{ "type": "Domain", "indicator": "this.name", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/this.name", "alexa": "http://www.alexa.com/siteinfo/this.name", "indicator": "this.name", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 323665869, "indicator": "this.name", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 50, "pulses": [ { "id": "69eb254f17eb4a2a990f07e5", "name": "LevelBlue - Open Threat Exchange", "description": "[ As part of security research, we look at some of the most well-known vulnerabilities in the PDF ecosystem, and how they can be identified and mitigated, with the help of a simple hash.] [64xxxx]", "modified": "2026-05-28T07:10:11.800000", "created": "2026-04-24T08:09:51.488000", "tags": [ "pdfkit", "cve202225765", "exploit script", "github", "unicordev", "cves", "xml external", "entity", "pdfs", "knowledge base", "python", "mozilla", "virustotal", "cisa", "apple", "microsoft", "pdfkit ruby", "remote code", "execution", "urls", "malware", "raid", "caddywiper", "wipes", "cve202543529", "webkit", "february", "cve202620643", "bypass", "march", "webkit bug", "command", "control", "levelblue", "open threat" ], "references": [ "https://otx.alienvault.com/indicator/ip/198.49.23.145#:~:text=CIDR:%206%20%7C%20CVE:%20107,infrastructure%20into%20global%20botnet%20clusters." ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Wipes", "display_name": "Wipes", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1084, "FileHash-SHA1": 874, "FileHash-SHA256": 3052, "CVE": 36, "domain": 437, "hostname": 1086, "URL": 1411, "CIDR": 15, "email": 13 }, "indicator_count": 8008, "is_author": false, "is_subscribing": null, "subscriber_count": 70, "modified_text": "4 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a16a621eac2621d97ca6596", "name": "Credit Q.Vashti [\"Device Isolation | Lumen Technologies | Palantir and\"] clone by Q Vashti (researcher)", "description": "", "modified": "2026-05-27T08:25:07.936000", "created": "2026-05-27T08:06:57.005000", "tags": [ "url https", "url http", "tlsv1", "whitelisted", "united", "read c", "as15169", "stcalifornia", "execution", "dock", "write", "persistence", "malware", "encrypt", "active", "lumen technologies", "number", "error", "regexp", "sxa0", "amptoken", "optout", "retrieving", "notfound", "unknown", "form", "flash", "backdoor", "writeconsolew", "yara detections", "command line", "pdb path", "pe resource", "internalname", "windows command", "A", "aws", "name servers", "url analysis", "passive dns", "urls", "data upload", "extraction", "palantir", "c2", "aerospace", "tracking", "spywatchdog", "palapa-c2", "communications satellite", "amazon", "hughesnet", "icmp traffic", "washington c", "washington ou", "mopr", "mon jul", "local", "dynamic", "apple", "network", "t1057", "discovery", "t1069", "t1071", "protocol", "t1105", "tool transfer", "t1480", "guardrails", "t1566", "present jan", "unknown ns", "ip address", "dnssec", "domain", "dynamic dns", "government", "pcup", "germany unknown", "link", "dns hosting", "cloudns", "cloud dns", "a domains", "ipv4 add", "title", "meta", "class", "servers", "present aug", "aaaa", "present sep", "present nov", "present jul", "present may", "moved", "canada unknown", "begin", "record value", "gmt content", "type", "hostname add", "files", "ascii text", "pattern match", "href", "mitre att", "ck id", "ck matrix", "network traffic", "et info", "general", "path", "click", "learn", "command", "name tactics", "suspicious", "informative", "adversaries", "input url", "defense evasion", "france", "ireland", "netherlands", "denmark", "united kingdom", "type indicator", "role title", "added active", "savvis", "centurylinktechnology", "hybrid analysis", "monitoring tools", "monitored target", "triangulation", "worm", "intel", "ms windows", "pe32", "write c", "delete c", "show", "russia as47764", "unix", "lsan jose", "odigicert inc", "markus", "url add", "http", "related nids", "files location", "russia flag", "russia hostname", "russia", "russia unknown", "hosting", "federation flag", "body", "gmt vary", "accept encoding", "gmt cache", "certificate", "pulse submit", "unknown aaaa", "search", "entries", "script domains", "script urls", "pdx cf" ], "references": [ "\u2018Lumen Technologies\u2019 Acting as administrator of a targeted Apple IOS device", "Yare: compromised_site_redirector_fromcharcode", "Alerts: network_icmp nolookup_communication js_eval recon_fingerprint", "Alerts: console_output has_pdb pe_unknown_resource_name", "File Type PEXE - PE32+ executable (console) x86-64, for MS Windows ..", "Tipped: A targets AI and other cyber research findings.", "A \u2018Target\u2019 became a \u2018Target\u2019 vja close association to main Target of predatory retaliation campaign.", "track.spywarewatchdog.org \u2022 https://track.spywarewatchdog.org - monitoring software", "https://palapa.c.id\t (c.id)", "Containers-Pecorino.PalantirGov.com -pecorino.palantirgov.com", "cedevice.io \u2022 decagonsoftware.com", "http://applevless.dns-dynamic.net/\t\u2022 dns-dynamic.net", "http://www.pcup.gov.ph/images/2018/pdf/ComEnBancReso/Commission_Resolution_07s2018.PDF", "pcup.gov.ph:", "http://www.pcup.gov.ph/images/pdf/Contract_of_SecurityServices2013.pdf pcup.gov.ph:", "https://pcup.gov.ph/375 pcup.gov.ph: | https://www.pcup.gov.ph/ pcup.gov.ph:", "https://elegantcosmedampyeah.pages.dev/", "https://www.ptv.vic.gov.au/more/travelling-on-the-network/lets-go/", "inst.govelopscold.com", "https://feedback.ptv.vic.gov.au/360", "nginx-php.7d4jelnf.trdlpbvl.sdp3.sdp.vic.gov.au", "nginx-php.standby.content-premier-vic-gov-au.sdp3.sdp.vic.gov.au", "https://hybrid-analysis.com/sample/a16d11910953b800369dbb667f178b3cc45cb8e3315217c0e6ceac68eeba206d", "https://brand.centurylinktechnology.com", "https://prod.centurylinktechnology.com", "https://brand2.centurylinktechnology.com", "https://mobile-pocket-guide.centurylinktechnology.com", "UPX_OEP_place", "Russia or Muskware? URL http://store.7box.vip/ad/C467F60A1AD6.Jpeg", "ASP. NET", "https://connect.facebook.net/en_US/sdk.js#xfbml=1&version=v4.0&appId=705930270206797&autoLogAppEvents=1 Akamai rank:", "7box.vip" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan.Tofsee/Botx", "display_name": "Trojan.Tofsee/Botx", "target": null }, { "id": "ALF:JASYP:Trojan:Win32/IRCbot!atmn", "display_name": "ALF:JASYP:Trojan:Win32/IRCbot!atmn", "target": null }, { "id": "PWS:Win32/Axespec.A", "display_name": "PWS:Win32/Axespec.A", "target": "/malware/PWS:Win32/Axespec.A" }, { "id": "Worm:Win32/Lightmoon.H", "display_name": "Worm:Win32/Lightmoon.H", "target": "/malware/Worm:Win32/Lightmoon.H" } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1439", "name": "Eavesdrop on Insecure Network Communication", "display_name": "T1439 - Eavesdrop on Insecure Network Communication" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1069.003", "name": "Cloud Groups", "display_name": "T1069.003 - Cloud Groups" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [], "TLP": "green", "cloned_from": "697cdce9ec418c422eee2054", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 102, "FileHash-SHA1": 59, "FileHash-SHA256": 1929, "domain": 854, "hostname": 2156, "URL": 4475, "SSLCertFingerprint": 9, "email": 8, "CVE": 2 }, "indicator_count": 9594, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "5 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "698e93e1ab02db8c49e8c3ed", "name": "\u201cBroken Seal\u201d DocuSign-themed Delivery with Fileless Process Hollowing (Zeppelin/Bloat-A)", "description": "Forensic analysis indicates a DocuSign-themed phishing campaign using a deliberately invalid X.509 PKI seal (\u201cBroken Seal\u201d) to trigger fail-open verification logic in automated handlers. The delivery mechanism bypasses Secure Email Gateway (SEG) reputation checks by using encrypted channels and human-gated infrastructure. The payload is a fileless Process Hollowing (RunPE) malware that injects into RWX memory of legitimate processes to evade disk-based EDR.", "modified": "2026-05-17T15:52:35.396000", "created": "2026-02-13T03:00:49.872000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr", "My Independent research finds an intersect between different pdf DV versions being able to connect to Raspberry Pi devices as it was the FCC application document. Risk: Mac ID connectivity to all." ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 28000, "FileHash-SHA256": 48374, "FileHash-MD5": 42596, "FileHash-SHA1": 23243, "hostname": 35654, "URL": 75758, "SSLCertFingerprint": 30, "CVE": 7585, "email": 316, "FileHash-IMPHASH": 8, "CIDR": 26205, "JA3": 1, "URI": 5, "IPv4": 574, "Mutex": 1 }, "indicator_count": 288350, "is_author": false, "is_subscribing": null, "subscriber_count": 92, "modified_text": "14 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d79c38e0a059039b475ebe", "name": "CAPE Sandbox", "description": "Email today from them on my line. Very wild things happening here. trying to close my line", "modified": "2026-05-09T12:10:59.635000", "created": "2026-04-09T12:31:52.495000", "tags": [ "html document", "unicode text", "utf8 text", "crlf", "lf line", "site", "meta", "verizon", "wireless", "internet", "phone services", "official", "shop verizon", "lte network", "get fios", "title", "code", "error", "utc na", "utc google", "tag manager", "gtmw2vn2cq", "utc dc9849921", "utc dc685973", "utc g12r1dx1lx7", "utc aw647962234", "utc aw2761768", "utc aw685973", "verizon business", "verizon for business", "verizon business account", "verizon business phone", "verizon wireless for business", "verizon business service", "verizon business plan", "business internet services", "learn", "gartner", "contact", "find", "discover", "support", "close log", "shop", "upgrade", "small", "voice", "chat", "mitre attack", "network info", "program", "html page", "t1055 process", "overview", "processes extra", "overview zenbox", "verdict", "guest system", "phishing", "next", "ver2", "msclkidn", "utc amazon", "analytics na", "utc bing", "vids1", "vids0", "gdlname" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/edb4c21d60daa44b3429e7ba9bfa342759ebef23c136c934f74aef145453ce19_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775737365&Signature=S%2B7RcHYjab1hbKlKwFfvUbDirFPJS1A2TJQ3bVIObMcON4PD9pRDvhMtYMCnEBrYsICi0UJCFW5eUDolL5Jlbngsc587kF36vvuhlkPprbkSOY1jOyDTpe3Qsb6jRFz3xwOfZc9S5QervoLnRKb%2FyGSyZE6ZK6TxzBrOPczPtZ7sLf9NfD6E%2B2gMRXaRjEqVwVITLG7YqCiiNuohFOuNlK3uNHFpIk53viKvBSAIqLtSklH9bHW4q1DX", "https://www.verizon.com/business/", "https://vtbehaviour.commondatastorage.googleapis.com/edb4c21d60daa44b3429e7ba9bfa342759ebef23c136c934f74aef145453ce19_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775737710&Signature=fbsokraSd7lsYmUfaTEl8Phs2K3hp7AtVmQU9axeEBcYmYbrrYrrfpP5lPEQaE%2Fh3%2BEP9Rn8mD8D1haqQVXCN0VVlxJ4sddjWmyC5USsgBsvUb0%2F72h1WHDS2KXHlteZWE%2Bauckabain9D5kX501AnqFY38s77OIqO6SMOkQ%2BvXiDSSRK%2FZhbfradBnei3ZLHsXGxkoshTyvB0%2BC%2F8SiUzdVsqSjik0Bn2r%2BIlLpDQK90GlZTD0N" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 772, "hostname": 706, "domain": 875, "FileHash-SHA256": 2348, "FileHash-MD5": 2237, "FileHash-SHA1": 2260, "CVE": 1, "email": 9 }, "indicator_count": 9208, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d7a3f4d72c30f9586634b9", "name": "VirusTotal report\n for flow-browser-main.zip", "description": "A sample of flow-browser-main, an unauthorised version of the web browser, has been detected by researchers at the University of California, Los Angeles, and the National Security Agency (NSA). myvzw.com after an email on ending a #", "modified": "2026-05-09T12:10:59.635000", "created": "2026-04-09T13:04:52.444000", "tags": [ "file type", "png image", "ascii", "ascii text", "java source", "json", "rgba", "creates", "crlf line", "mac os", "date", "malicious", "next", "button", "span", "edit3icon", "rotateccwicon", "xicon", "htmldivelement", "react", "saveicon", "null", "shortcutitem", "click", "zip archive", "png multimedia", "graphics" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739500&Signature=r1pLCgJf%2FQK8TvenCwXy9bnghFzjJ5QssdQSLP37SLv6EkA3WXuFUIvKrsXKokco7bMfQUy%2FArk8F6aP%2Bhaj16Jv7P%2FGB%2Blf7mPvs47VjwfBJRCP8AZLlWvO45%2BjC68v798csdJFPTP31O4yDOE3pXZ3EThm4nSrIwLPhTSPfi3cPlEh2wLSzcySW7BYLw%2BqCoawFCxeLUz7hIV0vC89Mlwi3DeS%2BEnWFF%2FsvT9lVJjdbLoJLEeO", "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739700&Signature=bOTo%2FxCpGDGOsIKJDZjBBhLZRg8UiOGi%2FvVr47Xpmh7tOh9dez7911bi%2F9SUdu4ATLhzRVog%2BdVP%2BUPwTuEfIdEcPuGRGVc1KOSP3fTQrKhRjF3x2dqykxVCH%2B1iqBmCgod%2B1uAdlraxqSOeOgst1l%2Bk250uXff4axktE%2BfGjeNDeGJao%2FfOMktqIL7zU8%2BIQYTObwelnnYx45FBSiXI1bWM4vhdgIX4cs2cT%2F" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 220, "FileHash-MD5": 562, "FileHash-SHA1": 566, "FileHash-SHA256": 1011, "URL": 125, "hostname": 139, "email": 4 }, "indicator_count": 2627, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d7a3f511d0121d253b753d", "name": "VirusTotal report\n for flow-browser-main.zip", "description": "A sample of flow-browser-main, an unauthorised version of the web browser, has been detected by researchers at the University of California, Los Angeles, and the National Security Agency (NSA). myvzw.com after an email on ending a #", "modified": "2026-05-09T12:10:59.635000", "created": "2026-04-09T13:04:53.436000", "tags": [ "file type", "png image", "ascii", "ascii text", "java source", "json", "rgba", "creates", "crlf line", "mac os", "date", "malicious", "next", "button", "span", "edit3icon", "rotateccwicon", "xicon", "htmldivelement", "react", "saveicon", "null", "shortcutitem", "click", "zip archive", "png multimedia", "graphics" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739500&Signature=r1pLCgJf%2FQK8TvenCwXy9bnghFzjJ5QssdQSLP37SLv6EkA3WXuFUIvKrsXKokco7bMfQUy%2FArk8F6aP%2Bhaj16Jv7P%2FGB%2Blf7mPvs47VjwfBJRCP8AZLlWvO45%2BjC68v798csdJFPTP31O4yDOE3pXZ3EThm4nSrIwLPhTSPfi3cPlEh2wLSzcySW7BYLw%2BqCoawFCxeLUz7hIV0vC89Mlwi3DeS%2BEnWFF%2FsvT9lVJjdbLoJLEeO", "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739700&Signature=bOTo%2FxCpGDGOsIKJDZjBBhLZRg8UiOGi%2FvVr47Xpmh7tOh9dez7911bi%2F9SUdu4ATLhzRVog%2BdVP%2BUPwTuEfIdEcPuGRGVc1KOSP3fTQrKhRjF3x2dqykxVCH%2B1iqBmCgod%2B1uAdlraxqSOeOgst1l%2Bk250uXff4axktE%2BfGjeNDeGJao%2FfOMktqIL7zU8%2BIQYTObwelnnYx45FBSiXI1bWM4vhdgIX4cs2cT%2F" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 224, "FileHash-MD5": 558, "FileHash-SHA1": 564, "FileHash-SHA256": 558, "URL": 140, "hostname": 166, "email": 2, "CVE": 8 }, "indicator_count": 2220, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d7a3f6657dd0c212d8344a", "name": "VirusTotal report\n for flow-browser-main.zip", "description": "A sample of flow-browser-main, an unauthorised version of the web browser, has been detected by researchers at the University of California, Los Angeles, and the National Security Agency (NSA). myvzw.com after an email on ending a #", "modified": "2026-05-09T12:10:59.635000", "created": "2026-04-09T13:04:54.060000", "tags": [ "file type", "png image", "ascii", "ascii text", "java source", "json", "rgba", "creates", "crlf line", "mac os", "date", "malicious", "next", "button", "span", "edit3icon", "rotateccwicon", "xicon", "htmldivelement", "react", "saveicon", "null", "shortcutitem", "click", "zip archive", "png multimedia", "graphics" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739500&Signature=r1pLCgJf%2FQK8TvenCwXy9bnghFzjJ5QssdQSLP37SLv6EkA3WXuFUIvKrsXKokco7bMfQUy%2FArk8F6aP%2Bhaj16Jv7P%2FGB%2Blf7mPvs47VjwfBJRCP8AZLlWvO45%2BjC68v798csdJFPTP31O4yDOE3pXZ3EThm4nSrIwLPhTSPfi3cPlEh2wLSzcySW7BYLw%2BqCoawFCxeLUz7hIV0vC89Mlwi3DeS%2BEnWFF%2FsvT9lVJjdbLoJLEeO", "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739700&Signature=bOTo%2FxCpGDGOsIKJDZjBBhLZRg8UiOGi%2FvVr47Xpmh7tOh9dez7911bi%2F9SUdu4ATLhzRVog%2BdVP%2BUPwTuEfIdEcPuGRGVc1KOSP3fTQrKhRjF3x2dqykxVCH%2B1iqBmCgod%2B1uAdlraxqSOeOgst1l%2Bk250uXff4axktE%2BfGjeNDeGJao%2FfOMktqIL7zU8%2BIQYTObwelnnYx45FBSiXI1bWM4vhdgIX4cs2cT%2F" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 217, "FileHash-MD5": 558, "FileHash-SHA1": 564, "FileHash-SHA256": 558, "URL": 118, "hostname": 133, "email": 2 }, "indicator_count": 2150, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d7a3f683111bbbe1c9ae35", "name": "VirusTotal report\n for flow-browser-main.zip", "description": "A sample of flow-browser-main, an unauthorised version of the web browser, has been detected by researchers at the University of California, Los Angeles, and the National Security Agency (NSA). myvzw.com after an email on ending a #", "modified": "2026-05-09T12:10:59.635000", "created": "2026-04-09T13:04:54.775000", "tags": [ "file type", "png image", "ascii", "ascii text", "java source", "json", "rgba", "creates", "crlf line", "mac os", "date", "malicious", "next", "button", "span", "edit3icon", "rotateccwicon", "xicon", "htmldivelement", "react", "saveicon", "null", "shortcutitem", "click", "zip archive", "png multimedia", "graphics" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739500&Signature=r1pLCgJf%2FQK8TvenCwXy9bnghFzjJ5QssdQSLP37SLv6EkA3WXuFUIvKrsXKokco7bMfQUy%2FArk8F6aP%2Bhaj16Jv7P%2FGB%2Blf7mPvs47VjwfBJRCP8AZLlWvO45%2BjC68v798csdJFPTP31O4yDOE3pXZ3EThm4nSrIwLPhTSPfi3cPlEh2wLSzcySW7BYLw%2BqCoawFCxeLUz7hIV0vC89Mlwi3DeS%2BEnWFF%2FsvT9lVJjdbLoJLEeO", "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739700&Signature=bOTo%2FxCpGDGOsIKJDZjBBhLZRg8UiOGi%2FvVr47Xpmh7tOh9dez7911bi%2F9SUdu4ATLhzRVog%2BdVP%2BUPwTuEfIdEcPuGRGVc1KOSP3fTQrKhRjF3x2dqykxVCH%2B1iqBmCgod%2B1uAdlraxqSOeOgst1l%2Bk250uXff4axktE%2BfGjeNDeGJao%2FfOMktqIL7zU8%2BIQYTObwelnnYx45FBSiXI1bWM4vhdgIX4cs2cT%2F" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 218, "FileHash-MD5": 558, "FileHash-SHA1": 564, "FileHash-SHA256": 558, "URL": 119, "hostname": 133, "email": 4 }, "indicator_count": 2154, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d7a3f6f81dc2388c0fa027", "name": "VirusTotal report\n for flow-browser-main.zip", "description": "A sample of flow-browser-main, an unauthorised version of the web browser, has been detected by researchers at the University of California, Los Angeles, and the National Security Agency (NSA). myvzw.com after an email on ending a #", "modified": "2026-05-09T12:10:59.635000", "created": "2026-04-09T13:04:54.563000", "tags": [ "file type", "png image", "ascii", "ascii text", "java source", "json", "rgba", "creates", "crlf line", "mac os", "date", "malicious", "next", "button", "span", "edit3icon", "rotateccwicon", "xicon", "htmldivelement", "react", "saveicon", "null", "shortcutitem", "click", "zip archive", "png multimedia", "graphics" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739500&Signature=r1pLCgJf%2FQK8TvenCwXy9bnghFzjJ5QssdQSLP37SLv6EkA3WXuFUIvKrsXKokco7bMfQUy%2FArk8F6aP%2Bhaj16Jv7P%2FGB%2Blf7mPvs47VjwfBJRCP8AZLlWvO45%2BjC68v798csdJFPTP31O4yDOE3pXZ3EThm4nSrIwLPhTSPfi3cPlEh2wLSzcySW7BYLw%2BqCoawFCxeLUz7hIV0vC89Mlwi3DeS%2BEnWFF%2FsvT9lVJjdbLoJLEeO", "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739700&Signature=bOTo%2FxCpGDGOsIKJDZjBBhLZRg8UiOGi%2FvVr47Xpmh7tOh9dez7911bi%2F9SUdu4ATLhzRVog%2BdVP%2BUPwTuEfIdEcPuGRGVc1KOSP3fTQrKhRjF3x2dqykxVCH%2B1iqBmCgod%2B1uAdlraxqSOeOgst1l%2Bk250uXff4axktE%2BfGjeNDeGJao%2FfOMktqIL7zU8%2BIQYTObwelnnYx45FBSiXI1bWM4vhdgIX4cs2cT%2F" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 218, "FileHash-MD5": 558, "FileHash-SHA1": 564, "FileHash-SHA256": 558, "URL": 119, "hostname": 133, "email": 4 }, "indicator_count": 2154, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69fda935d86fd4e7e3fb7893", "name": "[Targeted Attack: Windows Virtual Interface Machine] {credit ilyailya} - usernote: falseflagdragon", "description": "", "modified": "2026-05-08T12:22:01.570000", "created": "2026-05-08T09:13:25.760000", "tags": [ "code", "range", "file offset", "ecxedi20xa", "edi0x6d", "ebp20x20", "esi0x67", "edx0x6f", "esi0x61", "ebp20x62", "hopper", "cve20072438", "normally", "use vim", "checkfile", "vimruntime", "checkdir", "vim project", "https", "bram moolenaar", "bram", "files", "silent", "insert mode", "down", "pumvisible", "vim script", "evim", "maintainer", "spellpopupmenu", "aunmenu", "tlunmenu", "loadbuffermenu", "revert", "difforig", "show", "ctrlu", "diffthis", "bail", "win32", "vim support", "remove", "comment", "genericname", "name", "keywords", "gvim", "edit", "zhcn", "editor", "metin", "rediger", "loadftplugin", "filetype", "expand", "amatch", "make", "sinsert", "middlemouse", "unix", "amiga", "mswindows", "loadindent", "end def", "visual mode", "shiftdel", "copy", "vim default", "selectmode", "insert", "load", "detectfiletype", "addoption", "optiong", "binoptiong", "optionl", "binoptionl", "header", "space", "python", "find", "open", "mark", "shell", "ruby", "install", "vim desktop", "substitute", "vunmenu", "paste", "script", "selectall", "word", "popup", "menu", "line", "close", "window", "back", "toolbar", "compiler", "next", "hack", "vimvimrc", "haiku", "openvms", "setsyn", "lang", "syntax menu", "description", "define", "setsyn function", "assembly", "maya", "bufnewfile", "bufread", "starsetf", "setf", "language", "visual basic", "xml au", "latex", "setfiletypesh", "endif", "lilo", "apache", "postscript", "rexx", "atom", "meta", "clipper", "desktop", "gift", "hercules", "julia", "mercurial", "pacman", "trigger", "puppet", "path", "powershell", "info", "ziggy", "speedup", "systemd", "form", "format", "calendar", "dracula", "config", "sfile", "esc", "iconv", "psflags", "if defined", "newitem force", "itemtype file", "iso88591 t", "utf8", "utf8 t", "iconvpath", "t iso88591", "makefile", "converted", "bob ware", "colorado school", "mines", "vim editor", "on your", "original copy", "please", "golden", "translation", "lesson", "enter", "type", "filename", "press", "normal mode", "repeat", "summary", "notice", "ruler", "test", "letzn", "mrkl", "zeil", "strg", "bewg nn", "end von", "druck", "dautticht", "zipf", "zaichen", "netty", "moveu el", "entrar", "premeu", "fitxer", "normal", "prova", "repetiu", "sumari", "desprs", "ara premeu", "cont", "ctrl", "ctrld", "append", "ctrlr", "ctrli", "shift", "backspace", "lekce", "napi", "dek oznaen", "normlnm mdu", "pesu", "stla", "soubor", "pesu kurzor", "opakuj", "toto", "lektion", "flyt", "skriv", "tryk p", "gentag", "bemrk", "filnavn", "nr der", "tryk", "zeile", "bewege den", "tippe", "zeichen", "cursor zu", "cursor zum", "kommandos", "cursor", "null", "tutor", "ctrlg", "shiftg", "shiftn", "msdos", "vimtutor", "capslock", "michael", "movu la", "leciono", "enenklavo", "kursoron al", "tajpu", "kursoron e", "testo", "premu", "dosiernomo", "resumo", "nova", "anon", "leccin", "mueva el", "intro", "pulse", "escriba", "para", "ahora", "insertar", "esto", "repita", "antes", "tenga", "como", "este", "leon", "tapez", "dplacez", "entre", "chap", "insertion", "puis tapez", "rptez", "appuyez", "lekcija", "otipkajte", "pritisnite", "ponovite", "kako bi", "insert mod", "prijeite", "saetak", "imedatoteke", "note", "windows", "yank", "mozgassuk", "fjlnv", "parancs", "lecke", "teszt", "j sort", "nyomja meg", "norml mdban", "ismtelje", "muovi il", "batti", "lezione", "invio", "premi", "ripeti i", "nomefile", "modalit normale", "adesso batti", "nota", "alla", "stata", "replace", "change", "subtitute", "school", "emiau", "spustelkite", "testas", "pirmj", "failovardas", "fail", "normalij", "santrauka", "ymeklis", "raid", "ramen", "tagad", "ievadiet", "piemram", "apkopojums", "lai izdzstu", "lai ievietotu", "ievadot", "ievrojiet", "js varat", "macos", "leksjon", "flytt", "trykk", "slette", "repeter", "erstatte", "sette", "kommandoen", "sett", "tips", "vise", "druk", "het commando", "herhaal de", "als je", "deze", "de cursor", "gebruik", "voeg", "bestandsnaam", "zorg", "mova", "digite", "teste", "agora", "pressione", "insero", "mais", "lekcja", "przenie kursor", "wcinij", "vima", "wpisz", "teraz", "powtarzaj", "nazwapliku", "uwaga", "jest", "dmesine", "ders", "ilk satra", "bu satrda", "normal kipe", "normal kipte", "daha fazla", "pomerite kursor", "otkucajte", "preite", "imefajla", "rezime lekcije", "za zamenu", "flytta", "filnamn", "normallge", "tryck", "om du", "sammanfattning", "genom", "lekcia", "presu kurzor", "presu", "napsanie", "zopakuj", "poznmka", "lcmessages", "lcall", "slovak tutor", "vim tutor", "amatria", "thevimproject", "slovak", "czech", "number", "motion", "ignore", "hjkl", "by gi", "di chuyn", "cu lnh", "u tin", "thay", "tntptin", "nu bn", "tng kt", "vim c", "lodi", "caps", "lock", "abc de", "command", "krishna", "spellerrors", "display dpy", "none", "false", "xfree", "sendinit", "isserialname", "staticspace", "xsync", "sendtovim", "main", "k command", "shell script", "vt100", "term vt100w", "dec locator", "vsnet", "tools", "external tools", "title", "arguments", "curline", "itempath", "init dir", "empty", "fbshtagsfp", "create", "options", "tags", "bourne shell", "perl", "fbkshfp korn", "tcl shell", "tk windowing", "parse", "new buffer", "buildcasetable", "printf", "buildwidthtable", "keys", "parsefoldprops", "parsewidthprops", "variabletags", "argv", "stephen riehm", "david woodfall", "getopt", "v include", "print version", "suppress", "reason", "file", "severity", "o ccfilter", "following", "this first", "ccfilter", "quickfix format", "though", "start", "john lange", "primitivem", "errorformat", "perl script", "executecore", "aerts", "sw developer", "sony telecom", "europe", "b1130 brussels", "belgium", "port", "host", "server", "vim channel", "chopen", "localhost8765", "json message", "linelength", "compilernames", "irix", "solaris", "hpux", "pablo ariel", "c compiler", "compilerqty", "usage", "project", "collector", "written", "ives aerts", "notes", "r decrement", "v verbose", "outputs", "o treat", "program", "q errorfile", "stdout", "copyright", "joerg ziefle", "perl w", "first", "maketag", "version", "exuberant ctags", "statement", "loop", "michael schaap", "support", "packagename", "look", "february", "push", "sgi mipspro", "error int", "error", "doit", "vim9 function", "nr2char", "c program", "vim quickfix", "awk script", "dec terminal", "make vim", "errors", "begin", "kirchgatterer", "opcodes syn", "addresses", "numbers", "types syn", "blocks syn", "strings syn", "program counter", "hilo byte", "quit", "todo todo", "aappythonscript", "python line", "python block", "blockline", "abap", "statement hi", "string hi", "structure", "vim abap", "abapr4", "marius piedallu", "james allwright", "april", "klmpqwvw", "comment hi", "type hi", "identifier hi", "constant let", "abel", "john cook", "johncook3", "a bunch", "todo xxx", "fixme", "c style", "abaqus", "carl osterwisch", "costerwi", "remark", "abaqus comment", "abaqus keyword", "include hi", "todo hi", "acedb model", "stewart morris", "thu apr", "syntax file", "acedb software", "xref syn", "rest", "preproc hi", "delimiter hi", "nikolai weibull", "include", "useroption", "options medium", "defaultprinter", "outputfirstline", "filecommand", "todo fixme", "martin krischik", "kind", "keyword", "mk bram", "standard", "character", "stype", "date", "vim syn", "altera ahdl", "x syn", "todo", "xnor syn", "specialchar hi", "builtin", "define hi", "builtin rect", "operator hi", "special hi", "dbus", "g3drop", "builtin dump", "builtin number", "builtin call", "redir", "stream", "screen", "function hi", "aflex", "lex syntax", "mathieu clabaut", "lastchange", "ada syntax", "aflex stuff", "patterns", "dominique pelle", "storageclass hi", "keyword let", "endlet", "htmlformat", "htmlcolor", "span", "htmlformatn", "foldcolumnbuild", "css1", "foldedid", "html", "generator", "fixme todo", "xxx note", "spell", "amigados", "campbell", "former url", "syntaxamiga", "krief david", "display drop", "beta cauchy", "irand224 syn", "normal poisson", "antlr4", "another tool", "yinzuo jiang", "jiangyinzuo", "july", "option value", "ben rubson", "hammers", "changelog", "option value1", "option", "value1", "david necas", "yeti", "base", "xxx not", "core", "antlr", "javacc parser", "azaz09", "parserend", "parserbegin", "token skip", "antsyntaxscript", "doug kearns", "zellner", "xmlcdatastart", "xmlcdataend", "xmltag", "xmlendtag", "ayer", "atch", "orkspace", "ngle", "rity", "mbol", "ffset", "istory", "osition", "xport", "stack", "tack", "digi", "flip", "shade", "cluster", "keyb", "arch", "moran", "ecode", "gnu arch", "source", "keyword hi", "simulate", "aptitude", "state", "yann amar", "quidame", "aptconf", "incomplete", "ebug", "autodetect", "fast", "marker", "score", "arduino", "hoff", "october", "license", "vim license", "arduino ide", "erik nomitch", "adam obeng", "artenterprise", "dorai sitaram", "ds26", "thilo six", "number hi", "edfghprs", "gnu assembler", "erik wognsen", "kdahlhaus", "kevin", "label hi", "macro hi", "title hi", "deprecated", "skip", "none hi", "claudio fleiner", "claudio", "end imports", "exports from", "implicitstags", "explicitstags", "absent present", "size universal", "strings", "aspperlscript", "perlscript", "aaron hope", "constant hi", "bwlsdxp", "macro", "specialchar", "error hi", "aspvbserror", "aspvbsfunction", "aspvbsmethods", "aspvbsstatement", "aspvbsnumber", "aspvbscript", "aspvbscomment", "aspvbs", "exits", "floating point", "asterisk", "tilghman lesher", "corydon76", "zonemessages", "atlas", "inaki saez", "jisaez", "flags bef", "orange syn", "containsasytodo", "asymptote", "avid seeker", "c syntax", "autodoc", "berg", "xml dl", "display", "contains", "borz", "kdpds", "oneline", "hotstring", "comspec", "hotkey", "reload", "common", "autoit", "soundplay", "autoit v3", "jared breland", "ping", "shutdown", "vim maintainers", "john williams", "action", "makefile syntax", "avenue", "arcview", "wagner", "esri", "string", "integer number", "operator syn", "xor mod", "hitachi h8300h", "xorc syn", "identifier let", "avr assembler", "avra", "avra home", "avra version", "marius ghita", "mhitza", "gawk ref", "functions syn", "awk ref", "effective awk", "programming", "keeps", "astro", "style", "fold", "enable", "astrojavascript", "htmlpreproc", "wuelner martnez", "html tag", "azaz", "ayaccuniongroup", "ayacc", "clusters", "aunis", "bash", "a formal", "method", "contributor", "csaba hoch", "undef", "defaultchar", "startstartfont", "bdfboundingbox", "containsbdftodo", "bibtex", "bernd feige", "ignore case", "xdata customa", "xref", "ams mref", "data", "basic", "quickbasic", "trim", "metacommands", "kill", "zonenumber", "bind zone", "mehnle", "slava gorbanev", "generates syn", "bcall", "vlado", "keywords syn", "string syn", "comment syn", "parent", "sulejman", "blank", "xspo", "bitbake", "chris larson", "kergoth", "daniel kho", "bsdl", "vhdl syntax", "tim pope", "vimnospam", "highlight", "imperfect", "bstnumber", "entry function", "integers macro", "bazel", "david barnett", "label", "digit", "john leo", "spetz", "boolean", "statuses", "bazaar", "dmitry vasiliev", "dima", "diff", "nospell", "synchronization", "baanerror", "selecteos", "updateerror", "d rows", "default", "selectempty", "selecterror", "updateempty", "union", "hooks", "normal hi", "case", "haskell cabal", "build file", "profunctor", "benchmark", "import", "cabalconfigpath", "cabal config", "original author", "cabalconfigkey", "false ghc", "cabal project", "true false", "cabalprojectnat", "boolean hi", "cparengroup", "cstringgroup", "ccommentgroup", "clabelgroup", "iso c99", "elifs", "ifndef", "ccppoutingroup", "optional", "accept", "public dtddecl", "entity catalog", "errormsg hi", "cdlcommentgroup", "raul segura", "acevedo", "xcheck", "childsname", "parentsname", "grpsdescription", "fixme xxx", "fullburn", "readdriver", "writedevice", "readdevice", "cfgcomment", "uncpath", "cfgstring", "cfgsection", "prischepoff", "on off", "yes no", "dos drive", "zhenyu", "documentation", "and fold", "operator", "punctuation", "transparent", "region and", "cfmlcorekeyword", "linden", "coldfusion", "skipwhite", "nextgroup", "cdrtoctrack", "cdtext", "performer", "silence", "zero", "softintegration", "cc interpreter", "declspec", "exception hi", "structure let", "built", "chaiscript", "jason turner", "lefticus", "escape", "web changes", "andreas scherer", "details", "cweb", "knuth", "silvio levy", "webcweb", "november", "haskell", "armin sander", "changelog file", "menesis", "vinschen", "june", "chatito", "observeroftime", "import syn", "intent syn", "slot syn", "cheetah", "max ischenko", "matches", "precondit hi", "evan hanson", "scheme", "chicken", "repository", "scheme syntax", "lighten", "heredocs", "cc syntax", "hse1", "chorus", "startofverse", "startofbridge", "startoftab", "startofabc", "startofly", "chordfont", "chill", "repeat hi", "avoid", "youngsang yoon", "image", "ccitt high", "this", "ember", "sifs0", "sinclude", "calendarinclude", "andrea callea", "chuck", "object event", "ugen array", "pieter van", "engelen", "arthur van", "leeuwen", "start syn", "int real", "char bool", "zamana", "flagship", "mario eusebio", "accept append", "blank from", "highlight value", "cmake", "comments", "match key", "cmakecachekey", "advanced", "highlight str", "stringstr", "nickspoons", "internal", "clever language", "clever", "multibase", "philip uren", "philuspax", "cmod", "cmodautodoc", "supports", "init init", "exit gcrecurse", "browser", "cocor", "shukla", "any characters", "context end", "from if", "nested pragmas", "to tokens", "cword", "fnameescape", "supplement", "must", "dgacfbe", "clojuretop", "arraychunk", "vecnode", "vecseq", "x00x7f", "partstart", "gondi", "inst", "etcdisktab", "acmsg", "acmsgtype", "hammesr", "yngve inntjore", "levinsen", "khym chanur", "james mccoy", "well", "anything", "conary recipe", "addallflags syn", "run automake", "makeinstall syn", "install copy", "move symlink", "link remove", "doc syn", "crm114", "modemsg hi", "imported", "target", "true", "interface", "quiet", "private", "write", "multi", "never", "unknown", "fatalerror", "sensitive", "android", "download", "guard", "exact", "locale", "trace", "alphabet", "john hoelzel", "hours days", "commands", "llll", "hminsmsusnsi", "ffll", "ken shan", "ccshan", "context", "synname", "startstartz", "endstopz1", "mptop", "luatop", "csccommentgroup", "if else", "endif elseif", "lev sy", "iallancestors", "curgen sy", "warningmsg hi", "essbase", "prior", "descendants", "cshell", "syntaxcsh", "variables", "luul", "csall", "srecord", "az09", "processes", "amsettimer", "sdlmatch", "default hi", "fdr input", "maxim kim", "habamax", "functions", "predefined term", "end predefined", "term variables", "century term", "csdl", "jacek artymiak", "c22032019", "call", "replacing", "comp", "recognize", "ascii", "existing syntax", "ctrlhbold", "ctrlh", "module level", "prop", "media", "cuda", "nvidia compute", "unified device", "architecture", "terriberry", "device global", "host managed", "shared syn", "restrict", "cupl simulation", "cupl syntax", "matt dunford", "sat nov", "statement let", "tex syntax", "cweb source", "cc material", "webincludedc", "double", "rc file", "dada", "dadas", "etant", "scen", "regel", "pero", "esquema", "tapi", "kada", "dados", "maka", "fono", "cupl", "valid integer", "signal", "phil derrick", "phild", "cynpp", "cynlib", "cynlib syntax", "posedge negedge", "changed syn", "instantiate", "out inst", "url http", "default cynscon", "standard syntax", "include debian", "match uri", "addremove", "byhash", "christopher", "dcod trts", "tnxt crlf", "labl syn", "cequ cneq", "cgte clte", "cbit clse", "dcomment", "jason", "pragma", "4857", "digital command", "sword", "mine", "conditional hi", "dart", "eugene pr3d4t0r", "ciurana", "former", "gerfried fuchs", "alpha", "rust", "datascript", "dscommentgroup", "comment let", "debcopyright", "orig author", "rob brady", "robb", "wu yongwei", "library stub", "code windows", "dos syn", "exports imports", "dep3 patch", "gabriel filion", "gabster", "specification", "authorfrom", "adminemail", "lockfile", "matthijs", "match", "ttext", "ccategory", "fflag", "llicense", "rock linux", "ren rebe", "spell syn", "lastline syn", "filter", "disablestrat", "s un", "r en", "jakson alves", "ansi sgr", "ansi sgr8", "jan larres", "term left", "black", "green", "contact", "charityware", "uganda", "entry", "block", "parasitic", "parameter", "devicemos", "rules", "device", "diva", "toby schaffer", "categories", "exectryexec", "unmounticon", "at wp", "chat", "django", "django template", "dave hodder", "dnsbind zone", "docbook sgml", "cest let", "docbook xml", "docbook", "devin weaver", "shlomi fish", "auto detect", "syntax xml", "sgml", "syntax sgml", "rory hunter", "json", "dockerfiles", "honza pokorny", "onbuilds", "from", "add arg", "cmd copy", "mike williams", "mrmrdubya", "windows nt", "msdosms windows", "mckee", "nima talebi", "hong xu", "sept", "keyword hilink", "hilink", "error hilink", "nargs hilink", "markus mottl", "enclosing", "scott bordelon", "wed apr", "cadence", "automation", "design rule", "checking", "layout", "schematic", "dsssl", "cest", "example", "xmlregionhook", "dtml", "dtml syntax", "zope", "markup language", "jordaan", "doxygenhtmltop", "synlink", "link", "syncolor", "strong", "reflink", "cpreprocgroup", "actions", "dtrace d", "d script", "solaris dynamic", "tracing guide", "nicolas weber", "nicolasweber", "first line", "probe", "turn", "entity", "matchgroupnone", "document type", "definition", "brabandt", "dune", "anton kochkov", "samuel hym", "simon cruanes", "kawahara satoru", "urkedal", "etienne millon", "dylan", "justus", "fri sep", "include let", "dylan library", "interface files", "brent fulgham", "bfulgham", "string let", "fulgham", "dnsmasqkeyword", "dnsmasqrange", "editorconfig", "anders", "edif version", "edif", "artem zankovich", "zartem", "5481988", "john beppu", "beppu", "ecd file", "embedix linux", "elm filter", "syntaxelmfilt", "elmfiltnumber", "brssow", "environments", "wraparound", "elinksnumber", "elinkscolor", "savingstylew", "imagelinksuffix", "homepage", "current void", "selse", "sthen", "eiffel", "joseph hager", "ajhager", "typedef hi", "lambda", "xxxx", "kresimir marzic", "oscar hellstrm", "oscar", "kornel", "syntax", "label highlight", "type highlight", "identifier", "george", "exec sql", "preproc let", "esterel", "luca necchi", "nikos andrikos", "esterel regions", "esterel types", "esterel comment", "identifiers", "euphoria", "builtins", "function", "reset", "should suffice", "etermgeneral", "d0xx", "mod5", "rubytop", "eruby", "erubysubtypezsw", "conventional", "text", "generated file", "david nev", "setup", "expect", "normal expect", "ralph jennings", "knowbudy", "user", "sysv", "bsd isms", "syntaxexports", "optset", "eviews", "vaidotas zemlys", "zemlys", "az4857", "assembler", "fasm", "ron aaron", "vim url", "fasm home", "fasm version", "xmm0 xmm1", "xmm2 xmm3", "dwayne bailey", "dwayne", "fdcc", "definitions", "iso tr", "unicode", "shell command", "output", "array", "fantom", "service", "bridle", "informix", "update", "abort abs", "absolute accept", "access acos", "add after", "allocate alter", "drop", "fishnext", "fishstatement", "fishterminator", "fishargument", "nicholas boyle", "flexwiki", "reilly", "home", "fuse", "modify", "table", "pascal makefile", "sections", "comments syn", "forth79", "forth83", "char", "forth83 syn", "body", "noname", "class", "local", "tung", "thu oct", "thomas