{ "type": "Domain", "indicator": "this.id", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/this.id", "alexa": "http://www.alexa.com/siteinfo/this.id", "indicator": "this.id", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 9504630, "indicator": "this.id", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 50, "pulses": [ { "id": "69eb254f17eb4a2a990f07e5", "name": "LevelBlue - Open Threat Exchange", "description": "[ As part of security research, we look at some of the most well-known vulnerabilities in the PDF ecosystem, and how they can be identified and mitigated, with the help of a simple hash.] [64xxxx]", "modified": "2026-05-28T07:10:11.800000", "created": "2026-04-24T08:09:51.488000", "tags": [ "pdfkit", "cve202225765", "exploit script", "github", "unicordev", "cves", "xml external", "entity", "pdfs", "knowledge base", "python", "mozilla", "virustotal", "cisa", "apple", "microsoft", "pdfkit ruby", "remote code", "execution", "urls", "malware", "raid", "caddywiper", "wipes", "cve202543529", "webkit", "february", "cve202620643", "bypass", "march", "webkit bug", "command", "control", "levelblue", "open threat" ], "references": [ "https://otx.alienvault.com/indicator/ip/198.49.23.145#:~:text=CIDR:%206%20%7C%20CVE:%20107,infrastructure%20into%20global%20botnet%20clusters." ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Wipes", "display_name": "Wipes", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1084, "FileHash-SHA1": 874, "FileHash-SHA256": 3052, "CVE": 36, "domain": 437, "hostname": 1086, "URL": 1411, "CIDR": 15, "email": 13 }, "indicator_count": 8008, "is_author": false, "is_subscribing": null, "subscriber_count": 70, "modified_text": "4 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69e1e3701bff1800614838dc", "name": "wireshark", "description": "", "modified": "2026-05-17T08:02:15.940000", "created": "2026-04-17T07:38:24.668000", "tags": [ "wireshark pcap", "next generation", "dump file", "format", "little endian", "pcap" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 707, "FileHash-MD5": 281, "FileHash-SHA1": 271, "URL": 123, "domain": 69, "hostname": 608, "email": 1 }, "indicator_count": 2060, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "15 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69db4698d0cd0d278dc7ebac", "name": "VirusTotal report\n for base.apk", "description": "A sample of malicious code has been found on an Android phone running on the operating system, and it is believed to have been installed on a device that is currently running in the UK and Ireland.", "modified": "2026-05-12T07:29:56.598000", "created": "2026-04-12T07:15:36.900000", "tags": [ "mitre attack", "network info", "file type", "loads", "has permission", "accesses", "sim provider", "mccmnc", "mobile", "t1430 location", "persistence", "fraud", "cloud", "malicious", "next", "performs dns", "processes extra", "sigma", "overview", "overview zenbox", "verdict", "guest system", "ultimate file", "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "hybrid analysis", "api key", "vetting process", "please note", "please", "script", "navigation", "doctype html", "public", "w3cdtd html", "transitionalen", "canceled", "title", "head", "body", "span", "refresh", "urls", "https", "united", "may check", "tls version", "xffxf0 xffxf0", "xffxee xffxee", "xffxef xffxef", "xffxeb xffxeb", "px9d", "xe4x84", "fxf8", "x94 x94", "xc1 xc1", "xffxf1 xffxf1", "info", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "text", "json", "in a", "accept", "estonia", "shutdown", "back" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0000d7e596a5738d6310974ef61ee238316ed03bc97d4cb358617932ad8d1ef2_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775977719&Signature=nkKRbhcDpxdw98on7aVclCyF9iaYOrdx7xghDa6jjq48R1HK6lCpP2H%2Fv6rxdPNWs11JoBFgE3MwA1ZYRN8Agx6yaHEpe7UOXVn2H3IXFXu5iRM5sSelXe0sVXAZNiCnIpmLyM8VdDWBLCF6TJhhCNb%2BA7JeJFY4BXuE0JCylFC6IfrK2KyhsCqwoOPL%2BxBN22zBWM88MDh7fIROoVS%2BgBZTK6Ae1KM9I0JmsvqNh%2BZskj06IC", "https://vtbehaviour.commondatastorage.googleapis.com/d45818a5cd5d41133eeb2bb915b70591823526786936d1ff425c82957057a080_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775977759&Signature=NBaN%2BKLt4kQxB6lxMAKf0PJGXB22KDgo54085YsLIZeKYr%2FZMbLuFYa65quTdyB8OT20aOMsT%2Bx7n2Nv%2BpBu9tlcAvqR27Q83JBzoWGOiDxS79sdgdFXXcK1fvBAY1%2BjtLvoBhQMAK7BZO3%2BuKbWEabvTF9p9Cwjhp%2FMQXMHRl%2BuPqE6REp29LQImSxPlNb5PmpRdhhhBX877q%2F6YPIpViq1j4uEa5xeFaF%2BLHuli03Gs93pzj", "https://hybrid-analysis.com/sample/4e4fa68c1c4d2cfee133c31432dd303bb5746f7094b5a6832a25e47e6279171c", "https://vtbehaviour.commondatastorage.googleapis.com/00000048b1c9e60c14a6619f0292dea96df7f10c11cfa9ae28693219c0ae844b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775977932&Signature=PwcvGhj2aoTTZWuXQAV%2Fk5iqc79LFl%2F4vKRmiwCg0lEljeWcXw48JPCdvRXB9d8jKJ3YlawrM8K3jVgBiRkawNtXHGkhIZp3kMOBGXmjii0zJ%2B%2BFryjqy3dSwsNCbzYOZqPvS38JrUto12cWGOcLXru%2F%2FaLJkK%2F5LZojEPdv487hPxxjaJl3q6IRjJ7RCeN6j7Rm9uA2EA2m0Di4VgQGK9uqgl04AslRkB8MiwSQ4TaGSHjp", "https://vtbehaviour.commondatastorage.googleapis.com/00000722ff984d5cd9cd766d12c70eecc7a2ad7502999c5a99d582c79b92c1a6_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775978086&Signature=WBIzRJW%2FxjBBOf%2F0opd6hlj72t0fu7SbhJLmf%2FDLtoe3li5SgoZEYUg2Ogq0NvkC4WzbpRmzXeV1QmUY%2BooYwl%2BVNRjyw6fZqkbp%2FboMFSfQmgHU%2FQfi99Ch5BqGcNZge1bx9lbHBAP%2BY3QDDA3xzFU9c9aMJAaBlGjFT4TeXALcU00PEYHA95tX7zddbMc5uQhfHfn7fKlyKlmRq25jp6vA4xQImQFJc3s3pQ7WePxp", "https://vtbehaviour.commondatastorage.googleapis.com/3b145ee102848506dc7551758ee869b43a1753f06fabcbcf9ca574cb7843d60e_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775978167&Signature=ukCrMHPUqB9sAvA3sCKxfTpKsnpIxfU1vyE1t7AsEZ2JBslXLn0KOjAMFlqSS33UscXS2xVpcOB1wOgX5ZbIlIX0m19OZ79aq1QXdbgZcRdsQ%2B07tzoo82jk6i7wuXsvtA8Lg1oPdLiq15X99Ey1Q4Qu%2F0YpJnHHOQ8zJCsmJIL%2BCV7ZRaam44zjH9hrfu2RFHKg7UN%2F%2BePHS%2FGSY3JiZ4dG10ymuI%2BSbNuvxnx4LIP9iAnFi", "https://vtbehaviour.commondatastorage.googleapis.com/3b145ee102848506dc7551758ee869b43a1753f06fabcbcf9ca574cb7843d60e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775978199&Signature=N0Ry%2FbV%2BEAaGir5ToqgdLRpeg4LWS2qRlbG%2BPBgtoRM6IQyD7i%2FhtGHNcbCN9KZuxWP1kCJkqKu4dA%2BNcMjY450Zs5KmCD%2B78YZCte4YHq%2F3f2T0AuO7ero3nBCqlX8fVA62q8eDZQiroHG4hX0gMIaxBXDwUeQa0F%2FQpNa72K2aN4rAajClR%2BuBVPy1fnaokrr7bsvK6JvnhFwrTdLQq6%2Fd%2BulnVIbTCK1oSGXF", "https://vtbehaviour.commondatastorage.googleapis.com/00000722ff984d5cd9cd766d12c70eecc7a2ad7502999c5a99d582c79b92c1a6_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775978364&Signature=yFKLOW7cLGxEDj33tw1mRKNjyzUXQUuQpv%2FrA3D2X5q8rw9kMCREsBLs%2F%2FNYRFxARS3RB5Lk4O6CmSWhNnG3A6HL18Gz6MgwskKshWmxISeMPsHS3bV%2F%2FfnGBWAext5N5I8M1E3kyouF%2FSW3NwXOVYP%2FTI%2BQ1I%2FDzIIYwu8Da44roDqJL3wQaxKZjyUAXa6fTXFaFor%2FO9DxLhb3cHkFxY9PbZuvVGjWowadR80d" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1422", "name": "System Network Configuration Discovery", "display_name": "T1422 - System Network Configuration Discovery" }, { "id": "T1424", "name": "Process Discovery", "display_name": "T1424 - Process Discovery" }, { "id": "T1426", "name": "System Information Discovery", "display_name": "T1426 - System Information Discovery" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1409", "name": "Access Stored Application Data", "display_name": "T1409 - Access Stored Application Data" }, { "id": "T1418", "name": "Application Discovery", "display_name": "T1418 - Application Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 91, "FileHash-SHA1": 86, "FileHash-SHA256": 101, "URL": 271, "domain": 43, "hostname": 306 }, "indicator_count": 898, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "20 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69db469af0e341420764ab93", "name": "VirusTotal report\n for base.apk", "description": "A sample of malicious code has been found on an Android phone running on the operating system, and it is believed to have been installed on a device that is currently running in the UK and Ireland.", "modified": "2026-05-12T07:29:56.598000", "created": "2026-04-12T07:15:38.372000", "tags": [ "mitre attack", "network info", "file type", "loads", "has permission", "accesses", "sim provider", "mccmnc", "mobile", "t1430 location", "persistence", "fraud", "cloud", "malicious", "next", "performs dns", "processes extra", "sigma", "overview", "overview zenbox", "verdict", "guest system", "ultimate file", "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "hybrid analysis", "api key", "vetting process", "please note", "please", "script", "navigation", "doctype html", "public", "w3cdtd html", "transitionalen", "canceled", "title", "head", "body", "span", "refresh", "urls", "https", "united", "may check", "tls version", "xffxf0 xffxf0", "xffxee xffxee", "xffxef xffxef", "xffxeb xffxeb", "px9d", "xe4x84", "fxf8", "x94 x94", "xc1 xc1", "xffxf1 xffxf1", "info", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "text", "json", "in a", "accept", "estonia", "shutdown", "back" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0000d7e596a5738d6310974ef61ee238316ed03bc97d4cb358617932ad8d1ef2_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775977719&Signature=nkKRbhcDpxdw98on7aVclCyF9iaYOrdx7xghDa6jjq48R1HK6lCpP2H%2Fv6rxdPNWs11JoBFgE3MwA1ZYRN8Agx6yaHEpe7UOXVn2H3IXFXu5iRM5sSelXe0sVXAZNiCnIpmLyM8VdDWBLCF6TJhhCNb%2BA7JeJFY4BXuE0JCylFC6IfrK2KyhsCqwoOPL%2BxBN22zBWM88MDh7fIROoVS%2BgBZTK6Ae1KM9I0JmsvqNh%2BZskj06IC", "https://vtbehaviour.commondatastorage.googleapis.com/d45818a5cd5d41133eeb2bb915b70591823526786936d1ff425c82957057a080_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775977759&Signature=NBaN%2BKLt4kQxB6lxMAKf0PJGXB22KDgo54085YsLIZeKYr%2FZMbLuFYa65quTdyB8OT20aOMsT%2Bx7n2Nv%2BpBu9tlcAvqR27Q83JBzoWGOiDxS79sdgdFXXcK1fvBAY1%2BjtLvoBhQMAK7BZO3%2BuKbWEabvTF9p9Cwjhp%2FMQXMHRl%2BuPqE6REp29LQImSxPlNb5PmpRdhhhBX877q%2F6YPIpViq1j4uEa5xeFaF%2BLHuli03Gs93pzj", "https://hybrid-analysis.com/sample/4e4fa68c1c4d2cfee133c31432dd303bb5746f7094b5a6832a25e47e6279171c", "https://vtbehaviour.commondatastorage.googleapis.com/00000048b1c9e60c14a6619f0292dea96df7f10c11cfa9ae28693219c0ae844b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775977932&Signature=PwcvGhj2aoTTZWuXQAV%2Fk5iqc79LFl%2F4vKRmiwCg0lEljeWcXw48JPCdvRXB9d8jKJ3YlawrM8K3jVgBiRkawNtXHGkhIZp3kMOBGXmjii0zJ%2B%2BFryjqy3dSwsNCbzYOZqPvS38JrUto12cWGOcLXru%2F%2FaLJkK%2F5LZojEPdv487hPxxjaJl3q6IRjJ7RCeN6j7Rm9uA2EA2m0Di4VgQGK9uqgl04AslRkB8MiwSQ4TaGSHjp", "https://vtbehaviour.commondatastorage.googleapis.com/00000722ff984d5cd9cd766d12c70eecc7a2ad7502999c5a99d582c79b92c1a6_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775978086&Signature=WBIzRJW%2FxjBBOf%2F0opd6hlj72t0fu7SbhJLmf%2FDLtoe3li5SgoZEYUg2Ogq0NvkC4WzbpRmzXeV1QmUY%2BooYwl%2BVNRjyw6fZqkbp%2FboMFSfQmgHU%2FQfi99Ch5BqGcNZge1bx9lbHBAP%2BY3QDDA3xzFU9c9aMJAaBlGjFT4TeXALcU00PEYHA95tX7zddbMc5uQhfHfn7fKlyKlmRq25jp6vA4xQImQFJc3s3pQ7WePxp", "https://vtbehaviour.commondatastorage.googleapis.com/3b145ee102848506dc7551758ee869b43a1753f06fabcbcf9ca574cb7843d60e_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775978167&Signature=ukCrMHPUqB9sAvA3sCKxfTpKsnpIxfU1vyE1t7AsEZ2JBslXLn0KOjAMFlqSS33UscXS2xVpcOB1wOgX5ZbIlIX0m19OZ79aq1QXdbgZcRdsQ%2B07tzoo82jk6i7wuXsvtA8Lg1oPdLiq15X99Ey1Q4Qu%2F0YpJnHHOQ8zJCsmJIL%2BCV7ZRaam44zjH9hrfu2RFHKg7UN%2F%2BePHS%2FGSY3JiZ4dG10ymuI%2BSbNuvxnx4LIP9iAnFi", "https://vtbehaviour.commondatastorage.googleapis.com/3b145ee102848506dc7551758ee869b43a1753f06fabcbcf9ca574cb7843d60e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775978199&Signature=N0Ry%2FbV%2BEAaGir5ToqgdLRpeg4LWS2qRlbG%2BPBgtoRM6IQyD7i%2FhtGHNcbCN9KZuxWP1kCJkqKu4dA%2BNcMjY450Zs5KmCD%2B78YZCte4YHq%2F3f2T0AuO7ero3nBCqlX8fVA62q8eDZQiroHG4hX0gMIaxBXDwUeQa0F%2FQpNa72K2aN4rAajClR%2BuBVPy1fnaokrr7bsvK6JvnhFwrTdLQq6%2Fd%2BulnVIbTCK1oSGXF", "https://vtbehaviour.commondatastorage.googleapis.com/00000722ff984d5cd9cd766d12c70eecc7a2ad7502999c5a99d582c79b92c1a6_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775978364&Signature=yFKLOW7cLGxEDj33tw1mRKNjyzUXQUuQpv%2FrA3D2X5q8rw9kMCREsBLs%2F%2FNYRFxARS3RB5Lk4O6CmSWhNnG3A6HL18Gz6MgwskKshWmxISeMPsHS3bV%2F%2FfnGBWAext5N5I8M1E3kyouF%2FSW3NwXOVYP%2FTI%2BQ1I%2FDzIIYwu8Da44roDqJL3wQaxKZjyUAXa6fTXFaFor%2FO9DxLhb3cHkFxY9PbZuvVGjWowadR80d" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1422", "name": "System Network Configuration Discovery", "display_name": "T1422 - System Network Configuration Discovery" }, { "id": "T1424", "name": "Process Discovery", "display_name": "T1424 - Process Discovery" }, { "id": "T1426", "name": "System Information Discovery", "display_name": "T1426 - System Information Discovery" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1409", "name": "Access Stored Application Data", "display_name": "T1409 - Access Stored Application Data" }, { "id": "T1418", "name": "Application Discovery", "display_name": "T1418 - Application Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 91, "FileHash-SHA1": 86, "FileHash-SHA256": 101, "URL": 271, "domain": 43, "hostname": 306 }, "indicator_count": 898, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "20 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d79c38e0a059039b475ebe", "name": "CAPE Sandbox", "description": "Email today from them on my line. Very wild things happening here. trying to close my line", "modified": "2026-05-09T12:10:59.635000", "created": "2026-04-09T12:31:52.495000", "tags": [ "html document", "unicode text", "utf8 text", "crlf", "lf line", "site", "meta", "verizon", "wireless", "internet", "phone services", "official", "shop verizon", "lte network", "get fios", "title", "code", "error", "utc na", "utc google", "tag manager", "gtmw2vn2cq", "utc dc9849921", "utc dc685973", "utc g12r1dx1lx7", "utc aw647962234", "utc aw2761768", "utc aw685973", "verizon business", "verizon for business", "verizon business account", "verizon business phone", "verizon wireless for business", "verizon business service", "verizon business plan", "business internet services", "learn", "gartner", "contact", "find", "discover", "support", "close log", "shop", "upgrade", "small", "voice", "chat", "mitre attack", "network info", "program", "html page", "t1055 process", "overview", "processes extra", "overview zenbox", "verdict", "guest system", "phishing", "next", "ver2", "msclkidn", "utc amazon", "analytics na", "utc bing", "vids1", "vids0", "gdlname" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/edb4c21d60daa44b3429e7ba9bfa342759ebef23c136c934f74aef145453ce19_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775737365&Signature=S%2B7RcHYjab1hbKlKwFfvUbDirFPJS1A2TJQ3bVIObMcON4PD9pRDvhMtYMCnEBrYsICi0UJCFW5eUDolL5Jlbngsc587kF36vvuhlkPprbkSOY1jOyDTpe3Qsb6jRFz3xwOfZc9S5QervoLnRKb%2FyGSyZE6ZK6TxzBrOPczPtZ7sLf9NfD6E%2B2gMRXaRjEqVwVITLG7YqCiiNuohFOuNlK3uNHFpIk53viKvBSAIqLtSklH9bHW4q1DX", "https://www.verizon.com/business/", "https://vtbehaviour.commondatastorage.googleapis.com/edb4c21d60daa44b3429e7ba9bfa342759ebef23c136c934f74aef145453ce19_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775737710&Signature=fbsokraSd7lsYmUfaTEl8Phs2K3hp7AtVmQU9axeEBcYmYbrrYrrfpP5lPEQaE%2Fh3%2BEP9Rn8mD8D1haqQVXCN0VVlxJ4sddjWmyC5USsgBsvUb0%2F72h1WHDS2KXHlteZWE%2Bauckabain9D5kX501AnqFY38s77OIqO6SMOkQ%2BvXiDSSRK%2FZhbfradBnei3ZLHsXGxkoshTyvB0%2BC%2F8SiUzdVsqSjik0Bn2r%2BIlLpDQK90GlZTD0N" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 772, "hostname": 706, "domain": 875, "FileHash-SHA256": 2348, "FileHash-MD5": 2237, "FileHash-SHA1": 2260, "CVE": 1, "email": 9 }, "indicator_count": 9208, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d7a3f4d72c30f9586634b9", "name": "VirusTotal report\n for flow-browser-main.zip", "description": "A sample of flow-browser-main, an unauthorised version of the web browser, has been detected by researchers at the University of California, Los Angeles, and the National Security Agency (NSA). myvzw.com after an email on ending a #", "modified": "2026-05-09T12:10:59.635000", "created": "2026-04-09T13:04:52.444000", "tags": [ "file type", "png image", "ascii", "ascii text", "java source", "json", "rgba", "creates", "crlf line", "mac os", "date", "malicious", "next", "button", "span", "edit3icon", "rotateccwicon", "xicon", "htmldivelement", "react", "saveicon", "null", "shortcutitem", "click", "zip archive", "png multimedia", "graphics" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739500&Signature=r1pLCgJf%2FQK8TvenCwXy9bnghFzjJ5QssdQSLP37SLv6EkA3WXuFUIvKrsXKokco7bMfQUy%2FArk8F6aP%2Bhaj16Jv7P%2FGB%2Blf7mPvs47VjwfBJRCP8AZLlWvO45%2BjC68v798csdJFPTP31O4yDOE3pXZ3EThm4nSrIwLPhTSPfi3cPlEh2wLSzcySW7BYLw%2BqCoawFCxeLUz7hIV0vC89Mlwi3DeS%2BEnWFF%2FsvT9lVJjdbLoJLEeO", "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739700&Signature=bOTo%2FxCpGDGOsIKJDZjBBhLZRg8UiOGi%2FvVr47Xpmh7tOh9dez7911bi%2F9SUdu4ATLhzRVog%2BdVP%2BUPwTuEfIdEcPuGRGVc1KOSP3fTQrKhRjF3x2dqykxVCH%2B1iqBmCgod%2B1uAdlraxqSOeOgst1l%2Bk250uXff4axktE%2BfGjeNDeGJao%2FfOMktqIL7zU8%2BIQYTObwelnnYx45FBSiXI1bWM4vhdgIX4cs2cT%2F" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 220, "FileHash-MD5": 562, "FileHash-SHA1": 566, "FileHash-SHA256": 1011, "URL": 125, "hostname": 139, "email": 4 }, "indicator_count": 2627, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d7a3f511d0121d253b753d", "name": "VirusTotal report\n for flow-browser-main.zip", "description": "A sample of flow-browser-main, an unauthorised version of the web browser, has been detected by researchers at the University of California, Los Angeles, and the National Security Agency (NSA). myvzw.com after an email on ending a #", "modified": "2026-05-09T12:10:59.635000", "created": "2026-04-09T13:04:53.436000", "tags": [ "file type", "png image", "ascii", "ascii text", "java source", "json", "rgba", "creates", "crlf line", "mac os", "date", "malicious", "next", "button", "span", "edit3icon", "rotateccwicon", "xicon", "htmldivelement", "react", "saveicon", "null", "shortcutitem", "click", "zip archive", "png multimedia", "graphics" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739500&Signature=r1pLCgJf%2FQK8TvenCwXy9bnghFzjJ5QssdQSLP37SLv6EkA3WXuFUIvKrsXKokco7bMfQUy%2FArk8F6aP%2Bhaj16Jv7P%2FGB%2Blf7mPvs47VjwfBJRCP8AZLlWvO45%2BjC68v798csdJFPTP31O4yDOE3pXZ3EThm4nSrIwLPhTSPfi3cPlEh2wLSzcySW7BYLw%2BqCoawFCxeLUz7hIV0vC89Mlwi3DeS%2BEnWFF%2FsvT9lVJjdbLoJLEeO", "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739700&Signature=bOTo%2FxCpGDGOsIKJDZjBBhLZRg8UiOGi%2FvVr47Xpmh7tOh9dez7911bi%2F9SUdu4ATLhzRVog%2BdVP%2BUPwTuEfIdEcPuGRGVc1KOSP3fTQrKhRjF3x2dqykxVCH%2B1iqBmCgod%2B1uAdlraxqSOeOgst1l%2Bk250uXff4axktE%2BfGjeNDeGJao%2FfOMktqIL7zU8%2BIQYTObwelnnYx45FBSiXI1bWM4vhdgIX4cs2cT%2F" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 224, "FileHash-MD5": 558, "FileHash-SHA1": 564, "FileHash-SHA256": 558, "URL": 140, "hostname": 166, "email": 2, "CVE": 8 }, "indicator_count": 2220, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d7a3f6657dd0c212d8344a", "name": "VirusTotal report\n for flow-browser-main.zip", "description": "A sample of flow-browser-main, an unauthorised version of the web browser, has been detected by researchers at the University of California, Los Angeles, and the National Security Agency (NSA). myvzw.com after an email on ending a #", "modified": "2026-05-09T12:10:59.635000", "created": "2026-04-09T13:04:54.060000", "tags": [ "file type", "png image", "ascii", "ascii text", "java source", "json", "rgba", "creates", "crlf line", "mac os", "date", "malicious", "next", "button", "span", "edit3icon", "rotateccwicon", "xicon", "htmldivelement", "react", "saveicon", "null", "shortcutitem", "click", "zip archive", "png multimedia", "graphics" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739500&Signature=r1pLCgJf%2FQK8TvenCwXy9bnghFzjJ5QssdQSLP37SLv6EkA3WXuFUIvKrsXKokco7bMfQUy%2FArk8F6aP%2Bhaj16Jv7P%2FGB%2Blf7mPvs47VjwfBJRCP8AZLlWvO45%2BjC68v798csdJFPTP31O4yDOE3pXZ3EThm4nSrIwLPhTSPfi3cPlEh2wLSzcySW7BYLw%2BqCoawFCxeLUz7hIV0vC89Mlwi3DeS%2BEnWFF%2FsvT9lVJjdbLoJLEeO", "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739700&Signature=bOTo%2FxCpGDGOsIKJDZjBBhLZRg8UiOGi%2FvVr47Xpmh7tOh9dez7911bi%2F9SUdu4ATLhzRVog%2BdVP%2BUPwTuEfIdEcPuGRGVc1KOSP3fTQrKhRjF3x2dqykxVCH%2B1iqBmCgod%2B1uAdlraxqSOeOgst1l%2Bk250uXff4axktE%2BfGjeNDeGJao%2FfOMktqIL7zU8%2BIQYTObwelnnYx45FBSiXI1bWM4vhdgIX4cs2cT%2F" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 217, "FileHash-MD5": 558, "FileHash-SHA1": 564, "FileHash-SHA256": 558, "URL": 118, "hostname": 133, "email": 2 }, "indicator_count": 2150, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d7a3f683111bbbe1c9ae35", "name": "VirusTotal report\n for flow-browser-main.zip", "description": "A sample of flow-browser-main, an unauthorised version of the web browser, has been detected by researchers at the University of California, Los Angeles, and the National Security Agency (NSA). myvzw.com after an email on ending a #", "modified": "2026-05-09T12:10:59.635000", "created": "2026-04-09T13:04:54.775000", "tags": [ "file type", "png image", "ascii", "ascii text", "java source", "json", "rgba", "creates", "crlf line", "mac os", "date", "malicious", "next", "button", "span", "edit3icon", "rotateccwicon", "xicon", "htmldivelement", "react", "saveicon", "null", "shortcutitem", "click", "zip archive", "png multimedia", "graphics" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739500&Signature=r1pLCgJf%2FQK8TvenCwXy9bnghFzjJ5QssdQSLP37SLv6EkA3WXuFUIvKrsXKokco7bMfQUy%2FArk8F6aP%2Bhaj16Jv7P%2FGB%2Blf7mPvs47VjwfBJRCP8AZLlWvO45%2BjC68v798csdJFPTP31O4yDOE3pXZ3EThm4nSrIwLPhTSPfi3cPlEh2wLSzcySW7BYLw%2BqCoawFCxeLUz7hIV0vC89Mlwi3DeS%2BEnWFF%2FsvT9lVJjdbLoJLEeO", "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739700&Signature=bOTo%2FxCpGDGOsIKJDZjBBhLZRg8UiOGi%2FvVr47Xpmh7tOh9dez7911bi%2F9SUdu4ATLhzRVog%2BdVP%2BUPwTuEfIdEcPuGRGVc1KOSP3fTQrKhRjF3x2dqykxVCH%2B1iqBmCgod%2B1uAdlraxqSOeOgst1l%2Bk250uXff4axktE%2BfGjeNDeGJao%2FfOMktqIL7zU8%2BIQYTObwelnnYx45FBSiXI1bWM4vhdgIX4cs2cT%2F" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 218, "FileHash-MD5": 558, "FileHash-SHA1": 564, "FileHash-SHA256": 558, "URL": 119, "hostname": 133, "email": 4 }, "indicator_count": 2154, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d7a3f6f81dc2388c0fa027", "name": "VirusTotal report\n for flow-browser-main.zip", "description": "A sample of flow-browser-main, an unauthorised version of the web browser, has been detected by researchers at the University of California, Los Angeles, and the National Security Agency (NSA). myvzw.com after an email on ending a #", "modified": "2026-05-09T12:10:59.635000", "created": "2026-04-09T13:04:54.563000", "tags": [ "file type", "png image", "ascii", "ascii text", "java source", "json", "rgba", "creates", "crlf line", "mac os", "date", "malicious", "next", "button", "span", "edit3icon", "rotateccwicon", "xicon", "htmldivelement", "react", "saveicon", "null", "shortcutitem", "click", "zip archive", "png multimedia", "graphics" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739500&Signature=r1pLCgJf%2FQK8TvenCwXy9bnghFzjJ5QssdQSLP37SLv6EkA3WXuFUIvKrsXKokco7bMfQUy%2FArk8F6aP%2Bhaj16Jv7P%2FGB%2Blf7mPvs47VjwfBJRCP8AZLlWvO45%2BjC68v798csdJFPTP31O4yDOE3pXZ3EThm4nSrIwLPhTSPfi3cPlEh2wLSzcySW7BYLw%2BqCoawFCxeLUz7hIV0vC89Mlwi3DeS%2BEnWFF%2FsvT9lVJjdbLoJLEeO", "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739700&Signature=bOTo%2FxCpGDGOsIKJDZjBBhLZRg8UiOGi%2FvVr47Xpmh7tOh9dez7911bi%2F9SUdu4ATLhzRVog%2BdVP%2BUPwTuEfIdEcPuGRGVc1KOSP3fTQrKhRjF3x2dqykxVCH%2B1iqBmCgod%2B1uAdlraxqSOeOgst1l%2Bk250uXff4axktE%2BfGjeNDeGJao%2FfOMktqIL7zU8%2BIQYTObwelnnYx45FBSiXI1bWM4vhdgIX4cs2cT%2F" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 218, "FileHash-MD5": 558, "FileHash-SHA1": 564, "FileHash-SHA256": 558, "URL": 119, "hostname": 133, "email": 4 }, "indicator_count": 2154, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d4f2d9ce86a445b484593b", "name": "VirusTotal report\n for sample.crx", "description": "A small sample of malware has been identified by researchers at the University of Oregon in the US, and the results are published on the web, as well as on Google's Chrome extension and other sites.", "modified": "2026-05-07T12:05:50.774000", "created": "2026-04-07T12:04:41.097000", "tags": [ "file type", "json", "ascii text", "png image", "crlf line", "ascii", "rgba", "unicode text", "utf8 text", "defense evasion", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 668, "FileHash-MD5": 668, "FileHash-SHA1": 675, "URL": 153, "domain": 230, "hostname": 177, "email": 2 }, "indicator_count": 2573, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "25 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d4f2db0b3448671adcce16", "name": "VirusTotal report\n for sample.crx", "description": "A small sample of malware has been identified by researchers at the University of Oregon in the US, and the results are published on the web, as well as on Google's Chrome extension and other sites.", "modified": "2026-05-07T12:05:50.774000", "created": "2026-04-07T12:04:43.156000", "tags": [ "file type", "json", "ascii text", "png image", "crlf line", "ascii", "rgba", "unicode text", "utf8 text", "defense evasion", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 668, "FileHash-MD5": 668, "FileHash-SHA1": 675, "URL": 153, "domain": 230, "hostname": 177, "email": 2 }, "indicator_count": 2573, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "25 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d4f2dd828bbf0ac5efaa23", "name": "VirusTotal report\n for sample.crx", "description": "A small sample of malware has been identified by researchers at the University of Oregon in the US, and the results are published on the web, as well as on Google's Chrome extension and other sites.", "modified": "2026-05-07T12:05:50.774000", "created": "2026-04-07T12:04:44.957000", "tags": [ "file type", "json", "ascii text", "png image", "crlf line", "ascii", "rgba", "unicode text", "utf8 text", "defense evasion", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 668, "FileHash-MD5": 668, "FileHash-SHA1": 675, "URL": 153, "domain": 230, "hostname": 177, "email": 2 }, "indicator_count": 2573, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "25 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d0ac884cb646fac0b8d3d4", "name": "VirusTotal report\n for Other-20230212T074754Z-001.zip", "description": "com - is the name of a German domain registered with the United-Domains AG.\n\n3 hearts\npure bleeds. sigma shields. commander hunts.\nlegacy puppetmaster suppresses.\nthe octopus is forever tangled.", "modified": "2026-05-04T06:35:28.490000", "created": "2026-04-04T06:15:36.916000", "tags": [ "date", "server", "registrar abuse", "postal code", "registrant name", "expiration date", "registry domain", "registrar iana", "registrar url", "registrant city", "ascii text", "javascript", "mitre attack", "network info", "dropped info", "file type", "processes extra", "overview zenbox", "linux verdict", "guest system", "ultimate file", "info file", "persistence", "next", "pe file", "text format", "ansi", "ms windows", "zip archive", "found", "crlf line", "windows start", "default", "delphi", "code", "malicious", "windows sandbox", "calls clear", "ascii", "java source", "web open", "font format", "truetype", "version", "python", "cape sandbox", "machine summary", "report time", "machine name", "analysis id", "machine label", "duration", "machine manager", "kvm os", "shutdown", "https", "shpk", "performs dns", "t1055 process", "layer protocol", "overview", "title", "phishing", "loader", "script", "meta", "albania", "structured data", "artan lenja", "street", "building", "tiran", "body", "icloud", "free", "apple", "link", "style", "doctype html", "timestamp", "sectigo", "official", "disney", "walt disney", "countryus", "center", "head", "forbidden", "creates", "command", "clear filters", "sigma", "verdict" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/100a90c0ff019b19f0f2622cfa529d874f580b2ac6257d018e5eb9ab6d861f44_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775281711&Signature=G81N%2BSvpl7rLMvDIGLovzSBK8YJzNBOTs7Ycfze1L%2BdFheZX%2BS6EbtlDx545BRgefMUoJSwn%2BdK4eRpYlyMGmHvkv2tw3apezXxBF5J95vedk3RlOzXgGUAvJvewt0RBBR9f9hiVn9CuYTHvY3Cf%2BVog32%2BRLrv8sMhZ%2FeqX0%2FhraP6leNtAta5iUv73pYWeMmdsQ7nX2EvTO7uUvGggX6TmnBhiHHd8E9uCsoPHCTP4i0", "https://vtbehaviour.commondatastorage.googleapis.com/100a90c0ff019b19f0f2622cfa529d874f580b2ac6257d018e5eb9ab6d861f44_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775281734&Signature=3FFHeC27RvCC9623M2f8xoSU4fl9LBd%2FvI%2F98rUNvmdceN4AZjjw77yTU0ApUTXU5FbdCpODVhKi0X4pqDz1pqEP%2FBRLq%2FNhgoRliai6LlD4yhdTtKNi4zrfCDG%2Bd4dRzD5y674IfEPynxGiFOWxc6wiCtl3rhwTPEqisyDqFbvnF57SxrcPoVSzVO3wEtxpCOIw8iAFXdW2zgnnYYbSrbaQBfghKLtFA6r2vP%2Bmrd33YSUiH%2Fe2EqBz", "https://vtbehaviour.commondatastorage.googleapis.com/100a90c0ff019b19f0f2622cfa529d874f580b2ac6257d018e5eb9ab6d861f44_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775281812&Signature=jttp%2BTn66O5EfEB%2FASdpjDONf%2BzydGtfIUy3AtwYz0ppPzVA88%2BzZ8LtzV0TDhkMiju4oLHr%2BauJnKYexqnF0MfNTXGKPfj3ux9oZ2%2Baqve%2B3xgapdwdz0N64RgWo3SBqCKFBOQmi57mqIy%2F8qgnAfdVX99BwF2BuRSYSbIjNW5NHjir1JrAAKwOHZFyNsKj99PImyug2FPpRnss8VrJvDyYdnaGLHIAbZMRl72V", "https://vtbehaviour.commondatastorage.googleapis.com/100a90c0ff019b19f0f2622cfa529d874f580b2ac6257d018e5eb9ab6d861f44_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775281904&Signature=B9x8BUVCeldkVImU%2Bb%2B7d97Q9Y2suAJFE1HvxBCu6MQUOt52HrgAUTBIeXPKgNP0gKiqrr%2BwDvN7q637Ht6n5C9QhuTPI%2FhWTub0F22jsp8lU2Pvp2bS%2FlaSchLRN5gDngyPABgnaqYERICP8QQkwfaB9pY%2Bii1%2FAeel%2BIDGYwxPPfIcYevejNv2O%2F0J6qYRftrtXwa95pbsecrfOzH6bpF3AzHQrTLJAuZ%2B%2BykW", "https://vtbehaviour.commondatastorage.googleapis.com/bc3cc97398d5f56a4731085e8a385694f6ef1ab37243c6c00deed4a1335ced55_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775281954&Signature=Tythlx%2B0x7Dzf2SYvJDgwby2Ifinb7IbK5GTx%2ByqvqVc1r4cz7rhoVD3NZqUAgUpxSkIAsRAK5WV5tMXUGiiB6JWp8Y9YmaL7Zhb5NxMBcodk57r7XhYzEbDxYg%2Fh1ChwMliA5cBr%2BXbUcW4q2aA4xQeNE1XVNpalGtyHh8bsDTKgQG0Ch1gikPF%2BeKc2ANprXe6z%2FJBXtqJBxh6%2Bem6fGON6%2BpRP1%2BgmNg4%2FtFnlQ", "https://vtbehaviour.commondatastorage.googleapis.com/bc3cc97398d5f56a4731085e8a385694f6ef1ab37243c6c00deed4a1335ced55_CAPE%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775281979&Signature=LrquDQAOc%2Bf90O7wkZ9lRNx5uIZopS4VL7qYn7UKkzTI19c7sNJWNdGeBPtnE%2FG4yxsv1tBxkoojr78E808e78vceGG2xskRT6tUTjtDo2c8JW%2FD9Mr5ZAVe8Cn%2BP%2BpCbBkZXbtaceCtVq0b9zVWx9YstN2ju69uofX50LbI%2FgmHh%2Bghta79DgdBrNmkcQEXDu7t%2FqSZSozfso9i%2BoSZdHXEfsU59hoc%2FhUSoPMEPGFU", "https://vtbehaviour.commondatastorage.googleapis.com/fa8a59149604c73572bf92b42640de49faa7e8f16cd4bc18345d3e6a16378744_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775282019&Signature=VwsuvdyY52E5jzftipHSNWVrwmO7YUwSQa9yHiMIgbsXcJDnDNcdELamMXjmvzDn%2FT6L5HguJFyj%2F4DHLmPfddzVphNAKCPvz3IRVae2piJ%2B8VWa2%2B98W3RjMft93LZhdNHwxeEYM8oJ%2FOjAjw%2FIicginJBUwlGeHX3kfTJieSEC7SYf6BkJ4UNfnF2pPQjiaAqG9mop%2FPKsB%2FF1K%2FrL7Rpsxwhl1rGglHYPM4%2BtJj6zDYx%2F", "https://vtbehaviour.commondatastorage.googleapis.com/fa8a59149604c73572bf92b42640de49faa7e8f16cd4bc18345d3e6a16378744_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775282044&Signature=Y%2FEJZwm3h4tUuhn9%2FgO7QDcTnUoojZIDnoL%2FuGaoe0o5h%2FPUEiZpyFQLH9JfrvNN0h58UWlcJNCMxaSZl%2BZDvBDliVat0wDr0fE35mo0jGTK3uwa7DykFrjyI0NAVFlzkVSyxC0euM4lSJaw9PqyJGgLb4FfaztkzK7ZQYTIsGMYWSsCAKzatCObwK%2B8nqV63M9VXUeJy8ZQx7IwbttNffD6FQUaPbtCwlsywb%2Bu7NVqkFSG", "https://www.icloud.com/attachment/?u=https%3a%2f%2f%cvws.icloud-content.com", "https://vtbehaviour.commondatastorage.googleapis.com/ba49f65ef5d694311c535991812ee2fa8f0c639f4e053d136c1161b8b1bfaf8f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775282803&Signature=CE28%2B8Orp96YBz3AWi4L4LJoj5B677T4lpyJl4VIG%2BN68qLtOorzpmY%2BdQgPcKJxqxcvmf3JmeA2zAZFyVdmEzznUnaiSY6xhbkbZ8nrReWLN9MBQZJuFd6by3aYlQoYFg2Bxu5d%2FLEAxWm4ljnJApBcv1csUNbJ8KxjkdXXAyPkiWPwMc4JDmXrnH5%2FXBQ7Tf1qxmze1lX2S5QvktDVUA3Bdn67nGtMvguY5EIl7tj1AezbuTFM", "https://vtbehaviour.commondatastorage.googleapis.com/68e1e958d101feb1044553d3e8ba341448a17d917e4b613cb05873814159ed40_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775282913&Signature=TKCWJVTu8VHNWLhsI%2BkIN06KJgV4R1%2F2oO9G3V2x%2Bdxi14E9JDPHosmNkN%2Fk02BRc0I8Yg4HJPmcxjdAvb8mTCZjA10bizFznZC3epwH0hmoxTVgryMxpD%2B7zTQqKIRpE9UGGC1WSu0CTJ3rI9dCyopLkmeiyJPVw%2BIuERp37p2MEwzwwIPRuYpB190GfOdCkGt6TuMjDG6cVa%2BxvJlEdoEw8US6W8WPaioxSu1KVCoKjwky", "https://vtbehaviour.commondatastorage.googleapis.com/ffe3319990984c10c84fc18f6c1d40b2c7ad44666ebc2b54368bd96327ec6abc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775283093&Signature=GU02WhsC3g0ztmDdXDNuqx9T9POv8DnaMp7NQX%2B70%2FybCmZtbIpyPiUCOuYG5ZD1RY8bCIR9k%2F%2BGsKSwWLVUNNih3CgvqShoWsNfLKvtS%2BDRbmV6G4ohLWIP0xPHJOCA%2FWvnSdblJ%2FdibwXFCT851RdpfK3f6ph2EPHXIq%2FBwhSc28%2BJfFSMK%2B1toESpR7COi%2FUwpnMfcoSpcIMZudaaU8JrTvEVLgtJ%2FAgHjmfoXxvJlD", "https://vtbehaviour.commondatastorage.googleapis.com/02b1749e96b257099d5bafaeb1fc502442b4e064cca63fbcf4fc52af34b6435d_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775283154&Signature=m%2BGdulpws9rcUoJIzr45sR5qJdIxK89UYb6GUJL6p7n4mgYV69NJWbc3Jslcn117UKHnbSYYtRZSBRhviHhLuWsbhUG199mW8iGDiwaarp%2BbvmEIw6OXF2MgVIh%2FrJYr8slRZbUwjd9t8dMWwn%2FM5DNq6AzLyBqpznrBoVrvlibZuA9pWsHraA3P24WyEGUlbWN3NqLfmJ6gDeCKRfG7zhubGI%2Bb8Wl8GaBCodOtX2LlrA", "https://vtbehaviour.commondatastorage.googleapis.com/3e6e0898a7b1b297d2b9322f5f578b02e2fd5d5647dbeef6b9273cda383e1547_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775283189&Signature=PtLPpZoeHrLkYIaV2etyfYslOxR9PtxqmjNNDdMHoJjBUuweFaoOVGyfkf%2BUGEiGQCogCu7az%2B4btIJ3frL%2BEdzwNV7Ufeb24KQqbVUQrVITPGPCW42mMdsKdDoNQsqLooDqFsjxRGt2meZgP3F3roSTIWDEJPwr35bBBkdANOOdXZG1mg3O8JHm35%2BBQMkSxOiAxeftigjPK7On%2Fk%2FvMli1USxDUfi2eRlkRaL090nKenRXt3cz4FEBe8" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 359, "email": 2, "hostname": 664, "URL": 794, "FileHash-SHA256": 827, "FileHash-MD5": 21, "FileHash-SHA1": 17 }, "indicator_count": 2684, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "28 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69cf461ceb2e58f5e3c0a44d", "name": "VirusTotal Droidy Android Sandbox", "description": "Here is the full list of results from the second day of the 2016 Android World Championship, held at 22:00 BST on Tuesday, 1 July.. . and \u00c2\u00a31.\n\ni cant add this one - legacy - http://100tosdefotos.com/", "modified": "2026-05-03T04:09:43.062000", "created": "2026-04-03T04:46:20.102000", "tags": [ "process", "current object", "android sandbox", "europemadrid", "windows sandbox", "clear filters", "has permission", "file type", "apks", "accesses", "sim provider", "name", "may check", "mitre attack", "network info", "malicious", "persistence", "cloud", "chrome cache", "png image", "cache entry", "rgba", "entry", "web open", "font format", "version", "truetype", "next", "detail info", "text", "classname", "window", "static", "behaviour", "filename", "offset", "class", "button", "mozilla", "shell", "nsis", "find", "back", "state", "connecting", "connected", "suspended", "disconnected", "unknown", "shell folders", "default", "inprocserver32", "new roman", "registry keys", "nothing", "shell dlg", "roman baltic186", "roman cyr204", "roman tur162", "xffxfea xffxfea", "xffu xffu", "xffxfcs xffxfcs", "x8af x8af", "xb6p xb6p", "xb6y xb6y", "x88g x88g", "xb6xf2 xb6xf2", "xfft", "xc1xe7 xc1xe7", "axec", "programfiles", "allusersprofile", "windir", "protocol level", "application", "previous", "next connection", "address", "full path", "behavior", "bits", "dump", "path", "calls clear", "eandroidruntime", "pufwifi", "flag", "networkinfo", "action", "extras", "start", "componentname", "write", "calls process", "cname", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "address virtual", "path c", "sha256", "accept", "shutdown", "error", "sandbox", "stack", "win32 exe", "pe32", "intel", "ms windows", "win16 ne", "os2 executable", "generic windos", "executable", "dos executable", "generic", "processes extra", "performs dns", "t1055 process", "overview", "overview zenbox", "verdict", "guest system", "ultimate file", "android", "zip archive", "xapk android", "android package", "java archive", "sweet home", "design", "html document", "unicode text", "utf8 text", "crlf", "lf line", "language", "date mon", "gmt contenttype", "connection", "link", "json", "xlitespeedcache", "reportto", "server", "contentencoding", "cfray", "king88", "ch cng", "c thit", "c bit", "iu hp", "trang ch", "king88 com", "ci ng", "cp s", "c vit", "object", "string", "number", "null", "function", "g5wmgjr5qk4", "cssselector", "regexp", "date", "void", "trident", "mini", "meta", "please", "javascript", "members", "staff", "inspection", "abip", "local broadcast", "newsletter fcc", "resource center", "marshfield high", "school", "localism join", "facebook", "contact", "summer", "grave", "email", "photo", "strong", "peter deftos", "sign", "learn", "memorial", "leave", "problem", "done", "already", "close", "verify", "twitter", "details", "full", "persist", "editorimpl" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/a0fb314babd51dbc460ab126b615da4c6f9481f5d1225d0ac189da9d99923bb3_VirusTotal%20Droidy.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775189779&Signature=KfMCCyf96T3bMlo9SpmV1KGK0zKBbkhhSc6Ig5Hvwfx%2FTKTqEVBDXB28XNeWzWbCRTwCNnYlHV3Ed%2BMjcd%2B1aCTDYi5GH9Qw3msxqk5iKwRhzDIhfpM98SwOLC%2B7xZUAC60ecDmVDsjA9OOwOkJe87q3Rrx2lrU9%2BjuSJ1EdwI16qoJyd29sLcX7STTqAMHuzCjIixIOre64HAjpH4lt%2F8tSgE1A5Rs2V7PRHSX6ibKLD", "https://vtbehaviour.commondatastorage.googleapis.com/a0fb314babd51dbc460ab126b615da4c6f9481f5d1225d0ac189da9d99923bb3_VirusTotal%20R2DBox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775189811&Signature=O96heM5BVAaltXSZInHXgIgK35KjLrLg%2FfKtFXVS%2BoRHTlfpZtn4LpFvolATpK7dED66Ms7SXpn8nX0i7j1IpuDOXOXSm112TOKIKVVPZJH5ppCD6uFYvhkfNcQGa%2FXK%2BDixyM%2BuqwGoJSFD6QzP8J2Iz1GyU4RYYWuB2C7ZD7LOWKlvxF%2F9LTAX8jFDLgFVsE3Og3cU8y3jK%2BenDPthRM6YFu3qewxpti7KVNwKeMJ", "https://vtbehaviour.commondatastorage.googleapis.com/a0fb314babd51dbc460ab126b615da4c6f9481f5d1225d0ac189da9d99923bb3_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775189872&Signature=P%2Fa2KXhuVwj4RO8cyfIpkYofLKzsLiKRPHuVAi7hjApskLh84OqCfKuK51z7bTKZd8lCCiQ7XuIaxWQDR7qzDFvuCWutobNhKDdHSDLrTMtqqX3o5RmBpSzMUw3jQJcbxsYWqaOMHy8ZeWEVRuB9orvLwMZbJMMIJM8GhUVHZ6%2BwciVIoj0lYTCb%2FEEkQWTV4g3hs9l8KRzbEfvJGja6ANuv1OtdFLk8pejrraAJMB7ThsjINOXbJb", "https://vtbehaviour.commondatastorage.googleapis.com/5dae281deccea2c5229861b4f2ff8c386da1726a836839961311896a6c9f5a69_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775189913&Signature=KduKv0QQf8IKhUUAV%2F0zpzpUmIU%2BEctpJKxUJlyu0Myu11iCQCXfXPprtMBAv5ifc4GLTHDiIuEAJwg%2B%2BHGWjun5ZKLKzoz8Ot2udHqFxvy6ZToPEC4Iui9vdRDHqosVaT77R1Tm1TGuyKVmwYTcow4klVAcpzEWanzWx1jHS42ARepJVrS3AFXHMaaBdTgr23jXcbmly1t3b8lwVilcsk2itdoprPpClQTzwYr1y7YV1%2FbYTDGocHnDwCYy", "https://vtbehaviour.commondatastorage.googleapis.com/37efacb8411234dd9882d8d3a8709f492eb2ed252132da099a11be07c0b4ccb0_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775189954&Signature=2gy%2BsyEM78P6orDGWKQU%2FFPSIdVK9X7o8Nkcwb%2BY4r%2FCb%2Bo9JmA9T%2Bfonw9IqbojQSIK%2BNShZUJJ9GV4wWT5l1QfkYfZP0MJ91%2BkDw39PLOc4VVgmBApIQJRTIlgSlI020YfOeIPoIYH8yuCF2dJ32zKg87g0dDFkg4zbExGDJB3%2BGDxX5MJ6hHuzVrwxm7E1L%2F%2FffKQ%2B9rXqoT0hRHEdPSaXSydmnqfMfnjCv", "https://vtbehaviour.commondatastorage.googleapis.com/970fdc4da66bc8fff977698c150fc6ebdf9488356ed41ded52d2659830ec5353_VirusTotal%20Droidy.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775189984&Signature=f%2FZZkKTu5zUihkCuCj%2F0pEGmBjWWBiZRDmREgGkkkKvTyR7M5iC0oLGYfaL6WibiUB6pQirxgBtEcS2JtupD291Or3j7%2BKoyngW7R9uf%2FjjWQwfC5YHKjNutT6K5TYuEmzySVs9onhIBSjj4U%2Bi2q%2FMJmQFiDtFZHfcyy00LYqbAbBwEAUnVJZUdH6FvNBu4ArU26VDLDwv1nMSgEjxUWBCwiP4HXlwL5%2BxU6y0eTc2", "https://vtbehaviour.commondatastorage.googleapis.com/37efacb8411234dd9882d8d3a8709f492eb2ed252132da099a11be07c0b4ccb0_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190004&Signature=Nzt9YHY3Ji2VsLO1kvr7%2FyWWwOgo%2BCIoXyjtyshhzTGRxGzhcNdyKU9byPqyv%2F5YAzj%2BmNnDego3ImYeToBCbgyY%2BJJMmUKX6ZrUT1a2O4gv9eMyysIFgYhJ7ZpzyGIvHR5VSJlzPX0AWS81Ml7syDCjTGHikZ9G%2B%2B0cfDA0dhp%2FR7zhAp7yxB2jsDhz1kDY3nncYpjeVtj2o02Nt4JxPa5ML%2FvKBF%2FBHtOtBCqh%2", "https://vtbehaviour.commondatastorage.googleapis.com/1256f3aa5f091ac40a573113fcc1a4d0e320af5ee363b0eca79618602cb7dc66_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190083&Signature=a1bnyt5OUcTN8ONeNVqbY%2Fe%2FDVJ2N3olQ9r59dijMLLegF84xQDghj0r6VPdFB8fc%2B3QTcJqhpm6vag1pK9us%2F3UqDJ3Yubf%2FukjL4GMKXDdMSggljB7d%2FpkTraQysnttspVal56LzXitjgIEGYZTidKcIv5LM6YH4zCAXn%2BVueaBNIgpcDS0RuX8fVAQYOeftW9AiEz2TZzx1BT6KUgoj0Tzetn4k541357bb58K1w9n9QV1", "https://vtbehaviour.commondatastorage.googleapis.com/1256f3aa5f091ac40a573113fcc1a4d0e320af5ee363b0eca79618602cb7dc66_Dr.Web%20vxCube.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190146&Signature=3XpRLUQ3g712Vw0Gv1aflVxZs7RKpzIhEK8giO9ydwOrOGjLnAK89Y%2BmEf4g2U2YbO04EE%2BcdR5xPgcch1%2B1Gf4thYCgBcbKEEIfNK5UrJwBpAkYRm3D9xsnD%2FVxZt26yLC6aQy87D%2FKNC9aLvViRHGxuFgOp4zkcU%2BRD6mmpIB8SpX5%2BDpocWc4s9R%2BywRPXZ2U2E49g81i%2B5io3Ycqe8ikdjbPlZo9R0KEFLaDQtH", "https://vtbehaviour.commondatastorage.googleapis.com/37efacb8411234dd9882d8d3a8709f492eb2ed252132da099a11be07c0b4ccb0_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190199&Signature=RiO2p%2BBvc38TqeTuiMJNxoT6Jr3JfHvTQFQIk94ZaRY%2FPP5yEPSH45GncMCh4GqP1%2F%2BNLR2IVm5Z2svEWojLwxq%2Fl0eIAWy1chUQmg2GcEg5YoaEEnXpWjb1er08EIYwV0ZC8parFwVrr194MKeUmZYo5NLYk4%2BCim9ipnxYse12eROsMSXZtyS4daGivzQzihRqTUU9iEn%2FxAKEOI%2F3V8JRrqNy3nDqmo1mdoVr", "https://vtbehaviour.commondatastorage.googleapis.com/bc20f137a2281fae2ee13f698e613e72c37f6b4eb6784653f284f11f4d83ba77_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190236&Signature=Fg7jPZWmHQO%2BH8GRQx%2FxSMq5Na7Oo9cN0HR99DHFY8svYTkPoerGELKx7Sf906aTDq2Rer45ajXeYPzzHTiab9NKqWR1JGHbaq0WapVqsRzvXz2QLuBhHoz50tIoVKnx8ZrN9HqHBQweg8nfN%2FWEoaHVlSgav3jhoNTnZAC%2Fa%2BsTLexjXFBIP2v4jpISAl82ESU%2FGZH64BtZpgIJz7RZXdDqZ3LF7JTgwG2JX94%2BOOSn3G14", "https://vtbehaviour.commondatastorage.googleapis.com/5dae281deccea2c5229861b4f2ff8c386da1726a836839961311896a6c9f5a69_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190298&Signature=eEF6m7QHRnKk%2FYB374HxqU2TE0p8gXC9CWwIHPT7M6fEZKjeFUEmUEbqdupsD2hQQbkW%2Fmijo2rSEQ30q3EAyR9aQO3m6L91A6osc3kDipeyZqFrIqoj6wIe8MJGuRf4OC9cVAWipGYXPG5bqc3v6RUHir9MeLOggoGjalexCwBgs3SsGyhqU1uWZdJ%2Fs4nUbHyIJGc3FB9OrnhDRuGPdkfPSOA09hfujcul91zQNws4dznvmM", "https://vtbehaviour.commondatastorage.googleapis.com/a0fb314babd51dbc460ab126b615da4c6f9481f5d1225d0ac189da9d99923bb3_VirusTotal%20Droidy.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190345&Signature=33%2BM36uNOvEfi8bNtJvnbxcTgcnoIlIO2vBglXpCJFNwC8HAewGOF91Q26TOAsw4sbmtTxQ2F5Q2jv2V3ULV8MAxxgYVptJ69SusRt7qZeBDUpMY%2BOdTYqjkdBuYUqYiCvM756aQheS1KvDepeD64x8e%2FivWkpm%2BZ9yDaKUc7w2143zYkc8kpyBSsO8rJI9vyoHYvbr4sfZOowoUWK7yMjQD9SN5bL%2FFABbMrPEOMyobApm", "https://vtbehaviour.commondatastorage.googleapis.com/06b6d62477011fa63fdb44046351fbe574391916a4f3ea0486b3e3498145a7d7_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190407&Signature=Y3EAa%2Fwo4ligJHfBUxkzWLjU9FPLyNmsxeNdcPCIPQBYTTGUIaFddrFIYHFhawxMDvixd7uA0qGc0zVDWgbStf2qhTOU1D0aF%2F%2BSLSXEY3VB8oWRXZCEI12zrSd5P4lHInxRS3CJKbNnJP4GvYx20ctpNSo4u%2FvVMLM%2B92TiYCunAVTquDVrFNNim6LJTEz2ucjhcgF2gKn%2FF0f9ALEheC1lk4omwpcYEPQLNX0wNsxNC%2BWQ", "https://vtbehaviour.commondatastorage.googleapis.com/bb46c18b5b2c98937c8fdfb7acd3e0fa4d0534cfc44d4b41ccd6db9198266fbf_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190605&Signature=Rcvj5v%2By7yAX52ap8q3zDGTMjVRQm1LkjuWyhDQUaO6QXR1Ld%2F1dD2QjluOGOuXNiW%2FMNP%2Bqj%2Bx6KtYCvttE847keFo1Em2Bm%2F8bv4vK%2FJL0nGIiz%2FatgO7O78LZZ1wkYwcfG5JZAj8VdjDlHQbuOIUz8Nahqt2JUyQ84z3OeH5d3%2BjV8NKW5SjGWQw4mcmjPQXUznoCsysLbjCd5sgZTpyLUdeFJcNKQPiNBURsJeiyCI5llz0j", "https://www.googletagmanager.com/gtag/js?id=GT-NNS2QH6C", "https://www.googletagmanager.com/ns.html?id=GTM-PHWTRTJ", "https://www.virustotal.com/gui/url/f6db0235760bd467ca822ad515a8410121fde4713501b3e718b8fb127dfa259c?nocache=1", "https://www.massbroadcasters.org/eeo-organizations/marshfield-high-school", "https://www.findagrave.com/memorial/139047900/peter-deftos", "https://vtbehaviour.commondatastorage.googleapis.com/a041cbdeb64c802bde90e06f25213524b2eac500d6000da7e4caeb96e5de1991_VirusTotal%20Droidy.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775191439&Signature=evxsL1kaOuLe5KziYCSqZ56H%2FqXRQgEN0tkJo0j5G7JQ3mmO0Kav5K9LCz%2FUEzi%2BdtB%2B3%2B7VM6r9pC%2BMh7nHxT%2Bs8UAYuVXPE%2FUbBdHWMjvZQuqrZ0hHqIR2xHVB132HiYQWLo%2FgS1QATOfAcHci3X4FqmqvUp7A%2FmNsE1aVFbLc971RHQOuTapOGhiDZlVUyA9KvpMDKw0DzdeHFSlayBSrDDsWL7xW06XOf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1409", "name": "Access Stored Application Data", "display_name": "T1409 - Access Stored Application Data" }, { "id": "T1412", "name": "Capture SMS Messages", "display_name": "T1412 - Capture SMS Messages" }, { "id": "T1413", "name": "Access Sensitive Data in Device Logs", "display_name": "T1413 - Access Sensitive Data in Device Logs" }, { "id": "T1414", "name": "Capture Clipboard Data", "display_name": "T1414 - Capture Clipboard Data" }, { "id": "T1418", "name": "Application Discovery", "display_name": "T1418 - Application Discovery" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1422", "name": "System Network Configuration Discovery", "display_name": "T1422 - System Network Configuration Discovery" }, { "id": "T1424", "name": "Process Discovery", "display_name": "T1424 - Process Discovery" }, { "id": "T1426", "name": "System Information Discovery", "display_name": "T1426 - System Information Discovery" }, { "id": "T1429", "name": "Capture Audio", "display_name": "T1429 - Capture Audio" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" }, { "id": "T1432", "name": "Access Contact List", "display_name": "T1432 - Access Contact List" }, { "id": "T1439", "name": "Eavesdrop on Insecure Network Communication", "display_name": "T1439 - Eavesdrop on Insecure Network Communication" }, { "id": "T1447", "name": "Delete Device Data", "display_name": "T1447 - Delete Device Data" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1507", "name": "Network Information Discovery", "display_name": "T1507 - Network Information Discovery" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1523", "name": "Evade Analysis Environment", "display_name": "T1523 - Evade Analysis Environment" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 70, "FileHash-SHA1": 40, "FileHash-SHA256": 549, "URL": 344, "domain": 293, "hostname": 443 }, "indicator_count": 1739, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "29 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69cf461ebc1a9bcfbffa2aad", "name": "VirusTotal Droidy Android Sandbox", "description": "Here is the full list of results from the second day of the 2016 Android World Championship, held at 22:00 BST on Tuesday, 1 July.. . and \u00c2\u00a31.