{ "type": "Domain", "indicator": "value.name", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/value.name", "alexa": "http://www.alexa.com/siteinfo/value.name", "indicator": "value.name", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3162388553, "indicator": "value.name", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 19, "pulses": [ { "id": "69f46a108000bd36fe90d5be", "name": "APT29", "description": "In the latest episode of the LNK forensic analysis series, we look at how a malicious file was linked to a Chinese-speaking threat actor, who then modified the file to target a powershell program.", "modified": "2026-05-31T06:03:25.904000", "created": "2026-05-01T08:53:34.200000", "tags": [ "sha1", "ipv4", "sha256", "n cobalt", "n https", "strong", "rararchive", "backdoor", "n c2", "cobalt strike", "guloader", "cobaltstrike", "cobalt", "downloader", "april", "icedid", "dropper", "june", "trickbot", "donut", "fast", "payload", "unknown", "delphi", "noname", "anydesk", "blister", "quasar", "winnti", "somnia", "qakbot", "gogo", "netwire", "chrysalis", "download", "exploit", "netspy", "loader", "ursnif", "themida", "vidar", "doublezero", "voldemort", "next", "meterpreter", "tencent", "plugx", "shadow", "batloader", "redline stealer", "havoc", "resident", "decoy", "dump", "shellcode", "infostealer", "appe", "bumblebee", "emotet", "syscall", "acidrain", "credomap", "cozyduke", "ukraine", "daveshell", "cont", "refer", "fail", "first", "snake", "mega", "onlin", "grayrabbit", "open", "power", "august", "test", "path", "mimikatz", "nbtscan", "impacket", "comment", "install", "redline", "comet", "autoit", "wiper", "endurance", "sharphound", "psexec", "malicious", "service", "wind", "installer", "info", "confi", "remcosrat", "hermeticwiper", "isaacwiper", "graphsteel", "caddywiper", "grimplant", "industroyer2", "defense", "energy", "telecom", "media", "grapeloader", "wineloader", "envyscout", "sunburst", "panda", "metasploit", "sparkrat", "zbot", "darkgate", "finspy", "rhadamanthys", "warmcookie", "trojanspy", "diceloader", "asyncrat", "esxiargs", "webshell", "cerber", "azorult", "lokibot", "blackcat", "poortry", "cuba", "malcat", "ctrlt", "transform", "bazaar", "virustotal", "window", "pdf document", "iit app", "tools", "lucky", "injector", "handleref", "temp", "conti", "groupexchange", "group400", "grouprevil", "revilconti", "providerpath", "regexpandsz", "minidump", "groupuchebkac", "malware", "bypass", "adfind", "threat", "command", "procdump", "seatbelt", "below", "anydesk remote", "lsass", "powershell", "cookie", "android", "null", "sliver", "initial access", "code", "defender", "defense evasion", "enterprise", "powerview", "pipes", "cloud", "date", "poison", "advantage", "mind", "designer", "shell", "projector libra", "bazarloader", "figure", "file size", "transferxl", "palo alto", "iso image", "windows", "wildfire", "february", "alliance", "bazarbackdoor", "bokbot", "diavol", "shown", "hook", "threat spotlight", "manjusaka", "c2 server", "appliance", "cisco talos", "golang", "haixi mongol", "prefecture", "talos", "rust", "agent", "win64", "hello", "xor algorithms", "z85 ascii85", "base85", "ascii85", "compile", "z85 https", "threat analysis", "primary threat", "elf", "strike payload", "uri http", "post body", "lockbit", "sentinellabs", "c curl", "ip address", "lockbit black", "cyber threats", "investigations", "research", "expert perspective", "articles", "news", "reports", "learn", "trend vision", "vision one", "gootkit", "trend micro", "amsi telemetry", "micro", "gootkit loader", "security", "stop", "find", "life", "operations", "protect", "small", "carriers", "voice", "attack", "suncrypt", "revil", "sodinokibi", "kronos", "korean", "createobject", "javascript", "ascii value", "opens", "urls", "color1", "python script", "gootloader", "twitter", "python", "unc1151", "microbackdoor", "beacon", "base64", "github", "run registry", "putty", "persistence", "discord", "blackenergy", "state", "uac0056", "detection", "threatdown", "cybercrime has", "machinescale", "response", "nebula", "indirizzo", "il file", "questo cert", "italia", "il messaggio", "allegato", "covid19", "file pdf", "html", "serbia", "stata", "file location", "https traffic", "thursday", "windows host", "wireshark", "emotet run", "pakistan", "ttps", "shadowpad", "plugx backdoor", "kaspersky ics", "afghanistan", "malaysia", "march", "cert", "ntlm", "winrar", "assembly", "china chopper", "microsoft", "fancybear", "cozybear", "december", "strontium", "ransomhub", "matrix", "raspberry robin", "sofacy", "beatdrop", "quietexit", "cyclops", "knight", "bank", "facebook", "beer", "worm", "threat advisory", "ransomware", "threats", "securex", "avos", "unified access", "gateways", "avoslocker", "cisco secure", "vmware horizon", "darkcomet", "apt29", "nobelium", "stellarparticle", "shadow chaser", "file type", "sha256 hash", "html file", "pe32", "intel", "matanbuchus", "confluence", "data center", "server", "waf rule", "confluence data", "shut", "jars", "cvss", "update", "centerall", "mustang panda", "vietnam", "analyze", "dll file", "summary", "vincss", "vietnamese", "english", "unc2165", "evil corp", "fakeupdates", "dridex", "hades", "colorfake", "bitpaymer", "doppelpaymer", "wastedlocker", "megasync", "trojan", "payloadbin", "macaw", "cuba ransomware", "tor directory", "bughatch", "iis worker", "mare", "team", "zenpak", "impact", "mosquito", "exfiltration", "execution", "masquerading", "netsupport rat", "select", "script", "hash", "press enter", "http", "activexobject", "lnk file", "socgholish", "servhelper", "fakeupdate", "model", "socgholish netsupport", "netsupport", "ta551", "ryuk", "threat actor", "hta file", "trickbot c2", "sonatype", "drops cobalt", "strike", "pymafka", "open source", "contact us", "macos", "nexus", "demo", "protected", "friday", "gold blackburn", "ahnlab", "was1", "was2", "dc server", "coinminer", "ntlm hash", "january", "ad group", "darkside", "miner", "win32.bitcoinminer", "win32.agent", "frp", "transferxl url", "iso file", "bumblebee c2", "file name", "exotic lily", "transferxl urls", "function", "dropbox", "c2 dropbox", "c2clientmain", "filename", "av evasion", "syswhispers2", "dropbox loader", "stream", "mark", "back", "pcap", "ta578", "contact forms", "images evidence", "windows service", "main entry", "a service", "service main", "entry point", "windows context", "administrator", "concept", "https", "lazagne", "setmppreference", "use ie", "msie", "windows nt", "bloodhound", "wmiexec", "covenant", "empire", "poshc2", "organization", "cleanup", "winscp", "dword", "netscan", "http c2", "base64url", "c2 traffic", "netbios", "teamserver", "mask", "legezo", "windows event", "denis legezo", "september", "silent break", "windows system", "rc4 encryption", "sysdig", "plugx implant", "myanmar", "russia", "hong kong", "reddelta", "belarus", "digital certificates", "fileless malware", "malware descriptions", "malware technologies", "rat trojan", "targeted attacks", "silentbreak", "throwback", "linode", "slingshot", "inject", "patch", "magic", "mozilla", "false", "\u30b5\u30a4\u30d0\u30fc\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3", "\u30de\u30af\u30cb\u30ab\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u30b9", "word", "stager", "url https", "windows10", "dll sideloading", "ida pro", "darkhotel", "oceanlotus", "mandiant", "boommic", "group policy", "smb beacon", "trello", "kerberos", "pass", "vaporrage", "platform sha256", "urls http", "unc2452", "opsec", "scale", "apt29 activity", "apt29 conduct", "global func", "vmware xfer", "edrepp", "vmware command", "dfir team", "abcd", "stealbit", "stdout", "hooks", "logic", "dfir report", "icedid malware", "icedid payload", "pty ltd", "goodware", "string", "desktop", "morphisec", "vmware identity", "morphisec labs", "core impact", "vmware", "workspace one", "access", "cve202222957", "cve202222958", "fortune", "jssloader", "stark", "moving", "please", "virtualbox", "registry", "windows logon", "hive", "varonis", "ai security", "proxyshell", "detect", "data risk", "google cloud", "trust", "varonis threat", "contact", "qbot", "void", "police", "pysa", "chisel", "files", "where", "pysa ransomware", "redacted", "force", "getchilditem", "aes key", "szdrf", "mespinoza", "target", "winapi", "edr hooks", "winapi call", "endpoint", "tracing", "api call", "direct system", "phase", "import", "outflank", "dll payload", "bumblebee dll", "programdata", "orion", "strings", "example", "zloader", "eset research", "atera agent", "eset", "aitb", "eset security", "tips", "silent", "night", "botnet", "teamviewer", "atera", "capture", "grantedaccess", "computer", "lsass memory", "targetimage", "sourceimage", "simulate", "atomic", "karakurt", "view", "hacking team", "sign", "contributors", "from karakurt", "appearance", "manage", "write", "star", "stars", "ruby", "footer", "birdwatch", "fin7", "easylook", "unc3381", "powerplant", "crowview", "boatlaunch", "stoneboat", "fowlgaze", "uuid variant", "hell", "ipfuscation", "james haughom", "ipfuscated", "gate variant", "gate", "rubeus", "wow64", "cp1250", "uuids", "touch", "blob", "hwinithlw", "sphw", "shathak", "conti affiliate", "valentine", "favorite", "rats", "ragnarlocker", "hellokitty", "squirrelwaffle", "uris", "http get", "post", "http post", "c2 profile", "accept", "vnc activity", "ms windows", "go downloader", "unc2589", "ta471", "sentinelone", "module stomp", "return address", "cobalt strikes", "rtlallocateheap", "use section", "dlls", "first detection", "apt41", "dustpan", "cve202144207", "cve202144228", "log4shell", "vmprotect", "deadeye", "keyplug", "filler", "confuserex", "badpotato", "task manager", "lsass process", "cisa", "bazar", "hancitor", "splashtop", "kportscan", "story", "emotet payload", "excel", "appdatalocal", "november", "emotet campaign", "vba macro", "cybercrime", "cybersecurity architect", "threat research", "jarm signature", "sha2", "jarm", "salesforce", "epoch", "emotet core", "epochs", "conti group", "emotet epoch", "trickbot group", "prior", "threat response", "unit", "socs", "hunters", "cyber", "mssql", "mssql server", "lemon duck", "asec analysis", "account", "kingminer", "vollgar", "mssql process", "cve20201472", "reg add", "regdword", "makes", "et exploit", "core", "possible", "comspec", "tracker", "userdomain", "appdata", "hide", "vbscript", "exclusionpath", "userpcname", "ipcount", "gozi", "cybereason", "exchange", "datoploader", "cybereason xdr", "report", "phishing", "pinkslipbot", "theft", "beyond", "never", "malwarebazaar", "strike activity", "filejust", "file contentsi", "vscode", "sublime editor", "windows exe", "utf8", "turla", "root", "msoffice", "nativezone", "kazuar", "bluenoroff", "customerloader", "muddywater", "chat", "overwatch", "aquatic panda", "log4j", "linux", "apache tomcat", "crowdstrike", "github project", "click", "fishmaster", "yanluowang", "thieflock", "scanner", "canthroid", "grabff", "symantec", "connectwise", "screenconnect", "fivehands", "browserpassview", "rundll32", "sharefinder", "wmic", "ping", "rollcoast", "south africa", "unc2190", "july", "tycoon", "unc2190 beacon", "latin", "arcane", "sabbath", "slovak", "slovakia", "albanian", "albania", "swedish", "turkish", "indonesia", "estonia", "armenia", "c2 data", "cyberchef", "javascript code", "rsa key", "remove", "get request", "xor key", "exploits & vulnerabilities", "managed xdr", "one marketplace", "lockfile", "attack overview", "stage", "conti gang", "datop", "handover", "kazakhstan", "os version", "winrm", "protocol", "enterpssession", "psrp", "windows remote", "source process", "stack", "rita", "threat feed", "myrtus", "harvester", "c activity", "artefactsfolder", "identity", "infectionid", "october", "main", "ad environment", "bazar c2", "networks", "d3desdecrypt", "nim malware", "jason", "part", "reaves6 min", "nimrodnimza", "rustybuer", "nimgrabber", "caesar", "file encryption", "nimrev", "discovery", "data", "mitre att", "powersploit", "leverage", "beaconloader", "doorme backdoor", "issuer cus", "apt group", "chamelgang", "doorme", "mcafee", "timestomp", "copy", "oilrig", "error", "body", "eternalblue", "zip file", "enable", "content", "vbs script", "word document", "maldoc", "form", "win api", "bazarloader dll", "intro conti", "coveware", "raas", "ransom", "ryuk ransomware", "cve202140444", "multiple", "north america", "europe", "asia", "html object", "mshtml engine", "sidewalk", "crosswalk", "c server", "sparklinggoblin", "google docs", "winnti group", "format", "darkshell", "motnug", "threat-intelligence", "apt", "nsa", "def con", "iso filesystem", "iocs", "recon village", "leviathan", "encrypt", "prophet spider", "oracle weblogic", "exception", "weblogic access", "class", "linux system", "egregor", "mountlocker", "radar", "front", "gotroj", "encoder", "stealer", "soar", "speed", "prophet", "classloader", "reconnaissance", "tech", "recon", "et cnc", "feodo tracker", "cnc server", "trigger", "alive", "spawn", "method", "http method", "jitter", "port", "beacon type", "later", "close", "browser", "chinese-speaking cybercrime", "google chrome", "microsoft word", "spear phishing", "luminousmoth", "honeymyte", "assistant", "username", "motc", "ministry", "local", "xll file", "docusign", "hancitor dll", "hancitor exe", "ficker stealer", "api hashing", "api hash", "monpass", "avast", "monpass client", "monpass web", "mongolia", "jan rubn", "discovered", "initial contact", "final", "watermark", "chanitor", "pony", "vawtrak", "uwaga", "falcon complete", "falcon", "wizard spider", "lime", "easy", "flex", "yahxz", "efno", "unc2465", "ngrok", "ultravnc", "methodology", "ngrok tunnel", "smokedham", "guard", "dllstageless", "submission", "size", "noblebaron", "itw name", "scout", "elite", "containedwithin", "withheld", "relatedto", "strike beacon", "matches no", "privacy", "description", "entropy", "restrict", "host ip", "owner", "igos", "germany", "file", "type", "artemis", "rozena", "razy", "khalesi", "\u30c7\u30b8\u30bf\u30eb\u7f72\u540d", "cobalt strike loader", "\u6a19\u7684\u578b\u653b\u6483", "strike loader", "iocindicator", "microsoft docs", "2 cobalt", "3 sigcheck", "1 microsoftdll", "powershell rat", "macro", "progression", "hackerman", "robinhood", "scan behavioral", "unusual port", "potential scan", "campo loader", "dfdownloader", "japan", "post method", "openfield", "blacktds", "public", "behaviour", "variant", "malicious file", "transfer", "control", "feature", "fireeye", "plink", "campo", "bazarcall", "xyzcampobb hxxp", "ioc510", "urlcampo", "20214", "headlines", "tlds", "duck", "beapy", "prometei", "umbrella", "wdigest", "iceid", "networkminer", "caploader", "network forensics", "ja3", "x.509", "sslbl", "1768.py", "didier stevens", "8da75e1f974d1011c91ed3110a4ded38", "e9b5e549363fa9fcb362b606b75d131dec6c020e", "0314b8cd45b636f38d07032dc8ed463295710460ea7a4e214c1de7b0e817aab6", "banusdona.top", "172.67.188.12", "f98711dfeeab9c8b4975b2f9a88d8fea", "c2bdc885083696b877ab6f0e05a9d968fd7cc2bb", "213e9c8bf7f6d0113193f785cb407f0e8900ba75b9131475796445c11f3ff37c", "momenturede.fun", "104.236.115.181", "96a535122aba4240e2c6370d0c9a09d3", "485ba347cf898e34a7455e0fd36b0bcf8b03ffd8", "11965662e146d97d3fa3288e119aefb2", "b63d7ad26df026f6cca07eae14bb10a0ddb77f41", "d45b3f9d93171c29a51f9c8011cd61aa44fcb474d59a0b68181bb690dbbf2ef5", "vaccnavalcod.website", "mazzappa.fun", "ameripermanentno.website", "odichaly.space", "83.97.20.176", "452e969c51882628dac65e38aff0f8e5ebee6e6b", "lesti.net", "185.141.26.140", "449c1967d1708d7056053bedb9e45781", "1ab39f1c8fb3f2af47b877cafda4ee09374d7bd3", "c7da494880130cdb52bd75dae1556a78f2298a8cc9a2e75ece8a57ca290880d3", "45.147.229.157", "1580103814", "luckymouse", "emissary panda", "apt 27", "apt27", "a0e9f5d64349fb13191bc781f81f42e1", "3b5074b1b5d032e5620f69f9f700ff0e", "erik hjelmvik", "monday", "openssl", "michael", "bazaloader", "anchor", "alex", "header", "getoperandvalue", "win32", "build", "trickbot crews", "cs loader", "trickbots cs", "trickbots crew", "google drive", "hancitor c2", "icmp", "dcdomainname", "dclocal", "base", "cnbuiltin", "cnusers", "security groups", "bitcoin", "sage", "svchost", "bits", "beacon dll", "started service", "beacon payload", "process hacker", "sleepex", "identifies", "crph", "smadavprotect32", "cec list", "meeting", "dll library", "ta800", "nim programming", "nimzaloader", "doesn", "json object", "c url", "trustinfo", "displayname", "dpiaware", "anchordns", "enjoy", "nimrod", "gecko", "khtml", "offensivenim", "sharpkatz", "crypter", "done", "sprite spider", "carbon spider", "esxi", "spider", "defray777", "pyxie", "hypervisor", "defray", "ransomexx", "sekur", "anunak", "harpy", "griffon", "unc2198", "maze", "maze ransomware", "file transfer", "mouseisland", "koadic", "photoloader", "ocean lotus", "mac os", "kerrdown", "human", "kerrdown sample", "macho", "tcp port", "systembc", "http traffic", "hatching triage", "directory", "endpoint1", "ryuk threat", "raindrop", "teardrop", "decrypt", "raindrop loader", "name file", "pl shellcode", "funnyswitch", "chm file", "config", "frombase64", "azaz09", "nltest", "regwrite", "exitendifif", "sleep", "regsz", "stwashington", "lredmond", "dircreate", "protection", "defenderspynet", "john", "doublepulsar", "amadey", "zeppelin", "apt & targeted attacks", "earth wendigo", "service worker", "xss attack", "domain", "learn more", "ck technique", "techniques", "emerging threat", "solarwinds", "breach", "dora", "pioneer", "solarstorm", "cortex xdr", "iot security", "atom", "supernova", "yara", "snort", "gap analysis", "keefarce", "safetykatz", "gadgettojscript", "sharpzerologon", "tuesday", "qakbot binary", "qakbot malspam", "qakbot malware", "windows binary", "malspam", "egregor payload", "threat alert", "sekhmet", "platform", "monitoring", "chacha", "notpetya", "bad rabbit", "internet", "tls server", "tls client", "server hello", "ja3s", "hello packet", "apache", "random", "vatet", "localappdata", "epochtime", "rapid7", "cash", "logmein", "swift", "radmin", "bazar loader", "highest", "certificate", "issuer org", "over", "ryuk domain", "infrastructure", "namecheap", "ryuk host", "monovm", "olol", "gnu c", "o2 o2", "marchx8664 g", "g o2", "sttx", "ltexas", "ooffice", "name", "basecamp", "userinit", "hack", "snow", "apt19", "yara rule", "chimera", "pe header", "vhash", "lpwstr lpbuffer", "startw", "request", "netwalker", "neshta", "mailto", "thor", "xmrig", "teamt5", "threatsonar anti-ransomware", "threatsonar", "threatvision", "cyber espionage", "ransom virus", "tt", "cyber threat hunters", "cyber espionage solutions", "threat analysis service", "incident response", "investigation services", "threat intelligence", "md5 hash", "softether", "domain teamt5", "teamt5 teamt5", "plead", "pastebin", "travelex", "pos software", "gandcrab", "rat", "indigodrop", "msf shellcode", "msf downloader", "urlshxxp", "stages", "threatlabz", "india-china", "zscaler cloud", "dkmc framework", "gif header", "dkmc", "sandbox report", "publickey", "sandbox", "ntds", "beacon version", "console", "file creation", "file deletion", "rename", "or filefullname", "coronavirus", "tvrat", "gozi malware", "js file", "wscript", "msbuild", "msbuild project", "silent trinity", "threat grid", "lolbins", "cisco threat", "msbuild process", "naga", "trinity", "dos header", "sfx code", "sfx file", "export function", "mz header", "open process", "set current", "create", "apt2019", "2019 payload", "lnklnklnklnk", "1 docvbavbavba", "dllentry rat", "operation pawn", "storm", "midst intrusion", "pawn storm", "xtunnel", "hidedrv", "aurora", "blackshades", "conficker", "chapro", "dark comet", "dexter", "duqu", "gauss", "bridge", "hikit", "makadocs", "medre", "morto", "narilam", "onionduke", "rustock", "dorkbot", "spyeye", "stabuniq", "stuxnet", "tinba", "vobfus", "zeroaccess", "zeus", "zusy", "committee", "dnc network", "trump", "dnc hack", "donald trump", "neither", "general", "hill", "magazine", "mexico", "winids", "foozer", "downrage", "hydra", "remcom", "inc\\.", "bear", "wirelurker", "generic.933739", "python code", "zxkbdklakv", "seaduke", "cookie value", "bookmark server", "p4bnzr0", "duke" ], "references": [ "https://malcat.fr/blog/lnk-forensic-and-config-extraction-of-a-cobalt-strike-beacon/", "https://mp.weixin.qq.com/s/cGS8FocPnUdBconLbbaG-g", "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", "https://unit42.paloaltonetworks.com/bumblebee-malware-projector-libra/", "https://blog.talosintelligence.com/manjusaka-offensive-framework/", "https://cocomelonc.github.io/malware/2022/07/30/malware-av-evasion-8.html", "https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/", "https://www.trendmicro.com/en_us/research/22/g/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike.html", "https://blog.nviso.eu/2022/07/20/analysis-of-a-trojanized-jquery-script-gootloader-unleashed/", "https://cloud.google.com/blog/topics/threat-intelligence/spear-phish-ukrainian-entities/", "https://www.threatdown.com/blog/cobalt-strikes-again-uac-0056-continues-to-target-ukraine-in-its-latest-campaign/", "https://cert.gov.ua/article/703548", "https://cert-agid.gov.it/news/il-malware-envyscout-apt29-e-stato-veicolato-anche-in-italia/", "https://isc.sans.edu/diary/Emotet%20infection%20with%20Cobalt%20Strike/28824", "https://cert.gov.ua/article/619229", "https://ics-cert.kaspersky.com/publications/reports/2022/06/27/attacks-on-industrial-control-systems-using-shadowpad/", "https://blog.bushidotoken.net/2022/06/overview-of-russian-gru-and-svr.html", "https://blog.talosintelligence.com/avoslocker-new-arsenal/", "https://isc.sans.edu/diary/rss/28752", "https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html", "https://kienmanowar.wordpress.com/2022/06/04/quicknote-cobaltstrike-smb-beacon-analysis-2/", "https://cloud.google.com/blog/topics/threat-intelligence/unc2165-shifts-to-evade-sanctions", "https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis", "https://medium.com/walmartglobaltech/socgholish-campaigns-and-initial-access-kit-4c4283fea8ee", "https://thehackernews.com/2022/05/malware-analysis-trickbot.html", "https://www.sonatype.com/blog/new-pymafka-malicious-package-drops-cobalt-strike-on-macos-windows-linux", "https://asec.ahnlab.com/en/34549/", "https://isc.sans.edu/diary/Bumblebee+Malware+from+TransferXL+URLs/28664", "https://raw.githubusercontent.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/refs/heads/main/APT29_C2-Client_Dropbox_Loader/APT29-DropboxLoader_analysis.md", "https://redcanary.com/wp-content/uploads/2022/05/Gootloader.pdf", "https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf", "https://isc.sans.edu/diary/28636", "https://cocomelonc.github.io/tutorial/2022/05/09/malware-pers-4.html", "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", "https://unit42.paloaltonetworks.com/cobalt-strike-metadata-encoding-decoding/", "https://thehackernews.com/2022/05/this-new-fileless-malware-hides.html", "https://blog.talosintelligence.com/mustang-panda-targets-europe/", "https://securelist.com/a-new-secret-stash-for-fileless-malware/106393/", "https://security.macnica.co.jp/blog/2022/05/iso.html", "https://cloud.google.com/blog/topics/threat-intelligence/tracking-apt29-phishing-campaigns/", "https://documents.trendmicro.com/assets/txt/earth-berberoka-windows-iocs-2.txt", "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf", "https://cloud.google.com/blog/topics/threat-intelligence/unc2452-merged-into-apt29/", "https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/", "https://thedfirreport.com/2022/04/25/quantum-ransomware/", "https://www.morphisec.com/blog/vmware-identity-manager-attack-backdoor/", "https://cocomelonc.github.io/tutorial/2022/04/20/malware-pers-1.html", "https://www.varonis.com/blog/hive-ransomware-analysis", "https://www.sentinelone.com/blog/from-the-front-lines-peering-into-a-pysa-ransomware-attack/", "https://vanmieghem.io/blueprint-for-evading-edr-in-2022/", "https://www.cynet.com/blog/orion-threat-alert-flight-of-the-bumblebee/", "https://www.welivesecurity.com/2022/04/13/eset-takes-part-global-operation-disrupt-zloader-botnets/", "https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html", "https://github.com/infinitumitlabs/Karakurt-Hacking-Team-CTI", "https://cloud.google.com/blog/topics/threat-intelligence/evolution-of-fin7/", "https://www.sentinelone.com/blog/hive-ransomware-deploys-novel-ipfuscation-technique/", "https://medium.com/walmartglobaltech/cobaltstrike-uuid-stager-ca7e82f7bb64", "https://resource.redcanary.com/rs/003-YRU-314/images/2022_ThreatDetectionReport_RedCanary.pdf", "https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire", "https://unit42.paloaltonetworks.com/cobalt-strike-malleable-c2-profile/", "https://isc.sans.edu/diary/Qakbot+infection+with+Cobalt+Strike+and+VNC+activity/28448", "https://www.sentinelone.com/blog/threat-actor-uac-0056-targeting-ukraine-with-fake-translation-software/", "https://www.arashparsa.com/catching-a-malware-with-no-name/", "https://cert.gov.ua/article/37704", "https://cloud.google.com/blog/topics/threat-intelligence/apt41-us-state-governments/", "https://thedfirreport.com/2022/03/07/2021-year-in-review/", "https://www.cynet.com/security-foundations/attack-techniques/new-wave-of-emotet-when-project-x-turns-into-y/", "https://www.fortinet.com/blog/threat-research/nobelium-returns-to-the-political-world-stage", "https://cyber.wtf/2022/03/23/what-the-packer/", "https://www.esentire.com/blog/icedid-to-cobalt-strike-in-under-20-minutes", "https://asec.ahnlab.com/en/31811/", "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", "https://medium.com/walmartglobaltech/signed-dll-campaigns-as-a-service-7760ac676489", "https://www.cybereason.com/blog/research/threat-analysis-report-datoploader-exploits-proxyshell-to-deliver-qbot-and-cobalt-strike", "https://forensicitguy.github.io/inspecting-powershell-cobalt-strike-beacon/", "https://blog.sekoia.io/nobeliums-envyscout-infection-chain-goes-in-the-registry-targeting-embassies/", "https://www.crowdstrike.com/en-us/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/", "https://www.security.com/threat-intelligence/yanluowang-ransomware-attacks-continue", "https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/", "https://cloud.google.com/blog/topics/threat-intelligence/sabbath-ransomware-affiliate/", "https://blog.nviso.eu/2021/11/17/cobalt-strike-decrypting-obfuscated-traffic-part-4/", "https://www.trendmicro.com/en_gb/research/21/k/analyzing-proxyshell-related-incidents-via-trend-micro-managed-x.html", "https://www.truesec.com/hub/blog/proxyshell-qbot-and-conti-ransomware-combined-in-a-series-of-cyber-attacks", "https://www.threatdown.com/blog/a-multi-stage-powershell-based-attack-targets-kazakhstan/", "https://www.unh4ck.com/detection-engineering-and-threat-hunting/lateral-movement/detecting-conti-cobaltstrike-lateral-movement-techniques-part-1", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf", "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://www.security.com/threat-intelligence/harvester-new-apt-attacks-asia", "https://unit42.paloaltonetworks.com/bazarloader-network-reconnaissance/", "https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-part-2-a28bffffa671", "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/", "https://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/new-apt-group-chamelgang/#id3", "https://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/new-apt-group-chamelgang/", "https://www.cynet.com/security-foundations/attack-techniques/understanding-squirrelwaffle/", "https://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/", "https://blog.gigamon.com/2021/09/10/rendering-threats-a-network-perspective/", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf", "https://documents.trendmicro.com/assets/white_papers/wp-earth-baku-an-apt-group-targeting-indo-pacific-countries.pdf", "https://www.welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/", "https://istrosec.com/blog/apt-sk-cobalt/", "https://www.crowdstrike.com/en-us/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/", "https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/", "https://thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/", "https://securelist.com/apt-luminousmoth/103332/", "https://isc.sans.edu/diary/rss/27618", "https://www.gendigital.com/blog/insights/research/decoding-cobalt-strike-understanding-payloads", "https://www.gendigital.com/blog/insights/research/backdoored-client-from-mongolian-ca-monpass", "https://thedfirreport.com/2021/06/28/hancitor-continues-to-push-cobalt-strike/", "https://www.crowdstrike.com/en-us/blog/how-falcon-complete-disrupts-ecrime-operators-wizard-spider/", "https://thedfirreport.com/2021/06/20/from-word-to-lateral-movement-in-1-hour/", "https://cloud.google.com/blog/topics/threat-intelligence/darkside-affiliate-supply-chain-software-compromise", "https://www.sentinelone.com/labs/noblebaron-new-poisoned-installers-could-be-used-in-supply-chain-attacks/", "https://www.cisa.gov/news-events/analysis-reports/ar21-148a", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-148a", "https://www.lac.co.jp/lacwatch/report/20210521_002618.html", "https://www.ncsc.gov.ie/pdfs/HSE_Conti_140521_UPDATE.pdf", "https://www.guidepointsecurity.com/blog/from-zloader-to-darkside-a-ransomware-story/", "https://thedfirreport.com/2021/05/12/conti-ransomware/", "https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/", "https://cloud.google.com/blog/topics/threat-intelligence/shining-a-light-on-darkside-ransomware-operations/", "https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/", "https://blog.talosintelligence.com/lemon-duck-spreads-wings/", "https://thedfirreport.com/2021/05/02/trickbot-brief-creds-and-beacons/", "https://www.netresec.com/?page=Blog&month=2021-04&post=Analysing-a-malware-PCAP-with-IcedID-and-Cobalt-Strike-traff", "https://isc.sans.edu/diary/27308", "https://medium.com/walmartglobaltech/trickbot-crews-new-cobaltstrike-loader-32c72b78e81c", "https://unit42.paloaltonetworks.com/hancitor-infections-cobalt-strike/", "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", "https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures", "https://www.qurium.org/alerts/targeted-malware-against-crph/", "https://www.proofpoint.com/us/blog/threat-insight/nimzaloader-ta800s-new-initial-access-malware", "https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/", "https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-14cc543af811", "https://www.crowdstrike.com/en-us/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout", "https://cloud.google.com/blog/topics/threat-intelligence/melting-unc2198-icedid-to-ransomware-operations/", "https://raw.githubusercontent.com/AmnestyTech/investigations/refs/heads/master/2021-02-24_vietnam/README.md", "https://isc.sans.edu/diary/Excel+spreadsheets+push+SystemBC+malware/27060", "https://thedfirreport.com/2021/01/31/bazar-no-ryuk/", "https://www.security.com/threat-intelligence/solarwinds-raindrop-malware", "https://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/", "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/", "https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618", "https://www.trendmicro.com/en_us/research/21/a/earth-wendigo-injects-javascript-backdoor-to-service-worker-for-.html", "https://www.picussecurity.com/resource/blog/ttps-used-in-the-solarwinds-breach", "https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/", "https://unit42.paloaltonetworks.com/fireeye-red-team-tool-breach/", "https://isc.sans.edu/diary/rss/26862", "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf", "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf", "https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware", "https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a/", "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/", "https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/", "https://raw.githubusercontent.com/ThreatConnect-Inc/research-team/refs/heads/master/IOCs/WizardSpider-UNC1878-Ryuk.csv", "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", "https://cloud.google.com/blog/topics/threat-intelligence/kegtap-and-singlemalt-with-a-ransomware-chaser/", "https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/refs/heads/master/China/APT/Chimera/Analysis.md", "https://thedfirreport.com/2020/10/08/ryuks-return/", "https://thedfirreport.com/2020/08/31/netwalker-ransomware-in-1-hour/", "https://teamt5.org/tw/posts/mjib-holds-briefing-on-chinese-hackers-attacks-on-taiwanese-government-agencies/", "https://i.blackhat.com/USA-20/Thursday/us-20-Chen-Operation-Chimera-APT-Operation-Targets-Semiconductor-Vendors.pdf", "https://www.security.com/threat-intelligence/sodinokibi-ransomware-cobalt-strike-pos", "https://blog.talosintelligence.com/indigodrop-maldocs-cobalt-strike/", "https://www.zscaler.com/blogs/security-research/targeted-attack-leverages-india-china-border-dispute-lure-victims", "https://www.sentinelone.com/labs/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/", "https://thedfirreport.com/2020/04/24/ursnif-via-lolbins/", "https://blog.talosintelligence.com/building-bypass-with-msbuild/", "https://tccontre.blogspot.com/2019/11/cobaltstrike-beacondll-your-not.html", "https://web-assets.esetstatic.com/wls/2019/10/ESET_Operation_Ghost_Dukes.pdf", "https://mp.weixin.qq.com/s/xPsEXp2J5IE7wNSMEVC24A", "https://contagiodump.blogspot.com/2017/02/russian-apt-apt28-collection-of-samples.html", "https://www.cisa.gov/sites/default/files/publications/AR-17-20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity.pdf", "https://www.crowdstrike.com/en-us/blog/bears-midst-intrusion-democratic-national-committee/", "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf", "https://contagiodump.blogspot.com/2014/11/onionduke-samples.html", "https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/" ], "public": 