reiter", "manipulation", "book", "document", "textfile", "apply", "formats", "popu", "crea", "modi", "memo", "defi", "disp", "dele", "appe", "repl", "proj", "alia", "cmon", "nvert", "mwin", "uniq", "blin", "carr", "story", "mult", "rator", "fortran", "ends", "cray", "ulllull", "stop", "fvwmm4", "mainsyntax", "fvwm2m4", "include m4", "include fvwm2", "fvwm1", "hss1", "general syn", "szsw", "check", "journal", "hold", "fvwm", "cursormove", "edgeresistance", "modulepath", "noborder", "windowlistskip", "backcolor", "sticky", "refresh", "buttons", "exclam", "slash", "gdmo", "iso101654", "guidelines", "managed object", "gyuman", "chester", "godot resource", "section syn", "ssss", "gdb command", "simon sobisch", "isplay", "unset", "linkurl", "gemtext markup", "suneel freimuth", "heading", "list", "quote", "heading special", "list statement", "godot", "bug hack", "gitdiff", "dddd", "endt", "commit", "question hi", "giftcef", "linenr hi", "giftceffw", "giftce", "conceal hi", "gedcom", "paul johnson", "december", "abbr addr", "adop adr1", "adr2 afn", "godot gdscript", "website", "pattern", "attribute syn", "macro syn", "gitcommitdiff", "your", "todo let", "crrw", "creator", "xexec", "syn match", "az4857 syn", "adam monsen", "opengl shading", "modified", "godoc", "title let", "gocommentgroup", "chan", "foldenable", "packagecomment", "integer hi", "todo regexp", "todos", "josh wainwright", "dot ja", "at gmail", "dot com", "karim belabas", "texstyle syntax", "todo syntax", "todd zullinger", "daniel kahn", "gillmor", "containsgpgtodo", "gprof output", "flat profile", "gretl", "gretl genr", "variable", "grads", "fronzek", "grid analysis", "display system", "grads scripting", "variables syn", "gnashkeyword", "gnashcomment", "gnashtodo", "solreadonly", "solsafedir", "john marshall", "jmarshall", "pedro alejandro", "lpezvalencia", "ddd0xx", "pager", "terminal", "chainloader", "groovytop", "exception", "groovy", "debug hi", "gtk theme", "packer", "conceal", "json syntax", "single", "trailing commas", "fixme note", "gnu server", "pages", "source html", "include java", "redefine", "argc argv", "begin begg", "end endg", "graph", "vim source", "matchlist", "vimsrcdir", "both", "getqflist", "cent", "kword", "c function", "small", "light", "vimcontinue", "endstr", "gensynvim", "vim9 syn", "vimexprlist", "magic", "hamlrubytop", "hamlcomponent", "hamltop", "haml", "hamlhtmltop", "david fishburn", "sun oct", "hamster classic", "hamster", "harepostfix", "hare", "vim syntax", "amelia clarke", "selene", "haredoc", "miscellaneous", "haste", "vlsi ic", "c preprocessor", "09afaf", "treat", "varid", "error let", "hbfilename", "hbhtmlstring", "hbhtmltagn", "hbhtmltag", "hbdirectivelib", "hbdirectiveset", "hbdirectiveout", "kkmmgg", "upstream", "a block", "szskkzes", "vim program", "restorer", "defunct", "aprl", "helplang", "intel hex", "sams ricahrd", "data digit", "folding data", "records", "record syn", "ignore hi", "vim help", "ident", "dana edwards", "danaedwards", "ic design", "preprocessor", "spacings", "resolutions", "ranges", "slhg", "hgcommitdiff", "sapling", "ken takata", "kentkt", "max coplan", "float hi", "hls playlist", "benot ryder", "comment line", "hogvar", "hogopnot", "hognumber", "hogipaddr", "hogcomment", "hogport", "hogoprange", "hogcomment syn", "hogstring", "bind", "elseif", "html template", "dennis", "htmltop", "htmljavascript", "onas", "htmlxml", "idem", "aria", "m4top", "htmlm4", "htmlos", "repeat syn", "aestiva", "jason rust", "jrust", "django html", "scomment", "i3configident", "i3configstrin", "i3configvalue", "focus", "i3configsh", "i3configstrvar", "i3configcommand", "i3configcolvar", "moving", "itanium", "parth malwankar", "pmalwankar", "file version", "masm syntax", "mark manning", "markem", "allan kelly", "ibasic file", "icewm menu", "james mahler", "fri apr", "icewm", "ids menu", "icon special", "icemenu", "data language", "ajelenak", "paren hi", "paren", "billshannon", "nlps", "npro", "graphics", "iconpregroup", "icon", "wendell turner", "prelude", "inbpc", "ddspe", "leaderscopy", "fontname", "badness", "elan ruusame", "shtop", "value", "args", "substituted", "macros", "ipfspecial", "ipftodo todo", "hendrik scholz", "hendrik", "openbsd pf", "ipfcomment", "xxx fixme", "donovan keohane", "syndisplay", "global", "verbextend", "double2", "snote", "david brgin", "dbuergin", "continuedoelse", "argv binpath", "cr crlf", "del debug", "eav empty", "inno setup", "my innosetup", "jason mills", "enterdisk syn", "sdsetuptype syn", "ifdef", "elif", "else", "cortopassi", "istoutspec", "peter meszaros", "pmeszaros", "istinpspec", "istcharacter", "istnumber", "istcomment", "jamcommentgroup", "jamparengroup", "ralf lemke", "xxx syn", "jargon file", "dan church", "label let", "javascript", "jls17", "see https", "javatop", "javadoctags", "javahtml", "tx0cr", "javamarkdown", "markdowninline", "jinja", "jinja template", "names syn", "standard jess", "jess", "paul baleme", "pbaleme", "jonas munsin", "xaxis yaxis", "x cross", "number let", "javacc", "java compiler", "javasoft", "vim compiler", "vito", "doc comment", "note xxx", "jspjava", "java server", "rgarciasuarez", "darren greaves", "patch", "thomas kimpton", "software", "eli parra", "json keywords", "jsonc", "izhak jakov", "izhak724", "acknowledgement", "kevin locke", "remove syntax", "json5", "mazunki hoksaas", "guten ye", "ywzhaifei", "syntax setup", "endz1", "kconfigconfigif", "abstract", "juliaexprsnodot", "regex", "naninf", "kdlnumber", "kdlnumber d", "aram drevekenin", "kotlin", "generated", "annotation syn", "kix2001 syn", "kixtart", "handle", "trap", "michael piefel", "entwurf", "cpp mode", "preproc", "error highlight", "storageclass", "delimiter", "sysvars", "false true", "kivy", "corey prophitt", "corey", "load python", "kivy language", "define kivy", "lace", "jocelyn fiat", "constants syn", "latte", "nick moffitt", "pre tag", "elsa", "glapagrossklag", "riley bruins", "ribru17", "keywords syntax", "sections memory", "overlay phdrs", "version include", "absolute addr", "names", "ldapconfcomment", "iso dialect", "modula2 dialect", "modula2 input", "styles", "error endif", "august", "pim dialect", "modula2", "longbitset", "procedure", "r10 dialect", "sto dos", "ldap ldif", "zak johnson", "zakj", "less", "jenoma", "todo optimize", "orce", "arset", "prox", "cache", "agent", "haskelltop", "lhstexcontainer", "ian lynagh", "tex markup", "bird style", "markdown style", "tex style", "lexccode", "user code", "flex", "van engelen", "patrick texier", "lifelines", "xref tag", "liquid", "liquidstatement", "yaml front", "matter", "liquidyamltop", "acdfmnrstuklp", "lilonumber hi", "number list", "niels horn", "lite", "liteinside", "lutz eymers", "ixtab", "email", "sql syntax", "errmsg", "livebook syntax", "lisplistcluster", "clisp ffi", "standard lisp", "keyword lispkey", "litestepdir", "litestep rc", "nethood", "winnt", "lotos", "is8807 syn", "specifications", "is8807", "daniel amyot", "damyot", "wed aug", "except", "logtalk", "logtalk entity", "term", "logic", "chfnauth", "chshauth", "createhome", "defaulthome", "lout", "report", "lambdaprolog", "teyjus", "vim version", "general", "lpccommentgroup", "lpcefungroup", "nodule", "lpcparengroup", "lpcpreprocgroup", "echo", "poet", "timo frenay", "timo", "labels syn", "lotusscript", "taryn east", "ultraedit", "textpad", "activateapp as", "base beep", "call case", "scott bigham", "colorterm", "luau", "marcus aurelius", "farias", "carlos augusto", "collapsebrtags", "lynx web", "lynx", "todo note", "uploader", "lyrics", "lrcnumber", "quake", "operators", "hascbackend", "pkg syn", "definelib syn", "definepgm syn", "importm3lib syn", "fleiner", "mainsyntaxm4", "mailquoteexps", "mail", "felix von", "leitner", "am est", "ascii character", "froms", "mallard", "jhradilek", "mallard markup", "draft", "skipnl", "roland hieber", "overrule", "ostype", "manconfcomment", "build", "suffix", "mason", "perltop", "hinrik rn", "sigursson", "pentium", "abgl", "ceopsz", "offset", "align", "floatingpoint", "vpmaxsq syn", "integer", "maple", "release", "focus master", "define syntax", "filename suffix", "segname segtype", "mtaddon", "matlab", "alex burka", "bbddeess", "all functions", "except keywords", "maxima", "robert dodier", "mermaid", "craig maceahern", "4857192255", "self", "accdescr", "click", "meson", "liam beguin", "zpetkovic", "disabler", "wikitop", "containshtmltag", "wikitableformat", "mediawiki", "yakov lerner", "rfc3339", "james vega", "zsdze", "melgroup", "maya extension", "robert minsk", "jason franklin", "sunghyun nam", "goweol", "mudunuri", "version info", "ctrlh syntax", "markdown", "matchstr", "metafont", "page", "latest revision", "magic point", "spam", "xfont vfont", "gero kuhlmann", "gero", "snmpv1", "snmpv2 mib", "martin smat", "msmat", "david pascoe", "pascoedj", "ax16", "donald knuth", "taocp", "mmix", "dirk hsken", "knuthstyle", "precondit endif", "pcimapfile", "parportmapfile", "model", "nil nil", "true syn", "symbols", "mmatop", "stub", "peter funk", "getdialect", "timo pedersen", "dat97tpe", "whitespace", "any array", "mookeyword", "dilnt", "multiplication", "mojonumber", "mojo", "stuff", "monk", "seebeyond", "mike litherland", "dirk van", "deun", "metapost", "manual", "autosync", "dumpvideo", "loadidx", "rawvideo", "tsprog", "color", "tabtitle", "am cdt", "pm est", "dummy", "ms message", "kwl7", "common ms", "messages", "ms idl", "vadim zeitlin", "vadim", "msql", "env variables", "inlclude", "modsim iii", "philipp jocham", "march", "actid all", "and as", "murphi model", "diego ongaro", "integers", "nspemit", "switch", "mushcode syntax", "rick bird", "clock", "dbck", "dump", "hook", "motd", "notify", "nuke", "restart", "snoop", "stats", "teleport", "attributes", "prettyprint", "libpath", "promylibdir", "attributes syn", "mupad source", "dave silvia", "dsilvia", "ymwd", "cciskaf", "float", "mysql", "pronovici", "encrypt", "namednotnumber", "nick hibma", "location", "marcin", "chaos", "dmap", "modules", "control section", "nastran", "tom kowalski", "any integer", "n1ql", "eugene ciurana", "merge syn", "nest syn", "pr3d4t0r", "vim command", "natural", "nasm", "iend", "movs", "time", "interval", "size", "directory cache", "cache buffers", "minimum file", "count", "daylight", "miner", "keith smiley", "login", "netrwtreegroup", "diffchange hi", "netrw listing", "toplevel", "readtoken", "nixexpr", "daiderd jordan", "daiderd", "region match", "bufenter", "syntax event", "synset", "checked", "muttvars", "neomutt", "bounce", "nsisanyopt", "statements", "nsis", "music", "rcx2", "scout syn", "rcx2 syn", "nqcparengroup", "rcx syn", "nqccommentgroup", "modes", "scout", "stefan", "module", "nginx module", "nginx", "http", "gost", "comet", "speed", "sphinx", "curv", "mtllibs", "exmaintainer", "anthony hodsdon", "objc syntax", "odin", "ms44", "and or", "occamnumber", "group", "omnimark", "paul terray", "mailto", "activate again", "catch clear", "close copy", "ocamltypeexpr", "ocamlallerrs", "jon parise", "ondirshell", "operator let", "objc type", "smes12", "qualifiers", "smes7", "smes19", "preparation", "protected", "structure hi", "openscad", "niklas adam", "luis moreno", "abort all", "alter and", "any as", "asc at", "oplstatement", "oplnumber", "open psion", "epoc16epoc32", "af09", "openvpn", "openvpnnumber", "openvpnsignal", "hupinttermuser", "containstop", "keepend", "eval", "menumode", "endurance", "blade", "illusion", "sneak", "onload", "disablemouse", "getclass", "notes todo", "containsallbut", "spells", "ronan pigott", "ronan", "alpm", "tcpip", "gclckprocs syn", "oracle config", "sandor kopanyi", "oraall", "protocol syn", "bequeath syn", "latest change", "haochen tong", "withconceal", "inlinecode", "super", "pappperl", "papphtml", "cdata", "perlinterpdq", "marc lehmann", "perlexpr", "config file", "lennart schultz", "string keywords", "protobuf text", "lakshay garg", "crgut", "tim chase", "austin", "pcctsinrule", "cpptoplevel", "pccts", "nextstep syn", "openbsd packet", "lauri tirkkonen", "sloadsanchor", "phtml", "perlinterpsq", "perlinterpmatch", "perlinterpslash", "perldata", "portb syn", "intcon syn", "gie eeie", "t0ie inte", "rbie t0if", "intf rbif", "microchip", "pdfxml", "nrtbf", "font", "palm os", "schau", "font id", "beware", "data syn", "postfix", "kelemen peter", "peter", "kelemen", "anton shestakov", "pikestmt", "pikebadgroup", "pike", "pine", "thu feb", "macro let", "httpviewer", "infopath", "longmanuallinks", "filter0xb7", "plaintexmath", "glue", "acute", "cdhoopstuvijll", "rrowvert", "skewsqrt", "mega", "phpinnerhtmltop", "phpclfunction", "phpcltop", "refer", "cphil", "number support", "c language", "does", "address and", "dword", "juerd", "plpperl", "plpend syn", "counter syn", "pl1commentgroup", "pl1parengroup", "declare dcl", "procedure proc", "loops", "podformat", "ibsclfx", "perl pod", "poe item", "show hide", "minimal", "address", "obsolete", "openclose", "bjoern jacke", "bjacke", "povray", "syntax syn", "off true", "false yes", "ppwizard", "dennis bareis", "ppwizargval", "constants", "plsqlparengroup", "oracle", "plsql", "klaus muth", "klaus", "altf amcr", "arc asfn", "astk barc", "blk box", "call syn", "cass cir", "melchior franz", "mfranz", "sonia heimann", "todo tbd", "privoxy", "prolog", "promela", "mon oct", "thu aug", "promela types", "class linking", "ps ll3", "dsc comment", "device gstate", "ps level", "postscrstring", "escaped", "matrix", "courier", "buffers", "redistributions", "this software", "including", "but not", "limited to", "pbcommentgrp", "google", "az09az", "posix", "rex barzee", "rexbarzee", "aclqrv", "a af", "ag ax", "e ef", "eg ex", "certain", "ps1comment", "purify header", "informational", "warning", "corrupting", "fatal", "haakon riiser", "hakonrk", "c syn", "pypa", "commands syn", "globs", "line break", "pyrex", "marco barisione", "python syntax", "olor", "chars", "progress", "ation", "progressdebug", "progressnumber", "edure", "progresstodo", "eter", "daniel", "sage", "widget", "rage", "python library", "reference", "quarto", "aquino", "vim runtime", "quickfix", "directory hi", "hee1", "lookdown lookup", "quakeoctalerror", "quake12command", "noprefix", "console", "onoff", "qb64", "z2z1", "qmlexpr", "radiance scene", "georg mischler", "radiance", "greg ward", "surface", "raccruby", "rule", "racc input", "dobie", "xdobie", "handling", "vector", "types syntax", "raml", "restful api", "hopkins", "rofi advanced", "pierguill", "common rc", "resource", "heiko erhardt", "language syn", "bitmap icon", "cursor cursor", "cmash", "ratpoison", "magnus woldrich", "djkea2", "bulls eye", "force control", "number syn", "rapid", "azazxc0xff", "azazxc0xff09", "rakuinterpqq", "rakuregexen", "rakuregexp5", "rcs log", "joe karthauser", "rcs file", "revision", "yyyy", "rebol", "yer todo", "words syn", "view", "view tabs", "spaces", "vicharsearch", "viprevword", "viendword", "visearchagain", "vinextword", "registry key", "registry export", "ulitin", "head", "regedit4", "win9", "bytes", "paths", "xxx bug", "davide alberani", "remind", "ben orchard", "rem omit", "mit license", "raimon49", "permission", "software is", "resolvipcluster", "ipv6 support", "09azaz", "radu dineiu", "hidesymbol", "r help", "r code", "epsilon", "kappa", "slabelsk", "over", "relax ng", "containsrnctodo", "rnoweb", "highlighting", "rnowebr", "ranke", "ferraz pereira", "rosa", "extension", "bytestream", "andrew bromage", "frameend", "worldbegin", "worldend", "attributebegin", "attributeend", "todo improve", "handles", "todo are", "redif", "axel castellane", "templatetype", "and add", "alex zvoleff", "configuration", "r syntax", "syntaxrpcgen", "mikrotik", "cidr notation", "cycle", "exit", "catch", "rpl2", "rmdlatex", "yaml header", "highlight code", "rmdr", "text format", "rich text", "control words", "new control", "rstcruft", "salt state", "jinja runtime", "star", "disallow syn", "disallow", "samba", "new maintainer", "ntlmv2 syn", "synfold", "rubymodifier", "sasbasicsyntax", "add syntax", "sasgraph", "yrdif yyq", "template", "mixin", "extend", "return", "steven dobay", "stevendobay", "sather", "science", "institute", "dede", "scilab", "benoit hamelin", "containedgroup", "preproc syn", "aclchg", "acldel", "aclgrp", "aclumask", "lockscreen", "zombie", "scss", "puria nafisi", "azizi", "always", "ip adresses", "verify", "synopsys design", "constraints", "tcl vim", "thu mar", "tcl syntax", "tcl extension", "xor syn", "task else", "nextstate syn", "in out", "with from", "ebcdic", "closedelay", "txtrigger", "spdnormal", "portd", "comment hilink", "sexplib", "atoms syn", "lists", "clst", "sgml charset", "capacity scope", "features", "baseset descset", "simple", "shfoldheredoc", "shfoldifdofor", "shlooplist", "shfunctionlist", "shidlist", "shecholist", "shcaselist", "shdblquotelist", "provides", "sgml specific", "space crlf", "dquote syn", "percent", "mp luacall", "alephversion", "uchar", "udelimiterunder", "umathchardef", "umathruleheight", "umathstackvgap", "umathxscale", "uoverwithdelims", "hai tp", "bestanden", "hanya dalam", "fiierele", "tp tin", "aemacron amstex", "aacute", "abrevehook", "afterpar", "agrave ahook", "amstex amacron", "atilde", "beforepar beta", "bigm", "delta", "oldstable", "experimental", "bullseye", "trixie", "forky", "focal", "jammy", "devel", "buzz", "maverick", "keyword syntax", "typescriptvalue", "title syntax", "typescripttype", "blabla", "sicad", "zbranyiczky", "irpt", "irptl", "mes1", "swift project", "simula", "simula syn", "keyword end", "when", "nagle", "main url", "comparison", "load sinda", "on si", "off eng", "sieve", "skill", "nsqn", "dirfile", "pnamestring", "pathversion", "schemeskill", "afterbefore", "tolist", "renderman", "dan piponi", "specialkey hi", "headers", "nontext hi", "jan hlavacek", "xuserblock", "for loop", "userblock", "null syn", "tracedrop", "daheartbeat", "slpregcomment", "spi file", "private public", "slrn score", "preben peppe", "guldberg", "age bytes", "syntaxsm", "smarty", "mon nov", "constant", "slice", "zeroc", "morel bodin", "smcl", "stata markup", "jeff pitblado", "jpitblado", "statasmcl", "directive", "smith", "smil", "herve foucher", "smil boston", "animation syn", "smlallerrs", "smlaenoparen", "fabrizio zeno", "cornelli", "zeno", "snns network", "snns http", "lln lun", "toff soff", "ctype syn", "snns", "maximum", "maximum output", "stringcomment", "initvalvalstr", "mono", "snobol4", "rafal sulejman", "site", "csnobol", "parens", "cothi", "afpnumkg", "spice circuit", "noam halevy", "insensitive syn", "spice", "splintallstuff", "splintannotelem", "ralf wildenhues", "splint home", "c code", "purpose", "buildinstall", "linux rpm", "freund", "ormeir", "wed oct", "spyce", "rimon barr", "rimon", "spupordinary", "input output", "spuptextproc", "type stream", "bugs", "execution", "snns result", "fishburn", "thu sep", "sqloracle", "buffer", "sqlforms", "austin ziegler", "prev change", "todo find", "xpos", "java syntax", "sqlj", "sap hana", "upper case", "upper", "schema syn", "user syn", "memory database", "sql syn", "spl syn", "comment syntax", "query language", "adaptive server", "anywhere", "xpscanf syn", "methods syn", "starea syn", "stcentroid syn", "stperimeter syn", "paul moore", "oracle nquote", "diffadd hi", "diffchange let", "section", "query report", "writer", "nathan stratton", "treadway", "jeff lanzarotta", "squid", "thanksto", "ilya sher", "iso8601", "subrip", "range syn", "ddd skipwhite", "bold", "sections syn", "override", "smalltalk", "arndt hesse", "hesse", "openssh client", "jakub jelen", "jakuje", "dominik fischer", "openssh server", "conditional", "repeats", "types", "globals", "statafuncgroup", "statamacrogroup", "stataparengroup", "rmcoll syn", "invftail", "invibeta", "haseprop", "mata", "structurizr dsl", "venthur", "hsiaoming yang", "lepture", "marc harter", "sudoersuser", "lazy", "generic", "swig", "julien marrec", "apache license", "runtime library", "vim maintainer", "emir sari", "nowarn", "i3confignumvar", "endze", "josef litos", "james eapen", "nargs syncolor", "nargs synlink", "syncolor type", "syncolor ignore", "syncolor added", "preproc synlink", "type synlink", "special synlink", "budden", "ingo karkat", "myk taylor", "install syntax", "syntax au", "systemverilog", "verilog syntax", "tads", "amir karger", "karger", "history info", "syntaxtags", "tak2", "tak3", "tak2000", "tak compare", "tak output", "load tak", "tar listing", "type let", "john florian", "wed jul", "key names", "values", "characters", "uuids syn", "rufus cable", "verbose tap", "rufus", "tap output", "pass", "foolman", "cmovsetj", "borland", "united force", "vector graphics", "verbose", "known template", "xfire user", "tcshvarlist", "tcsh", "gautam iyer", "ttlconstant", "term language", "tera term", "kcpy kcrt", "eenlrtbfs", "xhp xhpa", "xt xenl", "msgr", "tclspecialc", "tcltk", "taylor venable", "taylor", "system", "geometry", "tss syn", "typescript", "kao weiko", "jose elera", "campana", "zhao yi", "scott shattuck", "irc channel", "freenode", "vim filetype", "andy lester", "tt2topcluster", "typescriptreact", "react", "strpart", "include perl", "rawperl", "moriki", "atsushi", "ucnumber", "unrealscript", "openwrt unified", "colin caine", "fancy", "normal let", "typstcode", "matchgroupnoise", "noise highlight", "hashtag", "typstmarkup", "noise", "motif uil", "user interface", "thomas koehler", "september", "import hi", "anton", "prunefs", "prunenames", "prunepaths", "prunebindmounts", "upstart", "upstart job", "michael biebl", "biebl", "james hunt", "archivebit syn", "datelimit syn", "daysold syn", "deleted syn", "destination syn", "dirsonly syn", "drivealias syn", "filedate syn", "filedelete syn", "files syn", "msid", "innovation data", "rob owens", "ull ulls", "msg types", "ip address", "agtpcsrv", "profile", "version date", "ms windows", "action devpath", "valgrind memory", "debugger output", "roger luethi", "program url", "christoph gysin", "valve data", "tag syn", "wend", "prather", "pratam", "minor", "iskeyword", "xnor xor", "veraparengroup", "veralabelgroup", "vhdl", "linting", "vhsic", "high speed", "new style", "verilog", "mun johl", "485763", "vos cm", "andrew mcgill", "az syn", "bwlfdgh", "fdgh", "bwlqofdgh", "psect", "virata aconfig", "virata", "viratahexnumber", "execoptions", "ewind", "uffer", "malt", "wind", "vrmlevents", "vrmlfields", "vrmlcomment", "vrmlprotos", "vrmlnodes start", "externproto", "proto", "vgrindefs", "vgrindefs file", "profilesetzss", "java source", "parmp", "novimmain", "extern", "mswin", "featguimswin", "vimdll", "editnone", "level", "heading level", "vimtestsetup", "noop", "java language", "nontext", "returns", "chapter", "annotations", "labels", "text text", "tag head", "void", "htmlsnippets", "object", "object apply", "object bb", "no operation", "u003b", "n value", "pair", "long", "generics", "predicate", "vimtestsetup hi", "error import", "nontext class", "see jls", "declaration", "taggable", "binaryoperator", "i1 x", "i1 y", "string str", "taggable i1", "letters", "letters alpha", "letters beta", "tag tail", "use identity", "supplier", "tests", "identity", "comparable", "intfunction", "a dummy", "tggabl", "string s", "string tostring", "do not", "this file", "indent4", "indent2", "indent8", "tggabls", "fields", "classlock", "defines demo", "testable", "serviceloader", "malformed", "woof", "string s1", "string s2", "browns", "jumpss", "string s4", "string s6", "string apply", "string bay", "as quick", "woofs", "beta", "yieldable", "t yield", "other", "colon", "arrow", "unfoldenable", "italic", "strikethrough", "bold italic", "foobar", "modula2 pim", "test file", "colouring", "is licensed", "under the", "from system", "modula2 iso", "retain", "to do", "modula2 r10", "unsafe", "cardinal", "var abc", "variableb", "variablec", "var3", "var4", "var5", "var6", "variablea", "variabled", "variablee", "variable3", "varb", "variable1", "variable2", "varc", "vard", "variable4", "function1", "function4", "function2", "function3", "eq ne", "gt ge", "le lt", "ne gt", "ge le", "variableathis", "valsubfunc", "below", "reply", "issue", "cfoo", "ifoo", "interrupt", "ctrlc", "e123 catch", "varvalue", "cdpath", "backuptype", "defaultdevice", "executefbackup", "shall", "please wait", "buffer foo", "nargs range", "completer1 foo", "completer2 foo", "foo2", "bang", "nargs foo", "foo delcommand", "multiline", "commenttitle", "end augroup", "autocmd", "fixme call", "matched", "start not", "end not", "end call", "xterm call", "givename", "vim9", "test const", "foo def", "ex command", "dict", "end endfunction", "end enddef", "answer", "warningmsg", "endwhile", "dotest3", "dotest4", "dotest5", "dotest6", "test1", "test2", "test3", "test4", "test5", "funa", "dofuna", "funb", "dofunb", "func", "dofunc", "fund", "dofund", "foo delfunction", "foo function", "foo comment", "foo none", "guifg", "comment none", "ctermfgcyan", "end end", "end let", "end line", "end line1", "a basic", "rhs map", "foo bar", "fubar", "needle", "foogroup foo", "foogroup", "homeinclude", "defabc", "snomagicfoobar", "smagicfoobar", "special", "line comment", "b special", "char0x0044", "testcluster", "cchar", "keywords list", "vim line", "element", "x1f xf", "31 3", "u02a4 u000002a4", "string escape", "hexadecimal", "0xff echo", "decimal", "octal echo", "0377 echo", "vim shebang", "instance", "pairclasstest", "vim keymap", "end const", "expr", "foo unlet", "vim comment", "vim9 ex", "end foo", "xterm foo", "eof foo", "vim9script", "s vim9script", "12345", "0b10101010", "192939", "0777", "0o777", "0xabcdef00", "0x12345678", "runtest", "rticle", "syntax test", "file 0", "dougkearns", "2024 jun", "13 0", "test failures", "when comparing", "italicized text", "eading level", "igure", "eader", "frame", "diomatic text", "nput", "utput", "icture", "rogres", "cript", "earch", "ection", "elect", "reformat", "failure 0", "egend", "oscript", "bject", "ptgroup", "ption", "trong", "tyle", "able", "emplate", "extarea", "itle", "ource", "olgroup", "atalist", "etails", "ialog", "ieldset", "igcaption", "eleted text", "mphasis", "mbed", "side", "udio", "lockquote", "anvas", "aption", "ring at", "ideo", "cronym", "rame", "rameset", "arque", "enuitem", "rack", "narticulated an", "oframes", "trike", "ortal", "aram", "trikethrough", "highlighted", "elements have", "never be", "mage", "interface 0", "efault 0", "mport 0", "redundant", "tail", "alue", "nterface 0", "primer", "label 0", "tatic 0", "oid 0", "edundant", "identity cast", "expres", "to nest", "typeuse an", "htmlcom", "here is", "snip", "tmlsnip", "egion 0", "literal", "html com", "no entry", "point method", "code main", "return 0", "code nul", "eturn 0", "noop1", "may be", "used after", "noop2", "literalu0", "is proces", "return 8", "noop5", "nbsp", "noop6", "noop7", "link j0", "javaignorej0", "vimtestsetup s0", "fen 0", "nt 0", "majorversion", "empty string", "rotected 0", "compares this", "instance with", "the pas", "code that", "no period", "for the", "above sum", "rivate 0", "htmlsnip", "return an", "link m0", "execute", "match visual", "fen c0", "ref0", "literals", "clas", "tostring", "start 0", "ostring 0", "replace 0", "ubstring 0", "noop8", "noop9", "markdowncom", "arkdownsnip", "markdown com", "code public", "the method", "must be", "declared", "code 0", "the major", "java version", "used with", "inal 0", "markdownsnip", "blanks and", "re 0", "static void", "param a0", "rgs 0", "optional c0", "arguments 0", "invoke", "nontext 0", "hrow 0", "ew 0", "object module", "object open", "exports opens", "requires", "bject 0", "eplacement 0", "ar 0", "opens", "object opens", "object provides", "object requires", "object to", "uses", "xtends 0", "mplements 0", "ealed 0", "ermits 0", "bstract 0", "c1 i0", "noop3", "noop4", "a sum", "foldingtests", "static", "object b", "escapestests", "static final", "string hel", "har 0", "0ffffff0", "1200", "1210", "1230", "1240", "1250", "1260", "1270", "1300", "1310", "2040", "3240", "0100", "0120", "0130", "0140", "0150", "0160", "0170", "0200", "0210", "0230", "biginteger", "t1 x", "uper 0", "e element", "radix", "ecord 0", "tatic", "t dum", "isempty", "ublic 0", "ase 0", "ong 0", "witch 0", "genericstests", "todo 0", "3400", "3410", "3420", "3430", "3450", "3460", "3470", "3500", "3510", "3520", "sempty", "opal", "opsome", "ushal", "ushsome", "adix", "romdecimal", "lambdaexpres", "leftconst07", "leftconst08", "leftconst09", "i1 0", "leftconst10", "leftconst1", "leftconst01", "leftconst02", "leftconst03", "leftconst04", "leftconst05", "leftconst06", "leftconst", "const1", "const2", "witch", "hen 0", "alpha w0", "beta w0", "equals", "leftconst12", "typearguments", "identifier 0", "nteger", "ashcode", "omparable", "ry 0", "atch 0", "unction", "tring", "length", "ntfunction", "intsup", "clone", "naryoperator", "alueof", "quals", "redicate", "equalist", "gymnastics for", "ipredicate", "superequalist", "ethodhandle", "invokepredicate", "methodhandle mh", "throwable th", "a dum", "b dum", "t extends", "stringer", "ostring", "ntvalue", "onsumer", "println", "uperequalist", "nvokepredicate", "ethodhandle mh", "remember", "num 0", "asci", "stylable", "t e0", "tringer", "ative 0", "ynchronized 0", "trictfp 0", "thread", "qualist", "ransient 0", "methodstests", "string t0", "la s", "string name", "equires 0", "odule 0", "this module", "to the", "sample project", "published at", "mport m0", "related sup", "ransitive 0", "xports 0", "pens 0", "jdk 23", "ses 0", "rovides 0", "ith 0", "doautocmd", "syntax 0", "0xp0", "ouble 0", "minusoned", "xap1", "doto", "numberstests", "ouble", "loat 0", "maxdecf", "maxhexf", "mindecf", "minhexfa", "minhexfb", "maxdecd", "maxhexd", "minhex", "minoct", "minbin", "minusonehex", "minusoneoct", "minusonebin", "maxhexl", "maxoctl", "minusonehexl", "minusoneoctl", "minusonebinl", "jdk 21", "object o", "rue 0", "alse 0", "stringtests", "a quick", "brown fox", "jumps over", "the lazy", "there are", "lf after", "jumps0", "ver the0", "a nested", "string ap", "brown", "jumps", "over the", "nested com", "switchtests", "ield", "a or", "ield 0", "yte 0", "1let", "hort", "hort 0", "nofoldenable 0", "0000 0", "unfoldingtests", "reak 0", "old italic", "s1024", "talic", "inheritdoc", "object ap", "hile 0", "for vim", "file is", "licensed under", "the vim", "license 0", "efinition 0", "rom 0", "predefined", "ype 0", "ointer 0", "il 0", "nter", "ninter", "octal", "pragmas", "with emphasis", "opyright 0", "uthor 0", "fred flintstone", "icense 0", "baz bam", "ispose 0", "oc 0", "ord 0", "dr 0", "ast 0", "size 0", "rocedure 0", "egin 0", "nd 0", "ixme 0", "eprecated 0", "procedures", "ewfo", "nteger 0", "disabled", "hile fo", "do 0", "while", "synonyms", "itset 0", "roc 0", "roces", "ewproces", "ransfer 0", "ystem 0", "ongcard 0", "bozo bim", "dada jingle", "etbar", "lias 0", "defined pragmas", "numeric", "xcafed0", "inline", "noinline", "implementation", "cho 0", "this for", "done", "is a", "very handy", "solution and", "no real", "replacement", "available", "unction1", "a text", "shel", "his is", "home 0", "ariable10", "this is", "with a", "nset 0", "962 0", "f true", "unab", "abclear 0", "bclear 0", "java module", "changefilename", "restorefilename", "todo highlight", "author", "antonio colombo", "delete", "processing", "hebrew" ], "references": [ "vimrc", "bugreport.vim", "evim.vim", "delmenu.vim", "defaults.vim", "ftplugof.vim", "ftoff.vim", "gvim.desktop", "ftplugin.vim", "gvimrc_example.vim", "indent.vim", "indoff.vim", "mswin.vim", "scripts.vim", "optwin.vim", "vim.desktop", "menu.vim", "vimrc_example.vim", "synmenu.vim", "filetype.vim", "Make_mvc.mak", "Make_all.mak", "README.ru.utf-8.txt", "README.txt", "tutor", "tutor.bar.utf-8", "tutor.ca.utf-8", "tutor.bg.utf-8", "tutor.cs.utf-8", "tutor.da.utf-8", "tutor.de.utf-8", "tutor.el.utf-8", "tutor.eo.utf-8", "tutor.es.utf-8", "tutor.fr.utf-8", "tutor.hr.utf-8", "tutor.ja.utf-8", "tutor.hu.utf-8", "tutor.it.utf-8", "tutor.ko", "tutor.ko.utf-8", "tutor.lt.utf-8", "tutor.lv.utf-8", "tutor.nb.utf-8", "tutor.nl.utf-8", "tutor.no.utf-8", "tutor.pt.utf-8", "tutor.pl.utf-8", "tutor.ru.utf-8", "tutor.tr.utf-8", "tutor.sr.utf-8", "tutor.sv.utf-8", "tutor.sk.utf-8", "tutor.vim", "tutor.zh_cn.utf-8", "tutor.utf-8", "tutor.vi.utf-8", "tutor.uk.utf-8", "tutor.zh_tw.utf-8", "tutor.zh.utf-8", "vimspell.txt", "xcmdsrv_client.c", "ref", "vim132", "vimm", "vim_vs_net.cmd", "shtags.1", "unicode.vim", "shtags.pl", "ccfilter_README.txt", "blink.c", "efm_filter.txt", "demoserver.py", "ccfilter.c", "efm_filter.pl", "ccfilter.1", "efm_perl.pl", "pltags.pl", "mve.txt", "emoji_list.vim", "mve.awk", "a65.vim", "aap.vim", "abap.vim", "abc.vim", "abel.vim", "abaqus.vim", "acedb.vim", "a2ps.vim", "ada.vim", "ahdl.vim", "8th.vim", "aflex.vim", "aidl.vim", "2html.vim", "alsaconf.vim", "amiga.vim", "ampl.vim", "antlr4.vim", "apachestyle.vim", "apache.vim", "antlr.vim", "ant.vim", "aml.vim", "arch.vim", "aptconf.vim", "arduino.vim", "art.vim", "asm.vim", "asciidoc.vim", "asn.vim", "aspperl.vim", "asm68k.vim", "aspvbs.vim", "asteriskvm.vim", "atlas.vim", "asy.vim", "autodoc.vim", "autohotkey.vim", "autoit.vim", "automake.vim", "ave.vim", "asmh8300.vim", "avra.vim", "awk.vim", "astro.vim", "ayacc.vim", "asterisk.vim", "bash.vim", "b.vim", "bdf.vim", "bib.vim", "basic.vim", "bindzone.vim", "bc.vim", "blank.vim", "bitbake.vim", "bsdl.vim", "bst.vim", "bzl.vim", "btm.vim", "bzr.vim", "baan.vim", "cabal.vim", "cabalconfig.vim", "cabalproject.vim", "c.vim", "catalog.vim", "cdl.vim", "cdrdaoconf.vim", "cfg.vim", "cgdbrc.vim", "cf.vim", "cdrtoc.vim", "ch.vim", "chaiscript.vim", "change.vim", "chaskell.vim", "changelog.vim", "chatito.vim", "cheetah.vim", "chicken.vim", "chordpro.vim", "chill.vim", "calendar.vim", "chuck.vim", "clean.vim", "clipper.vim", "cmakecache.vim", "cl.vim", "cmod.vim", "cmusrc.vim", "coco.vim", "colortest.vim", "clojure.vim", "conf.vim", "config.vim", "confini.vim", "conaryrecipe.vim", "crm.vim", "cmake.vim", "crontab.vim", "cpp.vim", "context.vim", "csc.vim", "csh.vim", "cs.vim", "csp.vim", "csv.vim", "cterm.vim", "csdl.vim", "cobol.vim", "ctrlh.vim", "css.vim", "cuda.vim", "cuplsim.vim", "cvs.vim", "cweb.vim", "cvsrc.vim", "cucumber.vim", "cupl.vim", "cynpp.vim", "cynlib.vim", "deb822sources.vim", "dcd.vim", "d.vim", "dcl.vim", "dart.vim", "debchangelog.vim", "debcontrol.vim", "datascript.vim", "debcopyright.vim", "def.vim", "dep3patch.vim", "denyhosts.vim", "debsources.vim", "desc.vim", "dictconf.vim", "dictdconf.vim", "diff.vim", "dircolors.vim", "dirpager.vim", "diva.vim", "desktop.vim", "django.vim", "dns.vim", "docbksgml.vim", "docbkxml.vim", "docbk.vim", "dockerfile.vim", "dosbatch.vim", "dosini.vim", "dot.vim", "dracula.vim", "dsl.vim", "dtml.vim", "doxygen.vim", "dts.vim", "dtrace.vim", "dtd.vim", "dune.vim", "dylanintr.vim", "dylanlid.vim", "dylan.vim", "dnsmasq.vim", "editorconfig.vim", "edif.vim", "ecd.vim", "elmfilt.vim", "elf.vim", "elinks.vim", "eiffel.vim", "elm.vim", "erlang.vim", "esmtprc.vim", "esqlc.vim", "esterel.vim", "euphoria3.vim", "eterm.vim", "eruby.vim", "euphoria4.vim", "exim.vim", "expect.vim", "exports.vim", "eviews.vim", "fasm.vim", "fdcc.vim", "falcon.vim", "fan.vim", "fetchmail.vim", "fgl.vim", "fish.vim", "flexwiki.vim", "focexec.vim", "fpcmake.vim", "forth.vim", "form.vim", "framescript.vim", "foxpro.vim", "fortran.vim", "freebasic.vim", "fvwm2m4.vim", "fstab.vim", "fvwm.vim", "gdmo.vim", "gdresource.vim", "gdb.vim", "gemtext.vim", "gdshader.vim", "git.vim", "gift.vim", "gedcom.vim", "gdscript.vim", "gitattributes.vim", "gitcommit.vim", "gitconfig.vim", "gitignore.vim", "gitolite.vim", "gitrebase.vim", "gitsendemail.vim", "gkrellmrc.vim", "goaccess.vim", "glsl.vim", "godoc.vim", "go.vim", "gnuplot.vim", "gp.vim", "gpg.vim", "gprof.vim", "gretl.vim", "grads.vim", "gnash.vim", "groff.vim", "grub.vim", "groovy.vim", "gtkrc.vim", "group.vim", "gyp.vim", "gsp.vim", "gvpr.vim", "update_date.vim", "README.md", "gen_syntax_vim.vim", "vim.vim.base", "haml.vim", "hamster.vim", "hare.vim", "haredoc.vim", "haste.vim", "haskell.vim", "hastepreproc.vim", "hb.vim", "hcl.vim", "help_ru.vim", "hex.vim", "help.vim", "hercules.vim", "hgcommit.vim", "hitest.vim", "hlsplaylist.vim", "hog.vim", "hostsaccess.vim", "hostconf.vim", "htmlcheetah.vim", "htmlangular.vim", "html.vim", "htmlm4.vim", "htmlos.vim", "htmldjango.vim", "i3config.vim", "ia64.vim", "ibasic.vim", "icemenu.vim", "idlang.vim", "idl.vim", "icon.vim", "initex.vim", "initng.vim", "ipfilter.vim", "inittab.vim", "inform.vim", "j.vim", "iss.vim", "ishd.vim", "jal.vim", "ist.vim", "jam.vim", "jargon.vim", "javascript.vim", "javascriptreact.vim", "java.vim", "jinja.vim", "jess.vim", "jgraph.vim", "javacc.vim", "jq.vim", "jsp.vim", "json.vim", "jsonc.vim", "json5.vim", "kconfig.vim", "julia.vim", "kdl.vim", "kotlin.vim", "kix.vim", "kwt.vim", "krl.vim", "kscript.vim", "kivy.vim", "lace.vim", "latte.vim", "lc.vim", "ld.vim", "ldapconf.vim", "iso.vim", "pim.vim", "r10.vim", "ldif.vim", "less.vim", "lftp.vim", "lhaskell.vim", "libao.vim", "lex.vim", "lifelines.vim", "liquid.vim", "limits.vim", "lilo.vim", "lite.vim", "livebook.vim", "lisp.vim", "litestep.vim", "lotos.vim", "loginaccess.vim", "logtalk.vim", "logindefs.vim", "lout.vim", "lprolog.vim", "lpc.vim", "lsl.vim", "lscript.vim", "lss.vim", "luau.vim", "lua.vim", "lynx.vim", "lyrics.vim", "m3quake.vim", "m3build.vim", "m4.vim", "mailaliases.vim", "mail.vim", "mailcap.vim", "mallard.vim", "make.vim", "manual.vim", "manconf.vim", "mason.vim", "masm.vim", "maple.vim", "master.vim", "matlab.vim", "maxima.vim", "mermaid.vim", "meson.vim", "mediawiki.vim", "messages.vim", "mel.vim", "man.vim", "markdown.vim", "mf.vim", "mgp.vim", "mgl.vim", "mib.vim", "mix.vim", "mmix.vim", "mmp.vim", "modconf.vim", "model.vim", "mma.vim", "modula2.vim", "modula3.vim", "moo.vim", "mojo.vim", "monk.vim", "mp.vim", "mplayerconf.vim", "mrxvtrc.vim", "msmessages.vim", "msidl.vim", "msql.vim", "modsim3.vim", "murphi.vim", "mush.vim", "mupad.vim", "muttrc.vim", "mysql.vim", "named.vim", "nanorc.vim", "nastran.vim", "n1ql.vim", "natural.vim", "nasm.vim", "ncf.vim", "netrc.vim", "netrw.vim", "ninja.vim", "nix.vim", "nosyntax.vim", "nroff.vim", "neomuttrc.vim", "nsis.vim", "nqc.vim", "nginx.vim", "obj.vim", "objcpp.vim", "odin.vim", "occam.vim", "omnimark.vim", "ocaml.vim", "ondir.vim", "objc.vim", "openscad.vim", "openroad.vim", "opl.vim", "openvpn.vim", "obse.vim", "opam.vim", "pamenv.vim", "pacmanlog.vim", "ora.vim", "pamconf.vim", "pandoc.vim", "papp.vim", "pcap.vim", "pbtxt.vim", "pascal.vim", "passwd.vim", "pccts.vim", "pf.vim", "phtml.vim", "perl.vim", "pic.vim", "pdf.vim", "pilrc.vim", "pfmain.vim", "pike.vim", "pine.vim", "pinfo.vim", "plaintex.vim", "php.vim", "plm.vim", "plp.vim", "pli.vim", "pod.vim", "poefilter.vim", "po.vim", "ppd.vim", "pov.vim", "povini.vim", "ppwiz.vim", "plsql.vim", "prescribe.vim", "procmail.vim", "privoxy.vim", "prolog.vim", "promela.vim", "postscr.vim", "protocols.vim", "proto.vim", "psf.vim", "psl.vim", "ps1.vim", "purifylog.vim", "ptcap.vim", "pymanifest.vim", "pyrex.vim", "progress.vim", "python.vim", "python2.vim", "quarto.vim", "qf.vim", "quake.vim", "qb64.vim", "r.vim", "qml.vim", "radiance.vim", "racc.vim", "racket.vim", "raml.vim", "rasi.vim", "rc.vim", "ratpoison.vim", "rapid.vim", "raku.vim", "rcslog.vim", "rcs.vim", "rebol.vim", "readline.vim", "registry.vim", "rego.vim", "remind.vim", "requirements.vim", "reva.vim", "resolv.vim", "rhelp.vim", "rexx.vim", "rnc.vim", "rng.vim", "rnoweb.vim", "rib.vim", "redif.vim", "rrst.vim", "rpcgen.vim", "routeros.vim", "rpl.vim", "rmd.vim", "rtf.vim", "rst.vim", "salt.vim", "robots.vim", "samba.vim", "ruby.vim", "sas.vim", "sass.vim", "rust.vim", "sbt.vim", "scdoc.vim", "sather.vim", "scilab.vim", "scala.vim", "scheme.vim", "screen.vim", "scss.vim", "sd.vim", "sdc.vim", "sdl.vim", "sensors.vim", "sed.vim", "services.vim", "sendpr.vim", "setserial.vim", "sexplib.vim", "sgmldecl.vim", "sgmllnx.vim", "sh.vim", "sgml.vim", "context-data-metafun.vim", "context-data-tex.vim", "hgcommitDiff.vim", "context-data-context.vim", "context-data-interfaces.vim", "debversions.vim", "typescriptcommon.vim", "sicad.vim", "sil.vim", "simula.vim", "sinda.vim", "sindacmp.vim", "sindaout.vim", "sieve.vim", "skill.vim", "sl.vim", "sisu.vim", "slang.vim", "slpconf.vim", "slpreg.vim", "slpspi.vim", "slrnsc.vim", "sm.vim", "smarty.vim", "slice.vim", "smcl.vim", "smith.vim", "smil.vim", "sml.vim", "snnsnet.vim", "snnspat.vim", "slrnrc.vim", "snobol4.vim", "solidity.vim", "spice.vim", "splint.vim", "spec.vim", "specman.vim", "spyce.vim", "spup.vim", "snnsres.vim", "sql.vim", "sqlforms.vim", "sqlj.vim", "sqlhana.vim", "sqlinformix.vim", "sqlanywhere.vim", "sqloracle.vim", "srec.vim", "sqr.vim", "squirrel.vim", "squid.vim", "srt.vim", "ssa.vim", "st.vim", "sshconfig.vim", "sshdconfig.vim", "stp.vim", "stata.vim", "strace.vim", "structurizr.vim", "stylus.vim", "sudoers.vim", "swift.vim", "swig.vim", "swiftgyb.vim", "swayconfig.vim", "syncolor.vim", "svn.vim", "synload.vim", "sysctl.vim", "systemverilog.vim", "tads.vim", "tags.vim", "tak.vim", "takcmp.vim", "takout.vim", "tar.vim", "taskdata.vim", "taskedit.vim", "tap.vim", "tasm.vim", "svg.vim", "syntax.vim", "template.vim", "tcsh.vim", "teraterm.vim", "terminfo.vim", "terraform.vim", "systemd.vim", "tcl.vim", "tssgm.vim", "typescript.vim", "tsv.vim", "tt2js.vim", "tssop.vim", "typescriptreact.vim", "tt2.vim", "tt2html.vim", "uc.vim", "uci.vim", "typst.vim", "udevconf.vim", "udevperm.vim", "uil.vim", "unison.vim", "updatedb.vim", "upstart.vim", "upstreamdat.vim", "upstreaminstalllog.vim", "upstreamlog.vim", "upstreamrpt.vim", "usw2kagtlog.vim", "urlshortcut.vim", "udevrules.vim", "valgrind.vim", "vdf.vim", "vb.vim", "verilogams.vim", "vera.vim", "vhdl.vim", "viminfo.vim", "verilog.vim", "voscm.vim", "vmasm.vim", "virata.vim", "vim.vim", "vrml.vim", "vgrindefs.vim", "usserverlog.vim", "c.c", "html.html", "java_comments_markdown.java", "java_annotations_signature.java", "java_comments.java", "java_enfoldment.java", "java_escapes.java", "java_generics_signature.java", "java_generics.java", "java_contextual_keywords.java", "java_lambda_expressions_signature.java", "java_annotations.java", "java_lambda_expressions.java", "java_method_references_signature.java", "java_methods_indent4.java", "java_methods_indent2.java", "java_methods_indent4_signature.java", "java_methods_indent2_signature.java", "java_methods_indent8_signature.java", "java_methods_style.java", "java_module_info.java", "java_methods_style_signature.java", "java_numbers.java", "java_previews_430.java", "java_string.java", "java_previews_455.java", "java_switch.java", "java_methods_indent8.java", "java_unfoldment.java", "markdown_conceal.markdown", "modula2_pim.def", "modula2_iso.def", "modula2_r10.def", "progress_comments.p", "sh_02.sh", "sh_01.sh", "sh_04.sh", "sh_03.sh", "sh_05.sh", "sh_07.sh", "sh_09.sh", "sh_08.sh", "sh_10.sh", "sh_11.sh", "vim_ex_abbreviate.vim", "vim_ex_behave.vim", "vim_ex_call.vim", "vim_ex_catch.vim", "sh_06.sh", "vim_ex_command.vim", "vim_ex_comment_strings.vim", "vim_ex_comment-vim9.vim", "vim_ex_comment.vim", "vim_ex_augroup.vim", "vim_ex_commands.vim", "vim_ex_def_nested.vim", "vim_ex_def_nested_fold.vim", "vim_ex_def_fold.vim", "vim_ex_def.vim", "vim_ex_echo.vim", "vim_ex_execute.vim", "vim_ex_function_def_tail_comment_errors.vim", "vim_ex_function_def_tail_comments.vim", "vim_ex_function_nested_fold.vim", "vim_ex_function_nested.vim", "vim_ex_function_fold.vim", "vim_ex_highlight.vim", "vim_ex_let_heredoc.vim", "vim_ex_loadkeymap_after_bar.vim", "vim_ex_loadkeymap_after_colon.vim", "vim_ex_map.vim", "vim_ex_function.vim", "vim_ex_menu.vim", "vim_ex_menutranslate.vim", "vim_ex_no_comment_strings.vim", "vim_ex_match.vim", "vim_ex_range.vim", "vim_ex_set.vim", "vim_ex_sleep.vim", "vim_ex_substitute.vim", "vim_ex_throw.vim", "vim_keymap.vim", "vim_ex_syntax.vim", "vim_key_notation.vim", "vim_line_continuation.vim", "vim_expr.vim", "vim_new.vim", "vim_shebang.vim", "vim_object_methods.vim", "vim_variables.vim", "vim9_ex_comment_strings.vim", "vim9_ex_commands.vim", "vim9_ex_no_comment_strings.vim", "vim9_ex_function_def_tail_comments.vim", "vim9_expr.vim", "vim9_keymap.vim", "vim9_ex_function_def_tail_comment_errors.vim", "vim9_legacy_header_fold.vim", "vim9_legacy_header.vim", "vim9_shebang.vim", "yaml.yaml", "dots_03", "dots_05", "dots_02", "dots_04", "dots_01", "dots_06", "dots_08", "dots_09", "dots_10", "dots_07", "dots_11", "dots_12", "dots_14", "dots_13", "dots_15", "dots_16", "dots_17", "dots_18", "dots_19", "dots_20", "html_00.dump", "html_03.dump", "html_05.dump", "html_04.dump", "html_06.dump", "html_02.dump", "html_01.dump", "html_07.dump", "html_08.dump", "java_annotations_01.dump", "java_annotations_00.dump", "java_annotations_02.dump", "java_annotations_03.dump", "java_annotations_04.dump", "java_annotations_signature_00.dump", "java_annotations_signature_02.dump", "java_annotations_signature_01.dump", "java_annotations_signature_03.dump", "java_annotations_signature_04.dump", "java_comments_html_01.dump", "java_comments_html_02.dump", "java_comments_html_03.dump", "java_comments_html_00.dump", "java_comments_html_04.dump", "java_comments_html_05.dump", "java_comments_markdown_00.dump", "java_comments_html_07.dump", "java_comments_markdown_03.dump", "java_comments_markdown_01.dump", "java_comments_html_06.dump", "java_comments_markdown_04.dump", "java_comments_markdown_02.dump", "java_comments_markdown_05.dump", "java_comments_markdown_06.dump", "java_comments_markdown_07.dump", "java_contextual_keywords_00.dump", "java_comments_markdown_08.dump", "java_contextual_keywords_01.dump", "java_contextual_keywords_02.dump", "java_enfoldment_01.dump", "java_contextual_keywords_03.dump", "java_enfoldment_00.dump", "java_enfoldment_02.dump", "java_escapes_00.dump", "java_escapes_01.dump", "java_escapes_03.dump", "java_escapes_05.dump", "java_escapes_07.dump", "java_escapes_02.dump", "java_escapes_06.dump", "java_generics_01.dump", "java_generics_03.dump", "java_generics_02.dump", "java_generics_04.dump", "java_generics_05.dump", "java_generics_07.dump", "java_generics_00.dump", "java_generics_06.dump", "java_escapes_04.dump", "java_generics_signature_00.dump", "java_generics_signature_01.dump", "java_generics_signature_02.dump", "java_generics_signature_03.dump", "java_generics_signature_04.dump", "java_generics_signature_05.dump", "java_generics_signature_07.dump", "java_generics_signature_06.dump", "java_lambda_expressions_00.dump", "java_lambda_expressions_01.dump", "java_lambda_expressions_03.dump", "java_lambda_expressions_02.dump", "java_lambda_expressions_04.dump", "java_lambda_expressions_05.dump", "java_lambda_expressions_06.dump", "java_lambda_expressions_07.dump", "java_lambda_expressions_08.dump", "java_lambda_expressions_signature_00.dump", "java_lambda_expressions_signature_01.dump", "java_lambda_expressions_signature_02.dump", "java_lambda_expressions_signature_03.dump", "java_lambda_expressions_signature_04.dump", "java_lambda_expressions_signature_05.dump", "java_lambda_expressions_signature_06.dump", "java_lambda_expressions_signature_07.dump", "java_lambda_expressions_signature_08.dump", "java_method_references_00.dump", "java_method_references_01.dump", "java_method_references_03.dump", "java_method_references_04.dump", "java_method_references_06.dump", "java_method_references_05.dump", "java_method_references_07.dump", "java_method_references_08.dump", "java_method_references_09.dump", "java_method_references_10.dump", "java_method_references_signature_00.dump", "java_method_references_signature_01.dump", "java_method_references_02.dump", "java_method_references_signature_02.dump", "java_method_references_signature_03.dump", "java_method_references_signature_04.dump", "java_method_references_signature_05.dump", "java_method_references_signature_07.dump", "java_method_references_signature_08.dump", "java_method_references_signature_09.dump", "java_methods_indent2_00.dump", "java_methods_indent2_00.vim", "java_methods_indent2_01.dump", "java_methods_indent2_01.vim", "java_methods_indent2_02.dump", "java_methods_indent2_02.vim", "java_method_references_signature_10.dump", "java_methods_indent2_03.vim", "java_methods_indent2_03.dump", "java_methods_indent2_04.dump", "java_methods_indent2_04.vim", "java_methods_indent2_05.dump", "java_methods_indent2_05.vim", "java_method_references_signature_06.dump", "java_methods_indent2_signature_00.vim", "java_methods_indent2_signature_01.dump", "java_methods_indent2_signature_01.vim", "java_methods_indent2_signature_02.dump", "java_methods_indent2_signature_02.vim", "java_methods_indent2_signature_03.dump", "java_methods_indent2_signature_03.vim", "java_methods_indent2_signature_04.dump", "java_methods_indent2_signature_04.vim", "java_methods_indent2_signature_05.dump", "java_methods_indent2_signature_05.vim", "java_methods_indent4_00.vim", "java_methods_indent4_01.vim", "java_methods_indent4_01.dump", "java_methods_indent4_02.dump", "java_methods_indent2_signature_00.dump", "java_methods_indent4_02.vim", "java_methods_indent4_03.vim", "java_methods_indent4_03.dump", "java_methods_indent4_04.dump", "java_methods_indent4_04.vim", "java_methods_indent4_05.dump", "java_methods_indent4_06.dump", "java_methods_indent4_05.vim", "java_methods_indent4_signature_00.dump", "java_methods_indent4_signature_01.dump", "java_methods_indent4_signature_01.vim", "java_methods_indent4_signature_02.dump", "java_methods_indent4_signature_02.vim", "java_methods_indent4_signature_03.dump", "java_methods_indent4_signature_03.vim", "java_methods_indent4_signature_04.dump", "java_methods_indent4_signature_04.vim", "java_methods_indent4_signature_05.dump", "java_methods_indent4_signature_05.vim", "java_methods_indent8_00.dump", "java_methods_indent4_signature_06.dump", "java_methods_indent8_00.vim", "java_methods_indent8_01.dump", "java_methods_indent8_01.vim", "java_methods_indent4_signature_00.vim", "java_methods_indent8_02.dump", "java_methods_indent8_02.vim", "java_methods_indent8_03.dump", "java_methods_indent8_03.vim", "java_methods_indent8_04.dump", "java_methods_indent8_05.dump", "java_methods_indent8_06.dump", "java_methods_indent8_05.vim", "java_methods_indent8_signature_00.dump", "java_methods_indent8_signature_01.dump", "java_methods_indent8_signature_01.vim", "java_methods_indent8_signature_02.dump", "java_methods_indent8_signature_02.vim", "java_methods_indent8_signature_00.vim", "java_methods_indent8_signature_03.dump", "java_methods_indent8_signature_03.vim", "java_methods_indent8_signature_04.dump", "java_methods_indent8_signature_04.vim", "java_methods_indent8_signature_05.vim", "java_methods_indent8_signature_05.dump", "java_methods_indent8_signature_06.dump", "java_methods_indent8_signature_06.vim", "java_methods_style_00.dump", "java_methods_style_00.vim", "java_methods_style_01.vim", "java_methods_style_02.vim", "java_methods_indent8_04.vim", "java_methods_style_03.dump", "java_methods_style_04.dump", "java_methods_style_02.dump", "java_methods_style_signature_00.dump", "java_methods_style_signature_00.vim", "java_methods_style_signature_01.vim", "java_methods_style_03.vim", "java_methods_style_signature_02.vim", "java_methods_style_01.dump", "java_methods_style_signature_03.dump", "java_methods_style_signature_03.vim", "java_methods_style_signature_04.dump", "java_methods_style_signature_01.dump", "java_module_info_00.dump", "java_methods_style_04.vim", "java_module_info_01.dump", "java_module_info_02.dump", "java_numbers_01.dump", "java_numbers_02.dump", "java_methods_style_signature_04.vim", "java_numbers_00.dump", "java_numbers_03.dump", "java_numbers_04.dump", "java_numbers_05.dump", "java_previews_430_00.dump", "java_previews_455_00.dump", "java_previews_455_01.dump", "java_previews_455_02.dump", "java_previews_455_03.dump", "java_methods_style_signature_02.dump", "java_methods_indent4_00.dump", "java_string_00.dump", "java_string_01.dump", "java_string_02.dump", "java_string_04.dump", "java_string_03.dump", "java_string_05.dump", "java_switch_00.dump", "java_switch_02.dump", "java_switch_01.dump", "java_switch_04.dump", "java_switch_03.dump", "java_switch_05.dump", "java_switch_07.dump", "java_unfoldment_00.dump", "java_switch_06.dump", "java_unfoldment_01.dump", "java_unfoldment_05.dump", "java_unfoldment_02.dump", "markdown_conceal_00.dump", "java_unfoldment_03.dump", "modula2_iso_00.dump", "modula2_iso_01.dump", "modula2_iso_03.dump", "modula2_iso_02.dump", "modula2_iso_04.dump", "modula2_iso_05.dump", "modula2_pim_00.dump", "modula2_iso_06.dump", "modula2_pim_01.dump", "modula2_pim_02.dump", "modula2_pim_03.dump", "modula2_pim_04.dump", "modula2_pim_06.dump", "modula2_pim_05.dump", "modula2_r10_00.dump", "modula2_r10_03.dump", "sh_07_01.dump", "sh_08_02.dump", "sh_11_00.dump", "vim_ex_abbreviate_01.dump", "vim_ex_command_00.dump", "java_module_info.vim", "markdown_conceal.vim", "cleanadd.vim", "yi.vim", "he.vim" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Esc", "display_name": "Esc", "target": null }, { "id": "SelectAll", "display_name": "SelectAll", "target": null }, { "id": "Vim Tutor", "display_name": "Vim Tutor", "target": null }, { "id": "Todo", "display_name": "Todo", "target": null } ], "attack_ids": [ { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1030", "name": "Data Transfer Size Limits", "display_name": "T1030 - Data Transfer Size Limits" } ], "industries": [], "TLP": "white", "cloned_from": "67a7efe28a685d9a19cc0417", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "email": 520, "hostname": 407, "URL": 1044, "FileHash-SHA1": 8, "domain": 244, "FileHash-SHA256": 375, "FileHash-MD5": 4 }, "indicator_count": 2603, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "24 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d4f2d9ce86a445b484593b", "name": "VirusTotal report\n for sample.crx", "description": "A small sample of malware has been identified by researchers at the University of Oregon in the US, and the results are published on the web, as well as on Google's Chrome extension and other sites.", "modified": "2026-05-07T12:05:50.774000", "created": "2026-04-07T12:04:41.097000", "tags": [ "file type", "json", "ascii text", "png image", "crlf line", "ascii", "rgba", "unicode text", "utf8 text", "defense evasion", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 668, "FileHash-MD5": 668, "FileHash-SHA1": 675, "URL": 153, "domain": 230, "hostname": 177, "email": 2 }, "indicator_count": 2573, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "25 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d4f2db0b3448671adcce16", "name": "VirusTotal report\n for sample.crx", "description": "A small sample of malware has been identified by researchers at the University of Oregon in the US, and the results are published on the web, as well as on Google's Chrome extension and other sites.", "modified": "2026-05-07T12:05:50.774000", "created": "2026-04-07T12:04:43.156000", "tags": [ "file type", "json", "ascii text", "png image", "crlf line", "ascii", "rgba", "unicode text", "utf8 text", "defense evasion", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 668, "FileHash-MD5": 668, "FileHash-SHA1": 675, "URL": 153, "domain": 230, "hostname": 177, "email": 2 }, "indicator_count": 2573, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "25 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d4f2dd828bbf0ac5efaa23", "name": "VirusTotal report\n for sample.crx", "description": "A small sample of malware has been identified by researchers at the University of Oregon in the US, and the results are published on the web, as well as on Google's Chrome extension and other sites.", "modified": "2026-05-07T12:05:50.774000", "created": "2026-04-07T12:04:44.957000", "tags": [ "file type", "json", "ascii text", "png image", "crlf line", "ascii", "rgba", "unicode text", "utf8 text", "defense evasion", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 668, "FileHash-MD5": 668, "FileHash-SHA1": 675, "URL": 153, "domain": 230, "hostname": 177, "email": 2 }, "indicator_count": 2573, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "25 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d43ac218b1452b90077c29", "name": "VirusTotal report\n for addon.crx", "description": "<<< This is the full list of results from this year's \u00c2\u00a31.2bn (1bn euros) Google search, which includes the results of the search for the world's most popular search engine.>>", "modified": "2026-05-06T22:12:40.990000", "created": "2026-04-06T22:59:14.467000", "tags": [ "zip archive", "opera widget", "vym mind", "sweet home", "design", "mozilla firefox", "mozilla archive", "format", "file type", "php script", "ascii", "ascii text", "unicode text", "utf8 text", "crlf line", "json", "java source", "extra info" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 316, "FileHash-SHA1": 314, "FileHash-SHA256": 1415, "hostname": 132, "domain": 50, "URL": 86 }, "indicator_count": 2313, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "25 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d43acb355ea778bf740a6d", "name": "VirusTotal report\n for addon.crx", "description": "<<< This is the full list of results from this year's \u00c2\u00a31.2bn (1bn euros) Google search, which includes the results of the search for the world's most popular search engine.>>", "modified": "2026-05-06T22:12:40.990000", "created": "2026-04-06T22:59:23.936000", "tags": [ "zip archive", "opera widget", "vym mind", "sweet home", "design", "mozilla firefox", "mozilla archive", "format", "file type", "php script", "ascii", "ascii text", "unicode text", "utf8 text", "crlf line", "json", "java source", "extra info" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 316, "FileHash-SHA1": 314, "FileHash-SHA256": 1415, "hostname": 132, "domain": 50, "URL": 86 }, "indicator_count": 2313, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "25 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d43ad5128bbd414bbd946f", "name": "VirusTotal report\n for addon.crx", "description": "<<< This is the full list of results from this year's \u00c2\u00a31.2bn (1bn euros) Google search, which includes the results of the search for the world's most popular search engine.>>", "modified": "2026-05-06T22:12:40.990000", "created": "2026-04-06T22:59:33.569000", "tags": [ "zip archive", "opera widget", "vym mind", "sweet home", "design", "mozilla firefox", "mozilla archive", "format", "file type", "php script", "ascii", "ascii text", "unicode text", "utf8 text", "crlf line", "json", "java source", "extra info" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 316, "FileHash-SHA1": 314, "FileHash-SHA256": 1415, "hostname": 132, "domain": 50, "URL": 86 }, "indicator_count": 2313, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "25 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d43ad5541cf4a7ee45cef5", "name": "VirusTotal report\n for addon.crx", "description": "<<< This is the full list of results from this year's \u00c2\u00a31.2bn (1bn euros) Google search, which includes the results of the search for the world's most popular search engine.>>", "modified": "2026-05-06T22:12:40.990000", "created": "2026-04-06T22:59:33.577000", "tags": [ "zip archive", "opera widget", "vym mind", "sweet home", "design", "mozilla firefox", "mozilla archive", "format", "file type", "php script", "ascii", "ascii text", "unicode text", "utf8 text", "crlf line", "json", "java source", "extra info" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 316, "FileHash-SHA1": 314, "FileHash-SHA256": 1415, "hostname": 132, "domain": 50, "URL": 86 }, "indicator_count": 2313, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "25 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d43ada131daf14003078c7", "name": "VirusTotal report\n for addon.crx", "description": "<<< This is the full list of results from this year's \u00c2\u00a31.2bn (1bn euros) Google search, which includes the results of the search for the world's most popular search engine.>>", "modified": "2026-05-06T22:12:40.990000", "created": "2026-04-06T22:59:38.191000", "tags": [ "zip archive", "opera widget", "vym mind", "sweet home", "design", "mozilla firefox", "mozilla archive", "format", "file type", "php script", "ascii", "ascii text", "unicode text", "utf8 text", "crlf line", "json", "java source", "extra info" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 316, "FileHash-SHA1": 314, "FileHash-SHA256": 1415, "hostname": 132, "domain": 50, "URL": 86 }, "indicator_count": 2313, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "25 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d43adaef39c73f026077c0", "name": "VirusTotal report\n for addon.crx", "description": "<<< This is the full list of results from this year's \u00c2\u00a31.2bn (1bn euros) Google search, which includes the results of the search for the world's most popular search engine.>>", "modified": "2026-05-06T22:12:40.990000", "created": "2026-04-06T22:59:38.174000", "tags": [ "zip archive", "opera widget", "vym mind", "sweet home", "design", "mozilla firefox", "mozilla archive", "format", "file type", "php script", "ascii", "ascii text", "unicode text", "utf8 text", "crlf line", "json", "java source", "extra info" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 316, "FileHash-SHA1": 314, "FileHash-SHA256": 1415, "hostname": 132, "domain": 50, "URL": 86 }, "indicator_count": 2313, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "25 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d43adce952052db1643eb1", "name": "VirusTotal report\n for addon.crx", "description": "<<< This is the full list of results from this year's \u00c2\u00a31.2bn (1bn euros) Google search, which includes the results of the search for the world's most popular search engine.>>", "modified": "2026-05-06T22:12:40.990000", "created": "2026-04-06T22:59:40.683000", "tags": [ "zip archive", "opera widget", "vym mind", "sweet home", "design", "mozilla firefox", "mozilla archive", "format", "file type", "php script", "ascii", "ascii text", "unicode text", "utf8 text", "crlf line", "json", "java source", "extra info" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 316, "FileHash-SHA1": 314, "FileHash-SHA256": 1415, "hostname": 132, "domain": 50, "URL": 86 }, "indicator_count": 2313, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "25 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69cc5323b73b229c433015b3", "name": "CAPE Sandbox", "description": "tmptigu40dy", "modified": "2026-04-30T23:10:15.978000", "created": "2026-03-31T23:05:07.234000", "tags": [ "eaaa", "maaa", "kaca", "kaaa", "eaca", "uaaa", "yaaa", "iaca", "eaei", "waaa", "dino", "cheat", "twitter", "null", "span", "title", "roboto", "false", "error", "kerm", "import", "click", "mono", "cloud", "accept", "manipulator", "restart", "runner", "factory", "checkbox", "star", "egdi", "canvas", "window", "shutdown", "win64", "small", "override", "install", "meta", "body", "project", "outer", "scroll", "speed", "score" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0e93e52376dcfb8eab491737c187ad68d786fab0005bbf9d2ffab78ba19db907_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1774998466&Signature=Y4QdGLgX1a6Ct5CMRDpH9RdwtjTzLLVBFFtxY64ZOhJ4cyy5f3YP7kNt%2Bu9euHjYaM5LUKHRWbswYwhD%2BbmD8KZT57GNGNGF4xYoyqPgzPY1AQodW%2BZx5f3iJqPbAZq9pUjOzXtm22B%2FEx7BVn5qcm86M9I6BaNp8%2FJW2vSfzsewT0w5WhMAjuB84fIG4LrKD2X46mnchNmREfC3GQtUPwzIIkj7IIv7xyHtwbu%2Fwyg8Ib1VFz" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 141, "FileHash-SHA1": 141, "FileHash-SHA256": 142, "URL": 26, "domain": 19, "hostname": 69 }, "indicator_count": 538, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "31 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69cc5324a3e01fc39bd2905c", "name": "CAPE Sandbox", "description": "tmptigu40dy", "modified": "2026-04-30T23:10:15.978000", "created": "2026-03-31T23:05:08.976000", "tags": [ "eaaa", "maaa", "kaca", "kaaa", "eaca", "uaaa", "yaaa", "iaca", "eaei", "waaa", "dino", "cheat", "twitter", "null", "span", "title", "roboto", "false", "error", "kerm", "import", "click", "mono", "cloud", "accept", "manipulator", "restart", "runner", "factory", "checkbox", "star", "egdi", "canvas", "window", "shutdown", "win64", "small", "override", "install", "meta", "body", "project", "outer", "scroll", "speed", "score" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0e93e52376dcfb8eab491737c187ad68d786fab0005bbf9d2ffab78ba19db907_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1774998466&Signature=Y4QdGLgX1a6Ct5CMRDpH9RdwtjTzLLVBFFtxY64ZOhJ4cyy5f3YP7kNt%2Bu9euHjYaM5LUKHRWbswYwhD%2BbmD8KZT57GNGNGF4xYoyqPgzPY1AQodW%2BZx5f3iJqPbAZq9pUjOzXtm22B%2FEx7BVn5qcm86M9I6BaNp8%2FJW2vSfzsewT0w5WhMAjuB84fIG4LrKD2X46mnchNmREfC3GQtUPwzIIkj7IIv7xyHtwbu%2Fwyg8Ib1VFz" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 141, "FileHash-SHA1": 141, "FileHash-SHA256": 142, "URL": 26, "domain": 19, "hostname": 69 }, "indicator_count": 538, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "31 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69c2972ecff7f021de5be0d9", "name": "CAPE Sandbox", "description": "traffic manager atm", "modified": "2026-04-23T13:04:04.453000", "created": "2026-03-24T13:52:46.060000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 141, "FileHash-SHA1": 141, "FileHash-SHA256": 142, "URL": 26, "domain": 19, "hostname": 69 }, "indicator_count": 538, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "39 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69c25100c3e5a6096402ade5", "name": "CAPE Sandbox", "description": "https://www.virustotal.com/gui/file/0cfb4d7ef8ad0e0378eb022ef107a0a6cc97e7e111228098e68ea8ac1c975a7e/relations", "modified": "2026-04-23T08:15:28.034000", "created": "2026-03-24T08:53:20.270000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 131, "FileHash-SHA1": 109, "FileHash-SHA256": 109, "URL": 112, "domain": 82, "hostname": 126, "email": 1 }, "indicator_count": 670, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "39 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69c2510383ceef34ed4df669", "name": "CAPE Sandbox", "description": "https://www.virustotal.com/gui/file/0cfb4d7ef8ad0e0378eb022ef107a0a6cc97e7e111228098e68ea8ac1c975a7e/relations", "modified": "2026-04-23T08:15:28.034000", "created": "2026-03-24T08:53:23.675000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 131, "FileHash-SHA1": 109, "FileHash-SHA256": 109, "URL": 112, "domain": 82, "hostname": 126, "email": 1 }, "indicator_count": 670, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "39 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69c24230375c48e25e93161c", "name": "CAPE Sandbox", "description": "no problems.", "modified": "2026-04-23T07:09:33.447000", "created": "2026-03-24T07:50:08.453000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 277, "FileHash-SHA1": 232, "FileHash-SHA256": 232, "URL": 260, "domain": 180, "hostname": 191, "email": 1 }, "indicator_count": 1373, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "39 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69c1b4992eb5a2f6cbb21a84", "name": "CAPE Sandbox", "description": "", "modified": "2026-04-22T21:10:27.701000", "created": "2026-03-23T21:46:01.180000", "tags": [ "framework", "center", "xd569xb2c8xb2e4", "info", "script", "meta", "doctype html", "start", "cvtoken", "load cascade", "download", "title" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/dd4ad645e4b48357a235c4726dd4cdfb587786e83dab43ffdec7a886bd84faca_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1774302565&Signature=i3hu8ImkubNWQD0sfo%2FbTMU7d53GPblauQdlllGvYz%2BQ6%2BjM6VcEDa9avXTeSNEa6P9hQaE4hgc%2BwiAoHFC4mBNUG6vnOGHA3%2BY2WSKJxaEpDAdscTpC2psmNHDnnRacbWKvk0EjBetinhY7sMCUkeqX7kw525XsW%2BcBB9%2FwQ3aYdvUazDLWV6wR7ZAPu%2BYCu5vPuXdyoPiTU%2FkysyXQyKtwHiWQQGCWffoBVfbnYqEN" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 178, "FileHash-SHA1": 89, "FileHash-SHA256": 127, "URL": 183, "domain": 77, "hostname": 275 }, "indicator_count": 929, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "39 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b7ac3b32ac89ecba53f3d9", "name": "Malicious", "description": "", "modified": "2026-04-15T08:44:52.171000", "created": "2026-03-16T07:07:39.495000", "tags": [ "march", "input http", "posix shell", "ascii text", "threat level", "summary av", "detection", "environment", "action" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 291, "URL": 272, "hostname": 296, "domain": 293, "FileHash-MD5": 90, "FileHash-SHA1": 89, "CIDR": 3, "email": 3, "SSLCertFingerprint": 9 }, "indicator_count": 1346, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "47 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69aa842cef967c844adef1de", "name": "CAPE Sandbox part 2 - see part 1", "description": "heartbreaking", "modified": "2026-04-05T11:04:28.804000", "created": "2026-03-06T07:37:16.417000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3905, "FileHash-SHA1": 3515, "FileHash-SHA256": 8002, "URL": 982, "hostname": 2532, "domain": 164, "email": 1 }, "indicator_count": 19101, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "57 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6996eacbe2d99caae4a5b2d7", "name": "172.69.58.33", "description": "potential rogue exploit kit", "modified": "2026-04-01T00:44:45.494000", "created": "2026-02-19T10:49:47.043000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 18, "FileHash-MD5": 31, "FileHash-SHA1": 29, "FileHash-SHA256": 171, "URL": 432, "domain": 629, "hostname": 461, "CIDR": 6, "email": 23 }, "indicator_count": 1800, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "61 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "698904c316bc7710b967d01d", "name": "Rare Tier 1 Persistence - Critical \"Patched\", Non Patched Vulnerabilities Remain bypassing Lockdown Mode", "description": "Researcher Note (Feb 08, 2026):\nThis artifact represents a sophisticated Cross-Protocol Mesh. Observations confirm that the Cymt/Nemucod wrapper is being utilized as a delivery vehicle for a Firmware-resident ELF binary (Mirai variant).\nThe persistence is notable for its ability to survive Full DFU Restores and Faraday-isolated states, likely due to JTAG-level interaction with the Power Management IC (Chip 4799). This is not a standard opportunistic infection; it is a targeted provisioning event leveraging IDMSA (Identity Management) bridges and Verizon/Akamai Edge infrastructure.\nThe integration with CalendarKit and Maps for geofenced execution suggests a highly coordinated surveillance objective. Forensic analysts should pay specific attention to the sizeofrawdata_antidbg anomalies, which indicate a focus on bypassing Apple Lockdown Mode and Secure Enclave. \nresearcher credit: msudoSOS", "modified": "2026-03-27T09:05:26.285000", "created": "2026-02-08T21:48:49.147000", "tags": [ "#supportsitewebsiteabuse #rootcertificatefailure #cryptographicf" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 909, "URL": 1779, "CVE": 126, "domain": 659, "email": 23, "JA3": 1, "FileHash-MD5": 230, "FileHash-SHA1": 227, "FileHash-SHA256": 934, "CIDR": 13 }, "indicator_count": 4901, "is_author": false, "is_subscribing": null, "subscriber_count": 74, "modified_text": "66 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69bf64e1d5e06aa6207f78de", "name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos", "description": "", "modified": "2026-03-27T00:30:39.055000", "created": "2026-03-22T03:41:21.863000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr" ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": "698e93e1ab02db8c49e8c3ed", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 27572, "FileHash-SHA256": 46076, "FileHash-MD5": 42177, "FileHash-SHA1": 22874, "hostname": 33438, "URL": 74810, "SSLCertFingerprint": 21, "CVE": 7579, "email": 297, "FileHash-IMPHASH": 8, "CIDR": 26203, "JA3": 1 }, "indicator_count": 281056, "is_author": false, "is_subscribing": null, "subscriber_count": 149, "modified_text": "66 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69bf64eccb5d39a90a3c391e", "name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos", "description": "", "modified": "2026-03-27T00:30:39.055000", "created": "2026-03-22T03:41:32.565000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr" ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": "698e93e1ab02db8c49e8c3ed", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 27572, "FileHash-SHA256": 46076, "FileHash-MD5": 42177, "FileHash-SHA1": 22874, "hostname": 33438, "URL": 74810, "SSLCertFingerprint": 21, "CVE": 7579, "email": 297, "FileHash-IMPHASH": 8, "CIDR": 26203, "JA3": 1 }, "indicator_count": 281056, "is_author": false, "is_subscribing": null, "subscriber_count": 152, "modified_text": "66 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69c1bd40f81db45dc044697c", "name": "Masterkey Clone By CallmeDoris", "description": "", "modified": "2026-03-23T22:22:56.940000", "created": "2026-03-23T22:22:56.940000", "tags": [ "dropped file", "chromeua", "runtime data", "drmedgeua", "edgeua", "generator", "win64", "null", "template", "unknown", "critical", "addressbar", "desktop", "dark", "light", "iframe", "cookie", "meta", "body", "legend", "dwis", "core", "tear", "malicious", "mozilla", "strings", "qakbot", "://masterkey.com.ua/download/MKClientSetup.exe" ], "references": [ "https://hybrid-analysis.com/sample/41859e0b198fbe88772ef12c577023c0481ec19867e410bab335e67fea87c1bb/642ca80cde2048242a0e097d" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": "642db7b656049e54b2f71c20", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 949, "URL": 5642, "CVE": 2, "domain": 509, "FileHash-SHA256": 293, "FileHash-MD5": 550, "FileHash-SHA1": 60, "email": 5 }, "indicator_count": 8010, "is_author": false, "is_subscribing": null, "subscriber_count": 65, "modified_text": "69 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b23473c8e69c7f51c63ce9", "name": "#fp539598-VBS/LoveLetter.BT via (Drive by Compromise", "description": "Malware found in pulses listed below. It appears threat actors , likely a legal team is abusing Palantir tools against targeted individuals , devices and or networks. \nMalware identified found in a malicious link when user apparently suffered a drive by compromised when utilizing built in AI feature on an iOS device.\n#loveLetter #mass-mailing-worms", "modified": "2026-03-12T03:35:15.757000", "created": "2026-03-12T03:35:15.757000", "tags": [ "#fp539598-VBS/LoveLetter.BT", "palantir", "prometheus intelligence technology", "dll read", "function read", "total", "read", "write", "delete", "file behavior", "apple", "ios", "quantum fiber", "lumen technologies", "malware", "drive by compromise", "vbs", "ai", "browser", "regexp", "function", "width", "error", "pseudo", "child", "with", "array", "tbody", "sufeffxa0", "class", "null", "date", "void", "accept", "js_eval", "recon_fingerprint", "mass-mailing worms" ], "references": [ "https://otx.alienvault.com/pulse/69b1f368db0d00947ef729c2", "https://otx.alienvault.com/pulse/69af3fd8db2ede31abda6c14" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "#fp539598-VBS/LoveLetter.BT", "display_name": "#fp539598-VBS/LoveLetter.BT", "target": null } ], "attack_ids": [ { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 3, "hostname": 23, "domain": 55, "URL": 1 }, "indicator_count": 86, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "81 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "697cdce9ec418c422eee2054", "name": "Device Isolation: Lumen Technologies | Palantir and \u2018Boots on the Ground Operations\u2019", "description": "Device Isolation: Lumen Technologies (formerly CenturyLink) deployed as an admin on iOS devices. Standard factory resets may prove ineffective. Complete hardware \"air-gap\" or clean devices that have never touched your home network may be best option for deeply monitored targets.\n\nSummary of the Campaign:\nThe involvement of Lumen Technologies (as an unwanted admin), Foundry (Palantir) for data mapping, and Mirai Botnet for network disruption represents a \"scorched earth\" approach to digital destruction. Target treated as a criminal through Cellebrite, implicates specific attackers attempted to legalize what was actually a predatory stalking campaign/s.