\n\ni cant add this one - legacy - http://100tosdefotos.com/", "modified": "2026-05-03T04:09:43.062000", "created": "2026-04-03T04:46:22.211000", "tags": [ "process", "current object", "android sandbox", "europemadrid", "windows sandbox", "clear filters", "has permission", "file type", "apks", "accesses", "sim provider", "name", "may check", "mitre attack", "network info", "malicious", "persistence", "cloud", "chrome cache", "png image", "cache entry", "rgba", "entry", "web open", "font format", "version", "truetype", "next", "detail info", "text", "classname", "window", "static", "behaviour", "filename", "offset", "class", "button", "mozilla", "shell", "nsis", "find", "back", "state", "connecting", "connected", "suspended", "disconnected", "unknown", "shell folders", "default", "inprocserver32", "new roman", "registry keys", "nothing", "shell dlg", "roman baltic186", "roman cyr204", "roman tur162", "xffxfea xffxfea", "xffu xffu", "xffxfcs xffxfcs", "x8af x8af", "xb6p xb6p", "xb6y xb6y", "x88g x88g", "xb6xf2 xb6xf2", "xfft", "xc1xe7 xc1xe7", "axec", "programfiles", "allusersprofile", "windir", "protocol level", "application", "previous", "next connection", "address", "full path", "behavior", "bits", "dump", "path", "calls clear", "eandroidruntime", "pufwifi", "flag", "networkinfo", "action", "extras", "start", "componentname", "write", "calls process", "cname", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "address virtual", "path c", "sha256", "accept", "shutdown", "error", "sandbox", "stack", "win32 exe", "pe32", "intel", "ms windows", "win16 ne", "os2 executable", "generic windos", "executable", "dos executable", "generic", "processes extra", "performs dns", "t1055 process", "overview", "overview zenbox", "verdict", "guest system", "ultimate file", "android", "zip archive", "xapk android", "android package", "java archive", "sweet home", "design", "html document", "unicode text", "utf8 text", "crlf", "lf line", "language", "date mon", "gmt contenttype", "connection", "link", "json", "xlitespeedcache", "reportto", "server", "contentencoding", "cfray", "king88", "ch cng", "c thit", "c bit", "iu hp", "trang ch", "king88 com", "ci ng", "cp s", "c vit", "object", "string", "number", "null", "function", "g5wmgjr5qk4", "cssselector", "regexp", "date", "void", "trident", "mini", "meta", "please", "javascript", "members", "staff", "inspection", "abip", "local broadcast", "newsletter fcc", "resource center", "marshfield high", "school", "localism join", "facebook", "contact", "summer", "grave", "email", "photo", "strong", "peter deftos", "sign", "learn", "memorial", "leave", "problem", "done", "already", "close", "verify", "twitter", "details", "full", "persist", "editorimpl" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/a0fb314babd51dbc460ab126b615da4c6f9481f5d1225d0ac189da9d99923bb3_VirusTotal%20Droidy.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775189779&Signature=KfMCCyf96T3bMlo9SpmV1KGK0zKBbkhhSc6Ig5Hvwfx%2FTKTqEVBDXB28XNeWzWbCRTwCNnYlHV3Ed%2BMjcd%2B1aCTDYi5GH9Qw3msxqk5iKwRhzDIhfpM98SwOLC%2B7xZUAC60ecDmVDsjA9OOwOkJe87q3Rrx2lrU9%2BjuSJ1EdwI16qoJyd29sLcX7STTqAMHuzCjIixIOre64HAjpH4lt%2F8tSgE1A5Rs2V7PRHSX6ibKLD", "https://vtbehaviour.commondatastorage.googleapis.com/a0fb314babd51dbc460ab126b615da4c6f9481f5d1225d0ac189da9d99923bb3_VirusTotal%20R2DBox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775189811&Signature=O96heM5BVAaltXSZInHXgIgK35KjLrLg%2FfKtFXVS%2BoRHTlfpZtn4LpFvolATpK7dED66Ms7SXpn8nX0i7j1IpuDOXOXSm112TOKIKVVPZJH5ppCD6uFYvhkfNcQGa%2FXK%2BDixyM%2BuqwGoJSFD6QzP8J2Iz1GyU4RYYWuB2C7ZD7LOWKlvxF%2F9LTAX8jFDLgFVsE3Og3cU8y3jK%2BenDPthRM6YFu3qewxpti7KVNwKeMJ", "https://vtbehaviour.commondatastorage.googleapis.com/a0fb314babd51dbc460ab126b615da4c6f9481f5d1225d0ac189da9d99923bb3_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775189872&Signature=P%2Fa2KXhuVwj4RO8cyfIpkYofLKzsLiKRPHuVAi7hjApskLh84OqCfKuK51z7bTKZd8lCCiQ7XuIaxWQDR7qzDFvuCWutobNhKDdHSDLrTMtqqX3o5RmBpSzMUw3jQJcbxsYWqaOMHy8ZeWEVRuB9orvLwMZbJMMIJM8GhUVHZ6%2BwciVIoj0lYTCb%2FEEkQWTV4g3hs9l8KRzbEfvJGja6ANuv1OtdFLk8pejrraAJMB7ThsjINOXbJb", "https://vtbehaviour.commondatastorage.googleapis.com/5dae281deccea2c5229861b4f2ff8c386da1726a836839961311896a6c9f5a69_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775189913&Signature=KduKv0QQf8IKhUUAV%2F0zpzpUmIU%2BEctpJKxUJlyu0Myu11iCQCXfXPprtMBAv5ifc4GLTHDiIuEAJwg%2B%2BHGWjun5ZKLKzoz8Ot2udHqFxvy6ZToPEC4Iui9vdRDHqosVaT77R1Tm1TGuyKVmwYTcow4klVAcpzEWanzWx1jHS42ARepJVrS3AFXHMaaBdTgr23jXcbmly1t3b8lwVilcsk2itdoprPpClQTzwYr1y7YV1%2FbYTDGocHnDwCYy", "https://vtbehaviour.commondatastorage.googleapis.com/37efacb8411234dd9882d8d3a8709f492eb2ed252132da099a11be07c0b4ccb0_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775189954&Signature=2gy%2BsyEM78P6orDGWKQU%2FFPSIdVK9X7o8Nkcwb%2BY4r%2FCb%2Bo9JmA9T%2Bfonw9IqbojQSIK%2BNShZUJJ9GV4wWT5l1QfkYfZP0MJ91%2BkDw39PLOc4VVgmBApIQJRTIlgSlI020YfOeIPoIYH8yuCF2dJ32zKg87g0dDFkg4zbExGDJB3%2BGDxX5MJ6hHuzVrwxm7E1L%2F%2FffKQ%2B9rXqoT0hRHEdPSaXSydmnqfMfnjCv", "https://vtbehaviour.commondatastorage.googleapis.com/970fdc4da66bc8fff977698c150fc6ebdf9488356ed41ded52d2659830ec5353_VirusTotal%20Droidy.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775189984&Signature=f%2FZZkKTu5zUihkCuCj%2F0pEGmBjWWBiZRDmREgGkkkKvTyR7M5iC0oLGYfaL6WibiUB6pQirxgBtEcS2JtupD291Or3j7%2BKoyngW7R9uf%2FjjWQwfC5YHKjNutT6K5TYuEmzySVs9onhIBSjj4U%2Bi2q%2FMJmQFiDtFZHfcyy00LYqbAbBwEAUnVJZUdH6FvNBu4ArU26VDLDwv1nMSgEjxUWBCwiP4HXlwL5%2BxU6y0eTc2", "https://vtbehaviour.commondatastorage.googleapis.com/37efacb8411234dd9882d8d3a8709f492eb2ed252132da099a11be07c0b4ccb0_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190004&Signature=Nzt9YHY3Ji2VsLO1kvr7%2FyWWwOgo%2BCIoXyjtyshhzTGRxGzhcNdyKU9byPqyv%2F5YAzj%2BmNnDego3ImYeToBCbgyY%2BJJMmUKX6ZrUT1a2O4gv9eMyysIFgYhJ7ZpzyGIvHR5VSJlzPX0AWS81Ml7syDCjTGHikZ9G%2B%2B0cfDA0dhp%2FR7zhAp7yxB2jsDhz1kDY3nncYpjeVtj2o02Nt4JxPa5ML%2FvKBF%2FBHtOtBCqh%2", "https://vtbehaviour.commondatastorage.googleapis.com/1256f3aa5f091ac40a573113fcc1a4d0e320af5ee363b0eca79618602cb7dc66_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190083&Signature=a1bnyt5OUcTN8ONeNVqbY%2Fe%2FDVJ2N3olQ9r59dijMLLegF84xQDghj0r6VPdFB8fc%2B3QTcJqhpm6vag1pK9us%2F3UqDJ3Yubf%2FukjL4GMKXDdMSggljB7d%2FpkTraQysnttspVal56LzXitjgIEGYZTidKcIv5LM6YH4zCAXn%2BVueaBNIgpcDS0RuX8fVAQYOeftW9AiEz2TZzx1BT6KUgoj0Tzetn4k541357bb58K1w9n9QV1", "https://vtbehaviour.commondatastorage.googleapis.com/1256f3aa5f091ac40a573113fcc1a4d0e320af5ee363b0eca79618602cb7dc66_Dr.Web%20vxCube.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190146&Signature=3XpRLUQ3g712Vw0Gv1aflVxZs7RKpzIhEK8giO9ydwOrOGjLnAK89Y%2BmEf4g2U2YbO04EE%2BcdR5xPgcch1%2B1Gf4thYCgBcbKEEIfNK5UrJwBpAkYRm3D9xsnD%2FVxZt26yLC6aQy87D%2FKNC9aLvViRHGxuFgOp4zkcU%2BRD6mmpIB8SpX5%2BDpocWc4s9R%2BywRPXZ2U2E49g81i%2B5io3Ycqe8ikdjbPlZo9R0KEFLaDQtH", "https://vtbehaviour.commondatastorage.googleapis.com/37efacb8411234dd9882d8d3a8709f492eb2ed252132da099a11be07c0b4ccb0_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190199&Signature=RiO2p%2BBvc38TqeTuiMJNxoT6Jr3JfHvTQFQIk94ZaRY%2FPP5yEPSH45GncMCh4GqP1%2F%2BNLR2IVm5Z2svEWojLwxq%2Fl0eIAWy1chUQmg2GcEg5YoaEEnXpWjb1er08EIYwV0ZC8parFwVrr194MKeUmZYo5NLYk4%2BCim9ipnxYse12eROsMSXZtyS4daGivzQzihRqTUU9iEn%2FxAKEOI%2F3V8JRrqNy3nDqmo1mdoVr", "https://vtbehaviour.commondatastorage.googleapis.com/bc20f137a2281fae2ee13f698e613e72c37f6b4eb6784653f284f11f4d83ba77_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190236&Signature=Fg7jPZWmHQO%2BH8GRQx%2FxSMq5Na7Oo9cN0HR99DHFY8svYTkPoerGELKx7Sf906aTDq2Rer45ajXeYPzzHTiab9NKqWR1JGHbaq0WapVqsRzvXz2QLuBhHoz50tIoVKnx8ZrN9HqHBQweg8nfN%2FWEoaHVlSgav3jhoNTnZAC%2Fa%2BsTLexjXFBIP2v4jpISAl82ESU%2FGZH64BtZpgIJz7RZXdDqZ3LF7JTgwG2JX94%2BOOSn3G14", "https://vtbehaviour.commondatastorage.googleapis.com/5dae281deccea2c5229861b4f2ff8c386da1726a836839961311896a6c9f5a69_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190298&Signature=eEF6m7QHRnKk%2FYB374HxqU2TE0p8gXC9CWwIHPT7M6fEZKjeFUEmUEbqdupsD2hQQbkW%2Fmijo2rSEQ30q3EAyR9aQO3m6L91A6osc3kDipeyZqFrIqoj6wIe8MJGuRf4OC9cVAWipGYXPG5bqc3v6RUHir9MeLOggoGjalexCwBgs3SsGyhqU1uWZdJ%2Fs4nUbHyIJGc3FB9OrnhDRuGPdkfPSOA09hfujcul91zQNws4dznvmM", "https://vtbehaviour.commondatastorage.googleapis.com/a0fb314babd51dbc460ab126b615da4c6f9481f5d1225d0ac189da9d99923bb3_VirusTotal%20Droidy.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190345&Signature=33%2BM36uNOvEfi8bNtJvnbxcTgcnoIlIO2vBglXpCJFNwC8HAewGOF91Q26TOAsw4sbmtTxQ2F5Q2jv2V3ULV8MAxxgYVptJ69SusRt7qZeBDUpMY%2BOdTYqjkdBuYUqYiCvM756aQheS1KvDepeD64x8e%2FivWkpm%2BZ9yDaKUc7w2143zYkc8kpyBSsO8rJI9vyoHYvbr4sfZOowoUWK7yMjQD9SN5bL%2FFABbMrPEOMyobApm", "https://vtbehaviour.commondatastorage.googleapis.com/06b6d62477011fa63fdb44046351fbe574391916a4f3ea0486b3e3498145a7d7_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190407&Signature=Y3EAa%2Fwo4ligJHfBUxkzWLjU9FPLyNmsxeNdcPCIPQBYTTGUIaFddrFIYHFhawxMDvixd7uA0qGc0zVDWgbStf2qhTOU1D0aF%2F%2BSLSXEY3VB8oWRXZCEI12zrSd5P4lHInxRS3CJKbNnJP4GvYx20ctpNSo4u%2FvVMLM%2B92TiYCunAVTquDVrFNNim6LJTEz2ucjhcgF2gKn%2FF0f9ALEheC1lk4omwpcYEPQLNX0wNsxNC%2BWQ", "https://vtbehaviour.commondatastorage.googleapis.com/bb46c18b5b2c98937c8fdfb7acd3e0fa4d0534cfc44d4b41ccd6db9198266fbf_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190605&Signature=Rcvj5v%2By7yAX52ap8q3zDGTMjVRQm1LkjuWyhDQUaO6QXR1Ld%2F1dD2QjluOGOuXNiW%2FMNP%2Bqj%2Bx6KtYCvttE847keFo1Em2Bm%2F8bv4vK%2FJL0nGIiz%2FatgO7O78LZZ1wkYwcfG5JZAj8VdjDlHQbuOIUz8Nahqt2JUyQ84z3OeH5d3%2BjV8NKW5SjGWQw4mcmjPQXUznoCsysLbjCd5sgZTpyLUdeFJcNKQPiNBURsJeiyCI5llz0j", "https://www.googletagmanager.com/gtag/js?id=GT-NNS2QH6C", "https://www.googletagmanager.com/ns.html?id=GTM-PHWTRTJ", "https://www.virustotal.com/gui/url/f6db0235760bd467ca822ad515a8410121fde4713501b3e718b8fb127dfa259c?nocache=1", "https://www.massbroadcasters.org/eeo-organizations/marshfield-high-school", "https://www.findagrave.com/memorial/139047900/peter-deftos", "https://vtbehaviour.commondatastorage.googleapis.com/a041cbdeb64c802bde90e06f25213524b2eac500d6000da7e4caeb96e5de1991_VirusTotal%20Droidy.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775191439&Signature=evxsL1kaOuLe5KziYCSqZ56H%2FqXRQgEN0tkJo0j5G7JQ3mmO0Kav5K9LCz%2FUEzi%2BdtB%2B3%2B7VM6r9pC%2BMh7nHxT%2Bs8UAYuVXPE%2FUbBdHWMjvZQuqrZ0hHqIR2xHVB132HiYQWLo%2FgS1QATOfAcHci3X4FqmqvUp7A%2FmNsE1aVFbLc971RHQOuTapOGhiDZlVUyA9KvpMDKw0DzdeHFSlayBSrDDsWL7xW06XOf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1409", "name": "Access Stored Application Data", "display_name": "T1409 - Access Stored Application Data" }, { "id": "T1412", "name": "Capture SMS Messages", "display_name": "T1412 - Capture SMS Messages" }, { "id": "T1413", "name": "Access Sensitive Data in Device Logs", "display_name": "T1413 - Access Sensitive Data in Device Logs" }, { "id": "T1414", "name": "Capture Clipboard Data", "display_name": "T1414 - Capture Clipboard Data" }, { "id": "T1418", "name": "Application Discovery", "display_name": "T1418 - Application Discovery" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1422", "name": "System Network Configuration Discovery", "display_name": "T1422 - System Network Configuration Discovery" }, { "id": "T1424", "name": "Process Discovery", "display_name": "T1424 - Process Discovery" }, { "id": "T1426", "name": "System Information Discovery", "display_name": "T1426 - System Information Discovery" }, { "id": "T1429", "name": "Capture Audio", "display_name": "T1429 - Capture Audio" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" }, { "id": "T1432", "name": "Access Contact List", "display_name": "T1432 - Access Contact List" }, { "id": "T1439", "name": "Eavesdrop on Insecure Network Communication", "display_name": "T1439 - Eavesdrop on Insecure Network Communication" }, { "id": "T1447", "name": "Delete Device Data", "display_name": "T1447 - Delete Device Data" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1507", "name": "Network Information Discovery", "display_name": "T1507 - Network Information Discovery" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1523", "name": "Evade Analysis Environment", "display_name": "T1523 - Evade Analysis Environment" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 70, "FileHash-SHA1": 40, "FileHash-SHA256": 549, "URL": 344, "domain": 292, "hostname": 443 }, "indicator_count": 1738, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "29 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6992bae83a5988dff8311490", "name": "Distributed Credential Exhaustion & C2 Orchestration via Golang-Based StealthWorker (ELF.Agent-VW)", "description": "Researcher credit: msudosos, level blue platform----\nThis artifact represents a high-integrity StealthWorker (GoBrut) botnet agent, architected as a statically linked, stripped 32-bit ELF binary to ensure cross-platform environmental independence. The sample utilizes XOR 0x20-encoded JavaScript payloads and String.fromCharCode obfuscation to mask its internal logic and bypass heuristic-based memory scanners. [User Notes] Its operational core is a multi-threaded service bruter targeting SSH, MySQL, and CMS backends, leveraging a massive infrastructure of 1,834 domains and 797 unique IPv4 endpoints for decentralized Command & Control (C2). Network telemetry confirms the use of ICMP and HTTP-based beaconing, indicating a sophisticated retry logic designed to maintain persistence across diverse network topologies. With a malicious file score of 10, this binary serves as a primary vector for large-scale credential harvesting and the subsequent integration of Linux infrastructure into global botnet clusters.", "modified": "2026-04-24T13:20:48.450000", "created": "2026-02-16T06:36:24.788000", "tags": [ "Obfuscation: XOR-based String Encryption (0x20)", "T1110.001 (Brute Force: Password Guessing)", "Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba", "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf", "#PotentialUS-Origin_FalseFlag_Obfuscation" ], "references": [ "Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba5c9390e94bd4333b7fad186", "Obfuscation: XOR-based String Encryption (0x20)", "T1110.001 (Brute Force: Password Guessing)", "This ELF 32-bit LSB artifact is a sophisticated GoBrut/StealthWorker agent, compiled via Golang 1.10 and stripped to obfuscate its high-velocity service-bruting logic. VirusTotal confirms a critical threat profile with 44/65 security vendors flagging the file, which leverages a unique Go BuildID (nGYES3pajdOm...) and a Telfhash (t1f303a0...) for architectural fingerprinting. The binary orchestrates decentralized Command and Control (C2) through an expansive infrastructure of 797 unique IPs and 1,834 domains", "Pivot-Ready Indicators (IOCs) Go BuildID: nGYES3pajdOmKy1i6Ghh/KO9ydOtZpXtoKtB0KHE-/iisNoniHgTbj_cV6M-uk/XmMYzkBiZs8NXMRZYTiT Telfhash: t1f303a0b3055d54e8b7f08907c7af7624cef6e0f726d078f169e278d09a72c826626874 Imphash: 9698f46495ce9401c8bcaf9a2afe1598 Vhash: 1e53f1a1b59ecb93f821c74b25d81e9f", "Researcher msudosos posits a strategic exploitation of Root Certificate Validation Failures, where the adversary leverages an expired trust chain to bypass heuristic security filters and establish persistence.", "his technique allows the GoBrut/StealthWorker agent to circumvent automated revocation checks, enabling its decentralized C2 infrastructure to recruit Linux hosts via high-velocity credential exhaustion.", "The local environment exhibits advanced telemetry suppression within specialized skim memory regions, effectively neutralizing standard DMARC validation and Microsoft-integrated defensive protocols.", "By maintaining a hollowed root posture, the sample facilitates persistent, low-signal synchronization with external cloud infrastructure while bypassing traditional heuristic trust-chain verification.", "The domain prioritywirreles.com (registered via NAMECHEAP INC) shows a 4/93 detection ratio, confirming it is a live but \"low-noise\" C2 node used to avoid broad-spectrum blacklisting", "", "The environment leverages prioritywirreles.com as a high-fidelity DGA-derived C2 node, utilizing its historical resolution to Russian-hosted IP space (194.61.24.231) to maintain persistent Stealthworker botnet synchronization.", "By operating through WhoisGuard-protected infrastructure and exploiting XOR 0x20 obfuscation, the adversary effectively suppresses telemetry into skim space, successfully bypassing DMARC and Microsoft-integrated trust-chain validation.", "The pivot from cd398983... to this domain confirms a multi-year campaign (2019\u20132023) utilizing Namecheap-registered infrastructure to orchestrate wide-scale T1110.001 brute-force operations while bypassing standard PKI expiration checks.", "LBresearcher: msudosos notes: The campaign's use of T1110.001 (Password Guessing) is specifically tuned to exhaust credentials across SSH, MySQL, and CMS backends, effectively recruiting server infrastructure into a global \"zombie\" network.", "LBresearcher: msudosos notes: The threat actor maintains operational longevity by rotating through WhoisGuard-protected nodes like prioritywirreles.com, which historically resolved to Russian-hosted IP space (194.61.24.231) to obfuscate its origin.", "LBresearcher: msudosos notes: By exploiting Root Certificate Validation Failures, the StealthWorker (GoBrut) agent ensures that its 32-bit ELF binaries bypass the automated reputation checks enforced by major cloud providers.", "Monitor DGA Shifts: Track new domains registered through NAMECHEAP INC using the current WhoisGuard patterns to identify the next cluster before it goes active. Analyze Telfhash Clusters: Use the Telfhash (t1f303a0...) to pivot and find if the adversary has updated to 64-bit ELF or ARM architectures. Harden DMARC: Ensure your environment moves from \"p=none\" to \"p=reject\" to mitigate the internal spoofing loops exploited by this botnet's telemetry suppression.", "Persistent C2 Orchestration: This ELF:Agent-VW variant serves as a critical GoBrut node, utilizing XOR 0x20 obfuscation and ICMP/HTTP beaconing to maintain a persistent link across 1,834 domains and 797 unique IPs", "Researcher msudosos: This activity appears to facilitate a preliminary reconnaissance phase, possibly utilizing system commands to query /proc/cpuinfo and /proc/version for architectural profiling purposes.", "Researcher msudosos suggests the VirusTotal (Tencent HABO) behavior report may indicate a potential execution path from volatile storage at /tmp/EB93A6/996E.elf.", "Msudosos Regional Notes: While historical pivots show Russian-hosted nodes, the current dual-origin telemetry\u2014dominated by 181 United States-based endpoints\u2014strongly suggests a domestic-aligned adversary leveraging global 'grey space' to obfuscate its operational core. This massive US-centric footprint (exceeding all other regions combined) reinforces the theory of a false-flag orchestration designed to divert attribution toward foreign infrastructure while abusing legitimate Western-hosted trust chains.", "WHOIS data anchors administrative and technical operations for prioritywirreles.com in Los Angeles, CA (90064) via Namecheap infrastructure. Following its 2020 expiration, the domain has transitioned into redemptionPeriod/pendingDelete status, signaling the formal decommissioning of this C2 asset." ], "public": 1, "adversary": "StealthWorker/GoBrut (The adversary demonstrates advanced telemetry suppression within specialized s", "targeted_countries": [], "malware_families": [ { "id": "Malware Family: StealthWorker / GoBrut", "display_name": "Malware Family: StealthWorker / GoBrut", "target": "/malware/Malware Family: StealthWorker / GoBrut" }, { "id": "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf", "display_name": "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf", "target": null } ], "attack_ids": [ { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2166, "FileHash-SHA1": 2067, "FileHash-SHA256": 3371, "domain": 13295, "URL": 6860, "email": 272, "hostname": 4705, "SSLCertFingerprint": 268, "CVE": 108, "CIDR": 6 }, "indicator_count": 33118, "is_author": false, "is_subscribing": null, "subscriber_count": 82, "modified_text": "38 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69c25100c3e5a6096402ade5", "name": "CAPE Sandbox", "description": "https://www.virustotal.com/gui/file/0cfb4d7ef8ad0e0378eb022ef107a0a6cc97e7e111228098e68ea8ac1c975a7e/relations", "modified": "2026-04-23T08:15:28.034000", "created": "2026-03-24T08:53:20.270000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 131, "FileHash-SHA1": 109, "FileHash-SHA256": 109, "URL": 112, "domain": 82, "hostname": 126, "email": 1 }, "indicator_count": 670, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "39 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69c2510383ceef34ed4df669", "name": "CAPE Sandbox", "description": "https://www.virustotal.com/gui/file/0cfb4d7ef8ad0e0378eb022ef107a0a6cc97e7e111228098e68ea8ac1c975a7e/relations", "modified": "2026-04-23T08:15:28.034000", "created": "2026-03-24T08:53:23.675000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 131, "FileHash-SHA1": 109, "FileHash-SHA256": 109, "URL": 112, "domain": 82, "hostname": 126, "email": 1 }, "indicator_count": 670, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "39 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69c24230375c48e25e93161c", "name": "CAPE Sandbox", "description": "no problems.", "modified": "2026-04-23T07:09:33.447000", "created": "2026-03-24T07:50:08.453000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 277, "FileHash-SHA1": 232, "FileHash-SHA256": 232, "URL": 260, "domain": 180, "hostname": 191, "email": 1 }, "indicator_count": 1373, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "39 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69c1b4992eb5a2f6cbb21a84", "name": "CAPE Sandbox", "description": "", "modified": "2026-04-22T21:10:27.701000", "created": "2026-03-23T21:46:01.180000", "tags": [ "framework", "center", "xd569xb2c8xb2e4", "info", "script", "meta", "doctype html", "start", "cvtoken", "load cascade", "download", "title" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/dd4ad645e4b48357a235c4726dd4cdfb587786e83dab43ffdec7a886bd84faca_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1774302565&Signature=i3hu8ImkubNWQD0sfo%2FbTMU7d53GPblauQdlllGvYz%2BQ6%2BjM6VcEDa9avXTeSNEa6P9hQaE4hgc%2BwiAoHFC4mBNUG6vnOGHA3%2BY2WSKJxaEpDAdscTpC2psmNHDnnRacbWKvk0EjBetinhY7sMCUkeqX7kw525XsW%2BcBB9%2FwQ3aYdvUazDLWV6wR7ZAPu%2BYCu5vPuXdyoPiTU%2FkysyXQyKtwHiWQQGCWffoBVfbnYqEN" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 178, "FileHash-SHA1": 89, "FileHash-SHA256": 127, "URL": 183, "domain": 77, "hostname": 275 }, "indicator_count": 929, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "39 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b948c255ab34e0cd81819f", "name": "CAPE Sandbox", "description": "", "modified": "2026-04-16T12:28:09.524000", "created": "2026-03-17T12:27:46.118000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 30, "FileHash-SHA1": 28, "FileHash-SHA256": 28, "URL": 38, "domain": 20, "hostname": 91 }, "indicator_count": 235, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "46 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b7ac3b32ac89ecba53f3d9", "name": "Malicious", "description": "", "modified": "2026-04-15T08:44:52.171000", "created": "2026-03-16T07:07:39.495000", "tags": [ "march", "input http", "posix shell", "ascii text", "threat level", "summary av", "detection", "environment", "action" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 291, "URL": 272, "hostname": 296, "domain": 293, "FileHash-MD5": 90, "FileHash-SHA1": 89, "CIDR": 3, "email": 3, "SSLCertFingerprint": 9 }, "indicator_count": 1346, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "47 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69aa842cef967c844adef1de", "name": "CAPE Sandbox part 2 - see part 1", "description": "heartbreaking", "modified": "2026-04-05T11:04:28.804000", "created": "2026-03-06T07:37:16.417000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3905, "FileHash-SHA1": 3515, "FileHash-SHA256": 8002, "URL": 982, "hostname": 2532, "domain": 164, "email": 1 }, "indicator_count": 19101, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "57 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6996eacbe2d99caae4a5b2d7", "name": "172.69.58.33", "description": "potential rogue exploit kit", "modified": "2026-04-01T00:44:45.494000", "created": "2026-02-19T10:49:47.043000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 18, "FileHash-MD5": 31, "FileHash-SHA1": 29, "FileHash-SHA256": 171, "URL": 432, "domain": 629, "hostname": 461, "CIDR": 6, "email": 23 }, "indicator_count": 1800, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "61 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69c1bd40f81db45dc044697c", "name": "Masterkey Clone By CallmeDoris", "description": "", "modified": "2026-03-23T22:22:56.940000", "created": "2026-03-23T22:22:56.940000", "tags": [ "dropped file", "chromeua", "runtime data", "drmedgeua", "edgeua", "generator", "win64", "null", "template", "unknown", "critical", "addressbar", "desktop", "dark", "light", "iframe", "cookie", "meta", "body", "legend", "dwis", "core", "tear", "malicious", "mozilla", "strings", "qakbot", "://masterkey.com.ua/download/MKClientSetup.exe" ], "references": [ "https://hybrid-analysis.com/sample/41859e0b198fbe88772ef12c577023c0481ec19867e410bab335e67fea87c1bb/642ca80cde2048242a0e097d" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": "642db7b656049e54b2f71c20", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 949, "URL": 5642, "CVE": 2, "domain": 509, "FileHash-SHA256": 293, "FileHash-MD5": 550, "FileHash-SHA1": 60, "email": 5 }, "indicator_count": 8010, "is_author": false, "is_subscribing": null, "subscriber_count": 65, "modified_text": "69 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "693cdc5b8ebc10664439c2fb", "name": "Project Cicada-.Christopher \u201cBuzz\u201d Ahmann - Freeman Mathis & Gary for The State of Colorado", "description": "State of Colorado attackers use DGA domains set up multiple Law Firms.. Christopher P. \u2019Buzz\u2019 Ahmann Is a legal consultant / attorney./ hacker \nWorks for the State of Colorado/ quasi. Is malicious and doesn\u2019t work alone. Continues to target \nState had relative contacted by a fake entity \u2018Goodness Health\u2019\nLeft vague VM for relative message \u201cWe work on the Medicare side of things.\u201d and? \nSocial engineering call , malicious domain. The State of Colorado has been on a relentless pursuit against target. Fully compromised targets relatives brand new phone. Hacked target since 10/2013.\nMultiple cyber and physical attacks carried out against target and family members.. There are attacks make to look like accidents or malfunctions. This harmful, silencing behavior is somehow illegal for anyone else.", "modified": "2026-02-10T06:05:39.764000", "created": "2025-12-13T03:24:11.414000", "tags": [ "colorado state", "freeman mathis", "history", "cyber risk", "aspen insureds", "gaig insureds", "landy insureds", "nip group", "purm insureds", "overview core", "united", "ip address", "present nov", "present may", "moved", "encrypt", "unknown", "backdoor", "passive dns", "ransom", "checkin", "trojandropper", "mtb nov", "twitter", "trojan", "data upload", "extraction", "failed", "united states", "server response", "google safe", "results may", "lowfi", "virtool", "mtb alf", "mh alf", "port", "windows nt", "destination", "msie", "khtml", "gecko", "unknown aaaa", "a domains", "meta", "for privacy", "cop supply", "urls", "as139646 hong", "hostname", "files", "hong kong", "domain add", "ip related", "hash avast", "avg clamav", "msdefender may", "ddos", "as13335", "ipv4", "certificate", "hostname add", "url analysis", "files ip", "name strings", "category", "united states", "pulse indicator", "address", "error", "null", "object", "string", "number", "google maps", "promise", "javascript api", "dataset", "bigint", "dark", "android", "infinity", "internal", "roboto", "trident", "void", "small", "lightrail", "false", "span", "close", "light", "hybrid", "embed", "iframe", "keygen", "this", "february", "bounce", "drop", "inside", "outside", "marker", "present dec", "pulses otx", "aaaa", "asnone country", "record value", "title", "pulse pulses", "pulses", "showing", "unknown cname", "unknown soa", "next associated", "ipv4 add", "cycbot", "extract indic", "sneaker bots", "proxies data", "script script", "adult content", "nextimage", "porn site", "div div", "platform make", "cloudfront x", "hio52 p3", "unknown ns", "pulse submit", "title error", "reverse dns", "status", "servers", "name servers", "vashti hostname", "scan endpoints", "url http", "http", "files domain", "files related", "pulses none", "dnssec", "sec ch", "ch ua", "ua full", "ua platform", "ua bitness", "ua arch", "version sec", "mobile sec", "model sec", "version list", "domain", "emails", "cookie", "url https", "show", "filehash", "urls show", "date checked", "url hostname", "results nov", "win32", "type", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "ssl certificate", "defense evasion", "spawns", "flag", "llc name", "server", "markmonitor", "name server", "windir", "openurl c", "prefetch2", "show technique", "mitre att", "ck matrix", "pattern match", "ascii text", "sha1", "href", "show process", "file", "general", "local", "path", "germany unknown", "date", "registrar", "ip whois", "dynamicloader", "high", "medium", "search", "displayname", "tofsee", "win64", "write", "stream", "malware", "push", "entries", "tls handshake", "failure", "forbidden", "tlsv1", "april", "next", "write c", "intel", "ms windows", "sha1 add", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "sha256 add", "present jun", "present mar", "medelln", "colombia asn", "dns resolutions", "address domain", "related tags", "none google", "safe browsing", "external", "present sep", "present aug", "as54113", "present jul", "as8068", "gmt content", "total", "read", "delete", "top source", "quasi", "murderers", "christopher ahmann", "buzz ahmann", "wow64", "slcc2", "media center", "labor", "employment", "cdle", "dowc", "colorado", "workers", "coloradoif", "independent", "state", "company", "entity type", "authorized line", "analysis", "tor analysis", "process details", "network traffic", "t1071", "potential ip", "click", "found", "t1480 execution", "bad traffic", "et info", "ck techniques", "evasion att", "t1057", "refresh", "body", "strings", "tools", "look", "verify", "restart", "cname", "form", "pulse", "script domains", "script urls", "administrator", "services llc", "dns admin", "domain admin", "global llc", "domain manager", "computer system", "ltd domain", "network", "alibaba", "facebook", "phishme", "sogou", "present jan", "present feb", "present oct" ], "references": [ "https://www.fmglaw.com/lawyers/christopher-ahmann - found in adult content pulse.", "Sneaker Bots Proxies Servers Cook Groups Cop Supply", "archive.cop.supply \u2022 dev.cop.supply \u2022 https://cop.supply/ \u2022 https://cop.supply/bot-lists/", "https://cop.supply/supreme-bots/\u2022 https://cop.supply/useful-tools/", "https://cop.supply/proxies-lists/ \u2022 https://cop.supply/shopify-bots/", "dns.army \u2022 www.dcopr.dns.army \u2022 www.glsyaiwjj.dns.army \u2022 www.wgmvk.dns.army", "https://maps.googleapis.com/maps/api/js?sensor=false", "cell-0.af-south-1.prod.telemetry.console.api.aws", "howtoworkacrickoutofyourneck2.pages.dev", "firebase-auth-eich0v.pages.dev", "http://ianswertomom.com/develop-wise-woman-within-yourself", "http://ianswertomom.com/bible-verses-struggling-contentment-mom/ I", "https://i-want-to-start-an-onlyfans.pages.dev/favicon.ico| I bet you do boo boo", "makeapornsite.com \u2022 https://pornhighschool.com/ \u2022 https://ethnicerotic.com \u2022 https://twitter.com/Make", "https://khmerpornvideo.signup0.y.id/", "https://lordseriala.life/6337-zvezdnye-vojny-opornaja-komanda.html", "https://clear.ml/infrastructure-control-plane", "dev-app.project-cicada.com \u2022 http://dev-app.project-cicada.com \u2022 https://dev-app.project-cicada.com (2014 report predates 2016 reports)", "https://amano.inboundtools.com/tpcontact URL https://armg.inboundtools.com/ URL https://gaiax.inboundtools.com/internship URL https://hmk.inboundtools.com/ URL https://hmk.inboundtools.com/form/assetview_siryo_sier", "https://download.clear.ml/cpython_builds/releases/ \u2022 https://download.clear.", "https://links.mail.samsara.com/s/c/P9R6gGlExR4nfCwqwJXUmr7NmKcMNde4ZBhCFprlVtsFNgh-4tuTWla0aXN9rIWCjrWtn0Vln7x-hexxVBlY3xxvnEevR8qJU5G5xV3__wo-X7kkpSOhJVfejac-Xk8qu6zs5Z-tILwWYRkNScZNGlAqfwQuJuRw5M-n_ZKI6tuY5XGCZAqWoQepi1NnJiW4wZJkzZlOwGtNkusbuKDcMsLVrrhji2eKh4kYgrJp_SeycJRhasLFCQ3c2bPu4sahEWpcHZrQBaxvdfQgTEno8kV-RJdTDO0zK5MyWDJLeds7mnaDrxlb0O2zmhebUdlHE0R0xHi25dympBUpMlLsQV8bx1WUTOfgK4k0ci9o_2Gbfe22-jLxsJN-msV6pxWYQMaxRNFd4iZRC9J9Z1SC5MBqbvNzqdt98kFdpibnv_QIHdhFyHOR_Ip_LX67Dncc8V8OvAi-H5phfeSyDzwdzf2FQIi82", "https://voidpet.io/invite/scaredscared/1rpzxWXa61 \u2022 https://sex-doggy.net/tag/censored", "Everyone has simply asked you alll to stop. Target never asked anyone for money.", "Legal court documented agreement to allow and pay target to hire cyber investigators", "Attacks are being carried out by The State of Colorado" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Japan", "France", "Ireland", "Spain", "Italy", "Aruba", "Australia", "Denmark", "United Kingdom of Great Britain and Northern Ireland", "Germany", "T\u00fcrkiye", "Indonesia" ], "malware_families": [ { "id": "Win.Trojan.GravityRAT-6511862-0", "display_name": "Win.Trojan.GravityRAT-6511862-0", "target": null }, { "id": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn", "display_name": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn", "target": null }, { "id": "Unix.Trojan.Tsunami-6981155-0", "display_name": "Unix.Trojan.Tsunami-6981155-0", "target": null }, { "id": "TrojanDropper:Win32/Systex.A", "display_name": "TrojanDropper:Win32/Systex.A", "target": "/malware/TrojanDropper:Win32/Systex.A" }, { "id": "Win.Trojan.Tepfer-61", "display_name": "Win.Trojan.Tepfer-61", "target": null }, { "id": "TrojanDownloader:Win32/CutwailRansom:Win32/Crowti.A", "display_name": "TrojanDownloader:Win32/CutwailRansom:Win32/Crowti.A", "target": null }, { "id": "VirTool:Win32/VBInject.gen!MH", "display_name": "VirTool:Win32/VBInject.gen!MH", "target": "/malware/VirTool:Win32/VBInject.gen!MH" }, { "id": "ALF:NID:Susp_NSIS_Stub.A", "display_name": "ALF:NID:Susp_NSIS_Stub.A", "target": null }, { "id": "#LOWFI:HSTR:Criakl.B1", "display_name": "#LOWFI:HSTR:Criakl.B1", "target": null }, { "id": "Backdoor:Win32/Arwobot.B", "display_name": "Backdoor:Win32/Arwobot.B", "target": "/malware/Backdoor:Win32/Arwobot.B" }, { "id": "Win.Packed.Bandook-9882274-1", "display_name": "Win.Packed.Bandook-9882274-1", "target": null }, { "id": "TrojanDownloader:Win32/Cutwail", "display_name": "TrojanDownloader:Win32/Cutwail", "target": "/malware/TrojanDownloader:Win32/Cutwail" }, { "id": "Win.Downloader.Small-4507", "display_name": "Win.Downloader.Small-4507", "target": null }, { "id": "Trojan:Win32/Qbot.R!MTB", "display_name": "Trojan:Win32/Qbot.R!MTB", "target": "/malware/Trojan:Win32/Qbot.R!MTB" }, { "id": "Win.Malware.Mikey-9949492-0", "display_name": "Win.Malware.Mikey-9949492-0", "target": null }, { "id": "Ransom:Win32/Crowti.A", "display_name": "Ransom:Win32/Crowti.A", "target": "/malware/Ransom:Win32/Crowti.A" }, { "id": "Backdoor:Linux/DemonBot.Aa!MTB", "display_name": "Backdoor:Linux/DemonBot.Aa!MTB", "target": "/malware/Backdoor:Linux/DemonBot.Aa!MTB" }, { "id": "Unix.Trojan.Gafgyt-6981154-0", "display_name": "Unix.Trojan.Gafgyt-6981154-0", "target": null }, { "id": "DDOS:Linux/Gafgyt.YA!MTB", "display_name": "DDOS:Linux/Gafgyt.YA!MTB", "target": "/malware/DDOS:Linux/Gafgyt.YA!MTB" }, { "id": "CVE-2017-11882", "display_name": "CVE-2017-11882", "target": null }, { "id": "ALF:Exploit:O97M/CVE-2017-8977", "display_name": "ALF:Exploit:O97M/CVE-2017-8977", "target": null }, { "id": "Cycbot", "display_name": "Cycbot", "target": null }, { "id": "Win32:BotX-gen\\ [Trj]", "display_name": "Win32:BotX-gen\\ [Trj]", "target": null }, { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "Mirai (ELF)", "display_name": "Mirai (ELF)", "target": null }, { "id": "Worm", "display_name": "Worm", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1574.008", "name": "Path Interception by Search Order Hijacking", "display_name": "T1574.008 - Path Interception by Search Order Hijacking" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1593.002", "name": "Search Engines", "display_name": "T1593.002 - Search Engines" } ], "industries": [ "Insurance", "Construction" ], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 54118, "domain": 11153, "hostname": 18578, "email": 21, "FileHash-SHA256": 4905, "FileHash-MD5": 548, "FileHash-SHA1": 534, "CVE": 7, "SSLCertFingerprint": 20, "CIDR": 1 }, "indicator_count": 89885, "is_author": false, "is_subscribing": null, "subscriber_count": 146, "modified_text": "111 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6963596c4cd594b77b4675ec", "name": "Project Cicada-.Christopher \u201cBuzz\u201d Ahmann - PalantirFoundry | The State of Colorado | ", "description": "", "modified": "2026-02-10T06:05:39.764000", "created": "2026-01-11T08:03:56.534000", "tags": [ "colorado state", "freeman mathis", "history", "cyber risk", "aspen insureds", "gaig insureds", "landy insureds", "nip group", "purm insureds", "overview core", "united", "ip address", "present nov", "present may", "moved", "encrypt", "unknown", "backdoor", "passive dns", "ransom", "checkin", "trojandropper", "mtb nov", "twitter", "trojan", "data upload", "extraction", "failed", "united states", "server response", "google safe", "results may", "lowfi", "virtool", "mtb alf", "mh alf", "port", "windows nt", "destination", "msie", "khtml", "gecko", "unknown aaaa", "a domains", "meta", "for privacy", "cop supply", "urls", "as139646 hong", "hostname", "files", "hong kong", "domain add", "ip related", "hash avast", "avg clamav", "msdefender may", "ddos", "as13335", "ipv4", "certificate", "hostname add", "url analysis", "files ip", "name strings", "category", "united states", "pulse indicator", "address", "error", "null", "object", "string", "number", "google maps", "promise", "javascript api", "dataset", "bigint", "dark", "android", "infinity", "internal", "roboto", "trident", "void", "small", "lightrail", "false", "span", "close", "light", "hybrid", "embed", "iframe", "keygen", "this", "february", "bounce", "drop", "inside", "outside", "marker", "present dec", "pulses otx", "aaaa", "asnone country", "record value", "title", "pulse pulses", "pulses", "showing", "unknown cname", "unknown soa", "next associated", "ipv4 add", "cycbot", "extract indic", "sneaker bots", "proxies data", "script script", "adult content", "nextimage", "porn site", "div div", "platform make", "cloudfront x", "hio52 p3", "unknown ns", "pulse submit", "title error", "reverse dns", "status", "servers", "name servers", "vashti hostname", "scan endpoints", "url http", "http", "files domain", "files related", "pulses none", "dnssec", "sec ch", "ch ua", "ua full", "ua platform", "ua bitness", "ua arch", "version sec", "mobile sec", "model sec", "version list", "domain", "emails", "cookie", "url https", "show", "filehash", "urls show", "date checked", "url hostname", "results nov", "win32", "type", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "ssl certificate", "defense evasion", "spawns", "flag", "llc name", "server", "markmonitor", "name server", "windir", "openurl c", "prefetch2", "show technique", "mitre att", "ck matrix", "pattern match", "ascii text", "sha1", "href", "show process", "file", "general", "local", "path", "germany unknown", "date", "registrar", "ip whois", "dynamicloader", "high", "medium", "search", "displayname", "tofsee", "win64", "write", "stream", "malware", "push", "entries", "tls handshake", "failure", "forbidden", "tlsv1", "april", "next", "write c", "intel", "ms windows", "sha1 add", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "sha256 add", "present jun", "present mar", "medelln", "colombia asn", "dns resolutions", "address domain", "related tags", "none google", "safe browsing", "external", "present sep", "present aug", "as54113", "present jul", "as8068", "gmt content", "total", "read", "delete", "top source", "quasi", "murderers", "christopher ahmann", "buzz ahmann", "wow64", "slcc2", "media center", "labor", "employment", "cdle", "dowc", "colorado", "workers", "coloradoif", "independent", "state", "company", "entity type", "authorized line", "analysis", "tor analysis", "process details", "network traffic", "t1071", "potential ip", "click", "found", "t1480 execution", "bad traffic", "et info", "ck techniques", "evasion att", "t1057", "refresh", "body", "strings", "tools", "look", "verify", "restart", "cname", "form", "pulse", "script domains", "script urls", "administrator", "services llc", "dns admin", "domain admin", "global llc", "domain manager", "computer system", "ltd domain", "network", "alibaba", "facebook", "phishme", "sogou", "present jan", "present feb", "present oct" ], "references": [ "https://www.fmglaw.com/lawyers/christopher-ahmann - found in adult content pulse.", "Sneaker Bots Proxies Servers Cook Groups Cop Supply", "archive.cop.supply \u2022 dev.cop.supply \u2022 https://cop.supply/ \u2022 https://cop.supply/bot-lists/", "https://cop.supply/supreme-bots/\u2022 https://cop.supply/useful-tools/", "https://cop.supply/proxies-lists/ \u2022 https://cop.supply/shopify-bots/", "dns.army \u2022 www.dcopr.dns.army \u2022 www.glsyaiwjj.dns.army \u2022 www.wgmvk.dns.army", "https://maps.googleapis.com/maps/api/js?sensor=false", "cell-0.af-south-1.prod.telemetry.console.api.aws", "howtoworkacrickoutofyourneck2.pages.dev", "firebase-auth-eich0v.pages.dev", "http://ianswertomom.com/develop-wise-woman-within-yourself", "http://ianswertomom.com/bible-verses-struggling-contentment-mom/ I", "https://i-want-to-start-an-onlyfans.pages.dev/favicon.ico| I bet you do boo boo", "makeapornsite.com \u2022 https://pornhighschool.com/ \u2022 https://ethnicerotic.com \u2022 https://twitter.com/Make", "https://khmerpornvideo.signup0.y.id/", "https://lordseriala.life/6337-zvezdnye-vojny-opornaja-komanda.html", "https://clear.ml/infrastructure-control-plane", "dev-app.project-cicada.com \u2022 http://dev-app.project-cicada.com \u2022 https://dev-app.project-cicada.com (2014 report predates 2016 reports)", "https://amano.inboundtools.com/tpcontact URL https://armg.inboundtools.com/ URL https://gaiax.inboundtools.com/internship URL https://hmk.inboundtools.com/ URL https://hmk.inboundtools.com/form/assetview_siryo_sier", "https://download.clear.ml/cpython_builds/releases/ \u2022 https://download.clear.", "https://links.mail.samsara.com/s/c/P9R6gGlExR4nfCwqwJXUmr7NmKcMNde4ZBhCFprlVtsFNgh-4tuTWla0aXN9rIWCjrWtn0Vln7x-hexxVBlY3xxvnEevR8qJU5G5xV3__wo-X7kkpSOhJVfejac-Xk8qu6zs5Z-tILwWYRkNScZNGlAqfwQuJuRw5M-n_ZKI6tuY5XGCZAqWoQepi1NnJiW4wZJkzZlOwGtNkusbuKDcMsLVrrhji2eKh4kYgrJp_SeycJRhasLFCQ3c2bPu4sahEWpcHZrQBaxvdfQgTEno8kV-RJdTDO0zK5MyWDJLeds7mnaDrxlb0O2zmhebUdlHE0R0xHi25dympBUpMlLsQV8bx1WUTOfgK4k0ci9o_2Gbfe22-jLxsJN-msV6pxWYQMaxRNFd4iZRC9J9Z1SC5MBqbvNzqdt98kFdpibnv_QIHdhFyHOR_Ip_LX67Dncc8V8OvAi-H5phfeSyDzwdzf2FQIi82", "https://voidpet.io/invite/scaredscared/1rpzxWXa61 \u2022 https://sex-doggy.net/tag/censored", "Everyone has simply asked you alll to stop. Target never asked anyone for money.", "Legal court documented agreement to allow and pay target to hire cyber investigators", "Attacks are being carried out by The State of Colorado" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Japan", "France", "Ireland", "Spain", "Italy", "Aruba", "Australia", "Denmark", "United Kingdom of Great Britain and Northern Ireland", "Germany", "T\u00fcrkiye", "Indonesia" ], "malware_families": [ { "id": "Win.Trojan.GravityRAT-6511862-0", "display_name": "Win.Trojan.GravityRAT-6511862-0", "target": null }, { "id": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn", "display_name": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn", "target": null }, { "id": "Unix.Trojan.Tsunami-6981155-0", "display_name": "Unix.Trojan.Tsunami-6981155-0", "target": null }, { "id": "TrojanDropper:Win32/Systex.A", "display_name": "TrojanDropper:Win32/Systex.A", "target": "/malware/TrojanDropper:Win32/Systex.A" }, { "id": "Win.Trojan.Tepfer-61", "display_name": "Win.Trojan.Tepfer-61", "target": null }, { "id": "TrojanDownloader:Win32/CutwailRansom:Win32/Crowti.A", "display_name": "TrojanDownloader:Win32/CutwailRansom:Win32/Crowti.A", "target": null }, { "id": "VirTool:Win32/VBInject.gen!MH", "display_name": "VirTool:Win32/VBInject.gen!MH", "target": "/malware/VirTool:Win32/VBInject.gen!MH" }, { "id": "ALF:NID:Susp_NSIS_Stub.A", "display_name": "ALF:NID:Susp_NSIS_Stub.A", "target": null }, { "id": "#LOWFI:HSTR:Criakl.B1", "display_name": "#LOWFI:HSTR:Criakl.B1", "target": null }, { "id": "Backdoor:Win32/Arwobot.B", "display_name": "Backdoor:Win32/Arwobot.B", "target": "/malware/Backdoor:Win32/Arwobot.B" }, { "id": "Win.Packed.Bandook-9882274-1", "display_name": "Win.Packed.Bandook-9882274-1", "target": null }, { "id": "TrojanDownloader:Win32/Cutwail", "display_name": "TrojanDownloader:Win32/Cutwail", "target": "/malware/TrojanDownloader:Win32/Cutwail" }, { "id": "Win.Downloader.Small-4507", "display_name": "Win.Downloader.Small-4507", "target": null }, { "id": "Trojan:Win32/Qbot.R!MTB", "display_name": "Trojan:Win32/Qbot.R!MTB", "target": "/malware/Trojan:Win32/Qbot.R!MTB" }, { "id": "Win.Malware.Mikey-9949492-0", "display_name": "Win.Malware.Mikey-9949492-0", "target": null }, { "id": "Ransom:Win32/Crowti.A", "display_name": "Ransom:Win32/Crowti.A", "target": "/malware/Ransom:Win32/Crowti.A" }, { "id": "Backdoor:Linux/DemonBot.Aa!MTB", "display_name": "Backdoor:Linux/DemonBot.Aa!MTB", "target": "/malware/Backdoor:Linux/DemonBot.Aa!MTB" }, { "id": "Unix.Trojan.Gafgyt-6981154-0", "display_name": "Unix.Trojan.Gafgyt-6981154-0", "target": null }, { "id": "DDOS:Linux/Gafgyt.YA!MTB", "display_name": "DDOS:Linux/Gafgyt.YA!MTB", "target": "/malware/DDOS:Linux/Gafgyt.YA!MTB" }, { "id": "CVE-2017-11882", "display_name": "CVE-2017-11882", "target": null }, { "id": "ALF:Exploit:O97M/CVE-2017-8977", "display_name": "ALF:Exploit:O97M/CVE-2017-8977", "target": null }, { "id": "Cycbot", "display_name": "Cycbot", "target": null }, { "id": "Win32:BotX-gen\\ [Trj]", "display_name": "Win32:BotX-gen\\ [Trj]", "target": null }, { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "Mirai (ELF)", "display_name": "Mirai (ELF)", "target": null }, { "id": "Worm", "display_name": "Worm", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1574.008", "name": "Path Interception by Search Order Hijacking", "display_name": "T1574.008 - Path Interception by Search Order Hijacking" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1593.002", "name": "Search Engines", "display_name": "T1593.002 - Search Engines" } ], "industries": [ "Insurance", "Construction" ], "TLP": "green", "cloned_from": "693cdc5b8ebc10664439c2fb", "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 54118, "domain": 11153, "hostname": 18578, "email": 21, "FileHash-SHA256": 4905, "FileHash-MD5": 548, "FileHash-SHA1": 534, "CVE": 