a79.0", "Copy of clientlibs.js.download", "vnet_zone_init.sh", "folderTree.js", "2001:00a6", "230d:0001", "https://www.googletagmanager.com/gtag/js?id=\\ \u2022 https://www.google-analytics.com/gtm/js?id=", "ASAuthorizationPublicKeyCredentialConstants.h", "pptp-ifdevice-info.sh", "thread.h", "S99enablemodem", "tcp_var.h", "INTERN.h", "delegator.htm", "sdnInfo", "96-customddns.sh", "xl2tpd", "preinit", "50-xt_flood", "plugin.js", "excanvas.js", "kill-pptpd-xl2tpd.sh", "Yara Detections :compromised_site_redirector_fromcharcode Alerts network_icmp js_eval recon_fingerprint", "SZAFIR_ROOT_CA2.crt", "v6plus.sh", "modem-configure.gcom", "rtl8367s_switch_globalLed", "GKPublicConstants.h", "hmac.conf", "in_arp.h", "05c6:1000:uMa=StrongRising", "restorefactory", "12d1:14ad", "openvpn-client-down.sh", "sha1.conf", "OSAtomic.h", "S47imb", "getpinstatus.gcom", "web_group.html", "ASWebAuthenticationSession.h", "00-vnet.sh", "IOUSBHostDefinitions.h", "19d2_0001", "https://amano.inboundtools.com/tpcontact URL https://armg.inboundtools.com/ URL https://gaiax.inboundtools.com/internship URL https://hmk.inboundtools.com/ URL https://hmk.inboundtools.com/form/assetview_siryo_sier", "compound.htm", "oalStaticBufferExtension.h", "ISRG_Root_X1.crt", "jquery.alerts.js.pobrane", "service.sh", "full_valuefooter.htm", "GKChallengeEventHandler.h", "verify_pub.key", "30-policy_route.sh", "S60url_filter", "rtl8367s_switch_portPara", "https://elegantcosmedampyeah.pages.dev/", "regexp.h", "ipt-compat-xtables", "nat_pt.sh", "sys_status.html", "54-usb3", "K71hwnat", "pppox-reload-user.lua", "S99smp", "ASCredentialIdentity.h", "GKVoiceChatService.h", "1ee8:0003", "enable_service.sh", "GKLeaderboardSet.h", "0fce:d0cf", "S97ipsec", "230d:000d", "cbi.js", "ca-certificates.crt", "ips_threat_management.html", "ipsec_failover", "fakesdio.h", "custom_dhcp", "show_if_help.lua", "ipsec_vnet.sh", "nsection.htm", "dvalue.htm", "18-ipgroup", "WKDownload.h", "ip_icmp.h", "rip.lua", "interface.sh", "Tipped: A targets AI and other cyber research findings.", "Copy of iframe_api", "19d2:0026", "qos_VoIP.html", "ncm.json", "S98led", "12d1:14c1", "gre_init", "S99zero_boot_done", "09789157.0", "ASAuthorizationPlatformPublicKeyCredentialProvider.h", "noipddns", "32888f65.0", "serial", "1004:613f", "1dbc:0669", "30-fs-autofs4", "ipsec_failover_process.sh", "usb_firmware_upgrade.html", "1bbb:f017", "keywords.h", "mt7621_switch_portVlan", "UNDTypes.h", "usb-net-ipheth", "98-iptv.sh", "frr.conf", "customddns", "19d2_0002", "S96sysntpd", "WKContentRuleList.h", "dhcp6c.sh", "param.h", "smp", "22-imb.sh", "cedevice.io \u2022 decagonsoftware.com", "04-ipv6", "S65wifidog", "ipt-nfqueue", "rip", "ASAuthorizationWebBrowserPublicKeyCredentialManager.h", "pp.h", "ifdown-l2tp.sh", "pppox-begin-reload-user.sh", "Copy of clientlib(20).css", "12d1:101e", "handy.h", "accountmgnt", "12d1:1c1b", "get_rps.sh", "02_network", "1fac:0032", "ar9533_switch_portStatistic", "Copy of clientlib(15).css", "gmp.conf", "IdenTrust_Commercial_Root_CA_1.crt", "03_preinit_do_ramips.sh", "GKDefines.h", "ipgroup_group.html", "dynanmic_arpreq.sh", "apply_xhr.htm", "index.a415cbb4.js", "font_switcher.26.css", "jquery-ui.js.pobrane", "106c:3b11", "ASAccountAuthenticationModificationRequest.h", "dataTables.bootstrap4.js.pobrane", "WKWebView.h", "4bfab552.0", "machine_remote_time.h", "0af0:7501", "l2tp-ipsec-up-down.sh", "vm_compressor_algorithms.h", "acl_wanhook.lua", "19d2:#linux", "atm_types.h", "KerberosLogin.h", "ar8327_switch_portRateControl", "portrange.js", "dslite.sh", "switch_port.sh", "WKScriptMessageHandlerWithReply.h", "1e09d511.0", "nginx-php.standby.content-premier-vic-gov-au.sdp3.sdp.vic.gov.au", "S96load_balance", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "QuoVadis_Root_CA_1_G3.crt", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "Copy of clientlib(29).css", "19d2:1216", "ipt-ipopt", "16d8:6281", "S91wireguard", "wechat.html", "05c6:2000", "NSAttributedString.h", "rsa_check", "pd_server.sh", "25-nls-cp864", "nat_dmz_bypass.sh", "ar8327_switch_portVlan", "stdatomic.h", "ad_status.js.pobrane", "Copy of clientlibs.js(2).download", "search.js.pobrane", "GCExtendedGamepad.h", "97-mwan3.sh", "GlobalSign_Root_CA_-_R2.crt", "Copy of clientlib.js(29).download", "1fac:0151", "ppp-down", "1-vnet_lanv6hook.sh", "Copy of clientlib.js(3).download", "0fca:8020", "Copy of clientlib(2).css", "GameController.tbd", "reboot_schedule.html", "css", "sysupgrade.conf", "05c6:6503", "19d2:0154", "GTS_Root_R1.crt", "wifidog.conf", "uci-defaults.sh", "UE_pl_top.svg", "WKURLSchemeHandler.h", "user-secrets.reference", "assign_restriction.html", "DigiCert_Assured_ID_Root_CA.crt", "GameKit.h", "sendsms-at.gcom", "19d2:1511", "perl_siphash.h", "sbox32_hash.h", "GCXboxGamepad.h", "xauth-generic.conf", "Attacks are being carried out by The State of Colorado", "0408:ea17", "zone_core.sh", "http://www.gov.pl/web/po-jelenia-gora/", "Copy of clientlib.js(58).download", "directip.gcom", "ipt-nathelper", "S19vnet", "mt7628_switch_portVlan", "https://twitter.com/PORNO_SEXYBABES", "ar9533_switch_portState", "25-nls-cp850", "imb.html", "mwan3-tplink", "8d86cdd1.0", "isp_routing.html", "atomic.h", "accountmgnt.lua", "access_control.html", "support_bundle_commands.conf", "advanced.html", "table.h", "saved_resource.html", "Copy of clientlib(11).css", "3bde41ac.0", "1004:6327", "Copy of clientlib.js(51).download", "firmware_reseting.html", "dhcp6s.conf", "072f:100d", "05c6:0010", "TWCA_Root_Certification_Authority.crt", "qos_Traffic.html", "1bbb:011f", "S95ifstat-mini", "a94d09e5.0", "WebKitLegacy.h", "core_global.sh", "1307:1169", "18-dnsproxyvnet.sh", "access_ctl", "40-remote_mngt", "S97session_limits", "stdint.h", "access_time_help.lua", "modemLedCtrl.sh", "vpn_peers.html", "vm_memtag.h", "30-fs-minix", "0922:1003", "named.cache", "Copy of clientlib(33).css", "Izenpe.com.crt", "cli_routing_cmd.tree", "5d3033c5.0", "inputmask.binding.js.pobrane", "log_oops_recovery.sh", "interface_mac.html", "nfnetlink", "pkcs1.conf", "ASAccountAuthenticationModificationViewController.h", "ASAuthorizationProviderExtensionAuthorizationRequest.h", "40-fs-nfsd", "GCDevicePhysicalInput.h", "session_limits", "http://park.above.com/jr.php?gz=DjDNgvDQ0WlpBALxevxSvkF3jBH95b5riUvmgFjb1tbPDV06suYFlRcPA34ufLE5UZ8spiM7ya7tRXR8nLUgk920DSaIXniiR5hkoveznG%20mez7OU5R%20HKIczV475LuRwxm3J1pcRSpQcePtF/4aD%20frLO%205mYc0Maj8Z1IwBeAMESc9Gk3BzCkGUHNVeCAZ9vZrQhEeVvN%20QVBAu1boZNJTnvCAP0lB5ebMSP92bFHD/ItyL53LoVDSYWMd64KTNMMJaXE0kZVqQn/%20STriQbrA6cmW3Xj4sAJ3XXEbNNJzTbIvgsy00PlKWInEUK/iXzVecaBsXg3vkUcvkeM3HPPIajaBexXO7ATYz/qTeKAksI9l2IoDAsn0S9BYCTuP8uTYdgJAv0LO%20MkNBOrSqJnFQzTlNxG4NRSP6K4VDWklVPpCwQc/s/AfrwIdLcdrV6CQDLaluG1naOjXDc", "sv.h", "Copy of clientlib(21).css", "tabcontainer.htm", "su.js", "daterangepicker.css", "com_err.h", "99_10_failsafe_login", "50-qos_ctl", "0421:060c", "3g.sh", "cell_valuefooter.htm", "https://www.virustotal.com/graph/embed/g365a82115f934e31a69118715695c91c231f66cda9084c9389e56afb985a243e?theme=dark", "Kerberos.h", "ASPasswordCredentialIdentity.h", "show_interface.lua", "My Independent research finds an intersect between different pdf DV versions being able to connect to Raspberry Pi devices as it was the FCC application document. Risk: Mac ID connectivity to all.", "WKFindResult.h", "slider.js.pobrane", "core_rule.sh", "30-veth", "https://prod.centurylinktechnology.com", "howtoworkacrickoutofyourneck2.pages.dev", "1033:0035", "1614:0802", "rc.common", "09_fix-seama-header", "ipsec", "1ee8:004a", "1004:613a", "GCDualShockGamepad.h", "interface.lua", "19d2:1030", "20-usb-core", "https://hybrid-analysis.com/sample/a16d11910953b800369dbb667f178b3cc45cb8e3315217c0e6ceac68eeba206d", "257a:d000", "pppox-reload-user.sh", "perl_langinfo.h", "port_trigger.html", "custom_ddns.html", "https://www.virustotal.com/gui/collection/7196cbc5285fb7e155a529980dc1797d3ab3884e20c77c66d9b1b971c313fe56/graph", "AffirmTrust_Commercial.crt", "8888:6500", "https://www.gov.pl/scripts/bundle.js", "time.sh", "26-openvpn.sh", "openvpn-client-routeup.sh", "IOBluetoothTypes.h", "pptp-client-update.sh", "1410:7001", "api_VPN.sh", "90-xt_qoslimit", "qos_config_sync.lua", "ASAuthorizationSingleSignOnProvider.h", "_limits.h", "ppp-up", "core_ipv6group.sh", "5f618aec.0", "99-balance_route", "led.sh", "error500.htm", "30-fs-xfs", "25-nls-koi8r", "webfilter_global", "dnssecquery.sh", "0af0:d031", "wizard.js", "19d2:1207", "machine_kpc.h", "SessionTimeout.js.pobrane", "c01eb047.0", "Copy of clientlib.js(52).download", "web_login.html", "Copy of clientlibs.js(1).download", "K91network", "S50cron", "ASAuthorization.h", "ucitrack", "1ee8:0054", "SecureTrust_CA.crt", "ASAuthorizationWebBrowserSecurityKeyPublicKeyCredentialProvider.h", "system_params", "usb-net-cdc-ncm", "18-ipv6group", "96-dynddns.sh", "nf-conntrack-netlink", "K90ipv6", "ceidg.css", "https://brand2.centurylinktechnology.com", "switch.sh", "Copy of clientlib(34).css", "time_mngt", "filter", "05-liblogger", "Copy of clientlib(47).css", "0b3c:f000", "qos_core.sh", "zero_boot_done", "Copy of clientlib.js(10).download", "port-id-map", "locate_plugin.h", "S42ippool", "l2tp-init.sh", "S95l2tp", "ssl_vpn_server.html", "3e44d2f7.0", "GlobalSign_Root_CA_-_R3.crt", "WKPreviewActionItemIdentifiers.h", "l2tp-ipsec-delete.lua", "Copy of clientlib(55).css", "02-usb-auto-scan", "1ee8:0018", "crc.h", "wportal.html", "freeStrategy", "kernel-netlink.conf", "locale", "boot", "1a8d:2000", "openvpn_user", "05c6:f000", "ASPasskeyCredentialRequestParameters.h", "d4dae3dd.0", "dd8e9d41.0", "Copy of clientlib.js(59).download", "91-xt_authlimit", "32-sit", "widget.css", "vlan_portSetting.html", "S99switch", "S72sfe", "12d1_0003", "memory_types.h", "https://www.virustotal.com/gui/collection/79c25168b2f93d9730a56b8d2b834cbfb2752b63b21b9dd51109416fbaa676d8/iocs", "ipxr", "Alerts: console_output has_pdb pe_unknown_resource_name", "geometry.js.pobrane", "96-cmxddns.sh", "0af0:7311", "radiusclient.conf", "0af0:7031", "http://www.plix.net", "Copy of clientlib(28).css", "349f2832.0", "ipt-conntrack", "https://serverhub.com/modules/system/assets/js/framework.js", "D-TRUST_Root_Class_3_CA_2_2009.crt", "25-nls-cp852", "48bec511.0", "0af0:7801", "30-atm", "xfe-URL-Intercom.io-stix2-2.1-export.json", "0af0:8900", "b727005e.0", "qos_public.sh", "Copy of clientlib.js(28).download", "_OSByteOrder.h", "5e98733a.0", "Starfield_Root_Certificate_Authority_-_G2.crt", "S99zzzzzsys_info", "0af0:8302", "dhcp6s", "1d3472b9.0", "perly.h", "mg_vtable.h", "OSvKernDSPLib.h", "ippool", "pre_setting_config.sh", "90-portal_mgmt", "99-ipt_urlset_target", "ar8327_switch_8021Qvlan", "AffirmTrust_Premium.crt", "fastcgi_params", "ipv6group_group.html", "BluetoothAssignedNumbers.h", "vDSP.h", "K10openvpn", "onion.js.pobrane", "WKWebViewConfiguration.h", "devstatus", "l2tp-client", "https://alohatube.xyz/search/tsara-brashears", "12d1:1449", "libkern.h", "TUBITAK_Kamu_SM_SSL_Kok_Sertifikasi_-_Surum_1.crt", "MCPeerID.h", "style-simple-follow.css", "ppp.sh", "tcp.h", "Copy of clientlib.js(22).download", "dev-app.project-cicada.com \u2022 http://dev-app.project-cicada.com \u2022 https://dev-app.project-cicada.com (2014 report predates 2016 reports)", "responsive.bootstrap4.js.pobrane", "lib-crc-ccitt", "5cd81ad7.0", "openvpn-server-up.sh", "sysauth.htm", "account.2ca6a054.js", "ips_blacklists.html", "WKSecurityOrigin.h", "zzzcloud_proc", "07d1:a804", "8d89cda1.0", "gettime.sh", "stddef.h", "12d1:14b5", "luci-add-conffiles.sh", "certSIGN_Root_CA_G2.crt", "https://maps.googleapis.com/maps/api/js?sensor=false", "qos_ipset.sh", "network_arch.sh", "chunk-vendors.0cdf10f0.js", "switch_functions", "0af0:c100", "c28a8a30.0", "25-nls-cp775", "0922:1001", "extended_layouts.26.css", "rtl8367s_switch_portRateControl", "dyn3322ddns.html", "malloc_ctl.h", "00-configlink.sh", "0fce:d103", "jquery.djmegamenu.js.pobrane", "Copy of