\n\n\nSurveillance Overlap: The use of Lumen Technologies and Palantir, tools allows for real-time tracking of a target's physical location\u2014explains how \u2018boots on the ground\u2019 offenders can stalk , surveillance , confront, assault and engage in various damaging attacks of specific monitored targets.", "modified": "2026-03-01T16:05:57.375000", "created": "2026-01-30T16:31:37.011000", "tags": [ "url https", "url http", "tlsv1", "whitelisted", "united", "read c", "as15169", "stcalifornia", "execution", "dock", "write", "persistence", "malware", "encrypt", "active", "lumen technologies", "number", "error", "regexp", "sxa0", "amptoken", "optout", "retrieving", "notfound", "unknown", "form", "flash", "backdoor", "writeconsolew", "yara detections", "command line", "pdb path", "pe resource", "internalname", "windows command", "A", "aws", "name servers", "url analysis", "passive dns", "urls", "data upload", "extraction", "palantir", "c2", "aerospace", "tracking", "spywatchdog", "palapa-c2", "communications satellite", "amazon", "hughesnet", "icmp traffic", "washington c", "washington ou", "mopr", "mon jul", "local", "dynamic", "apple", "network", "t1057", "discovery", "t1069", "t1071", "protocol", "t1105", "tool transfer", "t1480", "guardrails", "t1566", "present jan", "unknown ns", "ip address", "dnssec", "domain", "dynamic dns", "government", "pcup", "germany unknown", "link", "dns hosting", "cloudns", "cloud dns", "a domains", "ipv4 add", "title", "meta", "class", "servers", "present aug", "aaaa", "present sep", "present nov", "present jul", "present may", "moved", "canada unknown", "begin", "record value", "gmt content", "type", "hostname add", "files", "ascii text", "pattern match", "href", "mitre att", "ck id", "ck matrix", "network traffic", "et info", "general", "path", "click", "learn", "command", "name tactics", "suspicious", "informative", "adversaries", "input url", "defense evasion", "france", "ireland", "netherlands", "denmark", "united kingdom", "type indicator", "role title", "added active", "savvis", "centurylinktechnology", "hybrid analysis", "monitoring tools", "monitored target", "triangulation", "worm", "intel", "ms windows", "pe32", "write c", "delete c", "show", "russia as47764", "unix", "lsan jose", "odigicert inc", "markus", "url add", "http", "related nids", "files location", "russia flag", "russia hostname", "russia", "russia unknown", "hosting", "federation flag", "body", "gmt vary", "accept encoding", "gmt cache", "certificate", "pulse submit", "unknown aaaa", "search", "entries", "script domains", "script urls", "pdx cf" ], "references": [ "\u2018Lumen Technologies\u2019 Acting as administrator of a targeted Apple IOS device", "Yare: compromised_site_redirector_fromcharcode", "Alerts: network_icmp nolookup_communication js_eval recon_fingerprint", "Alerts: console_output has_pdb pe_unknown_resource_name", "File Type PEXE - PE32+ executable (console) x86-64, for MS Windows ..", "Tipped: A targets AI and other cyber research findings.", "A \u2018Target\u2019 became a \u2018Target\u2019 vja close association to main Target of predatory retaliation campaign.", "track.spywarewatchdog.org \u2022 https://track.spywarewatchdog.org - monitoring software", "https://palapa.c.id\t (c.id)", "Containers-Pecorino.PalantirGov.com -pecorino.palantirgov.com", "cedevice.io \u2022 decagonsoftware.com", "http://applevless.dns-dynamic.net/\t\u2022 dns-dynamic.net", "http://www.pcup.gov.ph/images/2018/pdf/ComEnBancReso/Commission_Resolution_07s2018.PDF", "pcup.gov.ph:", "http://www.pcup.gov.ph/images/pdf/Contract_of_SecurityServices2013.pdf pcup.gov.ph:", "https://pcup.gov.ph/375 pcup.gov.ph: | https://www.pcup.gov.ph/ pcup.gov.ph:", "https://elegantcosmedampyeah.pages.dev/", "https://www.ptv.vic.gov.au/more/travelling-on-the-network/lets-go/", "inst.govelopscold.com", "https://feedback.ptv.vic.gov.au/360", "nginx-php.7d4jelnf.trdlpbvl.sdp3.sdp.vic.gov.au", "nginx-php.standby.content-premier-vic-gov-au.sdp3.sdp.vic.gov.au", "https://hybrid-analysis.com/sample/a16d11910953b800369dbb667f178b3cc45cb8e3315217c0e6ceac68eeba206d", "https://brand.centurylinktechnology.com", "https://prod.centurylinktechnology.com", "https://brand2.centurylinktechnology.com", "https://mobile-pocket-guide.centurylinktechnology.com", "UPX_OEP_place", "Russia or Muskware? URL http://store.7box.vip/ad/C467F60A1AD6.Jpeg", "ASP. NET", "https://connect.facebook.net/en_US/sdk.js#xfbml=1&version=v4.0&appId=705930270206797&autoLogAppEvents=1 Akamai rank:", "7box.vip" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan.Tofsee/Botx", "display_name": "Trojan.Tofsee/Botx", "target": null }, { "id": "ALF:JASYP:Trojan:Win32/IRCbot!atmn", "display_name": "ALF:JASYP:Trojan:Win32/IRCbot!atmn", "target": null }, { "id": "PWS:Win32/Axespec.A", "display_name": "PWS:Win32/Axespec.A", "target": "/malware/PWS:Win32/Axespec.A" }, { "id": "Worm:Win32/Lightmoon.H", "display_name": "Worm:Win32/Lightmoon.H", "target": "/malware/Worm:Win32/Lightmoon.H" } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1439", "name": "Eavesdrop on Insecure Network Communication", "display_name": "T1439 - Eavesdrop on Insecure Network Communication" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1069.003", "name": "Cloud Groups", "display_name": "T1069.003 - Cloud Groups" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 102, "FileHash-SHA1": 59, "FileHash-SHA256": 1929, "domain": 854, "hostname": 2156, "URL": 4475, "SSLCertFingerprint": 9, "email": 7, "CVE": 1 }, "indicator_count": 9592, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "91 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "693cdc5b8ebc10664439c2fb", "name": "Project Cicada-.Christopher \u201cBuzz\u201d Ahmann - Freeman Mathis & Gary for The State of Colorado", "description": "State of Colorado attackers use DGA domains set up multiple Law Firms.. Christopher P. \u2019Buzz\u2019 Ahmann Is a legal consultant / attorney./ hacker \nWorks for the State of Colorado/ quasi. Is malicious and doesn\u2019t work alone. Continues to target \nState had relative contacted by a fake entity \u2018Goodness Health\u2019\nLeft vague VM for relative message \u201cWe work on the Medicare side of things.\u201d and? \nSocial engineering call , malicious domain. The State of Colorado has been on a relentless pursuit against target. Fully compromised targets relatives brand new phone. Hacked target since 10/2013.\nMultiple cyber and physical attacks carried out against target and family members.. There are attacks make to look like accidents or malfunctions. This harmful, silencing behavior is somehow illegal for anyone else.", "modified": "2026-02-10T06:05:39.764000", "created": "2025-12-13T03:24:11.414000", "tags": [ "colorado state", "freeman mathis", "history", "cyber risk", "aspen insureds", "gaig insureds", "landy insureds", "nip group", "purm insureds", "overview core", "united", "ip address", "present nov", "present may", "moved", "encrypt", "unknown", "backdoor", "passive dns", "ransom", "checkin", "trojandropper", "mtb nov", "twitter", "trojan", "data upload", "extraction", "failed", "united states", "server response", "google safe", "results may", "lowfi", "virtool", "mtb alf", "mh alf", "port", "windows nt", "destination", "msie", "khtml", "gecko", "unknown aaaa", "a domains", "meta", "for privacy", "cop supply", "urls", "as139646 hong", "hostname", "files", "hong kong", "domain add", "ip related", "hash avast", "avg clamav", "msdefender may", "ddos", "as13335", "ipv4", "certificate", "hostname add", "url analysis", "files ip", "name strings", "category", "united states", "pulse indicator", "address", "error", "null", "object", "string", "number", "google maps", "promise", "javascript api", "dataset", "bigint", "dark", "android", "infinity", "internal", "roboto", "trident", "void", "small", "lightrail", "false", "span", "close", "light", "hybrid", "embed", "iframe", "keygen", "this", "february", "bounce", "drop", "inside", "outside", "marker", "present dec", "pulses otx", "aaaa", "asnone country", "record value", "title", "pulse pulses", "pulses", "showing", "unknown cname", "unknown soa", "next associated", "ipv4 add", "cycbot", "extract indic", "sneaker bots", "proxies data", "script script", "adult content", "nextimage", "porn site", "div div", "platform make", "cloudfront x", "hio52 p3", "unknown ns", "pulse submit", "title error", "reverse dns", "status", "servers", "name servers", "vashti hostname", "scan endpoints", "url http", "http", "files domain", "files related", "pulses none", "dnssec", "sec ch", "ch ua", "ua full", "ua platform", "ua bitness", "ua arch", "version sec", "mobile sec", "model sec", "version list", "domain", "emails", "cookie", "url https", "show", "filehash", "urls show", "date checked", "url hostname", "results nov", "win32", "type", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "ssl certificate", "defense evasion", "spawns", "flag", "llc name", "server", "markmonitor", "name server", "windir", "openurl c", "prefetch2", "show technique", "mitre att", "ck matrix", "pattern match", "ascii text", "sha1", "href", "show process", "file", "general", "local", "path", "germany unknown", "date", "registrar", "ip whois", "dynamicloader", "high", "medium", "search", "displayname", "tofsee", "win64", "write", "stream", "malware", "push", "entries", "tls handshake", "failure", "forbidden", "tlsv1", "april", "next", "write c", "intel", "ms windows", "sha1 add", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "sha256 add", "present jun", "present mar", "medelln", "colombia asn", "dns resolutions", "address domain", "related tags", "none google", "safe browsing", "external", "present sep", "present aug", "as54113", "present jul", "as8068", "gmt content", "total", "read", "delete", "top source", "quasi", "murderers", "christopher ahmann", "buzz ahmann", "wow64", "slcc2", "media center", "labor", "employment", "cdle", "dowc", "colorado", "workers", "coloradoif", "independent", "state", "company", "entity type", "authorized line", "analysis", "tor analysis", "process details", "network traffic", "t1071", "potential ip", "click", "found", "t1480 execution", "bad traffic", "et info", "ck techniques", "evasion att", "t1057", "refresh", "body", "strings", "tools", "look", "verify", "restart", "cname", "form", "pulse", "script domains", "script urls", "administrator", "services llc", "dns admin", "domain admin", "global llc", "domain manager", "computer system", "ltd domain", "network", "alibaba", "facebook", "phishme", "sogou", "present jan", "present feb", "present oct" ], "references": [ "https://www.fmglaw.com/lawyers/christopher-ahmann - found in adult content pulse.", "Sneaker Bots Proxies Servers Cook Groups Cop Supply", "archive.cop.supply \u2022 dev.cop.supply \u2022 https://cop.supply/ \u2022 https://cop.supply/bot-lists/", "https://cop.supply/supreme-bots/\u2022 https://cop.supply/useful-tools/", "https://cop.supply/proxies-lists/ \u2022 https://cop.supply/shopify-bots/", "dns.army \u2022 www.dcopr.dns.army \u2022 www.glsyaiwjj.dns.army \u2022 www.wgmvk.dns.army", "https://maps.googleapis.com/maps/api/js?sensor=false", "cell-0.af-south-1.prod.telemetry.console.api.aws", "howtoworkacrickoutofyourneck2.pages.dev", "firebase-auth-eich0v.pages.dev", "http://ianswertomom.com/develop-wise-woman-within-yourself", "http://ianswertomom.com/bible-verses-struggling-contentment-mom/ I", "https://i-want-to-start-an-onlyfans.pages.dev/favicon.ico| I bet you do boo boo", "makeapornsite.com \u2022 https://pornhighschool.com/ \u2022 https://ethnicerotic.com \u2022 https://twitter.com/Make", "https://khmerpornvideo.signup0.y.id/", "https://lordseriala.life/6337-zvezdnye-vojny-opornaja-komanda.html", "https://clear.ml/infrastructure-control-plane", "dev-app.project-cicada.com \u2022 http://dev-app.project-cicada.com \u2022 https://dev-app.project-cicada.com (2014 report predates 2016 reports)", "https://amano.inboundtools.com/tpcontact URL https://armg.inboundtools.com/ URL https://gaiax.inboundtools.com/internship URL https://hmk.inboundtools.com/ URL https://hmk.inboundtools.com/form/assetview_siryo_sier", "https://download.clear.ml/cpython_builds/releases/ \u2022 https://download.clear.", "https://links.mail.samsara.com/s/c/P9R6gGlExR4nfCwqwJXUmr7NmKcMNde4ZBhCFprlVtsFNgh-4tuTWla0aXN9rIWCjrWtn0Vln7x-hexxVBlY3xxvnEevR8qJU5G5xV3__wo-X7kkpSOhJVfejac-Xk8qu6zs5Z-tILwWYRkNScZNGlAqfwQuJuRw5M-n_ZKI6tuY5XGCZAqWoQepi1NnJiW4wZJkzZlOwGtNkusbuKDcMsLVrrhji2eKh4kYgrJp_SeycJRhasLFCQ3c2bPu4sahEWpcHZrQBaxvdfQgTEno8kV-RJdTDO0zK5MyWDJLeds7mnaDrxlb0O2zmhebUdlHE0R0xHi25dympBUpMlLsQV8bx1WUTOfgK4k0ci9o_2Gbfe22-jLxsJN-msV6pxWYQMaxRNFd4iZRC9J9Z1SC5MBqbvNzqdt98kFdpibnv_QIHdhFyHOR_Ip_LX67Dncc8V8OvAi-H5phfeSyDzwdzf2FQIi82", "https://voidpet.io/invite/scaredscared/1rpzxWXa61 \u2022 https://sex-doggy.net/tag/censored", "Everyone has simply asked you alll to stop. Target never asked anyone for money.", "Legal court documented agreement to allow and pay target to hire cyber investigators", "Attacks are being carried out by The State of Colorado" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Japan", "France", "Ireland", "Spain", "Italy", "Aruba", "Australia", "Denmark", "United Kingdom of Great Britain and Northern Ireland", "Germany", "T\u00fcrkiye", "Indonesia" ], "malware_families": [ { "id": "Win.Trojan.GravityRAT-6511862-0", "display_name": "Win.Trojan.GravityRAT-6511862-0", "target": null }, { "id": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn", "display_name": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn", "target": null }, { "id": "Unix.Trojan.Tsunami-6981155-0", "display_name": "Unix.Trojan.Tsunami-6981155-0", "target": null }, { "id": "TrojanDropper:Win32/Systex.A", "display_name": "TrojanDropper:Win32/Systex.A", "target": "/malware/TrojanDropper:Win32/Systex.A" }, { "id": "Win.Trojan.Tepfer-61", "display_name": "Win.Trojan.Tepfer-61", "target": null }, { "id": "TrojanDownloader:Win32/CutwailRansom:Win32/Crowti.A", "display_name": "TrojanDownloader:Win32/CutwailRansom:Win32/Crowti.A", "target": null }, { "id": "VirTool:Win32/VBInject.gen!MH", "display_name": "VirTool:Win32/VBInject.gen!MH", "target": "/malware/VirTool:Win32/VBInject.gen!MH" }, { "id": "ALF:NID:Susp_NSIS_Stub.A", "display_name": "ALF:NID:Susp_NSIS_Stub.A", "target": null }, { "id": "#LOWFI:HSTR:Criakl.B1", "display_name": "#LOWFI:HSTR:Criakl.B1", "target": null }, { "id": "Backdoor:Win32/Arwobot.B", "display_name": "Backdoor:Win32/Arwobot.B", "target": "/malware/Backdoor:Win32/Arwobot.B" }, { "id": "Win.Packed.Bandook-9882274-1", "display_name": "Win.Packed.Bandook-9882274-1", "target": null }, { "id": "TrojanDownloader:Win32/Cutwail", "display_name": "TrojanDownloader:Win32/Cutwail", "target": "/malware/TrojanDownloader:Win32/Cutwail" }, { "id": "Win.Downloader.Small-4507", "display_name": "Win.Downloader.Small-4507", "target": null }, { "id": "Trojan:Win32/Qbot.R!MTB", "display_name": "Trojan:Win32/Qbot.R!MTB", "target": "/malware/Trojan:Win32/Qbot.R!MTB" }, { "id": "Win.Malware.Mikey-9949492-0", "display_name": "Win.Malware.Mikey-9949492-0", "target": null }, { "id": "Ransom:Win32/Crowti.A", "display_name": "Ransom:Win32/Crowti.A", "target": "/malware/Ransom:Win32/Crowti.A" }, { "id": "Backdoor:Linux/DemonBot.Aa!MTB", "display_name": "Backdoor:Linux/DemonBot.Aa!MTB", "target": "/malware/Backdoor:Linux/DemonBot.Aa!MTB" }, { "id": "Unix.Trojan.Gafgyt-6981154-0", "display_name": "Unix.Trojan.Gafgyt-6981154-0", "target": null }, { "id": "DDOS:Linux/Gafgyt.YA!MTB", "display_name": "DDOS:Linux/Gafgyt.YA!MTB", "target": "/malware/DDOS:Linux/Gafgyt.YA!MTB" }, { "id": "CVE-2017-11882", "display_name": "CVE-2017-11882", "target": null }, { "id": "ALF:Exploit:O97M/CVE-2017-8977", "display_name": "ALF:Exploit:O97M/CVE-2017-8977", "target": null }, { "id": "Cycbot", "display_name": "Cycbot", "target": null }, { "id": "Win32:BotX-gen\\ [Trj]", "display_name": "Win32:BotX-gen\\ [Trj]", "target": null }, { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "Mirai (ELF)", "display_name": "Mirai (ELF)", "target": null }, { "id": "Worm", "display_name": "Worm", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1574.008", "name": "Path Interception by Search Order Hijacking", "display_name": "T1574.008 - Path Interception by Search Order Hijacking" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1593.002", "name": "Search Engines", "display_name": "T1593.002 - Search Engines" } ], "industries": [ "Insurance", "Construction" ], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 54118, "domain": 11153, "hostname": 18578, "email": 21, "FileHash-SHA256": 4905, "FileHash-MD5": 548, "FileHash-SHA1": 534, "CVE": 7, "SSLCertFingerprint": 20, "CIDR": 1 }, "indicator_count": 89885, "is_author": false, "is_subscribing": null, "subscriber_count": 146, "modified_text": "111 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6963596c4cd594b77b4675ec", "name": "Project Cicada-.Christopher \u201cBuzz\u201d Ahmann - PalantirFoundry | The State of Colorado | ", "description": "", "modified": "2026-02-10T06:05:39.764000", "created": "2026-01-11T08:03:56.534000", "tags": [ "colorado state", "freeman mathis", "history", "cyber risk", "aspen insureds", "gaig insureds", "landy insureds", "nip group", "purm insureds", "overview core", "united", "ip address", "present nov", "present may", "moved", "encrypt", "unknown", "backdoor", "passive dns", "ransom", "checkin", "trojandropper", "mtb nov", "twitter", "trojan", "data upload", "extraction", "failed", "united states", "server response", "google safe", "results may", "lowfi", "virtool", "mtb alf", "mh alf", "port", "windows nt", "destination", "msie", "khtml", "gecko", "unknown aaaa", "a domains", "meta", "for privacy", "cop supply", "urls", "as139646 hong", "hostname", "files", "hong kong", "domain add", "ip related", "hash avast", "avg clamav", "msdefender may", "ddos", "as13335", "ipv4", "certificate", "hostname add", "url analysis", "files ip", "name strings", "category", "united states", "pulse indicator", "address", "error", "null", "object", "string", "number", "google maps", "promise", "javascript api", "dataset", "bigint", "dark", "android", "infinity", "internal", "roboto", "trident", "void", "small", "lightrail", "false", "span", "close", "light", "hybrid", "embed", "iframe", "keygen", "this", "february", "bounce", "drop", "inside", "outside", "marker", "present dec", "pulses otx", "aaaa", "asnone country", "record value", "title", "pulse pulses", "pulses", "showing", "unknown cname", "unknown soa", "next associated", "ipv4 add", "cycbot", "extract indic", "sneaker bots", "proxies data", "script script", "adult content", "nextimage", "porn site", "div div", "platform make", "cloudfront x", "hio52 p3", "unknown ns", "pulse submit", "title error", "reverse dns", "status", "servers", "name servers", "vashti hostname", "scan endpoints", "url http", "http", "files domain", "files related", "pulses none", "dnssec", "sec ch", "ch ua", "ua full", "ua platform", "ua bitness", "ua arch", "version sec", "mobile sec", "model sec", "version list", "domain", "emails", "cookie", "url https", "show", "filehash", "urls show", "date checked", "url hostname", "results nov", "win32", "type", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "ssl certificate", "defense evasion", "spawns", "flag", "llc name", "server", "markmonitor", "name server", "windir", "openurl c", "prefetch2", "show technique", "mitre att", "ck matrix", "pattern match", "ascii text", "sha1", "href", "show process", "file", "general", "local", "path", "germany unknown", "date", "registrar", "ip whois", "dynamicloader", "high", "medium", "search", "displayname", "tofsee", "win64", "write", "stream", "malware", "push", "entries", "tls handshake", "failure", "forbidden", "tlsv1", "april", "next", "write c", "intel", "ms windows", "sha1 add", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "sha256 add", "present jun", "present mar", "medelln", "colombia asn", "dns resolutions", "address domain", "related tags", "none google", "safe browsing", "external", "present sep", "present aug", "as54113", "present jul", "as8068", "gmt content", "total", "read", "delete", "top source", "quasi", "murderers", "christopher ahmann", "buzz ahmann", "wow64", "slcc2", "media center", "labor", "employment", "cdle", "dowc", "colorado", "workers", "coloradoif", "independent", "state", "company", "entity type", "authorized line", "analysis", "tor analysis", "process details", "network traffic", "t1071", "potential ip", "click", "found", "t1480 execution", "bad traffic", "et info", "ck techniques", "evasion att", "t1057", "refresh", "body", "strings", "tools", "look", "verify", "restart", "cname", "form", "pulse", "script domains", "script urls", "administrator", "services llc", "dns admin", "domain admin", "global llc", "domain manager", "computer system", "ltd domain", "network", "alibaba", "facebook", "phishme", "sogou", "present jan", "present feb", "present oct" ], "references": [ "https://www.fmglaw.com/lawyers/christopher-ahmann - found in adult content pulse.", "Sneaker Bots Proxies Servers Cook Groups Cop Supply", "archive.cop.supply \u2022 dev.cop.supply \u2022 https://cop.supply/ \u2022 https://cop.supply/bot-lists/", "https://cop.supply/supreme-bots/\u2022 https://cop.supply/useful-tools/", "https://cop.supply/proxies-lists/ \u2022 https://cop.supply/shopify-bots/", "dns.army \u2022 www.dcopr.dns.army \u2022 www.glsyaiwjj.dns.army \u2022 www.wgmvk.dns.army", "https://maps.googleapis.com/maps/api/js?sensor=false", "cell-0.af-south-1.prod.telemetry.console.api.aws", "howtoworkacrickoutofyourneck2.pages.dev", "firebase-auth-eich0v.pages.dev", "http://ianswertomom.com/develop-wise-woman-within-yourself", "http://ianswertomom.com/bible-verses-struggling-contentment-mom/ I", "https://i-want-to-start-an-onlyfans.pages.dev/favicon.ico| I bet you do boo boo", "makeapornsite.com \u2022 https://pornhighschool.com/ \u2022 https://ethnicerotic.com \u2022 https://twitter.com/Make", "https://khmerpornvideo.signup0.y.id/", "https://lordseriala.life/6337-zvezdnye-vojny-opornaja-komanda.html", "https://clear.ml/infrastructure-control-plane", "dev-app.project-cicada.com \u2022 http://dev-app.project-cicada.com \u2022 https://dev-app.project-cicada.com (2014 report predates 2016 reports)", "https://amano.inboundtools.com/tpcontact URL https://armg.inboundtools.com/ URL https://gaiax.inboundtools.com/internship URL https://hmk.inboundtools.com/ URL https://hmk.inboundtools.com/form/assetview_siryo_sier", "https://download.clear.ml/cpython_builds/releases/ \u2022 https://download.clear.", "https://links.mail.samsara.com/s/c/P9R6gGlExR4nfCwqwJXUmr7NmKcMNde4ZBhCFprlVtsFNgh-4tuTWla0aXN9rIWCjrWtn0Vln7x-hexxVBlY3xxvnEevR8qJU5G5xV3__wo-X7kkpSOhJVfejac-Xk8qu6zs5Z-tILwWYRkNScZNGlAqfwQuJuRw5M-n_ZKI6tuY5XGCZAqWoQepi1NnJiW4wZJkzZlOwGtNkusbuKDcMsLVrrhji2eKh4kYgrJp_SeycJRhasLFCQ3c2bPu4sahEWpcHZrQBaxvdfQgTEno8kV-RJdTDO0zK5MyWDJLeds7mnaDrxlb0O2zmhebUdlHE0R0xHi25dympBUpMlLsQV8bx1WUTOfgK4k0ci9o_2Gbfe22-jLxsJN-msV6pxWYQMaxRNFd4iZRC9J9Z1SC5MBqbvNzqdt98kFdpibnv_QIHdhFyHOR_Ip_LX67Dncc8V8OvAi-H5phfeSyDzwdzf2FQIi82", "https://voidpet.io/invite/scaredscared/1rpzxWXa61 \u2022 https://sex-doggy.net/tag/censored", "Everyone has simply asked you alll to stop. Target never asked anyone for money.", "Legal court documented agreement to allow and pay target to hire cyber investigators", "Attacks are being carried out by The State of Colorado" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Japan", "France", "Ireland", "Spain", "Italy", "Aruba", "Australia", "Denmark", "United Kingdom of Great Britain and Northern Ireland", "Germany", "T\u00fcrkiye", "Indonesia" ], "malware_families": [ { "id": "Win.Trojan.GravityRAT-6511862-0", "display_name": "Win.Trojan.GravityRAT-6511862-0", "target": null }, { "id": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn", "display_name": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn", "target": null }, { "id": "Unix.Trojan.Tsunami-6981155-0", "display_name": "Unix.Trojan.Tsunami-6981155-0", "target": null }, { "id": "TrojanDropper:Win32/Systex.A", "display_name": "TrojanDropper:Win32/Systex.A", "target": "/malware/TrojanDropper:Win32/Systex.A" }, { "id": "Win.Trojan.Tepfer-61", "display_name": "Win.Trojan.Tepfer-61", "target": null }, { "id": "TrojanDownloader:Win32/CutwailRansom:Win32/Crowti.A", "display_name": "TrojanDownloader:Win32/CutwailRansom:Win32/Crowti.A", "target": null }, { "id": "VirTool:Win32/VBInject.gen!MH", "display_name": "VirTool:Win32/VBInject.gen!MH", "target": "/malware/VirTool:Win32/VBInject.gen!MH" }, { "id": "ALF:NID:Susp_NSIS_Stub.A", "display_name": "ALF:NID:Susp_NSIS_Stub.A", "target": null }, { "id": "#LOWFI:HSTR:Criakl.B1", "display_name": "#LOWFI:HSTR:Criakl.B1", "target": null }, { "id": "Backdoor:Win32/Arwobot.B", "display_name": "Backdoor:Win32/Arwobot.B", "target": "/malware/Backdoor:Win32/Arwobot.B" }, { "id": "Win.Packed.Bandook-9882274-1", "display_name": "Win.Packed.Bandook-9882274-1", "target": null }, { "id": "TrojanDownloader:Win32/Cutwail", "display_name": "TrojanDownloader:Win32/Cutwail", "target": "/malware/TrojanDownloader:Win32/Cutwail" }, { "id": "Win.Downloader.Small-4507", "display_name": "Win.Downloader.Small-4507", "target": null }, { "id": "Trojan:Win32/Qbot.R!MTB", "display_name": "Trojan:Win32/Qbot.R!MTB", "target": "/malware/Trojan:Win32/Qbot.R!MTB" }, { "id": "Win.Malware.Mikey-9949492-0", "display_name": "Win.Malware.Mikey-9949492-0", "target": null }, { "id": "Ransom:Win32/Crowti.A", "display_name": "Ransom:Win32/Crowti.A", "target": "/malware/Ransom:Win32/Crowti.A" }, { "id": "Backdoor:Linux/DemonBot.Aa!MTB", "display_name": "Backdoor:Linux/DemonBot.Aa!MTB", "target": "/malware/Backdoor:Linux/DemonBot.Aa!MTB" }, { "id": "Unix.Trojan.Gafgyt-6981154-0", "display_name": "Unix.Trojan.Gafgyt-6981154-0", "target": null }, { "id": "DDOS:Linux/Gafgyt.YA!MTB", "display_name": "DDOS:Linux/Gafgyt.YA!MTB", "target": "/malware/DDOS:Linux/Gafgyt.YA!MTB" }, { "id": "CVE-2017-11882", "display_name": "CVE-2017-11882", "target": null }, { "id": "ALF:Exploit:O97M/CVE-2017-8977", "display_name": "ALF:Exploit:O97M/CVE-2017-8977", "target": null }, { "id": "Cycbot", "display_name": "Cycbot", "target": null }, { "id": "Win32:BotX-gen\\ [Trj]", "display_name": "Win32:BotX-gen\\ [Trj]", "target": null }, { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "Mirai (ELF)", "display_name": "Mirai (ELF)", "target": null }, { "id": "Worm", "display_name": "Worm", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1574.008", "name": "Path Interception by Search Order Hijacking", "display_name": "T1574.008 - Path Interception by Search Order Hijacking" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1593.002", "name": "Search Engines", "display_name": "T1593.002 - Search Engines" } ], "industries": [ "Insurance", "Construction" ], "TLP": "green", "cloned_from": "693cdc5b8ebc10664439c2fb", "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 54118, "domain": 11153, "hostname": 18578, "email": 21, "FileHash-SHA256": 4905, "FileHash-MD5": 548, "FileHash-SHA1": 534, "CVE": 7, "SSLCertFingerprint": 20, "CIDR": 1 }, "indicator_count": 89885, "is_author": false, "is_subscribing": null, "subscriber_count": 145, "modified_text": "111 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "694b02eb945649ff909f06d5", "name": "$RECYCLE . BIN\\ -> Part 2", "description": "E:\\Suss-SG2\\$RECYCLE.BIN\\\n\nVictim Google Pixel Telus ISP Norton AV Device\nDevice connected to AHS/Covenant Health, University of Alberta, Government of Alberta", "modified": "2026-01-28T02:03:16.337000", "created": "2025-12-23T21:00:27.029000", "tags": [ "Telus", "YEG", "AHS", "Pixel", "ConnectCare", "Norton", "UAlberta", "Google" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Government", "Education", "Technology", "Telecommunications", "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 65761, "FileHash-SHA1": 56561, "FileHash-SHA256": 43672, "domain": 1373, "email": 39, "URL": 466, "hostname": 818, "CVE": 3, "CIDR": 2 }, "indicator_count": 168695, "is_author": false, "is_subscribing": null, "subscriber_count": 130, "modified_text": "124 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "693b7dc3cf1996347652ef92", "name": "Google Site Redirector - Tesla Hackers", "description": "Silencing. By Tesla hackers. Awful example of how any victim of a crime; can become a target of the government..\nThis is especially true when the actual perpetrators work for the government are government affiliated, very wealthy, a celebrity or someone who is deemed important. In this instance the Quasi government sought to keep target seeking and obtaining life saving medical treatment, financial settlement that she was entitled to from assault, injuries from assault, false imprisonment, punitive damgages, pain and suffering, humiliation, premise liability, permanent (whole body disability @MMI ), many other crimes. The victims suffered from a great sadness and betrayal. \n\nObviously racist Elon Musk and crew have access to all government tools. Musk, All things cyber are at his disposal as \ncontinues to abuse privilege.\n They keep playing a God they don\u2019t believe in. God is the Ultimate Avenger.", "modified": "2026-01-11T00:03:08.581000", "created": "2025-12-12T02:28:19.107000", "tags": [ "compromised_site_redirector_fromcharcode", "site_redirector", "string", "regexp", "error", "number", "sxa0", "amptoken", "optout", "retrieving", "notfound", "write", "form", "flash", "vd", "tesla hackers", "nxdomain", "passive dns", "ip address", "domain", "a nxdomain", "urls", "files", "ip related", "pulses otx", "google", "unknown", "oracle", "dynamicloader", "medium", "high", "windows", "rndhex", "write c", "rndchar", "displayname", "tofsee", "yara rule", "stream", "strings", "push", "lte all", "search otx", "ource url", "or text", "paste", "data upload", "extraction", "elon musk", "indicator role", "active related", "ipv4", "exploitsource", "url https", "url http", "desktopinternet", "title added", "pulses ipv4", "less see", "ids detections", "vuze bt", "udp connection", "contacted", "filehash", "av detections", "yara detections", "alerts", "0x8aa42", "0xe3107", "upnp", "http request", "bittorrent", "file", "module load", "t1129", "post http", "install", "execution", "malware", "hostile", "crawl", "windows nt", "wow64", "get zona", "get httpget", "hash", "entries", "read c", "suspicious", "next", "united" ], "references": [ "Tesla Hackers | https://www.teslarati.com/spacex", "Yara Detections :compromised_site_redirector_fromcharcode Alerts network_icmp js_eval recon_fingerprint", "142.250.74.142.250.74.138 _exploit_source | 142.250.74.138 _exploit_source | 142.250.74.142_exploit_source", "IDS Detections Win32/ZonaInstaller Install Beacon", "https://www.google \u2022 https://ampcid.google.com/v1/publisher \u2022\u2019https://ampcid.google.com/v1/publisher:getClientId\\", "https://tagassistant.google.com/ \u2022 https://www.google-analytics.com/debug/bootstrap?id=", "https://www.google-analytics.com/debug/bootstrap?id=\\", "https://stats.g.doubleclick.net/j/collect\\ \u2022 https://tagassistant.google.com/ \u2022 https://www.google.com/ads/ga", "https://www.google-analytics.com/gtm/js?id=\\ \u2022 https://www.googletagmanager.com/gtag/js?id= \u2022", "https://www.googletagmanager.com/gtag/js?id=\\ \u2022 https://www.google-analytics.com/gtm/js?id=", "This is why our team tells a back story. It can and does happen to anyone.", "We apologize for so may typos and errors. We strive to do better at that." ], "public": 1, "adversary": "Tesla Hackers", "targeted_countries": [], "malware_families": [ { "id": "Vd", "display_name": "Vd", "target": null }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "Win.Trojan.12382640-1", "display_name": "Win.Trojan.12382640-1", "target": null } ], "attack_ids": [ { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 65, "FileHash-SHA1": 34, "FileHash-SHA256": 2032, "URL": 4921, "domain": 567, "hostname": 1586, "SSLCertFingerprint": 4 }, "indicator_count": 9209, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "141 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65eea19a23474b8c7dca351f", "name": "All Items - find from the UA archive disk", "description": "Again have zero idea 'what these are' - just uploading from the 'archives' as I sort through things", "modified": "2025-12-24T08:28:47.628000", "created": "2024-03-11T06:15:54.351000", "tags": [], "references": [ "https://www.virustotal.com/gui/collection/09af9ef0b7b23d2dc73d83858106ae4fc97a352dbb521ac04493a0e79095ac69/iocs", "https://www.virustotal.com/gui/collection/79c25168b2f93d9730a56b8d2b834cbfb2752b63b21b9dd51109416fbaa676d8/iocs", "https://www.virustotal.com/graph/embed/g8726609a12794ebeb59edd531961a233068149bcdf994b428f20141be6111551?theme=dark", "https://www.virustotal.com/graph/embed/g365a82115f934e31a69118715695c91c231f66cda9084c9389e56afb985a243e?theme=dark", "", "https://www.virustotal.com/gui/collection/6a8d582df4fe5a29885dad4074236bc9e4ed445aaf0cc00702d45963fb0459bb/iocs" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1165, "hostname": 866, "URL": 657, "FileHash-SHA256": 26, "email": 337, "FileHash-MD5": 12, "FileHash-SHA1": 8, "CIDR": 1 }, "indicator_count": 3072, "is_author": false, "is_subscribing": null, "subscriber_count": 129, "modified_text": "159 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6608aaf7ca0e965e593ed1d4", "name": "MUI programu Microsoft Office Access (w j\u0119zyku angielskim) zosta\u0142o u\u017cyte do wys\u0142ania z\u0142o\u015bliwego oprogramowania na serwer w Czechach jest to pierwszy tego typu atak na komputer. e", "description": "A look back at some of the key words and phrases used to describe the situation in Italy, as \"probacja\" (or \"democrata), as they were translated into English.", "modified": "2025-10-17T11:03:07.034000", "created": "2024-03-31T00:14:47.183000", "tags": [ "sha256", "ssdeep", "reputacja", "tworzy pliki", "informacje", "bardzo duga", "tworzy", "adresy url", "tworzy katalog", "win64", "ameryki", "typ pliku", "serwer nazw", "san jose", "adres", "digital", "data wyganicia", "csc corporate", "domains", "ca data", "data utworzenia", "dnssec" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6432, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 3, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2140, "hostname": 5874, "FileHash-SHA256": 12539, "FileHash-MD5": 3686, "FileHash-SHA1": 2751, "IPv4": 503, "URL": 10770, "email": 26, "CVE": 88, "YARA": 6, "JA3": 2, "IPv6": 28, "SSLCertFingerprint": 5, "BitcoinAddress": 3, "CIDR": 1 }, "indicator_count": 38422, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "227 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68c954a80675ccc89b0e9b63", "name": "Trump #45470 | Palantir container | virus:DOS/Hellspawn + ioS (compromised)", "description": "Overt. Trump support campaign text message from #45470. Malicious. Received on a victims hyper compromised iPhone. Attempts to or did take CnC of device. Stutters device, changed App Store , has delete service, device sweep, shuts down service , halts all pages, denial of service, throttles service, steals\npasswords, bots , I don\u2019t know if device can be refurbished or research purposes - Palantir DC DGA domains - Trump. Multiple IoC\u2019s , malware with code overlap, it appears to be from a legitimate text for updates #. Visibly affected all aspects of device and software. Commands device shut down. \n[OTX populated: Failed to retrieve suggested indicator for beta-ui, according to the latest results from the Welsh Government's Office for National Statistics (ONS) and the National Data Centre (NDS))", "modified": "2025-10-16T12:03:14.279000", "created": "2025-09-16T12:14:32.327000", "tags": [ "ttl value", "extraction", "data upload", "failed", "extra data", "include review", "exclude sugges", "stop", "line", "path", "polyline", "getprocaddress", "circle", "span", "ck id", "mitre att", "ck matrix", "null", "error", "open", "spinner", "title", "code", "iframe", "window", "void", "infinity", "crypto", "footer", "generator", "general", "format", "click", "strings", "meta", "install", "encoder", "learn", "command", "name tactics", "suspicious", "informative", "spawns", "evasion att", "t1480 execution", "file defense", "adversaries", "calls", "reads", "defense evasion", "model", "server", "registrar abuse", "ascio", "contact phone", "admin city", "admin country", "admin postal", "dnssec", "http", "ip address", "passive dns", "related nids", "urls", "files location", "united", "flag united", "a domains", "search", "unknown aaaa", "certificate", "yara detections", "av detections", "ids detections", "alerts", "entries elf", "filehash", "name servers", "servers", "moved", "script script", "aaaa", "unknown ns", "domain add", "formbook cnc", "checkin", "lowfi", "mtb jun", "github pages", "twitter", "accept", "cryptobit", "extra", "referen data", "trojanproxy", "dynamicloader", "high", "write c", "medium", "intel", "ms windows", "entries", "pe32", "explorer", "worm", "write", "next", "trojan", "hellspawn", "md5 add", "malware", "data", "included iocs", "script urls", "script domains", "gmt content", "cash amtincart", "expirestue", "domain related", "sea x", "accept encoding", "request id", "body doctype", "apache", "encrypt", "skynet", "third eye tv", "calling", "delete app", "potus", "mtb aug", "backdoor", "gmt cache", "sameorigin", "443 ma2592000", "ipv4 add", "utilads", "trojandropper", "mtb sep", "win32upatre aug", "yara rule", "as15169", "guard", "smartassembly", "associated urls", "date checked", "url hostname", "server response", "domain", "url analysis", "files", "date", "delete service", "45470", "text", "hybrid", "present sep", "body", "fastly error", "please", "xor xor", "sha256 add", "analysis date", "file score", "detections alf", "june", "delphi", "attempts", "yara", "high security", "file type", "pe packer", "ransom" ], "references": [ "skynet-dev.tcxn.net tcxn.net Registrar Ascio Technologies, Inc - connection to cloud proxy", "TrojanProxy:Win32/Malynfits CodeOverlap TrojanSpy:Win32/Nivdort CodeOverlap virus:Win32/Lywer CodeOverlap", "https://cryptobit.live/build/assets/app-CkRYqsKL.js \u2022 cryptobit.live \u2022 t.page \u2022 cdn.wallets.cryptobit.live", "Trump Support campaign \u2022_\u2022 lantana-mgmt.washington.palantircloud.com \u2022 containers-reishi.palantirfedstart.com", "Virus:DOS/Hellspawn 192.168.122.49 10/16/25\t\u2022 IPv4 142.251.9.105", "IDS Detections: Win32/Enosch.A gtalk connectivity check | W32/MoonLight.worm User-Agent (HellSpawn)", "PWS:Win32/Ymacco.AA50 Win.Trojan.Generic-9959068-0\t SLF:MSIL/PSTAnomaly.A Win.Dropper.Shakblades-7614016-0\t#LowFI:VBExpensiveLoop Win.Packed.Barys-10031677-0\tTEL:Trojan:MSIL/AgentTesla.VPA!MTB Win.Trojan. Backdoor:MSIL/Remcos!MTB", "hasownproperty.call \u2022 fireeye.grhd.", "Apple Store verified drop down breach \u2018Apple took a screenshot of pages\u201d" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "TrojanProxy:Win32/Malynfits", "display_name": "TrojanProxy:Win32/Malynfits", "target": "/malware/TrojanProxy:Win32/Malynfits" }, { "id": "Virus:Win32/Lywer", "display_name": "Virus:Win32/Lywer", "target": "/malware/Virus:Win32/Lywer" }, { "id": "Worm:Win32/Lightmoon.H", "display_name": "Worm:Win32/Lightmoon.H", "target": "/malware/Worm:Win32/Lightmoon.H" }, { "id": "Virus:DOS/Hellspawn", "display_name": "Virus:DOS/Hellspawn", "target": "/malware/Virus:DOS/Hellspawn" }, { "id": "Win.Trojan.Dialer-266", "display_name": "Win.Trojan.Dialer-266", "target": null }, { "id": "AgentTesla", "display_name": "AgentTesla", "target": null }, { "id": "Backdoor:MSIL/Remcos", "display_name": "Backdoor:MSIL/Remcos", "target": "/malware/Backdoor:MSIL/Remcos" }, { "id": "ALF:JASYP:Trojan:Win32/IRCbot!atmn", "display_name": "ALF:JASYP:Trojan:Win32/IRCbot!atmn", "target": null }, { "id": "Trojandropper:Win32/Muldrop.V!MTB", "display_name": "Trojandropper:Win32/Muldrop.V!MTB", "target": "/malware/Trojandropper:Win32/Muldrop.V!MTB" }, { "id": "#LowFI:VBExpensiveLoop", "display_name": "#LowFI:VBExpensiveLoop", "target": null }, { "id": "TEL:Trojan:MSIL/AgentTesla.VPA!MTB", "display_name": "TEL:Trojan:MSIL/AgentTesla.VPA!MTB", "target": null }, { "id": "PWS:Win32/VB.CU", "display_name": "PWS:Win32/VB.CU", "target": "/malware/PWS:Win32/VB.CU" }, { "id": "ALF:Ransom:Win32/Babax.SG!MTB", "display_name": "ALF:Ransom:Win32/Babax.SG!MTB", "target": null } ], "attack_ids": [ { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 690, "URL": 1479, "domain": 476, "FileHash-MD5": 526, "FileHash-SHA1": 505, "FileHash-SHA256": 1509, "email": 6 }, "indicator_count": 5191, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "228 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6892e73b32af18aa302df0dc", "name": "Part 1.5", "description": "Dark web media \u2022 Political news \u2022 Malvertizing\nlocate \u2022\ntrack [stalk] \u2022 record calls \u2022 control media [youtube , etc] http://t.name?n[++i]=e:this.removeEventListener\t\t\nJeeng &\nPowebox [ accidentally left out in original post pulse]", "modified": "2025-09-05T04:03:06.929000", "created": "2025-08-06T05:25:15.369000", "tags": [ "chromeua", "optout", "object", "path", "value", "access type", "setval", "windir", "localappdata", "null", "win64", "error", "generator", "close", "roboto", "date", "format", "light", "span", "template", "void", "android", "body", "trident", "mexico", "sonic", "black", "critical", "desktop", "dark", "meta", "this", "june", "hybrid", "apache", "write", "crypto", "autodetect", "face", "courier", "gigi", "impact", "shadow", "click", "strings", "cray", "smwg", "eret", "footer", "infinity", "window", "canvas", "legend", "nuke", "lion", "4629", "ahav", "olsa", "false", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "defense evasion", "t1480 execution", "file defense", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "script", "mitre att", "pattern match", "show technique", "iframe", "refresh", "august", "general", "local", "tools", "demo", "look", "verify", "restart", "url http", "small", "pulses url", "tellyoun", "showing", "entries", "url https", "indicator role", "title added", "active related", "type indicator", "role title", "added active", "related pulses", "cc08", "f06a6b", "sfurl", "filehashsha256", "types", "indicators show", "search", "pulses", "filehashsha1", "adversaries", "found", "webp image", "ascii text", "riff", "size", "encrypt", "legacy", "filehashmd5", "united", "flag", "server", "markmonitor", "name server", "llc name", "overview dns", "requests domain", "country", "win32", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "medium risk", "yara", "detections", "malware", "copy", "show", "icmp traffic", "packing t1045", "t1045", "pdb path", "pe resource", "extraction", "data upload", "enter sc", "type", "extra data", "please", "failed", "review", "exclude data", "included review", "ic data", "suggeste", "stop", "type onow", "domain", "passive dns", "urls", "files related", "pulses none", "related tags", "none google", "safe browsing", "sc data", "extr amanuav", "review included", "manualy", "sugges excluded", "filehash", "md5 add", "pulse pulses", "url add", "http", "hostname", "files domain", "pulses otx", "virustotal", "hsmi192547107", "pulses hostname", "r dec", "customer dec", "iski dec", "decision dec", "va dec", "bitcoin", "bitcoin dec", "petra", "torstatus dec", "paul dec", "sodesc", "planet dec", "emilia", "heroin dec", "difference dec", "palantir dec", "loraxlive dec", "chaturbate dec", "sandra", "free dec", "marvel dec", "benjis dec", "fresh dec", "sodesc dec", "srdirport", "srhostname", "link dec", "types of", "italy", "china", "australia", "france", "turkey", "discovery", "information", "ck ids", "t1005", "local system", "t1007", "system service", "part", "track", "locate", "political", "civil society", "news", "created", "hours ago", "report spam", "t1555", "password", "t1560", "collected data", "t1573", "channel", "t1574", "execution flow", "scan", "iocs", "t1497", "u0lhmq", "mtawmq", "t1480", "guardrails", "t1486", "data encrypted", "learn more", "unsubscribe aug", "protocol", "t1074", "staged", "t1083", "t1102", "web service", "t1105", "tool transfer", "t1140", "data engineer", "candidate", "tlsv1", "odigicert inc", "stcalifornia", "lsan jose", "oadobe systems", "incorporated", "cndigicert sha2", "push", "next", "high", "write c", "ireland as16509", "delete", "dirty", "tags", "t1012", "flow endpoint", "security scan", "t1106", "copyright", "levelblue" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 608, "FileHash-SHA1": 433, "FileHash-SHA256": 3663, "URL": 17104, "domain": 1316, "email": 39, "hostname": 4208, "SSLCertFingerprint": 17 }, "indicator_count": 27388, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "269 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6892a73593f73dfc969779b0", "name": "Part I | Track | Locate | Political & Civil society \u2018news\u2019 campaigns", "description": "Part I | Track | Locate | Political & Civil society \u2018news\u2019 campaigns\n*[ddddd.msg]\n[http://tracking.eu1.glintinc.com]\n[stormer5v52vjsw66jmds7ndeecudq444woadhzr2plxlaayexnh6eqd]\n[stackstorm.ops.dev.az.glintinc.com]\n\u2022 http://stormer5v52vjsw66jmds7ndeecudq444woadhzr2plxlaayexnh6eqd.onion/peter-thiel-running-database-to-root-out-those-disloyal-to-the-leader/\\n \u2022\n[http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-at-concentra/360]\n[http://pixelrz.com/lists/keywords/tsara-brashears-dead/360]", "modified": "2025-09-05T00:03:23.223000", "created": "2025-08-06T00:52:05.051000", "tags": [ "url http", "small", "indicator role", "title added", "active related", "pulses hostname", "tellyoun", "n aug", "entries", "data upload", "extraction", "windows error", "june", "fwd urgent", "justice czech", "copy sha256", "rejectedfailed", "timestamp input", "message status", "actions august", "file", "actions june", "actions may", "cta4 https", "context related", "associated urls", "campaigncodedsc", "language", "uid http", "community", "sha256", "size42b type", "submitted", "august", "april", "internal error", "previous1", "iframe", "community score", "scan analysis", "malicious", "intelligence", "learn", "falcon sandbox", "submissions", "status", "adversaries", "ck id", "name tactics", "suspicious", "informative", "defense evasion", "windows folder", "found", "dlls", "impact", "chromeua", "optout", "object", "path", "value", "access type", "setval", "windir", "localappdata", "null", "win64", "error", "generator", "close", "roboto", "date", "format", "light", "span", "template", "void", "android", "body", "trident", "mexico", "sonic", "black", "critical", "desktop", "dark", "meta", "this", "hybrid", "apache", "write", "crypto", "autodetect", "face", "courier", "gigi", "shadow", "click", "strings", "cray", "smwg", "eret", "footer", "infinity", "window", "canvas", "legend", "nuke", "lion", "4629", "ahav", "olsa", "false" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 9062, "domain": 707, "hostname": 2318, "FileHash-MD5": 86, "FileHash-SHA1": 26, "FileHash-SHA256": 2096, "email": 5, "FilePath": 2, "URI": 1 }, "indicator_count": 14303, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "269 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68038f7eb6f6810aa6d6439f", "name": "\"+g+\"", "description": "https://aplikacja.ceidg.gov.pl/CEIDG/CEIDG.Public.UI/EntryChangeHistory.aspx?Id=855bdfc1-7dbc-4a86-9d27-89ebb0ecf166&archival=False", "modified": "2025-09-01T08:05:25.121000", "created": "2025-04-19T11:56:46.933000", "tags": [ "copyright", "customevent", "typeof e", "boomerang", "typeof t", "macintosh", "os x", "post", "typeof", "iframe", "date", "poka menu", "nie znaleziono", "poka start", "poka", "max dostpnych", "pierwsza", "ostatnia", "nastpna", "poprzednia", "brak danych", "first", "ceidg", "wystpi bd", "error", "true", "null", "linkdownload", "show", "ctrlmappings", "version", "versionchange", "body", "false", "span", "input", "paginate", "next", "last", "selectstart", "loop", "function", "bootstrap", "datatables", "responsive", "2016 sprymedia", "amd define", "object", "commonjs", "window", "browser", "button", "datatable", "sprymedia ltd", "columns", "colidx", "column", "parent", "child", "param", "display", "click", "middle", "class", "target", "never", "find", "footer", "close", "regexp", "matches", "cookie", "inputmask", "input mask", "robin herbots", "mit license", "xmlhttprequest", "left", "month", "boolean", "maxdate", "right", "daterangepicker", "yyyymmdd", "calendar", "jquery", "webpackrequire", "typeof symbol", "type", "setprototypeof", "maskpos", "wrapnativesuper", "backspace", "insert", "internal", "mask", "void", "this", "nie mona", "array", "nonmsdombrowser", "horizontal", "leftarrow", "uparrow", "rightarrow", "downarrow", "explorer", "form", "legend", "hmmss", "mmmm d", "yyyy h", "typeof define", "number", "locale", "character", "seeknext", "masked", "input plugin", "josh bush", "azaz", "azaz09", "black", "kontrast", "arrcookies", "getcookielang", "and information", "on business", "sign", "twoja", "opinia", "informacja o", "notify ui", "widget", "eric hynds", "dual", "name", "dtopt", "example", "using", "open", "adata", "hungarian", "aria", "legacy", "trident", "format", "nuke", "apos", "bitcoin", "outer", "mark", "info", "reload", "behaviour", "write", "buttons", "anything", "prop", "thecookie", "create", "thevalue", "string name", "pluginscookie", "author", "eventkey", "datakey", "default", "dataapikey", "defaulttype", "config", "shown", "trigger", "delta", "guard", "arrow", "leave", "scroll", "dataspy", "sessiontimeout", "return", "settimeout", "mytimerid", "requestcounter", "starttimer", "stop", "typeof n", "adminlte", "typeof o", "main", "js application", "adminlte v2", "colorlib", "ui date", "written", "jacek wysocki", "poprzedni", "marzec", "kwiecie", "czerwiec", "lipiec", "sierpie", "wrzesie", "openpopup", "href", "toggle", "msviewport", "popover", "json", "json text", "string", "otherwise", "holder", "mind", "copy", "meta", "third", "text", "choice", "confirm", "nie pytaj", "site", "title", "value", "alert", "warn", "migrate", "foundation", "see http", "forget", "newvalue", "nones5", "fall", "wrongvalid", "onerror", "year", "fast", "argument", "popper", "method", "data", "html", "flip", "factory", "onload", "tbody", "courier", "elem", "handle", "expando", "match", "selector", "sizzle", "android", "capture", "seed", "pass", "enough", "code", "bind", "core", "local", "verify", "accept", "done", "override", "inject", "possible", "hold", "45deg", "larger", "screen styling", "90deg", "support", "sidebar mini", "e1f0ff", "font awesome", "free", "autocomplete", "folder", "expanded folder", "tabela", "sorting", "xform", "nadpisane style", "menlo", "monaco", "consolas", "mono", "courier new", "browse", "twitter", "pt serif", "georgia", "times new", "roman", "times", "typetime", "import", "roboto", "http", "label", "demos", "effect", "inst", "super", "speed", "bounce", "hack", "logic", "shift", "double", "february", "april", "june", "august", "friday", "erase", "atom", "caja", "spinner", "refresh", "alpha", "sentinel", "back", "blind", "drop", "ceidg.gov.pl - centralna ewidencja i informacja o dzia\u0142alno\u015bci g", "prosz czeka", "pobierz plik" ], "references": [ "https://aplikacja.ceidg.gov.pl/CEIDG/CEIDG.Public.UI/EntryChangeHistory.aspx?Id=855bdfc1-7dbc-4a86-9d27-89ebb0ecf166&archival=False", "UE_pl_top.svg", "UE_pl_top_sm.svg", "XZ4AH-ABKPW-SQPBC-CYWES-BCG6V", "dataTables.lang.js.pobrane", "EntryChangeHistory.aspx.js.pobrane", "dataTables.input.js.pobrane", "responsive.bootstrap4.js.pobrane", "dataTables.bootstrap4.js.pobrane", "dataTables.responsive.js.pobrane", "jquery.session.js.pobrane", "inputmask.binding.js.pobrane", "daterangepicker.js.pobrane", "jquery.inputmask.min.js.pobrane", "ScriptResource.axd", "moment-with-locales.min.js.pobrane", "jquery.maskedinput-1.2.2.js.pobrane", "feedback.js.pobrane", "jquery.notify.min.js.pobrane", "jquery.dataTables.js.pobrane", "jquery.cookie.js.pobrane", "bootstrap.js.pobrane", "SessionTimeout.js.pobrane", "adminlte.min.js.pobrane", "jquery.easing.1.3.js.pobrane", "jquery.feedbackBadge.min.js.pobrane", "ui.datepicker-pl.js.pobrane", "ceidg-master.js.pobrane", "CommonResponsive.js.pobrane", "json2.js.pobrane", "jquery.alerts.js.pobrane", "jquery-migrate-1.2.1.js.pobrane", "dataTables.bootstrap4.css", "CommonScripts.js.pobrane", "popper.js.pobrane", "responsive.bootstrap4.css", "jquery-3.0.0.js.pobrane", "daterangepicker.css", "AdminLTE.css", "ui.notify.css", "ceidg.css", "bootstrap-gov-pl.css", "biznes.css", "jquery-ui.js.pobrane", "saved_resource.html" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 4, "FileHash-SHA256": 25, "URL": 165, "domain": 353, "hostname": 215, "email": 2 }, "indicator_count": 767, "is_author": false, "is_subscribing": null, "subscriber_count": 123, "modified_text": "273 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68abf75bf3b03b94a6762409", "name": "(Repost) How to connect listeners to e.intercom | serverhub.com eonix.net", "description": "", "modified": "2025-08-25T05:40:43.552000", "created": "2025-08-25T05:40:43.552000", "tags": [ "context", "error", "ajaxupdate", "request", "requestdata", "name", "xoctoberassets", "datarequest", "typesubmit", "typetext", "click", "function", "typeof c", "bootstrap", "javascript", "azaz", "popover", "typeof f", "typeof g", "typeof h", "vui", "anda", "tente", "outubro", "trackingclient", "srpanj", "rabu", "vasaris", "image", "typeof atrkopts", "800px", "40px", "i18n", "blockedemail", "typeof i18n", "hubspot", "captcha", "date", "please", "april", "august", "close", "february", "june", "form", "klik", "download", "window", "this", "next", "null", "blank", "este", "anna", "rserver", "mais", "void", "object", "typeerror", "array", "symbol", "bound", "typeof window", "typeof t", "invalid path", "unknown method", "phonenumber", "ninja", "typeof e", "edge", "dataname", "intercom", "typeof symbol", "apple", "webkiti", "criosi", "trident" ], "references": [ "xfe-URL-Eonix.net-stix2-2.1-export.json", "xfe-URL-Serverhub.com-stix2-2.1-export.json", "xfe-URL-Enom.com-stix2-2.1-export 2.json", "https://widget.intercom.io/widget/rbc8ok9w", "https://js.hscollectedforms.net/collectedforms.js", "https://js.hsleadflows.net/leadflows.js", "https://d31qbv1cthcecs.cloudfront.net/atrk.js", "https://serverhub.com/combine/a059fe7a562c0b582328162f0ee69fda-1426025688", "https://serverhub.com/modules/system/assets/js/framework.js", "https://js.hs-scripts.com/3844463.js", "xfe-URL-Cloudfront.net-stix2-2.1-export.json", "xfe-URL-Intercom.io-stix2-2.1-export.json" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Vui", "display_name": "Vui", "target": null }, { "id": "Outubro", "display_name": "Outubro", "target": null }, { "id": "Tente", "display_name": "Tente", "target": null }, { "id": "Anda", "display_name": "Anda", "target": null }, { "id": "Vasaris", "display_name": "Vasaris", "target": null }, { "id": "Rabu", "display_name": "Rabu", "target": null }, { "id": "Srpanj", "display_name": "Srpanj", "target": null }, { "id": "TrackingClient", "display_name": "TrackingClient", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" } ], "industries": [], "TLP": "white", "cloned_from": "62719a4dec6d0aa4631b9b2f", "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5708, "hostname": 1541, "FileHash-SHA256": 876, "domain": 915, "CVE": 1, "FileHash-MD5": 1 }, "indicator_count": 9042, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "280 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68732864356c4353e0b1efe2", "name": "Denver Post - Custom Malware | Xord", "description": "YARA Detections:\n\u2022 xord_nopsled_in_jquery\ncompromised_site_redirector_fromcharcode\n\u2022 KnownMaliciousObfuscationPattern\n\u2022 WebExploit | \nAlerts:\n\u2022 ransomware_file_modifications\n\u2022 script_created_process\n\u2022 antivm_generic_disk\n\u2022 infostealer_cookies\n\u2022 suspicious_command\n\u2022 dead_host\n\u2022 suspicious_write_exe\n\u2022 network_icmp\n\u2022 modifies_certificates\n\u2022 process_martian\n* Malware IP - \n142.251.215.232", "modified": "2025-08-12T03:05:26.037000", "created": "2025-07-13T03:30:44.589000", "tags": [ "url https", "indicator role", "title added", "active related", "pulses", "entries", "url http", "domain", "ipv4", "filehashsha256", "hostname", "types of", "united kingdom", "united", "germany", "france", "type indicator", "role title", "added active", "related pulses", "extraction", "data upload", "failed", "se extraction", "enter sc", "type", "extra data", "please", "include review", "exclude sugges", "type ol", "please sub", "langes", "include", "review data", "extrad", "manually add", "indicator", "sc type", "included iocs", "se extr", "review exclude", "sugges", "extract data", "add indicator", "domain related", "showing", "tewdida data", "present jul", "script urls", "a domains", "present jun", "search", "accept encoding", "unknown aaaa", "present may", "date", "meta", "body", "ipv6", "role", "present jan", "next associated", "urls show", "date checked", "url hostname", "server response", "ip address", "regexp", "typeof e", "typeof t", "function", "width", "error", "object", "x20trnf", "pseudo", "child", "form", "class", "null", "write", "this", "void", "accept", "copy", "extr please", "typ data", "indicalok no", "gmt max", "reverse dns", "location united", "america flag", "ashburn", "america asn", "dns resolutions", "domains top", "extri please", "review", "sugges data", "find suxesteu", "typ indical", "on hos", "dynamicloader", "medium", "show", "high", "windows", "cmd c", "delete", "next", "unknown", "msie", "windows nt", "wow64", "slcc2", "media center", "read c", "as15169", "execution", "dock", "persistence", "malware", "roboto", "fwlink", "powershell", "delete c", "guard", "win32", "passive dns", "ransom", "trojan", "gmt cache", "sameorigin", "443 ma2592000", "pulse", "trojandropper", "worm", "ur extraction", "find", "types", "seard data", "source se", "url toi", "ela fer", "iocs", "search otx", "extr", "indicators h", "weall", "indica", "sc data", "data u", "extre", "find s", "onv incmde", "exclude data", "suggested", "typ no" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3107, "domain": 526, "hostname": 940, "FileHash-SHA256": 2209, "email": 2, "FileHash-MD5": 80, "FileHash-SHA1": 31, "SSLCertFingerprint": 11 }, "indicator_count": 6906, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "293 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68732869bad70de69c45c1b3", "name": "Denver Post - Custom Malware | Xord", "description": "YARA Detections:\n\u2022 xord_nopsled_in_jquery\ncompromised_site_redirector_fromcharcode\n\u2022 KnownMaliciousObfuscationPattern\n\u2022 WebExploit | \nAlerts:\n\u2022 ransomware_file_modifications\n\u2022 script_created_process\n\u2022 antivm_generic_disk\n\u2022 infostealer_cookies\n\u2022 suspicious_command\n\u2022 dead_host\n\u2022 suspicious_write_exe\n\u2022 network_icmp\n\u2022 modifies_certificates\n\u2022 process_martian\n* Malware IP - \n142.251.215.232", "modified": "2025-08-12T03:05:26.037000", "created": "2025-07-13T03:30:49.347000", "tags": [ "url https", "indicator role", "title added", "active related", "pulses", "entries", "url http", "domain", "ipv4", "filehashsha256", "hostname", "types of", "united kingdom", "united", "germany", "france", "type indicator", "role title", "added active", "related pulses", "extraction", "data upload", "failed", "se extraction", "enter sc", "type", "extra data", "please", "include review", "exclude sugges", "type ol", "please sub", "langes", "include", "review data", "extrad", "manually add", "indicator", "sc type", "included iocs", "se extr", "review exclude", "sugges", "extract data", "add indicator", "domain related", "showing", "tewdida data", "present jul", "script urls", "a domains", "present jun", "search", "accept encoding", "unknown aaaa", "present may", "date", "meta", "body", "ipv6", "role", "present jan", "next associated", "urls show", "date checked", "url hostname", "server response", "ip address", "regexp", "typeof e", "typeof t", "function", "width", "error", "object", "x20trnf", "pseudo", "child", "form", "class", "null", "write", "this", "void", "accept", "copy", "extr please", "typ data", "indicalok no", "gmt max", "reverse dns", "location united", "america flag", "ashburn", "america asn", "dns resolutions", "domains top", "extri please", "review", "sugges data", "find suxesteu", "typ indical", "on hos", "dynamicloader", "medium", "show", "high", "windows", "cmd c", "delete", "next", "unknown", "msie", "windows nt", "wow64", "slcc2", "media center", "read c", "as15169", "execution", "dock", "persistence", "malware", "roboto", "fwlink", "powershell", "delete c", "guard", "win32", "passive dns", "ransom", "trojan", "gmt cache", "sameorigin", "443 ma2592000", "pulse", "trojandropper", "worm", "ur extraction", "find", "types", "seard data", "source se", "url toi", "ela fer", "iocs", "search otx", "extr", "indicators h", "weall", "indica", "sc data", "data u", "extre", "find s", "onv incmde", "exclude data", "suggested", "typ no" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3107, "domain": 526, "hostname": 940, "FileHash-SHA256": 2209, "email": 2, "FileHash-MD5": 80, "FileHash-SHA1": 31, "SSLCertFingerprint": 11 }, "indicator_count": 6906, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "293 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "684c65464466dd19b089f325", "name": "Zesp\u00f3\u0142 Profilaktyki i Rehabilitacji w Janowicach Wielkich - YouTube", "description": "If d=void 0===c,w(\"trustedResourceUrl\",d: \"Trusted resourceUrl,\" thend=c.src,d, c.js, then d:", "modified": "2025-06-13T17:56:28.689000", "created": "2025-06-13T17:52:06.399000", "tags": [ "rehabilitacji w", "youtube tv", "dami jelenia", "tv dami", "jelenia gra", "zakupy wycz", "jeli", "nie korzystasz", "filmy", "aby tego", "copyright", "closure library", "argument", "ifunction", "error", "null", "type", "cast", "webchannel", "su2028u2029", "chrome", "xmlhttp", "kkvoid", "remotecontrol", "android", "unknown", "screen", "desktop", "function", "string", "array", "number", "vfunction", "f8192", "n432", "true", "j2048", "this", "window", "void", "date", "pokau017c", "pytfunction", "fe8function", "qgzfunction", "afunction", "hb28", "r150", "promise", "bigint", "post", "edge", "swhealthlog", "symbol", "trident", "infinity", "embed", "webkitkeyframes", "zoomin", "zoominx", "zoomoutx", "zoominy", "zoomouty", "2000px", "90deg", "20px", "30deg", "30px", "10px", "10deg", "3deg", "5deg", "djmegamenu", "use license", "tabindex", "menu", "close", "msie", "beforechange", "imagehassize", "buildcontrols", "magnific popup", "dmitry semenov", "http", "beforeclose", "afterclose", "open", "next", "open source", "bsd license", "george mcginley", "smith", "djimageslider", "subpackage", "webkit", "khtml", "icab", "countto", "callback", "handler", "object", "typeof", "method", "gnugplv2", "website", "set module", "height script", "regexp", "screenheight", "highcontrast2", "highcontrast3", "highcontrast", "wide", "night", "body", "normalbutton", "cookie plugin", "https", "klaus hartl", "mit license", "register", "nodecommonjs", "factory", "jquery", "write", "sticky bar", "stickybar", "count", "offcanvas", "html", "noscroll", "offcanvas var", "toggle nav", "click jquery", "ajax", "autocomplete", "tomas kirda", "typeof define", "esc27", "tab9", "return13", "left37", "up38", "twitter", "custom version", "joomla", "rolemenu", "boolean", "get adobe", "flash player", "title", "text", "typeof data", "typeof s", "accept", "width", "foundation", "backspace8", "comma188", "delete46", "down40", "end35", "enter13", "escape27", "value", "migrate", "backcompat", "quirks mode", "typeof f", "xtablet768", "document", "ui sortable", "leftright", "gnu general", "public license", "dddddd", "ffffcc", "eeeeee", "verdana", "geneva", "arial", "helvetica", "f0f0f0", "sans", "charset", "utf8", "fontawesome", "typeof b", "pseudo", "child", "sufeffxa0", "class", "attr", "general slider", "slide", "rgba", "navigation", "15deg", "300px", "20deg", "transition", "scale", "baskerville", "main image", "bdbdbd", "f3f3f3", "remove", "fontface", "woff2", "u0131", "u01520153", "u02bb02bc", "u02c6", "u02da", "u02dc", "u0304", "dirrtl", "msviewport", "href", "span", "legend", "halflings", "fieldset", "typeimage", "f2f2f2", "d9edf7", "dff0d8", "f2dede", "thead", "tbody", "tahoma", "00a0", "video", "script", "2500", "xnew ita", "dnew jta", "dataset", "orfunction", "prfunction", "nsafunction", "xsafunction", "vrfunction", "cakes", "ovbfunction", "pvbfunction", "rvbfunction", "qvbfunction", "tvbfunction", "uvbfunction", "vvbclass", "xvbclass", "yvbclass", "svbclass", "lvafunction", "ggfunction", "mvafunction", "ovafunction", "pvafunction", "uvafunction", "tvafunction", "qvafunction", "vvafunction", "nvaclass", "dark", "vector", "yy49", "raster", "roboto", "new tk", "qael", "przechyl", "mars", "mercury", "venus", "pluto", "titan", "weakset", "wfclass", "googlelayer", "uint8array", "weakmap", "5001", "mouseevent", "webassembly", "180180", "9090", "google maps", "javascript api", "internal", "small", "lightrail", "false", "february", "light", "hybrid", "bounce", "drop", "inside", "outside", "marker", "gc" ], "references": [ "embed.html", "ad_status.js.pobrane", "f5Y41t9wqY4.html", "cast_sender.js.pobrane", "remote.js.pobrane", "sw3VTUzeRvWIVwvWSyk6S5gHWPxOOwU1OxerozmN4Hw.js.pobrane", "embed.js.pobrane", "www-embed-player.js.pobrane", "animate.ext.css", "animate.min.css", "jquery.djmegamenu.js.pobrane", "jquery.djmobilemenu.js.pobrane", "magnific.js.pobrane", "jquery.easing.min.js.pobrane", "slider.js.pobrane", "jquery.countTo.js.pobrane", "scripts.js.pobrane", "magnific-init.js.pobrane", "pagesettings.js.pobrane", "jquery.cookie.js.pobrane", "stickybar.js.pobrane", "fontswitcher.js.pobrane", "offcanvas.js.pobrane", "jquery.autocomplete.min.js.pobrane", "bootstrap.min.js.pobrane", "jcemediabox.js.pobrane", "jquery.ui.core.min.js.pobrane", "jquery-migrate.min.js.pobrane", "layout.min.js.pobrane", "jquery.ui.sortable.min.js.pobrane", "caption.js.pobrane", "finder.css", "jquery-noconflict.js.pobrane", "djmegamenu.26.css", "animations.css", "djmobilemenu.css", "jquery.min.js.pobrane", "djimageslider.css", "offcanvas.css", "magnific.css", "font_switcher.26.css", "css", "template_responsive.26.css", "offcanvas.26.css", "bootstrap_responsive.26.css", "extended_layouts.26.css", "style.css", "content.css", "template.26.css", "bootstrap.26.css", "jcemediabox.css", "js", "onion.js.pobrane", "search_impl.js.pobrane", "overlay.js.pobrane", "map.js.pobrane", "util.js.pobrane", "search.js.pobrane", "common.js.pobrane", "geometry.js.pobrane", "main.js.pobrane" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Gc", "display_name": "Gc", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2779, "hostname": 661, "domain": 684, "email": 4, "FileHash-MD5": 1, "FileHash-SHA256": 689 }, "indicator_count": 4818, "is_author": false, "is_subscribing": null, "subscriber_count": 123, "modified_text": "352 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "", "maxima.vim", "Make_mvc.mak", "java_methods_indent2_03.dump", "denyhosts.vim", "java_previews_455_03.dump", "java_generics_signature.java", "vim_ex_behave.vim", "java_methods_indent2_02.vim", "cpp.vim", "tutor.zh_tw.utf-8", "lite.vim", "efm_perl.pl", "chicken.vim", "terraform.vim", "java_methods_indent8_03.dump", "elf.vim", "dots_13", "rpl.vim", "java_lambda_expressions_05.dump", "java_methods_indent8_signature_03.vim", "java_methods_indent8_signature_06.dump", "java_methods_indent4_signature_01.dump", "smith.vim", "java_numbers_04.dump", "java_generics.java", "squirrel.vim", "ipfilter.vim", "context-data-tex.vim", "cobol.vim", "jquery.inputmask.min.js.pobrane", "inittab.vim", "dots_11", "tutor.pl.utf-8", "https://js.hs-scripts.com/3844463.js", "robots.vim", "htmlcheetah.vim", "obse.vim", "java_comments_html_01.dump", "https://www.virustotal.com/gui/collection/79c25168b2f93d9730a56b8d2b834cbfb2752b63b21b9dd51109416fbaa676d8/iocs", "pfmain.vim", "pltags.pl", "passwd.vim", "upstreamdat.vim", "cgdbrc.vim", "cabal.vim", "java_methods_style_signature_04.dump", "edif.vim", "csv.vim", "vim_expr.vim", "rust.vim", "ftplugin.vim", "godoc.vim", "cast_sender.js.pobrane", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "jinja.vim", "sqlanywhere.vim", "vim_ex_comment.vim", "My Independent research finds an intersect between different pdf DV versions being able to connect to Raspberry Pi devices as it was the FCC application document. Risk: Mac ID connectivity to all.", "tutor.bar.utf-8", "vim_ex_syntax.vim", "vim_ex_let_heredoc.vim", "https://cryptobit.live/build/assets/app-CkRYqsKL.js \u2022 cryptobit.live \u2022 t.page \u2022 cdn.wallets.cryptobit.live", "nanorc.vim", "search.js.pobrane", "dart.vim", "defaults.vim", "sw3VTUzeRvWIVwvWSyk6S5gHWPxOOwU1OxerozmN4Hw.js.pobrane", "https://elegantcosmedampyeah.pages.dev/", "dcl.vim", "xfe-URL-Serverhub.com-stix2-2.1-export.json", "rhelp.vim", "java_comments.java", "java_methods_indent4_signature_01.vim", "verilogams.vim", "ad_status.js.pobrane", "SessionTimeout.js.pobrane", "sysctl.vim", "clojure.vim", "setserial.vim", "java_generics_04.dump", "forth.vim", "lifelines.vim", "tutor.hr.utf-8", "vim_shebang.vim", "btm.vim", "racket.vim", "hamster.vim", "gitignore.vim", "https://brand2.centurylinktechnology.com", "moment-with-locales.min.js.pobrane", "plm.vim", "finder.css", "vim_ex_menu.vim", "pacmanlog.vim", "ccfilter.1", "java_methods_indent8_signature_04.vim", "scala.vim", "jquery.easing.1.3.js.pobrane", "rmd.vim", "dots_08", "dataTables.bootstrap4.css", "java_lambda_expressions_00.dump", "diff.vim", "gdscript.vim", "common.js.pobrane", "framescript.vim", "java_methods_indent8_04.dump", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "html_06.dump", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "jquery.notify.min.js.pobrane", "142.250.74.142.250.74.138 _exploit_source | 142.250.74.138 _exploit_source | 142.250.74.142_exploit_source", "java_switch_06.dump", "java_methods_indent4_03.dump", "vim_vs_net.cmd", "docbk.vim", "Containers-Pecorino.PalantirGov.com -pecorino.palantirgov.com", "java_switch_00.dump", "java_methods_indent8_signature_01.vim", "sh_07.sh", "java_annotations_signature_00.dump", "docbksgml.vim", "howtoworkacrickoutofyourneck2.pages.dev", "eterm.vim", "ctrlh.vim", "modula2_pim_01.dump", "dots_18", "salt.vim", "vimm", "pcup.gov.ph:", "jargon.vim", "java_method_references_08.dump", "tutor.cs.utf-8", "muttrc.vim", "html_04.dump", "objc.vim", "vim_new.vim", "java_enfoldment_02.dump", "tsv.vim", "dev-app.project-cicada.com \u2022 http://dev-app.project-cicada.com \u2022 https://dev-app.project-cicada.com (2014 report predates 2016 reports)", "java_methods_style_signature_03.vim", "java_generics_signature_00.dump", "IDS Detections: Win32/Enosch.A gtalk connectivity check | W32/MoonLight.worm User-Agent (HellSpawn)", "confini.vim", "css.vim", "debsources.vim", "tags.vim", "form.vim", "java_methods_indent4_signature_02.vim", "overlay.js.pobrane", "flexwiki.vim", "diva.vim", "nix.vim", "pike.vim", "sinda.vim", "systemd.vim", "java_lambda_expressions_signature_06.dump", "dns.vim", "natural.vim", "cuplsim.vim", "tutor.ko", "registry.vim", "ldif.vim", "ccfilter.c", "tutor.ca.utf-8", "ishd.vim", "arch.vim", "idl.vim", "java_methods_indent8_05.dump", "java_methods_indent8_signature_05.vim", "cheetah.vim", "java_lambda_expressions_08.dump", "sqlforms.vim", "java_escapes_03.dump", "jal.vim", "offcanvas.26.css", "vim_ex_def_fold.vim", "rnoweb.vim", "java_lambda_expressions_signature_05.dump", "openroad.vim", "taskedit.vim", "jquery-ui.js.pobrane", "crm.vim", "animate.min.css", "expect.vim", "monk.vim", "dots_06", "vim_ex_menutranslate.vim", "grads.vim", "htmlos.vim", "virata.vim", "magnific.css", "sudoers.vim", "vim_ex_def_nested.vim", "ceidg-master.js.pobrane", "eruby.vim", "takout.vim", "tutor.ru.utf-8", "java_previews_430.java", "atlas.vim", "Attacks are being carried out by The State of Colorado", "cfg.vim", "dcd.vim", "java_previews_455_01.dump", "modula2_pim_03.dump", "mojo.vim", "PWS:Win32/Ymacco.AA50 Win.Trojan.Generic-9959068-0\t SLF:MSIL/PSTAnomaly.A Win.Dropper.Shakblades-7614016-0\t#LowFI:VBExpensiveLoop Win.Packed.Barys-10031677-0\tTEL:Trojan:MSIL/AgentTesla.VPA!MTB Win.Trojan. Backdoor:MSIL/Remcos!MTB", "gdmo.vim", "hgcommit.vim", "prescribe.vim", "xfe-URL-Enom.com-stix2-2.1-export 2.json", "snnsres.vim", "java_string_00.dump", "slpspi.vim", "cmakecache.vim", "ninja.vim", "modula2_r10.def", "java_numbers_03.dump", "hasownproperty.call \u2022 fireeye.grhd.", "hb.vim", "mysql.vim", "iss.vim", "java_methods_indent2_signature_00.dump", "bootstrap.js.pobrane", "main.js.pobrane", "modula2_iso_06.dump", "fan.vim", "tutor.it.utf-8", "java_module_info_00.dump", "rpcgen.vim", "raku.vim", "bib.vim", "nginx.vim", "java_methods_indent4_02.dump", "vim_ex_command_00.dump", "phtml.vim", "update_date.vim", "java_methods_indent8_signature_03.dump", "slang.vim", "vim_ex_augroup.vim", "stata.vim", "postscr.vim", "java_contextual_keywords.java", "pinfo.vim", "swayconfig.vim", "tutor.sr.utf-8", "ant.vim", "delmenu.vim", "cedevice.io \u2022 decagonsoftware.com", "maple.vim", "inst.govelopscold.com", "eviews.vim", "java_contextual_keywords_00.dump", "strace.vim", "pbtxt.vim", "vim132", "moo.vim", "https://otx.alienvault.com/pulse/69b1f368db0d00947ef729c2", "help.vim", "smil.vim", "debchangelog.vim", "bootstrap_responsive.26.css", "debcopyright.vim", "dylan.vim", "modula2_pim_04.dump", "vim_ex_map.vim", "quake.vim", "offcanvas.js.pobrane", "vhdl.vim", "apache.vim", "java_methods_indent4_signature_05.vim", "evim.vim", "sh_11.sh", "https://www.google-analytics.com/debug/bootstrap?id=\\", "java_methods_indent4_02.vim", "saved_resource.html", "Alerts: console_output has_pdb pe_unknown_resource_name", "java_methods_indent8_signature_02.vim", "cmake.vim", "autodoc.vim", "fontswitcher.js.pobrane", "java_methods_style_signature_01.vim", "tutor.hu.utf-8", "xfe-URL-Eonix.net-stix2-2.1-export.json", "occam.vim", "jquery.djmegamenu.js.pobrane", "gift.vim", "AdminLTE.css", "st.vim", "sbt.vim", "mediawiki.vim", "kscript.vim", "uc.vim", "skynet-dev.tcxn.net tcxn.net Registrar Ascio Technologies, Inc - connection to cloud proxy", "ecd.vim", "sil.vim", "daterangepicker.js.pobrane", "http://applevless.dns-dynamic.net/\t\u2022 dns-dynamic.net", "dylanintr.vim", "java_annotations_signature_02.dump", "https://cop.supply/proxies-lists/ \u2022 https://cop.supply/shopify-bots/", "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739700&Signature=bOTo%2FxCpGDGOsIKJDZjBBhLZRg8UiOGi%2FvVr47Xpmh7tOh9dez7911bi%2F9SUdu4ATLhzRVog%2BdVP%2BUPwTuEfIdEcPuGRGVc1KOSP3fTQrKhRjF3x2dqykxVCH%2B1iqBmCgod%2B1uAdlraxqSOeOgst1l%2Bk250uXff4axktE%2BfGjeNDeGJao%2FfOMktqIL7zU8%2BIQYTObwelnnYx45FBSiXI1bWM4vhdgIX4cs2cT%2F", "vmasm.vim", "syntax.vim", "responsive.bootstrap4.css", "html_05.dump", "File Type PEXE - PE32+ executable (console) x86-64, for MS Windows ..", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "java_generics_03.dump", "html_03.dump", "java_methods_indent4_01.dump", "po.vim", "named.vim", "uci.vim", "Tipped: A targets AI and other cyber research findings.", "Everyone has simply asked you alll to stop. Target never asked anyone for money.", "caption.js.pobrane", "spup.vim", "initex.vim", "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739500&Signature=r1pLCgJf%2FQK8TvenCwXy9bnghFzjJ5QssdQSLP37SLv6EkA3WXuFUIvKrsXKokco7bMfQUy%2FArk8F6aP%2Bhaj16Jv7P%2FGB%2Blf7mPvs47VjwfBJRCP8AZLlWvO45%2BjC68v798csdJFPTP31O4yDOE3pXZ3EThm4nSrIwLPhTSPfi3cPlEh2wLSzcySW7BYLw%2BqCoawFCxeLUz7hIV0vC89Mlwi3DeS%2BEnWFF%2FsvT9lVJjdbLoJLEeO", "aptconf.vim", "ld.vim", "xcmdsrv_client.c", "slpreg.vim", "java_comments_html_02.dump", "java_methods_style_signature.java", "catalog.vim", "tutor.es.utf-8", "vdf.vim", "blank.vim", "fvwm2m4.vim", "nginx-php.7d4jelnf.trdlpbvl.sdp3.sdp.vic.gov.au", "java_previews_430_00.dump", "squid.vim", "teraterm.vim", "java_annotations_00.dump", "ps1.vim", "markdown.vim", "tcsh.vim", "stp.vim", "slrnrc.vim", "IDS Detections Win32/ZonaInstaller Install Beacon", "samba.vim", "htmlangular.vim", "promela.vim", "java_methods_style_02.vim", "modula2_iso_01.dump", "aidl.vim", "ondir.vim", "java_unfoldment_02.dump", "kdl.vim", "html.html", "font_switcher.26.css", "arduino.vim", "luau.vim", "cs.vim", "antlr.vim", "opam.vim", "modula2_pim_06.dump", "chordpro.vim", "indent.vim", "vim_ex_function_fold.vim", "unison.vim", "djmegamenu.26.css", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "voscm.vim", "java_methods_indent2_signature_05.vim", "https://vtbehaviour.commondatastorage.googleapis.com/edb4c21d60daa44b3429e7ba9bfa342759ebef23c136c934f74aef145453ce19_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775737365&Signature=S%2B7RcHYjab1hbKlKwFfvUbDirFPJS1A2TJQ3bVIObMcON4PD9pRDvhMtYMCnEBrYsICi0UJCFW5eUDolL5Jlbngsc587kF36vvuhlkPprbkSOY1jOyDTpe3Qsb6jRFz3xwOfZc9S5QervoLnRKb%2FyGSyZE6ZK6TxzBrOPczPtZ7sLf9NfD6E%2B2gMRXaRjEqVwVITLG7YqCiiNuohFOuNlK3uNHFpIk53viKvBSAIqLtSklH9bHW4q1DX", "msmessages.vim", "java_switch_01.dump", "indoff.vim", "extended_layouts.26.css", "srec.vim", "java_method_references_signature_08.dump", "dots_02", "bootstrap.min.js.pobrane", "markdown_conceal.vim", "2html.vim", "lotos.vim", "udevrules.vim", "java_methods_style_03.dump", "qb64.vim", "povini.vim", "upstart.vim", "dots_03", "gen_syntax_vim.vim", "java_methods_indent8_signature_04.dump", "netrc.vim", "ibasic.vim", "layout.min.js.pobrane", "vgrindefs.vim", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "csc.vim", "automake.vim", "java_lambda_expressions_signature_01.dump", "tasm.vim", "https://brand.centurylinktechnology.com", "bzl.vim", "java_switch_02.dump", "java_generics_00.dump", "java_lambda_expressions_03.dump", "java_methods_indent8_05.vim", "pf.vim", "awk.vim", "ASP. NET", "cabalproject.vim", "spice.vim", "java_methods_style_04.vim", "omnimark.vim", "vim9_legacy_header_fold.vim", "rebol.vim", "sed.vim", "java_comments_markdown.java", "java_methods_indent4_05.vim", "java_string_05.dump", "java_comments_markdown_01.dump", "julia.vim", "gdresource.vim", "mix.vim", "java_methods_indent2_01.vim", "https://otx.alienvault.com/indicator/ip/198.49.23.145#:~:text=CIDR:%206%20%7C%20CVE:%20107,infrastructure%20into%20global%20botnet%20clusters.", "rexx.vim", "antlr4.vim", "hlsplaylist.vim", "typescriptcommon.vim", "https://serverhub.com/combine/a059fe7a562c0b582328162f0ee69fda-1426025688", "java_module_info_01.dump", "lsl.vim", "verilog.vim", "modula2_iso_04.dump", "jsonc.vim", "Sneaker Bots Proxies Servers Cook Groups Cop Supply", "loginaccess.vim", "java_methods_indent2.java", "tutor.da.utf-8", "esterel.vim", "context-data-interfaces.vim", "https://www.virustotal.com/gui/collection/6a8d582df4fe5a29885dad4074236bc9e4ed445aaf0cc00702d45963fb0459bb/iocs", "gitconfig.vim", "vim.vim.base", "simula.vim", "sm.vim", "dosini.vim", "solidity.vim", "euphoria4.vim", "tutor.no.utf-8", "lex.vim", "java_generics_07.dump", "https://voidpet.io/invite/scaredscared/1rpzxWXa61 \u2022 https://sex-doggy.net/tag/censored", "ppwiz.vim", "pymanifest.vim", "vim_ex_echo.vim", "jquery.min.js.pobrane", "nroff.vim", "java_method_references_signature_02.dump", "javacc.vim", "https://www.googletagmanager.com/gtag/js?id=\\ \u2022 https://www.google-analytics.com/gtm/js?id=", "UPX_OEP_place", "http://ianswertomom.com/develop-wise-woman-within-yourself", "msql.vim", "tutor.nl.utf-8", "foxpro.vim", "https://otx.alienvault.com/pulse/69af3fd8db2ede31abda6c14", "typst.vim", "svg.vim", "remind.vim", "php.vim", "java_switch_07.dump", "java_lambda_expressions_04.dump", "config.vim", "jquery.maskedinput-1.2.2.js.pobrane", "https://connect.facebook.net/en_US/sdk.js#xfbml=1&version=v4.0&appId=705930270206797&autoLogAppEvents=1 Akamai rank:", "java_comments_markdown_06.dump", "Alerts: network_icmp nolookup_communication js_eval