1, "adversary": "Threat", "targeted_countries": [ "Czechia", "Ukraine", "Russian Federation", "Poland", "Belarus", "Lithuania", "Latvia", "Germany", "Pakistan", "Afghanistan", "Malaysia", "Greece", "Italy", "T\u00fcrkiye", "Portugal", "Brazil", "China", "Japan", "Korea, Republic of", "United States of America", "Mexico", "New Zealand", "Canada", "Georgia", "Iran, Islamic Republic of" ], "malware_families": [ { "id": "HandleRef", "display_name": "HandleRef", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Threat", "display_name": "Threat", "target": null }, { "id": "Primary Threat", "display_name": "Primary Threat", "target": null }, { "id": "BazarLoader", "display_name": "BazarLoader", "target": null }, { "id": "Bumblebee", "display_name": "Bumblebee", "target": null }, { "id": "ELF", "display_name": "ELF", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "Kronos", "display_name": "Kronos", "target": null }, { "id": "BEACON", "display_name": "BEACON", "target": null }, { "id": "MICROBACKDOOR", "display_name": "MICROBACKDOOR", "target": null }, { "id": "GRIMPLANT", "display_name": "GRIMPLANT", "target": null }, { "id": "GRAPHSTEEL", "display_name": "GRAPHSTEEL", "target": null }, { "id": "Shadowpad", "display_name": "Shadowpad", "target": null }, { "id": "PlugX", "display_name": "PlugX", "target": null }, { "id": "ShadowPad", "display_name": "ShadowPad", "target": null }, { "id": "Threat Analysis", "display_name": "Threat Analysis", "target": null }, { "id": "CredoMap", "display_name": "CredoMap", "target": null }, { "id": "StellarParticle", "display_name": "StellarParticle", "target": null }, { "id": "CozyBear", "display_name": "CozyBear", "target": null }, { "id": "Shadow Chaser", "display_name": "Shadow Chaser", "target": null }, { "id": "Raspberry Robin", "display_name": "Raspberry Robin", "target": null }, { "id": "RansomHub", "display_name": "RansomHub", "target": null }, { "id": "Cyclops", "display_name": "Cyclops", "target": null }, { "id": "FancyBear", "display_name": "FancyBear", "target": null }, { "id": "APT29", "display_name": "APT29", "target": null }, { "id": "AvosLocker", "display_name": "AvosLocker", "target": null }, { "id": "Matanbuchus", "display_name": "Matanbuchus", "target": null }, { "id": "HADES", "display_name": "HADES", "target": null }, { "id": "SocGholish NetSupport", "display_name": "SocGholish NetSupport", "target": null }, { "id": "SocGholish", "display_name": "SocGholish", "target": null }, { "id": "NetSupport", "display_name": "NetSupport", "target": null }, { "id": "Gold Blackburn", "display_name": "Gold Blackburn", "target": null }, { "id": "Conti", "display_name": "Conti", "target": null }, { "id": "Ryuk", "display_name": "Ryuk", "target": null }, { "id": "Trickbot", "display_name": "Trickbot", "target": null }, { "id": "Darkside", "display_name": "Darkside", "target": null }, { "id": "Win32.BitCoinMiner", "display_name": "Win32.BitCoinMiner", "target": null }, { "id": "Win32.Agent", "display_name": "Win32.Agent", "target": null }, { "id": "NbtScan", "display_name": "NbtScan", "target": null }, { "id": "Frp", "display_name": "Frp", "target": null }, { "id": "Pcap", "display_name": "Pcap", "target": null }, { "id": "BeaconLoader", "display_name": "BeaconLoader", "target": null }, { "id": "DoorMe", "display_name": "DoorMe", "target": null }, { "id": "Win API", "display_name": "Win API", "target": null }, { "id": "Generic.933739", "display_name": "Generic.933739", "target": null } ], "attack_ids": [], "industries": [ "Gas", "Government", "Defense", "Media", "Telecommunications", "Logistics", "Industrial", "Manufacturing", "Transport", "Transportation", "Diplomatic", "Foreign Affairs", "Academics", "Banking", "Aviation", "Political", "Energy", "Military", "Financial", "Legal", "Pharmaceutical", "Technology", "Aerospace" ], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "kikinumpav", "id": "385742", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3082, "FileHash-SHA1": 2478, "FileHash-SHA256": 4182, "URL": 3155, "CVE": 190, "SSLCertFingerprint": 41, "domain": 2991, "email": 58, "hostname": 2130, "YARA": 95 }, "indicator_count": 18402, "is_author": false, "is_subscribing": null, "subscriber_count": 15, "modified_text": "15 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d7a3f6f81dc2388c0fa027", "name": "VirusTotal report\n for flow-browser-main.zip", "description": "A sample of flow-browser-main, an unauthorised version of the web browser, has been detected by researchers at the University of California, Los Angeles, and the National Security Agency (NSA). myvzw.com after an email on ending a #", "modified": "2026-05-09T12:10:59.635000", "created": "2026-04-09T13:04:54.563000", "tags": [ "file type", "png image", "ascii", "ascii text", "java source", "json", "rgba", "creates", "crlf line", "mac os", "date", "malicious", "next", "button", "span", "edit3icon", "rotateccwicon", "xicon", "htmldivelement", "react", "saveicon", "null", "shortcutitem", "click", "zip archive", "png multimedia", "graphics" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739500&Signature=r1pLCgJf%2FQK8TvenCwXy9bnghFzjJ5QssdQSLP37SLv6EkA3WXuFUIvKrsXKokco7bMfQUy%2FArk8F6aP%2Bhaj16Jv7P%2FGB%2Blf7mPvs47VjwfBJRCP8AZLlWvO45%2BjC68v798csdJFPTP31O4yDOE3pXZ3EThm4nSrIwLPhTSPfi3cPlEh2wLSzcySW7BYLw%2BqCoawFCxeLUz7hIV0vC89Mlwi3DeS%2BEnWFF%2FsvT9lVJjdbLoJLEeO", "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739700&Signature=bOTo%2FxCpGDGOsIKJDZjBBhLZRg8UiOGi%2FvVr47Xpmh7tOh9dez7911bi%2F9SUdu4ATLhzRVog%2BdVP%2BUPwTuEfIdEcPuGRGVc1KOSP3fTQrKhRjF3x2dqykxVCH%2B1iqBmCgod%2B1uAdlraxqSOeOgst1l%2Bk250uXff4axktE%2BfGjeNDeGJao%2FfOMktqIL7zU8%2BIQYTObwelnnYx45FBSiXI1bWM4vhdgIX4cs2cT%2F" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 218, "FileHash-MD5": 558, "FileHash-SHA1": 564, "FileHash-SHA256": 558, "URL": 119, "hostname": 133, "email": 4 }, "indicator_count": 2154, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "22 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d7a3f683111bbbe1c9ae35", "name": "VirusTotal report\n for flow-browser-main.zip", "description": "A sample of flow-browser-main, an unauthorised version of the web browser, has been detected by researchers at the University of California, Los Angeles, and the National Security Agency (NSA). myvzw.com after an email on ending a #", "modified": "2026-05-09T12:10:59.635000", "created": "2026-04-09T13:04:54.775000", "tags": [ "file type", "png image", "ascii", "ascii text", "java source", "json", "rgba", "creates", "crlf line", "mac os", "date", "malicious", "next", "button", "span", "edit3icon", "rotateccwicon", "xicon", "htmldivelement", "react", "saveicon", "null", "shortcutitem", "click", "zip archive", "png multimedia", "graphics" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739500&Signature=r1pLCgJf%2FQK8TvenCwXy9bnghFzjJ5QssdQSLP37SLv6EkA3WXuFUIvKrsXKokco7bMfQUy%2FArk8F6aP%2Bhaj16Jv7P%2FGB%2Blf7mPvs47VjwfBJRCP8AZLlWvO45%2BjC68v798csdJFPTP31O4yDOE3pXZ3EThm4nSrIwLPhTSPfi3cPlEh2wLSzcySW7BYLw%2BqCoawFCxeLUz7hIV0vC89Mlwi3DeS%2BEnWFF%2FsvT9lVJjdbLoJLEeO", "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739700&Signature=bOTo%2FxCpGDGOsIKJDZjBBhLZRg8UiOGi%2FvVr47Xpmh7tOh9dez7911bi%2F9SUdu4ATLhzRVog%2BdVP%2BUPwTuEfIdEcPuGRGVc1KOSP3fTQrKhRjF3x2dqykxVCH%2B1iqBmCgod%2B1uAdlraxqSOeOgst1l%2Bk250uXff4axktE%2BfGjeNDeGJao%2FfOMktqIL7zU8%2BIQYTObwelnnYx45FBSiXI1bWM4vhdgIX4cs2cT%2F" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 218, "FileHash-MD5": 558, "FileHash-SHA1": 564, "FileHash-SHA256": 558, "URL": 119, "hostname": 133, "email": 4 }, "indicator_count": 2154, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "22 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d7a3f6657dd0c212d8344a", "name": "VirusTotal report\n for flow-browser-main.zip", "description": "A sample of flow-browser-main, an unauthorised version of the web browser, has been detected by researchers at the University of California, Los Angeles, and the National Security Agency (NSA). myvzw.com after an email on ending a #", "modified": "2026-05-09T12:10:59.635000", "created": "2026-04-09T13:04:54.060000", "tags": [ "file type", "png image", "ascii", "ascii text", "java source", "json", "rgba", "creates", "crlf line", "mac os", "date", "malicious", "next", "button", "span", "edit3icon", "rotateccwicon", "xicon", "htmldivelement", "react", "saveicon", "null", "shortcutitem", "click", "zip archive", "png multimedia", "graphics" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739500&Signature=r1pLCgJf%2FQK8TvenCwXy9bnghFzjJ5QssdQSLP37SLv6EkA3WXuFUIvKrsXKokco7bMfQUy%2FArk8F6aP%2Bhaj16Jv7P%2FGB%2Blf7mPvs47VjwfBJRCP8AZLlWvO45%2BjC68v798csdJFPTP31O4yDOE3pXZ3EThm4nSrIwLPhTSPfi3cPlEh2wLSzcySW7BYLw%2BqCoawFCxeLUz7hIV0vC89Mlwi3DeS%2BEnWFF%2FsvT9lVJjdbLoJLEeO", "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739700&Signature=bOTo%2FxCpGDGOsIKJDZjBBhLZRg8UiOGi%2FvVr47Xpmh7tOh9dez7911bi%2F9SUdu4ATLhzRVog%2BdVP%2BUPwTuEfIdEcPuGRGVc1KOSP3fTQrKhRjF3x2dqykxVCH%2B1iqBmCgod%2B1uAdlraxqSOeOgst1l%2Bk250uXff4axktE%2BfGjeNDeGJao%2FfOMktqIL7zU8%2BIQYTObwelnnYx45FBSiXI1bWM4vhdgIX4cs2cT%2F" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 217, "FileHash-MD5": 558, "FileHash-SHA1": 564, "FileHash-SHA256": 558, "URL": 118, "hostname": 133, "email": 2 }, "indicator_count": 2150, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "22 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d7a3f511d0121d253b753d", "name": "VirusTotal report\n for flow-browser-main.zip", "description": "A sample of flow-browser-main, an unauthorised version of the web browser, has been detected by researchers at the University of California, Los Angeles, and the National Security Agency (NSA). myvzw.com after an email on ending a #", "modified": "2026-05-09T12:10:59.635000", "created": "2026-04-09T13:04:53.436000", "tags": [ "file type", "png image", "ascii", "ascii text", "java source", "json", "rgba", "creates", "crlf line", "mac os", "date", "malicious", "next", "button", "span", "edit3icon", "rotateccwicon", "xicon", "htmldivelement", "react", "saveicon", "null", "shortcutitem", "click", "zip archive", "png multimedia", "graphics" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739500&Signature=r1pLCgJf%2FQK8TvenCwXy9bnghFzjJ5QssdQSLP37SLv6EkA3WXuFUIvKrsXKokco7bMfQUy%2FArk8F6aP%2Bhaj16Jv7P%2FGB%2Blf7mPvs47VjwfBJRCP8AZLlWvO45%2BjC68v798csdJFPTP31O4yDOE3pXZ3EThm4nSrIwLPhTSPfi3cPlEh2wLSzcySW7BYLw%2BqCoawFCxeLUz7hIV0vC89Mlwi3DeS%2BEnWFF%2FsvT9lVJjdbLoJLEeO", "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739700&Signature=bOTo%2FxCpGDGOsIKJDZjBBhLZRg8UiOGi%2FvVr47Xpmh7tOh9dez7911bi%2F9SUdu4ATLhzRVog%2BdVP%2BUPwTuEfIdEcPuGRGVc1KOSP3fTQrKhRjF3x2dqykxVCH%2B1iqBmCgod%2B1uAdlraxqSOeOgst1l%2Bk250uXff4axktE%2BfGjeNDeGJao%2FfOMktqIL7zU8%2BIQYTObwelnnYx45FBSiXI1bWM4vhdgIX4cs2cT%2F" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 224, "FileHash-MD5": 558, "FileHash-SHA1": 564, "FileHash-SHA256": 558, "URL": 140, "hostname": 166, "email": 2, "CVE": 8 }, "indicator_count": 2220, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "22 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d7a3f4d72c30f9586634b9", "name": "VirusTotal report\n for flow-browser-main.zip", "description": "A sample of flow-browser-main, an unauthorised version of the web browser, has been detected by researchers at the University of California, Los Angeles, and the National Security Agency (NSA). myvzw.com after an email on ending a #", "modified": "2026-05-09T12:10:59.635000", "created": "2026-04-09T13:04:52.444000", "tags": [ "file type", "png image", "ascii", "ascii text", "java source", "json", "rgba", "creates", "crlf line", "mac os", "date", "malicious", "next", "button", "span", "edit3icon", "rotateccwicon", "xicon", "htmldivelement", "react", "saveicon", "null", "shortcutitem", "click", "zip archive", "png multimedia", "graphics" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739500&Signature=r1pLCgJf%2FQK8TvenCwXy9bnghFzjJ5QssdQSLP37SLv6EkA3WXuFUIvKrsXKokco7bMfQUy%2FArk8F6aP%2Bhaj16Jv7P%2FGB%2Blf7mPvs47VjwfBJRCP8AZLlWvO45%2BjC68v798csdJFPTP31O4yDOE3pXZ3EThm4nSrIwLPhTSPfi3cPlEh2wLSzcySW7BYLw%2BqCoawFCxeLUz7hIV0vC89Mlwi3DeS%2BEnWFF%2FsvT9lVJjdbLoJLEeO", "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739700&Signature=bOTo%2FxCpGDGOsIKJDZjBBhLZRg8UiOGi%2FvVr47Xpmh7tOh9dez7911bi%2F9SUdu4ATLhzRVog%2BdVP%2BUPwTuEfIdEcPuGRGVc1KOSP3fTQrKhRjF3x2dqykxVCH%2B1iqBmCgod%2B1uAdlraxqSOeOgst1l%2Bk250uXff4axktE%2BfGjeNDeGJao%2FfOMktqIL7zU8%2BIQYTObwelnnYx45FBSiXI1bWM4vhdgIX4cs2cT%2F" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 220, "FileHash-MD5": 562, "FileHash-SHA1": 566, "FileHash-SHA256": 1011, "URL": 125, "hostname": 139, "email": 4 }, "indicator_count": 2627, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "22 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d79c38e0a059039b475ebe", "name": "CAPE Sandbox", "description": "Email today from them on my line. Very wild things happening here. trying to close my line", "modified": "2026-05-09T12:10:59.635000", "created": "2026-04-09T12:31:52.495000", "tags": [ "html document", "unicode text", "utf8 text", "crlf", "lf line", "site", "meta", "verizon", "wireless", "internet", "phone services", "official", "shop verizon", "lte network", "get fios", "title", "code", "error", "utc na", "utc google", "tag manager", "gtmw2vn2cq", "utc dc9849921", "utc dc685973", "utc g12r1dx1lx7", "utc aw647962234", "utc aw2761768", "utc aw685973", "verizon business", "verizon for business", "verizon business account", "verizon business phone", "verizon wireless for business", "verizon business service", "verizon business plan", "business internet services", "learn", "gartner", "contact", "find", "discover", "support", "close log", "shop", "upgrade", "small", "voice", "chat", "mitre attack", "network info", "program", "html page", "t1055 process", "overview", "processes extra", "overview zenbox", "verdict", "guest system", "phishing", "next", "ver2", "msclkidn", "utc amazon", "analytics na", "utc bing", "vids1", "vids0", "gdlname" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/edb4c21d60daa44b3429e7ba9bfa342759ebef23c136c934f74aef145453ce19_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775737365&Signature=S%2B7RcHYjab1hbKlKwFfvUbDirFPJS1A2TJQ3bVIObMcON4PD9pRDvhMtYMCnEBrYsICi0UJCFW5eUDolL5Jlbngsc587kF36vvuhlkPprbkSOY1jOyDTpe3Qsb6jRFz3xwOfZc9S5QervoLnRKb%2FyGSyZE6ZK6TxzBrOPczPtZ7sLf9NfD6E%2B2gMRXaRjEqVwVITLG7YqCiiNuohFOuNlK3uNHFpIk53viKvBSAIqLtSklH9bHW4q1DX", "https://www.verizon.com/business/", "https://vtbehaviour.commondatastorage.googleapis.com/edb4c21d60daa44b3429e7ba9bfa342759ebef23c136c934f74aef145453ce19_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775737710&Signature=fbsokraSd7lsYmUfaTEl8Phs2K3hp7AtVmQU9axeEBcYmYbrrYrrfpP5lPEQaE%2Fh3%2BEP9Rn8mD8D1haqQVXCN0VVlxJ4sddjWmyC5USsgBsvUb0%2F72h1WHDS2KXHlteZWE%2Bauckabain9D5kX501AnqFY38s77OIqO6SMOkQ%2BvXiDSSRK%2FZhbfradBnei3ZLHsXGxkoshTyvB0%2BC%2F8SiUzdVsqSjik0Bn2r%2BIlLpDQK90GlZTD0N" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 772, "hostname": 706, "domain": 875, "FileHash-SHA256": 2348, "FileHash-MD5": 2237, "FileHash-SHA1": 2260, "CVE": 1, "email": 9 }, "indicator_count": 9208, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "22 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d4f2d9ce86a445b484593b", "name": "VirusTotal report\n for sample.crx", "description": "A small sample of malware has been identified by researchers at the University of Oregon in the US, and the results are published on the web, as well as on Google's Chrome extension and other sites.", "modified": "2026-05-07T12:05:50.774000", "created": "2026-04-07T12:04:41.097000", "tags": [ "file type", "json", "ascii text", "png image", "crlf line", "ascii", "rgba", "unicode text", "utf8 text", "defense evasion", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 668, "FileHash-MD5": 668, "FileHash-SHA1": 675, "URL": 153, "domain": 230, "hostname": 177, "email": 2 }, "indicator_count": 2573, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "24 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d4f2dd828bbf0ac5efaa23", "name": "VirusTotal report\n for sample.crx", "description": "A small sample of malware has been identified by researchers at the University of Oregon in the US, and the results are published on the web, as well as on Google's Chrome extension and other sites.", "modified": "2026-05-07T12:05:50.774000", "created": "2026-04-07T12:04:44.957000", "tags": [ "file type", "json", "ascii text", "png image", "crlf line", "ascii", "rgba", "unicode text", "utf8 text", "defense evasion", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 668, "FileHash-MD5": 668, "FileHash-SHA1": 675, "URL": 153, "domain": 230, "hostname": 177, "email": 2 }, "indicator_count": 2573, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "24 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d4f2db0b3448671adcce16", "name": "VirusTotal report\n for sample.crx", "description": "A small sample of malware has been identified by researchers at the University of Oregon in the US, and the results are published on the web, as well as on Google's Chrome extension and other sites.", "modified": "2026-05-07T12:05:50.774000", "created": "2026-04-07T12:04:43.156000", "tags": [ "file type", "json", "ascii text", "png image", "crlf line", "ascii", "rgba", "unicode text", "utf8 text", "defense evasion", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 668, "FileHash-MD5": 668, "FileHash-SHA1": 675, "URL": 153, "domain": 230, "hostname": 177, "email": 2 }, "indicator_count": 2573, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "24 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "660ec2cd7185f30ee98e0406", "name": "TP-Link ER605 Firmware Image download", "description": "After downloading a new firmware image for my TPlink ER605 switch/vpn-router, and since TP-Link doesn't provide a checksum for it. I decided to hit it with binwalk out of curiosity since I've had multiple issues with it the past two years. Immediately binwalk had to /dev/null the /var directory and further it hit two ip's as exploit sources once uploaded to criminalip and otx so I decided to upload the entire squash-fs for posterity", "modified": "2024-05-04T06:04:15.503000", "created": "2024-04-04T15:10:05.285000", "tags": [ "binmount o", "syskerneldebug", "limit", "netmask", "broadcast", "network", "prefix", "argc", "start", "copyright", "etcpasswd", "failsafe", "login", "important", "binash", "sample", "attention", "maxfds1024", "etcfrr", "somename", "openwrt", "deviceproduct", "generic", "devicerevision", "dns server", "ipv6 prefix", "duid", "ipv6 address", "x5 x8", "xdxrn502j", "y1 y1s", "linkits7688d", "omega2p", "wrtnode2p", "s boot", "sample vpn", "olinux", "cnpeer name", "target", "change", "ldap", "text", "port", "priority", "a srv", "srv record", "ldap server", "dnssd", "ipsec", "yang xiaoqiang", "varlogwtmp", "unavailreturn", "distribid", "distribrelease", "barrier breaker", "distribrevision", "distribcodename", "distribtarget", "openwrt barrier", "breaker", "distribtaints", "overlay srcgz", "home", "etcbanner", "pathusrbin", "ps1u", "libmodules", "ulimit", "binmore", "usrbinvim", "kshversion", "etcmkshrc", "preinit", "pathbin", "ipv6", "protocol", "isis", "icmp", "cisco", "header", "skip", "path first", "internet", "iana", "devnull", "stop", "ipkginstroot", "allcommands", "term", "stop value", "sqlite", "dh exponent", "grep", "w processor", "begin", "fix bug129941", "xfrm", "ipsec tunnel", "bug97836", "cmdlistend", "bundle command", "cmdliststart", "list", "procname", "list procname", "zebra route", "frr support", "bgp support", "zebra support", "firewallrule", "firewallruleset", "httpport", "path wifidog", "redirectdomain", "clienttimeout", "public key", "info", "version", "node id", "menu", "wifidog", "status", "wifidog wifidog", "gnu gpl", "rt3x5x", "sbinswconfig", "power", "wifi", "ethernet", "wifi5g", "rssilow", "rssimedium", "rssihigh", "wan led", "devconsole cp", "conffiles", "file 99ensync", "abort", "ansert", "abort error", "atz say", "atcgmm", "atcgmr", "ok atcsq", "ok atcgmr", "ok atcgmi", "atgmm", "atgmr", "timeout", "abort busy", "carrier", "report connect", "ate1", "useapn", "dialnumber", "connect", "atcgmi", "ok atcgmm", "atgmi", "answer", "v1 e1", "d2 fclass0", "at ok", "abort no", "dialtone", "sierra wireless", "cdma", "sprint", "verizon", "dial tone", "certificate", "telnet 23", "http 80", "https 443", "ssh 22", "webtimeout", "010001", "admin", "airplay option", "afp option", "ftp option", "samba option", "scanners option", "ssh option", "lanv6", "brlan", "network1", "sigusr2", "passwordauth on", "port 22", "10000s", "12000s", "4000s", "6000s", "ikepro1", "modp1024", "ikepro2", "aes128", "ikeph1name", "ph2proposal1", "ph2proposal2", "ikeph2name", "combination", "ikev1", "google", "cloudflare", "cleanbrowsing", "quad9", "opendns", "quad91", "quad92", "ipaddresspurely", "fqdn", "peertopeer", "presharekey", "tplink", "wan1", "ipgroupany", "ipv6groupany", "roseville194", "openwrt system", "balance", "dhcpclient", "portal", "pppoeclient", "onlinedection", "auto", "flashkeep", "etcopenvpn", "etcconfig", "etcdropbear", "global", "natlanwan1", "accept option", "accept", "drop", "reject", "reject option", "ipv6 icmp", "sections", "wan2", "0000", "usb0", "password", "eth1", "wan1eth", "wan1poe", "wan2eth", "wan2poe", "wan3eth", "wan3poe", "wan4eth", "wan4poe", "4094409340920", "onlinecheck", "openvpn", "ip address", "openvpn server", "windows", "remember", "common name", "generate", "etcopenvpnccd", "thelonious", "silence", "push", "first", "advertisecfg", "ospfcfg", "dslite", "pppoeshare", "wan1v6", "wan2v6", "wan3v6", "wan4v6", "static", "dynamic", "radvdinterface", "advmanagedflag", "advsendadvert", "advrouteraddr", "advautonomous", "advonlink", "ssh config", "http list", "https list", "telnet list", "http", "telnet", "https", "tcpudp", "2121", "2222", "2323", "smtp", "2525", "5353", "pop3", "partitionuuid1", "16043212800", "devsda1", "partitionuuid2", "devsda2", "udp161 option", "er605", "vpn router", "maximum number", "http listen", "https listen", "server document", "rfc1918 ip", "dns rebinding", "tcp connection", "akroniteshare", "account", "4094", "switch0", "vlan1", "vlan4094", "vlan0", "vwan", "veth1", "1024", "gmt0800", "ledsys", "switchled1", "switchled2", "switchled3", "switchled4", "switchled5", "modem", "options", "devnull p", "name", "match", "pkix", "randfile", "cadefault", "ca certificate", "sha256", "t61string", "bmpstring", "utf8strings", "mask", "import", "easyrsa", "keydir", "openvpn package", "openssl", "pkcs11tool", "keyconfig", "easyrsakeys", "issue rm", "pkcs11", "scdftprof1m", "setapn", "setuser", "setpass", "setauth", "atcgdcont1", "qcpdpp1", "scact11m", "paul hardwick", "paul", "empty input", "command", "error", "atcops", "atcops10m", "atcops12m", "atim", "atcreg2m", "atcgreg2m", "atcgeqneg1m", "atcreg", "atcgreg", "atndisdup11", "atcgatt", "1 goto", "wwan error", "useauth", "useuser", "usepass", "qcpdpp3", "atcfun1m", "atcgdcont3", "scact13m", "scact03m", "wwan connection", "atcimim", "atcpin", "sim puk", "sim pin", "ready", "atcsqm", "atmode", "atband", "atcsnr", "atsysinfoexm", "atsyscfgex", "atsyscfg", "atsysinfom", "atltersrp", "atcnumm", "busy", "errorn", "atcops0m", "mccmnc", "atcops12", "atcmd", "atq0 v1", "e1 s00", "e1 z", "atcmgf1m", "atcmgf0m", "wwan mode", "mode", "atzpas", "atzrssim", "atzrssi", "atzsnt", "pincode", "sim readyn", "sim pin2", "pinn", "gstatus", "selrat", "car0", "atcnti0m", "atecio", "atrscp", "umtschan", "atcommandn", "atcommand", "atcmgs", "action", "delete", "wanmod", "acldeleterule", "acladdrule", "ipgrouplan", "i actiondelete", "hplog", "hotplog", "hotplog fi", "deleterule", "addrule", "natlan", "qosdeleterule", "interface", "devconsole uci", "devconsole", "wanhook", "onlinedelzone", "onlineaddzone", "shenzhen tplink", "create", "delayreboot", "vpn hook", "devconsole echo", "reboot delayed", "no vpn", "hook event", "return", "pppdconfigpath", "ifname", "grep q", "pppdtype", "pppdusername", "pppdpid", "ipremote", "iplocal", "tmpl2tp", "vpnfwmark", "vpnforwardtable", "t mangle", "chain", "m comment", "connmark", "mark", "device", "actionifup", "actionifdown", "exit", "routetableid", "cachetableid", "gateway", "yuan fengjia", "grep w", "not response", "check if", "interface init", "thus", "phddnsready", "phddns", "devconsole exit", "cmxddnsready", "cmxddns", "natready", "qosdeleteiface", "vnetlibdir", "procnumber", "w arpreq", "v grep", "procnumber le", "deviced", "ifnamefile", "zone", "ipv6addr", "ipv6addrlen", "delaycommit", "hotplugtypevnet", "zaction", "prerouting i", "dnat", "p tcp", "p udp", "q delete", "interface uci", "dhcpsconfigfile", "dhcpslibdir", "urlprefix", "device uci", "w nvl", "w nl", "vlan", "vlan fi", "usb auto", "scan", "devicename", "er605v2 usb", "no need", "omada gateway", "specialid", "usb modem", "1usb modem", "devconsole fi", "nat elif", "clean", "module", "napt", "snetmaskg", "snetworkg", "j masquerade", "masquerade", "hwnat", "x usrsbinxfwdm", "xfwdm f", "systemparams", "config", "l2tpname", "l2tpisserver", "l2tpmark", "l2tppppdpid", "l2tpaction", "l2tpremoteip", "q get", "6 route", "interface proto", "v6wan", "interface03", "t ifup", "skip interface", "devconsole res", "setup", "zonegetzonebyif", "imbprefix", "ipprefix", "usrsbinddns", "dyndns", "noip", "interface04", "interrface", "bridge", "m tcp", "j accept", "number", "shift", "ifup", "action ready", "lockfile", "ospfpipewrite", "ospfpiperead", "ospfpiperead fi", "lockfile fi", "zhu xianfeng", "params miss", "m multiport", "usbifs", "managedevschain", "zte tele2", "usbifname p", "modemlib", "firmware", "firmware bs1", "inicmacaddr", "please", "dts file", "tmpfileport", "checkports", "v6ports", "j v6plusoutput", "d zonewannat", "i zonewannat", "f v6plusoutput", "i v6plusoutput", "inputgrep", "input accept", "outputgrep", "output accept", "add filter", "forwardgrep", "forward accept", "confif2", "brif", "option", "option bindif", "rundir runfile", "confif1 confif2", "brif action", "addbr", "updbr", "delbr", "option zone", "ifpong", "where interface", "set interface", "update", "rundir", "runfile", "t backup", "p notice", "t fault", "ipt n", "ipt a", "ipt s", "prerouting grep", "tpsrhook", "tpsrposthook", "cut d", "ipt i", "prerouting", "tmpaccessctl", "varconffilepath", "conffilepath", "options fi", "tmpcrontabtmp", "binsh", "start80 start", "start99 start", "cmxddnxrule", "stop98", "e sbiniscal", "tmp insmod", "tmprsacheck", "pass", "ipt f", "ipt x", "start96 ipt", "ipt d", "prerouting j", "n1 ve", "etcdhcp6cctlkey", "duidll", "rfc3315", "x0ax00", "x00x03x00x06x", "using mac", "using user", "etcdhcp6sctlkey", "invalid proto", "usrsbindhcp6s c", "usrsbindhcp6s", "d tmproot", "filddpirunning", "usrlib", "dpimodule", "filepidpath", "start99", "nete", "vnl forward", "dpirestriction", "vardir", "pidvar", "confvar", "v grepawk", "etcdir", "confback", "cabundlepath", "bannerfile", "pidcount", "prog", "kill", "md5sum", "passwordauth", "configfile", "hostfile", "debugfile", "domain", "dfconfigfile", "dnsservers", "configfile fi", "xappend", "etccrontabsroot", "rulelibdir", "p varspoolcron", "s etccrontabs", "c etccrontabs", "start40 start", "usrsharextgeoip", "start20 stop91", "c etcgeoip", "s etcgeoipbe", "s etcgeoiple", "start71 stop71", "start97", "h webserverwww", "servicepidfile", "start95 start", "conffile", "lockfd", "prerouting p", "vnetconffile", "init process", "pidf", "rund", "detectdir", "backuplist", "gao jie", "start98 start", "p output", "start99 stop90", "input drop", "p forward", "etcconfigipstat", "usrsbinipstat", "sysclassleds", "brightness", "e sysclassleds", "usblteled", "usbstorageled", "check fan", "fannormalled", "fanerrorled", "devnull ps", "rf tmpl2tp", "i fi", "loadbalancepre", "usrsbinlldpd", "openwrt release", "sysclassnet", "groupadd", "p varrunlldp", "varrunlldp", "chen chen", "zhangzhongwei", "reorganize", "start46", "option ifname", "enable", "note", "varrun", "ndppdconffile", "usrsbinndppd p", "ndppdconffile d", "nginxbin s", "p varlognginx", "p varlibnginx", "procmeminfo", "memtotal", "nginxbin", "start68 start", "jophilipp wich", "gnu