clientlib.js(24).download", "54657681.0", "0482:024d", "Secure_Global_CA.crt", "Buypass_Class_2_Root_CA.crt", "main.sh", "20b9:1682", "22de:6803", "10_migrate-shadow", "machine_machdep.h", "ASSettingsHelper.h", "disconn-script", "https://www.plix.pl/system/companies/logos/000/000/526/original/gigainternet-logo.png", "hxxps://go[.]microsoft[.]com/fwlink/?LinkId=2033498", "cli_extra_cmd.tree", "string.h", "animations.css", "finder.css", "GCKeyboardInput.h", "WKError.h", "50-usb-ohci", "xfe-URL-Cloudfront.net-stix2-2.1-export.json", "tree.h", "ddm.html", "polling.portal.gov.bd", "IDS Detections: Win32/Enosch.A gtalk connectivity check | W32/MoonLight.worm User-Agent (HellSpawn)", "controller.js", "Trump Support campaign \u2022_\u2022 lantana-mgmt.washington.palantircloud.com \u2022 containers-reishi.palantirfedstart.com", "CommonScripts.js.pobrane", "getregistestate.gcom", "options.pptpd", "jquery.easing.1.3.js.pobrane", "preview_wportal.html", "pcup.gov.ph:", "policy_routing.html", "index.html", "IOBluetoothServiceBrowserController.h", "AuthenticationServices.h", "gre_overipsec.html", "vnet_core.sh", "nfnetlink-queue", "AppleUSBDescriptorParsing.h", "mg_raw.h", "d887a5bb.0", "nat.lua", "IOUSBHostStream.h", "icmp6.h", "e868b802.0", "offcanvas.26.css", "_endian.h", "openvpn-client-disconnect.sh", "Copy of clientlib.js(14).download", "25-nls-utf8", "QuoVadis_Root_CA_2.crt", "WKSnapshotConfiguration.h", "ubnt.sh", "sdhci-mt7621", "online_reload.lua", "S83web_security", "50-access_ctl.sh", "power", "00-vnet_client.sh", "aes.conf", "GCRelativeInput.h", "l2tp-global", "91-gre.sh", "WKWebsiteDataStore.h", "ASAuthorizationPublicKeyCredentialAssertion.h", "04e8:f000:sMo=U209", "http://mincom.gov.bd/dead.php", "functions.sh", "core_acl.sh", "op.h", "vBasicOps.h", "f0c70a8d.0", "0af0:7381", "geoip", "Alerts: network_icmp nolookup_communication js_eval recon_fingerprint", "Yare: compromised_site_redirector_fromcharcode", "openssl.cnf", "Containers-Pecorino.PalantirGov.com -pecorino.palantirgov.com", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr", "GKEventListener.h", "0af0:7401", "S96static_route", "95-online.sh", "USERTrust_ECC_Certification_Authority.crt", "slider.js", "19d2:0304", "https://i-want-to-start-an-onlyfans.pages.dev/favicon.ico| I bet you do boo boo", "network_netlist.htm", "md5.conf", "30-fs-nfs-common", "1bbb:00ca", "COMODO_ECC_Certification_Authority.crt", "https://lordseriala.life/6337-zvezdnye-vojny-opornaja-komanda.html", "ipstat", "19d2:0120", "jquery.autocomplete.min.js.pobrane", "Copy of clientlib.js(32).download", "apfs_boot_mount.tbd", "core_ipgroup.sh", "ASPasskeyRegistrationCredential.h", "12d1:15e7", "usb-storage-extras", "ifstatus", "60-dnsmasq", "util.h", "89-remote_mngt.sh", "4f316efb.0", "Copy of clientlib.js(9).download", "updown.conf", "02-split_access", "05c6:1000:uMa=Option", "arp_defense", "iperlsys.h", "login.4f52b876.js", "76faf6c0.0", "40-load_balance", "S95mwan3", "S99avahi-daemon", "GlobalSign_Root_CA.crt", "openvpn-common.sh", "WKWindowFeatures.h", "AirPlayReceiver.tbd", "phddns.html", "pd_api.sh", "qos_Class_role.html", "cn9130_switch_portMirror", "GCControllerInput.h", "0f6fa695.0", "0af0:8700", "Apple Store verified drop down breach \u2018Apple took a screenshot of pages\u201d", "json2.js.pobrane", "2923b3f9.0", "uconfig.h", "feffd413.0", "UE_pl_top_sm.svg", "radiusclient-ng.h", "0b3c:f00c", "90-xt_tplimit", "0af0:6731", "WKPreferences.h", "GCTypes.h", "chat-get", "ips_whitelists.html", "ifstat-mini", "kdp_en_debugger.h", "lock-prov.gcom", "0af0:d155", "footer.htm", "backup", "05c6:1000:uMa=DGT", "IOUSBHostCIDeviceStateMachine.h", "19d2:1179", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "dynamic_dns_updater.sh", "Hongkong_Post_Root_CA_1.crt", "GKTurnBasedMatchmakerViewController.h", "PCIDriverKit.h", "uudmap.h", "issue", "Certigna_Root_CA.crt", "ee64a828.0", "12d1:157c", "19d2:1210", "Copy of clientlib(13).css", "loadopenvpncert", "sddm-:0-BoTuTx", "109b:f009", "TargetConditionals.h", "0af0:6911", "options.pptp", "Copy of clientlib(23).css", "tblsection.htm", "usermngr_backup.html", "valuefooter.htm", "4042bcee.0", "ldap_check_result.sh", "97-load_balance.sh", "https://www.virustotal.com/gui/collection/09af9ef0b7b23d2dc73d83858106ae4fc97a352dbb521ac04493a0e79095ac69/iocs", "Copy of clientlib(6).css", "ifdown", "tvalue.htm", "00_start_sync.sh", "https://wallpapers-nature.com/tsara-brashears/urlscan-io", "Copy of clientlib.js(34).download", "e35234b1.0", "0408:f000", "S85webfilter", "snmpd", "Certum_Trusted_Network_CA_2.crt", "1bbb:000f", "cloud_service.cfg", "19d2:0110", "99-ipt_tpconnlimit", "in_var.h", "ippool.html", "25-nls-iso8859-13", "GCSwitchElement.h", "arp_scan.html", "https://www.virustotal.com/gui/collection/7196cbc5285fb7e155a529980dc1797d3ab3884e20c77c66d9b1b971c313fe56/iocs", "GKTurnBasedMatch.h", "switch_portStatistics.html", "getcarrier.gcom", "03-vlan", "checkbox.js", "142.250.74.142.250.74.138 _exploit_source | 142.250.74.138 _exploit_source | 142.250.74.142_exploit_source", "hardware.txt", "qos.html", "0af0:7701", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "usb-mode.json", "pptp-option.sh", "19d2:0053", "Copy of clientlib(32).css", "WKDataDetectorTypes.h", "30_failsafe_wait", "ipc_types.h", "40-qos.sh", "XRamp_Global_CA_Root.crt", "1c9e:9e00", "IOBluetooth.tbd", "30-fs-reiserfs", "usb-net-cdc-ether", "in_systm.h", "opnames.h", "perlapi.h", "access_func_v6.sh", "ASAuthorizationSingleSignOnRequest.h", "portal_mgmt", "GKVoiceChat.h", "freePolicy", "widget.js", "mt7628_switch_init", "S47access_ctl", "tmp.QMAjonKZB0", "106c:3b05", "unbound.conf.back", "openvpn-mgmt", "ff34af3f.0", "GKSavedGameListener.h", "cli_time_range_cmd.tree", "230d:0003", "ASAuthorizationCustomMethod.h", "system_routetbl.html", "getimsi_b.gcom", "application_filter.html", "signal.h", "GCPhysicalInputProfile.h", "arp_scan_range", "0af0:9200", "PWS:Win32/Ymacco.AA50 Win.Trojan.Generic-9959068-0\t SLF:MSIL/PSTAnomaly.A Win.Dropper.Shakblades-7614016-0\t#LowFI:VBExpensiveLoop Win.Packed.Barys-10031677-0\tTEL:Trojan:MSIL/AgentTesla.VPA!MTB Win.Trojan. Backdoor:MSIL/Remcos!MTB", "0af0:7271", "pc_wifi.html", "OTX AlienVault", "NAVER_Global_Root_Certification_Authority.crt", "19d2:1517", "GKCloudPlayer.h", "2262:0001", "dictionary.merit", "markdef.sh", "19d2:2004", "fontswitcher.js.pobrane", "lz4_assembly_select.h", "b66938e9.0", "pppox-remote-management.sh", "preinit.sh", "wireguard_interface", "warnings.h", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "S99dynamic_route", "arping.sh", "gv.h", "1004:1000", "note", "12d1:1001", "dia_info.html", "99-xt_l2tp", "system_mode.html", "1bbb:022c", "snapshot", "zombie_monitor", "flood_defense", "12d1:1f02", "ASAuthorizationWebBrowserSecurityKeyPublicKeyCredentialAssertionRequest.h", "system_mode", "T-TeleSec_GlobalRoot_Class_3.crt", "GCDevice.h", "arp.sh", "12d1:155b", "sysntpd", "1004:61dd", "GKMatchmaker.h", "static_if.h", "198a:0003", "E-Tugra_Certification_Authority.crt", "python-3.9-embed.pc", "keyword.js", "lldp_get_wan_device.sh", "05c6:1000:uMa=Co.,Ltd", "v6plus-dial.sh", "1ee8:0009", "98-ipt_web_dns_match", "0af0:7071", "ASAuthorizationSecurityKeyPublicKeyCredentialAssertionRequest.h", "ldap.conf", "nat_napt.sh", "dynamic_route", "106f3e4d.0", "0af0:7011", "1d09:1021", "ASAuthorizationPlatformPublicKeyCredentialDescriptor.h", "auto_backup", "92-dynamic_route", "hxxps://myapplications[.]microsoft[.]com/", "GCDualSenseGamepad.h", "ASAuthorizationAppleIDProvider.h", "2357:f000", "dynddns.html", "macFiltering.html", "dropbear", "60-dnsmasq.sh", "emSign_Root_CA_-_G1.crt", "pptp-startup.sh", "ASAuthorizationRequest.h", "1004:61e7", "handle_card.sh", "track.spywarewatchdog.org \u2022 https://track.spywarewatchdog.org - monitoring software", "ASAuthorizationSecurityKeyPublicKeyCredentialDescriptor.h", "19d2:0146", "15-usb_mode", "charon-logging.conf", "OBEX.h", "Copy of clientlib(22).css", "vlan_vlanSetting.html", "embed.h", "05c6:9024", "7f3d5d1d.0", "controller_setting.html", "web_security", "ips_signature_suppression.html", "10_indicate_failsafe", "content.css", "30-fs-cifs", "qos", "reference", "DigiCert_Global_Root_CA.crt", "acl_delete_rule.lua", "pgp.conf", "show_interface_status.lua", "Copy of clientlib(4).css", "basic.html", "form.js", "OSTypes.h", "time_range.lua", "XSUB.h", "ASPublicKeyCredentialClientData.h", "modem", "AdID.tbd", "3e45d192.0", "1c9e:f000", "10-pppox-if-up-down.sh", "04cc:225c", "19d2:1007", "Entrust_Root_Certification_Authority_-_G4.crt", "dns_doh.html", "10-mount", "0bdb:190d", "30-fs-cramfs", "alc.h", "OSDebug.h", "ipt-iprange", "2077:1000", "IOUSBHostIOSource.h", "https://clear.ml/infrastructure-control-plane", "base-files-essential", "remote_mngt.sh", "set_fan.sh", "dnsproxySecurity", "mg.h", "setmode.gcom", "f081611a.0", "https://www.virustotal.com/gui/collection/6a8d582df4fe5a29885dad4074236bc9e4ed445aaf0cc00702d45963fb0459bb/iocs", "Block.h", "1782:0003", "https://otx.alienvault.com/indicator/ip/198.49.23.145#:~:text=CIDR:%206%20%7C%20CVE:%20107,infrastructure%20into%20global%20botnet%20clusters.", "Hongkong_Post_Root_CA_3.crt", "19d2:0040", "1410:5010", "radio.js", "Copy of clientlib(46).css", "WKFoundation.h", "19d2:1238", "ASCredentialIdentityStore.h", "S71hwnat", "switch_portLimit.html", "GKChallengesViewController.h", "Copy of clientlib(51).css", "S95done", "http://watchhers.net/index.php", "cn9130_switch_portRateControl", "ipcalc.sh", "usb-printer", "des.conf", "auth_port_modify.sh", "https://www.google-analytics.com/debug/bootstrap?id=\\", "ASAccountAuthenticationModificationUpgradePasswordToStrongPasswordRequest.h", "set_time", "python-3.9.pc", "su.full.min.js", "OBEXBluetooth.h", "Atos_TrustedRoot_2011.crt", "12d1:1f19", "portal_mgmt_monitor.lua", "vpn_user.html", "common.js.pobrane", "default_balance", "websort", "0fd1:1000", "tmngtd", "module.modulemap", "ca6e4ad9.0", "http://ianswertomom.com/develop-wise-woman-within-yourself", "File Type PEXE - PE32+ executable (console) x86-64, for MS Windows ..", "zone", "nginx", "90-xt_dosdrop", "Cybertrust_Global_Root.crt", "panel.js", "core_redirect.sh", "S42service", "editor.js", "arm64e-apple-macos.swiftinterface", "zbalance_loop_reset", "0b1b94ef.0", "firebase-auth-eich0v.pages.dev", "cli_http_cmd.tree", "cn9130_switch_init", "service.html", "openvpn-instance.sh", "97-line_backup.sh", "openvpn-password.lua", "openvpn", "monitor_port.lua", "GCMotion.h", "types.h", "socket-default.conf", "mobile_wifi.html", "timeobj_cron_api.sh", "moment-with-locales.min.js.pobrane", "machine_routines.h", "a3418fda.0", "S70freeStrategy", "GCDeviceCursor.h", "https://mobile-pocket-guide.centurylinktechnology.com", "ip6.h", "GKSession.h", "Copy of clientlib.js(23).download", "S90ndppd", "bootstrap.min.js.pobrane", "backup.sh", "12d1:156a", "dataTables.responsive.js.pobrane", "S50radvd", "passwd", "pcauth.js", "websec_timeobj.lua", "ASCredentialServiceIdentifier.h", "revocation.conf", "1636090b.0", "iptv.html", "timepicker.js", "Copy of clientlib.js(55).download", "online", "0af0:7361", "ASAuthorizationWebBrowserSecurityKeyPublicKeyCredentialRegistrationRequest.h", "GKPlayer.h", "jquery.djmobilemenu.js.pobrane", "win-utf", "S10system", "04_handle_checksumming", "omada-tool.conf", "ASAuthorizationWebBrowserPlatformPublicKeyCredential.h", "ipv6", "getimsi.gcom", "mwan3", "19d2:1171", "ipsec_handle_iptables.sh", "omada-tool.lock", "0471:1237", "reset", "30-v6plus", "WKUserScript.h", "90-xt_vlan", "routing.lua", "ips_setting.html", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "dynamic_dns_customddns.sh", "ipt-geoip", "ptrauth.h", "15-mii", "jquery.scrollTo.min.js", "vnet_zone_api.sh", "in_stat.h", "Copy of clientlib(43).css", "dictionary.asnet", "usermngr_user.html", "K99umount", "30-fs-udf", "IntentsUI.apinotes", "6to4.sh", "06-wan_log", "GameKit.apinotes", "_types.h", "TrojanProxy:Win32/Malynfits CodeOverlap TrojanSpy:Win32/Nivdort CodeOverlap virus:Win32/Lywer