7, "SSLCertFingerprint": 20, "CIDR": 1 }, "indicator_count": 89885, "is_author": false, "is_subscribing": null, "subscriber_count": 145, "modified_text": "111 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69236dd13572ff133083fc04", "name": "IPTV.exe The Darknet Trojan Spyware with FAKE365", "description": "The activity observed indicates the presence of multiple malware families and behaviors, primarily associated with Neshta, WSHRAT, and AutoIT-based droppers, along with several malicious techniques commonly used by infostealers, spyware, and persistence-focused trojans.", "modified": "2025-12-23T22:03:53.839000", "created": "2025-11-23T20:25:50.899000", "tags": [ "sha1", "sha256", "sha512", "ssdeep" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Virus:Win32/Neshta", "display_name": "Virus:Win32/Neshta", "target": "/malware/Virus:Win32/Neshta" }, { "id": "WSHRAT", "display_name": "WSHRAT", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "r0b1nh0od", "id": "320328", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_320328/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 516, "FileHash-SHA1": 458, "FileHash-SHA256": 447, "domain": 8, "hostname": 20, "URL": 53 }, "indicator_count": 1502, "is_author": false, "is_subscribing": null, "subscriber_count": 26, "modified_text": "159 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6608aaf7ca0e965e593ed1d4", "name": "MUI programu Microsoft Office Access (w j\u0119zyku angielskim) zosta\u0142o u\u017cyte do wys\u0142ania z\u0142o\u015bliwego oprogramowania na serwer w Czechach jest to pierwszy tego typu atak na komputer. e", "description": "A look back at some of the key words and phrases used to describe the situation in Italy, as \"probacja\" (or \"democrata), as they were translated into English.", "modified": "2025-10-17T11:03:07.034000", "created": "2024-03-31T00:14:47.183000", "tags": [ "sha256", "ssdeep", "reputacja", "tworzy pliki", "informacje", "bardzo duga", "tworzy", "adresy url", "tworzy katalog", "win64", "ameryki", "typ pliku", "serwer nazw", "san jose", "adres", "digital", "data wyganicia", "csc corporate", "domains", "ca data", "data utworzenia", "dnssec" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6432, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 3, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2140, "hostname": 5874, "FileHash-SHA256": 12539, "FileHash-MD5": 3686, "FileHash-SHA1": 2751, "IPv4": 503, "URL": 10770, "email": 26, "CVE": 88, "YARA": 6, "JA3": 2, "IPv6": 28, "SSLCertFingerprint": 5, "BitcoinAddress": 3, "CIDR": 1 }, "indicator_count": 38422, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "227 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68c954a80675ccc89b0e9b63", "name": "Trump #45470 | Palantir container | virus:DOS/Hellspawn + ioS (compromised)", "description": "Overt. Trump support campaign text message from #45470. Malicious. Received on a victims hyper compromised iPhone. Attempts to or did take CnC of device. Stutters device, changed App Store , has delete service, device sweep, shuts down service , halts all pages, denial of service, throttles service, steals\npasswords, bots , I don\u2019t know if device can be refurbished or research purposes - Palantir DC DGA domains - Trump. Multiple IoC\u2019s , malware with code overlap, it appears to be from a legitimate text for updates #. Visibly affected all aspects of device and software. Commands device shut down. \n[OTX populated: Failed to retrieve suggested indicator for beta-ui, according to the latest results from the Welsh Government's Office for National Statistics (ONS) and the National Data Centre (NDS))", "modified": "2025-10-16T12:03:14.279000", "created": "2025-09-16T12:14:32.327000", "tags": [ "ttl value", "extraction", "data upload", "failed", "extra data", "include review", "exclude sugges", "stop", "line", "path", "polyline", "getprocaddress", "circle", "span", "ck id", "mitre att", "ck matrix", "null", "error", "open", "spinner", "title", "code", "iframe", "window", "void", "infinity", "crypto", "footer", "generator", "general", "format", "click", "strings", "meta", "install", "encoder", "learn", "command", "name tactics", "suspicious", "informative", "spawns", "evasion att", "t1480 execution", "file defense", "adversaries", "calls", "reads", "defense evasion", "model", "server", "registrar abuse", "ascio", "contact phone", "admin city", "admin country", "admin postal", "dnssec", "http", "ip address", "passive dns", "related nids", "urls", "files location", "united", "flag united", "a domains", "search", "unknown aaaa", "certificate", "yara detections", "av detections", "ids detections", "alerts", "entries elf", "filehash", "name servers", "servers", "moved", "script script", "aaaa", "unknown ns", "domain add", "formbook cnc", "checkin", "lowfi", "mtb jun", "github pages", "twitter", "accept", "cryptobit", "extra", "referen data", "trojanproxy", "dynamicloader", "high", "write c", "medium", "intel", "ms windows", "entries", "pe32", "explorer", "worm", "write", "next", "trojan", "hellspawn", "md5 add", "malware", "data", "included iocs", "script urls", "script domains", "gmt content", "cash amtincart", "expirestue", "domain related", "sea x", "accept encoding", "request id", "body doctype", "apache", "encrypt", "skynet", "third eye tv", "calling", "delete app", "potus", "mtb aug", "backdoor", "gmt cache", "sameorigin", "443 ma2592000", "ipv4 add", "utilads", "trojandropper", "mtb sep", "win32upatre aug", "yara rule", "as15169", "guard", "smartassembly", "associated urls", "date checked", "url hostname", "server response", "domain", "url analysis", "files", "date", "delete service", "45470", "text", "hybrid", "present sep", "body", "fastly error", "please", "xor xor", "sha256 add", "analysis date", "file score", "detections alf", "june", "delphi", "attempts", "yara", "high security", "file type", "pe packer", "ransom" ], "references": [ "skynet-dev.tcxn.net tcxn.net Registrar Ascio Technologies, Inc - connection to cloud proxy", "TrojanProxy:Win32/Malynfits CodeOverlap TrojanSpy:Win32/Nivdort CodeOverlap virus:Win32/Lywer CodeOverlap", "https://cryptobit.live/build/assets/app-CkRYqsKL.js \u2022 cryptobit.live \u2022 t.page \u2022 cdn.wallets.cryptobit.live", "Trump Support campaign \u2022_\u2022 lantana-mgmt.washington.palantircloud.com \u2022 containers-reishi.palantirfedstart.com", "Virus:DOS/Hellspawn 192.168.122.49 10/16/25\t\u2022 IPv4 142.251.9.105", "IDS Detections: Win32/Enosch.A gtalk connectivity check | W32/MoonLight.worm User-Agent (HellSpawn)", "PWS:Win32/Ymacco.AA50 Win.Trojan.Generic-9959068-0\t SLF:MSIL/PSTAnomaly.A Win.Dropper.Shakblades-7614016-0\t#LowFI:VBExpensiveLoop Win.Packed.Barys-10031677-0\tTEL:Trojan:MSIL/AgentTesla.VPA!MTB Win.Trojan. Backdoor:MSIL/Remcos!MTB", "hasownproperty.call \u2022 fireeye.grhd.", "Apple Store verified drop down breach \u2018Apple took a screenshot of pages\u201d" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "TrojanProxy:Win32/Malynfits", "display_name": "TrojanProxy:Win32/Malynfits", "target": "/malware/TrojanProxy:Win32/Malynfits" }, { "id": "Virus:Win32/Lywer", "display_name": "Virus:Win32/Lywer", "target": "/malware/Virus:Win32/Lywer" }, { "id": "Worm:Win32/Lightmoon.H", "display_name": "Worm:Win32/Lightmoon.H", "target": "/malware/Worm:Win32/Lightmoon.H" }, { "id": "Virus:DOS/Hellspawn", "display_name": "Virus:DOS/Hellspawn", "target": "/malware/Virus:DOS/Hellspawn" }, { "id": "Win.Trojan.Dialer-266", "display_name": "Win.Trojan.Dialer-266", "target": null }, { "id": "AgentTesla", "display_name": "AgentTesla", "target": null }, { "id": "Backdoor:MSIL/Remcos", "display_name": "Backdoor:MSIL/Remcos", "target": "/malware/Backdoor:MSIL/Remcos" }, { "id": "ALF:JASYP:Trojan:Win32/IRCbot!atmn", "display_name": "ALF:JASYP:Trojan:Win32/IRCbot!atmn", "target": null }, { "id": "Trojandropper:Win32/Muldrop.V!MTB", "display_name": "Trojandropper:Win32/Muldrop.V!MTB", "target": "/malware/Trojandropper:Win32/Muldrop.V!MTB" }, { "id": "#LowFI:VBExpensiveLoop", "display_name": "#LowFI:VBExpensiveLoop", "target": null }, { "id": "TEL:Trojan:MSIL/AgentTesla.VPA!MTB", "display_name": "TEL:Trojan:MSIL/AgentTesla.VPA!MTB", "target": null }, { "id": "PWS:Win32/VB.CU", "display_name": "PWS:Win32/VB.CU", "target": "/malware/PWS:Win32/VB.CU" }, { "id": "ALF:Ransom:Win32/Babax.SG!MTB", "display_name": "ALF:Ransom:Win32/Babax.SG!MTB", "target": null } ], "attack_ids": [ { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 690, "URL": 1479, "domain": 476, "FileHash-MD5": 526, "FileHash-SHA1": 505, "FileHash-SHA256": 1509, "email": 6 }, "indicator_count": 5191, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "228 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6892e73b32af18aa302df0dc", "name": "Part 1.5", "description": "Dark web media \u2022 Political news \u2022 Malvertizing\nlocate \u2022\ntrack [stalk] \u2022 record calls \u2022 control media [youtube , etc] http://t.name?n[++i]=e:this.removeEventListener\t\t\nJeeng &\nPowebox [ accidentally left out in original post pulse]", "modified": "2025-09-05T04:03:06.929000", "created": "2025-08-06T05:25:15.369000", "tags": [ "chromeua", "optout", "object", "path", "value", "access type", "setval", "windir", "localappdata", "null", "win64", "error", "generator", "close", "roboto", "date", "format", "light", "span", "template", "void", "android", "body", "trident", "mexico", "sonic", "black", "critical", "desktop", "dark", "meta", "this", "june", "hybrid", "apache", "write", "crypto", "autodetect", "face", "courier", "gigi", "impact", "shadow", "click", "strings", "cray", "smwg", "eret", "footer", "infinity", "window", "canvas", "legend", "nuke", "lion", "4629", "ahav", "olsa", "false", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "defense evasion", "t1480 execution", "file defense", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "script", "mitre att", "pattern match", "show technique", "iframe", "refresh", "august", "general", "local", "tools", "demo", "look", "verify", "restart", "url http", "small", "pulses url", "tellyoun", "showing", "entries", "url https", "indicator role", "title added", "active related", "type indicator", "role title", "added active", "related pulses", "cc08", "f06a6b", "sfurl", "filehashsha256", "types", "indicators show", "search", "pulses", "filehashsha1", "adversaries", "found", "webp image", "ascii text", "riff", "size", "encrypt", "legacy", "filehashmd5", "united", "flag", "server", "markmonitor", "name server", "llc name", "overview dns", "requests domain", "country", "win32", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "medium risk", "yara", "detections", "malware", "copy", "show", "icmp traffic", "packing t1045", "t1045", "pdb path", "pe resource", "extraction", "data upload", "enter sc", "type", "extra data", "please", "failed", "review", "exclude data", "included review", "ic data", "suggeste", "stop", "type onow", "domain", "passive dns", "urls", "files related", "pulses none", "related tags", "none google", "safe browsing", "sc data", "extr amanuav", "review included", "manualy", "sugges excluded", "filehash", "md5 add", "pulse pulses", "url add", "http", "hostname", "files domain", "pulses otx", "virustotal", "hsmi192547107", "pulses hostname", "r dec", "customer dec", "iski dec", "decision dec", "va dec", "bitcoin", "bitcoin dec", "petra", "torstatus dec", "paul dec", "sodesc", "planet dec", "emilia", "heroin dec", "difference dec", "palantir dec", "loraxlive dec", "chaturbate dec", "sandra", "free dec", "marvel dec", "benjis dec", "fresh dec", "sodesc dec", "srdirport", "srhostname", "link dec", "types of", "italy", "china", "australia", "france", "turkey", "discovery", "information", "ck ids", "t1005", "local system", "t1007", "system service", "part", "track", "locate", "political", "civil society", "news", "created", "hours ago", "report spam", "t1555", "password", "t1560", "collected data", "t1573", "channel", "t1574", "execution flow", "scan", "iocs", "t1497", "u0lhmq", "mtawmq", "t1480", "guardrails", "t1486", "data encrypted", "learn more", "unsubscribe aug", "protocol", "t1074", "staged", "t1083", "t1102", "web service", "t1105", "tool transfer", "t1140", "data engineer", "candidate", "tlsv1", "odigicert inc", "stcalifornia", "lsan jose", "oadobe systems", "incorporated", "cndigicert sha2", "push", "next", "high", "write c", "ireland as16509", "delete", "dirty", "tags", "t1012", "flow endpoint", "security scan", "t1106", "copyright", "levelblue" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 608, "FileHash-SHA1": 433, "FileHash-SHA256": 3663, "URL": 17104, "domain": 1316, "email": 39, "hostname": 4208, "SSLCertFingerprint": 17 }, "indicator_count": 27388, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "269 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6892a73593f73dfc969779b0", "name": "Part I | Track | Locate | Political & Civil society \u2018news\u2019 campaigns", "description": "Part I | Track | Locate | Political & Civil society \u2018news\u2019 campaigns\n*[ddddd.msg]\n[http://tracking.eu1.glintinc.com]\n[stormer5v52vjsw66jmds7ndeecudq444woadhzr2plxlaayexnh6eqd]\n[stackstorm.ops.dev.az.glintinc.com]\n\u2022 http://stormer5v52vjsw66jmds7ndeecudq444woadhzr2plxlaayexnh6eqd.onion/peter-thiel-running-database-to-root-out-those-disloyal-to-the-leader/\\n \u2022\n[http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-at-concentra/360]\n[http://pixelrz.com/lists/keywords/tsara-brashears-dead/360]", "modified": "2025-09-05T00:03:23.223000", "created": "2025-08-06T00:52:05.051000", "tags": [ "url http", "small", "indicator role", "title added", "active related", "pulses hostname", "tellyoun", "n aug", "entries", "data upload", "extraction", "windows error", "june", "fwd urgent", "justice czech", "copy sha256", "rejectedfailed", "timestamp input", "message status", "actions august", "file", "actions june", "actions may", "cta4 https", "context related", "associated urls", "campaigncodedsc", "language", "uid http", "community", "sha256", "size42b type", "submitted", "august", "april", "internal error", "previous1", "iframe", "community score", "scan analysis", "malicious", "intelligence", "learn", "falcon sandbox", "submissions", "status", "adversaries", "ck id", "name tactics", "suspicious", "informative", "defense evasion", "windows folder", "found", "dlls", "impact", "chromeua", "optout", "object", "path", "value", "access type", "setval", "windir", "localappdata", "null", "win64", "error", "generator", "close", "roboto", "date", "format", "light", "span", "template", "void", "android", "body", "trident", "mexico", "sonic", "black", "critical", "desktop", "dark", "meta", "this", "hybrid", "apache", "write", "crypto", "autodetect", "face", "courier", "gigi", "shadow", "click", "strings", "cray", "smwg", "eret", "footer", "infinity", "window", "canvas", "legend", "nuke", "lion", "4629", "ahav", "olsa", "false" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 9062, "domain": 707, "hostname": 2318, "FileHash-MD5": 86, "FileHash-SHA1": 26, "FileHash-SHA256": 2096, "email": 5, "FilePath": 2, "URI": 1 }, "indicator_count": 14303, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "269 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68038f7eb6f6810aa6d6439f", "name": "\"+g+\"", "description": "https://aplikacja.ceidg.gov.pl/CEIDG/CEIDG.Public.UI/EntryChangeHistory.aspx?Id=855bdfc1-7dbc-4a86-9d27-89ebb0ecf166&archival=False", "modified": "2025-09-01T08:05:25.121000", "created": "2025-04-19T11:56:46.933000", "tags": [ "copyright", "customevent", "typeof e", "boomerang", "typeof t", "macintosh", "os x", "post", "typeof", "iframe", "date", "poka menu", "nie znaleziono", "poka start", "poka", "max dostpnych", "pierwsza", "ostatnia", "nastpna", "poprzednia", "brak danych", "first", "ceidg", "wystpi bd", "error", "true", "null", "linkdownload", "show", "ctrlmappings", "version", "versionchange", "body", "false", "span", "input", "paginate", "next", "last", "selectstart", "loop", "function", "bootstrap", "datatables", "responsive", "2016 sprymedia", "amd define", "object", "commonjs", "window", "browser", "button", "datatable", "sprymedia ltd", "columns", "colidx", "column", "parent", "child", "param", "display", "click", "middle", "class", "target", "never", "find", "footer", "close", "regexp", "matches", "cookie", "inputmask", "input mask", "robin herbots", "mit license", "xmlhttprequest", "left", "month", "boolean", "maxdate", "right", "daterangepicker", "yyyymmdd", "calendar", "jquery", "webpackrequire", "typeof symbol", "type", "setprototypeof", "maskpos", "wrapnativesuper", "backspace", "insert", "internal", "mask", "void", "this", "nie mona", "array", "nonmsdombrowser", "horizontal", "leftarrow", "uparrow", "rightarrow", "downarrow", "explorer", "form", "legend", "hmmss", "mmmm d", "yyyy h", "typeof define", "number", "locale", "character", "seeknext", "masked", "input plugin", "josh bush", "azaz", "azaz09", "black", "kontrast", "arrcookies", "getcookielang", "and information", "on business", "sign", "twoja", "opinia", "informacja o", "notify ui", "widget", "eric hynds", "dual", "name", "dtopt", "example", "using", "open", "adata", "hungarian", "aria", "legacy", "trident", "format", "nuke", "apos", "bitcoin", "outer", "mark", "info", "reload", "behaviour", "write", "buttons", "anything", "prop", "thecookie", "create", "thevalue", "string name", "pluginscookie", "author", "eventkey", "datakey", "default", "dataapikey", "defaulttype", "config", "shown", "trigger", "delta", "guard", "arrow", "leave", "scroll", "dataspy", "sessiontimeout", "return", "settimeout", "mytimerid", "requestcounter", "starttimer", "stop", "typeof n", "adminlte", "typeof o", "main", "js application", "adminlte v2", "colorlib", "ui date", "written", "jacek wysocki", "poprzedni", "marzec", "kwiecie", "czerwiec", "lipiec", "sierpie", "wrzesie", "openpopup", "href", "toggle", "msviewport", "popover", "json", "json text", "string", "otherwise", "holder", "mind", "copy", "meta", "third", "text", "choice", "confirm", "nie pytaj", "site", "title", "value", "alert", "warn", "migrate", "foundation", "see http", "forget", "newvalue", "nones5", "fall", "wrongvalid", "onerror", "year", "fast", "argument", "popper", "method", "data", "html", "flip", "factory", "onload", "tbody", "courier", "elem", "handle", "expando", "match", "selector", "sizzle", "android", "capture", "seed", "pass", "enough", "code", "bind", "core", "local", "verify", "accept", "done", "override", "inject", "possible", "hold", "45deg", "larger", "screen styling", "90deg", "support", "sidebar mini", "e1f0ff", "font awesome", "free", "autocomplete", "folder", "expanded folder", "tabela", "sorting", "xform", "nadpisane style", "menlo", "monaco", "consolas", "mono", "courier new", "browse", "twitter", "pt serif", "georgia", "times new", "roman", "times", "typetime", "import", "roboto", "http", "label", "demos", "effect", "inst", "super", "speed", "bounce", "hack", "logic", "shift", "double", "february", "april", "june", "august", "friday", "erase", "atom", "caja", "spinner", "refresh", "alpha", "sentinel", "back", "blind", "drop", "ceidg.gov.pl - centralna ewidencja i informacja o dzia\u0142alno\u015bci g", "prosz czeka", "pobierz plik" ], "references": [ "https://aplikacja.ceidg.gov.pl/CEIDG/CEIDG.Public.UI/EntryChangeHistory.aspx?Id=855bdfc1-7dbc-4a86-9d27-89ebb0ecf166&archival=False", "UE_pl_top.svg", "UE_pl_top_sm.svg", "XZ4AH-ABKPW-SQPBC-CYWES-BCG6V", "dataTables.lang.js.pobrane", "EntryChangeHistory.aspx.js.pobrane", "dataTables.input.js.pobrane", "responsive.bootstrap4.js.pobrane", "dataTables.bootstrap4.js.pobrane", "dataTables.responsive.js.pobrane", "jquery.session.js.pobrane", "inputmask.binding.js.pobrane", "daterangepicker.js.pobrane", "jquery.inputmask.min.js.pobrane", "ScriptResource.axd", "moment-with-locales.min.js.pobrane", "jquery.maskedinput-1.2.2.js.pobrane", "feedback.js.pobrane", "jquery.notify.min.js.pobrane", "jquery.dataTables.js.pobrane", "jquery.cookie.js.pobrane", "bootstrap.js.pobrane", "SessionTimeout.js.pobrane", "adminlte.min.js.pobrane", "jquery.easing.1.3.js.pobrane", "jquery.feedbackBadge.min.js.pobrane", "ui.datepicker-pl.js.pobrane", "ceidg-master.js.pobrane", "CommonResponsive.js.pobrane", "json2.js.pobrane", "jquery.alerts.js.pobrane", "jquery-migrate-1.2.1.js.pobrane", "dataTables.bootstrap4.css", "CommonScripts.js.pobrane", "popper.js.pobrane", "responsive.bootstrap4.css", "jquery-3.0.0.js.pobrane", "daterangepicker.css", "AdminLTE.css", "ui.notify.css", "ceidg.css", "bootstrap-gov-pl.css", "biznes.css", "jquery-ui.js.pobrane", "saved_resource.html" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 4, "FileHash-SHA256": 25, "URL": 165, "domain": 353, "hostname": 215, "email": 2 }, "indicator_count": 767, "is_author": false, "is_subscribing": null, "subscriber_count": 123, "modified_text": "273 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68abf75bf3b03b94a6762409", "name": "(Repost) How to connect listeners to e.intercom | serverhub.com eonix.net", "description": "", "modified": "2025-08-25T05:40:43.552000", "created": "2025-08-25T05:40:43.552000", "tags": [ "context", "error", "ajaxupdate", "request", "requestdata", "name", "xoctoberassets", "datarequest", "typesubmit", "typetext", "click", "function", "typeof c", "bootstrap", "javascript", "azaz", "popover", "typeof f", "typeof g", "typeof h", "vui", "anda", "tente", "outubro", "trackingclient", "srpanj", "rabu", "vasaris", "image", "typeof atrkopts", "800px", "40px", "i18n", "blockedemail", "typeof i18n", "hubspot", "captcha", "date", "please", "april", "august", "close", "february", "june", "form", "klik", "download", "window", "this", "next", "null", "blank", "este", "anna", "rserver", "mais", "void", "object", "typeerror", "array", "symbol", "bound", "typeof window", "typeof t", "invalid path", "unknown method", "phonenumber", "ninja", "typeof e", "edge", "dataname", "intercom", "typeof symbol", "apple", "webkiti", "criosi", "trident" ], "references": [ "xfe-URL-Eonix.net-stix2-2.1-export.json", "xfe-URL-Serverhub.com-stix2-2.1-export.json", "xfe-URL-Enom.com-stix2-2.1-export 2.json", "https://widget.intercom.io/widget/rbc8ok9w", "https://js.hscollectedforms.net/collectedforms.js", "https://js.hsleadflows.net/leadflows.js", "https://d31qbv1cthcecs.cloudfront.net/atrk.js", "https://serverhub.com/combine/a059fe7a562c0b582328162f0ee69fda-1426025688", "https://serverhub.com/modules/system/assets/js/framework.js", "https://js.hs-scripts.com/3844463.js", "xfe-URL-Cloudfront.net-stix2-2.1-export.json", "xfe-URL-Intercom.io-stix2-2.1-export.json" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Vui", "display_name": "Vui", "target": null }, { "id": "Outubro", "display_name": "Outubro", "target": null }, { "id": "Tente", "display_name": "Tente", "target": null }, { "id": "Anda", "display_name": "Anda", "target": null }, { "id": "Vasaris", "display_name": "Vasaris", "target": null }, { "id": "Rabu", "display_name": "Rabu", "target": null }, { "id": "Srpanj", "display_name": "Srpanj", "target": null }, { "id": "TrackingClient", "display_name": "TrackingClient", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" } ], "industries": [], "TLP": "white", "cloned_from": "62719a4dec6d0aa4631b9b2f", "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5708, "hostname": 1541, "FileHash-SHA256": 876, "domain": 915, "CVE": 1, "FileHash-MD5": 1 }, "indicator_count": 9042, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "280 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6842489989d6db4d41fd8322", "name": "Vulnerable Driver Load", "description": "Here is the full list of malicious Windows drivers, which can be blocked with the help of a special tool, or a built-in system, if you want to know what to do with it.", "modified": "2025-07-06T01:00:17.231000", "created": "2025-06-06T01:47:05.317000", "tags": [ "malicious", "vulnerable", "living", "land drivers", "premium", "windows", "feel", "strong", "json", "sysmon", "subdomains", "whasz", "html internet", "magia dokument", "html", "ascii", "z bardzo", "triid plik", "magika html", "rozmiar", "zgoszenie", "error", "100255", "255100", "number", "e100", "100i100n", "65535255", "25565535", "mmm d", "typeof window", "null", "bubble", "radar", "false", "click", "isitem", "dark", "copy", "shell", "panelbox", "document", "code", "body", "light", "mark", "date", "scroll", "target", "blank", "back", "main", "lowfi" ], "references": [ "https://loldrivers.io/", "https://www.loldrivers.io/js/chart.min.js", "https://www.loldrivers.io/js/bundle.7cd1a644ff4540d19bfa43f193df74afce746a0213920f45d73bf720542f682d81b6ad0320242744d332512cfb63eac5790fab1a240d6e6c8cb89f25fcacfbd7.js", "https://www.loldrivers.io/favicons/browserconfig.xml" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1885, "FileHash-SHA1": 1367, "FileHash-SHA256": 1615, "hostname": 214, "domain": 52, "URL": 468, "CVE": 2 }, "indicator_count": 5603, "is_author": false, "is_subscribing": null, "subscriber_count": 124, "modified_text": "330 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "684c65464466dd19b089f325", "name": "Zesp\u00f3\u0142 Profilaktyki i Rehabilitacji w Janowicach Wielkich - YouTube", "description": "If d=void 0===c,w(\"trustedResourceUrl\",d: \"Trusted resourceUrl,\" thend=c.src,d, c.js, then d:", "modified": "2025-06-13T17:56:28.689000", "created": "2025-06-13T17:52:06.399000", "tags": [ "rehabilitacji w", "youtube tv", "dami jelenia", "tv dami", "jelenia gra", "zakupy wycz", "jeli", "nie korzystasz", "filmy", "aby tego", "copyright", "closure library", "argument", "ifunction", "error", "null", "type", "cast", "webchannel", "su2028u2029", "chrome", "xmlhttp", "kkvoid", "remotecontrol", "android", "unknown", "screen", "desktop", "function", "string", "array", "number", "vfunction", "f8192", "n432", "true", "j2048", "this", "window", "void", "date", "pokau017c", "pytfunction", "fe8function", "qgzfunction", "afunction", "hb28", "r150", "promise", "bigint", "post", "edge", "swhealthlog", "symbol", "trident", "infinity", "embed", "webkitkeyframes", "zoomin", "zoominx", "zoomoutx", "zoominy", "zoomouty", "2000px", "90deg", "20px", "30deg", "30px", "10px", "10deg", "3deg", "5deg", "djmegamenu", "use license", "tabindex", "menu", "close", "msie", "beforechange", "imagehassize", "buildcontrols", "magnific popup", "dmitry semenov", "http", "beforeclose", "afterclose", "open", "next", "open source", "bsd license", "george mcginley", "smith", "djimageslider", "subpackage", "webkit", "khtml", "icab", "countto", "callback", "handler", "object", "typeof", "method", "gnugplv2", "website", "set module", "height script", "regexp", "screenheight", "highcontrast2", "highcontrast3", "highcontrast", "wide", "night", "body", "normalbutton", "cookie plugin", "https", "klaus hartl", "mit license", "register", "nodecommonjs", "factory", "jquery", "write", "sticky bar", "stickybar", "count", "offcanvas", "html", "noscroll", "offcanvas var", "toggle nav", "click jquery", "ajax", "autocomplete", "tomas kirda", "typeof define", "esc27", "tab9", "return13", "left37", "up38", "twitter", "custom version", "joomla", "rolemenu", "boolean", "get adobe", "flash player", "title", "text", "typeof data", "typeof s", "accept", "width", "foundation", "backspace8", "comma188", "delete46", "down40", "end35", "enter13", "escape27", "value", "migrate", "backcompat", "quirks mode", "typeof f", "xtablet768", "document", "ui sortable", "leftright", "gnu general", "public license", "dddddd", "ffffcc", "eeeeee", "verdana", "geneva", "arial", "helvetica", "f0f0f0", "sans", "charset", "utf8", "fontawesome", "typeof b", "pseudo", "child", "sufeffxa0", "class", "attr", "general slider", "slide", "rgba", "navigation", "15deg", "300px", "20deg", "transition", "scale", "baskerville", "main image", "bdbdbd", "f3f3f3", "remove", "fontface", "woff2", "u0131", "u01520153", "u02bb02bc", "u02c6", "u02da", "u02dc", "u0304", "dirrtl", "msviewport", "href", "span", "legend", "halflings", "fieldset", "typeimage", "f2f2f2", "d9edf7", "dff0d8", "f2dede", "thead", "tbody", "tahoma", "00a0", "video", "script", "2500", "xnew ita", "dnew jta", "dataset", "orfunction", "prfunction", "nsafunction", "xsafunction", "vrfunction", "cakes", "ovbfunction", "pvbfunction", "rvbfunction", "qvbfunction", "tvbfunction", "uvbfunction", "vvbclass", "xvbclass", "yvbclass", "svbclass", "lvafunction", "ggfunction", "mvafunction", "ovafunction", "pvafunction", "uvafunction", "tvafunction", "qvafunction", "vvafunction", "nvaclass", "dark", "vector", "yy49", "raster", "roboto", "new tk", "qael", "przechyl", "mars", "mercury", "venus", "pluto", "titan", "weakset", "wfclass", "googlelayer", "uint8array", "weakmap", "5001", "mouseevent", "webassembly", "180180", "9090", "google maps", "javascript api", "internal", "small", "lightrail", "false", "february", "light", "hybrid", "bounce", "drop", "inside", "outside", "marker", "gc" ], "references": [ "embed.html", "ad_status.js.pobrane", "f5Y41t9wqY4.html", "cast_sender.js.pobrane", "remote.js.pobrane", "sw3VTUzeRvWIVwvWSyk6S5gHWPxOOwU1OxerozmN4Hw.js.pobrane", "embed.js.pobrane", "www-embed-player.js.pobrane", "animate.ext.css", "animate.min.css", "jquery.djmegamenu.js.pobrane", "jquery.djmobilemenu.js.pobrane", "magnific.js.pobrane", "jquery.easing.min.js.pobrane", "slider.js.pobrane", "jquery.countTo.js.pobrane", "scripts.js.pobrane", "magnific-init.js.pobrane", "pagesettings.js.pobrane", "jquery.cookie.js.pobrane", "stickybar.js.pobrane", "fontswitcher.js.pobrane", "offcanvas.js.pobrane", "jquery.autocomplete.min.js.pobrane", "bootstrap.min.js.pobrane", "jcemediabox.js.pobrane", "jquery.ui.core.min.js.pobrane", "jquery-migrate.min.js.pobrane", "layout.min.js.pobrane", "jquery.ui.sortable.min.js.pobrane", "caption.js.pobrane", "finder.css", "jquery-noconflict.js.pobrane", "djmegamenu.26.css", "animations.css", "djmobilemenu.css", "jquery.min.js.pobrane", "djimageslider.css", "offcanvas.css", "magnific.css", "font_switcher.26.css", "css", "template_responsive.26.css", "offcanvas.26.css", "bootstrap_responsive.26.css", "extended_layouts.26.css", "style.css", "content.css", "template.26.css", "bootstrap.26.css", "jcemediabox.css", "js", "onion.js.pobrane", "search_impl.js.pobrane", "overlay.js.pobrane", "map.js.pobrane", "util.js.pobrane", "search.js.pobrane", "common.js.pobrane", "geometry.js.pobrane", "main.js.pobrane" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Gc", "display_name": "Gc", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2779, "hostname": 661, "domain": 684, "email": 4, "FileHash-MD5": 1, "FileHash-SHA256": 689 }, "indicator_count": 4818, "is_author": false, "is_subscribing": null, "subscriber_count": 123, "modified_text": "353 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67f33233092ab19b74879403", "name": "MacOS M2 Chip Infiltration: Game Center & XBOX Pod Game & Chat Server", "description": "pulse explores a variety of files, objects, and functions that could be associated with different system components, libraries, and protocols. It highlights a wide range of potential vulnerabilities that may exist in software related to system functions, APIs, data handling, and device interactions, including issues in devices like game controllers, HID devices, and platform-specific services (such as Apple and Android). The pulse references several components across different platforms (macOS, iOS, ARM architectures, and others), with a focus on low-level code, encryption libraries, system utilities, and network protocols like TCP, IP, and Bluetooth. The identified vulnerabilities could involve buffer overflows, deprecated functions, improper memory handling, and potential exploit vectors related to system security, performance, and integrity.", "modified": "2025-05-07T02:03:20.735000", "created": "2025-04-07T02:02:27.322000", "tags": [ "helper macro", "param", "param inccache", "kerberos", "ccache", "api function", "ccapi", "api version", "param ioccache", "ccacheserver", "win32", "null", "code", "win64", "error", "union", "ccapideprecated", "ccacheapi", "ccapiv2h", "apple", "export", "united", "ccache api", "cplusplus", "x8664", "typedef", "patheq", "none", "popen", "terminate", "false", "winenv", "winexe", "frozen", "winservice", "python", "posixthreads", "pyhavecondvar", "ntthreads", "vista", "pyemulatedwincv", "ntddivista", "semaphore", "pycondt", "win7", "pybuildcore", "fall", "copyright", "technology", "all rights", "reserved", "america", "government", "within that", "klprincipal", "klloginoptions", "inpassword", "klboolean", "klindex inindex", "login", "klstatus", "kerberos login", "inst", "regexp", "typeof e", "function", "typeof t", "typeof o", "width", "typeof", "pseudo", "body", "sticky", "date", "class", "this", "void", "accept", "span", "krb5callconv", "apoptsreserved", "tktflgreserved", "kdcoptreserved", "krb5data", "eblock", "krb5address", "krb5keyblock", "service", "realm", "format", "general", "internal", "entropy", "mask", "mcpeerid", "mcsession", "property", "protocol", "create", "nsuinteger", "notifies", "mcsession api", "interface", "bonjour", "ascii lowercase", "abc company", "section", "bonjour txt", "mcextern", "attribute", "mcextern extern", "mcexternweak", "nsenum", "nsinteger", "mcerrorcode", "mcerrorunknown", "mcerrortimedout", "bonjour apis", "stop", "peer", "example", "tags", "session", "nsprogress", "nserror", "nsstring", "nsurl", "nsarray", "note", "ui element", "utf8 encoding", "nscopying", "nsdictionary", "webpackrequire", "webpackexports", "object", "adobe systems", "adobe", "incorporated", "dissemination", "touchmove", "window", "launch", "close", "core", "webview", "nwebpackrequire", "arraybuffer", "name", "typedarray", "prototype", "string", "number", "nvar", "meta", "infinity", "generator", "zero", "epsilon", "observer", "android", "freeze", "trim", "canvas", "simple", "bind", "fast", "next", "patch", "rest", "middle", "find", "enumerate", "facebook", "executor", "apiunavailable", "gamecontroller", "gcbuttoninput", "gcswitchinput", "nsobject", "apiavailable", "hid device", "cfstr", "iohiddeviceref", "boolean value", "c iohidmanager", "iohidmanager", "c iohiddevice", "issequential", "bool sequential", "bool canwrap", "nsset", "nsunavailable", "gcswitchelement", "bool", "share button", "xbox controller", "xbox elite", "xbox series", "gcxboxgamepad", "gcpoint2", "gcpoint2make", "gcpoint2 p", "cfinline bool", "gcpoint2equal", "gcpoint2 point1", "gcpoint2 point2", "gcrelativeinput", "isanalog", "bool analog", "hasinclude", "gcaxis2dinput", "gcpoint2 value", "gcaxiselement", "certain", "gcaxisinput", "gcbuttonelement", "gccontroller", "nsnotification", "chhapticengine", "gcmicrogamepad", "input", "menu button", "gcdevicelight", "gccolor", "x axis", "xvalue", "developers", "functionality", "options button", "sf symbols", "elements", "gcdevice", "gctouchstate", "gctouchstateup", "apideprecated", "gckeyboard", "gcmouse", "nsswiftname", "gcdevicebattery", "battery level", "direction pad", "directionapad", "thumbstick", "gcdevicecursor", "a controller", "gccolor color", "gcinputbuttona", "gcinputbuttonb", "button b", "check", "a element", "c nil", "nsenumerator", "siri remote", "equivalent", "down", "left", "right", "kindof", "handle button", "c device", "immediate input", "dualsense", "positional", "sony dualsense", "gcmotion", "dualshock", "uievent", "controllers", "uikit user", "uiview", "method", "nsdata", "axes", "nsdata source", "return", "nullable", "nsdata object", "button", "shoulder", "extended", "gamepad profile", "nsdata api", "gcgamepad", "sizeof", "standard", "gckeyboardinput", "keyboard", "nsstring const", "controller", "back buttons", "game controller", "back", "keypad", "delete", "insert", "home", "right arrow", "left arrow", "down arrow", "up arrow", "korean", "backspace", "alongside", "gckeyuparrow", "gckeycode const", "lang1", "gclinearinput", "gcquaternion", "gcacceleration", "y axis", "z axis", "gcmouse mouse", "gcmouse class", "mice", "gcmouseinput", "mouse profile", "scroll", "nsdata instance", "a alias", "press", "micro profile", "siri remotes", "b button", "a gcinput", "button a", "nsoptions", "examining", "c sfsymbolsname", "apple tv", "remote", "control center", "a set", "game", "gcracingwheel", "gcbundlewithpid", "gcinputbuttonx", "gcinputbuttony", "gcinputshifter", "gckeya", "gckeyb", "gckeybackslash", "rawvalue", "apple swift", "o librarylevel", "swift import", "element", "indices", "iterator", "subsequence", "kerberoscomerr", "const", "permission", "mit software", "suitability", "athena", "openvision", "gssdllimp", "gssapigenerich", "this software", "purpose", "disclaims all", "warranties with", "regard to", "constraint", "kerberosprofile", "krb5profileh", "const names", "newvalue", "1429577728l", "gnuc", "mach", "omuint32", "gssapikrb5h", "form", "uid form", "client function", "asrep", "including", "preauth", "db entry", "free", "pointer", "rock", "neither", "direct", "damage", "minorstatus", "gssbuffert", "gssctxidt", "gssoid", "gssnamet", "gsscredidt", "gssoidset", "gssapi", "first", "alcapi", "alcapientry", "alcboolean", "targetosmac", "alcdevice", "alcenum param", "alalch", "alcchar", "alcsizei", "capture", "but not", "limited", "openal cross", "apple computer", "redistribution", "is provided", "type", "alvoid", "alint", "openal", "aluint sid", "alenum", "alint value", "aluint property", "alvoid nonnull", "alfloat", "write", "openalopenalh", "umbrella header", "alenum param", "alapi", "aluint bid", "alsizei", "alfloat value", "alapientry", "aluint", "verify", "play", "speed", "bits", "albuffer3i", "albufferdata", "albufferf", "albufferfv", "albufferi", "albufferiv", "aldistancemodel", "aldopplerfactor", "algetbooleanv", "algetbuffer3f", "iousbhostdevice", "iousbhostobject", "iousbhostpipe", "iousbhoststream", "iousbhost", "brief", "usb host", "bool yes", "bool no", "advance", "iousbhostfamily", "kernel", "ioreturn status", "nsnumber", "ioreturn error", "usb device", "select", "commands", "enqueue", "nsmutabledata", "field", "enum", "options", "retrieve", "iosource", "current address", "bos descriptor", "extract", "a descriptor", "license", "io request", "abort", "discussion", "stream", "please", "swift api", "iousbbitrange", "iousbbitrange64", "iousbbit", "client", "usb controller", "usb descriptor", "unknown", "critical", "refer", "link", "send", "same", "common ui", "bluetooth", "service browser", "option", "1001", "cfstringref", "deprecated", "macos", "returns", "abstract", "nswindow", "creates", "mac os", "uuids", "uuid", "sdp service", "nsimage", "nsview", "mpasskeystring", "nsmutablearray", "uuid array", "ioreturn", "runmodal", "group", "command", "byte", "masks", "pduid", "l2cap", "range", "opcode", "packet", "major", "local", "profiles", "iobluetooth", "framework", "support", "host controller", "rfcomm", "minor class", "pseudoclass", "specific device", "headset", "peripheral", "desktop", "glasses", "device reset", "no hci", "hci controller", "returns number", "variable number", "packdata", "cstring", "pass", "path", "deprecated in", "obex session", "obexsessionref", "rfcomm channel", "obex", "does not", "l2cap channel", "inrefcon", "device", "length", "obex spec", "error code", "make", "headerid", "april", "alarm", "avrcplog", "audiolog", "bccmd16touint16", "bccmd16touint8", "bccmd32touint32", "hfplog", "obexcreatevcard", "obexsessionget", "uint16tobccmd16", "intents", "created", "andrea gottardo", "inimage", "intentsui", "project version", "inshortcut", "ibdesignable", "invoiceshortcut", "nsbundle", "siri", "beralloct", "berbvarrayadd", "berbvarrayfree", "berbvdup", "berbvecadd", "berbvecfree", "berbvfree", "berdump", "berdup", "berdupbv", "ldap", "vdspinput1", "vectorsize", "iirchannel", "osvkerndsplib", "pragmaonce", "paul chang", "fri mar", "original code", "apple operating", "modifications", "apple public", "source license", "version", "lframesize", "i386", "picify", "callmcount", "nonlazystub", "align", "roundtostack", "leaf", "import", "carnegie mellon", "carnegie", "inline void", "software", "school", "august", "xnuarchi386selh", "next computer", "mike demoney", "bruce martin", "state segment", "nxswappedfloat", "osswapint32", "inline float", "inline double", "osswapint64", "armlimitsh", "arm64", "useclangtypes", "bsdarmtypesh", "int8t", "gnuc typedef", "uint8t", "ansi c", "ansi", "use wchart", "armmcontexth", "mcontextt", "armparamh", "round", "darwinsizet", "darwinalign", "uint32t", "darwinalign32", "warranties", "a particular", "university", "armarch6zk", "armarch6k", "armarch4t", "armarch4", "http", "capbitnb", "legacy", "armfeatureflag", "california", "notice", "berkeley", "limited to", "define", "useclanglimits", "lp64", "ansisource", "darwincsource", "longmin", "ulongmax", "parameter", "vmmemcoherent", "vmmemearlyack", "vmmeminner", "vmmemrt", "vmmemguarded", "armmemorytypesh", "armpalroutinesh", "read", "struct", "booleant", "cluster", "devbsize", "mclbytes", "unix system", "laboratories", "devbshift", "thumb", "armv5", "armv7", "cache", "neon", "swift", "bsdarmprofileh", "xxx todo", "block", "mcount", "mcountinit", "mcountenter", "splhigh", "armthreadh", "armtraph", "dflssiz", "targetososx", "maxssiz", "rliminfinity", "maxcsiz", "bsdarmvmparamh", "dfldsiz", "maxdsiz", "xxx stack", "armsignal", "int64t", "armmachtypesh", "int32t", "methods", "thread", "hasapplepac", "atmatmtypesh", "libkernlocksh", "fortifysource", "libkerncopyioh", "sizedby", "darwinosinline", "stdcversion", "osswapint16", "libkerncrch", "blockexport", "vaargs", "blockrelease", "blockh", "collection", "blockcopy", "ososbaseh", "base", "byteoffset", "host endianess", "generic host", "generic", "osmalloc", "osmalloctag tag", "osmalloctag", "pci device", "uint32", "uint32 mask", "safecastptr", "sint32", "osaddatomic64", "uint8", "libkern c", "internal error", "core osreturn", "libkern", "values", "pragmamark", "kexts", "kext", "c string", "grab", "osostypesh", "boolean", "unsignedwide", "uint32 hi", "buildtime value", "libkernversionh", "versionmajor", "versionminor", "versionvariant", "versionrevision", "ostype", "osrelease", "libkernsysctlh", "instructions", "data cache", "future", "rbleft", "rbright", "rbgetparent", "splayright", "splayleft", "rbsetcolor", "rbblack", "rbgetcolor", "comp", "main", "stdc", "msdos", "windows", "sys16bit", "zlibdll", "zextern", "zconfh", "model", "zextern int", "zstreamerror", "znull", "zbuferror", "zmemerror", "zstreamend", "zdataerror", "zfinish", "enough", "possible", "trailer", "compiler", "countedby", "sparta", "osatomic", "ipcipctypesh", "ipcobjectnull", "ipcobjectdead", "osreturn", "nfskrpch", "xdrbuf", "xdrbuf xbp", "xbptr", "xbleft", "tlen", "lval", "xbcleanup", "xbtype", "xbflags", "nfsargsversion", "file", "packed", "nfshz", "mount", "term", "restrict", "stats", "nfsbitmapset", "nfsver3", "nfsxunsigned", "attr", "nfsprogram", "nfssmallfh", "which", "from", "mark", "obsolete", "ip address", "iaddrt", "netinetbootph", "nvmaxtext", "magic", "etheraddrlen", "target", "byteorder", "bigendian", "littleendian", "dest", "igmp", "ushort", "inpcbptr", "inpcblistentry", "ipsec", "pcbs", "cookie", "netinetinstath", "minimal", "result", "arp packet", "icmpparamprob", "icmpredirect", "address", "ditto", "ip filter", "ipv4", "ip packet", "inject", "wifi", "server", "tcpmaxnotifyack", "wired", "ecn setup", "notify", "slow", "definitions", "tcptmax", "retransmit", "mptcp", "tcpsclosewait", "tcpsestablished", "tcpstimewait", "tcpseq", "timer drift", "sack", "char", "icmp", "synack", "tcpoptnop", "syndata", "ver", "internet", "iopcidevice", "constant", "perst", "localonly", "iooptionbits", "optional access", "ioservice", "open", "pcidriverkith", "osmetaclassbase", "iorpc rpc", "auditpipeiobase", "auditsdeviobase", "ioctls", "data", "the software", "stdargh", "hasincludenext", "eli friedman", "as is", "hack", "atomic", "atomicseqcst", "clangstdatomich", "stdchosted", "stdboolh", "needwintt", "stddefh", "hasbuiltin", "const src", "xnumembersize", "const dst", "wcharmax", "wcharmin", "limits", "kernelstdinth", "lp64 typedef", "intmaxc", "uintmaxc", "ptrauth", "olddata", "value", "declkey", "abi pointer", "c function", "float16", "fltevalmethod", "legacy bsd", "c standard", "sincospi", "cosp", "x8664monotonich", "staticifentry", "hasmte", "vmmemorytypesh", "vmwimgdefault", "wimg", "extvectortype", "utilfunction", "aligned", "srcptr", "vmpmaph", "vmdyldpagerh", "vmvmfaulth", "vmvmmaph", "development", "debug", "vmvmoptionsh", "vmvmpageouth", "kasantbi", "machvmmemtagh", "given", "vmmemtagptrsize", "vmmemtagtagsize", "copy", "vmsharedregionh", "vfsvfssupporth", "veclib", "master", "world wide", "various", "veclibtypes", "carbonlib", "availability", "carbon", "noncarbon cfm", "vbasicops", "shift", "vforceh", "vdsplength n", "realp", "nonnull", "vector", "dspsplitcomplex", "ieee", "dspcomplex", "uuiduuidh", "uuiddefine", "public", "uuid library", "kernelserver", "simpleroutine", "undkey", "execution", "strings array", "user", "title string", "info", "1024", "xmldatat", "undreplyref", "kernsuccess", "osaction", "targetosiphone", "istargetvendor", "targetcpux8664", "targetosunix", "targetcpuppc", "targetcpuppc64", "targetcpux86", "targetrtmaccfm", "bridge", "svflags", "svpavreal", "svpavreify", "xpvav", "svany", "avfillp", "for apidoc", "mutableav", "avrealoff", "pltopenv", "stmtstart", "stmtend", "copfile", "plcurstackinfo", "copfilegv", "cophinthashget", "loop", "stack", "beware", "orig", "loops", "this file", "the build", "plbitcount", "u8 value", "cvflags", "xpvcv", "mutableptr", "perlcore", "cvgv", "cvfile", "cvfmethod", "cvflvalue", "cvfconst", "anon", "doinit extconst", "ebcdic", "extconst u8", "index", "ascii platform", "confusingly", "u8 pla2e", "pla2e", "u8 ple2a", "guard", "declspec", "extconst", "ext externc", "init", "larry wall", "gnu general", "readme file", "multiplicity", "plsawampersand", "do not", "perliogetc", "perlioputc", "perliostdoutf", "perlio", "perlfeatureh", "featuresubbit", "featuremyrefbit", "featurefcbit", "featureisabit", "featuresaybit", "featurestatebit", "featuretrybit", "hintfeaturemask", "ffspace", "process", "ffdecimal", "ffend", "gvgp", "gvflags", "gvnamehek", "svtype", "gvegv", "gvstash", "gvxpvgv", "svtpvgv", "svtpvlv", "super", "edit directly", "djgpp", "bitbucket", "perlsysinitbody", "perlioinit", "perlsystermbody", "w macros", "wexitstatus", "shpath", "mkdir", "rotl64", "rotl32", "rotate x", "rotr32", "can64bithash", "rotr64", "ivsize", "u8to16le", "rotluv", "rotruv", "sbox32maxlen", "plhashstate", "perlhash", "perl", "usehashseed", "perlseenhvfunch", "perlhashseed", "siphash24", "siphash13", "seed", "c program", "c type", "c compiler", "gcc attribute", "longsize", "c preprocessor", "install", "kill", "cont", "thus", "ext declspec", "dext", "for apidocitem", "utf8", "ascii", "fitsin8bits", "nativetolatin1", "strwithlen", "u8 end", "test", "poison", "february", "cray", "prior", "behaviour", "except", "alpha", "perlvar", "perlvari", "perlvara", "padoffset", "true", "pmop", "hooks", "hook", "sv