general", "public license", "see license", "start90 stop10", "extracommands", "openvpnsecrets", "phddnsinit", "prerouting m", "input m", "reject vnete", "vme dst", "j drop", "redirect", "start50 stop26", "bin rundvarrun", "vpnserverconfig", "default", "default mkdir", "start50 start", "radvdconfigfile", "radvdinterfaces", "langc", "afaf09", "base6interface", "getip6addr", "start22 start", "start97 start", "the author", "config sfe", "software is", "provided", "as is", "disclaims all", "warranties", "with regard", "direct", "runc", "runc configget", "libd", "logd", "rundvarrun pidf", "runc configload", "routenum", "rtnetlink", "existret", "routenum fi", "routestatefile", "e procnanduid", "procnanduid", "tmpspideviceid", "grep v", "rebootschedule", "tmptz", "sysparams", "fang zhao", "start21 tddpbin", "tddpbin", "libvnet", "uhttpdkey", "uhttpdcert", "uhttpdbin", "px5gbin", "uhttpdcert rm", "tmpuserconfig", "check", "tslibdirsettime", "start96 boot", "usrsbinupnpd", "urllibdir", "modemstorage", "p tmpmodem", "storagemodem", "usb modemusb", "start80 stop", "usrsbinusbmuxd", "vnet", "start70 debug", "tmppassword1", "f tmppassword", "f tmppassword1", "extrahelp", "print", "start91 start", "wanconfig", "vpnclientconfig", "start25 stop25", "zoneconfbuild", "wanmax", "zydas zd1211rw", "wlan usb", "variant", "option hso", "messagecontent", "option gi0643", "xyfi", "standardeject1", "configuration2", "netgear", "kobil midentity", "kobilmode1", "mobile action", "smart cable", "mediatek wimax", "usb card", "blackberry q10", "sony ericsson", "gw d301", "advinne amc", "configuration3", "c100", "c120", "c170", "c270", "c3xx", "needresponse1", "hummer dtm5731", "aircard", "alegro", "starcomms", "alcatel otx080c", "etcom e300", "haier evdo", "alcatel x602d", "archos g9", "alcatel otx220d", "alcatel ot", "prolink pcm100", "bsnl capitel", "explay slim", "telewell tw3g", "hspa", "fs01bu", "smartbro wm66e", "alcatel", "touch x020", "tu930", "ivio iv2010u", "vibe", "emobile d12lc", "mywave sw006", "emobile d21lc", "techfaith bsnl", "aiko", "qisda h21", "flying beetle", "qisdamode1", "wisue w340", "solomon s3gm660", "philips picopix", "option icon", "prolink phs100", "ph300", "hyundai mb810", "alink", "airplus mcd800", "onda mv815u", "onda mdc655", "onda mw833up", "mw835up", "onda mo835up", "onda mw836upk", "onda mw875up", "onda msa", "tim brasil", "onda tm201", "tim italy", "onda wm301", "cricket a600", "u210", "hp laserjet", "io data", "wmx2u wimax", "nexperia tm", "tdscdma", "samsung gtb1110", "samsung gtb3730", "samsung u209", "sunplus techn", "axesstel modems", "targetvendor", "anydata", "bless uc165", "celot k300", "techfaith venus", "celot ct680", "quirky option", "samsung sghz810", "prolink p2000", "vertex wireless", "various usb", "dlink dwm162u5", "dwm162 c1", "micromax mmx", "anydata ape540h", "tl131 tdlte", "siptune lm75", "linuxmodem", "qtronix evdo", "tianyi", "dlink dwm156", "hsupa", "rndis", "pantech lte", "huawei e173s", "huawei gp02", "e587 variant", "huawei e173", "moviestar", "huaweinewmode1", "huawei et302", "huawei et8282", "huawei et127", "huaweimode1", "huawei e353", "vodafone", "huawei kxxxx", "huawei k4203", "huawei e5377", "kddi", "huawei", "hwd12 lte", "huawei k3773", "vodafone k4305", "vodafone k5150", "vodafone k4201", "vodafone k4202", "vodafone k4606", "viettel", "huawei e173u2", "huawei k3770", "huawei e352", "huawei e3131", "huawei e3372", "huawei e3531", "huawei u7510", "u7517", "huawei e392u12", "e3131", "huawei e171", "huawei e3331", "huawei bm358", "huawei e169", "huawei e220", "e230", "e270", "huawei v725", "phone", "huawei ets1201", "huawei u8220", "tmobile pulse", "huawei u8110", "android sdk", "huawei ec168", "huawei e180", "huawei ec156", "huawei e372u8", "huawei k3765", "huawei k4505", "huawei r201", "huawei k3772", "huawei e1553", "huawei r215", "huawei w5101", "huawei u2800", "china telecom", "cdu680", "cnu680", "chu629s", "huawei generic", "linux", "cgu628", "cgu628a", "xs stick", "zte mu351", "zte ac581", "zte mf110", "zte mf112", "zte mf637", "orange france", "zte mf651", "ztet a356", "zte mf652", "zte mf190", "zte mf656a", "mf668a", "zte mf820", "zte a371b", "onda mt8205", "zte mf821d", "zte mf821dmf826", "zte mf90", "mobile hotspot", "telewell twlte", "vodafone k5006z", "mf821", "k5008z", "mf823", "vodafone k4607z", "zte k3770z", "zte mf691", "tmobile rocket", "zte mf192", "zte mf195", "zte mf668", "zte mf680", "zte mfxxx", "zte mf825a", "zte mf730", "zte mf591", "zte mf196", "zte mf190j", "zte mf710m", "zte mf60", "zte ax226", "zte ac682", "cricket a605", "zte generic", "uncomment", "intex", "tlaytech teu800", "strongrising", "china telcom", "air flexinet", "tata photon", "titan", "avm fritz", "stick n", "utstarcom um175", "alltel", "pantech", "pantech uml290", "option beemo", "p4200 lte", "hisense e910", "evdo phone", "sqn1210sqn1220", "sequansmode1", "motorola", "wlan", "tergusb3e", "joa telecom", "beceem bcsm250", "haier ce682", "evdo", "messagecontent2", "haier ce", "zoom", "intex speed", "bsnl teracom", "visiontek", "teracom lw272", "unknown", "quanta muq101", "message", "quanta", "yota router", "quantamode1", "speedup su8500u", "nokia cs10", "nokia cs11", "nokia cs19", "nokia cs15", "nokia cs12", "nokia cs17", "nokia cs18", "nokia cs7m01", "nokia cs21m02", "philips", "vodafone md950", "dragonfly", "kyocera w06k", "cdma modem", "hspa modem", "targetproduct", "toshiba g450", "lg vl600", "lg l02c", "lg sd711", "lg l08c", "ntt docomo", "lg hdm2100", "lg l05a", "lg luu2100ti", "t usbconnect", "turbo", "lg l07a", "lg ldu1900d", "lg luu2110ti", "lg ad600", "lg l03d", "huawei e630", "sagem f", "gctmode1", "sierra", "digicom", "pirelli", "experimental", "cisco am10", "valet connector", "novatel mc990d", "novatel mc996d", "novatel u760", "novatel mc760", "mifi", "novatel generic", "novatel mifi", "mc545 hspa", "u679 lte", "amoi h01", "amoi h02", "axesstel mu130", "dlink dwm157", "dlink dwm221", "messagecontent3", "dwp157 b1", "dlink dwm167", "dlink dwm158", "dlink dwr510", "mediatek mt6229", "olicard", "speedup su8000", "speedup su8000u", "changhong ch690", "dlink dwm163", "dwm168", "telenet", "w wu160", "viettel vt100", "tplink ma180", "tplink ma260", "exiss mobile", "e190 series", "cmotech", "xtcomment xtlog", "xtdscp xtlength", "xtecn xthl", "xtnat nfnatipv4", "querystring", "requestmethod", "contenttype", "contentlength", "scriptname", "requesturi", "documenturi", "documentroot", "serverprotocol", "requestscheme", "byelorussian", "a3 b8", "a4 ba", "a6 b3", "a7 bf", "ad b4", "ae a2", "b0 b0", "b3 a8", "yo b4", "apache", "weixin", "luci", "fastcgi", "sslv2 sslv3", "tlsv1", "high", "ssl1m", "e2809a", "e2809e", "e280a6", "e280a0", "e280a1", "e282ac", "e280b0", "e28098", "e28099", "e280a2", "c2a0", "c2b7", "a3 d191", "a4 d194", "a6 d196", "a7 d197", "ad d291", "private key", "vendor asnet", "attribute", "asnet attribute", "speedup", "asnet", "server secret", "microsoft", "values value", "mschapresponse", "mschaperror", "mschapcpw1", "mschapcpw2", "mschaplmencpw", "mschapntencpw", "plural", "value", "value authtype", "roaringpenguin", "cistronradiusd", "local", "translations", "valid", "example", "attribute value", "interfacemode", "wirelesshost", "wizard", "systemmode", "interfacemac", "wirelessmac", "timemngt", "service", "10000", "4096", "factory", "framedprotocol", "alive", "merit", "merit extension", "value sipmethod", "invite", "cancel", "obsolete", "move", "include", "vjtcpip", "shelluser", "unix", "radius", "radius server", "general", "radius client", "server name", "clientserver", "ascend", "jens glaser", "euraw", "euui", "comb", "frcir", "frdirectno", "frdirectyes", "type", "button", "pidfile", "seen", "usrbinlogsave", "rfkillstate1", "bseoe6fuwg", "amvzwg", "kwbqbm0", "qrbdj3nghvdjigc", "ihnzbm8m9yop5w", "okue6n36b9k", "tppdpfquww", "drw5visp", "ubkwb1whnw0a", "efcmq", "root ca", "traditional pem", "authority", "global root", "root", "ecc root", "bwme", "gts root", "sectigo public", "premium", "whether", "netlink message", "buffer size", "netlink", "pagesize", "firewall mark", "netlink route", "netlink xfrm", "ike xfrm", "attr", "engine id", "openssl plugin", "set openssl", "fips mode", "suite b", "file", "rngstrong class", "rngtrue class", "listen", "set source", "ipv4", "analyze", "treat", "socket", "disable charon", "configuration", "loglevel", "ikesa", "identifier", "ikesas", "ike daemon", "id payload", "childsa", "install", "path", "rsa private", "t timer", "active", "reset", "expire", "accesscontrol", "tmnglog", "rest", "reset event", "etcconfigfstab", "moving root", "hexdump e", "q batch", "eof exit", "thu oct", "fri oct", "in dnskey", "internet domain", "bind domain", "internic", "in ns", "by verisign", "by ripe", "by icann", "by wide", "huawei 0004", "huawei 0003", "huawei 0005", "huawei 0001", "zte 0001", "zte 0002", "zte 0003", "zte 0004", "huawei 0002", "versalink", "configname", "rulename", "zonenumber", "targetname", "require", "l accessctl", "lan2lan", "position", "aclkeys", "zonein", "ucir", "zonedict", "zonenoin", "acllog", "1acl", "come in", "oldifs", "configtype", "section", "fwlibdir", "fwacllibdir", "m udp", "sectionname", "zonesnil", "srcnetwork", "ctmarkshift", "ctmarkrelated", "ctmarknewbit", "ctmarkinvalid", "ctmarkdef", "ctmarknew", "name fi", "1acl j", "icmpall", "huang zhenwei", "adlibdir", "adinitialized", "noexport", "stretz", "configappend1", "configappend", "function", "output", "iface", "line", "setname", "m set", "input", "v incomplete", "v address", "tmparplist1", "procuptime", "routingmode", "routingmode1", "devnull uci", "timer", "rtfile", "rtret", "rtfile f", "rtflag", "n awk", "grep g", "h grep", "rtflag fi", "baifacefile", "bastatefile", "srcurid", "srinfaceid", "bastatedir", "baifacedir", "srdir", "srinfaceid grep", "retfile", "xujun", "invalid option", "invalid func", "usrsbinarpreq", "clicfgpath", "tmpaccessconfig", "cfgpath", "gettimerange", "getifall", "getif", "lanlan", "success", "failed", "result", "setlocalaccount", "getlanlist", "getipgroup", "accesslistnum", "servicetype", "ruleid", "getindex", "tonumber", "currenttime", "februarynum", "smallfebdaymax", "bigfebdaymax", "timezone", "date", "keyname", "interfaceerror", "assert", "tagtype", "setdesc", "submask", "para", "ipv4address", "ipv4netwknum", "insert", "copy", "ipsecfailstatus", "checkexist", "ipaddress", "optionname", "encmode1", "fail", "responder", "portid", "data", "mirrorport", "portend", "sourceport", "naterror", "natsuccess end", "natprompt", "prompt", "natdata", "selectedname", "portstart", "istart", "routingerror", "adddata", "index", "routingsuccess", "crud error", "ospfinterface", "ospf", "ospfretre", "ospfautotypemd5", "simple", "vlan type", "down", "wanport", "primary ip", "proto", "ipaddrbits", "ripv1", "duplex", "flowctrl", "activemedium", "linkup", "setsnmpv1v2", "snmpv3en", "username", "contact", "setsshserver", "equal", "time settings", "weekday1", "sectimenumhour", "timeslicepoint", "entryname", "calendar", "vlanfailstatus", "vconfig", "vlanform", "vlan id", "address", "optional", "time", "settings", "please enter", "comment", "telecom", "upgrade", "reboot", "refresh", "defense", "code", "tokyo", "armenia", "panama", "jakarta", "back", "next", "tips", "class", "flood", "flash", "speed", "download", "lockout", "belarus", "indonesia", "mexico", "paraguay", "philippines", "ukraine", "uruguay", "facebook", "middle", "bind", "tools", "period", "media", "ping", "death", "stream", "enterprise", "live", "maha", "mais", "adduser", "never", "format", "trace", "clock", "alma", "third", "multi", "little", "critical", "done", "false", "mainserver", "execution", "keepalive", "package", "uciconfigdir", "sbinuci", "configsection", "120m", "ippool", "config dnsmasq", "directoryd", "type1", "type28", "f2cut d", "xargs", "g nogroup", "ctlcmd c", "vardir cp", "switch", "fdlibdir", "fdinitialized", "j dosdefense", "j dosdrop", "t raw", "all fin", "forward", "j zone", "mssfix", "forward j", "input j", "output j", "accept accept", "drop drop", "need v6", "fwinitialized", "libnetwork", "i restarton", "t firewall", "snat", "dnated traffic", "sbinifconfig", "notrack", "notrack rule", "j return", "j connextmark", "a sfemark", "a hwnatmark", "a prerouting", "j extmark", "export", "fwicmp4types", "fwicmp6types", "fwruleofs", "fwzones4", "fwzones6", "stretz export", "fwaerror0", "m mac", "sadd", "sdel", "a flooddefense", "m conntrack", "new j", "extmark", "m extmark", "connextmark", "c tmp", "i prerouting", "d forwardauth", "s usr1", "xargs kill", "loadrule", "j freestrategy", "luo pei", "free", "pistacklist", "kernelvermajor", "part", "piran", "awk f", "o noatime", "n pihooksplice1", "networkifstatus", "addr", "ipv4 address", "ipv4 subnet", "servicesig", "exec", "servicewritepid", "args", "serviceusepid", "servicedebug", "servicequiet", "servicesigstop", "procdsetparam", "procdkill", "script", "complete", "procdcall", "procdwrapper", "procdubuscall", "saved", "strtype", "parentdir", "ramfsdirs", "file strlen", "strlen1", "strlen", "cfgsync", "prefixdevmtd", "d devmtd", "ne x", "configsections", "lock", "etcgroup", "tunnelname", "wanname", "tunnelname p", "greservicerule", "j ct", "j snat", "plutoverb", "plutoconnection", "exist anete", "include zone", "ripaddr", "effde", "effif", "imbprocfile", "tmpstateimb", "ifip", "imblibdir", "imbinitialized", "zones", "n members", "move handling", "i actionupdate", "me hash", "me zonelist", "ipgrplibdir", "me set", "processfailover", "autofailback", "failoverpids", "autopids", "onlinezones", "j connmark", "input p", "myecho", "usrsbintmngtd", "domainspecial", "dnsq", "oldaddr", "usage exit", "invalid command", "ipsecsection", "checking", "connectionname", "etcconfigipsec", "chen xing", "algorithm", "ipsecweblock", "remotenetwork", "j dnat", "c vpnpre", "chenxing", "targetchain", "nfqueue", "tmplogvnetclog", "vnetcexecinvnet", "wanpassthrough", "wantype", "lanpassthrough", "lantype", "ttadvrouteraddr", "wang wenjing", "ipv6grplibdir", "tmpipv6loggg", "aawk v", "xl2tp", "sname", "xname", "devnull fi", "32 fi", "ikeph1", "dut init", "plutopeer", "plutomarkout", "plutouniqueid", "devconsole kill", "l2tpcdistribute", "mtu1300", "loadglobal", "xl2tpd", "killxl2tpd", "search", "nettimeout", "configdir", "nettimeout3", "tlsreqcert", "allowg", "pptpconfigfile", "l2tpconfigfile", "usage", "rstart", "sessiontimeout", "ldapquery", "mediatek mt7621", "ramipsmodel", "snor", "zyxel keenetic", "ramipsboardname", "all0256n", "asl26555", "awm002 evb", "f5d8235", "nand", "omni", "mkdir", "luopei create", "o veth1", "mflibdir", "mfinitialized", "macgrplibdir", "backup", "blank", "pwr1", "pwr2", "tmpfanstate fi", "er8411", "tmpfanspeed", "modvpn", "natlogprint", "rewrite", "root chain", "modules chain", "modone", "moddmz", "rules", "build filter", "dnat j", "naptdevicechain", "naptdevicemark", "naptdevicecache", "modpt", "validptifaces", "j trigger", "port triggering", "return fi", "modvs", "loopback snat", "32 p", "natprint", "natfd", "wc l", "natready flock", "natlogfile", "natlogdir", "natlibdir", "nattmpdir", "natlogenable", "natlogfile fi", "natdebug", "natwritefile", "modnapt", "determine", "includeonly", "nowanlink", "missingaddress", "zone6rd", "hardversion", "iface6rd", "e usrsbinallifs", "usrsbinallifs", "sigusr1", "l sigusr1", "nodevice", "f sysclasstty", "noifname", "baddevice", "pinfailed", "logprotosetup", "loggetsignal", "getinfofailed", "logprotoinit", "control device", "no apn", "noapn", "devconsole eval", "usrsbindhcp6c", "authfailed", "invalidoptions", "l sigterm", "getmacaddrerror", "geteuiiderror", "nowanaddress", "logmoduleipv6", "logipv66to4up", "v zone", "jsongetvar", "usrsbinpppd", "etcpppfilter", "interval5", "usrsbinxl2tpd", "could", "lcp term", "stdout", "aftrname", "stdoutdevnull", "dnssnd", "stdout mtu65000", "rssi", "dhcppidfile", "x v6plusoutput", "6 tunnel", "legacy1", "invalidprefix", "promisc", "oifs", "xprefixlen", "todo", "preconfig", "xifname", "xipaddr", "netifdmaindir", "wdevnotifyinit", "wirelesssetup", "wirelesssetdata", "ccmp tkip", "ccmp", "tkip", "wiface setup", "device setup", "protoprefix6", "protokeep", "protonestedopen", "protodns", "protodnssearch", "protoipaddr", "protoip6addr", "protoroute", "protoroute6", "pppipparam", "dns1", "dns2", "lllocal", "llremote", "state", "logipv6dhcp6cup", "procnetifinet6", "size", "aftrname echo", "svar", "random", "dhcppidfilehgw", "d forward", "dhcpscript", "ifnamendiscmbit", "slaac", "lanphyportset", "lanportset", "lan2", "lan3", "lan4", "wanportset", "wanphyportset", "cpu phy", "s call", "onlinestatefile", "onlinedevfile", "onlinestatedir", "onlineblockfile", "omada", "onlinemodeid", "link backup", "dowmlogid", "ubusobject", "remoteip", "localdevnet", "vpnrulenum", "virtual", "openvpnfwmark", "reply m", "remtoeip", "devname", "actualip", "configfilename", "zonewanopenvpn", "vlocalip", "vpnrulenum fi", "vremoteip", "echo", "unknown option", "i nobindd", "i locald", "publicdnsserver", "usrsbinopenvpn", "tmpopenvpnpwd", "authretryd", "i proto", "chroot", "sectionname wan", "devconsole fw", "sectionname dev", "author", "secname", "interface flag0", "4 route", "tpprconnected", "t grep", "tmppolicyroute", "l2tp", "pptp", "configptah", "killpptpd", "echoinfo", "pppoxpptptype", "pppoxpath", "pppoxl2tptype", "v wan", "serverpath", "loadoneuser", "tmppppoxpptp", "beginloaduser", "endloaduser", "usertypematch1", "profile", "serveron", "serveron pns", "pppoxpppoetype", "loadonepppoe", "deladd", "isexist", "configmyconfig", "q tmppptp", "tmppptpserver", "i snoccp", "usepeerdns", "persist", "plugin", "zonex", "maxfail", "sigchild", "mgrfather", "mt7620", "board", "hexdump", "checksum", "jffs2 partition", "wnce2001", "signature", "asus rtn56u", "preinitn", "initramfs", "boothookadd", "failsafetrue", "press", "int trap", "usr1", "tmpdebuglevel", "failsafe grep", "q failsafe", "proccmdline", "please reboot", "procnetdev", "doing openwrt", "libsh", "qosready", "thismodule", "qosconfigdir", "qosuci", "qoslogprint", "qoslibdir", "qostmpdir", "qostmpdirready", "moduleuci", "styperule", "idxv4", "idxv6", "qosfile", "qosrulechain", "qoschain", "qosfileip4", "qosfileip6", "qosret", "if iface", "uci grep", "stypeiface", "qosmarkbitstart", "qosmarkbitlen2", "qosgmarkmask", "qosmarkmask", "qostcidfile", "tcidbase", "tcidspec", "qoswritefile", "qosinfoprint", "qoserror", "incqoscid", "tcidmax", "spec", "qospollingfile", "deal", "qosthreshold gt", "qosthreshold eq", "qosgrpmarkfile", "grpmarkbitbase", "grpmarkspec", "incqosgrpmark", "grpmarkbase", "insertrule", "qoswritelog", "iptprefix", "iptprefix nvl", "e 1d", "iptprefix l", "iptprefix n", "iptprefix a", "qosret 0", "qosstate", "qosconfiger", "wanall", "snameglobal", "ifacelist", "ruleoptlist", "stopflag", "stub", "qosmarkfile", "markspec", "markbitbase", "markbase", "incqosmark", "m mark", "o get", "zonelist", "wan3", "wan4", "linerate", "qosstatefile", "qosrulespec", "incqosstate", "lannetdev", "grplist", "tttt", "forward vn", "tc qdisc", "tc class", "r2qhtb", "filest", "qdiscl", "defaulthdl", "tc p", "this", "rmchain", "serverports", "rejectports", "m vlan", "routestatedir", "src6", "dst6", "exist", "servicelibdir", "ipset", "j reject", "m tpconnlimit", "restart", "t mirror", "egress", "maxportnum", "s state", "m mode", "p mirrorport", "m ingress", "maxportnum1", "s17p1statusreg", "led bling", "ar8337portsmax1", "portvlanmax", "memeber", "null", "p portsid", "o flush", "rxnormal", "rxall", "flush", "maxportnum5", "t pvlan", "portvidmem", "cpu port", "port vlan", "v vid", "s17phycontrol", "t para", "10mh", "100mf 1000mf", "check rsa", "flowlinken reg", "full", "half", "multicast", "mbps", "rate", "t control", "ingress", "i istate", "m imode", "mirror state", "10mh 10mf", "100mh 100mf", "1000mf", "f flowcontrol", "r irate", "rtl8367sled0reg", "rtl8367sled1reg", "sfp2", "maxportnum11", "sfp0", "sfp1", "uciconfigdir cd", "macflowa", "macflowon", "macflow0", "macflowoff", "wan port", "swconfig", "unicast", "write address", "vlanid", "tbopwrite", "tbtargetcvlan", "write command", "port4control", "port5control", "port3control", "port0control", "port1", "tmplanmac", "mac learning", "lan port", "port1control", "port2control", "mirror mode", "phycontrolreg", "txall", "mt7530", "tlwvr458l", "lanport", "lanend1", "maxportnum fi", "cpuport", "vlanidx", "cpuport1", "0x0de0", "msb bit01", "enable reg", "ifg reg", "phyresolvedreg", "tmpcfg", "realtek", "wvr458war458", "phy index", "copyight", "yuanfengjia", "ceate", "timeobjadd", "timeobjdelete", "etcprofile", "montbl", "tblstartmonth", "weekdaytbl", "yeardaytbl", "startweekday", "tblstartcount", "tblstartweekday", "d etcnixio", "invalid image", "argv", "sysupgrade", "devwatchdog", "ciubipart", "cikernpart", "remove volume", "n troot", "wc c", "n kernel", "n rootfsdata", "kernel", "ramrootlib64", "conftar", "ramroot", "binmount", "bindd", "proc", "modupnp", "ucitmppath", "ucitmpconfig", "ucitmpupuppath", "upnplanchain", "upnplock", "l urlfilter", "tmpcon", "original p", "m urlsetmatch", "url j", "m urldnsmatch", "a urlfilter", "websec", "zoneapireturn", "zonefilelock", "vneton", "logconsole", "vnetbootingy", "loadavvlan", "ipv6addr fi", "ipv6addrlen fi", "loadunload", "loadainterface", "cleanainterface", "vnetiflock", "vnetlock", "vifname", "ipv6prefixlen", "vipaddr", "vnetmask", "vipaddr6", "vprefixlen6", "t filter", "buildainterface", "cleanazone", "i forward", "a webfilter", "l webfilter", "a websec", "sec j", "j websec", "f websec", "ipt t", "tmpwebsecurity", "l websec", "fileexts", "allowip", "wireguardfwmark", "listenport", "ifname p", "method", "nvl inputrule", "nginxconf", "wifidogconf", "lan1", "liwei mkdir", "ruleknownip", "ruleknownmac", "ruleknownipmac", "ruleremind", "ruleremindmac", "ruleremindipmac", "ipsetlimit", "ipsetlimitip", "zonestart", "zonestop", "zonerestart", "get vpn", "get effect", "get normal", "normal", "groupvzones", "groupzones", "wanw", "zonevgname", "zonecreategroup", "configvpniface", "zonestateconfig", "vpn iface", "newmac", "newmac yes", "yes1", "current mac", "overwrite", "converthex", "new mac", "write", "eeprom", "hotplugtype", "path logname", "user export", "devpath", "ifdown", "ev wan", "s list", "brightness exit", "head", "tmplog", "tmplog fi", "devmtdblock", "reloading", "md5file", "md5file rm", "gmac", "updates", "overlay tar", "kill runramfs", "volatile", "snapshot", "verbose", "confrestore", "tarv", "confbackup", "confimage", "needimage1", "needimage", "meta", "drivers", "devices", "type case", "devices drivers", "libwifi", "devubi0 s", "n logrecovery", "n database", "usrbiniptables", "iptablesok", "testiptmac", "wddirwdctl", "scanning disk", "test", "kamikaze", "downloadser605", "build", "integer", "valuepair", "uint4", "namelength", "ipaddr", "radiusclientngh", "begindecls", "enddecls", "servermax", "prohibit", "void", "dpidatabaseram", "sigint", "dpiappdatabase", "dpitagdatabase", "gnu libtool", "please do", "linker", "directory", "free software", "foundation", "license", "without any", "warranty", "merchantability", "fitness", "ddnseventmodule", "ddnseventid", "guo dongxian", "april", "tp new", "ui status", "dns error", "dyndns state", "dynamic dns", "june", "common log", "service start", "service stop", "servicepath", "linevalue", "linevalue fi", "angus mackay", "offline", "noipretcodegood", "noipstaterunok0", "ddnsextver eq", "newlineifs", "r n1", "registeredip", "eric paul", "bishop", "leave", "written", "janary", "tp log", "myip", "column", "wildcardno", "mxnochg", "backmxnochg", "add yours", "here", "dpidbpath", "procdpiappstat", "procdpiappblock", "dbenv", "tostring", "tmpdpitmpstat", "tmpdpitmpblock", "plutopeerclient", "plutome", "plutomyclient", "plutopeerid", "tag p", "facprio", "plutomysourceip", "plutomyprotocol", "pluto", "authiplimit", "authiplimitip", "curauthnum", "auth num", "logmoduleportal", "authtypeweb", "authtyperadius", "authtypewifi", "loguserexpired", "authtypeonekey", "authtypeldap", "idlemintimesec", "authtypewechat", "useragent", "wportalradius", "cookie", "android", "varchar", "authressucc", "authsvrconn", "authresmacerr", "authlistconn", "select from", "label", "span", "strong", "zempty", "icons", "select", "striptags", "pcdata", "legend", "fieldset", "textarea", "replace entry", "steven barth", "apache license", "found", "sorry", "internal server", "footer", "indexer", "collectgarbage", "peak", "retval", "main", "vendor", "prodid", "cls02", "sub0e prot00", "modemtmp", "logallport", "searchtty", "alltty", "d dev", "busfile", "clsff", "clse0", "cls0a", "break", "vid pid", "unsuretty", "storage", "reinit usb", "modemliblogawk", "logmodeswitchs", "cls08", "atr03", "count", "driver", "usbport", "logunlockpin", "unlockpin", "puk code", "modem unlock", "loggetisp", "fileispjson", "findcountry", "location", "findisp", "usbmodemdebug1", "portfile", "usbport fi", "cfgfilepath", "tmpcsfilepath", "ubiquiti", "atheros", "powerstation2", "ralink", "subsystem", "powerstation5", "sr4c", "frequency", "jsonprefix", "jsoncur", "jsongetvar cur", "jsonunset", "keys", "jsonvar", "dest", "jsonseq", "cidr static", "routes", "document", "150px 524px", "46px 524px", "195px 524px", "150px 556px", "46px 556px", "195px 556px", "219px 309px", "219px 333px", "90px 36px", "f4f4f4", "f2f2f2", "151px 151px", "f9b61e", "80px 224px", "eaeae8", "f3f3f5", "verdana", "54px 36px", "geneva", "326px 54px", "329px 58px", "532px 85px", "ebebeb", "21px 21px", "chrome", "7px 7px", "219px 111px", "dd4040", "252px 54px", "220px 5px", "access control", "inner", "app dist", "arp scan", "bwlist qq", "location group", "switch ddm", "dns cache", "backup restore", "gre overipsec", "interface mac", "interface mode", "ipgroup address", "ipgroup group", "ipgroup view", "ipsids", "systemroutetbl", "ipv6group group", "l2tp client", "l2tp server", "l2tp tunnel", "ldap profiles", "mac filtering", "nat dmz", "online check", "pptp tunnel", "reserved", "login auth", "class inbound", "status outbound", "session limit", "switchportvlan", "syetem mode", "systemstate cpu", "url filter", "auto backup", "usb storage", "usermngr backup", "server", "port setting", "port pvid", "relation table", "vlan setting", "vpn user", "vpn wireguard", "website filter", "url set", "wizard wan", "advanced", "rngpptr", "array", "biginteger", "birc", "rsa encryption", "arcfour", "pkcs", "xhlhxl", "bits", "explorer", "canvas", "awidth", "aheight", "canvasgradient", "param", "arcscaley", "canvaspattern", "htmlelement", "without", "html5 shiv", "jdalton", "jonneal", "mitgpl2", "freebsdlicense", "examples", "arial", "alignoffset", "xalign", "point", "formatter", "flot plugin", "iola", "ole laursen", "mit license", "x axis", "otherps", "flot", "series", "axis", "angle", "coord", "axismargin", "width", "delta", "infinity", "zero", "shutdown", "trigger", "ftrue", "ystartangle", "lnull", "bnull", "oparsefloat", "m100", "pm100", "ffalse", "sfalse", "jsonobject", "json", "string", "typenumber", "syntaxerror", "typeof e", "regexp", "typeof n", "typeof t", "typeof r", "pseudo", "ariel flesler", "parseint", "scroll", "html", "toff", "borderbwidth", "targ", "round", "0xff", "transformbuffer", "i4offset", "i4joffset", "0xffffffff7", "0xffffffff1", "invalid type", "mapping", "typecheckbox", "valuearray", "vold", "numflag", "percolumnnum", "unselectable", "items", "store", "callback", "field", "xtype", "typefile", "getcontainer", "title", "params", "parentuuid", "keyproperty", "node", "nodes", "uuid", "form", "increase", "decrease", "encrypt", "charlength", "flagup", "flaglow", "trim", "property", "height", "dataname", "widthvalue", "heightvalue", "contentflag", "boxvalue", "abcd", "jkmn", "regchar", "efghi", "argentina", "australia", "classobj", "oneclass", "minvalue", "maxrange", "minrange", "range", "maxvalue", "invalid range", "caps lock", "sepmark", "separator", "azaz09", "len1", "week", "dataweek", "msgcontaienr", "datatimestart", "datatimeend", "timearray", "0 dismissdelay", "editingindex", "editortype", "invalid editor", "dataindex", "dindex", "jndex", "daindex", "totalpage", "currentpage", "minnum", "maxnum", "gap1", "keywordtype", "columns", "temp", "maxkeys", "inhtml", "alert", "case", "currentindex", "item", "nextindex", "previndex", "invalid step", "widget", "fieldlabel", "posx", "container", "inlineblock", "combinekey", "statustemp", "instance", "callbackfail", "callbackerror", "keyarray", "debug", "jlen", "ajax", "nodeid", "controller", "d1dd", "true", "iframe", "09afaf", "mind", "typeof symbol", "window", "math", "object", "typeerror", "reflect", "generator", "epsilon", "reset yui3", "typehidden", "ecf4d3", "opera", "cache manifest", "cache", "128c", "qrcode", "2g2g2q2q0g", "modenumber1", "modealphanum2", "mode8bitbyte4", "helvetica neue", "helvetica", "heiti sc", "hiragino sans", "microsoft yahei", "gradienttype0", "typesearch", "typebutton", "typereset", "typesubmit", "typeradio", "cbit", "cbid", "click", "checkbox", "xhrpollstatus", "xhrpollstatuson", "xmlhttprequest", "activexobject", "close" ], "references": [ "hwnat", "ipcalc.sh", "login.sh", "cli_accountmgnt_cmd.tree", "cli_base_cmd.tree", "cli_cmd.tree", "cli_clock_cmd.tree", "cli_access_cmd.tree", "cli_extra_cmd.tree", "cli_http_cmd.tree", "cli_ipsec_cmd.tree", "cli_nat_cmd.tree", "cli_show_iface_cmd.tree", "cli_ssh_cmd.tree", "cli_routing_cmd.tree", "cli_show_interface_status_cmd.tree", "cli_snmp_cmd.tree", "cli_interface_cmd.tree", "cli_time_range_cmd.tree", "daemons.conf", "daemons", "cli_vlan_cmd.tree", "dhcp6sctlkey", "device_info", "dhcp6s.conf", "diag.sh", "frr.conf", "filesystems", "firewall.user", "hosts", "group", "inittab", "ipsec.conf", "dnsmasq.conf", "ipsec.secrets", "mtab", "logrotate.conf", "nsswitch.conf", "openwrt_release", "openwrt_version", "passwd", "pptpd.conf", "opkg.conf", "profile", "preinit", "protocols", "rc.common", "shells", "services", "shadow", "strongswan.conf", "rc.local", "sysctl.conf", "sysupgrade.conf", "support_bundle_commands.conf", "vtysh.conf", "sys_monitor.conf", "wifidog.conf", "verify_pub.key", "wifidog-msg.html", "usb-mode.json", "02_network", "01_leds", "65_nginx_sync.sh", "00_start_sync.sh", "99_end_sync.sh", "chat-get-qualcomm_2", "chat-get", "chat-get-anydata_2", "chat-get-qualcomm_1", "3g.chat", "chat-gsm-test", "chat-gsm-test-anydata", "chat-get-anydata_1", "chat-gsm-test-qualcomm", "chat-modem-test", "chat-modem-configure", "disconn-script", "evdo.chat", "cloud_service.cfg", "cloud_config.cfg", "2048_newroot.cer", "access_ctl", "administration", "accountmgnt", "arp_scan_range", "auto_backup", "arp_defense", "avahi-daemon", "controller.lock", "cli_server", "controller.conf", "countrygroup", "cmxddns", "custom_dhcp", "customddns", "dhcp6s", "ddns", "dhcp", "dhcp6c", "dhcp_logrotate", "dos_defense", "dpi", "dynddns", "ecs", "ecsIfName", "filter_global", "freePolicy", "dropbear", "flood_defense", "freeStrategy", "gre", "imb", "ifstat-mini", "improxy", "ipsec", "ippool", "ipsec_failover", "dnsproxySecurity", "ipsec_secrets", "ipstat", "iptv", "ipgroup", "l2tp-global", "ipv6group", "l2tp-client", "l2tp-server", "ldap", "led_set", "line_backup", "l2tp-server.reference", "lldpd", "load_balance", "logger", "luci", "locale", "mac_filter", "nat", "firewall", "macgroup", "modem", "mwan3", "omada-tool.conf", "noipddns", "nwadditional", "omada-tool.lock", "network", "online", "openvpn_user", "openvpn", "phddns", "policy_route", "ospf", "pptp-client", "portal_mgmt", "pptp-client-global", "pptp-global", "protocol", "pptp-server-global", "qos_ctl", "radvd", "qos", "reference", "rip", "remote_mngt", "sdnInfo", "pptp-server", "session_limits", "service", "sfe", "sharecfg", "snmpd", "static_route", "splitaccess", "switch", "system_mode", "tddp", "time_mngt", "system_params", "uhttpd", "upnp", "url_filter", "usermngr", "usbshare", "user-secrets", "ucitrack", "vlan", "vnetwork", "vpnlog", "webfilter", "system", "webfilter_global", "websort", "web_security", "wireguard_interface", "wireguard_peers", "wportal", "zone", "user-secrets.reference", "dropbear_rsa_host_key", "serial", "index.txt", "openssl.cnf", "vars", "openssl-1.0.0.cnf", "connect-directip.gcom", "command.gcom", "baseinfo.gcom", "cellinfo.gcom", "connect-ncm.gcom", "getcarrier.gcom", "directip.gcom", "getcardinfo.gcom", "connect-ppp.gcom", "directip-stop.gcom", "getimsi.gcom", "getimsi_b.gcom", "getpinstatus.gcom", "getstrength.gcom", "huaweiinfo.gcom", "getcnum.gcom", "modem-gsm-test-anydata.gcom", "getregistestate.gcom", "lock-prov.gcom", "modem-gsm-test-qualcomm.gcom", "ncm.json", "run-at.gcom", "reset.gcom", "modem-configure.gcom", "sendsms-at.gcom", "setapn.gcom", "setmode.gcom", "zteinfo.gcom", "setpin.gcom", "sierrainfo.gcom", "runcommand.gcom", "smschk.gcom", "11-led", "10-firewall.sh", "22-access_ctl.sh", "25-pppox.sh", "22-imb.sh", "21-nat.sh", "40-qos.sh", "70-policy_route.sh", "26-openvpn.sh", "70-switch.sh", "89-remote_mngt.sh", "95-online.sh", "96-customddns.sh", "96-cmxddns.sh", "96-dynddns.sh", "96-noipddns.sh", "96-phddns.sh", "97-line_backup.sh", "97-route.sh", "98-ipsec.sh", "98-iptv.sh", "99-wan_hook.sh", "97-load_balance.sh", "97-upnp.sh", "12-netbios-passthrough", "10-pppox-if-up-down.sh", "30-policy_route.sh", "22-access_ctl", "29-static_route", "20-firewall", "02-split_access", "80-balance.sh", "40-qos", "00-vpn_hook.sh", "97-mwan3.sh", "99-vpn_hook.sh", "00-vnet_client.sh", "00-ecsIfChange", "1-vnet_lanhook.sh", "1-vnet_lanv6hook.sh", "05-vnet-lanv6", "20-upnp", "18-dnsproxyvnet.sh", "22-imb", "00-vnet.sh", "22-qos-tplink", "50-improxy", "40-remote_mngt", "60-dhcpsvnet.sh", "65-wifidog.sh", "92-pppox-vpn.sh", "99-mdns.sh", "90-portal_mgmt", "02-usb-auto-scan", "10-motion", "01-usb-led", "15-usb_mode", "30-3g", "20-firewall.sh", "10-pppox-response-nat.sh", "10-metric.sh", "50-l2tp-up-down.sh", "50-qos_ctl", "1-lanhook.sh", "1-lanv6hook.sh", "00-netstate", "01-zone", "03-vlan", "05-lanv6", "04-ipv6", "02-vnet.sh", "06-wan_log", "10-sysctl", "18-ipgroup", "15-online.sh", "18-ipv6group", "22-dos_defense", "25-ddns", "26-freeStrategy", "50-l2tp-lowerif-up-down.sh", "65-iptv", "70-pptp-ifdown.sh", "72-wan_ip_alias", "85-ntp", "92-dynamic_route", "90-vpn", "91-gre.sh", "99-hotplug_done", "99-vnet.sh", "99-z3g4g-connect", "60-dnsmasq", "10-rt2x00-eeprom", "30-v6plus", "60-pptp-reload-rules.sh", "10-l2tp-pptp.sh", "50-access_ctl.sh", "18-dnsproxy.sh", "40-imb.sh", "60-dnsmasq.sh", "46-nat.sh", "60-mac_filter.sh", "99-load_balance.sh", "97-qos.sh", "99-nginx.sh", "00-configlink.sh", "10-mount", "10-policy_route.sh", "70-backup", "15-mwan3", "40-load_balance", "backup", "bootcount", "boot", "default_balance", "done", "dnsproxy", "dnsmasq", "dynamic_route", "drop_caches", "cron", "fstab", "geoip", "gre_init", "enablemodem", "ipv6", "led", "l2tp", "led_early", "loggerd", "monitor", "netbios_passthrough", "ndppd", "nginx", "pppox", "pptpd", "queueventd", "qos-tplink", "rsa_check", "smp", "spi_device_id", "sys_monitor", "sysntpd", "tddpd", "sysctl", "tmngtd", "umount", "time_setting", "usbmodem", "usbmuxd", "vnet", "wifidog", "wireguard", "zbalance_loop_reset", "xl2tpd", "zero_boot_done", "zombie_monitor", "zzomada_server", "zzzzzsys_info", "zzzcloud_proc", "telnet", "zzddns", "rt_tables", "location.json", "0ace:20ff", "0ace:2011", "0af0:7a01", "0af0:7a05", "0af0:4007", "0af0:6711", "0af0:6731", "0af0:6751", "0af0:6771", "0af0:6791", "0af0:6811", "0af0:6911", "0af0:6951", "0af0:6971", "0af0:7011", "0af0:7031", "0af0:7051", "0af0:7071", "0af0:7111", "0af0:7211", "0af0:7251", "0af0:7271", "0af0:7301", "0af0:7311", "0af0:7361", "0af0:7381", "0af0:7401", "0af0:7501", "0af0:7601", "0af0:7701", "0af0:7706", "0af0:7801", "0af0:7901", "0af0:8006", "0af0:8200", "0af0:8201", "0af0:8300", "0af0:8302", "0af0:8304", "0af0:8400", "0af0:8600", "0af0:8700", "0af0:8800", "0af0:8900", "0af0:9000", "0af0:9200", "0af0:c031", "0af0:c100", "0af0:d001", "0af0:d013", "0af0:d031", "0af0:d033", "0af0:d035", "0af0:d055", "0af0:d057", "0af0:d058", "0af0:d155", "0af0:d157", "0af0:d255", "0af0:d257", "0af0:d357", "0b3c:c700", "0b3c:f000", "0b3c:f00c", "0b3c:f017", "0bdb:190d", "0bdb:1910", "0cf3:20ff", "0d46:45a1", "0d46:45a5", "0df7:0800", "0e8d:0002:uPr=MT", "0e8d:0002:uPr=Product", "0e8d:7109", "0fca:8020", "0fce:d0cf", "0fce:d0df", "0fce:d0e1", "0fce:d103", "0fd1:1000", "1a8d:1000", "1a8d:2000", "1ab7:5700", "1b7d:0700", "1bbb:00ca", "1bbb:000f", "1bbb:011f", "1bbb:022c", "1bbb:f000", "1bbb:f017", "1bbb:f052", "1c9e:9d00", "1c9e:9e00", "1c9e:9e08", "1c9e:98ff", "1c9e:1001", "1c9e:6000", "1c9e:6061:uPr=Storage", "1c9e:9101", "1c9e:9200", "1c9e:9401", "1c9e:9800", "1c9e:f000", "1c9e:f000:uMa=USB_Modem", "1d09:1000", "1d09:1021", "1d09:1025", "1da5:f000", "1dbc:0669", "1dd6:1000", "1de1:1101", "1e0e:f000", "1e89:f000", "1edf:6003", "1ee8:0003", "1ee8:004a", "1ee8:004f", "1ee8:0009", "1ee8:0013", "1ee8:0018", "1ee8:0040", "1ee8:0045", "1ee8:0054", "1ee8:0060", "1ee8:0063", "1ee8:0068", "1f28:0021", "1fac:0032", "1fac:0130", "1fac:0150", "1fac:0151", "03f0:002a", "04bb:bccd", "04cc:225c", "04cc:226e", "04cc:226f", "04cc:2251", "04e8:680c", "04e8:689a", "04e8:f000:sMo=U209", "04fc:2140", "05c6:0010", "05c6:1000:sVe=GT", "05c6:1000:sVe=Option", "05c6:1000:uMa=AnyDATA", "05c6:1000:uMa=CELOT", "05c6:1000:uMa=Co.,Ltd", "05c6:1000:uMa=DGT", "05c6:1000:uMa=Option", "05c6:1000:uMa=SAMSUNG", "05c6:1000:uMa=SSE", "05c6:1000:uMa=StrongRising", "05c6:1000:uMa=Vertex", "05c6:2000", "05c6:2001", "05c6:6503", "05c6:9024", "05c6:f000", "05c7:1000", "07d1:a800", "07d1:a804", "10a9:606f", "10a9:6080", "12d1:1c0b", "12d1:1c1b", "12d1:1c24", "12d1:1d50", "12d1:1da1", "12d1:1f01", "12d1:1f1b", "12d1:1f1c", "12d1:1f1d", "12d1:1f1e", "12d1:1f02", "12d1:1f03", "12d1:1f07", "12d1:1f09", "12d1:1f11", "12d1:1f15", "12d1:1f16", "12d1:1f17", "12d1:1f18", "12d1:1f19", "12d1:14ad", "12d1:14b5", "12d1:14b7", "12d1:14ba", "12d1:14c1", "12d1:14c3", "12d1:14c4", "12d1:14c5", "12d1:14d1", "12d1:14fe", "12d1:15ca", "12d1:15cd", "12d1:15cf", "12d1:15e7", "12d1:101e", "12d1:151a", "12d1:155a", "12d1:155b", "12d1:156a", "12d1:157c", "12d1:157d", "12d1:380b", "12d1:1001", "12d1:1003", "12d1:1009", "12d1:1010", "12d1:1030", "12d1:1031", "12d1:1413", "12d1:1414", "12d1:1446", "12d1:1449", "12d1:1505", "12d1:1520", "12d1:1521", "12d1:1523", "12d1:1526", "12d1:1553", "12d1:1557", "12d1:1582", "12d1:1583", "12d1:1805", "15eb:7153", "16d8:6803", "16d8:6281", "16d8:700b", "12d1:#android", "12d1:#linux", "16d8:6804", "16d8:700a", "16d8:f000", "19d2:0003", "19d2:0026", "19d2:0040", "19d2:0053", "19d2:0083:uPr=WCDMA", "19d2:0101", "19d2:0103", "19d2:0110", "19d2:0115", "19d2:0120", "19d2:0146", "19d2:0149", "19d2:0150", "19d2:0154", "19d2:0166", "19d2:0169", "19d2:0266", "19d2:0304", "19d2:0318", "19d2:0325", "19d2:0388", "19d2:0413", "19d2:1001", "19d2:1007", "19d2:1009", "19d2:1013", "19d2:1017", "19d2:1030", "19d2:1038", "19d2:1171", "19d2:1175", "19d2:1179", "19d2:1201", "19d2:1207", "19d2:1210", "19d2:1216", "19d2:1219", "19d2:1224", "19d2:1225", "19d2:1227", "19d2:1232", "19d2:1233", "19d2:1237", "19d2:1238", "19d2:1420", "19d2:1511", "19d2:1514", "19d2:1517", "19d2:1520", "19d2:1523", "19d2:1528", "19d2:1536", "19d2:1542", "19d2:1588", "19d2:2000", "19d2:2004", "19d2:bccd", "19d2:ffde", "19d2:ffe6", "19d2:fff5", "19d2:fff6", "19d2:#linux", "20a6:f00e", "20b9:1682", "21f5:1000", "21f5:3010", "22de:6801", "22de:6803", "22f4:0021", "23a2:1010", "057c:62ff", "057c:84ff", "072f:100d", "106c:3b03", "106c:3b05", "106c:3b06", "106c:3b11", "106c:3b14", "109b:f009", "148e:a000", "148f:2578", "198a:0003", "198f:bccd", "201e:1023", "201e:2009", "230d:000b", "230d:000d", "230d:0001", "230d:0003", "230d:0007", "230d:0101", "230d:0103", "257a:a000", "257a:b000", "257a:c000", "257a:d000", "0408:1000", "0408:ea17", "0408:ea25", "0408:ea43", "0408:f000", "0408:f001", "0421:060c", "0421:061d", "0421:062c", "0421:0610", "0421:0618", "0421:0622", "0421:0627", "0421:0632", "0421:0637", "0471:1210:uMa=Philips", "0471:1210:uMa=Wisue", "0471:1237", "0482:024d", "0685:2000", "0922:1001", "0922:1003", "0930:0d46", "1004:61aa", "1004:61dd", "1004:61e7", "1004:61eb", "1004:607f", "1004:613a", "1004:613f", "1004:614e", "1004:1000", "1004:6156", "1004:6190", "1004:6327", "1033:0035", "1076:7f40", "1199:0fff", "1266:1000", "1307:1169", "1410:5010", "1410:5020", "1410:5023", "1410:5030", "1410:5031", "1410:5041", "1410:5055", "1410:5059", "1410:7001", "1614:0800", "1614:0802", "1726:f00e", "1782:0003", "2001:00a6", "2001:98ff", "2001:a80b", "2001:a401", "2001:a403", "2001:a405", "2001:a706", "2001:a707", "2001:a708", "2001:a805", "2020:0002", "2020:f00e", "2020:f00f", "2077:1000", "2077:f000", "2262:0001", "2357:0200", "2357:f000", "8888:6500", "ed09:1021", "20-usb-core", "25-nls-cp437", "05-liblogger", "20-fs-exportfs", "25-nls-cp864", "25-nls-cp775", "25-nls-cp866", "15-mii", "25-nls-cp932", "25-nls-cp852", "25-nls-cp1250", "25-nls-cp850", "25-nls-cp1251", "25-nls-iso8859-1", "25-nls-iso8859-2", "25-nls-cp862", "25-nls-iso8859-6", "25-nls-iso8859-8", "25-nls-iso8859-13", "25-nls-iso8859-15", "25-nls-koi8r", "25-nls-utf8", "29-fs-fscache", "30-atm", "30-fs-autofs4", "30-fs-btrfs", "30-fs-cifs", "30-fs-configfs", "30-fs-cramfs", "30-fs-ext4", "30-fs-hfs", "30-fs-hfsplus", "30-fs-isofs", "30-fs-jfs", "30-fs-minix", "30-fs-nfs-common", "30-fs-ntfs", "30-fs-reiserfs", "30-fs-udf", "30-fs-vfat", "30-fs-xfs", "30-gpio-button-hotplug", "30-ipsec", "30-tun", "30-veth", "31-iptunnel", "31-iptunnel4", "31-iptunnel6", "32-ip6-tunnel", "32-ipsec4", "32-ipsec6", "32-l2tp", "32-sit", "39-gre", "40-bonding", "40-fs-msdos", "40-fs-nfs", "40-fs-nfsd", "40-pppoa", "40-scsi-core", "40-usb2", "42-ip6tables", "42-usb2-pci", "49-ipt-ipset-tplink", "50-usb-ohci", "50-usb-uhci", "54-usb3", "65-scsi-generic", "80-fuse", "89-portal", "90-urlset", "90-xt_CTSTATEMARK", "90-xt_dosdrop", "90-xt_doslogonly", "90-xt_ipsecmark", "90-xt_multinetdev", "90-xt_qoslimit", "90-xt_tplimit", "90-xt_vlan", "91-authlimit", "91-xt_authlimit", "98-ipt_url_dns_match", "98-ipt_urlset_match", "98-ipt_web_dns_match", "98-ipt_webfilter_match", "98-ipt_websec_match", "98-load_balance", "99-balance_route", "99-ipt_tpconnlimit", "99-ipt_TRIGGER", "99-ipt_urlset_target", "99-xt_l2tp", "crypto-hw-eip93", "fs-exfat", "ipt-account", "ipt-compat-xtables", "ipt-conntrack", "ipt-conntrack-extra", "ipt-core", "ipt-extra", "ipt-filter", "ipt-geoip", "ipt-ipopt", "ipt-iprange", "ipt-ipsec", "ipt-ipv4options", "ipt-nat", "ipt-nat-extra", "ipt-nathelper", "ipt-nathelper-extra", "ipt-nfqueue", "ipt-tproxy", "lib-crc-ccitt", "lib-textsearch", "mmc", "mppe", "nf-conntrack-netlink", "nfnetlink", "nfnetlink-queue", "ppp", "pppoe", "pppol2tp", "pptp", "sdhci-mt7621", "usb-acm", "usb-net", "usb-net-asix", "usb-net-cdc-ether", "usb-net-cdc-mbim", "usb-net-cdc-ncm", "usb-net-huawei-cdc-ncm", "usb-net-ipheth", "usb-net-qmi-wwan", "usb-net-rndis", "usb-printer", "usb-serial", "usb-serial-option", "usb-serial-wwan", "usb-storage", "usb-storage-extras", "usb-wdm", "cleanTMP.sh", "fastcgi_params", "koi-win", "nginx.conf", "mime.types", "win-utf", "koi-utf", "ldap.conf", "crt.sed", "client.crt", "client.key", "dictionary.asnet", "servers", "dictionary.microsoft", "dictionary", "options.default", "options.l2tp", "filter", "chap-secrets", "options.pptp", "options.pptpd", "options.xl2tpd", "radius.conf", "dictionary.merit", "dictionary.sip", "issue", "dictionary.compat", "port-id-map", "radiusclient.conf", "dictionary.ascend", "failsafe", "power", "reset", "rfkill", "K10improxy", "K10openvpn", "K10portal_mgmt", "K25zone", "K50dropbear", "K71hwnat", "K90ipv6", "K91network", "K91geoip", "K99umount", "K98boot", "S00zombie_monitor", "K26pppox", "S01spi_device_id", "S01led_early", "S10boot", "S15loggerd", "S19vnet", "S10system", "S20network", "S21tddpd", "S20geoip", "S25sysctl", "S26time_setting", "S25zone", "S22rsa_check", "S42ipgroup", "S31tmngtd", "S40fstab", "S42ipv6group", "S45firewall", "S42macgroup", "S46iptv", "S42service", "S46nat", "S46netbios_passthrough", "S47access_ctl", "S47administration", "S47dos_defense", "S42ippool", "S47flood_defense", "S47imb", "S47mac_filter", "S50cron", "S50dropbear", "S50pppox", "S50qos-tplink", "S50queueventd", "S50radvd", "S50snmpd", "S50uhttpd", "S60dnsmasq", "S60monitor", "S60pptpd", "S60url_filter", "S60xl2tpd", "S65wifidog", "S68online", "S70freeStrategy", "S70usbshare", "S71hwnat", "S72sfe", "S80usbmuxd", "S80websort", "S83web_security", "S85webfilter", "S89remote_mngt", "S90ndppd", "S90openvpn", "S90portal_mgmt", "S91wireguard", "S92qos_ctl", "S95done", "S95ifstat-mini", "S95ipstat", "S95l2tp", "S95mwan3", "S96backup", "S96cmxddns", "S96default_balance", "S96load_balance", "S96policy_route", "S96static_route", "S96sysntpd", "S96upnp", "S97gre_init", "S97ipsec", "S97session_limits", "S98ipsec_failover", "S98led", "S99avahi-daemon", "S99bootcount", "S99dnsproxy", "S99dpi", "S99drop_caches", "S99dynamic_route", "S99enablemodem", "S99improxy", "S99ipv6", "S99led_set", "S99lldpd", "S99phddns", "S99smp", "S99switch", "S99sys_monitor", "S99system_params", "S99usbmodem", "S99zbalance_loop_reset", "S99zero_boot_done", "S99zzddns", "S99zzomada_server", "S99zzzcloud_proc", "S99zzzzzsys_info", "0a775a30.0", "0b1b94ef.0", "0bf05006.0", "0f5dc4f3.0", "0f6fa695.0", "1d3472b9.0", "1e08bfd1.0", "1e09d511.0", "2ae6433e.0", "2b349938.0", "002c0b4f.0", "3bde41ac.0", "3e44d2f7.0", "3e45d192.0", "3fb36b73.0", "4a6481c9.0", "4b718d9b.0", "4bfab552.0", "4f316efb.0", "5ad8a5d6.0", "5cd81ad7.0", "5d3033c5.0", "5e98733a.0", "5f15c80c.0", "5f618aec.0", "6b99d060.0", "6d41d539.0", "06dc52d5.0", "6fa5da56.0", "7aaf71c0.0", "7f3d5d1d.0", "8cb5ee0f.0", "8d86cdd1.0", "8d89cda1.0", "9b5697b0.0", "9c8dfbd4.0", "9d04f354.0", "14bc7599.0", "48bec511.0", "57bcb2da.0", "062cdee6.0", "064e0aa9.0", "68dd7389.0", "75d1b2ed.0", "76cb8f92.0", "76faf6c0.0", "93bc0acc.0", "106f3e4d.0", "244b5494.0", "349f2832.0", "406c9bb1.0", "626dceaf.0", "653b494a.0", "706f604c.0", "749e9e03.0", "773e07ad.0", "930ac5d2.0", "988a38cb.0", "1001acf7.0", "2923b3f9.0", "03179a64.0", "4042bcee.0", "4304c5e5.0", "5273a94c.0", "5443e9e3.0", "7719f463.0", "8160b96c.0", "9482e63a.0", "18856ac4.0", "32888f65.0", "40547a79.0", "607986c7.0", "1636090b.0", "02265526.0", "3513523f.0", "09789157.0", "40193066.0", "54657681.0", "a94d09e5.0", "a3418fda.0", "ACCVRAIZ1.crt", "AC_RAIZ_FNMT-RCM.crt", "AC_RAIZ_FNMT-RCM_SERVIDORES_SEGUROS.crt", "Actalis_Authentication_Root_CA.crt", "aee5f10d.0", "AffirmTrust_Commercial.crt", "AffirmTrust_Networking.crt", "AffirmTrust_Premium.crt", "AffirmTrust_Premium_ECC.crt", "Amazon_Root_CA_1.crt", "Amazon_Root_CA_2.crt", "Amazon_Root_CA_3.crt", "Amazon_Root_CA_4.crt", "ANF_Secure_Server_Root_CA.crt", "Atos_TrustedRoot_2011.crt", "Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.crt", "b0e59380.0", "b7a5b843.0", "b81b93f0.0", "b1159c4c.0", "b66938e9.0", "b433981b.0", "b727005e.0", "Baltimore_CyberTrust_Root.crt", "bf53fb88.0", "Buypass_Class_2_Root_CA.crt", "Buypass_Class_3_Root_CA.crt", "c01eb047.0", "c28a8a30.0", "ca6e4ad9.0", "ca-certificates.crt", "CA_Disig_Root_R2.crt", "cbf06781.0", "cc450945.0", "cd8c0d63.0", "cd58d51e.0", "ce5e74ef.0", "Certigna.crt", "Certigna_Root_CA.crt", "certSIGN_ROOT_CA.crt", "certSIGN_Root_CA_G2.crt", "Certum_EC-384_CA.crt", "Certum_Trusted_Network_CA.crt", "Certum_Trusted_Network_CA_2.crt", "Certum_Trusted_Root_CA.crt", "CFCA_EV_ROOT.crt", "Comodo_AAA_Services_root.crt", "COMODO_Certification_Authority.crt", "COMODO_ECC_Certification_Authority.crt", "COMODO_RSA_Certification_Authority.crt", "Cybertrust_Global_Root.crt", "d4dae3dd.0", "d7e8dc79.0", "d887a5bb.0", "d6325660.0", "dc4d6a89.0", "dd8e9d41.0", "de6d66f3.0", "DigiCert_Assured_ID_Root_CA.crt", "DigiCert_Assured_ID_Root_G2.crt", "DigiCert_Assured_ID_Root_G3.crt", "DigiCert_Global_Root_CA.crt", "DigiCert_Global_Root_G2.crt", "DigiCert_Global_Root_G3.crt", "DigiCert_High_Assurance_EV_Root_CA.crt", "DigiCert_Trusted_Root_G4.crt", "D-TRUST_Root_Class_3_CA_2_2009.crt", "D-TRUST_Root_Class_3_CA_2_EV_2009.crt", "e8de2f56.0", "e18bfb83.0", "e36a6752.0", "e73d606e.0", "e113c810.0", "e868b802.0", "e35234b1.0", "EC-ACC.crt", "ee64a828.0", "eed8c118.0", "ef954a4e.0", "emSign_ECC_Root_CA_-_C3.crt", "emSign_ECC_Root_CA_-_G3.crt", "emSign_Root_CA_-_C1.crt", "emSign_Root_CA_-_G1.crt", "Entrust.net_Premium_2048_Secure_Server_CA.crt", "Entrust_Root_Certification_Authority.crt", "Entrust_Root_Certification_Authority_-_EC1.crt", "Entrust_Root_Certification_Authority_-_G2.crt", "Entrust_Root_Certification_Authority_-_G4.crt", "ePKI_Root_Certification_Authority.crt", "e-Szigno_Root_CA_2017.crt", "E-Tugra_Certification_Authority.crt", "f0c70a8d.0", "f30dd6ad.0", "f39fc864.0", "f51bb24c.0", "f249de83.0", "f3377b1b.0", "f081611a.0", "f387163d.0", "fa5da96b.0", "fc5a8f99.0", "fe8a2cd8.0", "feffd413.0", "ff34af3f.0", "GDCA_TrustAUTH_R5_ROOT.crt", "GlobalSign_ECC_Root_CA_-_R4.crt", "GlobalSign_ECC_Root_CA_-_R5.crt", "GlobalSign_Root_CA.crt", "GlobalSign_Root_CA_-_R2.crt", "GlobalSign_Root_CA_-_R3.crt", "GlobalSign_Root_CA_-_R6.crt", "GlobalSign_Root_E46.crt", "GlobalSign_Root_R46.crt", "GLOBALTRUST_2020.crt", "Go_Daddy_Class_2_CA.crt", "Go_Daddy_Root_Certificate_Authority_-_G2.crt", "GTS_Root_R1.crt", "GTS_Root_R2.crt", "GTS_Root_R3.crt", "GTS_Root_R4.crt", "Hellenic_Academic_and_Research_Institutions_ECC_RootCA_2015.crt", "Hellenic_Academic_and_Research_Institutions_RootCA_2011.crt", "Hellenic_Academic_and_Research_Institutions_RootCA_2015.crt", "Hongkong_Post_Root_CA_1.crt", "Hongkong_Post_Root_CA_3.crt", "IdenTrust_Commercial_Root_CA_1.crt", "IdenTrust_Public_Sector_Root_CA_1.crt", "ISRG_Root_X1.crt", "Izenpe.com.crt", "Microsec_e-Szigno_Root_CA_2009.crt", "Microsoft_ECC_Root_Certificate_Authority_2017.crt", "Microsoft_RSA_Root_Certificate_Authority_2017.crt", "NAVER_Global_Root_Certification_Authority.crt", "NetLock_Arany_=Class_Gold=_F?tan\u00fas\u00edtv\u00e1ny.crt", "Network_Solutions_Certificate_Authority.crt", "OISTE_WISeKey_Global_Root_GB_CA.crt", "OISTE_WISeKey_Global_Root_GC_CA.crt", "QuoVadis_Root_CA_1_G3.crt", "QuoVadis_Root_CA_2.crt", "QuoVadis_Root_CA_2_G3.crt", "QuoVadis_Root_CA_3.crt", "QuoVadis_Root_CA_3_G3.crt", "Secure_Global_CA.crt", "SecureSign_RootCA11.crt", "SecureTrust_CA.crt", "Security_Communication_Root_CA.crt", "Security_Communication_RootCA2.crt", "SSL.com_EV_Root_Certification_Authority_ECC.crt", "SSL.com_EV_Root_Certification_Authority_RSA_R2.crt", "SSL.com_Root_Certification_Authority_ECC.crt", "SSL.com_Root_Certification_Authority_RSA.crt", "Staat_der_Nederlanden_EV_Root_CA.crt", "Starfield_Class_2_CA.crt", "Starfield_Root_Certificate_Authority_-_G2.crt", "Starfield_Services_Root_Certificate_Authority_-_G2.crt", "SwissSign_Gold_CA_-_G2.crt", "SwissSign_Silver_CA_-_G2.crt", "SZAFIR_ROOT_CA2.crt", "TeliaSonera_Root_CA_v1.crt", "TrustCor_ECA-1.crt", "TrustCor_RootCert_CA-1.crt", "TrustCor_RootCert_CA-2.crt", "Trustwave_Global_Certification_Authority.crt", "Trustwave_Global_ECC_P256_Certification_Authority.crt", "Trustwave_Global_ECC_P384_Certification_Authority.crt", "T-TeleSec_GlobalRoot_Class_2.crt", "T-TeleSec_GlobalRoot_Class_3.crt", "TUBITAK_Kamu_SM_SSL_Kok_Sertifikasi_-_Surum_1.crt", "TWCA_Global_Root_CA.crt", "TWCA_Root_Certification_Authority.crt", "UCA_Extended_Validation_Root.crt", "UCA_Global_G2_Root.crt", "USERTrust_ECC_Certification_Authority.crt", "USERTrust_RSA_Certification_Authority.crt", "XRamp_Global_CA_Root.crt", "cert.pem", "dnskey.conf", "connmark.conf", "des.conf", "aes.conf", "kernel-netlink.conf", "constraints.conf", "md5.conf", "attr.conf", "nonce.conf", "gmp.conf", "openssl.conf", "fips-prf.conf", "pem.conf", "hmac.conf", "pgp.conf", "pkcs1.conf", "pkcs7.conf", "pkcs12.conf", "pubkey.conf", "random.conf", "rc2.conf", "resolve.conf", "revocation.conf", "sha1.conf", "sha2.conf", "socket-default.conf", "sshkey.conf", "stroke.conf", "updown.conf", "x509.conf", "xauth-generic.conf", "xcbc.conf", "pki.conf", "scepclient.conf", "starter.conf", "charon-logging.conf", "charon.conf", "priv-key.pem", "server-cert.pem", "access_control", "00_uhttpd_ubus", "10-fstab", "10_migrate-shadow", "11_migrate-sysctl", "09_fix-seama-header", "12_network-generate-ula", "root.key", "unbound.conf.back", "named.cache", "12d1_0004", "12d1_0003", "12d1_0005", "12d1_0001", "19d2_0001", "19d2_0002", "19d2_0003", "19d2_0004", "ffff_0001", "12d1_0002", "ffff_0002", "ffff_0003", "xl2tpd.conf", "xl2tp-secrets", "acl_timeobj.lua", "acl_timeobj_v6.lua", "acl_wanhook.lua", "access_func_v6.sh", "attach_timeobj.lua", "core.sh", "access_func.sh", "interface.sh", "acl_delete_rule.lua", "core_log.sh", "markdef.sh", "time.sh", "core_acl.sh", "config.sh", "core_global.sh", "arp.sh", "gettime.sh", "cmd.sh", "backup.sh", "ecmp.sh", "api.sh", "ecmp.lua", "dynanmic_arpreq.sh", "getVid.sh", "access_time_help.lua", "access_dir_help.lua", "accountmgnt.lua", "access_ip_help.lua", "access.lua", "clock.lua", "http.lua", "interface.lua", "dhcp.lua", "ipsec.lua", "monitor_port.lua", "nat.lua", "show_if_help.lua", "routing.lua", "cli_ospf.lua", "show_interface.lua", "rip.lua", "show_interface_status.lua", "snmp.lua", "ssh.lua", "time_range.lua", "vlan.lua", "lan.js", "uci.sh", "arping.sh", "get_option.lua", "dhcps.sh", "main.sh", "dnssecquery.sh", "core_forwarding.sh", "core_init.sh", "core_interface.sh", "core_redirect.sh", "core_rule.sh", "core_tpfirewall.sh", "uci_firewall.sh", "fw.sh", "tpcmd.sh", "freeStrategy_backup.sh", "add_delete_tuple.sh", "add_delete.sh", "getip.sh", "preinit.sh", "leds.sh", "network.sh", "service.sh", "switch_port.sh", "procd.sh", "userconfig.sh", "uci-defaults.sh", "system.sh", "functions.sh", "gre_common.sh", "gre-ipsec-up-down.sh", "delete_restart.sh", "core_ipgroup.sh", "ipsec_check_domain_wrap.sh", "ipsec_failover_process.sh", "ipsec_handle_iptables.sh", "ipsec_check_domain.sh", "ipsec_generate_domain.sh", "ipsec_execute_stroke.sh", "ipsec_monitor_tunnel.sh", "ipsec_vnet.sh", "pd_api.sh", "lanv6_server.sh", "pd_server.sh", "core_ipv6group.sh", "get-vpn-gw.sh", "ifup-l2tp.sh", "ifdown-l2tp.sh", "l2tp-get-tunnel-info.sh", "get-vpn-ip.sh", "l2tp-init.sh", "l2tp-ipsec-delete.lua", "l2tp-ipsec-setstatus.lua", "l2tp-doipsec.sh", "l2tp-ipsec-up-down.sh", "l2tp-functions.sh", "l2tp-reload.sh", "char_conv.sh", "api_VPN.sh", "ldap_check_result.sh", "ldap_query.sh", "pre_setting_config.sh", "net_share.sh", "ramips.sh", "lldp_get_wan_device.sh", "50-xt_flood", "50-arp_garp", "get_rps.sh", "get_temperature.sh", "set_fan.sh", "nat_alg.sh", "nat_config.sh", "nat_dmz.sh", "nat_common.sh", "nat_pt.sh", "nat_dmz_bypass.sh", "nat_vs.sh", "nat_core.sh", "nat_log.sh", "nat_one.sh", "nat_napt.sh", "6rd.sh", "dhcp.sh", "directip.sh", "3g.sh", "ncm.sh", "dhcp6c.sh", "6to4.sh", "ppp.sh", "l2tp.sh", "pppv6.sh", "dslite.sh", "qmi.sh", "v6plus.sh", "lanv6.sh", "passthrough.sh", "dhcp.script", "netifd-wireless.sh", "netifd-proto.sh", "if-do-timeobj.sh", "ppp-down", "ppp-up", "pppv6-share", "dslite-up.sh", "pppv6-up", "dhcp6c.script", "utils.sh", "v6plus-dial.sh", "ppp-dhcp6c.script", "switch.sh", "network_arch.sh", "online_api.sh", "online_reload.lua", "openvpn-client-disconnect.sh", "openvpn-client-routeup.sh", "openvpn-client-connect.sh", "openvpn-client-down.sh", "openvpn-server-up.sh", "openvpn-client-up.sh", "openvpn-common.sh", "openvpn-instance.sh", "openvpn-password.lua", "openvpn-server-down.sh", "pppox-default-variables.sh", "pppox-header.sh", "kill-pptpd-xl2tpd.sh", "pppox-reload-user.lua", "pppox-functions.sh", "pppox-reload-user.sh", "pppox-begin-reload-user.sh", "pppox-remote-management.sh", "pppox-load-user.lua", "pppox-pppoetimer.sh", "pppox-remote-management-get-ippool.lua", "pppox-wheader.sh", "pppox-killtunnel.sh", "ifup_down.sh", "add-service.sh", "enable_service.sh", "pptp-get-tuunel-info.sh", "delete-service.sh", "pptp-global-setting.sh", "pptp-client-add.sh", "pptp-ifdevice-info.sh", "pptp-client-update.sh", "pptp-option.sh", "pptp-startup.sh", "pptp-tunnel-action.sh", "test.sh", "pptp-client-delete.sh", "05_set_iface_mac_mediatek", "02_default_set_state", "07_set_preinit_iface_ramips", "40_run_failsafe_hook", "04_handle_checksumming", "50_indicate_regular_preinit", "10_indicate_failsafe", "70_initramfs_test", "03_preinit_do_ramips.sh", "80_mount_root", "98_10_mtk_failsafe_init", "30_failsafe_wait", "99_10_failsafe_login", "99_10_run_init", "10_indicate_preinit", "qos_config_sync.lua", "qos_nf.sh", "qos_api.sh", "qos_cid.sh", "qos_dpdk.sh", "qos_grpmark.sh", "find_index.lua", "qos_ifgroup.sh", "qos_core.sh", "qos_ipset.sh", "qos_mark.sh", "qos_polling.sh", "qos_public.sh", "qos_state.sh", "qos_tc.sh", "state_gen.lua", "zone-450", "qos_delete_rule.lua", "remote_mngt.sh", "route_api.sh", "core_service.sh", "session_limits.sh", "ar8327_switch_led", "ar8327_switch_portMirror", "ar8327_switch_init", "ar8327_switch_portStatistic", "ar8327_register", "ar8327_switch_portVlan", "ar8327_switch_portPara", "ar9533_register", "ar8327_switch_portState", "ar9533_switch_init", "ar8327_switch_portRateControl", "ar9533_switch_portMirror", "ar9533_switch_portPara", "ar9533_switch_portRateControl", "ar8327_switch_8021Qvlan", "ar9533_switch_portState", "ar9533_switch_portStatistic", "ar9533_switch_portVlan", "cn9130_register", "cn9130_switch_globalLed", "cn9130_switch_init", "cn9130_switch_portMirror", "cn9130_switch_portPara", "cn9130_switch_portRateControl", "cn9130_switch_portState", "cn9130_switch_portStatistic", "cn9130_switch_portVlan", "mt7621_register", "mt7621_switch_globalLed", "mt7621_switch_led", "mt7621_switch_portMirror", "mt7621_switch_portPara", "mt7621_switch_portRateControl", "mt7621_switch_portState", "mt7621_switch_portStatistic", "mt7621_switch_portVlan", "mt7628_register", "mt7628_switch_init", "mt7628_switch_led", "mt7628_switch_portMirror", "mt7628_switch_portPara", "mt7628_switch_portRateControl", "mt7628_switch_portState", "mt7628_switch_portStatistic", "mt7628_switch_portVlan", "rtl8367s_register", "rtl8367s_switch_globalLed", "rtl8367s_switch_init", "rtl8367s_switch_portMirror", "rtl8367s_switch_portPara", "rtl8367s_switch_portRateControl", "rtl8367s_switch_portState", "rtl8367s_switch_portStatistic", "rtl8367s_switch_portVlan", "switch_functions", "vlan_network", "sysparams_net.sh", "timeobj_cron_api.sh", "timeobj_api.sh", "boot_done", "led.sh", "set_time", "base-files-essential", "libopenldap", "base-files", "online_check", "mwan3-tplink", "openvpn-easy-rsa", "openvpn-mgmt", "portal-mgmt", "ppp-mod-radius", "snmpd-static", "https-dns-proxy", "luci-add-conffiles.sh", "platform.sh", "ubnt.sh", "nand.sh", "common.sh", "upnp_api.sh", "find_target.lua", "url_func.sh", "detach_timeobj.lua", "csv2db.sh", "vnet_zone_api.sh", "vnet_init.sh", "vnet.sh", "vnet_core.sh", "vnet_zone_init.sh", "webfilter_func.sh", "web_func.sh", "websec_timeobj.lua", "start_rule.sh", "wireguard-up.sh", "wireguard-down.sh", "auth_port_modify.sh", "core_wportal.sh", "zone_api.sh", "zone_core.sh", "zone_api_all.sh", "zone_conf.sh", "zone_init.sh", "zone_api_core.sh", "zone_init_all.sh", "note", "devstatus", "firstboot", "fixup-mac-address", "fw", "hotplug-call", "ifdown", "ifstart", "ifrestart", "ifstatus", "loadopenvpncert", "log_oops_recovery.sh", "luci-reload", "ifup", "reload_config", "restorefactory", "smp.sh", "snapshot", "sysupgrade", "wifi", "ubi_make_extra_volume.sh", "ipset.debug", "ipxd", "iptables.debug", "ipxr", "wifidog-init", "radiusclient-ng.h", "dpi.sh", "libradiusclient-ng.la", "libstdc++.so.6.0.21-gdb.py", "dynamic_dns_dyndns.sh", "dynamic_dns_log.sh", "customddns_set_url.sh", "url_escape.sed", "dynamic_dns_customddns.sh", "dynamic_dns_noip.sh", "dynamic_dns_updater.sh", "dynamic_dns_functions.sh", "dpi_log_database.lua", "dpi_log_database.sh", "dpi_tmngtd.sh", "_updown", "ngx_init.lua", "authlistCheck.lua", "ngx_wdas.lua", "ngx_sqlApi.lua", "cell_valueheader.htm", "cell_valuefooter.htm", "dvalue.htm", "compound.htm", "dynlist.htm", "browser.htm", "apply_xhr.htm", "firewall_zoneforwards.htm", "button.htm", "firewall_zonelist.htm", "delegator.htm", "footer.htm", "full_valuefooter.htm", "full_valueheader.htm", "fvalue.htm", "header.htm", "lvalue.htm", "map.htm", "mvalue.htm", "network_ifacelist.htm", "network_netinfo.htm", "network_netlist.htm", "nsection.htm", "nullsection.htm", "simpleform.htm", "tabcontainer.htm", "tabmenu.htm", "tblsection.htm", "tsection.htm", "tvalue.htm", "ucisection.htm", "upload.htm", "value.htm", "valuefooter.htm", "valueheader.htm", "error404.htm", "error500.htm", "indexer.htm", "sysauth.htm", "debug.lua", "mbimfind.lua", "log_awk", "modem_scan.sh", "check_switchmode.lua", "protofind.lua", "handle_card_process.sh", "search_tty.lua", "handle_card.sh", "unlock_pin.sh", "getisp.sh", "usbmodem_log.sh", "modemLedCtrl.sh", "portal_mgmt_monitor.lua", "portal_mgmt_monitor.sh", "rewrite.lua", "portal_status.sh", "hardware.txt", "jshn.sh", "default.script", "dbus-K5ae4EDHao", "osui.sock", "qipc_sharedmemory_xFMOjWbQizvIQbjaGodBkPpoECFzUYyznnjEncea48051f6b8a69e2450843f1f32c0bb393e04349", "qipc_systemsem_xFMOjWbQizvIQbjaGodBkPpoECFzUYyznnjEncea48051f6b8a69e2450843f1f32c0bb393e04349", "sddm-:0-BoTuTx", "sddm-auth-52b94a64-454a-4d7f-903e-32df6aac784a", "tmp.QMAjonKZB0", "xF43MOjWbQiz+vIQbjaGodBk4PpoECFzUYyznnj8Enc=", "about.svg", "about_hover.svg", "ie.css", "style.css", "widget.css", "access_control.html", "account_config.html", "account_mngt.html", "action_check.html", "alg.html", "appdist.html", "appdist_database.html", "appflow_statistics.html", "application_filter.html", "application_list.html", "arp_list.html", "arp_scan.html", "assign_restriction.html", "attack-defense.html", "balance_basic.html", "bridge.html", "bwlist_qq.html", "cmxddns.html", "controller_setting.html", "country_group.html", "custom_ddns.html", "ddm.html", "dhcp_client.html", "dhcp_lan_settings.html", "dhcp_lan_settings_standalone.html", "dhcp_server.html", "dhcp_static.html", "diagnostic.html", "dia_info.html", "dns_cache.html", "dns_doh.html", "dns_dot.html", "dnsproxy.html", "dnssec.html", "dyn3322ddns.html", "dynddns.html", "firmware_backuprestore.html", "firmware_factory.html", "firmware_managing.html", "firmware_reboot.html", "firmware_reseting.html", "firmware_upgrade.html", "gre_overipsec.html", "ifstat.html", "imb.html", "interface.html", "interface_mac.html", "interface_mode.html", "interface_wan.html", "interface_wan_standalone.html", "ipgroup_address.html", "ipgroup_group.html", "ipgroup_view.html", "ippool.html", "ips_blacklists.html", "ipsec_sa.html", "ipsec_tunnel.html", "ips_setting.html", "ips_signature_suppression.html", "ips_stats.html", "ip_stats.html", "ips_threat_management.html", "ips_whitelists.html", "iptv.html", "ipv6.html", "ipv6group_address.html", "ipv6group_group.html", "ipv6_lan.html", "isp_routing.html", "l2tp_client.html", "l2tp_global.html", "l2tp_server.html", "l2tp_tunnel.html", "ldap_profiles.html", "line_backup.html", "macFiltering.html", "mdns.html", "napt.html", "nat_dmz.html", "noipddns.html", "one_nat.html", "online.html", "openvpn_client.html", "openvpn_server.html", "openvpn_tunnel.html", "ospf.html", "phddns.html", "policy_routing.html", "port_trigger.html", "pptp_client.html", "pptp_global.html", "pptp_server.html", "pptp_tunnel.html", "preview_mobile_wifi.html", "preview_remind.html", "preview_wportal.html", "print_server.html", "qos.html", "qos_Band_ctrl.html", "qos_Class_role.html", "qos_Traffic.html", "qos_VoIP.html", "quick_setup.html", "reboot_schedule.html", "remote_mngt.html", "rip_routing.html", "rules.html", "service.html", "session_limits.html", "session_monitor.html", "sessmngr.html", "snmp.html", "ssl_vpn_auth.html", "ssl_vpn_auth_radius.html", "ssl_vpn_locked_user.html", "ssl_vpn_quicksetup.html", "ssl_vpn_server.html", "ssl_vpn_status.html", "ssl_vpn_tunnel.html", "ssl_vpn_tunnel_group.html", "ssl_vpn_user.html", "ssl_vpn_user_group.html", "static_routing.html", "switch_Parameter.html", "switch_portLimit.html", "switch_portMonitor.html", "switch_portStatistics.html", "switch_portStatus.html", "switch_portVlan.html", "sys_status.html", "system_log.html", "system_mode.html", "system_params.html", "system_routetbl.html", "system_state.html", "time_mngt.html", "time_setting.html", "upnp.html", "url_filtering.html", "usb_backup.html", "usb_firmware_upgrade.html", "usbModem.html", "usb_storage.html", "usermngr_backup.html", "usermngr_user.html", "virtual_server.html", "vlan_portSetting.html", "vlan_relationTbl.html", "vlan_vlanSetting.html", "vpn_general.html", "vpn_peers.html", "vpn_user.html", "vpn_wireguard.html", "web_filter.html", "web_group.html", "web_security.html", "wechat.html", "wechat_wifi.html", "wizard.html", "wportal.html", "wportal_free.html", "advanced.html", "basic.html", "encrypt.js", "excanvas.js", "html5.js", "jquery.flot.barnumbers.js", "jquery.flot.crosshair.js", "jquery.flot.fillbetween.js", "jquery.flot.js", "jquery.flot.pie.min.js", "jquery.json-2.4.min.js", "jquery.min.js", "jquery.scrollTo.min.js", "md5.js", "button.js", "buttongroup.js", "checkbox.js", "combobox.js", "fieldset.js", "file.js", "folderTree.js", "form.js", "number.js", "password.js", "portrange.js", "progressbar.js", "radio.js", "region.js", "slider.js", "status.js", "subnet.js", "switch.js", "textarea.js", "textbox.js", "time.js", "timepicker.js", "tip.js", "waitingbar.js", "editor.js", "grid.js", "paging.js", "chart.js", "foldertree.js", "keyword.js", "msg.js", "page.js", "panel.js", "wizard.js", "widget.js", "proxy.js", "store.js", "treestore.js", "controller.js", "su.full.min.js", "su.js", "account.2ca6a054.js", "chunk-vendors.0cdf10f0.js", "index.a415cbb4.js", "login.4f52b876.js", "chunk-common.72de4705.css", "account.html", "app.manifest", "cs_dis.html", "error.html", "index.html", "login.html", "mobile_wifi.html", "pcauth.js", "pc_wifi.html", "style-pcdemo.css", "style-simple-follow.css", "web_login.html", "cbi.js", "xhr.js" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1520", "name": "Domain