CodeOverlap", "mt7621_switch_portPara", "19d2:1520", "Entrust_Root_Certification_Authority_-_G2.crt", "19d2:0266", "pad.h", "dnskey.conf", "10-sysctl", "jquery.min.js.pobrane", "dhcps.sh", "zone_init.sh", "tcp_seq.h", "chat-modem-configure", "Trustwave_Global_ECC_P384_Certification_Authority.crt", "perlsdio.h", "preauth_plugin.h", "OSMalloc.h", "20-upnp", "embedvar.h", "Starfield_Services_Root_Certificate_Authority_-_G2.crt", "12d1_0004", "https://vtbehaviour.commondatastorage.googleapis.com/edb4c21d60daa44b3429e7ba9bfa342759ebef23c136c934f74aef145453ce19_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775737365&Signature=S%2B7RcHYjab1hbKlKwFfvUbDirFPJS1A2TJQ3bVIObMcON4PD9pRDvhMtYMCnEBrYsICi0UJCFW5eUDolL5Jlbngsc587kF36vvuhlkPprbkSOY1jOyDTpe3Qsb6jRFz3xwOfZc9S5QervoLnRKb%2FyGSyZE6ZK6TxzBrOPczPtZ7sLf9NfD6E%2B2gMRXaRjEqVwVITLG7YqCiiNuohFOuNlK3uNHFpIk53viKvBSAIqLtSklH9bHW4q1DX", "e73d606e.0", "mbimfind.lua", "S40fstab", "l2tp_client.html", "sysctl", "xdr_subs.h", "0af0:d033", "snmp.lua", "12d1:1030", "jquery.flot.fillbetween.js", "0ace:20ff", "31-iptunnel", "perl.h", "IOPCIDevice.h", "dynamic_dns_log.sh", "Microsoft_RSA_Root_Certificate_Authority_2017.crt", "Copy of clientlib.js(41).download", "12d1:1523", "dhcp.lua", "handle_card_process.sh", "IOUSBHostControllerInterface.h", "load_balance", "30-ipsec", "jquery.min.js", "foldertree.js", "l2tp_global.html", "12d1:1526", "40-usb2", "UCA_Extended_Validation_Root.crt", "S98ipsec_failover", "30-tun", "GCProductCategories.h", "cli_ssh_cmd.tree", "CA_Disig_Root_R2.crt", "S96upnp", "GKChallenge.h", "rewrite.lua", "interface_mode.html", "dhcp_lan_settings_standalone.html", "sysparams_net.sh", "http://titasgas.portal.gov.bd/dead.php", "jquery.session.js.pobrane", "S10boot", "https://links.mail.samsara.com/s/c/P9R6gGlExR4nfCwqwJXUmr7NmKcMNde4ZBhCFprlVtsFNgh-4tuTWla0aXN9rIWCjrWtn0Vln7x-hexxVBlY3xxvnEevR8qJU5G5xV3__wo-X7kkpSOhJVfejac-Xk8qu6zs5Z-tILwWYRkNScZNGlAqfwQuJuRw5M-n_ZKI6tuY5XGCZAqWoQepi1NnJiW4wZJkzZlOwGtNkusbuKDcMsLVrrhji2eKh4kYgrJp_SeycJRhasLFCQ3c2bPu4sahEWpcHZrQBaxvdfQgTEno8kV-RJdTDO0zK5MyWDJLeds7mnaDrxlb0O2zmhebUdlHE0R0xHi25dympBUpMlLsQV8bx1WUTOfgK4k0ci9o_2Gbfe22-jLxsJN-msV6pxWYQMaxRNFd4iZRC9J9Z1SC5MBqbvNzqdt98kFdpibnv_QIHdhFyHOR_Ip_LX67Dncc8V8OvAi-H5phfeSyDzwdzf2FQIi82", "S21tddpd", "ASAuthorizationWebBrowserPlatformPublicKeyCredentialProvider.h", "Copy of clientlib.js(8).download", "ssl_vpn_tunnel_group.html", "ASCredentialRequest.h", "GKAchievementViewController.h", "GKLocalPlayer.h", "vnet.sh", "10-rt2x00-eeprom", "IOUSBHost.h", "Copy of clientlib(25).css", "snmp.html", "99-load_balance.sh", "nand.sh", "upload.htm", "dnsmasq", "ASAuthorizationPublicKeyCredentialLargeBlobRegistrationOutput.h", "ASPasskeyCredentialIdentity.h", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "UNDReply.defs", "Copy of clientlib(54).css", "lldpd", "dictionary", "IOUSBHostObject.h", "xfe-URL-Eonix.net-stix2-2.1-export.json", "access_func.sh", "pppox", "nat_vs.sh", "4b718d9b.0", "firstboot", "https://js.hs-scripts.com/3844463.js", "75d1b2ed.0", "12_network-generate-ula", "QuoVadis_Root_CA_3.crt", "ePKI_Root_Certification_Authority.crt", "25-nls-cp1250", "GKGameSessionError.h", "access_control", "zteinfo.gcom", "19d2:0169", "ASAuthorizationPublicKeyCredentialDescriptor.h", "ngx_wdas.lua", "05-lanv6", "audit_ioctl.h", "system_params.html", "Copy of clientlib(39).css", "dpi.sh", "tddp", "ef954a4e.0", "pptpd.conf", "chat-get-qualcomm_1", "get_option.lua", "controller.conf", "S01led_early", "daemons.conf", "pptp-server", "GCMouseInput.h", "shells", "1dd6:1000", "qos_mark.sh", "appdist_database.html", "kpi_ipfilter.h", "99-hotplug_done", "bwlist_qq.html", "Copy of clientlib.js(31).download", "bootstrap_responsive.26.css", "7aaf71c0.0", "Copy of clientlib(36).css", "148f:2578", "K50dropbear", "umount", "mime.types", "freeStrategy_backup.sh", "ifup-l2tp.sh", "random.conf", "IOUSBHostCIControllerStateMachine.h", "S00zombie_monitor", "gre-ipsec-up-down.sh", "MCError.h", "https://www.gov.pl/web/po-jelenia-gora/", "IOUSBHostControllerInterfaceHelpers.h", "usb-serial", "igmp_var.h", "portal_status.sh", "98-ipt_urlset_match", "koi-utf", "0408:ea43", "core_service.sh", "openwrt_version", "Copy of clientlib.js(33).download", "cn9130_register", "GCController.h", "19d2:1227", "IOBluetoothPairingController.h", "in_pcb.h", "60-dhcpsvnet.sh", "qos_grpmark.sh", "ipt-nat", "pptp_global.html", "90-xt_multinetdev", "MultipeerConnectivity.h", "1410:5059", "1edf:6003", "https://tria.ge/240521-r1yh8shd44", "Copy of clientlib.js(56).download", "overlay.js.pobrane", "GKLeaderboardViewController.h", "706f604c.0", "url_filter", "WKBackForwardListItem.h", "Copy of clientlib.js(19).download", "ipv6.html", "Legal court documented agreement to allow and pay target to hire cyber investigators", "emSign_Root_CA_-_C1.crt", "limits.h", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "DigiCert_Global_Root_G2.crt", "S25sysctl", "vm_pageout.h", "GKLeaderboardEntry.h", "0b3c:f017", "1-vnet_lanhook.sh", "MultipeerConnectivity.apinotes", "get-vpn-ip.sh", "1076:7f40", "406c9bb1.0", "detach_timeobj.lua", "modem-gsm-test-qualcomm.gcom", "acl_timeobj.lua", "05c6:1000:sVe=GT", "animate.min.css", "vm_kern.h", "Go_Daddy_Root_Certificate_Authority_-_G2.crt", "05c6:1000:sVe=Option", "ecmp.lua", "04fc:2140", "cloud_config.cfg", "80-fuse", "dynddns", "subnet.js", "Verification failure observed in automated verification handlers during sandbox replay.", "https://www.plix.pl", "iptv", "1004:614e", "50-l2tp-lowerif-up-down.sh", "1004:6190", "ipset.debug", "Entrust_Root_Certification_Authority_-_EC1.crt", "ipv6group", "https://www.virustotal.com/graph/embed/g8726609a12794ebeb59edd531961a233068149bcdf994b428f20141be6111551?theme=dark", "jcemediabox.css", "1c9e:6061:uPr=Storage", "pppoe", "04e8:689a", "S31tmngtd", "SwissSign_Gold_CA_-_G2.crt", "e113c810.0", "12d1:14c3", "S60xl2tpd", "Certigna.crt", "ipsec.lua", "S90portal_mgmt", "12d1:#android", "12d1:151a", "xfe-URL-Serverhub.com-stix2-2.1-export.json", "Copy of clientlib.js(57).download", "ASAuthorizationProvider.h", "boot_done", "wifidog-init", "vecLib.h", "TrustCor_RootCert_CA-1.crt", "Certum_Trusted_Root_CA.crt", "05c6:1000:uMa=SAMSUNG", "19d2:0150", "d7e8dc79.0", "wportal", "12d1:1582", "Copy of clientlib(8).css", "DigiCert_High_Assurance_EV_Root_CA.crt", "byte_order.h", "nostdio.h", "http://nhrc.portal.gov.bd/sites/default/files/files/nhrc.portal.gov.bd/page/348ec5eb_22f8_4754_bb62_6a0d15ba1513/Study-Report-on-Sexual-Offences_Final.pdf", "Hellenic_Academic_and_Research_Institutions_RootCA_2011.crt", "wizard.html", "b433981b.0", "usb-acm", "S99zbalance_loop_reset", "07_set_preinit_iface_ramips", "protocols", "Copy of clientlib(40).css", "time64_config.h", "usb-net-cdc-mbim", "S50snmpd", "xcbc.conf", "led_early", "openssl-1.0.0.cnf", "timeobj_api.sh", "gssapi_krb5.h", "cpuid_internal.h", "Copy of clientlib.js(54).download", "S99zzddns", "Copy of clientlib(24).css", "ASWebAuthenticationSessionWebBrowserSessionHandling.h", "mac_filter", "cert.pem", "19d2:0003", "ASPublicKeyCredential.h", "mt7628_switch_portPara", "0bf05006.0", "9d04f354.0", "25-nls-cp862", "chat-gsm-test-qualcomm", "ASWebAuthenticationSessionWebBrowserSessionManager.h", "ScriptResource.axd", "xfe-URL-Enom.com-stix2-2.1-export 2.json", "1ab7:5700", "2020:f00f", "90-xt_doslogonly", "Buypass_Class_3_Root_CA.crt", "options.l2tp", "GDCA_TrustAUTH_R5_ROOT.crt", "usbshare", "connect-ppp.gcom", "14bc7599.0", "stdarg.h", "IOBluetoothPasskeyDisplay.h", "webfilter_func.sh", "gre_common.sh", "stdbool.h", "GCColor.h", "GKPeerPickerController.h", "Copy of clientlib.js(42).download", "connect-ncm.gcom", "pptpd", "zconf.h", "ASAuthorizationWebBrowserPlatformPublicKeyCredentialRegistrationRequest.h", "servers", "qos_api.sh", "WebKit.apinotes", "S60dnsmasq", "mppe", "ASAuthorizationSecurityKeyPublicKeyCredentialRegistrationRequest.h", "jquery.ui.core.min.js.pobrane", "b81b93f0.0", "80_mount_root", "zlib.h", "pal_routines.h", "chat-gsm-test-anydata", "avahi-daemon", "S46netbios_passthrough", "05c6:1000:uMa=Vertex", "drop_caches", "usbmodem_log.sh", "0af0:6771", "IOBluetoothUI.tbd", "K26pppox", "ssl_vpn_locked_user.html", "usb-wdm", "OSBase.h", "usbmuxd", "GCControllerTouchpad.h", "1e0e:f000", "uci.sh", "scepclient.conf", "25-nls-iso8859-1", "ipgroup", "IOUSBHostCIEndpointStateMachine.h", "S42macgroup", "https://www.fmglaw.com/lawyers/christopher-ahmann - found in adult content pulse.", "nfsproto.h", "40-scsi-core", "time_setting.html", "Amazon_Root_CA_2.crt", "http://bilety.polregio.pl", "policy_route", "96-noipddns.sh", "store.js", "js", "authlistCheck.lua", "https://download.clear.ml/cpython_builds/releases/ \u2022 https://download.clear.", "vars", "S96default_balance", "reg_help.h", "search_tty.lua", "core_log.sh", "_param.h", "99_end_sync.sh", "account.html", "12d1:157d", "csv2db.sh", "0af0:c031", "page.js", "http://applevless.dns-dynamic.net/\t\u2022 dns-dynamic.net", "nat_common.sh", "Copy of clientlib(5).css", "01-usb-led", "05c6:2001", "S20network", "ipsec_secrets", "S50qos-tplink", "usb-net", "cli_vlan_cmd.tree", "30-fs-isofs", "0af0:7301", "upnp", "12d1:1f17", "12d1:1505", "Copy of clientlib(7).css", "pagesettings.js.pobrane", "Copy of clientlib(19).css", "S50dropbear", "dc4d6a89.0", "usbmodem", "XZ4AH-ABKPW-SQPBC-CYWES-BCG6V", "GCGamepadSnapshot.h", "Copy of clientlib(52).css", "pppol2tp", "92-pppox-vpn.sh", "19d2:fff6", "21-nat.sh", "if-do-timeobj.sh", "hv.h", "qos-tplink", "0af0:8200", "dhcp.sh", "Copy of clientlib.js(5).download", "1c9e:6000", "19d2:1001", "openwrt_release", "_mcontext.h", "responsive.bootstrap4.css", "WKBackForwardList.h", "https://brandyallen.com/2022/11/23/sexy", "90-vpn", "GKAccessPoint.h", "1ee8:004f", "2001:a707", "A \u2018Target\u2019 became a \u2018Target\u2019 vja close association to main Target of predatory retaliation campaign.", "19d2:fff5", "system_log.html", "ASAuthorizationPublicKeyCredentialRegistration.h", "30-fs-ntfs", "https://js.hscollectedforms.net/collectedforms.js", "add-service.sh", "WKURLSchemeTask.h", "arch.h", "http://www.plix.pl", "DigiCert_Assured_ID_Root_G3.crt", "napt.html", "logrotate.conf", "0421:0622", "shadow", "1c9e:9d00", "ASAuthorizationPasswordRequest.h", "10-policy_route.sh", "0cf3:20ff", "cli_base_cmd.tree", "WKNavigationResponse.h", "rt_tables", "popen_spawn_win32.py", "ospf", "nfs.h", "16d8:700b", "9b5697b0.0", "tpcmd.sh", "230d:0101", "paging.js", "huaweiinfo.gcom", "02265526.0", "dpi_log_database.lua", "pptp-global", "12d1:15ca", "net_share.sh", "test.sh", "WKFrameInfo.h", "nullsection.htm", "12d1:1413", "lvalue.htm", "ar8327_switch_init", "12d1:1521", "getip.sh", "dnssec.html", "http://www.pcup.gov.ph/images/2018/pdf/ComEnBancReso/Commission_Resolution_07s2018.PDF", "endian.h", "qos_dpdk.sh", "Copy of clientlib.js(21).download", "Copy of clientlib.js(36).download", "wifidog-msg.html", "773e07ad.0", "wireguard-down.sh", "tddpd", "e8de2f56.0", "30-fs-hfsplus", "core.sh", "IOUSBHost.tbd", "dnsmasq.conf", "S99lldpd", "MCNearbyServiceBrowser.h", "rip_routing.html", "DigiCert_Global_Root_G3.crt", "0fce:d0e1", "getstrength.gcom", "198f:bccd", "mvalue.htm", "UPX_OEP_place", "GTS_Root_R2.crt", "client.key", "pppv6-share", "1a8d:1000", "Copy of clientlibs(1).css", "00-ecsIfChange", "65-iptv", "progressbar.js", "GlobalSign_Root_R46.crt", "usb-serial-wwan", "22-qos-tplink", "Copy of clientlib.js(26).download", "ASWebAuthenticationSessionCallback.h", "WKContextMenuElementInfo.h", "21f5:1000", "Copy of clientlib(1).css", "https://vtbehaviour.commondatastorage.googleapis.com/000191c1c0d6d324e39789005b1f9851b00a7d709dee3b4d180e9fa0bcfd326f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775182346&Signature=XW5qXy9c7zeqGji%2BJtDga4Y7nDZRclI%2FAvwBQCD%2BqVIXyDtTRgNW7n1FjQXwabAMcf5mAt79yx%2FR3w4itjJfZzUgpU7%2B%2BZXq59iQUl88rhWA7NMvGeGKO4bkcHoQPmrJxXtKnzqJrIxqUwygkbti6kHQ3drQZP8FMYevJ6fUbuR6TkIq2jOioIMcjUVg8uC9%2F6LmmBRINXgcd%2FNhS946HKXdlZq7awFoOV7VR%2Fkfiur%", "19d2:1175", "cli_ospf.lua", "S01spi_device_id", "GCDirectionalGamepad.h", "18-dnsproxy.sh", "network", "12d1_0005", "sysupgrade", "https://www.verizon.com/business/", "0421:062c", "intrpvar.h", "connect-directip.gcom", "99-vnet.sh", "5f15c80c.0", "qos_ifgroup.sh", "98-load_balance", "gssapi.h", "26-freeStrategy", "19d2:ffde", "Microsoft_ECC_Root_Certificate_Authority_2017.crt", "GlobalSign_Root_E46.crt", "country_group.html", "bf53fb88.0", "15eb:7153", "ebcdic_tables.h", "IntentsUI.h", "skynet-dev.tcxn.net