recon_fingerprint", "resolv.vim", "rib.vim", "fetchmail.vim", "java_generics_06.dump", "demoserver.py", "exports.vim", "jcemediabox.css", "java_enfoldment.java", "lprolog.vim", "java_comments_markdown_03.dump", "pamenv.vim", "java_methods_indent2_signature_03.vim", "lua.vim", "ScriptResource.axd", "cvsrc.vim", "bash.vim", "java_methods_indent8_signature_02.dump", "modula3.vim", "jq.vim", "java_numbers_01.dump", "java_methods_indent2_01.dump", "vim_keymap.vim", "java_method_references_signature_06.dump", "util.js.pobrane", "modula2_iso_05.dump", "fish.vim", "java_lambda_expressions_signature_07.dump", "java_unfoldment_05.dump", "help_ru.vim", "reva.vim", "tcl.vim", "java_methods_indent8_signature_06.vim", "https://hybrid-analysis.com/sample/a16d11910953b800369dbb667f178b3cc45cb8e3315217c0e6ceac68eeba206d", "markdown_conceal_00.dump", "https://www.virustotal.com/gui/collection/09af9ef0b7b23d2dc73d83858106ae4fc97a352dbb521ac04493a0e79095ac69/iocs", "n1ql.vim", "template.26.css", "asterisk.vim", "tutor.vim", "jquery.alerts.js.pobrane", "swiftgyb.vim", "esmtprc.vim", "jquery.ui.sortable.min.js.pobrane", "lilo.vim", "sh_05.sh", "modula2.vim", "javascriptreact.vim", "hitest.vim", "bc.vim", "html_02.dump", "pandoc.vim", "dots_04", "jquery-migrate.min.js.pobrane", "java_generics_signature_06.dump", "sh_02.sh", "vim.vim", "python2.vim", "sendpr.vim", "conaryrecipe.vim", "We apologize for so may typos and errors. We strive to do better at that.", "gretl.vim", "iso.vim", "def.vim", "java_comments_markdown_00.dump", "clean.vim", "rasi.vim", "tutor.ko.utf-8", "aspperl.vim", "vim_ex_set.vim", "java_methods_style_03.vim", "masm.vim", "css", "java_comments_markdown_05.dump", "java_methods_indent2_signature_01.vim", "scheme.vim", "sqlinformix.vim", "java_annotations_02.dump", "docbkxml.vim", "shtags.1", "m3build.vim", "sshdconfig.vim", "ayacc.vim", "vim9_ex_comment_strings.vim", "editorconfig.vim", "vim_ex_catch.vim", "modula2_pim.def", "odin.vim", "ftplugof.vim", "java_methods_indent8_signature_00.dump", "java_numbers_00.dump", "tutor", "hostconf.vim", "m4.vim", "sqlj.vim", "java_contextual_keywords_03.dump", "abap.vim", "datascript.vim", "yaml.yaml", "ch.vim", "java_methods_indent8_00.dump", "gp.vim", "jquery.countTo.js.pobrane", "spyce.vim", "sicad.vim", "java_methods_indent4_06.dump", "java_methods_indent4_04.vim", "euphoria3.vim", "java_unfoldment_00.dump", "sql.vim", "java_string_02.dump", "mgl.vim", "dnsmasq.vim", "changelog.vim", "gitcommit.vim", "java_method_references_signature_07.dump", "java_methods_indent4_00.vim", "java_generics_signature_04.dump", "sdl.vim", "scdoc.vim", "java_methods_indent2_03.vim", "raml.vim", "java_methods_indent2_signature_04.vim", "gyp.vim", "dsl.vim", "7box.vip", "java_generics_signature_07.dump", "haskell.vim", "java_methods_style_signature_00.dump", "modula2_pim_02.dump", "java_contextual_keywords_02.dump", "TrojanProxy:Win32/Malynfits CodeOverlap TrojanSpy:Win32/Nivdort CodeOverlap virus:Win32/Lywer CodeOverlap", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "java_lambda_expressions_signature_02.dump", "group.vim", "mf.vim", "rnc.vim", "snnsnet.vim", "tt2js.vim", "he.vim", "mplayerconf.vim", "aml.vim", "rc.vim", "skill.vim", "vim_ex_abbreviate_01.dump", "hastepreproc.vim", "http://www.pcup.gov.ph/images/2018/pdf/ComEnBancReso/Commission_Resolution_07s2018.PDF", "java_escapes_07.dump", "meson.vim", "java_method_references_04.dump", "java_methods_style_01.dump", "smarty.vim", "tutor.uk.utf-8", "vrml.vim", "protocols.vim", "java_methods_indent4_signature_05.dump", "java_methods_indent2_00.vim", "java_methods_style_02.dump", "java_methods_indent2_signature_00.vim", "java.vim", "sieve.vim", "cell-0.af-south-1.prod.telemetry.console.api.aws", "sl.vim", "vim9_ex_function_def_tail_comments.vim", "synload.vim", "ceidg.css", "java_enfoldment_01.dump", "java_methods_indent2_signature_04.dump", "java_escapes_01.dump", "Legal court documented agreement to allow and pay target to hire cyber investigators", "java_generics_signature_05.dump", "svn.vim", "objcpp.vim", "java_methods_indent8.java", "java_methods_indent8_02.vim", "java_lambda_expressions_signature_03.dump", "baan.vim", "groff.vim", "sd.vim", "rng.vim", "java_comments_markdown_08.dump", "ist.vim", "mel.vim", "pod.vim", "java_comments_markdown_07.dump", "https://amano.inboundtools.com/tpcontact URL https://armg.inboundtools.com/ URL https://gaiax.inboundtools.com/internship URL https://hmk.inboundtools.com/ URL https://hmk.inboundtools.com/form/assetview_siryo_sier", "dtrace.vim", "bootstrap-gov-pl.css", "deb822sources.vim", "jsp.vim", "snnspat.vim", "https://vtbehaviour.commondatastorage.googleapis.com/dd4ad645e4b48357a235c4726dd4cdfb587786e83dab43ffdec7a886bd84faca_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1774302565&Signature=i3hu8ImkubNWQD0sfo%2FbTMU7d53GPblauQdlllGvYz%2BQ6%2BjM6VcEDa9avXTeSNEa6P9hQaE4hgc%2BwiAoHFC4mBNUG6vnOGHA3%2BY2WSKJxaEpDAdscTpC2psmNHDnnRacbWKvk0EjBetinhY7sMCUkeqX7kw525XsW%2BcBB9%2FwQ3aYdvUazDLWV6wR7ZAPu%2BYCu5vPuXdyoPiTU%2FkysyXQyKtwHiWQQGCWffoBVfbnYqEN", "cynlib.vim", "amiga.vim", "java_lambda_expressions_signature_08.dump", "dts.vim", "mve.awk", "java_method_references_10.dump", "vim_ex_comment_strings.vim", "jquery.ui.core.min.js.pobrane", "java_methods_indent4_00.dump", "www-embed-player.js.pobrane", "libao.vim", "radiance.vim", "dots_01", "asn.vim", "chatito.vim", "elm.vim", "vim_ex_no_comment_strings.vim", "hercules.vim", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "ldapconf.vim", "tutor.sk.utf-8", "cdrtoc.vim", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "java_method_references_03.dump", "menu.vim", "asmh8300.vim", "java_methods_indent4_signature_03.vim", "https://www.google \u2022 https://ampcid.google.com/v1/publisher \u2022\u2019https://ampcid.google.com/v1/publisher:getClientId\\", "java_methods_style_signature_04.vim", "bootstrap.26.css", "java_method_references_signature_01.dump", "java_comments_html_07.dump", "pilrc.vim", "pyrex.vim", "redif.vim", "README.txt", "vim_ex_function_def_tail_comments.vim", "dataTables.responsive.js.pobrane", "java_generics_02.dump", "ora.vim", "sisu.vim", "xfe-URL-Cloudfront.net-stix2-2.1-export.json", "aspvbs.vim", "ampl.vim", "nsis.vim", "java_unfoldment_03.dump", "Virus:DOS/Hellspawn 192.168.122.49 10/16/25\t\u2022 IPv4 142.251.9.105", "java_string_03.dump", "tssop.vim", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "java_previews_455_02.dump", "coco.vim", "vim9_keymap.vim", "markdown_conceal.markdown", "java_module_info.java", "tutor.utf-8", "https://pcup.gov.ph/375 pcup.gov.ph: | https://www.pcup.gov.ph/ pcup.gov.ph:", "https://serverhub.com/modules/system/assets/js/framework.js", "upstreamrpt.vim", "https://feedback.ptv.vic.gov.au/360", "java_method_references_signature_10.dump", "java_methods_style_signature_01.dump", "java_lambda_expressions_06.dump", "dots_15", "java_method_references_signature_09.dump", "mailcap.vim", "java_methods_indent4_03.vim", "lynx.vim", "bst.vim", "https://aplikacja.ceidg.gov.pl/CEIDG/CEIDG.Public.UI/EntryChangeHistory.aspx?Id=855bdfc1-7dbc-4a86-9d27-89ebb0ecf166&archival=False", "sh_04.sh", "java_method_references_signature_04.dump", "biznes.css", "modsim3.vim", "ruby.vim", "splint.vim", "embed.js.pobrane", "CommonScripts.js.pobrane", "pim.vim", "sh_09.sh", "gpg.vim", "pcap.vim", "java_method_references_signature_03.dump", "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "f5Y41t9wqY4.html", "popper.js.pobrane", "java_comments_html_06.dump", "java_contextual_keywords_01.dump", "dtd.vim", "context-data-metafun.vim", "qf.vim", "fstab.vim", "vb.vim", "https://palapa.c.id\t (c.id)", "sh_08.sh", "jquery.feedbackBadge.min.js.pobrane", "gemtext.vim", "csh.vim", "vim_ex_highlight.vim", "html_01.dump", "privoxy.vim", "swift.vim", "viminfo.vim", "java_methods_indent4_signature_06.dump", "ocaml.vim", "java_lambda_expressions_signature_00.dump", "modula2_pim_00.dump", "java_methods_indent8_signature.java", "https://stats.g.doubleclick.net/j/collect\\ \u2022 https://tagassistant.google.com/ \u2022 https://www.google.com/ads/ga", "dots_12", "desktop.vim", "nasm.vim", "chaskell.vim", "java_methods_style_00.vim", "java_methods_style_04.dump", "java_comments_html_05.dump", "slrnsc.vim", "http://www.pcup.gov.ph/images/pdf/Contract_of_SecurityServices2013.pdf pcup.gov.ph:", "tutor.tr.utf-8", "java_string_04.dump", "Tesla Hackers | https://www.teslarati.com/spacex", "pamconf.vim", "art.vim", "ia64.vim", "sh_07_01.dump", "https://mobile-pocket-guide.centurylinktechnology.com", "cynpp.vim", "dots_19", "plp.vim", "XZ4AH-ABKPW-SQPBC-CYWES-BCG6V", "c.vim", "sh_06.sh", "https://lordseriala.life/6337-zvezdnye-vojny-opornaja-komanda.html", "tt2.vim", "m3quake.vim", "ui.notify.css", "terminfo.vim", "modula2_r10_00.dump", "Verification failure observed in automated verification handlers during sandbox replay.", "dracula.vim", "scss.vim", "pascal.vim", "updatedb.vim", "freebasic.vim", "dots_14", "java_methods_indent4_05.dump", "sindaout.vim", "fdcc.vim", "cweb.vim", "dots_09", "tutor.pt.utf-8", "java_switch_03.dump", "daterangepicker.css", "tar.vim", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr", "sh.vim", "dataTables.lang.js.pobrane", "java_method_references_signature.java", "hex.vim", "sqlhana.vim", "README.ru.utf-8.txt", "inform.vim", "java_lambda_expressions_signature_04.dump", "colortest.vim", "ssa.vim", "smcl.vim", "procmail.vim", "magnific-init.js.pobrane", "dosbatch.vim", "ada.vim", "efm_filter.txt", "gvpr.vim", "vim_ex_def.vim", "animations.css", "java_generics_signature_02.dump", "java_module_info_02.dump", "asm68k.vim", "csp.vim", "java_methods_indent2_04.dump", "modula2_pim_05.dump", "desc.vim", "tutor.de.utf-8", "j.vim", "java_lambda_expressions_signature.java", "xfe-URL-Intercom.io-stix2-2.1-export.json", "tssgm.vim", "r10.vim", "js", "java_generics_signature_03.dump", "vim_ex_loadkeymap_after_colon.vim", "vim_ex_abbreviate.vim", "java_methods_style_signature_03.dump", "manconf.vim", "html_07.dump", "java_methods_indent2_signature_02.dump", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "neomuttrc.vim", "java_escapes_00.dump", "doxygen.vim", "messages.vim", "r.vim", "make.vim", "java_methods_style_signature_00.vim", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "snobol4.vim", "java_method_references_02.dump", "java_annotations.java", "java_annotations_01.dump", "dircolors.vim", "java_methods_style_signature_02.vim", "responsive.bootstrap4.js.pobrane", "ftoff.vim", "valgrind.vim", "style.css", "html.vim", "python.vim", "dtml.vim", "sh_01.sh", "cupl.vim", "jquery.dataTables.js.pobrane", "elinks.vim", "i3config.vim", "template.vim", "mve.txt", "mmix.vim", "netrw.vim", "java_methods_indent8_signature_00.vim", "htmldjango.vim", "java_methods_indent8_signature_05.dump", "spec.vim", "dot.vim", "qml.vim", "ui.datepicker-pl.js.pobrane", "hcl.vim", "msidl.vim", "Make_all.mak", "mermaid.vim", "initng.vim", "syncolor.vim", "conf.vim", "java_comments_html_03.dump", "idlang.vim", "README.md", "acedb.vim", "slider.js.pobrane", "tutor.bg.utf-8", "java_methods_indent4.java", "jess.vim", "jquery.cookie.js.pobrane", "quarto.vim", "livebook.vim", "pccts.vim", "srt.vim", "java_escapes.java", "ccfilter_README.txt", "lpc.vim", "gprof.vim", "hostsaccess.vim", "vim_ex_sleep.vim", "java_methods_indent2_02.dump", "gitolite.vim", "java_comments_markdown_04.dump", "uil.vim", "ppd.vim", "murphi.vim", "usw2kagtlog.vim", "perl.vim", "java_methods_style_00.dump", "vimspell.txt", "icemenu.vim", "psl.vim", "specman.vim", "java_lambda_expressions.java", "calendar.vim", "java_annotations_signature_03.dump", "haml.vim", "jquery-noconflict.js.pobrane", "mmp.vim", "sqloracle.vim", "modula2_iso_02.dump", "gnuplot.vim", "efm_filter.pl", "vim_ex_comment-vim9.vim", "change.vim", "java_previews_455.java", "unicode.vim", "swig.vim", "template_responsive.26.css", "https://www.virustotal.com/graph/embed/g8726609a12794ebeb59edd531961a233068149bcdf994b428f20141be6111551?theme=dark", "vim9_shebang.vim", "opl.vim", "scripts.js.pobrane", "autoit.vim", "cuda.vim", "vim9_ex_no_comment_strings.vim", "https://www.google-analytics.com/gtm/js?id=\\ \u2022 https://www.googletagmanager.com/gtag/js?id= \u2022", "less.vim", "ptcap.vim", "vim_ex_function_nested.vim", "vim_ex_def_nested_fold.vim", "dots_05", "logtalk.vim", "dots_20", "java_enfoldment_00.dump", "tutor.lt.utf-8", "https://js.hsleadflows.net/leadflows.js", "java_methods_indent2_signature_03.dump", "gkrellmrc.vim", "alsaconf.vim", "java_escapes_04.dump", "requirements.vim", "eiffel.vim", "nosyntax.vim", "rapid.vim", "java_generics_01.dump", "fpcmake.vim", "vim_ex_execute.vim", "grub.vim", "modula2_iso_00.dump", "stickybar.js.pobrane", "java_methods_indent2_signature_05.dump", "lc.vim", "shtags.pl", "scripts.vim", "java_methods_indent4_signature_03.dump", "java_methods_indent2_05.dump", "b.vim", "abc.vim", "scilab.vim", "sh_11_00.dump", "slice.vim", "lss.vim", "java_annotations_03.dump", "matlab.vim", "java_switch_05.dump", "cdrdaoconf.vim", "aflex.vim", "jquery.autocomplete.min.js.pobrane", "sexplib.vim", "https://js.hscollectedforms.net/collectedforms.js", "gitrebase.vim", "html_00.dump", "java_comments_html_04.dump", "vim9_legacy_header.vim", "mailaliases.vim", "liquid.vim", "vim_key_notation.vim", "dns.army \u2022 www.dcopr.dns.army \u2022 www.glsyaiwjj.dns.army \u2022 www.wgmvk.dns.army", "sgmldecl.vim", "kconfig.vim", "jquery.session.js.pobrane", "purifylog.vim", "aap.vim", "inputmask.binding.js.pobrane", "html_08.dump", "debversions.vim", "tutor.lv.utf-8", "tutor.zh.utf-8", "Yara Detections :compromised_site_redirector_fromcharcode Alerts network_icmp js_eval recon_fingerprint", "mma.vim", "lout.vim", "upstreamlog.vim", "jquery-3.0.0.js.pobrane", "sensors.vim", "abaqus.vim", "d.vim", "java_method_references_07.dump", "vim_ex_match.vim", "Apple Store verified drop down breach \u2018Apple took a screenshot of pages\u201d", "java_lambda_expressions_07.dump", "java_methods_indent4_01.vim", "java_numbers_02.dump", "asteriskvm.vim", "java_numbers_05.dump", "java_unfoldment.java", "haste.vim", "autohotkey.vim", "https://vtbehaviour.commondatastorage.googleapis.com/0e93e52376dcfb8eab491737c187ad68d786fab0005bbf9d2ffab78ba19db907_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1774998466&Signature=Y4QdGLgX1a6Ct5CMRDpH9RdwtjTzLLVBFFtxY64ZOhJ4cyy5f3YP7kNt%2Bu9euHjYaM5LUKHRWbswYwhD%2BbmD8KZT57GNGNGF4xYoyqPgzPY1AQodW%2BZx5f3iJqPbAZq9pUjOzXtm22B%2FEx7BVn5qcm86M9I6BaNp8%2FJW2vSfzsewT0w5WhMAjuB84fIG4LrKD2X46mnchNmREfC3GQtUPwzIIkj7IIv7xyHtwbu%2Fwyg8Ib1VFz", "sather.vim", "ratpoison.vim", "optwin.vim", "erlang.vim", "taskdata.vim", "https://clear.ml/infrastructure-control-plane", "gvim.desktop", "a65.vim", "jquery-migrate-1.2.1.js.pobrane", "hog.vim", "kivy.vim", "sas.vim", "java_generics_signature_01.dump", "crontab.vim", "gitsendemail.vim", "screen.vim", "mgp.vim", "gitattributes.vim", "java_methods_indent2_05.vim", "java_methods_indent2_04.vim", "java_escapes_02.dump", "filetype.vim", "bdf.vim", "lscript.vim", "emoji_list.vim", "vim_ex_commands.vim", "mason.vim", "routeros.vim", "slpconf.vim", "java_string_01.dump", "java_method_references_signature_05.dump", "cleanadd.vim", "modula2_iso_03.dump", "glsl.vim", "dep3patch.vim", "htmlm4.vim", "kix.vim", "https://i-want-to-start-an-onlyfans.pages.dev/favicon.ico| I bet you do boo boo", "proto.vim", "jam.vim", "makeapornsite.com \u2022 https://pornhighschool.com/ \u2022 https://ethnicerotic.com \u2022 https://twitter.com/Make", "https://maps.googleapis.com/maps/api/js?sensor=false", "a2ps.vim", "dictdconf.vim", "sdc.vim", "stylus.vim", "tt2html.vim", "java_unfoldment_01.dump", "limits.vim", "rtf.vim", "vera.vim", "json.vim", "vim_ex_command.vim", "content.css", "java_methods_indent8_01.dump", "java_methods_indent4_signature_00.vim", "yi.vim", "java_methods_indent8_00.vim", "dockerfile.vim", "pov.vim", "focexec.vim", "groovy.vim", "usserverlog.vim", "modconf.vim", "sass.vim", "falcon.vim", "chill.vim", "dots_10", "CommonResponsive.js.pobrane", "java_method_references_01.dump", "tutor.vi.utf-8", "hare.vim", "gdb.vim", "archive.cop.supply \u2022 dev.cop.supply \u2022 https://cop.supply/ \u2022 https://cop.supply/bot-lists/", "jcemediabox.js.pobrane", "tutor.fr.utf-8", "https://vtbehaviour.commondatastorage.googleapis.com/edb4c21d60daa44b3429e7ba9bfa342759ebef23c136c934f74aef145453ce19_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775737710&Signature=fbsokraSd7lsYmUfaTEl8Phs2K3hp7AtVmQU9axeEBcYmYbrrYrrfpP5lPEQaE%2Fh3%2BEP9Rn8mD8D1haqQVXCN0VVlxJ4sddjWmyC5USsgBsvUb0%2F72h1WHDS2KXHlteZWE%2Bauckabain9D5kX501AnqFY38s77OIqO6SMOkQ%2BvXiDSSRK%2FZhbfradBnei3ZLHsXGxkoshTyvB0%2BC%2F8SiUzdVsqSjik0Bn2r%2BIlLpDQK90GlZTD0N", "dots_07", "context-data-context.vim", "vim9_ex_function_def_tail_comment_errors.vim", "djmobilemenu.css", "remote.js.pobrane", "psf.vim", "obj.vim", "mail.vim", "racc.vim", "java_methods_indent4_signature_04.dump", "astro.vim", "This is why our team tells a back story. It can and does happen to anyone.", "debcontrol.vim", "sh_08_02.dump", "Russia or Muskware? URL http://store.7box.vip/ad/C467F60A1AD6.Jpeg", "dots_17", "lftp.vim", "java_methods_indent8_02.dump", "java_methods_indent8_04.vim", "cabalconfig.vim", "lace.vim", "tads.vim", "java_escapes_05.dump", "java_comments_html_00.dump", "java_annotations_signature_01.dump", "sgmllnx.vim", "https://widget.intercom.io/widget/rbc8ok9w", "tak.vim", "papp.vim", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "clipper.vim", "plsql.vim", "java_method_references_05.dump", "jquery.djmobilemenu.js.pobrane", "context.vim", "java_switch_04.dump", "manual.vim", "esqlc.vim", "tutor.zh_cn.utf-8", "animate.ext.css", "abel.vim", "vim_variables.vim", "tutor.ja.utf-8", "vim_line_continuation.vim", "vim_object_methods.vim", "mib.vim", "man.vim", "https://download.clear.ml/cpython_builds/releases/ \u2022 https://download.clear.", "map.js.pobrane", "vim_ex_throw.vim", "java_escapes_06.dump", "java_module_info.vim", "java_lambda_expressions_01.dump", "upstreaminstalllog.vim", "magnific.js.pobrane", "vim_ex_function.vim", "Trump Support campaign \u2022_\u2022 lantana-mgmt.washington.palantircloud.com \u2022 containers-reishi.palantirfedstart.com", "nqc.vim", "java_comments_markdown_02.dump", "java_methods_indent8_03.vim", "https://hybrid-analysis.com/sample/41859e0b198fbe88772ef12c577023c0481ec19867e410bab335e67fea87c1bb/642ca80cde2048242a0e097d", "https://khmerpornvideo.signup0.y.id/", "java_generics_05.dump", "sh_03.sh", "UE_pl_top_sm.svg", "tutor.eo.utf-8", "haredoc.vim", "vim_ex_call.vim", "litestep.vim", "java_method_references_09.dump", "EntryChangeHistory.aspx.js.pobrane", "fasm.vim", "java_methods_indent4_signature.java", "https://links.mail.samsara.com/s/c/P9R6gGlExR4nfCwqwJXUmr7NmKcMNde4ZBhCFprlVtsFNgh-4tuTWla0aXN9rIWCjrWtn0Vln7x-hexxVBlY3xxvnEevR8qJU5G5xV3__wo-X7kkpSOhJVfejac-Xk8qu6zs5Z-tILwWYRkNScZNGlAqfwQuJuRw5M-n_ZKI6tuY5XGCZAqWoQepi1NnJiW4wZJkzZlOwGtNkusbuKDcMsLVrrhji2eKh4kYgrJp_SeycJRhasLFCQ3c2bPu4sahEWpcHZrQBaxvdfQgTEno8kV-RJdTDO0zK5MyWDJLeds7mnaDrxlb0O2zmhebUdlHE0R0xHi25dympBUpMlLsQV8bx1WUTOfgK4k0ci9o_2Gbfe22-jLxsJN-msV6pxWYQMaxRNFd4iZRC9J9Z1SC5MBqbvNzqdt98kFdpibnv_QIHdhFyHOR_Ip_LX67Dncc8V8OvAi-H5phfeSyDzwdzf2FQIi82", "vim_ex_loadkeymap_after_bar.vim", "logindefs.vim", "takcmp.vim", "dirpager.vim", "vim_ex_range.vim", "java_methods_indent2_signature_01.dump", "hgcommitDiff.vim", "cl.vim", "mswin.vim", "java_methods_indent2_signature_02.vim", "fortran.vim", "https://cop.supply/supreme-bots/\u2022 https://cop.supply/useful-tools/", "vimrc_example.vim", "java_methods_style.java", "https://www.verizon.com/business/", "java_methods_indent2_00.dump", "java_methods_indent8_01.vim", "gedcom.vim", "urlshortcut.vim", "cdl.vim", "elmfilt.vim", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "vim_ex_function_def_tail_comment_errors.vim", "cterm.vim", "goaccess.vim", "java_methods_indent4_signature_02.dump", "jquery.easing.min.js.pobrane", "djimageslider.css", "latte.vim", "dataTables.input.js.pobrane", "mp.vim", "tutor.el.utf-8", "rego.vim", "kwt.vim", "json2.js.pobrane", "asciidoc.vim", "avra.vim", "rcs.vim", "sgml.vim", "java_string.java", "mush.vim", "\u2018Lumen Technologies\u2019 Acting as administrator of a targeted Apple IOS device", "bindzone.vim", "ref", "udevconf.vim", "csdl.vim", "gvimrc_example.vim", "poefilter.vim", "java_methods_style_01.vim", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "systemverilog.vim", "cmod.vim", "mupad.vim", "openscad.vim", "go.vim", "java_previews_455_00.dump", "java_numbers.java", "tutor.sv.utf-8", "rcslog.vim", "ncf.vim", "json5.vim", "pine.vim", "https://www.fmglaw.com/lawyers/christopher-ahmann - found in adult content pulse.", "plaintex.vim", "exim.vim", "pli.vim", "vimrc", "java_methods_indent8_06.dump", "rst.vim", "services.vim", "gdshader.vim", "vim9_ex_commands.vim", "mallard.vim", "track.spywarewatchdog.org \u2022 https://track.spywarewatchdog.org - monitoring software", "dune.vim", "tap.vim", "java_annotations_signature_04.dump", "progress_comments.p", "java_method_references_signature_00.dump", "https://d31qbv1cthcecs.cloudfront.net/atrk.js", "sml.vim", "lisp.vim", "vim_ex_substitute.vim", "udevperm.vim", "modula2_iso.def", "blink.c", "jgraph.vim", "pic.vim", "master.vim", "onion.js.pobrane", "typescriptreact.vim", "fgl.vim", "progress.vim", "c.c", "8th.vim", "Yare: compromised_site_redirector_fromcharcode", "java_annotations_04.dump", "chaiscript.vim", "adminlte.min.js.pobrane", "cvs.vim", "java_lambda_expressions_02.dump", "offcanvas.css", "javascript.vim", "bitbake.vim", "A \u2018Target\u2019 became a \u2018Target\u2019 vja close association to main Target of predatory retaliation campaign.", "pagesettings.js.pobrane", "java_methods_style_signature_02.dump", "dots_16", "gsp.vim", "dataTables.bootstrap4.js.pobrane", "ave.vim", "apachestyle.vim", "sindacmp.vim", "http://ianswertomom.com/bible-verses-struggling-contentment-mom/ I", "basic.vim", "django.vim", "tutor.nb.utf-8", "vim.desktop", "java_method_references_00.dump", "https://www.ptv.vic.gov.au/more/travelling-on-the-network/lets-go/", "modula2_r10_03.dump", "vim_ex_function_nested_fold.vim", "pdf.vim", "asm.vim", "prolog.vim", "lhaskell.vim", "chuck.vim", "embed.html", "bzr.vim", "java_methods_indent4_04.dump", "cf.vim", "https://tagassistant.google.com/ \u2022 https://www.google-analytics.com/debug/bootstrap?id=", "java_methods_indent8_signature_01.dump", "cucumber.vim", "mrxvtrc.vim", "kotlin.vim", "asy.vim", "fvwm.vim", "https://prod.centurylinktechnology.com", "vim9_expr.vim", "dictconf.vim", "gnash.vim", "bsdl.vim", "sh_10.sh", "UE_pl_top.svg", "krl.vim", "https://www.virustotal.com/graph/embed/g365a82115f934e31a69118715695c91c231f66cda9084c9389e56afb985a243e?theme=dark", "git.vim", "java_methods_indent2_signature.java", "bugreport.vim", "dylanlid.vim", "lyrics.vim", "cmusrc.vim", "geometry.js.pobrane", "java_method_references_06.dump", "typescript.vim", "firebase-auth-eich0v.pages.dev", "structurizr.vim", "model.vim", "sqr.vim", "readline.vim", "nastran.vim", "nginx-php.standby.content-premier-vic-gov-au.sdp3.sdp.vic.gov.au", "java_methods_indent4_signature_04.vim", "synmenu.vim", "ahdl.vim", "search_impl.js.pobrane", "java_annotations_signature.java", "openvpn.vim", "java_methods_indent4_signature_00.dump", "rrst.vim", "java_switch.java", "feedback.js.pobrane", "icon.vim", "sshconfig.vim", "gtkrc.vim" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "Tesla Hackers" ], "malware_families": [ "Cycbot", "Worm", "Rabu", "Tente", "Alf:nid:susp_nsis_stub.a", "Alf:ransom:win32/babax.sg!mtb", "Virus:dos/hellspawn", "Win.trojan.tepfer-61", "Virtool:win32/vbinject.gen!mh", "Win32:botx-gen\\ [trj]", "Esc", "Win.trojan.dialer-266", "Unix.trojan.tsunami-6981155-0", "Ransom:win32/crowti.a", "Unix.trojan.gafgyt-6981154-0", "Trojandownloader:win32/cutwailransom:win32/crowti.a", "Agenttesla", "Alf:heraklezeval:trojan:msil/gravityrat!rfn", "Backdoor:msil/remcos", "Pws:win32/axespec.a", "Backdoor:win32/arwobot.b", "Win.trojan.gravityrat-6511862-0", "Worm:win32/lightmoon.h", "Vim tutor", "Alf:exploit:o97m/cve-2017-8977", "Vd", "Win.trojan.12382640-1", "Outubro", "Win.packed.bandook-9882274-1", "Trojandropper:win32/muldrop.v!mtb", "#lowfi:hstr:criakl.b1", "Win.malware.mikey-9949492-0", "Tel:trojan:msil/agenttesla.vpa!mtb", "Trackingclient", "Gc", "Trojandownloader:win32/cutwail", "Vasaris", "Wipes", "Vui", "Selectall", "Backdoor:win32/tofsee.t", "#lowfi:vbexpensiveloop", "Trojanspy:win32/nivdort", "Trojan.tofsee/botx", "Srpanj", "Backdoor:linux/demonbot.aa!mtb", "Trojandropper:win32/systex.a", "Cve-2017-11882", "Mirai (elf)", "Trojanproxy:win32/malynfits", "Trojan:win32/qbot.r!mtb", "Pws:win32/vb.cu", "Win.downloader.small-4507", "#fp539598-vbs/loveletter.bt", "Ddos:linux/gafgyt.ya!mtb", "Nids", "Todo", "Virus:win32/lywer", "Anda", "Alf:jasyp:trojan:win32/ircbot!atmn" ], "industries": [ "Construction", "Technology", "Legal, financial, healthcare, government, municipal, real-estate, enterprise-technology, critical-in", "Healthcare", "Government", "Insurance", "Education", "Telecommunications" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 50, "pulses": [ { "id": "69eb254f17eb4a2a990f07e5", "name": "LevelBlue - Open Threat Exchange", "description": "[ As part of security research, we look at some of the most well-known vulnerabilities in the PDF ecosystem, and how they can be identified and mitigated, with the help of a simple hash.] [64xxxx]", "modified": "2026-05-28T07:10:11.800000", "created": "2026-04-24T08:09:51.488000", "tags": [ "pdfkit", "cve202225765", "exploit script", "github", "unicordev", "cves", "xml external", "entity", "pdfs", "knowledge base", "python", "mozilla", "virustotal", "cisa", "apple", "microsoft", "pdfkit ruby", "remote code", "execution", "urls", "malware", "raid", "caddywiper", "wipes", "cve202543529", "webkit", "february", "cve202620643", "bypass", "march", "webkit bug", "command", "control", "levelblue", "open threat" ], "references": [ "https://otx.alienvault.com/indicator/ip/198.49.23.145#:~:text=CIDR:%206%20%7C%20CVE:%20107,infrastructure%20into%20global%20botnet%20clusters." ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Wipes", "display_name": "Wipes", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1084, "FileHash-SHA1": 874, "FileHash-SHA256": 3052, "CVE": 36, "domain": 437, "hostname": 1086, "URL": 1411, "CIDR": 15, "email": 13 }, "indicator_count": 8008, "is_author": false, "is_subscribing": null, "subscriber_count": 70, "modified_text": "4 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a16a621eac2621d97ca6596", "name": "Credit Q.Vashti [\"Device Isolation | Lumen Technologies | Palantir and\"] clone by Q Vashti (researcher)", "description": "", "modified": "2026-05-27T08:25:07.936000", "created": "2026-05-27T08:06:57.005000", "tags": [ "url https", "url http", "tlsv1", "whitelisted", "united", "read c", "as15169", "stcalifornia", "execution", "dock", "write", "persistence", "malware", "encrypt", "active", "lumen technologies", "number", "error", "regexp", "sxa0", "amptoken", "optout", "retrieving", "notfound", "unknown", "form", "flash", "backdoor", "writeconsolew", "yara detections", "command line", "pdb path", "pe resource", "internalname", "windows command", "A", "aws", "name servers", "url analysis", "passive dns", "urls", "data upload", "extraction", "palantir", "c2", "aerospace", "tracking", "spywatchdog", "palapa-c2", "communications satellite", "amazon", "hughesnet", "icmp traffic", "washington c", "washington ou", "mopr", "mon jul", "local", "dynamic", "apple", "network", "t1057", "discovery", "t1069", "t1071", "protocol", "t1105", "tool transfer", "t1480", "guardrails", "t1566", "present jan", "unknown ns", "ip address", "dnssec", "domain", "dynamic dns", "government", "pcup", "germany unknown", "link", "dns hosting", "cloudns", "cloud dns", "a domains", "ipv4 add", "title", "meta", "class", "servers", "present aug", "aaaa", "present sep", "present nov", "present jul", "present may", "moved", "canada unknown", "begin", "record value", "gmt content", "type", "hostname add", "files", "ascii text", "pattern match", "href", "mitre att", "ck id", "ck matrix", "network traffic", "et info", "general", "path", "click", "learn", "command", "name tactics", "suspicious", "informative", "adversaries", "input url", "defense evasion", "france", "ireland", "netherlands", "denmark", "united kingdom", "type indicator", "role title", "added active", "savvis", "centurylinktechnology", "hybrid analysis", "monitoring tools", "monitored target", "triangulation", "worm", "intel", "ms windows", "pe32", "write c", "delete c", "show", "russia as47764", "unix", "lsan jose", "odigicert inc", "markus", "url add", "http", "related nids", "files location", "russia flag", "russia hostname", "russia", "russia unknown", "hosting", "federation flag", "body", "gmt vary", "accept encoding", "gmt cache", "certificate", "pulse submit", "unknown aaaa", "search", "entries", "script domains", "script urls", "pdx cf" ], "references": [ "\u2018Lumen Technologies\u2019 Acting as administrator of a targeted Apple IOS device", "Yare: compromised_site_redirector_fromcharcode", "Alerts: network_icmp nolookup_communication js_eval recon_fingerprint", "Alerts: console_output has_pdb pe_unknown_resource_name", "File Type PEXE - PE32+ executable (console) x86-64, for MS Windows ..", "Tipped: A targets AI and other cyber research findings.", "A \u2018Target\u2019 became a \u2018Target\u2019 vja close association to main Target of predatory retaliation campaign.", "track.spywarewatchdog.org \u2022 https://track.spywarewatchdog.org - monitoring software", "https://palapa.c.id\t (c.id)", "Containers-Pecorino.PalantirGov.com -pecorino.palantirgov.com", "cedevice.io \u2022 decagonsoftware.com", "http://applevless.dns-dynamic.net/\t\u2022 dns-dynamic.net", "http://www.pcup.gov.ph/images/2018/pdf/ComEnBancReso/Commission_Resolution_07s2018.PDF", "pcup.gov.ph:", "http://www.pcup.gov.ph/images/pdf/Contract_of_SecurityServices2013.pdf pcup.gov.ph:", "https://pcup.gov.ph/375 pcup.gov.ph: | https://www.pcup.gov.ph/ pcup.gov.ph:", "https://elegantcosmedampyeah.pages.dev/", "https://www.ptv.vic.gov.au/more/travelling-on-the-network/lets-go/", "inst.govelopscold.com", "https://feedback.ptv.vic.gov.au/360", "nginx-php.7d4jelnf.trdlpbvl.sdp3.sdp.vic.gov.au", "nginx-php.standby.content-premier-vic-gov-au.sdp3.sdp.vic.gov.au", "https://hybrid-analysis.com/sample/a16d11910953b800369dbb667f178b3cc45cb8e3315217c0e6ceac68eeba206d", "https://brand.centurylinktechnology.com", "https://prod.centurylinktechnology.com", "https://brand2.centurylinktechnology.com", "https://mobile-pocket-guide.centurylinktechnology.com", "UPX_OEP_place", "Russia or Muskware? URL http://store.7box.vip/ad/C467F60A1AD6.Jpeg", "ASP. NET", "https://connect.facebook.net/en_US/sdk.js#xfbml=1&version=v4.0&appId=705930270206797&autoLogAppEvents=1 Akamai rank:", "7box.vip" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan.Tofsee/Botx", "display_name": "Trojan.Tofsee/Botx", "target": null }, { "id": "ALF:JASYP:Trojan:Win32/IRCbot!atmn", "display_name": "ALF:JASYP:Trojan:Win32/IRCbot!atmn", "target": null }, { "id": "PWS:Win32/Axespec.A", "display_name": "PWS:Win32/Axespec.A", "target": "/malware/PWS:Win32/Axespec.A" }, { "id": "Worm:Win32/Lightmoon.H", "display_name": "Worm:Win32/Lightmoon.H", "target": "/malware/Worm:Win32/Lightmoon.H" } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1439", "name": "Eavesdrop on Insecure Network Communication", "display_name": "T1439 - Eavesdrop on Insecure Network Communication" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1069.003", "name": "Cloud Groups", "display_name": "T1069.003 - Cloud Groups" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [], "TLP": "green", "cloned_from": "697cdce9ec418c422eee2054", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 102, "FileHash-SHA1": 59, "FileHash-SHA256": 1929, "domain": 854, "hostname": 2156, "URL": 4475, "SSLCertFingerprint": 9, "email": 8, "CVE": 2 }, "indicator_count": 9594, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "5 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "698e93e1ab02db8c49e8c3ed", "name": "\u201cBroken Seal\u201d DocuSign-themed Delivery with Fileless Process Hollowing (Zeppelin/Bloat-A)", "description": "Forensic analysis indicates a DocuSign-themed phishing campaign using a deliberately invalid X.509 PKI seal (\u201cBroken Seal\u201d) to trigger fail-open verification logic in automated handlers. The delivery mechanism bypasses Secure Email Gateway (SEG) reputation checks by using encrypted channels and human-gated infrastructure. The payload is a fileless Process Hollowing (RunPE) malware that injects into RWX memory of legitimate processes to evade disk-based EDR.", "modified": "2026-05-17T15:52:35.396000", "created": "2026-02-13T03:00:49.872000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr", "My Independent research finds an intersect between different pdf DV versions being able to connect to Raspberry Pi devices as it was the FCC application document. Risk: Mac ID connectivity to all." ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 28000, "FileHash-SHA256": 48374, "FileHash-MD5": 42596, "FileHash-SHA1": 23243, "hostname": 35654, "URL": 75758, "SSLCertFingerprint": 30, "CVE": 7585, "email": 316, "FileHash-IMPHASH": 8, "CIDR": 26205, "JA3": 1, "URI": 5, "IPv4": 574, "Mutex": 1 }, "indicator_count": 288350, "is_author": false, "is_subscribing": null, "subscriber_count": 92, "modified_text": "14 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d79c38e0a059039b475ebe", "name": "CAPE Sandbox", "description": "Email today from them on my line. Very wild things happening here. trying to close my line", "modified": "2026-05-09T12:10:59.635000", "created": "2026-04-09T12:31:52.495000", "tags": [ "html document", "unicode text", "utf8 text", "crlf", "lf line", "site", "meta", "verizon", "wireless", "internet", "phone services", "official", "shop verizon", "lte network", "get fios", "title", "code", "error", "utc na", "utc google", "tag manager", "gtmw2vn2cq", "utc dc9849921", "utc dc685973", "utc g12r1dx1lx7", "utc aw647962234", "utc aw2761768", "utc aw685973", "verizon business", "verizon for business", "verizon business account", "verizon business phone", "verizon wireless for business", "verizon business service", "verizon business plan", "business internet services", "learn", "gartner", "contact", "find", "discover", "support", "close log", "shop", "upgrade", "small", "voice", "chat", "mitre attack", "network info", "program", "html page", "t1055 process", "overview", "processes extra", "overview zenbox", "verdict", "guest system", "phishing", "next", "ver2", "msclkidn", "utc amazon", "analytics na", "utc bing", "vids1", "vids0", "gdlname" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/edb4c21d60daa44b3429e7ba9bfa342759ebef23c136c934f74aef145453ce19_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775737365&Signature=S%2B7RcHYjab1hbKlKwFfvUbDirFPJS1A2TJQ3bVIObMcON4PD9pRDvhMtYMCnEBrYsICi0UJCFW5eUDolL5Jlbngsc587kF36vvuhlkPprbkSOY1jOyDTpe3Qsb6jRFz3xwOfZc9S5QervoLnRKb%2FyGSyZE6ZK6TxzBrOPczPtZ7sLf9NfD6E%2B2gMRXaRjEqVwVITLG7YqCiiNuohFOuNlK3uNHFpIk53viKvBSAIqLtSklH9bHW4q1DX", "https://www.verizon.com/business/", "https://vtbehaviour.commondatastorage.googleapis.com/edb4c21d60daa44b3429e7ba9bfa342759ebef23c136c934f74aef145453ce19_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775737710&Signature=fbsokraSd7lsYmUfaTEl8Phs2K3hp7AtVmQU9axeEBcYmYbrrYrrfpP5lPEQaE%2Fh3%2BEP9Rn8mD8D1haqQVXCN0VVlxJ4sddjWmyC5USsgBsvUb0%2F72h1WHDS2KXHlteZWE%2Bauckabain9D5kX501AnqFY38s77OIqO6SMOkQ%2BvXiDSSRK%2FZhbfradBnei3ZLHsXGxkoshTyvB0%2BC%2F8SiUzdVsqSjik0Bn2r%2BIlLpDQK90GlZTD0N" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 772, "hostname": 706, "domain": 875, "FileHash-SHA256": 2348, "FileHash-MD5": 2237, "FileHash-SHA1": 2260, "CVE": 1, "email": 9 }, "indicator_count": 9208, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d7a3f4d72c30f9586634b9", "name": "VirusTotal report\n for flow-browser-main.zip", "description": "A sample of flow-browser-main, an unauthorised version of the web browser, has been detected by researchers at the University of California, Los Angeles, and the National Security Agency (NSA). myvzw.com after an email on ending a #", "modified": "2026-05-09T12:10:59.635000", "created": "2026-04-09T13:04:52.444000", "tags": [ "file type", "png image", "ascii", "ascii text", "java source", "json", "rgba", "creates", "crlf line", "mac os", "date", "malicious", "next", "button", "span", "edit3icon", "rotateccwicon", "xicon", "htmldivelement", "react", "saveicon", "null", "shortcutitem", "click", "zip archive", "png multimedia", "graphics" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739500&Signature=r1pLCgJf%2FQK8TvenCwXy9bnghFzjJ5QssdQSLP37SLv6EkA3WXuFUIvKrsXKokco7bMfQUy%2FArk8F6aP%2Bhaj16Jv7P%2FGB%2Blf7mPvs47VjwfBJRCP8AZLlWvO45%2BjC68v798csdJFPTP31O4yDOE3pXZ3EThm4nSrIwLPhTSPfi3cPlEh2wLSzcySW7BYLw%2BqCoawFCxeLUz7hIV0vC89Mlwi3DeS%2BEnWFF%2FsvT9lVJjdbLoJLEeO", "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739700&Signature=bOTo%2FxCpGDGOsIKJDZjBBhLZRg8UiOGi%2FvVr47Xpmh7tOh9dez7911bi%2F9SUdu4ATLhzRVog%2BdVP%2BUPwTuEfIdEcPuGRGVc1KOSP3fTQrKhRjF3x2dqykxVCH%2B1iqBmCgod%2B1uAdlraxqSOeOgst1l%2Bk250uXff4axktE%2BfGjeNDeGJao%2FfOMktqIL7zU8%2BIQYTObwelnnYx45FBSiXI1bWM4vhdgIX4cs2cT%2F" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 220, "FileHash-MD5": 562, "FileHash-SHA1": 566, "FileHash-SHA256": 1011, "URL": 125, "hostname": 139, "email": 4 }, "indicator_count": 2627, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d7a3f511d0121d253b753d", "name": "VirusTotal report\n for flow-browser-main.zip", "description": "A sample of flow-browser-main, an unauthorised version of the web browser, has been detected by researchers at the University of California, Los Angeles, and the National Security Agency (NSA). myvzw.com after an email on ending a #", "modified": "2026-05-09T12:10:59.635000", "created": "2026-04-09T13:04:53.436000", "tags": [ "file type", "png image", "ascii", "ascii text", "java source", "json", "rgba", "creates", "crlf line", "mac os", "date", "malicious", "next", "button", "span", "edit3icon", "rotateccwicon", "xicon", "htmldivelement", "react", "saveicon", "null", "shortcutitem", "click", "zip archive", "png multimedia", "graphics" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739500&Signature=r1pLCgJf%2FQK8TvenCwXy9bnghFzjJ5QssdQSLP37SLv6EkA3WXuFUIvKrsXKokco7bMfQUy%2FArk8F6aP%2Bhaj16Jv7P%2FGB%2Blf7mPvs47VjwfBJRCP8AZLlWvO45%2BjC68v798csdJFPTP31O4yDOE3pXZ3EThm4nSrIwLPhTSPfi3cPlEh2wLSzcySW7BYLw%2BqCoawFCxeLUz7hIV0vC89Mlwi3DeS%2BEnWFF%2FsvT9lVJjdbLoJLEeO", "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739700&Signature=bOTo%2FxCpGDGOsIKJDZjBBhLZRg8UiOGi%2FvVr47Xpmh7tOh9dez7911bi%2F9SUdu4ATLhzRVog%2BdVP%2BUPwTuEfIdEcPuGRGVc1KOSP3fTQrKhRjF3x2dqykxVCH%2B1iqBmCgod%2B1uAdlraxqSOeOgst1l%2Bk250uXff4axktE%2BfGjeNDeGJao%2FfOMktqIL7zU8%2BIQYTObwelnnYx45FBSiXI1bWM4vhdgIX4cs2cT%2F" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 224, "FileHash-MD5": 558, "FileHash-SHA1": 564, "FileHash-SHA256": 558, "URL": 140, "hostname": 166, "email": 2, "CVE": 8 }, "indicator_count": 2220, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d7a3f6657dd0c212d8344a", "name": "VirusTotal report\n for flow-browser-main.zip", "description": "A sample of flow-browser-main, an