invlist", "perlinregcompc", "svcur", "perlinopc", "tointernalsize", "svtinvlist", "invlistlen", "strlen", "hvaux", "heklen", "svook", "hekutf8", "hekkey", "hekflags", "mutablehv", "hvnameheknn", "gosh", "leave", "iperlsock", "plsock", "iperlstdio", "plstdio", "iperlproc", "plproc", "iperllio", "pllio", "perlimplicitsys", "plink", "keypackage", "keyend", "keysub", "keydump", "keylog", "keysend", "keystate", "perlioclose", "perlmemcollxfrm", "nativetoneed", "plclocaleobj", "plno", "plwarnall", "plwarnnone", "plyes", "plzero", "plc9utf8dfatab", "nomathoms", "perlintokec", "perlinutf8c", "perlinsvc", "perlinregexecc", "debugging", "perlinlocalec", "pfinet", "snoop", "ccprint", "ccgraph", "cccharnamecont", "ccascii", "ccwordchar", "ccalphanumeric", "ccidfirst", "ccquotemeta", "ccalpha", "cccased", "ordinal", "magicvtablemax", "extra", "regex match", "env hash", "isa array", "debugger", "sig hash", "available", "shadow", "array length", "magic mg", "sv sv", "mgftainteddir", "hefsvkey", "mutablesv", "ssizet", "mgvtbl entry", "mgfbytes", "perlmagicsv 0", "special", "perlmagicarylen", "perlmagicrhash", "extra data", "perlmagicpos", "perlmagicsymtab", "provides", "dtrace probes", "stdioh", "stdioincluded", "sfioversion", "rxfpmfcharset", "rxfpmfmultiline", "rxfpmffold", "rxfpmfextended", "rxfpmfnocapture", "rxfpmfkeepcopy", "flags", "rxfpmfstrict", "ocshift", "plop", "perlbitfield16", "baseop op", "useithreads", "pmfonce", "padop", "perlcknull", "perlckfun", "opparg1mask", "opparg4mask", "opparg2mask", "perlckftst", "perlppftrowned", "perlckbitop", "perlckcmp", "perlcklfun", "dump", "chroot", "syscall", "flip", "undef", "crypt", "push", "stub", "trans", "predec", "flop", "prtf", "shutdown", "perlcontext cx", "perlmemlog", "c pointer", "cxtype", "logic", "toavamg", "tohvamg", "opftrread", "oplt", "opincmp", "opbitand", "opsbitor", "opsend", "opgetpeername", "opfteexec", "opftbinary", "opclose", "plparser", "yylex", "lexshared", "position", "repl", "memsize", "malloct", "perlmallocctlh", "uv nfree", "uv ntotal", "iv topbucket", "iv totalsbrk", "iv minbucket", "level", "plcomppad", "plcurpad", "uvxf", "ptr2uv", "avarray", "padnameflags", "plcopseqmax", "padlistarray", "c array", "padnametype", "incpushperl5lib", "appllibexp", "privlibexp", "defineincmacros", "perlfsversion", "perl5lib", "sitearchexp", "perllanginfoh", "hasnllanginfo", "ilanginfo", "codeset", "codeset 1", "dtfmt", "dtfmt 2", "dfmt", "dfmt 3", "sipround", "u8to64le", "fallthrough", "uint64c", "perlsiphashfnc", "siprounds", "strlen inlen", "sipfinalrounds", "could", "configure", "plout", "mine001", "argv", "plin", "localpatchcount", "perlapih", "xs code", "portingglossary", "first version", "brand", "symbols", "haswcrtomb", "perlionotstdio", "perlcallconv", "perlio f", "perlioh", "usestdio", "case", "bufsiz", "sizet", "perlstability", "perltypedefs", "perldtracehin", "perlloadedfile", "perlloadingfile", "perlopentry", "perlphasechange", "perlsubentry", "perlsubreturn", "generated", "perlcallconv iv", "sizet count", "sv arg", "mode", "perliofuncs tab", "stdchar", "perliolistt", "sv args", "mutex", "perlinterpreter", "sigsize", "perlioisstdio", "perlcallconv op", "perldokv", "perlppaassign", "perlppabs", "perlppaccept", "perlppadd", "perlppaeach", "perlppaelem", "public license", "free software", "foundation", "yydebug", "bison", "bareword", "funcmeth", "arrow", "targ", "pushs", "tops", "does", "xsub", "pops", "xpushs", "erange", "perlreentrapi", "perlreentrapi0", "hostentsize", "getgrentrproto", "getpwentrproto", "getnetentrproto", "grentbuffer", "grentsize", "hostenterrno", "redebugflag", "debugvtest", "debugr", "u16 nextoff", "argset", "u8 type", "nextoff", "strings", "problem", "june", "invert", "perlfpclass", "longdoublekind", "plstatusvalue", "pldebug", "numclasses", "locale", "grok", "pragma", "dword", "attack", "little", "lynx", "done", "reany", "rxpextflags", "rxextflags", "checkpoint cp", "rxftaintedseen", "rxfcopydone", "plsavestackix", "plsavestack", "plsavestackmax", "ssmaxpush", "enter", "debugscope", "state", "u32 state", "debugsbox32hash", "sbox32warn5", "line", "mutexunlock", "mutexinit", "noop", "mutexlock", "condinit", "detach", "panic", "usetm64", "should", "bsd extension", "configuration", "time64debug", "int64t nv", "gnu extension", "perltime64h", "time64t", "int64t int64", "int64 time64t", "i32 year", "tm64", "hastmtmgmtoff", "decide", "svpvx", "svgmagic", "bonk", "anything", "turn", "crash", "fstat", "perlmicro", "hasioctl", "hasutime", "hasgroup", "haspasswd", "usemybinmode", "idirent", "likely", "generated code", "utfebcdic", "unicode", "step", "ufeff", "u00a0", "u00df", "u00b5", "ufffd", "u017f", "u0300", "unlikely", "nativeutf8toi8", "utf8skip", "nativetouni", "lazy", "extrasize", "regnodemax", "exact", "match", "whilem", "anyof", "curly", "trie", "curlym", "eval", "star", "perlutilh", "hsmapiverlen", "hsxsverlenmax", "hskeyp", "tools", "sv vs", "perlversionlt", "svpvxnolenconst", "perlckwarner", "u32 err", "scroakxsusage", "pluumap", "warnings", "categories", "plcurcop", "perlckwarn", "perlckwarnd", "perlwarnisset", "perlwarnoff", "perlwarnbit", "xsversion", "xsreturn", "perlxshandshake", "plstackbase", "hskey", "zaphod32mix", "u8to32le", "zaphod32warn4", "zaphod32warn3", "zaphod32warn6", "perlform", "i8tonativeutf8", "warnutf8", "myshift", "c extension", "libs", "cflags", "afkuserlog", "kafkeventcancel", "kafkeventerror", "adamsbagmanager", "adjinglerequest", "isinternalbuild", "kickmcxdforuid", "loadappkit", "ardconfig", "authenticator", "dsauthenticator", "dsnode", "dsrecord", "hostconfig", "addtofront", "calcslope", "copyarray", "createcachenode", "defaultebecurve", "deletecache", "disablehcucache", "dumpcache", "dumpoutputhcu", "enablet1sim", "ascagent", "ascagentproxy", "asdevice", "ddrangecompare", "wdosloglauncher", "wdoslogprotocol", "findchar", "ddasllogger", "ddfilelogger", "ddlog", "ddlogfileinfo", "ddlogmessage", "ddloggernode", "mkurlparser", "mkerrordomain", "mkintegerhash", "mklonghash", "mkmaprectinset", "mkmaprectnull", "mkmaprectoffset", "mkmaprectworld", "mkmapsizeworld", "kextensionnonui", "wkarraycreate", "wkbooleancreate", "wkcontextcreate", "wkdatacreate", "wkdatagettypeid", "wkdoublecreate", "wkframecopyurl", "wkgettypeid", "wkimagecreate", "wkpagecandelete", "webkit", "methodkind", "wkerrordomain", "by apple", "document", "a block", "wkcontentworld", "wkwebview", "javascript", "wkerrorcode", "wkerrorunknown", "nsswiftasync", "wkswiftasync", "wkcookiepolicy", "nshttpcookie", "whether", "wknavigation", "wkdownload", "decides", "mime type", "wkscriptmessage", "wkframeinfo", "information", "url scheme", "wkcontentmode", "wkuserscript", "wkextern", "media", "promise", "fulfill", "cgfloat", "targetoswatch", "sign", "password", "provider", "uicontrol", "nscontrol", "opaque user", "apple id", "nsstring user", "asuseragerange", "initiate", "asauthorization", "confirms", "apple upgrade", "nserrorenum", "operation", "relying party", "targetosvision", "a byte", "nsdata userid", "relying", "a string", "asapiavailable", "http response", "authorization", "oauth", "saml", "nsdata readdata", "bool didwrite", "a cose", "nsstring name", "bool appid", "targetosxr", "a state", "a json", "web token", "private seckeys", "nsstring appid", "mdm profile", "nsurl url", "returns yes", "lacontext", "asswiftsendable", "keychain", "cose algorithm", "ecdsa", "sha256", "cose curve", "p256", "nsinteger rank", "enables", "bool success", "remove", "call", "complete", "prepare", "attempt", "list", "nsextension", "settings", "initializes", "a key", "extensions", "hash", "json", "initialize", "nsstring origin", "settings app", "urls", "https urls", "safari", "cancel", "nsuuid uuid", "asextern extern", "asextern", "nsswiftsendable", "uiwindow", "propertykind", "gkplayer", "n tags", "gkerrordomain", "gamecenter", "targetosios", "targetostv", "nsavailable", "gkachievement", "local player", "view", "present", "optional", "gkbaseplayer", "game center", "uiimage", "app store", "gkchallenge", "gklocalplayer", "nsdeprecated", "a singleton", "gkcloudplayer", "returns nil", "nsdeprecatedmac", "internal2", "internal3", "internal4", "gkscore", "gkextern", "gkextern extern", "gkexternweak", "gkerrorcode", "gkerrorunknown", "gkerrorunderage", "friendplayer", "standard view", "nsresponder", "parentwindow", "ibaction", "gkgamesession", "apis", "gkplayer player", "nsinteger score", "nsdate date", "gkleaderboard", "connect", "nsinteger value", "load", "gktransporttype", "nsstring title", "loads array", "localized", "gkmatch", "gkmatchrequest", "gkinvite", "gksession", "gksession api", "gamekit", "asynchronously", "welcome", "nstimeinterval", "delegate", "delivery", "gksenddatamode", "gksessionmode", "gkphotosize", "callbacks", "gkmatchdelegate", "gksavedgame", "default value", "gksessionerror", "gkvoicechat", "participant", "voice chat", "clienta" ], "references": [ "CredentialsCache.h", "CredentialsCache2.h", "config.xml", "popen_spawn_win32.py", "pycore_condvar.h", "Kerberos.h", "KerberosLogin.h", "plugin.js", "krb5.h", "MultipeerConnectivity.tbd", "MCBrowserViewController.h", "MCNearbyServiceAdvertiser.h", "MCError.h", "MCAdvertiserAssistant.h", "MCNearbyServiceBrowser.h", "MultipeerConnectivity.apinotes", "MultipeerConnectivity.h", "MCSession.h", "MCPeerID.h", "canvas.html", "capture_0.bundle.js", "capture_resize.js", "GCRacingWheelInput.h", "GCSyntheticDeviceKeys.h", "GCSwitchPositionInput.h", "GCSteeringWheelElement.h", "GCSwitchElement.h", "GCTouchedStateInput.h", "GCXboxGamepad.h", "GCTypes.h", "GCRelativeInput.h", "GameController.h", "GCAxis2DInput.h", "GCAxisElement.h", "GCAxisInput.h", "GCButtonElement.h", "GCController.h", "GCColor.h", "GCControllerAxisInput.h", "GCControllerDirectionPad.h", "GCControllerInput.h", "GCControllerElement.h", "GCControllerTouchpad.h", "GCDevice.h", "GCDeviceBattery.h", "GCDeviceCursor.h", "GCDeviceHaptics.h", "GCDeviceLight.h", "GCDevicePhysicalInputState.h", "GCDevicePhysicalInputStateDiff.h", "GCDirectionalGamepad.h", "GCDirectionPadElement.h", "GCDevicePhysicalInput.h", "GCDualSenseAdaptiveTrigger.h", "GCDualSenseGamepad.h", "GCDualShockGamepad.h", "GCEventViewController.h", "GCExtendedGamepadSnapshot.h", "GCExtern.h", "GCExtendedGamepad.h", "GCGamepadSnapshot.h", "GCGearShifterElement.h", "GCGamepad.h", "GCKeyboard.h", "GCInputNames.h", "GCControllerButtonInput.h", "GCKeyNames.h", "GCKeyboardInput.h", "GCKeyCodes.h", "GCLinearInput.h", "GCMotion.h", "GCMouse.h", "GCMouseInput.h", "GCMicroGamepadSnapshot.h", "GCPhysicalInputElement.h", "GCMicroGamepad.h", "GCPhysicalInputProfile.h", "GCPhysicalInputSource.h", "GCPressedStateInput.h", "GCProductCategories.h", "GCRacingWheel.h", "GameController.tbd", "arm64e-apple-macos.swiftinterface", "x86_64-apple-macos.swiftinterface", "module.modulemap", "com_err.h", "gssapi_generic.h", "locate_plugin.h", "profile.h", "gssapi_krb5.h", "preauth_plugin.h", "gssapi.h", "alc.h", "oalStaticBufferExtension.h", "oalMacOSX_OALExtensions.h", "OpenAL.h", "al.h", "OpenAL.tbd", "IOUSBHost.tbd", "IOUSBHostCIEndpointStateMachine.h", "IOUSBHostCIControllerStateMachine.h", "IOUSBHost.h", "IOUSBHostCIPortStateMachine.h", "IOUSBHostCIDeviceStateMachine.h", "IOUSBHostControllerInterfaceHelpers.h", "IOUSBHostDevice.h", "IOUSBHostControllerInterface.h", "IOUSBHostDefinitions.h", "IOUSBHostInterface.h", "IOUSBHostIOSource.h", "AppleUSBDescriptorParsing.h", "IOUSBHostStream.h", "IOUSBHostObject.h", "IOUSBHostControllerInterfaceDefinitions.h", "IOUSBHostPipe.h", "IOBluetoothUIUserLib.h", "IOBluetoothUI.h", "IOBluetoothObjectPushUIController.h", "IOBluetoothDeviceSelectorController.h", "IOBluetoothPasskeyDisplay.h", "IOBluetoothPairingController.h", "IOBluetoothServiceBrowserController.h", "IOBluetoothUI.tbd", "Bluetooth.h", "IOBluetooth.h", "BluetoothAssignedNumbers.h", "IOBluetoothTypes.h", "IOBluetoothUtilities.h", "OBEXBluetooth.h", "IOBluetoothUserLib.h", "OBEX.h", "IOBluetooth.tbd", "INImage+IntentsUI.h", "IntentsUI.h", "INUIAddVoiceShortcutButton.h", "IntentsUI.apinotes", "INUIEditVoiceShortcutViewController.h", "INUIAddVoiceShortcutViewController.h", "LDAP.tbd", "OSvKernDSPLib.h", "cpu.h", "asm_help.h", "desc.h", "pio.h", "io.h", "sel.h", "reg_help.h", "tss.h", "table.h", "byte_order.h", "_limits.h", "_types.h", "_mcontext.h", "_param.h", "_endian.h", "arch.h", "cpuid_internal.h", "cpu_capabilities_public.h", "arm_features.inc", "endian.h", "locks.h", "limits.h", "atomic.h", "machine_cpuid.h", "memory_types.h", "pal_routines.h", "machine_routines.h", "param.h", "cpuid.h", "thread.h", "trap.h", "vmparam.h", "signal.h", "types.h", "AFKMemoryDescriptorOptions.h", "machine_machdep.h", "atm_types.h", "copyio.h", "_OSByteOrder.h", "crc.h", "Block.h", "OSBase.h", "OSByteOrder.h", "OSDebug.h", "OSMalloc.h", "OSAtomic.h", "OSReturn.h", "OSKextLib.h", "OSTypes.h", "version.h", "sysctl.h", "tree.h", "zconf.h", "zlib.h", "libkern.h", "kdp_callout.h", "kdp_en_debugger.h", "ipc_types.h", "krpc.h", "rpcv2.h", "xdr_subs.h", "nfs.h", "nfsproto.h", "bootp.h", "if_ether.h", "icmp6.h", "icmp_var.h", "igmp_var.h", "igmp.h", "in_pcb.h", "in_stat.h", "in_private.h", "in_arp.h", "in_var.h", "in_systm.h", "ip_var.h", "ip_icmp.h", "kpi_ipfilter.h", "ip6.h", "tcp_private.h", "ip.h", "tcp_timer.h", "tcp_fsm.h", "udp_var.h", "tcp_seq.h", "tcpip.h", "udp.h", "tcp_var.h", "tcp.h", "IOPCIFamilyDefinitions.h", "IOPCIDevice.iig", "PCIDriverKit.h", "IOPCIDevice.h", "audit_ioctl.h", "stdarg.h", "stdatomic.h", "stdbool.h", "stddef.h", "string.h", "stdint.h", "ptrauth.h", "math.h", "monotonic.h", "static_if.h", "machine_kpc.h", "machine_remote_time.h", "ipc_pthread_priority_types.h", "lz4_assembly_select.h", "vm_compressor_algorithms.h", "lz4.h", "pmap.h", "vm_dyld_pager.h", "vm_far.h", "vm_fault.h", "vm_map.h", "lz4_constants.h", "vm_options.h", "vm_pageout.h", "vm_memtag.h", "vm_shared_region.h", "vm_kern.h", "vfs_support.h", "vecLib.h", "vecLibTypes.h", "vBasicOps.h", "vForce.h", "vDSP.h", "uuid.h", "UNDReply.defs", "UNDRequest.defs", "KUNCUserNotifications.h", "UNDTypes.defs", "UNDTypes.h", "TargetConditionals.h", "apfs_boot_mount.tbd", "av.h", "cop.h", "bitcount.h", "cv.h", "ebcdic_tables.h", "EXTERN.h", "embedvar.h", "fakesdio.h", "feature.h", "form.h", "gv.h", "git_version.h", "dosish.h", "hv_macro.h", "hv_func.h", "config.h", "INTERN.h", "handy.h", "intrpvar.h", "invlist_inline.h", "hv.h", "iperlsys.h", "keywords.h", "libperl.tbd", "embed.h", "l1_char_class_tab.h", "mg_data.h", "mg_raw.h", "mg.h", "mg_vtable.h", "mydtrace.h", "nostdio.h", "op_reg_common.h", "op.h", "opcode.h", "inline.h", "overload.h", "opnames.h", "parser.h", "malloc_ctl.h", "pad.h", "perl_inc_macro.h", "perl_langinfo.h", "perl_siphash.h", "patchlevel.h", "perlapi.h", "metaconfig.h", "perlio.h", "perldtrace.h", "perliol.h", "perlvars.h", "perlsdio.h", "pp_proto.h", "perly.h", "pp.h", "reentr.h", "regcomp.h", "perl.h", "regexp.h", "scope.h", "sbox32_hash.h", "time64_config.h", "time64.h", "sv.h", "unixish.h", "uconfig.h", "utfebcdic.h", "unicode_constants.h", "utf8.h", "regnodes.h", "util.h", "vutil.h", "uudmap.h", "warnings.h", "XSUB.h", "zaphod32_hash.h", "encode.h", "python-3.9.pc", "python-3.9-embed.pc", "python3-embed.pc", "python3.pc", "AFKUser.tbd", "AdID.tbd", "Admin.tbd", "AirPlayReceiver.tbd", "AppSandbox.tbd", "ASEProcessing.tbd", "AuthenticationServicesCore.tbd", "WebGPU.tbd", "WebDriver.tbd", "MapKit.tbd", "SwiftUI.swiftoverlay", "WebKit.tbd", "WebKit.apinotes", "WKBackForwardList.h", "NSAttributedString.h", "WebKit.h", "WKBackForwardListItem.h", "WKContentRuleList.h", "WKContentRuleListStore.h", "WKContextMenuElementInfo.h", "WKDataDetectorTypes.h", "WKContentWorld.h", "WKError.h", "WKFoundation.h", "WKFindResult.h", "WKHTTPCookieStore.h", "WKFrameInfo.h", "WKNavigation.h", "WKFindConfiguration.h", "WKNavigationDelegate.h", "WKNavigationResponse.h", "WKOpenPanelParameters.h", "WebKitLegacy.h", "WKPreviewActionItem.h", "WKNavigationAction.h", "WKPreferences.h", "WKPreviewActionItemIdentifiers.h", "WKPreviewElementInfo.h", "WKProcessPool.h", "WKDownload.h", "WKPDFConfiguration.h", "WKScriptMessage.h", "WKSecurityOrigin.h", "WKScriptMessageHandler.h", "WKSnapshotConfiguration.h", "WKUIDelegate.h", "WKURLSchemeTask.h", "WKWebpagePreferences.h", "WKUserContentController.h", "WKWebsiteDataStore.h", "WKWebsiteDataRecord.h", "WKUserScript.h", "WKURLSchemeHandler.h", "WKWebViewConfiguration.h", "WKWebView.h", "WKScriptMessageHandlerWithReply.h", "WKWindowFeatures.h", "WKDownloadDelegate.h", "ASAccountAuthenticationModificationController.h", "ASAccountAuthenticationModificationViewController.h", "ASAuthorization.h", "ASAuthorizationAppleIDButton.h", "ASAccountAuthenticationModificationRequest.h", "ASAuthorizationAppleIDProvider.h", "ASAuthorizationAppleIDRequest.h", "ASAuthorizationAppleIDCredential.h", "ASAuthorizationController.h", "ASAuthorizationCredential.h", "ASAccountAuthenticationModificationExtensionContext.h", "ASAuthorizationError.h", "ASAuthorizationCustomMethod.h", "ASAuthorizationPasswordRequest.h", "ASAuthorizationOpenIDRequest.h", "ASAuthorizationPlatformPublicKeyCredentialDescriptor.h", "ASAuthorizationPlatformPublicKeyCredentialProvider.h", "ASAccountAuthenticationModificationReplacePasswordWithSignInWithAppleRequest.h", "ASAccountAuthenticationModificationUpgradePasswordToStrongPasswordRequest.h", "ASAuthorizationPlatformPublicKeyCredentialRegistrationRequest.h", "ASAuthorizationPlatformPublicKeyCredentialRegistration.h", "ASAuthorizationProvider.h", "ASAuthorizationPlatformPublicKeyCredentialAssertion.h", "ASAuthorizationPublicKeyCredentialAssertion.h", "ASAuthorizationPublicKeyCredentialAssertionRequest.h", "ASAuthorizationPublicKeyCredentialConstants.h", "ASAuthorizationProviderExtensionAuthorizationResult.h", "ASAuthorizationPublicKeyCredentialDescriptor.h", "ASAuthorizationPublicKeyCredentialLargeBlobAssertionOutput.h", "ASAuthorizationPasswordProvider.h", "ASAuthorizationPublicKeyCredentialLargeBlobRegistrationInput.h", "ASAuthorizationPublicKeyCredentialParameters.h", "ASAuthorizationPublicKeyCredentialLargeBlobRegistrationOutput.h", "ASAuthorizationPublicKeyCredentialRegistration.h", "ASAuthorizationPublicKeyCredentialRegistrationRequest.h", "ASAuthorizationPublicKeyCredentialLargeBlobAssertionInput.h", "ASAuthorizationSecurityKeyPublicKeyCredentialAssertion.h", "ASAuthorizationRequest.h", "ASAuthorizationPlatformPublicKeyCredentialAssertionRequest.h", "ASAuthorizationSecurityKeyPublicKeyCredentialProvider.h", "ASAuthorizationSingleSignOnCredential.h", "ASAuthorizationSecurityKeyPublicKeyCredentialDescriptor.h", "ASAuthorizationSecurityKeyPublicKeyCredentialAssertionRequest.h", "ASAuthorizationSecurityKeyPublicKeyCredentialRegistration.h", "ASAuthorizationSingleSignOnProvider.h", "ASAuthorizationWebBrowserExternallyAuthenticatableRequest.h", "ASAuthorizationWebBrowserPlatformPublicKeyCredentialAssertionRequest.h", "ASAuthorizationWebBrowserPlatformPublicKeyCredentialRegistrationRequest.h", "ASAuthorizationWebBrowserPublicKeyCredentialManager.h", "ASAuthorizationWebBrowserPlatformPublicKeyCredential.h", "ASAuthorizationWebBrowserSecurityKeyPublicKeyCredentialAssertionRequest.h", "ASAuthorizationWebBrowserSecurityKeyPublicKeyCredentialRegistrationRequest.h", "ASCOSEConstants.h", "ASCredentialIdentity.h", "ASAuthorizationSingleSignOnRequest.h", "ASCredentialIdentityStore.h", "ASAuthorizationWebBrowserSecurityKeyPublicKeyCredentialProvider.h", "ASCredentialProviderExtensionContext.h", "ASCredentialProviderViewController.h", "ASAuthorizationSecurityKeyPublicKeyCredentialRegistrationRequest.h", "ASCredentialServiceIdentifier.h", "ASExtensionErrors.h", "ASAuthorizationProviderExtensionAuthorizationRequest.h", "ASCredentialRequest.h", "ASAuthorizationWebBrowserPlatformPublicKeyCredentialProvider.h", "ASPasskeyAssertionCredential.h", "ASPasskeyCredentialRequest.h", "ASPasskeyCredentialRequestParameters.h", "ASCredentialIdentityStoreState.h", "ASPasskeyRegistrationCredential.h", "ASPasswordCredential.h", "ASPublicKeyCredential.h", "ASPasskeyCredentialIdentity.h", "ASPublicKeyCredentialClientData.h", "ASSettingsHelper.h", "ASWebAuthenticationSessionCallback.h", "ASWebAuthenticationSession.h", "ASWebAuthenticationSessionRequest.h", "ASWebAuthenticationSessionWebBrowserSessionManager.h", "AuthenticationServices.h", "ASFoundation.h", "AuthenticationServices.apinotes", "ASWebAuthenticationSessionWebBrowserSessionHandling.h", "ASPasswordCredentialIdentity.h", "ASPasswordCredentialRequest.h", "GameKit.apinotes", "GKAccessPoint.h", "GameKit.h", "GKAchievement.h", "GKAchievementViewController.h", "GKBasePlayer.h", "GKAchievementDescription.h", "GKChallengeEventHandler.h", "GKCloudPlayer.h", "GKChallengesViewController.h", "GKChallenge.h", "GKDefines.h", "GKError.h", "GKEventListener.h", "GKFriendRequestComposeViewController.h", "GKDialogController.h", "GKGameSessionEventListener.h", "GKGameSessionError.h", "GKGameCenterViewController.h", "GKGameSessionSharingViewController.h", "GKLeaderboardEntry.h", "GKLeaderboard.h", "GKLeaderboardScore.h", "GKGameSession.h", "GKLeaderboardSet.h", "GKLocalPlayer.h", "GKLeaderboardViewController.h", "GKMatch.h", "GKMatchmaker.h", "GKMatchmakerViewController.h", "GKPeerPickerController.h", "GKNotificationBanner.h", "GKPublicConstants.h", "GKPlayer.h", "GKPublicProtocols.h", "GKSavedGameListener.h", "GKScore.h", "GKSessionError.h", "GKVoiceChat.h", "GKTurnBasedMatchmakerViewController.h", "GKSession.h", "GKTurnBasedMatch.h", "GKSavedGame.h", "GKVoiceChatService.h" ], "public": 1, "adversary": "Turla Group, FIN7, APT34, APT28, DragonForce Malaysia Hacker Group, Indonesia Islamic Warriors Counc", "targeted_countries": [ "United States of America", "India", "Australia" ], "malware_families": [ { "id": "OSAtomic", "display_name": "OSAtomic", "target": null }, { "id": "OSReturn", "display_name": "OSReturn", "target": null }, { "id": "Ver", "display_name": "Ver", "target": null }, { "id": "Internet", "display_name": "Internet", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 39, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ilyailya", "id": "298851", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1968, "domain": 526, "FileHash-SHA256": 207, "hostname": 972, "email": 55, "FileHash-SHA1": 9, "FileHash-MD5": 4, "CVE": 2, "CIDR": 10 }, "indicator_count": 3753, "is_author": false, "is_subscribing": null, "subscriber_count": 35, "modified_text": "390 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67733337db5a8443b67f42e7", "name": "Skontaktuj si\u0119 z nami http://www.AfterMarket.pl/contact.php", "description": "Wybodaeth wykonywania dzia\u0142alno\u015bci gospodarczej, P.H.U \"ADORNO\" \"adorno\"", "modified": "2025-01-29T22:06:14.067000", "created": "2024-12-30T23:56:39.367000", "tags": [ "vhash", "authentihash", "imphash", "rich pe", "ssdeep", "request http", "country pl", "aukcje", "skontaktuj", "twoje konto", "nie masz", "gieda", "szukaj", "kontakt z", "jeli", "dane", "chytron", "generator", "ntcreatefile", "droppedby", "upuszczony", "tree", "api behavior", "file activity", "details name", "sha1", "sha512", "zachowanie api", "entropy", "zapis", "typeerror", "typ symbolu", "nie mona", "przecz", "pasek", "number", "wstaw", "wyrwnaj tekst", "typeof symbol", "scal", "span", "mark", "error", "accept", "black", "groove", "shift", "solid", "open", "write", "path", "small", "null" ], "references": [ "http://ww53.cookiesinfo.com", "http://www.AfterMarket.pl/contact.php" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 45, "email": 2, "domain": 83, "URL": 103, "FileHash-SHA256": 61, "FileHash-SHA1": 11, "FileHash-MD5": 20, "CVE": 1 }, "indicator_count": 326, "is_author": false, "is_subscribing": null, "subscriber_count": 124, "modified_text": "487 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "670ffc8487aaf80605755b62", "name": "vgt.pl (VGT.pl) or plix.pl (plix.net) 104.21.40.140 172.67.186.229", "description": "You can get help with your computer problems using the Help and Support section or via Skype or Telegram, if you want to get in touch with the support team or use the help of the UK's TalkTalk service.", "modified": "2024-12-30T17:38:55.943000", "created": "2024-10-16T17:48:52.704000", "tags": [ "pe32", "intel", "ms windows", "plik", "trojandropper", "trojan", "win32", "msil", "sha1", "sha256", "imphasz", "tekst ascii", "dane obrazu", "crlf", "dokument html", "unicode", "z bom", "rgba", "z terminatorami", "z bardzo", "utf8 unicode", "sobota", "sie usertrust", "salford o", "comodo ca", "limited st", "salt lake", "city o", "wto cze", "worldsetup c", "il l", "error", "null", "mapa", "liczba", "string", "bigint", "obiekt", "prawa autorskie", "nieznanybd", "uint8array", "android", "void", "unknown", "false", "roboto", "body", "this", "infinity", "outside", "span", "as13335", "cloudflare", "datasheet", "arkusz", "wyszukiwarka", "control panel", "support", "email", "a letter", "help", "mail", "management", "jpeg", "jfif", "dane", "dpcm", "ascii z", "dane archiwalne", "windows" ], "references": [ "https://www.plix.pl/system/companies/logos/000/000/526/original/gigainternet-logo.png", "http://plix.net", "http://www.plix.net", "https://www.plix.pl", "http://www.plix.pl" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 291, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 516, "hostname": 705, "URL": 1831, "FileHash-SHA256": 3315, "CIDR": 4, "IPv6": 4, "IPv4": 49, "FileHash-MD5": 794, "FileHash-SHA1": 572, "email": 1, "CVE": 14 }, "indicator_count": 7805, "is_author": false, "is_subscribing": null, "subscriber_count": 128, "modified_text": "518 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "675127405277d037355e5db6", "name": "Beehive.Systems", "description": "#if PRAGMA_ONCE, which includes the word \"pagma\" and the term \"penet\", should not be used as part of any attempt to set a new code.", "modified": "2024-12-05T04:08:32.154000", "created": "2024-12-05T04:08:32.154000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "ilyailya", "id": "298851", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 16, "domain": 30, "hostname": 69 }, "indicator_count": 115, "is_author": false, "is_subscribing": null, "subscriber_count": 31, "modified_text": "543 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "663d2869e0f3a42bbddc42ff", "name": "UPX executable packer.", "description": "A new rule has been introduced a \"suspicious\" ELF binary that is packed with the UPX executable packer.\nSuggested ATT&CK IDs: rule SUSP_ELF_LNX_UPX_Compressed_File { meta: description = \"Detects a suspicious ELF binary with UPX compression\" author = \"Florian Roth (Nextron Systems)\" reference = \"Internal Research\" date = \"2018-12-12\" score = 40 hash1 = \"038ff8b2fef16f8ee9d70e6c219c5f380afe1a21761791e8cbda21fa4d09fdb4\" id = \"078937de-59b3-538e-a5c3-57f4e6050212\" strings: $s1 = \"PROT_EXEC|PROT_WRITE failed.\" fullword ascii $s2 = \"$Id: UPX\" fullword ascii $s3 = \"$Info: This file is packed with the UPX executable packer\" ascii $fp1 = \"check your UCL installation !\"", "modified": "2024-10-14T00:01:17.069000", "created": "2024-05-09T19:47:53.786000", "tags": [ "cioch adrian", "centrum usug", "sieciowych", "elf binary", "upx compression", "roth", "nextron", "info", "javascript", "html", "office open", "xml document", "network capture", "win32 exe", "xml pakietu", "pdf zestawy", "przechwytywanie", "office", "filehashsha1", "url https", "cve cve20201070", "cve cve20203153", "cve cve20201048", "cve cve20211732", "cve20201048 apr", "filehashmd5", "cve cve20010901", "cve cve20021841", "cve20153202 apr", "cve cve20160728", "cve cve20161807", "cve cve20175123", "cve20185407 apr", "cve cve20054605", "cve cve20060745", "cve cve20070452", "cve cve20070453", "cve cve20070454", "cve cve20071355", "cve cve20071358", "cve cve20071871", "cve20149614 apr", "cve cve20151503", "cve cve20152080", "cve cve20157377", "cve cve20170131", "cve20200796 may", "cve cve20113403" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6861, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5771, "domain": 3139, "URL": 14525, "FileHash-SHA1": 2610, "IPv4": 108, "CIDR": 40, "FileHash-SHA256": 10705, "FileHash-MD5": 3373, "YARA": 2, "CVE": 148, "Mutex": 7, "FilePath": 3, "SSLCertFingerprint": 3, "email": 23, "JA3": 1, "IPv6": 2 }, "indicator_count": 40460, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "595 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "660ec2cd7185f30ee98e0406", "name": "TP-Link ER605 Firmware Image download", "description": "After downloading a new firmware image for my TPlink ER605 switch/vpn-router, and since TP-Link doesn't provide a checksum for it. I decided to hit it with binwalk out of curiosity since I've had multiple issues with it the past two years. Immediately binwalk had to /dev/null the /var directory and further it hit two ip's as exploit sources once uploaded to criminalip and otx so I decided to upload the entire squash-fs for posterity", "modified": "2024-05-04T06:04:15.503000", "created": "2024-04-04T15:10:05.285000", "tags": [ "binmount o", "syskerneldebug", "limit", "netmask", "broadcast", "network", "prefix", "argc", "start", "copyright", "etcpasswd", "failsafe", "login", "important", "binash", "sample", "attention", "maxfds1024", "etcfrr", "somename", "openwrt", "deviceproduct", "generic", "devicerevision", "dns server", "ipv6 prefix", "duid", "ipv6 address", "x5 x8", "xdxrn502j", "y1 y1s", "linkits7688d", "omega2p", "wrtnode2p", "s boot", "sample vpn", "olinux", "cnpeer name", "target", "change", "ldap", "text", "port", "priority", "a srv", "srv record", "ldap server", "dnssd", "ipsec", "yang xiaoqiang", "varlogwtmp", "unavailreturn", "distribid", "distribrelease", "barrier breaker", "distribrevision", "distribcodename", "distribtarget", "openwrt barrier", "breaker", "distribtaints", "overlay srcgz", "home", "etcbanner", "pathusrbin", "ps1u", "libmodules", "ulimit", "binmore", "usrbinvim", "kshversion", "etcmkshrc", "preinit", "pathbin", "ipv6", "protocol", "isis", "icmp", "cisco", "header", "skip", "path first", "internet", "iana", "devnull", "stop", "ipkginstroot", "allcommands", "term", "stop value", "sqlite", "dh exponent", "grep", "w processor", "begin", "fix bug129941", "xfrm", "ipsec tunnel", "bug97836", "cmdlistend", "bundle command", "cmdliststart", "list", "procname", "list procname", "zebra route", "frr support", "bgp support", "zebra support", "firewallrule", "firewallruleset", "httpport", "path wifidog", "redirectdomain", "clienttimeout", "public key", "info", "version", "node id", "menu", "wifidog", "status", "wifidog wifidog", "gnu gpl", "rt3x5x", "sbinswconfig", "power", "wifi", "ethernet", "wifi5g", "rssilow", "rssimedium", "rssihigh", "wan led", "devconsole cp", "conffiles", "file 99ensync", "abort", "ansert", "abort error", "atz say", "atcgmm", "atcgmr", "ok atcsq", "ok atcgmr", "ok atcgmi", "atgmm", "atgmr", "timeout", "abort busy", "carrier", "report connect", "ate1", "useapn", "dialnumber", "connect", "atcgmi", "ok atcgmm", "atgmi", "answer", "v1 e1", "d2 fclass0", "at ok", "abort no", "dialtone", "sierra wireless", "cdma", "sprint", "verizon", "dial tone", "certificate", "telnet 23", "http 80", "https 443", "ssh 22", "webtimeout", "010001", "admin", "airplay option", "afp option", "ftp option", "samba option", "scanners option", "ssh option", "lanv6", "brlan", "network1", "sigusr2", "passwordauth on", "port 22", "10000s", "12000s", "4000s", "6000s", "ikepro1", "modp1024", "ikepro2", "aes128", "ikeph1name", "ph2proposal1", "ph2proposal2", "ikeph2name", "combination", "ikev1", "google", "cloudflare", "cleanbrowsing", "quad9", "opendns", "quad91", "quad92", "ipaddresspurely", "fqdn", "peertopeer", "presharekey", "tplink", "wan1", "ipgroupany", "ipv6groupany", "roseville194", "openwrt system", "balance", "dhcpclient", "portal", "pppoeclient", "onlinedection", "auto", "flashkeep", "etcopenvpn", "etcconfig", "etcdropbear", "global", "natlanwan1", "accept option", "accept", "drop", "reject", "reject option", "ipv6 icmp", "sections", "wan2", "0000", "usb0", "password", "eth1", "wan1eth", "wan1poe", "wan2eth", "wan2poe", "wan3eth", "wan3poe", "wan4eth", "wan4poe", "4094409340920", "onlinecheck", "openvpn", "ip address", "openvpn server", "windows", "remember", "common name", "generate", "etcopenvpnccd", "thelonious", "silence", "push", "first", "advertisecfg", "ospfcfg", "dslite", "pppoeshare", "wan1v6", "wan2v6", "wan3v6", "wan4v6", "static", "dynamic", "radvdinterface", "advmanagedflag", "advsendadvert", "advrouteraddr", "advautonomous", "advonlink", "ssh config", "http list", "https list", "telnet list", "http", "telnet", "https", "tcpudp", "2121", "2222", "2323", "smtp", "2525", "5353", "pop3", "partitionuuid1", "16043212800", "devsda1", "partitionuuid2", "devsda2", "udp161 option", "er605", "vpn router", "maximum number", "http listen", "https listen", "server document", "rfc1918 ip", "dns rebinding", "tcp connection", "akroniteshare", "account", "4094", "switch0", "vlan1", "vlan4094", "vlan0", "vwan", "veth1", "1024", "gmt0800", "ledsys", "switchled1", "switchled2", "switchled3", "switchled4", "switchled5", "modem", "options", "devnull p", "name", "match", "pkix", "randfile", "cadefault", "ca certificate", "sha256", "t61string", "bmpstring", "utf8strings", "mask", "import", "easyrsa", "keydir", "openvpn package", "openssl", "pkcs11tool", "keyconfig", "easyrsakeys", "issue rm", "pkcs11", "scdftprof1m", "setapn", "setuser", "setpass", "setauth", "atcgdcont1", "qcpdpp1", "scact11m", "paul hardwick", "paul", "empty input", "command", "error", "atcops", "atcops10m", "atcops12m", "atim", "atcreg2m", "atcgreg2m", "atcgeqneg1m", "atcreg", "atcgreg", "atndisdup11", "atcgatt", "1 goto", "wwan error", "useauth", "useuser", "usepass", "qcpdpp3", "atcfun1m", "atcgdcont3", "scact13m", "scact03m", "wwan connection", "atcimim", "atcpin", "sim puk", "sim pin", "ready", "atcsqm", "atmode", "atband", "atcsnr", "atsysinfoexm", "atsyscfgex", "atsyscfg", "atsysinfom", "atltersrp", "atcnumm", "busy", "errorn", "atcops0m", "mccmnc", "atcops12", "atcmd", "atq0 v1", "e1 s00", "e1 z", "atcmgf1m", "atcmgf0m", "wwan mode", "mode", "atzpas", "atzrssim", "atzrssi", "atzsnt", "pincode", "sim readyn", "sim pin2", "pinn", "gstatus", "selrat", "car0", "atcnti0m", "atecio", "atrscp", "umtschan", "atcommandn", "atcommand", "atcmgs", "action", "delete", "wanmod", "acldeleterule", "acladdrule", "ipgrouplan", "i actiondelete", "hplog", "hotplog", "hotplog fi", "deleterule", "addrule", "natlan", "qosdeleterule", "interface", "devconsole uci", "devconsole", "wanhook", "onlinedelzone", "onlineaddzone", "shenzhen tplink", "create", "delayreboot", "vpn hook", "devconsole echo", "reboot delayed", "no vpn", "hook event", "return", "pppdconfigpath", "ifname", "grep q", "pppdtype", "pppdusername", "pppdpid", "ipremote", "iplocal", "tmpl2tp", "vpnfwmark", "vpnforwardtable", "t mangle", "chain", "m comment", "connmark", "mark", "device", "actionifup", "actionifdown", "exit", "routetableid", "cachetableid", "gateway", "yuan fengjia", "grep w", "not response", "check if", "interface init", "thus", "phddnsready", "phddns", "devconsole exit", "cmxddnsready", "cmxddns", "natready", "qosdeleteiface", "vnetlibdir", "procnumber", "w arpreq", "v grep", "procnumber le", "deviced", "ifnamefile", "zone", "ipv6addr", "ipv6addrlen", "delaycommit", "hotplugtypevnet", "zaction", "prerouting i", "dnat", "p tcp", "p udp", "q delete", "interface uci", "dhcpsconfigfile", "dhcpslibdir", "urlprefix", "device uci", "w nvl", "w nl", "vlan", "vlan fi", "usb auto", "scan", "devicename", "er605v2 usb", "no need", "omada gateway", "specialid", "usb modem", "1usb modem", "devconsole fi", "nat elif", "clean", "module", "napt", "snetmaskg", "snetworkg", "j masquerade", "masquerade", "hwnat", "x usrsbinxfwdm", "xfwdm f", "systemparams", "config", "l2tpname", "l2tpisserver", "l2tpmark", "l2tppppdpid", "l2tpaction", "l2tpremoteip", "q get", "6 route", "interface proto", "v6wan", "interface03", "t ifup", "skip interface", "devconsole res", "setup", "zonegetzonebyif", "imbprefix", "ipprefix", "usrsbinddns", "dyndns", "noip", "interface04", "interrface", "bridge", "m tcp", "j accept", "number", "shift", "ifup", "action ready", "lockfile", "ospfpipewrite", "ospfpiperead", "ospfpiperead fi", "lockfile fi", "zhu xianfeng", "params miss", "m multiport", "usbifs", "managedevschain", "zte tele2", "usbifname p", "modemlib", "firmware", "firmware bs1", "inicmacaddr", "please", "dts file", "tmpfileport", "checkports", "v6ports", "j v6plusoutput", "d zonewannat", "i zonewannat", "f v6plusoutput", "i v6plusoutput", "inputgrep", "input accept", "outputgrep", "output accept", "add filter", "forwardgrep", "forward accept", "confif2", "brif", "option", "option bindif", "rundir runfile", "confif1 confif2", "brif action", "addbr", "updbr", "delbr", "option zone", "ifpong", "where interface", "set interface", "update", "rundir", "runfile", "t backup", "p notice", "t fault", "ipt n", "ipt a", "ipt s", "prerouting grep", "tpsrhook", "tpsrposthook", "cut d", "ipt i", "prerouting", "tmpaccessctl", "varconffilepath", "conffilepath", "options fi", "tmpcrontabtmp", "binsh", "start80 start", "start99 start", "cmxddnxrule", "stop98", "e sbiniscal", "tmp insmod", "tmprsacheck", "pass", "ipt f", "ipt x", "start96 ipt", "ipt d", "prerouting j", "n1 ve", "etcdhcp6cctlkey", "duidll", "rfc3315", "x0ax00", "x00x03x00x06x", "using mac", "using user", "etcdhcp6sctlkey", "invalid proto", "usrsbindhcp6s c", "usrsbindhcp6s", "d tmproot", "filddpirunning", "usrlib", "dpimodule", "filepidpath", "start99", "nete", "vnl forward", "dpirestriction", "vardir", "pidvar", "confvar", "v grepawk", "etcdir", "confback", "cabundlepath", "bannerfile", "pidcount", "prog", "kill", "md5sum", "passwordauth", "configfile", "hostfile", "debugfile", "domain", "dfconfigfile", "dnsservers", "configfile fi", "xappend", "etccrontabsroot", "rulelibdir", "p varspoolcron", "s etccrontabs", "c etccrontabs", "start40 start", "usrsharextgeoip", "start20 stop91", "c etcgeoip", "s etcgeoipbe", "s etcgeoiple", "start71 stop71", "start97", "h webserverwww", "servicepidfile", "start95 start", "conffile", "lockfd", "prerouting p", "vnetconffile", "init process", "pidf", "rund", "detectdir", "backuplist", "gao jie", "start98 start", "p output", "start99 stop90", "input drop", "p forward", "etcconfigipstat", "usrsbinipstat", "sysclassleds", "brightness", "e sysclassleds", "usblteled", "usbstorageled", "check fan", "fannormalled", "fanerrorled", "devnull ps", "rf tmpl2tp", "i fi", "loadbalancepre", "usrsbinlldpd", "openwrt release", "sysclassnet", "groupadd", "p varrunlldp", "varrunlldp", "chen chen", "zhangzhongwei", "reorganize", "start46", "option ifname", "enable", "note", "varrun", "ndppdconffile", "usrsbinndppd p", "ndppdconffile d", "nginxbin s", "p varlognginx", "p varlibnginx", "procmeminfo", "memtotal", "nginxbin", "start68 start", "jophilipp wich", "gnu general", "public license", "see license", "start90 stop10", "extracommands", "openvpnsecrets", "phddnsinit", "prerouting m", "input m", "reject vnete", "vme dst", "j drop", "redirect", "start50 stop26", "bin rundvarrun", "vpnserverconfig", "default", "default mkdir", "start50 start", "radvdconfigfile", "radvdinterfaces", "langc", "afaf09", "base6interface", "getip6addr", "start22 start", "start97 start", "the author", "config sfe", "software is", "provided", "as is", "disclaims all", "warranties", "with regard", "direct", "runc", "runc configget", "libd", "logd", "rundvarrun pidf", "runc configload", "routenum", "rtnetlink", "existret", "routenum fi", "routestatefile", "e procnanduid", "procnanduid", "tmpspideviceid", "grep v", "rebootschedule", "tmptz", "sysparams", "fang zhao", "start21 tddpbin", "tddpbin", "libvnet", "uhttpdkey", "uhttpdcert", "uhttpdbin", "px5gbin", "uhttpdcert rm", "tmpuserconfig", "check", "tslibdirsettime", "start96 boot", "usrsbinupnpd", "urllibdir", "modemstorage", "p tmpmodem", "storagemodem", "usb modemusb", "start80 stop", "usrsbinusbmuxd", "vnet", "start70 debug", "tmppassword1", "f tmppassword", "f tmppassword1", "extrahelp", "print", "start91 start", "wanconfig", "vpnclientconfig", "start25 stop25", "zoneconfbuild", "wanmax", "zydas zd1211rw", "wlan usb", "variant", "option hso", "messagecontent", "option gi0643", "xyfi", "standardeject1", "configuration2", "netgear", "kobil midentity", "kobilmode1", "mobile action", "smart cable", "mediatek wimax", "usb card", "blackberry q10", "sony ericsson", "gw d301", "advinne amc", "configuration3", "c100", "c120", "c170", "c270", "c3xx", "needresponse1", "hummer dtm5731", "aircard", "alegro", "starcomms", "alcatel otx080c", "etcom e300", "haier evdo", "alcatel x602d", "archos g9", "alcatel otx220d", "alcatel ot", "prolink pcm100", "bsnl capitel", "explay slim", "telewell tw3g", "hspa", "fs01bu", "smartbro wm66e", "alcatel", "touch x020", "tu930", "ivio iv2010u", "vibe", "emobile d12lc", "mywave sw006", "emobile d21lc", "techfaith bsnl", "aiko", "qisda h21", "flying beetle", "qisdamode1", "wisue w340", "solomon s3gm660", "philips picopix", "option icon", "prolink phs100", "ph300", "hyundai mb810", "alink", "airplus mcd800", "onda mv815u", "onda mdc655", "onda mw833up", "mw835up", "onda mo835up", "onda mw836upk", "onda mw875up", "onda msa", "tim brasil", "onda tm201", "tim italy", "onda wm301", "cricket a600", "u210", "hp laserjet", "io data", "wmx2u wimax", "nexperia tm", "tdscdma", "samsung gtb1110", "samsung gtb3730", "samsung u209", "sunplus techn", "axesstel modems", "targetvendor", "anydata", "bless uc165", "celot k300", "techfaith venus", "celot ct680", "quirky option", "samsung sghz810", "prolink p2000", "vertex wireless", "various usb", "dlink dwm162u5", "dwm162 c1", "micromax mmx", "anydata ape540h", "tl131 tdlte", "siptune lm75", "linuxmodem", "qtronix evdo", "tianyi", "dlink dwm156", "hsupa", "rndis", "pantech lte", "huawei e173s", "huawei gp02", "e587 variant", "huawei e173", "moviestar", "huaweinewmode1", "huawei et302", "huawei et8282", "huawei et127", "huaweimode1", "huawei e353", "vodafone", "huawei kxxxx", "huawei k4203", "huawei e5377", "kddi", "huawei", "hwd12 lte", "huawei k3773", "vodafone k4305", "vodafone k5150", "vodafone k4201", "vodafone k4202", "vodafone k4606", "viettel", "huawei e173u2", "huawei k3770", "huawei e352", "huawei e3131", "huawei e3372", "huawei e3531", "huawei u7510", "u7517", "huawei e392u12", "e3131", "huawei e171", "huawei e3331", "huawei bm358", "huawei e169", "huawei e220", "e230", "e270", "huawei v725", "phone", "huawei ets1201", "huawei u8220", "tmobile pulse", "huawei u8110", "android sdk", "huawei ec168", "huawei e180", "huawei ec156", "huawei e372u8", "huawei k3765", "huawei k4505", "huawei r201", "huawei k3772", "huawei e1553", "huawei r215", "huawei w5101", "huawei u2800", "china telecom", "cdu680", "cnu680", "chu629s", "huawei generic", "linux", "cgu628", "cgu628a", "xs stick", "zte mu351", "zte ac581", "zte mf110", "zte mf112", "zte mf637", "orange france", "zte mf651", "ztet a356", "zte mf652", "zte mf190", "zte mf656a", "mf668a", "zte mf820", "zte a371b", "onda mt8205", "zte mf821d", "zte mf821dmf826", "zte mf90", "mobile hotspot", "telewell twlte", "vodafone k5006z", "mf821", "k5008z", "mf823", "vodafone k4607z", "zte k3770z", "zte mf691", "tmobile rocket", "zte mf192", "zte mf195", "zte mf668", "zte mf680", "zte mfxxx", "zte mf825a", "zte mf730", "zte mf591", "zte mf196", "zte mf190j", "zte mf710m", "zte mf60", "zte ax226", "zte ac682", "cricket a605", "zte generic", "uncomment", "intex", "tlaytech teu800", "strongrising", "china telcom", "air flexinet", "tata photon", "titan", "avm fritz", "stick n", "utstarcom um175", "alltel", "pantech", "pantech uml290", "option beemo", "p4200 lte", "hisense e910", "evdo phone", "sqn1210sqn1220", "sequansmode1", "motorola", "wlan", "tergusb3e", "joa telecom", "beceem bcsm250", "haier ce682", "evdo", "messagecontent2", "haier ce", "zoom", "intex speed", "bsnl teracom", "visiontek", "teracom lw272", "unknown", "quanta muq101", "message", "quanta", "yota router", "quantamode1", "speedup su8500u", "nokia cs10", "nokia cs11", "nokia cs19", "nokia cs15", "nokia cs12", "nokia cs17", "nokia cs18", "nokia cs7m01", "nokia cs21m02", "philips", "vodafone md950", "dragonfly", "kyocera w06k", "cdma modem", "hspa modem", "targetproduct", "toshiba g450", "lg vl600", "lg l02c", "lg sd711", "lg l08c", "ntt docomo", "lg hdm2100", "lg l05a", "lg luu2100ti", "t usbconnect", "turbo", "lg l07a", "lg ldu1900d", "lg luu2110ti", "lg ad600", "lg l03d", "huawei e630", "sagem f", "gctmode1", "sierra", "digicom", "pirelli", "experimental", "cisco am10", "valet connector", "novatel mc990d", "novatel mc996d", "novatel u760", "novatel mc760", "mifi", "novatel generic", "novatel mifi", "mc545 hspa", "u679 lte", "amoi h01", "amoi h02", "axesstel mu130", "dlink dwm157", "dlink dwm221", "messagecontent3", "dwp157 b1", "dlink dwm167", "dlink dwm158", "dlink dwr510", "mediatek mt6229", "olicard", "speedup su8000", "speedup su8000u", "changhong ch690", "dlink dwm163", "dwm168", "telenet", "w wu160", "viettel vt100", "tplink ma180", "tplink ma260", "exiss mobile", "e190 series", "cmotech", "xtcomment xtlog", "xtdscp xtlength", "xtecn xthl", "xtnat nfnatipv4", "querystring", "requestmethod", "contenttype", "contentlength", "scriptname", "requesturi", "documenturi", "documentroot", "serverprotocol", "requestscheme", "byelorussian", "a3 b8", "a4 ba", "a6 b3", "a7 bf", "ad b4", "ae a2", "b0 b0", "b3 a8", "yo b4", "apache", "weixin", "luci", "fastcgi", "sslv2 sslv3", "tlsv1", "high", "ssl1m", "e2809a", "e2809e", "e280a6", "e280a0", "e280a1", "e282ac", "e280b0", "e28098", "e28099", "e280a2", "c2a0", "c2b7", "a3 d191", "a4 d194", "a6 d196", "a7 d197", "ad d291", "private key", "vendor asnet", "attribute", "asnet attribute", "speedup", "asnet", "server secret", "microsoft", "values value", "mschapresponse", "mschaperror", "mschapcpw1", "mschapcpw2", "mschaplmencpw", "mschapntencpw", "plural", "value", "value authtype", "roaringpenguin", "cistronradiusd", "local", "translations", "valid", "example", "attribute value", "interfacemode", "wirelesshost", "wizard", "systemmode", "interfacemac", "wirelessmac", "timemngt", "service", "10000", "4096", "factory", "framedprotocol", "alive", "merit", "merit extension", "value sipmethod", "invite", "cancel", "obsolete", "move", "include", "vjtcpip", "shelluser", "unix", "radius", "radius server", "general", "radius client", "server name", "clientserver", "ascend", "jens glaser", "euraw", "euui", "comb", "frcir", "frdirectno", "frdirectyes", "type", "button", "pidfile", "seen", "usrbinlogsave", "rfkillstate1", "bseoe6fuwg", "amvzwg", "kwbqbm0", "qrbdj3nghvdjigc", "ihnzbm8m9yop5w", "okue6n36b9k", "tppdpfquww", "drw5visp", "ubkwb1whnw0a", "efcmq", "root ca", "traditional pem", "authority", "global root", "root", "ecc root", "bwme", "gts root", "sectigo public", "premium", "whether", "netlink message", "buffer size", "netlink", "pagesize", "firewall mark", "netlink route", "netlink xfrm", "ike xfrm", "attr", "engine id", "openssl plugin", "set openssl", "fips mode", "suite b", "file", "rngstrong class", "rngtrue class", "listen", "set source", "ipv4", "analyze", "treat", "socket", "disable charon", "configuration", "loglevel", "ikesa", "identifier", "ikesas", "ike