tcxn.net Registrar Ascio Technologies, Inc - connection to cloud proxy", "ASAuthorizationPlatformPublicKeyCredentialAssertionRequest.h", "rtl8367s_switch_portVlan", "Security_Communication_Root_CA.crt", "bootstrap.26.css", "wireguard_peers", "60-mac_filter.sh", "cmxddns", "Amazon_Root_CA_1.crt", "platform.sh", "42-usb2-pci", "0af0:6971", "ecs", "GCEventViewController.h", "cron", "25-nls-cp866", "97-qos.sh", "archive.cop.supply \u2022 dev.cop.supply \u2022 https://cop.supply/ \u2022 https://cop.supply/bot-lists/", "utf8.h", "rpcv2.h", "pptp-client", "switch", "TWCA_Global_Root_CA.crt", "qos_delete_rule.lua", "sha2.conf", "dos_defense", "uci_firewall.sh", "GKPublicProtocols.h", "MapKit.tbd", "19d2_0004", "vnetwork", "12d1:1f09", "dictionary.compat", "portal-mgmt", "daterangepicker.js.pobrane", "Copy of clientlib.js(1).download", "K10portal_mgmt", "nginx-php.7d4jelnf.trdlpbvl.sdp3.sdp.vic.gov.au", "service", "6b99d060.0", "GCSteeringWheelElement.h", "93bc0acc.0", "42-ip6tables", "ifstart", "e36a6752.0", "log_awk", "01-zone", "pptp-client-add.sh", "WKWebsiteDataRecord.h", "0421:061d", "ipt-nathelper-extra", "https://js.hsleadflows.net/leadflows.js", "tcpip.h", "25-nls-iso8859-6", "GCGamepad.h", "12d1:14c4", "delete_restart.sh", "filter_global", "ar8327_switch_portState", "19d2:0388", "930ac5d2.0", "S22rsa_check", "19d2:0318", "ffff_0002", "19d2:1201", "wifidog", "S47mac_filter", "aee5f10d.0", "ASAuthorizationPublicKeyCredentialAssertionRequest.h", "2357:0200", "reload_config", "web_security.html", "65-wifidog.sh", "19d2:1588", "ifstat.html", "mt7628_switch_portMirror", "CommonResponsive.js.pobrane", "1-lanv6hook.sh", "b0e59380.0", "dslite-up.sh", "https-dns-proxy", "pptp-server-global", "cpu.h", "99-wan_hook.sh", "machine_cpuid.h", "GCPhysicalInputSource.h", "xhr.js", "https://polling.portal.gov.bd/js/npc.script.js", "http://alohatube.xyz/search/tsara-brashears", "https://tria.ge/240521-rvybaahb79", "radius.conf", "pptp_tunnel.html", "pppox-remote-management-get-ippool.lua", "user-secrets", "profile", "ecmp.sh", "19d2:1237", "Entrust.net_Premium_2048_Secure_Server_CA.crt", "about_hover.svg", "static_routing.html", "UCA_Global_G2_Root.crt", "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739700&Signature=bOTo%2FxCpGDGOsIKJDZjBBhLZRg8UiOGi%2FvVr47Xpmh7tOh9dez7911bi%2F9SUdu4ATLhzRVog%2BdVP%2BUPwTuEfIdEcPuGRGVc1KOSP3fTQrKhRjF3x2dqykxVCH%2B1iqBmCgod%2B1uAdlraxqSOeOgst1l%2Bk250uXff4axktE%2BfGjeNDeGJao%2FfOMktqIL7zU8%2BIQYTObwelnnYx45FBSiXI1bWM4vhdgIX4cs2cT%2F", "tcp_private.h", "0ace:2011", "root.key", "jcemediabox.js.pobrane", "30-fs-configfs", "dictionary.sip", "mt7628_register", "12d1:1009", "2ae6433e.0", "GlobalSign_ECC_Root_CA_-_R5.crt", "firmware_factory.html", "IOUSBHostDevice.h", "l2tp.sh", "pppv6-up", "1e89:f000", "Copy of clientlib(10).css", "ssl_vpn_user_group.html", "quick_setup.html", "region.js", "https://cryptobit.live/build/assets/app-CkRYqsKL.js \u2022 cryptobit.live \u2022 t.page \u2022 cdn.wallets.cryptobit.live", "20-firewall.sh", "math.h", "1d09:1025", "COMODO_RSA_Certification_Authority.crt", "lanv6_server.sh", "1c9e:9401", "00-vpn_hook.sh", "customddns_set_url.sh", "password.js", "full_valueheader.htm", "0b3c:c700", "19d2:0166", "ASAuthorizationSecurityKeyPublicKeyCredentialRegistration.h", "opkg.conf", "22-dos_defense", "19d2:2000", "K98boot", "5443e9e3.0", "dhcp.script", "Copy of clientlib.js(39).download", "lanv6.sh", "hasownproperty.call \u2022 fireeye.grhd.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "embed.js.pobrane", "ldap_query.sh", "resolve.conf", "12d1:14fe", "ssh.lua", "openvpn-client-up.sh", "12d1:14c5", "Copy of clientlibs.js(4).download", "qos_cid.sh", "http://plix.net", "oalMacOSX_OALExtensions.h", "ramips.sh", "ipsec.conf", "19d2:0413", "S99sys_monitor", "1004:6156", "72-wan_ip_alias", "pppox-functions.sh", "rules.html", "Copy of clientlibs(3).css", "regnodes.h", "b1159c4c.0", "jquery.flot.pie.min.js", "value.htm", "rtl8367s_switch_portMirror", "firmware_upgrade.html", "pem.conf", "api.sh", "0e8d:7109", "dhcp_lan_settings.html", "dhcp_client.html", "Copy of clientlib(27).css", "cli_cmd.tree", "0af0:8300", "0af0:8201", "91-authlimit", "ipsec_check_domain_wrap.sh", "Copy of clientlib.js(44).download", "Copy of clientlib(31).css", "18856ac4.0", "S99ipv6", "85-ntp", "koi-win", "ndppd", "Copy of clientlib.js(45).download", "Copy of clientlib.js(38).download", "19d2:1536", "6d41d539.0", "session_monitor.html", "pycore_condvar.h", "sharecfg", "time64.h", "2001:a401", "ar8327_switch_portPara", "Copy of clientlib.js(43).download", "12d1:#linux", "106c:3b14", "12d1_0002", "50_indicate_regular_preinit", "valueheader.htm", "default.script", "dataTables.lang.js.pobrane", "mdns.html", "\u2018Lumen Technologies\u2019 Acting as administrator of a targeted Apple IOS device", "Copy of clientlib.js(2).download", "ppp-dhcp6c.script", "rtl8367s_register", "qos_polling.sh", "location.json", "ldap_profiles.html", "cli_accountmgnt_cmd.tree", "K91geoip", "GCControllerButtonInput.h", "WKOpenPanelParameters.h", "ASPasskeyAssertionCredential.h", "S99phddns", "fips-prf.conf", "pkcs7.conf", "find_index.lua", "alohatube.xyz", "GLOBALTRUST_2020.crt", "40-fs-msdos", "ipt-core", "IOUSBHostControllerInterfaceDefinitions.h", "magnific.js.pobrane", "ppp", "qos_ctl", "Hellenic_Academic_and_Research_Institutions_ECC_RootCA_2015.crt", "Copy of clientlib(42).css", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "SSL.com_Root_Certification_Authority_ECC.crt", "simpleform.htm", "libperl.tbd", "inittab", "16d8:6803", "0408:1000", "12d1:1f16", "jquery.flot.js", "Copy of clientlib(18).css", "ldap", "ASFoundation.h", "fc5a8f99.0", "12d1:14b7", "passthrough.sh", "0af0:7706", "upnp.html", "IOBluetoothUtilities.h", "25-ddns", "Amazon_Root_CA_3.crt", "IOBluetoothUIUserLib.h", "Virus:DOS/Hellspawn 192.168.122.49 10/16/25\t\u2022 IPv4 142.251.9.105", "99-vpn_hook.sh", "12d1:1f15", "mt7628_switch_portStatistic", "acl_timeobj_v6.lua", "pptp-client-delete.sh", "browser.htm", "error404.htm", "config.sh", "tcp_fsm.h", "config.xml", "spi_device_id", "GCGearShifterElement.h", "ASCredentialProviderExtensionContext.h", "qos_nf.sh", "0af0:8006", "sw3VTUzeRvWIVwvWSyk6S5gHWPxOOwU1OxerozmN4Hw.js.pobrane", "ASAuthorizationWebBrowserExternallyAuthenticatableRequest.h", "https://tria.ge/240521-ry949ahe2z/behavioral1", "988a38cb.0", "feature.h", "Copy of clientlib(17).css", "version.h", "cmxddns.html", "106c:3b06", "l2tp_tunnel.html", "map.js.pobrane", "S47flood_defense", "de6d66f3.0", "state_gen.lua", "12d1:1f18", "metaconfig.h", "www-embed-player.js.pobrane", "cli_interface_cmd.tree", "20a6:f00e", "url_func.sh", "interface_wan_standalone.html", "Copy of clientlib.js(53).download", "nat_config.sh", "python3.pc", "openvpn_tunnel.html", "cn9130_switch_portState", "10-motion", "daemons", "Copy of clientlibs.css", "12d1:15cd", "openvpn-client-connect.sh", "S68online", "perlio.h", "pubkey.conf", "udp.h", "treestore.js", "1da5:f000", "pppox-killtunnel.sh", "e-Szigno_Root_CA_2017.crt", "ngx_init.lua", "jquery.easing.min.js.pobrane", "core_wportal.sh", "19d2:0325", "perl_inc_macro.h", "dictionary.ascend", "99-mdns.sh", "AFKUser.tbd", "ssl_vpn_status.html", "get-vpn-gw.sh", "1410:5031", "GCLinearInput.h", "Copy of clientlib(16).css", "jquery.cookie.js.pobrane", "cs_dis.html", "057c:62ff", "WKDownloadDelegate.h", "1de1:1101", "WKUserContentController.h", "ASCredentialProviderViewController.h", "GCDualSenseAdaptiveTrigger.h", "D-TRUST_Root_Class_3_CA_2_EV_2009.crt", "ipt-extra", "luci", "15-mwan3", "pptp-get-tuunel-info.sh", "offcanvas.css", "0408:ea25", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "WKFindConfiguration.h", "02-vnet.sh", "rc2.conf", "parser.h", "29-static_route", "unicode_constants.h", "Urlscan", "23a2:1010", "attach_timeobj.lua", "Copy of clientlibs.js(3).download", "GCControllerDirectionPad.h", "ASAuthorizationError.h", "if_ether.h", "fvalue.htm", "status.js", "GKLeaderboardScore.h", "OpenAL.h", "8cb5ee0f.0", "patchlevel.h", "getVid.sh", "canvas.html", "98_10_mtk_failsafe_init", "hotplug-call", "10-fstab", "layout.min.js.pobrane", "qmi.sh", "MCSession.h", "257a:b000", "virtual_server.html", "add_delete.sh", "fieldset.js", "0af0:7901", "19d2:1542", "S20geoip", "preview_remind.html", "f5Y41t9wqY4.html", "firmware_managing.html", "cast_sender.js.pobrane", "32-ip6-tunnel", "reset.gcom", "cd58d51e.0", "Copy of clientlib.js(13).download", "OISTE_WISeKey_Global_Root_GB_CA.crt", "l2tp_server.html", "usermngr", "b7a5b843.0", "06dc52d5.0", "K25zone", "https://voidpet.io/invite/scaredscared/1rpzxWXa61 \u2022 https://sex-doggy.net/tag/censored", "dhcp_static.html", "cpuid.h", "core_interface.sh", "MCNearbyServiceAdvertiser.h", "GCSwitchPositionInput.h", "S99bootcount", "65-scsi-generic", "bootcount", "search_impl.js.pobrane", "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739500&Signature=r1pLCgJf%2FQK8TvenCwXy9bnghFzjJ5QssdQSLP37SLv6EkA3WXuFUIvKrsXKokco7bMfQUy%2FArk8F6aP%2Bhaj16Jv7P%2FGB%2Blf7mPvs47VjwfBJRCP8AZLlWvO45%2BjC68v798csdJFPTP31O4yDOE3pXZ3EThm4nSrIwLPhTSPfi3cPlEh2wLSzcySW7BYLw%2BqCoawFCxeLUz7hIV0vC89Mlwi3DeS%2BEnWFF%2FsvT9lVJjdbLoJLEeO", "Copy of clientlib.js(11).download", "zzomada_server", "portal_mgmt_monitor.sh", "ASAuthorizationPlatformPublicKeyCredentialAssertion.h", "preview_mobile_wifi.html", "1bbb:f052", "S96cmxddns", "access_ip_help.lua", "CFCA_EV_ROOT.crt", "0af0:8600", "arp_list.html", "UNDTypes.defs", "EntryChangeHistory.aspx.js.pobrane", "ipt-ipsec", "S99dnsproxy", "S99zzomada_server", "19d2:1224", "ar9533_register", "qipc_systemsem_xFMOjWbQizvIQbjaGodBkPpoECFzUYyznnjEncea48051f6b8a69e2450843f1f32c0bb393e04349", "12d1:155a", "ar8327_switch_led", "ipv6group_address.html", "1726:f00e", "ipt-conntrack-extra", "0421:0618", "nat_dmz.sh", "magnific.css", "57bcb2da.0", "1614:0800", "30-fs-btrfs", "zone_init_all.sh", "IDS Detections Win32/ZonaInstaller Install Beacon", "GKScore.h", "0df7:0800", "wireguard", "pppox-pppoetimer.sh", "ASAuthorizationPublicKeyCredentialParameters.h", "03f0:002a", "0af0:d001", "mt7628_switch_portRateControl", "djmobilemenu.css", "rtl8367s_switch_portStatistic", "access.lua", "WKProcessPool.h", "http://www.pcup.gov.ph/images/pdf/Contract_of_SecurityServices2013.pdf pcup.gov.ph:", "INUIAddVoiceShortcutViewController.h", "Copy of clientlib.js(37).download", "25-nls-cp932", "0af0:d058", "0af0:7601", "02_default_set_state", "vlan_relationTbl.html", "jquery.inputmask.min.js.pobrane", "leds.sh", "upnp_api.sh", "dropbear_rsa_host_key", "Copy of clientlib(14).css", "1d09:1000", "cleanTMP.sh", "dataTables.bootstrap4.css", "template.26.css", "trap.h", "04cc:2251", "25-nls-iso8859-8", "av.h", "S90openvpn", "firmware_reboot.html", "dhcp_server.html", "animate.ext.css", "f387163d.0", "tip.js", "0af0:8800", "ASAuthorizationPlatformPublicKeyCredentialRegistrationRequest.h", "Copy of clientlib(12).css", "ceidg-master.js.pobrane", "Entrust_Root_Certification_Authority.crt", "CredentialsCache.h", "IOUSBHostInterface.h", "mtab", "05-vnet-lanv6", "core_init.sh", "connmark.conf", "ipsec_sa.html", "overload.h", "DigiCert_Assured_ID_Root_G2.crt", "about.svg", "50-l2tp-up-down.sh", "priv-key.pem", "openvpn-easy-rsa", "16d8:700a", "0930:0d46", "remote_mngt.html", "http://ianswertomom.com/bible-verses-struggling-contentment-mom/ I", "WebGPU.tbd", "ed09:1021", "OSByteOrder.h", "luci-reload", "setpin.gcom", "improxy", "ip.h", "Copy of