{ "type": "Domain", "indicator": "v.data", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/v.data", "alexa": "http://www.alexa.com/siteinfo/v.data", "indicator": "v.data", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 2252717304, "indicator": "v.data", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 38, "pulses": [ { "id": "698e93e1ab02db8c49e8c3ed", "name": "\u201cBroken Seal\u201d DocuSign-themed Delivery with Fileless Process Hollowing (Zeppelin/Bloat-A)", "description": "Forensic analysis indicates a DocuSign-themed phishing campaign using a deliberately invalid X.509 PKI seal (\u201cBroken Seal\u201d) to trigger fail-open verification logic in automated handlers. The delivery mechanism bypasses Secure Email Gateway (SEG) reputation checks by using encrypted channels and human-gated infrastructure. The payload is a fileless Process Hollowing (RunPE) malware that injects into RWX memory of legitimate processes to evade disk-based EDR.", "modified": "2026-04-19T08:11:41.130000", "created": "2026-02-13T03:00:49.872000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr" ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 27678, "FileHash-SHA256": 47676, "FileHash-MD5": 42534, "FileHash-SHA1": 23213, "hostname": 33703, "URL": 75433, "SSLCertFingerprint": 30, "CVE": 7582, "email": 313, "FileHash-IMPHASH": 8, "CIDR": 26205, "JA3": 1, "IPv4": 80, "URI": 5 }, "indicator_count": 284461, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "10 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69bf64eccb5d39a90a3c391e", "name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos", "description": "", "modified": "2026-03-27T00:30:39.055000", "created": "2026-03-22T03:41:32.565000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr" ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": "698e93e1ab02db8c49e8c3ed", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 27572, "FileHash-SHA256": 46076, "FileHash-MD5": 42177, "FileHash-SHA1": 22874, "hostname": 33438, "URL": 74810, "SSLCertFingerprint": 21, "CVE": 7579, "email": 297, "FileHash-IMPHASH": 8, "CIDR": 26203, "JA3": 1 }, "indicator_count": 281056, "is_author": false, "is_subscribing": null, "subscriber_count": 145, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69bf64e1d5e06aa6207f78de", "name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos", "description": "", "modified": "2026-03-27T00:30:39.055000", "created": "2026-03-22T03:41:21.863000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr" ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": "698e93e1ab02db8c49e8c3ed", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 27572, "FileHash-SHA256": 46076, "FileHash-MD5": 42177, "FileHash-SHA1": 22874, "hostname": 33438, "URL": 74810, "SSLCertFingerprint": 21, "CVE": 7579, "email": 297, "FileHash-IMPHASH": 8, "CIDR": 26203, "JA3": 1 }, "indicator_count": 281056, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68732869bad70de69c45c1b3", "name": "Denver Post - Custom Malware | Xord", "description": "YARA Detections:\n\u2022 xord_nopsled_in_jquery\ncompromised_site_redirector_fromcharcode\n\u2022 KnownMaliciousObfuscationPattern\n\u2022 WebExploit | \nAlerts:\n\u2022 ransomware_file_modifications\n\u2022 script_created_process\n\u2022 antivm_generic_disk\n\u2022 infostealer_cookies\n\u2022 suspicious_command\n\u2022 dead_host\n\u2022 suspicious_write_exe\n\u2022 network_icmp\n\u2022 modifies_certificates\n\u2022 process_martian\n* Malware IP - \n142.251.215.232", "modified": "2025-08-12T03:05:26.037000", "created": "2025-07-13T03:30:49.347000", "tags": [ "url https", "indicator role", "title added", "active related", "pulses", "entries", "url http", "domain", "ipv4", "filehashsha256", "hostname", "types of", "united kingdom", "united", "germany", "france", "type indicator", "role title", "added active", "related pulses", "extraction", "data upload", "failed", "se extraction", "enter sc", "type", "extra data", "please", "include review", "exclude sugges", "type ol", "please sub", "langes", "include", "review data", "extrad", "manually add", "indicator", "sc type", "included iocs", "se extr", "review exclude", "sugges", "extract data", "add indicator", "domain related", "showing", "tewdida data", "present jul", "script urls", "a domains", "present jun", "search", "accept encoding", "unknown aaaa", "present may", "date", "meta", "body", "ipv6", "role", "present jan", "next associated", "urls show", "date checked", "url hostname", "server response", "ip address", "regexp", "typeof e", "typeof t", "function", "width", "error", "object", "x20trnf", "pseudo", "child", "form", "class", "null", "write", "this", "void", "accept", "copy", "extr please", "typ data", "indicalok no", "gmt max", "reverse dns", "location united", "america flag", "ashburn", "america asn", "dns resolutions", "domains top", "extri please", "review", "sugges data", "find suxesteu", "typ indical", "on hos", "dynamicloader", "medium", "show", "high", "windows", "cmd c", "delete", "next", "unknown", "msie", "windows nt", "wow64", "slcc2", "media center", "read c", "as15169", "execution", "dock", "persistence", "malware", "roboto", "fwlink", "powershell", "delete c", "guard", "win32", "passive dns", "ransom", "trojan", "gmt cache", "sameorigin", "443 ma2592000", "pulse", "trojandropper", "worm", "ur extraction", "find", "types", "seard data", "source se", "url toi", "ela fer", "iocs", "search otx", "extr", "indicators h", "weall", "indica", "sc data", "data u", "extre", "find s", "onv incmde", "exclude data", "suggested", "typ no" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3107, "domain": 526, "hostname": 940, "FileHash-SHA256": 2209, "email": 2, "FileHash-MD5": 80, "FileHash-SHA1": 31, "SSLCertFingerprint": 11 }, "indicator_count": 6906, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "250 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68732864356c4353e0b1efe2", "name": "Denver Post - Custom Malware | Xord", "description": "YARA Detections:\n\u2022 xord_nopsled_in_jquery\ncompromised_site_redirector_fromcharcode\n\u2022 KnownMaliciousObfuscationPattern\n\u2022 WebExploit | \nAlerts:\n\u2022 ransomware_file_modifications\n\u2022 script_created_process\n\u2022 antivm_generic_disk\n\u2022 infostealer_cookies\n\u2022 suspicious_command\n\u2022 dead_host\n\u2022 suspicious_write_exe\n\u2022 network_icmp\n\u2022 modifies_certificates\n\u2022 process_martian\n* Malware IP - \n142.251.215.232", "modified": "2025-08-12T03:05:26.037000", "created": "2025-07-13T03:30:44.589000", "tags": [ "url https", "indicator role", "title added", "active related", "pulses", "entries", "url http", "domain", "ipv4", "filehashsha256", "hostname", "types of", "united kingdom", "united", "germany", "france", "type indicator", "role title", "added active", "related pulses", "extraction", "data upload", "failed", "se extraction", "enter sc", "type", "extra data", "please", "include review", "exclude sugges", "type ol", "please sub", "langes", "include", "review data", "extrad", "manually add", "indicator", "sc type", "included iocs", "se extr", "review exclude", "sugges", "extract data", "add indicator", "domain related", "showing", "tewdida data", "present jul", "script