unauthorised version of the web browser, has been detected by researchers at the University of California, Los Angeles, and the National Security Agency (NSA). myvzw.com after an email on ending a #", "modified": "2026-05-09T12:10:59.635000", "created": "2026-04-09T13:04:54.060000", "tags": [ "file type", "png image", "ascii", "ascii text", "java source", "json", "rgba", "creates", "crlf line", "mac os", "date", "malicious", "next", "button", "span", "edit3icon", "rotateccwicon", "xicon", "htmldivelement", "react", "saveicon", "null", "shortcutitem", "click", "zip archive", "png multimedia", "graphics" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739500&Signature=r1pLCgJf%2FQK8TvenCwXy9bnghFzjJ5QssdQSLP37SLv6EkA3WXuFUIvKrsXKokco7bMfQUy%2FArk8F6aP%2Bhaj16Jv7P%2FGB%2Blf7mPvs47VjwfBJRCP8AZLlWvO45%2BjC68v798csdJFPTP31O4yDOE3pXZ3EThm4nSrIwLPhTSPfi3cPlEh2wLSzcySW7BYLw%2BqCoawFCxeLUz7hIV0vC89Mlwi3DeS%2BEnWFF%2FsvT9lVJjdbLoJLEeO", "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739700&Signature=bOTo%2FxCpGDGOsIKJDZjBBhLZRg8UiOGi%2FvVr47Xpmh7tOh9dez7911bi%2F9SUdu4ATLhzRVog%2BdVP%2BUPwTuEfIdEcPuGRGVc1KOSP3fTQrKhRjF3x2dqykxVCH%2B1iqBmCgod%2B1uAdlraxqSOeOgst1l%2Bk250uXff4axktE%2BfGjeNDeGJao%2FfOMktqIL7zU8%2BIQYTObwelnnYx45FBSiXI1bWM4vhdgIX4cs2cT%2F" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 217, "FileHash-MD5": 558, "FileHash-SHA1": 564, "FileHash-SHA256": 558, "URL": 118, "hostname": 133, "email": 2 }, "indicator_count": 2150, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d7a3f683111bbbe1c9ae35", "name": "VirusTotal report\n for flow-browser-main.zip", "description": "A sample of flow-browser-main, an unauthorised version of the web browser, has been detected by researchers at the University of California, Los Angeles, and the National Security Agency (NSA). myvzw.com after an email on ending a #", "modified": "2026-05-09T12:10:59.635000", "created": "2026-04-09T13:04:54.775000", "tags": [ "file type", "png image", "ascii", "ascii text", "java source", "json", "rgba", "creates", "crlf line", "mac os", "date", "malicious", "next", "button", "span", "edit3icon", "rotateccwicon", "xicon", "htmldivelement", "react", "saveicon", "null", "shortcutitem", "click", "zip archive", "png multimedia", "graphics" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739500&Signature=r1pLCgJf%2FQK8TvenCwXy9bnghFzjJ5QssdQSLP37SLv6EkA3WXuFUIvKrsXKokco7bMfQUy%2FArk8F6aP%2Bhaj16Jv7P%2FGB%2Blf7mPvs47VjwfBJRCP8AZLlWvO45%2BjC68v798csdJFPTP31O4yDOE3pXZ3EThm4nSrIwLPhTSPfi3cPlEh2wLSzcySW7BYLw%2BqCoawFCxeLUz7hIV0vC89Mlwi3DeS%2BEnWFF%2FsvT9lVJjdbLoJLEeO", "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739700&Signature=bOTo%2FxCpGDGOsIKJDZjBBhLZRg8UiOGi%2FvVr47Xpmh7tOh9dez7911bi%2F9SUdu4ATLhzRVog%2BdVP%2BUPwTuEfIdEcPuGRGVc1KOSP3fTQrKhRjF3x2dqykxVCH%2B1iqBmCgod%2B1uAdlraxqSOeOgst1l%2Bk250uXff4axktE%2BfGjeNDeGJao%2FfOMktqIL7zU8%2BIQYTObwelnnYx45FBSiXI1bWM4vhdgIX4cs2cT%2F" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 218, "FileHash-MD5": 558, "FileHash-SHA1": 564, "FileHash-SHA256": 558, "URL": 119, "hostname": 133, "email": 4 }, "indicator_count": 2154, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d7a3f6f81dc2388c0fa027", "name": "VirusTotal report\n for flow-browser-main.zip", "description": "A sample of flow-browser-main, an unauthorised version of the web browser, has been detected by researchers at the University of California, Los Angeles, and the National Security Agency (NSA). myvzw.com after an email on ending a #", "modified": "2026-05-09T12:10:59.635000", "created": "2026-04-09T13:04:54.563000", "tags": [ "file type", "png image", "ascii", "ascii text", "java source", "json", "rgba", "creates", "crlf line", "mac os", "date", "malicious", "next", "button", "span", "edit3icon", "rotateccwicon", "xicon", "htmldivelement", "react", "saveicon", "null", "shortcutitem", "click", "zip archive", "png multimedia", "graphics" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739500&Signature=r1pLCgJf%2FQK8TvenCwXy9bnghFzjJ5QssdQSLP37SLv6EkA3WXuFUIvKrsXKokco7bMfQUy%2FArk8F6aP%2Bhaj16Jv7P%2FGB%2Blf7mPvs47VjwfBJRCP8AZLlWvO45%2BjC68v798csdJFPTP31O4yDOE3pXZ3EThm4nSrIwLPhTSPfi3cPlEh2wLSzcySW7BYLw%2BqCoawFCxeLUz7hIV0vC89Mlwi3DeS%2BEnWFF%2FsvT9lVJjdbLoJLEeO", "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739700&Signature=bOTo%2FxCpGDGOsIKJDZjBBhLZRg8UiOGi%2FvVr47Xpmh7tOh9dez7911bi%2F9SUdu4ATLhzRVog%2BdVP%2BUPwTuEfIdEcPuGRGVc1KOSP3fTQrKhRjF3x2dqykxVCH%2B1iqBmCgod%2B1uAdlraxqSOeOgst1l%2Bk250uXff4axktE%2BfGjeNDeGJao%2FfOMktqIL7zU8%2BIQYTObwelnnYx45FBSiXI1bWM4vhdgIX4cs2cT%2F" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 218, "FileHash-MD5": 558, "FileHash-SHA1": 564, "FileHash-SHA256": 558, "URL": 119, "hostname": 133, "email": 4 }, "indicator_count": 2154, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69fda935d86fd4e7e3fb7893", "name": "[Targeted Attack: Windows Virtual Interface Machine] {credit ilyailya} - usernote: falseflagdragon", "description": "", "modified": "2026-05-08T12:22:01.570000", "created": "2026-05-08T09:13:25.760000", "tags": [ "code", "range", "file offset", "ecxedi20xa", "edi0x6d", "ebp20x20", "esi0x67", "edx0x6f", "esi0x61", "ebp20x62", "hopper", "cve20072438", "normally", "use vim", "checkfile", "vimruntime", "checkdir", "vim project", "https", "bram moolenaar", "bram", "files", "silent", "insert mode", "down", "pumvisible", "vim script", "evim", "maintainer", "spellpopupmenu", "aunmenu", "tlunmenu", "loadbuffermenu", "revert", "difforig", "show", "ctrlu", "diffthis", "bail", "win32", "vim support", "remove", "comment", "genericname", "name", "keywords", "gvim", "edit", "zhcn", "editor", "metin", "rediger", "loadftplugin", "filetype", "expand", "amatch", "make", "sinsert", "middlemouse", "unix", "amiga", "mswindows", "loadindent", "end def", "visual mode", "shiftdel", "copy", "vim default", "selectmode", "insert", "load", "detectfiletype", "addoption", "optiong", "binoptiong", "optionl", "binoptionl", "header", "space", "python", "find", "open", "mark", "shell", "ruby", "install", "vim desktop", "substitute", "vunmenu", "paste", "script", "selectall", "word", "popup", "menu", "line", "close", "window", "back", "toolbar", "compiler", "next", "hack", "vimvimrc", "haiku", "openvms", "setsyn", "lang", "syntax menu", "description", "define", "setsyn function", "assembly", "maya", "bufnewfile", "bufread", "starsetf", "setf", "language", "visual basic", "xml au", "latex", "setfiletypesh", "endif", "lilo", "apache", "postscript", "rexx", "atom", "meta", "clipper", "desktop", "gift", "hercules", "julia", "mercurial", "pacman", "trigger", "puppet", "path", "powershell", "info", "ziggy", "speedup", "systemd", "form", "format", "calendar", "dracula", "config", "sfile", "esc", "iconv", "psflags", "if defined", "newitem force", "itemtype file", "iso88591 t", "utf8", "utf8 t", "iconvpath", "t iso88591", "makefile", "converted", "bob ware", "colorado school", "mines", "vim editor", "on your", "original copy", "please", "golden", "translation", "lesson", "enter", "type", "filename", "press", "normal mode", "repeat", "summary", "notice", "ruler", "test", "letzn", "mrkl", "zeil", "strg", "bewg nn", "end von", "druck", "dautticht", "zipf", "zaichen", "netty", "moveu el", "entrar", "premeu", "fitxer", "normal", "prova", "repetiu", "sumari", "desprs", "ara premeu", "cont", "ctrl", "ctrld", "append", "ctrlr", "ctrli", "shift", "backspace", "lekce", "napi", "dek oznaen", "normlnm mdu", "pesu", "stla", "soubor", "pesu kurzor", "opakuj", "toto", "lektion", "flyt", "skriv", "tryk p", "gentag", "bemrk", "filnavn", "nr der", "tryk", "zeile", "bewege den", "tippe", "zeichen", "cursor zu", "cursor zum", "kommandos", "cursor", "null", "tutor", "ctrlg", "shiftg", "shiftn", "msdos", "vimtutor", "capslock", "michael", "movu la", "leciono", "enenklavo", "kursoron al", "tajpu", "kursoron e", "testo", "premu", "dosiernomo", "resumo", "nova", "anon", "leccin", "mueva el", "intro", "pulse", "escriba", "para", "ahora", "insertar", "esto", "repita", "antes", "tenga", "como", "este", "leon", "tapez", "dplacez", "entre", "chap", "insertion", "puis tapez", "rptez", "appuyez", "lekcija", "otipkajte", "pritisnite", "ponovite", "kako bi", "insert mod", "prijeite", "saetak", "imedatoteke", "note", "windows", "yank", "mozgassuk", "fjlnv", "parancs", "lecke", "teszt", "j sort", "nyomja meg", "norml mdban", "ismtelje", "muovi il", "batti", "lezione", "invio", "premi", "ripeti i", "nomefile", "modalit normale", "adesso batti", "nota", "alla", "stata", "replace", "change", "subtitute", "school", "emiau", "spustelkite", "testas", "pirmj", "failovardas", "fail", "normalij", "santrauka", "ymeklis", "raid", "ramen", "tagad", "ievadiet", "piemram", "apkopojums", "lai izdzstu", "lai ievietotu", "ievadot", "ievrojiet", "js varat", "macos", "leksjon", "flytt", "trykk", "slette", "repeter", "erstatte", "sette", "kommandoen", "sett", "tips", "vise", "druk", "het commando", "herhaal de", "als je", "deze", "de cursor", "gebruik", "voeg", "bestandsnaam", "zorg", "mova", "digite", "teste", "agora", "pressione", "insero", "mais", "lekcja", "przenie kursor", "wcinij", "vima", "wpisz", "teraz", "powtarzaj", "nazwapliku", "uwaga", "jest", "dmesine", "ders", "ilk satra", "bu satrda", "normal kipe", "normal kipte", "daha fazla", "pomerite kursor", "otkucajte", "preite", "imefajla", "rezime lekcije", "za zamenu", "flytta", "filnamn", "normallge", "tryck", "om du", "sammanfattning", "genom", "lekcia", "presu kurzor", "presu", "napsanie", "zopakuj", "poznmka", "lcmessages", "lcall", "slovak tutor", "vim tutor", "amatria", "thevimproject", "slovak", "czech", "number", "motion", "ignore", "hjkl", "by gi", "di chuyn", "cu lnh", "u tin", "thay", "tntptin", "nu bn", "tng kt", "vim c", "lodi", "caps", "lock", "abc de", "command", "krishna", "spellerrors", "display dpy", "none", "false", "xfree", "sendinit", "isserialname", "staticspace", "xsync", "sendtovim", "main", "k command", "shell script", "vt100", "term vt100w", "dec locator", "vsnet", "tools", "external tools", "title", "arguments", "curline", "itempath", "init dir", "empty", "fbshtagsfp", "create", "options", "tags", "bourne shell", "perl", "fbkshfp korn", "tcl shell", "tk windowing", "parse", "new buffer", "buildcasetable", "printf", "buildwidthtable", "keys", "parsefoldprops", "parsewidthprops", "variabletags", "argv", "stephen riehm", "david woodfall", "getopt", "v include", "print version", "suppress", "reason", "file", "severity", "o ccfilter", "following", "this first", "ccfilter", "quickfix format", "though", "start", "john lange", "primitivem", "errorformat", "perl script", "executecore", "aerts", "sw developer", "sony telecom", "europe", "b1130 brussels", "belgium", "port", "host", "server", "vim channel", "chopen", "localhost8765", "json message", "linelength", "compilernames", "irix", "solaris", "hpux", "pablo ariel", "c compiler", "compilerqty", "usage", "project", "collector", "written", "ives aerts", "notes", "r decrement", "v verbose", "outputs", "o treat", "program", "q errorfile", "stdout", "copyright", "joerg ziefle", "perl w", "first", "maketag", "version", "exuberant ctags", "statement", "loop", "michael schaap", "support", "packagename", "look", "february", "push", "sgi mipspro", "error int", "error", "doit", "vim9 function", "nr2char", "c program", "vim quickfix", "awk script", "dec terminal", "make vim", "errors", "begin", "kirchgatterer", "opcodes syn", "addresses", "numbers", "types syn", "blocks syn", "strings syn", "program counter", "hilo byte", "quit", "todo todo", "aappythonscript", "python line", "python block", "blockline", "abap", "statement hi", "string hi", "structure", "vim abap", "abapr4", "marius piedallu", "james allwright", "april", "klmpqwvw", "comment hi", "type hi", "identifier hi", "constant let", "abel", "john cook", "johncook3", "a bunch", "todo xxx", "fixme", "c style", "abaqus", "carl osterwisch", "costerwi", "remark", "abaqus comment", "abaqus keyword", "include hi", "todo hi", "acedb model", "stewart morris", "thu apr", "syntax file", "acedb software", "xref syn", "rest", "preproc hi", "delimiter hi", "nikolai weibull", "include", "useroption", "options medium", "defaultprinter", "outputfirstline", "filecommand", "todo fixme", "martin krischik", "kind", "keyword", "mk bram", "standard", "character", "stype", "date", "vim syn", "altera ahdl", "x syn", "todo", "xnor syn", "specialchar hi", "builtin", "define hi", "builtin rect", "operator hi", "special hi", "dbus", "g3drop", "builtin dump", "builtin number", "builtin call", "redir", "stream", "screen", "function hi", "aflex", "lex syntax", "mathieu clabaut", "lastchange", "ada syntax", "aflex stuff", "patterns", "dominique pelle", "storageclass hi", "keyword let", "endlet", "htmlformat", "htmlcolor", "span", "htmlformatn", "foldcolumnbuild", "css1", "foldedid", "html", "generator", "fixme todo", "xxx note", "spell", "amigados", "campbell", "former url", "syntaxamiga", "krief david", "display drop", "beta cauchy", "irand224 syn", "normal poisson", "antlr4", "another tool", "yinzuo jiang", "jiangyinzuo", "july", "option value", "ben rubson", "hammers", "changelog", "option value1", "option", "value1", "david necas", "yeti", "base", "xxx not", "core", "antlr", "javacc parser", "azaz09", "parserend", "parserbegin", "token skip", "antsyntaxscript", "doug kearns", "zellner", "xmlcdatastart", "xmlcdataend", "xmltag", "xmlendtag", "ayer", "atch", "orkspace", "ngle", "rity", "mbol", "ffset", "istory", "osition", "xport", "stack", "tack", "digi", "flip", "shade", "cluster", "keyb", "arch", "moran", "ecode", "gnu arch", "source", "keyword hi", "simulate", "aptitude", "state", "yann amar", "quidame", "aptconf", "incomplete", "ebug", "autodetect", "fast", "marker", "score", "arduino", "hoff", "october", "license", "vim license", "arduino ide", "erik nomitch", "adam obeng", "artenterprise", "dorai sitaram", "ds26", "thilo six", "number hi", "edfghprs", "gnu assembler", "erik wognsen", "kdahlhaus", "kevin", "label hi", "macro hi", "title hi", "deprecated", "skip", "none hi", "claudio fleiner", "claudio", "end imports", "exports from", "implicitstags", "explicitstags", "absent present", "size universal", "strings", "aspperlscript", "perlscript", "aaron hope", "constant hi", "bwlsdxp", "macro", "specialchar", "error hi", "aspvbserror", "aspvbsfunction", "aspvbsmethods", "aspvbsstatement", "aspvbsnumber", "aspvbscript", "aspvbscomment", "aspvbs", "exits", "floating point", "asterisk", "tilghman lesher", "corydon76", "zonemessages", "atlas", "inaki saez", "jisaez", "flags bef", "orange syn", "containsasytodo", "asymptote", "avid seeker", "c syntax", "autodoc", "berg", "xml dl", "display", "contains", "borz", "kdpds", "oneline", "hotstring", "comspec", "hotkey", "reload", "common", "autoit", "soundplay", "autoit v3", "jared breland", "ping", "shutdown", "vim maintainers", "john williams", "action", "makefile syntax", "avenue", "arcview", "wagner", "esri", "string", "integer number", "operator syn", "xor mod", "hitachi h8300h", "xorc syn", "identifier let", "avr assembler", "avra", "avra home", "avra version", "marius ghita", "mhitza", "gawk ref", "functions syn", "awk ref", "effective awk", "programming", "keeps", "astro", "style", "fold", "enable", "astrojavascript", "htmlpreproc", "wuelner martnez", "html tag", "azaz", "ayaccuniongroup", "ayacc", "clusters", "aunis", "bash", "a formal", "method", "contributor", "csaba hoch", "undef", "defaultchar", "startstartfont", "bdfboundingbox", "containsbdftodo", "bibtex", "bernd feige", "ignore case", "xdata customa", "xref", "ams mref", "data", "basic", "quickbasic", "trim", "metacommands", "kill", "zonenumber", "bind zone", "mehnle", "slava gorbanev", "generates syn", "bcall", "vlado", "keywords syn", "string syn", "comment syn", "parent", "sulejman", "blank", "xspo", "bitbake", "chris larson", "kergoth", "daniel kho", "bsdl", "vhdl syntax", "tim pope", "vimnospam", "highlight", "imperfect", "bstnumber", "entry function", "integers macro", "bazel", "david barnett", "label", "digit", "john leo", "spetz", "boolean", "statuses", "bazaar", "dmitry vasiliev", "dima", "diff", "nospell", "synchronization", "baanerror", "selecteos", "updateerror", "d rows", "default", "selectempty", "selecterror", "updateempty", "union", "hooks", "normal hi", "case", "haskell cabal", "build file", "profunctor", "benchmark", "import", "cabalconfigpath", "cabal config", "original author", "cabalconfigkey", "false ghc", "cabal project", "true false", "cabalprojectnat", "boolean hi", "cparengroup", "cstringgroup", "ccommentgroup", "clabelgroup", "iso c99", "elifs", "ifndef", "ccppoutingroup", "optional", "accept", "public dtddecl", "entity catalog", "errormsg hi", "cdlcommentgroup", "raul segura", "acevedo", "xcheck", "childsname", "parentsname", "grpsdescription", "fixme xxx", "fullburn", "readdriver", "writedevice", "readdevice", "cfgcomment", "uncpath", "cfgstring", "cfgsection", "prischepoff", "on off", "yes no", "dos drive", "zhenyu", "documentation", "and fold", "operator", "punctuation", "transparent", "region and", "cfmlcorekeyword", "linden", "coldfusion", "skipwhite", "nextgroup", "cdrtoctrack", "cdtext", "performer", "silence", "zero", "softintegration", "cc interpreter", "declspec", "exception hi", "structure let", "built", "chaiscript", "jason turner", "lefticus", "escape", "web changes", "andreas scherer", "details", "cweb", "knuth", "silvio levy", "webcweb", "november", "haskell", "armin sander", "changelog file", "menesis", "vinschen", "june", "chatito", "observeroftime", "import syn", "intent syn", "slot syn", "cheetah", "max ischenko", "matches", "precondit hi", "evan hanson", "scheme", "chicken", "repository", "scheme syntax", "lighten", "heredocs", "cc syntax", "hse1", "chorus", "startofverse", "startofbridge", "startoftab", "startofabc", "startofly", "chordfont", "chill", "repeat hi", "avoid", "youngsang yoon", "image", "ccitt high", "this", "ember", "sifs0", "sinclude", "calendarinclude", "andrea callea", "chuck", "object event", "ugen array", "pieter van", "engelen", "arthur van", "leeuwen", "start syn", "int real", "char bool", "zamana", "flagship", "mario eusebio", "accept append", "blank from", "highlight value", "cmake", "comments", "match key", "cmakecachekey", "advanced", "highlight str", "stringstr", "nickspoons", "internal", "clever language", "clever", "multibase", "philip uren", "philuspax", "cmod", "cmodautodoc", "supports", "init init", "exit gcrecurse", "browser", "cocor", "shukla", "any characters", "context end", "from if", "nested pragmas", "to tokens", "cword", "fnameescape", "supplement", "must", "dgacfbe", "clojuretop", "arraychunk", "vecnode", "vecseq", "x00x7f", "partstart", "gondi", "inst", "etcdisktab", "acmsg", "acmsgtype", "hammesr", "yngve inntjore", "levinsen", "khym chanur", "james mccoy", "well", "anything", "conary recipe", "addallflags syn", "run automake", "makeinstall syn", "install copy", "move symlink", "link remove", "doc syn", "crm114", "modemsg hi", "imported", "target", "true", "interface", "quiet", "private", "write", "multi", "never", "unknown", "fatalerror", "sensitive", "android", "download", "guard", "exact", "locale", "trace", "alphabet", "john hoelzel", "hours days", "commands", "llll", "hminsmsusnsi", "ffll", "ken shan", "ccshan", "context", "synname", "startstartz", "endstopz1", "mptop", "luatop", "csccommentgroup", "if else", "endif elseif", "lev sy", "iallancestors", "curgen sy", "warningmsg hi", "essbase", "prior", "descendants", "cshell", "syntaxcsh", "variables", "luul", "csall", "srecord", "az09", "processes", "amsettimer", "sdlmatch", "default hi", "fdr input", "maxim kim", "habamax", "functions", "predefined term", "end predefined", "term variables", "century term", "csdl", "jacek artymiak", "c22032019", "call", "replacing", "comp", "recognize", "ascii", "existing syntax", "ctrlhbold", "ctrlh", "module level", "prop", "media", "cuda", "nvidia compute", "unified device", "architecture", "terriberry", "device global", "host managed", "shared syn", "restrict", "cupl simulation", "cupl syntax", "matt dunford", "sat nov", "statement let", "tex syntax", "cweb source", "cc material", "webincludedc", "double", "rc file", "dada", "dadas", "etant", "scen", "regel", "pero", "esquema", "tapi", "kada", "dados", "maka", "fono", "cupl", "valid integer", "signal", "phil derrick", "phild", "cynpp", "cynlib", "cynlib syntax", "posedge negedge", "changed syn", "instantiate", "out inst", "url http", "default cynscon", "standard syntax", "include debian", "match uri", "addremove", "byhash", "christopher", "dcod trts", "tnxt crlf", "labl syn", "cequ cneq", "cgte clte", "cbit clse", "dcomment", "jason", "pragma", "4857", "digital command", "sword", "mine", "conditional hi", "dart", "eugene pr3d4t0r", "ciurana", "former", "gerfried fuchs", "alpha", "rust", "datascript", "dscommentgroup", "comment let", "debcopyright", "orig author", "rob brady", "robb", "wu yongwei", "library stub", "code windows", "dos syn", "exports imports", "dep3 patch", "gabriel filion", "gabster", "specification", "authorfrom", "adminemail", "lockfile", "matthijs", "match", "ttext", "ccategory", "fflag", "llicense", "rock linux", "ren rebe", "spell syn", "lastline syn", "filter", "disablestrat", "s un", "r en", "jakson alves", "ansi sgr", "ansi sgr8", "jan larres", "term left", "black", "green", "contact", "charityware", "uganda", "entry", "block", "parasitic", "parameter", "devicemos", "rules", "device", "diva", "toby schaffer", "categories", "exectryexec", "unmounticon", "at wp", "chat", "django", "django template", "dave hodder", "dnsbind zone", "docbook sgml", "cest let", "docbook xml", "docbook", "devin weaver", "shlomi fish", "auto detect", "syntax xml", "sgml", "syntax sgml", "rory hunter", "json", "dockerfiles", "honza pokorny", "onbuilds", "from", "add arg", "cmd copy", "mike williams", "mrmrdubya", "windows nt", "msdosms windows", "mckee", "nima talebi", "hong xu", "sept", "keyword hilink", "hilink", "error hilink", "nargs hilink", "markus mottl", "enclosing", "scott bordelon", "wed apr", "cadence", "automation", "design rule", "checking", "layout", "schematic", "dsssl", "cest", "example", "xmlregionhook", "dtml", "dtml syntax", "zope", "markup language", "jordaan", "doxygenhtmltop", "synlink", "link", "syncolor", "strong", "reflink", "cpreprocgroup", "actions", "dtrace d", "d script", "solaris dynamic", "tracing guide", "nicolas weber", "nicolasweber", "first line", "probe", "turn", "entity", "matchgroupnone", "document type", "definition", "brabandt", "dune", "anton kochkov", "samuel hym", "simon cruanes", "kawahara satoru", "urkedal", "etienne millon", "dylan", "justus", "fri sep", "include let", "dylan library", "interface files", "brent fulgham", "bfulgham", "string let", "fulgham", "dnsmasqkeyword", "dnsmasqrange", "editorconfig", "anders", "edif version", "edif", "artem zankovich", "zartem", "5481988", "john beppu", "beppu", "ecd file", "embedix linux", "elm filter", "syntaxelmfilt", "elmfiltnumber", "brssow", "environments", "wraparound", "elinksnumber", "elinkscolor", "savingstylew", "imagelinksuffix", "homepage", "current void", "selse", "sthen", "eiffel", "joseph hager", "ajhager", "typedef hi", "lambda", "xxxx", "kresimir marzic", "oscar hellstrm", "oscar", "kornel", "syntax", "label highlight", "type highlight", "identifier", "george", "exec sql", "preproc let", "esterel", "luca necchi", "nikos andrikos", "esterel regions", "esterel types", "esterel comment", "identifiers", "euphoria", "builtins", "function", "reset", "should suffice", "etermgeneral", "d0xx", "mod5", "rubytop", "eruby", "erubysubtypezsw", "conventional", "text", "generated file", "david nev", "setup", "expect", "normal expect", "ralph jennings", "knowbudy", "user", "sysv", "bsd isms", "syntaxexports", "optset", "eviews", "vaidotas zemlys", "zemlys", "az4857", "assembler", "fasm", "ron aaron", "vim url", "fasm home", "fasm version", "xmm0 xmm1", "xmm2 xmm3", "dwayne bailey", "dwayne", "fdcc", "definitions", "iso tr", "unicode", "shell command", "output", "array", "fantom", "service", "bridle", "informix", "update", "abort abs", "absolute accept", "access acos", "add after", "allocate alter", "drop", "fishnext", "fishstatement", "fishterminator", "fishargument", "nicholas boyle", "flexwiki", "reilly", "home", "fuse", "modify", "table", "pascal makefile", "sections", "comments syn", "forth79", "forth83", "char", "forth83 syn", "body", "noname", "class", "local", "tung", "thu oct", "thomas reiter", "manipulation", "book", "document", "textfile", "apply", "formats", "popu", "crea", "modi", "memo", "defi", "disp", "dele", "appe", "repl", "proj", "alia", "cmon", "nvert", "mwin", "uniq", "blin", "carr", "story", "mult", "rator", "fortran", "ends", "cray", "ulllull", "stop", "fvwmm4", "mainsyntax", "fvwm2m4", "include m4", "include fvwm2", "fvwm1", "hss1", "general syn", "szsw", "check", "journal", "hold", "fvwm", "cursormove", "edgeresistance", "modulepath", "noborder", "windowlistskip", "backcolor", "sticky", "refresh", "buttons", "exclam", "slash", "gdmo", "iso101654", "guidelines", "managed object", "gyuman", "chester", "godot resource", "section syn", "ssss", "gdb command", "simon sobisch", "isplay", "unset", "linkurl", "gemtext markup", "suneel freimuth", "heading", "list", "quote", "heading special", "list statement", "godot", "bug hack", "gitdiff", "dddd", "endt", "commit", "question hi", "giftcef", "linenr hi", "giftceffw", "giftce", "conceal hi", "gedcom", "paul johnson", "december", "abbr addr", "adop adr1", "adr2 afn", "godot gdscript", "website", "pattern", "attribute syn", "macro syn", "gitcommitdiff", "your", "todo let", "crrw", "creator", "xexec", "syn match", "az4857 syn", "adam monsen", "opengl shading", "modified", "godoc", "title let", "gocommentgroup", "chan", "foldenable", "packagecomment", "integer hi", "todo regexp", "todos", "josh wainwright", "dot ja", "at gmail", "dot com", "karim belabas", "texstyle syntax", "todo syntax", "todd zullinger", "daniel kahn", "gillmor", "containsgpgtodo", "gprof output", "flat profile", "gretl", "gretl genr", "variable", "grads", "fronzek", "grid analysis", "display system", "grads scripting", "variables syn", "gnashkeyword", "gnashcomment", "gnashtodo", "solreadonly", "solsafedir", "john marshall", "jmarshall", "pedro alejandro", "lpezvalencia", "ddd0xx", "pager", "terminal", "chainloader", "groovytop", "exception", "groovy", "debug hi", "gtk theme", "packer", "conceal", "json syntax", "single", "trailing commas", "fixme note", "gnu server", "pages", "source html", "include java", "redefine", "argc argv", "begin begg", "end endg", "graph", "vim source", "matchlist", "vimsrcdir", "both", "getqflist", "cent", "kword", "c function", "small", "light", "vimcontinue", "endstr", "gensynvim", "vim9 syn", "vimexprlist", "magic", "hamlrubytop", "hamlcomponent", "hamltop", "haml", "hamlhtmltop", "david fishburn", "sun oct", "hamster classic", "hamster", "harepostfix", "hare", "vim syntax", "amelia clarke", "selene", "haredoc", "miscellaneous", "haste", "vlsi ic", "c preprocessor", "09afaf", "treat", "varid", "error let", "hbfilename", "hbhtmlstring", "hbhtmltagn", "hbhtmltag", "hbdirectivelib", "hbdirectiveset", "hbdirectiveout", "kkmmgg", "upstream", "a block", "szskkzes", "vim program", "restorer", "defunct", "aprl", "helplang", "intel hex", "sams ricahrd", "data digit", "folding data", "records", "record syn", "ignore hi", "vim help", "ident", "dana edwards", "danaedwards", "ic design", "preprocessor", "spacings", "resolutions", "ranges", "slhg", "hgcommitdiff", "sapling", "ken takata", "kentkt", "max coplan", "float hi", "hls playlist", "benot ryder", "comment line", "hogvar", "hogopnot", "hognumber", "hogipaddr", "hogcomment", "hogport", "hogoprange", "hogcomment syn", "hogstring", "bind", "elseif", "html template", "dennis", "htmltop", "htmljavascript", "onas", "htmlxml", "idem", "aria", "m4top", "htmlm4", "htmlos", "repeat syn", "aestiva", "jason rust", "jrust", "django html", "scomment", "i3configident", "i3configstrin", "i3configvalue", "focus", "i3configsh", "i3configstrvar", "i3configcommand", "i3configcolvar", "moving", "itanium", "parth malwankar", "pmalwankar", "file version", "masm syntax", "mark manning", "markem", "allan kelly", "ibasic file", "icewm menu", "james mahler", "fri apr", "icewm", "ids menu", "icon special", "icemenu", "data language", "ajelenak", "paren hi", "paren", "billshannon", "nlps", "npro", "graphics", "iconpregroup", "icon", "wendell turner", "prelude", "inbpc", "ddspe", "leaderscopy", "fontname", "badness", "elan ruusame", "shtop", "value", "args", "substituted", "macros", "ipfspecial", "ipftodo todo", "hendrik scholz", "hendrik", "openbsd pf", "ipfcomment", "xxx fixme", "donovan keohane", "syndisplay", "global", "verbextend", "double2", "snote", "david brgin", "dbuergin", "continuedoelse", "argv binpath", "cr crlf", "del debug", "eav empty", "inno setup", "my innosetup", "jason mills", "enterdisk syn", "sdsetuptype syn", "ifdef", "elif", "else", "cortopassi", "istoutspec", "peter meszaros", "pmeszaros", "istinpspec", "istcharacter", "istnumber", "istcomment", "jamcommentgroup", "jamparengroup", "ralf lemke", "xxx syn", "jargon file", "dan church", "label let", "javascript", "jls17", "see https", "javatop", "javadoctags", "javahtml", "tx0cr", "javamarkdown", "markdowninline", "jinja", "jinja template", "names syn", "standard jess", "jess", "paul baleme", "pbaleme", "jonas munsin", "xaxis yaxis", "x cross", "number let", "javacc", "java compiler", "javasoft", "vim compiler", "vito", "doc comment", "note xxx", "jspjava", "java server", "rgarciasuarez", "darren greaves", "patch", "thomas kimpton", "software", "eli parra", "json keywords", "jsonc", "izhak jakov", "izhak724", "acknowledgement", "kevin locke", "remove syntax", "json5", "mazunki hoksaas", "guten ye", "ywzhaifei", "syntax setup", "endz1", "kconfigconfigif", "abstract", "juliaexprsnodot", "regex", "naninf", "kdlnumber", "kdlnumber d", "aram drevekenin", "kotlin", "generated", "annotation syn", "kix2001 syn", "kixtart", "handle", "trap", "michael piefel", "entwurf", "cpp mode", "preproc", "error highlight", "storageclass", "delimiter", "sysvars", "false true", "kivy", "corey prophitt", "corey", "load python", "kivy language", "define kivy", "lace", "jocelyn fiat", "constants syn", "latte", "nick moffitt", "pre tag", "elsa", "glapagrossklag", "riley bruins", "ribru17", "keywords syntax", "sections memory", "overlay phdrs", "version include", "absolute addr", "names", "ldapconfcomment", "iso dialect", "modula2 dialect", "modula2 input", "styles", "error endif", "august", "pim dialect", "modula2", "longbitset", "procedure", "r10 dialect", "sto dos", "ldap ldif", "zak johnson", "zakj", "less", "jenoma", "todo optimize", "orce", "arset", "prox", "cache", "agent", "haskelltop", "lhstexcontainer", "ian lynagh", "tex markup", "bird style", "markdown style", "tex style", "lexccode", "user code", "flex", "van engelen", "patrick texier", "lifelines", "xref tag", "liquid", "liquidstatement", "yaml front", "matter", "liquidyamltop", "acdfmnrstuklp", "lilonumber hi", "number list", "niels horn", "lite", "liteinside", "lutz eymers", "ixtab", "email", "sql syntax", "errmsg", "livebook syntax", "lisplistcluster", "clisp ffi", "standard lisp", "keyword lispkey", "litestepdir", "litestep rc", "nethood", "winnt", "lotos", "is8807 syn", "specifications", "is8807", "daniel amyot", "damyot", "wed aug", "except", "logtalk", "logtalk entity", "term", "logic", "chfnauth", "chshauth", "createhome", "defaulthome", "lout", "report", "lambdaprolog", "teyjus", "vim version", "general", "lpccommentgroup", "lpcefungroup", "nodule", "lpcparengroup", "lpcpreprocgroup", "echo", "poet", "timo frenay", "timo", "labels syn", "lotusscript", "taryn east", "ultraedit", "textpad", "activateapp as", "base beep", "call case", "scott bigham", "colorterm", "luau", "marcus aurelius", "farias", "carlos augusto", "collapsebrtags", "lynx web", "lynx", "todo note", "uploader", "lyrics", "lrcnumber", "quake", "operators", "hascbackend", "pkg syn", "definelib syn", "definepgm syn", "importm3lib syn", "fleiner", "mainsyntaxm4", "mailquoteexps", "mail", "felix von", "leitner", "am est", "ascii character", "froms", "mallard", "jhradilek", "mallard markup", "draft", "skipnl", "roland hieber", "overrule", "ostype", "manconfcomment", "build", "suffix", "mason", "perltop", "hinrik rn", "sigursson", "pentium", "abgl", "ceopsz", "offset", "align", "floatingpoint", "vpmaxsq syn", "integer", "maple", "release", "focus master", "define syntax", "filename suffix", "segname segtype", "mtaddon", "matlab", "alex burka", "bbddeess", "all functions", "except keywords", "maxima", "robert dodier", "mermaid", "craig maceahern", "4857192255", "self", "accdescr", "click", "meson", "liam beguin", "zpetkovic", "disabler", "wikitop", "containshtmltag", "wikitableformat", "mediawiki", "yakov lerner", "rfc3339", "james vega", "zsdze", "melgroup", "maya extension", "robert minsk", "jason franklin", "sunghyun nam", "goweol", "mudunuri", "version info", "ctrlh syntax", "markdown", "matchstr", "metafont", "page", "latest revision", "magic point", "spam", "xfont vfont", "gero kuhlmann", "gero", "snmpv1", "snmpv2 mib", "martin smat", "msmat", "david pascoe", "pascoedj", "ax16", "donald knuth", "taocp", "mmix", "dirk hsken", "knuthstyle", "precondit endif", "pcimapfile", "parportmapfile", "model", "nil nil", "true syn", "symbols", "mmatop", "stub", "peter funk", "getdialect", "timo pedersen", "dat97tpe", "whitespace", "any array", "mookeyword", "dilnt", "multiplication", "mojonumber", "mojo", "stuff", "monk", "seebeyond", "mike litherland", "dirk van", "deun", "metapost", "manual", "autosync", "dumpvideo", "loadidx", "rawvideo", "tsprog", "color", "tabtitle", "am cdt", "pm est", "dummy", "ms message", "kwl7", "common ms", "messages", "ms idl", "vadim zeitlin", "vadim", "msql", "env variables", "inlclude", "modsim iii", "philipp jocham", "march", "actid all", "and as", "murphi model", "diego ongaro", "integers", "nspemit", "switch", "mushcode syntax", "rick bird", "clock", "dbck", "dump", "hook", "motd", "notify", "nuke", "restart", "snoop", "stats", "teleport", "attributes", "prettyprint", "libpath", "promylibdir", "attributes syn", "mupad source", "dave silvia", "dsilvia", "ymwd", "cciskaf", "float", "mysql", "pronovici", "encrypt", "namednotnumber", "nick hibma", "location", "marcin", "chaos", "dmap", "modules", "control section", "nastran", "tom kowalski", "any integer", "n1ql", "eugene ciurana", "merge syn", "nest syn", "pr3d4t0r", "vim command", "natural", "nasm", "iend", "movs", "time", "interval", "size", "directory cache", "cache buffers", "minimum file", "count", "daylight", "miner", "keith smiley", "login", "netrwtreegroup", "diffchange hi", "netrw listing", "toplevel", "readtoken", "nixexpr", "daiderd jordan", "daiderd", "region match", "bufenter", "syntax event", "synset", "checked", "muttvars", "neomutt", "bounce", "nsisanyopt", "statements", "nsis", "music", "rcx2", "scout syn", "rcx2 syn", "nqcparengroup", "rcx syn", "nqccommentgroup", "modes", "scout", "stefan", "module", "nginx module", "nginx", "http", "gost", "comet", "speed", "sphinx", "curv", "mtllibs", "exmaintainer", "anthony hodsdon", "objc syntax", "odin", "ms44", "and or", "occamnumber", "group", "omnimark", "paul terray", "mailto", "activate again", "catch clear", "close copy", "ocamltypeexpr", "ocamlallerrs", "jon parise", "ondirshell", "operator let", "objc type", "smes12", "qualifiers", "smes7", "smes19", "preparation", "protected", "structure hi", "openscad", "niklas adam", "luis moreno", "abort all", "alter and", "any as", "asc at", "oplstatement", "oplnumber", "open psion", "epoc16epoc32", "af09", "openvpn", "openvpnnumber", "openvpnsignal", "hupinttermuser", "containstop", "keepend", "eval", "menumode", "endurance", "blade", "illusion", "sneak", "onload", "disablemouse", "getclass", "notes todo", "containsallbut", "spells", "ronan pigott", "ronan", "alpm", "tcpip", "gclckprocs syn", "oracle config", "sandor kopanyi", "oraall", "protocol syn", "bequeath syn", "latest change", "haochen tong", "withconceal", "inlinecode", "super", "pappperl", "papphtml", "cdata", "perlinterpdq", "marc lehmann", "perlexpr", "config file", "lennart schultz", "string keywords", "protobuf text", "lakshay garg", "crgut", "tim chase", "austin", "pcctsinrule", "cpptoplevel", "pccts", "nextstep syn", "openbsd packet", "lauri tirkkonen", "sloadsanchor", "phtml", "perlinterpsq", "perlinterpmatch", "perlinterpslash", "perldata", "portb syn", "intcon syn", "gie eeie", "t0ie inte", "rbie t0if", "intf rbif", "microchip", "pdfxml", "nrtbf", "font", "palm os", "schau", "font id", "beware", "data syn", "postfix", "kelemen peter", "peter", "kelemen", "anton shestakov", "pikestmt", "pikebadgroup", "pike", "pine", "thu feb", "macro let", "httpviewer", "infopath", "longmanuallinks", "filter0xb7", "plaintexmath", "glue", "acute", "cdhoopstuvijll", "rrowvert", "skewsqrt", "mega", "phpinnerhtmltop", "phpclfunction", "phpcltop", "refer", "cphil", "number support", "c language", "does", "address and", "dword", "juerd", "plpperl", "plpend syn", "counter syn", "pl1commentgroup", "pl1parengroup", "declare dcl", "procedure proc", "loops", "podformat", "ibsclfx", "perl pod", "poe item", "show hide", "minimal", "address", "obsolete", "openclose", "bjoern jacke", "bjacke", "povray", "syntax syn", "off true", "false yes", "ppwizard", "dennis bareis", "ppwizargval", "constants", "plsqlparengroup", "oracle", "plsql", "klaus muth", "klaus", "altf amcr", "arc asfn", "astk barc", "blk box", "call syn", "cass cir", "melchior franz", "mfranz", "sonia heimann", "todo tbd", "privoxy", "prolog", "promela", "mon oct", "thu aug", "promela types", "class linking", "ps ll3", "dsc comment", "device gstate", "ps level", "postscrstring", "escaped", "matrix", "courier", "buffers", "redistributions", "this software", "including", "but not", "limited to", "pbcommentgrp", "google", "az09az", "posix", "rex barzee", "rexbarzee", "aclqrv", "a af", "ag ax", "e ef", "eg ex", "certain", "ps1comment", "purify header", "informational", "warning", "corrupting", "fatal", "haakon riiser", "hakonrk", "c syn", "pypa", "commands syn", "globs", "line break", "pyrex", "marco barisione", "python syntax", "olor", "chars", "progress", "ation", "progressdebug", "progressnumber", "edure", "progresstodo", "eter", "daniel", "sage", "widget", "rage", "python library", "reference", "quarto", "aquino", "vim runtime", "quickfix", "directory hi", "hee1", "lookdown lookup", "quakeoctalerror", "quake12command", "noprefix", "console", "onoff", "qb64", "z2z1", "qmlexpr", "radiance scene", "georg mischler", "radiance", "greg ward", "surface", "raccruby", "rule", "racc input", "dobie", "xdobie", "handling", "vector", "types syntax", "raml", "restful api", "hopkins", "rofi advanced", "pierguill", "common rc", "resource", "heiko erhardt", "language syn", "bitmap icon", "cursor cursor", "cmash", "ratpoison", "magnus woldrich", "djkea2", "bulls eye", "force control", "number syn", "rapid", "azazxc0xff", "azazxc0xff09", "rakuinterpqq", "rakuregexen", "rakuregexp5", "rcs log", "joe