daemon", "id payload", "childsa", "install", "path", "rsa private", "t timer", "active", "reset", "expire", "accesscontrol", "tmnglog", "rest", "reset event", "etcconfigfstab", "moving root", "hexdump e", "q batch", "eof exit", "thu oct", "fri oct", "in dnskey", "internet domain", "bind domain", "internic", "in ns", "by verisign", "by ripe", "by icann", "by wide", "huawei 0004", "huawei 0003", "huawei 0005", "huawei 0001", "zte 0001", "zte 0002", "zte 0003", "zte 0004", "huawei 0002", "versalink", "configname", "rulename", "zonenumber", "targetname", "require", "l accessctl", "lan2lan", "position", "aclkeys", "zonein", "ucir", "zonedict", "zonenoin", "acllog", "1acl", "come in", "oldifs", "configtype", "section", "fwlibdir", "fwacllibdir", "m udp", "sectionname", "zonesnil", "srcnetwork", "ctmarkshift", "ctmarkrelated", "ctmarknewbit", "ctmarkinvalid", "ctmarkdef", "ctmarknew", "name fi", "1acl j", "icmpall", "huang zhenwei", "adlibdir", "adinitialized", "noexport", "stretz", "configappend1", "configappend", "function", "output", "iface", "line", "setname", "m set", "input", "v incomplete", "v address", "tmparplist1", "procuptime", "routingmode", "routingmode1", "devnull uci", "timer", "rtfile", "rtret", "rtfile f", "rtflag", "n awk", "grep g", "h grep", "rtflag fi", "baifacefile", "bastatefile", "srcurid", "srinfaceid", "bastatedir", "baifacedir", "srdir", "srinfaceid grep", "retfile", "xujun", "invalid option", "invalid func", "usrsbinarpreq", "clicfgpath", "tmpaccessconfig", "cfgpath", "gettimerange", "getifall", "getif", "lanlan", "success", "failed", "result", "setlocalaccount", "getlanlist", "getipgroup", "accesslistnum", "servicetype", "ruleid", "getindex", "tonumber", "currenttime", "februarynum", "smallfebdaymax", "bigfebdaymax", "timezone", "date", "keyname", "interfaceerror", "assert", "tagtype", "setdesc", "submask", "para", "ipv4address", "ipv4netwknum", "insert", "copy", "ipsecfailstatus", "checkexist", "ipaddress", "optionname", "encmode1", "fail", "responder", "portid", "data", "mirrorport", "portend", "sourceport", "naterror", "natsuccess end", "natprompt", "prompt", "natdata", "selectedname", "portstart", "istart", "routingerror", "adddata", "index", "routingsuccess", "crud error", "ospfinterface", "ospf", "ospfretre", "ospfautotypemd5", "simple", "vlan type", "down", "wanport", "primary ip", "proto", "ipaddrbits", "ripv1", "duplex", "flowctrl", "activemedium", "linkup", "setsnmpv1v2", "snmpv3en", "username", "contact", "setsshserver", "equal", "time settings", "weekday1", "sectimenumhour", "timeslicepoint", "entryname", "calendar", "vlanfailstatus", "vconfig", "vlanform", "vlan id", "address", "optional", "time", "settings", "please enter", "comment", "telecom", "upgrade", "reboot", "refresh", "defense", "code", "tokyo", "armenia", "panama", "jakarta", "back", "next", "tips", "class", "flood", "flash", "speed", "download", "lockout", "belarus", "indonesia", "mexico", "paraguay", "philippines", "ukraine", "uruguay", "facebook", "middle", "bind", "tools", "period", "media", "ping", "death", "stream", "enterprise", "live", "maha", "mais", "adduser", "never", "format", "trace", "clock", "alma", "third", "multi", "little", "critical", "done", "false", "mainserver", "execution", "keepalive", "package", "uciconfigdir", "sbinuci", "configsection", "120m", "ippool", "config dnsmasq", "directoryd", "type1", "type28", "f2cut d", "xargs", "g nogroup", "ctlcmd c", "vardir cp", "switch", "fdlibdir", "fdinitialized", "j dosdefense", "j dosdrop", "t raw", "all fin", "forward", "j zone", "mssfix", "forward j", "input j", "output j", "accept accept", "drop drop", "need v6", "fwinitialized", "libnetwork", "i restarton", "t firewall", "snat", "dnated traffic", "sbinifconfig", "notrack", "notrack rule", "j return", "j connextmark", "a sfemark", "a hwnatmark", "a prerouting", "j extmark", "export", "fwicmp4types", "fwicmp6types", "fwruleofs", "fwzones4", "fwzones6", "stretz export", "fwaerror0", "m mac", "sadd", "sdel", "a flooddefense", "m conntrack", "new j", "extmark", "m extmark", "connextmark", "c tmp", "i prerouting", "d forwardauth", "s usr1", "xargs kill", "loadrule", "j freestrategy", "luo pei", "free", "pistacklist", "kernelvermajor", "part", "piran", "awk f", "o noatime", "n pihooksplice1", "networkifstatus", "addr", "ipv4 address", "ipv4 subnet", "servicesig", "exec", "servicewritepid", "args", "serviceusepid", "servicedebug", "servicequiet", "servicesigstop", "procdsetparam", "procdkill", "script", "complete", "procdcall", "procdwrapper", "procdubuscall", "saved", "strtype", "parentdir", "ramfsdirs", "file strlen", "strlen1", "strlen", "cfgsync", "prefixdevmtd", "d devmtd", "ne x", "configsections", "lock", "etcgroup", "tunnelname", "wanname", "tunnelname p", "greservicerule", "j ct", "j snat", "plutoverb", "plutoconnection", "exist anete", "include zone", "ripaddr", "effde", "effif", "imbprocfile", "tmpstateimb", "ifip", "imblibdir", "imbinitialized", "zones", "n members", "move handling", "i actionupdate", "me hash", "me zonelist", "ipgrplibdir", "me set", "processfailover", "autofailback", "failoverpids", "autopids", "onlinezones", "j connmark", "input p", "myecho", "usrsbintmngtd", "domainspecial", "dnsq", "oldaddr", "usage exit", "invalid command", "ipsecsection", "checking", "connectionname", "etcconfigipsec", "chen xing", "algorithm", "ipsecweblock", "remotenetwork", "j dnat", "c vpnpre", "chenxing", "targetchain", "nfqueue", "tmplogvnetclog", "vnetcexecinvnet", "wanpassthrough", "wantype", "lanpassthrough", "lantype", "ttadvrouteraddr", "wang wenjing", "ipv6grplibdir", "tmpipv6loggg", "aawk v", "xl2tp", "sname", "xname", "devnull fi", "32 fi", "ikeph1", "dut init", "plutopeer", "plutomarkout", "plutouniqueid", "devconsole kill", "l2tpcdistribute", "mtu1300", "loadglobal", "xl2tpd", "killxl2tpd", "search", "nettimeout", "configdir", "nettimeout3", "tlsreqcert", "allowg", "pptpconfigfile", "l2tpconfigfile", "usage", "rstart", "sessiontimeout", "ldapquery", "mediatek mt7621", "ramipsmodel", "snor", "zyxel keenetic", "ramipsboardname", "all0256n", "asl26555", "awm002 evb", "f5d8235", "nand", "omni", "mkdir", "luopei create", "o veth1", "mflibdir", "mfinitialized", "macgrplibdir", "backup", "blank", "pwr1", "pwr2", "tmpfanstate fi", "er8411", "tmpfanspeed", "modvpn", "natlogprint", "rewrite", "root chain", "modules chain", "modone", "moddmz", "rules", "build filter", "dnat j", "naptdevicechain", "naptdevicemark", "naptdevicecache", "modpt", "validptifaces", "j trigger", "port triggering", "return fi", "modvs", "loopback snat", "32 p", "natprint", "natfd", "wc l", "natready flock", "natlogfile", "natlogdir", "natlibdir", "nattmpdir", "natlogenable", "natlogfile fi", "natdebug", "natwritefile", "modnapt", "determine", "includeonly", "nowanlink", "missingaddress", "zone6rd", "hardversion", "iface6rd", "e usrsbinallifs", "usrsbinallifs", "sigusr1", "l sigusr1", "nodevice", "f sysclasstty", "noifname", "baddevice", "pinfailed", "logprotosetup", "loggetsignal", "getinfofailed", "logprotoinit", "control device", "no apn", "noapn", "devconsole eval", "usrsbindhcp6c", "authfailed", "invalidoptions", "l sigterm", "getmacaddrerror", "geteuiiderror", "nowanaddress", "logmoduleipv6", "logipv66to4up", "v zone", "jsongetvar", "usrsbinpppd", "etcpppfilter", "interval5", "usrsbinxl2tpd", "could", "lcp term", "stdout", "aftrname", "stdoutdevnull", "dnssnd", "stdout mtu65000", "rssi", "dhcppidfile", "x v6plusoutput", "6 tunnel", "legacy1", "invalidprefix", "promisc", "oifs", "xprefixlen", "todo", "preconfig", "xifname", "xipaddr", "netifdmaindir", "wdevnotifyinit", "wirelesssetup", "wirelesssetdata", "ccmp tkip", "ccmp", "tkip", "wiface setup", "device setup", "protoprefix6", "protokeep", "protonestedopen", "protodns", "protodnssearch", "protoipaddr", "protoip6addr", "protoroute", "protoroute6", "pppipparam", "dns1", "dns2", "lllocal", "llremote", "state", "logipv6dhcp6cup", "procnetifinet6", "size", "aftrname echo", "svar", "random", "dhcppidfilehgw", "d forward", "dhcpscript", "ifnamendiscmbit", "slaac", "lanphyportset", "lanportset", "lan2", "lan3", "lan4", "wanportset", "wanphyportset", "cpu phy", "s call", "onlinestatefile", "onlinedevfile", "onlinestatedir", "onlineblockfile", "omada", "onlinemodeid", "link backup", "dowmlogid", "ubusobject", "remoteip", "localdevnet", "vpnrulenum", "virtual", "openvpnfwmark", "reply m", "remtoeip", "devname", "actualip", "configfilename", "zonewanopenvpn", "vlocalip", "vpnrulenum fi", "vremoteip", "echo", "unknown option", "i nobindd", "i locald", "publicdnsserver", "usrsbinopenvpn", "tmpopenvpnpwd", "authretryd", "i proto", "chroot", "sectionname wan", "devconsole fw", "sectionname dev", "author", "secname", "interface flag0", "4 route", "tpprconnected", "t grep", "tmppolicyroute", "l2tp", "pptp", "configptah", "killpptpd", "echoinfo", "pppoxpptptype", "pppoxpath", "pppoxl2tptype", "v wan", "serverpath", "loadoneuser", "tmppppoxpptp", "beginloaduser", "endloaduser", "usertypematch1", "profile", "serveron", "serveron pns", "pppoxpppoetype", "loadonepppoe", "deladd", "isexist", "configmyconfig", "q tmppptp", "tmppptpserver", "i snoccp", "usepeerdns", "persist", "plugin", "zonex", "maxfail", "sigchild", "mgrfather", "mt7620", "board", "hexdump", "checksum", "jffs2 partition", "wnce2001", "signature", "asus rtn56u", "preinitn", "initramfs", "boothookadd", "failsafetrue", "press", "int trap", "usr1", "tmpdebuglevel", "failsafe grep", "q failsafe", "proccmdline", "please reboot", "procnetdev", "doing openwrt", "libsh", "qosready", "thismodule", "qosconfigdir", "qosuci", "qoslogprint", "qoslibdir", "qostmpdir", "qostmpdirready", "moduleuci", "styperule", "idxv4", "idxv6", "qosfile", "qosrulechain", "qoschain", "qosfileip4", "qosfileip6", "qosret", "if iface", "uci grep", "stypeiface", "qosmarkbitstart", "qosmarkbitlen2", "qosgmarkmask", "qosmarkmask", "qostcidfile", "tcidbase", "tcidspec", "qoswritefile", "qosinfoprint", "qoserror", "incqoscid", "tcidmax", "spec", "qospollingfile", "deal", "qosthreshold gt", "qosthreshold eq", "qosgrpmarkfile", "grpmarkbitbase", "grpmarkspec", "incqosgrpmark", "grpmarkbase", "insertrule", "qoswritelog", "iptprefix", "iptprefix nvl", "e 1d", "iptprefix l", "iptprefix n", "iptprefix a", "qosret 0", "qosstate", "qosconfiger", "wanall", "snameglobal", "ifacelist", "ruleoptlist", "stopflag", "stub", "qosmarkfile", "markspec", "markbitbase", "markbase", "incqosmark", "m mark", "o get", "zonelist", "wan3", "wan4", "linerate", "qosstatefile", "qosrulespec", "incqosstate", "lannetdev", "grplist", "tttt", "forward vn", "tc qdisc", "tc class", "r2qhtb", "filest", "qdiscl", "defaulthdl", "tc p", "this", "rmchain", "serverports", "rejectports", "m vlan", "routestatedir", "src6", "dst6", "exist", "servicelibdir", "ipset", "j reject", "m tpconnlimit", "restart", "t mirror", "egress", "maxportnum", "s state", "m mode", "p mirrorport", "m ingress", "maxportnum1", "s17p1statusreg", "led bling", "ar8337portsmax1", "portvlanmax", "memeber", "null", "p portsid", "o flush", "rxnormal", "rxall", "flush", "maxportnum5", "t pvlan", "portvidmem", "cpu port", "port vlan", "v vid", "s17phycontrol", "t para", "10mh", "100mf 1000mf", "check rsa", "flowlinken reg", "full", "half", "multicast", "mbps", "rate", "t control", "ingress", "i istate", "m imode", "mirror state", "10mh 10mf", "100mh 100mf", "1000mf", "f flowcontrol", "r irate", "rtl8367sled0reg", "rtl8367sled1reg", "sfp2", "maxportnum11", "sfp0", "sfp1", "uciconfigdir cd", "macflowa", "macflowon", "macflow0", "macflowoff", "wan port", "swconfig", "unicast", "write address", "vlanid", "tbopwrite", "tbtargetcvlan", "write command", "port4control", "port5control", "port3control", "port0control", "port1", "tmplanmac", "mac learning", "lan port", "port1control", "port2control", "mirror mode", "phycontrolreg", "txall", "mt7530", "tlwvr458l", "lanport", "lanend1", "maxportnum fi", "cpuport", "vlanidx", "cpuport1", "0x0de0", "msb bit01", "enable reg", "ifg reg", "phyresolvedreg", "tmpcfg", "realtek", "wvr458war458", "phy index", "copyight", "yuanfengjia", "ceate", "timeobjadd", "timeobjdelete", "etcprofile", "montbl", "tblstartmonth", "weekdaytbl", "yeardaytbl", "startweekday", "tblstartcount", "tblstartweekday", "d etcnixio", "invalid image", "argv", "sysupgrade", "devwatchdog", "ciubipart", "cikernpart", "remove volume", "n troot", "wc c", "n kernel", "n rootfsdata", "kernel", "ramrootlib64", "conftar", "ramroot", "binmount", "bindd", "proc", "modupnp", "ucitmppath", "ucitmpconfig", "ucitmpupuppath", "upnplanchain", "upnplock", "l urlfilter", "tmpcon", "original p", "m urlsetmatch", "url j", "m urldnsmatch", "a urlfilter", "websec", "zoneapireturn", "zonefilelock", "vneton", "logconsole", "vnetbootingy", "loadavvlan", "ipv6addr fi", "ipv6addrlen fi", "loadunload", "loadainterface", "cleanainterface", "vnetiflock", "vnetlock", "vifname", "ipv6prefixlen", "vipaddr", "vnetmask", "vipaddr6", "vprefixlen6", "t filter", "buildainterface", "cleanazone", "i forward", "a webfilter", "l webfilter", "a websec", "sec j", "j websec", "f websec", "ipt t", "tmpwebsecurity", "l websec", "fileexts", "allowip", "wireguardfwmark", "listenport", "ifname p", "method", "nvl inputrule", "nginxconf", "wifidogconf", "lan1", "liwei mkdir", "ruleknownip", "ruleknownmac", "ruleknownipmac", "ruleremind", "ruleremindmac", "ruleremindipmac", "ipsetlimit", "ipsetlimitip", "zonestart", "zonestop", "zonerestart", "get vpn", "get effect", "get normal", "normal", "groupvzones", "groupzones", "wanw", "zonevgname", "zonecreategroup", "configvpniface", "zonestateconfig", "vpn iface", "newmac", "newmac yes", "yes1", "current mac", "overwrite", "converthex", "new mac", "write", "eeprom", "hotplugtype", "path logname", "user export", "devpath", "ifdown", "ev wan", "s list", "brightness exit", "head", "tmplog", "tmplog fi", "devmtdblock", "reloading", "md5file", "md5file rm", "gmac", "updates", "overlay tar", "kill runramfs", "volatile", "snapshot", "verbose", "confrestore", "tarv", "confbackup", "confimage", "needimage1", "needimage", "meta", "drivers", "devices", "type case", "devices drivers", "libwifi", "devubi0 s", "n logrecovery", "n database", "usrbiniptables", "iptablesok", "testiptmac", "wddirwdctl", "scanning disk", "test", "kamikaze", "downloadser605", "build", "integer", "valuepair", "uint4", "namelength", "ipaddr", "radiusclientngh", "begindecls", "enddecls", "servermax", "prohibit", "void", "dpidatabaseram", "sigint", "dpiappdatabase", "dpitagdatabase", "gnu libtool", "please do", "linker", "directory", "free software", "foundation", "license", "without any", "warranty", "merchantability", "fitness", "ddnseventmodule", "ddnseventid", "guo dongxian", "april", "tp new", "ui status", "dns error", "dyndns state", "dynamic dns", "june", "common log", "service start", "service stop", "servicepath", "linevalue", "linevalue fi", "angus mackay", "offline", "noipretcodegood", "noipstaterunok0", "ddnsextver eq", "newlineifs", "r n1", "registeredip", "eric paul", "bishop", "leave", "written", "janary", "tp log", "myip", "column", "wildcardno", "mxnochg", "backmxnochg", "add yours", "here", "dpidbpath", "procdpiappstat", "procdpiappblock", "dbenv", "tostring", "tmpdpitmpstat", "tmpdpitmpblock", "plutopeerclient", "plutome", "plutomyclient", "plutopeerid", "tag p", "facprio", "plutomysourceip", "plutomyprotocol", "pluto", "authiplimit", "authiplimitip", "curauthnum", "auth num", "logmoduleportal", "authtypeweb", "authtyperadius", "authtypewifi", "loguserexpired", "authtypeonekey", "authtypeldap", "idlemintimesec", "authtypewechat", "useragent", "wportalradius", "cookie", "android", "varchar", "authressucc", "authsvrconn", "authresmacerr", "authlistconn", "select from", "label", "span", "strong", "zempty", "icons", "select", "striptags", "pcdata", "legend", "fieldset", "textarea", "replace entry", "steven barth", "apache license", "found", "sorry", "internal server", "footer", "indexer", "collectgarbage", "peak", "retval", "main", "vendor", "prodid", "cls02", "sub0e prot00", "modemtmp", "logallport", "searchtty", "alltty", "d dev", "busfile", "clsff", "clse0", "cls0a", "break", "vid pid", "unsuretty", "storage", "reinit usb", "modemliblogawk", "logmodeswitchs", "cls08", "atr03", "count", "driver", "usbport", "logunlockpin", "unlockpin", "puk code", "modem unlock", "loggetisp", "fileispjson", "findcountry", "location", "findisp", "usbmodemdebug1", "portfile", "usbport fi", "cfgfilepath", "tmpcsfilepath", "ubiquiti", "atheros", "powerstation2", "ralink", "subsystem", "powerstation5", "sr4c", "frequency", "jsonprefix", "jsoncur", "jsongetvar cur", "jsonunset", "keys", "jsonvar", "dest", "jsonseq", "cidr static", "routes", "document", "150px 524px", "46px 524px", "195px 524px", "150px 556px", "46px 556px", "195px 556px", "219px 309px", "219px 333px", "90px 36px", "f4f4f4", "f2f2f2", "151px 151px", "f9b61e", "80px 224px", "eaeae8", "f3f3f5", "verdana", "54px 36px", "geneva", "326px 54px", "329px 58px", "532px 85px", "ebebeb", "21px 21px", "chrome", "7px 7px", "219px 111px", "dd4040", "252px 54px", "220px 5px", "access control", "inner", "app dist", "arp scan", "bwlist qq", "location group", "switch ddm", "dns cache", "backup restore", "gre overipsec", "interface mac", "interface mode", "ipgroup address", "ipgroup group", "ipgroup view", "ipsids", "systemroutetbl", "ipv6group group", "l2tp client", "l2tp server", "l2tp tunnel", "ldap profiles", "mac filtering", "nat dmz", "online check", "pptp tunnel", "reserved", "login auth", "class inbound", "status outbound", "session limit", "switchportvlan", "syetem mode", "systemstate cpu", "url filter", "auto backup", "usb storage", "usermngr backup", "server", "port setting", "port pvid", "relation table", "vlan setting", "vpn user", "vpn wireguard", "website filter", "url set", "wizard wan", "advanced", "rngpptr", "array", "biginteger", "birc", "rsa encryption", "arcfour", "pkcs", "xhlhxl", "bits", "explorer", "canvas", "awidth", "aheight", "canvasgradient", "param", "arcscaley", "canvaspattern", "htmlelement", "without", "html5 shiv", "jdalton", "jonneal", "mitgpl2", "freebsdlicense", "examples", "arial", "alignoffset", "xalign", "point", "formatter", "flot plugin", "iola", "ole laursen", "mit license", "x axis", "otherps", "flot", "series", "axis", "angle", "coord", "axismargin", "width", "delta", "infinity", "zero", "shutdown", "trigger", "ftrue", "ystartangle", "lnull", "bnull", "oparsefloat", "m100", "pm100", "ffalse", "sfalse", "jsonobject", "json", "string", "typenumber", "syntaxerror", "typeof e", "regexp", "typeof n", "typeof t", "typeof r", "pseudo", "ariel flesler", "parseint", "scroll", "html", "toff", "borderbwidth", "targ", "round", "0xff", "transformbuffer", "i4offset", "i4joffset", "0xffffffff7", "0xffffffff1", "invalid type", "mapping", "typecheckbox", "valuearray", "vold", "numflag", "percolumnnum", "unselectable", "items", "store", "callback", "field", "xtype", "typefile", "getcontainer", "title", "params", "parentuuid", "keyproperty", "node", "nodes", "uuid", "form", "increase", "decrease", "encrypt", "charlength", "flagup", "flaglow", "trim", "property", "height", "dataname", "widthvalue", "heightvalue", "contentflag", "boxvalue", "abcd", "jkmn", "regchar", "efghi", "argentina", "australia", "classobj", "oneclass", "minvalue", "maxrange", "minrange", "range", "maxvalue", "invalid range", "caps lock", "sepmark", "separator", "azaz09", "len1", "week", "dataweek", "msgcontaienr", "datatimestart", "datatimeend", "timearray", "0 dismissdelay", "editingindex", "editortype", "invalid editor", "dataindex", "dindex", "jndex", "daindex", "totalpage", "currentpage", "minnum", "maxnum", "gap1", "keywordtype", "columns", "temp", "maxkeys", "inhtml", "alert", "case", "currentindex", "item", "nextindex", "previndex", "invalid step", "widget", "fieldlabel", "posx", "container", "inlineblock", "combinekey", "statustemp", "instance", "callbackfail", "callbackerror", "keyarray", "debug", "jlen", "ajax", "nodeid", "controller", "d1dd", "true", "iframe", "09afaf", "mind", "typeof symbol", "window", "math", "object", "typeerror", "reflect", "generator", "epsilon", "reset yui3", "typehidden", "ecf4d3", "opera", "cache manifest", "cache", "128c", "qrcode", "2g2g2q2q0g", "modenumber1", "modealphanum2", "mode8bitbyte4", "helvetica neue", "helvetica", "heiti sc", "hiragino sans", "microsoft yahei", "gradienttype0", "typesearch", "typebutton", "typereset", "typesubmit", "typeradio", "cbit", "cbid", "click", "checkbox", "xhrpollstatus", "xhrpollstatuson", "xmlhttprequest", "activexobject", "close" ], "references": [ "hwnat", "ipcalc.sh", "login.sh", "cli_accountmgnt_cmd.tree", "cli_base_cmd.tree", "cli_cmd.tree", "cli_clock_cmd.tree", "cli_access_cmd.tree", "cli_extra_cmd.tree", "cli_http_cmd.tree", "cli_ipsec_cmd.tree", "cli_nat_cmd.tree", "cli_show_iface_cmd.tree", "cli_ssh_cmd.tree", "cli_routing_cmd.tree", "cli_show_interface_status_cmd.tree", "cli_snmp_cmd.tree", "cli_interface_cmd.tree", "cli_time_range_cmd.tree", "daemons.conf", "daemons", "cli_vlan_cmd.tree", "dhcp6sctlkey", "device_info", "dhcp6s.conf", "diag.sh", "frr.conf", "filesystems", "firewall.user", "hosts", "group", "inittab", "ipsec.conf", "dnsmasq.conf", "ipsec.secrets", "mtab", "logrotate.conf", "nsswitch.conf", "openwrt_release", "openwrt_version", "passwd", "pptpd.conf", "opkg.conf", "profile", "preinit", "protocols", "rc.common", "shells", "services", "shadow", "strongswan.conf", "rc.local", "sysctl.conf", "sysupgrade.conf", "support_bundle_commands.conf", "vtysh.conf", "sys_monitor.conf", "wifidog.conf", "verify_pub.key", "wifidog-msg.html", "usb-mode.json", "02_network", "01_leds", "65_nginx_sync.sh", "00_start_sync.sh", "99_end_sync.sh", "chat-get-qualcomm_2", "chat-get", "chat-get-anydata_2", "chat-get-qualcomm_1", "3g.chat", "chat-gsm-test", "chat-gsm-test-anydata", "chat-get-anydata_1", "chat-gsm-test-qualcomm", "chat-modem-test", "chat-modem-configure", "disconn-script", "evdo.chat", "cloud_service.cfg", "cloud_config.cfg", "2048_newroot.cer", "access_ctl", "administration", "accountmgnt", "arp_scan_range", "auto_backup", "arp_defense", "avahi-daemon", "controller.lock", "cli_server", "controller.conf", "countrygroup", "cmxddns", "custom_dhcp", "customddns", "dhcp6s", "ddns", "dhcp", "dhcp6c", "dhcp_logrotate", "dos_defense", "dpi", "dynddns", "ecs", "ecsIfName", "filter_global", "freePolicy", "dropbear", "flood_defense", "freeStrategy", "gre", "imb", "ifstat-mini", "improxy", "ipsec", "ippool", "ipsec_failover", "dnsproxySecurity", "ipsec_secrets", "ipstat", "iptv", "ipgroup", "l2tp-global", "ipv6group", "l2tp-client", "l2tp-server", "ldap", "led_set", "line_backup", "l2tp-server.reference", "lldpd", "load_balance", "logger", "luci", "locale", "mac_filter", "nat", "firewall", "macgroup", "modem", "mwan3", "omada-tool.conf", "noipddns", "nwadditional", "omada-tool.lock", "network", "online", "openvpn_user", "openvpn", "phddns", "policy_route", "ospf", "pptp-client", "portal_mgmt", "pptp-client-global", "pptp-global", "protocol", "pptp-server-global", "qos_ctl", "radvd", "qos", "reference", "rip", "remote_mngt", "sdnInfo", "pptp-server", "session_limits", "service", "sfe", "sharecfg", "snmpd", "static_route", "splitaccess", "switch", "system_mode", "tddp", "time_mngt", "system_params", "uhttpd", "upnp", "url_filter", "usermngr", "usbshare", "user-secrets", "ucitrack", "vlan", "vnetwork", "vpnlog", "webfilter", "system", "webfilter_global", "websort", "web_security", "wireguard_interface", "wireguard_peers", "wportal", "zone", "user-secrets.reference", "dropbear_rsa_host_key", "serial", "index.txt", "openssl.cnf", "vars", "openssl-1.0.0.cnf", "connect-directip.gcom", "command.gcom", "baseinfo.gcom", "cellinfo.gcom", "connect-ncm.gcom", "getcarrier.gcom", "directip.gcom", "getcardinfo.gcom", "connect-ppp.gcom", "directip-stop.gcom", "getimsi.gcom", "getimsi_b.gcom", "getpinstatus.gcom", "getstrength.gcom", "huaweiinfo.gcom", "getcnum.gcom", "modem-gsm-test-anydata.gcom", "getregistestate.gcom", "lock-prov.gcom", "modem-gsm-test-qualcomm.gcom", "ncm.json", "run-at.gcom", "reset.gcom", "modem-configure.gcom", "sendsms-at.gcom", "setapn.gcom", "setmode.gcom", "zteinfo.gcom", "setpin.gcom", "sierrainfo.gcom", "runcommand.gcom", "smschk.gcom", "11-led", "10-firewall.sh", "22-access_ctl.sh", "25-pppox.sh", "22-imb.sh", "21-nat.sh", "40-qos.sh", "70-policy_route.sh", "26-openvpn.sh", "70-switch.sh", "89-remote_mngt.sh", "95-online.sh", "96-customddns.sh", "96-cmxddns.sh", "96-dynddns.sh", "96-noipddns.sh", "96-phddns.sh", "97-line_backup.sh", "97-route.sh", "98-ipsec.sh", "98-iptv.sh", "99-wan_hook.sh", "97-load_balance.sh", "97-upnp.sh", "12-netbios-passthrough", "10-pppox-if-up-down.sh", "30-policy_route.sh", "22-access_ctl", "29-static_route", "20-firewall", "02-split_access", "80-balance.sh", "40-qos", "00-vpn_hook.sh", "97-mwan3.sh", "99-vpn_hook.sh", "00-vnet_client.sh", "00-ecsIfChange", "1-vnet_lanhook.sh", "1-vnet_lanv6hook.sh", "05-vnet-lanv6", "20-upnp", "18-dnsproxyvnet.sh", "22-imb", "00-vnet.sh", "22-qos-tplink", "50-improxy", "40-remote_mngt", "60-dhcpsvnet.sh", "65-wifidog.sh", "92-pppox-vpn.sh", "99-mdns.sh", "90-portal_mgmt", "02-usb-auto-scan", "10-motion", "01-usb-led", "15-usb_mode", "30-3g", "20-firewall.sh", "10-pppox-response-nat.sh", "10-metric.sh", "50-l2tp-up-down.sh", "50-qos_ctl", "1-lanhook.sh", "1-lanv6hook.sh", "00-netstate", "01-zone", "03-vlan", "05-lanv6", "04-ipv6", "02-vnet.sh", "06-wan_log", "10-sysctl", "18-ipgroup", "15-online.sh", "18-ipv6group", "22-dos_defense", "25-ddns", "26-freeStrategy", "50-l2tp-lowerif-up-down.sh", "65-iptv", "70-pptp-ifdown.sh", "72-wan_ip_alias", "85-ntp", "92-dynamic_route", "90-vpn", "91-gre.sh", "99-hotplug_done", "99-vnet.sh", "99-z3g4g-connect", "60-dnsmasq", "10-rt2x00-eeprom", "30-v6plus", "60-pptp-reload-rules.sh", "10-l2tp-pptp.sh", "50-access_ctl.sh", "18-dnsproxy.sh", "40-imb.sh", "60-dnsmasq.sh", "46-nat.sh", "60-mac_filter.sh", "99-load_balance.sh", "97-qos.sh", "99-nginx.sh", "00-configlink.sh", "10-mount", "10-policy_route.sh", "70-backup", "15-mwan3", "40-load_balance", "backup", "bootcount", "boot", "default_balance", "done", "dnsproxy", "dnsmasq", "dynamic_route", "drop_caches", "cron", "fstab", "geoip", "gre_init", "enablemodem", "ipv6", "led", "l2tp", "led_early", "loggerd", "monitor", "netbios_passthrough", "ndppd", "nginx", "pppox", "pptpd", "queueventd", "qos-tplink", "rsa_check", "smp", "spi_device_id", "sys_monitor", "sysntpd", "tddpd", "sysctl", "tmngtd", "umount", "time_setting", "usbmodem", "usbmuxd", "vnet", "wifidog", "wireguard", "zbalance_loop_reset", "xl2tpd", "zero_boot_done", "zombie_monitor", "zzomada_server", "zzzzzsys_info", "zzzcloud_proc", "telnet", "zzddns", "rt_tables", "location.json", "0ace:20ff", "0ace:2011", "0af0:7a01", "0af0:7a05", "0af0:4007", "0af0:6711", "0af0:6731", "0af0:6751", "0af0:6771", "0af0:6791", "0af0:6811", "0af0:6911", "0af0:6951", "0af0:6971", "0af0:7011", "0af0:7031", "0af0:7051", "0af0:7071", "0af0:7111", "0af0:7211", "0af0:7251", "0af0:7271", "0af0:7301", "0af0:7311", "0af0:7361", "0af0:7381", "0af0:7401", "0af0:7501", "0af0:7601", "0af0:7701", "0af0:7706", "0af0:7801", "0af0:7901", "0af0:8006", "0af0:8200", "0af0:8201", "0af0:8300", "0af0:8302", "0af0:8304", "0af0:8400", "0af0:8600", "0af0:8700", "0af0:8800", "0af0:8900", "0af0:9000", "0af0:9200", "0af0:c031", "0af0:c100", "0af0:d001", "0af0:d013", "0af0:d031", "0af0:d033", "0af0:d035", "0af0:d055", "0af0:d057", "0af0:d058", "0af0:d155", "0af0:d157", "0af0:d255", "0af0:d257", "0af0:d357", "0b3c:c700", "0b3c:f000", "0b3c:f00c", "0b3c:f017", "0bdb:190d", "0bdb:1910", "0cf3:20ff", "0d46:45a1", "0d46:45a5", "0df7:0800", "0e8d:0002:uPr=MT", "0e8d:0002:uPr=Product", "0e8d:7109", "0fca:8020", "0fce:d0cf", "0fce:d0df", "0fce:d0e1", "0fce:d103", "0fd1:1000", "1a8d:1000", "1a8d:2000", "1ab7:5700", "1b7d:0700", "1bbb:00ca", "1bbb:000f", "1bbb:011f", "1bbb:022c", "1bbb:f000", "1bbb:f017", "1bbb:f052", "1c9e:9d00", "1c9e:9e00", "1c9e:9e08", "1c9e:98ff", "1c9e:1001", "1c9e:6000", "1c9e:6061:uPr=Storage", "1c9e:9101", "1c9e:9200", "1c9e:9401", "1c9e:9800", "1c9e:f000", "1c9e:f000:uMa=USB_Modem", "1d09:1000", "1d09:1021", "1d09:1025", "1da5:f000", "1dbc:0669", "1dd6:1000", "1de1:1101", "1e0e:f000", "1e89:f000", "1edf:6003", "1ee8:0003", "1ee8:004a", "1ee8:004f", "1ee8:0009", "1ee8:0013", "1ee8:0018", "1ee8:0040", "1ee8:0045", "1ee8:0054", "1ee8:0060", "1ee8:0063", "1ee8:0068", "1f28:0021", "1fac:0032", "1fac:0130", "1fac:0150", "1fac:0151", "03f0:002a", "04bb:bccd", "04cc:225c", "04cc:226e", "04cc:226f", "04cc:2251", "04e8:680c", "04e8:689a", "04e8:f000:sMo=U209", "04fc:2140", "05c6:0010", "05c6:1000:sVe=GT", "05c6:1000:sVe=Option", "05c6:1000:uMa=AnyDATA", "05c6:1000:uMa=CELOT", "05c6:1000:uMa=Co.,Ltd", "05c6:1000:uMa=DGT", "05c6:1000:uMa=Option", "05c6:1000:uMa=SAMSUNG", "05c6:1000:uMa=SSE", "05c6:1000:uMa=StrongRising", "05c6:1000:uMa=Vertex", "05c6:2000", "05c6:2001", "05c6:6503", "05c6:9024", "05c6:f000", "05c7:1000", "07d1:a800", "07d1:a804", "10a9:606f", "10a9:6080", "12d1:1c0b", "12d1:1c1b", "12d1:1c24", "12d1:1d50", "12d1:1da1", "12d1:1f01", "12d1:1f1b", "12d1:1f1c", "12d1:1f1d", "12d1:1f1e", "12d1:1f02", "12d1:1f03", "12d1:1f07", "12d1:1f09", "12d1:1f11", "12d1:1f15", "12d1:1f16", "12d1:1f17", "12d1:1f18", "12d1:1f19", "12d1:14ad", "12d1:14b5", "12d1:14b7", "12d1:14ba", "12d1:14c1", "12d1:14c3", "12d1:14c4", "12d1:14c5", "12d1:14d1", "12d1:14fe", "12d1:15ca", "12d1:15cd", "12d1:15cf", "12d1:15e7", "12d1:101e", "12d1:151a", "12d1:155a", "12d1:155b", "12d1:156a", "12d1:157c", "12d1:157d", "12d1:380b", "12d1:1001", "12d1:1003", "12d1:1009", "12d1:1010", "12d1:1030", "12d1:1031", "12d1:1413", "12d1:1414", "12d1:1446", "12d1:1449", "12d1:1505", "12d1:1520", "12d1:1521", "12d1:1523", "12d1:1526", "12d1:1553", "12d1:1557", "12d1:1582", "12d1:1583", "12d1:1805", "15eb:7153", "16d8:6803", "16d8:6281", "16d8:700b", "12d1:#android", "12d1:#linux", "16d8:6804", "16d8:700a", "16d8:f000", "19d2:0003", "19d2:0026", "19d2:0040", "19d2:0053", "19d2:0083:uPr=WCDMA", "19d2:0101", "19d2:0103", "19d2:0110", "19d2:0115", "19d2:0120", "19d2:0146", "19d2:0149", "19d2:0150", "19d2:0154", "19d2:0166", "19d2:0169", "19d2:0266", "19d2:0304", "19d2:0318", "19d2:0325", "19d2:0388", "19d2:0413", "19d2:1001", "19d2:1007", "19d2:1009", "19d2:1013", "19d2:1017", "19d2:1030", "19d2:1038", "19d2:1171", "19d2:1175", "19d2:1179", "19d2:1201", "19d2:1207", "19d2:1210", "19d2:1216", "19d2:1219", "19d2:1224", "19d2:1225", "19d2:1227", "19d2:1232", "19d2:1233", "19d2:1237", "19d2:1238", "19d2:1420", "19d2:1511", "19d2:1514", "19d2:1517", "19d2:1520", "19d2:1523", "19d2:1528", "19d2:1536", "19d2:1542", "19d2:1588", "19d2:2000", "19d2:2004", "19d2:bccd", "19d2:ffde", "19d2:ffe6", "19d2:fff5", "19d2:fff6", "19d2:#linux", "20a6:f00e", "20b9:1682", "21f5:1000", "21f5:3010", "22de:6801", "22de:6803", "22f4:0021", "23a2:1010", "057c:62ff", "057c:84ff", "072f:100d", "106c:3b03", "106c:3b05", "106c:3b06", "106c:3b11", "106c:3b14", "109b:f009", "148e:a000", "148f:2578", "198a:0003", "198f:bccd", "201e:1023", "201e:2009", "230d:000b", "230d:000d", "230d:0001", "230d:0003", "230d:0007", "230d:0101", "230d:0103", "257a:a000", "257a:b000", "257a:c000", "257a:d000", "0408:1000", "0408:ea17", "0408:ea25", "0408:ea43", "0408:f000", "0408:f001", "0421:060c", "0421:061d", "0421:062c", "0421:0610", "0421:0618", "0421:0622", "0421:0627", "0421:0632", "0421:0637", "0471:1210:uMa=Philips", "0471:1210:uMa=Wisue", "0471:1237", "0482:024d", "0685:2000", "0922:1001", "0922:1003", "0930:0d46", "1004:61aa", "1004:61dd", "1004:61e7", "1004:61eb", "1004:607f", "1004:613a", "1004:613f", "1004:614e", "1004:1000", "1004:6156", "1004:6190", "1004:6327", "1033:0035", "1076:7f40", "1199:0fff", "1266:1000", "1307:1169", "1410:5010", "1410:5020", "1410:5023", "1410:5030", "1410:5031", "1410:5041", "1410:5055", "1410:5059", "1410:7001", "1614:0800", "1614:0802", "1726:f00e", "1782:0003", "2001:00a6", "2001:98ff", "2001:a80b", "2001:a401", "2001:a403", "2001:a405", "2001:a706", "2001:a707", "2001:a708", "2001:a805", "2020:0002", "2020:f00e", "2020:f00f", "2077:1000", "2077:f000", "2262:0001", "2357:0200", "2357:f000", "8888:6500", "ed09:1021", "20-usb-core", "25-nls-cp437", "05-liblogger", "20-fs-exportfs", "25-nls-cp864", "25-nls-cp775", "25-nls-cp866", "15-mii", "25-nls-cp932", "25-nls-cp852", "25-nls-cp1250", "25-nls-cp850", "25-nls-cp1251", "25-nls-iso8859-1", "25-nls-iso8859-2", "25-nls-cp862", "25-nls-iso8859-6", "25-nls-iso8859-8", "25-nls-iso8859-13", "25-nls-iso8859-15", "25-nls-koi8r", "25-nls-utf8", "29-fs-fscache", "30-atm", "30-fs-autofs4", "30-fs-btrfs", "30-fs-cifs", "30-fs-configfs", "30-fs-cramfs", "30-fs-ext4", "30-fs-hfs", "30-fs-hfsplus", "30-fs-isofs", "30-fs-jfs", "30-fs-minix", "30-fs-nfs-common", "30-fs-ntfs", "30-fs-reiserfs", "30-fs-udf", "30-fs-vfat", "30-fs-xfs", "30-gpio-button-hotplug", "30-ipsec", "30-tun", "30-veth", "31-iptunnel", "31-iptunnel4", "31-iptunnel6", "32-ip6-tunnel", "32-ipsec4", "32-ipsec6", "32-l2tp", "32-sit", "39-gre", "40-bonding", "40-fs-msdos", "40-fs-nfs", "40-fs-nfsd", "40-pppoa", "40-scsi-core", "40-usb2", "42-ip6tables", "42-usb2-pci", "49-ipt-ipset-tplink", "50-usb-ohci", "50-usb-uhci", "54-usb3", "65-scsi-generic", "80-fuse", "89-portal", "90-urlset", "90-xt_CTSTATEMARK", "90-xt_dosdrop", "90-xt_doslogonly", "90-xt_ipsecmark", "90-xt_multinetdev", "90-xt_qoslimit", "90-xt_tplimit", "90-xt_vlan", "91-authlimit", "91-xt_authlimit", "98-ipt_url_dns_match", "98-ipt_urlset_match", "98-ipt_web_dns_match", "98-ipt_webfilter_match", "98-ipt_websec_match", "98-load_balance", "99-balance_route", "99-ipt_tpconnlimit", "99-ipt_TRIGGER", "99-ipt_urlset_target", "99-xt_l2tp", "crypto-hw-eip93", "fs-exfat", "ipt-account", "ipt-compat-xtables", "ipt-conntrack", "ipt-conntrack-extra", "ipt-core", "ipt-extra", "ipt-filter", "ipt-geoip", "ipt-ipopt", "ipt-iprange", "ipt-ipsec", "ipt-ipv4options", "ipt-nat", "ipt-nat-extra", "ipt-nathelper", "ipt-nathelper-extra", "ipt-nfqueue", "ipt-tproxy", "lib-crc-ccitt", "lib-textsearch", "mmc", "mppe", "nf-conntrack-netlink", "nfnetlink", "nfnetlink-queue", "ppp", "pppoe", "pppol2tp", "pptp", "sdhci-mt7621", "usb-acm", "usb-net", "usb-net-asix", "usb-net-cdc-ether", "usb-net-cdc-mbim", "usb-net-cdc-ncm", "usb-net-huawei-cdc-ncm", "usb-net-ipheth", "usb-net-qmi-wwan", "usb-net-rndis", "usb-printer", "usb-serial", "usb-serial-option", "usb-serial-wwan", "usb-storage", "usb-storage-extras", "usb-wdm", "cleanTMP.sh", "fastcgi_params", "koi-win", "nginx.conf", "mime.types", "win-utf", "koi-utf", "ldap.conf", "crt.sed", "client.crt", "client.key", "dictionary.asnet", "servers", "dictionary.microsoft", "dictionary", "options.default", "options.l2tp", "filter", "chap-secrets", "options.pptp", "options.pptpd", "options.xl2tpd", "radius.conf", "dictionary.merit", "dictionary.sip", "issue", "dictionary.compat", "port-id-map", "radiusclient.conf", "dictionary.ascend", "failsafe", "power", "reset", "rfkill", "K10improxy", "K10openvpn", "K10portal_mgmt", "K25zone", "K50dropbear", "K71hwnat", "K90ipv6", "K91network", "K91geoip", "K99umount", "K98boot", "S00zombie_monitor", "K26pppox", "S01spi_device_id", "S01led_early", "S10boot", "S15loggerd", "S19vnet", "S10system", "S20network", "S21tddpd", "S20geoip", "S25sysctl", "S26time_setting", "S25zone", "S22rsa_check", "S42ipgroup", "S31tmngtd", "S40fstab", "S42ipv6group", "S45firewall", "S42macgroup", "S46iptv", "S42service", "S46nat", "S46netbios_passthrough", "S47access_ctl", "S47administration", "S47dos_defense", "S42ippool", "S47flood_defense", "S47imb", "S47mac_filter", "S50cron", "S50dropbear", "S50pppox", "S50qos-tplink", "S50queueventd", "S50radvd", "S50snmpd", "S50uhttpd", "S60dnsmasq", "S60monitor", "S60pptpd", "S60url_filter", "S60xl2tpd", "S65wifidog", "S68online", "S70freeStrategy", "S70usbshare", "S71hwnat", "S72sfe", "S80usbmuxd", "S80websort", "S83web_security", "S85webfilter", "S89remote_mngt", "S90ndppd", "S90openvpn", "S90portal_mgmt", "S91wireguard", "S92qos_ctl", "S95done", "S95ifstat-mini", "S95ipstat", "S95l2tp", "S95mwan3", "S96backup", "S96cmxddns", "S96default_balance", "S96load_balance", "S96policy_route", "S96static_route", "S96sysntpd", "S96upnp", "S97gre_init", "S97ipsec", "S97session_limits", "S98ipsec_failover", "S98led", "S99avahi-daemon", "S99bootcount", "S99dnsproxy", "S99dpi", "S99drop_caches", "S99dynamic_route", "S99enablemodem", "S99improxy", "S99ipv6", "S99led_set", "S99lldpd", "S99phddns", "S99smp", "S99switch", "S99sys_monitor", "S99system_params", "S99usbmodem", "S99zbalance_loop_reset", "S99zero_boot_done", "S99zzddns", "S99zzomada_server", "S99zzzcloud_proc", "S99zzzzzsys_info", "0a775a30.0", "0b1b94ef.0", "0bf05006.0", "0f5dc4f3.0", "0f6fa695.0", "1d3472b9.0", "1e08bfd1.0", "1e09d511.0", "2ae6433e.0", "2b349938.0", "002c0b4f.0", "3bde41ac.0", "3e44d2f7.0", "3e45d192.0", "3fb36b73.0", "4a6481c9.0", "4b718d9b.0", "4bfab552.0", "4f316efb.0", "5ad8a5d6.0", "5cd81ad7.0", "5d3033c5.0", "5e98733a.0", "5f15c80c.0", "5f618aec.0", "6b99d060.0", "6d41d539.0", "06dc52d5.0", "6fa5da56.0", "7aaf71c0.0", "7f3d5d1d.0", "8cb5ee0f.0", "8d86cdd1.0", "8d89cda1.0", "9b5697b0.0", "9c8dfbd4.0", "9d04f354.0", "14bc7599.0", "48bec511.0", "57bcb2da.0", "062cdee6.0", "064e0aa9.0", "68dd7389.0", "75d1b2ed.0", "76cb8f92.0", "76faf6c0.0", "93bc0acc.0", "106f3e4d.0", "244b5494.0", "349f2832.0", "406c9bb1.0", "626dceaf.0", "653b494a.0", "706f604c.0", "749e9e03.0", "773e07ad.0", "930ac5d2.0", "988a38cb.0", "1001acf7.0", "2923b3f9.0", "03179a64.0", "4042bcee.0", "4304c5e5.0", "5273a94c.0", "5443e9e3.0", "7719f463.0", "8160b96c.0", "9482e63a.0", "18856ac4.0", "32888f65.0", "40547a79.0", "607986c7.0", "1636090b.0", "02265526.0", "3513523f.0", "09789157.0", "40193066.0", "54657681.0", "a94d09e5.0", "a3418fda.0", "ACCVRAIZ1.crt", "AC_RAIZ_FNMT-RCM.crt", "AC_RAIZ_FNMT-RCM_SERVIDORES_SEGUROS.crt", "Actalis_Authentication_Root_CA.crt", "aee5f10d.0", "AffirmTrust_Commercial.crt", "AffirmTrust_Networking.crt", "AffirmTrust_Premium.crt", "AffirmTrust_Premium_ECC.crt", "Amazon_Root_CA_1.crt", "Amazon_Root_CA_2.crt", "Amazon_Root_CA_3.crt", "Amazon_Root_CA_4.crt", "ANF_Secure_Server_Root_CA.crt", "Atos_TrustedRoot_2011.crt", "Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.crt", "b0e59380.0", "b7a5b843.0", "b81b93f0.0", "b1159c4c.0", "b66938e9.0", "b433981b.0", "b727005e.0", "Baltimore_CyberTrust_Root.crt", "bf53fb88.0", "Buypass_Class_2_Root_CA.crt", "Buypass_Class_3_Root_CA.crt", "c01eb047.0", "c28a8a30.0", "ca6e4ad9.0", "ca-certificates.crt", "CA_Disig_Root_R2.crt", "cbf06781.0", "cc450945.0", "cd8c0d63.0", "cd58d51e.0", "ce5e74ef.0", "Certigna.crt", "Certigna_Root_CA.crt", "certSIGN_ROOT_CA.crt", "certSIGN_Root_CA_G2.crt", "Certum_EC-384_CA.crt", "Certum_Trusted_Network_CA.crt", "Certum_Trusted_Network_CA_2.crt", "Certum_Trusted_Root_CA.crt", "CFCA_EV_ROOT.crt", "Comodo_AAA_Services_root.crt", "COMODO_Certification_Authority.crt", "COMODO_ECC_Certification_Authority.crt", "COMODO_RSA_Certification_Authority.crt", "Cybertrust_Global_Root.crt", "d4dae3dd.0", "d7e8dc79.0", "d887a5bb.0", "d6325660.0", "dc4d6a89.0", "dd8e9d41.0", "de6d66f3.0", "DigiCert_Assured_ID_Root_CA.crt", "DigiCert_Assured_ID_Root_G2.crt", "DigiCert_Assured_ID_Root_G3.crt", "DigiCert_Global_Root_CA.crt", "DigiCert_Global_Root_G2.crt", "DigiCert_Global_Root_G3.crt", "DigiCert_High_Assurance_EV_Root_CA.crt", "DigiCert_Trusted_Root_G4.crt", "D-TRUST_Root_Class_3_CA_2_2009.crt", "D-TRUST_Root_Class_3_CA_2_EV_2009.crt", "e8de2f56.0", "e18bfb83.0", "e36a6752.0", "e73d606e.0", "e113c810.0", "e868b802.0", "e35234b1.0", "EC-ACC.crt", "ee64a828.0", "eed8c118.0", "ef954a4e.0", "emSign_ECC_Root_CA_-_C3.crt", "emSign_ECC_Root_CA_-_G3.crt", "emSign_Root_CA_-_C1.crt", "emSign_Root_CA_-_G1.crt", "Entrust.net_Premium_2048_Secure_Server_CA.crt", "Entrust_Root_Certification_Authority.crt", "Entrust_Root_Certification_Authority_-_EC1.crt", "Entrust_Root_Certification_Authority_-_G2.crt", "Entrust_Root_Certification_Authority_-_G4.crt", "ePKI_Root_Certification_Authority.crt", "e-Szigno_Root_CA_2017.crt", "E-Tugra_Certification_Authority.crt", "f0c70a8d.0", "f30dd6ad.0", "f39fc864.0", "f51bb24c.0", "f249de83.0", "f3377b1b.0", "f081611a.0", "f387163d.0", "fa5da96b.0", "fc5a8f99.0", "fe8a2cd8.0", "feffd413.0", "ff34af3f.0", "GDCA_TrustAUTH_R5_ROOT.crt", "GlobalSign_ECC_Root_CA_-_R4.crt", "GlobalSign_ECC_Root_CA_-_R5.crt", "GlobalSign_Root_CA.crt", "GlobalSign_Root_CA_-_R2.crt", "GlobalSign_Root_CA_-_R3.crt", "GlobalSign_Root_CA_-_R6.crt", "GlobalSign_Root_E46.crt", "GlobalSign_Root_R46.crt", "GLOBALTRUST_2020.crt", "Go_Daddy_Class_2_CA.crt", "Go_Daddy_Root_Certificate_Authority_-_G2.crt", "GTS_Root_R1.crt", "GTS_Root_R2.crt", "GTS_Root_R3.crt", "GTS_Root_R4.crt", "Hellenic_Academic_and_Research_Institutions_ECC_RootCA_2015.crt", "Hellenic_Academic_and_Research_Institutions_RootCA_2011.crt", "Hellenic_Academic_and_Research_Institutions_RootCA_2015.crt", "Hongkong_Post_Root_CA_1.crt", "Hongkong_Post_Root_CA_3.crt", "IdenTrust_Commercial_Root_CA_1.crt", "IdenTrust_Public_Sector_Root_CA_1.crt", "ISRG_Root_X1.crt", "Izenpe.com.crt", "Microsec_e-Szigno_Root_CA_2009.crt", "Microsoft_ECC_Root_Certificate_Authority_2017.crt", "Microsoft_RSA_Root_Certificate_Authority_2017.crt", "NAVER_Global_Root_Certification_Authority.crt", "NetLock_Arany_=Class_Gold=_F?tan\u00fas\u00edtv\u00e1ny.crt", "Network_Solutions_Certificate_Authority.crt", "OISTE_WISeKey_Global_Root_GB_CA.crt", "OISTE_WISeKey_Global_Root_GC_CA.crt", "QuoVadis_Root_CA_1_G3.crt", "QuoVadis_Root_CA_2.crt", "QuoVadis_Root_CA_2_G3.crt", "QuoVadis_Root_CA_3.crt", "QuoVadis_Root_CA_3_G3.crt", "Secure_Global_CA.crt", "SecureSign_RootCA11.crt", "SecureTrust_CA.crt", "Security_Communication_Root_CA.crt", "Security_Communication_RootCA2.crt", "SSL.com_EV_Root_Certification_Authority_ECC.crt", "SSL.com_EV_Root_Certification_Authority_RSA_R2.crt", "SSL.com_Root_Certification_Authority_ECC.crt", "SSL.com_Root_Certification_Authority_RSA.crt", "Staat_der_Nederlanden_EV_Root_CA.crt", "Starfield_Class_2_CA.crt", "Starfield_Root_Certificate_Authority_-_G2.crt", "Starfield_Services_Root_Certificate_Authority_-_G2.crt", "SwissSign_Gold_CA_-_G2.crt", "SwissSign_Silver_CA_-_G2.crt", "SZAFIR_ROOT_CA2.crt", "TeliaSonera_Root_CA_v1.crt", "TrustCor_ECA-1.crt", "TrustCor_RootCert_CA-1.crt", "TrustCor_RootCert_CA-2.crt", "Trustwave_Global_Certification_Authority.crt", "Trustwave_Global_ECC_P256_Certification_Authority.crt", "Trustwave_Global_ECC_P384_Certification_Authority.crt", "T-TeleSec_GlobalRoot_Class_2.crt", "T-TeleSec_GlobalRoot_Class_3.crt", "TUBITAK_Kamu_SM_SSL_Kok_Sertifikasi_-_Surum_1.crt", "TWCA_Global_Root_CA.crt", "TWCA_Root_Certification_Authority.crt", "UCA_Extended_Validation_Root.crt", "UCA_Global_G2_Root.crt", "USERTrust_ECC_Certification_Authority.crt", "USERTrust_RSA_Certification_Authority.crt", "XRamp_Global_CA_Root.crt", "cert.pem", "dnskey.conf", "connmark.conf", "des.conf", "aes.conf", "kernel-netlink.conf", "constraints.conf", "md5.conf", "attr.conf", "nonce.conf", "gmp.conf", "openssl.conf", "fips-prf.conf", "pem.conf", "hmac.conf", "pgp.conf", "pkcs1.conf", "pkcs7.conf", "pkcs12.conf", "pubkey.conf", "random.conf", "rc2.conf", "resolve.conf", "revocation.conf", "sha1.conf", "sha2.conf", "socket-default.conf", "sshkey.conf", "stroke.conf", "updown.conf", "x509.conf", "xauth-generic.conf", "xcbc.conf", "pki.conf", "scepclient.conf", "starter.conf", "charon-logging.conf", "charon.conf", "priv-key.pem", "server-cert.pem", "access_control", "00_uhttpd_ubus", "10-fstab", "10_migrate-shadow", "11_migrate-sysctl", "09_fix-seama-header", "12_network-generate-ula", "root.key", "unbound.conf.back", "named.cache", "12d1_0004", "12d1_0003", "12d1_0005", "12d1_0001", "19d2_0001", "19d2_0002", "19d2_0003", "19d2_0004", "ffff_0001", "12d1_0002", "ffff_0002", "ffff_0003", "xl2tpd.conf", "xl2tp-secrets", "acl_timeobj.lua", "acl_timeobj_v6.lua", "acl_wanhook.lua", "access_func_v6.sh", "attach_timeobj.lua", "core.sh", "access_func.sh", "interface.sh", "acl_delete_rule.lua", "core_log.sh", "markdef.sh", "time.sh", "core_acl.sh", "config.sh", "core_global.sh", "arp.sh", "gettime.sh", "cmd.sh", "backup.sh", "ecmp.sh", "api.sh", "ecmp.lua", "dynanmic_arpreq.sh", "getVid.sh", "access_time_help.lua", "access_dir_help.lua", "accountmgnt.lua", "access_ip_help.lua", "access.lua", "clock.lua", "http.lua", "interface.lua", "dhcp.lua", "ipsec.lua", "monitor_port.lua", "nat.lua", "show_if_help.lua", "routing.lua", "cli_ospf.lua", "show_interface.lua", "rip.lua", "show_interface_status.lua", "snmp.lua", "ssh.lua", "time_range.lua", "vlan.lua", "lan.js", "uci.sh", "arping.sh", "get_option.lua", "dhcps.sh", "main.sh", "dnssecquery.sh", "core_forwarding.sh", "core_init.sh", "core_interface.sh", "core_redirect.sh", "core_rule.sh", "core_tpfirewall.sh", "uci_firewall.sh", "fw.sh", "tpcmd.sh", "freeStrategy_backup.sh", "add_delete_tuple.sh", "add_delete.sh", "getip.sh", "preinit.sh", "leds.sh", "network.sh", "service.sh", "switch_port.sh", "procd.sh", "userconfig.sh", "uci-defaults.sh", "system.sh", "functions.sh", "gre_common.sh", "gre-ipsec-up-down.sh", "delete_restart.sh", "core_ipgroup.sh", "ipsec_check_domain_wrap.sh", "ipsec_failover_process.sh", "ipsec_handle_iptables.sh", "ipsec_check_domain.sh", "ipsec_generate_domain.sh", "ipsec_execute_stroke.sh", "ipsec_monitor_tunnel.sh", "ipsec_vnet.sh", "pd_api.sh", "lanv6_server.sh", "pd_server.sh", "core_ipv6group.sh", "get-vpn-gw.sh", "ifup-l2tp.sh", "ifdown-l2tp.sh", "l2tp-get-tunnel-info.sh", "get-vpn-ip.sh", "l2tp-init.sh", "l2tp-ipsec-delete.lua", "l2tp-ipsec-setstatus.lua", "l2tp-doipsec.sh", "l2tp-ipsec-up-down.sh", "l2tp-functions.sh", "l2tp-reload.sh", "char_conv.sh", "api_VPN.sh", "ldap_check_result.sh", "ldap_query.sh", "pre_setting_config.sh", "net_share.sh", "ramips.sh", "lldp_get_wan_device.sh", "50-xt_flood", "50-arp_garp", "get_rps.sh", "get_temperature.sh", "set_fan.sh", "nat_alg.sh", "nat_config.sh", "nat_dmz.sh", "nat_common.sh", "nat_pt.sh", "nat_dmz_bypass.sh", "nat_vs.sh", "nat_core.sh", "nat_log.sh", "nat_one.sh", "nat_napt.sh", "6rd.sh", "dhcp.sh", "directip.sh", "3g.sh", "ncm.sh", "dhcp6c.sh", "6to4.sh", "ppp.sh", "l2tp.sh", "pppv6.sh", "dslite.sh", "qmi.sh", "v6plus.sh", "lanv6.sh", "passthrough.sh", "dhcp.script", "netifd-wireless.sh", "netifd-proto.sh", "if-do-timeobj.sh", "ppp-down", "ppp-up", "pppv6-share", "dslite-up.sh", "pppv6-up", "dhcp6c.script", "utils.sh", "v6plus-dial.sh", "ppp-dhcp6c.script", "switch.sh", "network_arch.sh", "online_api.sh", "online_reload.lua", "openvpn-client-disconnect.sh", "openvpn-client-routeup.sh", "openvpn-client-connect.sh", "openvpn-client-down.sh", "openvpn-server-up.sh", "openvpn-client-up.sh", "openvpn-common.sh", "openvpn-instance.sh", "openvpn-password.lua", "openvpn-server-down.sh", "pppox-default-variables.sh", "pppox-header.sh", "kill-pptpd-xl2tpd.sh", "pppox-reload-user.lua", "pppox-functions.sh", "pppox-reload-user.sh", "pppox-begin-reload-user.sh", "pppox-remote-management.sh", "pppox-load-user.lua", "pppox-pppoetimer.sh", "pppox-remote-management-get-ippool.lua", "pppox-wheader.sh", "pppox-killtunnel.sh", "ifup_down.sh", "add-service.sh", "enable_service.sh", "pptp-get-tuunel-info.sh", "delete-service.sh", "pptp-global-setting.sh", "pptp-client-add.sh", "pptp-ifdevice-info.sh", "pptp-client-update.sh", "pptp-option.sh", "pptp-startup.sh", "pptp-tunnel-action.sh", "test.sh", "pptp-client-delete.sh", "05_set_iface_mac_mediatek", "02_default_set_state", "07_set_preinit_iface_ramips", "40_run_failsafe_hook", "04_handle_checksumming", "50_indicate_regular_preinit", "10_indicate_failsafe", "70_initramfs_test", "03_preinit_do_ramips.sh", "80_mount_root", "98_10_mtk_failsafe_init", "30_failsafe_wait", "99_10_failsafe_login", "99_10_run_init", "10_indicate_preinit", "qos_config_sync.lua", "qos_nf.sh", "qos_api.sh", "qos_cid.sh", "qos_dpdk.sh", "qos_grpmark.sh", "find_index.lua", "qos_ifgroup.sh", "qos_core.sh", "qos_ipset.sh", "qos_mark.sh", "qos_polling.sh", "qos_public.sh", "qos_state.sh", "qos_tc.sh", "state_gen.lua", "zone-450", "qos_delete_rule.lua", "remote_mngt.sh", "route_api.sh", "core_service.sh", "session_limits.sh", "ar8327_switch_led", "ar8327_switch_portMirror", "ar8327_switch_init", "ar8327_switch_portStatistic", "ar8327_register", "ar8327_switch_portVlan", "ar8327_switch_portPara", "ar9533_register", "ar8327_switch_portState", "ar9533_switch_init", "ar8327_switch_portRateControl", "ar9533_switch_portMirror", "ar9533_switch_portPara", "ar9533_switch_portRateControl", "ar8327_switch_8021Qvlan", "ar9533_switch_portState", "ar9533_switch_portStatistic", "ar9533_switch_portVlan", "cn9130_register", "cn9130_switch_globalLed", "cn9130_switch_init", "cn9130_switch_portMirror", "cn9130_switch_portPara", "cn9130_switch_portRateControl", "cn9130_switch_portState", "cn9130_switch_portStatistic", "cn9130_switch_portVlan", "mt7621_register", "mt7621_switch_globalLed", "mt7621_switch_led", "mt7621_switch_portMirror", "mt7621_switch_portPara", "mt7621_switch_portRateControl", "mt7621_switch_portState", "mt7621_switch_portStatistic", "mt7621_switch_portVlan", "mt7628_register", "mt7628_switch_init", "mt7628_switch_led", "mt7628_switch_portMirror", "mt7628_switch_portPara", "mt7628_switch_portRateControl", "mt7628_switch_portState", "mt7628_switch_portStatistic", "mt7628_switch_portVlan", "rtl8367s_register", "rtl8367s_switch_globalLed", "rtl8367s_switch_init", "rtl8367s_switch_portMirror", "rtl8367s_switch_portPara", "rtl8367s_switch_portRateControl", "rtl8367s_switch_portState", "rtl8367s_switch_portStatistic", "rtl8367s_switch_portVlan", "switch_functions", "vlan_network", "sysparams_net.sh", "timeobj_cron_api.sh", "timeobj_api.sh", "boot_done", "led.sh", "set_time", "base-files-essential", "libopenldap", "base-files", "online_check", "mwan3-tplink", "openvpn-easy-rsa", "openvpn-mgmt", "portal-mgmt", "ppp-mod-radius", "snmpd-static", "https-dns-proxy", "luci-add-conffiles.sh", "platform.sh", "ubnt.sh", "nand.sh", "common.sh", "upnp_api.sh", "find_target.lua", "url_func.sh", "detach_timeobj.lua", "csv2db.sh", "vnet_zone_api.sh", "vnet_init.sh", "vnet.sh", "vnet_core.sh", "vnet_zone_init.sh", "webfilter_func.sh", "web_func.sh", "websec_timeobj.lua", "start_rule.sh", "wireguard-up.sh", "wireguard-down.sh", "auth_port_modify.sh", "core_wportal.sh", "zone_api.sh", "zone_core.sh", "zone_api_all.sh", "zone_conf.sh", "zone_init.sh", "zone_api_core.sh", "zone_init_all.sh", "note", "devstatus", "firstboot", "fixup-mac-address", "fw", "hotplug-call", "ifdown", "ifstart", "ifrestart", "ifstatus", "loadopenvpncert", "log_oops_recovery.sh", "luci-reload", "ifup", "reload_config", "restorefactory", "smp.sh", "snapshot", "sysupgrade", "wifi", "ubi_make_extra_volume.sh", "ipset.debug", "ipxd", "iptables.debug", "ipxr", "wifidog-init", "radiusclient-ng.h", "dpi.sh", "libradiusclient-ng.la", "libstdc++.so.6.0.21-gdb.py", "dynamic_dns_dyndns.sh", "dynamic_dns_log.sh", "customddns_set_url.sh", "url_escape.sed", "dynamic_dns_customddns.sh", "dynamic_dns_noip.sh", "dynamic_dns_updater.sh", "dynamic_dns_functions.sh", "dpi_log_database.lua", "dpi_log_database.sh", "dpi_tmngtd.sh", "_updown", "ngx_init.lua", "authlistCheck.lua", "ngx_wdas.lua", "ngx_sqlApi.lua", "cell_valueheader.htm", "cell_valuefooter.htm", "dvalue.htm", "compound.htm", "dynlist.htm", "browser.htm", "apply_xhr.htm", "firewall_zoneforwards.htm", "button.htm", "firewall_zonelist.htm", "delegator.htm", "footer.htm", "full_valuefooter.htm", "full_valueheader.htm", "fvalue.htm", "header.htm", "lvalue.htm", "map.htm", "mvalue.htm", "network_ifacelist.htm", "network_netinfo.htm", "network_netlist.htm", "nsection.htm", "nullsection.htm", "simpleform.htm", "tabcontainer.htm", "tabmenu.htm", "tblsection.htm", "tsection.htm", "tvalue.htm", "ucisection.htm", "upload.htm", "value.htm", "valuefooter.htm", "valueheader.htm", "error404.htm", "error500.htm", "indexer.htm", "sysauth.htm", "debug.lua", "mbimfind.lua", "log_awk", "modem_scan.sh", "check_switchmode.lua", "protofind.lua", "handle_card_process.sh", "search_tty.lua", "handle_card.sh", "unlock_pin.sh", "getisp.sh", "usbmodem_log.sh", "modemLedCtrl.sh", "portal_mgmt_monitor.lua", "portal_mgmt_monitor.sh", "rewrite.lua", "portal_status.sh", "hardware.txt", "jshn.sh", "default.script", "dbus-K5ae4EDHao", "osui.sock", "qipc_sharedmemory_xFMOjWbQizvIQbjaGodBkPpoECFzUYyznnjEncea48051f6b8a69e2450843f1f32c0bb393e04349", "qipc_systemsem_xFMOjWbQizvIQbjaGodBkPpoECFzUYyznnjEncea48051f6b8a69e2450843f1f32c0bb393e04349", "sddm-:0-BoTuTx", "sddm-auth-52b94a64-454a-4d7f-903e-32df6aac784a", "tmp.QMAjonKZB0", "xF43MOjWbQiz+vIQbjaGodBk4PpoECFzUYyznnj8Enc=", "about.svg", "about_hover.svg", "ie.css", "style.css", "widget.css", "access_control.html", "account_config.html", "account_mngt.html", "action_check.html", "alg.html", "appdist.html", "appdist_database.html", "appflow_statistics.html", "application_filter.html", "application_list.html", "arp_list.html", "arp_scan.html", "assign_restriction.html", "attack-defense.html", "balance_basic.html", "bridge.html", "bwlist_qq.html", "cmxddns.html", "controller_setting.html", "country_group.html", "custom_ddns.html", "ddm.html", "dhcp_client.html", "dhcp_lan_settings.html", "dhcp_lan_settings_standalone.html", "dhcp_server.html", "dhcp_static.html", "diagnostic.html", "dia_info.html", "dns_cache.html", "dns_doh.html", "dns_dot.html", "dnsproxy.html", "dnssec.html", "dyn3322ddns.html", "dynddns.html", "firmware_backuprestore.html", "firmware_factory.html", "firmware_managing.html", "firmware_reboot.html", "firmware_reseting.html", "firmware_upgrade.html", "gre_overipsec.html", "ifstat.html", "imb.html", "interface.html", "interface_mac.html", "interface_mode.html", "interface_wan.html", "interface_wan_standalone.html", "ipgroup_address.html", "ipgroup_group.html", "ipgroup_view.html", "ippool.html", "ips_blacklists.html", "ipsec_sa.html", "ipsec_tunnel.html", "ips_setting.html", "ips_signature_suppression.html", "ips_stats.html", "ip_stats.html", "ips_threat_management.html", "ips_whitelists.html", "iptv.html", "ipv6.html", "ipv6group_address.html", "ipv6group_group.html", "ipv6_lan.html", "isp_routing.html", "l2tp_client.html", "l2tp_global.html", "l2tp_server.html", "l2tp_tunnel.html", "ldap_profiles.html", "line_backup.html", "macFiltering.html", "mdns.html", "napt.html", "nat_dmz.html", "noipddns.html", "one_nat.html", "online.html", "openvpn_client.html", "openvpn_server.html", "openvpn_tunnel.html", "ospf.html", "phddns.html", "policy_routing.html", "port_trigger.html", "pptp_client.html", "pptp_global.html", "pptp_server.html", "pptp_tunnel.html", "preview_mobile_wifi.html", "preview_remind.html", "preview_wportal.html", "print_server.html", "qos.html", "qos_Band_ctrl.html", "qos_Class_role.html", "qos_Traffic.html", "qos_VoIP.html", "quick_setup.html", "reboot_schedule.html", "remote_mngt.html", "rip_routing.html", "rules.html", "service.html", "session_limits.html", "session_monitor.html", "sessmngr.html", "snmp.html", "ssl_vpn_auth.html", "ssl_vpn_auth_radius.html", "ssl_vpn_locked_user.html", "ssl_vpn_quicksetup.html", "ssl_vpn_server.html", "ssl_vpn_status.html", "ssl_vpn_tunnel.html", "ssl_vpn_tunnel_group.html", "ssl_vpn_user.html", "ssl_vpn_user_group.html", "static_routing.html", "switch_Parameter.html", "switch_portLimit.html", "switch_portMonitor.html", "switch_portStatistics.html", "switch_portStatus.html", "switch_portVlan.html", "sys_status.html", "system_log.html", "system_mode.html", "system_params.html", "system_routetbl.html", "system_state.html", "time_mngt.html", "time_setting.html", "upnp.html", "url_filtering.html", "usb_backup.html", "usb_firmware_upgrade.html", "usbModem.html", "usb_storage.html", "usermngr_backup.html", "usermngr_user.html", "virtual_server.html", "vlan_portSetting.html", "vlan_relationTbl.html", "vlan_vlanSetting.html", "vpn_general.html", "vpn_peers.html", "vpn_user.html", "vpn_wireguard.html", "web_filter.html", "web_group.html", "web_security.html", "wechat.html", "wechat_wifi.html", "wizard.html", "wportal.html", "wportal_free.html", "advanced.html", "basic.html", "encrypt.js", "excanvas.js", "html5.js", "jquery.flot.barnumbers.js", "jquery.flot.crosshair.js", "jquery.flot.fillbetween.js", "jquery.flot.js", "jquery.flot.pie.min.js", "jquery.json-2.4.min.js", "jquery.min.js", "jquery.scrollTo.min.js", "md5.js", "button.js", "buttongroup.js", "checkbox.js", "combobox.js", "fieldset.js", "file.js", "folderTree.js", "form.js", "number.js", "password.js", "portrange.js", "progressbar.js", "radio.js", "region.js", "slider.js", "status.js", "subnet.js", "switch.js", "textarea.js", "textbox.js", "time.js", "timepicker.js", "tip.js", "waitingbar.js", "editor.js", "grid.js", "paging.js", "chart.js", "foldertree.js", "keyword.js", "msg.js", "page.js", "panel.js", "wizard.js", "widget.js", "proxy.js", "store.js", "treestore.js", "controller.js", "su.full.min.js", "su.js", "account.2ca6a054.js", "chunk-vendors.0cdf10f0.js", "index.a415cbb4.js", "login.4f52b876.js", "chunk-common.72de4705.css", "account.html", "app.manifest", "cs_dis.html", "error.html", "index.html", "login.html", "mobile_wifi.html", "pcauth.js", "pc_wifi.html", "style-pcdemo.css", "style-simple-follow.css", "web_login.html", "cbi.js", "xhr.js" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1520", "name": "Domain Generation Algorithms", "display_name": "T1520 - Domain Generation Algorithms" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 38, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Merkd1904", "id": "196517", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 11, "hostname": 491, "FileHash-SHA256": 3479, "FileHash-MD5": 67, "domain": 312, "FileHash-SHA1": 61, "email": 20, "URL": 373 }, "indicator_count": 4814, "is_author": false, "is_subscribing": null, "subscriber_count": 72, "modified_text": "758 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66303f1c9212e2d44c9bf691", "name": "gmail for cloudflare", "description": "The following is the full text of the new code for the English language, which includes the word \"che2sf\" and \"ch 2sf\", as well as its full set of characters.", "modified": "2024-04-30T00:45:16.241000", "created": "2024-04-30T00:45:16.241000", "tags": [ "globalprefix", "null", "google inc", "error", "function", "void", "span", "ufe0f", "string", "ud83c", "u2695u2696u2708", "ud83d", "date", "slow", "code", "window", "acfyuc" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "phoenix-choi1", "id": "278628", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 136, "domain": 18 }, "indicator_count": 154, "is_author": false, "is_subscribing": null, "subscriber_count": 26, "modified_text": "762 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "661bad4ad408c8a6f4c4c136", "name": "(DUO) https://10.0.0.1:8001/webman/3rdparty/addon-azure_blob/style.css?v=1660890441", "description": "(DUO) https://10.0.0.1:8001/webman/3rdparty/addon-azure_blob/style.css?v=1660890441", "modified": "2024-04-14T10:17:46.865000", "created": "2024-04-14T10:17:46.865000", "tags": [ "desktop", "date", "shortcutitems", "post", "sdsshortcut", "synotoken", "ffffff", "appshortcut", "direct", "repositionokcls", "span", "blank", "error", "element", "roletooltip", "duo admin", "icons", "helvetica neue", "typesearch", "typecheckbox", "ssstandard", "webkitkeyframes", "button", "typeradio", "class" ], "references": [], "public": 1, "adversary": "Element", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "phoenix-choi1", "id": "278628", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 17, "hostname": 41 }, "indicator_count": 58, "is_author": false, "is_subscribing": null, "subscriber_count": 24, "modified_text": "778 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "661afd962ed1f89b54a92de9", "name": "Injection #1", "description": "Injection #1", "modified": "2024-04-13T21:48:06.480000", "created": "2024-04-13T21:48:06.480000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "phoenix-choi1", "id": "278628", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 11, "domain": 63, "hostname": 109 }, "indicator_count": 183, "is_author": false, "is_subscribing": null, "subscriber_count": 24, "modified_text": "778 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65ca2c15ef8b75bd6e216604", "name": "Does this help?", "description": "A guide to the key words and phrases used to describe a Facebook user's identity, as well as the language they use to express their desire to use the social networking site, and the answers to some of them.", "modified": "2024-03-13T14:03:24.834000", "created": "2024-02-12T14:32:53.743000", "tags": [ "your request", "email", "password forgot", "sign up", "return home", "english", "espaol franais", "france", "portugus", "brasil", "meta", "helvetica", "input", "neue", "arial", "neue medium", "neue light", "f7f8fa", "e4e6eb", "span", "fbpkgdelim", "https", "intlsavelocale", "help", "lite", "marketplace", "fundraisers", "careers", "facebook search", "clear", "facebook", "date", "null", "image", "math", "avozjyab7ng", "typesearch", "article", "sans", "helvetica neue", "sansseriflight", "symbol", "iterator", "fblogger", "typeerror", "sitedata", "errorguard", "timeslice", "typeof", "arbiter", "error", "blank", "phase", "firefox", "phone", "iemobile", "create", "connect", "forgot password", "page", "website", "cookie", "banzai", "falcoutils", "random", "cookiecore", "persistedqueue", "clock", "mcss", "mevent", "number", "urlsearchparams", "internalenum", "banzailogger", "97hz", "messagereceived", "mdom", "stratcom", "mviewport", "mhistory", "mpagecache", "muri", "scriptpath", "mvector", "keys", "kaioscontroller", "webstorage", "portaltv", "timesliceimpl", "serverjs", "mrun", "murigo", "promiseimpl", "mdatastore", "mdtsg", "mdtsgasync", "4328", "5540", "bigpipe", "5954", "6972", "usidmetadata", "ps8qy011yx6dcb", "5888", "3904", "4806", "6687", "eventconfig", "default5000", "zekacv", "fbtlogging", "dvatkzf", "banzaibase", "mgetfbtresult", "mfbjson", "meventlistener", "u0001", "i9zo81o", "5943", "addressbar", "banzaiadapter", "intlvariations", "uint8array", "websession", "boolean", "void", "shutdown", "mpagecontroller", "mstopngo", "javelinhistory", "mhome", "errorutils" ], "references": [ "https://static.xx.fbcdn.net/rsrc.php/v3/y7/l/0,cross/04QJzvjR9Wh.css", "https://static.xx.fbcdn.net/rsrc.php/v3/yw/l/0,cross/CXjTiRbc_8T.css?_nc_x=Ij3Wp8lg5Kz", "https://static.xx.fbcdn.net/rsrc.php/v3/y7/l/0,cross/04QJzvjR9Wh.css?_nc_x=Ij3Wp8lg5Kz", "https://static.xx.fbcdn.net/rsrc.php/v3/ys/r/3eq9Oo5XUhW.js?_nc_x=Ij3Wp8lg5Kz", "https://m.facebook.com/", "https://static.xx.fbcdn.net/rsrc.php/v3/ye/r/1pdBd6ULIhq.js?_nc_x=Ij3Wp8lg5Kz", "https://static.xx.fbcdn.net/rsrc.php/v3iLQG4/yB/l/en_US/ZrB35JaC5Ph.js?_nc_x=Ij3Wp8lg5Kz", "https://static.xx.fbcdn.net/rsrc.php/v3iLl54/yO/l/en_US/9t3PW1CRLNe.js?_nc_x=Ij3Wp8lg5Kz", "https://static.xx.fbcdn.net/rsrc.php/v3/ys/r/FtcggJWVWTF.js?_nc_x=Ij3Wp8lg5Kz", "https://static.xx.fbcdn.net/rsrc.php/v3/y3/r/U86edKxQdCC.js?_nc_x=Ij3Wp8lg5K", "https://static.xx.fbcdn.net/rsrc.php/v3/yO/r/FMIZEwefrSt.js?_nc_x=Ij3Wp8lg5Kz" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "tyfdyT-3xafve-momsos", "id": "228887", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 94, "domain": 28, "hostname": 55, "FileHash-SHA1": 1, "FileHash-MD5": 1, "FileHash-SHA256": 2 }, "indicator_count": 181, "is_author": false, "is_subscribing": null, "subscriber_count": 25, "modified_text": "810 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64da05cdba55fc9cf872cb11", "name": "IOC's off of my personal devices Aug 14th - June 28th | Come one come all, something for everyone", "description": "Now that I've been able to get a pulse published I'm going to be recursively and actively updating this pulse with IOC's pulled off of files marked malicious, suspicious, ambigious, or clean with a threat score from my personal devices. I will also add files that have a high amount of indicators and no threat score as well and let AlienVault sort it out. Hopefully I'll be able i'll be able to fill the gap to my last Pulse the better part of a year ago. \n\nNearly all of these files are debug and VM aware, with a majority having a legitimate certificate chain. The ones that do run have been initialized in a live environment (aka my desktop, laptop, phone, etc).", "modified": "2024-02-14T21:44:01.779000", "created": "2023-08-14T10:45:33.014000", "tags": [ "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "falcon sandbox", "hybrid analysis", "sandbox files", "urls quick", "scans files", "urls file", "releases", "updates faq", "public api", "knowledge base" ], "references": [ "https://otx.alienvault.com/indicator/file/b197cf4cee44d52be11275f49f3143b4f7f8e735", "https://hybrid-analysis.com/sample/4dbe669e9b8b9cfe1bfa98019ccf2e56230ed136adce966649ee38e61e934303/64da0aedbe662a714b0480b1", "https://www.virustotal.com/gui/file/207bfec939e7c017c4704ba76172ee2c954f485ba593bc1bc8c7666e78251861/behavior", "https://www.virustotal.com/gui/file/3db36d262eb15c349b4b945e0b1d9772c262cd2b7d57c40ede429958daeab97e?nocache=1", "https://otx.alienvault.com/indicator/file/08515dcc6df957c9c5d4f00db4f568b3ee29c337", "https://www.joesandbox.com/analysis/1041402", "http://hybrid-analysis.com/sample/e9fc2ca7297a65937de9887be565eb5bbd149ba2c1a1ea4d3ca88302ede7ecac", "https://www.virustotal.com/gui/file/a7b4797c4a29864aacb7b40dd854adaf3936791d7c326d02d4aad37982d801a9/community", "http://hybrid-analysis.com/sample/e4db1656c4cfff0a4ced5a943b8433388c7b4935711d522014c819328f19001d/64da070d00534407c40c1034", "http://hybrid-analysis.com/sample/4dbe669e9b8b9cfe1bfa98019ccf2e56230ed136adce966649ee38e61e934303", "http://hybrid-analysis.com/sample/4cf079d4d7a154cd93f65934b5d115f07af8f25ee24930e6cc606dfb0aea2a4e", "https://otx.alienvault.com/indicator/file/1831d8972bfae639576d10903c2d586e", "https://hybrid-analysis.com/sample/beff391ce640cc8fdfcec22b77c5d2bc4776304e3a404e8168ce315226c4fc41/5eae8f731389173b4c432b17", "https://otx.alienvault.com/indicator/file/c85cc6f8ff7d69d7a7af9498d7d75bc05e35fb69f34d7b50d9057608f7b73f51", "", "https://tria.ge/230806-j3tdasgd72", "https://tria.ge/230806-j8mspsgd84", "https://tria.ge/230806-j8tk9ahg7t", "https://tria.ge/230809-vsggjadf59", "https://tria.ge/230809-vtdr2afd2t" ], "public": 1, "adversary": "Unknown - Most likely multiple spanning Cyrillic and Chinese in terms of artifacts", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "neshta", "display_name": "neshta", "target": null }, { "id": "Expiro", "display_name": "Expiro", "target": null }, { "id": "Win.Dropper.Gh0stRAT", "display_name": "Win.Dropper.Gh0stRAT", "target": null }, { "id": "Win.Malware.Eclz-9953021-0", "display_name": "Win.Malware.Eclz-9953021-0", "target": null }, { "id": "Win32:Farfli-BH", "display_name": "Win32:Farfli-BH", "target": null }, { "id": "TrojanDownloader:Win32/Nemucod", "display_name": "TrojanDownloader:Win32/Nemucod", "target": "/malware/TrojanDownloader:Win32/Nemucod" }, { "id": "Win.Malware.Snojan-6775202-0", "display_name": "Win.Malware.Snojan-6775202-0", "target": null }, { "id": "Win.Malware.Qshell-9875653-0", "display_name": "Win.Malware.Qshell-9875653-0", "target": null }, { "id": "TrojanDownloader:Win32/Zegost.E!bit", "display_name": "TrojanDownloader:Win32/Zegost.E!bit", "target": "/malware/TrojanDownloader:Win32/Zegost.E!bit" }, { "id": "Backdoor:Win32/Zegost.CQ!bit", "display_name": "Backdoor:Win32/Zegost.CQ!bit", "target": "/malware/Backdoor:Win32/Zegost.CQ!bit" }, { "id": "#Lowfi:SuspiciousSectionName", "display_name": "#Lowfi:SuspiciousSectionName", "target": null }, { "id": "Backdoor:Win32/Zegost.gen!B", "display_name": "Backdoor:Win32/Zegost.gen!B", "target": "/malware/Backdoor:Win32/Zegost.gen!B" }, { "id": "Win.Dropper.Gh0stRAT-7696262-0", "display_name": "Win.Dropper.Gh0stRAT-7696262-0", "target": null }, { "id": "Backdoor:Win32/Zegost.BU", "display_name": "Backdoor:Win32/Zegost.BU", "target": "/malware/Backdoor:Win32/Zegost.BU" }, { "id": "Trojan:Win32/Farfli.DSK!MTB", "display_name": "Trojan:Win32/Farfli.DSK!MTB", "target": "/malware/Trojan:Win32/Farfli.DSK!MTB" }, { "id": "Backdoor:Win32/Zegost.BK", "display_name": "Backdoor:Win32/Zegost.BK", "target": "/malware/Backdoor:Win32/Zegost.BK" }, { "id": "HackTool:Win32/Mimikatz.F", "display_name": "HackTool:Win32/Mimikatz.F", "target": "/malware/HackTool:Win32/Mimikatz.F" }, { "id": "Trojan:Win32/GhostRatCrypt.GA!MTB", "display_name": "Trojan:Win32/GhostRatCrypt.GA!MTB", "target": "/malware/Trojan:Win32/GhostRatCrypt.GA!MTB" }, { "id": "Backdoor:Win32/Zegost.CG", "display_name": "Backdoor:Win32/Zegost.CG", "target": "/malware/Backdoor:Win32/Zegost.CG" }, { "id": "Backdoor:Win32/Zegost.AD", "display_name": "Backdoor:Win32/Zegost.AD", "target": "/malware/Backdoor:Win32/Zegost.AD" }, { "id": "Worm:Win32/Sfone.A", "display_name": "Worm:Win32/Sfone.A", "target": "/malware/Worm:Win32/Sfone.A" }, { "id": "Backdoor:Win32/Zegost!atmn", "display_name": "Backdoor:Win32/Zegost!atmn", "target": "/malware/Backdoor:Win32/Zegost!atmn" }, { "id": "Backdoor:Win32/Zegost.H!dll", "display_name": "Backdoor:Win32/Zegost.H!dll", "target": "/malware/Backdoor:Win32/Zegost.H!dll" }, { "id": "Zeppelin_10", "display_name": "Zeppelin_10", "target": null }, { "id": "ALF:Trojan:Win32/Cipduk.D!dha", "display_name": "ALF:Trojan:Win32/Cipduk.D!dha", "target": null }, { "id": "Backdoor:Win32/Zegost.BR", "display_name": "Backdoor:Win32/Zegost.BR", "target": "/malware/Backdoor:Win32/Zegost.BR" }, { "id": "Backdoor:Win32/Farfli.AX", "display_name": "Backdoor:Win32/Farfli.AX", "target": "/malware/Backdoor:Win32/Farfli.AX" }, { "id": "ALF:HeraklezEval:Worm:Win32/Sfone", "display_name": "ALF:HeraklezEval:Worm:Win32/Sfone", "target": null }, { "id": "Backdoor:Win32/Zegost.L", "display_name": "Backdoor:Win32/Zegost.L", "target": "/malware/Backdoor:Win32/Zegost.L" }, { "id": "Backdoor:MSIL/Zegost.GG!MTB", "display_name": "Backdoor:MSIL/Zegost.GG!MTB", "target": "/malware/Backdoor:MSIL/Zegost.GG!MTB" }, { "id": "SLF:Win32/Dozlodz.A!MTB", "display_name": "SLF:Win32/Dozlodz.A!MTB", "target": "/malware/SLF:Win32/Dozlodz.A!MTB" }, { "id": "Win64:Xpirat\\ [Inf]", "display_name": "Win64:Xpirat\\ [Inf]", "target": null }, { "id": "Backdoor:Win32/Zegost.KM!MTB", "display_name": "Backdoor:Win32/Zegost.KM!MTB", "target": "/malware/Backdoor:Win32/Zegost.KM!MTB" }, { "id": "AdvancedInstaller", "display_name": "AdvancedInstaller", "target": null }, { "id": "TrojanDropper:Win32/Venik", "display_name": "TrojanDropper:Win32/Venik", "target": "/malware/TrojanDropper:Win32/Venik" }, { "id": "hacker87", "display_name": "hacker87", "target": null }, { "id": "PurpleFox", "display_name": "PurpleFox", "target": null }, { "id": "PCRat", "display_name": "PCRat", "target": null }, { "id": "Gh0stCringe", "display_name": "Gh0stCringe", "target": null } ], "attack_ids": [], "industries": [ "individuals" ], "TLP": "white", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Merkd1904", "id": "196517", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2387, "FileHash-SHA1": 2126, "FileHash-SHA256": 9395, "SSLCertFingerprint": 27, "domain": 88, "URL": 185, "hostname": 165, "email": 11 }, "indicator_count": 14384, "is_author": false, "is_subscribing": null, "subscriber_count": 82, "modified_text": "837 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65336ac2b48ca82aeb55aeed", "name": "Woodynet.net,Id3.net and me.", "description": "The saga continues - But without invoking the jinx I'll focus on the data: Woodynet.net and Id3.net have been my (notso)friendly unoptoutable-dns-resolvers i'm assuming since all of this kicked off now nearing over 1.5+ years ago. I was finally able to dump my iPhone12 in which I had had since this all started and with that really gain some leg and breathing room. But, I'm still being pumped malicious software in the form of ISO's, linux packages, Windows Updates, and so on. And these are the nexus right here. I was able to net a solid bounty from Hybrid-Analysis including 15+ trojans, about 10 different backdoors, and a slew of other collateral that honestly surprised me as Criminalip and OTX weren't wanting to speak the same language in terms of IOC translations from them to the pulse. I'm trying in vain to find the beacon(s) or whatever they're using to keep persistence.", "modified": "2024-02-14T21:43:43.324000", "created": "2023-10-21T06:08:02.798000", "tags": [ "ip lookup", "port check", "vulnerability scanner", "attack surface", "cyber threat intelligence", "cti", "asm", "domain", "exploit", "phishing", "ip address", "united", "criminal", "historical", "information", "ai spera", "search engine", "ip search", "english english", "franais", "contact", "china", "ip location", "ip owner", "internet", "ip locator", "remember", "dp ip", "ip checker", "lookup", "strong", "summary", "ip information", "pricing login", "score", "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "ansi", "data", "decrypted ssl", "windows nt", "threat level", "runtime data", "okserver", "date", "ffffff", "plugin", "path", "stop", "mask", "accept", "click", "prop", "error", "template", "class", "core", "span", "body", "suspicious", "back", "cluster", "null", "form", "zbot", "bounce", "this", "linear", "window", "ticker", "tick", "import", "orbit", "config", "main", "android", "cookie", "trident", "vidc", "hybrid", "close", "hosts", "general", "local", "mozilla", "strings", "podcast", "team", "june", "criminal ip", "engine", "resource", "dropped file", "pattern match", "script", "noscript", "connectivity", "bare metal", "iframe", "enterprise", "discord", "twitter", "facebook", "meta", "media", "story", "tools", "tokyo", "rocket", "fullscreen", "next", "small", "bare", "font", "helvetica", "arial", "tbody", "dnssec", "woodynet", "paris", "hong", "hybrid analysis", "api key", "vetting process", "please note", "please" ], "references": [ "https://www.criminalip.io/asset/report/69.166.14.38", "https://www.criminalip.io/asset/report/114.215.222.125", "https://dnschecker.org/ip-location.php?ip=31.204.146.148", "https://www.criminalip.io/domain/report?scan_id=8544746", "https://hybrid-analysis.com/sample/ab4672795b872e01bc7411fec294eab22d54e97b133769a3de306d9633fa24d6/5efec3f6b03bcb74f200310b", "https://www.criminalip.io/images/search/domain/category/icon_page_redirections.svg", "https://www.criminalip.io/domain/report?scan_id=8544687", "https://hybrid-analysis.com/sample/ab4672795b872e01bc7411fec294eab22d54e97b133769a3de306d9633fa24d6/653366aac5f632cbbf0f0000", "https://hybrid-analysis.com/sample/020fe56e2d49ead60b67a1e20b43ee0846c493c7edb3118b34c5c964fc131794/6533667318fa4c29320ec174", "https://hybrid-analysis.com/sample/2acab1228e8935d5dfdd1756b8a19698b6c8b786c90f87993ce9799a67a96e4e" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Unknown", "display_name": "Unknown", "target": null } ], "attack_ids": [ { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" } ], "industries": [ "individuals" ], "TLP": "white", "cloned_from": null, "export_count": 42, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Merkd1904", "id": "196517", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 268, "hostname": 50, "domain": 61, "FileHash-MD5": 112, "FileHash-SHA1": 110, "FileHash-SHA256": 110, "email": 9 }, "indicator_count": 720, "is_author": false, "is_subscribing": null, "subscriber_count": 74, "modified_text": "837 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65b809ec9da9326e1bdf8743", "name": "Pegasus | Lazarus Group [Hallrender.com = safebae.oeg + rallypoint.com]", "description": "", "modified": "2024-01-29T20:26:20.769000", "created": "2024-01-29T20:26:20.769000", "tags": [ "united", "unknown", "as13335", "search", "showing", "aaaa", "emails", "name servers", "servers", "as54113", "body", "date", "as15169 google", "cname", "as393648", "moved", "creation date", "record value", "entries", "domain related", "domains show", "asn15169", "google", "frankfurt", "main", "germany", "http", "ashburn", "amazonaes", "asn16509", "facebook", "june", "general full", "url https", "reverse dns", "protocol h2", "security tls", "get h2", "software", "resource", "hash", "value", "search live", "api blog", "docs pricing", "login", "december", "variables", "paq object", "piwik", "matomo", "article", "join url", "facebook url", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "ip detail", "domains domain", "tree links", "certs frames", "cisco umbrella", "site", "alexa top", "safe site", "malware", "heur", "malware site", "malicious site", "million", "phishing site", "phishing", "unsafe", "applicunwnt", "artemis", "riskware", "revenue service", "iframe", "downldr", "agent", "presenoker", "vidar", "alexa", "ssl certificate", "whois record", "historical ssl", "urls http", "njrat", "ransomware", "communicating", "referrer", "whois whois", "hostname", "hostnames", "ip address", "javascript", "detections type", "name", "win32 exe", "email holokaust", "android", "files", "android file", "domains", "hashes", "westlaw njrat", "whois", "collections", "contacted", "pe resource", "threat roundup", "january", "collection", "august", "lolkek", "installer", "hacktool", "emotet", "lazarus", "makop", "core" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "657feca7df9ea6c21350c01a", "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 149, "FileHash-SHA1": 97, "URL": 15233, "domain": 3362, "email": 14, "hostname": 5001, "FileHash-SHA256": 2750, "CVE": 5 }, "indicator_count": 26611, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "854 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "", "GCGamepad.h", "lz4.h", "12d1:1583", "perldtrace.h", "19d2:0053", "0af0:d013", "dictionary.merit", "finder.css", "jquery.easing.min.js.pobrane", "cs_dis.html", "1edf:6003", "S31tmngtd", "76cb8f92.0", "10_migrate-shadow", "mt7621_switch_portVlan", "ASPasskeyCredentialIdentity.h", "S99zzddns", "customddns", "19d2:1238", "setapn.gcom", "usbmodem_log.sh", "getVid.sh", "80_mount_root", "4a6481c9.0", "dynamic_dns_dyndns.sh", "32-sit", "SSL.com_EV_Root_Certification_Authority_RSA_R2.crt", "zconf.h", "keywords.h", "search.js.pobrane", "folderTree.js", "intrpvar.h", "uuid.h", "22-dos_defense", "ip_var.h", "https://aplikacja.ceidg.gov.pl/CEIDG/CEIDG.Public.UI/EntryChangeHistory.aspx?Id=855bdfc1-7dbc-4a86-9d27-89ebb0ecf166&archival=False", "acl_delete_rule.lua", "session_limits.html", "sessmngr.html", "https://vtbehaviour.commondatastorage.googleapis.com/00000722ff984d5cd9cd766d12c70eecc7a2ad7502999c5a99d582c79b92c1a6_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775978364&Signature=yFKLOW7cLGxEDj33tw1mRKNjyzUXQUuQpv%2FrA3D2X5q8rw9kMCREsBLs%2F%2FNYRFxARS3RB5Lk4O6CmSWhNnG3A6HL18Gz6MgwskKshWmxISeMPsHS3bV%2F%2FfnGBWAext5N5I8M1E3kyouF%2FSW3NwXOVYP%2FTI%2BQ1I%2FDzIIYwu8Da44roDqJL3wQaxKZjyUAXa6fTXFaFor%2FO9DxLhb3cHkFxY9PbZuvVGjWowadR80d", "Block.h", "error500.htm", "in_stat.h", "sfe", "Buypass_Class_3_Root_CA.crt", "vnet_zone_init.sh", "serial", "50-improxy", "S99bootcount", "03f0:002a", "19d2:0040", "https://www.loldrivers.io/js/chart.min.js", "1ee8:0063", "https://vtbehaviour.commondatastorage.googleapis.com/06b6d62477011fa63fdb44046351fbe574391916a4f3ea0486b3e3498145a7d7_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190407&Signature=Y3EAa%2Fwo4ligJHfBUxkzWLjU9FPLyNmsxeNdcPCIPQBYTTGUIaFddrFIYHFhawxMDvixd7uA0qGc0zVDWgbStf2qhTOU1D0aF%2F%2BSLSXEY3VB8oWRXZCEI12zrSd5P4lHInxRS3CJKbNnJP4GvYx20ctpNSo4u%2FvVMLM%2B92TiYCunAVTquDVrFNNim6LJTEz2ucjhcgF2gKn%2FF0f9ALEheC1lk4omwpcYEPQLNX0wNsxNC%2BWQ", "vBasicOps.h", "19d2:#linux", "07d1:a800", "shells", "65_nginx_sync.sh", "phddns", "store.js", "https://serverhub.com/combine/a059fe7a562c0b582328162f0ee69fda-1426025688", "xcbc.conf", "ASWebAuthenticationSessionCallback.h", "sel.h", "0af0:7a01", "client.key", "onion.js.pobrane", "96-dynddns.sh", "firmware_reseting.html", "emSign_Root_CA_-_C1.crt", "ASAuthorizationSecurityKeyPublicKeyCredentialRegistration.h", "ffff_0003", "nonce.conf", "WKUserContentController.h", "ASAuthorizationSecurityKeyPublicKeyCredentialAssertion.h", "monitor_port.lua", "230d:000b", "https://vtbehaviour.commondatastorage.googleapis.com/a0fb314babd51dbc460ab126b615da4c6f9481f5d1225d0ac189da9d99923bb3_VirusTotal%20Droidy.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190345&Signature=33%2BM36uNOvEfi8bNtJvnbxcTgcnoIlIO2vBglXpCJFNwC8HAewGOF91Q26TOAsw4sbmtTxQ2F5Q2jv2V3ULV8MAxxgYVptJ69SusRt7qZeBDUpMY%2BOdTYqjkdBuYUqYiCvM756aQheS1KvDepeD64x8e%2FivWkpm%2BZ9yDaKUc7w2143zYkc8kpyBSsO8rJI9vyoHYvbr4sfZOowoUWK7yMjQD9SN5bL%2FFABbMrPEOMyobApm", "0421:0627", "https://m.facebook.com/", "hv_macro.h", "usb_backup.html", "session_limits.sh", "2020:f00e", "IOUSBHostObject.h", "1c9e:1001", "SessionTimeout.js.pobrane", "pptp_tunnel.html", "full_valuefooter.htm", "201e:2009", "xfe-URL-Eonix.net-stix2-2.1-export.json", "setpin.gcom", "0421:0632", "time.js", "S92qos_ctl", "ASCredentialIdentityStore.h", "pad.h", "firmware_backuprestore.html", "libradiusclient-ng.la", "widget.js", "PWS:Win32/Ymacco.AA50 Win.Trojan.Generic-9959068-0\t SLF:MSIL/PSTAnomaly.A Win.Dropper.Shakblades-7614016-0\t#LowFI:VBExpensiveLoop Win.Packed.Barys-10031677-0\tTEL:Trojan:MSIL/AgentTesla.VPA!MTB Win.Trojan. Backdoor:MSIL/Remcos!MTB", "0af0:c100", "0af0:7a05", "pem.conf", "style-pcdemo.css", "5f15c80c.0", "https://hybrid-analysis.com/sample/4dbe669e9b8b9cfe1bfa98019ccf2e56230ed136adce966649ee38e61e934303/64da0aedbe662a714b0480b1", "12-netbios-passthrough", "Security_Communication_Root_CA.crt", "time_mngt.html", "GKSession.h", "pptp-ifdevice-info.sh", "l2tp_global.html", "1d09:1000", "ASAccountAuthenticationModificationReplacePasswordWithSignInWithAppleRequest.h", "04fc:2140", "session_limits", "ipsec_failover", "nf-conntrack-netlink", "indexer.htm", "ASExtensionErrors.h", "ipt-filter", "By operating through WhoisGuard-protected infrastructure and exploiting XOR 0x20 obfuscation, the adversary effectively suppresses telemetry into skim space, successfully bypassing DMARC and Microsoft-integrated trust-chain validation.", "IOBluetoothDeviceSelectorController.h", "S95done", "jquery.min.js", "11_migrate-sysctl", "l2tp.sh", "ui.datepicker-pl.js.pobrane", "S50pppox", "nfnetlink", "portal_mgmt_monitor.sh", "T-TeleSec_GlobalRoot_Class_2.crt", "04e8:689a", "ppp-up", "Researcher msudosos posits a strategic exploitation of Root Certificate Validation Failures, where the adversary leverages an expired trust chain to bypass heuristic security filters and establish persistence.", "12d1:157d", "account_config.html", "pptp-server-global", "mppe", "jcemediabox.css", "ASPasswordCredentialRequest.h", "GKAchievementViewController.h", "106c:3b05", "KUNCUserNotifications.h", "GameKit.apinotes", "netbios_passthrough", "dslite-up.sh", "jquery.json-2.4.min.js", "koi-utf", "preview_mobile_wifi.html", "dynlist.htm", "mg_vtable.h", "stdarg.h", "30-fs-ntfs", "1004:6190", "GCControllerTouchpad.h", "tmngtd", "firewall", "98-ipsec.sh", "GCExtendedGamepadSnapshot.h", "IOUSBHostIOSource.h", "S95ipstat", "geoip", "12d1:1001", "IOUSBHostCIDeviceStateMachine.h", "COMODO_RSA_Certification_Authority.crt", "WKBackForwardList.h", "inline.h", "K10improxy", "f081611a.0", "https://cop.supply/proxies-lists/ \u2022 https://cop.supply/shopify-bots/", "skynet-dev.tcxn.net tcxn.net Registrar Ascio Technologies, Inc - connection to cloud proxy", "daemons.conf", "nat_dmz_bypass.sh", "qos_ipset.sh", "0e8d:0002:uPr=MT", "8cb5ee0f.0", "tabmenu.htm", "05c6:1000:uMa=CELOT", "sddm-:0-BoTuTx", "service.sh", "COMODO_Certification_Authority.crt", "12d1:1f11", "0ace:2011", "start_rule.sh", "cpu_capabilities_public.h", "NSAttributedString.h", "print_server.html", "8d89cda1.0", "controller_setting.html", "controller.js", "pptp-tunnel-action.sh", "switch_portVlan.html", "SSL.com_Root_Certification_Authority_RSA.crt", "S60pptpd", "offcanvas.26.css", "mt7628_switch_portStatistic", "https://vtbehaviour.commondatastorage.googleapis.com/edb4c21d60daa44b3429e7ba9bfa342759ebef23c136c934f74aef145453ce19_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775737365&Signature=S%2B7RcHYjab1hbKlKwFfvUbDirFPJS1A2TJQ3bVIObMcON4PD9pRDvhMtYMCnEBrYsICi0UJCFW5eUDolL5Jlbngsc587kF36vvuhlkPprbkSOY1jOyDTpe3Qsb6jRFz3xwOfZc9S5QervoLnRKb%2FyGSyZE6ZK6TxzBrOPczPtZ7sLf9NfD6E%2B2gMRXaRjEqVwVITLG7YqCiiNuohFOuNlK3uNHFpIk53viKvBSAIqLtSklH9bHW4q1DX", "70-policy_route.sh", "https://hybrid-analysis.com/sample/2acab1228e8935d5dfdd1756b8a19698b6c8b786c90f87993ce9799a67a96e4e", "70-switch.sh", "https://d31qbv1cthcecs.cloudfront.net/atrk.js", "19d2:0003", "21f5:1000", "bwlist_qq.html", "reset.gcom", "tddp", "WKHTTPCookieStore.h", "ASAuthorizationWebBrowserPlatformPublicKeyCredentialRegistrationRequest.h", "GlobalSign_Root_CA_-_R3.crt", "openvpn-client-down.sh", "mt7628_switch_portRateControl", "IOUSBHost.h", "ASFoundation.h", "widget.css", "umount", "mac_filter", "99-load_balance.sh", "ifdown-l2tp.sh", "chat-gsm-test", "dns_dot.html", "99-vpn_hook.sh", "luci", "Starfield_Services_Root_Certificate_Authority_-_G2.crt", "50-arp_garp", "netifd-wireless.sh", "ASPasskeyCredentialRequestParameters.h", "https://dnschecker.org/ip-location.php?ip=31.204.146.148", "pppox", "WKWebViewConfiguration.h", "19d2:1514", "1d3472b9.0", "ipt-conntrack-extra", "10_indicate_preinit", "ssl_vpn_user_group.html", "ipsec_check_domain_wrap.sh", "https://vtbehaviour.commondatastorage.googleapis.com/1256f3aa5f091ac40a573113fcc1a4d0e320af5ee363b0eca79618602cb7dc66_Dr.Web%20vxCube.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190146&Signature=3XpRLUQ3g712Vw0Gv1aflVxZs7RKpzIhEK8giO9ydwOrOGjLnAK89Y%2BmEf4g2U2YbO04EE%2BcdR5xPgcch1%2B1Gf4thYCgBcbKEEIfNK5UrJwBpAkYRm3D9xsnD%2FVxZt26yLC6aQy87D%2FKNC9aLvViRHGxuFgOp4zkcU%2BRD6mmpIB8SpX5%2BDpocWc4s9R%2BywRPXZ2U2E49g81i%2B5io3Ycqe8ikdjbPlZo9R0KEFLaDQtH", "openvpn-password.lua", "foldertree.js", "Certum_Trusted_Root_CA.crt", "Virus:DOS/Hellspawn 192.168.122.49 10/16/25\t\u2022 IPv4 142.251.9.105", "thread.h", "Starfield_Root_Certificate_Authority_-_G2.crt", "e18bfb83.0", "30-fs-btrfs", "32888f65.0", "25-nls-cp866", "user-secrets.reference", "0af0:d031", "GCDualShockGamepad.h", "GKVoiceChat.h", "AFKMemoryDescriptorOptions.h", "root.key", "ipv6.html", "OSvKernDSPLib.h", "04-ipv6", "12d1:155b", "zero_boot_done", "xl2tpd.conf", "desc.h", "in_private.h", "zzzcloud_proc", "S60dnsmasq", "ipsec.conf", "filesystems", "ssl_vpn_status.html", "50-usb-ohci", "rsa_check", "ASAuthorizationWebBrowserSecurityKeyPublicKeyCredentialAssertionRequest.h", "b66938e9.0", "CredentialsCache2.h", "ASAccountAuthenticationModificationRequest.h", "directip.gcom", "web_security.html", "349f2832.0", "pptp_global.html", "timeobj_api.sh", "jcemediabox.js.pobrane", "capture_0.bundle.js", "vForce.h", "qos_dpdk.sh", "vfs_support.h", "sw3VTUzeRvWIVwvWSyk6S5gHWPxOOwU1OxerozmN4Hw.js.pobrane", "IOBluetoothUIUserLib.h", "cmd.sh", "web_func.sh", "GCDevicePhysicalInput.h", "ASAuthorizationAppleIDCredential.h", "19d2_0001", "UNDRequest.defs", "mt7628_switch_portMirror", "OBEXBluetooth.h", "AffirmTrust_Commercial.crt", "firmware_managing.html", "21-nat.sh", "time.sh", "jquery.autocomplete.min.js.pobrane", "http://hybrid-analysis.com/sample/e9fc2ca7297a65937de9887be565eb5bbd149ba2c1a1ea4d3ca88302ede7ecac", "ipt-ipv4options", "03_preinit_do_ramips.sh", "dhcp6c.script", "strongswan.conf", "ipt-ipsec", "openvpn-common.sh", "12d1:1805", "GKDialogController.h", "S46iptv", "connect-ncm.gcom", "openvpn-server-down.sh", "GCGamepadSnapshot.h", "22-access_ctl.sh", "openssl-1.0.0.cnf", "stickybar.js.pobrane", "04bb:bccd", "connmark.conf", "compound.htm", "65-scsi-generic", "6rd.sh", "1004:61eb", "22-qos-tplink", "usb-serial-option", "mt7621_register", "0af0:7271", "http://www.plix.pl", "sendsms-at.gcom", "https://vtbehaviour.commondatastorage.googleapis.com/3e6e0898a7b1b297d2b9322f5f578b02e2fd5d5647dbeef6b9273cda383e1547_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775283189&Signature=PtLPpZoeHrLkYIaV2etyfYslOxR9PtxqmjNNDdMHoJjBUuweFaoOVGyfkf%2BUGEiGQCogCu7az%2B4btIJ3frL%2BEdzwNV7Ufeb24KQqbVUQrVITPGPCW42mMdsKdDoNQsqLooDqFsjxRGt2meZgP3F3roSTIWDEJPwr35bBBkdANOOdXZG1mg3O8JHm35%2BBQMkSxOiAxeftigjPK7On%2Fk%2FvMli1USxDUfi2eRlkRaL090nKenRXt3cz4FEBe8", "servers", "DigiCert_Assured_ID_Root_G2.crt", "openvpn-client-connect.sh", "action_check.html", "ACCVRAIZ1.crt", "GDCA_TrustAUTH_R5_ROOT.crt", "ipt-account", "firewall_zoneforwards.htm", "ssl_vpn_quicksetup.html", "udp_var.h", "pptp-client-global", "25-nls-iso8859-13", "rip.lua", "openssl.conf", "1f28:0021", "passthrough.sh", "cn9130_switch_portState", "https://vtbehaviour.commondatastorage.googleapis.com/3b145ee102848506dc7551758ee869b43a1753f06fabcbcf9ca574cb7843d60e_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775978167&Signature=ukCrMHPUqB9sAvA3sCKxfTpKsnpIxfU1vyE1t7AsEZ2JBslXLn0KOjAMFlqSS33UscXS2xVpcOB1wOgX5ZbIlIX0m19OZ79aq1QXdbgZcRdsQ%2B07tzoo82jk6i7wuXsvtA8Lg1oPdLiq15X99Ey1Q4Qu%2F0YpJnHHOQ8zJCsmJIL%2BCV7ZRaam44zjH9hrfu2RFHKg7UN%2F%2BePHS%2FGSY3JiZ4dG10ymuI%2BSbNuvxnx4LIP9iAnFi", "GKPlayer.h", "dvalue.htm", "util.js.pobrane", "led.sh", "ip6.h", "jquery.dataTables.js.pobrane", "05c7:1000", "_updown", "cd8c0d63.0", "GlobalSign_Root_CA_-_R2.crt", "MCBrowserViewController.h", "core_redirect.sh", "25-nls-cp1251", "1dd6:1000", "12d1:1f01", "GCButtonElement.h", "95-online.sh", "pppol2tp", "K10portal_mgmt", "S50uhttpd", "0e8d:7109", "2001:a405", "cop.h", "vlan.lua", "arp.sh", "CommonResponsive.js.pobrane", "8888:6500", "ipsec_execute_stroke.sh", "ifstatus", "ssl_vpn_tunnel.html", "198a:0003", "2001:00a6", "tpcmd.sh", "http://hybrid-analysis.com/sample/4cf079d4d7a154cd93f65934b5d115f07af8f25ee24930e6cc606dfb0aea2a4e", "MCError.h", "sshkey.conf", "login.sh", "time64_config.h", "GKEventListener.h", "TrustCor_ECA-1.crt", "ScriptResource.axd", "dhcp_client.html", "detach_timeobj.lua", "Izenpe.com.crt", "98-ipt_websec_match", "preinit", "https://static.xx.fbcdn.net/rsrc.php/v3iLQG4/yB/l/en_US/ZrB35JaC5Ph.js?