urls", "a domains", "present jun", "search", "accept encoding", "unknown aaaa", "present may", "date", "meta", "body", "ipv6", "role", "present jan", "next associated", "urls show", "date checked", "url hostname", "server response", "ip address", "regexp", "typeof e", "typeof t", "function", "width", "error", "object", "x20trnf", "pseudo", "child", "form", "class", "null", "write", "this", "void", "accept", "copy", "extr please", "typ data", "indicalok no", "gmt max", "reverse dns", "location united", "america flag", "ashburn", "america asn", "dns resolutions", "domains top", "extri please", "review", "sugges data", "find suxesteu", "typ indical", "on hos", "dynamicloader", "medium", "show", "high", "windows", "cmd c", "delete", "next", "unknown", "msie", "windows nt", "wow64", "slcc2", "media center", "read c", "as15169", "execution", "dock", "persistence", "malware", "roboto", "fwlink", "powershell", "delete c", "guard", "win32", "passive dns", "ransom", "trojan", "gmt cache", "sameorigin", "443 ma2592000", "pulse", "trojandropper", "worm", "ur extraction", "find", "types", "seard data", "source se", "url toi", "ela fer", "iocs", "search otx", "extr", "indicators h", "weall", "indica", "sc data", "data u", "extre", "find s", "onv incmde", "exclude data", "suggested", "typ no" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3107, "domain": 526, "hostname": 940, "FileHash-SHA256": 2209, "email": 2, "FileHash-MD5": 80, "FileHash-SHA1": 31, "SSLCertFingerprint": 11 }, "indicator_count": 6906, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "250 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67f33233092ab19b74879403", "name": "MacOS M2 Chip Infiltration: Game Center & XBOX Pod Game & Chat Server", "description": "pulse explores a variety of files, objects, and functions that could be associated with different system components, libraries, and protocols. It highlights a wide range of potential vulnerabilities that may exist in software related to system functions, APIs, data handling, and device interactions, including issues in devices like game controllers, HID devices, and platform-specific services (such as Apple and Android). The pulse references several components across different platforms (macOS, iOS, ARM architectures, and others), with a focus on low-level code, encryption libraries, system utilities, and network protocols like TCP, IP, and Bluetooth. The identified vulnerabilities could involve buffer overflows, deprecated functions, improper memory handling, and potential exploit vectors related to system security, performance, and integrity.", "modified": "2025-05-07T02:03:20.735000", "created": "2025-04-07T02:02:27.322000", "tags": [ "helper macro", "param", "param inccache", "kerberos", "ccache", "api function", "ccapi", "api version", "param ioccache", "ccacheserver", "win32", "null", "code", "win64", "error", "union", "ccapideprecated", "ccacheapi", "ccapiv2h", "apple", "export", "united", "ccache api", "cplusplus", "x8664", "typedef", "patheq", "none", "popen", "terminate", "false", "winenv", "winexe", "frozen", "winservice", "python", "posixthreads", "pyhavecondvar", "ntthreads", "vista", "pyemulatedwincv", "ntddivista", "semaphore", "pycondt", "win7", "pybuildcore", "fall", "copyright", "technology", "all rights", "reserved", "america", "government", "within that", "klprincipal", "klloginoptions", "inpassword", "klboolean", "klindex inindex", "login", "klstatus", "kerberos login", "inst", "regexp", "typeof e", "function", "typeof t", "typeof o", "width", "typeof", "pseudo", "body", "sticky", "date", "class", "this", "void", "accept", "span", "krb5callconv", "apoptsreserved", "tktflgreserved", "kdcoptreserved", "krb5data", "eblock", "krb5address", "krb5keyblock", "service", "realm", "format", "general", "internal", "entropy", "mask", "mcpeerid", "mcsession", "property", "protocol", "create", "nsuinteger", "notifies", "mcsession api", "interface", "bonjour", "ascii lowercase", "abc company", "section", "bonjour txt", "mcextern", "attribute", "mcextern extern", "mcexternweak", "nsenum", "nsinteger", "mcerrorcode", "mcerrorunknown", "mcerrortimedout", "bonjour apis", "stop", "peer", "example", "tags", "session", "nsprogress", "nserror", "nsstring", "nsurl", "nsarray", "note", "ui element", "utf8 encoding", "nscopying", "nsdictionary", "webpackrequire", "webpackexports", "object", "adobe systems", "adobe", "incorporated", "dissemination", "touchmove", "window", "launch", "close", "core", "webview", "nwebpackrequire", "arraybuffer", "name", "typedarray", "prototype", "string", "number", "nvar", "meta", "infinity", "generator", "zero", "epsilon", "observer", "android", "freeze", "trim", "canvas", "simple", "bind", "fast", "next", "patch", "rest", "middle", "find", "enumerate", "facebook", "executor", "apiunavailable", "gamecontroller", "gcbuttoninput", "gcswitchinput", "nsobject", "apiavailable", "hid device", "cfstr", "iohiddeviceref", "boolean value", "c iohidmanager", "iohidmanager", "c iohiddevice", "issequential", "bool sequential", "bool canwrap", "nsset", "nsunavailable", "gcswitchelement", "bool", "share button", "xbox controller", "xbox elite", "xbox series", "gcxboxgamepad", "gcpoint2", "gcpoint2make", "gcpoint2 p", "cfinline bool", "gcpoint2equal", "gcpoint2 point1", "gcpoint2 point2", "gcrelativeinput", "isanalog", "bool analog", "hasinclude", "gcaxis2dinput", "gcpoint2 value", "gcaxiselement", "certain", "gcaxisinput", "gcbuttonelement", "gccontroller", "nsnotification", "chhapticengine", "gcmicrogamepad", "input", "menu button", "gcdevicelight", "gccolor", "x axis", "xvalue", "developers", "functionality", "options button", "sf symbols", "elements", "gcdevice", "gctouchstate", "gctouchstateup", "apideprecated", "gckeyboard", "gcmouse", "nsswiftname", "gcdevicebattery", "battery level", "direction pad", "directionapad", "thumbstick", "gcdevicecursor", "a controller", "gccolor color", "gcinputbuttona", "gcinputbuttonb", "button b", "check", "a element", "c nil", "nsenumerator", "siri remote", "equivalent", "down", "left", "right", "kindof", "handle button", "c device", "immediate input", "dualsense", "positional", "sony dualsense", "gcmotion", "dualshock", "uievent", "controllers", "uikit user", "uiview", "method", "nsdata", "axes", "nsdata source", "return", "nullable", "nsdata object", "button", "shoulder", "extended", "gamepad profile", "nsdata api", "gcgamepad", "sizeof", "standard", "gckeyboardinput", "keyboard", "nsstring const", "controller", "back buttons", "game controller", "back", "keypad", "delete", "insert", "home", "right arrow", "left arrow", "down arrow", "up arrow", "korean", "backspace", "alongside", "gckeyuparrow", "gckeycode const", "lang1", "gclinearinput", "gcquaternion", "gcacceleration", "y axis", "z axis", "gcmouse mouse", "gcmouse class", "mice", "gcmouseinput", "mouse profile", "scroll", "nsdata instance", "a alias", "press", "micro profile", "siri remotes", "b button", "a gcinput", "button a", "nsoptions", "examining", "c sfsymbolsname", "apple tv", "remote", "control center", "a set", "game", "gcracingwheel", "gcbundlewithpid", "gcinputbuttonx", "gcinputbuttony", "gcinputshifter", "gckeya", "gckeyb", "gckeybackslash", "rawvalue", "apple swift", "o