clientlib.js(60).download", "xl2tpd.conf", "https://vtbehaviour.commondatastorage.googleapis.com/000191c1c0d6d324e39789005b1f9851b00a7d709dee3b4d180e9fa0bcfd326f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775182332&Signature=Xp72bxydgpZ9NgLXV8g1uDJHZ8EUYhy4nqoLGz%2Bh0xoVg3BTq8x0TTFd2Yzzf7nTrREGSvgsL%2BAze%2F%2BynLQFKemQRaJjJvaK1zMdH6y2DhvPyI8gnZcOYdSJTRqEySyE8oR2qveCl85EFiqZ6h%2Fi1k7BfnQ5JBcSRwfyWVmvjaw11sN8hGrAoARJGgs8G1TeXg7evq1TANq0AsmNRp22VNwxTV0ybOoO%2FsRRerzCvQxY2Wdk%2BeKYE1qL", "igmp.h", "WKNavigation.h", "IOBluetoothObjectPushUIController.h", "util.js.pobrane", "vnet_init.sh", "usb_backup.html", "257a:c000", "19d2:1017", "MCBrowserViewController.h", "1410:5023", "dnsproxy.html", "ssl_vpn_user.html", "web_filter.html", "lan.js", "S80usbmuxd", "0421:0627", "19d2:1009", "19d2:0149", "chap-secrets", "Admin.tbd", "2048_newroot.cer", "bitcount.h", "pptp-tunnel-action.sh", "40-bonding", "S95ipstat", "time.js", "6fa5da56.0", "ipgroup_address.html", "S99drop_caches", "0af0:d257", "1004:61eb", "AffirmTrust_Premium_ECC.crt", "WKContentRuleListStore.h", "https://vtbehaviour.commondatastorage.googleapis.com/0e93e52376dcfb8eab491737c187ad68d786fab0005bbf9d2ffab78ba19db907_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1774998466&Signature=Y4QdGLgX1a6Ct5CMRDpH9RdwtjTzLLVBFFtxY64ZOhJ4cyy5f3YP7kNt%2Bu9euHjYaM5LUKHRWbswYwhD%2BbmD8KZT57GNGNGF4xYoyqPgzPY1AQodW%2BZx5f3iJqPbAZq9pUjOzXtm22B%2FEx7BVn5qcm86M9I6BaNp8%2FJW2vSfzsewT0w5WhMAjuB84fIG4LrKD2X46mnchNmREfC3GQtUPwzIIkj7IIv7xyHtwbu%2Fwyg8Ib1VFz", "telnet", "0af0:d055", "Network_Solutions_Certificate_Authority.crt", "buttongroup.js", "ASPasskeyCredentialRequest.h", "usb_storage.html", "12-netbios-passthrough", "19d2:1232", "chat-get-anydata_1", "Everyone has simply asked you alll to stop. Target never asked anyone for money.", "0af0:6811", "19d2:ffe6", "22f4:0021", "7719f463.0", "Russia or Muskware? URL http://store.7box.vip/ad/C467F60A1AD6.Jpeg", "WKContentWorld.h", "230d:0103", "25-pppox.sh", "administration", "sfe", "1e08bfd1.0", "ipsec_generate_domain.sh", "1ee8:0040", "ppp-mod-radius", "60-pptp-reload-rules.sh", "stickybar.js.pobrane", "line_backup.html", "unixish.h", "EXTERN.h", "l2tp-server", "04e8:680c", "ipt-ipv4options", "cn9130_switch_portStatistic", "65_nginx_sync.sh", "Copy of clientlibs(5).css", "0af0:d255", "GlobalSign_Root_CA_-_R6.crt", "Actalis_Authentication_Root_CA.crt", "ACCVRAIZ1.crt", "ASAuthorizationSecurityKeyPublicKeyCredentialAssertion.h", "dpi", "fs-exfat", "GKDialogController.h", "19d2:1013", "00_uhttpd_ubus", "70-pptp-ifdown.sh", "chat-get-anydata_2", "39-gre", "Copy of clientlib(3).css", "vm_fault.h", "sshkey.conf", "https://polling.portal.gov.bd/js/npop.script.js", "S25zone", "99-nginx.sh", "S99dpi", "ipt-filter", "print_server.html", "22-access_ctl", "EC-ACC.crt", "scripts.js.pobrane", "ucisection.htm", "action_check.html", "error.html", "zone_api_core.sh", "l1_char_class_tab.h", "50-improxy", "AuthenticationServicesCore.tbd", "wechat_wifi.html", "f51bb24c.0", "21f5:3010", "GKMatch.h", "jquery.flot.barnumbers.js", "1c9e:9800", "perldtrace.h", "244b5494.0", "ar8327_switch_portStatistic", "switch_portStatus.html", "snmpd-static", "fw", "https://serverhub.com/combine/a059fe7a562c0b582328162f0ee69fda-1426025688", "S80websort", "system.sh", "vlan_network", "12d1:1f07", "2001:a403", "stroke.conf", "ips_stats.html", "12d1:1446", "zone-450", "cli_snmp_cmd.tree", "0af0:8400", "libradiusclient-ng.la", "sys_monitor.conf", "12d1:1520", "S46iptv", "90-urlset", "GCAxisInput.h", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "31-iptunnel6", "network_netinfo.htm", "cmd.sh", "vm_map.h", "pppox-load-user.lua", "Copy of clientlib.js(7).download", "url_escape.sed", "mt7621_switch_portState", "sessmngr.html", "AuthenticationServices.apinotes", "hv_func.h", "Starfield_Class_2_CA.crt", "waitingbar.js", "countrygroup", "vfs_support.h", "Copy of clientlib(37).css", "UNDRequest.defs", "dhcp", "OSReturn.h", "Trustwave_Global_ECC_P256_Certification_Authority.crt", "online.html", "rtl8367s_switch_portState", "sddm-auth-52b94a64-454a-4d7f-903e-32df6aac784a", "jquery-3.0.0.js.pobrane", "cli_clock_cmd.tree", "WKNavigationDelegate.h", "pptp", "GKAchievementDescription.h", "ASAuthorizationSingleSignOnCredential.h", "25-nls-cp437", "vForce.h", "3513523f.0", "alg.html", "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "GCMicroGamepadSnapshot.h", "vm_shared_region.h", "sysctl.conf", "attr.conf", "UrlVoid", "32-ipsec4", "xl2tp-secrets", "5ad8a5d6.0", "kdp_callout.h", "19d2:1528", "WKScriptMessage.h", "utfebcdic.h", "nat_core.sh", "GCRacingWheelInput.h", "19d2:1523", "ie.css", "djmegamenu.26.css", "f249de83.0", "12d1:1583", "usb-net-asix", "IdenTrust_Public_Sector_Root_CA_1.crt", "GCTouchedStateInput.h", "xF43MOjWbQiz+vIQbjaGodBk4PpoECFzUYyznnj8Enc=", "1ee8:0013", "S92qos_ctl", "offcanvas.js.pobrane", "base-files", "balance_basic.html", "INUIEditVoiceShortcutViewController.h", "hxxps://portal[.]office[.]com/Account", "vm_far.h", "98-ipt_url_dns_match", "0af0:d013", "230d:000b", "runcommand.gcom", "emSign_ECC_Root_CA_-_C3.crt", "x509.conf", "We apologize for so may typos and errors. We strive to do better at that.", "01_leds", "GKAchievement.h", "12d1:380b", "makeapornsite.com \u2022 https://pornhighschool.com/ \u2022 https://ethnicerotic.com \u2022 https://twitter.com/Make", "https://d31qbv1cthcecs.cloudfront.net/atrk.js", "IOBluetooth.h", "mt7628_switch_led", "1c9e:f000:uMa=USB_Modem", "GKError.h", "ospf.html", "50-arp_garp", "al.h", "monotonic.h", "reentr.h", "l2tp-reload.sh", "5273a94c.0", "combobox.js", "12d1:1805", "tss.h", "options.default", "70-switch.sh", "time_mngt.html", "ipsec_execute_stroke.sh", "smp.sh", "op_reg_common.h", "vnet", "bootstrap-gov-pl.css", "S99zzzcloud_proc", "IOUSBHostPipe.h", "static_route", "enablemodem", "1bbb:f000", "mt7621_switch_globalLed", "S46nat", "jquery.feedbackBadge.min.js.pobrane", "70_initramfs_test", "ar9533_switch_portMirror", "https://www.google \u2022 https://ampcid.google.com/v1/publisher \u2022\u2019https://ampcid.google.com/v1/publisher:getClientId\\", "2001:a80b", "Security_Communication_RootCA2.crt", "certSIGN_ROOT_CA.crt", "perlvars.h", "monitor", "12d1:15cf", "ssl_vpn_auth_radius.html", "30-fs-hfs", "1004:607f", "getcnum.gcom", "ASAuthorizationSecurityKeyPublicKeyCredentialProvider.h", "nonce.conf", "Hellenic_Academic_and_Research_Institutions_RootCA_2015.crt", "ar9533_switch_portPara", "ASAuthorizationCredential.h", "Copy of js", "smschk.gcom", "dpi_log_database.sh", "Copy of clientlibs(2).css", "cn9130_switch_portPara", "jquery.json-2.4.min.js", "https://vtbehaviour.commondatastorage.googleapis.com/edb4c21d60daa44b3429e7ba9bfa342759ebef23c136c934f74aef145453ce19_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775737710&Signature=fbsokraSd7lsYmUfaTEl8Phs2K3hp7AtVmQU9axeEBcYmYbrrYrrfpP5lPEQaE%2Fh3%2BEP9Rn8mD8D1haqQVXCN0VVlxJ4sddjWmyC5USsgBsvUb0%2F72h1WHDS2KXHlteZWE%2Bauckabain9D5kX501AnqFY38s77OIqO6SMOkQ%2BvXiDSSRK%2FZhbfradBnei3ZLHsXGxkoshTyvB0%2BC%2F8SiUzdVsqSjik0Bn2r%2BIlLpDQK90GlZTD0N", "12d1:1010", "modem-gsm-test-anydata.gcom", "WKPreviewActionItem.h", "ASWebAuthenticationSessionRequest.h", "2001:98ff", "cop.h", "10-firewall.sh", "0af0:6711", "97-route.sh", "procd.sh", "macgroup", "1410:5020", "tsection.htm", "T-TeleSec_GlobalRoot_Class_2.crt", "cv.h", "230d:0007", "nat_alg.sh", "70-backup", "cn9130_switch_portVlan", "caption.js.pobrane", "NetLock_Arany_=Class_Gold=_F?tan\u00fas\u00edtv\u00e1ny.crt", "delete-service.sh", "GKGameSessionEventListener.h", "AC_RAIZ_FNMT-RCM.crt", "106c:3b03", "mt7621_switch_led", "popper.js.pobrane", "noipddns.html", "Copy of clientlib(41).css", "dhcp6c", "ffff_0003", "12d1_0001", "ncm.sh", "chat-gsm-test", "0471:1210:uMa=Wisue", "10-pppox-response-nat.sh", "1fac:0150", "pptp-global-setting.sh", "https://www.ptv.vic.gov.au/more/travelling-on-the-network/lets-go/", "pppox-header.sh", "GCPressedStateInput.h", "ASAuthorizationPasswordProvider.h", "GCDeviceLight.h", "remote_mngt", "tabmenu.htm", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "0af0:7051", "07d1:a800", "3fb36b73.0", "server-cert.pem", "IOBluetoothDeviceSelectorController.h", "IOPCIFamilyDefinitions.h", "firewall.user", "usb-storage", "grid.js", "arm_features.inc", "GCKeyboard.h", "ASCOSEConstants.h", "QuoVadis_Root_CA_2_G3.crt", "textarea.js", "Copy of clientlib(53).css", "cli_access_cmd.tree", "system_state.html", "607986c7.0", "Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.crt", "style-pcdemo.css", "number.js", "GCControllerAxisInput.h", "l2tp-ipsec-setstatus.lua", "S15loggerd", "1c9e:9101", "one_nat.html", "jquery-migrate-1.2.1.js.pobrane", "git_version.h", "webfilter", "bootp.h", "form.h", "S99improxy", "30-fs-jfs", "dhcp_logrotate", "19d2_0003", "ipsec_tunnel.html", "064e0aa9.0", "057c:84ff", "GCSyntheticDeviceKeys.h", "IOUSBHostCIPortStateMachine.h", "2b349938.0", "0af0:6751", "ipt-nat-extra", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "netifd-proto.sh", "GKMatchmakerViewController.h", "switch.js", "98-ipsec.sh", "OSKextLib.h", "vpnlog", "12d1:1f1d", "ASAuthorizationPublicKeyCredentialRegistrationRequest.h", "05c6:1000:uMa=SSE", "INImage+IntentsUI.h", "12d1:1003", "GCDevicePhysicalInputState.h", "splitaccess", "0f5dc4f3.0", "dbus-K5ae4EDHao", "firewall_zoneforwards.htm", "GCPhysicalInputElement.h", "index.txt", "16d8:f000", "4a6481c9.0", "IOPCIDevice.iig", "04cc:226e", "96-phddns.sh", "pp_proto.h", "cli_ipsec_cmd.tree", "0685:2000", "vlan.lua", "80-balance.sh", "GCMicroGamepad.h", "2001:a405", "led_set", "32-l2tp", "capture_resize.js", "0af0:6791", "dictionary.microsoft", "netbios_passthrough", "AffirmTrust_Networking.crt", "cell-0.af-south-1.prod.telemetry.console.api.aws", "653b494a.0", "10-l2tp-pptp.sh", "1410:5030", "S99usbmodem", "1c9e:9e08", "40-fs-nfs", "0af0:d357", "SSL.com_EV_Root_Certification_Authority_ECC.crt", "GKBasePlayer.h", "http.lua", "indexer.htm", "Tesla Hackers | https://www.teslarati.com/spacex", "in_private.h", "pppox-default-variables.sh", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "firmware_backuprestore.html", "pptp-client-global", "40-imb.sh", "40-pppoa", "http://cabinet.gov.bd/dead.php", "remote.js.pobrane", "2001:a805", "online_api.sh", "x86_64-apple-macos.swiftinterface", "12d1:1f01", "vlan", "directip-stop.gcom", "sys_monitor", "05c6:1000:uMa=CELOT", "https://stats.g.doubleclick.net/j/collect\\ \u2022 https://tagassistant.google.com/ \u2022 https://www.google.com/ads/ga", "TrustCor_RootCert_CA-2.crt", "zone_api_all.sh", "inline.h", "hwnat", "1b7d:0700", "9c8dfbd4.0", "S47dos_defense", "bootstrap.js.pobrane", "https://tria.ge/240521-rxpf6ahd6w", "10_indicate_preinit", "0af0:7251", "WKNavigationAction.h", "70-policy_route.sh", "12d1:1553", "ww.google.com.uy", "controller.lock", "20-firewall", "main.js.pobrane", "12d1:1414", "This is why our team tells a back story. It can and does happen to anyone.", "ASAuthorizationAppleIDRequest.h", "ASAuthorizationAppleIDCredential.h", "gre", "1fac:0130", "0471:1210:uMa=Philips", "1004:61aa", "2001:a706", "invlist_inline.h", "vpn_wireguard.html", "2001:a708", "vmparam.h", "76cb8f92.0", "ASAuthorizationWebBrowserPlatformPublicKeyCredentialAssertionRequest.h", "hv_macro.h", "K10improxy", "core_forwarding.sh", "file.js", "f39fc864.0", "l2tp-get-tunnel-info.sh", "97-upnp.sh", "Copy of clientlib.js(4).download", "99-ipt_TRIGGER", "group", "zzddns", "f30dd6ad.0", "12d1:1557", "cn9130_switch_globalLed", "rtl8367s_switch_init", "Copy of clientlib.js(12).download", "online_check", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "GCControllerElement.h", "Copy of clientlib(45).css", "1ee8:0063", "05c6:1000:uMa=AnyDATA", "0fce:d0df", "emSign_ECC_Root_CA_-_G3.crt", "99-z3g4g-connect", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "https://cop.supply/supreme-bots/\u2022 https://cop.supply/useful-tools/", "0af0:7a05", "00-netstate", "header.htm", "fstab", "l2tp", "40193066.0", "appflow_statistics.html", "account_config.html", "vm_options.h", "cellinfo.gcom", "89-portal", "web_func.sh", "Copy of clientlib(30).css", "services", "Copy of clientlib.js(16).download", "ssl_vpn_quicksetup.html", "network.sh", "radvd", "GKGameSessionSharingViewController.h", "68dd7389.0", "40-qos", "201e:1023", "QuoVadis_Root_CA_3_G3.crt", "ui.notify.css", "Copy of clientlib.js(15).download", "6rd.sh", "SecureSign_RootCA11.crt", "jquery.maskedinput-1.2.2.js.pobrane", "Copy of