_nc_x=Ij3Wp8lg5Kz", "230d:0007", "S96load_balance", "07_set_preinit_iface_ramips", "ipset.debug", "65-iptv", "IOBluetoothPasskeyDisplay.h", "checkbox.js", "IntentsUI.h", "GCXboxGamepad.h", "32-ipsec4", "GTS_Root_R2.crt", "0af0:d001", "regcomp.h", "opkg.conf", "TeliaSonera_Root_CA_v1.crt", "asm_help.h", "show_if_help.lua", "dataTables.lang.js.pobrane", "vnet", "jquery.notify.min.js.pobrane", "constraints.conf", "S99usbmodem", "verify_pub.key", "05-lanv6", "l2tp-ipsec-setstatus.lua", "arm64e-apple-macos.swiftinterface", "sharecfg", "wifidog.conf", "GCPhysicalInputProfile.h", "GKPublicProtocols.h", "issue", "97-qos.sh", "ipt-conntrack", "perlapi.h", "lanv6_server.sh", "GKGameCenterViewController.h", "nat_alg.sh", "hmac.conf", "rtl8367s_switch_portVlan", "ngx_sqlApi.lua", "options.default", "sysupgrade.conf", "mydtrace.h", "radiusclient.conf", "GTS_Root_R1.crt", "get-vpn-ip.sh", "109b:f009", "macgroup", "modem_scan.sh", "40-usb2", "12d1:15ca", "responsive.bootstrap4.js.pobrane", "dhcp6s.conf", "S20network", "1004:61dd", "0af0:7601", "https://static.xx.fbcdn.net/rsrc.php/v3/y7/l/0,cross/04QJzvjR9Wh.css", "d4dae3dd.0", "ffff_0001", "cli_vlan_cmd.tree", "06-wan_log", "30-fs-nfs-common", "vnet_core.sh", "SZAFIR_ROOT_CA2.crt", "isp_routing.html", "GKLeaderboardEntry.h", "wireguard_interface", "jquery.countTo.js.pobrane", "index.txt", "ipsec_secrets", "S25sysctl", "96-noipddns.sh", "12d1:1010", "1410:5010", "0d46:45a5", "GKScore.h", "WKScriptMessageHandler.h", "sv.h", "1199:0fff", "3g.sh", "12d1:1f07", "dynanmic_arpreq.sh", "ASCredentialServiceIdentifier.h", "c28a8a30.0", "mt7621_switch_portRateControl", "ifup", "pkcs7.conf", "19d2:0150", "delete_restart.sh", "pppox-load-user.lua", "0af0:d035", "aes.conf", "util.h", "5e98733a.0", "lldp_get_wan_device.sh", "GCExtern.h", "usb-net-cdc-ether", "OSMalloc.h", "25-nls-cp437", "ASAuthorizationWebBrowserPublicKeyCredentialManager.h", "USERTrust_ECC_Certification_Authority.crt", "ASWebAuthenticationSession.h", "ASCredentialIdentity.h", "https://amano.inboundtools.com/tpcontact URL https://armg.inboundtools.com/ URL https://gaiax.inboundtools.com/internship URL https://hmk.inboundtools.com/ URL https://hmk.inboundtools.com/form/assetview_siryo_sier", "dhcp_server.html", "ASAuthorizationPublicKeyCredentialParameters.h", "tsection.htm", "pppox-killtunnel.sh", "http://hybrid-analysis.com/sample/e4db1656c4cfff0a4ced5a943b8433388c7b4935711d522014c819328f19001d/64da070d00534407c40c1034", "0af0:7071", "2077:f000", "LBresearcher: msudosos notes: The campaign's use of T1110.001 (Password Guessing) is specifically tuned to exhaust credentials across SSH, MySQL, and CMS backends, effectively recruiting server infrastructure into a global \"zombie\" network.", "ssl_vpn_auth.html", "preauth_plugin.h", "40-remote_mngt", "Hellenic_Academic_and_Research_Institutions_RootCA_2011.crt", "jquery.ui.core.min.js.pobrane", "ippool", "usb-serial-wwan", "S97ipsec", "machine_remote_time.h", "S99system_params", "b727005e.0", "ASAuthorizationController.h", "19d2:0388", "Apple Store verified drop down breach \u2018Apple took a screenshot of pages\u201d", "OpenAL.h", "1ee8:0013", "chat-get-qualcomm_2", "https://vtbehaviour.commondatastorage.googleapis.com/37efacb8411234dd9882d8d3a8709f492eb2ed252132da099a11be07c0b4ccb0_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190199&Signature=RiO2p%2BBvc38TqeTuiMJNxoT6Jr3JfHvTQFQIk94ZaRY%2FPP5yEPSH45GncMCh4GqP1%2F%2BNLR2IVm5Z2svEWojLwxq%2Fl0eIAWy1chUQmg2GcEg5YoaEEnXpWjb1er08EIYwV0ZC8parFwVrr194MKeUmZYo5NLYk4%2BCim9ipnxYse12eROsMSXZtyS4daGivzQzihRqTUU9iEn%2FxAKEOI%2F3V8JRrqNy3nDqmo1mdoVr", "led_set", "0af0:7401", "1bbb:f052", "GCRacingWheelInput.h", "_param.h", "19d2:0318", "a94d09e5.0", "DigiCert_Assured_ID_Root_CA.crt", "14bc7599.0", "ipt-geoip", "imb.html", "procd.sh", "dnsproxy", "qos_ctl", "GlobalSign_Root_E46.crt", "GCSyntheticDeviceKeys.h", "1-lanhook.sh", "chap-secrets", "win-utf", "qos_config_sync.lua", "vm_options.h", "protofind.lua", "30-fs-ext4", "zzomada_server", "0bdb:190d", "CA_Disig_Root_R2.crt", "x86_64-apple-macos.swiftinterface", "sysauth.htm", "GCSteeringWheelElement.h", "modem-configure.gcom", "3e45d192.0", "libopenldap", "K10openvpn", "system_log.html", "12d1:1f16", "limits.h", "IOUSBHostCIControllerStateMachine.h", "106c:3b03", "mobile_wifi.html", "ipxd", "header.htm", "7719f463.0", "0af0:7901", "radiusclient-ng.h", "ASAuthorizationRequest.h", "ipt-extra", "appdist.html", "22de:6803", "0af0:7361", "ucitrack", "https://tria.ge/230806-j3tdasgd72", "version.h", "04cc:226e", "90-xt_ipsecmark", "websec_timeobj.lua", "dpi_tmngtd.sh", "9b5697b0.0", "qos_core.sh", "30-fs-autofs4", "xfe-URL-Cloudfront.net-stix2-2.1-export.json", "cli_cmd.tree", "attr.conf", "WKUserScript.h", "GCSwitchPositionInput.h", "GCDeviceCursor.h", "12d1:1521", "30-tun", "1e0e:f000", "handle_card.sh", "dhcp_lan_settings.html", "S10boot", "1c9e:f000", "D-TRUST_Root_Class_3_CA_2_2009.crt", "ddns", "kill-pptpd-xl2tpd.sh", "about_hover.svg", "0af0:8304", "a3418fda.0", "vm_far.h", "luci-add-conffiles.sh", "biznes.css", "5443e9e3.0", "0b1b94ef.0", "20b9:1682", "SwiftUI.swiftoverlay", "GKGameSessionSharingViewController.h", "1004:6327", "ipv6group_group.html", "2ae6433e.0", "Monitor DGA Shifts: Track new domains registered through NAMECHEAP INC using the current WhoisGuard patterns to identify the next cluster before it goes active. Analyze Telfhash Clusters: Use the Telfhash (t1f303a0...) to pivot and find if the adversary has updated to 64-bit ELF or ARM architectures. Harden DMARC: Ensure your environment moves from \"p=none\" to \"p=reject\" to mitigate the internal spoofing loops exploited by this botnet's telemetry suppression.", "http://ianswertomom.com/develop-wise-woman-within-yourself", "pgp.conf", "zone_api_all.sh", "port_trigger.html", "gre-ipsec-up-down.sh", "CommonScripts.js.pobrane", "webfilter_func.sh", "nat_dmz.sh", "netifd-proto.sh", "19d2:1225", "ASCredentialProviderViewController.h", "perl_siphash.h", "libperl.tbd", "dhcp.script", "time_setting.html", "layout.min.js.pobrane", "S98led", "moment-with-locales.min.js.pobrane", "core.sh", "resolve.conf", "ipcalc.sh", "GCControllerElement.h", "pki.conf", "ifup_down.sh", "S96upnp", "The domain prioritywirreles.com (registered via NAMECHEAP INC) shows a 4/93 detection ratio, confirming it is a live but \"low-noise\" C2 node used to avoid broad-spectrum blacklisting", "firewall_zonelist.htm", "12d1:1553", "GameController.h", "0af0:8800", "ipv6", "iptv", "19d2:fff5", "time_mngt", "client.crt", "40-load_balance", "ips_threat_management.html", "IOUSBHostStream.h", "ASWebAuthenticationSessionWebBrowserSessionManager.h", "wireguard_peers", "S99enablemodem", "ipt-ipopt", "1410:5055", "OSDebug.h", "ldap_query.sh", "https://otx.alienvault.com/indicator/file/08515dcc6df957c9c5d4f00db4f568b3ee29c337", "1410:5031", "ipv6_lan.html", "progressbar.js", "dhcp6c", "dnskey.conf", "6b99d060.0", "getisp.sh", "GCDeviceHaptics.h", "12d1:1f1d", "02_network", "062cdee6.0", "ePKI_Root_Certification_Authority.crt", "TargetConditionals.h", "1004:607f", "GKNotificationBanner.h", "mt7628_switch_portVlan", "1-lanv6hook.sh", "crc.h", "50-usb-uhci", "dosish.h", "oalMacOSX_OALExtensions.h", "math.h", "policy_routing.html", "99-z3g4g-connect", "priv-key.pem", "stdint.h", "SecureTrust_CA.crt", "ASPasskeyRegistrationCredential.h", "230d:0103", "offcanvas.js.pobrane", "S95ifstat-mini", "988a38cb.0", "https://vtbehaviour.commondatastorage.googleapis.com/fa8a59149604c73572bf92b42640de49faa7e8f16cd4bc18345d3e6a16378744_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775282044&Signature=Y%2FEJZwm3h4tUuhn9%2FgO7QDcTnUoojZIDnoL%2FuGaoe0o5h%2FPUEiZpyFQLH9JfrvNN0h58UWlcJNCMxaSZl%2BZDvBDliVat0wDr0fE35mo0jGTK3uwa7DykFrjyI0NAVFlzkVSyxC0euM4lSJaw9PqyJGgLb4FfaztkzK7ZQYTIsGMYWSsCAKzatCObwK%2B8nqV63M9VXUeJy8ZQx7IwbttNffD6FQUaPbtCwlsywb%2Bu7NVqkFSG", "19d2:0146", "usb-wdm", "https://tria.ge/230809-vsggjadf59", "GKAccessPoint.h", "S60xl2tpd", "cn9130_switch_portVlan", "ff34af3f.0", "nsection.htm", "2020:f00f", "CredentialsCache.h", "static_routing.html", "ce5e74ef.0", "static_route", "_endian.h", "98-iptv.sh", "TWCA_Root_Certification_Authority.crt", "1614:0802", "20-upnp", "22f4:0021", "0af0:d058", "ipgroup_view.html", "0408:ea43", "arp_scan_range", "4b718d9b.0", "logger", "dynamic_dns_noip.sh", "l2tp_tunnel.html", "10_indicate_failsafe", "rtl8367s_switch_portRateControl", "lock-prov.gcom", "reentr.h", "0af0:c031", "https://www.virustotal.com/gui/file/a7b4797c4a29864aacb7b40dd854adaf3936791d7c326d02d4aad37982d801a9/community", "1a8d:2000", "50-access_ctl.sh", "12d1_0001", "pptp-client-delete.sh", "GCPhysicalInputElement.h", "12d1:380b", "pptp-client", "IOUSBHostDefinitions.h", "40193066.0", "GCLinearInput.h", "jquery.flot.pie.min.js", "GCAxisElement.h", "d7e8dc79.0", "chat-get-anydata_2", "GKCloudPlayer.h", "ASAuthorization.h", "50-xt_flood", "5ad8a5d6.0", "2001:a805", "qipc_sharedmemory_xFMOjWbQizvIQbjaGodBkPpoECFzUYyznnjEncea48051f6b8a69e2450843f1f32c0bb393e04349", "IOBluetoothUI.h", "GCDualSenseGamepad.h", "20-fs-exportfs", "sdnInfo", "djmegamenu.26.css", "80-balance.sh", "value.htm", "default_balance", "25-nls-cp1250", "getregistestate.gcom", "IOBluetooth.tbd", "tcp_var.h", "atm_types.h", "time_setting", "19d2:1536", "2357:f000", "S99dpi", "Amazon_Root_CA_1.crt", "test.sh", "0af0:8200", "WebKitLegacy.h", "zone", "f51bb24c.0", "nfnetlink-queue", "ar9533_switch_portRateControl", "vlan_portSetting.html", "modemLedCtrl.sh", "https://www.fmglaw.com/lawyers/christopher-ahmann - found in adult content pulse.", "230d:0001", "31-iptunnel6", "https://khmerpornvideo.signup0.y.id/", "pd_api.sh", "bitcount.h", "route_api.sh", "12d1_0004", "disconn-script", "https://vtbehaviour.commondatastorage.googleapis.com/d45818a5cd5d41133eeb2bb915b70591823526786936d1ff425c82957057a080_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775977759&Signature=NBaN%2BKLt4kQxB6lxMAKf0PJGXB22KDgo54085YsLIZeKYr%2FZMbLuFYa65quTdyB8OT20aOMsT%2Bx7n2Nv%2BpBu9tlcAvqR27Q83JBzoWGOiDxS79sdgdFXXcK1fvBAY1%2BjtLvoBhQMAK7BZO3%2BuKbWEabvTF9p9Cwjhp%2FMQXMHRl%2BuPqE6REp29LQImSxPlNb5PmpRdhhhBX877q%2F6YPIpViq1j4uEa5xeFaF%2BLHuli03Gs93pzj", "debug.lua", "dynamic_route", "19d2:0413", "ppp-dhcp6c.script", "WKDataDetectorTypes.h", "in_var.h", "gssapi.h", "balance_basic.html", "cli_snmp_cmd.tree", "vlan", "time_range.lua", "nginx", "USERTrust_RSA_Certification_Authority.crt", "0bf05006.0", "cn9130_switch_portPara", "1ee8:0054", "2923b3f9.0", "gre_overipsec.html", "ip_stats.html", "19d2:1227", "IOUSBHostCIEndpointStateMachine.h", "op_reg_common.h", "cli_nat_cmd.tree", "S47dos_defense", "WKPreviewActionItem.h", "30-fs-minix", "audit_ioctl.h", "sys_monitor", "av.h", "19d2:1233", "QuoVadis_Root_CA_2.crt", "10-rt2x00-eeprom", "led_early", "12d1:155a", "ncm.json", "1001acf7.0", "18856ac4.0", "Msudosos Regional Notes: While historical pivots show Russian-hosted nodes, the current dual-origin telemetry\u2014dominated by 181 United States-based endpoints\u2014strongly suggests a domestic-aligned adversary leveraging global 'grey space' to obfuscate its operational core. This massive US-centric footprint (exceeding all other regions combined) reinforces the theory of a false-flag orchestration designed to divert attribution toward foreign infrastructure while abusing legitimate Western-hosted trust chains.", "b1159c4c.0", "2262:0001", "djmobilemenu.css", "GKLeaderboardScore.h", "fa5da96b.0", "ASAuthorizationPublicKeyCredentialRegistrationRequest.h", "Certum_Trusted_Network_CA.crt", "72-wan_ip_alias", "locate_plugin.h", "85-ntp", "tvalue.htm", "core_service.sh", "ipstat", "region.js", "overlay.js.pobrane", "ptrauth.h", "assign_restriction.html", "pycore_condvar.h", "jquery.djmegamenu.js.pobrane", "fe8a2cd8.0", "GlobalSign_Root_CA_-_R6.crt", "02-vnet.sh", "92-dynamic_route", "Certum_Trusted_Network_CA_2.crt", "1004:614e", "GKGameSession.h", "0af0:d155", "20-usb-core", "b0e59380.0", "30-fs-udf", "arping.sh", "default.script", "0af0:7311", "AuthenticationServices.apinotes", "vm_dyld_pager.h", "jquery-migrate.min.js.pobrane", "pppox-pppoetimer.sh", "19d2:0149", "19d2:0026", "WKError.h", "GCAxisInput.h", "ASAuthorizationPlatformPublicKeyCredentialRegistrationRequest.h", "Microsoft_ECC_Root_Certificate_Authority_2017.crt", "main.js.pobrane", "ipsec_generate_domain.sh", "upnp.html", "GCPhysicalInputSource.h", "49-ipt-ipset-tplink", "openvpn-client-routeup.sh", "zombie_monitor", "b433981b.0", "cd58d51e.0", "crt.sed", "00-ecsIfChange", "ipsec.secrets", "sha2.conf", "uci.sh", "QuoVadis_Root_CA_3.crt", "19d2:1009", "30-3g", "0408:ea17", "ppp-mod-radius", "url_filtering.html", "style.css", "f387163d.0", "19d2:0101", "https://vtbehaviour.commondatastorage.googleapis.com/0000d7e596a5738d6310974ef61ee238316ed03bc97d4cb358617932ad8d1ef2_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775977719&Signature=nkKRbhcDpxdw98on7aVclCyF9iaYOrdx7xghDa6jjq48R1HK6lCpP2H%2Fv6rxdPNWs11JoBFgE3MwA1ZYRN8Agx6yaHEpe7UOXVn2H3IXFXu5iRM5sSelXe0sVXAZNiCnIpmLyM8VdDWBLCF6TJhhCNb%2BA7JeJFY4BXuE0JCylFC6IfrK2KyhsCqwoOPL%2BxBN22zBWM88MDh7fIROoVS%2BgBZTK6Ae1KM9I0JmsvqNh%2BZskj06IC", "Trustwave_Global_ECC_P384_Certification_Authority.crt", "cpuid_internal.h", "40-fs-msdos", "S99dynamic_route", "dataTables.responsive.js.pobrane", "udp.h", "usb-net-huawei-cdc-ncm", "handy.h", "https://www.joesandbox.com/analysis/1041402", "ar9533_switch_portVlan", "0d46:45a1", "12d1:1f09", "cleanTMP.sh", "jquery.cookie.js.pobrane", "S46nat", "su.js", "S99zbalance_loop_reset", "0af0:9000", "60-dnsmasq", "WKWebpagePreferences.h", "The environment leverages prioritywirreles.com as a high-fidelity DGA-derived C2 node, utilizing its historical resolution to Russian-hosted IP space (194.61.24.231) to maintain persistent Stealthworker botnet synchronization.", "30-fs-cramfs", "K50dropbear", "krpc.h", "99_10_run_init", "switch_portLimit.html", "alc.h", "12d1:1003", "preinit.sh", "logrotate.conf", "S47mac_filter", "l2tp-reload.sh", "dataTables.bootstrap4.js.pobrane", "25-nls-cp850", "network.sh", "1b7d:0700", "trap.h", "S47imb", "administration", "pkcs12.conf", "S99improxy", "perlsdio.h", "WebKit.h", "2001:a707", "0f6fa695.0", "if_ether.h", "0421:0622", "https://vtbehaviour.commondatastorage.googleapis.com/a041cbdeb64c802bde90e06f25213524b2eac500d6000da7e4caeb96e5de1991_VirusTotal%20Droidy.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775191439&Signature=evxsL1kaOuLe5KziYCSqZ56H%2FqXRQgEN0tkJo0j5G7JQ3mmO0Kav5K9LCz%2FUEzi%2BdtB%2B3%2B7VM6r9pC%2BMh7nHxT%2Bs8UAYuVXPE%2FUbBdHWMjvZQuqrZ0hHqIR2xHVB132HiYQWLo%2FgS1QATOfAcHci3X4FqmqvUp7A%2FmNsE1aVFbLc971RHQOuTapOGhiDZlVUyA9KvpMDKw0DzdeHFSlayBSrDDsWL7xW06XOf", "0af0:8400", "web_filter.html", "WKContextMenuElementInfo.h", "05c6:1000:uMa=AnyDATA", "5273a94c.0", "reload_config", "options.pptp", "0b3c:f017", "0af0:8700", "pptp-client-add.sh", "access_time_help.lua", "www-embed-player.js.pobrane", "rip_routing.html", "qos_public.sh", "30-atm", "pptp", "GTS_Root_R4.crt", "ipsec_monitor_tunnel.sh", "K91geoip", "EntryChangeHistory.aspx.js.pobrane", "0421:061d", "scope.h", "usb-storage-extras", "jquery.alerts.js.pobrane", "MCNearbyServiceBrowser.h", "19d2:0154", "0fce:d103", "07d1:a804", "des.conf", "1e09d511.0", "92-pppox-vpn.sh", "pmap.h", "libkern.h", "IOUSBHostControllerInterfaceDefinitions.h", "https://www.massbroadcasters.org/eeo-organizations/marshfield-high-school", "GKSavedGame.h", "S99lldpd", "vpn_user.html", "1e08bfd1.0", "https://vtbehaviour.commondatastorage.googleapis.com/100a90c0ff019b19f0f2622cfa529d874f580b2ac6257d018e5eb9ab6d861f44_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775281812&Signature=jttp%2BTn66O5EfEB%2FASdpjDONf%2BzydGtfIUy3AtwYz0ppPzVA88%2BzZ8LtzV0TDhkMiju4oLHr%2BauJnKYexqnF0MfNTXGKPfj3ux9oZ2%2Baqve%2B3xgapdwdz0N64RgWo3SBqCKFBOQmi57mqIy%2F8qgnAfdVX99BwF2BuRSYSbIjNW5NHjir1JrAAKwOHZFyNsKj99PImyug2FPpRnss8VrJvDyYdnaGLHIAbZMRl72V", "89-remote_mngt.sh", "dns_cache.html", "ASAuthorizationError.h", "https://hybrid-analysis.com/sample/beff391ce640cc8fdfcec22b77c5d2bc4776304e3a404e8168ce315226c4fc41/5eae8f731389173b4c432b17", "IOUSBHostCIPortStateMachine.h", "S68online", "ASAccountAuthenticationModificationUpgradePasswordToStrongPasswordRequest.h", "http://www.plix.net", "12d1:1c1b", "icmp_var.h", "jquery-ui.js.pobrane", "INUIEditVoiceShortcutViewController.h", "WHOIS data anchors administrative and technical operations for prioritywirreles.com in Los Angeles, CA (90064) via Namecheap infrastructure. Following its 2020 expiration, the domain has transitioned into redemptionPeriod/pendingDelete status, signaling the formal decommissioning of this C2 asset.", "sysctl", "04cc:226f", "GCKeyNames.h", "98-ipt_url_dns_match", "OISTE_WISeKey_Global_Root_GB_CA.crt", "utils.sh", "12d1:1c0b", "INUIAddVoiceShortcutViewController.h", "https://vtbehaviour.commondatastorage.googleapis.com/bc3cc97398d5f56a4731085e8a385694f6ef1ab37243c6c00deed4a1335ced55_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775281954&Signature=Tythlx%2B0x7Dzf2SYvJDgwby2Ifinb7IbK5GTx%2ByqvqVc1r4cz7rhoVD3NZqUAgUpxSkIAsRAK5WV5tMXUGiiB6JWp8Y9YmaL7Zhb5NxMBcodk57r7XhYzEbDxYg%2Fh1ChwMliA5cBr%2BXbUcW4q2aA4xQeNE1XVNpalGtyHh8bsDTKgQG0Ch1gikPF%2BeKc2ANprXe6z%2FJBXtqJBxh6%2Bem6fGON6%2BpRP1%2BgmNg4%2FtFnlQ", "state_gen.lua", "base-files", "406c9bb1.0", "https://hybrid-analysis.com/sample/41859e0b198fbe88772ef12c577023c0481ec19867e410bab335e67fea87c1bb/642ca80cde2048242a0e097d", "ASAuthorizationProviderExtensionAuthorizationResult.h", "boot", "MapKit.tbd", "hosts", "pptp_server.html", "openvpn_tunnel.html", "MCSession.h", "rtl8367s_switch_init", "sddm-auth-52b94a64-454a-4d7f-903e-32df6aac784a", "https://www.googletagmanager.com/gtag/js?id=GT-NNS2QH6C", "ndppd", "python3.pc", "12d1_0003", "1e89:f000", "12d1:1413", "profile", "vm_kern.h", "command.gcom", "Everyone has simply asked you alll to stop. Target never asked anyone for money.", "ppp.sh", "certSIGN_ROOT_CA.crt", "attach_timeobj.lua", "05c6:f000", "al.h", "pd_server.sh", "03179a64.0", "257a:d000", "power", "ANF_Secure_Server_Root_CA.crt", "https://static.xx.fbcdn.net/rsrc.php/v3/ys/r/FtcggJWVWTF.js?_nc_x=Ij3Wp8lg5Kz", "EXTERN.h", "number.js", "ssh.lua", "25-ddns", "IOBluetoothServiceBrowserController.h", "vars", "ceidg-master.js.pobrane", "nostdio.h", "11-led", "S65wifidog", "12d1:157c", "S99zzzcloud_proc", "jshn.sh", "tmp.QMAjonKZB0", "slider.js.pobrane", "12d1_0002", "sys_monitor.conf", "WKPreviewElementInfo.h", "get_option.lua", "pre_setting_config.sh", "ar8327_switch_8021Qvlan", "metaconfig.h", "K71hwnat", "1d09:1021", "0af0:8201", "md5.js", "enable_service.sh", "E-Tugra_Certification_Authority.crt", "archive.cop.supply \u2022 dev.cop.supply \u2022 https://cop.supply/ \u2022 https://cop.supply/bot-lists/", "1782:0003", "ldap_check_result.sh", "ips_whitelists.html", "S80websort", "system_params.html", "leds.sh", "31-iptunnel4", "dictionary.compat", "find_target.lua", "kdp_en_debugger.h", "15eb:7153", "ddm.html", "12d1:156a", "cn9130_switch_init", "animate.ext.css", "certSIGN_Root_CA_G2.crt", "options.pptpd", "unicode_constants.h", "09_fix-seama-header", "preview_wportal.html", "99-ipt_tpconnlimit", "qos_Class_role.html", "filter", "25-nls-iso8859-6", "advanced.html", "status.js", "ASAuthorizationWebBrowserSecurityKeyPublicKeyCredentialRegistrationRequest.h", "pppox-functions.sh", "pppv6-share", "ie.css", "ssl_vpn_auth_radius.html", "WebGPU.tbd", "ASAuthorizationPublicKeyCredentialAssertionRequest.h", "GKMatchmakerViewController.h", "05c6:1000:uMa=Co.,Ltd", "18-dnsproxyvnet.sh", "2001:a708", "customddns_set_url.sh", "97-upnp.sh", "qos_cid.sh", "12d1:1f02", "rt_tables", "runcommand.gcom", "filter_global", "b81b93f0.0", "cn9130_switch_portStatistic", "0421:062c", "0af0:7031", "GCDevicePhysicalInputState.h", "mt7628_register", "https://links.mail.samsara.com/s/c/P9R6gGlExR4nfCwqwJXUmr7NmKcMNde4ZBhCFprlVtsFNgh-4tuTWla0aXN9rIWCjrWtn0Vln7x-hexxVBlY3xxvnEevR8qJU5G5xV3__wo-X7kkpSOhJVfejac-Xk8qu6zs5Z-tILwWYRkNScZNGlAqfwQuJuRw5M-n_ZKI6tuY5XGCZAqWoQepi1NnJiW4wZJkzZlOwGtNkusbuKDcMsLVrrhji2eKh4kYgrJp_SeycJRhasLFCQ3c2bPu4sahEWpcHZrQBaxvdfQgTEno8kV-RJdTDO0zK5MyWDJLeds7mnaDrxlb0O2zmhebUdlHE0R0xHi25dympBUpMlLsQV8bx1WUTOfgK4k0ci9o_2Gbfe22-jLxsJN-msV6pxWYQMaxRNFd4iZRC9J9Z1SC5MBqbvNzqdt98kFdpibnv_QIHdhFyHOR_Ip_LX67Dncc8V8OvAi-H5phfeSyDzwdzf2FQIi82", "e868b802.0", "1fac:0151", "230d:0101", "2001:a403", "lan.js", "1fac:0032", "mt7621_switch_portState", "12d1:14d1", "https://vtbehaviour.commondatastorage.googleapis.com/00000722ff984d5cd9cd766d12c70eecc7a2ad7502999c5a99d582c79b92c1a6_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775978086&Signature=WBIzRJW%2FxjBBOf%2F0opd6hlj72t0fu7SbhJLmf%2FDLtoe3li5SgoZEYUg2Ogq0NvkC4WzbpRmzXeV1QmUY%2BooYwl%2BVNRjyw6fZqkbp%2FboMFSfQmgHU%2FQfi99Ch5BqGcNZge1bx9lbHBAP%2BY3QDDA3xzFU9c9aMJAaBlGjFT4TeXALcU00PEYHA95tX7zddbMc5uQhfHfn7fKlyKlmRq25jp6vA4xQImQFJc3s3pQ7WePxp", "locale", "19d2_0003", "mtab", "ee64a828.0", "zzzzzsys_info", "lz4_constants.h", "91-gre.sh", "OSBase.h", "support_bundle_commands.conf", "uconfig.h", "19d2:1171", "v6plus.sh", "WKNavigationAction.h", "99-ipt_TRIGGER", "30-policy_route.sh", "tddpd", "dpi_log_database.lua", "5f618aec.0", "jquery.easing.1.3.js.pobrane", "usb-printer", "aee5f10d.0", "failsafe", "Staat_der_Nederlanden_EV_Root_CA.crt", "access_ip_help.lua", "ramips.sh", "ar9533_register", "1004:61aa", "nginx.conf", "GCKeyboard.h", "types.h", "ar8327_switch_portMirror", "0408:f000", "page.js", "ar9533_switch_portStatistic", "2001:a80b", "remote_mngt.sh", "Obfuscation: XOR-based String Encryption (0x20)", "gre_common.sh", "https://vtbehaviour.commondatastorage.googleapis.com/a0fb314babd51dbc460ab126b615da4c6f9481f5d1225d0ac189da9d99923bb3_VirusTotal%20R2DBox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775189811&Signature=O96heM5BVAaltXSZInHXgIgK35KjLrLg%2FfKtFXVS%2BoRHTlfpZtn4LpFvolATpK7dED66Ms7SXpn8nX0i7j1IpuDOXOXSm112TOKIKVVPZJH5ppCD6uFYvhkfNcQGa%2FXK%2BDixyM%2BuqwGoJSFD6QzP8J2Iz1GyU4RYYWuB2C7ZD7LOWKlvxF%2F9LTAX8jFDLgFVsE3Og3cU8y3jK%2BenDPthRM6YFu3qewxpti7KVNwKeMJ", "base-files-essential", "12d1:1526", "19d2:1219", "2001:a706", "getcnum.gcom", "05c6:2001", "pppv6.sh", "0af0:d357", "Bluetooth.h", "S96policy_route", "ospf", "font_switcher.26.css", "login.4f52b876.js", "GCTouchedStateInput.h", "fakesdio.h", "cbf06781.0", "backup", "access.lua", "0af0:6791", "pptp-startup.sh", "S71hwnat", "uci_firewall.sh", "appdist_database.html", "https://www.virustotal.com/gui/file/207bfec939e7c017c4704ba76172ee2c954f485ba593bc1bc8c7666e78251861/behavior", "bootstrap.js.pobrane", "00-configlink.sh", "ASAuthorizationSingleSignOnCredential.h", "cli_base_cmd.tree", "106c:3b11", "19d2:1542", "l2tp-ipsec-delete.lua", "1a8d:1000", "0af0:6911", "ASSettingsHelper.h", "content.css", "Kerberos.h", "api_VPN.sh", "nat", "19d2:1420", "GCDeviceLight.h", "vm_memtag.h", "ASAuthorizationPublicKeyCredentialLargeBlobAssertionInput.h", "AdminLTE.css", "01-zone", "igmp_var.h", "protocol", "icmp6.h", "system_state.html", "chat-gsm-test-anydata", "nat_dmz.html", "GKSessionError.h", "40-qos.sh", "ASWebAuthenticationSessionWebBrowserSessionHandling.h", "note", "S85webfilter", "ip.h", "1d09:1025", "GKPeerPickerController.h", "Microsec_e-Szigno_Root_CA_2009.crt", "https://js.hscollectedforms.net/collectedforms.js", "1410:5041", "monitor", "firmware_upgrade.html", "html5.js", "jquery.ui.sortable.min.js.pobrane", "bootp.h", "WKPreviewActionItemIdentifiers.h", "getip.sh", "ubnt.sh", "cli_http_cmd.tree", "1bbb:011f", "vnet_init.sh", "sysupgrade", "dataTables.input.js.pobrane", "ipsec_vnet.sh", "nsswitch.conf", "GKLeaderboardSet.h", "19d2:1511", "0af0:7011", "zlib.h", "05c6:1000:uMa=DGT", "kpi_ipfilter.h", "K91network", "S89remote_mngt", "online_reload.lua", "qos_nf.sh", "AdID.tbd", "00-netstate", "https://hybrid-analysis.com/sample/4e4fa68c1c4d2cfee133c31432dd303bb5746f7094b5a6832a25e47e6279171c", "05c6:0010", "ipxr", "lz4_assembly_select.h", "GKLocalPlayer.h", "S96static_route", "fs-exfat", "signal.h", "12d1:1505", "90-vpn", "S42ippool", "10-firewall.sh", "chat-get-anydata_1", "portal_mgmt", "uhttpd", "mg_raw.h", "0af0:d257", "in_pcb.h", "core_forwarding.sh", "ASAuthorizationProvider.h", "acl_timeobj_v6.lua", "15-online.sh", "20-firewall", "cron", "GCControllerAxisInput.h", "howtoworkacrickoutofyourneck2.pages.dev", "Security_Communication_RootCA2.crt", "snmp.lua", "pcauth.js", "IOBluetoothUI.tbd", "19d2:0169", "99-vnet.sh", "string.h", "xl2tpd", "chat-gsm-test-qualcomm", "huaweiinfo.gcom", "50_indicate_regular_preinit", "25-nls-cp775", "switch_Parameter.html", "GKChallengesViewController.h", "IOBluetoothPairingController.h", "devstatus", "0af0:6751", "12d1:14b5", "LBresearcher: msudosos notes: The threat actor maintains operational longevity by rotating through WhoisGuard-protected nodes like prioritywirreles.com, which historically resolved to Russian-hosted IP space (194.61.24.231) to obfuscate its origin.", "getpinstatus.gcom", "zbalance_loop_reset", "cli_extra_cmd.tree", "tree.h", "https://www.googletagmanager.com/ns.html?id=GTM-PHWTRTJ", "S42service", "S46netbios_passthrough", "cbi.js", "ssl_vpn_server.html", "NAVER_Global_Root_Certification_Authority.crt", "web_group.html", "drop_caches", "Trustwave_Global_ECC_P256_Certification_Authority.crt", "0471:1210:uMa=Philips", "12d1:1031", "0471:1237", "773e07ad.0", "ASWebAuthenticationSessionRequest.h", "IOUSBHostInterface.h", "Persistent C2 Orchestration: This ELF:Agent-VW variant serves as a critical GoBrut node, utilizing XOR 0x20 obfuscation and ICMP/HTTP beaconing to maintain a persistent link across 1,834 domains and 797 unique IPs", "show_interface_status.lua", "sdhci-mt7621", "openvpn-instance.sh", "GCEventViewController.h", "cell-0.af-south-1.prod.telemetry.console.api.aws", "fieldset.js", "http://ww53.cookiesinfo.com", "smp.sh", "krb5.h", "qipc_systemsem_xFMOjWbQizvIQbjaGodBkPpoECFzUYyznnjEncea48051f6b8a69e2450843f1f32c0bb393e04349", "0fd1:1000", "0af0:8300", "e113c810.0", "proxy.js", "12d1:15cd", "60-dnsmasq.sh", "dnssecquery.sh", "controller.lock", "app.manifest", "https://www.plix.pl", "GCRelativeInput.h", "19d2:1232", "257a:a000", "module.modulemap", "e35234b1.0", "ASCredentialProviderExtensionContext.h", "api.sh", "map.htm", "ipgroup_group.html", "ipsec_sa.html", "one_nat.html", "cli_ospf.lua", "106f3e4d.0", "ASAuthorizationPublicKeyCredentialLargeBlobAssertionOutput.h", "05c6:1000:uMa=Option", "rules.html", "accountmgnt", "INUIAddVoiceShortcutButton.h", "https://www.criminalip.io/domain/report?scan_id=8544746", "cpuid.h", "unlock_pin.sh", "19d2:fff6", "chart.js", "l2tp-global", "01_leds", "DigiCert_Global_Root_G3.crt", "By maintaining a hollowed root posture, the sample facilitates persistent, low-signal synchronization with external cloud infrastructure while bypassing traditional heuristic trust-chain verification.", "zaphod32_hash.h", "getimsi_b.gcom", "99-wan_hook.sh", "vpn_peers.html", "e73d606e.0", "WKFindConfiguration.h", "D-TRUST_Root_Class_3_CA_2_EV_2009.crt", "rtl8367s_switch_portStatistic", "lvalue.htm", "perly.h", "_OSByteOrder.h", "diag.sh", "S42ipgroup", "0af0:7801", "usbmuxd", "unbound.conf.back", "time64.h", "https://vtbehaviour.commondatastorage.googleapis.com/a0fb314babd51dbc460ab126b615da4c6f9481f5d1225d0ac189da9d99923bb3_VirusTotal%20Droidy.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775189779&Signature=KfMCCyf96T3bMlo9SpmV1KGK0zKBbkhhSc6Ig5Hvwfx%2FTKTqEVBDXB28XNeWzWbCRTwCNnYlHV3Ed%2BMjcd%2B1aCTDYi5GH9Qw3msxqk5iKwRhzDIhfpM98SwOLC%2B7xZUAC60ecDmVDsjA9OOwOkJe87q3Rrx2lrU9%2BjuSJ1EdwI16qoJyd29sLcX7STTqAMHuzCjIixIOre64HAjpH4lt%2F8tSgE1A5Rs2V7PRHSX6ibKLD", "usb-net-asix", "setmode.gcom", "loadopenvpncert", "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739700&Signature=bOTo%2FxCpGDGOsIKJDZjBBhLZRg8UiOGi%2FvVr47Xpmh7tOh9dez7911bi%2F9SUdu4ATLhzRVog%2BdVP%2BUPwTuEfIdEcPuGRGVc1KOSP3fTQrKhRjF3x2dqykxVCH%2B1iqBmCgod%2B1uAdlraxqSOeOgst1l%2Bk250uXff4axktE%2BfGjeNDeGJao%2FfOMktqIL7zU8%2BIQYTObwelnnYx45FBSiXI1bWM4vhdgIX4cs2cT%2F", "GCDevice.h", "e-Szigno_Root_CA_2017.crt", "30_failsafe_wait", "embed.h", "ifstat-mini", "dos_defense", "4042bcee.0", "ipsec_failover_process.sh", "usermngr_backup.html", "shadow", "config.xml", "GCController.h", "mvalue.htm", "WKScriptMessage.h", "40-pppoa", "0ace:20ff", "pppoe", "19d2:ffe6", "3513523f.0", "2048_newroot.cer", "QuoVadis_Root_CA_1_G3.crt", "napt.html", "magnific.js.pobrane", "0408:1000", "GKGameSessionEventListener.h", "60-pptp-reload-rules.sh", "25-nls-koi8r", "mt7621_switch_globalLed", "106c:3b06", "AppleUSBDescriptorParsing.h", "ASAuthorizationPublicKeyCredentialAssertion.h", "cv.h", "access_dir_help.lua", "ifrestart", "2357:0200", "mg.h", "zone-450", "GCKeyCodes.h", "openvpn_client.html", "adminlte.min.js.pobrane", "https://static.xx.fbcdn.net/rsrc.php/v3/y7/l/0,cross/04QJzvjR9Wh.css?_nc_x=Ij3Wp8lg5Kz", "WKWindowFeatures.h", "0cf3:20ff", "tblsection.htm", "MultipeerConnectivity.h", "19d2:bccd", "12d1_0005", "cell_valueheader.htm", "smp", "usb_storage.html", "Entrust_Root_Certification_Authority_-_G2.crt", "S50qos-tplink", "url_filter", "template_responsive.26.css", "KerberosLogin.h", "99-nginx.sh", "INImage+IntentsUI.h", "basic.html", "8160b96c.0", "cpu.h", "get-vpn-gw.sh", "98_10_mtk_failsafe_init", "core_ipv6group.sh", "nat_config.sh", "90-xt_CTSTATEMARK", "0af0:4007", "653b494a.0", "freePolicy", "AppSandbox.tbd", "0af0:7301", "restorefactory", "22-imb.sh", "pagesettings.js.pobrane", "gmp.conf", "46-nat.sh", "ipt-tproxy", "257a:c000", "0af0:d255", "50-l2tp-lowerif-up-down.sh", "mt7621_switch_portPara", "arch.h", "ar9533_switch_portPara", "grid.js", "S42macgroup", "rc2.conf", "02265526.0", "ssl_vpn_tunnel_group.html", "http://ianswertomom.com/bible-verses-struggling-contentment-mom/ I", "S25zone", "0922:1003", "animations.css", "https://vtbehaviour.commondatastorage.googleapis.com/5dae281deccea2c5229861b4f2ff8c386da1726a836839961311896a6c9f5a69_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775189913&Signature=KduKv0QQf8IKhUUAV%2F0zpzpUmIU%2BEctpJKxUJlyu0Myu11iCQCXfXPprtMBAv5ifc4GLTHDiIuEAJwg%2B%2BHGWjun5ZKLKzoz8Ot2udHqFxvy6ZToPEC4Iui9vdRDHqosVaT77R1Tm1TGuyKVmwYTcow4klVAcpzEWanzWx1jHS42ARepJVrS3AFXHMaaBdTgr23jXcbmly1t3b8lwVilcsk2itdoprPpClQTzwYr1y7YV1%2FbYTDGocHnDwCYy", "dhcp.sh", "stdatomic.h", "AC_RAIZ_FNMT-RCM.crt", "19d2_0002", "OISTE_WISeKey_Global_Root_GC_CA.crt", "wizard.html", "0af0:6731", "vecLib.h", "vpn_wireguard.html", "S96backup", "S60monitor", "97-line_backup.sh", "70-backup", "WKDownloadDelegate.h", "hasownproperty.call \u2022 fireeye.grhd.", "http://www.AfterMarket.pl/contact.php", "76faf6c0.0", "ASAuthorizationWebBrowserExternallyAuthenticatableRequest.h", "26-openvpn.sh", "lanv6.sh", "hv.h", "pppox-reload-user.lua", "ASPasskeyAssertionCredential.h", "vpnlog", "S91wireguard", "ceidg.css", "de6d66f3.0", "1c9e:9800", "1ee8:0018", "qos_Band_ctrl.html", "static_if.h", "https://tria.ge/230809-vtdr2afd2t", "core_acl.sh", "invlist_inline.h", "70-pptp-ifdown.sh", "40547a79.0", "S50snmpd", "log_awk", "run-at.gcom", "10-policy_route.sh", "memory_types.h", "40-fs-nfs", "tcpip.h", "fontswitcher.js.pobrane", "42-ip6tables", "98-ipt_web_dns_match", "system.sh", "service.html", "bootstrap.min.js.pobrane", "S60url_filter", "openvpn_server.html", "ASAuthorizationSecurityKeyPublicKeyCredentialAssertionRequest.h", "12d1:#linux", "random.conf", "04e8:f000:sMo=U209", "interface.html", "pptpd", "account_mngt.html", "19d2:0304", "ASAuthorizationWebBrowserPlatformPublicKeyCredential.h", "https://vtbehaviour.commondatastorage.googleapis.com/bb46c18b5b2c98937c8fdfb7acd3e0fa4d0534cfc44d4b41ccd6db9198266fbf_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190605&Signature=Rcvj5v%2By7yAX52ap8q3zDGTMjVRQm1LkjuWyhDQUaO6QXR1Ld%2F1dD2QjluOGOuXNiW%2FMNP%2Bqj%2Bx6KtYCvttE847keFo1Em2Bm%2F8bv4vK%2FJL0nGIiz%2FatgO7O78LZZ1wkYwcfG5JZAj8VdjDlHQbuOIUz8Nahqt2JUyQ84z3OeH5d3%2BjV8NKW5SjGWQw4mcmjPQXUznoCsysLbjCd5sgZTpyLUdeFJcNKQPiNBURsJeiyCI5llz0j", "mwan3", "ffff_0002", "getimsi.gcom", "functions.sh", "directip.sh", "98-ipt_webfilter_match", "sierrainfo.gcom", "05c6:1000:uMa=StrongRising", "log_oops_recovery.sh", "luci-reload", "jquery.min.js.pobrane", "chat-modem-test", "mt7628_switch_portState", "25-nls-cp932", "firstboot", "f249de83.0", "emSign_ECC_Root_CA_-_G3.crt", "sha1.conf", "ipgroup_address.html", "dataTables.bootstrap4.css", "dynddns", "GKChallenge.h", "WKWebsiteDataRecord.h", "GKError.h", "ar8327_switch_portPara", "257a:b000", "1410:5023", "00-vpn_hook.sh", "12d1:1f19", "AFKUser.tbd", "1ee8:0003", "dhcp_static.html", "virtual_server.html", "mg_data.h", "rtl8367s_switch_portState", "vlan_relationTbl.html", "connect-directip.gcom", "IdenTrust_Commercial_Root_CA_1.crt", "S01spi_device_id", "dhcp6sctlkey", "12d1:1c24", "l2tp-client", "WKURLSchemeHandler.h", "fstab", "0408:f001", "dhcp_logrotate", "04e8:680c", "12d1:1009", "6d41d539.0", "NetLock_Arany_=Class_Gold=_F?tan\u00fas\u00edtv\u00e1ny.crt", "nat_napt.sh", "89-portal", "WKBackForwardListItem.h", "0af0:7211", "1ee8:0045", "plugin.js", "DigiCert_Assured_ID_Root_G3.crt", "S99zzzzzsys_info", "f0c70a8d.0", "apply_xhr.htm", "portal_mgmt_monitor.lua", "https://tria.ge/230806-j8tk9ahg7t", "textarea.js", "TrustCor_RootCert_CA-1.crt", "S45firewall", "system_routetbl.html", "Go_Daddy_Class_2_CA.crt", "S96sysntpd", "1636090b.0", "cloud_service.cfg", "unixish.h", "LBresearcher: msudosos notes: By exploiting Root Certificate Validation Failures, the StealthWorker (GoBrut) agent ensures that its 32-bit ELF binaries bypass the automated reputation checks enforced by major cloud providers.", "GCKeyboardInput.h", "timepicker.js", "switch_portStatistics.html", "xfe-URL-Serverhub.com-stix2-2.1-export.json", "ed09:1021", "ASAuthorizationPublicKeyCredentialLargeBlobRegistrationInput.h", "15-usb_mode", "l2tp-doipsec.sh", "1726:f00e", "22de:6801", "The pivot from cd398983... to this domain confirms a multi-year campaign (2019\u20132023) utilizing Namecheap-registered infrastructure to orchestrate wide-scale T1110.001 brute-force operations while bypassing standard PKI expiration checks.", "reference", "gre_init", "ASPasswordCredentialIdentity.h", "0af0:7251", "dynamic_dns_updater.sh", "XZ4AH-ABKPW-SQPBC-CYWES-BCG6V", "12d1:1f1e", "improxy", "97-mwan3.sh", "switch_functions", "style-simple-follow.css", "PCIDriverKit.h", "WKFoundation.h", "91-authlimit", "f3377b1b.0", "line_backup.html", "policy_route", "19d2:1523", "switch.sh", "firebase-auth-eich0v.pages.dev", "S50cron", "10-pppox-response-nat.sh", "0b3c:c700", "ASAuthorizationWebBrowserPlatformPublicKeyCredentialAssertionRequest.h", "GKLeaderboardViewController.h", "S70freeStrategy", "machine_cpuid.h", "byte_order.h", "072f:100d", "about.svg", "mt7628_switch_led", "The local environment exhibits advanced telemetry suppression within specialized skim memory regions, effectively neutralizing standard DMARC validation and Microsoft-integrated defensive protocols.", "csv2db.sh", "osui.sock", "0930:0d46", "usbmodem", "zone_init.sh", "nat_pt.sh", "WKURLSchemeTask.h", "check_switchmode.lua", "cc450945.0", "smschk.gcom", "19d2:0115", "add-service.sh", "https://cop.supply/supreme-bots/\u2022 https://cop.supply/useful-tools/", "50-l2tp-up-down.sh", "COMODO_ECC_Certification_Authority.crt", "99_end_sync.sh", "connect-ppp.gcom", "S95l2tp", "01-usb-led", "12_network-generate-ula", "daterangepicker.js.pobrane", "GCMouse.h", "TrustCor_RootCert_CA-2.crt", "device_info", "15-mii", "ipt-nat-extra", "Pivot-Ready Indicators (IOCs) Go BuildID: nGYES3pajdOmKy1i6Ghh/KO9ydOtZpXtoKtB0KHE-/iisNoniHgTbj_cV6M-uk/XmMYzkBiZs8NXMRZYTiT Telfhash: t1f303a0b3055d54e8b7f08907c7af7624cef6e0f726d078f169e278d09a72c826626874 Imphash: 9698f46495ce9401c8bcaf9a2afe1598 Vhash: 1e53f1a1b59ecb93f821c74b25d81e9f", "39-gre", "OSAtomic.h", "fastcgi_params", "UCA_Global_G2_Root.crt", "l2tp-server", "ASAuthorizationSecurityKeyPublicKeyCredentialProvider.h", "websort", "1410:5020", "S50radvd", "jquery-migrate-1.2.1.js.pobrane", "1ee8:0040", "config.sh", "https://www.virustotal.com/gui/file/3db36d262eb15c349b4b945e0b1d9772c262cd2b7d57c40ede429958daeab97e?nocache=1", "12d1:1f18", "timeobj_cron_api.sh", "S21tddpd", "param.h", "crypto-hw-eip93", "opcode.h", "ip_icmp.h", "machine_kpc.h", "19d2:1207", "uci-defaults.sh", "mt7628_switch_portPara", "subnet.js", "f39fc864.0", "ASAuthorizationCustomMethod.h", "ldap", "18-dnsproxy.sh", "GlobalSign_Root_R46.crt", "0af0:7706", "sbox32_hash.h", "90-xt_tplimit", "location.json", "Sneaker Bots Proxies Servers Cook Groups Cop Supply", "GCDeviceBattery.h", "SecureSign_RootCA11.crt", "21f5:3010", "0af0:6951", "WKWebsiteDataStore.h", "python-3.9-embed.pc", "05c6:9024", "DigiCert_Global_Root_CA.crt", "mt7628_switch_init", "OpenAL.tbd", "1ee8:0009", "05c6:1000:uMa=SAMSUNG", "19d2:2004", "19d2:1175", "10-motion", "nullsection.htm", "IOPCIDevice.h", "https://lordseriala.life/6337-zvezdnye-vojny-opornaja-komanda.html", "io.h", "avahi-daemon", "90-xt_dosdrop", "https://static.xx.fbcdn.net/rsrc.php/v3/yO/r/FMIZEwefrSt.js?_nc_x=Ij3Wp8lg5Kz", "ASAuthorizationPlatformPublicKeyCredentialRegistration.h", "S99smp", "12d1:15cf", "MultipeerConnectivity.tbd", "25-nls-utf8", "cli_accountmgnt_cmd.tree", "002c0b4f.0", "12d1:1030", "ASAuthorizationProviderExtensionAuthorizationRequest.h", "GKAchievementDescription.h", "05c6:1000:sVe=GT", "https://vtbehaviour.commondatastorage.googleapis.com/dd4ad645e4b48357a235c4726dd4cdfb587786e83dab43ffdec7a886bd84faca_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1774302565&Signature=i3hu8ImkubNWQD0sfo%2FbTMU7d53GPblauQdlllGvYz%2BQ6%2BjM6VcEDa9avXTeSNEa6P9hQaE4hgc%2BwiAoHFC4mBNUG6vnOGHA3%2BY2WSKJxaEpDAdscTpC2psmNHDnnRacbWKvk0EjBetinhY7sMCUkeqX7kw525XsW%2BcBB9%2FwQ3aYdvUazDLWV6wR7ZAPu%2BYCu5vPuXdyoPiTU%2FkysyXQyKtwHiWQQGCWffoBVfbnYqEN", "ASAuthorizationPublicKeyCredentialConstants.h", "1ee8:004a", "S99drop_caches", "3g.chat", "70_initramfs_test", "network_netinfo.htm", "reboot_schedule.html", "19d2:1224", "css", "AffirmTrust_Premium.crt", "lldpd", "reg_help.h", "vtysh.conf", "IOBluetooth.h", "xfe-URL-Enom.com-stix2-2.1-export 2.json", "ldap.conf", "6fa5da56.0", "opnames.h", "pptp-global", "LDAP.tbd", "fw", "0421:060c", "19d2:1038", "30-ipsec", "dhcp_lan_settings_standalone.html", "pppox-header.sh", "Researcher msudosos suggests the VirusTotal (Tencent HABO) behavior report may indicate a potential execution path from volatile storage at /tmp/EB93A6/996E.elf.", "https://www.loldrivers.io/favicons/browserconfig.xml", "cli_time_range_cmd.tree", "qos-tplink", "set_time", "ASAuthorizationPublicKeyCredentialDescriptor.h", "IOUSBHostDevice.h", "jquery.djmobilemenu.js.pobrane", "getcarrier.gcom", "05-liblogger", "https://vtbehaviour.commondatastorage.googleapis.com/100a90c0ff019b19f0f2622cfa529d874f580b2ac6257d018e5eb9ab6d861f44_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775281904&Signature=B9x8BUVCeldkVImU%2Bb%2B7d97Q9Y2suAJFE1HvxBCu6MQUOt52HrgAUTBIeXPKgNP0gKiqrr%2BwDvN7q637Ht6n5C9QhuTPI%2FhWTub0F22jsp8lU2Pvp2bS%2FlaSchLRN5gDngyPABgnaqYERICP8QQkwfaB9pY%2Bii1%2FAeel%2BIDGYwxPPfIcYevejNv2O%2F0J6qYRftrtXwa95pbsecrfOzH6bpF3AzHQrTLJAuZ%2B%2BykW", "jquery.scrollTo.min.js", "options.xl2tpd", "WKContentRuleList.h", "imb", "usb-net-ipheth", "ipc_pthread_priority_types.h", "nat_vs.sh", "1410:7001", "0fca:8020", "pubkey.conf", "WebKit.apinotes", "02_default_set_state", "vlan_network", "GKTurnBasedMatchmakerViewController.h", "directip-stop.gcom", "40_run_failsafe_hook", "IntentsUI.apinotes", "system_params", "ar8327_switch_portVlan", "sysctl.conf", "wizard.js", "30-fs-cifs", "0af0:7111", "chunk-common.72de4705.css", "057c:62ff", "dia_info.html", "05c6:2000", "qos_api.sh", "ipsec_tunnel.html", "16d8:6281", "ipt-nfqueue", "firmware_reboot.html", "12d1:1d50", "bf53fb88.0", "pio.h", "ips_setting.html", "noipddns.html", "AC_RAIZ_FNMT-RCM_SERVIDORES_SEGUROS.crt", "https://otx.alienvault.com/indicator/file/1831d8972bfae639576d10903c2d586e", "dhcp.lua", "su.full.min.js", "1bbb:f000", "https://voidpet.io/invite/scaredscared/1rpzxWXa61 \u2022 https://sex-doggy.net/tag/censored", "eed8c118.0", "Go_Daddy_Root_Certificate_Authority_-_G2.crt", "ASAuthorizationPasswordRequest.h", "paging.js", "Hellenic_Academic_and_Research_Institutions_RootCA_2015.crt", "openvpn-mgmt", "web_login.html", "https://vtbehaviour.commondatastorage.googleapis.com/bc20f137a2281fae2ee13f698e613e72c37f6b4eb6784653f284f11f4d83ba77_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190236&Signature=Fg7jPZWmHQO%2BH8GRQx%2FxSMq5Na7Oo9cN0HR99DHFY8svYTkPoerGELKx7Sf906aTDq2Rer45ajXeYPzzHTiab9NKqWR1JGHbaq0WapVqsRzvXz2QLuBhHoz50tIoVKnx8ZrN9HqHBQweg8nfN%2FWEoaHVlSgav3jhoNTnZAC%2Fa%2BsTLexjXFBIP2v4jpISAl82ESU%2FGZH64BtZpgIJz7RZXdDqZ3LF7JTgwG2JX94%2BOOSn3G14", "18-ipv6group", "S99phddns", "ar9533_switch_init", "platform.sh", "Trustwave_Global_Certification_Authority.crt", "ISRG_Root_X1.crt", "vm_map.h", "ar8327_switch_portStatistic", "bootstrap.26.css", "ar8327_register", "evdo.chat", "Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba5c9390e94bd4333b7fad186", "https://vtbehaviour.commondatastorage.googleapis.com/02b1749e96b257099d5bafaeb1fc502442b4e064cca63fbcf4fc52af34b6435d_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775283154&Signature=m%2BGdulpws9rcUoJIzr45sR5qJdIxK89UYb6GUJL6p7n4mgYV69NJWbc3Jslcn117UKHnbSYYtRZSBRhviHhLuWsbhUG199mW8iGDiwaarp%2BbvmEIw6OXF2MgVIh%2FrJYr8slRZbUwjd9t8dMWwn%2FM5DNq6AzLyBqpznrBoVrvlibZuA9pWsHraA3P24WyEGUlbWN3NqLfmJ6gDeCKRfG7zhubGI%2Bb8Wl8GaBCodOtX2LlrA", "web_security", "S90ndppd", "ssl_vpn_locked_user.html", "IOPCIDevice.iig", "mt7621_switch_portStatistic", "access_ctl", "1614:0800", "keyword.js", "pptp-option.sh", "stroke.conf", "19d2:0325", "igmp.h", "GTS_Root_R3.crt", "pp.h", "0af0:8900", "cell_valuefooter.htm", "1410:5030", "https://www.verizon.com/business/", "dpi", "0af0:7381", "97-load_balance.sh", "30-fs-hfsplus", "xF43MOjWbQiz+vIQbjaGodBk4PpoECFzUYyznnj8Enc=", "1-vnet_lanv6hook.sh", "10a9:6080", "perliol.h", "GCDirectionPadElement.h", "pppox-default-variables.sh", "16d8:700a", "1c9e:9e00", "fc5a8f99.0", "0408:ea25", "GCPressedStateInput.h", "03-vlan", "delegator.htm", "12d1:1f17", "EC-ACC.crt", "Certum_EC-384_CA.crt", "com_err.h", "1004:61e7", "12d1:14ad", "e8de2f56.0", "1bbb:f017", "48bec511.0", "qos", "GlobalSign_ECC_Root_CA_-_R5.crt", "cli_ipsec_cmd.tree", "core_ipgroup.sh", "S22rsa_check", "firewall.user", "custom_ddns.html", "GKMatch.h", "core_wportal.sh", "tcp_seq.h", "op.h", "25-nls-iso8859-8", "dns.army \u2022 www.dcopr.dns.army \u2022 www.glsyaiwjj.dns.army \u2022 www.wgmvk.dns.army", "patchlevel.h", "user-secrets", "daterangepicker.css", "30-fs-isofs", "rc.local", "ldap_profiles.html", "GameKit.h", "modem", "getstrength.gcom", "https://vtbehaviour.commondatastorage.googleapis.com/37efacb8411234dd9882d8d3a8709f492eb2ed252132da099a11be07c0b4ccb0_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190004&Signature=Nzt9YHY3Ji2VsLO1kvr7%2FyWWwOgo%2BCIoXyjtyshhzTGRxGzhcNdyKU9byPqyv%2F5YAzj%2BmNnDego3ImYeToBCbgyY%2BJJMmUKX6ZrUT1a2O4gv9eMyysIFgYhJ7ZpzyGIvHR5VSJlzPX0AWS81Ml7syDCjTGHikZ9G%2B%2B0cfDA0dhp%2FR7zhAp7yxB2jsDhz1kDY3nncYpjeVtj2o02Nt4JxPa5ML%2FvKBF%2FBHtOtBCqh%2", "https://vtbehaviour.commondatastorage.googleapis.com/bc3cc97398d5f56a4731085e8a385694f6ef1ab37243c6c00deed4a1335ced55_CAPE%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775281979&Signature=LrquDQAOc%2Bf90O7wkZ9lRNx5uIZopS4VL7qYn7UKkzTI19c7sNJWNdGeBPtnE%2FG4yxsv1tBxkoojr78E808e78vceGG2xskRT6tUTjtDo2c8JW%2FD9Mr5ZAVe8Cn%2BP%2BpCbBkZXbtaceCtVq0b9zVWx9YstN2ju69uofX50LbI%2FgmHh%2Bghta79DgdBrNmkcQEXDu7t%2FqSZSozfso9i%2BoSZdHXEfsU59hoc%2FhUSoPMEPGFU", "fixup-mac-address", "00-vnet.sh", "4304c5e5.0", "GKGameSessionError.h", "capture_resize.js", "nat.lua", "modem-gsm-test-qualcomm.gcom", "omada-tool.lock", "add_delete_tuple.sh", "gre", "Hellenic_Academic_and_Research_Institutions_ECC_RootCA_2015.crt", "pkcs1.conf", "ASAuthorizationCredential.h", "usb-net-qmi-wwan", "https://www.plix.pl/system/companies/logos/000/000/526/original/gigainternet-logo.png", "ips_stats.html", "https://vtbehaviour.commondatastorage.googleapis.com/100a90c0ff019b19f0f2622cfa529d874f580b2ac6257d018e5eb9ab6d861f44_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775281711&Signature=G81N%2BSvpl7rLMvDIGLovzSBK8YJzNBOTs7Ycfze1L%2BdFheZX%2BS6EbtlDx545BRgefMUoJSwn%2BdK4eRpYlyMGmHvkv2tw3apezXxBF5J95vedk3RlOzXgGUAvJvewt0RBBR9f9hiVn9CuYTHvY3Cf%2BVog32%2BRLrv8sMhZ%2FeqX0%2FhraP6leNtAta5iUv73pYWeMmdsQ7nX2EvTO7uUvGggX6TmnBhiHHd8E9uCsoPHCTP4i0", "https://www.criminalip.io/images/search/domain/category/icon_page_redirections.svg", "dc4d6a89.0", "OSTypes.h", "browser.htm", "GKMatchmaker.h", "12d1:#android", "DigiCert_Global_Root_G2.crt", "19d2:1013", "usb-net", "regexp.h", "vlan_vlanSetting.html", "ipsec_handle_iptables.sh", "diagnostic.html", "ipc_types.h", "AuthenticationServicesCore.tbd", "ASAuthorizationPlatformPublicKeyCredentialAssertion.h", "iptables.debug", "dpi_log_database.sh", "sysparams_net.sh", "ebcdic_tables.h", "90-xt_vlan", "wifidog-msg.html", "BluetoothAssignedNumbers.h", "S99zero_boot_done", "Comodo_AAA_Services_root.crt", "29-static_route", "userconfig.sh", "S20geoip", "90-xt_qoslimit", "jquery.maskedinput-1.2.2.js.pobrane", "pptp-client-update.sh", "1fac:0150", "system_mode.html", "daemons", "19d2:0110", "19d2:2000", "wifi", "pc_wifi.html", "https://vtbehaviour.commondatastorage.googleapis.com/68e1e958d101feb1044553d3e8ba341448a17d917e4b613cb05873814159ed40_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775282913&Signature=TKCWJVTu8VHNWLhsI%2BkIN06KJgV4R1%2F2oO9G3V2x%2Bdxi14E9JDPHosmNkN%2Fk02BRc0I8Yg4HJPmcxjdAvb8mTCZjA10bizFznZC3epwH0hmoxTVgryMxpD%2B7zTQqKIRpE9UGGC1WSu0CTJ3rI9dCyopLkmeiyJPVw%2BIuERp37p2MEwzwwIPRuYpB190GfOdCkGt6TuMjDG6cVa%2BxvJlEdoEw8US6W8WPaioxSu1KVCoKjwky", "c01eb047.0", "GCDevicePhysicalInputStateDiff.h", "e36a6752.0", "SSL.com_Root_Certification_Authority_ECC.crt", "msg.js", "ngx_init.lua", "usbModem.html", "dropbear_rsa_host_key", "GlobalSign_ECC_Root_CA_-_R4.crt", "19d2:1216", "S96cmxddns", "js", "ASAccountAuthenticationModificationViewController.h", "064e0aa9.0", "animate.min.css", "1266:1000", "zzddns", "makeapornsite.com \u2022 https://pornhighschool.com/ \u2022 https://ethnicerotic.com \u2022 https://twitter.com/Make", "pptp-get-tuunel-info.sh", "IOUSBHostControllerInterfaceHelpers.h", "https://vtbehaviour.commondatastorage.googleapis.com/1256f3aa5f091ac40a573113fcc1a4d0e320af5ee363b0eca79618602cb7dc66_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190083&Signature=a1bnyt5OUcTN8ONeNVqbY%2Fe%2FDVJ2N3olQ9r59dijMLLegF84xQDghj0r6VPdFB8fc%2B3QTcJqhpm6vag1pK9us%2F3UqDJ3Yubf%2FukjL4GMKXDdMSggljB7d%2FpkTraQysnttspVal56LzXitjgIEGYZTidKcIv5LM6YH4zCAXn%2BVueaBNIgpcDS0RuX8fVAQYOeftW9AiEz2TZzx1BT6KUgoj0Tzetn4k541357bb58K1w9n9QV1", "quick_setup.html", "omada-tool.conf", "1bbb:00ca", "atomic.h", "GKDefines.h", "ipv6group_address.html", "vutil.h", "chat-get-qualcomm_1", "noipddns", "usb-net-cdc-ncm", "usb_firmware_upgrade.html", "popen_spawn_win32.py", "04cc:225c", "dynddns.html", "UNDTypes.defs", "0af0:8302", "9482e63a.0", "access_func_v6.sh", "url_escape.sed", "15-mwan3", "18-ipgroup", "19d2:1001", "057c:84ff", "pp_proto.h", "00_start_sync.sh", "30-fs-jfs", "authlistCheck.lua", "Attacks are being carried out by The State of Colorado", "sysctl.h", "WebDriver.tbd", "slider.js", "90-portal_mgmt", "30-veth", "ca-certificates.crt", "GCInputNames.h", "https://vtbehaviour.commondatastorage.googleapis.com/3b145ee102848506dc7551758ee869b43a1753f06fabcbcf9ca574cb7843d60e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775978199&Signature=N0Ry%2FbV%2BEAaGir5ToqgdLRpeg4LWS2qRlbG%2BPBgtoRM6IQyD7i%2FhtGHNcbCN9KZuxWP1kCJkqKu4dA%2BNcMjY450Zs5KmCD%2B78YZCte4YHq%2F3f2T0AuO7ero3nBCqlX8fVA62q8eDZQiroHG4hX0gMIaxBXDwUeQa0F%2FQpNa72K2aN4rAajClR%2BuBVPy1fnaokrr7bsvK6JvnhFwrTdLQq6%2Fd%2BulnVIbTCK1oSGXF", "ipt-nat", "04_handle_checksumming", "dyn3322ddns.html", "auto_backup", "12d1:1f1b", "S50queueventd", "GKFriendRequestComposeViewController.h", "upnp", "30-fs-configfs", "60-dhcpsvnet.sh", "xauth-generic.conf", "40-qos", "monotonic.h", "qos_ifgroup.sh", "rip", "12d1:14b7", "80-fuse", "1004:6156", "Network_Solutions_Certificate_Authority.crt", "responsive.bootstrap4.css", "0af0:6811", "openwrt_version", "dnsmasq.conf", "TUBITAK_Kamu_SM_SSL_Kok_Sertifikasi_-_Surum_1.crt", "05c6:1000:uMa=SSE", "socket-default.conf", "S96default_balance", "ASAuthorizationPublicKeyCredentialRegistration.h", "passwd", "91-xt_authlimit", "https://vtbehaviour.commondatastorage.googleapis.com/ba49f65ef5d694311c535991812ee2fa8f0c639f4e053d136c1161b8b1bfaf8f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775282803&Signature=CE28%2B8Orp96YBz3AWi4L4LJoj5B677T4lpyJl4VIG%2BN68qLtOorzpmY%2BdQgPcKJxqxcvmf3JmeA2zAZFyVdmEzznUnaiSY6xhbkbZ8nrReWLN9MBQZJuFd6by3aYlQoYFg2Bxu5d%2FLEAxWm4ljnJApBcv1csUNbJ8KxjkdXXAyPkiWPwMc4JDmXrnH5%2FXBQ7Tf1qxmze1lX2S5QvktDVUA3Bdn67nGtMvguY5EIl7tj1AezbuTFM", "MCNearbyServiceAdvertiser.h", "vecLibTypes.h", "GKTurnBasedMatch.h", "simpleform.htm", "dpi.sh", "network", "flood_defense", "xdr_subs.h", "16d8:700b", "WKWebView.h", "22-access_ctl", "S80usbmuxd", "_limits.h", "dhcps.sh", "19d2:1030", "embedvar.h", "T-TeleSec_GlobalRoot_Class_3.crt", "XSUB.h", "12d1:15e7", "Certigna_Root_CA.crt", "ASEProcessing.tbd", "0af0:7051", "config.h", "ASAuthorizationAppleIDButton.h", "dictionary.ascend", "ifstart", "mime.types", "S47flood_defense", "Amazon_Root_CA_4.crt", "Entrust.net_Premium_2048_Secure_Server_CA.crt", "textbox.js", "jquery-3.0.0.js.pobrane", "gv.h", "panel.js", "https://static.xx.fbcdn.net/rsrc.php/v3/ye/r/1pdBd6ULIhq.js?