librarylevel", "swift import", "element", "indices", "iterator", "subsequence", "kerberoscomerr", "const", "permission", "mit software", "suitability", "athena", "openvision", "gssdllimp", "gssapigenerich", "this software", "purpose", "disclaims all", "warranties with", "regard to", "constraint", "kerberosprofile", "krb5profileh", "const names", "newvalue", "1429577728l", "gnuc", "mach", "omuint32", "gssapikrb5h", "form", "uid form", "client function", "asrep", "including", "preauth", "db entry", "free", "pointer", "rock", "neither", "direct", "damage", "minorstatus", "gssbuffert", "gssctxidt", "gssoid", "gssnamet", "gsscredidt", "gssoidset", "gssapi", "first", "alcapi", "alcapientry", "alcboolean", "targetosmac", "alcdevice", "alcenum param", "alalch", "alcchar", "alcsizei", "capture", "but not", "limited", "openal cross", "apple computer", "redistribution", "is provided", "type", "alvoid", "alint", "openal", "aluint sid", "alenum", "alint value", "aluint property", "alvoid nonnull", "alfloat", "write", "openalopenalh", "umbrella header", "alenum param", "alapi", "aluint bid", "alsizei", "alfloat value", "alapientry", "aluint", "verify", "play", "speed", "bits", "albuffer3i", "albufferdata", "albufferf", "albufferfv", "albufferi", "albufferiv", "aldistancemodel", "aldopplerfactor", "algetbooleanv", "algetbuffer3f", "iousbhostdevice", "iousbhostobject", "iousbhostpipe", "iousbhoststream", "iousbhost", "brief", "usb host", "bool yes", "bool no", "advance", "iousbhostfamily", "kernel", "ioreturn status", "nsnumber", "ioreturn error", "usb device", "select", "commands", "enqueue", "nsmutabledata", "field", "enum", "options", "retrieve", "iosource", "current address", "bos descriptor", "extract", "a descriptor", "license", "io request", "abort", "discussion", "stream", "please", "swift api", "iousbbitrange", "iousbbitrange64", "iousbbit", "client", "usb controller", "usb descriptor", "unknown", "critical", "refer", "link", "send", "same", "common ui", "bluetooth", "service browser", "option", "1001", "cfstringref", "deprecated", "macos", "returns", "abstract", "nswindow", "creates", "mac os", "uuids", "uuid", "sdp service", "nsimage", "nsview", "mpasskeystring", "nsmutablearray", "uuid array", "ioreturn", "runmodal", "group", "command", "byte", "masks", "pduid", "l2cap", "range", "opcode", "packet", "major", "local", "profiles", "iobluetooth", "framework", "support", "host controller", "rfcomm", "minor class", "pseudoclass", "specific device", "headset", "peripheral", "desktop", "glasses", "device reset", "no hci", "hci controller", "returns number", "variable number", "packdata", "cstring", "pass", "path", "deprecated in", "obex session", "obexsessionref", "rfcomm channel", "obex", "does not", "l2cap channel", "inrefcon", "device", "length", "obex spec", "error code", "make", "headerid", "april", "alarm", "avrcplog", "audiolog", "bccmd16touint16", "bccmd16touint8", "bccmd32touint32", "hfplog", "obexcreatevcard", "obexsessionget", "uint16tobccmd16", "intents", "created", "andrea gottardo", "inimage", "intentsui", "project version", "inshortcut", "ibdesignable", "invoiceshortcut", "nsbundle", "siri", "beralloct", "berbvarrayadd", "berbvarrayfree", "berbvdup", "berbvecadd", "berbvecfree", "berbvfree", "berdump", "berdup", "berdupbv", "ldap", "vdspinput1", "vectorsize", "iirchannel", "osvkerndsplib", "pragmaonce", "paul chang", "fri mar", "original code", "apple operating", "modifications", "apple public", "source license", "version", "lframesize", "i386", "picify", "callmcount", "nonlazystub", "align", "roundtostack", "leaf", "import", "carnegie mellon", "carnegie", "inline void", "software", "school", "august", "xnuarchi386selh", "next computer", "mike demoney", "bruce martin", "state segment", "nxswappedfloat", "osswapint32", "inline float", "inline double", "osswapint64", "armlimitsh", "arm64", "useclangtypes", "bsdarmtypesh", "int8t", "gnuc typedef", "uint8t", "ansi c", "ansi", "use wchart", "armmcontexth", "mcontextt", "armparamh", "round", "darwinsizet", "darwinalign", "uint32t", "darwinalign32", "warranties", "a particular", "university", "armarch6zk", "armarch6k", "armarch4t", "armarch4", "http", "capbitnb", "legacy", "armfeatureflag", "california", "notice", "berkeley", "limited to", "define", "useclanglimits", "lp64", "ansisource", "darwincsource", "longmin", "ulongmax", "parameter", "vmmemcoherent", "vmmemearlyack", "vmmeminner", "vmmemrt", "vmmemguarded", "armmemorytypesh", "armpalroutinesh", "read", "struct", "booleant", "cluster", "devbsize", "mclbytes", "unix system", "laboratories", "devbshift", "thumb", "armv5", "armv7", "cache", "neon", "swift", "bsdarmprofileh", "xxx todo", "block", "mcount", "mcountinit", "mcountenter", "splhigh", "armthreadh", "armtraph", "dflssiz", "targetososx", "maxssiz", "rliminfinity", "maxcsiz", "bsdarmvmparamh", "dfldsiz", "maxdsiz", "xxx stack", "armsignal", "int64t", "armmachtypesh", "int32t", "methods", "thread", "hasapplepac", "atmatmtypesh", "libkernlocksh", "fortifysource", "libkerncopyioh", "sizedby", "darwinosinline", "stdcversion", "osswapint16", "libkerncrch", "blockexport", "vaargs", "blockrelease", "blockh", "collection", "blockcopy", "ososbaseh", "base", "byteoffset", "host endianess", "generic host", "generic", "osmalloc", "osmalloctag tag", "osmalloctag", "pci device", "uint32", "uint32 mask", "safecastptr", "sint32", "osaddatomic64", "uint8", "libkern c", "internal error", "core osreturn", "libkern", "values", "pragmamark", "kexts", "kext", "c string", "grab", "osostypesh", "boolean", "unsignedwide", "uint32 hi", "buildtime value", "libkernversionh", "versionmajor", "versionminor", "versionvariant", "versionrevision", "ostype", "osrelease", "libkernsysctlh", "instructions", "data cache", "future", "rbleft", "rbright", "rbgetparent", "splayright", "splayleft", "rbsetcolor", "rbblack", "rbgetcolor", "comp", "main", "stdc", "msdos", "windows", "sys16bit", "zlibdll", "zextern", "zconfh", "model", "zextern int", "zstreamerror", "znull", "zbuferror", "zmemerror", "zstreamend", "zdataerror", "zfinish", "enough", "possible", "trailer", "compiler", "countedby", "sparta", "osatomic", "ipcipctypesh", "ipcobjectnull", "ipcobjectdead", "osreturn", "nfskrpch", "xdrbuf", "xdrbuf xbp", "xbptr", "xbleft", "tlen", "lval", "xbcleanup", "xbtype", "xbflags", "nfsargsversion", "file", "packed", "nfshz", "mount", "term", "restrict", "stats", "nfsbitmapset", "nfsver3", "nfsxunsigned", "attr", "nfsprogram", "nfssmallfh", "which", "from", "mark", "obsolete", "ip address", "iaddrt", "netinetbootph", "nvmaxtext", "magic", "etheraddrlen", "target", "byteorder", "bigendian", "littleendian", "dest", "igmp", "ushort", "inpcbptr", "inpcblistentry", "ipsec", "pcbs", "cookie", "netinetinstath", "minimal", "result", "arp packet", "icmpparamprob", "icmpredirect", "address", "ditto", "ip filter", "ipv4", "ip packet", "inject", "wifi", "server", "tcpmaxnotifyack", "wired", "ecn setup", "notify", "slow", "definitions", "tcptmax", "retransmit", "mptcp", "tcpsclosewait", "tcpsestablished", "tcpstimewait", "tcpseq", "timer drift", "sack", "char", "icmp", "synack", "tcpoptnop", "syndata", "ver", "internet", "iopcidevice", "constant", "perst", "localonly", "iooptionbits", "optional