Generation Algorithms", "display_name": "T1520 - Domain Generation Algorithms" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 38, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Merkd1904", "id": "196517", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 11, "hostname": 491, "FileHash-SHA256": 3479, "FileHash-MD5": 67, "domain": 312, "FileHash-SHA1": 61, "email": 20, "URL": 373 }, "indicator_count": 4814, "is_author": false, "is_subscribing": null, "subscriber_count": 72, "modified_text": "757 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65708ea5a3214f63e1d6d94f", "name": "lumen.me Honeybadger", "description": "", "modified": "2023-12-06T15:09:25.749000", "created": "2023-12-06T15:09:25.749000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 475, "hostname": 315, "domain": 233, "URL": 1133 }, "indicator_count": 2156, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "907 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65708beba2ba8bcfb1d10237", "name": "hostkey - Industroyer&ReduceRight", "description": "", "modified": "2023-12-06T14:57:47.430000", "created": "2023-12-06T14:57:47.430000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 304, "hostname": 563, "domain": 407, "URL": 1776, "FileHash-SHA1": 2 }, "indicator_count": 3052, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "907 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65708bbc4c8bf557c17688e1", "name": "\u9ad8\u5c71tv,\u9ad8\u5c71tv,\u9ad8\u5c71tv\u5f71\u9662,\u9ad8\u5c71tv\u770b\u7247\u7f51", "description": "", "modified": "2023-12-06T14:57:00.280000", "created": "2023-12-06T14:57:00.280000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-SHA256": 233, "domain": 361, "hostname": 563, "URL": 1374, "FileHash-SHA1": 1, "FileHash-MD5": 1 }, "indicator_count": 2534, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "907 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "651414d48fceb46344a66a3b", "name": "Earth Estries Targets Government, Tech for Cyberespionage", "description": "", "modified": "2023-10-04T12:03:03.227000", "created": "2023-09-27T11:41:08.679000", "tags": [ "apt & targeted attacks", "malware", "exploits & vulnerabilities", "cyber threats", "endpoints", "network", "articles", "news", "reports", "learn", "earth estries", "cobalt strike", "zingdoor", "trend micro", "cloud security", "earth", "ttps", "c server", "de wang", "alliance", "first", "tech", "hybrid", "stop", "leverage", "protect", "small", "attack", "august", "april", "june", "class", "plugx", "meterpreter", "heat", "find", "indonesia" ], "references": [ "https://www.trendmicro.com/en_us/research/23/h/earth-estries-targets-government-tech-for-cyberespionage.html" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Legion@2023", "id": "234229", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 1, "domain": 22, "hostname": 6 }, "indicator_count": 29, "is_author": false, "is_subscribing": null, "subscriber_count": 37, "modified_text": "970 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "63f38f4fec4dfbc279a059d3", "name": "GootKit emerging threat activity", "description": ".zip downloaded from a compromised WordPress site that contained a .js file.\n\nDetected by end point protection", "modified": "2023-03-22T00:05:18.598000", "created": "2023-02-20T15:18:39.789000", "tags": [ "param", "array", "function", "returns", "example", "object", "index", "null", "length", "checks", "guard", "infinity", "stack", "false", "error", "date", "click", "hello", "pass", "bind", "fusion", "david", "later", "body", "target", "radix", "drop", "flip", "legacy", "lazy", "ruby", "restrict", "leverage", "mimic", "abcd", "stream", "restart", "scroll", "april", "prop", "find", "contact", "slice", "union", "trim", "push" ], "references": [ "service level agreement for insurance company 31941.js" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "GootKit", "display_name": "GootKit", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "nuckles", "id": "14505", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_14505/resized/80/avatar_7fdc1a630c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 1, "URL": 23, "domain": 37, "hostname": 5 }, "indicator_count": 66, "is_author": false, "is_subscribing": null, "subscriber_count": 98, "modified_text": "1166 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "628af7e3df399fbe9095245f", "name": "lumen.me Honeybadger", "description": "window.ju_sha256, a new type of code, is written by the same characters:var l,b,c,g,p,a,h,d, c.", "modified": "2022-06-21T00:01:09.886000", "created": "2022-05-23T02:56:35.154000", "tags": [ "reduceright", "lj", "number", "query", "string", "trackevent", "date", "u003e div", "simulator", "error", "regexp", "pageview", "path", "void", "code", "l420", "g5vs2ll0p80", "copyright", "json", "uint8array", "ssnull", "script", "closure library", "xdfunction", "adfunction", "typeof t", "typeof symbol", "typeof", "window", "value", "function", "customevent", "image", "null", "sbfu", "typeof n", "object", "array", "control", "other", "android", "x3e div", "gtmnwh4dh2", "host", "page title", "page path", "typeerror", "promise", "typeof e", "typeof window", "aggregateerror", "math", "target", "rangeerror", "buffer", "index", "attempt", "argument", "google", "link", "ad tech", "providers", "ffffff", "ip address", "combine", "accept", "save", "explorer", "cookie", "back", "iframe", "blank", "position", "juorderid", "justuno", "body", "juorigtop", "event", "follow", "post", "config", "click", "local", "fast", "comp", "form", "unknown", "push", "trcimpl", "trcwarn" ], "references": [ "https://cdn.taboola.com/scripts/cds-pips.js", "https://www.iubenda.com/cookie-solution/confs/js/53119375.js", "https://cdn.jst.ai/mwgt_4.1.js?v=5.28", "https://cdn.iubenda.com/cookie_solution/iubenda_cs/1.38.0/core-en.js", "https://s.pinimg.com/ct/lib/main.32155010.js", "https://analytics.tiktok.com/i18n/pixel/config.js?sdkid=C3I4VUA8DUF9JOO44QC0&hostname=lumen.me", "https://js.pvd.to/c/v1/pixel-1sdz.js?t=1653350400000", "https://cdn.jst.ai/vck.js", "https://www.googletagmanager.com/gtm.js?id=GTM-NWH4DH2", "https://analytics.tiktok.com/i18n/pixel/events.js?sdkid=C3I4VUA8DUF9JOO44QC0&lib=ttq", "https://cdn.taboola.com/libtrc/unip/1262365/tfa.js", "https://s.pinimg.com/ct/core.js", "https://www.googleoptimize.com/optimize.js?id=OPT-TQC6JW4", "https://www.googletagmanager.com/gtag/js?id=G-5VS2LL0P80&l=dataLayer&cx=c", "https://www.googletagmanager.com/gtm.js?id=GTM-PF3JNK2>m_auth=a6AgvzJ0SAOcyjADNwrdlQ>m_preview=env-1>m_cookies_win=x" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Lj", "display_name": "Lj", "target": null }, { "id": "ReduceRight", "display_name": "ReduceRight", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "adjadex1@gmail.com", "id": "187163", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1134, "hostname": 315, "domain": 233, "FileHash-SHA256": 475 }, "indicator_count": 2157, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "1440 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6256f92778c2f2177bdd4de9", "name": "\u9ad8\u5c71tv,\u9ad8\u5c71tv,\u9ad8\u5c71tv\u5f71\u9662,\u9ad8\u5c71tv\u770b\u7247\u7f51", "description": "Here is a full list of highlights from the Chinese TV series, which began in 2011 and has now been broadcast on Chinese television, online and mobile devices, and is now available to watch online.", "modified": "2022-05-13T00:03:35.765000", "created": "2022-04-13T16:24:07.391000", "tags": [ "date", "cnzzdata", "czuuid", "umdistinctid", "typeof symbol", "https", "zeno rocha", "typeof", "typeof define", "error", "array", "12863", "qrcode", "2g2g2h2h0g", "dhdh", "exptable", "logtable", "string", "typeof j", "regexp", "typeof e", "typeof t", "class", "attr", "pseudo", "child", "function", "typeof module", "ahgr", "0x40", "h0x1", "mm32", "indexof", "length", "h0x0", "0x248", "h0x2", "0x17b", "webpackrequire", "webpackexports", "object", "default", "hn return", "importsnvar", "truennnn", "iostf", "android", "nvar", "clickdownload", "this", "path", "service", "roboto", "boolean", "number", "createnamespace", "n default", "nn return", "null", "click", "void", "istanbul", "false", "close", "window", "info", "target", "find", "footer", "delta", "generator", "cascade", "code", "trigger", "next", "arrow", "slice", "checkbox", "body", "green", "phase", "copy", "infinity", "middle", "open", "calendar", "flex", "fail", "shift", "super", "internal", "form", "locale", "spinner", "spin", "multi", "mask", "write", "flip", "logic", "patch", "abcd", "skew", "main", "rest", "trim", "dark", "canvas", "facebook", "executor", "span", "tips", "sticky", "uploader", "bind", "config", "startpage", "speed", "toolbar", "refresh", "done", "format", "cardinal", "outside", "install", "public", "github", "vuejs", "jump", "browser", "sign", "view", "sponsor", "github sponsors", "mit license", "contact", "star", "stars", "javascript", "please", "strong", "\u9ad8\u5c71tv", "\u9ad8\u5c71tv\u5f71\u9662", "\u9ad8\u5c71tv\u770b\u7247\u7f51", "hd 20210830", "hd mu", "hd heydouga", "poro", "tv tv", "hd ok", "hd fol", "hd nanami2", "hd \uff13", "hd 20210927" ], "references": [ "http://www.bbbbop13.com:1313/", "xfe-URL-hyqxsnjj.com-stix2-2.1-export.json", "https://web.op39v.xyz/?channelCode=pingguo", "https://github.com/vuejs/vue-devtools", "https://web.op39v.xyz/js/chunk-vendors.js", "https://web.op39v.xyz/js/chunk-common.js", "https://res-1257422681.file.myqcloud.com/assets/yeyue/boinstall.js", "https://cdn.staticfile.org/jquery/3.6.0/jquery.min.js", "https://cdn.staticfile.org/qrcodejs/1.0.0/qrcode.min.js", "https://cdn.staticfile.org/clipboard.js/2.0.8/clipboard.min.js", "https://s9.cnzz.com/z_stat.php?id=1280740152&web_id=1280740152", "https://c.cnzz.com/core.php?web_id=1280740152&t=z" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "adjadex1@gmail.com", "id": "187163", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1374, "hostname": 563, "CVE": 1, "domain": 361, "FileHash-SHA256": 233, "FileHash-SHA1": 1, "FileHash-MD5": 1 }, "indicator_count": 2534, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "1479 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "625eecb6fbc4353a109fe71c", "name": "hostkey - Industroyer&ReduceRight", "description": "Fbevents-PostalCodeType:f.exports, f.1, is a new addition to the list of \"signals\" that can be added to phone numbers.", "modified": "2022-04-19T17:09:10.196000", "created": "2022-04-19T17:09:10.196000", "tags": [ "livechat", "sign up", "free", "grow", "policy", "sign", "strong", "sorry", "identify", "increase", "lzutf8", "typeerror", "uint8array", "array", "error", "typeof r", "class", "invalid", "post", "uint32array", "date", "null", "papvisitorid", "string", "regexp", "value", "property", "valuenumber", "activexobject", "postaffparams", "object", "number", "boolean", "typeof e", "math", "first", "raid", "window", "service", "ukraine", "epsilon", "arrow", "target", "keepalive", "void", "shell", "econnaborted", "hkwfunction", "typeof symbol", "function", "promise", "request", "network error", "livechatwidget", "ticket form", "prechat survey", "postchat survey", "typeof n", "chat", "blank", "win32", "iframe", "reduceright", "copyright", "closure library", "xdfunction", "adfunction", "cdfunction", "ddfunction", "bded", "x3e div", "trackevent", "landingpagegpu", "x3e table", "gpudraw", "path", "code", "functional", "member", "hnew regexp", "qfunction", "adview", "addbillinginfo", "addtocart", "addtolist", "contact", "download", "install", "symbol", "iterator", "extractor", "pixel", "facebook", "meta", "65535", "counter", "segoe ui", "lucida", "ecommerce", "ext link", "comic", "form", "impact", "light" ], "references": [ "https://mc.yandex.ru/metrika/watch.js", "https://connect.facebook.net/signals/config/785878845108827", "https://snap.licdn.com/li.lms-analytics/insight.min.js", "https://www.googletagmanager.com/gtm.js?id=GTM-M9D76H", "https://www.googletagmanager.com/gtag/js?id=UA-73589630-1", "https://cdn.livechatinc.com/tracking.js", "https://rec.smartlook.com/main-20220331074633.js", "https://hostkey.com/hk/widgets/ext/build/stock.bundle.js", "https://hostkey.com/hk/widgets/ext/src/hostkey.js", "https://hostkey.postaffiliatepro.com/scripts/Oy173jux8", "https://hostkey.postaffiliatepro.com/scripts/Oy173rux8?accountld=default1&url=S_hostkey.com%2F&referrer=&isInlframe=false&getParams=&anchor=", "https://widget.trustpilot.com/trustboxes/5613c9cde69ddc09340c6beb/index.html?templateld=5613c9cde69ddc09340c6beb&businessunitld=55e46b640000ff000582c91e#locale=en-GB&styleHeight=100%25&styleWidth=100%25&theme=light", "https://secure.livechatinc.com/" ], "public": 1, "adversary": "", "targeted_countries": [ "Tunisia" ], "malware_families": [ { "id": "ReduceRight", "display_name": "ReduceRight", "target": null }, { "id": "Industroyer - S0604", "display_name": "Industroyer - S0604", "target": null } ], "attack_ids": [ { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "adjadex1@gmail.com", "id": "187163", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1778, "hostname": 563, "FileHash-SHA256": 304, "domain": 407, "FileHash-SHA1": 2 }, "indicator_count": 3054, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "1503 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://unit42.paloaltonetworks.com/cobalt-strike-metadata-encoding-decoding/", "1e89:f000", "2077:f000", "S47dos_defense", "ffff_0002", "cell_valuefooter.htm", "https://www.guidepointsecurity.com/blog/from-zloader-to-darkside-a-ransomware-story/", "S96load_balance", "getregistestate.gcom", "rtl8367s_switch_globalLed", "devstatus", "ipsec.secrets", "653b494a.0", "service level agreement for insurance company 31941.js", "https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/", "mt7628_switch_portState", "90-xt_tplimit", "password.js", "modem_scan.sh", "S25sysctl", "inittab", "ipt-account", "xl2tpd", "l2tp-ipsec-delete.lua", "05c6:1000:uMa=DGT", "fstab", "57bcb2da.0", "ANF_Secure_Server_Root_CA.crt", "65_nginx_sync.sh", "ipsec_monitor_tunnel.sh", "ipsec_check_domain.sh", "socket-default.conf", "wifidog-init", "ipset.debug", "ar9533_switch_portRateControl", "ipt-ipopt", "mt7628_register", "gmp.conf", "wireguard-down.sh", "99-mdns.sh", "openvpn-easy-rsa", "sfe", "SecureTrust_CA.crt", "97-upnp.sh", "https://rec.smartlook.com/main-20220331074633.js", "core_global.sh", "05c6:1000:uMa=SSE", "cli_time_range_cmd.tree", "protocols", "0bdb:190d", "QuoVadis_Root_CA_1_G3.crt", "state_gen.lua", "https://www.varonis.com/blog/hive-ransomware-analysis", "https://thedfirreport.com/2021/05/12/conti-ransomware/", "02-vnet.sh", "ssl_vpn_quicksetup.html", "alg.html", "sys_monitor.conf", "S96policy_route", "12d1:155a", "https://blog.talosintelligence.com/building-bypass-with-msbuild/", "rt_tables", "19d2:0318", "filter", "988a38cb.0", "0af0:7251", "EC-ACC.crt", "Amazon_Root_CA_4.crt", "00-configlink.sh", "4042bcee.0", "COMODO_RSA_Certification_Authority.crt", "cbf06781.0", "SwissSign_Silver_CA_-_G2.crt", "12d1:1446", "05c6:1000:uMa=Co.,Ltd", "Security_Communication_RootCA2.crt", "mwan3", "cn9130_register", "12d1:1582", "S50snmpd", "webfilter", "244b5494.0", "https://thehackernews.com/2022/05/this-new-fileless-malware-hides.html", "openssl.cnf", "https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-14cc543af811", "appdist_database.html", "zombie_monitor", "1c9e:6061:uPr=Storage", "arp_scan.html", "sysauth.htm", "add_delete.sh", "ifdown", "ospf.html", "19d2:1225", "1001acf7.0", "GTS_Root_R3.crt", "04cc:2251", "editor.js", "pptp-option.sh", "qos.html", "40-qos", "footer.htm", "40-scsi-core", "DigiCert_Assured_ID_Root_G3.crt", "if-do-timeobj.sh", "12d1:14c5", "lib-crc-ccitt", "2020:0002", "0af0:7701", "dnskey.conf", "qipc_systemsem_xFMOjWbQizvIQbjaGodBkPpoECFzUYyznnjEncea48051f6b8a69e2450843f1f32c0bb393e04349", "https://documents.trendmicro.com/assets/white_papers/wp-earth-baku-an-apt-group-targeting-indo-pacific-countries.pdf", "12d1:1553", "default.script", "d887a5bb.0", "mt7621_switch_portRateControl", "https://www.fortinet.com/blog/threat-research/nobelium-returns-to-the-political-world-stage", "pppox-remote-management.sh", "https://www.welivesecurity.com/2022/04/13/eset-takes-part-global-operation-disrupt-zloader-botnets/", "pptpd.conf", "GTS_Root_R2.crt", "ffff_0001", "openvpn", "0af0:d255", "ifstatus", "19d2:1219", "hotplug-call", "19d2:1013", "firmware_reboot.html", "error404.htm", "buttongroup.js", "usermngr_user.html", "https://unit42.paloaltonetworks.com/bazarloader-network-reconnaissance/", "05c6:1000:uMa=SAMSUNG", "v6plus-dial.sh", "zzddns", "https://thedfirreport.com/2022/04/25/quantum-ransomware/", "nat_pt.sh", "8cb5ee0f.0", "flood_defense", "ngx_init.lua", "wifidog-msg.html", "snmp.html", "openvpn-client-disconnect.sh", "rip.lua", "1c9e:9e08", "pppox-header.sh", "noipddns.html", "12d1:1523", "ssl_vpn_tunnel.html", "https://documents.trendmicro.com/assets/txt/earth-berberoka-windows-iocs-2.txt", "S31tmngtd", "switch_portVlan.html", "12d1_0005", "backup.sh", "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf", "emSign_ECC_Root_CA_-_C3.crt", "05c6:1000:uMa=CELOT", "sysparams_net.sh", "port-id-map", "mt7628_switch_portPara", "cn9130_switch_globalLed", "macFiltering.html", "usb-net-cdc-mbim", "DigiCert_Trusted_Root_G4.crt", "Secure_Global_CA.crt", "main.sh", "https://unit42.paloaltonetworks.com/bumblebee-malware-projector-libra/", "S99zzddns", "https://cocomelonc.github.io/tutorial/2022/04/20/malware-pers-1.html", "qos_ifgroup.sh", "12d1:380b", "19d2:1238", "dhcp6s.conf", "91-authlimit", "b66938e9.0", "19d2:1588", "ipxd", "1ee8:0040", "2001:a805", "Cybertrust_Global_Root.crt", "1c9e:9200", "vnet_zone_api.sh", "nat_vs.sh", "chat-get-qualcomm_2", "40-fs-nfsd", "30-atm", "core_wportal.sh", "pppox-begin-reload-user.sh", "auth_port_modify.sh", "url_escape.sed", "country_group.html", "1c9e:9e00", "70-pptp-ifdown.sh", "https://ics-cert.kaspersky.com/publications/reports/2022/06/27/attacks-on-industrial-control-systems-using-shadowpad/", "dns_cache.html", "nat.lua", "48bec511.0", "pptp-client-update.sh", "https://cloud.google.com/blog/topics/threat-intelligence/kegtap-and-singlemalt-with-a-ransomware-chaser/", "70-backup", "19d2:1201", "31-iptunnel6", "wireguard-up.sh", "Microsec_e-Szigno_Root_CA_2009.crt", "balance_basic.html", "K99umount", "cli_clock_cmd.tree", "nat_dmz_bypass.sh", "http://www.bbbbop13.com:1313/", "ssh.lua", "40-imb.sh", "nginx", "19d2:0388", "https://security.macnica.co.jp/blog/2022/05/iso.html", "button.htm", "930ac5d2.0", "get_option.lua", "https://www.trendmicro.com/en_us/research/22/g/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike.html", "pppox-reload-user.lua", "usbModem.html", "95-online.sh", "40-fs-msdos", "mt7628_switch_portMirror", "Microsoft_ECC_Root_Certificate_Authority_2017.crt", "19d2:0110", "freeStrategy_backup.sh", "style-simple-follow.css", "ipt-extra", "pptp-server", "6to4.sh", "https://www.arashparsa.com/catching-a-malware-with-no-name/", "S96default_balance", "ldap_check_result.sh", "12d1:1da1", "03f0:002a", "https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a/", "40-bonding", "controller_setting.html", "3fb36b73.0", "radius.conf", "timepicker.js", "qos_dpdk.sh", "https://forensicitguy.github.io/inspecting-powershell-cobalt-strike-beacon/", "portal_mgmt_monitor.lua", "1004:61eb", "base-files", "Starfield_Root_Certificate_Authority_-_G2.crt", "acl_timeobj_v6.lua", "6d41d539.0", "imb", "5443e9e3.0", "19d2:1420", "https://cdn.staticfile.org/clipboard.js/2.0.8/clipboard.min.js", "https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/", "Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.crt", "QuoVadis_Root_CA_3.crt", "05c6:1000:uMa=Option", "connmark.conf", "cn9130_switch_portPara", "nat_one.sh", "snmpd-static", "TrustCor_RootCert_CA-2.crt", "fe8a2cd8.0", "dictionary.sip", "uhttpd", "ar8327_switch_init", "6fa5da56.0", "des.conf", "30-fs-cifs", "11-led", "f30dd6ad.0", "ifup_down.sh", "1307:1169", "show_interface.lua", "S60pptpd", "verify_pub.key", "98-ipt_urlset_match", "https://cyber.wtf/2022/03/23/what-the-packer/", "01_leds", "v6plus.sh", "dnsproxySecurity", "ubi_make_extra_volume.sh", "2020:f00e", "97-line_backup.sh", "radio.js", "keyword.js", "230d:0101", "10-l2tp-pptp.sh", "S20network", "8d89cda1.0", "qos_Traffic.html", "dhcp6c", "0685:2000", "3bde41ac.0", "40-pppoa", "2357:0200", "dynamic_route", "12d1:1f18", "assign_restriction.html", "advanced.html", "pptp-client", "12d1:15cf", "K10improxy", "12d1:1d50", "dc4d6a89.0", "gre_init", "1c9e:f000", "static_route", "1a8d:1000", "chat-gsm-test", "iptables.debug", "97-qos.sh", "OISTE_WISeKey_Global_Root_GB_CA.crt", "qos_config_sync.lua", "accountmgnt", "ppp", "portrange.js", "vnet_init.sh", "ipsec_sa.html", "S50cron", "nat_common.sh", "Comodo_AAA_Services_root.crt", "1004:61dd", "CFCA_EV_ROOT.crt", "switch", "1614:0800", "clock.lua", "rtl8367s_switch_portStatistic", "0af0:d257", "0421:0637", "d4dae3dd.0", "12d1:1001", "sysctl", "30-fs-xfs", "aee5f10d.0", "delete-service.sh", "S15loggerd", "ssl_vpn_server.html", "98-ipt_websec_match", "19d2:1207", "30-fs-hfsplus", "S97gre_init", "fips-prf.conf", "30-fs-autofs4", "rc.local", "0af0:7601", "ipt-nathelper", "dnsmasq.conf", "a94d09e5.0", "12d1:1f07", "https://cloud.google.com/blog/topics/threat-intelligence/tracking-apt29-phishing-campaigns/", "dnssec.html", "https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/", "https://www.gendigital.com/blog/insights/research/decoding-cobalt-strike-understanding-payloads", "wizard.js", "upnp", "sha1.conf", "system_routetbl.html", "https://raw.githubusercontent.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/refs/heads/main/APT29_C2-Client_Dropbox_Loader/APT29-DropboxLoader_analysis.md", "wireguard", "preview_remind.html", "https://isc.sans.edu/diary/27308", "wizard.html", "evdo.chat", "openvpn_server.html", "f0c70a8d.0", "19d2:0026", "0421:0627", "0df7:0800", "89-portal", "action_check.html", "S22rsa_check", "https://securelist.com/apt-luminousmoth/103332/", "pkcs12.conf", "queueventd", "04cc:225c", "01-zone", "https://tccontre.blogspot.com/2019/11/cobaltstrike-beacondll-your-not.html", "nat_log.sh", "aes.conf", "19d2:1017", "0af0:6751", "dhcp.sh", "0af0:7311", "91-xt_authlimit", "arp_scan_range", "dns_doh.html", "09_fix-seama-header", "nand.sh", "92-dynamic_route", "named.cache", "0fce:d103", "1de1:1101", "https://thedfirreport.com/2020/10/08/ryuks-return/", "qos_delete_rule.lua", "19d2:0040", "S50uhttpd", "230d:0103", "issue", "Hongkong_Post_Root_CA_3.crt", "remote_mngt", "zteinfo.gcom", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-148a", "ar8327_switch_portPara", "5ad8a5d6.0", "nwadditional", "https://cloud.google.com/blog/topics/threat-intelligence/unc2165-shifts-to-evade-sanctions", "072f:100d", "vlan_vlanSetting.html", "pptp-global", "2001:a80b", "rc.common", "https://www.security.com/threat-intelligence/yanluowang-ransomware-attacks-continue", "service.html", "full_valuefooter.htm", "delete_restart.sh", "dhcps.sh", "30-fs-hfs", "led_set", "12d1:15cd", "rtl8367s_switch_portMirror", "dpi.sh", "zzomada_server", "2001:a707", "controller.lock", "online_reload.lua", "GLOBALTRUST_2020.crt", "7aaf71c0.0", "1-vnet_lanhook.sh", "cc450945.0", "0af0:8304", "SecureSign_RootCA11.crt", "gre_common.sh", "00-ecsIfChange", "10-sysctl", "0af0:7501", "S20geoip", "pptp", "99-wan_hook.sh", "ospf", "25-nls-cp852", "qos_core.sh", "98-ipt_webfilter_match", "99-ipt_urlset_target", "1410:5010", "boot_done", "S99avahi-daemon", "pptp-client-add.sh", "progressbar.js", "frr.conf", "e36a6752.0", "firmware_upgrade.html", "setapn.gcom", "9b5697b0.0", "lldp_get_wan_device.sh", "99-vnet.sh", "ipsec_tunnel.html", "https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-part-2-a28bffffa671", "ar8327_switch_portMirror", "imb.html", "https://kienmanowar.wordpress.com/2022/06/04/quicknote-cobaltstrike-smb-beacon-analysis-2/", "Hellenic_Academic_and_Research_Institutions_RootCA_2011.crt", "19d2:1528", "jquery.flot.crosshair.js", "dpi_log_database.lua", "debug.lua", "line_backup.html", "0af0:8201", "GTS_Root_R1.crt", "https://isc.sans.edu/diary/rss/28752", "05c6:1000:uMa=AnyDATA", "vnet_core.sh", "0b1b94ef.0", "2923b3f9.0", "system_params.html", "25-nls-iso8859-1", "1-vnet_lanv6hook.sh", "12d1:14c3", "netifd-wireless.sh", "2ae6433e.0", "folderTree.js", "mdns.html", "8888:6500", "usbmodem", "ipt-conntrack", "network_arch.sh", "0af0:6791", "network_ifacelist.htm", "SwissSign_Gold_CA_-_G2.crt", "AffirmTrust_Commercial.crt", "ppp-mod-radius", "qos_cid.sh", "AffirmTrust_Premium.crt", "map.htm", "ee64a828.0", "qipc_sharedmemory_xFMOjWbQizvIQbjaGodBkPpoECFzUYyznnjEncea48051f6b8a69e2450843f1f32c0bb393e04349", "administration", "1e0e:f000", "19d2:0149", "19d2:1542", "50-l2tp-up-down.sh", "https://cloud.google.com/blog/topics/threat-intelligence/unc2452-merged-into-apt29/", "21f5:1000", "ssl_vpn_auth_radius.html", "default_balance", "ipsec", "GlobalSign_Root_CA_-_R2.crt", "options.default", "dns_dot.html", "25-nls-koi8r", "https://cloud.google.com/blog/topics/threat-intelligence/shining-a-light-on-darkside-ransomware-operations/", "70_initramfs_test", "19d2_0003", "sddm-:0-BoTuTx", "group", "chat-get", "K71hwnat", "mt7628_switch_init", "profile", "1bbb:011f", "wechat_wifi.html", "cd58d51e.0", "https://c.cnzz.com/core.php?web_id=1280740152&t=z", "lldpd", "25-nls-cp866", "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/", "257a:d000", "S42ipv6group", "10-mount", "fieldset.js", "10a9:6080", "a3418fda.0", "rc2.conf", "openvpn-password.lua", "upnp.html", "97-mwan3.sh", "65-wifidog.sh", "wireguard_interface", "0f5dc4f3.0", "1e09d511.0", "pppoe", "quick_setup.html", "web_filter.html", "pubkey.conf", "https://www.netresec.com/?page=Blog&month=2021-04&post=Analysing-a-malware-PCAP-with-IcedID-and-Cobalt-Strike-traff", "60-dnsmasq.sh", "19d2:fff5", "dictionary.compat", "S47access_ctl", "snapshot", "dslite-up.sh", "load_balance", "89-remote_mngt.sh", "shadow", "99-ipt_TRIGGER", "b81b93f0.0", "148e:a000", "d6325660.0", "paging.js", "su.js", "dpi", "http.lua", "ippool.html", "30-fs-ext4", "logger", "usb-net-rndis", "geoip", "12d1:1c24", "S60url_filter", "directip-stop.gcom", "90-vpn", "cloud_service.cfg", "2020:f00f", "passwd", "system_params", "19d2:0083:uPr=WCDMA", "style-pcdemo.css", "706f604c.0", "ppp-dhcp6c.script", "nullsection.htm", "ifstat.html", "pki.conf", "12d1:101e", "25-nls-iso8859-8", "switch_Parameter.html", "slider.js", "18-ipv6group", "switch_portLimit.html", "S00zombie_monitor", "S65wifidog", "note", "mwan3-tplink", "dynamic_dns_functions.sh", "drop_caches", "S19vnet", "ldap.conf", "15-online.sh", "S99zzomada_server", "0af0:9200", "S99smp", "05-liblogger", "resolve.conf", "S99zzzzzsys_info", "22-dos_defense", "e73d606e.0", "https://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/", "40-remote_mngt", "rip_routing.html", "25-nls-utf8", "authlistCheck.lua", "32-ip6-tunnel", "tip.js", "chat-modem-test", "constraints.conf", "https://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/new-apt-group-chamelgang/", "cli_ipsec_cmd.tree", "05c6:1000:sVe=GT", "DigiCert_Global_Root_CA.crt", "S99phddns", "S98ipsec_failover", "iptv.html", "getVid.sh", "https://www.cynet.com/blog/orion-threat-alert-flight-of-the-bumblebee/", "22-access_ctl", "show_interface_status.lua", "wechat.html", "e113c810.0", "12d1_0002", "system_log.html", "0fce:d0df", "ce5e74ef.0", "dynamic_dns_dyndns.sh", "https://www.crowdstrike.com/en-us/