karthauser", "rcs file", "revision", "yyyy", "rebol", "yer todo", "words syn", "view", "view tabs", "spaces", "vicharsearch", "viprevword", "viendword", "visearchagain", "vinextword", "registry key", "registry export", "ulitin", "head", "regedit4", "win9", "bytes", "paths", "xxx bug", "davide alberani", "remind", "ben orchard", "rem omit", "mit license", "raimon49", "permission", "software is", "resolvipcluster", "ipv6 support", "09azaz", "radu dineiu", "hidesymbol", "r help", "r code", "epsilon", "kappa", "slabelsk", "over", "relax ng", "containsrnctodo", "rnoweb", "highlighting", "rnowebr", "ranke", "ferraz pereira", "rosa", "extension", "bytestream", "andrew bromage", "frameend", "worldbegin", "worldend", "attributebegin", "attributeend", "todo improve", "handles", "todo are", "redif", "axel castellane", "templatetype", "and add", "alex zvoleff", "configuration", "r syntax", "syntaxrpcgen", "mikrotik", "cidr notation", "cycle", "exit", "catch", "rpl2", "rmdlatex", "yaml header", "highlight code", "rmdr", "text format", "rich text", "control words", "new control", "rstcruft", "salt state", "jinja runtime", "star", "disallow syn", "disallow", "samba", "new maintainer", "ntlmv2 syn", "synfold", "rubymodifier", "sasbasicsyntax", "add syntax", "sasgraph", "yrdif yyq", "template", "mixin", "extend", "return", "steven dobay", "stevendobay", "sather", "science", "institute", "dede", "scilab", "benoit hamelin", "containedgroup", "preproc syn", "aclchg", "acldel", "aclgrp", "aclumask", "lockscreen", "zombie", "scss", "puria nafisi", "azizi", "always", "ip adresses", "verify", "synopsys design", "constraints", "tcl vim", "thu mar", "tcl syntax", "tcl extension", "xor syn", "task else", "nextstate syn", "in out", "with from", "ebcdic", "closedelay", "txtrigger", "spdnormal", "portd", "comment hilink", "sexplib", "atoms syn", "lists", "clst", "sgml charset", "capacity scope", "features", "baseset descset", "simple", "shfoldheredoc", "shfoldifdofor", "shlooplist", "shfunctionlist", "shidlist", "shecholist", "shcaselist", "shdblquotelist", "provides", "sgml specific", "space crlf", "dquote syn", "percent", "mp luacall", "alephversion", "uchar", "udelimiterunder", "umathchardef", "umathruleheight", "umathstackvgap", "umathxscale", "uoverwithdelims", "hai tp", "bestanden", "hanya dalam", "fiierele", "tp tin", "aemacron amstex", "aacute", "abrevehook", "afterpar", "agrave ahook", "amstex amacron", "atilde", "beforepar beta", "bigm", "delta", "oldstable", "experimental", "bullseye", "trixie", "forky", "focal", "jammy", "devel", "buzz", "maverick", "keyword syntax", "typescriptvalue", "title syntax", "typescripttype", "blabla", "sicad", "zbranyiczky", "irpt", "irptl", "mes1", "swift project", "simula", "simula syn", "keyword end", "when", "nagle", "main url", "comparison", "load sinda", "on si", "off eng", "sieve", "skill", "nsqn", "dirfile", "pnamestring", "pathversion", "schemeskill", "afterbefore", "tolist", "renderman", "dan piponi", "specialkey hi", "headers", "nontext hi", "jan hlavacek", "xuserblock", "for loop", "userblock", "null syn", "tracedrop", "daheartbeat", "slpregcomment", "spi file", "private public", "slrn score", "preben peppe", "guldberg", "age bytes", "syntaxsm", "smarty", "mon nov", "constant", "slice", "zeroc", "morel bodin", "smcl", "stata markup", "jeff pitblado", "jpitblado", "statasmcl", "directive", "smith", "smil", "herve foucher", "smil boston", "animation syn", "smlallerrs", "smlaenoparen", "fabrizio zeno", "cornelli", "zeno", "snns network", "snns http", "lln lun", "toff soff", "ctype syn", "snns", "maximum", "maximum output", "stringcomment", "initvalvalstr", "mono", "snobol4", "rafal sulejman", "site", "csnobol", "parens", "cothi", "afpnumkg", "spice circuit", "noam halevy", "insensitive syn", "spice", "splintallstuff", "splintannotelem", "ralf wildenhues", "splint home", "c code", "purpose", "buildinstall", "linux rpm", "freund", "ormeir", "wed oct", "spyce", "rimon barr", "rimon", "spupordinary", "input output", "spuptextproc", "type stream", "bugs", "execution", "snns result", "fishburn", "thu sep", "sqloracle", "buffer", "sqlforms", "austin ziegler", "prev change", "todo find", "xpos", "java syntax", "sqlj", "sap hana", "upper case", "upper", "schema syn", "user syn", "memory database", "sql syn", "spl syn", "comment syntax", "query language", "adaptive server", "anywhere", "xpscanf syn", "methods syn", "starea syn", "stcentroid syn", "stperimeter syn", "paul moore", "oracle nquote", "diffadd hi", "diffchange let", "section", "query report", "writer", "nathan stratton", "treadway", "jeff lanzarotta", "squid", "thanksto", "ilya sher", "iso8601", "subrip", "range syn", "ddd skipwhite", "bold", "sections syn", "override", "smalltalk", "arndt hesse", "hesse", "openssh client", "jakub jelen", "jakuje", "dominik fischer", "openssh server", "conditional", "repeats", "types", "globals", "statafuncgroup", "statamacrogroup", "stataparengroup", "rmcoll syn", "invftail", "invibeta", "haseprop", "mata", "structurizr dsl", "venthur", "hsiaoming yang", "lepture", "marc harter", "sudoersuser", "lazy", "generic", "swig", "julien marrec", "apache license", "runtime library", "vim maintainer", "emir sari", "nowarn", "i3confignumvar", "endze", "josef litos", "james eapen", "nargs syncolor", "nargs synlink", "syncolor type", "syncolor ignore", "syncolor added", "preproc synlink", "type synlink", "special synlink", "budden", "ingo karkat", "myk taylor", "install syntax", "syntax au", "systemverilog", "verilog syntax", "tads", "amir karger", "karger", "history info", "syntaxtags", "tak2", "tak3", "tak2000", "tak compare", "tak output", "load tak", "tar listing", "type let", "john florian", "wed jul", "key names", "values", "characters", "uuids syn", "rufus cable", "verbose tap", "rufus", "tap output", "pass", "foolman", "cmovsetj", "borland", "united force", "vector graphics", "verbose", "known template", "xfire user", "tcshvarlist", "tcsh", "gautam iyer", "ttlconstant", "term language", "tera term", "kcpy kcrt", "eenlrtbfs", "xhp xhpa", "xt xenl", "msgr", "tclspecialc", "tcltk", "taylor venable", "taylor", "system", "geometry", "tss syn", "typescript", "kao weiko", "jose elera", "campana", "zhao yi", "scott shattuck", "irc channel", "freenode", "vim filetype", "andy lester", "tt2topcluster", "typescriptreact", "react", "strpart", "include perl", "rawperl", "moriki", "atsushi", "ucnumber", "unrealscript", "openwrt unified", "colin caine", "fancy", "normal let", "typstcode", "matchgroupnoise", "noise highlight", "hashtag", "typstmarkup", "noise", "motif uil", "user interface", "thomas koehler", "september", "import hi", "anton", "prunefs", "prunenames", "prunepaths", "prunebindmounts", "upstart", "upstart job", "michael biebl", "biebl", "james hunt", "archivebit syn", "datelimit syn", "daysold syn", "deleted syn", "destination syn", "dirsonly syn", "drivealias syn", "filedate syn", "filedelete syn", "files syn", "msid", "innovation data", "rob owens", "ull ulls", "msg types", "ip address", "agtpcsrv", "profile", "version date", "ms windows", "action devpath", "valgrind memory", "debugger output", "roger luethi", "program url", "christoph gysin", "valve data", "tag syn", "wend", "prather", "pratam", "minor", "iskeyword", "xnor xor", "veraparengroup", "veralabelgroup", "vhdl", "linting", "vhsic", "high speed", "new style", "verilog", "mun johl", "485763", "vos cm", "andrew mcgill", "az syn", "bwlfdgh", "fdgh", "bwlqofdgh", "psect", "virata aconfig", "virata", "viratahexnumber", "execoptions", "ewind", "uffer", "malt", "wind", "vrmlevents", "vrmlfields", "vrmlcomment", "vrmlprotos", "vrmlnodes start", "externproto", "proto", "vgrindefs", "vgrindefs file", "profilesetzss", "java source", "parmp", "novimmain", "extern", "mswin", "featguimswin", "vimdll", "editnone", "level", "heading level", "vimtestsetup", "noop", "java language", "nontext", "returns", "chapter", "annotations", "labels", "text text", "tag head", "void", "htmlsnippets", "object", "object apply", "object bb", "no operation", "u003b", "n value", "pair", "long", "generics", "predicate", "vimtestsetup hi", "error import", "nontext class", "see jls", "declaration", "taggable", "binaryoperator", "i1 x", "i1 y", "string str", "taggable i1", "letters", "letters alpha", "letters beta", "tag tail", "use identity", "supplier", "tests", "identity", "comparable", "intfunction", "a dummy", "tggabl", "string s", "string tostring", "do not", "this file", "indent4", "indent2", "indent8", "tggabls", "fields", "classlock", "defines demo", "testable", "serviceloader", "malformed", "woof", "string s1", "string s2", "browns", "jumpss", "string s4", "string s6", "string apply", "string bay", "as quick", "woofs", "beta", "yieldable", "t yield", "other", "colon", "arrow", "unfoldenable", "italic", "strikethrough", "bold italic", "foobar", "modula2 pim", "test file", "colouring", "is licensed", "under the", "from system", "modula2 iso", "retain", "to do", "modula2 r10", "unsafe", "cardinal", "var abc", "variableb", "variablec", "var3", "var4", "var5", "var6", "variablea", "variabled", "variablee", "variable3", "varb", "variable1", "variable2", "varc", "vard", "variable4", "function1", "function4", "function2", "function3", "eq ne", "gt ge", "le lt", "ne gt", "ge le", "variableathis", "valsubfunc", "below", "reply", "issue", "cfoo", "ifoo", "interrupt", "ctrlc", "e123 catch", "varvalue", "cdpath", "backuptype", "defaultdevice", "executefbackup", "shall", "please wait", "buffer foo", "nargs range", "completer1 foo", "completer2 foo", "foo2", "bang", "nargs foo", "foo delcommand", "multiline", "commenttitle", "end augroup", "autocmd", "fixme call", "matched", "start not", "end not", "end call", "xterm call", "givename", "vim9", "test const", "foo def", "ex command", "dict", "end endfunction", "end enddef", "answer", "warningmsg", "endwhile", "dotest3", "dotest4", "dotest5", "dotest6", "test1", "test2", "test3", "test4", "test5", "funa", "dofuna", "funb", "dofunb", "func", "dofunc", "fund", "dofund", "foo delfunction", "foo function", "foo comment", "foo none", "guifg", "comment none", "ctermfgcyan", "end end", "end let", "end line", "end line1", "a basic", "rhs map", "foo bar", "fubar", "needle", "foogroup foo", "foogroup", "homeinclude", "defabc", "snomagicfoobar", "smagicfoobar", "special", "line comment", "b special", "char0x0044", "testcluster", "cchar", "keywords list", "vim line", "element", "x1f xf", "31 3", "u02a4 u000002a4", "string escape", "hexadecimal", "0xff echo", "decimal", "octal echo", "0377 echo", "vim shebang", "instance", "pairclasstest", "vim keymap", "end const", "expr", "foo unlet", "vim comment", "vim9 ex", "end foo", "xterm foo", "eof foo", "vim9script", "s vim9script", "12345", "0b10101010", "192939", "0777", "0o777", "0xabcdef00", "0x12345678", "runtest", "rticle", "syntax test", "file 0", "dougkearns", "2024 jun", "13 0", "test failures", "when comparing", "italicized text", "eading level", "igure", "eader", "frame", "diomatic text", "nput", "utput", "icture", "rogres", "cript", "earch", "ection", "elect", "reformat", "failure 0", "egend", "oscript", "bject", "ptgroup", "ption", "trong", "tyle", "able", "emplate", "extarea", "itle", "ource", "olgroup", "atalist", "etails", "ialog", "ieldset", "igcaption", "eleted text", "mphasis", "mbed", "side", "udio", "lockquote", "anvas", "aption", "ring at", "ideo", "cronym", "rame", "rameset", "arque", "enuitem", "rack", "narticulated an", "oframes", "trike", "ortal", "aram", "trikethrough", "highlighted", "elements have", "never be", "mage", "interface 0", "efault 0", "mport 0", "redundant", "tail", "alue", "nterface 0", "primer", "label 0", "tatic 0", "oid 0", "edundant", "identity cast", "expres", "to nest", "typeuse an", "htmlcom", "here is", "snip", "tmlsnip", "egion 0", "literal", "html com", "no entry", "point method", "code main", "return 0", "code nul", "eturn 0", "noop1", "may be", "used after", "noop2", "literalu0", "is proces", "return 8", "noop5", "nbsp", "noop6", "noop7", "link j0", "javaignorej0", "vimtestsetup s0", "fen 0", "nt 0", "majorversion", "empty string", "rotected 0", "compares this", "instance with", "the pas", "code that", "no period", "for the", "above sum", "rivate 0", "htmlsnip", "return an", "link m0", "execute", "match visual", "fen c0", "ref0", "literals", "clas", "tostring", "start 0", "ostring 0", "replace 0", "ubstring 0", "noop8", "noop9", "markdowncom", "arkdownsnip", "markdown com", "code public", "the method", "must be", "declared", "code 0", "the major", "java version", "used with", "inal 0", "markdownsnip", "blanks and", "re 0", "static void", "param a0", "rgs 0", "optional c0", "arguments 0", "invoke", "nontext 0", "hrow 0", "ew 0", "object module", "object open", "exports opens", "requires", "bject 0", "eplacement 0", "ar 0", "opens", "object opens", "object provides", "object requires", "object to", "uses", "xtends 0", "mplements 0", "ealed 0", "ermits 0", "bstract 0", "c1 i0", "noop3", "noop4", "a sum", "foldingtests", "static", "object b", "escapestests", "static final", "string hel", "har 0", "0ffffff0", "1200", "1210", "1230", "1240", "1250", "1260", "1270", "1300", "1310", "2040", "3240", "0100", "0120", "0130", "0140", "0150", "0160", "0170", "0200", "0210", "0230", "biginteger", "t1 x", "uper 0", "e element", "radix", "ecord 0", "tatic", "t dum", "isempty", "ublic 0", "ase 0", "ong 0", "witch 0", "genericstests", "todo 0", "3400", "3410", "3420", "3430", "3450", "3460", "3470", "3500", "3510", "3520", "sempty", "opal", "opsome", "ushal", "ushsome", "adix", "romdecimal", "lambdaexpres", "leftconst07", "leftconst08", "leftconst09", "i1 0", "leftconst10", "leftconst1", "leftconst01", "leftconst02", "leftconst03", "leftconst04", "leftconst05", "leftconst06", "leftconst", "const1", "const2", "witch", "hen 0", "alpha w0", "beta w0", "equals", "leftconst12", "typearguments", "identifier 0", "nteger", "ashcode", "omparable", "ry 0", "atch 0", "unction", "tring", "length", "ntfunction", "intsup", "clone", "naryoperator", "alueof", "quals", "redicate", "equalist", "gymnastics for", "ipredicate", "superequalist", "ethodhandle", "invokepredicate", "methodhandle mh", "throwable th", "a dum", "b dum", "t extends", "stringer", "ostring", "ntvalue", "onsumer", "println", "uperequalist", "nvokepredicate", "ethodhandle mh", "remember", "num 0", "asci", "stylable", "t e0", "tringer", "ative 0", "ynchronized 0", "trictfp 0", "thread", "qualist", "ransient 0", "methodstests", "string t0", "la s", "string name", "equires 0", "odule 0", "this module", "to the", "sample project", "published at", "mport m0", "related sup", "ransitive 0", "xports 0", "pens 0", "jdk 23", "ses 0", "rovides 0", "ith 0", "doautocmd", "syntax 0", "0xp0", "ouble 0", "minusoned", "xap1", "doto", "numberstests", "ouble", "loat 0", "maxdecf", "maxhexf", "mindecf", "minhexfa", "minhexfb", "maxdecd", "maxhexd", "minhex", "minoct", "minbin", "minusonehex", "minusoneoct", "minusonebin", "maxhexl", "maxoctl", "minusonehexl", "minusoneoctl", "minusonebinl", "jdk 21", "object o", "rue 0", "alse 0", "stringtests", "a quick", "brown fox", "jumps over", "the lazy", "there are", "lf after", "jumps0", "ver the0", "a nested", "string ap", "brown", "jumps", "over the", "nested com", "switchtests", "ield", "a or", "ield 0", "yte 0", "1let", "hort", "hort 0", "nofoldenable 0", "0000 0", "unfoldingtests", "reak 0", "old italic", "s1024", "talic", "inheritdoc", "object ap", "hile 0", "for vim", "file is", "licensed under", "the vim", "license 0", "efinition 0", "rom 0", "predefined", "ype 0", "ointer 0", "il 0", "nter", "ninter", "octal", "pragmas", "with emphasis", "opyright 0", "uthor 0", "fred flintstone", "icense 0", "baz bam", "ispose 0", "oc 0", "ord 0", "dr 0", "ast 0", "size 0", "rocedure 0", "egin 0", "nd 0", "ixme 0", "eprecated 0", "procedures", "ewfo", "nteger 0", "disabled", "hile fo", "do 0", "while", "synonyms", "itset 0", "roc 0", "roces", "ewproces", "ransfer 0", "ystem 0", "ongcard 0", "bozo bim", "dada jingle", "etbar", "lias 0", "defined pragmas", "numeric", "xcafed0", "inline", "noinline", "implementation", "cho 0", "this for", "done", "is a", "very handy", "solution and", "no real", "replacement", "available", "unction1", "a text", "shel", "his is", "home 0", "ariable10", "this is", "with a", "nset 0", "962 0", "f true", "unab", "abclear 0", "bclear 0", "java module", "changefilename", "restorefilename", "todo highlight", "author", "antonio colombo", "delete", "processing", "hebrew" ], "references": [ "vimrc", "bugreport.vim", "evim.vim", "delmenu.vim", "defaults.vim", "ftplugof.vim", "ftoff.vim", "gvim.desktop", "ftplugin.vim", "gvimrc_example.vim", "indent.vim", "indoff.vim", "mswin.vim", "scripts.vim", "optwin.vim", "vim.desktop", "menu.vim", "vimrc_example.vim", "synmenu.vim", "filetype.vim", "Make_mvc.mak", "Make_all.mak", "README.ru.utf-8.txt", "README.txt", "tutor", "tutor.bar.utf-8", "tutor.ca.utf-8", "tutor.bg.utf-8", "tutor.cs.utf-8", "tutor.da.utf-8", "tutor.de.utf-8", "tutor.el.utf-8", "tutor.eo.utf-8", "tutor.es.utf-8", "tutor.fr.utf-8", "tutor.hr.utf-8", "tutor.ja.utf-8", "tutor.hu.utf-8", "tutor.it.utf-8", "tutor.ko", "tutor.ko.utf-8", "tutor.lt.utf-8", "tutor.lv.utf-8", "tutor.nb.utf-8", "tutor.nl.utf-8", "tutor.no.utf-8", "tutor.pt.utf-8", "tutor.pl.utf-8", "tutor.ru.utf-8", "tutor.tr.utf-8", "tutor.sr.utf-8", "tutor.sv.utf-8", "tutor.sk.utf-8", "tutor.vim", "tutor.zh_cn.utf-8", "tutor.utf-8", "tutor.vi.utf-8", "tutor.uk.utf-8", "tutor.zh_tw.utf-8", "tutor.zh.utf-8", "vimspell.txt", "xcmdsrv_client.c", "ref", "vim132", "vimm", "vim_vs_net.cmd", "shtags.1", "unicode.vim", "shtags.pl", "ccfilter_README.txt", "blink.c", "efm_filter.txt", "demoserver.py", "ccfilter.c", "efm_filter.pl", "ccfilter.1", "efm_perl.pl", "pltags.pl", "mve.txt", "emoji_list.vim", "mve.awk", "a65.vim", "aap.vim", "abap.vim", "abc.vim", "abel.vim", "abaqus.vim", "acedb.vim", "a2ps.vim", "ada.vim", "ahdl.vim", "8th.vim", "aflex.vim", "aidl.vim", "2html.vim", "alsaconf.vim", "amiga.vim", "ampl.vim", "antlr4.vim", "apachestyle.vim", "apache.vim", "antlr.vim", "ant.vim", "aml.vim", "arch.vim", "aptconf.vim", "arduino.vim", "art.vim", "asm.vim", "asciidoc.vim", "asn.vim", "aspperl.vim", "asm68k.vim", "aspvbs.vim", "asteriskvm.vim", "atlas.vim", "asy.vim", "autodoc.vim", "autohotkey.vim", "autoit.vim", "automake.vim", "ave.vim", "asmh8300.vim", "avra.vim", "awk.vim", "astro.vim", "ayacc.vim", "asterisk.vim", "bash.vim", "b.vim", "bdf.vim", "bib.vim", "basic.vim", "bindzone.vim", "bc.vim", "blank.vim", "bitbake.vim", "bsdl.vim", "bst.vim", "bzl.vim", "btm.vim", "bzr.vim", "baan.vim", "cabal.vim", "cabalconfig.vim", "cabalproject.vim", "c.vim", "catalog.vim", "cdl.vim", "cdrdaoconf.vim", "cfg.vim", "cgdbrc.vim", "cf.vim", "cdrtoc.vim", "ch.vim", "chaiscript.vim", "change.vim", "chaskell.vim", "changelog.vim", "chatito.vim", "cheetah.vim", "chicken.vim", "chordpro.vim", "chill.vim", "calendar.vim", "chuck.vim", "clean.vim", "clipper.vim", "cmakecache.vim", "cl.vim", "cmod.vim", "cmusrc.vim", "coco.vim", "colortest.vim", "clojure.vim", "conf.vim", "config.vim", "confini.vim", "conaryrecipe.vim", "crm.vim", "cmake.vim", "crontab.vim", "cpp.vim", "context.vim", "csc.vim", "csh.vim", "cs.vim", "csp.vim", "csv.vim", "cterm.vim", "csdl.vim", "cobol.vim", "ctrlh.vim", "css.vim", "cuda.vim", "cuplsim.vim", "cvs.vim", "cweb.vim", "cvsrc.vim", "cucumber.vim", "cupl.vim", "cynpp.vim", "cynlib.vim", "deb822sources.vim", "dcd.vim", "d.vim", "dcl.vim", "dart.vim", "debchangelog.vim", "debcontrol.vim", "datascript.vim", "debcopyright.vim", "def.vim", "dep3patch.vim", "denyhosts.vim", "debsources.vim", "desc.vim", "dictconf.vim", "dictdconf.vim", "diff.vim", "dircolors.vim", "dirpager.vim", "diva.vim", "desktop.vim", "django.vim", "dns.vim", "docbksgml.vim", "docbkxml.vim", "docbk.vim", "dockerfile.vim", "dosbatch.vim", "dosini.vim", "dot.vim", "dracula.vim", "dsl.vim", "dtml.vim", "doxygen.vim", "dts.vim", "dtrace.vim", "dtd.vim", "dune.vim", "dylanintr.vim", "dylanlid.vim", "dylan.vim", "dnsmasq.vim", "editorconfig.vim", "edif.vim", "ecd.vim", "elmfilt.vim", "elf.vim", "elinks.vim", "eiffel.vim", "elm.vim", "erlang.vim", "esmtprc.vim", "esqlc.vim", "esterel.vim", "euphoria3.vim", "eterm.vim", "eruby.vim", "euphoria4.vim", "exim.vim", "expect.vim", "exports.vim", "eviews.vim", "fasm.vim", "fdcc.vim", "falcon.vim", "fan.vim", "fetchmail.vim", "fgl.vim", "fish.vim", "flexwiki.vim", "focexec.vim", "fpcmake.vim", "forth.vim", "form.vim", "framescript.vim", "foxpro.vim", "fortran.vim", "freebasic.vim", "fvwm2m4.vim", "fstab.vim", "fvwm.vim", "gdmo.vim", "gdresource.vim", "gdb.vim", "gemtext.vim", "gdshader.vim", "git.vim", "gift.vim", "gedcom.vim", "gdscript.vim", "gitattributes.vim", "gitcommit.vim", "gitconfig.vim", "gitignore.vim", "gitolite.vim", "gitrebase.vim", "gitsendemail.vim", "gkrellmrc.vim", "goaccess.vim", "glsl.vim", "godoc.vim", "go.vim", "gnuplot.vim", "gp.vim", "gpg.vim", "gprof.vim", "gretl.vim", "grads.vim", "gnash.vim", "groff.vim", "grub.vim", "groovy.vim", "gtkrc.vim", "group.vim", "gyp.vim", "gsp.vim", "gvpr.vim", "update_date.vim", "README.md", "gen_syntax_vim.vim", "vim.vim.base", "haml.vim", "hamster.vim", "hare.vim", "haredoc.vim", "haste.vim", "haskell.vim", "hastepreproc.vim", "hb.vim", "hcl.vim", "help_ru.vim", "hex.vim", "help.vim", "hercules.vim", "hgcommit.vim", "hitest.vim", "hlsplaylist.vim", "hog.vim", "hostsaccess.vim", "hostconf.vim", "htmlcheetah.vim", "htmlangular.vim", "html.vim", "htmlm4.vim", "htmlos.vim", "htmldjango.vim", "i3config.vim", "ia64.vim", "ibasic.vim", "icemenu.vim", "idlang.vim", "idl.vim", "icon.vim", "initex.vim", "initng.vim", "ipfilter.vim", "inittab.vim", "inform.vim", "j.vim", "iss.vim", "ishd.vim", "jal.vim", "ist.vim", "jam.vim", "jargon.vim", "javascript.vim", "javascriptreact.vim", "java.vim", "jinja.vim", "jess.vim", "jgraph.vim", "javacc.vim", "jq.vim", "jsp.vim", "json.vim", "jsonc.vim", "json5.vim", "kconfig.vim", "julia.vim", "kdl.vim", "kotlin.vim", "kix.vim", "kwt.vim", "krl.vim", "kscript.vim", "kivy.vim", "lace.vim", "latte.vim", "lc.vim", "ld.vim", "ldapconf.vim", "iso.vim", "pim.vim", "r10.vim", "ldif.vim", "less.vim", "lftp.vim", "lhaskell.vim", "libao.vim", "lex.vim", "lifelines.vim", "liquid.vim", "limits.vim", "lilo.vim", "lite.vim", "livebook.vim", "lisp.vim", "litestep.vim", "lotos.vim", "loginaccess.vim", "logtalk.vim", "logindefs.vim", "lout.vim", "lprolog.vim", "lpc.vim", "lsl.vim", "lscript.vim", "lss.vim", "luau.vim", "lua.vim", "lynx.vim", "lyrics.vim", "m3quake.vim", "m3build.vim", "m4.vim", "mailaliases.vim", "mail.vim", "mailcap.vim", "mallard.vim", "make.vim", "manual.vim", "manconf.vim", "mason.vim", "masm.vim", "maple.vim", "master.vim", "matlab.vim", "maxima.vim", "mermaid.vim", "meson.vim", "mediawiki.vim", "messages.vim", "mel.vim", "man.vim", "markdown.vim", "mf.vim", "mgp.vim", "mgl.vim", "mib.vim", "mix.vim", "mmix.vim", "mmp.vim", "modconf.vim", "model.vim", "mma.vim", "modula2.vim", "modula3.vim", "moo.vim", "mojo.vim", "monk.vim", "mp.vim", "mplayerconf.vim", "mrxvtrc.vim", "msmessages.vim", "msidl.vim", "msql.vim", "modsim3.vim", "murphi.vim", "mush.vim", "mupad.vim", "muttrc.vim", "mysql.vim", "named.vim", "nanorc.vim", "nastran.vim", "n1ql.vim", "natural.vim", "nasm.vim", "ncf.vim", "netrc.vim", "netrw.vim", "ninja.vim", "nix.vim", "nosyntax.vim", "nroff.vim", "neomuttrc.vim", "nsis.vim", "nqc.vim", "nginx.vim", "obj.vim", "objcpp.vim", "odin.vim", "occam.vim", "omnimark.vim", "ocaml.vim", "ondir.vim", "objc.vim", "openscad.vim", "openroad.vim", "opl.vim", "openvpn.vim", "obse.vim", "opam.vim", "pamenv.vim", "pacmanlog.vim", "ora.vim", "pamconf.vim", "pandoc.vim", "papp.vim", "pcap.vim", "pbtxt.vim", "pascal.vim", "passwd.vim", "pccts.vim", "pf.vim", "phtml.vim", "perl.vim", "pic.vim", "pdf.vim", "pilrc.vim", "pfmain.vim", "pike.vim", "pine.vim", "pinfo.vim", "plaintex.vim", "php.vim", "plm.vim", "plp.vim", "pli.vim", "pod.vim", "poefilter.vim", "po.vim", "ppd.vim", "pov.vim", "povini.vim", "ppwiz.vim", "plsql.vim", "prescribe.vim", "procmail.vim", "privoxy.vim", "prolog.vim", "promela.vim", "postscr.vim", "protocols.vim", "proto.vim", "psf.vim", "psl.vim", "ps1.vim", "purifylog.vim", "ptcap.vim", "pymanifest.vim", "pyrex.vim", "progress.vim", "python.vim", "python2.vim", "quarto.vim", "qf.vim", "quake.vim", "qb64.vim", "r.vim", "qml.vim", "radiance.vim", "racc.vim", "racket.vim", "raml.vim", "rasi.vim", "rc.vim", "ratpoison.vim", "rapid.vim", "raku.vim", "rcslog.vim", "rcs.vim", "rebol.vim", "readline.vim", "registry.vim", "rego.vim", "remind.vim", "requirements.vim", "reva.vim", "resolv.vim", "rhelp.vim", "rexx.vim", "rnc.vim", "rng.vim", "rnoweb.vim", "rib.vim", "redif.vim", "rrst.vim", "rpcgen.vim", "routeros.vim", "rpl.vim", "rmd.vim", "rtf.vim", "rst.vim", "salt.vim", "robots.vim", "samba.vim", "ruby.vim", "sas.vim", "sass.vim", "rust.vim", "sbt.vim", "scdoc.vim", "sather.vim", "scilab.vim", "scala.vim", "scheme.vim", "screen.vim", "scss.vim", "sd.vim", "sdc.vim", "sdl.vim", "sensors.vim", "sed.vim", "services.vim", "sendpr.vim", "setserial.vim", "sexplib.vim", "sgmldecl.vim", "sgmllnx.vim", "sh.vim", "sgml.vim", "context-data-metafun.vim", "context-data-tex.vim", "hgcommitDiff.vim", "context-data-context.vim", "context-data-interfaces.vim", "debversions.vim", "typescriptcommon.vim", "sicad.vim", "sil.vim", "simula.vim", "sinda.vim", "sindacmp.vim", "sindaout.vim", "sieve.vim", "skill.vim", "sl.vim", "sisu.vim", "slang.vim", "slpconf.vim", "slpreg.vim", "slpspi.vim", "slrnsc.vim", "sm.vim", "smarty.vim", "slice.vim", "smcl.vim", "smith.vim", "smil.vim", "sml.vim", "snnsnet.vim", "snnspat.vim", "slrnrc.vim", "snobol4.vim", "solidity.vim", "spice.vim", "splint.vim", "spec.vim", "specman.vim", "spyce.vim", "spup.vim", "snnsres.vim", "sql.vim", "sqlforms.vim", "sqlj.vim", "sqlhana.vim", "sqlinformix.vim", "sqlanywhere.vim", "sqloracle.vim", "srec.vim", "sqr.vim", "squirrel.vim", "squid.vim", "srt.vim", "ssa.vim", "st.vim", "sshconfig.vim", "sshdconfig.vim", "stp.vim", "stata.vim", "strace.vim", "structurizr.vim", "stylus.vim", "sudoers.vim", "swift.vim", "swig.vim", "swiftgyb.vim", "swayconfig.vim", "syncolor.vim", "svn.vim", "synload.vim", "sysctl.vim", "systemverilog.vim", "tads.vim", "tags.vim", "tak.vim", "takcmp.vim", "takout.vim", "tar.vim", "taskdata.vim", "taskedit.vim", "tap.vim", "tasm.vim", "svg.vim", "syntax.vim", "template.vim", "tcsh.vim", "teraterm.vim", "terminfo.vim", "terraform.vim", "systemd.vim", "tcl.vim", "tssgm.vim", "typescript.vim", "tsv.vim", "tt2js.vim", "tssop.vim", "typescriptreact.vim", "tt2.vim", "tt2html.vim", "uc.vim", "uci.vim", "typst.vim", "udevconf.vim", "udevperm.vim", "uil.vim", "unison.vim", "updatedb.vim", "upstart.vim", "upstreamdat.vim", "upstreaminstalllog.vim", "upstreamlog.vim", "upstreamrpt.vim", "usw2kagtlog.vim", "urlshortcut.vim", "udevrules.vim", "valgrind.vim", "vdf.vim", "vb.vim", "verilogams.vim", "vera.vim", "vhdl.vim", "viminfo.vim", "verilog.vim", "voscm.vim", "vmasm.vim", "virata.vim", "vim.vim", "vrml.vim", "vgrindefs.vim", "usserverlog.vim", "c.c", "html.html", "java_comments_markdown.java", "java_annotations_signature.java", "java_comments.java", "java_enfoldment.java", "java_escapes.java", "java_generics_signature.java", "java_generics.java", "java_contextual_keywords.java", "java_lambda_expressions_signature.java", "java_annotations.java", "java_lambda_expressions.java", "java_method_references_signature.java", "java_methods_indent4.java", "java_methods_indent2.java", "java_methods_indent4_signature.java", "java_methods_indent2_signature.java", "java_methods_indent8_signature.java", "java_methods_style.java", "java_module_info.java", "java_methods_style_signature.java", "java_numbers.java", "java_previews_430.java", "java_string.java", "java_previews_455.java", "java_switch.java", "java_methods_indent8.java", "java_unfoldment.java", "markdown_conceal.markdown", "modula2_pim.def", "modula2_iso.def", "modula2_r10.def", "progress_comments.p", "sh_02.sh", "sh_01.sh", "sh_04.sh", "sh_03.sh", "sh_05.sh", "sh_07.sh", "sh_09.sh", "sh_08.sh", "sh_10.sh", "sh_11.sh", "vim_ex_abbreviate.vim", "vim_ex_behave.vim", "vim_ex_call.vim", "vim_ex_catch.vim", "sh_06.sh", "vim_ex_command.vim", "vim_ex_comment_strings.vim", "vim_ex_comment-vim9.vim", "vim_ex_comment.vim", "vim_ex_augroup.vim", "vim_ex_commands.vim", "vim_ex_def_nested.vim", "vim_ex_def_nested_fold.vim", "vim_ex_def_fold.vim", "vim_ex_def.vim", "vim_ex_echo.vim", "vim_ex_execute.vim", "vim_ex_function_def_tail_comment_errors.vim", "vim_ex_function_def_tail_comments.vim", "vim_ex_function_nested_fold.vim", "vim_ex_function_nested.vim", "vim_ex_function_fold.vim", "vim_ex_highlight.vim", "vim_ex_let_heredoc.vim", "vim_ex_loadkeymap_after_bar.vim", "vim_ex_loadkeymap_after_colon.vim", "vim_ex_map.vim", "vim_ex_function.vim", "vim_ex_menu.vim", "vim_ex_menutranslate.vim", "vim_ex_no_comment_strings.vim", "vim_ex_match.vim", "vim_ex_range.vim", "vim_ex_set.vim", "vim_ex_sleep.vim", "vim_ex_substitute.vim", "vim_ex_throw.vim", "vim_keymap.vim", "vim_ex_syntax.vim", "vim_key_notation.vim", "vim_line_continuation.vim", "vim_expr.vim", "vim_new.vim", "vim_shebang.vim", "vim_object_methods.vim", "vim_variables.vim", "vim9_ex_comment_strings.vim", "vim9_ex_commands.vim", "vim9_ex_no_comment_strings.vim", "vim9_ex_function_def_tail_comments.vim", "vim9_expr.vim", "vim9_keymap.vim", "vim9_ex_function_def_tail_comment_errors.vim", "vim9_legacy_header_fold.vim", "vim9_legacy_header.vim", "vim9_shebang.vim", "yaml.yaml", "dots_03", "dots_05", "dots_02", "dots_04", "dots_01", "dots_06", "dots_08", "dots_09", "dots_10", "dots_07", "dots_11", "dots_12", "dots_14", "dots_13", "dots_15", "dots_16", "dots_17", "dots_18", "dots_19", "dots_20", "html_00.dump", "html_03.dump", "html_05.dump", "html_04.dump", "html_06.dump", "html_02.dump", "html_01.dump", "html_07.dump", "html_08.dump", "java_annotations_01.dump", "java_annotations_00.dump", "java_annotations_02.dump", "java_annotations_03.dump", "java_annotations_04.dump", "java_annotations_signature_00.dump", "java_annotations_signature_02.dump", "java_annotations_signature_01.dump", "java_annotations_signature_03.dump", "java_annotations_signature_04.dump", "java_comments_html_01.dump", "java_comments_html_02.dump", "java_comments_html_03.dump", "java_comments_html_00.dump", "java_comments_html_04.dump", "java_comments_html_05.dump", "java_comments_markdown_00.dump", "java_comments_html_07.dump", "java_comments_markdown_03.dump", "java_comments_markdown_01.dump", "java_comments_html_06.dump", "java_comments_markdown_04.dump", "java_comments_markdown_02.dump", "java_comments_markdown_05.dump", "java_comments_markdown_06.dump", "java_comments_markdown_07.dump", "java_contextual_keywords_00.dump", "java_comments_markdown_08.dump", "java_contextual_keywords_01.dump", "java_contextual_keywords_02.dump", "java_enfoldment_01.dump", "java_contextual_keywords_03.dump", "java_enfoldment_00.dump", "java_enfoldment_02.dump", "java_escapes_00.dump", "java_escapes_01.dump", "java_escapes_03.dump", "java_escapes_05.dump", "java_escapes_07.dump", "java_escapes_02.dump", "java_escapes_06.dump", "java_generics_01.dump", "java_generics_03.dump", "java_generics_02.dump", "java_generics_04.dump", "java_generics_05.dump", "java_generics_07.dump", "java_generics_00.dump", "java_generics_06.dump", "java_escapes_04.dump", "java_generics_signature_00.dump", "java_generics_signature_01.dump", "java_generics_signature_02.dump", "java_generics_signature_03.dump", "java_generics_signature_04.dump", "java_generics_signature_05.dump", "java_generics_signature_07.dump", "java_generics_signature_06.dump", "java_lambda_expressions_00.dump", "java_lambda_expressions_01.dump", "java_lambda_expressions_03.dump", "java_lambda_expressions_02.dump", "java_lambda_expressions_04.dump", "java_lambda_expressions_05.dump", "java_lambda_expressions_06.dump", "java_lambda_expressions_07.dump", "java_lambda_expressions_08.dump", "java_lambda_expressions_signature_00.dump", "java_lambda_expressions_signature_01.dump", "java_lambda_expressions_signature_02.dump", "java_lambda_expressions_signature_03.dump", "java_lambda_expressions_signature_04.dump", "java_lambda_expressions_signature_05.dump", "java_lambda_expressions_signature_06.dump", "java_lambda_expressions_signature_07.dump", "java_lambda_expressions_signature_08.dump", "java_method_references_00.dump", "java_method_references_01.dump", "java_method_references_03.dump", "java_method_references_04.dump", "java_method_references_06.dump", "java_method_references_05.dump", "java_method_references_07.dump", "java_method_references_08.dump", "java_method_references_09.dump", "java_method_references_10.dump", "java_method_references_signature_00.dump", "java_method_references_signature_01.dump", "java_method_references_02.dump", "java_method_references_signature_02.dump", "java_method_references_signature_03.dump", "java_method_references_signature_04.dump", "java_method_references_signature_05.dump", "java_method_references_signature_07.dump", "java_method_references_signature_08.dump", "java_method_references_signature_09.dump", "java_methods_indent2_00.dump", "java_methods_indent2_00.vim", "java_methods_indent2_01.dump", "java_methods_indent2_01.vim", "java_methods_indent2_02.dump", "java_methods_indent2_02.vim", "java_method_references_signature_10.dump", "java_methods_indent2_03.vim", "java_methods_indent2_03.dump", "java_methods_indent2_04.dump", "java_methods_indent2_04.vim", "java_methods_indent2_05.dump", "java_methods_indent2_05.vim", "java_method_references_signature_06.dump", "java_methods_indent2_signature_00.vim", "java_methods_indent2_signature_01.dump", "java_methods_indent2_signature_01.vim", "java_methods_indent2_signature_02.dump", "java_methods_indent2_signature_02.vim", "java_methods_indent2_signature_03.dump", "java_methods_indent2_signature_03.vim", "java_methods_indent2_signature_04.dump", "java_methods_indent2_signature_04.vim", "java_methods_indent2_signature_05.dump", "java_methods_indent2_signature_05.vim", "java_methods_indent4_00.vim", "java_methods_indent4_01.vim", "java_methods_indent4_01.dump", "java_methods_indent4_02.dump", "java_methods_indent2_signature_00.dump", "java_methods_indent4_02.vim", "java_methods_indent4_03.vim", "java_methods_indent4_03.dump", "java_methods_indent4_04.dump", "java_methods_indent4_04.vim", "java_methods_indent4_05.dump", "java_methods_indent4_06.dump", "java_methods_indent4_05.vim", "java_methods_indent4_signature_00.dump", "java_methods_indent4_signature_01.dump", "java_methods_indent4_signature_01.vim", "java_methods_indent4_signature_02.dump", "java_methods_indent4_signature_02.vim", "java_methods_indent4_signature_03.dump", "java_methods_indent4_signature_03.vim", "java_methods_indent4_signature_04.dump", "java_methods_indent4_signature_04.vim", "java_methods_indent4_signature_05.dump", "java_methods_indent4_signature_05.vim", "java_methods_indent8_00.dump", "java_methods_indent4_signature_06.dump", "java_methods_indent8_00.vim", "java_methods_indent8_01.dump", "java_methods_indent8_01.vim", "java_methods_indent4_signature_00.vim", "java_methods_indent8_02.dump", "java_methods_indent8_02.vim", "java_methods_indent8_03.dump", "java_methods_indent8_03.vim", "java_methods_indent8_04.dump", "java_methods_indent8_05.dump", "java_methods_indent8_06.dump", "java_methods_indent8_05.vim", "java_methods_indent8_signature_00.dump", "java_methods_indent8_signature_01.dump", "java_methods_indent8_signature_01.vim", "java_methods_indent8_signature_02.dump", "java_methods_indent8_signature_02.vim", "java_methods_indent8_signature_00.vim", "java_methods_indent8_signature_03.dump", "java_methods_indent8_signature_03.vim", "java_methods_indent8_signature_04.dump", "java_methods_indent8_signature_04.vim", "java_methods_indent8_signature_05.vim", "java_methods_indent8_signature_05.dump", "java_methods_indent8_signature_06.dump", "java_methods_indent8_signature_06.vim", "java_methods_style_00.dump", "java_methods_style_00.vim", "java_methods_style_01.vim", "java_methods_style_02.vim", "java_methods_indent8_04.vim", "java_methods_style_03.dump", "java_methods_style_04.dump", "java_methods_style_02.dump", "java_methods_style_signature_00.dump", "java_methods_style_signature_00.vim", "java_methods_style_signature_01.vim", "java_methods_style_03.vim", "java_methods_style_signature_02.vim", "java_methods_style_01.dump", "java_methods_style_signature_03.dump", "java_methods_style_signature_03.vim", "java_methods_style_signature_04.dump", "java_methods_style_signature_01.dump", "java_module_info_00.dump", "java_methods_style_04.vim", "java_module_info_01.dump", "java_module_info_02.dump", "java_numbers_01.dump", "java_numbers_02.dump", "java_methods_style_signature_04.vim", "java_numbers_00.dump", "java_numbers_03.dump", "java_numbers_04.dump", "java_numbers_05.dump", "java_previews_430_00.dump", "java_previews_455_00.dump", "java_previews_455_01.dump", "java_previews_455_02.dump", "java_previews_455_03.dump", "java_methods_style_signature_02.dump", "java_methods_indent4_00.dump", "java_string_00.dump", "java_string_01.dump", "java_string_02.dump", "java_string_04.dump", "java_string_03.dump", "java_string_05.dump", "java_switch_00.dump", "java_switch_02.dump", "java_switch_01.dump", "java_switch_04.dump", "java_switch_03.dump", "java_switch_05.dump", "java_switch_07.dump", "java_unfoldment_00.dump", "java_switch_06.dump", "java_unfoldment_01.dump", "java_unfoldment_05.dump", "java_unfoldment_02.dump", "markdown_conceal_00.dump", "java_unfoldment_03.dump", "modula2_iso_00.dump", "modula2_iso_01.dump", "modula2_iso_03.dump", "modula2_iso_02.dump", "modula2_iso_04.dump", "modula2_iso_05.dump", "modula2_pim_00.dump", "modula2_iso_06.dump", "modula2_pim_01.dump", "modula2_pim_02.dump", "modula2_pim_03.dump", "modula2_pim_04.dump", "modula2_pim_06.dump", "modula2_pim_05.dump", "modula2_r10_00.dump", "modula2_r10_03.dump", "sh_07_01.dump", "sh_08_02.dump", "sh_11_00.dump", "vim_ex_abbreviate_01.dump", "vim_ex_command_00.dump", "java_module_info.vim", "markdown_conceal.vim", "cleanadd.vim", "yi.vim", "he.vim" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Esc", "display_name": "Esc", "target": null }, { "id": "SelectAll", "display_name": "SelectAll", "target": null }, { "id": "Vim Tutor", "display_name": "Vim Tutor", "target": null }, { "id": "Todo", "display_name": "Todo", "target": null } ], "attack_ids": [ { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1030", "name": "Data Transfer Size Limits", "display_name": "T1030 - Data Transfer Size Limits" } ], "industries": [], "TLP": "white", "cloned_from": "67a7efe28a685d9a19cc0417", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "email": 520, "hostname": 407, "URL": 1044, "FileHash-SHA1": 8, "domain": 244, "FileHash-SHA256": 375, "FileHash-MD5": 4 }, "indicator_count": 2603, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "24 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "this.name", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "this.name", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780328041.2004602 }