access", "ioservice", "open", "pcidriverkith", "osmetaclassbase", "iorpc rpc", "auditpipeiobase", "auditsdeviobase", "ioctls", "data", "the software", "stdargh", "hasincludenext", "eli friedman", "as is", "hack", "atomic", "atomicseqcst", "clangstdatomich", "stdchosted", "stdboolh", "needwintt", "stddefh", "hasbuiltin", "const src", "xnumembersize", "const dst", "wcharmax", "wcharmin", "limits", "kernelstdinth", "lp64 typedef", "intmaxc", "uintmaxc", "ptrauth", "olddata", "value", "declkey", "abi pointer", "c function", "float16", "fltevalmethod", "legacy bsd", "c standard", "sincospi", "cosp", "x8664monotonich", "staticifentry", "hasmte", "vmmemorytypesh", "vmwimgdefault", "wimg", "extvectortype", "utilfunction", "aligned", "srcptr", "vmpmaph", "vmdyldpagerh", "vmvmfaulth", "vmvmmaph", "development", "debug", "vmvmoptionsh", "vmvmpageouth", "kasantbi", "machvmmemtagh", "given", "vmmemtagptrsize", "vmmemtagtagsize", "copy", "vmsharedregionh", "vfsvfssupporth", "veclib", "master", "world wide", "various", "veclibtypes", "carbonlib", "availability", "carbon", "noncarbon cfm", "vbasicops", "shift", "vforceh", "vdsplength n", "realp", "nonnull", "vector", "dspsplitcomplex", "ieee", "dspcomplex", "uuiduuidh", "uuiddefine", "public", "uuid library", "kernelserver", "simpleroutine", "undkey", "execution", "strings array", "user", "title string", "info", "1024", "xmldatat", "undreplyref", "kernsuccess", "osaction", "targetosiphone", "istargetvendor", "targetcpux8664", "targetosunix", "targetcpuppc", "targetcpuppc64", "targetcpux86", "targetrtmaccfm", "bridge", "svflags", "svpavreal", "svpavreify", "xpvav", "svany", "avfillp", "for apidoc", "mutableav", "avrealoff", "pltopenv", "stmtstart", "stmtend", "copfile", "plcurstackinfo", "copfilegv", "cophinthashget", "loop", "stack", "beware", "orig", "loops", "this file", "the build", "plbitcount", "u8 value", "cvflags", "xpvcv", "mutableptr", "perlcore", "cvgv", "cvfile", "cvfmethod", "cvflvalue", "cvfconst", "anon", "doinit extconst", "ebcdic", "extconst u8", "index", "ascii platform", "confusingly", "u8 pla2e", "pla2e", "u8 ple2a", "guard", "declspec", "extconst", "ext externc", "init", "larry wall", "gnu general", "readme file", "multiplicity", "plsawampersand", "do not", "perliogetc", "perlioputc", "perliostdoutf", "perlio", "perlfeatureh", "featuresubbit", "featuremyrefbit", "featurefcbit", "featureisabit", "featuresaybit", "featurestatebit", "featuretrybit", "hintfeaturemask", "ffspace", "process", "ffdecimal", "ffend", "gvgp", "gvflags", "gvnamehek", "svtype", "gvegv", "gvstash", "gvxpvgv", "svtpvgv", "svtpvlv", "super", "edit directly", "djgpp", "bitbucket", "perlsysinitbody", "perlioinit", "perlsystermbody", "w macros", "wexitstatus", "shpath", "mkdir", "rotl64", "rotl32", "rotate x", "rotr32", "can64bithash", "rotr64", "ivsize", "u8to16le", "rotluv", "rotruv", "sbox32maxlen", "plhashstate", "perlhash", "perl", "usehashseed", "perlseenhvfunch", "perlhashseed", "siphash24", "siphash13", "seed", "c program", "c type", "c compiler", "gcc attribute", "longsize", "c preprocessor", "install", "kill", "cont", "thus", "ext declspec", "dext", "for apidocitem", "utf8", "ascii", "fitsin8bits", "nativetolatin1", "strwithlen", "u8 end", "test", "poison", "february", "cray", "prior", "behaviour", "except", "alpha", "perlvar", "perlvari", "perlvara", "padoffset", "true", "pmop", "hooks", "hook", "sv invlist", "perlinregcompc", "svcur", "perlinopc", "tointernalsize", "svtinvlist", "invlistlen", "strlen", "hvaux", "heklen", "svook", "hekutf8", "hekkey", "hekflags", "mutablehv", "hvnameheknn", "gosh", "leave", "iperlsock", "plsock", "iperlstdio", "plstdio", "iperlproc", "plproc", "iperllio", "pllio", "perlimplicitsys", "plink", "keypackage", "keyend", "keysub", "keydump", "keylog", "keysend", "keystate", "perlioclose", "perlmemcollxfrm", "nativetoneed", "plclocaleobj", "plno", "plwarnall", "plwarnnone", "plyes", "plzero", "plc9utf8dfatab", "nomathoms", "perlintokec", "perlinutf8c", "perlinsvc", "perlinregexecc", "debugging", "perlinlocalec", "pfinet", "snoop", "ccprint", "ccgraph", "cccharnamecont", "ccascii", "ccwordchar", "ccalphanumeric", "ccidfirst", "ccquotemeta", "ccalpha", "cccased", "ordinal", "magicvtablemax", "extra", "regex match", "env hash", "isa array", "debugger", "sig hash", "available", "shadow", "array length", "magic mg", "sv sv", "mgftainteddir", "hefsvkey", "mutablesv", "ssizet", "mgvtbl entry", "mgfbytes", "perlmagicsv 0", "special", "perlmagicarylen", "perlmagicrhash", "extra data", "perlmagicpos", "perlmagicsymtab", "provides", "dtrace probes", "stdioh", "stdioincluded", "sfioversion", "rxfpmfcharset", "rxfpmfmultiline", "rxfpmffold", "rxfpmfextended", "rxfpmfnocapture", "rxfpmfkeepcopy", "flags", "rxfpmfstrict", "ocshift", "plop", "perlbitfield16", "baseop op", "useithreads", "pmfonce", "padop", "perlcknull", "perlckfun", "opparg1mask", "opparg4mask", "opparg2mask", "perlckftst", "perlppftrowned", "perlckbitop", "perlckcmp", "perlcklfun", "dump", "chroot", "syscall", "flip", "undef", "crypt", "push", "stub", "trans", "predec", "flop", "prtf", "shutdown", "perlcontext cx", "perlmemlog", "c pointer", "cxtype", "logic", "toavamg", "tohvamg", "opftrread", "oplt", "opincmp", "opbitand", "opsbitor", "opsend", "opgetpeername", "opfteexec", "opftbinary", "opclose", "plparser", "yylex", "lexshared", "position", "repl", "memsize", "malloct", "perlmallocctlh", "uv nfree", "uv ntotal", "iv topbucket", "iv totalsbrk", "iv minbucket", "level", "plcomppad", "plcurpad", "uvxf", "ptr2uv", "avarray", "padnameflags", "plcopseqmax", "padlistarray", "c array", "padnametype", "incpushperl5lib", "appllibexp", "privlibexp", "defineincmacros", "perlfsversion", "perl5lib", "sitearchexp", "perllanginfoh", "hasnllanginfo", "ilanginfo", "codeset", "codeset 1", "dtfmt", "dtfmt 2", "dfmt", "dfmt 3", "sipround", "u8to64le", "fallthrough", "uint64c", "perlsiphashfnc", "siprounds", "strlen inlen", "sipfinalrounds", "could", "configure", "plout", "mine001", "argv", "plin", "localpatchcount", "perlapih", "xs code", "portingglossary", "first version", "brand", "symbols", "haswcrtomb", "perlionotstdio", "perlcallconv", "perlio f", "perlioh", "usestdio", "case", "bufsiz", "sizet", "perlstability", "perltypedefs", "perldtracehin", "perlloadedfile", "perlloadingfile", "perlopentry", "perlphasechange", "perlsubentry", "perlsubreturn", "generated", "perlcallconv iv", "sizet count", "sv arg", "mode", "perliofuncs tab", "stdchar", "perliolistt", "sv args", "mutex", "perlinterpreter", "sigsize", "perlioisstdio", "perlcallconv op", "perldokv", "perlppaassign", "perlppabs", "perlppaccept", "perlppadd", "perlppaeach", "perlppaelem", "public license", "free software", "foundation", "yydebug", "bison", "bareword", "funcmeth", "arrow", "targ", "pushs", "tops", "does", "xsub", "pops", "xpushs", "erange", "perlreentrapi", "perlreentrapi0", "hostentsize", "getgrentrproto", "getpwentrproto", "getnetentrproto", "grentbuffer", "grentsize", "hostenterrno", "redebugflag", "debugvtest", "debugr", "u16 nextoff", "argset", "u8 type", "nextoff", "strings", "problem", "june", "invert", "perlfpclass", "longdoublekind", "plstatusvalue", "pldebug", "numclasses", "locale", "grok", "pragma", "dword", "attack", "little", "lynx", "done", "reany", "rxpextflags", "rxextflags", "checkpoint