From d03f9395c1353c8dea9c1a2e29b3a8fa958b6be5 Mon Sep 17 00:00:00 2001 From: Jieyab89 Date: Fri, 8 May 2026 01:25:53 +0700 Subject: [PATCH] audit 1 --- .../OSINT/Darkweb-Intel/SKILL.md | 229 ------------- .../references/breach-leak-intel.md | 276 --------------- .../references/crypto-tracing.md | 249 -------------- .../references/cti-feeds-platforms.md | 319 ------------------ .../references/darkweb-search.md | 212 ------------ .../references/malware-ioc-intel.md | 281 --------------- .../Darkweb-Intel/references/opsec-darkweb.md | 277 --------------- .../references/osint-darkweb-intel.skill | Bin 35240 -> 0 bytes .../references/paste-leak-monitoring.md | 263 --------------- .../references/ransomware-tracking.md | 237 ------------- .../references/threat-actor-profiling.md | 247 -------------- Jieyab-Claude-Skills/README.md | 14 +- README.md | 1 + 13 files changed, 4 insertions(+), 2601 deletions(-) delete mode 100644 Jieyab-Claude-Skills/OSINT/Darkweb-Intel/SKILL.md delete mode 100644 Jieyab-Claude-Skills/OSINT/Darkweb-Intel/references/breach-leak-intel.md delete mode 100644 Jieyab-Claude-Skills/OSINT/Darkweb-Intel/references/crypto-tracing.md delete mode 100644 Jieyab-Claude-Skills/OSINT/Darkweb-Intel/references/cti-feeds-platforms.md delete mode 100644 Jieyab-Claude-Skills/OSINT/Darkweb-Intel/references/darkweb-search.md delete mode 100644 Jieyab-Claude-Skills/OSINT/Darkweb-Intel/references/malware-ioc-intel.md delete mode 100644 Jieyab-Claude-Skills/OSINT/Darkweb-Intel/references/opsec-darkweb.md delete mode 100644 Jieyab-Claude-Skills/OSINT/Darkweb-Intel/references/osint-darkweb-intel.skill delete mode 100644 Jieyab-Claude-Skills/OSINT/Darkweb-Intel/references/paste-leak-monitoring.md delete mode 100644 Jieyab-Claude-Skills/OSINT/Darkweb-Intel/references/ransomware-tracking.md delete mode 100644 Jieyab-Claude-Skills/OSINT/Darkweb-Intel/references/threat-actor-profiling.md 
diff --git a/Jieyab-Claude-Skills/OSINT/Darkweb-Intel/SKILL.md b/Jieyab-Claude-Skills/OSINT/Darkweb-Intel/SKILL.md deleted file mode 100644 index fcd5a1b..0000000 --- a/Jieyab-Claude-Skills/OSINT/Darkweb-Intel/SKILL.md +++ /dev/null 
@@ -1,229 +0,0 @@ ---- -name: osint-darkweb-intel -description: > - Comprehensive guide for Dark Web OSINT Intelligence — monitoring threat actor activity, - ransomware group tracking, leak site enumeration, IOC collection from dark web sources, - breach data discovery, paste site monitoring, CTI (Cyber Threat Intelligence) from - underground forums, cryptocurrency transaction tracing, and dark web search techniques. - All methods are PASSIVE and use publicly accessible intelligence feeds, clearnet proxies, - and monitoring services — no illegal access required. Use this skill WHENEVER the user - asks about dark web monitoring, threat intel, ransomware tracking, underground forum - intelligence, dark web OSINT, CTI from dark sources, leak site monitoring, stealer - log analysis, threat actor profiling, or any investigation involving dark web content. ---- - -# OSINT Dark Web Intelligence Skill - -> **Credits**: Tool references and methodology sourced from the -> [OSINT Cheat Sheet](https://github.com/Jieyab89/OSINT-Cheat-sheet) by -> **[Jieyab89](https://github.com/Jieyab89)** — a comprehensive, community-driven -> OSINT resource covering tools, datasets, techniques, and tips for security -> researchers, journalists, investigators, and CTF players. All credit for the -> tool collection goes to him. Please use responsibly and wisely. - -This skill covers **passive** dark web intelligence gathering — all techniques -access dark web content through clearnet proxies, monitoring services, aggregators, -and indexed feeds. **No Tor browser required for most techniques.** - -> ⚠️ **Ethics & Legal Notice** -> - Use ONLY for legitimate purposes: threat intelligence, authorized research, -> investigative journalism, incident response, CTF, and law enforcement support -> - Do NOT join, register, purchase, or interact with criminal forums/markets -> - Do NOT facilitate, assist, or enable any illegal activity -> - Comply with local law: Indonesia UU ITE, US CFAA 18 U.S.C. 
§ 1030, EU GDPR -> - Use a sandbox VM + VPN for any active browsing; never from your real identity -> - Following Jieyab89's tip: use fake accounts, sandbox machines, enable AV/firewall - ---- - -## INTELLIGENCE MODULES — Read Reference Files as Needed - -| Module | Reference File | When to Use | -|--------|---------------|-------------| -| Dark Web Search & Indexing | `references/darkweb-search.md` | Search dark web content from clearnet | -| Ransomware Group Tracking | `references/ransomware-tracking.md` | Monitor ransomware gangs, victim lists | -| Breach & Leak Intelligence | `references/breach-leak-intel.md` | Breach forums, stealer logs, dump sites | -| Threat Actor Profiling | `references/threat-actor-profiling.md` | APT groups, TTPs, attribution | -| Cryptocurrency Tracing | `references/crypto-tracing.md` | Trace crypto payments, wallet clustering | -| Malware & IOC Intelligence | `references/malware-ioc-intel.md` | Malware samples, C2, IOC feeds | -| CTI Feeds & Platforms | `references/cti-feeds-platforms.md` | Threat intel feeds, MISP, OTX, etc. | -| Paste & Leak Monitoring | `references/paste-leak-monitoring.md` | Monitor paste sites and public leaks | -| OPSEC for Dark Web OSINT | `references/opsec-darkweb.md` | Safe investigation procedures | - ---- - -## INVESTIGATION WORKFLOW - -### Phase 1 — Define Intelligence Requirement - -Before starting, clarify: -1. **Target**: Threat actor? Ransomware group? Specific breach? Organization exposure? -2. **Type**: Passive monitoring? Historical research? Incident response? -3. **Timeframe**: Recent (last 30 days)? Historical? Ongoing? -4. **Output**: IOC list? Threat report? Executive summary? Timeline? - -### Phase 2 — Clearnet First (Safe, No Tor Needed) - -``` -Start with public intelligence aggregators: - -1. Search dark web indexes (Ahmia, DarkSearch via clearnet) -2. Check ransomware tracking dashboards -3. Query breach/leak intelligence platforms -4. Pull IOC feeds from threat intel services -5. 
Check paste site aggregators -6. Query cryptocurrency explorer (if financial traces needed) -7. Cross-reference APT group databases -``` - -### Phase 3 — Specialized Intelligence Platforms - -``` -8. Stealthmole / Flare / Recorded Future (commercial dark web monitoring) -9. Hudson Rock (stealer log intelligence) -10. IntelX (dark web indexed content) -11. DeepDark CTI feeds -12. Ransomware.live / ransomwatch (gang tracking) -``` - -### Phase 4 — Structured Report - -``` -INTELLIGENCE REPORT -=================== -Date : [date] -Target / Actor : [name / group] -Confidence : [Low / Medium / High] - -[EXECUTIVE SUMMARY] - -[ACTOR PROFILE] - - Known aliases - - Affiliated groups - - TTPs (MITRE ATT&CK) - - Active since - -[TECHNICAL INDICATORS] - - IOCs (IPs, domains, hashes, URLs) - - Malware families - - Infrastructure - -[DARK WEB PRESENCE] - - Forums mentioned - - Leak sites - - Victim claims - -[CRYPTOCURRENCY] - - Wallet addresses - - Transaction patterns - -[TIMELINE OF ACTIVITY] - -[SOURCES] - -[RECOMMENDED ACTIONS] -``` - ---- - -## QUICK REFERENCE — Clearnet Dark Web Intelligence - -### Dark Web Search (No Tor Required) -``` -https://ahmia.fi → Tor hidden service search engine -https://darksearch.io → Dark web search engine (clearnet) -https://www.osintframework.com → OSINT framework with dark web section -https://osint.rocks → Multi-source OSINT including dark sources -``` - -### Ransomware Tracking -``` -https://www.ransomware.live → Live ransomware victim tracker -https://ransomwatch.telemetry.ltd → Ransomwatch group monitoring -https://www.ransom-db.com → Ransomware database -https://ransom.privtools.eu → Ransomware posts aggregator -https://id-ransomware.malwarehunterteam.com → Ransomware identification -https://www.nomoreransom.org → Decryption tools -https://watchguard.com/wgrd-security-hub/ransomware-tracker → Watchguard tracker -``` - -### Breach & Leak Intelligence -``` -https://intelx.io → Intelligence X (dark web indexed) 
-https://breachdirectory.org → Breach directory -https://search.0t.rocks → Open breach database -https://leakix.net → Exposed service & leak intelligence -https://www.hudsonrock.com/threat-intelligence-cybercrime-tools → Stealer intel -https://whiteintel.io → Stealer log intelligence -https://breach.house → Stealer/breach aggregator -``` - -### CTI Platforms -``` -https://otx.alienvault.com → AlienVault OTX (free, community) -https://www.talosintelligence.com → Cisco Talos -https://pulsedive.com → Pulsedive CTI -https://www.threatminer.org → ThreatMiner -https://threatfox.abuse.ch → ThreatFox IOC database -https://www.virustotal.com → VirusTotal intelligence -https://malpedia.caad.fkie.fraunhofer.de → Malware encyclopedia -https://attack.mitre.org → MITRE ATT&CK framework -``` - -### Malware & IOC Feeds -``` -https://bazaar.abuse.ch/browse → MalwareBazaar samples -https://urlhaus.abuse.ch → Malicious URL feed -https://threatfox.abuse.ch → IOC feed -https://vx-underground.org → Malware sample archive -https://malpedia.caad.fkie.fraunhofer.de → Malware families -https://www.malware-traffic-analysis.net → PCAP & malware traffic analysis -``` - -### Crypto Tracing -``` -https://www.blockchain.com/explorer → Bitcoin explorer -https://etherscan.io → Ethereum explorer -https://www.arkham.io → Crypto intelligence (Jieyab89's tip) -https://explorer.btc.com → BTC explorer -https://tronscan.org → TRON explorer -https://breadcrumbs.app → Crypto wallet graph -``` - ---- - -## OPSEC QUICK CHECKLIST - -- [ ] Use isolated sandbox VM (not your main machine) -- [ ] Route through VPN before any browsing -- [ ] Use Tor Browser for any .onion access (separate from daily browser) -- [ ] Use fake/throwaway accounts — never your real identity -- [ ] Enable antivirus + firewall on sandbox -- [ ] Do not download files from dark web to your host machine -- [ ] Do not screenshot content that could identify you -- [ ] Never interact with, purchase from, or register on criminal forums -- [ ] 
Keep notes in encrypted container (VeraCrypt recommended) -- [ ] Disconnect VM from network when not actively investigating - ---- - -## REFERENCE FILES - -Load relevant reference based on investigation type: - -- `references/darkweb-search.md` → Search & indexing techniques -- `references/ransomware-tracking.md` → Ransomware group intelligence -- `references/breach-leak-intel.md` → Breach & stealer log analysis -- `references/threat-actor-profiling.md` → APT/actor attribution & TTPs -- `references/crypto-tracing.md` → Cryptocurrency transaction analysis -- `references/malware-ioc-intel.md` → Malware samples & IOC collection -- `references/cti-feeds-platforms.md` → CTI platforms & feed integration -- `references/paste-leak-monitoring.md` → Paste & public leak monitoring -- `references/opsec-darkweb.md` → Full OPSEC procedures - ---- - -*Tool list and methodology sourced from the -[OSINT Cheat Sheet](https://github.com/Jieyab89/OSINT-Cheat-sheet) -by [Jieyab89](https://github.com/Jieyab89). -Use responsibly, ethically, and legally.* diff --git a/Jieyab-Claude-Skills/OSINT/Darkweb-Intel/references/breach-leak-intel.md b/Jieyab-Claude-Skills/OSINT/Darkweb-Intel/references/breach-leak-intel.md deleted file mode 100644 index c261dff..0000000 --- a/Jieyab-Claude-Skills/OSINT/Darkweb-Intel/references/breach-leak-intel.md +++ /dev/null 
@@ -1,276 +0,0 @@ -# Breach & Leak Intelligence - -> *Tools sourced from [OSINT Cheat Sheet](https://github.com/Jieyab89/OSINT-Cheat-sheet) by [Jieyab89](https://github.com/Jieyab89)* - -## Objective -Identify, analyze, and monitor data breaches and leaks related to a target — -including credential dumps, database leaks, stealer logs, and sensitive document -disclosures originating from dark web sources. All via clearnet services. - ---- - -## 1. Breach Search Platforms - -### HaveIBeenPwned (HIBP) -``` -https://haveibeenpwned.com → Single email check -https://haveibeenpwned.com/DomainSearch → All emails at a domain (verify ownership) - -# API -curl -s "https://haveibeenpwned.com/api/v3/breachedaccount/user@target.com" \ - -H "hibp-api-key: YOUR_KEY" \ - -H "User-Agent: investigator-tool" | python3 -m json.tool - -# List all known breaches -curl -s "https://haveibeenpwned.com/api/v3/breaches" | \ - python3 -c "import sys,json; [print(b['Name'],'|',b['BreachDate'],'|',b['PwnCount']) for b in json.load(sys.stdin)]" -``` - -### Intelligence X -``` -https://intelx.io/?s=target.com -https://intelx.io/?s=email@target.com -https://intelx.io/?s=TARGET_IP - -# Indexes: Tor, I2P, paste sites, public leaks, documents, dark web forums -# Historical search — finds content from years back -# API (paid plan for full access) -curl -X POST "https://2.intelx.io/intelligent/search" \ - -H "x-key: YOUR_API_KEY" \ - -H "Content-Type: application/json" \ - -d '{"term":"target.com","maxresults":10,"media":0,"target":0,"timeout":10}' -``` - -### Breach Directory -``` -https://breachdirectory.org -https://search.0t.rocks -https://osintleak.com -https://leakcheck.io → Free tier available -https://snusbase.com → Paid -https://dehashed.com → Paid, limited free -https://leakpeek.com -https://9ghz.com -https://weleakinfo.io -https://leakradar.io -https://exposed.lol -https://bf.based.re → BF database search -https://osintleak.com -``` - ---- - -## 2. 
Stealer Log Intelligence - -Malware stealers (RedLine, Raccoon, Vidar, etc.) exfiltrate browser credentials, -cookies, crypto wallets. Their dumps appear on dark web markets and Telegram channels. - -### Clearnet Monitoring Services -``` -https://www.hudsonrock.com/threat-intelligence-cybercrime-tools -# Free search: enter domain to see if employee credentials were stolen -# by info-stealers and circulating in criminal markets - -https://whiteintel.io -# Stealer log intelligence platform -# Check if domain credentials appear in stealer data - -https://breach.house/all_stealers -# Aggregated stealer data viewer - -https://www.infostealers.com -# Infostealer intelligence and research -``` - -### Hudson Rock — Free Domain Check -```python -import requests - -domain = "target.com" -url = f"https://cavalier.hudsonrock.com/api/json/v2/osint-tools/search-by-domain?domain={domain}" -headers = {"User-Agent": "osint-research/1.0"} -resp = requests.get(url, headers=headers) -data = resp.json() - -print(f"Employees in stealer logs: {data.get('total_employees', 0)}") -print(f"Users in stealer logs: {data.get('total_users', 0)}") -``` - ---- - -## 3. 
Paste Site Monitoring - -Breached data often first appears on paste sites before being sold: - -``` -# Search -https://pastebin.com/search?q=target.com -https://psbdmp.ws → Pastebin dump search -https://cybdetective.com/pastebin.html → Multi-paste aggregator - -# Google dorks for paste sites -site:pastebin.com "target.com" -site:pastebin.com "@target.com" password OR credentials OR dump -site:pastebin.com "target.com" database -site:gist.github.com "target.com" password -site:paste.centos.org "target.com" -site:justpaste.it "target.com" - -# Telegra.ph (Telegram's paste service) -site:telegra.ph "target.com" -``` - -### Automated Paste Monitoring -```python -import requests, time - -def monitor_pastebin(keyword, interval=300): - """Poll Pastebin scraping API for keyword matches""" - seen = set() - while True: - try: - # Pastebin scraping API (requires Pastebin Pro) - r = requests.get("https://scrape.pastebin.com/api_scraping.php?limit=100") - pastes = r.json() - for paste in pastes: - pid = paste["key"] - if pid in seen: - continue - seen.add(pid) - content = requests.get(f"https://scrape.pastebin.com/api_scrape_item.php?i={pid}").text - if keyword.lower() in content.lower(): - print(f"[MATCH] https://pastebin.com/{pid}") - except Exception as e: - print(f"Error: {e}") - time.sleep(interval) -``` - ---- - -## 4. 
Dark Web Breach Forum Intelligence (Clearnet Monitoring) - -Monitor without directly accessing forums: - -``` -# DDO Secrets — public leak publishing -https://ddosecrets.com/wiki/Distributed_Denial_of_Secrets -# Contains government, corporate, and organizational leaks -# Accessible via clearnet - -# Breach House -https://breach.house -# Aggregates publicly known breach data - -# LeakIX — exposed services that may lead to breaches -https://leakix.net -# Indexes exposed databases, services, and leaked data - -# Commercial dark web monitoring (passive intelligence) -https://www.stealthmole.com → Dark web tracker -https://flare.io → Dark web monitoring platform -https://cyble.com → Cyble threat intelligence -https://cybersixgill.com → Deep/dark web intelligence -https://darktrace.com → AI-powered dark web monitoring -https://darkradar.io → Dark radar -``` - ---- - -## 5. Database Leak Analysis - -When a leak dataset is available for analysis: - -```python -import gzip, json - -def analyze_leak(filepath, search_term): - """Search a leak file for specific term""" - opener = gzip.open if filepath.endswith('.gz') else open - mode = 'rt' if filepath.endswith('.gz') else 'r' - - matches = [] - with opener(filepath, mode, encoding='utf-8', errors='ignore') as f: - for i, line in enumerate(f): - if search_term.lower() in line.lower(): - matches.append({"line": i, "content": line.strip()}) - return matches - -# Example usage -results = analyze_leak("breach_dump.txt", "target.com") -for r in results[:10]: - print(r) -``` - -### Common Leak File Formats -``` -Format 1 — email:password - user@domain.com:Password123 - -Format 2 — email:hash - user@domain.com:5f4dcc3b5aa765d61d8327deb882cf99 - -Format 3 — JSON structured - {"email":"user@domain.com","password":"...","name":"..."} - -Format 4 — SQL dump - INSERT INTO users VALUES (1,'user@domain.com','hash','name'); -``` - ---- - -## 6. 
COMB & Large Dataset Search - -``` -https://proxynova.com/tools/comb/ -# Search in "Collection of Many Breaches" — 3.2B+ records -# Free search by email or domain - -https://www.proxynova.com/tools/comb/ -# Alternative mirror -``` - ---- - -## 7. Library of Leaks - -``` -https://search.libraryofleaks.org -# Searchable archive of public leaks -# Includes: Wikileaks, Panama Papers, Pandora Papers, etc. - -https://aleph.occrp.org -# OCCRP's investigative data platform -# Leaked documents, corporate records, court data -# Used by professional investigative journalists -``` - ---- - -## Analyzing a Breach Report - -When you find a breach record, extract: - -``` -1. Breach date → When did it occur vs. when discovered? -2. Data types exposed → Passwords? PII? Financial? Health? -3. Number of records → Scale of exposure -4. Source → Which company/service was breached? -5. Format → Plaintext passwords = high risk -6. Validation → Cross-check against HIBP for confirmation -7. Related breaches → Same actor? Same infrastructure? -``` - ---- - -## Tips - -- **Hudson Rock free tool** is one of the most powerful for corporate exposure assessment -- **IntelX** has the deepest dark web index — essential for any serious investigation -- **DDO Secrets** is the best clearnet source for large-scale organizational leaks -- **HIBP Domain Search** requires ownership verification — useful for incident responders -- Always **validate** breach data before reporting — not all claimed breaches are real -- **Stealer logs** are more dangerous than traditional breaches — they include live session cookies - ---- - -*Reference: [OSINT Cheat Sheet — Data Breached OSINT section](https://github.com/Jieyab89/OSINT-Cheat-sheet) by [Jieyab89](https://github.com/Jieyab89)* diff --git a/Jieyab-Claude-Skills/OSINT/Darkweb-Intel/references/crypto-tracing.md b/Jieyab-Claude-Skills/OSINT/Darkweb-Intel/references/crypto-tracing.md deleted file mode 100644 index cf514a4..0000000 
--- a/Jieyab-Claude-Skills/OSINT/Darkweb-Intel/references/crypto-tracing.md +++ /dev/null 
@@ -1,249 +0,0 @@ -# Cryptocurrency Transaction Tracing - -> *Tools sourced from [OSINT Cheat Sheet](https://github.com/Jieyab89/OSINT-Cheat-sheet) by [Jieyab89](https://github.com/Jieyab89)* - -## Objective -Trace cryptocurrency payments associated with ransomware, dark web markets, -extortion, and other illicit activity — using public blockchain explorers, -graph analysis tools, and exchange intelligence. - -> **Note**: All tools listed here use publicly available blockchain data. -> Blockchain transactions are fully public — tracing is legal OSINT. -> Do not attempt to seize, redirect, or interfere with any funds. - ---- - -## 1. Blockchain Explorers (Per Chain) - -### Bitcoin (BTC) -``` -https://www.blockchain.com/explorer → General purpose BTC explorer -https://explorer.btc.com → BTC explorer -https://mempool.space → Mempool + UTXO explorer (very detailed) -https://blockchair.com/bitcoin → Multi-chain explorer with analytics -https://btcscan.org → Clean BTC scanner - -# Search by: wallet address, TXID, block number -``` - -### Ethereum (ETH) & ERC-20 -``` -https://etherscan.io → Standard ETH explorer -https://etherscam.com → Known scam addresses -https://blocksec.com → Blockchain security analytics -``` - -### Monero (XMR) — Privacy Coin (Limited Tracing) -``` -https://xmrchain.net → Monero explorer (limited, privacy-focused) -# Note: Monero is designed for privacy — tracing is very limited -# Ring signatures and stealth addresses obscure sender/receiver -``` - -### USDT / Tron (TRC-20) -``` -https://tronscan.org → TRON/USDT TRC-20 explorer -# Popular in ransomware payments and dark web markets -``` - -### Other Chains -``` -https://blockchair.com → Multi-chain: BTC, ETH, BCH, LTC, etc. -https://www.coingecko.com → Market data + contract addresses -``` - ---- - -## 2. 
Crypto Intelligence Platforms - -### Arkham Intelligence -``` -# From Jieyab89's OSINT Cheat Sheet tips -https://platform.arkhamintelligence.com - -# Features: -# - Wallet entity labeling (exchange, mixer, ransomware group, etc.) -# - Transaction graph visualization -# - Portfolio tracking -# - On-chain intelligence with AI entity identification -# - Links wallets to known entities (Binance, Coinbase, dark web markets) -``` - -### Breadcrumbs -``` -https://breadcrumbs.app -# Free crypto investigation tool -# Visual graph: trace funds through multiple hops -# Label known entities (exchanges, mixing services) -# Export graph for reports - -# How to use: -# 1. Input wallet address -# 2. Click "Investigate" -# 3. Expand transaction nodes -# 4. Look for connections to labeled entities (exchanges = on/off ramps) -``` - -### Crystal Blockchain (Commercial) -``` -https://crystalblockchain.com -# Professional-grade crypto tracing -# Used by law enforcement and compliance teams -# Risk scoring for wallet addresses -``` - -### Chainalysis (Commercial, Free Tools Available) -``` -https://www.chainalysis.com -# Industry standard for crypto compliance and investigations -# Free tool: https://www.chainalysis.com/free-cryptocurrency-sanctions-screening-tools/ -``` - ---- - -## 3. 
Ransomware Wallet Tracking - -Known ransomware wallets are often publicly documented: - -``` -# Ransomwhere — ransomware payment tracker -https://ransomwhe.re -https://ransomwhe.re/browse → Browse reported ransomware payments - -# From Jieyab89's Dataset list: -# "Browse ransomware data" → https://ransomwhe.re/#report - -# Features: -# - Known ransomware payment addresses -# - Total amounts paid per group -# - Timeline of payments -# - Submit newly discovered wallets -``` - -### Searching Ransomware Wallets -```python -import requests - -def check_ransomwhere(address): - """Check if a Bitcoin address appears in ransomwhere.re""" - url = f"https://api.ransomwhe.re/export" - resp = requests.get(url) - data = resp.json() - for entry in data.get("result", []): - if address in entry.get("address", ""): - return entry - return None - -# Usage -result = check_ransomwhere("1BitcoinAddressHere") -if result: - print(f"Ransomware family: {result.get('family')}") - print(f"Total received: {result.get('balance')} BTC") -``` - ---- - -## 4. Blockchain Analytics Techniques - -### Address Clustering -Multiple addresses controlled by same entity are often linked through: -- Common-input ownership (UTXO model) -- Change address patterns -- Timing correlation -- Dust attacks - -``` -# Blockchair supports basic clustering -https://blockchair.com/bitcoin/address/ADDRESS#cluster - -# OXT — Bitcoin UTXO analytics -https://oxt.me/address/BITCOIN_ADDRESS -# Shows: cluster, related addresses, entity if known -``` - -### Following the Money (Step-by-Step) -``` -1. Get starting address (from ransom note, report, payment screenshot) -2. Open in mempool.space or blockchain.com -3. Trace outgoing transactions -4. Look for consolidation points (many inputs → one output = aggregation wallet) -5. Check if final destination is a labeled exchange -6. Large exchange deposit → potential KYC record exists -7. Check Arkham/Breadcrumbs for entity labels -8. 
Cross-reference with known ransomware wallet databases -``` - -### Mixer / Tumbler Detection -``` -Indicators of mixing services: -- Many equal-value outputs (e.g., 10x 0.1 BTC) -- Coinjoin transactions (many inputs, many outputs, equal amounts) -- Wasabi Wallet patterns -- Known mixer addresses: - -# Sanction screening (OFAC SDN list) -https://sanctionssearch.ofac.treas.gov -# Check if wallet is under US Treasury sanctions (many ransomware wallets are) - -# Chainalysis free screening -https://www.chainalysis.com/free-cryptocurrency-sanctions-screening-tools/ -``` - ---- - -## 5. OFAC Sanctioned Crypto Addresses - -Many ransomware operators have sanctioned wallets: - -``` -https://sanctionssearch.ofac.treas.gov -# US Treasury Office of Foreign Assets Control -# Search: individual name, entity name, or cryptocurrency address - -# Also check: -https://home.treasury.gov/policy-issues/financial-sanctions/recent-actions -# Latest sanction actions — often includes crypto wallet addresses - -# Blockchain analytics APIs that include OFAC checks: -https://www.chainalysis.com -https://crystalblockchain.com -``` - ---- - -## 6. 
Exchange Intelligence - -When funds reach an exchange, there may be a KYC record: - -``` -# Identify exchange from address -https://www.blockchain.com/explorer → Tagged addresses -https://blockchair.com → Entity labels -https://arkhamintelligence.com → Exchange identification - -# Known exchange deposit address patterns: -# - Binance: cluster of many deposit addresses pointing to hot wallet -# - Coinbase: tagged in blockchain.com -# - Kraken: similar clustering patterns - -# If you identify an exchange: -# → Law enforcement can subpoena KYC records -# → Document the evidence trail before reporting -``` - ---- - -## Tips - -- **Breadcrumbs** is the best free visual tool for quick crypto tracing -- **Arkham** is most powerful for entity identification — often labels wallets automatically -- **Mempool.space** gives the deepest BTC UTXO analysis for free -- **Ransomwhe.re** is the definitive database of known ransomware payment addresses -- **Always document** wallet addresses, transaction IDs, and block heights for evidence -- **Monero** tracing is severely limited by design — pivot to any BTC payments instead -- **OFAC sanctions list** is essential for identifying if a wallet is already flagged by US Treasury -- Blockchain analysis is a specialized field — for serious investigations, use **Chainalysis** or **Crystal** - ---- - -*Reference: [OSINT Cheat Sheet — tips on crypto tracking & Collection Dataset sections](https://github.com/Jieyab89/OSINT-Cheat-sheet) by [Jieyab89](https://github.com/Jieyab89)* diff --git a/Jieyab-Claude-Skills/OSINT/Darkweb-Intel/references/cti-feeds-platforms.md b/Jieyab-Claude-Skills/OSINT/Darkweb-Intel/references/cti-feeds-platforms.md deleted file mode 100644 index 15a5476..0000000 --- a/Jieyab-Claude-Skills/OSINT/Darkweb-Intel/references/cti-feeds-platforms.md +++ /dev/null 
@@ -1,319 +0,0 @@ -# CTI Feeds & Platforms - -> *Tools sourced from [OSINT Cheat Sheet](https://github.com/Jieyab89/OSINT-Cheat-sheet) by [Jieyab89](https://github.com/Jieyab89)* - -## Objective -Integrate structured threat intelligence feeds and platforms into an investigation -or detection workflow — covering open-source, community, and commercial CTI sources. - ---- - -## 1. Open-Source CTI Platforms - -### MISP — Malware Information Sharing Platform -``` -https://www.misp-project.org -# Industry-standard open-source CTI sharing platform -# Self-hosted: share IOCs within a trusted community or organization -# Integrates with: Splunk, TheHive, Cortex, QRadar, etc. - -# Public MISP instances (read access) -https://www.circl.lu/doc/misp/ → CIRCL MISP (Luxembourg CSIRT) - -# MISP feed consumption -# Most major feeds (OTX, abuse.ch, etc.) have MISP format exports -``` - -### OpenCTI -``` -# From Jieyab89's list -https://github.com/OpenCTI-Platform/opencti -# Open-source CTI platform — store, analyze, and share intelligence -# Knowledge graph: actor → campaign → malware → IOC → victim -# Integrates with MISP, STIX/TAXII, TheHive -# Self-host via Docker: docker-compose up -d (demo.opencti.io no longer reliable) -``` - -### IntelOwl -``` -# From Jieyab89's list -https://github.com/intelowlproject/IntelOwl/ -# Aggregates results from 50+ analyzers (VT, OTX, Shodan, etc.) -# Single API call → enriched IOC from all sources simultaneously -# Self-hosted, free, open-source -``` - ---- - -## 2. Community Intelligence Feeds - -### AlienVault OTX -``` -https://otx.alienvault.com -# Free, community-driven threat intelligence -# "Pulses" = collections of IOCs around a specific threat - -# Subscribe to relevant pulses -# Follow actors: APT28, LockBit, Emotet, etc. 
- -# DirectConnect API -curl "https://otx.alienvault.com/api/v1/pulses/subscribed" \ - -H "X-OTX-API-KEY: YOUR_KEY" - -# Pull IOCs from a pulse -curl "https://otx.alienvault.com/api/v1/pulses/PULSE_ID/indicators" \ - -H "X-OTX-API-KEY: YOUR_KEY" - -# Python SDK -pip install OTXv2 -from OTXv2 import OTXv2 -otx = OTXv2("YOUR_API_KEY") -pulse = otx.get_pulse_details("PULSE_ID") -indicators = otx.get_pulse_indicator_details("PULSE_ID") -``` - -### Pulsedive -``` -# From Jieyab89's list -https://pulsedive.com/dashboard/ -# Free tier available -# IOC enrichment, threat feeds, risk scoring - -# API -curl "https://pulsedive.com/api/?indicator=suspicious.com&key=YOUR_KEY" -``` - -### ThreatMiner -``` -# From Jieyab89's list -https://www.threatminer.org -# Passive threat intelligence — no API key needed for basic use - -# Lookups: -https://www.threatminer.org/domain.php?q=suspicious.com -https://www.threatminer.org/ip.php?q=1.2.3.4 -https://www.threatminer.org/sample.php?q=SHA256_HASH -``` - ---- - -## 3. Commercial CTI Platforms (Free Tiers Available) - -### Recorded Future -``` -https://www.recordedfuture.com/vulnerability-database -# Free risk score lookup for IPs, domains, CVEs - -# Risk API (limited free access) -curl "https://api.recordedfuture.com/v2/ip/1.2.3.4" \ - -H "X-RFToken: YOUR_TOKEN" -``` - -### Flare -``` -# From Jieyab89's list -https://flare.io -# Dark web monitoring + CTI platform -# Monitors: paste sites, dark web forums, leak sites, Telegram -``` - -### Stealthmole -``` -# From Jieyab89's list -https://www.stealthmole.com -# Dark web tracker with CTI focus -``` - -### Cybersixgill -``` -# From Jieyab89's list -https://cybersixgill.com -# Deep and dark web intelligence -# Real-time monitoring of underground forums -``` - -### Darkfeed -``` -# From Jieyab89's list -https://darkfeed.io -# Dark web IOC feed -``` - -### Falcon Feeds -``` -# From Jieyab89's list -https://falconfeeds.io -# Threat intelligence from dark web sources -``` - ---- - -## 4. 
STIX/TAXII — Structured Intelligence Sharing - -Standard format for machine-readable threat intelligence: - -```python -# Install dependencies -pip install taxii2-client stix2 - -from taxii2client.v21 import Server - -# MITRE ATT&CK TAXII (confirmed active) -server = Server("https://cti-taxii.mitre.org/taxii/") -for api_root in server.api_roots: - for collection in api_root.collections: - print(collection.title, collection.id) - -# Note: CISA TAXII (ais.cisa.gov) and Anomali Limo (limo.anomali.com) -# are no longer resolving as of 2025 — use alternatives above instead -``` - -### Active Public TAXII Servers -``` -https://cti-taxii.mitre.org/taxii/ → MITRE ATT&CK (confirmed active) - -# Note: limo.anomali.com and ais.cisa.gov/taxii2/ no longer resolve (dead) -# Use MITRE ATT&CK TAXII or self-hosted MISP feeds instead -``` - -### Alternative — MITRE ATT&CK via GitHub JSON (Simpler, No TAXII Client) -```python -import requests - -# Fetch all ATT&CK groups directly -url = "https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json" -data = requests.get(url).json() - -groups = [obj for obj in data["objects"] if obj["type"] == "intrusion-set"] -for g in groups: - print(g.get("name"), "|", g.get("aliases", [])) -``` - -### CISA KEV Feed (Replaces CISA TAXII) -```python -import requests - -# CISA Known Exploited Vulnerabilities — always updated JSON feed -url = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json" -data = requests.get(url).json() - -vulns = data.get("vulnerabilities", []) -print(f"Total KEVs: {len(vulns)}") -for v in vulns[-5:]: # Latest 5 - print(v.get("cveID"), "|", v.get("vendorProject"), "|", v.get("dueDate")) -``` - ---- - -## 5. 
Threat Hunting Platforms - -### Splunk (SIEM) -``` -# From Jieyab89's list -https://www.splunk.com -# Leading SIEM for log analysis and threat hunting - -# Free: Splunk Free (500MB/day) -# Useful SPL for hunting: -# index=* sourcetype=* [inputlookup ioc_list.csv] -``` - -### Wazuh (Open-Source SIEM/XDR) -``` -# From Jieyab89's list -https://wazuh.com -# Free, open-source security monitoring -# Integrates with MISP and threat intel feeds -``` - -### Grafana -``` -# From Jieyab89's list -https://grafana.com -# Visualization for threat intelligence dashboards -# Connect to MISP, OpenCTI, or custom CTI databases -``` - ---- - -## 6. Integrating Feeds into a Pipeline - -### Simple IOC Aggregation Pipeline -```python -import requests, json -from datetime import datetime - -class CTIPipeline: - def __init__(self, otx_key): - self.otx_key = otx_key - self.iocs = {"domains": [], "ips": [], "hashes": [], "urls": []} - - def pull_threatfox(self, days=1): - """Pull recent IOCs from ThreatFox""" - resp = requests.post("https://threatfox-api.abuse.ch/api/v1/", - json={"query": "get_iocs", "days": days}) - for ioc in resp.json().get("data", []): - ioc_type = ioc.get("ioc_type") - value = ioc.get("ioc") - if ioc_type == "domain": - self.iocs["domains"].append(value) - elif ioc_type in ("ip:port", "ip"): - self.iocs["ips"].append(value.split(":")[0]) - elif ioc_type in ("sha256_hash", "md5_hash"): - self.iocs["hashes"].append(value) - elif ioc_type == "url": - self.iocs["urls"].append(value) - - def pull_urlhaus(self): - """Pull malicious URLs from URLhaus""" - resp = requests.get("https://urlhaus.abuse.ch/downloads/csv_online/") - for line in resp.text.split("\n"): - if line.startswith("#") or not line.strip(): - continue - parts = line.split(",") - if len(parts) > 2: - self.iocs["urls"].append(parts[2].strip('"')) - - def deduplicate(self): - for key in self.iocs: - self.iocs[key] = list(set(self.iocs[key])) - - def export(self, path): - self.deduplicate() - with open(path, "w") 
as f: - json.dump({"generated": str(datetime.now()), "iocs": self.iocs}, f, indent=2) - print(f"Exported {sum(len(v) for v in self.iocs.values())} IOCs to {path}") - -# Usage -pipeline = CTIPipeline(otx_key="YOUR_KEY") -pipeline.pull_threatfox(days=1) -pipeline.pull_urlhaus() -pipeline.export("daily_iocs.json") -``` - ---- - -## Tips - -- **IntelOwl** gives the broadest enrichment with a single API call — deploy it first -- **OpenCTI** is the best self-hosted platform — run via Docker, the public demo is unreliable -- **ThreatFox + URLhaus** from abuse.ch are the highest-quality free IOC feeds -- **MITRE ATT&CK GitHub JSON** is more reliable than their TAXII endpoint for automation -- **CISA KEV JSON feed** is the best free vulnerability intelligence — no auth needed -- **Pulsedive** is excellent for quick IOC risk scoring without many API keys -- Automate daily feed pulls and delta-compare against your existing blocklists - ---- - -## Removed / Dead Links (Verified April 2025) - -| Site | Status | Reason | -|------|--------|--------| -| `misp.seccodeid.com` | Offline | DNS does not resolve | -| `limo.anomali.com` | Offline | DNS does not resolve — Anomali shut down free Limo service | -| `ais.cisa.gov/taxii2/` | Offline | DNS does not resolve | -| `demo.opencti.io` | Removed | Public demo unreliable — self-host via Docker instead | - ---- - -*Reference: [OSINT Cheat Sheet — SOC & Threat Hunting, Researching Cyber Threats sections](https://github.com/Jieyab89/OSINT-Cheat-sheet) by [Jieyab89](https://github.com/Jieyab89)* \ No newline at end of file diff --git a/Jieyab-Claude-Skills/OSINT/Darkweb-Intel/references/darkweb-search.md b/Jieyab-Claude-Skills/OSINT/Darkweb-Intel/references/darkweb-search.md deleted file mode 100644 index 08c7833..0000000 --- a/Jieyab-Claude-Skills/OSINT/Darkweb-Intel/references/darkweb-search.md +++ /dev/null 
@@ -1,212 +0,0 @@ -# Dark Web Search & Indexing - -> *Tools sourced from [OSINT Cheat Sheet](https://github.com/Jieyab89/OSINT-Cheat-sheet) by [Jieyab89](https://github.com/Jieyab89)* - -## Objective -Search and index dark web content using clearnet-accessible tools, proxies, -and aggregators — without requiring a Tor browser for most operations. - ---- - -## 1. Clearnet Dark Web Search Engines - -These index .onion content and are accessible from a regular browser: - -``` -https://ahmia.fi → Most established Tor search engine - accessible via clearnet -https://darksearch.io → Dark web search via clearnet API -https://lolarchiver.com → Archived dark web content -https://osint.lolarchiver.com → OSINT-focused dark archive -https://open-search.aleph-networks.eu → Open search with dark web data -``` - -### Ahmia.fi Usage -``` -# Basic search -https://ahmia.fi/search/?q=ransomware+group - -# Search for specific onion addresses -https://ahmia.fi/search/?q=site:ONIONADDRESS.onion - -# API -curl "https://ahmia.fi/api/query?q=keyword&limit=10" -``` - -### DarkSearch.io API -```bash -# Search via API (free tier available) -curl "https://darksearch.io/api/search?query=keyword&page=1" - -# Python -import requests -resp = requests.get("https://darksearch.io/api/search", - params={"query": "ransomware group", "page": 1}) -print(resp.json()) -``` - ---- - -## 2. Intelligence X (IntelX) - -One of the most powerful dark web indexing platforms — indexes Tor, I2P, paste -sites, public leaks, and document archives: - -``` -https://intelx.io/?s=keyword -https://intelx.io/?s=email@target.com -https://intelx.io/?s=target.com -https://intelx.io/?s=BITCOIN_WALLET_ADDRESS - -# Selectors to search: -# - Email addresses -# - Domains -# - IP addresses -# - Bitcoin addresses -# - IPFS hashes -# - URLs -# - Phone numbers -``` - ---- - -## 3. Tor Hidden Service Search (Requires Tor Browser) - -> Only use this for authorized research. Use a dedicated sandbox VM + Tor Browser. 
-> Never access from your real machine or identity. - -``` -# Popular .onion search engines (access via Tor Browser only) -DuckDuckGo onion : https://3g2upl4pq6kufc4m.onion -Torch : http://xmh57jrknzkhv6y3ls3ubitzfqnkrwxhopf5ayieeo2through7sh6turd.onion -Not Evil : http://notevilmtxf25uw7tskqxj6njlpebyrmlrerfv5hc4tuq7c7hilbyiqd.onion -Haystak : http://haystak5njsmn2hqkewecpaxetahtwhsbsa64jom2k22z5afxhnpxfid.onion -``` - ---- - -## 4. Specialized Dark Web Index Tools - -### DeepDarkCTI -Threat intelligence from deep and dark web sources: -```bash -# From Jieyab89's list -git clone https://github.com/fastfire/deepdarkCTI -# Contains curated .onion links categorized by type: -# - Forums, markets, ransomware leak sites, paste services -# - Updated list of active dark web resources for CTI -cat deepdarkCTI/ransomware.md # Ransomware sites list -cat deepdarkCTI/forum.md # Forum list -cat deepdarkCTI/combolist.md # Combo/leak list sites -``` - -### OnionSearch -```bash -pip install onionsearch -onionsearch "keyword" -# Searches across multiple .onion search engines simultaneously -``` - ---- - -## 5. OSINT Framework — Dark Web Section - -``` -https://osintframework.com -# Navigate to: Digital Footprint → Dark Web -# Contains categorized links to: -# - Dark web search engines -# - Forums (indexed/cached versions) -# - Cryptocurrency tracking -# - Paste services -``` - ---- - -## 6. 
Cached & Archived Dark Web Content - -Access dark web content without connecting to Tor: - -``` -https://osint.lolarchiver.com → Cached dark web content -https://lolarchiver.com → Dark web archiver -https://www.libraryofleaks.org → Leaked document library -https://search.libraryofleaks.org → Search leaked documents - -# DDO Secrets (Distributed Denial of Secrets) — public leak archive -https://ddosecrets.com/wiki/Distributed_Denial_of_Secrets -# Contains: government leaks, corporate data, hacked datasets -# Browse without accessing dark web directly - -# ALEPH (OCCRP) -https://aleph.occrp.org -# Investigative journalism data repository -# Contains leaked documents, corporate records, court data -``` - ---- - -## 7. I2P & Freenet Monitoring (Passive) - -``` -# I2P eepsites search (passive indexing services) -https://i2psearch.com -http://i2pforum.i2p (requires I2P) - -# Freenet content search (passive) -# Use Freenet indexes accessible via clearnet bridges -``` - ---- - -## 8. Darkweb Academy - -``` -# From Jieyab89's OSINT Academy list -https://www.darkwebacademy.com/labs/ -# Provides labs and training for dark web OSINT -# Safe, sandboxed environments for learning -``` - ---- - -## Search Strategies - -### Finding Specific Content -``` -# Entity-based search -"company name" site:ransomgroup.onion (via Ahmia) -"email@domain.com" intext:password (via IntelX) -"domain.com" leak OR breach OR dump (via DarkSearch) - -# Hash-based search -"MD5HASH" OR "SHA256HASH" (malware samples) -"bitcoin:WALLETADDRESS" (crypto payment traces) - -# Forum activity -"threat actor alias" forum (track actor across platforms) -``` - -### Building a Search Query -``` -1. Start broad: target name, domain, or keyword -2. Narrow with context: + "breach" / "leaked" / "sale" / "dump" -3. Add time filter if available -4. Cross-reference hits across multiple platforms -5. 
Extract and pivot from any new selectors found (emails, wallets, aliases) -``` - ---- - -## Tips - -- **Ahmia** is the most reliable clearnet index for general .onion search -- **IntelX** has the deepest historical index — worth using for any serious investigation -- **DeepDarkCTI** repo is regularly updated with active dark web site links -- **DDO Secrets** is the best clearnet source for leaked government/corporate data -- **ALEPH/OCCRP** is excellent for cross-referencing against investigative journalism leaks -- Always **document your search queries** — reproducibility matters in investigations - ---- - -*Reference: [OSINT Cheat Sheet — Data Breached OSINT & Forums sections](https://github.com/Jieyab89/OSINT-Cheat-sheet) by [Jieyab89](https://github.com/Jieyab89)* diff --git a/Jieyab-Claude-Skills/OSINT/Darkweb-Intel/references/malware-ioc-intel.md b/Jieyab-Claude-Skills/OSINT/Darkweb-Intel/references/malware-ioc-intel.md deleted file mode 100644 index 9230ebe..0000000 --- a/Jieyab-Claude-Skills/OSINT/Darkweb-Intel/references/malware-ioc-intel.md +++ /dev/null 
@@ -1,281 +0,0 @@ -# Malware & IOC Intelligence - -> *Tools sourced from [OSINT Cheat Sheet](https://github.com/Jieyab89/OSINT-Cheat-sheet) by [Jieyab89](https://github.com/Jieyab89)* - -## Objective -Collect, analyze, and enrich malware samples and Indicators of Compromise (IOCs) -from threat intelligence feeds, sandboxes, and dark web-adjacent sources — for -detection engineering, incident response, and threat hunting. - ---- - -## 1. Malware Sample Repositories - -### MalwareBazaar (abuse.ch) -``` -https://bazaar.abuse.ch/browse/ - -# Search by hash, tag, file type, or malware family -https://bazaar.abuse.ch/browse/?q=ransomware -https://bazaar.abuse.ch/browse/?q=tag:emotet - -# API — download samples and query intel -curl -X POST "https://mb-api.abuse.ch/api/v1/" \ - -d "query=get_info&hash=HASH_VALUE" - -# Python -import requests -resp = requests.post("https://mb-api.abuse.ch/api/v1/", - data={"query": "get_info", "hash": "SHA256_HERE"}) -print(resp.json()) -``` - -### VX-Underground -``` -# From Jieyab89's list -https://vx-underground.org -# Largest public malware sample archive -# Categories: APT samples, ransomware, stealers, botnets -# WARNING: Only download to isolated sandbox — these are live malware - -# Also useful for: -# - Malware source code leaks -# - Threat actor communications -# - Historical campaign materials -``` - -### Malware Traffic Analysis -``` -# From Jieyab89's list -https://www.malware-traffic-analysis.net/2025/index.html -# PCAP files + malware samples from real infections -# Includes: traffic captures, IOCs, malware files -# Excellent for understanding C2 communication patterns -``` - -### VirusShare (Registration Required) -``` -https://virusshare.com -# Large malware sample collection — requires account -``` - -### Virus Exchange -``` -# From Jieyab89's list -https://virus.exchange -# Sample sharing platform -``` - ---- - -## 2. 
IOC Feeds - -### ThreatFox (abuse.ch) -``` -https://threatfox.abuse.ch/browse/ - -# API — get latest IOCs -curl -X POST "https://threatfox-api.abuse.ch/api/v1/" \ - -d '{"query":"get_iocs","days":1}' - -# Search by IOC value -curl -X POST "https://threatfox-api.abuse.ch/api/v1/" \ - -d '{"query":"search_ioc","search_term":"malware.com"}' - -# MISP feed format -https://threatfox.abuse.ch/export/misp/ -``` - -### URLhaus (abuse.ch) — Malicious URLs -``` -https://urlhaus.abuse.ch - -# API -curl -X POST "https://urlhaus-api.abuse.ch/v1/url/" \ - -d "url=https://suspicious.com/malware.exe" - -# Download daily feed -curl "https://urlhaus.abuse.ch/downloads/csv_online/" - -# Python query -import requests -resp = requests.post("https://urlhaus-api.abuse.ch/v1/host/", - data={"host": "suspicious-domain.com"}) -print(resp.json()) -``` - -### AlienVault OTX Feeds -``` -https://otx.alienvault.com/api/v1/pulses/subscribed -# Returns all IOCs from pulses you follow - -# Specific IOC lookup -curl -X GET "https://otx.alienvault.com/api/v1/indicators/domain/target.com/malware" \ - -H "X-OTX-API-KEY: YOUR_KEY" - -curl -X GET "https://otx.alienvault.com/api/v1/indicators/file/HASH/analysis" \ - -H "X-OTX-API-KEY: YOUR_KEY" -``` - -### Additional IOC Feeds -``` -https://rescure.me/feeds.html → Rescure.me curated feeds -https://www.spamhaus.org/drop/drop.txt → Spamhaus DROP list (BGP blocks) -https://feodotracker.abuse.ch/downloads/ → Feodo botnet C2 IPs -https://sslbl.abuse.ch/blacklist/ → SSL certificate blacklist -https://openphish.com/phishing_feeds.html → OpenPhish phishing URLs -https://phishstats.info:2096/api/phishing → PhishStats API -``` - ---- - -## 3. 
Malware Analysis Sandboxes - -Safe environments to analyze suspicious files: - -### Free Online Sandboxes -``` -https://app.any.run → Interactive (from Jieyab89's list) -https://www.hybrid-analysis.com → Free, Falcon Sandbox powered -https://tria.ge/reports/public → Tria.ge sandbox (from Jieyab89's list) -https://cuckoo.cert.ee → Cuckoo sandbox (Jieyab89's list) -https://capesandbox.com → CAPE sandbox (Jieyab89's list) -https://www.joesandbox.com → Joe Sandbox (from Jieyab89's list) -https://www.vmray.com → VMRay (commercial, limited free) -https://filescan.io → Filescan.io (from Jieyab89's list) -https://www.docguard.io → DocGuard for documents -https://analyze.intezer.com/scan → Intezer (code similarity analysis) -``` - -### API-Based Analysis -```python -import requests, time - -def submit_to_hybrid_analysis(filepath): - """Submit a file to Hybrid Analysis""" - url = "https://www.hybrid-analysis.com/api/v2/submit/file" - headers = {"api-key": "YOUR_API_KEY", "user-agent": "Falcon Sandbox"} - - with open(filepath, "rb") as f: - resp = requests.post(url, - headers=headers, - files={"file": f}, - data={"environment_id": 100}) # Windows 7 64-bit - return resp.json() -``` - ---- - -## 4. 
Hash & IOC Enrichment - -### VirusTotal -``` -# File hash lookup -https://www.virustotal.com/gui/file/SHA256_HASH - -# API -curl --request GET \ - --url "https://www.virustotal.com/api/v3/files/SHA256_HASH" \ - --header "x-apikey: YOUR_API_KEY" - -# Batch hash check (Python) -import requests - -def vt_check_hash(sha256, api_key): - url = f"https://www.virustotal.com/api/v3/files/{sha256}" - headers = {"x-apikey": api_key} - resp = requests.get(url, headers=headers) - data = resp.json() - stats = data.get("data", {}).get("attributes", {}).get("last_analysis_stats", {}) - return { - "malicious": stats.get("malicious", 0), - "suspicious": stats.get("suspicious", 0), - "undetected": stats.get("undetected", 0), - "total": sum(stats.values()) - } -``` - -### Malware Encyclopedia — Malpedia -``` -https://malpedia.caad.fkie.fraunhofer.de - -# Search by malware name -https://malpedia.caad.fkie.fraunhofer.de/details/win.emotet - -# Each entry contains: -# - YARA rules -# - Actor associations -# - Sample hashes -# - Technical references -# - Aliases across vendors -``` - -### pwnedOrNot -``` -# From Jieyab89's list -https://github.com/thewhiteh4t/pwnedOrNot -# Check if email has leaked and try to get plaintext password -``` - ---- - -## 5. YARA Rules - -YARA is the standard for malware pattern matching: - -### YARA Rule Sources -``` -# From Jieyab89's list -https://yaraify.abuse.ch/yarahub/ → Community YARA hub (abuse.ch) -https://github.com/Neo23x0/signature-base → Neo23x0 signature base -https://valhalla.nextron-systems.com → Valhalla YARA feed - -# Using YARA rules -pip install yara-python - -import yara -rules = yara.compile(filepath="rule.yar") -matches = rules.match("suspicious_file.exe") -for match in matches: - print(f"Rule: {match.rule}, Tags: {match.tags}") -``` - ---- - -## 6. 
C2 Tracking - -### C2-Tracker -``` -# From Jieyab89's list -https://github.com/montysecurity/C2-Tracker -# Tracks active C2 infrastructure for common RATs and botnets - -# Lists are updated regularly: -# - Cobalt Strike C2s -# - Metasploit listeners -# - Brute Ratel C2s -# - Sliver C2s -``` - -### Feodo Tracker (Emotet/TrickBot/etc.) -``` -https://feodotracker.abuse.ch -# Botnet C2 IP tracker -curl "https://feodotracker.abuse.ch/downloads/ipblocklist.txt" -``` - ---- - -## Tips - -- **MalwareBazaar** is the best free starting point for any hash lookup -- **any.run** provides the most interactive analysis experience for free -- **ThreatFox** API is easy to integrate into automated pipelines -- **Valhalla YARA** requires subscription but is the highest quality rule set -- **Malpedia** links malware → actor → campaign — critical for full context -- Never analyze malware on your main machine — always use an isolated sandbox -- **Hash pivoting**: if a hash is known, check its VirusTotal graph for related infrastructure - ---- - -*Reference: [OSINT Cheat Sheet — Researching Cyber Threats, SOC & Threat Hunting sections](https://github.com/Jieyab89/OSINT-Cheat-sheet) by [Jieyab89](https://github.com/Jieyab89)* diff --git a/Jieyab-Claude-Skills/OSINT/Darkweb-Intel/references/opsec-darkweb.md b/Jieyab-Claude-Skills/OSINT/Darkweb-Intel/references/opsec-darkweb.md deleted file mode 100644 index 745885c..0000000 --- a/Jieyab-Claude-Skills/OSINT/Darkweb-Intel/references/opsec-darkweb.md +++ /dev/null 
@@ -1,277 +0,0 @@ -# OPSEC for Dark Web OSINT Investigations - -> *Safety guidelines inspired by [OSINT Cheat Sheet](https://github.com/Jieyab89/OSINT-Cheat-sheet) by [Jieyab89](https://github.com/Jieyab89) — who emphasizes: "Please use it wisely"* - -## Objective -Protect your identity, devices, and legal standing while conducting dark web -intelligence investigations. Poor OPSEC can expose your real identity to threat -actors, compromise your organization, or create legal liability. - ---- - -## 1. Environment Setup - -### Recommended Stack (Layered Isolation) -``` -Layer 1 — Host Machine - └── Your regular computer (never used for OSINT) - -Layer 2 — Hypervisor - └── VirtualBox / VMware / Proxmox - └── Isolated OSINT VM (no shared clipboard, no shared folders) - -Layer 3 — Network - └── VPN (kill-switch enabled) → Tor (for .onion) or direct (for clearnet OSINT) - -Layer 4 — Browser - └── Tor Browser (for .onion access) - └── Firefox with hardened settings (for clearnet OSINT tools) - -Layer 5 — Identity - └── Throwaway accounts (not linked to real name/email/phone) - └── Dedicated OSINT email (ProtonMail, Tutanota) -``` - -### Recommended OSINT Linux Distros (from Jieyab89's list) -``` -https://github.com/tracelabs/tlosint-live → Trace Labs OSINT VM -https://tails.net → Amnesic OS (leaves no trace) -https://www.qubes-os.org → Compartmentalized OS -https://www.parrotsec.org → Parrot OS (security/OSINT) -https://csilinux.com → CSI Linux (OSINT-focused) -``` - ---- - -## 2. 
Network OPSEC - -### VPN Configuration -``` -Requirements for OSINT VPN: -✓ No-logs policy (independently audited) -✓ Kill switch enabled (cuts internet if VPN drops) -✓ DNS leak protection -✓ Jurisdiction outside 5/9/14-eyes if sensitive work - -# Test for leaks before starting -https://www.dnsleaktest.com -https://ipleak.net -https://browserleaks.com -``` - -### Tor Browser (for .onion access) -``` -Download: https://www.torproject.org/download/ -# Always use the latest version -# Never resize the window (browser fingerprinting) -# Never log into personal accounts inside Tor Browser -# Disable JavaScript for sensitive .onion sites (Security Level: Safest) -# Never download files directly — preview in sandbox first - -# Check your Tor exit node -https://check.torproject.org (accessible via Tor Browser) -``` - -### Network Isolation -```bash -# Linux: create isolated network namespace for OSINT tools -ip netns add osint-ns -ip netns exec osint-ns ip link set lo up -# Route all OSINT tool traffic through VPN interface only - -# Verify no direct connections from OSINT VM -# Disable all non-essential network interfaces in the VM -``` - ---- - -## 3. 
Identity OPSEC - -### Account Hygiene -``` -✓ Use throwaway/sock puppet accounts for any platform registration -✓ Never use real name, photo, or biographical info in OSINT accounts -✓ Use dedicated email (ProtonMail / Tutanota) created over Tor -✓ Never reuse usernames across platforms -✓ Use separate accounts for OSINT work vs personal use -✓ Generate usernames with no connection to your real identity - -# Jieyab89's tip on accounts: -# "Do a active on each platform example like post, follow, following to -# avoid bot detection or blocked by user (target)" -# "Use second account (not your real account)" -``` - -### Browser Fingerprinting Protection -``` -https://browserleaks.com → Test your browser fingerprint -https://coveryourtracks.eff.org → EFF Cover Your Tracks test - -# Key fingerprint vectors to neutralize: -# - Screen resolution (use common size: 1920x1080) -# - User agent (use common browser UA) -# - Timezone (match VPN exit location) -# - WebRTC leaks (disable WebRTC in browser) -# - Canvas fingerprinting (block or randomize) -``` - ---- - -## 4. 
Device OPSEC - -### Sandbox VM Rules -``` -✓ Snapshot the VM before each investigation session -✓ Revert snapshot after sensitive sessions -✓ No shared clipboard between host and OSINT VM -✓ No shared folders — transfer files through encrypted container only -✓ Disable USB passthrough -✓ Use separate VM for different investigation cases (no cross-contamination) -✓ Enable AV in VM (Jieyab89's tip: "Enable your firewall, AV and IDS") -``` - -### File Handling (from Jieyab89's tips) -``` -# Jieyab89's direct guidance: -"Dont upload your private files make sure you have clean personal file in folder" -"Scan the files will you download" -"Encrypt your network traffic, message and disk" -"Beware about attachments such as docx, xlsm or macro documents" -"Beware about malicious script like programm lang always check will you run it" -"beware with code with obfuscate (dont trust it)" - -# NEVER: -✗ Open malware samples on your host machine -✗ Click links from threat actors without sandbox isolation -✗ Download dark web files to your main machine -✗ Enable macros in Office documents from dark web sources -``` - -### File Analysis Before Opening -```bash -# Check file type (don't trust extension) -file suspicious_file.exe - -# Compute hashes before opening -sha256sum suspicious_file.exe -md5sum suspicious_file.exe - -# Check hash on VirusTotal before any local analysis -# Submit hash only (not the file itself) for initial check - -# Strings analysis (safe, no execution) -strings suspicious_file.exe | grep -E "(http|ftp|smtp|password|key|token)" - -# Only then: open in an isolated sandbox (AnyRun, Hybrid Analysis, or local Cuckoo) -``` - ---- - -## 5. 
Legal OPSEC - -### What Is Legal (OSINT) -``` -✓ Accessing publicly available information -✓ Using clearnet dark web monitoring services -✓ Searching indexed dark web content (Ahmia, IntelX, DarkSearch) -✓ Analyzing published breach data for defensive purposes -✓ Tracking ransomware groups through their public leak sites -✓ Researching threat actors using public reports and CTI feeds -✓ Accessing DDO Secrets / OCCRP ALEPH (public interest journalism) -``` - -### What Is NOT Legal (Do Not Do) -``` -✗ Registering accounts on criminal forums -✗ Purchasing stolen data, tools, or credentials -✗ Accessing systems without authorization -✗ Re-publishing stolen personal data of individuals -✗ Attempting to take down or interfere with criminal infrastructure -✗ Interacting with threat actors to elicit information (entrapment risk) -✗ Downloading CSAM or other illegal content (even for research) -``` - -### Jurisdiction Reference -``` -Indonesia → UU ITE No.11/2008 & No.19/2016 (amended) - → UU PDP No.27/2022 (Personal Data Protection) -USA → Computer Fraud and Abuse Act (18 U.S.C. § 1030) - → Electronic Communications Privacy Act -EU → GDPR (data handling), Directive on Attacks Against Information Systems -Global → ICCPR Article 17 (right to privacy) -``` - ---- - -## 6. Evidence Collection & Chain of Custody - -When findings may be used in legal proceedings or incident reports: - -``` -# Capture with timestamp -date && screenshot - -# Archive web pages with timestamp proof -https://archive.today → Submit URL → get archived link -https://web.archive.org/save/URL → Wayback Machine save - -# Hash all collected evidence -sha256sum evidence_file > evidence_file.sha256 - -# Maintain investigation log -[TIMESTAMP] [ACTION] [SOURCE] [FINDING] [HASH] - -# Never alter original evidence files -# Store in encrypted container (VeraCrypt) -# Maintain chain of custody documentation -``` - ---- - -## 7. 
Operational Security Checklist - -### Before Starting an Investigation -``` -[ ] OSINT VM is up-to-date and snapshoted -[ ] VPN is connected and verified (no leaks) -[ ] Tor Browser is latest version (if needed) -[ ] Throwaway accounts ready -[ ] AV/firewall enabled in sandbox -[ ] Investigation scope and legal boundaries are clear -[ ] Evidence folder created with encrypted container -``` - -### During Investigation -``` -[ ] No personal accounts used -[ ] All URLs previewed before clicking (urlscan.io) -[ ] Files scanned before analysis -[ ] Screenshots taken with timestamps -[ ] Sources documented as you go -[ ] No interaction with threat actors -``` - -### After Investigation -``` -[ ] Evidence archived and hashed -[ ] Investigation log complete -[ ] VM snapshot taken (or reverted if sensitive) -[ ] VPN disconnected after session -[ ] Report drafted with source citations -``` - ---- - -## Tips - -- **Tails OS** is the gold standard for leaving zero traces — use for most sensitive work -- **Qubes OS** provides the best compartmentalization if Tails is too limiting -- **Never combine** personal and OSINT activities in the same browser session -- **Document everything** as you go — memory is unreliable, investigations can take weeks -- Follow Jieyab89's golden rule: **"Use virtual machine, fake host or docker machine"** -- When in doubt about legality — **consult a lawyer before proceeding**, not after - ---- - -*Safety guidance informed by [OSINT Cheat Sheet — Tips & Trick Safe Guide](https://github.com/Jieyab89/OSINT-Cheat-sheet) by [Jieyab89](https://github.com/Jieyab89).* -*His words: "Please use it wisely."* 
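Review bot: Hunk for `references/opsec-darkweb.md`: this is the one file in the set whose removal should be justified explicitly, because it is the only OPSEC and legal guidance in the skill and the same commit removes the references that point readers at live malware repositories and `.onion` sites; if any of those come back, this guidance has to come back with them. The removed text also had defects worth fixing rather than re-adding verbatim: the `Network Isolation` block creates `osint-ns` with `ip netns add` and brings up `lo` but never attaches an interface or adds a route, so the comment `Route all OSINT tool traffic through VPN interface only` is not implemented by the commands shown; `date && screenshot` under `Evidence Collection` calls a command that does not exist; and the `What Is NOT Legal` list states jurisdiction-dependent items (registering on a forum, interacting with an actor) as universally illegal, which the `Jurisdiction Reference` below it does not support.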
diff --git a/Jieyab-Claude-Skills/OSINT/Darkweb-Intel/references/osint-darkweb-intel.skill b/Jieyab-Claude-Skills/OSINT/Darkweb-Intel/references/osint-darkweb-intel.skill deleted file mode 100644 index bbd31d772debeaa6638aad70f4869f82dba9fa70..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 35240 zcmagFQ?MvOn60^O^K9F;ZQHhSwr$(CZQHhO+s2&kj-ER)aXY#mGV-NXW=3UHt^ZqD z@>0McPyqjVIV5QRSLeT46aZ`hJ4Xv!CmLe|2P;<-Lz;hm6KgsZWk>*Eyo5uG`NTsD zXE$g7K#>2q;XfPs|5t7Q|EGrcKd3pFn3_14*czEQ{+ICZKhf#`yD-YXQ6K>RLpXFr zLbeSa0DzAO0D$g)7q+u^G%@<`RnXcP|K|$+hk=?kCmpcFQnnAN7|S5o#_$0ZTE6xQ zi16bQ&d~6L;+~w?v9E zCV`;S+3a>k+fR26pq-t0IIt?ysg}!W@s{9CD{4qjQ(G^%^)U3-+iR*Oy=z~^oayJ8 zlx&u|TFS?*ZMz!U>8vdjS+>jY27B%Y&Lm~fMwI!U(N$F568G(GD@Ay4h;2E(b~2)K zd_K43Q}D(gh-QyJ35(xL zmKPLsrTM; z6nlR^E^m8(aDL1ALO-W2rBe%BbqtjF*r>jM)rydG4z9m-QQj%Twopp6HEt(x{9jwD zEVH}+##)x$(5-YZzX7!J&~6i{KFGClmPIKEzHRI6nU{VEKJrSKMwTy{c$9U7GNl%m zJXJI5MKGq8Xm&mrs3l%XE&JAKxE!svNTN*~d1R!c?7znTDz>(%=DK3FWsw$YDH;PC zO5u`)jWDt;CwBUhjCNCOZ)9#qD(QRm(5Rn-_(OWPuJ#NIFsVa$(4gD|%MUDfmH)~8 z;Q&Q2p}n;I)?8wbC1|T01(G~#-nlbYJ54T?p$gLY@e@L*M(SzT&B)iV%!G{$o}8`; zC?#zkPcbsizhL^*_VJ$$y=V~)XqODt|0HG|?15*k#ak|aRylX0GY+=Y--E~He5btf z1*5G{BqLo^;;Ujjjjt5LK=9iadcBu=2Hb7QUz{k*%f*{>%Ka6>C?t`eBSpyjpl4mk z{YyG}(>kzn`MhWMy!1wN3NC&$3yDSK>ZHM-;|wNT2oddBmhhex$h)CaA8S zdUs7fqDMq|-v{+4ne@Xf6-#cW@c9$4(u~%CSIm`#|Iu>pNVczIPrPJi?U;$HR!RV6 z-O1=jmB`**WVas(J@?7yH}_XH^@iLLVt2rVb-k=d1Ro_Tq-z2p+S!sSXSUc^P_tsY zN%^~|Mm-6D|0z2=9Mj?)3Xe5gR~8`sLjW}&LY|KI7dPY~OpR9_P7q-F;`y#~|6WbZ zbWo5@$o6=rA%MI;dYV+t#?X54k)Hd5pwv^2B(+vf6D-AU+pGo?#fPj`^BJNDr(zKahV17vfu#+eH z5vYeGCN+dbRkdm#rB(I2tTbc42JFDV#cRW^wJ+W&SP8)W)&W2?k~9yN`EJF#4w^!i zuHyDtQZ8Wut-mFE{m|wf8G9jj=u8#QUel#OTowX!`hFTGUoYetFbz>yxVu2Op3Ukk zpIh<^g`Kmpxb{pL0ZCbyqGM^6J3!)ymPO~oz8^V~(d45aHpNw4quaZa#?MNzxVq`f zvf>*^OsXN9xpBp7`1*cof881?o-Q z9~Hm_@ln*mSeYz^o;4G2i(f{YM^Btq!gjhWaIz8h+SyK$YZKwc@ETZVLdcR}IDCbs z!-e-mqJ1(}pKb*YEzxcK1wb@>2#fV*Z#p%w#nJ|Nh8zT4e0Zw>Z34ICB^$(r+Fa;% 
diff --git a/Jieyab-Claude-Skills/OSINT/Darkweb-Intel/references/paste-leak-monitoring.md b/Jieyab-Claude-Skills/OSINT/Darkweb-Intel/references/paste-leak-monitoring.md deleted file mode 100644 index 244a8e0..0000000 --- a/Jieyab-Claude-Skills/OSINT/Darkweb-Intel/references/paste-leak-monitoring.md +++ /dev/null
@@ -1,263 +0,0 @@ -# Paste & Leak Monitoring - -> *Tools sourced from [OSINT Cheat Sheet](https://github.com/Jieyab89/OSINT-Cheat-sheet) by [Jieyab89](https://github.com/Jieyab89)* - -## Objective -Monitor paste sites, anonymous publishing services, and public leak channels -for early detection of data disclosures, credential dumps, and sensitive -information related to a target — before it spreads or is sold. - ---- - -## 1. Paste Site Inventory - -### Primary Targets for Monitoring -``` -https://pastebin.com → Largest paste site -https://psbdmp.ws → Pastebin dump aggregator/search -https://cybdetective.com/pastebin.html → Multi-paste search (Jieyab89's list) -https://paste.centos.org → CentOS community paste -https://justpaste.it → Popular alternative -https://gist.github.com → GitHub Gist (code snippets) -https://friendpaste.com → Alternative paste site -https://telegra.ph → Telegram's publish platform -https://psbdmp.ws → Pastebin dump search -``` - ---- - -## 2. Search Strategies - -### Google Dork Paste Search -``` -# Find mentions of target on paste sites -site:pastebin.com "target.com" -site:pastebin.com "@target.com" password -site:pastebin.com "target.com" database OR dump OR leak OR breach -site:pastebin.com "target.com" username OR email OR credential - -site:gist.github.com "target.com" secret OR key OR password -site:justpaste.it "target.com" -site:paste.centos.org "target.com" -site:telegra.ph "target.com" breach OR leak - -# Broader search -"target.com" site:pastebin.com OR site:gist.github.com OR site:justpaste.it -``` - -### Intelligence X Paste Search -``` -https://intelx.io/?s=target.com -# IntelX indexes many paste sites including dark web pastes -# More comprehensive than Google for paste monitoring -``` - ---- - -## 3. 
Automated Paste Monitoring - -### Pastebin Scraping API (Requires Pastebin Pro Account) -```python -import requests, time, hashlib, json -from datetime import datetime - -class PasteMonitor: - """Monitor Pastebin scraping API for keyword matches""" - - def __init__(self, keywords, scraping_key=None): - self.keywords = [k.lower() for k in keywords] - self.scraping_key = scraping_key - self.seen = set() - self.hits = [] - - def fetch_recent(self): - """Get recent public pastes via scraping API""" - url = "https://scrape.pastebin.com/api_scraping.php?limit=100" - if self.scraping_key: - url += f"&scraping_key={self.scraping_key}" - try: - resp = requests.get(url, timeout=10) - return resp.json() - except: - return [] - - def fetch_content(self, paste_key): - """Fetch raw content of a paste""" - url = f"https://scrape.pastebin.com/api_scrape_item.php?i={paste_key}" - try: - resp = requests.get(url, timeout=10) - return resp.text - except: - return "" - - def scan(self): - """One monitoring cycle""" - pastes = self.fetch_recent() - for paste in pastes: - key = paste.get("key") - if not key or key in self.seen: - continue - self.seen.add(key) - - content = self.fetch_content(key) - content_lower = content.lower() - - matched = [kw for kw in self.keywords if kw in content_lower] - if matched: - hit = { - "time": datetime.now().isoformat(), - "url": f"https://pastebin.com/{key}", - "keywords": matched, - "size": paste.get("size"), - "title": paste.get("title", ""), - "content_preview": content[:200] - } - self.hits.append(hit) - print(f"[HIT] {hit['url']} | Keywords: {matched}") - - def run(self, interval=300): - """Continuous monitoring loop""" - print(f"Monitoring for: {self.keywords}") - while True: - self.scan() - time.sleep(interval) - -# Usage -monitor = PasteMonitor(keywords=["target.com", "targetcompany", "@target.com"]) -monitor.run(interval=300) # Check every 5 minutes -``` - ---- - -## 4. 
Telegram Channel Monitoring - -Many breach actors publish on Telegram before or instead of dark web forums: - -``` -# Search Telegram content (clearnet) -https://www.tgstat.com → Telegram channel statistics & search -https://telemetr.io → Telegram analytics -https://www.telegramchannels.me → Channel directory - -# Search for relevant channels -# Keywords: "leaks", "breach", "database", "credentials", "combolist" - -# Telegram web search (no account needed) -https://t.me/s/CHANNEL_NAME → View channel posts in browser - -# Archive Telegram content -# Reference from Jieyab89: -https://www.bellingcat.com/resources/how-tos/2022/03/08/how-to-archive-telegram-content-to-document-russias-invasion-of-ukraine/ -``` - ---- - -## 5. DDO Secrets — Document & Leak Archive - -``` -https://ddosecrets.com/wiki/Distributed_Denial_of_Secrets -# Clearnet accessible archive of major leaks -# Categories: government leaks, corporate data, hacked datasets -# Contains: BlueLeaks (US law enforcement), Epik (hosting), ransomware dumps, etc. - -# How to use: -# - Browse by category or search by organization name -# - Download index files to understand scope before downloading full datasets -# - All content is legally accessible via clearnet -``` - ---- - -## 6. Library of Leaks - -``` -https://search.libraryofleaks.org -# Searchable archive of public interest leaks -# Includes: Wikileaks, Panama Papers, Pandora Papers, FinCEN Files, etc. - -https://aleph.occrp.org -# OCCRP investigative data platform -# Cross-reference leaked documents with corporate registries and court data -``` - ---- - -## 7. Early Warning Intelligence - -### Signals to Watch For -``` -Indicators that a breach may be incoming or just happened: - -1. Threat actor posts "we are selling [company] data" in forums - → Monitor via: ransomware.live, darkfeed.io, flare.io - -2. Internal credentials appearing on paste sites - → Monitor via: pastebin scraping + IntelX - -3. 
Domain mentioned in stealer log markets - → Monitor via: Hudson Rock, whiteintel.io - -4. Company name appears in Telegram breach channels - → Monitor via: tgstat.com search - -5. Unusual volume of mentions in dark web search results - → Monitor via: IntelX, Ahmia, darksearch.io -``` - -### Building a Keyword Watchlist -```python -# Keywords to monitor for a target organization -WATCHLIST = { - "company_names": ["Target Corp", "TargetCo", "target-corp"], - "domains": ["target.com", "targetcorp.com"], - "email_patterns": ["@target.com", "@targetcorp.com"], - "brand_names": ["TargetProduct", "TargetBrand"], - "executive_names": ["John CEO Smith", "Jane CFO Doe"], # Key executives - "internal_terms": ["internal_system_name", "product_codename"] -} -``` - ---- - -## 8. Breach Validation - -Before escalating or reporting a potential breach find: - -``` -Step 1: Verify the data is real - - Check sample records against known public info (are names/emails plausible?) - - Check date fields — are they consistent with claimed breach date? - - Do NOT contact individuals in the dataset to verify - -Step 2: Determine if already known - - Cross-check against HIBP: https://haveibeenpwned.com/PwnedWebsites - - Check databreaches.net: https://databreaches.net - - Search intelx.io for the same dataset - -Step 3: Assess severity - - What data types: passwords? PII? financial? health? - - Plaintext vs hashed passwords? - - Volume of records? 
- - Date of the data (older = lower risk of active exploitation) - -Step 4: Document and report - - Screenshot with timestamps - - Archive the paste/post URL (use archive.today) - - Preserve hash of any downloaded evidence files - - Report to affected organization's security team (responsible disclosure) -``` - ---- - -## Tips - -- **Monitor daily** — paste site data disappears quickly (Pastebin auto-deletes) -- **Archive immediately** when you find something relevant — use archive.today -- **IntelX** is the most reliable for historical paste search and dark web content -- **Telegram** is now a primary distribution channel for breach data — don't ignore it -- **False positives** are common — always validate before escalating -- **GDPR/legal caution**: in some jurisdictions, downloading breach data may have legal implications — consult your legal counsel - ---- - -*Reference: [OSINT Cheat Sheet — Data Breached OSINT, Forums & Sites sections](https://github.com/Jieyab89/OSINT-Cheat-sheet) by [Jieyab89](https://github.com/Jieyab89)* diff --git a/Jieyab-Claude-Skills/OSINT/Darkweb-Intel/references/ransomware-tracking.md b/Jieyab-Claude-Skills/OSINT/Darkweb-Intel/references/ransomware-tracking.md deleted file mode 100644 index 395ec85..0000000 --- a/Jieyab-Claude-Skills/OSINT/Darkweb-Intel/references/ransomware-tracking.md +++ /dev/null 
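Review bot: this hunk deletes `paste-leak-monitoring.md` outright (`@@ -1,263 +0,0 @@`, `+++ /dev/null`) with nothing replacing it, so any remaining page that still links to `references/paste-leak-monitoring.md` will dangle; please grep the repository for inbound links before merging and state the reason for the removal in the commit message. If the `PasteMonitor` snippet is being dropped because it was unfinished, say so as well: as deleted it silenced every network error with bare `except:` clauses and polled in an unbounded `while True` loop, so it should not be restored in that form.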
@@ -1,237 +0,0 @@ -# Ransomware Group Tracking - -> *Tools sourced from [OSINT Cheat Sheet](https://github.com/Jieyab89/OSINT-Cheat-sheet) by [Jieyab89](https://github.com/Jieyab89)* - -## Objective -Monitor ransomware group activity, track victim postings on leak sites, -identify which groups are active, understand their TTPs, and collect -intelligence from their public-facing infrastructure — all via clearnet. - ---- - -## 1. Ransomware Tracking Dashboards - -### ransomware.live (Primary Source) -``` -https://www.ransomware.live -# Real-time tracking of ransomware group victim posts -# Covers 100+ active ransomware groups -# Shows: victim name, country, sector, date posted, group name -# Includes screenshots of leak site posts - -# Features: -# - Timeline of attacks -# - Group statistics -# - Sector/country breakdown -# - Search by victim name or group -``` - -### ransomwatch -``` -https://ransomwatch.telemetry.ltd -# Monitors ransomware leak site posts -# Structured JSON data available for programmatic use -# Open source: https://github.com/joshhighet/ransomwatch - -# API / Data access -curl https://raw.githubusercontent.com/joshhighet/ransomwatch/main/posts.json -curl https://raw.githubusercontent.com/joshhighet/ransomwatch/main/groups.json - -# Python -import requests -posts = requests.get("https://raw.githubusercontent.com/joshhighet/ransomwatch/main/posts.json").json() -for post in posts: - if "target_org" in post.get("post_title", "").lower(): - print(post) -``` - -### Ransom DB -``` -https://www.ransom-db.com -# Searchable database of ransomware incidents -# Filter by: group, country, sector, date -``` - -### Ransom Private Tools -``` -https://ransom.privtools.eu -# Aggregated ransomware group posts -# Useful for historical research -``` - -### WatchGuard Ransomware Tracker -``` -https://www.watchguard.com/wgrd-security-hub/ransomware-tracker -# Curated ransomware incident tracker -``` - ---- - -## 2. 
Ransomware Group Intelligence - -### Known Active Groups (Reference) -``` -# Tier 1 (Most Active / Dangerous): -LockBit, ALPHV/BlackCat, Cl0p, Play, Akira, Black Basta, -Hunters International, RansomHub, Medusa, INC Ransom - -# Leak Site Monitoring via ransomware.live covers all major groups -``` - -### Group Profiles via MITRE ATT&CK -``` -https://attack.mitre.org/groups/ -# Search for specific ransomware group -# Contains: TTPs, techniques, software used, campaigns - -# Examples: -https://attack.mitre.org/groups/G0032/ → Lazarus Group -https://attack.mitre.org/groups/G0034/ → Sandworm -https://attack.mitre.org/software/ → Malware used by groups -``` - -### Malpedia — Ransomware Encyclopedia -``` -https://malpedia.caad.fkie.fraunhofer.de -# Search by ransomware family name -# Contains: technical details, YARA rules, references, actor links - -# Example -https://malpedia.caad.fkie.fraunhofer.de/details/win.lockbit -https://malpedia.caad.fkie.fraunhofer.de/details/win.blackcat -``` - ---- - -## 3. Ransomware Identification - -If you have a sample or ransom note: - -``` -https://id-ransomware.malwarehunterteam.com -# Upload: encrypted file, ransom note, or file extension -# Identifies ransomware family - -https://www.nomoreransom.org/en/identification-tool.html -# Ransomware identification + decryption tools if available -# Maintained by Europol + cybersecurity vendors -``` - ---- - -## 4. Ransomware Decryption Tools - -``` -https://www.nomoreransom.org/en/decryption-tools.html -# Free decryptors for many ransomware families -# Organized by ransomware name - -https://github.com/erasmus-dsg-university/ransomware-decryptors -# Community collection of decryptors -``` - ---- - -## 5. 
Programmatic Data Collection - -### Fetch ransomwatch JSON Data -```python -import requests -import json -from datetime import datetime - -def get_recent_ransomware_posts(days=7): - """Get ransomware posts from the last N days""" - url = "https://raw.githubusercontent.com/joshhighet/ransomwatch/main/posts.json" - posts = requests.get(url).json() - - cutoff = datetime.now().timestamp() - (days * 86400) - recent = [] - for post in posts: - try: - ts = datetime.strptime(post["discovered"], "%Y-%m-%d %H:%M:%S.%f").timestamp() - if ts > cutoff: - recent.append(post) - except: - pass - return recent - -def search_victim(keyword): - """Search for a specific victim across all posts""" - url = "https://raw.githubusercontent.com/joshhijom/ransomwatch/main/posts.json" - posts = requests.get(url).json() - return [p for p in posts if keyword.lower() in p.get("post_title", "").lower()] - -# Usage -recent = get_recent_ransomware_posts(days=30) -print(f"Posts in last 30 days: {len(recent)}") - -victim_hits = search_victim("target company name") -for hit in victim_hits: - print(hit.get("group_name"), "|", hit.get("post_title"), "|", hit.get("discovered")) -``` - -### Fetch Group List from ransomware.live -```python -import requests - -# Get all tracked groups -resp = requests.get("https://api.ransomware.live/v2/groups") -groups = resp.json() -for g in groups: - print(g.get("name"), "|", g.get("location")) -``` - ---- - -## 6. Cross-Reference with Threat Intelligence - -After identifying a ransomware group, pivot to: - -``` -# CISA advisories -https://www.cisa.gov/known-exploited-vulnerabilities-catalog - -# FBI flash alerts -https://www.ic3.gov/Media/News/2024 - -# Talos intelligence -https://www.talosintelligence.com/ransomware_roundup - -# AlienVault OTX pulse for the group -https://otx.alienvault.com/browse/pulses?q=GROUPNAME - -# VirusTotal collections -https://www.virustotal.com/gui/collections → search group name -``` - ---- - -## 7. 
Sector & Country Statistics - -``` -# From ransomware.live statistics -https://www.ransomware.live/charts - -# Useful for: -# - Identifying most targeted sectors -# - Country-specific threat landscape -# - Time-based trend analysis -# - Executive-level reporting -``` - ---- - -## Tips - -- **ransomware.live** is the single best free resource — bookmark it -- **ransomwatch JSON** is machine-readable — great for automated monitoring and alerting -- **MITRE ATT&CK** group pages have the most authoritative TTP mappings -- **Malpedia** is the best technical reference for malware family details and YARA rules -- Set up **automated alerts**: scrape ransomwatch JSON periodically and alert on new keyword matches -- **Victim names are often redacted** initially — monitor for updates where full names appear -- Cross-reference group names across **Malpedia + MITRE + VirusTotal** for complete picture - ---- - -*Reference: [OSINT Cheat Sheet — Researching Cyber Threats & SOC/Threat Hunting sections](https://github.com/Jieyab89/OSINT-Cheat-sheet) by [Jieyab89](https://github.com/Jieyab89)* diff --git a/Jieyab-Claude-Skills/OSINT/Darkweb-Intel/references/threat-actor-profiling.md b/Jieyab-Claude-Skills/OSINT/Darkweb-Intel/references/threat-actor-profiling.md deleted file mode 100644 index d757f6e..0000000 --- a/Jieyab-Claude-Skills/OSINT/Darkweb-Intel/references/threat-actor-profiling.md +++ /dev/null 
@@ -1,247 +0,0 @@ -# Threat Actor Profiling & Attribution - -> *Tools sourced from [OSINT Cheat Sheet](https://github.com/Jieyab89/OSINT-Cheat-sheet) by [Jieyab89](https://github.com/Jieyab89)* - -## Objective -Build structured intelligence profiles on threat actors — including APT groups, -ransomware operators, hacktivists, and cybercriminals — using public sources, -CTI frameworks, and dark web intelligence feeds. - ---- - -## 1. MITRE ATT&CK Framework - -The gold standard for mapping threat actor behavior: - -``` -https://attack.mitre.org/groups/ → All documented threat groups -https://attack.mitre.org/techniques/ → Full technique catalog -https://attack.mitre.org/software/ → Malware & tools per group -https://attack.mitre.org/campaigns/ → Campaign-level attribution - -# Useful group pages -https://attack.mitre.org/groups/G0032/ → Lazarus Group (DPRK) -https://attack.mitre.org/groups/G0034/ → Sandworm (Russia) -https://attack.mitre.org/groups/G0007/ → APT28 / Fancy Bear -https://attack.mitre.org/groups/G0016/ → APT41 (China) -``` - -### ATT&CK Navigator — Visualize Group TTPs -``` -https://mitre-attack.github.io/attack-navigator/ -# Load a group's technique layer to visualize which TTPs they use -# Useful for: detection gap analysis, hunting hypothesis generation -``` - ---- - -## 2. 
APT Group Databases - -### Google APT Search CSE -``` -# From Jieyab89's SOC & Threat Hunting list -https://cse.google.com/cse?cx=003248445720253387346:turlh5vi4xc -# Search across multiple APT reporting sources simultaneously -``` - -### APT Group Spreadsheet -``` -# From Jieyab89's list -https://docs.google.com/spreadsheets/u/1/d/1H9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePFX68EKU/pubhtml -# Comprehensive APT group list with: -# - Group names and aliases -# - Nation-state attribution -# - Target sectors -# - Active years -``` - -### Malpedia — Actor Profiles -``` -https://malpedia.caad.fkie.fraunhofer.de/actors -# Threat actor profiles linked to malware families -# Each actor page contains: -# - Aliases (different vendor names for same group) -# - Associated malware families -# - References to reporting -# - Country attribution -``` - ---- - -## 3. Threat Intelligence Platforms - -### AlienVault OTX (Free, Community-Driven) -``` -https://otx.alienvault.com - -# Search by actor/group name -https://otx.alienvault.com/browse/pulses?q=APT28 - -# Get pulses for a domain/IP/hash -https://otx.alienvault.com/indicator/domain/target.com -https://otx.alienvault.com/indicator/ip/1.2.3.4 -https://otx.alienvault.com/indicator/file/HASH - -# API -curl -X GET "https://otx.alienvault.com/api/v1/indicators/domain/target.com/general" \ - -H "X-OTX-API-KEY: YOUR_KEY" -``` - -### Talos Intelligence (Cisco) -``` -https://www.talosintelligence.com -https://www.talosintelligence.com/reputation_center - -# Actor-specific reporting -https://blog.talosintelligence.com/?q=APT → Search for APT blog posts -``` - -### Recorded Future (Commercial) -``` -https://www.recordedfuture.com/vulnerability-database -# Free tier: some intelligence available without subscription -``` - -### Mandiant / Google TI -``` -https://www.mandiant.com/advantage/threat-intelligence -https://cloud.google.com/security/products/threat-intelligence - -# Free access to some reports and IOCs -# APT naming convention: APT1, 
APT28, etc. -``` - -### Falcon Feeds -``` -# From Jieyab89's list -https://falconfeeds.io -# Dark web threat intelligence feeds -# Actor profiles and IOC collections -``` - ---- - -## 4. Building an Actor Profile - -### Profile Template -```markdown -## Threat Actor Profile - -**Name**: [Primary name] -**Aliases**: [Vendor-specific names — different vendors name same group differently] -**Attribution**: [Suspected nation-state or criminal group] -**Active Since**: [Year] -**Motivation**: [Financial / Espionage / Hacktivism / Disruption] - -### Targeting -- **Sectors**: [Finance, Healthcare, Government, etc.] -- **Regions**: [Geographic focus] -- **Typical Victims**: [Organization types] - -### TTPs (MITRE ATT&CK) -- Initial Access: [T1566 Phishing / T1190 Exploit Public-Facing Application] -- Execution: [T1059 Command and Scripting Interpreter] -- Persistence: [T1053 Scheduled Task/Job] -- C2: [T1071 Application Layer Protocol] -- Exfiltration: [T1041 Exfiltration Over C2 Channel] - -### Malware & Tools -- [Malware family 1] — [description, Malpedia link] -- [Malware family 2] -- [Custom tooling] - -### Infrastructure -- [Known C2 domains/IPs] -- [Hosting patterns] -- [Certificate patterns] - -### Dark Web Presence -- [Forum aliases if known] -- [Ransomware leak site if applicable] -- [Communication channels] - -### Key Reports -- [Vendor report 1 — link] -- [Vendor report 2 — link] - -### IOCs -- Domains: [] -- IPs: [] -- Hashes: [] -- YARA: [] -``` - ---- - -## 5. Alias Resolution — Same Actor, Different Names - -Vendors name the same group differently. Always cross-reference: - -``` -# APT28 aka: -# Fancy Bear (CrowdStrike), Sofacy (Kaspersky), Pawn Storm (Trend Micro), -# STRONTIUM (Microsoft), BlueDelta (Recorded Future), TA422 (Proofpoint) - -# Lookup tool — resolve aliases -https://apt.etda.or.th/cgi-bin/listgroups.cgi → ETDA APT alias resolver -https://malpedia.caad.fkie.fraunhofer.de/actors → Malpedia with aliases -``` - ---- - -## 6. 
Dark Web Forum Actor Tracking - -Track threat actor aliases across underground forums (clearnet intelligence): - -``` -# Search actor alias on clearnet -site:github.com "actor_alias" -site:pastebin.com "actor_alias" -"actor_alias" site:twitter.com OR site:x.com - -# Threat intelligence reports mentioning the alias -"actor_alias" filetype:pdf site:mandiant.com -"actor_alias" filetype:pdf site:crowdstrike.com -"actor_alias" site:securelist.com - -# Searchable CTI sources -https://otx.alienvault.com/browse/pulses?q=actor_alias -https://www.talosintelligence.com/ → Blog search -https://www.group-ib.com/resources/ → Group-IB reports -``` - ---- - -## 7. CTI Report Aggregators - -``` -https://www.cisa.gov/news-events/cybersecurity-advisories → CISA advisories -https://www.ic3.gov/Media/News → FBI alerts -https://www.ncsc.gov.uk/section/reports-advisories/ → UK NCSC -https://www.cyber.gov.au/about-us/advisories → Australian ASD -https://seclists.org/fulldisclosure/ → Full disclosure list - -# Community feeds -https://otx.alienvault.com → OTX Pulses -https://www.virustotal.com/gui/collections → VT collections -https://yaraify.abuse.ch/yarahub/ → YARA rules from community - -# Indonesian context -https://bssn.go.id → BSSN (ID national cyber agency) -https://www.idsirtii.or.id → ID-SIRTII national CSIRT -``` - ---- - -## Tips - -- **Malpedia** is the best single source for actor ↔ malware ↔ alias mapping -- **MITRE ATT&CK** is authoritative for TTP mapping — always map to it for consistency -- **APT alias confusion** is common — always check multiple vendor names before concluding -- **OTX Pulses** are often the fastest community source for newly emerging actor intelligence -- **ETDA APT list** is excellent for quickly resolving vendor naming differences -- **Attribution** should always include a confidence level — it's rarely 100% certain - ---- - -*Reference: [OSINT Cheat Sheet — SOC & Threat Hunting & Researching Cyber Threats 
sections](https://github.com/Jieyab89/OSINT-Cheat-sheet) by [Jieyab89](https://github.com/Jieyab89)* diff --git a/Jieyab-Claude-Skills/README.md b/Jieyab-Claude-Skills/README.md index 6042224..4d68808 100644 --- a/Jieyab-Claude-Skills/README.md +++ b/Jieyab-Claude-Skills/README.md @@ -1,13 +1,5 @@ -# Usage +# NOTES -You can use claude desktop or claude cli, but in this case i use claude cli. Import the skills on this path +On maintence, Jieyab under review for better result and do something research. I will update soon -``` -/home//.claude/skills/Darkweb-Intel -``` - -Then in claude run /skills or u can call the skills path for claude - -# Read the Claude Doc - -https://code.claude.com/docs/en/skills \ No newline at end of file +Thank u \ No newline at end of file diff --git a/README.md b/README.md index a5ab694..7abd3d1 100644 --- a/README.md +++ b/README.md @@ -1764,6 +1764,7 @@ If you has found the person phone number you can check at data breach, e wallet, - [usersearch](https://usersearch.com/) - [blackbird (mostly Indonesia)](https://blackbird.mom/) - [user-scanner](https://github.com/kaifcodec/user-scanner/releases/tag/v1.1.0) +- [maigret 2 made by Rust](https://github.com/krishpranav/maigret/blob/master/data.json) # Social Networks
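Review bot: the deletion of references/paste-leak-monitoring.md (and the other nine reference files in this patch) has no stated rationale; the subject line is just "audit 1" and the replacement README only says the skill is "under review". If the material is expected to return after the audit, keeping the files with an under-review banner would be easier to review than a 2,600-line delete followed by a re-add. If it is restored, one line in the Breach Validation block needs a caveat: "Date of the data (older = lower risk of active exploitation)" understates the risk from credential reuse; an old dump containing plaintext passwords is still usable against anyone who has not rotated, so severity should key on password format and reuse exposure rather than age alone.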
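Review bot: the deleted ransomware-tracking.md carries bugs that should not be copied back verbatim if the file is restored. In `search_victim` the feed URL is `https://raw.githubusercontent.com/joshhijom/ransomwatch/main/posts.json` while every other reference in the file uses `joshhighet/ransomwatch`, so that function always fails. `get_recent_ransomware_posts` wraps the timestamp parse in a bare `except: pass`, which silently drops every post whose `discovered` field does not match `%Y-%m-%d %H:%M:%S.%f` and makes an upstream format change look like an empty feed; narrow it to `(KeyError, ValueError)` and log the skipped post. None of the `requests.get` calls pass `timeout=`, so a hung connection blocks a periodic monitoring job indefinitely.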
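Review bot: if threat-actor-profiling.md is restored, the MITRE example `https://attack.mitre.org/groups/G0016/ → APT41 (China)` is wrong: G0016 is APT29 (attributed to Russia), and APT41 is G0096. The other listed IDs (G0007 APT28, G0032 Lazarus Group, G0034 Sandworm) are correct. Every hard-coded group ID should be checked against the live ATT&CK page before the file comes back, since a wrong ID sends the reader to a different actor's TTPs without any visible error.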
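Review bot: the rewritten Jieyab-Claude-Skills/README.md removes the only install instructions (the `/home//.claude/skills/Darkweb-Intel` path and the link to https://code.claude.com/docs/en/skills) without pointing users anywhere else, and the replacement text has a spelling error ("maintence" should be "maintenance") and reads as a personal note ("Thank u"). Suggest keeping the documentation link, saying which skills in the repository remain usable, and putting the reason for the removal in the commit message, which currently says only "audit 1".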
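Review bot: the new README.md entry `[maigret 2 made by Rust](https://github.com/krishpranav/maigret/blob/master/data.json)` links to a single data file rather than the project, so the reader lands on a JSON blob with no description or install instructions; link the repository root instead. The label should read "written in Rust", and because "maigret 2" implies a successor to an existing tool, the entry should state whether this is the upstream project or an independent port so readers can judge how much to trust it before running it against a target.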