_nc_x=Ij3Wp8lg5Kz", "libstdc++.so.6.0.21-gdb.py", "S98ipsec_failover", "WKFindResult.h", "md5.conf", "cn9130_switch_globalLed", "tcp_timer.h", "wifidog-init", "embed.html", "mmc", "interface_wan_standalone.html", "0fce:d0e1", "ar8327_switch_portRateControl", "cli_show_iface_cmd.tree", "96-phddns.sh", "30-fs-hfs", "99-balance_route", "nat_common.sh", "UNDTypes.h", "GCDualSenseAdaptiveTrigger.h", "password.js", "0af0:6771", "0fce:d0cf", "lib-textsearch", "wireguard", "wportal.html", "dropbear", "https://www.criminalip.io/asset/report/69.166.14.38", "upnp_api.sh", "pptp_client.html", "ASPublicKeyCredential.h", "Entrust_Root_Certification_Authority.crt", "button.js", "uudmap.h", "16d8:6804", "GCMouseInput.h", "WKContentRuleListStore.h", "54-usb3", "GCControllerDirectionPad.h", "19d2:0103", "ipt-iprange", "protocols", "WKPreferences.h", "tabcontainer.htm", "1c9e:9401", "ips_signature_suppression.html", "2001:98ff", "OBEX.h", "WKNavigationResponse.h", "1de1:1101", "jquery-noconflict.js.pobrane", "30-fs-vfat", "19d2:1520", "usb-mode.json", "ASAuthorizationWebBrowserSecurityKeyPublicKeyCredentialProvider.h", "arp_list.html", "vm_fault.h", "scripts.js.pobrane", "vpn_general.html", "WKFrameInfo.h", "ASAuthorizationAppleIDProvider.h", "75d1b2ed.0", "network_arch.sh", "openvpn_user", "f30dd6ad.0", "ASAuthorizationPasswordProvider.h", "vm_pageout.h", "firmware_factory.html", "10-mount", "wechat_wifi.html", "Amazon_Root_CA_3.crt", "arp_defense", "ASAuthorizationPlatformPublicKeyCredentialProvider.h", "2077:1000", "add_delete.sh", "switch_portMonitor.html", "switch_portStatus.html", "https://www.findagrave.com/memorial/139047900/peter-deftos", "bootcount", "usermngr_user.html", "modem-gsm-test-anydata.gcom", "12d1:14c4", "nand.sh", "json2.js.pobrane", "1da5:f000", "rc.common", "30-fs-xfs", "ar8327_switch_led", "set_fan.sh", "4bfab552.0", "S26time_setting", "qos_state.sh", "UNDReply.defs", "freeStrategy", "cli_interface_cmd.tree", "cn9130_switch_portRateControl", "https://js.hs-scripts.com/3844463.js", "99-ipt_urlset_target", "encode.h", "remote.js.pobrane", "form.h", "IOBluetoothObjectPushUIController.h", "GKChallengeEventHandler.h", "delete-service.sh", "locks.h", "10-fstab", "remote_mngt", "https://vtbehaviour.commondatastorage.googleapis.com/edb4c21d60daa44b3429e7ba9bfa342759ebef23c136c934f74aef145453ce19_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775737710&Signature=fbsokraSd7lsYmUfaTEl8Phs2K3hp7AtVmQU9axeEBcYmYbrrYrrfpP5lPEQaE%2Fh3%2BEP9Rn8mD8D1haqQVXCN0VVlxJ4sddjWmyC5USsgBsvUb0%2F72h1WHDS2KXHlteZWE%2Bauckabain9D5kX501AnqFY38s77OIqO6SMOkQ%2BvXiDSSRK%2FZhbfradBnei3ZLHsXGxkoshTyvB0%2BC%2F8SiUzdVsqSjik0Bn2r%2BIlLpDQK90GlZTD0N", "WKProcessPool.h", "dns_doh.html", "switch_port.sh", "zone_conf.sh", "230d:000d", "230d:0003", "kernel-netlink.conf", "application_filter.html", "19d2:1528", "12d1:101e", "utfebcdic.h", "25-nls-iso8859-2", "1076:7f40", "_types.h", "1bbb:022c", "GCSwitchElement.h", "S42ipv6group", "6to4.sh", "0af0:6971", "GCRacingWheel.h", "WKNavigation.h", "7aaf71c0.0", "0b3c:f000", "12d1:14c3", "magnific.css", "90-urlset", "session_monitor.html", "S00zombie_monitor", "12d1:14c5", "29-fs-fscache", "Cybertrust_Global_Root.crt", "search_impl.js.pobrane", "GKSavedGameListener.h", "S01led_early", "acl_wanhook.lua", "pptp-global-setting.sh", "GCExtendedGamepad.h", "0df7:0800", "https://maps.googleapis.com/maps/api/js?sensor=false", "0af0:d033", "60-mac_filter.sh", "04cc:2251", "nat_log.sh", "phddns.html", "GCGearShifterElement.h", "S70usbshare", "apfs_boot_mount.tbd", "Entrust_Root_Certification_Authority_-_G4.crt", "K26pppox", "dynamic_dns_log.sh", "9c8dfbd4.0", "waitingbar.js", "OSByteOrder.h", "custom_dhcp", "30-gpio-button-hotplug", "ipt-nathelper-extra", "0fce:d0df", "ipv6group", "editor.js", "19d2:1179", "Admin.tbd", "25-nls-cp864", "wechat.html", "16d8:f000", "19d2:0083:uPr=WCDMA", "99-hotplug_done", "05c6:1000:sVe=Option", "dynamic_dns_functions.sh", "d6325660.0", "led", "30-fs-reiserfs", "l2tp_client.html", "02-usb-auto-scan", "extended_layouts.26.css", "dhcp6c.sh", "106c:3b14", "K90ipv6", "oalStaticBufferExtension.h", "1c9e:9e08", "19d2:ffde", "S40fstab", "usb-net-rndis", "his technique allows the GoBrut/StealthWorker agent to circumvent automated revocation checks, enabling its decentralized C2 infrastructure to recruit Linux hosts via high-velocity credential exhaustion.", "snmpd-static", "Legal court documented agreement to allow and pay target to hire cyber investigators", "UE_pl_top_sm.svg", "d887a5bb.0", "markdef.sh", "AffirmTrust_Premium_ECC.crt", "system", "pptp-server", "ca6e4ad9.0", "bridge.html", "qos_VoIP.html", "IOUSBHostControllerInterface.h", "rtl8367s_register", "2020:0002", "12d1:14fe", "hv_func.h", "switch", "ASPasskeyCredentialRequest.h", "20-firewall.sh", "32-ip6-tunnel", "core_global.sh", "3bde41ac.0", "l2tp-functions.sh", "GCMicroGamepadSnapshot.h", "hotplug-call", "regnodes.h", "dnsproxySecurity", "splitaccess", "inittab", "portrange.js", "dhcp6s", "countrygroup", "access_control.html", "S47administration", "ASCredentialIdentityStoreState.h", "options.l2tp", "interface_mac.html", "25-nls-iso8859-1", "queueventd", "cloud_config.cfg", "ar9533_switch_portState", "rtl8367s_switch_portPara", "20a6:f00e", "ipt-compat-xtables", "cn9130_switch_portMirror", "40-bonding", "emSign_ECC_Root_CA_-_C3.crt", "INTERN.h", "GLOBALTRUST_2020.crt", "12d1:1f1c", "popper.js.pobrane", "ipt-core", "tcp.h", "S99ipv6", "url_func.sh", "chat-modem-configure", "tip.js", "gssapi_krb5.h", "1c9e:6000", "https://static.xx.fbcdn.net/rsrc.php/v3iLl54/yO/l/en_US/9t3PW1CRLNe.js?_nc_x=Ij3Wp8lg5Kz", "snmpd", "IOBluetoothUtilities.h", "https://otx.alienvault.com/indicator/ip/198.49.23.145#:~:text=CIDR:%206%20%7C%20CVE:%20107,infrastructure%20into%20global%20botnet%20clusters.", "WKNavigationDelegate.h", "usbshare", "ar9533_switch_portMirror", "ASCOSEConstants.h", "done", "54657681.0", "607986c7.0", "S15loggerd", "19d2_0004", "S90portal_mgmt", "96-cmxddns.sh", "S83web_security", "b7a5b843.0", "19d2:1517", "openvpn-server-up.sh", "chunk-vendors.0cdf10f0.js", "rtl8367s_switch_portMirror", "valueheader.htm", "1ee8:004f", "GCColor.h", "3e44d2f7.0", "1c9e:98ff", "https://i-want-to-start-an-onlyfans.pages.dev/favicon.ico| I bet you do boo boo", "99-mdns.sh", "core_interface.sh", "02-split_access", "online.html", "dnssec.html", "WKSnapshotConfiguration.h", "https://static.xx.fbcdn.net/rsrc.php/v3/y3/r/U86edKxQdCC.js?_nc_x=Ij3Wp8lg5K", "IOUSBHostPipe.h", "32-ipsec6", "geometry.js.pobrane", "network_netlist.htm", "12d1:1446", "ecs", "dictionary.microsoft", "40-fs-nfsd", "DigiCert_Trusted_Root_G4.crt", "services", "90-xt_multinetdev", "auth_port_modify.sh", "ifdown", "embed.js.pobrane", "core_init.sh", "cli_ssh_cmd.tree", "buttongroup.js", "login.html", "19d2:1007", "https://vtbehaviour.commondatastorage.googleapis.com/fa8a59149604c73572bf92b42640de49faa7e8f16cd4bc18345d3e6a16378744_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775282019&Signature=VwsuvdyY52E5jzftipHSNWVrwmO7YUwSQa9yHiMIgbsXcJDnDNcdELamMXjmvzDn%2FT6L5HguJFyj%2F4DHLmPfddzVphNAKCPvz3IRVae2piJ%2B8VWa2%2B98W3RjMft93LZhdNHwxeEYM8oJ%2FOjAjw%2FIicginJBUwlGeHX3kfTJieSEC7SYf6BkJ4UNfnF2pPQjiaAqG9mop%2FPKsB%2FF1K%2FrL7Rpsxwhl1rGglHYPM4%2BtJj6zDYx%2F", "loggerd", "error404.htm", "0af0:7501", "K25zone", "12d1:14c1", "https://www.loldrivers.io/js/bundle.7cd1a644ff4540d19bfa43f193df74afce746a0213920f45d73bf720542f682d81b6ad0320242744d332512cfb63eac5790fab1a240d6e6c8cb89f25fcacfbd7.js", "portal_status.sh", "https://vtbehaviour.commondatastorage.googleapis.com/5dae281deccea2c5229861b4f2ff8c386da1726a836839961311896a6c9f5a69_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190298&Signature=eEF6m7QHRnKk%2FYB374HxqU2TE0p8gXC9CWwIHPT7M6fEZKjeFUEmUEbqdupsD2hQQbkW%2Fmijo2rSEQ30q3EAyR9aQO3m6L91A6osc3kDipeyZqFrIqoj6wIe8MJGuRf4OC9cVAWipGYXPG5bqc3v6RUHir9MeLOggoGjalexCwBgs3SsGyhqU1uWZdJ%2Fs4nUbHyIJGc3FB9OrnhDRuGPdkfPSOA09hfujcul91zQNws4dznvmM", "1fac:0130", "dhcp", "05c6:6503", "Buypass_Class_2_Root_CA.crt", "https://www.criminalip.io/domain/report?scan_id=8544687", "GlobalSign_Root_CA.crt", "tcp_private.h", "25-nls-cp852", "19d2:1588", "1ab7:5700", "S99sys_monitor", "cli_access_cmd.tree", "00-vnet_client.sh", "routing.lua", "wireguard-down.sh", "0421:0610", "freeStrategy_backup.sh", "S95mwan3", "https://www.icloud.com/attachment/?u=https%3a%2f%2f%cvws.icloud-content.com", "kdp_callout.h", "jquery.session.js.pobrane", "GCTypes.h", "jquery.feedbackBadge.min.js.pobrane", "hardware.txt", "remote_mngt.html", "98-ipt_urlset_match", "_mcontext.h", "https://vtbehaviour.commondatastorage.googleapis.com/970fdc4da66bc8fff977698c150fc6ebdf9488356ed41ded52d2659830ec5353_VirusTotal%20Droidy.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775189984&Signature=f%2FZZkKTu5zUihkCuCj%2F0pEGmBjWWBiZRDmREgGkkkKvTyR7M5iC0oLGYfaL6WibiUB6pQirxgBtEcS2JtupD291Or3j7%2BKoyngW7R9uf%2FjjWQwfC5YHKjNutT6K5TYuEmzySVs9onhIBSjj4U%2Bi2q%2FMJmQFiDtFZHfcyy00LYqbAbBwEAUnVJZUdH6FvNBu4ArU26VDLDwv1nMSgEjxUWBCwiP4HXlwL5%2BxU6y0eTc2", "0471:1210:uMa=Wisue", "cli_show_interface_status_cmd.tree", "v6plus-dial.sh", "12d1:1582", "GKLeaderboard.h", "ppp", "0922:1001", "cn9130_register", "Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.crt", "Amazon_Root_CA_2.crt", "revocation.conf", "99-xt_l2tp", "Trump Support campaign \u2022_\u2022 lantana-mgmt.washington.palantircloud.com \u2022 containers-reishi.palantirfedstart.com", "UE_pl_top.svg", "ASAuthorizationOpenIDRequest.h", "l2tp-server.reference", "40-scsi-core", "4f316efb.0", "https://serverhub.com/modules/system/assets/js/framework.js", "lib-crc-ccitt", "snmp.html", "online_check", "encrypt.js", "MCPeerID.h", "pal_routines.h", "dictionary", "ecmp.sh", "ASAuthorizationAppleIDRequest.h", "https://loldrivers.io/", "ips_blacklists.html", "S97session_limits", "12d1:1414", "pppox-remote-management-get-ippool.lua", "cmxddns", "dnsmasq", "rpcv2.h", "198f:bccd", "treestore.js", "68dd7389.0", "usermngr", "19d2:0266", "search_tty.lua", "backup.sh", "65-wifidog.sh", "https://js.hsleadflows.net/leadflows.js", "19d2:0166", "radius.conf", "244b5494.0", "feature.h", "7f3d5d1d.0", "nat_one.sh", "0af0:8006", "Secure_Global_CA.crt", "19d2:1237", "T1110.001 (Brute Force: Password Guessing)", "ecsIfName", "interface_mode.html", "error.html", "930ac5d2.0", "canvas.html", "GCDirectionalGamepad.h", "access_control", "jquery.inputmask.min.js.pobrane", "201e:1023", "account.2ca6a054.js", "99_10_failsafe_login", "qos_delete_rule.lua", "snapshot", "https://hybrid-analysis.com/sample/ab4672795b872e01bc7411fec294eab22d54e97b133769a3de306d9633fa24d6/5efec3f6b03bcb74f200310b", "25-nls-cp862", "05c6:1000:uMa=Vertex", "ipgroup", "626dceaf.0", "pppox-begin-reload-user.sh", "ar8327_switch_portState", "98-load_balance", "ippool.html", "12d1:1520", "1c9e:9d00", "mbimfind.lua", "https://cryptobit.live/build/assets/app-CkRYqsKL.js \u2022 cryptobit.live \u2022 t.page \u2022 cdn.wallets.cryptobit.live", "WebKit.tbd", "mwan3-tplink", "30-v6plus", "charon.conf", "cast_sender.js.pobrane", "common.sh", "0af0:d055", "SSL.com_EV_Root_Certification_Authority_ECC.crt", "1004:613f", "interface.lua", "openwrt_release", "fips-prf.conf", "perl.h", "12d1:1da1", "starter.conf", "S99switch", "ssl_vpn_user.html", "feffd413.0", "enablemodem", "vm_compressor_algorithms.h", "TWCA_Global_Root_CA.crt", "IOBluetoothUserLib.h", "qos_polling.sh", "10-sysctl", "12d1:14ba", "Hongkong_Post_Root_CA_3.crt", "parser.h", "8d86cdd1.0", "ef954a4e.0", "https://www.criminalip.io/asset/report/114.215.222.125", "usb-net-cdc-mbim", "cli_server", "1bbb:000f", "main.sh", "online_api.sh", "S99zzomada_server", "https://clear.ml/infrastructure-control-plane", "radvd", "controller.conf", "l2tp_server.html", "ASAuthorizationPlatformPublicKeyCredentialDescriptor.h", "excanvas.js", "cli_routing_cmd.tree", "getcardinfo.gcom", "mdns.html", "S10system", "nfsproto.h", "l2tp-ipsec-up-down.sh", "TrojanProxy:Win32/Malynfits CodeOverlap TrojanSpy:Win32/Nivdort CodeOverlap virus:Win32/Lywer CodeOverlap", "frr.conf", "97-route.sh", "ncm.sh", "perl_inc_macro.h", "sys_status.html", "Entrust_Root_Certification_Authority_-_EC1.crt", "S99dnsproxy", "valuefooter.htm", "148e:a000", "ASAuthorizationPlatformPublicKeyCredentialAssertionRequest.h", "saved_resource.html", "inputmask.binding.js.pobrane", "OSReturn.h", "0af0:d057", "dynamic_dns_customddns.sh", "12d1:1557", "WKPDFConfiguration.h", "zone_core.sh", "AuthenticationServices.h", "template.26.css", "l1_char_class_tab.h", "1-vnet_lanhook.sh", "iperlsys.h", "0e8d:0002:uPr=Product", "country_group.html", "dbus-K5ae4EDHao", "dictionary.sip", "macFiltering.html", "ubi_make_extra_volume.sh", "qos_mark.sh", "wireguard-up.sh", "1ee8:0068", "ASAccountAuthenticationModificationExtensionContext.h", "utf8.h", "vnetwork", "ui.notify.css", "1004:613a", "1410:5059", "Researcher msudosos: This activity appears to facilitate a preliminary reconnaissance phase, possibly utilizing system commands to query /proc/cpuinfo and /proc/version for architectural profiling purposes.", "line_backup", "GKVoiceChatService.h", "account.html", "0482:024d", "tss.h", "ASAuthorizationPublicKeyCredentialLargeBlobRegistrationOutput.h", "arp_scan.html", "GKAchievement.h", "GCProductCategories.h", "spi_device_id", "cert.pem", "chat-get", "attack-defense.html", "3fb36b73.0", "combobox.js", "table.h", "12d1:1523", "alg.html", "l2tp", "42-usb2-pci", "index.html", "feedback.js.pobrane", "online", "webfilter_global", "qos_grpmark.sh", "rtl8367s_switch_globalLed", "25-nls-iso8859-15", "10-l2tp-pptp.sh", "1c9e:6061:uPr=Storage", "749e9e03.0", "core_rule.sh", "MCAdvertiserAssistant.h", "wifidog", "https://vtbehaviour.commondatastorage.googleapis.com/ffe3319990984c10c84fc18f6c1d40b2c7ad44666ebc2b54368bd96327ec6abc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775283093&Signature=GU02WhsC3g0ztmDdXDNuqx9T9POv8DnaMp7NQX%2B70%2FybCmZtbIpyPiUCOuYG5ZD1RY8bCIR9k%2F%2BGsKSwWLVUNNih3CgvqShoWsNfLKvtS%2BDRbmV6G4ohLWIP0xPHJOCA%2FWvnSdblJ%2FdibwXFCT851RdpfK3f6ph2EPHXIq%2FBwhSc28%2BJfFSMK%2B1toESpR7COi%2FUwpnMfcoSpcIMZudaaU8JrTvEVLgtJ%2FAgHjmfoXxvJlD", "load_balance", "S50dropbear", "ASAuthorizationSingleSignOnRequest.h", "1c9e:f000:uMa=USB_Modem", "0af0:6711", "ar8327_switch_init", "12d1:1f15", "Atos_TrustedRoot_2011.crt", "S90openvpn", "S19vnet", "5cd81ad7.0", "XRamp_Global_CA_Root.crt", "full_valueheader.htm", "core_log.sh", "gettime.sh", "network_ifacelist.htm", "overload.h", "nat_core.sh", "interface_wan.html", "index.a415cbb4.js", "http://plix.net", "perlvars.h", "MultipeerConnectivity.apinotes", "zone_api_core.sh", "ASAuthorizationSecurityKeyPublicKeyCredentialDescriptor.h", "preview_remind.html", "dslite.sh", "button.htm", "hwnat", "IDS Detections: Win32/Enosch.A gtalk connectivity check | W32/MoonLight.worm User-Agent (HellSpawn)", "http.lua", "05-vnet-lanv6", "ospf.html", "vm_shared_region.h", "interface.sh", "https://vtbehaviour.commondatastorage.googleapis.com/00000048b1c9e60c14a6619f0292dea96df7f10c11cfa9ae28693219c0ae844b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775977932&Signature=PwcvGhj2aoTTZWuXQAV%2Fk5iqc79LFl%2F4vKRmiwCg0lEljeWcXw48JPCdvRXB9d8jKJ3YlawrM8K3jVgBiRkawNtXHGkhIZp3kMOBGXmjii0zJ%2B%2BFryjqy3dSwsNCbzYOZqPvS38JrUto12cWGOcLXru%2F%2FaLJkK%2F5LZojEPdv487hPxxjaJl3q6IRjJ7RCeN6j7Rm9uA2EA2m0Di4VgQGK9uqgl04AslRkB8MiwSQ4TaGSHjp", "1dbc:0669", "core_tpfirewall.sh", "pppox-remote-management.sh", "ad_status.js.pobrane", "31-iptunnel", "malloc_ctl.h", "S72sfe", "CFCA_EV_ROOT.crt", "acl_timeobj.lua", "dnsproxy.html", "ngx_wdas.lua", "IOPCIFamilyDefinitions.h", "WKOpenPanelParameters.h", "0af0:8600", "cmxddns.html", "radio.js", "server-cert.pem", "ASAuthorizationSingleSignOnProvider.h", "ASAuthorizationWebBrowserPlatformPublicKeyCredentialProvider.h", "file.js", "xhr.js", "ASAccountAuthenticationModificationController.h", "S99led_set", "GCAxis2DInput.h", "22-imb", "openvpn", "fvalue.htm", "ppp-down", "named.cache", "50-qos_ctl", "IOBluetoothTypes.h", "vDSP.h", "warnings.h", "show_interface.lua", "updown.conf", "dev-app.project-cicada.com \u2022 http://dev-app.project-cicada.com \u2022 https://dev-app.project-cicada.com (2014 report predates 2016 reports)", "0b3c:f00c", "16d8:6803", "find_index.lua", "http://hybrid-analysis.com/sample/4dbe669e9b8b9cfe1bfa98019ccf2e56230ed136adce966649ee38e61e934303", "form.js", "boot_done", "usb-acm", "vmparam.h", "ifup-l2tp.sh", "machine_machdep.h", "zone_init_all.sh", "10-pppox-if-up-down.sh", "system_mode", "stdbool.h", "05_set_iface_mac_mediatek", "clock.lua", "dictionary.asnet", "2001:a401", "emSign_Root_CA_-_G1.crt", "service", "port-id-map", "access_func.sh", "application_list.html", "GCControllerButtonInput.h", "common.js.pobrane", "0421:0637", "1307:1169", "pppv6-up", "gssapi_generic.h", "WKUIDelegate.h", "usb-storage", "get_rps.sh", "GCMotion.h", "1033:0035", "2b349938.0", "0f5dc4f3.0", "openvpn-client-disconnect.sh", "cli_clock_cmd.tree", "portal-mgmt", "jquery.flot.fillbetween.js", "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739500&Signature=r1pLCgJf%2FQK8TvenCwXy9bnghFzjJ5QssdQSLP37SLv6EkA3WXuFUIvKrsXKokco7bMfQUy%2FArk8F6aP%2Bhaj16Jv7P%2FGB%2Blf7mPvs47VjwfBJRCP8AZLlWvO45%2BjC68v798csdJFPTP31O4yDOE3pXZ3EThm4nSrIwLPhTSPfi3cPlEh2wLSzcySW7BYLw%2BqCoawFCxeLUz7hIV0vC89Mlwi3DeS%2BEnWFF%2FsvT9lVJjdbLoJLEeO", "K99umount", "https://widget.intercom.io/widget/rbc8ok9w", "qmi.sh", "baseinfo.gcom", "S99avahi-daemon", "0af0:9200", "57bcb2da.0", "ASAuthorizationSecurityKeyPublicKeyCredentialRegistrationRequest.h", "cellinfo.gcom", "l2tp-get-tunnel-info.sh", "96-customddns.sh", "19d2:1201", "https://otx.alienvault.com/indicator/file/b197cf4cee44d52be11275f49f3143b4f7f8e735", "in_systm.h", "stddef.h", "telnet", "WKSecurityOrigin.h", "accountmgnt.lua", "openvpn-client-up.sh", "19d2:0120", "5d3033c5.0", "wportal", "map.js.pobrane", "https://hybrid-analysis.com/sample/020fe56e2d49ead60b67a1e20b43ee0846c493c7edb3118b34c5c964fc131794/6533667318fa4c29320ec174", "https://static.xx.fbcdn.net/rsrc.php/v3/yw/l/0,cross/CXjTiRbc_8T.css?_nc_x=Ij3Wp8lg5Kz", "K98boot", "12d1:151a", "tcp_fsm.h", "https://vtbehaviour.commondatastorage.googleapis.com/100a90c0ff019b19f0f2622cfa529d874f580b2ac6257d018e5eb9ab6d861f44_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775281734&Signature=3FFHeC27RvCC9623M2f8xoSU4fl9LBd%2FvI%2F98rUNvmdceN4AZjjw77yTU0ApUTXU5FbdCpODVhKi0X4pqDz1pqEP%2FBRLq%2FNhgoRliai6LlD4yhdTtKNi4zrfCDG%2Bd4dRzD5y674IfEPynxGiFOWxc6wiCtl3rhwTPEqisyDqFbvnF57SxrcPoVSzVO3wEtxpCOIw8iAFXdW2zgnnYYbSrbaQBfghKLtFA6r2vP%2Bmrd33YSUiH%2Fe2EqBz", "bootstrap_responsive.26.css", "9d04f354.0", "switch.js", "ASPasswordCredential.h", "ifstat.html", "mt7621_switch_led", "https://www.virustotal.com/gui/url/f6db0235760bd467ca822ad515a8410121fde4713501b3e718b8fb127dfa259c?nocache=1", "git_version.h", "footer.htm", "qos.html", "https://static.xx.fbcdn.net/rsrc.php/v3/ys/r/3eq9Oo5XUhW.js?_nc_x=Ij3Wp8lg5Kz", "xl2tp-secrets", "AffirmTrust_Networking.crt", "pppox-wheader.sh", "19d2:1210", "QuoVadis_Root_CA_2_G3.crt", "1ee8:0060", "pppox-reload-user.sh", "Starfield_Class_2_CA.crt", "offcanvas.css", "Actalis_Authentication_Root_CA.crt", "19d2:1017", "char_conv.sh", "Hongkong_Post_Root_CA_1.crt", "bootstrap-gov-pl.css", "pptpd.conf", "S97gre_init", "06dc52d5.0", "AirPlayReceiver.tbd", "23a2:1010", "ipsec", "10-metric.sh", "GCControllerInput.h", "caption.js.pobrane", "rfkill", "fw.sh", "appflow_statistics.html", "26-freeStrategy", "charon-logging.conf", "1004:1000", "iptv.html", "IdenTrust_Public_Sector_Root_CA_1.crt", "Certigna.crt", "GCMicroGamepad.h", "25-pppox.sh", "0685:2000", "l2tp-init.sh", "WKDownload.h", "10a9:606f", "ipt-nathelper", "GKPublicConstants.h", "python-3.9.pc", "GKBasePlayer.h", "arm_features.inc", "SwissSign_Gold_CA_-_G2.crt", "0bdb:1910", "40-imb.sh", "https://hybrid-analysis.com/sample/ab4672795b872e01bc7411fec294eab22d54e97b133769a3de306d9633fa24d6/653366aac5f632cbbf0f0000", "qos_tc.sh", "https://otx.alienvault.com/indicator/file/c85cc6f8ff7d69d7a7af9498d7d75bc05e35fb69f34d7b50d9057608f7b73f51", "webfilter", "zteinfo.gcom", "This ELF 32-bit LSB artifact is a sophisticated GoBrut/StealthWorker agent, compiled via Golang 1.10 and stripped to obfuscate its high-velocity service-bruting logic. VirusTotal confirms a critical threat profile with 44/65 security vendors flagging the file, which leverages a unique Go BuildID (nGYES3pajdOm...) and a Telfhash (t1f303a0...) for architectural fingerprinting. The binary orchestrates decentralized Command and Control (C2) through an expansive infrastructure of 797 unique IPs and 1,834 domains", "nwadditional", "WKScriptMessageHandlerWithReply.h", "perl_langinfo.h", "https://vtbehaviour.commondatastorage.googleapis.com/a0fb314babd51dbc460ab126b615da4c6f9481f5d1225d0ac189da9d99923bb3_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775189872&Signature=P%2Fa2KXhuVwj4RO8cyfIpkYofLKzsLiKRPHuVAi7hjApskLh84OqCfKuK51z7bTKZd8lCCiQ7XuIaxWQDR7qzDFvuCWutobNhKDdHSDLrTMtqqX3o5RmBpSzMUw3jQJcbxsYWqaOMHy8ZeWEVRuB9orvLwMZbJMMIJM8GhUVHZ6%2BwciVIoj0lYTCb%2FEEkQWTV4g3hs9l8KRzbEfvJGja6ANuv1OtdFLk8pejrraAJMB7ThsjINOXbJb", "openvpn-easy-rsa", "openssl.cnf", "xfe-URL-Intercom.io-stix2-2.1-export.json", "1c9e:9200", "https://tria.ge/230806-j8mspsgd84", "https://vtbehaviour.commondatastorage.googleapis.com/37efacb8411234dd9882d8d3a8709f492eb2ed252132da099a11be07c0b4ccb0_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775189954&Signature=2gy%2BsyEM78P6orDGWKQU%2FFPSIdVK9X7o8Nkcwb%2BY4r%2FCb%2Bo9JmA9T%2Bfonw9IqbojQSIK%2BNShZUJJ9GV4wWT5l1QfkYfZP0MJ91%2BkDw39PLOc4VVgmBApIQJRTIlgSlI020YfOeIPoIYH8yuCF2dJ32zKg87g0dDFkg4zbExGDJB3%2BGDxX5MJ6hHuzVrwxm7E1L%2F%2FffKQ%2B9rXqoT0hRHEdPSaXSydmnqfMfnjCv", "706f604c.0", "nfs.h", "vnet.sh", "93bc0acc.0", "mt7621_switch_portMirror", "copyio.h", "f5Y41t9wqY4.html", "jquery.flot.barnumbers.js", "qos_Traffic.html", "https://download.clear.ml/cpython_builds/releases/ \u2022 https://download.clear.", "magnific-init.js.pobrane", "DigiCert_High_Assurance_EV_Root_CA.crt", "1c9e:9101", "djimageslider.css", "ipsec.lua", "koi-win", "https-dns-proxy", "net_share.sh", "12d1:1449", "12d1:1f03", "handle_card_process.sh", "QuoVadis_Root_CA_3_G3.crt", "dd8e9d41.0", "in_arp.h", "machine_routines.h", "sysntpd", "00_uhttpd_ubus", "32-l2tp", "ipsec_check_domain.sh", "profile.h", "jquery.flot.js", "Baltimore_CyberTrust_Root.crt", "vnet_zone_api.sh", "if-do-timeobj.sh", "upload.htm", "get_temperature.sh", "GameController.tbd", "jquery.flot.crosshair.js", "0421:0618", "wportal_free.html", "ASPublicKeyCredentialClientData.h", "90-xt_doslogonly", "OSKextLib.h", "SwissSign_Silver_CA_-_G2.crt", "148f:2578", "09789157.0", "x509.conf", "scepclient.conf", "ecmp.lua", "UCA_Extended_Validation_Root.crt", "WKContentWorld.h", "Microsoft_RSA_Root_Certificate_Authority_2017.crt", "usb-serial", "0af0:7701", "group", "0af0:d157", "0a775a30.0", "reset", "python3-embed.pc", "ASCredentialRequest.h", "zone_api.sh", "ucisection.htm", "endian.h", "IOUSBHost.tbd", "rewrite.lua", "perlio.h", "S47access_ctl" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "Unknown - Most likely multiple spanning Cyrillic and Chinese in terms of artifacts", "StealthWorker/GoBrut (The adversary demonstrates advanced telemetry suppression within specialized s", "Turla Group, FIN7, APT34, APT28, DragonForce Malaysia Hacker Group, Indonesia Islamic Warriors Counc", "Element" ], "malware_families": [ "Trojandropper:win32/systex.a", "Backdoor:msil/zegost.gg!mtb", "Cycbot", "Win.malware.qshell-9875653-0", "Win.packed.bandook-9882274-1", "Alf:ransom:win32/babax.sg!mtb", "Tel:trojan:msil/agenttesla.vpa!mtb", "Hacktool:win32/mimikatz.f", "Virus:dos/hellspawn", "Wshrat", "Backdoor:msil/remcos", "Trojanproxy:win32/malynfits", "Internet", "Virus:win32/neshta", "Win.downloader.small-4507", "Backdoor:win32/zegost.bu", "Cve-2017-11882", "Win.dropper.gh0strat", "Trojan:win32/farfli.dsk!mtb", "Md5 hash: f8add7e7161460ea2b1970cf4ca535bf", "Wipes", "Backdoor:win32/zegost.gen!b", "Win.trojan.dialer-266", "Alf:nid:susp_nsis_stub.a", "Trackingclient", "Alf:heraklezeval:trojan:msil/gravityrat!rfn", "Virus:win32/lywer", "Win.trojan.tepfer-61", "Unix.trojan.tsunami-6981155-0", "Trojandropper:win32/muldrop.v!mtb", "Pws:win32/vb.cu", "Tente", "Malware family: stealthworker / gobrut", "Trojandownloader:win32/zegost.e!bit", "Backdoor:win32/zegost.cg", "Srpanj", "Trojanspy:win32/nivdort", "Alf:exploit:o97m/cve-2017-8977", "Backdoor:win32/zegost.km!mtb", "Advancedinstaller", "Outubro", "Pcrat", "Alf:heraklezeval:worm:win32/sfone", "Slf:win32/dozlodz.a!mtb", "Win64:xpirat\\ [inf]", "Purplefox", "Ransom:win32/crowti.a", "Ddos:linux/gafgyt.ya!mtb", "Gc", "Backdoor:win32/zegost!atmn", "Backdoor:win32/zegost.l", "Virtool:win32/vbinject.gen!mh", "Win.trojan.gravityrat-6511862-0", "Rabu", "Backdoor:win32/zegost.bk", "Trojandownloader:win32/cutwailransom:win32/crowti.a", "#lowfi:vbexpensiveloop", "Worm:win32/sfone.a", "Worm:win32/lightmoon.h", "Alf:jasyp:trojan:win32/ircbot!atmn", "Unknown", "Trojan:win32/ghostratcrypt.ga!mtb", "Zeppelin_10", "Nids", "Gh0stcringe", "Win32:botx-gen\\ [trj]", "Backdoor:linux/demonbot.aa!mtb", "Backdoor:win32/farfli.ax", "Neshta", "Ver", "Backdoor:win32/zegost.br", "Osatomic", "Trojandownloader:win32/cutwail", "Osreturn", "Alf:trojan:win32/cipduk.d!dha", "Trojan:win32/qbot.r!mtb", "Backdoor:win32/zegost.ad", "Unix.trojan.gafgyt-6981154-0", "Win32:farfli-bh", "Hacker87", "Win.malware.mikey-9949492-0", "Anda", "Expiro", "Win.malware.eclz-9953021-0", "Backdoor:win32/zegost.h!dll", "Backdoor:win32/zegost.cq!bit", "Trojandropper:win32/venik", "Win.dropper.gh0strat-7696262-0", "Agenttesla", "Mirai (elf)", "Vui", "#lowfi:suspicioussectionname", "Backdoor:win32/arwobot.b", "#lowfi:hstr:criakl.b1", "Win.malware.snojan-6775202-0", "Worm", "Trojandownloader:win32/nemucod", "Vasaris" ], "industries": [ "Construction", "Individuals", "Insurance" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 50, "pulses": [ { "id": "69eb254f17eb4a2a990f07e5", "name": "LevelBlue - Open Threat Exchange", "description": "[ As part of security research, we look at some of the most well-known vulnerabilities in the PDF ecosystem, and how they can be identified and mitigated, with the help of a simple hash.] [64xxxx]", "modified": "2026-05-28T07:10:11.800000", "created": "2026-04-24T08:09:51.488000", "tags": [ "pdfkit", "cve202225765", "exploit script", "github", "unicordev", "cves", "xml external", "entity", "pdfs", "knowledge base", "python", "mozilla", "virustotal", "cisa", "apple", "microsoft", "pdfkit ruby", "remote code", "execution", "urls", "malware", "raid", "caddywiper", "wipes", "cve202543529", "webkit", "february", "cve202620643", "bypass", "march", "webkit bug", "command", "control", "levelblue", "open threat" ], "references": [ "https://otx.alienvault.com/indicator/ip/198.49.23.145#:~:text=CIDR:%206%20%7C%20CVE:%20107,infrastructure%20into%20global%20botnet%20clusters." ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Wipes", "display_name": "Wipes", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1084, "FileHash-SHA1": 874, "FileHash-SHA256": 3052, "CVE": 36, "domain": 437, "hostname": 1086, "URL": 1411, "CIDR": 15, "email": 13 }, "indicator_count": 8008, "is_author": false, "is_subscribing": null, "subscriber_count": 70, "modified_text": "4 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69e1e3701bff1800614838dc", "name": "wireshark", "description": "", "modified": "2026-05-17T08:02:15.940000", "created": "2026-04-17T07:38:24.668000", "tags": [ "wireshark pcap", "next generation", "dump file", "format", "little endian", "pcap" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 707, "FileHash-MD5": 281, "FileHash-SHA1": 271, "URL": 123, "domain": 69, "hostname": 608, "email": 1 }, "indicator_count": 2060, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "15 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69db4698d0cd0d278dc7ebac", "name": "VirusTotal report\n for base.apk", "description": "A sample of malicious code has been found on an Android phone running on the operating system, and it is believed to have been installed on a device that is currently running in the UK and Ireland.", "modified": "2026-05-12T07:29:56.598000", "created": "2026-04-12T07:15:36.900000", "tags": [ "mitre attack", "network info", "file type", "loads", "has permission", "accesses", "sim provider", "mccmnc", "mobile", "t1430 location", "persistence", "fraud", "cloud", "malicious", "next", "performs dns", "processes extra", "sigma", "overview", "overview zenbox", "verdict", "guest system", "ultimate file", "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "hybrid analysis", "api key", "vetting process", "please note", "please", "script", "navigation", "doctype html", "public", "w3cdtd html", "transitionalen", "canceled", "title", "head", "body", "span", "refresh", "urls", "https", "united", "may check", "tls version", "xffxf0 xffxf0", "xffxee xffxee", "xffxef xffxef", "xffxeb xffxeb", "px9d", "xe4x84", "fxf8", "x94 x94", "xc1 xc1", "xffxf1 xffxf1", "info", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "text", "json", "in a", "accept", "estonia", "shutdown", "back" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0000d7e596a5738d6310974ef61ee238316ed03bc97d4cb358617932ad8d1ef2_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775977719&Signature=nkKRbhcDpxdw98on7aVclCyF9iaYOrdx7xghDa6jjq48R1HK6lCpP2H%2Fv6rxdPNWs11JoBFgE3MwA1ZYRN8Agx6yaHEpe7UOXVn2H3IXFXu5iRM5sSelXe0sVXAZNiCnIpmLyM8VdDWBLCF6TJhhCNb%2BA7JeJFY4BXuE0JCylFC6IfrK2KyhsCqwoOPL%2BxBN22zBWM88MDh7fIROoVS%2BgBZTK6Ae1KM9I0JmsvqNh%2BZskj06IC", "https://vtbehaviour.commondatastorage.googleapis.com/d45818a5cd5d41133eeb2bb915b70591823526786936d1ff425c82957057a080_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775977759&Signature=NBaN%2BKLt4kQxB6lxMAKf0PJGXB22KDgo54085YsLIZeKYr%2FZMbLuFYa65quTdyB8OT20aOMsT%2Bx7n2Nv%2BpBu9tlcAvqR27Q83JBzoWGOiDxS79sdgdFXXcK1fvBAY1%2BjtLvoBhQMAK7BZO3%2BuKbWEabvTF9p9Cwjhp%2FMQXMHRl%2BuPqE6REp29LQImSxPlNb5PmpRdhhhBX877q%2F6YPIpViq1j4uEa5xeFaF%2BLHuli03Gs93pzj", "https://hybrid-analysis.com/sample/4e4fa68c1c4d2cfee133c31432dd303bb5746f7094b5a6832a25e47e6279171c", "https://vtbehaviour.commondatastorage.googleapis.com/00000048b1c9e60c14a6619f0292dea96df7f10c11cfa9ae28693219c0ae844b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775977932&Signature=PwcvGhj2aoTTZWuXQAV%2Fk5iqc79LFl%2F4vKRmiwCg0lEljeWcXw48JPCdvRXB9d8jKJ3YlawrM8K3jVgBiRkawNtXHGkhIZp3kMOBGXmjii0zJ%2B%2BFryjqy3dSwsNCbzYOZqPvS38JrUto12cWGOcLXru%2F%2FaLJkK%2F5LZojEPdv487hPxxjaJl3q6IRjJ7RCeN6j7Rm9uA2EA2m0Di4VgQGK9uqgl04AslRkB8MiwSQ4TaGSHjp", "https://vtbehaviour.commondatastorage.googleapis.com/00000722ff984d5cd9cd766d12c70eecc7a2ad7502999c5a99d582c79b92c1a6_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775978086&Signature=WBIzRJW%2FxjBBOf%2F0opd6hlj72t0fu7SbhJLmf%2FDLtoe3li5SgoZEYUg2Ogq0NvkC4WzbpRmzXeV1QmUY%2BooYwl%2BVNRjyw6fZqkbp%2FboMFSfQmgHU%2FQfi99Ch5BqGcNZge1bx9lbHBAP%2BY3QDDA3xzFU9c9aMJAaBlGjFT4TeXALcU00PEYHA95tX7zddbMc5uQhfHfn7fKlyKlmRq25jp6vA4xQImQFJc3s3pQ7WePxp", "https://vtbehaviour.commondatastorage.googleapis.com/3b145ee102848506dc7551758ee869b43a1753f06fabcbcf9ca574cb7843d60e_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775978167&Signature=ukCrMHPUqB9sAvA3sCKxfTpKsnpIxfU1vyE1t7AsEZ2JBslXLn0KOjAMFlqSS33UscXS2xVpcOB1wOgX5ZbIlIX0m19OZ79aq1QXdbgZcRdsQ%2B07tzoo82jk6i7wuXsvtA8Lg1oPdLiq15X99Ey1Q4Qu%2F0YpJnHHOQ8zJCsmJIL%2BCV7ZRaam44zjH9hrfu2RFHKg7UN%2F%2BePHS%2FGSY3JiZ4dG10ymuI%2BSbNuvxnx4LIP9iAnFi", "https://vtbehaviour.commondatastorage.googleapis.com/3b145ee102848506dc7551758ee869b43a1753f06fabcbcf9ca574cb7843d60e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775978199&Signature=N0Ry%2FbV%2BEAaGir5ToqgdLRpeg4LWS2qRlbG%2BPBgtoRM6IQyD7i%2FhtGHNcbCN9KZuxWP1kCJkqKu4dA%2BNcMjY450Zs5KmCD%2B78YZCte4YHq%2F3f2T0AuO7ero3nBCqlX8fVA62q8eDZQiroHG4hX0gMIaxBXDwUeQa0F%2FQpNa72K2aN4rAajClR%2BuBVPy1fnaokrr7bsvK6JvnhFwrTdLQq6%2Fd%2BulnVIbTCK1oSGXF", "https://vtbehaviour.commondatastorage.googleapis.com/00000722ff984d5cd9cd766d12c70eecc7a2ad7502999c5a99d582c79b92c1a6_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775978364&Signature=yFKLOW7cLGxEDj33tw1mRKNjyzUXQUuQpv%2FrA3D2X5q8rw9kMCREsBLs%2F%2FNYRFxARS3RB5Lk4O6CmSWhNnG3A6HL18Gz6MgwskKshWmxISeMPsHS3bV%2F%2FfnGBWAext5N5I8M1E3kyouF%2FSW3NwXOVYP%2FTI%2BQ1I%2FDzIIYwu8Da44roDqJL3wQaxKZjyUAXa6fTXFaFor%2FO9DxLhb3cHkFxY9PbZuvVGjWowadR80d" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1422", "name": "System Network Configuration Discovery", "display_name": "T1422 - System Network Configuration Discovery" }, { "id": "T1424", "name": "Process Discovery", "display_name": "T1424 - Process Discovery" }, { "id": "T1426", "name": "System Information Discovery", "display_name": "T1426 - System Information Discovery" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1409", "name": "Access Stored Application Data", "display_name": "T1409 - Access Stored Application Data" }, { "id": "T1418", "name": "Application Discovery", "display_name": "T1418 - Application Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 91, "FileHash-SHA1": 86, "FileHash-SHA256": 101, "URL": 271, "domain": 43, "hostname": 306 }, "indicator_count": 898, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "20 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69db469af0e341420764ab93", "name": "VirusTotal report\n for base.apk", "description": "A sample of malicious code has been found on an Android phone running on the operating system, and it is believed to have been installed on a device that is currently running in the UK and Ireland.", "modified": "2026-05-12T07:29:56.598000", "created": "2026-04-12T07:15:38.372000", "tags": [ "mitre attack", "network info", "file type", "loads", "has permission", "accesses", "sim provider", "mccmnc", "mobile", "t1430 location", "persistence", "fraud", "cloud", "malicious", "next", "performs dns", "processes extra", "sigma", "overview", "overview zenbox", "verdict", "guest system", "ultimate file", "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "hybrid analysis", "api key", "vetting process", "please note", "please", "script", "navigation", "doctype html", "public", "w3cdtd html", "transitionalen", "canceled", "title", "head", "body", "span", "refresh", "urls", "https", "united", "may check", "tls version", "xffxf0 xffxf0", "xffxee xffxee", "xffxef xffxef", "xffxeb xffxeb", "px9d", "xe4x84", "fxf8", "x94 x94", "xc1 xc1", "xffxf1 xffxf1", "info", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "text", "json", "in a", "accept", "estonia", "shutdown", "back" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0000d7e596a5738d6310974ef61ee238316ed03bc97d4cb358617932ad8d1ef2_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775977719&Signature=nkKRbhcDpxdw98on7aVclCyF9iaYOrdx7xghDa6jjq48R1HK6lCpP2H%2Fv6rxdPNWs11JoBFgE3MwA1ZYRN8Agx6yaHEpe7UOXVn2H3IXFXu5iRM5sSelXe0sVXAZNiCnIpmLyM8VdDWBLCF6TJhhCNb%2BA7JeJFY4BXuE0JCylFC6IfrK2KyhsCqwoOPL%2BxBN22zBWM88MDh7fIROoVS%2BgBZTK6Ae1KM9I0JmsvqNh%2BZskj06IC", "https://vtbehaviour.commondatastorage.googleapis.com/d45818a5cd5d41133eeb2bb915b70591823526786936d1ff425c82957057a080_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775977759&Signature=NBaN%2BKLt4kQxB6lxMAKf0PJGXB22KDgo54085YsLIZeKYr%2FZMbLuFYa65quTdyB8OT20aOMsT%2Bx7n2Nv%2BpBu9tlcAvqR27Q83JBzoWGOiDxS79sdgdFXXcK1fvBAY1%2BjtLvoBhQMAK7BZO3%2BuKbWEabvTF9p9Cwjhp%2FMQXMHRl%2BuPqE6REp29LQImSxPlNb5PmpRdhhhBX877q%2F6YPIpViq1j4uEa5xeFaF%2BLHuli03Gs93pzj", "https://hybrid-analysis.com/sample/4e4fa68c1c4d2cfee133c31432dd303bb5746f7094b5a6832a25e47e6279171c", "https://vtbehaviour.commondatastorage.googleapis.com/00000048b1c9e60c14a6619f0292dea96df7f10c11cfa9ae28693219c0ae844b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775977932&Signature=PwcvGhj2aoTTZWuXQAV%2Fk5iqc79LFl%2F4vKRmiwCg0lEljeWcXw48JPCdvRXB9d8jKJ3YlawrM8K3jVgBiRkawNtXHGkhIZp3kMOBGXmjii0zJ%2B%2BFryjqy3dSwsNCbzYOZqPvS38JrUto12cWGOcLXru%2F%2FaLJkK%2F5LZojEPdv487hPxxjaJl3q6IRjJ7RCeN6j7Rm9uA2EA2m0Di4VgQGK9uqgl04AslRkB8MiwSQ4TaGSHjp", "https://vtbehaviour.commondatastorage.googleapis.com/00000722ff984d5cd9cd766d12c70eecc7a2ad7502999c5a99d582c79b92c1a6_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775978086&Signature=WBIzRJW%2FxjBBOf%2F0opd6hlj72t0fu7SbhJLmf%2FDLtoe3li5SgoZEYUg2Ogq0NvkC4WzbpRmzXeV1QmUY%2BooYwl%2BVNRjyw6fZqkbp%2FboMFSfQmgHU%2FQfi99Ch5BqGcNZge1bx9lbHBAP%2BY3QDDA3xzFU9c9aMJAaBlGjFT4TeXALcU00PEYHA95tX7zddbMc5uQhfHfn7fKlyKlmRq25jp6vA4xQImQFJc3s3pQ7WePxp", "https://vtbehaviour.commondatastorage.googleapis.com/3b145ee102848506dc7551758ee869b43a1753f06fabcbcf9ca574cb7843d60e_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775978167&Signature=ukCrMHPUqB9sAvA3sCKxfTpKsnpIxfU1vyE1t7AsEZ2JBslXLn0KOjAMFlqSS33UscXS2xVpcOB1wOgX5ZbIlIX0m19OZ79aq1QXdbgZcRdsQ%2B07tzoo82jk6i7wuXsvtA8Lg1oPdLiq15X99Ey1Q4Qu%2F0YpJnHHOQ8zJCsmJIL%2BCV7ZRaam44zjH9hrfu2RFHKg7UN%2F%2BePHS%2FGSY3JiZ4dG10ymuI%2BSbNuvxnx4LIP9iAnFi", "https://vtbehaviour.commondatastorage.googleapis.com/3b145ee102848506dc7551758ee869b43a1753f06fabcbcf9ca574cb7843d60e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775978199&Signature=N0Ry%2FbV%2BEAaGir5ToqgdLRpeg4LWS2qRlbG%2BPBgtoRM6IQyD7i%2FhtGHNcbCN9KZuxWP1kCJkqKu4dA%2BNcMjY450Zs5KmCD%2B78YZCte4YHq%2F3f2T0AuO7ero3nBCqlX8fVA62q8eDZQiroHG4hX0gMIaxBXDwUeQa0F%2FQpNa72K2aN4rAajClR%2BuBVPy1fnaokrr7bsvK6JvnhFwrTdLQq6%2Fd%2BulnVIbTCK1oSGXF", "https://vtbehaviour.commondatastorage.googleapis.com/00000722ff984d5cd9cd766d12c70eecc7a2ad7502999c5a99d582c79b92c1a6_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775978364&Signature=yFKLOW7cLGxEDj33tw1mRKNjyzUXQUuQpv%2FrA3D2X5q8rw9kMCREsBLs%2F%2FNYRFxARS3RB5Lk4O6CmSWhNnG3A6HL18Gz6MgwskKshWmxISeMPsHS3bV%2F%2FfnGBWAext5N5I8M1E3kyouF%2FSW3NwXOVYP%2FTI%2BQ1I%2FDzIIYwu8Da44roDqJL3wQaxKZjyUAXa6fTXFaFor%2FO9DxLhb3cHkFxY9PbZuvVGjWowadR80d" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1422", "name": "System Network Configuration Discovery", "display_name": "T1422 - System Network Configuration Discovery" }, { "id": "T1424", "name": "Process Discovery", "display_name": "T1424 - Process Discovery" }, { "id": "T1426", "name": "System Information Discovery", "display_name": "T1426 - System Information Discovery" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1409", "name": "Access Stored Application Data", "display_name": "T1409 - Access Stored Application Data" }, { "id": "T1418", "name": "Application Discovery", "display_name": "T1418 - Application Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 91, "FileHash-SHA1": 86, "FileHash-SHA256": 101, "URL": 271, "domain": 43, "hostname": 306 }, "indicator_count": 898, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "20 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d79c38e0a059039b475ebe", "name": "CAPE Sandbox", "description": "Email today from them on my line. Very wild things happening here. trying to close my line", "modified": "2026-05-09T12:10:59.635000", "created": "2026-04-09T12:31:52.495000", "tags": [ "html document", "unicode text", "utf8 text", "crlf", "lf line", "site", "meta", "verizon", "wireless", "internet", "phone services", "official", "shop verizon", "lte network", "get fios", "title", "code", "error", "utc na", "utc google", "tag manager", "gtmw2vn2cq", "utc dc9849921", "utc dc685973", "utc g12r1dx1lx7", "utc aw647962234", "utc aw2761768", "utc aw685973", "verizon business", "verizon for business", "verizon business account", "verizon business phone", "verizon wireless for business", "verizon business service", "verizon business plan", "business internet services", "learn", "gartner", "contact", "find", "discover", "support", "close log", "shop", "upgrade", "small", "voice", "chat", "mitre attack", "network info", "program", "html page", "t1055 process", "overview", "processes extra", "overview zenbox", "verdict", "guest system", "phishing", "next", "ver2", "msclkidn", "utc amazon", "analytics na", "utc bing", "vids1", "vids0", "gdlname" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/edb4c21d60daa44b3429e7ba9bfa342759ebef23c136c934f74aef145453ce19_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775737365&Signature=S%2B7RcHYjab1hbKlKwFfvUbDirFPJS1A2TJQ3bVIObMcON4PD9pRDvhMtYMCnEBrYsICi0UJCFW5eUDolL5Jlbngsc587kF36vvuhlkPprbkSOY1jOyDTpe3Qsb6jRFz3xwOfZc9S5QervoLnRKb%2FyGSyZE6ZK6TxzBrOPczPtZ7sLf9NfD6E%2B2gMRXaRjEqVwVITLG7YqCiiNuohFOuNlK3uNHFpIk53viKvBSAIqLtSklH9bHW4q1DX", "https://www.verizon.com/business/", "https://vtbehaviour.commondatastorage.googleapis.com/edb4c21d60daa44b3429e7ba9bfa342759ebef23c136c934f74aef145453ce19_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775737710&Signature=fbsokraSd7lsYmUfaTEl8Phs2K3hp7AtVmQU9axeEBcYmYbrrYrrfpP5lPEQaE%2Fh3%2BEP9Rn8mD8D1haqQVXCN0VVlxJ4sddjWmyC5USsgBsvUb0%2F72h1WHDS2KXHlteZWE%2Bauckabain9D5kX501AnqFY38s77OIqO6SMOkQ%2BvXiDSSRK%2FZhbfradBnei3ZLHsXGxkoshTyvB0%2BC%2F8SiUzdVsqSjik0Bn2r%2BIlLpDQK90GlZTD0N" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 772, "hostname": 706, "domain": 875, "FileHash-SHA256": 2348, "FileHash-MD5": 2237, "FileHash-SHA1": 2260, "CVE": 1, "email": 9 }, "indicator_count": 9208, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d7a3f4d72c30f9586634b9", "name": "VirusTotal report\n for flow-browser-main.zip", "description": "A sample of flow-browser-main, an unauthorised version of the web browser, has been detected by researchers at the University of California, Los Angeles, and the National Security Agency (NSA). myvzw.com after an email on ending a #", "modified": "2026-05-09T12:10:59.635000", "created": "2026-04-09T13:04:52.444000", "tags": [ "file type", "png image", "ascii", "ascii text", "java source", "json", "rgba", "creates", "crlf line", "mac os", "date", "malicious", "next", "button", "span", "edit3icon", "rotateccwicon", "xicon", "htmldivelement", "react", "saveicon", "null", "shortcutitem", "click", "zip archive", "png multimedia", "graphics" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739500&Signature=r1pLCgJf%2FQK8TvenCwXy9bnghFzjJ5QssdQSLP37SLv6EkA3WXuFUIvKrsXKokco7bMfQUy%2FArk8F6aP%2Bhaj16Jv7P%2FGB%2Blf7mPvs47VjwfBJRCP8AZLlWvO45%2BjC68v798csdJFPTP31O4yDOE3pXZ3EThm4nSrIwLPhTSPfi3cPlEh2wLSzcySW7BYLw%2BqCoawFCxeLUz7hIV0vC89Mlwi3DeS%2BEnWFF%2FsvT9lVJjdbLoJLEeO", "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739700&Signature=bOTo%2FxCpGDGOsIKJDZjBBhLZRg8UiOGi%2FvVr47Xpmh7tOh9dez7911bi%2F9SUdu4ATLhzRVog%2BdVP%2BUPwTuEfIdEcPuGRGVc1KOSP3fTQrKhRjF3x2dqykxVCH%2B1iqBmCgod%2B1uAdlraxqSOeOgst1l%2Bk250uXff4axktE%2BfGjeNDeGJao%2FfOMktqIL7zU8%2BIQYTObwelnnYx45FBSiXI1bWM4vhdgIX4cs2cT%2F" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 220, "FileHash-MD5": 562, "FileHash-SHA1": 566, "FileHash-SHA256": 1011, "URL": 125, "hostname": 139, "email": 4 }, "indicator_count": 2627, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d7a3f511d0121d253b753d", "name": "VirusTotal report\n for flow-browser-main.zip", "description": "A sample of flow-browser-main, an unauthorised version of the web browser, has been detected by researchers at the University of California, Los Angeles, and the National Security Agency (NSA). myvzw.com after an email on ending a #", "modified": "2026-05-09T12:10:59.635000", "created": "2026-04-09T13:04:53.436000", "tags": [ "file type", "png image", "ascii", "ascii text", "java source", "json", "rgba", "creates", "crlf line", "mac os", "date", "malicious", "next", "button", "span", "edit3icon", "rotateccwicon", "xicon", "htmldivelement", "react", "saveicon", "null", "shortcutitem", "click", "zip archive", "png multimedia", "graphics" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739500&Signature=r1pLCgJf%2FQK8TvenCwXy9bnghFzjJ5QssdQSLP37SLv6EkA3WXuFUIvKrsXKokco7bMfQUy%2FArk8F6aP%2Bhaj16Jv7P%2FGB%2Blf7mPvs47VjwfBJRCP8AZLlWvO45%2BjC68v798csdJFPTP31O4yDOE3pXZ3EThm4nSrIwLPhTSPfi3cPlEh2wLSzcySW7BYLw%2BqCoawFCxeLUz7hIV0vC89Mlwi3DeS%2BEnWFF%2FsvT9lVJjdbLoJLEeO", "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739700&Signature=bOTo%2FxCpGDGOsIKJDZjBBhLZRg8UiOGi%2FvVr47Xpmh7tOh9dez7911bi%2F9SUdu4ATLhzRVog%2BdVP%2BUPwTuEfIdEcPuGRGVc1KOSP3fTQrKhRjF3x2dqykxVCH%2B1iqBmCgod%2B1uAdlraxqSOeOgst1l%2Bk250uXff4axktE%2BfGjeNDeGJao%2FfOMktqIL7zU8%2BIQYTObwelnnYx45FBSiXI1bWM4vhdgIX4cs2cT%2F" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 224, "FileHash-MD5": 558, "FileHash-SHA1": 564, "FileHash-SHA256": 558, "URL": 140, "hostname": 166, "email": 2, "CVE": 8 }, "indicator_count": 2220, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d7a3f6657dd0c212d8344a", "name": "VirusTotal report\n for flow-browser-main.zip", "description": "A sample of flow-browser-main, an unauthorised version of the web browser, has been detected by researchers at the University of California, Los Angeles, and the National Security Agency (NSA). myvzw.com after an email on ending a #", "modified": "2026-05-09T12:10:59.635000", "created": "2026-04-09T13:04:54.060000", "tags": [ "file type", "png image", "ascii", "ascii text", "java source", "json", "rgba", "creates", "crlf line", "mac os", "date", "malicious", "next", "button", "span", "edit3icon", "rotateccwicon", "xicon", "htmldivelement", "react", "saveicon", "null", "shortcutitem", "click", "zip archive", "png multimedia", "graphics" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739500&Signature=r1pLCgJf%2FQK8TvenCwXy9bnghFzjJ5QssdQSLP37SLv6EkA3WXuFUIvKrsXKokco7bMfQUy%2FArk8F6aP%2Bhaj16Jv7P%2FGB%2Blf7mPvs47VjwfBJRCP8AZLlWvO45%2BjC68v798csdJFPTP31O4yDOE3pXZ3EThm4nSrIwLPhTSPfi3cPlEh2wLSzcySW7BYLw%2BqCoawFCxeLUz7hIV0vC89Mlwi3DeS%2BEnWFF%2FsvT9lVJjdbLoJLEeO", "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739700&Signature=bOTo%2FxCpGDGOsIKJDZjBBhLZRg8UiOGi%2FvVr47Xpmh7tOh9dez7911bi%2F9SUdu4ATLhzRVog%2BdVP%2BUPwTuEfIdEcPuGRGVc1KOSP3fTQrKhRjF3x2dqykxVCH%2B1iqBmCgod%2B1uAdlraxqSOeOgst1l%2Bk250uXff4axktE%2BfGjeNDeGJao%2FfOMktqIL7zU8%2BIQYTObwelnnYx45FBSiXI1bWM4vhdgIX4cs2cT%2F" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 217, "FileHash-MD5": 558, "FileHash-SHA1": 564, "FileHash-SHA256": 558, "URL": 118, "hostname": 133, "email": 2 }, "indicator_count": 2150, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d7a3f683111bbbe1c9ae35", "name": "VirusTotal report\n for flow-browser-main.zip", "description": "A sample of flow-browser-main, an unauthorised version of the web browser, has been detected by researchers at the University of California, Los Angeles, and the National Security Agency (NSA). myvzw.com after an email on ending a #", "modified": "2026-05-09T12:10:59.635000", "created": "2026-04-09T13:04:54.775000", "tags": [ "file type", "png image", "ascii", "ascii text", "java source", "json", "rgba", "creates", "crlf line", "mac os", "date", "malicious", "next", "button", "span", "edit3icon", "rotateccwicon", "xicon", "htmldivelement", "react", "saveicon", "null", "shortcutitem", "click", "zip archive", "png multimedia", "graphics" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739500&Signature=r1pLCgJf%2FQK8TvenCwXy9bnghFzjJ5QssdQSLP37SLv6EkA3WXuFUIvKrsXKokco7bMfQUy%2FArk8F6aP%2Bhaj16Jv7P%2FGB%2Blf7mPvs47VjwfBJRCP8AZLlWvO45%2BjC68v798csdJFPTP31O4yDOE3pXZ3EThm4nSrIwLPhTSPfi3cPlEh2wLSzcySW7BYLw%2BqCoawFCxeLUz7hIV0vC89Mlwi3DeS%2BEnWFF%2FsvT9lVJjdbLoJLEeO", "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739700&Signature=bOTo%2FxCpGDGOsIKJDZjBBhLZRg8UiOGi%2FvVr47Xpmh7tOh9dez7911bi%2F9SUdu4ATLhzRVog%2BdVP%2BUPwTuEfIdEcPuGRGVc1KOSP3fTQrKhRjF3x2dqykxVCH%2B1iqBmCgod%2B1uAdlraxqSOeOgst1l%2Bk250uXff4axktE%2BfGjeNDeGJao%2FfOMktqIL7zU8%2BIQYTObwelnnYx45FBSiXI1bWM4vhdgIX4cs2cT%2F" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 218, "FileHash-MD5": 558, "FileHash-SHA1": 564, "FileHash-SHA256": 558, "URL": 119, "hostname": 133, "email": 4 }, "indicator_count": 2154, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d7a3f6f81dc2388c0fa027", "name": "VirusTotal report\n for flow-browser-main.zip", "description": "A sample of flow-browser-main, an unauthorised version of the web browser, has been detected by researchers at the University of California, Los Angeles, and the National Security Agency (NSA). myvzw.com after an email on ending a #", "modified": "2026-05-09T12:10:59.635000", "created": "2026-04-09T13:04:54.563000", "tags": [ "file type", "png image", "ascii", "ascii text", "java source", "json", "rgba", "creates", "crlf line", "mac os", "date", "malicious", "next", "button", "span", "edit3icon", "rotateccwicon", "xicon", "htmldivelement", "react", "saveicon", "null", "shortcutitem", "click", "zip archive", "png multimedia", "graphics" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739500&Signature=r1pLCgJf%2FQK8TvenCwXy9bnghFzjJ5QssdQSLP37SLv6EkA3WXuFUIvKrsXKokco7bMfQUy%2FArk8F6aP%2Bhaj16Jv7P%2FGB%2Blf7mPvs47VjwfBJRCP8AZLlWvO45%2BjC68v798csdJFPTP31O4yDOE3pXZ3EThm4nSrIwLPhTSPfi3cPlEh2wLSzcySW7BYLw%2BqCoawFCxeLUz7hIV0vC89Mlwi3DeS%2BEnWFF%2FsvT9lVJjdbLoJLEeO", "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739700&Signature=bOTo%2FxCpGDGOsIKJDZjBBhLZRg8UiOGi%2FvVr47Xpmh7tOh9dez7911bi%2F9SUdu4ATLhzRVog%2BdVP%2BUPwTuEfIdEcPuGRGVc1KOSP3fTQrKhRjF3x2dqykxVCH%2B1iqBmCgod%2B1uAdlraxqSOeOgst1l%2Bk250uXff4axktE%2BfGjeNDeGJao%2FfOMktqIL7zU8%2BIQYTObwelnnYx45FBSiXI1bWM4vhdgIX4cs2cT%2F" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 218, "FileHash-MD5": 558, "FileHash-SHA1": 564, "FileHash-SHA256": 558, "URL": 119, "hostname": 133, "email": 4 }, "indicator_count": 2154, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "this.id", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "this.id", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780347524.4141252 }