cp", "rxftaintedseen", "rxfcopydone", "plsavestackix", "plsavestack", "plsavestackmax", "ssmaxpush", "enter", "debugscope", "state", "u32 state", "debugsbox32hash", "sbox32warn5", "line", "mutexunlock", "mutexinit", "noop", "mutexlock", "condinit", "detach", "panic", "usetm64", "should", "bsd extension", "configuration", "time64debug", "int64t nv", "gnu extension", "perltime64h", "time64t", "int64t int64", "int64 time64t", "i32 year", "tm64", "hastmtmgmtoff", "decide", "svpvx", "svgmagic", "bonk", "anything", "turn", "crash", "fstat", "perlmicro", "hasioctl", "hasutime", "hasgroup", "haspasswd", "usemybinmode", "idirent", "likely", "generated code", "utfebcdic", "unicode", "step", "ufeff", "u00a0", "u00df", "u00b5", "ufffd", "u017f", "u0300", "unlikely", "nativeutf8toi8", "utf8skip", "nativetouni", "lazy", "extrasize", "regnodemax", "exact", "match", "whilem", "anyof", "curly", "trie", "curlym", "eval", "star", "perlutilh", "hsmapiverlen", "hsxsverlenmax", "hskeyp", "tools", "sv vs", "perlversionlt", "svpvxnolenconst", "perlckwarner", "u32 err", "scroakxsusage", "pluumap", "warnings", "categories", "plcurcop", "perlckwarn", "perlckwarnd", "perlwarnisset", "perlwarnoff", "perlwarnbit", "xsversion", "xsreturn", "perlxshandshake", "plstackbase", "hskey", "zaphod32mix", "u8to32le", "zaphod32warn4", "zaphod32warn3", "zaphod32warn6", "perlform", "i8tonativeutf8", "warnutf8", "myshift", "c extension", "libs", "cflags", "afkuserlog", "kafkeventcancel", "kafkeventerror", "adamsbagmanager", "adjinglerequest", "isinternalbuild", "kickmcxdforuid", "loadappkit", "ardconfig", "authenticator", "dsauthenticator", "dsnode", "dsrecord", "hostconfig", "addtofront", "calcslope", "copyarray", "createcachenode", "defaultebecurve", "deletecache", "disablehcucache", "dumpcache", "dumpoutputhcu", "enablet1sim", "ascagent", "ascagentproxy", "asdevice", "ddrangecompare", "wdosloglauncher", "wdoslogprotocol", "findchar", "ddasllogger", "ddfilelogger", "ddlog", "ddlogfileinfo", "ddlogmessage", "ddloggernode", "mkurlparser", "mkerrordomain", "mkintegerhash", "mklonghash", "mkmaprectinset", "mkmaprectnull", "mkmaprectoffset", "mkmaprectworld", "mkmapsizeworld", "kextensionnonui", "wkarraycreate", "wkbooleancreate", "wkcontextcreate", "wkdatacreate", "wkdatagettypeid", "wkdoublecreate", "wkframecopyurl", "wkgettypeid", "wkimagecreate", "wkpagecandelete", "webkit", "methodkind", "wkerrordomain", "by apple", "document", "a block", "wkcontentworld", "wkwebview", "javascript", "wkerrorcode", "wkerrorunknown", "nsswiftasync", "wkswiftasync", "wkcookiepolicy", "nshttpcookie", "whether", "wknavigation", "wkdownload", "decides", "mime type", "wkscriptmessage", "wkframeinfo", "information", "url scheme", "wkcontentmode", "wkuserscript", "wkextern", "media", "promise", "fulfill", "cgfloat", "targetoswatch", "sign", "password", "provider", "uicontrol", "nscontrol", "opaque user", "apple id", "nsstring user", "asuseragerange", "initiate", "asauthorization", "confirms", "apple upgrade", "nserrorenum", "operation", "relying party", "targetosvision", "a byte", "nsdata userid", "relying", "a string", "asapiavailable", "http response", "authorization", "oauth", "saml", "nsdata readdata", "bool didwrite", "a cose", "nsstring name", "bool appid", "targetosxr", "a state", "a json", "web token", "private seckeys", "nsstring appid", "mdm profile", "nsurl url", "returns yes", "lacontext", "asswiftsendable", "keychain", "cose algorithm", "ecdsa", "sha256", "cose curve", "p256", "nsinteger rank", "enables", "bool success", "remove", "call", "complete", "prepare", "attempt", "list", "nsextension", "settings", "initializes", "a key", "extensions", "hash", "json", "initialize", "nsstring origin", "settings app", "urls", "https urls", "safari", "cancel", "nsuuid uuid", "asextern extern", "asextern", "nsswiftsendable", "uiwindow", "propertykind", "gkplayer", "n tags", "gkerrordomain", "gamecenter", "targetosios", "targetostv", "nsavailable", "gkachievement", "local player", "view", "present", "optional", "gkbaseplayer", "game center", "uiimage", "app store", "gkchallenge", "gklocalplayer", "nsdeprecated", "a singleton", "gkcloudplayer", "returns nil", "nsdeprecatedmac", "internal2", "internal3", "internal4", "gkscore", "gkextern", "gkextern extern", "gkexternweak", "gkerrorcode", "gkerrorunknown", "gkerrorunderage", "friendplayer", "standard view", "nsresponder", "parentwindow", "ibaction", "gkgamesession", "apis", "gkplayer player", "nsinteger score", "nsdate date", "gkleaderboard", "connect", "nsinteger value", "load", "gktransporttype", "nsstring title", "loads array", "localized", "gkmatch", "gkmatchrequest", "gkinvite", "gksession", "gksession api", "gamekit", "asynchronously", "welcome", "nstimeinterval", "delegate", "delivery", "gksenddatamode", "gksessionmode", "gkphotosize", "callbacks", "gkmatchdelegate", "gksavedgame", "default value", "gksessionerror", "gkvoicechat", "participant", "voice chat", "clienta" ], "references": [ "CredentialsCache.h", "CredentialsCache2.h", "config.xml", "popen_spawn_win32.py", "pycore_condvar.h", "Kerberos.h", "KerberosLogin.h", "plugin.js", "krb5.h", "MultipeerConnectivity.tbd", "MCBrowserViewController.h", "MCNearbyServiceAdvertiser.h", "MCError.h", "MCAdvertiserAssistant.h", "MCNearbyServiceBrowser.h", "MultipeerConnectivity.apinotes", "MultipeerConnectivity.h", "MCSession.h", "MCPeerID.h", "canvas.html", "capture_0.bundle.js", "capture_resize.js", "GCRacingWheelInput.h", "GCSyntheticDeviceKeys.h", "GCSwitchPositionInput.h", "GCSteeringWheelElement.h", "GCSwitchElement.h", "GCTouchedStateInput.h", "GCXboxGamepad.h", "GCTypes.h", "GCRelativeInput.h", "GameController.h", "GCAxis2DInput.h", "GCAxisElement.h", "GCAxisInput.h", "GCButtonElement.h", "GCController.h", "GCColor.h", "GCControllerAxisInput.h", "GCControllerDirectionPad.h", "GCControllerInput.h", "GCControllerElement.h", "GCControllerTouchpad.h", "GCDevice.h", "GCDeviceBattery.h", "GCDeviceCursor.h", "GCDeviceHaptics.h", "GCDeviceLight.h", "GCDevicePhysicalInputState.h", "GCDevicePhysicalInputStateDiff.h", "GCDirectionalGamepad.h", "GCDirectionPadElement.h", "GCDevicePhysicalInput.h", "GCDualSenseAdaptiveTrigger.h", "GCDualSenseGamepad.h", "GCDualShockGamepad.h", "GCEventViewController.h", "GCExtendedGamepadSnapshot.h", "GCExtern.h", "GCExtendedGamepad.h", "GCGamepadSnapshot.h", "GCGearShifterElement.h", "GCGamepad.h", "GCKeyboard.h", "GCInputNames.h", "GCControllerButtonInput.h", "GCKeyNames.h", "GCKeyboardInput.h", "GCKeyCodes.h", "GCLinearInput.h", "GCMotion.h", "GCMouse.h", "GCMouseInput.h", "GCMicroGamepadSnapshot.h", "GCPhysicalInputElement.h", "GCMicroGamepad.h", "GCPhysicalInputProfile.h", "GCPhysicalInputSource.h", "GCPressedStateInput.h", "GCProductCategories.h", "GCRacingWheel.h", "GameController.tbd", "arm64e-apple-macos.swiftinterface", "x86_64-apple-macos.swiftinterface", "module.modulemap", "com_err.h", "gssapi_generic.h", "locate_plugin.h", "profile.h", "gssapi_krb5.h", "preauth_plugin.h", "gssapi.h", "alc.h", "oalStaticBufferExtension.h", "oalMacOSX_OALExtensions.h", "OpenAL.h", "al.h", "OpenAL.tbd", "IOUSBHost.tbd", "IOUSBHostCIEndpointStateMachine.h", "IOUSBHostCIControllerStateMachine.h", "IOUSBHost.h", "IOUSBHostCIPortStateMachine.h", "IOUSBHostCIDeviceStateMachine.h", "IOUSBHostControllerInterfaceHelpers.h", "IOUSBHostDevice.h", "IOUSBHostControllerInterface.h", "IOUSBHostDefinitions.h", "IOUSBHostInterface.h", "IOUSBHostIOSource.h", "AppleUSBDescriptorParsing.h", "IOUSBHostStream.h", "IOUSBHostObject.h", "IOUSBHostControllerInterfaceDefinitions.h", "IOUSBHostPipe.h", "IOBluetoothUIUserLib.h", "IOBluetoothUI.h", "IOBluetoothObjectPushUIController.h", "IOBluetoothDeviceSelectorController.h", "IOBluetoothPasskeyDisplay.h", "IOBluetoothPairingController.h", "IOBluetoothServiceBrowserController.h", "IOBluetoothUI.tbd", "Bluetooth.h", "IOBluetooth.h", "BluetoothAssignedNumbers.h", "IOBluetoothTypes.h", "IOBluetoothUtilities.h", "OBEXBluetooth.h", "IOBluetoothUserLib.h", "OBEX.h", "IOBluetooth.tbd", "INImage+IntentsUI.h", "IntentsUI.h", "INUIAddVoiceShortcutButton.h", "IntentsUI.apinotes", "INUIEditVoiceShortcutViewController.h", "INUIAddVoiceShortcutViewController.h", "LDAP.tbd", "OSvKernDSPLib.h", "cpu.h", "asm_help.h", "desc.h", "pio.h", "io.h", "sel.h", "reg_help.h", "tss.h", "table.h", "byte_order.h", "_limits.h", "_types.h", "_mcontext.h", "_param.h", "_endian.h", "arch.h", "cpuid_internal.h", "cpu_capabilities_public.h", "arm_features.inc", "endian.h", "locks.h", "limits.h", "atomic.h", "machine_cpuid.h", "memory_types.h", "pal_routines.h", "machine_routines.h", "param.h", "cpuid.h", "thread.h", "trap.h", "vmparam.h", "signal.h", "types.h", "AFKMemoryDescriptorOptions.h", "machine_machdep.h", "atm_types.h", "copyio.h", "_OSByteOrder.h", "crc.h", "Block.h", "OSBase.h", "OSByteOrder.h", "OSDebug.h", "OSMalloc.h", "OSAtomic.h", "OSReturn.h", "OSKextLib.h", "OSTypes.h", "version.h", "sysctl.h", "tree.h", "zconf.h", "zlib.h", "libkern.h", "kdp_callout.h", "kdp_en_debugger.h", "ipc_types.h", "krpc.h", "rpcv2.h", "xdr_subs.h", "nfs.h", "nfsproto.h", "bootp.h", "if_ether.h", "icmp6.h", "icmp_var.h", "igmp_var.h", "igmp.h", "in_pcb.h", "in_stat.h", "in_private.h", "in_arp.h", "in_var.h", "in_systm.h", "ip_var.h", "ip_icmp.h", "kpi_ipfilter.h", "ip6.h", "tcp_private.h", "ip.h", "tcp_timer.h", "tcp_fsm.h", "udp_var.h", "tcp_seq.h", "tcpip.h", "udp.h", "tcp_var.h", "tcp.h", "IOPCIFamilyDefinitions.h", "IOPCIDevice.iig", "PCIDriverKit.h", "IOPCIDevice.h", "audit_ioctl.h", "stdarg.h", "stdatomic.h", "stdbool.h", "stddef.h", "string.h", "stdint.h", "ptrauth.h", "math.h", "monotonic.h", "static_if.h", "machine_kpc.h", "machine_remote_time.h", "ipc_pthread_priority_types.h", "lz4_assembly_select.h", "vm_compressor_algorithms.h", "lz4.h", "pmap.h", "vm_dyld_pager.h", "vm_far.h", "vm_fault.h", "vm_map.h", "lz4_constants.h", "vm_options.h", "vm_pageout.h", "vm_memtag.h", "vm_shared_region.h", "vm_kern.h", "vfs_support.h", "vecLib.h", "vecLibTypes.h", "vBasicOps.h", "vForce.h", "vDSP.h", "uuid.h", "UNDReply.defs", "UNDRequest.defs", "KUNCUserNotifications.h", "UNDTypes.defs", "UNDTypes.h", "TargetConditionals.h", "apfs_boot_mount.tbd", "av.h", "cop.h", "bitcount.h", "cv.h", "ebcdic_tables.h", "EXTERN.h", "embedvar.h", "fakesdio.h", "feature.h", "form.h", "gv.h", "git_version.h", "dosish.h", "hv_macro.h", "hv_func.h", "config.h", "INTERN.h", "handy.h", "intrpvar.h", "invlist_inline.h", "hv.h", "iperlsys.h", "keywords.h", "libperl.tbd", "embed.h", "l1_char_class_tab.h", "mg_data.h", "mg_raw.h", "mg.h", "mg_vtable.h", "mydtrace.h", "nostdio.h", "op_reg_common.h", "op.h", "opcode.h", "inline.h", "overload.h", "opnames.h", "parser.h", "malloc_ctl.h", "pad.h", "perl_inc_macro.h", "perl_langinfo.h", "perl_siphash.h", "patchlevel.h", "perlapi.h", "metaconfig.h", "perlio.h", "perldtrace.h", "perliol.h", "perlvars.h", "perlsdio.h", "pp_proto.h", "perly.h", "pp.h", "reentr.h", "regcomp.h", "perl.h", "regexp.h", "scope.h", "sbox32_hash.h", "time64_config.h", "time64.h", "sv.h", "unixish.h", "uconfig.h", "utfebcdic.h", "unicode_constants.h", "utf8.h", "regnodes.h", "util.h", "vutil.h", "uudmap.h", "warnings.h", "XSUB.h", "zaphod32_hash.h", "encode.h", "python-3.9.pc", "python-3.9-embed.pc", "python3-embed.pc", "python3.pc", "AFKUser.tbd", "AdID.tbd", "Admin.tbd", "AirPlayReceiver.tbd", "AppSandbox.tbd", "ASEProcessing.tbd", "AuthenticationServicesCore.tbd", "WebGPU.tbd", "WebDriver.tbd", "MapKit.tbd", "SwiftUI.swiftoverlay", "WebKit.tbd", "WebKit.apinotes", "WKBackForwardList.h", "NSAttributedString.h", "WebKit.h", "WKBackForwardListItem.h", "WKContentRuleList.h", "WKContentRuleListStore.h", "WKContextMenuElementInfo.h", "WKDataDetectorTypes.h", "WKContentWorld.h", "WKError.h", "WKFoundation.h", "WKFindResult.h", "WKHTTPCookieStore.h", "WKFrameInfo.h", "WKNavigation.h", "WKFindConfiguration.h", "WKNavigationDelegate.h", "WKNavigationResponse.h", "WKOpenPanelParameters.h", "WebKitLegacy.h", "WKPreviewActionItem.h", "WKNavigationAction.h", "WKPreferences.h", "WKPreviewActionItemIdentifiers.h", "WKPreviewElementInfo.h", "WKProcessPool.h", "WKDownload.h", "WKPDFConfiguration.h", "WKScriptMessage.h", "WKSecurityOrigin.h", "WKScriptMessageHandler.h", "WKSnapshotConfiguration.h", "WKUIDelegate.h", "WKURLSchemeTask.h", "WKWebpagePreferences.h", "WKUserContentController.h", "WKWebsiteDataStore.h", "WKWebsiteDataRecord.h", "WKUserScript.h", "WKURLSchemeHandler.h", "WKWebViewConfiguration.h", "WKWebView.h", "WKScriptMessageHandlerWithReply.h", "WKWindowFeatures.h", "WKDownloadDelegate.h", "ASAccountAuthenticationModificationController.h", "ASAccountAuthenticationModificationViewController.h", "ASAuthorization.h", "ASAuthorizationAppleIDButton.h", "ASAccountAuthenticationModificationRequest.h", "ASAuthorizationAppleIDProvider.h", "ASAuthorizationAppleIDRequest.h", "ASAuthorizationAppleIDCredential.h", "ASAuthorizationController.h", "ASAuthorizationCredential.h", "ASAccountAuthenticationModificationExtensionContext.h", "ASAuthorizationError.h", "ASAuthorizationCustomMethod.h", "ASAuthorizationPasswordRequest.h", "ASAuthorizationOpenIDRequest.h", "ASAuthorizationPlatformPublicKeyCredentialDescriptor.h", "ASAuthorizationPlatformPublicKeyCredentialProvider.h", "ASAccountAuthenticationModificationReplacePasswordWithSignInWithAppleRequest.h", "ASAccountAuthenticationModificationUpgradePasswordToStrongPasswordRequest.h", "ASAuthorizationPlatformPublicKeyCredentialRegistrationRequest.h", "ASAuthorizationPlatformPublicKeyCredentialRegistration.h", "ASAuthorizationProvider.h", "ASAuthorizationPlatformPublicKeyCredentialAssertion.h", "ASAuthorizationPublicKeyCredentialAssertion.h", "ASAuthorizationPublicKeyCredentialAssertionRequest.h", "ASAuthorizationPublicKeyCredentialConstants.h", "ASAuthorizationProviderExtensionAuthorizationResult.h", "ASAuthorizationPublicKeyCredentialDescriptor.h", "ASAuthorizationPublicKeyCredentialLargeBlobAssertionOutput.h", "ASAuthorizationPasswordProvider.h", "ASAuthorizationPublicKeyCredentialLargeBlobRegistrationInput.h", "ASAuthorizationPublicKeyCredentialParameters.h", "ASAuthorizationPublicKeyCredentialLargeBlobRegistrationOutput.h", "ASAuthorizationPublicKeyCredentialRegistration.h", "ASAuthorizationPublicKeyCredentialRegistrationRequest.h", "ASAuthorizationPublicKeyCredentialLargeBlobAssertionInput.h", "ASAuthorizationSecurityKeyPublicKeyCredentialAssertion.h", "ASAuthorizationRequest.h", "ASAuthorizationPlatformPublicKeyCredentialAssertionRequest.h", "ASAuthorizationSecurityKeyPublicKeyCredentialProvider.h", "ASAuthorizationSingleSignOnCredential.h", "ASAuthorizationSecurityKeyPublicKeyCredentialDescriptor.h", "ASAuthorizationSecurityKeyPublicKeyCredentialAssertionRequest.h", "ASAuthorizationSecurityKeyPublicKeyCredentialRegistration.h", "ASAuthorizationSingleSignOnProvider.h", "ASAuthorizationWebBrowserExternallyAuthenticatableRequest.h", "ASAuthorizationWebBrowserPlatformPublicKeyCredentialAssertionRequest.h", "ASAuthorizationWebBrowserPlatformPublicKeyCredentialRegistrationRequest.h", "ASAuthorizationWebBrowserPublicKeyCredentialManager.h", "ASAuthorizationWebBrowserPlatformPublicKeyCredential.h", "ASAuthorizationWebBrowserSecurityKeyPublicKeyCredentialAssertionRequest.h", "ASAuthorizationWebBrowserSecurityKeyPublicKeyCredentialRegistrationRequest.h", "ASCOSEConstants.h", "ASCredentialIdentity.h", "ASAuthorizationSingleSignOnRequest.h", "ASCredentialIdentityStore.h", "ASAuthorizationWebBrowserSecurityKeyPublicKeyCredentialProvider.h", "ASCredentialProviderExtensionContext.h", "ASCredentialProviderViewController.h", "ASAuthorizationSecurityKeyPublicKeyCredentialRegistrationRequest.h", "ASCredentialServiceIdentifier.h", "ASExtensionErrors.h", "ASAuthorizationProviderExtensionAuthorizationRequest.h", "ASCredentialRequest.h", "ASAuthorizationWebBrowserPlatformPublicKeyCredentialProvider.h", "ASPasskeyAssertionCredential.h", "ASPasskeyCredentialRequest.h", "ASPasskeyCredentialRequestParameters.h", "ASCredentialIdentityStoreState.h", "ASPasskeyRegistrationCredential.h", "ASPasswordCredential.h", "ASPublicKeyCredential.h", "ASPasskeyCredentialIdentity.h", "ASPublicKeyCredentialClientData.h", "ASSettingsHelper.h", "ASWebAuthenticationSessionCallback.h", "ASWebAuthenticationSession.h", "ASWebAuthenticationSessionRequest.h", "ASWebAuthenticationSessionWebBrowserSessionManager.h", "AuthenticationServices.h", "ASFoundation.h", "AuthenticationServices.apinotes", "ASWebAuthenticationSessionWebBrowserSessionHandling.h", "ASPasswordCredentialIdentity.h", "ASPasswordCredentialRequest.h", "GameKit.apinotes", "GKAccessPoint.h", "GameKit.h", "GKAchievement.h", "GKAchievementViewController.h", "GKBasePlayer.h", "GKAchievementDescription.h", "GKChallengeEventHandler.h", "GKCloudPlayer.h", "GKChallengesViewController.h", "GKChallenge.h", "GKDefines.h", "GKError.h", "GKEventListener.h", "GKFriendRequestComposeViewController.h", "GKDialogController.h", "GKGameSessionEventListener.h", "GKGameSessionError.h", "GKGameCenterViewController.h", "GKGameSessionSharingViewController.h", "GKLeaderboardEntry.h", "GKLeaderboard.h", "GKLeaderboardScore.h", "GKGameSession.h", "GKLeaderboardSet.h", "GKLocalPlayer.h", "GKLeaderboardViewController.h", "GKMatch.h", "GKMatchmaker.h", "GKMatchmakerViewController.h", "GKPeerPickerController.h", "GKNotificationBanner.h", "GKPublicConstants.h", "GKPlayer.h", "GKPublicProtocols.h", "GKSavedGameListener.h", "GKScore.h", "GKSessionError.h", "GKVoiceChat.h", "GKTurnBasedMatchmakerViewController.h", "GKSession.h", "GKTurnBasedMatch.h", "GKSavedGame.h", "GKVoiceChatService.h" ], "public": 1, "adversary": "Turla Group, FIN7, APT34, APT28, DragonForce Malaysia Hacker Group, Indonesia Islamic Warriors Counc", "targeted_countries": [ "United States of America", "India", "Australia" ], "malware_families": [ { "id": "OSAtomic", "display_name": "OSAtomic", "target": null }, { "id": "OSReturn", "display_name": "OSReturn", "target": null }, { "id": "Ver", "display_name": "Ver", "target": null }, { "id": "Internet", "display_name": "Internet", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 39, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ilyailya", "id": "298851", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1968, "domain": 526, "FileHash-SHA256": 207, "hostname": 972, "email": 55, "FileHash-SHA1": 9, "FileHash-MD5": 4, "CVE": 2, "CIDR": 10 }, "indicator_count": 3753, "is_author": false, "is_subscribing": null, "subscriber_count": 34, "modified_text": "347 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "664b74b2683dec84891aef96", "name": "PrivateLoader is a malware with a module structure that has the capability is to download and execute one or several payloads", "description": "http://185.172.128.69/batushka/inte.exe \nhttp://185.172.128.69/allnewumm.exe\nhttp://185.172.128.69/brandumma.exe\nhttp://185.172.128.69/files\nhttp://185.172.128.69/files/US.file\nhttp://185.172.128.69/latestumma.exe\nhttp://185.172.128.69/newumma.exe\nhttp://185.172.128.69/sekundumma.exe\nhttp://185.172.128.69/ummanew.exe", "modified": "2024-10-14T20:36:05.361000", "created": "2024-05-20T16:05:06.313000", "tags": [ "stdin via", "nextron", "powershell id", "powershell", "tim rauch", "elastic", "script block", "logging", "pe32", "ms windows", "intel", "nazwa typ", "md5 nazwa", "procesu" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 7268, "domain": 1310, "URL": 8101, "FileHash-SHA1": 1615, "hostname": 2590, "FileHash-MD5": 1852, "email": 267, "SSLCertFingerprint": 3, "CIDR": 38, "CVE": 7, "IPv4": 15, "YARA": 4 }, "indicator_count": 23070, "is_author": false, "is_subscribing": null, "subscriber_count": 135, "modified_text": "551 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65709a384e3e8573cf5ecac4", "name": "v2 - kopat electronic door security with hybrid scan data", "description": "", "modified": "2023-12-06T15:58:48.938000", "created": "2023-12-06T15:58:48.938000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1569, "URL": 3824, "email": 8, "domain": 290, "hostname": 189, "FileHash-MD5": 576, "FileHash-SHA1": 52 }, "indicator_count": 6508, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65708ed8f7d4b5483117bb66", "name": "abuse.ch", "description": "", "modified": "2023-12-06T15:10:16.397000", "created": "2023-12-06T15:10:16.397000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 223, "domain": 383, "URL": 1639, "hostname": 560, "email": 1, "FileHash-MD5": 2 }, "indicator_count": 2808, "is_author": false, "is_subscribing": null, "subscriber_count": 114, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65708e456bdbf8ea8d0d504a", "name": "whitehouse.gov", "description": "", "modified": "2023-12-06T15:07:49.577000", "created": "2023-12-06T15:07:49.577000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 449, "hostname": 639, "domain": 245, "URL": 1609, "FileHash-MD5": 4 }, "indicator_count": 2946, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65708e2d7cb4228401888b63", "name": "possibly a central bank", "description": "", "modified": "2023-12-06T15:07:25.990000", "created": "2023-12-06T15:07:25.990000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 622, "domain": 2558, "URL": 4203, "hostname": 1221, "CVE": 1 }, "indicator_count": 8605, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65708c712f63f24552fa3e38", "name": "bgp.net malicious hosting", "description": "", "modified": "2023-12-06T15:00:01.600000", "created": "2023-12-06T15:00:01.600000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 173, "hostname": 417, "URL": 1208, "domain": 267, "CVE": 1 }, "indicator_count": 2066, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65708c68b4f63f4ac0d16ff5", "name": "egihosting.com - malware", "description": "", "modified": "2023-12-06T14:59:52.017000", "created": "2023-12-06T14:59:52.017000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 120, "hostname": 352, "domain": 115, "URL": 934 }, "indicator_count": 1521, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65708c45f8a517d76d776231", "name": "Malware - reliablesite.net", "description": "", "modified": "2023-12-06T14:59:17.346000", "created": "2023-12-06T14:59:17.346000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 238, "domain": 565, "hostname": 827, "URL": 2233 }, "indicator_count": 3863, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65708c37c54dd9e78f85c0fa", "name": "\u7ea2\u674f\u89c6\u9891 malware", "description": "", "modified": "2023-12-06T14:59:03.859000", "created": "2023-12-06T14:59:03.859000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1686, "hostname": 2218, "URL": 5740, "domain": 901, "FileHash-MD5": 3 }, "indicator_count": 10548, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65708c0791fece390b1a096e", "name": "Choopa.com - vultr", "description": "", "modified": "2023-12-06T14:58:15.734000", "created": "2023-12-06T14:58:15.734000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 453, "hostname": 1241, "domain": 430, "URL": 3454 }, "indicator_count": 5578, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65707fe17dfdfe16066d16de", "name": "Bexar.org", "description": "", "modified": "2023-12-06T14:06:25.800000", "created": "2023-12-06T14:06:25.800000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1735, "hostname": 1833, "domain": 1025, "URL": 4668, "email": 4, "FileHash-MD5": 133, "FileHash-SHA1": 6, "CIDR": 5 }, "indicator_count": 9409, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65707f7f79257c3b4f276f35", "name": "whitehouse.govapi_2.27.22", "description": "", "modified": "2023-12-06T14:04:47.874000", "created": "2023-12-06T14:04:47.874000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 489, "hostname": 405, "domain": 306, "URL": 1451, "email": 1, "FileHash-MD5": 4 }, "indicator_count": 2656, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65707e5b7df6f60133e8fb50", "name": "Jeeng / Powerbox", "description": "", "modified": "2023-12-06T13:59:55.129000", "created": "2023-12-06T13:59:55.129000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 3, "FileHash-SHA256": 9072, "domain": 2500, "hostname": 3584, "URL": 13548, "FileHash-MD5": 197, "FileHash-SHA1": 162, "email": 19, "CIDR": 20, "SSLCertFingerprint": 2, "BitcoinAddress": 1 }, "indicator_count": 29108, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "645932281e34157197d4cbe4", "name": "v2 - kopat electronic door security with hybrid scan data", "description": "", "modified": "2023-05-08T17:32:24.648000", "created": "2023-05-08T17:32:24.648000", "tags": [ "dropped file", "null", "varchar", "gecko", "pcap", "pcap processing", "win64", "khtml", "span", "cookie", "path", "mozi", "roboto", "class", "mozilla", "body", "form", "window", "accept", "meta", "iframe", "contact", "4629", "trim", "embed", "dwis", "test", "tear", "qakbot", "tecv", "1inb", "a3ob", "u9p10dkhttps", "windir", "openurl c", "l10dkhttps", "charset", "w6t2hm", "is6bi" ], "references": [ "https://www.hybrid-analysis.com/sample/5ea6b6bdf0a82359f7f73c6095b6c8891be485234e5544ef18a000136617a1b6/645767842cd19c9c560f0381" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "callmeDoris", "id": "205385", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3824, "hostname": 189, "domain": 290, "FileHash-SHA256": 1569, "email": 8, "IPv4": 27, "FileHash-MD5": 576, "FileHash-SHA1": 52 }, "indicator_count": 6535, "is_author": false, "is_subscribing": null, "subscriber_count": 95, "modified_text": "1077 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6368556744107705c1acb8ab", "name": "online file analysis results for 'jquery.min.js", "description": "oops", "modified": "2022-11-07T00:46:31.406000", "created": "2022-11-07T00:46:31.406000", "tags": [ "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "runtime data", "null", "ansi", "unicode", "regexp", "parsefloat", "width", "typeof", "sufeffxa0", "hybrid analysis", "path", "error", "date", "class", "hybrid", "close", "click", "ransomware", "alpha", "body", "accept", "strings", "malicious", "suspicious" ], "references": [ "https://hybrid-analysis.com/sample/61c6caebd23921741fb5ffe6603f16634fca9840c2bf56ac8201e9264d6daccf/56fbb445aac2ed6260ae9802" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dorkingbeauty1", "id": "80137", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 651, "FileHash-SHA256": 6, "domain": 71, "hostname": 185, "FileHash-MD5": 1, "FileHash-SHA1": 1 }, "indicator_count": 915, "is_author": false, "is_subscribing": null, "subscriber_count": 392, "modified_text": "1259 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62e80d56fba248bac0744780", "name": "\ud83e\udd14\ud83d\udea8 Could this be the source of all Evil? \ud83d\udea8\ud83e\udd14 Nubotnet - Team:KU Leuven/test2 - 2021.igem.org", "description": "", "modified": "2022-08-31T00:01:05.509000", "created": "2022-08-01T17:28:54.991000", "tags": [ "apt", "runtime data", "decrypted ssl", "pcap", "windows nt", "tops", "cookie", "typeof t", "element", "error", "matrix", "typeerror", "bmfloor", "frameelement", "null", "skew", "parade" ], "references": [ "https://2021.igem.org/Team:KU_Leuven/test2", "https://hybrid-analysis.com/sample/e126ff94aac3340dc05a27f062c4267cbfeaa998248bef0e72f000bba711aa76/62e6fb475edc950b894aa7b0" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dorkingbeauty1", "id": "80137", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1696, "domain": 586, "hostname": 613, "FileHash-SHA256": 533, "FileHash-MD5": 34, "FileHash-SHA1": 33, "email": 1 }, "indicator_count": 3496, "is_author": false, "is_subscribing": null, "subscriber_count": 393, "modified_text": "1327 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62e1ca167a1591e7b4ca1129", "name": "VirusTotal view-source on https://www.virustotal.com/en/file/undefined/analysis/", "description": "someone really needs to figure out wtf this is all doing it has to be part of the net.sh", "modified": "2022-07-28T02:05:04.183000", "created": "2022-07-27T23:28:22.504000", "tags": [ "array", "object", "typeof t", "layer1", "error", "path", "function", "typeerror", "date", "svg export", "span", "null", "unknown", "click", "february", "april", "june", "august", "this", "void", "bounce", "string", "regexp", "number", "sxa0", "amptoken", "optout", "notfound", "contenttype", "form", "copyright", "element", "polymer project", "authors", "bsd style", "code", "google", "software", "window", "generator", "comment", "trident", "typeof e", "typeof symbol", "typeof btoa", "btoa", "typeof reflect", "boolean", "customevent", "plugin", "build", "home", "intelligence", "graph", "report", "urls", "please", "javascript", "https://www.virustotal.com/en/file/undefined/analysis/", "net.sh" ], "references": [ "entity%3Aip%20whois%3Ainfo%40anodicnetwork.com.html", "14.main.bundle.91f9f7ff635e0b797de3.js", "5.main.bundle.e92e5e24e074f9c2a52b.js", "0.main.bundle.a9d68f5204cd3ac257b6.js", "webcomponent-polyfill.js", "analytics.js", "12.main.bundle.50be73a11d1d3745a5ee.js", "\" Page not found Page not found