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/", "ipv6.html", "firewall_zoneforwards.htm", "12d1:1f17", "Trustwave_Global_ECC_P256_Certification_Authority.crt", "nonce.conf", "vpn_general.html", "c01eb047.0", "enablemodem", "https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/", "0af0:6951", "qos_tc.sh", "https://cloud.google.com/blog/topics/threat-intelligence/spear-phish-ukrainian-entities/", "mppe", "l2tp_tunnel.html", "99-xt_l2tp", "1-lanhook.sh", "https://blog.talosintelligence.com/indigodrop-maldocs-cobalt-strike/", "client.crt", "30-gpio-button-hotplug", "https://asec.ahnlab.com/en/31811/", "crt.sed", "https://www.trendmicro.com/en_us/research/23/h/earth-estries-targets-government-tech-for-cyberespionage.html", "pppox-functions.sh", "S46netbios_passthrough", "https://thedfirreport.com/2022/03/07/2021-year-in-review/", "4304c5e5.0", "GlobalSign_Root_E46.crt", "19d2:0166", "0af0:8300", "S45firewall", "https://www.threatdown.com/blog/a-multi-stage-powershell-based-attack-targets-kazakhstan/", "S95l2tp", "0af0:d033", "sysupgrade", "qos_VoIP.html", "97-load_balance.sh", "pptp-server-global", "sharecfg", "30-ipsec", "1636090b.0", "ifdown-l2tp.sh", "90-xt_CTSTATEMARK", "AffirmTrust_Premium_ECC.crt", "90-xt_doslogonly", "05-lanv6", "start_rule.sh", "f51bb24c.0", "https://contagiodump.blogspot.com/2017/02/russian-apt-apt28-collection-of-samples.html", "getstrength.gcom", "root.key", "11_migrate-sysctl", "vars", "snmpd", "fa5da96b.0", "fastcgi_params", "pppv6.sh", "vlan.lua", "S90ndppd", "cd8c0d63.0", "ipt-conntrack-extra", "QuoVadis_Root_CA_2.crt", "230d:0007", "https://cdn.iubenda.com/cookie_solution/iubenda_cs/1.38.0/core-en.js", "https://hostkey.com/hk/widgets/ext/src/hostkey.js", "ppp-up", "l2tp-client", "25-nls-cp437", "jquery.flot.fillbetween.js", "1bbb:00ca", "0471:1210:uMa=Wisue", "dhcp_client.html", "pd_api.sh", "12d1:1449", "unlock_pin.sh", "18-dnsproxy.sh", "4f316efb.0", "tddpd", "0af0:6711", "valuefooter.htm", "serial", "xhr.js", "dropbear_rsa_host_key", "02265526.0", "options.l2tp", "pppox-pppoetimer.sh", "20a6:f00e", "25-pppox.sh", "ndppd", "ed09:1021", "l2tp-ipsec-setstatus.lua", "portal_mgmt", "TUBITAK_Kamu_SM_SSL_Kok_Sertifikasi_-_Surum_1.crt", "ar8327_switch_portRateControl", "0af0:7706", "qos_ctl", "230d:0003", "portal_status.sh", "1c9e:f000:uMa=USB_Modem", "07d1:a800", "12d1:1f1b", "39-gre", "ssl_vpn_auth.html", "webfilter_global", "daemons.conf", "getisp.sh", "19d2:1520", "90-xt_dosdrop", "nat_napt.sh", "sysntpd", "12d1:1030", "interface.lua", "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "1004:6327", "chat-get-anydata_2", "30-fs-jfs", "12d1:1505", "10-pppox-response-nat.sh", "policy_routing.html", "10_indicate_failsafe", "1-lanv6hook.sh", "19d2:0146", "https://cdn.jst.ai/mwgt_4.1.js?v=5.28", "10-fstab", "1782:0003", "0af0:7071", "92-pppox-vpn.sh", "https://www.trendmicro.com/en_gb/research/21/k/analyzing-proxyshell-related-incidents-via-trend-micro-managed-x.html", "reset", "get_rps.sh", "42-ip6tables", "0e8d:7109", "https://res-1257422681.file.myqcloud.com/assets/yeyue/boinstall.js", "40-fs-nfs", "00_start_sync.sh", "find_target.lua", "wifidog", "12d1:14c1", "IdenTrust_Commercial_Root_CA_1.crt", "dhcp6sctlkey", "1c9e:9d00", "add_delete_tuple.sh", "0e8d:0002:uPr=MT", "2048_newroot.cer", "umount", "15-mii", "0421:0618", "_updown", "106c:3b03", "ipstat", "12d1:1f11", "05c6:1000:uMa=StrongRising", "qos-tplink", "nat_alg.sh", "diag.sh", "DigiCert_High_Assurance_EV_Root_CA.crt", "dynamic_dns_customddns.sh", "057c:84ff", "ucitrack", "0fce:d0e1", "19d2:1227", "S95mwan3", "Amazon_Root_CA_2.crt", "19d2:#linux", "22-qos-tplink", "05c6:1000:sVe=Option", "12d1:14ba", "230d:000b", "UCA_Global_G2_Root.crt", "1bbb:022c", "f387163d.0", "https://s.pinimg.com/ct/core.js", "25-nls-cp932", "qos_public.sh", "S99usbmodem", "led.sh", "smp.sh", "chunk-common.72de4705.css", "0d46:45a5", "0408:ea25", "customddns_set_url.sh", "S10boot", "mbimfind.lua", "cn9130_switch_portMirror", "bootcount", "S10system", "cli_base_cmd.tree", "19d2:0304", "0408:1000", "96-noipddns.sh", "1fac:0130", "K10openvpn", "GDCA_TrustAUTH_R5_ROOT.crt", "04_handle_checksumming", "96-cmxddns.sh", "options.xl2tpd", "S42macgroup", "delegator.htm", "https://istrosec.com/blog/apt-sk-cobalt/", "40_run_failsafe_hook", "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", "4a6481c9.0", "dslite.sh", "style.css", "session_limits.sh", "preview_wportal.html", "2001:a405", "https://www.morphisec.com/blog/vmware-identity-manager-attack-backdoor/", "1ee8:0045", "22-imb", "connect-ncm.gcom", "20-usb-core", "switch_portStatus.html", "websec_timeobj.lua", "time.js", "0af0:8600", "ncm.json", "vnetwork", "19d2:ffe6", "detach_timeobj.lua", "dhcp_lan_settings.html", "1004:61e7", "0af0:7211", "l2tp-get-tunnel-info.sh", "https://thedfirreport.com/2021/06/28/hancitor-continues-to-push-cobalt-strike/", "1c9e:98ff", "servers", "getimsi_b.gcom", "S60dnsmasq", "349f2832.0", "12d1:151a", "S70freeStrategy", "GlobalSign_Root_R46.crt", "l2tp-reload.sh", "98-ipsec.sh", "https://www.googletagmanager.com/gtm.js?id=GTM-M9D76H", "pptp_server.html", "1dbc:0669", "06dc52d5.0", "https://isc.sans.edu/diary/rss/26862", "5f618aec.0", "uci_firewall.sh", "1076:7f40", "1410:5031", "201e:1023", "reference", "19d2:1237", "usb-storage", "network.sh", "cert.pem", "openvpn-client-connect.sh", "65-scsi-generic", "print_server.html", "failsafe", "subnet.js", "https://cdn.staticfile.org/qrcodejs/1.0.0/qrcode.min.js", "19d2:1523", "xcbc.conf", "19d2:1171", "S26time_setting", "GlobalSign_ECC_Root_CA_-_R5.crt", "Entrust_Root_Certification_Authority_-_EC1.crt", "USERTrust_ECC_Certification_Authority.crt", "f081611a.0", "account.html", "mt7621_switch_led", "pptp-tunnel-action.sh", "1f28:0021", "file.js", "vlan_network", "97-route.sh", "42-usb2-pci", "12d1:14d1", "f39fc864.0", "Starfield_Class_2_CA.crt", "ipcalc.sh", "https://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/", "log_awk", "switch_portStatistics.html", "find_index.lua", "99-balance_route", "kill-pptpd-xl2tpd.sh", "platform.sh", "S99zzzcloud_proc", "ar9533_switch_portStatistic", "50-improxy", "userconfig.sh", "16d8:6281", "markdef.sh", "12d1:14b7", "DigiCert_Global_Root_G3.crt", "1b7d:0700", "https://blog.gigamon.com/2021/09/10/rendering-threats-a-network-perspective/", "pppox-default-variables.sh", "cli_access_cmd.tree", "OISTE_WISeKey_Global_Root_GC_CA.crt", "ldap_profiles.html", "appdist.html", "libstdc++.so.6.0.21-gdb.py", "https://github.com/infinitumitlabs/Karakurt-Hacking-Team-CTI", "S46nat", "https://www.sentinelone.com/blog/hive-ransomware-deploys-novel-ipfuscation-technique/", "daemons", "ipt-filter", "vnet.sh", "230d:0001", "12d1:1521", "chat-gsm-test-anydata", "1ee8:0003", "ecsIfName", "ar8327_switch_portState", "30-fs-cramfs", "tmngtd", "arp_list.html", "32-ipsec6", "system_mode.html", "19d2:1517", "12d1:1031", "wportal", "qos_grpmark.sh", "omada-tool.conf", "pkcs7.conf", "bf53fb88.0", "00-netstate", "indexer.htm", "connect-directip.gcom", "65-iptv", "nat_config.sh", "e8de2f56.0", "wireguard_peers", "https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html", "2001:a401", "22de:6801", "ifup-l2tp.sh", "l2tp-doipsec.sh", "cn9130_switch_portVlan", "https://www.threatdown.com/blog/cobalt-strikes-again-uac-0056-continues-to-target-ukraine-in-its-latest-campaign/", "99_10_run_init", "l2tp_global.html", "S89remote_mngt", "1266:1000", "l2tp.sh", "S47mac_filter", "switch.sh", "dnsmasq", "1dd6:1000", "wifi", "static_routing.html", "0af0:d055", "netbios_passthrough", "S42ippool", "12d1:1f15", "0408:ea17", "12d1:1413", "gre_overipsec.html", "pppv6-share", "index.txt", "one_nat.html", "0cf3:20ff", "cli_ssh_cmd.tree", "zone_init_all.sh", "zzzcloud_proc", "dynamic_dns_log.sh", "Certum_Trusted_Root_CA.crt", "148f:2578", "https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618", "https://mc.yandex.ru/metrika/watch.js", "cmxddns.html", "ipsec_handle_iptables.sh", "random.conf", "core_forwarding.sh", "pd_server.sh", "19d2:2004", "90-xt_qoslimit", "22f4:0021", "full_valueheader.htm", "tsection.htm", "char_conv.sh", "ipt-nat", "win-utf", "luci", "ips_whitelists.html", "sdhci-mt7621", "time_mngt", "0ace:20ff", "wportal.html", "https://blog.talosintelligence.com/avoslocker-new-arsenal/", "0af0:d058", "dnssecquery.sh", "ar9533_switch_portState", "S40fstab", "10-motion", "services", "telnet", "filter_global", "1410:5030", "openwrt_version", "gre", "50-usb-ohci", "https://www.googletagmanager.com/gtag/js?id=UA-73589630-1", "vlan_relationTbl.html", "Certum_Trusted_Network_CA.crt", "pkcs1.conf", "Hellenic_Academic_and_Research_Institutions_ECC_RootCA_2015.crt", "radvd", "access_ip_help.lua", "header.htm", "https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware", "set_time", "S96backup", "application_list.html", "50-usb-uhci", "Trustwave_Global_ECC_P384_Certification_Authority.crt", "acl_delete_rule.lua", "26-freeStrategy", "routing.lua", "ipsec_execute_stroke.sh", "S70usbshare", "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/", "0af0:6971", "Entrust_Root_Certification_Authority_-_G4.crt", "dbus-K5ae4EDHao", "online.html", "S97ipsec", "dnsproxy.html", "16d8:f000", "30_failsafe_wait", "0bdb:1910", "vpnlog", "zero_boot_done", "policy_route", "30-tun", "pcauth.js", "mt7628_switch_portStatistic", "80-balance.sh", "cmxddns", "vnet_zone_init.sh", "device_info", "05c6:0010", "ipgroup_address.html", "257a:b000", "Hellenic_Academic_and_Research_Institutions_RootCA_2015.crt", "handle_card.sh", "0af0:8700", "2357:f000", "sdnInfo", "https://www.security.com/threat-intelligence/harvester-new-apt-attacks-asia", "QuoVadis_Root_CA_3_G3.crt", "https://vanmieghem.io/blueprint-for-evading-edr-in-2022/", "DigiCert_Assured_ID_Root_G2.crt", "https://mp.weixin.qq.com/s/cGS8FocPnUdBconLbbaG-g", "filesystems", "0408:f001", "0af0:6811", "76cb8f92.0", "config.sh", "simpleform.htm", "https://raw.githubusercontent.com/ThreatConnect-Inc/research-team/refs/heads/master/IOCs/WizardSpider-UNC1878-Ryuk.csv", "12d1:157d", "vpn_user.html", "core_service.sh", "Amazon_Root_CA_1.crt", "core_ipgroup.sh", "https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/", "7719f463.0", "openssl-1.0.0.cnf", "hardware.txt", "hosts", "ie.css", "api_VPN.sh", "1da5:f000", "S99drop_caches", "openvpn-common.sh", "dictionary.merit", "25-nls-iso8859-13", "https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/", "core_rule.sh", "interface.html", "S60xl2tpd", "31-iptunnel4", "countrygroup", "30-fs-vfat", "dictionary.ascend", "ipsec_generate_domain.sh", "1004:61aa", "uci.sh", "https://cert.gov.ua/article/619229", "dictionary", "unbound.conf.back", "cleanTMP.sh", "firewall_zonelist.htm", "account.2ca6a054.js", "0af0:9000", "S90openvpn", "pre_setting_config.sh", "openvpn-client-up.sh", "rtl8367s_switch_init", "net_share.sh", "ca6e4ad9.0", "zone_api.sh", "ar9533_switch_init", "usb-net-huawei-cdc-ncm", "0af0:6771", "0af0:7a01", "switch_functions", "0d46:45a1", "nfnetlink-queue", "S68online", "omada-tool.lock", "b433981b.0", "gettime.sh", "dropbear", "SSL.com_Root_Certification_Authority_ECC.crt", "network", "1726:f00e", "S99zbalance_loop_reset", "firmware_backuprestore.html", "l2tp", "usb-net-cdc-ncm", "12d1:155b", "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf", "Network_Solutions_Certificate_Authority.crt", "S50pppox", "19d2:1511", "https://www.proofpoint.com/us/blog/threat-insight/nimzaloader-ta800s-new-initial-access-malware", "12d1:1f16", "web_group.html", "dia_info.html", "16d8:6803", "modem", "pptp-startup.sh", "custom_dhcp", "usbshare", "20-fs-exportfs", "boot", "cli_ospf.lua", "1bbb:f052", "libopenldap", "arp_defense", "account_mngt.html", "protofind.lua", "dhcp6c.sh", "service.sh", "radiusclient.conf", "54-usb3", "options.pptp", "1004:1000", "https://www.googletagmanager.com/gtm.js?id=GTM-PF3JNK2>m_auth=a6AgvzJ0SAOcyjADNwrdlQ>m_preview=env-1>m_cookies_win=x", "32-l2tp", "1c9e:1001", "1ee8:004f", "acl_wanhook.lua", "Buypass_Class_3_Root_CA.crt", "0af0:7361", "pc_wifi.html", "login.4f52b876.js", "huaweiinfo.gcom", "10_migrate-shadow", "S99enablemodem", "backup", "05c7:1000", "cn9130_switch_portStatistic", "1410:5041", "sddm-auth-52b94a64-454a-4d7f-903e-32df6aac784a", "6rd.sh", "https://thedfirreport.com/2021/05/02/trickbot-brief-creds-and-beacons/", "05c6:f000", "pgp.conf", "xl2tpd.conf", "common.sh", "ucisection.htm", "Certigna_Root_CA.crt", "25-nls-iso8859-15", "25-nls-iso8859-6", "8d86cdd1.0", "230d:000d", "ipt-iprange", "99-z3g4g-connect", "https://mp.weixin.qq.com/s/xPsEXp2J5IE7wNSMEVC24A", "dynlist.htm", "leds.sh", "nsswitch.conf", "dynddns.html", "timeobj_api.sh", "rfkill", "04fc:2140", "K50dropbear", "browser.htm", "0af0:7271", "e35234b1.0", "Security_Communication_Root_CA.crt", "usb-net", "tpcmd.sh", "https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/", "72-wan_ip_alias", "cbi.js", "1edf:6003", "0af0:7401", "ippool", "nat", "b727005e.0", "rsa_check", "auto_backup", "https://www.cybereason.com/blog/research/threat-analysis-report-datoploader-exploits-proxyshell-to-deliver-qbot-and-cobalt-strike", "https://connect.facebook.net/signals/config/785878845108827", "19d2:1009", "valueheader.htm", "application_filter.html", "ipv6group_address.html", "CA_Disig_Root_R2.crt", "S90portal_mgmt", "jquery.flot.barnumbers.js", "0af0:7301", "96-dynddns.sh", "20-firewall", "certSIGN_Root_CA_G2.crt", "cell_valueheader.htm", "online_api.sh", "b1159c4c.0", "ifrestart", "1c9e:6000", "https://cloud.google.com/blog/topics/threat-intelligence/darkside-affiliate-supply-chain-software-compromise", "shells", "ldap_query.sh", "dhcp_static.html", "2001:a708", "system_state.html", "S98led", "12d1:14fe", "dpi_tmngtd.sh", "ncm.sh", "setpin.gcom", "online", "ipt-ipv4options", "S91wireguard", "ar8327_switch_led", "appflow_statistics.html", "30-fs-isofs", "02_default_set_state", "get-vpn-ip.sh", "1410:5055", "foldertree.js", "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/", "nat_dmz.sh", "0af0:7011", "0482:024d", "dynamic_dns_noip.sh", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf", "page.js", "70-switch.sh", "40-qos.sh", "S96sysntpd", "csv2db.sh", "0b3c:f017", "54657681.0", "qos_ipset.sh", "https://analytics.tiktok.com/i18n/pixel/events.js?sdkid=C3I4VUA8DUF9JOO44QC0&lib=ttq", "reboot_schedule.html", "60-pptp-reload-rules.sh", "04e8:689a", "GlobalSign_Root_CA.crt", "198f:bccd", "ACCVRAIZ1.crt", "Entrust_Root_Certification_Authority.crt", "19d2:0154", "panel.js", "dpi_log_database.sh", "S96cmxddns", "netifd-proto.sh", "25-nls-cp850", "vnet", "76faf6c0.0", "cli_nat_cmd.tree", "dvalue.htm", "https://blog.nviso.eu/2022/07/20/analysis-of-a-trojanized-jquery-script-gootloader-unleashed/", "rewrite.lua", "002c0b4f.0", "e868b802.0", "93bc0acc.0", "04cc:226f", "chat-get-anydata_1", "99-nginx.sh", "1199:0fff", "https://isc.sans.edu/diary/Emotet%20infection%20with%20Cobalt%20Strike/28824", "modem-gsm-test-qualcomm.gcom", "cli_interface_cmd.tree", "19d2:1001", "23a2:1010", "D-TRUST_Root_Class_3_CA_2_EV_2009.crt", "vlan_portSetting.html", "0421:061d", "usermngr", "ssl_vpn_user_group.html", "19d2:0115", "DigiCert_Assured_ID_Root_CA.crt", "75d1b2ed.0", "19d2:0169", "ppp-down", "ngx_wdas.lua", "access_control.html", "30-veth", "1c9e:9101", "snmp.lua", "fs-exfat", "ubnt.sh", "chunk-vendors.0cdf10f0.js", "dnsproxy", "ipt-ipsec", "splitaccess", "e18bfb83.0", "modem-gsm-test-anydata.gcom", "dhcp6c.script", "Baltimore_CyberTrust_Root.crt", "url_filter", "S92qos_ctl", "improxy", "50-l2tp-lowerif-up-down.sh", "12d1:14c4", "f3377b1b.0", "SZAFIR_ROOT_CA2.crt", "connect-ppp.gcom", "12d1:1414", "preinit", "usermngr_backup.html", "16d8:700b", "19d2:0266", "S99switch", "cli_show_interface_status_cmd.tree", "osui.sock", "70-policy_route.sh", "https://web.op39v.xyz/?channelCode=pingguo", "wifidog.conf", "time_range.lua", "https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures", "98-ipt_url_dns_match", "02_network", "log_oops_recovery.sh", "12d1:1009", "getcarrier.gcom", "revocation.conf", "ffff_0003", "ddm.html", "acl_timeobj.lua", "https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis", "12d1:#android", "109b:f009", "ISRG_Root_X1.crt", "19d2_0002", "dhcp", "priv-key.pem", "index.a415cbb4.js", "00-vnet.sh", "40547a79.0", "257a:a000", "05c6:9024", "jquery.min.js", "3e44d2f7.0", "interface_wan.html", "zone-450", "12d1:1003", "S99dpi", "3513523f.0", "koi-utf", "0af0:8800", "106f3e4d.0", "search_tty.lua", "core_acl.sh", "vpn_wireguard.html", "line_backup", "12d1:1f02", "10-firewall.sh", "07d1:a804", "19d2:1179", "arping.sh", "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf", "https://unit42.paloaltonetworks.com/cobalt-strike-malleable-c2-profile/", "3g.sh", "https://www.crowdstrike.com/en-us/blog/how-falcon-complete-disrupts-ecrime-operators-wizard-spider/", "fvalue.htm", "kernel-netlink.conf", "luci-add-conffiles.sh", "access_control", "S99ipv6", "9d04f354.0", "route_api.sh", "https://www.unh4ck.com/detection-engineering-and-threat-hunting/lateral-movement/detecting-conti-cobaltstrike-lateral-movement-techniques-part-1", "avahi-daemon", "index.html", "0af0:7901", "0af0:7051", "30-fs-reiserfs", "Amazon_Root_CA_3.crt", "TrustCor_RootCert_CA-1.crt", "https://cloud.google.com/blog/topics/threat-intelligence/melting-unc2198-icedid-to-ransomware-operations/", "18856ac4.0", "https://asec.ahnlab.com/en/34549/", "ipv6", "dhcp_logrotate", "preview_mobile_wifi.html", "access_time_help.lua", "257a:c000", "login.html", "30-policy_route.sh", "xfe-URL-hyqxsnjj.com-stix2-2.1-export.json", "19d2:1536", "30-fs-ntfs", "session_monitor.html", "https://thedfirreport.com/2020/04/24/ursnif-via-lolbins/", "base-files-essential", "99-ipt_tpconnlimit", "0a775a30.0", "https://analytics.tiktok.com/i18n/pixel/config.js?sdkid=C3I4VUA8DUF9JOO44QC0&hostname=lumen.me", "2001:98ff", "ipv6_lan.html", "usb-net-qmi-wwan", "D-TRUST_Root_Class_3_CA_2_2009.crt", "cn9130_switch_portState", "l2tp-server", "19d2:0413", "openvpn-mgmt", "dictionary.microsoft", "usb-wdm", "jquery.flot.pie.min.js", "749e9e03.0", "openvpn_user", "textbox.js", "textarea.js", "system", "0af0:6731", "S99dnsproxy", "19d2:1030", "xauth-generic.conf", "Certum_Trusted_Network_CA_2.crt", "ips_signature_suppression.html", "0421:0632", "https://hostkey.com/hk/widgets/ext/build/stock.bundle.js", "Entrust.net_Premium_2048_Secure_Server_CA.crt", "0ace:2011", "106c:3b14", "4b718d9b.0", "12d1:1c1b", "l2tp_server.html", "https://cert-agid.gov.it/news/il-malware-envyscout-apt29-e-stato-veicolato-anche-in-italia/", "12d1:1f09", "1fac:0150", "03-vlan", "https://cloud.google.com/blog/topics/threat-intelligence/apt41-us-state-governments/", "https://cdn.jst.ai/vck.js", "openwrt_release", "ssl_vpn_user.html", "98_10_mtk_failsafe_init", "access_ctl", "server-cert.pem", "https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf", "reload_config", "96-customddns.sh", "updown.conf", "19d2:1514", "ipt-nathelper-extra", "fw", "0930:0d46", "1033:0035", "zone_api_all.sh", "S99dynamic_route", "dictionary.asnet", "12d1:1583", "1d3472b9.0", "98-iptv.sh", "https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html", "zbalance_loop_reset", "region.js", "https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire", "getcardinfo.gcom", "phddns", "stroke.conf", "062cdee6.0", "nf-conntrack-netlink", "dynanmic_arpreq.sh", "error500.htm", "about_hover.svg", "https://thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/", "0af0:4007", "https://www.googleoptimize.com/optimize.js?id=OPT-TQC6JW4", "ipt-nfqueue", "ngx_sqlApi.lua", "18-dnsproxyvnet.sh", "ff34af3f.0", "controller.js", "arp.sh", "https://www.lac.co.jp/lacwatch/report/20210521_002618.html", "radiusclient-ng.h", "4bfab552.0", "web_func.sh", "ePKI_Root_Certification_Authority.crt", "nat_core.sh", "12d1:1f03", "https://i.blackhat.com/USA-20/Thursday/us-20-Chen-Operation-Chimera-APT-Operation-Targets-Semiconductor-Vendors.pdf", "98-load_balance", "https://www.qurium.org/alerts/targeted-malware-against-crph/", "pppox-load-user.lua", "05c6:2000", "usb-net-ipheth", "12d1:15ca", "https://web.op39v.xyz/js/chunk-common.js", "sha2.conf", "10-rt2x00-eeprom", "nat_dmz.html", "form.js", "SSL.com_Root_Certification_Authority_RSA.crt", "91-gre.sh", "sys_monitor", "https://www.cisa.gov/news-events/analysis-reports/ar21-148a", "https://blog.talosintelligence.com/lemon-duck-spreads-wings/", "S99zero_boot_done", "40193066.0", "12d1:1557", "l2tp-init.sh", "0421:0610", "https://blog.bushidotoken.net/2022/06/overview-of-russian-gru-and-svr.html", "TeliaSonera_Root_CA_v1.crt", "https://www.gendigital.com/blog/insights/research/backdoored-client-from-mongolian-ca-monpass", "qos_Band_ctrl.html", "getip.sh", "client.key", "dyn3322ddns.html", "05_set_iface_mac_mediatek", "19d2:0103", "12d1_0004", "2001:a706", "21f5:3010", "25-nls-iso8859-2", "system.sh", "set_fan.sh", "network_netlist.htm", "1004:607f", "qos_nf.sh", "Certigna.crt", "0922:1001", "ar9533_switch_portPara", "90-xt_ipsecmark", "mmc", "web_security", "add-service.sh", "mt7621_register", "https://isc.sans.edu/diary/Bumblebee+Malware+from+TransferXL+URLs/28664", "koi-win", "emSign_Root_CA_-_G1.crt", "l2tp-functions.sh", "core_interface.sh", "K91network", "firmware_reseting.html", "rules.html", "0fd1:1000", "1e08bfd1.0", "openvpn-server-up.sh", "00-vpn_hook.sh", "0408:ea43", "rtl8367s_switch_portState", "1614:0802", "passthrough.sh", "GTS_Root_R4.crt", "09789157.0", "zone", "cn9130_switch_init", "60-dnsmasq", "session_limits", "https://www.ncsc.gov.ie/pdfs/HSE_Conti_140521_UPDATE.pdf", "04e8:f000:sMo=U209", "qos_state.sh", "usb-net-asix", "interface_wan_standalone.html", "05c6:1000:uMa=Vertex", "usb_storage.html", "0af0:d031", "10-metric.sh", "0b3c:f00c", "05c6:2001", "S95ifstat-mini", "interface.sh", "service", "30-fs-nfs-common", "S50qos-tplink", "web_login.html", "0bf05006.0", "getimsi.gcom", "cli_cmd.tree", "cron", "ifstart", "run-at.gcom", "l2tp_client.html", "ips_threat_management.html", "timeobj_cron_api.sh", "0471:1237", "firewall.user", "usb_backup.html", "S01spi_device_id", "AC_RAIZ_FNMT-RCM.crt", "x509.conf", "50-xt_flood", "nginx.conf", "phddns.html", "reset.gcom", "https://www.zscaler.com/blogs/security-research/targeted-attack-leverages-india-china-border-dispute-lure-victims", "utils.sh", "lvalue.htm", "S80usbmuxd", "00-vnet_client.sh", "napt.html", "crypto-hw-eip93", "99_end_sync.sh", "ipsec_secrets", "fixup-mac-address", "pppox-reload-user.sh", "cli_extra_cmd.tree", "protocol", "check_switchmode.lua", "XRamp_Global_CA_Root.crt", "chat-modem-configure", "lanv6.sh", "19d2:1210", "mt7621_switch_portPara", "9482e63a.0", "e-Szigno_Root_CA_2017.crt", "checkbox.js", "21-nat.sh", "html5.js", "1004:613a", "8160b96c.0", "firmware_factory.html", "15-usb_mode", "https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/", "0af0:c100", "Certum_EC-384_CA.crt", "https://isc.sans.edu/diary/rss/27618", "compound.htm", "tabcontainer.htm", "ipsec_vnet.sh", "3e45d192.0", "cli_show_iface_cmd.tree", "04cc:226e", "vtysh.conf", "widget.css", "0af0:8302", "mt7621_switch_portMirror", "starter.conf", "90-urlset", "https://www.truesec.com/hub/blog/proxyshell-qbot-and-conti-ransomware-combined-in-a-series-of-cyber-attacks", "SSL.com_EV_Root_Certification_Authority_ECC.crt", "ecmp.sh", "runcommand.gcom", "90-xt_multinetdev", "26-openvpn.sh", "626dceaf.0", "0af0:d035", "1410:5023", "04e8:680c", "gre-ipsec-up-down.sh", "https://web.op39v.xyz/js/chunk-vendors.js", "50_indicate_regular_preinit", "12d1:156a", "12d1:1f1e", "S50dropbear", "S25zone", "GlobalSign_Root_CA_-_R6.crt", "firmware_managing.html", "su.full.min.js", "99-load_balance.sh", "mt7628_switch_portVlan", "05-vnet-lanv6", "0fca:8020", "core.sh", "logrotate.conf", "Actalis_Authentication_Root_CA.crt", "https://thedfirreport.com/2021/01/31/bazar-no-ryuk/", "loggerd", "xl2tp-secrets", "15eb:7153", "sys_status.html", "https://raw.githubusercontent.com/AmnestyTech/investigations/refs/heads/master/2021-02-24_vietnam/README.md", "https://www.picussecurity.com/resource/blog/ttps-used-in-the-solarwinds-breach", "19d2:1038", "port_trigger.html", "19d2_0001", "openvpn_tunnel.html", "access_func.sh", "pppv6-up", "ar9533_switch_portVlan", "0af0:7a05", "libradiusclient-ng.la", "6b99d060.0", "https://contagiodump.blogspot.com/2014/11/onionduke-samples.html", "treestore.js", "10a9:606f", "50-arp_garp", "19d2:ffde", "02-split_access", "0af0:8006", "9c8dfbd4.0", "98-ipt_web_dns_match", "charon-logging.conf", "https://cdn.staticfile.org/jquery/3.6.0/jquery.min.js", "b0e59380.0", "network_netinfo.htm", "qos", "106c:3b06", "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739500&Signature=r1pLCgJf%2FQK8TvenCwXy9bnghFzjJ5QssdQSLP37SLv6EkA3WXuFUIvKrsXKokco7bMfQUy%2FArk8F6aP%2Bhaj16Jv7P%2FGB%2Blf7mPvs47VjwfBJRCP8AZLlWvO45%2BjC68v798csdJFPTP31O4yDOE3pXZ3EThm4nSrIwLPhTSPfi3cPlEh2wLSzcySW7BYLw%2BqCoawFCxeLUz7hIV0vC89Mlwi3DeS%2BEnWFF%2FsvT9lVJjdbLoJLEeO", "emSign_ECC_Root_CA_-_G3.crt", "status.js", "https://hostkey.postaffiliatepro.com/scripts/Oy173jux8", "luci-reload", "25-ddns", "c28a8a30.0", "portal_mgmt_monitor.sh", "https://www.crowdstrike.com/en-us/blog/bears-midst-intrusion-democratic-national-committee/", "1bbb:f017", "pppox-killtunnel.sh", "S83web_security", "https://isc.sans.edu/diary/Excel+spreadsheets+push+SystemBC+malware/27060", "12d1:1f1d", "hmac.conf", "AffirmTrust_Networking.crt", "tvalue.htm", "attach_timeobj.lua", "80-fuse", "baseinfo.gcom", "https://isc.sans.edu/diary/28636", "openvpn-client-routeup.sh", "https://www.sentinelone.com/blog/from-the-front-lines-peering-into-a-pysa-ransomware-attack/", "cs_dis.html", "0af0:7031", "5273a94c.0", "rtl8367s_register", "S99sys_monitor", "store.js", "power", "20-firewall.sh", "1ee8:0013", "apply_xhr.htm", "0af0:d155", "25-nls-cp1250", "ar9533_switch_portMirror", "pppox-remote-management-get-ippool.lua", "90-xt_vlan", "qos_polling.sh", "button.js", "https://unit42.paloaltonetworks.com/hancitor-infections-cobalt-strike/", "session_limits.html", "options.pptpd", "https://blog.nviso.eu/2021/11/17/cobalt-strike-decrypting-obfuscated-traffic-part-4/", "S85webfilter", "3g.chat", "ipt-nat-extra", "ips_stats.html", "ipsec_failover", "spi_device_id", "19d2:fff6", "usb-mode.json", "106c:3b11", "hwnat", "198a:0003", "getcnum.gcom", "19d2:0053", "dhcp_server.html", "https://www.crowdstrike.com/en-us/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout", "Buypass_Class_2_Root_CA.crt", "https://www.verizon.com/business/", "value.htm", "1d09:1025", "S47flood_defense", "core_init.sh", "https://thedfirreport.com/2021/06/20/from-word-to-lateral-movement-in-1-hour/", "S47administration", "0af0:d001", "certSIGN_ROOT_CA.crt", "https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/", "cli_routing_cmd.tree", "test.sh", "DigiCert_Global_Root_G2.crt", "7f3d5d1d.0", "lan.js", "ipv6group", "0af0:8900", "access_dir_help.lua", "TWCA_Global_Root_CA.crt", "1ee8:004a", "https://cert.gov.ua/article/703548", "ssl_vpn_tunnel_group.html", "iptv", "widget.js", "https://www.cynet.com/security-foundations/attack-techniques/new-wave-of-emotet-when-project-x-turns-into-y/", "1ee8:0009", "chat-gsm-test-qualcomm", "https://unit42.paloaltonetworks.com/fireeye-red-team-tool-breach/", "10-pppox-if-up-down.sh", "pptp-client-delete.sh", "80_mount_root", "19d2:1216", "https://www.trendmicro.com/en_us/research/21/a/earth-wendigo-injects-javascript-backdoor-to-service-worker-for-.html", "d7e8dc79.0", "1ee8:0054", "12d1:1f01", "30-v6plus", "time_setting.html", "TrustCor_ECA-1.crt", "32888f65.0", "tmp.QMAjonKZB0", "websort", "04-ipv6", "mobile_wifi.html", "jquery.flot.js", "https://securelist.com/a-new-secret-stash-for-fileless-malware/106393/", "app.manifest", "85-ntp", "scepclient.conf", "K98boot", "S97session_limits", "19d2:1224", "96-phddns.sh", "106c:3b05", "1d09:1000", "rtl8367s_switch_portVlan", "waitingbar.js", "S50radvd", "https://blog.sekoia.io/nobeliums-envyscout-infection-chain-goes-in-the-registry-targeting-embassies/", "https://cocomelonc.github.io/malware/2022/07/30/malware-av-evasion-8.html", "46-nat.sh", "access_func_v6.sh", "strongswan.conf", "chart.js", "usbmodem_log.sh", "19d2:bccd", "web_security.html", "https://isc.sans.edu/diary/Qakbot+infection+with+Cobalt+Strike+and+VNC+activity/28448", "K10portal_mgmt", "S01led_early", "USERTrust_RSA_Certification_Authority.crt", "S71hwnat", "get_temperature.sh", "user-secrets", "l2tp-ipsec-up-down.sh", "https://cocomelonc.github.io/tutorial/2022/05/09/malware-pers-4.html", "10-policy_route.sh", "20-upnp", "qos_mark.sh", "0b3c:c700", "webfilter_func.sh", "enable_service.sh", "01-usb-led", "f249de83.0", "30-fs-udf", "zone_api_core.sh", "pptp_client.html", "ssl_vpn_locked_user.html", "NetLock_Arany_=Class_Gold=_F?tan\u00fas\u00edtv\u00e1ny.crt", "ipsec_failover_process.sh", "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf", "14bc7599.0", "ar9533_register", "pptp-ifdevice-info.sh", "proxy.js", "https://www.welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/", "vpn_peers.html", "SSL.com_EV_Root_Certification_Authority_RSA_R2.crt", "2001:a403", "https://www.sentinelone.com/labs/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/", "dynddns", "https://medium.com/walmartglobaltech/cobaltstrike-uuid-stager-ca7e82f7bb64", "68dd7389.0", "0af0:d057", "openvpn_client.html", "vlan", "https-dns-proxy", "freeStrategy", "19d2:1007", "ssl_vpn_status.html", "usbmuxd", "S47imb", "modemLedCtrl.sh", "1004:613f", "upload.htm", "99-hotplug_done", "chat-get-qualcomm_1", "https://www.cisa.gov/sites/default/files/publications/AR-17-20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity.pdf", "30-3g", "T-TeleSec_GlobalRoot_Class_2.crt", "05c6:6503", "06-wan_log", "https://cloud.google.com/blog/topics/threat-intelligence/evolution-of-fin7/", "https://www.sentinelone.com/labs/noblebaron-new-poisoned-installers-could-be-used-in-supply-chain-attacks/", "noipddns", "773e07ad.0", "NAVER_Global_Root_Certification_Authority.crt", "sysctl.conf", "usb-printer", "accountmgnt.lua", "30-fs-configfs", "22de:6803", "openvpn-server-down.sh", "https://cert.gov.ua/article/37704", "16d8:6804", "S46iptv", "ca-certificates.crt", "attack-defense.html", "25-nls-cp775", "18-ipgroup", "usb-storage-extras", "Entrust_Root_Certification_Authority_-_G2.crt", "smp", "19d2:0325", "pem.conf", "https://www.esentire.com/blog/icedid-to-cobalt-strike-in-under-20-minutes", "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", "1a8d:2000", "uci-defaults.sh", "19d2:1175", "ipt-tproxy", "2b349938.0", "pptpd", "switch_portMonitor.html", "openvpn-instance.sh", "jquery.scrollTo.min.js", "S60monitor", "cellinfo.gcom", "0af0:c031", "19d2:0003", "usb-acm", "https://web-assets.esetstatic.com/wls/2019/10/ESET_Operation_Ghost_Dukes.pdf", "1ab7:5700", "procd.sh", "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", "core_ipv6group.sh", "19d2_0004", "ipgroup_group.html", "freePolicy", "led", "tddp", "0e8d:0002:uPr=Product", "ipgroup", "dhcp_lan_settings_standalone.html", "S99bootcount", "1fac:0032", "40-usb2", "03_preinit_do_ramips.sh", "1fac:0151", "https://teamt5.org/tw/posts/mjib-holds-briefing-on-chinese-hackers-attacks-on-taiwanese-government-agencies/", "md5.conf", "ipt-compat-xtables", "https://medium.com/walmartglobaltech/trickbot-crews-new-cobaltstrike-loader-32c72b78e81c", "1bbb:000f", "04bb:bccd", "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", "607986c7.0", "handle_card_process.sh", "25-nls-cp862", "K91geoip", "https://www.googletagmanager.com/gtag/js?id=G-5VS2LL0P80&l=dataLayer&cx=c", "macgroup", "pptp-get-tuunel-info.sh", "ddns", "1410:5059", "UCA_Extended_Validation_Root.crt", "90-portal_mgmt", "excanvas.js", "Izenpe.com.crt", "firstboot", "lib-textsearch", "ipsec_check_domain_wrap.sh", "406c9bb1.0", "isp_routing.html", "zone_core.sh", "rtl8367s_switch_portPara", "time.sh", "account_config.html", "nsection.htm", "https://thehackernews.com/2022/05/malware-analysis-trickbot.html", "Go_Daddy_Root_Certificate_Authority_-_G2.crt", "1c9e:9800", "user-secrets.reference", "dynamic_dns_updater.sh", "location.json", "0f6fa695.0", "COMODO_ECC_Certification_Authority.crt", "https://www.cynet.com/security-foundations/attack-techniques/understanding-squirrelwaffle/", "0af0:7111", "https://vtbehaviour.commondatastorage.googleapis.com/edb4c21d60daa44b3429e7ba9bfa342759ebef23c136c934f74aef145453ce19_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775737710&Signature=fbsokraSd7lsYmUfaTEl8Phs2K3hp7AtVmQU9axeEBcYmYbrrYrrfpP5lPEQaE%2Fh3%2BEP9Rn8mD8D1haqQVXCN0VVlxJ4sddjWmyC5USsgBsvUb0%2F72h1WHDS2KXHlteZWE%2Bauckabain9D5kX501AnqFY38s77OIqO6SMOkQ%2BvXiDSSRK%2FZhbfradBnei3ZLHsXGxkoshTyvB0%2BC%2F8SiUzdVsqSjik0Bn2r%2BIlLpDQK90GlZTD0N", "mt7621_switch_globalLed", "0922:1003", "2077:1000", "mvalue.htm", "https://js.pvd.to/c/v1/pixel-1sdz.js?t=1653350400000", "https://vtbehaviour.commondatastorage.googleapis.com/edb4c21d60daa44b3429e7ba9bfa342759ebef23c136c934f74aef145453ce19_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775737365&Signature=S%2B7RcHYjab1hbKlKwFfvUbDirFPJS1A2TJQ3bVIObMcON4PD9pRDvhMtYMCnEBrYsICi0UJCFW5eUDolL5Jlbngsc587kF36vvuhlkPprbkSOY1jOyDTpe3Qsb6jRFz3xwOfZc9S5QervoLnRKb%2FyGSyZE6ZK6TxzBrOPczPtZ7sLf9NfD6E%2B2gMRXaRjEqVwVITLG7YqCiiNuohFOuNlK3uNHFpIk53viKvBSAIqLtSklH9bHW4q1DX", "22-imb.sh", "tabmenu.htm", "ips_blacklists.html", "5f15c80c.0", "mt7621_switch_portState", "xF43MOjWbQiz+vIQbjaGodBk4PpoECFzUYyznnj8Enc=", "de6d66f3.0", "TWCA_Root_Certification_Authority.crt", "https://blog.talosintelligence.com/manjusaka-offensive-framework/", "https://www.sonatype.com/blog/new-pymafka-malicious-package-drops-cobalt-strike-on-macos-windows-linux", "COMODO_Certification_Authority.crt", "dos_defense", "12d1:1520", "19d2:1233", "https://cloud.google.com/blog/topics/threat-intelligence/sabbath-ransomware-affiliate/", "19d2:0120", "cli_vlan_cmd.tree", "access.lua", "00_uhttpd_ubus", "pppox", "E-Tugra_Certification_Authority.crt", "login.sh", "mtab", "msg.js", "1ee8:0018", "usb-serial-option", "S99lldpd", "ppp.sh", "directip.gcom", "0421:060c", "api.sh", "0421:0622", "49-ipt-ipset-tplink", "T-TeleSec_GlobalRoot_Class_3.crt", "switch.js", "about.svg", "https://hostkey.postaffiliatepro.com/scripts/Oy173rux8?accountld=default1&url=S_hostkey.com%2F&referrer=&isInlframe=false&getParams=&anchor=", "https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/refs/heads/master/China/APT/Chimera/Analysis.md", "pppox-wheader.sh", "32-sit", "99_10_failsafe_login", "ar8327_register", "0471:1210:uMa=Philips", "usb_firmware_upgrade.html", "cn9130_switch_portRateControl", "K25zone", "sierrainfo.gcom", "cli_accountmgnt_cmd.tree", "combobox.js", "pptp-global-setting.sh", "b7a5b843.0", "https://medium.com/walmartglobaltech/socgholish-campaigns-and-initial-access-kit-4c4283fea8ee", "getpinstatus.gcom", "201e:2009", "l2tp-global", "12d1:14b5", "lock-prov.gcom", "0421:062c", "disconn-script", "cmd.sh", "time_setting", "10_indicate_preinit", "1ee8:0068", "ips_setting.html", "command.gcom", "S21tddpd", "basic.html", "ip_stats.html", "l2tp-server.reference", "https://www.crowdstrike.com/en-us/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/", "S96upnp", "60-mac_filter.sh", "interface_mac.html", "smschk.gcom", "attr.conf", "50-access_ctl.sh", "31-iptunnel", "5d3033c5.0", "https://widget.trustpilot.com/trustboxes/5613c9cde69ddc09340c6beb/index.html?templateld=5613c9cde69ddc09340c6beb&businessunitld=55e46b640000ff000582c91e#locale=en-GB&styleHeight=100%25&styleWidth=100%25&theme=light", "25-nls-cp864", "rip", "12d1:1010", "057c:62ff", "jquery.json-2.4.min.js", "core_log.sh", "loadopenvpncert", "tblsection.htm", "12d1_0001", "time_mngt.html", "1ee8:0063", "12d1:1f19", "switch_port.sh", "cli_server", "IdenTrust_Public_Sector_Root_CA_1.crt", "dhcp6s", "Hongkong_Post_Root_CA_1.crt", "monitor_port.lua", "https://snap.licdn.com/li.lms-analytics/insight.min.js", "openvpn-client-down.sh", "remote_mngt.html", "dd8e9d41.0", "cli_snmp_cmd.tree", "GlobalSign_ECC_Root_CA_-_R4.crt", "https://secure.livechatinc.com/", "system_mode", "ipgroup_view.html", "19d2:0101", "done", "https://medium.com/walmartglobaltech/signed-dll-campaigns-as-a-service-7760ac676489", "22-access_ctl.sh", "pppol2tp", "12d1:1c0b", "K90ipv6", "03179a64.0", "S95ipstat", "12_network-generate-ula", "dhcp.lua", "zone_init.sh", "19d2:0150", "interface_mode.html", "https://resource.redcanary.com/rs/003-YRU-314/images/2022_ThreatDetectionReport_RedCanary.pdf", "mt7628_switch_portRateControl", "https://blog.talosintelligence.com/mustang-panda-targets-europe/", "error.html", "https://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/new-apt-group-chamelgang/#id3", "directip.sh", "jshn.sh", "ar8327_switch_portStatistic", "1004:614e", "encrypt.js", "mt7621_switch_portVlan", "https://s9.cnzz.com/z_stat.php?id=1280740152&web_id=1280740152", "https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/", "fc5a8f99.0", "customddns", "40-load_balance", "ipsec.lua", "monitor", "nfnetlink", "grid.js", "ipv6group_group.html", "30-fs-minix", "Trustwave_Global_Certification_Authority.crt", "core_redirect.sh", "QuoVadis_Root_CA_2_G3.crt", "sessmngr.html", "99-vpn_hook.sh", "S96static_route", "support_bundle_commands.conf", "12d1_0003", "0af0:6911", "https://github.com/vuejs/vue-devtools", "064e0aa9.0", "https://malcat.fr/blog/lnk-forensic-and-config-extraction-of-a-cobalt-strike-beacon/", "mt7621_switch_portStatistic", "mt7628_switch_led", "5cd81ad7.0", "19d2:1232", "https://thedfirreport.com/2020/08/31/netwalker-ransomware-in-1-hour/", "0408:f000", "url_func.sh", "12d1:157c", "S80websort", "https://cdn.taboola.com/scripts/cds-pips.js", "https://s.pinimg.com/ct/lib/main.32155010.js", "12d1:#linux", "0af0:7801", "custom_ddns.html", "number.js", "https://www.security.com/threat-intelligence/sodinokibi-ransomware-cobalt-strike-pos", "Go_Daddy_Class_2_CA.crt", "https://www.security.com/threat-intelligence/solarwinds-raindrop-malware", "https://redcanary.com/wp-content/uploads/2022/05/Gootloader.pdf", "12d1:15e7", "lanv6_server.sh", "ar8327_switch_8021Qvlan", "feffd413.0", "pptp_tunnel.html", "1ee8:0060", "1410:5020", "Atos_TrustedRoot_2011.crt", "pptp_global.html", "usb-serial", "0af0:7381", "https://cdn.livechatinc.com/tracking.js", "sshkey.conf", "ifup", "pptp-client-global", "ldap", "modem-configure.gcom", "0af0:d357", "12d1:1805", "S99improxy", "1410:7001", "02-usb-auto-scan", "32-ipsec4", "1bbb:f000", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf", "sysupgrade.conf", "30-fs-btrfs", "12-netbios-passthrough", "ramips.sh", "5e98733a.0", "charon.conf", "2262:0001", "mac_filter", "S50queueventd", "online_check", "restorefactory", "https://www.iubenda.com/cookie-solution/confs/js/53119375.js", "0af0:8400", "AC_RAIZ_FNMT-RCM_SERVIDORES_SEGUROS.crt", "16d8:700a", "preinit.sh", "19d2:2000", "core_tpfirewall.sh", "remote_mngt.sh", "2001:00a6", "07_set_preinit_iface_ramips", "S72sfe", "dhcp.script", "0fce:d0cf", "opkg.conf", "Starfield_Services_Root_Certificate_Authority_-_G2.crt", "1004:6190", "emSign_Root_CA_-_C1.crt", "https://cdn.taboola.com/libtrc/unip/1262365/tfa.js", "qmi.sh", "ipsec.conf", "60-dhcpsvnet.sh", "locale", "29-static_route", "eed8c118.0", "led_early", "upnp_api.sh", "ecmp.lua", "diagnostic.html", "K26pppox", "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", "zzzzzsys_info", "29-fs-fscache", "usb-net-cdc-ether", "ipxr", "ecs", "S99system_params", "qos_api.sh", "https://www.sentinelone.com/blog/threat-actor-uac-0056-targeting-ukraine-with-fake-translation-software/", "mime.types", "S95done", "Staat_der_Nederlanden_EV_Root_CA.crt", "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739700&Signature=bOTo%2FxCpGDGOsIKJDZjBBhLZRg8UiOGi%2FvVr47Xpmh7tOh9dez7911bi%2F9SUdu4ATLhzRVog%2BdVP%2BUPwTuEfIdEcPuGRGVc1KOSP3fTQrKhRjF3x2dqykxVCH%2B1iqBmCgod%2B1uAdlraxqSOeOgst1l%2Bk250uXff4axktE%2BfGjeNDeGJao%2FfOMktqIL7zU8%2BIQYTObwelnnYx45FBSiXI1bWM4vhdgIX4cs2cT%2F", "ipt-geoip", "15-mwan3", "fw.sh", "qos_Class_role.html", "cli_http_cmd.tree", "wportal_free.html", "50-qos_ctl", "openssl.conf", "virtual_server.html", "0af0:d013", "S42service", "chap-secrets", "zone_conf.sh", "0b3c:f000", "usb-serial-wwan", "md5.js", "bwlist_qq.html", "controller.conf", "12d1:1f1c", "ifstat-mini", "functions.sh", "show_if_help.lua", "firewall", "ef954a4e.0", "0af0:8200", "sendsms-at.gcom", "S42ipgroup", "https://www.googletagmanager.com/gtm.js?id=GTM-NWH4DH2", "portal-mgmt", "setmode.gcom", "S99led_set", "25-nls-cp1251", "Microsoft_RSA_Root_Certificate_Authority_2017.crt", "url_filtering.html", "1004:6156", "20b9:1682", "0af0:d157", "1d09:1021", "12d1:14ad", "bridge.html", "12d1:1526", "1c9e:9401", "GlobalSign_Root_CA_-_R3.crt", "rtl8367s_switch_portRateControl", "ar8327_switch_portVlan", "get-vpn-gw.sh", "cloud_config.cfg", "ipt-core" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "Threat" ], "malware_families": [ "Primary threat", "Handleref", "Threat analysis", "Trickbot", "Bazarloader", "Netsupport", "Kronos", "Win32.bitcoinminer", "Darkside", "Stellarparticle", "Industroyer - s0604", "Ransomhub", "Matanbuchus", "Doorme", "Socgholish netsupport", "Fancybear", "Bumblebee", "Frp", "Microbackdoor", "Gold blackburn", "Cyclops", "Socgholish", "Threat", "Graphsteel", "Win api", "Conti", "Shadowpad", "Cobalt strike", "Raspberry robin", "Win32.agent", "Lj", "Beacon", "Plugx", "Avoslocker", "Apt29", "Pcap", "Elf", "Cozybear", "Nbtscan", "Gootloader", "Hades", "Gootkit", "Shadow chaser", "Generic.933739", "Credomap", "Ryuk", "Reduceright", "Grimplant", "Beaconloader" ], "industries": [ "Gas", "Energy", "Aerospace", "Defense", "Banking", "Political", "Diplomatic", "Technology", "Media", "Pharmaceutical", "Financial", "Legal", "Academics", "Foreign affairs", "Logistics", "Industrial", "Government", "Military", "Transportation", "Aviation", "Transport", "Manufacturing", "Telecommunications" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 19, "pulses": [ { "id": "69f46a108000bd36fe90d5be", "name": "APT29", "description": "In the latest episode of the LNK forensic analysis series, we look at how a malicious file was linked to a Chinese-speaking threat actor, who then modified the file to target a powershell program.", "modified": "2026-05-31T06:03:25.904000", "created": "2026-05-01T08:53:34.200000", "tags": [ "sha1", "ipv4", "sha256", "n cobalt", "n https", "strong", "rararchive", "backdoor", "n c2", "cobalt strike", "guloader", "cobaltstrike", "cobalt", "downloader", "april", "icedid", "dropper", "june", "trickbot", "donut", "fast", "payload", "unknown", "delphi", "noname", "anydesk", "blister", "quasar", "winnti", "somnia", "qakbot", "gogo", "netwire", "chrysalis", "download", "exploit", "netspy", "loader", "ursnif", "themida", "vidar", "doublezero", "voldemort", "next", "meterpreter", "tencent", "plugx", "shadow", "batloader", "redline stealer", "havoc", "resident", "decoy", "dump", "shellcode", "infostealer", "appe", "bumblebee", "emotet", "syscall", "acidrain", "credomap", "cozyduke", "ukraine", "daveshell", "cont", "refer", "fail", "first", "snake", "mega", "onlin", "grayrabbit", "open", "power", "august", "test", "path", "mimikatz", "nbtscan", "impacket", "comment", "install", "redline", "comet", "autoit", "wiper", "endurance", "sharphound", "psexec", "malicious", "service", "wind", "installer", "info", "confi", "remcosrat", "hermeticwiper", "isaacwiper", "graphsteel", "caddywiper", "grimplant", "industroyer2", "defense", "energy", "telecom", "media", "grapeloader", "wineloader", "envyscout", "sunburst", "panda", "metasploit", "sparkrat", "zbot", "darkgate", "finspy", "rhadamanthys", "warmcookie", "trojanspy", "diceloader", "asyncrat", "esxiargs", "webshell", "cerber", "azorult", "lokibot", "blackcat", "poortry", "cuba", "malcat", "ctrlt", "transform", "bazaar", "virustotal", "window", "pdf document", "iit app", "tools", "lucky", "injector", "handleref", "temp", "conti", "groupexchange", "group400", "grouprevil", "revilconti", "providerpath", "regexpandsz", "minidump", "groupuchebkac", "malware", "bypass", "adfind", "threat", "command", "procdump", "seatbelt", "below", "anydesk remote", "lsass", "powershell", "cookie", "android", "null", "sliver", "initial access", "code", "defender", "defense evasion", "enterprise", "powerview", "pipes", "cloud", "date", "poison", "advantage", "mind", "designer", "shell", "projector libra", "bazarloader", "figure", "file size", "transferxl", "palo alto", "iso image", "windows", "wildfire", "february", "alliance", "bazarbackdoor", "bokbot", "diavol", "shown", "hook", "threat spotlight", "manjusaka", "c2 server", "appliance", "cisco talos", "golang", "haixi mongol", "prefecture", "talos", "rust", "agent", "win64", "hello", "xor algorithms", "z85 ascii85", "base85", "ascii85", "compile", "z85 https", "threat analysis", "primary threat", "elf", "strike payload", "uri http", "post body", "lockbit", "sentinellabs", "c curl", "ip address", "lockbit black", "cyber threats", "investigations", "research", "expert perspective", "articles", "news", "reports", "learn", "trend vision", "vision one", "gootkit", "trend micro", "amsi telemetry", "micro", "gootkit loader", "security", "stop", "find", "life", "operations", "protect", "small", "carriers", "voice", "attack", "suncrypt", "revil", "sodinokibi", "kronos", "korean", "createobject", "javascript", "ascii value", "opens", "urls", "color1", "python script", "gootloader", "twitter", "python", "unc1151", "microbackdoor", "beacon", "base64", "github", "run registry", "putty", "persistence", "discord", "blackenergy", "state", "uac0056", "detection", "threatdown", "cybercrime has", "machinescale", "response", "nebula", "indirizzo", "il file", "questo cert", "italia", "il messaggio", "allegato", "covid19", "file pdf", "html", "serbia", "stata", "file location", "https traffic", "thursday", "windows host", "wireshark", "emotet run", "pakistan", "ttps", "shadowpad", "plugx backdoor", "kaspersky ics", "afghanistan", "malaysia", "march", "cert", "ntlm", "winrar", "assembly", "china chopper", "microsoft", "fancybear", "cozybear", "december", "strontium", "ransomhub", "matrix", "raspberry robin", "sofacy", "beatdrop", "quietexit", "cyclops", "knight", "bank", "facebook", "beer", "worm", "threat advisory", "ransomware", "threats", "securex", "avos", "unified access", "gateways", "avoslocker", "cisco secure", "vmware horizon", "darkcomet", "apt29", "nobelium", "stellarparticle", "shadow chaser", "file type", "sha256 hash", "html file", "pe32", "intel", "matanbuchus", "confluence", "data center", "server", "waf rule", "confluence data", "shut", "jars", "cvss", "update", "centerall", "mustang panda", "vietnam", "analyze", "dll file", "summary", "vincss", "vietnamese", "english", "unc2165", "evil corp", "fakeupdates", "dridex", "hades", "colorfake", "bitpaymer", "doppelpaymer", "wastedlocker", "megasync", "trojan", "payloadbin", "macaw", "cuba ransomware", "tor directory", "bughatch", "iis worker", "mare", "team", "zenpak", "impact", "mosquito", "exfiltration", "execution", "masquerading", "netsupport rat", "select", "script", "hash", "press enter", "http", "activexobject", "lnk file", "socgholish", "servhelper", "fakeupdate", "model", "socgholish netsupport", "netsupport", "ta551", "ryuk", "threat actor", "hta file", "trickbot c2", "sonatype", "drops cobalt", "strike", "pymafka", "open source", "contact us", "macos", "nexus", "demo", "protected", "friday", "gold blackburn", "ahnlab", "was1", "was2", "dc server", "coinminer", "ntlm hash", "january", "ad group", "darkside", "miner", "win32.bitcoinminer", "win32.agent", "frp", "transferxl url", "iso file", "bumblebee c2", "file name", "exotic lily", "transferxl urls", "function", "dropbox", "c2 dropbox", "c2clientmain", "filename", "av evasion", "syswhispers2", "dropbox loader", "stream", "mark", "back", "pcap", "ta578", "contact forms", "images evidence", "windows service", "main entry", "a service", "service main", "entry point", "windows context", "administrator", "concept", "https", "lazagne", "setmppreference", "use ie", "msie", "windows nt", "bloodhound", "wmiexec", "covenant", "empire", "poshc2", "organization", "cleanup", "winscp", "dword", "netscan", "http c2", "base64url", "c2 traffic", "netbios", "teamserver", "mask", "legezo", "windows event", "denis legezo", "september", "silent break", "windows system", "rc4 encryption", "sysdig", "plugx implant", "myanmar", "russia", "hong kong", "reddelta", "belarus", "digital certificates", "fileless malware", "malware descriptions", "malware technologies", "rat trojan", "targeted attacks", "silentbreak", "throwback", "linode", "slingshot", "inject", "patch", "magic", "mozilla", "false", "\u30b5\u30a4\u30d0\u30fc\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3", "\u30de\u30af\u30cb\u30ab\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u30b9", "word", "stager", "url https", "windows10", "dll sideloading", "ida pro", "darkhotel", "oceanlotus", "mandiant", "boommic", "group policy", "smb beacon", "trello", "kerberos", "pass", "vaporrage", "platform sha256", "urls http", "unc2452", "opsec", "scale", "apt29 activity", "apt29 conduct", "global func", "vmware xfer", "edrepp", "vmware command", "dfir team", "abcd", "stealbit", "stdout", "hooks", "logic", "dfir report", "icedid malware", "icedid payload", "pty ltd", "goodware", "string", "desktop", "morphisec", "vmware identity", "morphisec labs", "core impact", "vmware", "workspace one", "access", "cve202222957", "cve202222958", "fortune", "jssloader", "stark", "moving", "please", "virtualbox", "registry", "windows logon", "hive", "varonis", "ai security", "proxyshell", "detect", "data risk", "google cloud", "trust", "varonis threat", "contact", "qbot", "void", "police", "pysa", "chisel", "files", "where", "pysa ransomware", "redacted", "force", "getchilditem", "aes key", "szdrf", "mespinoza", "target", "winapi", "edr hooks", "winapi call", "endpoint", "tracing", "api call", "direct system", "phase", "import", "outflank", "dll payload", "bumblebee dll", "programdata", "orion", "strings", "example", "zloader", "eset research", "atera agent", "eset", "aitb", "eset security", "tips", "silent", "night", "botnet", "teamviewer", "atera", "capture", "grantedaccess", "computer", "lsass memory", "targetimage", "sourceimage", "simulate", "atomic", "karakurt", "view", "hacking team", "sign", "contributors", "from karakurt", "appearance", "manage", "write", "star", "stars", "ruby", "footer", "birdwatch", "fin7", "easylook", "unc3381", "powerplant", "crowview", "boatlaunch", "stoneboat", "fowlgaze", "uuid variant", "hell", "ipfuscation", "james haughom", "ipfuscated", "gate variant", "gate", "rubeus", "wow64", "cp1250", "uuids", "touch", "blob", "hwinithlw", "sphw", "shathak", "conti affiliate", "valentine", "favorite", "rats", "ragnarlocker", "hellokitty", "squirrelwaffle", "uris", "http get", "post", "http post", "c2 profile", "accept", "vnc activity", "ms windows", "go downloader", "unc2589", "ta471", "sentinelone", "module stomp", "return address", "cobalt strikes", "rtlallocateheap", "use section", "dlls", "first detection", "apt41", "dustpan", "cve202144207", "cve202144228", "log4shell", "vmprotect", "deadeye", "keyplug", "filler", "confuserex", "badpotato", "task manager", "lsass process", "cisa", "bazar", "hancitor", "splashtop", "kportscan", "story", "emotet payload", "excel", "appdatalocal", "november", "emotet campaign", "vba macro", "cybercrime", "cybersecurity architect", "threat research", "jarm signature", "sha2", "jarm", "salesforce", "epoch", "emotet core", "epochs", "conti group", "emotet epoch", "trickbot group", "prior", "threat response", "unit", "socs", "hunters", "cyber", "mssql", "mssql server", "lemon duck", "asec analysis", "account", "kingminer", "vollgar", "mssql process", "cve20201472", "reg add", "regdword", "makes", "et exploit", "core", "possible", "comspec", "tracker", "userdomain", "appdata", "hide", "vbscript", "exclusionpath", "userpcname", "ipcount", "gozi", "cybereason", "exchange", "datoploader", "cybereason xdr", "report", "phishing", "pinkslipbot", "theft", "beyond", "never", "malwarebazaar", "strike activity", "filejust", "file contentsi", "vscode", "sublime editor", "windows exe", "utf8", "turla", "root", "msoffice", "nativezone", "kazuar", "bluenoroff", "customerloader", "muddywater", "chat", "overwatch", "aquatic panda", "log4j", "linux", "apache tomcat", "crowdstrike", "github project", "click", "fishmaster", "yanluowang", "thieflock", "scanner", "canthroid", "grabff", "symantec", "connectwise", "screenconnect", "fivehands", "browserpassview", "rundll32", "sharefinder", "wmic", "ping", "rollcoast", "south africa", "unc2190", "july", "tycoon", "unc2190 beacon", "latin", "arcane", "sabbath", "slovak", "slovakia", "albanian", "albania", "swedish", "turkish", "indonesia", "estonia", "armenia", "c2 data", "cyberchef", "javascript code", "rsa key", "remove", "get request", "xor key", "exploits & vulnerabilities", "managed xdr", "one marketplace", "lockfile", "attack overview", "stage", "conti gang", "datop", "handover", "kazakhstan", "os version", "winrm", "protocol", "enterpssession", "psrp", "windows remote", "source process", "stack", "rita", "threat feed", "myrtus", "harvester", "c activity", "artefactsfolder", "identity", "infectionid", "october", "main", "ad environment", "bazar c2", "networks", "d3desdecrypt", "nim malware", "jason", "part", "reaves6 min", "nimrodnimza", "rustybuer", "nimgrabber", "caesar", "file encryption", "nimrev", "discovery", "data", "mitre att", "powersploit", "leverage", "beaconloader", "doorme backdoor", "issuer cus", "apt group", "chamelgang", "doorme", "mcafee", "timestomp", "copy", "oilrig", "error", "body", "eternalblue", "zip file", "enable", "content", "vbs script", "word document", "maldoc", "form", "win api", "bazarloader dll", "intro conti", "coveware", "raas", "ransom", "ryuk ransomware", "cve202140444", "multiple", "north america", "europe", "asia", "html object", "mshtml engine", "sidewalk", "crosswalk", "c server", "sparklinggoblin", "google docs", "winnti group", "format", "darkshell", "motnug", "threat-intelligence", "apt", "nsa", "def con", "iso filesystem", "iocs", "recon village", "leviathan", "encrypt", "prophet spider", "oracle weblogic", "exception", "weblogic access", "class", "linux system", "egregor", "mountlocker", "radar", "front", "gotroj", "encoder", "stealer", "soar", "speed", "prophet", "classloader", "reconnaissance", "tech", "recon", "et cnc", "feodo tracker", "cnc server", "trigger", "alive", "spawn", "method", "http method", "jitter", "port", "beacon type", "later", "close", "browser", "chinese-speaking cybercrime", "google chrome", "microsoft word", "spear phishing", "luminousmoth", "honeymyte", "assistant", "username", "motc", "ministry", "local", "xll file", "docusign", "hancitor dll", "hancitor exe", "ficker stealer", "api hashing", "api hash", "monpass", "avast", "monpass client", "monpass web", "mongolia", "jan rubn", "discovered", "initial contact", "final", "watermark", "chanitor", "pony", "vawtrak", "uwaga", "falcon complete", "falcon", "wizard spider", "lime", "easy", "flex", "yahxz", "efno", "unc2465", "ngrok", "ultravnc", "methodology", "ngrok tunnel", "smokedham", "guard", "dllstageless", "submission", "size", "noblebaron", "itw name", "scout", "elite", "containedwithin", "withheld", "relatedto", "strike beacon", "matches no", "privacy", "description", "entropy", "restrict", "host ip", "owner", "igos", "germany", "file", "type", "artemis", "rozena", "razy", "khalesi", "\u30c7\u30b8\u30bf\u30eb\u7f72\u540d", "cobalt strike loader", "\u6a19\u7684\u578b\u653b\u6483", "strike loader", "iocindicator", "microsoft docs", "2 cobalt", "3 sigcheck", "1 microsoftdll", "powershell rat", "macro", "progression", "hackerman", "robinhood", "scan behavioral", "unusual port", "potential scan", "campo loader", "dfdownloader", "japan", "post method", "openfield", "blacktds", "public", "behaviour", "variant", "malicious file", "transfer", "control", "feature", "fireeye", "plink", "campo", "bazarcall", "xyzcampobb hxxp", "ioc510", "urlcampo", "20214", "headlines", "tlds", "duck", "beapy", "prometei", "umbrella", "wdigest", "iceid", "networkminer", "caploader", "network forensics", "ja3", "x.509", "sslbl", "1768.py", "didier stevens", "8da75e1f974d1011c91ed3110a4ded38", "e9b5e549363fa9fcb362b606b75d131dec6c020e", "0314b8cd45b636f38d07032dc8ed463295710460ea7a4e214c1de7b0e817aab6", "banusdona.top", "172.67.188.12", "f98711dfeeab9c8b4975b2f9a88d8fea", "c2bdc885083696b877ab6f0e05a9d968fd7cc2bb", "213e9c8bf7f6d0113193f785cb407f0e8900ba75b9131475796445c11f3ff37c", "momenturede.fun", "104.236.115.181", "96a535122aba4240e2c6370d0c9a09d3", "485ba347cf898e34a7455e0fd36b0bcf8b03ffd8", "11965662e146d97d3fa3288e119aefb2", "b63d7ad26df026f6cca07eae14bb10a0ddb77f41", "d45b3f9d93171c29a51f9c8011cd61aa44fcb474d59a0b68181bb690dbbf2ef5", "vaccnavalcod.website", "mazzappa.fun", "ameripermanentno.website", "odichaly.space", "83.97.20.176", "452e969c51882628dac65e38aff0f8e5ebee6e6b", "lesti.net", "185.141.26.140", "449c1967d1708d7056053bedb9e45781", "1ab39f1c8fb3f2af47b877cafda4ee09374d7bd3", "c7da494880130cdb52bd75dae1556a78f2298a8cc9a2e75ece8a57ca290880d3", "45.147.229.157", "1580103814", "luckymouse", "emissary panda", "apt 27", "apt27", "a0e9f5d64349fb13191bc781f81f42e1", "3b5074b1b5d032e5620f69f9f700ff0e", "erik hjelmvik", "monday", "openssl", "michael", "bazaloader", "anchor", "alex", "header", "getoperandvalue", "win32", "build", "trickbot crews", "cs loader", "trickbots cs", "trickbots crew", "google drive", "hancitor c2", "icmp", "dcdomainname", "dclocal", "base", "cnbuiltin", "cnusers", "security groups", "bitcoin", "sage", "svchost", "bits", "beacon dll", "started service", "beacon payload", "process hacker", "sleepex", "identifies", "crph", "smadavprotect32", "cec list", "meeting", "dll library", "ta800", "nim programming", "nimzaloader", "doesn", "json object", "c url", "trustinfo", "displayname", "dpiaware", "anchordns", "enjoy", "nimrod", "gecko", "khtml", "offensivenim", "sharpkatz", "crypter", "done", "sprite spider", "carbon spider", "esxi", "spider", "defray777", "pyxie", "hypervisor", "defray", "ransomexx", "sekur", "anunak", "harpy", "griffon", "unc2198", "maze", "maze ransomware", "file transfer", "mouseisland", "koadic", "photoloader", "ocean lotus", "mac os", "kerrdown", "human", "kerrdown sample", "macho", "tcp port", "systembc", "http traffic", "hatching triage", "directory", "endpoint1", "ryuk threat", "raindrop", "teardrop", "decrypt", "raindrop loader", "name file", "pl shellcode", "funnyswitch", "chm file", "config", "frombase64", "azaz09", "nltest", "regwrite", "exitendifif", "sleep", "regsz", "stwashington", "lredmond", "dircreate", "protection", "defenderspynet", "john", "doublepulsar", "amadey", "zeppelin", "apt & targeted attacks", "earth wendigo", "service worker", "xss attack", "domain", "learn more", "ck technique", "techniques", "emerging threat", "solarwinds", "breach", "dora", "pioneer", "solarstorm", "cortex xdr", "iot security", "atom", "supernova", "yara", "snort", "gap analysis", "keefarce", "safetykatz", "gadgettojscript", "sharpzerologon", "tuesday", "qakbot binary", "qakbot malspam", "qakbot malware", "windows binary", "malspam", "egregor payload", "threat alert", "sekhmet", "platform", "monitoring", "chacha", "notpetya", "bad rabbit", "internet", "tls server", "tls client", "server hello", "ja3s", "hello packet", "apache", "random", "vatet", "localappdata", "epochtime", "rapid7", "cash", "logmein", "swift", "radmin", "bazar loader", "highest", "certificate", "issuer org", "over", "ryuk domain", "infrastructure", "namecheap", "ryuk host", "monovm", "olol", "gnu c", "o2 o2", "marchx8664 g", "g o2", "sttx", "ltexas", "ooffice", "name", "basecamp", "userinit", "hack", "snow", "apt19", "yara rule", "chimera", "pe header", "vhash", "lpwstr lpbuffer", "startw", "request", "netwalker", "neshta", "mailto", "thor", "xmrig", "teamt5", "threatsonar anti-ransomware", "threatsonar", "threatvision", "cyber espionage", "ransom virus", "tt", "cyber threat hunters", "cyber espionage solutions", "threat analysis service", "incident response", "investigation services", "threat intelligence", "md5 hash", "softether", "domain teamt5", "teamt5 teamt5", "plead", "pastebin", "travelex", "pos software", "gandcrab", "rat", "indigodrop", "msf shellcode", "msf downloader", "urlshxxp", "stages", "threatlabz", "india-china", "zscaler cloud", "dkmc framework", "gif header", "dkmc", "sandbox report", "publickey", "sandbox", "ntds", "beacon version", "console", "file creation", "file deletion", "rename", "or filefullname", "coronavirus", "tvrat", "gozi malware", "js file", "wscript", "msbuild", "msbuild project", "silent trinity", "threat grid", "lolbins", "cisco threat", "msbuild process", "naga", "trinity", "dos header", "sfx code", "sfx file", "export function", "mz header", "open process", "set current", "create", "apt2019", "2019 payload", "lnklnklnklnk", "1 docvbavbavba", "dllentry rat", "operation pawn", "storm", "midst intrusion", "pawn storm", "xtunnel", "hidedrv", "aurora", "blackshades", "conficker", "chapro", "dark comet", "dexter", "duqu", "gauss", "bridge", "hikit", "makadocs", "medre", "morto", "narilam", "onionduke", "rustock", "dorkbot", "spyeye", "stabuniq", "stuxnet", "tinba", "vobfus", "zeroaccess", "zeus", "zusy", "committee", "dnc network", "trump", "dnc hack", "donald trump", "neither", "general", "hill", "magazine", "mexico", "winids", "foozer", "downrage", "hydra", "remcom", "inc\\.", "bear", "wirelurker", "generic.933739", "python code", "zxkbdklakv", "seaduke", "cookie value", "bookmark server", "p4bnzr0", "duke" ], "references": [ "https://malcat.fr/blog/lnk-forensic-and-config-extraction-of-a-cobalt-strike-beacon/", "https://mp.weixin.qq.com/s/cGS8FocPnUdBconLbbaG-g", "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", "https://unit42.paloaltonetworks.com/bumblebee-malware-projector-libra/", "https://blog.talosintelligence.com/manjusaka-offensive-framework/", "https://cocomelonc.github.io/malware/2022/07/30/malware-av-evasion-8.html", "https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/", "https://www.trendmicro.com/en_us/research/22/g/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike.html", "https://blog.nviso.eu/2022/07/20/analysis-of-a-trojanized-jquery-script-gootloader-unleashed/", "https://cloud.google.com/blog/topics/threat-intelligence/spear-phish-ukrainian-entities/", "https://www.threatdown.com/blog/cobalt-strikes-again-uac-0056-continues-to-target-ukraine-in-its-latest-campaign/", "https://cert.gov.ua/article/703548", "https://cert-agid.gov.it/news/il-malware-envyscout-apt29-e-stato-veicolato-anche-in-italia/", "https://isc.sans.edu/diary/Emotet%20infection%20with%20Cobalt%20Strike/28824", "https://cert.gov.ua/article/619229", "https://ics-cert.kaspersky.com/publications/reports/2022/06/27/attacks-on-industrial-control-systems-using-shadowpad/", "https://blog.bushidotoken.net/2022/06/overview-of-russian-gru-and-svr.html", "https://blog.talosintelligence.com/avoslocker-new-arsenal/", "https://isc.sans.edu/diary/rss/28752", "https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html", "https://kienmanowar.wordpress.com/2022/06/04/quicknote-cobaltstrike-smb-beacon-analysis-2/", "https://cloud.google.com/blog/topics/threat-intelligence/unc2165-shifts-to-evade-sanctions", "https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis", "https://medium.com/walmartglobaltech/socgholish-campaigns-and-initial-access-kit-4c4283fea8ee", "https://thehackernews.com/2022/05/malware-analysis-trickbot.html", "https://www.sonatype.com/blog/new-pymafka-malicious-package-drops-cobalt-strike-on-macos-windows-linux", "https://asec.ahnlab.com/en/34549/", "https://isc.sans.edu/diary/Bumblebee+Malware+from+TransferXL+URLs/28664", "https://raw.githubusercontent.