clientlib(49).css", "Certum_Trusted_Network_CA.crt", "dpi_tmngtd.sh", "https://tagassistant.google.com/ \u2022 https://www.google-analytics.com/debug/bootstrap?id=", "GKNotificationBanner.h", "0d46:45a1", "1266:1000", "S42ipgroup", "S50queueventd", "ffff_0001", "Copy of clientlib.js(25).download", "jquery-noconflict.js.pobrane", "30-fs-vfat", "pmap.h", "16d8:6804", "openvpn_server.html", "cell_valueheader.htm", "usbModem.html", "12d1:14d1", "TrustCor_ECA-1.crt", "19d2:1038", "https://aplikacja.ceidg.gov.pl/CEIDG/CEIDG.Public.UI/EntryChangeHistory.aspx?Id=855bdfc1-7dbc-4a86-9d27-89ebb0ecf166&archival=False", "dns.army \u2022 www.dcopr.dns.army \u2022 www.glsyaiwjj.dns.army \u2022 www.wgmvk.dns.army", "protofind.lua", "MCAdvertiserAssistant.h", "626dceaf.0", "9482e63a.0", "uhttpd", "19d2:1233", "wifi", "ipc_pthread_priority_types.h", "zone_api.sh", "pppv6.sh", "GCDeviceBattery.h", "GKGameSession.h", "krpc.h", "openssl.conf", "ipxd", "nat_dmz.html", "pptp_client.html", "05_set_iface_mac_mediatek", "0e8d:0002:uPr=MT", "firewall", "ar8327_register", "nat_one.sh", "http://emrd.gov.bd/dead.php", "ASPasswordCredentialRequest.h", "INUIAddVoiceShortcutButton.h", "access_dir_help.lua", "constraints.conf", "GCDevicePhysicalInputStateDiff.h", "ASAuthorizationAppleIDButton.h", "201e:2009", "get_temperature.sh", "loggerd", "GCButtonElement.h", "ar9533_switch_portRateControl", "usb-net-rndis", "ssl_vpn_auth.html", "GCRacingWheel.h", "ASPasswordCredential.h", "12d1:14ba", "nginx.conf", "mt7621_switch_portRateControl", "profile.h", "scope.h", "KUNCUserNotifications.h", "GCKeyNames.h", "route_api.sh", "ipsec_monitor_tunnel.sh", "l2tp-server.reference", "cpu_capabilities_public.h", "12d1:1f11", "32-ipsec6", "bridge.html", "1410:5041", "modem_scan.sh", "nat", "AC_RAIZ_FNMT-RCM_SERVIDORES_SEGUROS.crt", "GCExtern.h", "lz4_constants.h", "pptp_server.html", "S45firewall", "wportal_free.html", "1410:5055", "Comodo_AAA_Services_root.crt", "qos_state.sh", "switch_portVlan.html", "cli_show_interface_status_cmd.tree", "dynamic_dns_dyndns.sh", "session_limits.html", "check_switchmode.lua", "cli_server", "GTS_Root_R4.crt", "0af0:4007", "osui.sock", "asm_help.h", "Copy of dir (1).c9r", "ip_var.h", "io.h", "openvpn_client.html", "GTS_Root_R3.crt", "05c7:1000", "failsafe", "chunk-common.72de4705.css", "CredentialsCache2.h", "WKHTTPCookieStore.h", "10a9:6080", "0bdb:1910", "vutil.h", "29-fs-fscache", "ASAccountAuthenticationModificationController.h", "148e:a000", "GKLeaderboard.h", "qipc_sharedmemory_xFMOjWbQizvIQbjaGodBkPpoECFzUYyznnjEncea48051f6b8a69e2450843f1f32c0bb393e04349", "app.manifest", "switch_portMonitor.html", "locks.h", "MultipeerConnectivity.tbd", "openvpn-server-down.sh", "LDAP.tbd", "ifrestart", "https://widget.intercom.io/widget/rbc8ok9w", "getcardinfo.gcom", "WKUIDelegate.h", "add_delete_tuple.sh", "Certum_EC-384_CA.crt", "dns_cache.html", "ifup", "line_backup", "GCDeviceHaptics.h", "1c9e:98ff", "starter.conf", "chat-get-qualcomm_2", "https://matomo.www.gov.pl/analytics/js/container_68lYTZ79.js", "062cdee6.0", "90-xt_CTSTATEMARK", "1f28:0021", "ifup_down.sh", "template_responsive.26.css", "GameController.h", "ddns", "19d2:0115", "15-online.sh", "dynamic_dns_noip.sh", "f3377b1b.0", "sierrainfo.gcom", "regcomp.h", "fw.sh", "rc.local", "phddns", "30-gpio-button-hotplug", "utils.sh", "Any.run", "button.htm", "Amazon_Root_CA_4.crt", "22de:6801", "l2tp-functions.sh", "ssl_vpn_tunnel.html", "WebDriver.tbd", "S96policy_route", "iptables.debug", "setapn.gcom", "mt7628_switch_portState", "0421:0632", "queueventd", "gssapi_generic.h", "GCAxisElement.h", "GKGameCenterViewController.h", "S96backup", "feedback.js.pobrane", "AppSandbox.tbd", "1-lanhook.sh", "dosish.h", "ipv6_lan.html", "12d1:1da1", "0a775a30.0", "icmp_var.h", "dataTables.input.js.pobrane", "0af0:6951", "0421:0610", "19d2:bccd", "baseinfo.gcom", "e18bfb83.0", "copyio.h", "0d46:45a5", "md5.js", "vpn_general.html", "12d1:1031", "10-metric.sh", "0421:0637", "0af0:9000", "pki.conf", "12d1:1c24", "19d2:0083:uPr=WCDMA", "proxy.js", "S60monitor", "Microsec_e-Szigno_Root_CA_2009.crt", "40_run_failsafe_hook", "S97gre_init", "style.css", "perliol.h", "S70usbshare", "client.crt", "WebKit.h", "IOBluetoothUserLib.h", "Sneaker Bots Proxies Servers Cook Groups Cop Supply", "257a:a000", "eed8c118.0", "mt7621_switch_portMirror", "network_ifacelist.htm", "debug.lua", "https://www.google-analytics.com/gtm/js?id=\\ \u2022 https://www.googletagmanager.com/gtag/js?id= \u2022", "options.xl2tpd", "protocol", "Copy of clientlib(9).css", "30-fs-ext4", "ASAccountAuthenticationModificationReplacePasswordWithSignInWithAppleRequest.h", "WKScriptMessageHandler.h", "19d2:1420", "0af0:d057", "ngx_sqlApi.lua", "OISTE_WISeKey_Global_Root_GC_CA.crt", "interface.html", "sel.h", "url_filtering.html", "qos_Band_ctrl.html", "evdo.chat", "application_list.html", "25-nls-iso8859-15", "TeliaSonera_Root_CA_v1.crt", "Hybrid Analysis", "1ee8:0060", "ASAuthorizationPublicKeyCredentialLargeBlobAssertionInput.h", "98-ipt_websec_match", "cbf06781.0", "done", "Copy of clientlib(48).css", "jquery.ui.sortable.min.js.pobrane", "WebKit.tbd", "1ee8:0045", "usb-serial-option", "core_tpfirewall.sh", "Copy of clientlib(35).css", "ar9533_switch_init", "djimageslider.css", "GCInputNames.h", "0af0:7111", "https://cop.supply/proxies-lists/ \u2022 https://cop.supply/shopify-bots/", "char_conv.sh", "jquery.dataTables.js.pobrane", "Copy of clientlib.js(18).download", "11-led", "ipsec.secrets", "2020:0002", "session_limits.sh", "10a9:606f", "ASAuthorizationController.h", "common.sh", "https://feedback.ptv.vic.gov.au/360", "1c9e:1001", "button.js", "ASAuthorizationOpenIDRequest.h", "ubi_make_extra_volume.sh", "S99system_params", "mt7621_register", "diag.sh", "22-access_ctl.sh", "31-iptunnel4", "cc450945.0", "002c0b4f.0", "pppox-wheader.sh", "0e8d:0002:uPr=Product", "libstdc++.so.6.0.21-gdb.py", "mg_data.h", "0af0:d157", "25-nls-iso8859-2", "mmc", "0af0:7a01", "https://pcup.gov.ph/375 pcup.gov.ph: | https://www.pcup.gov.ph/ pcup.gov.ph:", "3g.chat", "encode.h", "https://bilety.polregio.pl", "l2tp-doipsec.sh", "interface_wan.html", "msg.js", "https://palapa.c.id\t (c.id)", "ASExtensionErrors.h", "map.htm", "dnsproxy", "vtysh.conf", "0af0:7211", "run-at.gcom", "usb-net-qmi-wwan", "zzzzzsys_info", "46-nat.sh", "krb5.h", "20-fs-exportfs", "GKSavedGame.h", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Copy of clientlib(50).css", "cd8c0d63.0", "ar8327_switch_portMirror", "98-ipt_webfilter_match", "dynlist.htm", "SwiftUI.swiftoverlay", "uuid.h", "0af0:8304", "0af0:d035", "crypto-hw-eip93", "S60pptpd", "jquery.notify.min.js.pobrane", "ASAccountAuthenticationModificationExtensionContext.h", "19d2:0103", "WKPDFConfiguration.h", "ui.datepicker-pl.js.pobrane", "04cc:226f", "fa5da96b.0", "switch_Parameter.html", "lz4.h", "Copy of fbevents.js.download", "50-usb-uhci", "GCAxis2DInput.h", "strongswan.conf", "30-3g", "jquery.flot.crosshair.js", "nsswitch.conf", "opcode.h", "WKWebpagePreferences.h", "netifd-wireless.sh", "appdist.html", "cli_nat_cmd.tree", "dhcp6c.script", "clock.lua", "4304c5e5.0", "S50uhttpd", "GlobalSign_ECC_Root_CA_-_R4.crt", "Copy of clientlib(38).css", "libopenldap", "firewall_zonelist.htm", "Copy of clientlib.js(35).download", "diagnostic.html", "S99led_set", "login.html", "capture_0.bundle.js", "GKFriendRequestComposeViewController.h", "ipt-tproxy", "S42ipv6group", "99_10_run_init", "start_rule.sh", "zaphod32_hash.h", "embed.html", "12d1:1d50", "8160b96c.0", "udp_var.h", "cli_show_iface_cmd.tree", "12d1:1f03", "account_mngt.html", "ASAuthorizationPublicKeyCredentialLargeBlobAssertionOutput.h", "ipgroup_view.html", "OpenAL.tbd", "userconfig.sh", "Copy of clientlib(44).css", "time_setting", "0408:f001", "GCDirectionPadElement.h", "mt7621_switch_portStatistic", "S89remote_mngt", "Staat_der_Nederlanden_EV_Root_CA.crt", "19d2:1514", "magnific-init.js.pobrane", "Copy of clientlib.js(17).download", "pkcs12.conf", "zone_conf.sh", "USERTrust_RSA_Certification_Authority.crt" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "Turla Group, FIN7, APT34, APT28, DragonForce Malaysia Hacker Group, Indonesia Islamic Warriors Counc", "Tesla Hackers" ], "malware_families": [ "Unix.trojan.tsunami-6981155-0", "Trojandropper:win32/muldrop.v!mtb", "Mirai (elf)", "Osreturn", "Backdoor:msil/remcos", "Backdoor:win32/arwobot.b", "Nanocore rat", "Kraddare", "Formbook", "Pws:win32/vb.cu", "Anda", "Tel:trojan:msil/agenttesla.vpa!mtb", "Ddos:linux/gafgyt.ya!mtb", "Nids", "Backdoor:win32/tofsee.t", "Noname057", "Osatomic", "Bazaar loader", "Ransomexx", "Outubro", "Agenttesla", "Tente", "Cve-2017-11882", "Vd", "Racoon stealer", "Systweak", "Trojandownloader:win32/cutwail", "Alf:heraklezeval:pua:win32/spyrixkeylogger", "Detplock", "Alf:ransom:win32/babax.sg!mtb", "Virus:dos/hellspawn", "Gc", "Win32:botx-gen\\ [trj]", "Internet", "Ver", "Worm", "Pws:win32/axespec.a", "Ghandi", "Backdoor:linux/demonbot.aa!mtb", "Vui", "#lowfi:vbexpensiveloop", "Unix.trojan.gafgyt-6981154-0", "Alf:heraklezeval:trojan:msil/gravityrat!rfn", "Win.trojan.tepfer-61", "Wipes", "Trackingclient", "Emotet", "Swort", "Silk road", "Win.malware.mikey-9949492-0", "Trojanspy", "Trojanspy:win32/nivdort", "Trojan.tofsee/botx", "Trojandropper:win32/systex.a", "Trojanproxy:win32/malynfits", "Win.downloader.small-4507", "Vasaris", "Worm:win32/lightmoon.h", "Win.trojan.gravityrat-6511862-0", "Win.trojan.dialer-266", "Cycbot", "Virus:win32/lywer", "Virtool:win32/vbinject.gen!mh", "Alf:exploit:o97m/cve-2017-8977", "Hammer", "Njrat - s0385", "#lowfi:hstr:criakl.b1", "Srpanj", "Trojan:win32/wacatac", "Quasar rat", "Win.trojan.12382640-1", "Trojan:win32/qbot.r!mtb", "Ransom:win32/crowti.a", "Worm:vbs/dapato", "Rabu", "Redline", "Trojandownloader:win32/cutwailransom:win32/crowti.a", "Maltiverse", "Wannacry kill switch", "Win.packed.bandook-9882274-1", "Alf:nid:susp_nsis_stub.a", "Alf:jasyp:trojan:win32/ircbot!atmn" ], "industries": [ "Education", "Government", "Chemical", "Construction", "Energy", "Agriculture", "Insurance", "Technology", "Media", "Telecommunications", "Healthcare", "Defense", "Biotechnology", "Legal, financial, healthcare, government, municipal, real-estate, enterprise-technology, critical-in", "Transportation", "Finance" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 50, "pulses": [ { "id": "69eb254f17eb4a2a990f07e5", "name": "LevelBlue - Open Threat Exchange", "description": "[ As part of security research, we look at some of the most well-known vulnerabilities in the PDF ecosystem, and how they can be identified and mitigated, with the help of a simple hash.] [64xxxx]", "modified": "2026-05-28T07:10:11.800000", "created": "2026-04-24T08:09:51.488000", "tags": [ "pdfkit", "cve202225765", "exploit script", "github", "unicordev", "cves", "xml external", "entity", "pdfs", "knowledge base", "python", "mozilla", "virustotal", "cisa", "apple", "microsoft", "pdfkit ruby", "remote code", "execution", "urls", "malware", "raid", "caddywiper", "wipes", "cve202543529", "webkit", "february", "cve202620643", "bypass", "march", "webkit bug", "command", "control", "levelblue", "open threat" ], "references": [ "https://otx.alienvault.com/indicator/ip/198.49.23.145#:~:text=CIDR:%206%20%7C%20CVE:%20107,infrastructure%20into%20global%20botnet%20clusters." ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Wipes", "display_name": "Wipes", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1084, "FileHash-SHA1": 874, "FileHash-SHA256": 3052, "CVE": 36, "domain": 437, "hostname": 1086, "URL": 1411, "CIDR": 15, "email": 13 }, "indicator_count": 8008, "is_author": false, "is_subscribing": null, "subscriber_count": 70, "modified_text": "3 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a16a621eac2621d97ca6596", "name": "Credit Q.Vashti [\"Device Isolation | Lumen Technologies | Palantir and\"] clone by Q Vashti (researcher)", "description": "", "modified": "2026-05-27T08:25:07.936000", "created": "2026-05-27T08:06:57.005000", "tags": [ "url https", "url http", "tlsv1", "whitelisted", "united", "read c", "as15169", "stcalifornia", "execution", "dock", "write", "persistence", "malware", "encrypt", "active", "lumen technologies", "number", "error", "regexp", "sxa0", "amptoken", "optout", "retrieving", "notfound", "unknown", "form", "flash", "backdoor", "writeconsolew", "yara detections", "command line", "pdb path", "pe resource", "internalname", "windows command", "A", "aws", "name servers", "url analysis", "passive dns", "urls", "data upload", "extraction", "palantir", "c2", "aerospace", "tracking", "spywatchdog", "palapa-c2", "communications satellite", "amazon", "hughesnet", "icmp traffic", "washington c", "washington ou", "mopr", "mon jul", "local", "dynamic", "apple", "network", "t1057", "discovery", "t1069", "t1071", "protocol", "t1105", "tool transfer", "t1480", "guardrails", "t1566", "present jan", "unknown ns", "ip address", "dnssec", "domain", "dynamic dns", "government", "pcup", "germany unknown", "link", "dns hosting", "cloudns", "cloud dns", "a domains", "ipv4 add", "title", "meta", "class", "servers", "present aug", "aaaa", "present sep", "present nov", "present jul", "present may", "moved", "canada unknown", "begin", "record value", "gmt content", "type", "hostname add", "files", "ascii text", "pattern match", "href", "mitre att", "ck id", "ck matrix", "network traffic", "et info", "general", "path", "click", "learn", "command", "name tactics", "suspicious", "informative", "adversaries", "input url", "defense evasion", "france", "ireland", "netherlands", "denmark", "united kingdom", "type indicator", "role title", "added active", "savvis", "centurylinktechnology", "hybrid analysis", "monitoring tools", "monitored target", "triangulation", "worm", "intel", "ms windows", "pe32", "write c", "delete c", "show", "russia as47764", "unix", "lsan jose", "odigicert inc", "markus", "url add", "http", "related nids", "files location", "russia flag", "russia hostname", "russia", "russia unknown", "hosting", "federation flag", "body", "gmt vary", "accept encoding", "gmt cache", "certificate", "pulse submit", "unknown aaaa", "search", "entries", "script domains", "script urls", "pdx cf" ], "references": [ "\u2018Lumen Technologies\u2019 Acting as administrator of a targeted Apple IOS device", "Yare: compromised_site_redirector_fromcharcode", "Alerts: network_icmp nolookup_communication js_eval recon_fingerprint", "Alerts: console_output has_pdb pe_unknown_resource_name", "File Type PEXE - PE32+ executable (console) x86-64, for MS Windows ..", "Tipped: A targets AI and other cyber research findings.", "A \u2018Target\u2019 became a \u2018Target\u2019 vja close association to main Target of predatory retaliation campaign.", "track.spywarewatchdog.org \u2022 https://track.spywarewatchdog.org - monitoring software", "https://palapa.c.id\t (c.id)", "Containers-Pecorino.PalantirGov.com -pecorino.palantirgov.com", "cedevice.io \u2022 decagonsoftware.com", "http://applevless.dns-dynamic.net/\t\u2022 dns-dynamic.net", "http://www.pcup.gov.ph/images/2018/pdf/ComEnBancReso/Commission_Resolution_07s2018.PDF", "pcup.gov.ph:", "http://www.pcup.gov.ph/images/pdf/Contract_of_SecurityServices2013.pdf pcup.gov.ph:", "https://pcup.gov.ph/375 pcup.gov.ph: | https://www.pcup.gov.ph/ pcup.gov.ph:", "https://elegantcosmedampyeah.pages.dev/", "https://www.ptv.vic.gov.au/more/travelling-on-the-network/lets-go/", "inst.govelopscold.com", "https://feedback.ptv.vic.gov.au/360", "nginx-php.7d4jelnf.trdlpbvl.sdp3.sdp.vic.gov.au", "nginx-php.standby.content-premier-vic-gov-au.sdp3.sdp.vic.gov.au", "https://hybrid-analysis.com/sample/a16d11910953b800369dbb667f178b3cc45cb8e3315217c0e6ceac68eeba206d", "https://brand.centurylinktechnology.com", "https://prod.centurylinktechnology.com", "https://brand2.centurylinktechnology.com", "https://mobile-pocket-guide.centurylinktechnology.com", "UPX_OEP_place", "Russia or Muskware? URL http://store.7box.vip/ad/C467F60A1AD6.Jpeg", "ASP. NET", "https://connect.facebook.net/en_US/sdk.js#xfbml=1&version=v4.0&appId=705930270206797&autoLogAppEvents=1 Akamai rank:", "7box.vip" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan.Tofsee/Botx", "display_name": "Trojan.Tofsee/Botx", "target": null }, { "id": "ALF:JASYP:Trojan:Win32/IRCbot!atmn", "display_name": "ALF:JASYP:Trojan:Win32/IRCbot!atmn", "target": null }, { "id": "PWS:Win32/Axespec.A", "display_name": "PWS:Win32/Axespec.A", "target": "/malware/PWS:Win32/Axespec.A" }, { "id": "Worm:Win32/Lightmoon.H", "display_name": "Worm:Win32/Lightmoon.H", "target": "/malware/Worm:Win32/Lightmoon.H" } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1439", "name": "Eavesdrop on Insecure Network Communication", "display_name": "T1439 - Eavesdrop on Insecure Network Communication" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1069.003", "name": "Cloud Groups", "display_name": "T1069.003 - Cloud Groups" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [], "TLP": "green", "cloned_from": "697cdce9ec418c422eee2054", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 102, "FileHash-SHA1": 59, "FileHash-SHA256": 1929, "domain": 854, "hostname": 2156, "URL": 4475, "SSLCertFingerprint": 9, "email": 8, "CVE": 2 }, "indicator_count": 9594, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "4 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69e434769e2a43c088066ca2", "name": "Kraddare \u2022 Agent Tesla \u2022 CVE Jar clone credit octoseek", "description": "", "modified": "2026-05-19T00:09:08.840000", "created": "2026-04-19T01:48:38.335000", "tags": [ "heur", "cisco umbrella", "site", "alexa top", "malware", "million", "xcnfe", "maltiverse", "malware site", "safe site", "malicious", "trojan", "artemis", "vidar", "redline stealer", "raccoon", "keylogger", "riskware", "agent tesla", "remcos", "stealer", "miner", "hacktool", "bank", "agenttesla", "agent", "unknown", "downloader", "unsafe", "detplock", "networm", "win64", "service", "smokeloader", "dropper", "crack", "alexa", "trojanspy", "detection list", "blacklist https", "kyriazhs1975", "noname057", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "blacklist", "cyber threat", "united", "engineering", "phishing", "covid19", "facebook", "phishing site", "paypal", "njrat", "emotet", "nanocore rat", "meterpreter", "azorult", "download", "msil", "bladabindi", "mirai", "pony", "nanocore", "bradesco", "cobalt strike", "cve201711882", "redline", "ssl certificate", "tsara brashears", "cyberstalking", "spyware", "apple ios", "quasar", "ransomware", "malware norad", "cry kill", "attack", "installer", "formbook", "lockbit", "open", "banker", "bazarloader", "core", "ransomexx", "name verdict", "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "script", "beginstring", "ascii text", "null", "date", "error", "span", "refresh", "class", "generator", "critical", "body", "look", "verify", "restart", "meta", "hybrid", "general", "click", "strings", "tools", "as141773", "as63932", "moved", "passive dns", "search", "entries", "gmt content", "type", "keep alive", "scan endpoints", "all octoseek", "pulse pulses", "as17806 mango", "blacklist http", "phishtank", "malicious site", "apple", "blockchain", "runescape", "twitter", "qakbot", "asyncrat", "team", "internet storm", "generic", "union", "bazaloader", "media", "generic malware", "hostname", "suppobox", "netwire rc", "installcore", "conduit", "iobit", "mediaget", "outbreak", "acint", "installpack", "phish", "rostpay", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "filetour", "wacatac", "fusioncore", "dapato", "cleaner", "softonic", "encpk", "qbot", "predator", "swrort", "kraddare", "systweak", "dllinject", "driverpack", "iframe", "downldr", "presenoker", "as61317", "asnone united", "urls", "files", "next", "as15169 google", "japan unknown", "as17506 arteria", "as32244 liquid", "as49505", "russia unknown", "expired", "domain", "falcon", "as19969", "ipv4", "ransom", "encrypt", "file", "windows nt", "indicator", "response", "appdata", "gmt contenttype", "png image", "local", "contacted", "fali malicious", "dropped", "communicating", "referrer", "fali contacted", "silk road", "immediate", "cymulate2", "tsara brashears", "malvertizing" ], "references": [ "https://wallpapers-nature.com/tsara-brashears/urlscan-io", "alohatube.xyz", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "http://alohatube.xyz/search/tsara-brashears", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "ww.google.com.uy", "https://alohatube.xyz/search/tsara-brashears", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "https://polling.portal.gov.bd/js/npc.script.js", "polling.portal.gov.bd", "https://polling.portal.gov.bd/js/npop.script.js", "http://watchhers.net/index.php", "https://brandyallen.com/2022/11/23/sexy", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "http://park.above.com/jr.php?gz=DjDNgvDQ0WlpBALxevxSvkF3jBH95b5riUvmgFjb1tbPDV06suYFlRcPA34ufLE5UZ8spiM7ya7tRXR8nLUgk920DSaIXniiR5hkoveznG%20mez7OU5R%20HKIczV475LuRwxm3J1pcRSpQcePtF/4aD%20frLO%205mYc0Maj8Z1IwBeAMESc9Gk3BzCkGUHNVeCAZ9vZrQhEeVvN%20QVBAu1boZNJTnvCAP0lB5ebMSP92bFHD/ItyL53LoVDSYWMd64KTNMMJaXE0kZVqQn/%20STriQbrA6cmW3Xj4sAJ3XXEbNNJzTbIvgsy00PlKWInEUK/iXzVecaBsXg3vkUcvkeM3HPPIajaBexXO7ATYz/qTeKAksI9l2IoDAsn0S9BYCTuP8uTYdgJAv0LO%20MkNBOrSqJnFQzTlNxG4NRSP6K4VDWklVPpCwQc/s/AfrwIdLcdrV6CQDLaluG1naOjXDc", "http://nhrc.portal.gov.bd/sites/default/files/files/nhrc.portal.gov.bd/page/348ec5eb_22f8_4754_bb62_6a0d15ba1513/Study-Report-on-Sexual-Offences_Final.pdf", "https://twitter.com/PORNO_SEXYBABES", "https://alohatube.xyz/search/sex-mom-dog-animal", "https://www.colorfulbox.jp/", "Hybrid Analysis", "Any.run", "OTX AlienVault", "Urlscan", "UrlVoid", "http://emrd.gov.bd/dead.php", "http://titasgas.portal.gov.bd/dead.php", "http://mincom.gov.bd/dead.php", "http://cabinet.gov.bd/dead.php" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Malaysia", "Bangladesh" ], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Racoon Stealer", "display_name": "Racoon Stealer", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "njRAT - S0385", "display_name": "njRAT - S0385", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Bazaar Loader", "display_name": "Bazaar Loader", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Detplock", "display_name": "Detplock", "target": null }, { "id": "WannaCry Kill Switch", "display_name": "WannaCry Kill Switch", "target": null }, { "id": "Ghandi", "display_name": "Ghandi", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Swort", "display_name": "Swort", "target": null }, { "id": "Silk Road", "display_name": "Silk Road", "target": null }, { "id": "ALF:HeraklezEval:PUA:Win32/SpyrixKeylogger", "display_name": "ALF:HeraklezEval:PUA:Win32/SpyrixKeylogger", "target": null }, { "id": "Trojan:Win32/Wacatac", "display_name": "Trojan:Win32/Wacatac", "target": "/malware/Trojan:Win32/Wacatac" }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "Worm:VBS/Dapato", "display_name": "Worm:VBS/Dapato", "target": "/malware/Worm:VBS/Dapato" }, { "id": "Kraddare", "display_name": "Kraddare", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" } ], "industries": [], "TLP": "green", "cloned_from": "654a7a53317c717d1f4fee7f", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2522, "FileHash-SHA1": 862, "FileHash-SHA256": 2855, "URL": 7963, "domain": 1168, "hostname": 3181, "CVE": 13, "email": 2 }, "indicator_count": 18566, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "12 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "698e93e1ab02db8c49e8c3ed", "name": "\u201cBroken Seal\u201d DocuSign-themed Delivery with Fileless Process Hollowing (Zeppelin/Bloat-A)", "description": "Forensic analysis indicates a DocuSign-themed phishing campaign using a deliberately invalid X.509 PKI seal (\u201cBroken Seal\u201d) to trigger fail-open verification logic in automated handlers. The delivery mechanism bypasses Secure Email Gateway (SEG) reputation checks by using encrypted channels and human-gated infrastructure. The payload is a fileless Process Hollowing (RunPE) malware that injects into RWX memory of legitimate processes to evade disk-based EDR.", "modified": "2026-05-17T15:52:35.396000", "created": "2026-02-13T03:00:49.872000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr", "My Independent research finds an intersect between different pdf DV versions being able to connect to Raspberry Pi devices as it was the FCC application document. Risk: Mac ID connectivity to all." ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 28000, "FileHash-SHA256": 48374, "FileHash-MD5": 42596, "FileHash-SHA1": 23243, "hostname": 35654, "URL": 75758, "SSLCertFingerprint": 30, "CVE": 7585, "email": 316, "FileHash-IMPHASH": 8, "CIDR": 26205, "JA3": 1, "URI": 5, "IPv4": 574, "Mutex": 1 }, "indicator_count": 288350, "is_author": false, "is_subscribing": null, "subscriber_count": 92, "modified_text": "13 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d79c38e0a059039b475ebe", "name": "CAPE Sandbox", "description": "Email today from them on my line. Very wild things happening here. trying to close my line", "modified": "2026-05-09T12:10:59.635000", "created": "2026-04-09T12:31:52.495000", "tags": [ "html document", "unicode text", "utf8 text", "crlf", "lf line", "site", "meta", "verizon", "wireless", "internet", "phone services", "official", "shop verizon", "lte network", "get fios", "title", "code", "error", "utc na", "utc google", "tag manager", "gtmw2vn2cq", "utc dc9849921", "utc dc685973", "utc g12r1dx1lx7", "utc aw647962234", "utc aw2761768", "utc aw685973", "verizon business", "verizon for business", "verizon business account", "verizon business phone", "verizon wireless for business", "verizon business service", "verizon business plan", "business internet services", "learn", "gartner", "contact", "find", "discover", "support", "close log", "shop", "upgrade", "small", "voice", "chat", "mitre attack", "network info", "program", "html page", "t1055 process", "overview", "processes extra", "overview zenbox", "verdict", "guest system", "phishing", "next", "ver2", "msclkidn", "utc amazon", "analytics na", "utc bing", "vids1", "vids0", "gdlname" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/edb4c21d60daa44b3429e7ba9bfa342759ebef23c136c934f74aef145453ce19_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775737365&Signature=S%2B7RcHYjab1hbKlKwFfvUbDirFPJS1A2TJQ3bVIObMcON4PD9pRDvhMtYMCnEBrYsICi0UJCFW5eUDolL5Jlbngsc587kF36vvuhlkPprbkSOY1jOyDTpe3Qsb6jRFz3xwOfZc9S5QervoLnRKb%2FyGSyZE6ZK6TxzBrOPczPtZ7sLf9NfD6E%2B2gMRXaRjEqVwVITLG7YqCiiNuohFOuNlK3uNHFpIk53viKvBSAIqLtSklH9bHW4q1DX", "https://www.verizon.com/business/", "https://vtbehaviour.commondatastorage.googleapis.com/edb4c21d60daa44b3429e7ba9bfa342759ebef23c136c934f74aef145453ce19_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775737710&Signature=fbsokraSd7lsYmUfaTEl8Phs2K3hp7AtVmQU9axeEBcYmYbrrYrrfpP5lPEQaE%2Fh3%2BEP9Rn8mD8D1haqQVXCN0VVlxJ4sddjWmyC5USsgBsvUb0%2F72h1WHDS2KXHlteZWE%2Bauckabain9D5kX501AnqFY38s77OIqO6SMOkQ%2BvXiDSSRK%2FZhbfradBnei3ZLHsXGxkoshTyvB0%2BC%2F8SiUzdVsqSjik0Bn2r%2BIlLpDQK90GlZTD0N" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 772, "hostname": 706, "domain": 875, "FileHash-SHA256": 2348, "FileHash-MD5": 2237, "FileHash-SHA1": 2260, "CVE": 1, "email": 9 }, "indicator_count": 9208, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "22 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d7a3f4d72c30f9586634b9", "name": "VirusTotal report\n for flow-browser-main.zip", "description": "A sample of flow-browser-main, an unauthorised version of the web browser, has been detected by researchers at the University of California, Los Angeles, and the National Security Agency (NSA). myvzw.com after an email on ending a #", "modified": "2026-05-09T12:10:59.635000", "created": "2026-04-09T13:04:52.444000", "tags": [ "file type", "png image", "ascii", "ascii text", "java source", "json", "rgba", "creates", "crlf line", "mac os", "date", "malicious", "next", "button", "span", "edit3icon", "rotateccwicon", "xicon", "htmldivelement", "react", "saveicon", "null", "shortcutitem", "click", "zip archive", "png multimedia", "graphics" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739500&Signature=r1pLCgJf%2FQK8TvenCwXy9bnghFzjJ5QssdQSLP37SLv6EkA3WXuFUIvKrsXKokco7bMfQUy%2FArk8F6aP%2Bhaj16Jv7P%2FGB%2Blf7mPvs47VjwfBJRCP8AZLlWvO45%2BjC68v798csdJFPTP31O4yDOE3pXZ3EThm4nSrIwLPhTSPfi3cPlEh2wLSzcySW7BYLw%2BqCoawFCxeLUz7hIV0vC89Mlwi3DeS%2BEnWFF%2FsvT9lVJjdbLoJLEeO", "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739700&Signature=bOTo%2FxCpGDGOsIKJDZjBBhLZRg8UiOGi%2FvVr47Xpmh7tOh9dez7911bi%2F9SUdu4ATLhzRVog%2BdVP%2BUPwTuEfIdEcPuGRGVc1KOSP3fTQrKhRjF3x2dqykxVCH%2B1iqBmCgod%2B1uAdlraxqSOeOgst1l%2Bk250uXff4axktE%2BfGjeNDeGJao%2FfOMktqIL7zU8%2BIQYTObwelnnYx45FBSiXI1bWM4vhdgIX4cs2cT%2F" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 220, "FileHash-MD5": 562, "FileHash-SHA1": 566, "FileHash-SHA256": 1011, "URL": 125, "hostname": 139, "email": 4 }, "indicator_count": 2627, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "22 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d7a3f511d0121d253b753d", "name": "VirusTotal report\n for flow-browser-main.zip", "description": "A sample of flow-browser-main, an unauthorised version of the web browser, has been detected by researchers at the University of California, Los Angeles, and the National Security Agency (NSA). myvzw.com after an email on ending a #", "modified": "2026-05-09T12:10:59.635000", "created": "2026-04-09T13:04:53.436000", "tags": [ "file type", "png image", "ascii", "ascii text", "java source", "json", "rgba", "creates", "crlf line", "mac os", "date", "malicious", "next", "button", "span", "edit3icon", "rotateccwicon", "xicon", "htmldivelement", "react", "saveicon", "null", "shortcutitem", "click", "zip archive", "png multimedia", "graphics" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739500&Signature=r1pLCgJf%2FQK8TvenCwXy9bnghFzjJ5QssdQSLP37SLv6EkA3WXuFUIvKrsXKokco7bMfQUy%2FArk8F6aP%2Bhaj16Jv7P%2FGB%2Blf7mPvs47VjwfBJRCP8AZLlWvO45%2BjC68v798csdJFPTP31O4yDOE3pXZ3EThm4nSrIwLPhTSPfi3cPlEh2wLSzcySW7BYLw%2BqCoawFCxeLUz7hIV0vC89Mlwi3DeS%2BEnWFF%2FsvT9lVJjdbLoJLEeO", "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739700&Signature=bOTo%2FxCpGDGOsIKJDZjBBhLZRg8UiOGi%2FvVr47Xpmh7tOh9dez7911bi%2F9SUdu4ATLhzRVog%2BdVP%2BUPwTuEfIdEcPuGRGVc1KOSP3fTQrKhRjF3x2dqykxVCH%2B1iqBmCgod%2B1uAdlraxqSOeOgst1l%2Bk250uXff4axktE%2BfGjeNDeGJao%2FfOMktqIL7zU8%2BIQYTObwelnnYx45FBSiXI1bWM4vhdgIX4cs2cT%2F" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 224, "FileHash-MD5": 558, "FileHash-SHA1": 564, "FileHash-SHA256": 558, "URL": 140, "hostname": 166, "email": 2, "CVE": 8 }, "indicator_count": 2220, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "22 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d7a3f6657dd0c212d8344a", "name": "VirusTotal report\n for flow-browser-main.zip", "description": "A sample of flow-browser-main, an unauthorised version of the web browser, has been detected by researchers at the University of California, Los Angeles, and the National Security Agency (NSA). myvzw.com after an email on ending a #", "modified": "2026-05-09T12:10:59.635000", "created": "2026-04-09T13:04:54.060000", "tags": [ "file type", "png image", "ascii", "ascii text", "java source", "json", "rgba", "creates", "crlf line", "mac os", "date", "malicious", "next", "button", "span", "edit3icon", "rotateccwicon", "xicon", "htmldivelement", "react", "saveicon", "null", "shortcutitem", "click", "zip archive", "png multimedia", "graphics" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739500&Signature=r1pLCgJf%2FQK8TvenCwXy9bnghFzjJ5QssdQSLP37SLv6EkA3WXuFUIvKrsXKokco7bMfQUy%2FArk8F6aP%2Bhaj16Jv7P%2FGB%2Blf7mPvs47VjwfBJRCP8AZLlWvO45%2BjC68v798csdJFPTP31O4yDOE3pXZ3EThm4nSrIwLPhTSPfi3cPlEh2wLSzcySW7BYLw%2BqCoawFCxeLUz7hIV0vC89Mlwi3DeS%2BEnWFF%2FsvT9lVJjdbLoJLEeO", "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739700&Signature=bOTo%2FxCpGDGOsIKJDZjBBhLZRg8UiOGi%2FvVr47Xpmh7tOh9dez7911bi%2F9SUdu4ATLhzRVog%2BdVP%2BUPwTuEfIdEcPuGRGVc1KOSP3fTQrKhRjF3x2dqykxVCH%2B1iqBmCgod%2B1uAdlraxqSOeOgst1l%2Bk250uXff4axktE%2BfGjeNDeGJao%2FfOMktqIL7zU8%2BIQYTObwelnnYx45FBSiXI1bWM4vhdgIX4cs2cT%2F" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 217, "FileHash-MD5": 558, "FileHash-SHA1": 564, "FileHash-SHA256": 558, "URL": 118, "hostname": 133, "email": 2 }, "indicator_count": 2150, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "22 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d7a3f683111bbbe1c9ae35", "name": "VirusTotal report\n for flow-browser-main.zip", "description": "A sample of flow-browser-main, an unauthorised version of the web browser, has been detected by researchers at the University of California, Los Angeles, and the National Security Agency (NSA). myvzw.com after an email on ending a #", "modified": "2026-05-09T12:10:59.635000", "created": "2026-04-09T13:04:54.775000", "tags": [ "file type", "png image", "ascii", "ascii text", "java source", "json", "rgba", "creates", "crlf line", "mac os", "date", "malicious", "next", "button", "span", "edit3icon", "rotateccwicon", "xicon", "htmldivelement", "react", "saveicon", "null", "shortcutitem", "click", "zip archive", "png multimedia", "graphics" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739500&Signature=r1pLCgJf%2FQK8TvenCwXy9bnghFzjJ5QssdQSLP37SLv6EkA3WXuFUIvKrsXKokco7bMfQUy%2FArk8F6aP%2Bhaj16Jv7P%2FGB%2Blf7mPvs47VjwfBJRCP8AZLlWvO45%2BjC68v798csdJFPTP31O4yDOE3pXZ3EThm4nSrIwLPhTSPfi3cPlEh2wLSzcySW7BYLw%2BqCoawFCxeLUz7hIV0vC89Mlwi3DeS%2BEnWFF%2FsvT9lVJjdbLoJLEeO", "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739700&Signature=bOTo%2FxCpGDGOsIKJDZjBBhLZRg8UiOGi%2FvVr47Xpmh7tOh9dez7911bi%2F9SUdu4ATLhzRVog%2BdVP%2BUPwTuEfIdEcPuGRGVc1KOSP3fTQrKhRjF3x2dqykxVCH%2B1iqBmCgod%2B1uAdlraxqSOeOgst1l%2Bk250uXff4axktE%2BfGjeNDeGJao%2FfOMktqIL7zU8%2BIQYTObwelnnYx45FBSiXI1bWM4vhdgIX4cs2cT%2F" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 218, "FileHash-MD5": 558, "FileHash-SHA1": 564, "FileHash-SHA256": 558, "URL": 119, "hostname": 133, "email": 4 }, "indicator_count": 2154, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "22 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d7a3f6f81dc2388c0fa027", "name": "VirusTotal report\n for flow-browser-main.zip", "description": "A sample of flow-browser-main, an unauthorised version of the web browser, has been detected by researchers at the University of California, Los Angeles, and the National Security Agency (NSA). myvzw.com after an email on ending a #", "modified": "2026-05-09T12:10:59.635000", "created": "2026-04-09T13:04:54.563000", "tags": [ "file type", "png image", "ascii", "ascii text", "java source", "json", "rgba", "creates", "crlf line", "mac os", "date", "malicious", "next", "button", "span", "edit3icon", "rotateccwicon", "xicon", "htmldivelement", "react", "saveicon", "null", "shortcutitem", "click", "zip archive", "png multimedia", "graphics" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739500&Signature=r1pLCgJf%2FQK8TvenCwXy9bnghFzjJ5QssdQSLP37SLv6EkA3WXuFUIvKrsXKokco7bMfQUy%2FArk8F6aP%2Bhaj16Jv7P%2FGB%2Blf7mPvs47VjwfBJRCP8AZLlWvO45%2BjC68v798csdJFPTP31O4yDOE3pXZ3EThm4nSrIwLPhTSPfi3cPlEh2wLSzcySW7BYLw%2BqCoawFCxeLUz7hIV0vC89Mlwi3DeS%2BEnWFF%2FsvT9lVJjdbLoJLEeO", "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739700&Signature=bOTo%2FxCpGDGOsIKJDZjBBhLZRg8UiOGi%2FvVr47Xpmh7tOh9dez7911bi%2F9SUdu4ATLhzRVog%2BdVP%2BUPwTuEfIdEcPuGRGVc1KOSP3fTQrKhRjF3x2dqykxVCH%2B1iqBmCgod%2B1uAdlraxqSOeOgst1l%2Bk250uXff4axktE%2BfGjeNDeGJao%2FfOMktqIL7zU8%2BIQYTObwelnnYx45FBSiXI1bWM4vhdgIX4cs2cT%2F" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 218, "FileHash-MD5": 558, "FileHash-SHA1": 564, "FileHash-SHA256": 558, "URL": 119, "hostname": 133, "email": 4 }, "indicator_count": 2154, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "22 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "this.data", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "this.data", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780234564.0811508 }