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/refs/heads/main/APT29_C2-Client_Dropbox_Loader/APT29-DropboxLoader_analysis.md", "https://redcanary.com/wp-content/uploads/2022/05/Gootloader.pdf", "https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf", "https://isc.sans.edu/diary/28636", "https://cocomelonc.github.io/tutorial/2022/05/09/malware-pers-4.html", "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", "https://unit42.paloaltonetworks.com/cobalt-strike-metadata-encoding-decoding/", "https://thehackernews.com/2022/05/this-new-fileless-malware-hides.html", "https://blog.talosintelligence.com/mustang-panda-targets-europe/", "https://securelist.com/a-new-secret-stash-for-fileless-malware/106393/", "https://security.macnica.co.jp/blog/2022/05/iso.html", "https://cloud.google.com/blog/topics/threat-intelligence/tracking-apt29-phishing-campaigns/", "https://documents.trendmicro.com/assets/txt/earth-berberoka-windows-iocs-2.txt", "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf", "https://cloud.google.com/blog/topics/threat-intelligence/unc2452-merged-into-apt29/", "https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/", "https://thedfirreport.com/2022/04/25/quantum-ransomware/", "https://www.morphisec.com/blog/vmware-identity-manager-attack-backdoor/", "https://cocomelonc.github.io/tutorial/2022/04/20/malware-pers-1.html", "https://www.varonis.com/blog/hive-ransomware-analysis", "https://www.sentinelone.com/blog/from-the-front-lines-peering-into-a-pysa-ransomware-attack/", "https://vanmieghem.io/blueprint-for-evading-edr-in-2022/", "https://www.cynet.com/blog/orion-threat-alert-flight-of-the-bumblebee/", "https://www.welivesecurity.com/2022/04/13/eset-takes-part-global-operation-disrupt-zloader-botnets/", "https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html", "https://github.com/infinitumitlabs/Karakurt-Hacking-Team-CTI", "https://cloud.google.com/blog/topics/threat-intelligence/evolution-of-fin7/", "https://www.sentinelone.com/blog/hive-ransomware-deploys-novel-ipfuscation-technique/", "https://medium.com/walmartglobaltech/cobaltstrike-uuid-stager-ca7e82f7bb64", "https://resource.redcanary.com/rs/003-YRU-314/images/2022_ThreatDetectionReport_RedCanary.pdf", "https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire", "https://unit42.paloaltonetworks.com/cobalt-strike-malleable-c2-profile/", "https://isc.sans.edu/diary/Qakbot+infection+with+Cobalt+Strike+and+VNC+activity/28448", "https://www.sentinelone.com/blog/threat-actor-uac-0056-targeting-ukraine-with-fake-translation-software/", "https://www.arashparsa.com/catching-a-malware-with-no-name/", "https://cert.gov.ua/article/37704", "https://cloud.google.com/blog/topics/threat-intelligence/apt41-us-state-governments/", "https://thedfirreport.com/2022/03/07/2021-year-in-review/", "https://www.cynet.com/security-foundations/attack-techniques/new-wave-of-emotet-when-project-x-turns-into-y/", "https://www.fortinet.com/blog/threat-research/nobelium-returns-to-the-political-world-stage", "https://cyber.wtf/2022/03/23/what-the-packer/", "https://www.esentire.com/blog/icedid-to-cobalt-strike-in-under-20-minutes", "https://asec.ahnlab.com/en/31811/", "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", "https://medium.com/walmartglobaltech/signed-dll-campaigns-as-a-service-7760ac676489", "https://www.cybereason.com/blog/research/threat-analysis-report-datoploader-exploits-proxyshell-to-deliver-qbot-and-cobalt-strike", "https://forensicitguy.github.io/inspecting-powershell-cobalt-strike-beacon/", "https://blog.sekoia.io/nobeliums-envyscout-infection-chain-goes-in-the-registry-targeting-embassies/", "https://www.crowdstrike.com/en-us/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/", "https://www.security.com/threat-intelligence/yanluowang-ransomware-attacks-continue", "https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/", "https://cloud.google.com/blog/topics/threat-intelligence/sabbath-ransomware-affiliate/", "https://blog.nviso.eu/2021/11/17/cobalt-strike-decrypting-obfuscated-traffic-part-4/", "https://www.trendmicro.com/en_gb/research/21/k/analyzing-proxyshell-related-incidents-via-trend-micro-managed-x.html", "https://www.truesec.com/hub/blog/proxyshell-qbot-and-conti-ransomware-combined-in-a-series-of-cyber-attacks", "https://www.threatdown.com/blog/a-multi-stage-powershell-based-attack-targets-kazakhstan/", "https://www.unh4ck.com/detection-engineering-and-threat-hunting/lateral-movement/detecting-conti-cobaltstrike-lateral-movement-techniques-part-1", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf", "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://www.security.com/threat-intelligence/harvester-new-apt-attacks-asia", "https://unit42.paloaltonetworks.com/bazarloader-network-reconnaissance/", "https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-part-2-a28bffffa671", "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/", "https://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/new-apt-group-chamelgang/#id3", "https://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/new-apt-group-chamelgang/", "https://www.cynet.com/security-foundations/attack-techniques/understanding-squirrelwaffle/", "https://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/", "https://blog.gigamon.com/2021/09/10/rendering-threats-a-network-perspective/", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf", "https://documents.trendmicro.com/assets/white_papers/wp-earth-baku-an-apt-group-targeting-indo-pacific-countries.pdf", "https://www.welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/", "https://istrosec.com/blog/apt-sk-cobalt/", "https://www.crowdstrike.com/en-us/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/", "https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/", "https://thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/", "https://securelist.com/apt-luminousmoth/103332/", "https://isc.sans.edu/diary/rss/27618", "https://www.gendigital.com/blog/insights/research/decoding-cobalt-strike-understanding-payloads", "https://www.gendigital.com/blog/insights/research/backdoored-client-from-mongolian-ca-monpass", "https://thedfirreport.com/2021/06/28/hancitor-continues-to-push-cobalt-strike/", "https://www.crowdstrike.com/en-us/blog/how-falcon-complete-disrupts-ecrime-operators-wizard-spider/", "https://thedfirreport.com/2021/06/20/from-word-to-lateral-movement-in-1-hour/", "https://cloud.google.com/blog/topics/threat-intelligence/darkside-affiliate-supply-chain-software-compromise", "https://www.sentinelone.com/labs/noblebaron-new-poisoned-installers-could-be-used-in-supply-chain-attacks/", "https://www.cisa.gov/news-events/analysis-reports/ar21-148a", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-148a", "https://www.lac.co.jp/lacwatch/report/20210521_002618.html", "https://www.ncsc.gov.ie/pdfs/HSE_Conti_140521_UPDATE.pdf", "https://www.guidepointsecurity.com/blog/from-zloader-to-darkside-a-ransomware-story/", "https://thedfirreport.com/2021/05/12/conti-ransomware/", "https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/", "https://cloud.google.com/blog/topics/threat-intelligence/shining-a-light-on-darkside-ransomware-operations/", "https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/", "https://blog.talosintelligence.com/lemon-duck-spreads-wings/", "https://thedfirreport.com/2021/05/02/trickbot-brief-creds-and-beacons/", "https://www.netresec.com/?page=Blog&month=2021-04&post=Analysing-a-malware-PCAP-with-IcedID-and-Cobalt-Strike-traff", "https://isc.sans.edu/diary/27308", "https://medium.com/walmartglobaltech/trickbot-crews-new-cobaltstrike-loader-32c72b78e81c", "https://unit42.paloaltonetworks.com/hancitor-infections-cobalt-strike/", "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", "https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures", "https://www.qurium.org/alerts/targeted-malware-against-crph/", "https://www.proofpoint.com/us/blog/threat-insight/nimzaloader-ta800s-new-initial-access-malware", "https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/", "https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-14cc543af811", "https://www.crowdstrike.com/en-us/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout", "https://cloud.google.com/blog/topics/threat-intelligence/melting-unc2198-icedid-to-ransomware-operations/", "https://raw.githubusercontent.com/AmnestyTech/investigations/refs/heads/master/2021-02-24_vietnam/README.md", "https://isc.sans.edu/diary/Excel+spreadsheets+push+SystemBC+malware/27060", "https://thedfirreport.com/2021/01/31/bazar-no-ryuk/", "https://www.security.com/threat-intelligence/solarwinds-raindrop-malware", "https://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/", "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/", "https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618", "https://www.trendmicro.com/en_us/research/21/a/earth-wendigo-injects-javascript-backdoor-to-service-worker-for-.html", "https://www.picussecurity.com/resource/blog/ttps-used-in-the-solarwinds-breach", "https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/", "https://unit42.paloaltonetworks.com/fireeye-red-team-tool-breach/", "https://isc.sans.edu/diary/rss/26862", "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf", "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf", "https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware", "https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a/", "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/", "https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/", "https://raw.githubusercontent.com/ThreatConnect-Inc/research-team/refs/heads/master/IOCs/WizardSpider-UNC1878-Ryuk.csv", "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", "https://cloud.google.com/blog/topics/threat-intelligence/kegtap-and-singlemalt-with-a-ransomware-chaser/", "https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/refs/heads/master/China/APT/Chimera/Analysis.md", "https://thedfirreport.com/2020/10/08/ryuks-return/", "https://thedfirreport.com/2020/08/31/netwalker-ransomware-in-1-hour/", "https://teamt5.org/tw/posts/mjib-holds-briefing-on-chinese-hackers-attacks-on-taiwanese-government-agencies/", "https://i.blackhat.com/USA-20/Thursday/us-20-Chen-Operation-Chimera-APT-Operation-Targets-Semiconductor-Vendors.pdf", "https://www.security.com/threat-intelligence/sodinokibi-ransomware-cobalt-strike-pos", "https://blog.talosintelligence.com/indigodrop-maldocs-cobalt-strike/", "https://www.zscaler.com/blogs/security-research/targeted-attack-leverages-india-china-border-dispute-lure-victims", "https://www.sentinelone.com/labs/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/", "https://thedfirreport.com/2020/04/24/ursnif-via-lolbins/", "https://blog.talosintelligence.com/building-bypass-with-msbuild/", "https://tccontre.blogspot.com/2019/11/cobaltstrike-beacondll-your-not.html", "https://web-assets.esetstatic.com/wls/2019/10/ESET_Operation_Ghost_Dukes.pdf", "https://mp.weixin.qq.com/s/xPsEXp2J5IE7wNSMEVC24A", "https://contagiodump.blogspot.com/2017/02/russian-apt-apt28-collection-of-samples.html", "https://www.cisa.gov/sites/default/files/publications/AR-17-20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity.pdf", "https://www.crowdstrike.com/en-us/blog/bears-midst-intrusion-democratic-national-committee/", "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf", "https://contagiodump.blogspot.com/2014/11/onionduke-samples.html", "https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/" ], "public": 1, "adversary": "Threat", "targeted_countries": [ "Czechia", "Ukraine", "Russian Federation", "Poland", "Belarus", "Lithuania", "Latvia", "Germany", "Pakistan", "Afghanistan", "Malaysia", "Greece", "Italy", "T\u00fcrkiye", "Portugal", "Brazil", "China", "Japan", "Korea, Republic of", "United States of America", "Mexico", "New Zealand", "Canada", "Georgia", "Iran, Islamic Republic of" ], "malware_families": [ { "id": "HandleRef", "display_name": "HandleRef", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Threat", "display_name": "Threat", "target": null }, { "id": "Primary Threat", "display_name": "Primary Threat", "target": null }, { "id": "BazarLoader", "display_name": "BazarLoader", "target": null }, { "id": "Bumblebee", "display_name": "Bumblebee", "target": null }, { "id": "ELF", "display_name": "ELF", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "Kronos", "display_name": "Kronos", "target": null }, { "id": "BEACON", "display_name": "BEACON", "target": null }, { "id": "MICROBACKDOOR", "display_name": "MICROBACKDOOR", "target": null }, { "id": "GRIMPLANT", "display_name": "GRIMPLANT", "target": null }, { "id": "GRAPHSTEEL", "display_name": "GRAPHSTEEL", "target": null }, { "id": "Shadowpad", "display_name": "Shadowpad", "target": null }, { "id": "PlugX", "display_name": "PlugX", "target": null }, { "id": "ShadowPad", "display_name": "ShadowPad", "target": null }, { "id": "Threat Analysis", "display_name": "Threat Analysis", "target": null }, { "id": "CredoMap", "display_name": "CredoMap", "target": null }, { "id": "StellarParticle", "display_name": "StellarParticle", "target": null }, { "id": "CozyBear", "display_name": "CozyBear", "target": null }, { "id": "Shadow Chaser", "display_name": "Shadow Chaser", "target": null }, { "id": "Raspberry Robin", "display_name": "Raspberry Robin", "target": null }, { "id": "RansomHub", "display_name": "RansomHub", "target": null }, { "id": "Cyclops", "display_name": "Cyclops", "target": null }, { "id": "FancyBear", "display_name": "FancyBear", "target": null }, { "id": "APT29", "display_name": "APT29", "target": null }, { "id": "AvosLocker", "display_name": "AvosLocker", "target": null }, { "id": "Matanbuchus", "display_name": "Matanbuchus", "target": null }, { "id": "HADES", "display_name": "HADES", "target": null }, { "id": "SocGholish NetSupport", "display_name": "SocGholish NetSupport", "target": null }, { "id": "SocGholish", "display_name": "SocGholish", "target": null }, { "id": "NetSupport", "display_name": "NetSupport", "target": null }, { "id": "Gold Blackburn", "display_name": "Gold Blackburn", "target": null }, { "id": "Conti", "display_name": "Conti", "target": null }, { "id": "Ryuk", "display_name": "Ryuk", "target": null }, { "id": "Trickbot", "display_name": "Trickbot", "target": null }, { "id": "Darkside", "display_name": "Darkside", "target": null }, { "id": "Win32.BitCoinMiner", "display_name": "Win32.BitCoinMiner", "target": null }, { "id": "Win32.Agent", "display_name": "Win32.Agent", "target": null }, { "id": "NbtScan", "display_name": "NbtScan", "target": null }, { "id": "Frp", "display_name": "Frp", "target": null }, { "id": "Pcap", "display_name": "Pcap", "target": null }, { "id": "BeaconLoader", "display_name": "BeaconLoader", "target": null }, { "id": "DoorMe", "display_name": "DoorMe", "target": null }, { "id": "Win API", "display_name": "Win API", "target": null }, { "id": "Generic.933739", "display_name": "Generic.933739", "target": null } ], "attack_ids": [], "industries": [ "Gas", "Government", "Defense", "Media", "Telecommunications", "Logistics", "Industrial", "Manufacturing", "Transport", "Transportation", "Diplomatic", "Foreign Affairs", "Academics", "Banking", "Aviation", "Political", "Energy", "Military", "Financial", "Legal", "Pharmaceutical", "Technology", "Aerospace" ], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "kikinumpav", "id": "385742", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3082, "FileHash-SHA1": 2478, "FileHash-SHA256": 4182, "URL": 3155, "CVE": 190, "SSLCertFingerprint": 41, "domain": 2991, "email": 58, "hostname": 2130, "YARA": 95 }, "indicator_count": 18402, "is_author": false, "is_subscribing": null, "subscriber_count": 15, "modified_text": "15 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d7a3f6f81dc2388c0fa027", "name": "VirusTotal report\n for flow-browser-main.zip", "description": "A sample of flow-browser-main, an unauthorised version of the web browser, has been detected by researchers at the University of California, Los Angeles, and the National Security Agency (NSA). myvzw.com after an email on ending a #", "modified": "2026-05-09T12:10:59.635000", "created": "2026-04-09T13:04:54.563000", "tags": [ "file type", "png image", "ascii", "ascii text", "java source", "json", "rgba", "creates", "crlf line", "mac os", "date", "malicious", "next", "button", "span", "edit3icon", "rotateccwicon", "xicon", "htmldivelement", "react", "saveicon", "null", "shortcutitem", "click", "zip archive", "png multimedia", "graphics" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739500&Signature=r1pLCgJf%2FQK8TvenCwXy9bnghFzjJ5QssdQSLP37SLv6EkA3WXuFUIvKrsXKokco7bMfQUy%2FArk8F6aP%2Bhaj16Jv7P%2FGB%2Blf7mPvs47VjwfBJRCP8AZLlWvO45%2BjC68v798csdJFPTP31O4yDOE3pXZ3EThm4nSrIwLPhTSPfi3cPlEh2wLSzcySW7BYLw%2BqCoawFCxeLUz7hIV0vC89Mlwi3DeS%2BEnWFF%2FsvT9lVJjdbLoJLEeO", "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739700&Signature=bOTo%2FxCpGDGOsIKJDZjBBhLZRg8UiOGi%2FvVr47Xpmh7tOh9dez7911bi%2F9SUdu4ATLhzRVog%2BdVP%2BUPwTuEfIdEcPuGRGVc1KOSP3fTQrKhRjF3x2dqykxVCH%2B1iqBmCgod%2B1uAdlraxqSOeOgst1l%2Bk250uXff4axktE%2BfGjeNDeGJao%2FfOMktqIL7zU8%2BIQYTObwelnnYx45FBSiXI1bWM4vhdgIX4cs2cT%2F" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 218, "FileHash-MD5": 558, "FileHash-SHA1": 564, "FileHash-SHA256": 558, "URL": 119, "hostname": 133, "email": 4 }, "indicator_count": 2154, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "22 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d7a3f683111bbbe1c9ae35", "name": "VirusTotal report\n for flow-browser-main.zip", "description": "A sample of flow-browser-main, an unauthorised version of the web browser, has been detected by researchers at the University of California, Los Angeles, and the National Security Agency (NSA). myvzw.com after an email on ending a #", "modified": "2026-05-09T12:10:59.635000", "created": "2026-04-09T13:04:54.775000", "tags": [ "file type", "png image", "ascii", "ascii text", "java source", "json", "rgba", "creates", "crlf line", "mac os", "date", "malicious", "next", "button", "span", "edit3icon", "rotateccwicon", "xicon", "htmldivelement", "react", "saveicon", "null", "shortcutitem", "click", "zip archive", "png multimedia", "graphics" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739500&Signature=r1pLCgJf%2FQK8TvenCwXy9bnghFzjJ5QssdQSLP37SLv6EkA3WXuFUIvKrsXKokco7bMfQUy%2FArk8F6aP%2Bhaj16Jv7P%2FGB%2Blf7mPvs47VjwfBJRCP8AZLlWvO45%2BjC68v798csdJFPTP31O4yDOE3pXZ3EThm4nSrIwLPhTSPfi3cPlEh2wLSzcySW7BYLw%2BqCoawFCxeLUz7hIV0vC89Mlwi3DeS%2BEnWFF%2FsvT9lVJjdbLoJLEeO", "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739700&Signature=bOTo%2FxCpGDGOsIKJDZjBBhLZRg8UiOGi%2FvVr47Xpmh7tOh9dez7911bi%2F9SUdu4ATLhzRVog%2BdVP%2BUPwTuEfIdEcPuGRGVc1KOSP3fTQrKhRjF3x2dqykxVCH%2B1iqBmCgod%2B1uAdlraxqSOeOgst1l%2Bk250uXff4axktE%2BfGjeNDeGJao%2FfOMktqIL7zU8%2BIQYTObwelnnYx45FBSiXI1bWM4vhdgIX4cs2cT%2F" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 218, "FileHash-MD5": 558, "FileHash-SHA1": 564, "FileHash-SHA256": 558, "URL": 119, "hostname": 133, "email": 4 }, "indicator_count": 2154, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "22 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d7a3f6657dd0c212d8344a", "name": "VirusTotal report\n for flow-browser-main.zip", "description": "A sample of flow-browser-main, an unauthorised version of the web browser, has been detected by researchers at the University of California, Los Angeles, and the National Security Agency (NSA). myvzw.com after an email on ending a #", "modified": "2026-05-09T12:10:59.635000", "created": "2026-04-09T13:04:54.060000", "tags": [ "file type", "png image", "ascii", "ascii text", "java source", "json", "rgba", "creates", "crlf line", "mac os", "date", "malicious", "next", "button", "span", "edit3icon", "rotateccwicon", "xicon", "htmldivelement", "react", "saveicon", "null", "shortcutitem", "click", "zip archive", "png multimedia", "graphics" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739500&Signature=r1pLCgJf%2FQK8TvenCwXy9bnghFzjJ5QssdQSLP37SLv6EkA3WXuFUIvKrsXKokco7bMfQUy%2FArk8F6aP%2Bhaj16Jv7P%2FGB%2Blf7mPvs47VjwfBJRCP8AZLlWvO45%2BjC68v798csdJFPTP31O4yDOE3pXZ3EThm4nSrIwLPhTSPfi3cPlEh2wLSzcySW7BYLw%2BqCoawFCxeLUz7hIV0vC89Mlwi3DeS%2BEnWFF%2FsvT9lVJjdbLoJLEeO", "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739700&Signature=bOTo%2FxCpGDGOsIKJDZjBBhLZRg8UiOGi%2FvVr47Xpmh7tOh9dez7911bi%2F9SUdu4ATLhzRVog%2BdVP%2BUPwTuEfIdEcPuGRGVc1KOSP3fTQrKhRjF3x2dqykxVCH%2B1iqBmCgod%2B1uAdlraxqSOeOgst1l%2Bk250uXff4axktE%2BfGjeNDeGJao%2FfOMktqIL7zU8%2BIQYTObwelnnYx45FBSiXI1bWM4vhdgIX4cs2cT%2F" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 217, "FileHash-MD5": 558, "FileHash-SHA1": 564, "FileHash-SHA256": 558, "URL": 118, "hostname": 133, "email": 2 }, "indicator_count": 2150, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "22 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d7a3f511d0121d253b753d", "name": "VirusTotal report\n for flow-browser-main.zip", "description": "A sample of flow-browser-main, an unauthorised version of the web browser, has been detected by researchers at the University of California, Los Angeles, and the National Security Agency (NSA). myvzw.com after an email on ending a #", "modified": "2026-05-09T12:10:59.635000", "created": "2026-04-09T13:04:53.436000", "tags": [ "file type", "png image", "ascii", "ascii text", "java source", "json", "rgba", "creates", "crlf line", "mac os", "date", "malicious", "next", "button", "span", "edit3icon", "rotateccwicon", "xicon", "htmldivelement", "react", "saveicon", "null", "shortcutitem", "click", "zip archive", "png multimedia", "graphics" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739500&Signature=r1pLCgJf%2FQK8TvenCwXy9bnghFzjJ5QssdQSLP37SLv6EkA3WXuFUIvKrsXKokco7bMfQUy%2FArk8F6aP%2Bhaj16Jv7P%2FGB%2Blf7mPvs47VjwfBJRCP8AZLlWvO45%2BjC68v798csdJFPTP31O4yDOE3pXZ3EThm4nSrIwLPhTSPfi3cPlEh2wLSzcySW7BYLw%2BqCoawFCxeLUz7hIV0vC89Mlwi3DeS%2BEnWFF%2FsvT9lVJjdbLoJLEeO", "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739700&Signature=bOTo%2FxCpGDGOsIKJDZjBBhLZRg8UiOGi%2FvVr47Xpmh7tOh9dez7911bi%2F9SUdu4ATLhzRVog%2BdVP%2BUPwTuEfIdEcPuGRGVc1KOSP3fTQrKhRjF3x2dqykxVCH%2B1iqBmCgod%2B1uAdlraxqSOeOgst1l%2Bk250uXff4axktE%2BfGjeNDeGJao%2FfOMktqIL7zU8%2BIQYTObwelnnYx45FBSiXI1bWM4vhdgIX4cs2cT%2F" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 224, "FileHash-MD5": 558, "FileHash-SHA1": 564, "FileHash-SHA256": 558, "URL": 140, "hostname": 166, "email": 2, "CVE": 8 }, "indicator_count": 2220, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "22 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d7a3f4d72c30f9586634b9", "name": "VirusTotal report\n for flow-browser-main.zip", "description": "A sample of flow-browser-main, an unauthorised version of the web browser, has been detected by researchers at the University of California, Los Angeles, and the National Security Agency (NSA). myvzw.com after an email on ending a #", "modified": "2026-05-09T12:10:59.635000", "created": "2026-04-09T13:04:52.444000", "tags": [ "file type", "png image", "ascii", "ascii text", "java source", "json", "rgba", "creates", "crlf line", "mac os", "date", "malicious", "next", "button", "span", "edit3icon", "rotateccwicon", "xicon", "htmldivelement", "react", "saveicon", "null", "shortcutitem", "click", "zip archive", "png multimedia", "graphics" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739500&Signature=r1pLCgJf%2FQK8TvenCwXy9bnghFzjJ5QssdQSLP37SLv6EkA3WXuFUIvKrsXKokco7bMfQUy%2FArk8F6aP%2Bhaj16Jv7P%2FGB%2Blf7mPvs47VjwfBJRCP8AZLlWvO45%2BjC68v798csdJFPTP31O4yDOE3pXZ3EThm4nSrIwLPhTSPfi3cPlEh2wLSzcySW7BYLw%2BqCoawFCxeLUz7hIV0vC89Mlwi3DeS%2BEnWFF%2FsvT9lVJjdbLoJLEeO", "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739700&Signature=bOTo%2FxCpGDGOsIKJDZjBBhLZRg8UiOGi%2FvVr47Xpmh7tOh9dez7911bi%2F9SUdu4ATLhzRVog%2BdVP%2BUPwTuEfIdEcPuGRGVc1KOSP3fTQrKhRjF3x2dqykxVCH%2B1iqBmCgod%2B1uAdlraxqSOeOgst1l%2Bk250uXff4axktE%2BfGjeNDeGJao%2FfOMktqIL7zU8%2BIQYTObwelnnYx45FBSiXI1bWM4vhdgIX4cs2cT%2F" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 220, "FileHash-MD5": 562, "FileHash-SHA1": 566, "FileHash-SHA256": 1011, "URL": 125, "hostname": 139, "email": 4 }, "indicator_count": 2627, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "22 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d79c38e0a059039b475ebe", "name": "CAPE Sandbox", "description": "Email today from them on my line. Very wild things happening here. trying to close my line", "modified": "2026-05-09T12:10:59.635000", "created": "2026-04-09T12:31:52.495000", "tags": [ "html document", "unicode text", "utf8 text", "crlf", "lf line", "site", "meta", "verizon", "wireless", "internet", "phone services", "official", "shop verizon", "lte network", "get fios", "title", "code", "error", "utc na", "utc google", "tag manager", "gtmw2vn2cq", "utc dc9849921", "utc dc685973", "utc g12r1dx1lx7", "utc aw647962234", "utc aw2761768", "utc aw685973", "verizon business", "verizon for business", "verizon business account", "verizon business phone", "verizon wireless for business", "verizon business service", "verizon business plan", "business internet services", "learn", "gartner", "contact", "find", "discover", "support", "close log", "shop", "upgrade", "small", "voice", "chat", "mitre attack", "network info", "program", "html page", "t1055 process", "overview", "processes extra", "overview zenbox", "verdict", "guest system", "phishing", "next", "ver2", "msclkidn", "utc amazon", "analytics na", "utc bing", "vids1", "vids0", "gdlname" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/edb4c21d60daa44b3429e7ba9bfa342759ebef23c136c934f74aef145453ce19_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775737365&Signature=S%2B7RcHYjab1hbKlKwFfvUbDirFPJS1A2TJQ3bVIObMcON4PD9pRDvhMtYMCnEBrYsICi0UJCFW5eUDolL5Jlbngsc587kF36vvuhlkPprbkSOY1jOyDTpe3Qsb6jRFz3xwOfZc9S5QervoLnRKb%2FyGSyZE6ZK6TxzBrOPczPtZ7sLf9NfD6E%2B2gMRXaRjEqVwVITLG7YqCiiNuohFOuNlK3uNHFpIk53viKvBSAIqLtSklH9bHW4q1DX", "https://www.verizon.com/business/", "https://vtbehaviour.commondatastorage.googleapis.com/edb4c21d60daa44b3429e7ba9bfa342759ebef23c136c934f74aef145453ce19_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775737710&Signature=fbsokraSd7lsYmUfaTEl8Phs2K3hp7AtVmQU9axeEBcYmYbrrYrrfpP5lPEQaE%2Fh3%2BEP9Rn8mD8D1haqQVXCN0VVlxJ4sddjWmyC5USsgBsvUb0%2F72h1WHDS2KXHlteZWE%2Bauckabain9D5kX501AnqFY38s77OIqO6SMOkQ%2BvXiDSSRK%2FZhbfradBnei3ZLHsXGxkoshTyvB0%2BC%2F8SiUzdVsqSjik0Bn2r%2BIlLpDQK90GlZTD0N" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 772, "hostname": 706, "domain": 875, "FileHash-SHA256": 2348, "FileHash-MD5": 2237, "FileHash-SHA1": 2260, "CVE": 1, "email": 9 }, "indicator_count": 9208, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "22 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d4f2d9ce86a445b484593b", "name": "VirusTotal report\n for sample.crx", "description": "A small sample of malware has been identified by researchers at the University of Oregon in the US, and the results are published on the web, as well as on Google's Chrome extension and other sites.", "modified": "2026-05-07T12:05:50.774000", "created": "2026-04-07T12:04:41.097000", "tags": [ "file type", "json", "ascii text", "png image", "crlf line", "ascii", "rgba", "unicode text", "utf8 text", "defense evasion", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 668, "FileHash-MD5": 668, "FileHash-SHA1": 675, "URL": 153, "domain": 230, "hostname": 177, "email": 2 }, "indicator_count": 2573, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "24 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d4f2dd828bbf0ac5efaa23", "name": "VirusTotal report\n for sample.crx", "description": "A small sample of malware has been identified by researchers at the University of Oregon in the US, and the results are published on the web, as well as on Google's Chrome extension and other sites.", "modified": "2026-05-07T12:05:50.774000", "created": "2026-04-07T12:04:44.957000", "tags": [ "file type", "json", "ascii text", "png image", "crlf line", "ascii", "rgba", "unicode text", "utf8 text", "defense evasion", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 668, "FileHash-MD5": 668, "FileHash-SHA1": 675, "URL": 153, "domain": 230, "hostname": 177, "email": 2 }, "indicator_count": 2573, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "24 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d4f2db0b3448671adcce16", "name": "VirusTotal report\n for sample.crx", "description": "A small sample of malware has been identified by researchers at the University of Oregon in the US, and the results are published on the web, as well as on Google's Chrome extension and other sites.", "modified": "2026-05-07T12:05:50.774000", "created": "2026-04-07T12:04:43.156000", "tags": [ "file type", "json", "ascii text", "png image", "crlf line", "ascii", "rgba", "unicode text", "utf8 text", "defense evasion", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 668, "FileHash-MD5": 668, "FileHash-SHA1": 675, "URL": 153, "domain": 230, "hostname": 177, "email": 2 }, "indicator_count": 2573, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "24 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "value.name", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "value.name", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780262102.364488 }