├── .gitignore
├── LICENSE
├── README.md
├── config.ini
├── explorer.py
├── ioc.csv
├── logging.conf
├── pics
│   └── illustration.png
├── relationship.py
├── results
│   ├── 46173adc26721fb54f6e1a1091a892d4_depth_3_201907171121.json
│   └── 46173adc26721fb54f6e1a1091a892d4_depth_3_201907171121.txt
└── samples
    ├── 192.99.142.235_depth_3_201907171110.json
    ├── 192.99.142.235_depth_3_201907171110.txt
    ├── 373192510@qq.com_depth_3_201907171117.json
    ├── 373192510@qq.com_depth_3_201907171117.txt
    ├── 46173adc26721fb54f6e1a1091a892d4_depth_3_201907171121.json
    ├── 46173adc26721fb54f6e1a1091a892d4_depth_3_201907171121.txt
    ├── c0531f812a1ec5e825f7250f7b52db7621ecf93d973f0e3ba1aa0372e0f559f2_depth_3_201907171114.json
    ├── c0531f812a1ec5e825f7250f7b52db7621ecf93d973f0e3ba1aa0372e0f559f2_depth_3_201907171114.txt
    ├── c3f5add704f2c540f3dd345f853e2d84_depth_3_201907171114.json
    ├── c3f5add704f2c540f3dd345f853e2d84_depth_3_201907171114.txt
    ├── e889544aff85ffaf8b0d0da705105dee7c97fe26_depth_3_201907171120.json
    ├── e889544aff85ffaf8b0d0da705105dee7c97fe26_depth_3_201907171120.txt
    ├── xnz.freetzi.com_depth_3_201907171113.json
    └── xnz.freetzi.com_depth_3_201907171113.txt

/.gitignore:
--------------------------------------------------------------------------------
# Byte-compiled / optimized / DLL files
__pycache__/
*.py[cod]
*$py.class

# C extensions
*.so

# Distribution / packaging
.Python
build/
develop-eggs/
dist/
downloads/
eggs/
.eggs/
lib/
lib64/
parts/
sdist/
var/
wheels/
*.egg-info/
.installed.cfg
*.egg
MANIFEST

# PyInstaller
# Usually these files are written by a python script from a template
# before PyInstaller builds the exe, so as to inject date/other infos into it.
*.manifest
*.spec

# Installer logs
pip-log.txt
pip-delete-this-directory.txt

# Unit test / coverage reports
htmlcov/
.tox/
.coverage
.coverage.*
.cache
nosetests.xml
coverage.xml
*.cover
.hypothesis/
.pytest_cache/

# Translations
*.mo
*.pot

# Django stuff:
*.log
local_settings.py
db.sqlite3

# Flask stuff:
instance/
.webassets-cache

# Scrapy stuff:
.scrapy

# Sphinx documentation
docs/_build/

# PyBuilder
target/

# Jupyter Notebook
.ipynb_checkpoints

# pyenv
.python-version

# celery beat schedule file
celerybeat-schedule

# SageMath parsed files
*.sage.py

# Environments
.env
.venv
env/
venv/
ENV/
env.bak/
venv.bak/

# Spyder project settings
.spyderproject
.spyproject

# Rope project settings
.ropeproject

# mkdocs documentation
/site

# mypy
.mypy_cache/

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2019 lion-gu

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# IOC Explorer - Explore IOCs Automatically

![illustration](pics/illustration.png)

## Introduction

Correlating Indicators of Compromise (IOCs) is a key part of incident investigation and even threat hunting. Finding one IP address that hosts several known malicious files helps SOC teams implement a more effective countermeasure by blocking that IP address. However, building a correlation usually means a lot of manual work, such as searching multiple IOCs across different threat intelligence sources (community sources or private sources). Sometimes a correlation can only be found after several iterative queries.

IOC Explorer aims to execute iterative queries across multiple threat intelligence sources automatically. It may help security analysts find more clues for an investigation.

## Requirements

IOC Explorer is written in Python 3. It is *not* tested with other Python versions.

Please make sure you have installed the following libraries before you start:

1. requests 2.20.1
2. anytree 2.4.3

## Quick Start

1. Open the config.ini file and enter your API key in the VirusTotal or QiAnXin_TI section
2. Open the ioc.csv file and enter the IOC to query (e.g., 'domain, xnz.freetzi.com')
3. Run the tool from the command line
   ```
   $ python explorer.py
   ```
4. Go to the './results' directory to check your query result

## Usage in Details

### Initial Configuration

There are some settings to configure before the first run. Basically, all settings stored in the 'config.ini' file fall into two categories: query behavior settings and threat intelligence settings.

The 'depth' setting in the 'general' section is an important query behavior setting. It defines the number of iterative queries; each iteration queries the intelligence sources with the IOCs returned by the previous iteration. The default setting is 'depth=3'. If the user increases the value, the tool carries out additional queries on the previously returned IOCs.

Each threat intelligence source has its own settings. However, the API key is the most common setting for intelligence sources, and it is required.

### Input IOC

Currently, 4 IOC types are supported:

- email address (ioc_type='email')
- file hash (ioc_type='file') Note: md5/sha1/sha256 are supported
- ip address (ioc_type='ip_address')
- domain name (ioc_type='domain')

The CSV file (by default, ./ioc.csv) is the place to enter the IOCs to query. Each row of the CSV file has the following format:

```
IOC_type, IOC_value
```

For example,

```
domain, xnz.freetzi.com
file, c0531f812a1ec5e825f7250f7b52db7621ecf93d973f0e3ba1aa0372e0f559f2
email, 373192510@qq.com
ip_address, 192.99.142.235
```

### Output Result

After querying multiple threat intelligence sources, IOC Explorer collects all returned IOCs and outputs them in a well-organized way.

This tool supports two output formats: plain-text and JSON.

IOCs in plain-text output are organized as a tree, like the following:

```
AnyNode(id='373192510@qq.com', type='email')
├── AnyNode(id='qq758.com', relation='QAX: Whois email to domain', type='domain')
│   ├── AnyNode(id='5292086@qq.com', relation='QAX: domain to whois email', type='email')
│   │   ├── AnyNode(id='ltcp3.com', relation='QAX: Whois email to domain', type='domain')
│   │   ├── AnyNode(id='lzskqc.com', relation='QAX: Whois email to domain', type='domain')
│   │   ├── AnyNode(id='df796.com', relation='QAX: Whois email to domain', type='domain')
│   │   ├── AnyNode(id='mir900.com', relation='QAX: Whois email to domain', type='domain')
│   │   ├── AnyNode(id='888hl.com', relation='QAX: Whois email to domain', type='domain')
│   │   ├── AnyNode(id='jiemianpaomo.com', relation='QAX: Whois email to domain', type='domain')
│   │   ├── AnyNode(id='qx969.com', relation='QAX: Whois email to domain', type='domain')
│   │   ├── AnyNode(id='c888c.com', relation='QAX: Whois email to domain', type='domain')
│   │   ├── AnyNode(id='982307.com', relation='QAX: Whois email to domain', type='domain')
│   │   └── AnyNode(id='ac0028.com', relation='QAX: Whois email to domain', type='domain')
│   ├── AnyNode(id='47.91.202.66', relation='VT: domain to resolution ip', type='ip_address')
│   │   ├── AnyNode(id='4bf7e7e6c78c1a69def4beef216ad52dbabae1f831f49067e3b29f8a7a62d71e', relation='VT: IP to downloaded file', type='file')
│   │   ├── AnyNode(id='e682dfcdde010f6e15bae0d843696f6ae8d5a85e75441660b782789ee747f075', relation='VT: IP to downloaded file', type='file')
│   │   ├── AnyNode(id='88f089e2e069ca698fa498fb5ba5f46fd95d3c8ee5b4c5c6587eae8d2db43fe7', relation='VT: IP to downloaded file', type='file')
│   │   ├── AnyNode(id='39a75a83af8d38202ab05de7ac9beae6e00d21501867601cc2a86094c79d6f16', relation='VT: IP to downloaded file', type='file')
│   │   ├── AnyNode(id='1630ab0121c4df64230045ef86ee54e5ee05bd371c2b3c26bcdb0ef3a0d2360f', relation='VT: IP to downloaded file', type='file')
│   │   ├── AnyNode(id='7d04f7431bbfa41a04bcc7e6b98b9de0d919756c4c671c5785c99fff45f16402', relation='VT: IP to downloaded file', type='file')
│   │   ├── AnyNode(id='9b342ae7f25d65bdb817d8c995f3211ac398e41575fc5d149d994c1dcb008f0a', relation='VT: IP to downloaded file', type='file')
│   │   ├── AnyNode(id='39d6bba9f294f11f84933e48483aff12a9efc5c7d6eb4f57a8d36ef8bd71823e', relation='VT: IP to downloaded file', type='file')
│   │   ├── AnyNode(id='d37608c9b93ae18c5ed5d376e32449f95358f708a35cd8b06431ca2be733f87e', relation='VT: IP to downloaded file', type='file')
│   │   └── AnyNode(id='fb7595b2d6f1cc89cca75ec06186c228274e95fb6c3e233e8de2e804284ab8c1', relation='VT: IP to downloaded file', type='file')
```

The default output directory is './results'. File names follow this naming rule: {ioc_value}_depth_{depth_value}_{timestamp}, like '192.99.142.235_depth_3_201907171110.txt'

More sample results are given in the './samples' directory for reference.

## Threat Intelligence Sources

Plenty of TI sources exist in the cybersecurity field. As a start, IOC Explorer supports the following sources:

- VirusTotal, both public and private data available
- QiAnXin, only private data

A summary of the IOC relations follows:

| Source     | Type               | Relation        | Explanation                                     |
| ---------- | ------------------ | --------------- | ----------------------------------------------- |
| VirusTotal | Public and private | Ip -> file      | Files downloaded from the IP address            |
| VirusTotal | Public and private | Domain -> file  | Files downloaded from the domain                |
| VirusTotal | Public and private | Domain -> ip    | DNS resolutions for the domain                  |
| VirusTotal | Public and private | File -> ip      | IP addresses contacted by the file              |
| VirusTotal | Public and private | File -> domain  | Domains contacted by the file                   |
| VirusTotal | Public and private | File -> file    | Files that executed the file                    |
| QiAnXin    | Private            | Domain -> ip    | DNS resolutions (A record) for the domain       |
| QiAnXin    | Private            | Domain -> email | Registrant email for the domain in Whois record |
| QiAnXin    | Private            | Email -> domain | Domain names registered in the same email       |
| QiAnXin    | Private            | File -> ip      | IP addresses contacted by the file              |
| QiAnXin    | Private            | File -> domain  | Domains contacted by the file                   |

You can contact me about publicly available sources, or add your private sources yourself.

## Future Plan

During tests, some known good IOCs (like CDN IP addresses) appeared in the results. If a tag were attached to such IOCs, it would bring additional hints for analysis. But such data enrichment requires more reliable data sources. Searching for data sources is one (probably long-term) item of the future plan.

Any ideas or suggestions are appreciated, and feel free to contact me: lion.gu@gmail.com

--------------------------------------------------------------------------------
/config.ini:
--------------------------------------------------------------------------------
[general]

####################
# Depth is the count of iterative queries
# Default value is 3

depth=3

[VirusTotal]

# API Key
api_key = xxxxxxxxxxxxxxxxxxxxxx

# Relationship
ip_downloaded_files = https://www.virustotal.com/api/v3/ip_addresses/{ip}/downloaded_files
domain_downloaded_files = https://www.virustotal.com/api/v3/domains/{domain}/downloaded_files
domain_resolutions = https://www.virustotal.com/api/v3/domains/{domain}/resolutions
file_contacted_ips = https://www.virustotal.com/api/v3/files/{file}/contacted_ips
file_contacted_domains = https://www.virustotal.com/api/v3/files/{file}/contacted_domains
file_execution_parents = https://www.virustotal.com/api/v3/files/{file}/execution_parents

# Query Params
# Maximum number of related objects to retrieve
limit = 10

[QiAnXin_TI]

api_key = xxxxxxxxxxxxxxxxxx

file_reputation = https://ti.qianxin.com/api/v2/malfile_pro

[QiAnXin_Whoisdb]

registrant_email = http://fdp.example.cn/whois/detail/{domain}

reverse_email = http://fdp.example.cn/whois/reverse/email/{email}

reverse_email_limit = 10

[QiAnXin_PDNS]

flint = http://fdp.example.cn/flint/rrset/{domain}/

# Maximum number of related records to retrieve
limit = 10

# Time interval
start = 20190101000000
end = 20200101000000

# Relationship between time interval and record time range (time_first, time_last)
mode = 5

# Record type
# A = 1, NS = 2, CNAME = 5, SOA = 6, MX = 15, TXT = 16, AAAA = 28, SRV = 33
rtype = 1

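The README's "Input IOC" section defines four IOC types and a two-column CSV row, and explorer.py builds each result file name from the IOC value. The following is an added example, not code from the repository: it validates and normalizes ioc.csv rows before they are queried. The names `normalize_ioc`, `load_iocs` and `SAMPLE` are hypothetical, the sample rows are constructed from the README's values plus invalid ones, and accepting IPv6 addresses is an assumption.

```python
import csv
import io
import ipaddress
import re

# Digest lengths for the hash types the README lists (md5/sha1/sha256).
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
EMAIL_RE = re.compile(r"[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+(\.[a-zA-Z0-9-]+)+")
# One DNS label: 1-63 characters, no leading or trailing hyphen.
LABEL_RE = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")


def normalize_ioc(ioc_type, value):
    """Return (ioc_type, canonical_value) or raise ValueError with the reason."""
    ioc_type = ioc_type.strip().lower()
    value = value.strip()  # the README's 'type, value' form leaves a leading space
    if ioc_type == "file":
        if len(value) not in HASH_LENGTHS or not re.fullmatch(r"[0-9a-fA-F]+", value):
            raise ValueError("not an md5/sha1/sha256 hex digest")
        return ioc_type, value.lower()
    if ioc_type == "ip_address":
        try:
            # Assumption: IPv6 is accepted as well as IPv4.
            return ioc_type, str(ipaddress.ip_address(value))
        except ValueError:
            raise ValueError("not an IP address") from None
    if ioc_type == "domain":
        name = value.lower().rstrip(".")
        labels = name.split(".")
        if (len(name) > 253 or len(labels) < 2 or labels[-1].isdigit()
                or not all(LABEL_RE.fullmatch(label) for label in labels)):
            raise ValueError("not a valid domain name")
        return ioc_type, name
    if ioc_type == "email":
        if not EMAIL_RE.fullmatch(value):
            raise ValueError("not a valid email address")
        local, _, domain = value.rpartition("@")
        return ioc_type, local + "@" + domain.lower()
    raise ValueError("unsupported ioc_type %r" % ioc_type)


def load_iocs(csv_text):
    """Parse ioc.csv content and return (accepted, rejected).

    accepted: list of (ioc_type, value), normalized and de-duplicated
    rejected: list of (line_number, reason)
    """
    accepted, rejected, seen = [], [], set()
    for lineno, row in enumerate(csv.reader(io.StringIO(csv_text)), start=1):
        if not "".join(row).strip():
            continue  # blank line
        if len(row) != 2:
            rejected.append((lineno, "expected 2 columns, got %d" % len(row)))
            continue
        try:
            ioc = normalize_ioc(row[0], row[1])
        except ValueError as exc:
            rejected.append((lineno, str(exc)))
            continue
        if ioc not in seen:  # the same IOC written twice is queried once
            seen.add(ioc)
            accepted.append(ioc)
    return accepted, rejected


# Constructed sample: the README's four rows (one hash upper-cased), three
# invalid rows, and a duplicate of the first row in a different spelling.
SAMPLE = """\
domain, xnz.freetzi.com
file, C0531F812A1EC5E825F7250F7B52DB7621ECF93D973F0E3BA1AA0372E0F559F2
email, 373192510@qq.com
ip_address, 192.99.142.235
domain, ../../etc/passwd
file, 46173adc26721fb54f6e1a1091a892d
url, http://example.test/a
domain,XNZ.freetzi.com.
"""

if __name__ == "__main__":
    ok, bad = load_iocs(SAMPLE)
    for ioc_type, value in ok:
        print("query ", ioc_type, value)
    for lineno, reason in bad:
        print("reject line", lineno, "-", reason)
```

Every accepted value is free of path separators, so it is safe to embed in the `{ioc_value}_depth_{depth_value}_{timestamp}` file name.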
--------------------------------------------------------------------------------
/explorer.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
# coding: utf-8

import os
import requests
import logging
from logging.config import fileConfig
import configparser
from anytree import AnyNode, RenderTree
from anytree.exporter import DotExporter, JsonExporter
import csv
import relationship
import argparse
from datetime import datetime

fileConfig('logging.conf')
logger = logging.getLogger()

config = configparser.ConfigParser()
config.read('config.ini')


def build_ioc_relation(root):
    """
    Expand the tree under 'root' level by level, for 'depth' iterations
    (config.ini, [general] section).

    Each relation function attaches its results to the queried node and
    returns them. Only IOC values not seen before are queried in the next
    iteration.
    """
    ioc_list = [root]
    query_queue = [root]
    ioc_value_list = [root.id]

    relation_list = [
        relationship.qax_domain_to_ip,
        relationship.qax_domain_to_email,
        relationship.qax_email_to_domain,
        relationship.qax_file_to_ip,
        relationship.qax_file_to_domain,
        relationship.vt_ip_to_file,
        relationship.vt_domain_to_file,
        relationship.vt_domain_to_ip,
        relationship.vt_file_to_ip,
        relationship.vt_file_to_domain,
        relationship.vt_file_to_file
    ]

    query_depth = int(config.get('general', 'depth'))

    for seed in range(query_depth):

        # IOCs found in this iteration; they are queried in the next one
        queue_temp = []

        for ioc in query_queue:

            for relation in relation_list:
                result_list = relation(ioc)

                for r in result_list:
                    if r.id not in ioc_value_list:
                        ioc_value_list.append(r.id)
                        ioc_list.append(r)
                        queue_temp.append(r)

        query_queue = queue_temp

    return ioc_list


def main(ioc_file, output_dir):

    # Create the output directory if it does not exist yet
    os.makedirs(output_dir, exist_ok=True)

    with open(ioc_file, newline='') as csvfile:
        # skipinitialspace accepts the 'type, value' form shown in the README
        iocreader = csv.reader(csvfile, delimiter=',', skipinitialspace=True)
        for row in iocreader:
            # Skip blank or incomplete rows
            if len(row) < 2:
                continue

            root = AnyNode(id=row[1].strip(), type=row[0].strip())

            logger.info('=========Start to explore IOC: %s', root.id)

            ioc_list = build_ioc_relation(root)

            timestamp = datetime.now().strftime('%Y%m%d%H%M')
            query_depth = config.get('general', 'depth')

            # The IOC value comes from the input file: keep path separators
            # out of the file name and let os.path.join add the directory
            safe_id = root.id.replace('/', '_').replace('\\', '_')
            basename = safe_id + '_depth_' + query_depth + '_' + timestamp

            txtfile = os.path.join(output_dir, basename + '.txt')
            with open(txtfile, "w", encoding='utf-8') as file:
                file.write(str(RenderTree(root)))

            logger.info('Export IOCs to TXT file: %s', txtfile)

            jsonfile = os.path.join(output_dir, basename + '.json')
            with open(jsonfile, "w", encoding='utf-8') as file:
                exporter = JsonExporter(indent=2, sort_keys=False)
                exporter.write(root, file)

            logger.info('Export IOCs to JSON file: %s', jsonfile)

            logger.info('=========Done exploration for IOC: %s', root.id)

    return


if __name__ == '__main__':

    parser = argparse.ArgumentParser(prog='ioc_explorer',
        description='Explore IOCs across multiple sources in an iterative way')
    parser.add_argument('-v', '--version', action='version', version='%(prog)s 1.0')
    parser.add_argument('-i', dest='ioc_file', default='./ioc.csv',
        help="""input csv file. Default file: ./ioc.csv.
        Format of csv file: ioc type, ioc value. For example: domain, google.com""")
    parser.add_argument('-o', dest='out_dir', default='./results/',
        help='output directory. Default directory: ./results')
    args = parser.parse_args()

    main(args.ioc_file, args.out_dir)

--------------------------------------------------------------------------------
/ioc.csv:
--------------------------------------------------------------------------------
ip_address,192.99.142.235
domain,xnz.freetzi.com
file,c3f5add704f2c540f3dd345f853e2d84
file,c0531f812a1ec5e825f7250f7b52db7621ecf93d973f0e3ba1aa0372e0f559f2
email,373192510@qq.com
file,e889544aff85ffaf8b0d0da705105dee7c97fe26
file,46173adc26721fb54f6e1a1091a892d4

--------------------------------------------------------------------------------
/logging.conf:
--------------------------------------------------------------------------------
[loggers]
keys=root

[handlers]
keys=stream_handler

[formatters]
keys=formatter

[logger_root]
level=DEBUG
handlers=stream_handler

[handler_stream_handler]
class=StreamHandler
level=DEBUG
formatter=formatter
args=(sys.stderr,)

[formatter_formatter]
format=%(asctime)s %(name)-12s %(levelname)-8s %(message)s

--------------------------------------------------------------------------------
/pics/illustration.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lion-gu/ioc-explorer/f7c812f300d22371ce773be784c60e164eb5f02f/pics/illustration.png

--------------------------------------------------------------------------------
/relationship.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
# coding: utf-8

import requests
import logging
from logging.config import fileConfig
from datetime import datetime, date, time, timedelta
import configparser
from anytree import AnyNode
import re

fileConfig('logging.conf')
logger = logging.getLogger()

config = configparser.ConfigParser()
config.read('config.ini')

regex_email = r"(^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$)"


def vt_ip_to_file(parent):
    """
    Files downloaded from the IP address

    Output is a list of file nodes with sha256 value

    Example: 192.99.142.235

    https://developers.virustotal.com/v3.0/reference#domains-relationships

    """

    result = []

    if parent.type != 'ip_address':
        return result

    ip_address = parent.id

    headers = {'x-apikey': config.get('VirusTotal', 'api_key')}
    params = {'limit': int(config.get('VirusTotal', 'limit'))}
    re_url = config.get('VirusTotal', 'ip_downloaded_files').replace('{ip}', ip_address)

    try:
        logger.debug('[Processing] Relationship query - VT: IP to downloaded files - %s', ip_address)
        r = requests.get(re_url, headers=headers, params=params, timeout=5)

    except requests.RequestException:
        # Network error or timeout: report no results for this relation
        logger.debug('[Error] Relationship query - VT: IP to downloaded files - %s', ip_address)
        return result

    logger.debug('[Done] Relationship query - VT: IP to downloaded files - %s', ip_address)

    if r.status_code == 200 and len(r.json()['data']) > 0:
        for i in r.json()['data']:

            if 'attributes' in i:
                child_node = AnyNode(id=i['attributes']['sha256'],
                                     type='file',
                                     relation='VT: IP to downloaded file',
                                     parent=parent)

                result.append(child_node)

    return result


def vt_domain_to_file(parent):
    """
    Files downloaded from the domain

    Output is a list of file nodes with sha256 value

    Example: xnz.freetzi.com

    https://developers.virustotal.com/v3.0/reference#domains-relationships

    """

    result = []

    if parent.type != 'domain':
        return result

    domain = parent.id

    headers = {'x-apikey': config.get('VirusTotal', 'api_key')}
    params = {'limit': int(config.get('VirusTotal', 'limit'))}
    re_url = config.get('VirusTotal', 'domain_downloaded_files').replace('{domain}', domain)

    try:
        logger.debug('[Processing] Relationship query - VT: domain to downloaded files - %s', domain)
        r = requests.get(re_url, headers=headers, params=params, timeout=5)

    except requests.RequestException:
        logger.debug('[Error] Relationship query - VT: domain to downloaded files - %s', domain)
        return result

    logger.debug('[Done] Relationship query - VT: domain to downloaded files - %s', domain)

    if r.status_code == 200 and len(r.json()['data']) > 0:
        for i in r.json()['data']:

            if 'attributes' in i:
                child_node = AnyNode(id=i['attributes']['sha256'],
                                     type='file',
                                     relation='VT: domain to downloaded file',
                                     parent=parent)

                result.append(child_node)

    return result


def vt_domain_to_ip(parent):
    """
    DNS resolutions for the domain

    Output is a list of IP address nodes

    Example: xnz.freetzi.com

    https://developers.virustotal.com/v3.0/reference#domains-relationships

    """

    result = []

    if parent.type != 'domain':
        return result

    domain = parent.id

    headers = {'x-apikey': config.get('VirusTotal', 'api_key')}
    params = {'limit': int(config.get('VirusTotal', 'limit'))}
    re_url = config.get('VirusTotal', 'domain_resolutions').replace('{domain}', domain)

    try:
        logger.debug('[Processing] Relationship query - VT: domain to resolution ip - %s', domain)
        r = requests.get(re_url, headers=headers, params=params, timeout=5)

    except requests.RequestException:
        logger.debug('[Error] Relationship query - VT: domain to resolution ip - %s', domain)
        return result

    logger.debug('[Done] Relationship query - VT: domain to resolution ip - %s', domain)

    if r.status_code == 200 and len(r.json()['data']) > 0:
        for i in r.json()['data']:

            if 'attributes' in i:
                child_node = AnyNode(id=i['attributes']['ip_address'],
                                     type='ip_address',
                                     relation='VT: domain to resolution ip',
                                     parent=parent)

                result.append(child_node)

    return result


def vt_file_to_ip(parent):
    """
    IP addresses contacted by the file

    Output is a list of IP address nodes

    Example: c3f5add704f2c540f3dd345f853e2d84

    https://developers.virustotal.com/v3.0/reference#domains-relationships

    """

    result = []

    if parent.type != 'file':
        return result

    file_hash = parent.id

    headers = {'x-apikey': config.get('VirusTotal', 'api_key')}
    params = {'limit': int(config.get('VirusTotal', 'limit'))}
    re_url = config.get('VirusTotal', 'file_contacted_ips').replace('{file}', file_hash)

    try:
        logger.debug('[Processing] Relationship query - VT: file to contacted ip - %s', file_hash)
        r = requests.get(re_url, headers=headers, params=params, timeout=5)

    except requests.RequestException:
        logger.debug('[Error] Relationship query - VT: file to contacted ip - %s', file_hash)
        return result

    logger.debug('[Done] Relationship query - VT: file to contacted ip - %s', file_hash)

    if r.status_code == 200 and len(r.json()['data']) > 0:
        for i in r.json()['data']:

            child_node = AnyNode(id=i['id'],
                                 type='ip_address',
                                 relation='VT: file to contacted ip',
                                 parent=parent)

            result.append(child_node)

    return result


def vt_file_to_domain(parent):
    """
    Domains contacted by the file.

    Output is a list of domains

    Example: c3f5add704f2c540f3dd345f853e2d84

    https://developers.virustotal.com/v3.0/reference#domains-relationships

    """

    result = []

    if parent.type != 'file':
        return result

    file_hash = parent.id

    headers = {'x-apikey': config.get('VirusTotal', 'api_key')}
    params = {'limit': int(config.get('VirusTotal', 'limit'))}
    re_url = config.get('VirusTotal', 'file_contacted_domains').replace('{file}', file_hash)

    try:
        logger.debug('[Processing] Relationship query - VT: file to contacted domains - %s', file_hash)
        r = requests.get(re_url, headers=headers, params=params, timeout=5)

    except requests.RequestException:
        logger.debug('[Error] Relationship query - VT: file to contacted domains - %s', file_hash)
        return result

    logger.debug('[Done] Relationship query - VT: file to contacted domains - %s', file_hash)

    if r.status_code == 200 and len(r.json()['data']) > 0:
        for i in r.json()['data']:

            child_node = AnyNode(id=i['id'],
                                 type='domain',
                                 relation='VT: file to contacted domain',
                                 parent=parent)

            result.append(child_node)

    return result


def vt_file_to_file(parent):
    """
    Files that executed the file.

    Output is a list of file hashes

    Example: c0531f812a1ec5e825f7250f7b52db7621ecf93d973f0e3ba1aa0372e0f559f2

    https://developers.virustotal.com/v3.0/reference#domains-relationships

    """

    result = []

    if parent.type != 'file':
        return result

    file_hash = parent.id

    headers = {'x-apikey': config.get('VirusTotal', 'api_key')}
    params = {'limit': int(config.get('VirusTotal', 'limit'))}
    re_url = config.get('VirusTotal', 'file_execution_parents').replace('{file}', file_hash)

    try:
        logger.debug('[Processing] Relationship query - VT: file to execution parents - %s', file_hash)
        r = requests.get(re_url, headers=headers, params=params, timeout=5)

    except requests.RequestException:
        logger.debug('[Error] Relationship query - VT: file to execution parents - %s', file_hash)
        return result

    logger.debug('[Done] Relationship query - VT: file to execution parents - %s', file_hash)

    if r.status_code == 200 and len(r.json()['data']) > 0:
        for i in r.json()['data']:

            if 'attributes' in i:
                child_node = AnyNode(id=i['attributes']['sha256'],
                                     type='file',
                                     relation='VT: file to execution parent',
                                     parent=parent)

                result.append(child_node)

    return result


def qax_domain_to_ip(parent):
    """
    Private data source of QiAnXin

    DNS resolutions (A record) for the domain

    Output is a list of IP addresses

    Example: xnz.freetzi.com

    https://wiki.example.cn/display/360JSYJ/flint

    """

    result = []

    if parent.type != 'domain':
        return result

    domain = parent.id

    params = {'limit': int(config.get('QiAnXin_PDNS', 'limit')),
              'start': int(config.get('QiAnXin_PDNS', 'start')),
              'end': int(config.get('QiAnXin_PDNS', 'end')),
              'mode': int(config.get('QiAnXin_PDNS', 'mode')),
              'rtype': int(config.get('QiAnXin_PDNS', 'rtype'))}

    re_url = config.get('QiAnXin_PDNS', 'flint').replace('{domain}', domain)

    try:
        logger.debug('[Processing] Relationship query - QAX: domain to resolution ip - %s', domain)
        r = requests.get(re_url, params=params, timeout=5)

    except requests.RequestException:
        logger.debug('[Error] Relationship query - QAX: domain to resolution ip - %s', domain)
        return result

    logger.debug('[Done] Relationship query - QAX: domain to resolution ip - %s', domain)

    if r.status_code == 200 and len(r.json()['data']) > 0:
        for i in r.json()['data']:

            # rdata holds the resolved addresses separated by ';'
            for j in i['rdata'].split(';'):
                if j != '':
                    child_node = AnyNode(id=j,
                                         type='ip_address',
                                         relation='QAX: domain to resolution ip',
                                         parent=parent)

                    result.append(child_node)

    return result


def qax_domain_to_email(parent):
    """
    Private data source of QiAnXin

    Registrant email for the domain in Whois record

    Output is a list of emails

    Example: freetzi.com

    https://wiki.example.cn/display/360JSYJ/detail

    """

    result = []

    if parent.type != 'domain':
        return result

    domain = parent.id

    re_url = config.get('QiAnXin_Whoisdb', 'registrant_email').replace('{domain}', domain)

    try:
        logger.debug('[Processing] Relationship query - QAX: domain to whois email - %s', domain)
        r = requests.get(re_url, timeout=5)

    except requests.RequestException:
        logger.debug('[Error] Relationship query - QAX: domain to whois email - %s', domain)
        return result

    logger.debug('[Done] Relationship query - QAX: domain to registrant email - %s', domain)

    if r.json()['code'] == 200 and 'registrantEmail' in r.json()['data']:

        email = r.json()['data']['registrantEmail'][0]
        # Keep the value only if it looks like an email address
        if re.search(regex_email, email):
            child_node = AnyNode(id=email,
                                 type='email',
                                 relation='QAX: domain to whois email',
                                 parent=parent)

            result.append(child_node)

    return result


def qax_email_to_domain(parent):
    """
    Private data source of QiAnXin

    Domain names registered in the same email

    Output is a list of domains

    Example: 373192510@qq.com

    https://wiki.example.cn/display/360JSYJ/reverse

    """

    result = []

    if parent.type != 'email':
        return result

    email = parent.id

    params = {'limit': int(config.get('QiAnXin_Whoisdb', 'reverse_email_limit'))}
    re_url = config.get('QiAnXin_Whoisdb', 'reverse_email').replace('{email}', email)

    try:
        logger.debug('[Processing] Relationship query - QAX: Whois email to domains - %s', email)
        r = requests.get(re_url, params=params, timeout=5)

    except requests.RequestException:
        logger.debug('[Error] Relationship query - QAX: Whois email to domains - %s', email)
        return result

    logger.debug('[Done] Relationship query - QAX: Whois email to domains - %s', email)

    if r.json()['code'] == 200 and len(r.json()['data']) > 0:
        for i in r.json()['data']:
            child_node = AnyNode(id=i,
                                 type='domain',
                                 relation='QAX: Whois email to domain',
                                 parent=parent)

            result.append(child_node)

    return result


def qax_file_to_ip(parent):
    """
    Private data source of QiAnXin

    IP addresses contacted by the file

    Output is a list of IP addresses

    Example: e889544aff85ffaf8b0d0da705105dee7c97fe26

    https://wiki.example.cn/display/360JSYJ/reverse

    """

    result = []

    if parent.type != 'file':
        return result

    file_hash = parent.id

    params = {'apikey': config.get('QiAnXin_TI', 'api_key'),
              'param': file_hash}
    re_url = config.get('QiAnXin_TI', 'file_reputation')

    try:
        logger.debug('[Processing] Relationship query - QAX: file to contacted IPs - %s', file_hash)
        r = requests.get(re_url, params=params, timeout=5)

    except requests.RequestException:
        logger.debug('[Error] Relationship query - QAX: file to contacted IPs - %s', file_hash)
        return result

    logger.debug('[Done] Relationship query - QAX: file to contacted IPs - %s', file_hash)

    if r.json()['status'] == 10000 and len(r.json()['data']) > 0:
        for i in r.json()['data']:
            if 'network' in i and 'ip' in i['network']:
                for j in i['network']['ip']:
                    child_node = AnyNode(id=j,
                                         type='ip_address',
                                         relation='QAX: file to contacted ip',
                                         parent=parent)

                    result.append(child_node)

    return result


def qax_file_to_domain(parent):
    """
    Private data source of QiAnXin

    Domains contacted by the file

    Output is a list of domains

    Example: 46173adc26721fb54f6e1a1091a892d4

    https://wiki.example.cn/display/360JSYJ/reverse

    """

    result = []

    if parent.type != 'file':
        return result

    file_hash = parent.id

    params = {'apikey': config.get('QiAnXin_TI', 'api_key'),
              'param': file_hash}
    re_url = config.get('QiAnXin_TI', 'file_reputation')

    try:
        logger.debug('[Processing] Relationship query - QAX: file to contacted domains - %s', file_hash)
        r = requests.get(re_url, params=params, timeout=5)

    except requests.RequestException:
        logger.debug('[Error] Relationship query - QAX: file to contacted domains - %s', file_hash)
        return result

    logger.debug('[Done] Relationship query - QAX: file to contacted domains - %s', file_hash)

    if r.json()['status'] == 10000 and len(r.json()['data']) > 0:
        for i in r.json()['data']:
            if 'network' in
i and 'domain' in i['network']: 534 | for j in i['network']['domain']: 535 | child_node = AnyNode(id=j, 536 | type='domain', 537 | relation='QAX: file to contacted domain', 538 | parent=parent) 539 | 540 | result.append(child_node) 541 | 542 | 543 | return result 544 | 545 | -------------------------------------------------------------------------------- /results/46173adc26721fb54f6e1a1091a892d4_depth_3_201907171121.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": "46173adc26721fb54f6e1a1091a892d4", 3 | "type": "file", 4 | "children": [ 5 | { 6 | "id": "79.124.60.40", 7 | "type": "ip_address", 8 | "relation": "QAX: file to contacted ip" 9 | }, 10 | { 11 | "id": "smartweb9.com", 12 | "type": "domain", 13 | "relation": "QAX: file to contacted domain", 14 | "children": [ 15 | { 16 | "id": "79.124.60.40", 17 | "type": "ip_address", 18 | "relation": "QAX: domain to resolution ip" 19 | }, 20 | { 21 | "id": "198.54.117.244", 22 | "type": "ip_address", 23 | "relation": "QAX: domain to resolution ip" 24 | }, 25 | { 26 | "id": "7f283bb7679949d2bdacd6e1d582ddd0.protect@whoisguard.com", 27 | "type": "email", 28 | "relation": "QAX: domain to whois email", 29 | "children": [ 30 | { 31 | "id": "smartweb9.com", 32 | "type": "domain", 33 | "relation": "QAX: Whois email to domain" 34 | } 35 | ] 36 | }, 37 | { 38 | "id": "79.124.60.40", 39 | "type": "ip_address", 40 | "relation": "VT: domain to resolution ip" 41 | }, 42 | { 43 | "id": "198.54.117.244", 44 | "type": "ip_address", 45 | "relation": "VT: domain to resolution ip" 46 | } 47 | ] 48 | }, 49 | { 50 | "id": "198.54.117.244", 51 | "type": "ip_address", 52 | "relation": "VT: file to contacted ip", 53 | "children": [ 54 | { 55 | "id": "7921a6035cc8a0981a5dee737dd3d29b150ddd48407717d3fca4b6376f2b0e70", 56 | "type": "file", 57 | "relation": "VT: IP to downloaded file", 58 | "children": [ 59 | { 60 | "id": "be8b49e1cd6d568e4fea1df4b9ad6e99d83d8ac47cfd07b5855735e9a283e94e", 61 | 
"type": "file", 62 | "relation": "VT: file to execution parent" 63 | } 64 | ] 65 | }, 66 | { 67 | "id": "e0e9d15d594c80f0f0a76a38953ce2d3cb140155825a648f3aa2d30f25ec61bf", 68 | "type": "file", 69 | "relation": "VT: IP to downloaded file", 70 | "children": [ 71 | { 72 | "id": "134.170.185.211", 73 | "type": "ip_address", 74 | "relation": "VT: file to contacted ip" 75 | } 76 | ] 77 | }, 78 | { 79 | "id": "c3d584acd99412018465495a621887e4d607c624a64495e63ec88017105788ff", 80 | "type": "file", 81 | "relation": "VT: IP to downloaded file" 82 | }, 83 | { 84 | "id": "9d04c80599f014cb52b9809e7b98f03878f256e306d1b26b5ae8347f55678c0f", 85 | "type": "file", 86 | "relation": "VT: IP to downloaded file" 87 | }, 88 | { 89 | "id": "dd78bafb88a959c38416d8361048c3805bad6d07b340a25d2836c384b26c0a26", 90 | "type": "file", 91 | "relation": "VT: IP to downloaded file" 92 | }, 93 | { 94 | "id": "d465172175d35d493fb1633e237700022bd849fa123164790b168b8318acb090", 95 | "type": "file", 96 | "relation": "VT: IP to downloaded file", 97 | "children": [ 98 | { 99 | "id": "7db3588024f268116114ad53801cb41daaa4c22c984dc1ed93ad054f349e0550", 100 | "type": "file", 101 | "relation": "VT: file to execution parent" 102 | }, 103 | { 104 | "id": "bca8f55d2b82962767c0ba2eeb55bc3d5706b427aa63718a033b8c604230c84c", 105 | "type": "file", 106 | "relation": "VT: file to execution parent" 107 | }, 108 | { 109 | "id": "bb93442c20c387e4d235d705d5b7a2850a67cae86df451a603fa9c1bd3a30366", 110 | "type": "file", 111 | "relation": "VT: file to execution parent" 112 | } 113 | ] 114 | }, 115 | { 116 | "id": "cab538fd1647961eb35348c1bd84e1fde389ad89672587d2fe3c007a0bc9e67f", 117 | "type": "file", 118 | "relation": "VT: IP to downloaded file", 119 | "children": [ 120 | { 121 | "id": "6466726e1ffe0d52ec2c532937919fc2d367b531e732f22ab9d4007746410d0e", 122 | "type": "file", 123 | "relation": "VT: file to execution parent" 124 | }, 125 | { 126 | "id": "41f0bd37e78641d5fe7a19f4d3b071ee5cbd4776ae413034c6bc02bb5063f3c6", 127 | 
"type": "file", 128 | "relation": "VT: file to execution parent" 129 | } 130 | ] 131 | }, 132 | { 133 | "id": "92b80355721d862bbefa5692c656cc6dafc518651524dc9a68875f9b91effa8f", 134 | "type": "file", 135 | "relation": "VT: IP to downloaded file", 136 | "children": [ 137 | { 138 | "id": "7c55fe9268d3cfa8ab57c4ac65c90bcef6c8d2baa75ac91a7208f3af4a40dd38", 139 | "type": "file", 140 | "relation": "VT: file to execution parent" 141 | }, 142 | { 143 | "id": "460f4112083c5738e3a8e089afb99f54659c58c8794686cd566051bd2e91c0d9", 144 | "type": "file", 145 | "relation": "VT: file to execution parent" 146 | } 147 | ] 148 | }, 149 | { 150 | "id": "41c7189d602cedc31b61c5aab0a8a5fab40bdd35770dc1b9fd8ec09f719e5298", 151 | "type": "file", 152 | "relation": "VT: IP to downloaded file" 153 | }, 154 | { 155 | "id": "8f30c9591ebcc91228a3e9885e91617f8fd06c43be6cda5220553575e02f8732", 156 | "type": "file", 157 | "relation": "VT: IP to downloaded file" 158 | } 159 | ] 160 | }, 161 | { 162 | "id": "79.124.60.40", 163 | "type": "ip_address", 164 | "relation": "VT: file to contacted ip" 165 | }, 166 | { 167 | "id": "smartweb9.com", 168 | "type": "domain", 169 | "relation": "VT: file to contacted domain" 170 | } 171 | ] 172 | } -------------------------------------------------------------------------------- /results/46173adc26721fb54f6e1a1091a892d4_depth_3_201907171121.txt: -------------------------------------------------------------------------------- 1 | AnyNode(id='46173adc26721fb54f6e1a1091a892d4', type='file') 2 | ├── AnyNode(id='79.124.60.40', relation='QAX: file to contacted ip', type='ip_address') 3 | ├── AnyNode(id='smartweb9.com', relation='QAX: file to contacted domain', type='domain') 4 | │ ├── AnyNode(id='79.124.60.40', relation='QAX: domain to resolution ip', type='ip_address') 5 | │ ├── AnyNode(id='198.54.117.244', relation='QAX: domain to resolution ip', type='ip_address') 6 | │ ├── AnyNode(id='7f283bb7679949d2bdacd6e1d582ddd0.protect@whoisguard.com', relation='QAX: domain to 
whois email', type='email') 7 | │ │ └── AnyNode(id='smartweb9.com', relation='QAX: Whois email to domain', type='domain') 8 | │ ├── AnyNode(id='79.124.60.40', relation='VT: domain to resolution ip', type='ip_address') 9 | │ └── AnyNode(id='198.54.117.244', relation='VT: domain to resolution ip', type='ip_address') 10 | ├── AnyNode(id='198.54.117.244', relation='VT: file to contacted ip', type='ip_address') 11 | │ ├── AnyNode(id='7921a6035cc8a0981a5dee737dd3d29b150ddd48407717d3fca4b6376f2b0e70', relation='VT: IP to downloaded file', type='file') 12 | │ │ └── AnyNode(id='be8b49e1cd6d568e4fea1df4b9ad6e99d83d8ac47cfd07b5855735e9a283e94e', relation='VT: file to execution parent', type='file') 13 | │ ├── AnyNode(id='e0e9d15d594c80f0f0a76a38953ce2d3cb140155825a648f3aa2d30f25ec61bf', relation='VT: IP to downloaded file', type='file') 14 | │ │ └── AnyNode(id='134.170.185.211', relation='VT: file to contacted ip', type='ip_address') 15 | │ ├── AnyNode(id='c3d584acd99412018465495a621887e4d607c624a64495e63ec88017105788ff', relation='VT: IP to downloaded file', type='file') 16 | │ ├── AnyNode(id='9d04c80599f014cb52b9809e7b98f03878f256e306d1b26b5ae8347f55678c0f', relation='VT: IP to downloaded file', type='file') 17 | │ ├── AnyNode(id='dd78bafb88a959c38416d8361048c3805bad6d07b340a25d2836c384b26c0a26', relation='VT: IP to downloaded file', type='file') 18 | │ ├── AnyNode(id='d465172175d35d493fb1633e237700022bd849fa123164790b168b8318acb090', relation='VT: IP to downloaded file', type='file') 19 | │ │ ├── AnyNode(id='7db3588024f268116114ad53801cb41daaa4c22c984dc1ed93ad054f349e0550', relation='VT: file to execution parent', type='file') 20 | │ │ ├── AnyNode(id='bca8f55d2b82962767c0ba2eeb55bc3d5706b427aa63718a033b8c604230c84c', relation='VT: file to execution parent', type='file') 21 | │ │ └── AnyNode(id='bb93442c20c387e4d235d705d5b7a2850a67cae86df451a603fa9c1bd3a30366', relation='VT: file to execution parent', type='file') 22 | │ ├── 
AnyNode(id='cab538fd1647961eb35348c1bd84e1fde389ad89672587d2fe3c007a0bc9e67f', relation='VT: IP to downloaded file', type='file') 23 | │ │ ├── AnyNode(id='6466726e1ffe0d52ec2c532937919fc2d367b531e732f22ab9d4007746410d0e', relation='VT: file to execution parent', type='file') 24 | │ │ └── AnyNode(id='41f0bd37e78641d5fe7a19f4d3b071ee5cbd4776ae413034c6bc02bb5063f3c6', relation='VT: file to execution parent', type='file') 25 | │ ├── AnyNode(id='92b80355721d862bbefa5692c656cc6dafc518651524dc9a68875f9b91effa8f', relation='VT: IP to downloaded file', type='file') 26 | │ │ ├── AnyNode(id='7c55fe9268d3cfa8ab57c4ac65c90bcef6c8d2baa75ac91a7208f3af4a40dd38', relation='VT: file to execution parent', type='file') 27 | │ │ └── AnyNode(id='460f4112083c5738e3a8e089afb99f54659c58c8794686cd566051bd2e91c0d9', relation='VT: file to execution parent', type='file') 28 | │ ├── AnyNode(id='41c7189d602cedc31b61c5aab0a8a5fab40bdd35770dc1b9fd8ec09f719e5298', relation='VT: IP to downloaded file', type='file') 29 | │ └── AnyNode(id='8f30c9591ebcc91228a3e9885e91617f8fd06c43be6cda5220553575e02f8732', relation='VT: IP to downloaded file', type='file') 30 | ├── AnyNode(id='79.124.60.40', relation='VT: file to contacted ip', type='ip_address') 31 | └── AnyNode(id='smartweb9.com', relation='VT: file to contacted domain', type='domain') -------------------------------------------------------------------------------- /samples/192.99.142.235_depth_3_201907171110.txt: -------------------------------------------------------------------------------- 1 | AnyNode(id='192.99.142.235', type='ip_address') 2 | ├── AnyNode(id='39259979b4228899c0ef985bcfc283e169afd44323eedb0341144dbc0c0f30e9', relation='VT: IP to downloaded file', type='file') 3 | ├── AnyNode(id='ffd5abdeb6c452b8ae3823ce48f2760c6ca1bfbcf74b942b789a55e20755546e', relation='VT: IP to downloaded file', type='file') 4 | ├── AnyNode(id='23dcec192b14055e2bb75bb3d36ce05a19fc919db69d02107bc6ed3132288c9a', relation='VT: IP to downloaded file', type='file') 
relation='VT: IP to downloaded file', type='file') 43 | │ └── AnyNode(id='5dcec035d0b3e013b13a8c9b8228d258ad3ff21e395ad44583f8ac26c4ac2944', relation='VT: IP to downloaded file', type='file') 44 | ├── AnyNode(id='haohg.net', relation='QAX: Whois email to domain', type='domain') 45 | │ ├── AnyNode(id='184.168.221.75', relation='QAX: domain to resolution ip', type='ip_address') 46 | │ │ ├── AnyNode(id='90b2d35cd5e08370ed20db81197dd9da1a4dbb421f71293fd5733ea49eb7b3e1', relation='VT: IP to downloaded file', type='file') 47 | │ │ ├── AnyNode(id='5a05dc39d65e045540d07e18117ca444522b82e3c725dad1bdf3482e390eadf9', relation='VT: IP to downloaded file', type='file') 48 | │ │ ├── AnyNode(id='6468ac9f9bca964f3910fc967b80781c1c8634300e36f95ae49056d91a2734bf', relation='VT: IP to downloaded file', type='file') 49 | │ │ ├── AnyNode(id='0ff0b7fcb090c65d0bdcb2af4bbd2c30f33356b3ce9b117186fa20391ef840a3', relation='VT: IP to downloaded file', type='file') 50 | │ │ ├── AnyNode(id='881d6350e5a1d1b91eaadf005cb0bb52bfd7066ad2cf572bfc28b81bc50fc19b', relation='VT: IP to downloaded file', type='file') 51 | │ │ ├── AnyNode(id='ba5b150535bd3c1ad00be2ed8d5fb319a32b75bc2b8c22c7dbb9bd2147419627', relation='VT: IP to downloaded file', type='file') 52 | │ │ ├── AnyNode(id='657ad4c44439651924425d61a87a121cc05950b11ff40377509b110333cba510', relation='VT: IP to downloaded file', type='file') 53 | │ │ ├── AnyNode(id='0d3e98ca727fc1201b436170af5a63f23348aaf146a3ac6234f6c4da283e8b34', relation='VT: IP to downloaded file', type='file') 54 | │ │ ├── AnyNode(id='b1442e85b03bdcaf66dc58c7abb98745dd2687d86350be9a298a1d9382ac849b', relation='VT: IP to downloaded file', type='file') 55 | │ │ └── AnyNode(id='573dc2494db643814cd6ee8e183693711bfc93129637721eb83553d52a9385d8', relation='VT: IP to downloaded file', type='file') 56 | │ ├── AnyNode(id='184.168.221.81', relation='QAX: domain to resolution ip', type='ip_address') 57 | │ │ ├── 
AnyNode(id='0ff0b7fcb090c65d0bdcb2af4bbd2c30f33356b3ce9b117186fa20391ef840a3', relation='VT: IP to downloaded file', type='file') 58 | │ │ ├── AnyNode(id='4680c5c3f878d0bb110f5f586f6d1222a0309440d38b5a2947d13e77ee3fdeaf', relation='VT: IP to downloaded file', type='file') 59 | │ │ ├── AnyNode(id='90b2d35cd5e08370ed20db81197dd9da1a4dbb421f71293fd5733ea49eb7b3e1', relation='VT: IP to downloaded file', type='file') 60 | │ │ ├── AnyNode(id='73b7904131cd159f430fd1cdc05fe8533181f2c920a6424e14e809635d3a3b52', relation='VT: IP to downloaded file', type='file') 61 | │ │ ├── AnyNode(id='e719fa84f633c6815ffe6064d1ec9606f0b3473714ecb5064c5466d9629263d9', relation='VT: IP to downloaded file', type='file') 62 | │ │ ├── AnyNode(id='7daa670891a3cf42dea072d3a41eb66282a3e579d95759b1b8229b81d566a153', relation='VT: IP to downloaded file', type='file') 63 | │ │ ├── AnyNode(id='9769d8451b16306002c30edf61f5d78819b4060a58f2ef930a471fd185672ece', relation='VT: IP to downloaded file', type='file') 64 | │ │ ├── AnyNode(id='ce7127c38e30e92a021ed2bd09287713c6a923db9ffdb43f126e8965d777fbf0', relation='VT: IP to downloaded file', type='file') 65 | │ │ ├── AnyNode(id='5a32d8e7628a1a7e2f1eb70c145b094baa25a9876dd34eea04aaed349c1b5cf2', relation='VT: IP to downloaded file', type='file') 66 | │ │ └── AnyNode(id='f70b370debd085dd9e9fb6495c796cdccf41c44574cc185dbe124f3ea8237623', relation='VT: IP to downloaded file', type='file') 67 | │ ├── AnyNode(id='174.139.156.150', relation='QAX: domain to resolution ip', type='ip_address') 68 | │ ├── AnyNode(id='50.63.202.74', relation='QAX: domain to resolution ip', type='ip_address') 69 | │ │ ├── AnyNode(id='90b2d35cd5e08370ed20db81197dd9da1a4dbb421f71293fd5733ea49eb7b3e1', relation='VT: IP to downloaded file', type='file') 70 | │ │ ├── AnyNode(id='0ff0b7fcb090c65d0bdcb2af4bbd2c30f33356b3ce9b117186fa20391ef840a3', relation='VT: IP to downloaded file', type='file') 71 | │ │ ├── AnyNode(id='cdc8b52c9402b72ef9c698027c0d2ea63058ed98b832a31d3ac57c9e7f8b35ed', 
relation='VT: IP to downloaded file', type='file') 72 | │ │ ├── AnyNode(id='ce7127c38e30e92a021ed2bd09287713c6a923db9ffdb43f126e8965d777fbf0', relation='VT: IP to downloaded file', type='file') 73 | │ │ ├── AnyNode(id='fc063971c647272d73459eab44d0235c72e7f4a20b72fc17b0b4eabf97d6fedf', relation='VT: IP to downloaded file', type='file') 74 | │ │ ├── AnyNode(id='0d3e98ca727fc1201b436170af5a63f23348aaf146a3ac6234f6c4da283e8b34', relation='VT: IP to downloaded file', type='file') 75 | │ │ ├── AnyNode(id='57559551c35735c4acd1ede5a7d3df31a3f9b55acc087fdbb0811813b13d63d3', relation='VT: IP to downloaded file', type='file') 76 | │ │ ├── AnyNode(id='b1442e85b03bdcaf66dc58c7abb98745dd2687d86350be9a298a1d9382ac849b', relation='VT: IP to downloaded file', type='file') 77 | │ │ ├── AnyNode(id='f70b370debd085dd9e9fb6495c796cdccf41c44574cc185dbe124f3ea8237623', relation='VT: IP to downloaded file', type='file') 78 | │ │ └── AnyNode(id='573dc2494db643814cd6ee8e183693711bfc93129637721eb83553d52a9385d8', relation='VT: IP to downloaded file', type='file') 79 | │ ├── AnyNode(id='174.139.156.150', relation='VT: domain to resolution ip', type='ip_address') 80 | │ ├── AnyNode(id='104.148.25.39', relation='VT: domain to resolution ip', type='ip_address') 81 | │ │ ├── AnyNode(id='9221cfedfc5e03790f46c7890bca21fcc47c5788d89dab0aa0799c492b6ae78a', relation='VT: IP to downloaded file', type='file') 82 | │ │ ├── AnyNode(id='0b52c5338af355699530a47683420e48c7344e779d3e815ff9943cbfdc153cf2', relation='VT: IP to downloaded file', type='file') 83 | │ │ └── AnyNode(id='cab538fd1647961eb35348c1bd84e1fde389ad89672587d2fe3c007a0bc9e67f', relation='VT: IP to downloaded file', type='file') 84 | │ ├── AnyNode(id='104.148.25.54', relation='VT: domain to resolution ip', type='ip_address') 85 | │ │ └── AnyNode(id='0b52c5338af355699530a47683420e48c7344e779d3e815ff9943cbfdc153cf2', relation='VT: IP to downloaded file', type='file') 86 | │ └── AnyNode(id='98.124.243.37', relation='VT: domain to resolution ip', 
type='ip_address') 87 | │ ├── AnyNode(id='f1945cd6c19e56b3c1c78943ef5ec18116907a4ca1efc40a57d48ab1db7adfc5', relation='VT: IP to downloaded file', type='file') 88 | │ ├── AnyNode(id='259977f242c3039ab41f8289efb39ebe883969405d6939a9ed27f7ea8734cae4', relation='VT: IP to downloaded file', type='file') 89 | │ ├── AnyNode(id='0b52c5338af355699530a47683420e48c7344e779d3e815ff9943cbfdc153cf2', relation='VT: IP to downloaded file', type='file') 90 | │ ├── AnyNode(id='d51db41fab46ee52428760ca1fe639a97a7f811295c83528a88a5a6eb3f8f533', relation='VT: IP to downloaded file', type='file') 91 | │ ├── AnyNode(id='391d38e5c266135ba90a09691edacd2bda7830e329e413e1e8d93739649c26c2', relation='VT: IP to downloaded file', type='file') 92 | │ ├── AnyNode(id='6b7ce6651a944c231db65320442607e86117a7773b0abcd64c9c5522f35ffebe', relation='VT: IP to downloaded file', type='file') 93 | │ ├── AnyNode(id='14c08afc15e276b96c48de6598e86fcc933f3b105a2a18667d395d82c1ea97d5', relation='VT: IP to downloaded file', type='file') 94 | │ ├── AnyNode(id='504ffbb8da702ea6c75bde29a0a3af380ccbda8562572d001b5bb23f344a1390', relation='VT: IP to downloaded file', type='file') 95 | │ ├── AnyNode(id='31e40edda6563ce57ec502c8905e4bbe7d22fce0ce62ed43fd2e6240884dfd77', relation='VT: IP to downloaded file', type='file') 96 | │ └── AnyNode(id='523c572bf0923a73264b1ef08e1623b936baae0921d94ff0afa4ba6e71e602d1', relation='VT: IP to downloaded file', type='file') 97 | ├── AnyNode(id='diban.tv', relation='QAX: Whois email to domain', type='domain') 98 | │ └── AnyNode(id='373192510@qq.com', relation='QAX: domain to whois email', type='email') 99 | ├── AnyNode(id='yuju.com.cn', relation='QAX: Whois email to domain', type='domain') 100 | │ ├── AnyNode(id='373192510@qq.com', relation='QAX: domain to whois email', type='email') 101 | │ └── AnyNode(id='70.39.84.249', relation='VT: domain to resolution ip', type='ip_address') 102 | │ ├── AnyNode(id='ba9d257c7c8cdf6b96f9493d2aa5bf82e64d14d2f1d0051b53a854c221420a05', relation='VT: 
IP to downloaded file', type='file') 103 | │ ├── AnyNode(id='19a44739955218d4514ca6ec892d67f385ad3d2ab9bf4934d716bde2541801cf', relation='VT: IP to downloaded file', type='file') 104 | │ ├── AnyNode(id='d452c2fc8c52b81a472d6db2090cd896b67ba4a8e4dbecda452e029e54bb2be8', relation='VT: IP to downloaded file', type='file') 105 | │ ├── AnyNode(id='d32467448fcdc3148cccf7acb6e62d09662c274c93a7c7fc3d4b9ee9b9d1f30f', relation='VT: IP to downloaded file', type='file') 106 | │ ├── AnyNode(id='c26c951fefd04faa667a715cca56e4ace58dbf8e2c3e3cb90d66a38fe44d75da', relation='VT: IP to downloaded file', type='file') 107 | │ ├── AnyNode(id='5b3d1fc477b0a8edb869a3483d315a7107250a1b25a208370ed932afcedc4df9', relation='VT: IP to downloaded file', type='file') 108 | │ ├── AnyNode(id='44a56b88ceb111a99f5ce821bbbf74a4e8d8c80d374928dff8eae00e5793f53f', relation='VT: IP to downloaded file', type='file') 109 | │ ├── AnyNode(id='3a60b86da4e5f43cb2f0d2a1352e7a87af452beead7cb1dc85757fd58bc59467', relation='VT: IP to downloaded file', type='file') 110 | │ ├── AnyNode(id='b3ab190ddb57d52ee50e532fb3c1186e2635ee85180516685e7db3006956e62e', relation='VT: IP to downloaded file', type='file') 111 | │ └── AnyNode(id='4f67d76919eff1c95d193a9d9d6e06756044682705f8699337af181c2059e72c', relation='VT: IP to downloaded file', type='file') 112 | ├── AnyNode(id='5jj.net', relation='QAX: Whois email to domain', type='domain') 113 | │ ├── AnyNode(id='211.149.206.203', relation='QAX: domain to resolution ip', type='ip_address') 114 | │ ├── AnyNode(id='211.149.206.203', relation='VT: domain to resolution ip', type='ip_address') 115 | │ ├── AnyNode(id='211.149.227.87', relation='VT: domain to resolution ip', type='ip_address') 116 | │ ├── AnyNode(id='185.53.179.8', relation='VT: domain to resolution ip', type='ip_address') 117 | │ │ ├── AnyNode(id='7921a6035cc8a0981a5dee737dd3d29b150ddd48407717d3fca4b6376f2b0e70', relation='VT: IP to downloaded file', type='file') 118 | │ │ ├── 
AnyNode(id='6c09a3f77e8a1ce36ffdf1bf0cff8aa9bb5c17616ba8f31db31d8b5946245362', relation='VT: IP to downloaded file', type='file') 119 | │ │ ├── AnyNode(id='9d04c80599f014cb52b9809e7b98f03878f256e306d1b26b5ae8347f55678c0f', relation='VT: IP to downloaded file', type='file') 120 | │ │ ├── AnyNode(id='c477bda8237a5799bf520bc7ca317da8811a903837030748cf7c16c404cc4297', relation='VT: IP to downloaded file', type='file') 121 | │ │ ├── AnyNode(id='b3786d78a5f75ceb953aa75406ab7d8710bd13dddd6ff4d98a58ffc5d11b1691', relation='VT: IP to downloaded file', type='file') 122 | │ │ ├── AnyNode(id='ca4389b3d6ec4e04b998a687eee1ff3f2b97204b8a78f2a1d198e63d1f6986ee', relation='VT: IP to downloaded file', type='file') 123 | │ │ ├── AnyNode(id='3eb63eaed5307955a5d5f00034383a610a5dc935206df5b5daf85550c84032bb', relation='VT: IP to downloaded file', type='file') 124 | │ │ ├── AnyNode(id='b4684d11746a67475f6b9521e302b71ccba203e535934e7fa12885a64f8e1155', relation='VT: IP to downloaded file', type='file') 125 | │ │ ├── AnyNode(id='a1d3423abcb8c7afc6a9f10ce02d4897be234ee5427b80015d5c2a067de575dd', relation='VT: IP to downloaded file', type='file') 126 | │ │ └── AnyNode(id='d2352b9cd9fbebe108723a5cfc87ca7ee4ade009ffb873e08c62fd954de03270', relation='VT: IP to downloaded file', type='file') 127 | │ └── AnyNode(id='46.19.34.155', relation='VT: domain to resolution ip', type='ip_address') 128 | ├── AnyNode(id='dibeng.com.cn', relation='QAX: Whois email to domain', type='domain') 129 | │ ├── AnyNode(id='623960678@qq.com', relation='QAX: domain to whois email', type='email') 130 | │ │ ├── AnyNode(id='fangdiw.com', relation='QAX: Whois email to domain', type='domain') 131 | │ │ ├── AnyNode(id='aosi.org.cn', relation='QAX: Whois email to domain', type='domain') 132 | │ │ ├── AnyNode(id='bqbox.cn', relation='QAX: Whois email to domain', type='domain') 133 | │ │ ├── AnyNode(id='ruibowen.com', relation='QAX: Whois email to domain', type='domain') 134 | │ │ ├── AnyNode(id='949600.com', relation='QAX: 
Whois email to domain', type='domain') 135 | │ │ ├── AnyNode(id='douban888.com', relation='QAX: Whois email to domain', type='domain') 136 | │ │ ├── AnyNode(id='yimaiba.cn', relation='QAX: Whois email to domain', type='domain') 137 | │ │ ├── AnyNode(id='860853.com', relation='QAX: Whois email to domain', type='domain') 138 | │ │ ├── AnyNode(id='laxs.com.cn', relation='QAX: Whois email to domain', type='domain') 139 | │ │ └── AnyNode(id='yy315.cn', relation='QAX: Whois email to domain', type='domain') 140 | │ ├── AnyNode(id='107.167.19.74', relation='VT: domain to resolution ip', type='ip_address') 141 | │ │ ├── AnyNode(id='0b52c5338af355699530a47683420e48c7344e779d3e815ff9943cbfdc153cf2', relation='VT: IP to downloaded file', type='file') 142 | │ │ ├── AnyNode(id='cab538fd1647961eb35348c1bd84e1fde389ad89672587d2fe3c007a0bc9e67f', relation='VT: IP to downloaded file', type='file') 143 | │ │ ├── AnyNode(id='8a482f2271a42c5f54c96e816a84340a6f2357a5b81f927d07d00788f5140a41', relation='VT: IP to downloaded file', type='file') 144 | │ │ ├── AnyNode(id='ecb916133a9376911f10bc5c659952eb0031e457f5df367cde560edbfba38fb8', relation='VT: IP to downloaded file', type='file') 145 | │ │ ├── AnyNode(id='9b342ae7f25d65bdb817d8c995f3211ac398e41575fc5d149d994c1dcb008f0a', relation='VT: IP to downloaded file', type='file') 146 | │ │ ├── AnyNode(id='083d15a07f8702e1216f5ec39ee1879d1459e307a6ee7ae223651fed856dae93', relation='VT: IP to downloaded file', type='file') 147 | │ │ ├── AnyNode(id='bc354d5a1fe3e1362fcb84c3792bef4e836815d1ce6b983339459bad12bf5cc4', relation='VT: IP to downloaded file', type='file') 148 | │ │ ├── AnyNode(id='afc62a39420c5a5ea6d5e05ac72510cdf8b4163cfadf136d2483967e2f808ef0', relation='VT: IP to downloaded file', type='file') 149 | │ │ └── AnyNode(id='c477bda8237a5799bf520bc7ca317da8811a903837030748cf7c16c404cc4297', relation='VT: IP to downloaded file', type='file') 150 | │ └── AnyNode(id='107.167.19.75', relation='VT: domain to resolution ip', type='ip_address') 
151 | └── AnyNode(id='chinagaoyao.com', relation='QAX: Whois email to domain', type='domain') 152 | ├── AnyNode(id='154.211.214.114', relation='QAX: domain to resolution ip', type='ip_address') 153 | └── AnyNode(id='154.211.214.114', relation='VT: domain to resolution ip', type='ip_address') -------------------------------------------------------------------------------- /samples/46173adc26721fb54f6e1a1091a892d4_depth_3_201907171121.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": "46173adc26721fb54f6e1a1091a892d4", 3 | "type": "file", 4 | "children": [ 5 | { 6 | "id": "79.124.60.40", 7 | "type": "ip_address", 8 | "relation": "QAX: file to contacted ip" 9 | }, 10 | { 11 | "id": "smartweb9.com", 12 | "type": "domain", 13 | "relation": "QAX: file to contacted domain", 14 | "children": [ 15 | { 16 | "id": "79.124.60.40", 17 | "type": "ip_address", 18 | "relation": "QAX: domain to resolution ip" 19 | }, 20 | { 21 | "id": "198.54.117.244", 22 | "type": "ip_address", 23 | "relation": "QAX: domain to resolution ip" 24 | }, 25 | { 26 | "id": "7f283bb7679949d2bdacd6e1d582ddd0.protect@whoisguard.com", 27 | "type": "email", 28 | "relation": "QAX: domain to whois email", 29 | "children": [ 30 | { 31 | "id": "smartweb9.com", 32 | "type": "domain", 33 | "relation": "QAX: Whois email to domain" 34 | } 35 | ] 36 | }, 37 | { 38 | "id": "79.124.60.40", 39 | "type": "ip_address", 40 | "relation": "VT: domain to resolution ip" 41 | }, 42 | { 43 | "id": "198.54.117.244", 44 | "type": "ip_address", 45 | "relation": "VT: domain to resolution ip" 46 | } 47 | ] 48 | }, 49 | { 50 | "id": "198.54.117.244", 51 | "type": "ip_address", 52 | "relation": "VT: file to contacted ip", 53 | "children": [ 54 | { 55 | "id": "7921a6035cc8a0981a5dee737dd3d29b150ddd48407717d3fca4b6376f2b0e70", 56 | "type": "file", 57 | "relation": "VT: IP to downloaded file", 58 | "children": [ 59 | { 60 | "id": 
"be8b49e1cd6d568e4fea1df4b9ad6e99d83d8ac47cfd07b5855735e9a283e94e", 61 | "type": "file", 62 | "relation": "VT: file to execution parent" 63 | } 64 | ] 65 | }, 66 | { 67 | "id": "e0e9d15d594c80f0f0a76a38953ce2d3cb140155825a648f3aa2d30f25ec61bf", 68 | "type": "file", 69 | "relation": "VT: IP to downloaded file", 70 | "children": [ 71 | { 72 | "id": "134.170.185.211", 73 | "type": "ip_address", 74 | "relation": "VT: file to contacted ip" 75 | } 76 | ] 77 | }, 78 | { 79 | "id": "c3d584acd99412018465495a621887e4d607c624a64495e63ec88017105788ff", 80 | "type": "file", 81 | "relation": "VT: IP to downloaded file" 82 | }, 83 | { 84 | "id": "9d04c80599f014cb52b9809e7b98f03878f256e306d1b26b5ae8347f55678c0f", 85 | "type": "file", 86 | "relation": "VT: IP to downloaded file" 87 | }, 88 | { 89 | "id": "dd78bafb88a959c38416d8361048c3805bad6d07b340a25d2836c384b26c0a26", 90 | "type": "file", 91 | "relation": "VT: IP to downloaded file" 92 | }, 93 | { 94 | "id": "d465172175d35d493fb1633e237700022bd849fa123164790b168b8318acb090", 95 | "type": "file", 96 | "relation": "VT: IP to downloaded file", 97 | "children": [ 98 | { 99 | "id": "7db3588024f268116114ad53801cb41daaa4c22c984dc1ed93ad054f349e0550", 100 | "type": "file", 101 | "relation": "VT: file to execution parent" 102 | }, 103 | { 104 | "id": "bca8f55d2b82962767c0ba2eeb55bc3d5706b427aa63718a033b8c604230c84c", 105 | "type": "file", 106 | "relation": "VT: file to execution parent" 107 | }, 108 | { 109 | "id": "bb93442c20c387e4d235d705d5b7a2850a67cae86df451a603fa9c1bd3a30366", 110 | "type": "file", 111 | "relation": "VT: file to execution parent" 112 | } 113 | ] 114 | }, 115 | { 116 | "id": "cab538fd1647961eb35348c1bd84e1fde389ad89672587d2fe3c007a0bc9e67f", 117 | "type": "file", 118 | "relation": "VT: IP to downloaded file", 119 | "children": [ 120 | { 121 | "id": "6466726e1ffe0d52ec2c532937919fc2d367b531e732f22ab9d4007746410d0e", 122 | "type": "file", 123 | "relation": "VT: file to execution parent" 124 | }, 125 | { 126 | "id": 
"41f0bd37e78641d5fe7a19f4d3b071ee5cbd4776ae413034c6bc02bb5063f3c6", 127 | "type": "file", 128 | "relation": "VT: file to execution parent" 129 | } 130 | ] 131 | }, 132 | { 133 | "id": "92b80355721d862bbefa5692c656cc6dafc518651524dc9a68875f9b91effa8f", 134 | "type": "file", 135 | "relation": "VT: IP to downloaded file", 136 | "children": [ 137 | { 138 | "id": "7c55fe9268d3cfa8ab57c4ac65c90bcef6c8d2baa75ac91a7208f3af4a40dd38", 139 | "type": "file", 140 | "relation": "VT: file to execution parent" 141 | }, 142 | { 143 | "id": "460f4112083c5738e3a8e089afb99f54659c58c8794686cd566051bd2e91c0d9", 144 | "type": "file", 145 | "relation": "VT: file to execution parent" 146 | } 147 | ] 148 | }, 149 | { 150 | "id": "41c7189d602cedc31b61c5aab0a8a5fab40bdd35770dc1b9fd8ec09f719e5298", 151 | "type": "file", 152 | "relation": "VT: IP to downloaded file" 153 | }, 154 | { 155 | "id": "8f30c9591ebcc91228a3e9885e91617f8fd06c43be6cda5220553575e02f8732", 156 | "type": "file", 157 | "relation": "VT: IP to downloaded file" 158 | } 159 | ] 160 | }, 161 | { 162 | "id": "79.124.60.40", 163 | "type": "ip_address", 164 | "relation": "VT: file to contacted ip" 165 | }, 166 | { 167 | "id": "smartweb9.com", 168 | "type": "domain", 169 | "relation": "VT: file to contacted domain" 170 | } 171 | ] 172 | } -------------------------------------------------------------------------------- /samples/46173adc26721fb54f6e1a1091a892d4_depth_3_201907171121.txt: -------------------------------------------------------------------------------- 1 | AnyNode(id='46173adc26721fb54f6e1a1091a892d4', type='file') 2 | ├── AnyNode(id='79.124.60.40', relation='QAX: file to contacted ip', type='ip_address') 3 | ├── AnyNode(id='smartweb9.com', relation='QAX: file to contacted domain', type='domain') 4 | │ ├── AnyNode(id='79.124.60.40', relation='QAX: domain to resolution ip', type='ip_address') 5 | │ ├── AnyNode(id='198.54.117.244', relation='QAX: domain to resolution ip', type='ip_address') 6 | │ ├── 
AnyNode(id='7f283bb7679949d2bdacd6e1d582ddd0.protect@whoisguard.com', relation='QAX: domain to whois email', type='email') 7 | │ │ └── AnyNode(id='smartweb9.com', relation='QAX: Whois email to domain', type='domain') 8 | │ ├── AnyNode(id='79.124.60.40', relation='VT: domain to resolution ip', type='ip_address') 9 | │ └── AnyNode(id='198.54.117.244', relation='VT: domain to resolution ip', type='ip_address') 10 | ├── AnyNode(id='198.54.117.244', relation='VT: file to contacted ip', type='ip_address') 11 | │ ├── AnyNode(id='7921a6035cc8a0981a5dee737dd3d29b150ddd48407717d3fca4b6376f2b0e70', relation='VT: IP to downloaded file', type='file') 12 | │ │ └── AnyNode(id='be8b49e1cd6d568e4fea1df4b9ad6e99d83d8ac47cfd07b5855735e9a283e94e', relation='VT: file to execution parent', type='file') 13 | │ ├── AnyNode(id='e0e9d15d594c80f0f0a76a38953ce2d3cb140155825a648f3aa2d30f25ec61bf', relation='VT: IP to downloaded file', type='file') 14 | │ │ └── AnyNode(id='134.170.185.211', relation='VT: file to contacted ip', type='ip_address') 15 | │ ├── AnyNode(id='c3d584acd99412018465495a621887e4d607c624a64495e63ec88017105788ff', relation='VT: IP to downloaded file', type='file') 16 | │ ├── AnyNode(id='9d04c80599f014cb52b9809e7b98f03878f256e306d1b26b5ae8347f55678c0f', relation='VT: IP to downloaded file', type='file') 17 | │ ├── AnyNode(id='dd78bafb88a959c38416d8361048c3805bad6d07b340a25d2836c384b26c0a26', relation='VT: IP to downloaded file', type='file') 18 | │ ├── AnyNode(id='d465172175d35d493fb1633e237700022bd849fa123164790b168b8318acb090', relation='VT: IP to downloaded file', type='file') 19 | │ │ ├── AnyNode(id='7db3588024f268116114ad53801cb41daaa4c22c984dc1ed93ad054f349e0550', relation='VT: file to execution parent', type='file') 20 | │ │ ├── AnyNode(id='bca8f55d2b82962767c0ba2eeb55bc3d5706b427aa63718a033b8c604230c84c', relation='VT: file to execution parent', type='file') 21 | │ │ └── AnyNode(id='bb93442c20c387e4d235d705d5b7a2850a67cae86df451a603fa9c1bd3a30366', relation='VT: file 
to execution parent', type='file') 22 | │ ├── AnyNode(id='cab538fd1647961eb35348c1bd84e1fde389ad89672587d2fe3c007a0bc9e67f', relation='VT: IP to downloaded file', type='file') 23 | │ │ ├── AnyNode(id='6466726e1ffe0d52ec2c532937919fc2d367b531e732f22ab9d4007746410d0e', relation='VT: file to execution parent', type='file') 24 | │ │ └── AnyNode(id='41f0bd37e78641d5fe7a19f4d3b071ee5cbd4776ae413034c6bc02bb5063f3c6', relation='VT: file to execution parent', type='file') 25 | │ ├── AnyNode(id='92b80355721d862bbefa5692c656cc6dafc518651524dc9a68875f9b91effa8f', relation='VT: IP to downloaded file', type='file') 26 | │ │ ├── AnyNode(id='7c55fe9268d3cfa8ab57c4ac65c90bcef6c8d2baa75ac91a7208f3af4a40dd38', relation='VT: file to execution parent', type='file') 27 | │ │ └── AnyNode(id='460f4112083c5738e3a8e089afb99f54659c58c8794686cd566051bd2e91c0d9', relation='VT: file to execution parent', type='file') 28 | │ ├── AnyNode(id='41c7189d602cedc31b61c5aab0a8a5fab40bdd35770dc1b9fd8ec09f719e5298', relation='VT: IP to downloaded file', type='file') 29 | │ └── AnyNode(id='8f30c9591ebcc91228a3e9885e91617f8fd06c43be6cda5220553575e02f8732', relation='VT: IP to downloaded file', type='file') 30 | ├── AnyNode(id='79.124.60.40', relation='VT: file to contacted ip', type='ip_address') 31 | └── AnyNode(id='smartweb9.com', relation='VT: file to contacted domain', type='domain') -------------------------------------------------------------------------------- /samples/c0531f812a1ec5e825f7250f7b52db7621ecf93d973f0e3ba1aa0372e0f559f2_depth_3_201907171114.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": "c0531f812a1ec5e825f7250f7b52db7621ecf93d973f0e3ba1aa0372e0f559f2", 3 | "type": "file", 4 | "children": [ 5 | { 6 | "id": "0146a167e27d4245a1843f2e583f024d36ae9760faf94aa95ab2c751b99806b1", 7 | "type": "file", 8 | "relation": "VT: file to execution parent", 9 | "children": [ 10 | { 11 | "id": "111.90.158.225", 12 | "type": "ip_address", 13 | 
"relation": "VT: file to contacted ip", 14 | "children": [ 15 | { 16 | "id": "ae74a671f376fbe12bc09bc77a7e81a754ece5267bb9e481f691210aba7e8f89", 17 | "type": "file", 18 | "relation": "VT: IP to downloaded file" 19 | }, 20 | { 21 | "id": "65de00e9f262ff62c91c5ec494cb399b8a1de349e05e5dd2d3bd90006d3f141e", 22 | "type": "file", 23 | "relation": "VT: IP to downloaded file" 24 | }, 25 | { 26 | "id": "45b96f3d8b6a7e9225485d42dedf7fe6f164405707668d8a40f35a52b9130b23", 27 | "type": "file", 28 | "relation": "VT: IP to downloaded file" 29 | }, 30 | { 31 | "id": "1ecb94b101c6229a60475748fee4ecbf656e6d77722d7b422378d47c9510d293", 32 | "type": "file", 33 | "relation": "VT: IP to downloaded file" 34 | }, 35 | { 36 | "id": "a0f65bb0de9caddcc1d31e65f7184677909ab2ebffd5a28aed91a5f7cca15cff", 37 | "type": "file", 38 | "relation": "VT: IP to downloaded file" 39 | }, 40 | { 41 | "id": "8ab9de549f6d824b2b02971c8c98aa035719e10fd8c784e8a79f672d8a93582a", 42 | "type": "file", 43 | "relation": "VT: IP to downloaded file" 44 | }, 45 | { 46 | "id": "fc245df4f5feeabe28bac64949a502ea9d431d9c648b45e5042ec5e77da68278", 47 | "type": "file", 48 | "relation": "VT: IP to downloaded file" 49 | }, 50 | { 51 | "id": "f3b5aa8c014cf9fbb35062a663cd40d5e845a98e48819a3f488755d0ba6f08b1", 52 | "type": "file", 53 | "relation": "VT: IP to downloaded file" 54 | }, 55 | { 56 | "id": "97f9c8f59717c376c334e955737f8d1d94375f5692a4a062c06ba5511fa561a4", 57 | "type": "file", 58 | "relation": "VT: IP to downloaded file" 59 | }, 60 | { 61 | "id": "bfc55c309f7d7573fe1c8e693c6645b755033bd45bf1c4586ff485c7484290a3", 62 | "type": "file", 63 | "relation": "VT: IP to downloaded file" 64 | } 65 | ] 66 | }, 67 | { 68 | "id": "107.179.65.195", 69 | "type": "ip_address", 70 | "relation": "VT: file to contacted ip", 71 | "children": [ 72 | { 73 | "id": "987a46bb093ccd4d23b6fee98474a00557a2ce4c531f294e57091f455435c928", 74 | "type": "file", 75 | "relation": "VT: IP to downloaded file" 76 | }, 77 | { 78 | "id": 
"bfc55c309f7d7573fe1c8e693c6645b755033bd45bf1c4586ff485c7484290a3", 79 | "type": "file", 80 | "relation": "VT: IP to downloaded file" 81 | }, 82 | { 83 | "id": "cdf9d8eee8c4fe967fac3aa9218a7227647ae7aaaa4221c688e1aab7a9180f69", 84 | "type": "file", 85 | "relation": "VT: IP to downloaded file" 86 | } 87 | ] 88 | }, 89 | { 90 | "id": "23.247.83.135", 91 | "type": "ip_address", 92 | "relation": "VT: file to contacted ip" 93 | }, 94 | { 95 | "id": "111.90.158.224", 96 | "type": "ip_address", 97 | "relation": "VT: file to contacted ip", 98 | "children": [ 99 | { 100 | "id": "ae74a671f376fbe12bc09bc77a7e81a754ece5267bb9e481f691210aba7e8f89", 101 | "type": "file", 102 | "relation": "VT: IP to downloaded file" 103 | }, 104 | { 105 | "id": "9278d16ed2fdcd5dc651615b0b8adc6b55fb667a9d106a9891b861d4561d9a24", 106 | "type": "file", 107 | "relation": "VT: IP to downloaded file" 108 | }, 109 | { 110 | "id": "2c92d62d55c5949f7087c3e309644399ccaea198ea6645919ec9db347c7b9437", 111 | "type": "file", 112 | "relation": "VT: IP to downloaded file" 113 | } 114 | ] 115 | } 116 | ] 117 | }, 118 | { 119 | "id": "4d935d56592d4a5513dd6e4182aaec3422205dc9d8dcc4f17eaa7a6b194b9624", 120 | "type": "file", 121 | "relation": "VT: file to execution parent", 122 | "children": [ 123 | { 124 | "id": "111.90.158.225", 125 | "type": "ip_address", 126 | "relation": "VT: file to contacted ip" 127 | }, 128 | { 129 | "id": "9e7506cba90222f6a786387832a419d4f680faddc9cde8e784cd93577b88dc66", 130 | "type": "file", 131 | "relation": "VT: file to execution parent", 132 | "children": [ 133 | { 134 | "id": "111.90.158.225", 135 | "type": "ip_address", 136 | "relation": "VT: file to contacted ip" 137 | }, 138 | { 139 | "id": "111.90.158.224", 140 | "type": "ip_address", 141 | "relation": "VT: file to contacted ip" 142 | }, 143 | { 144 | "id": "10.0.0.0", 145 | "type": "ip_address", 146 | "relation": "VT: file to contacted ip" 147 | }, 148 | { 149 | "id": "10.0.0.1", 150 | "type": "ip_address", 151 | "relation": "VT: 
-------------------------------------------------------------------------------- /samples/c0531f812a1ec5e825f7250f7b52db7621ecf93d973f0e3ba1aa0372e0f559f2_depth_3_201907171114.txt: --------------------------------------------------------------------------------
-------------------------------------------------------------------------------- /samples/c3f5add704f2c540f3dd345f853e2d84_depth_3_201907171114.json: --------------------------------------------------------------------------------
-------------------------------------------------------------------------------- /samples/c3f5add704f2c540f3dd345f853e2d84_depth_3_201907171114.txt: --------------------------------------------------------------------------------
-------------------------------------------------------------------------------- /samples/e889544aff85ffaf8b0d0da705105dee7c97fe26_depth_3_201907171120.json: --------------------------------------------------------------------------------
IP to downloaded file" 584 | }, 585 | { 586 | "id": "a1fc321c1f7c57f5e2e8a366b723ae00bc089b8927374d1e8e802ea39ea76f70", 587 | "type": "file", 588 | "relation": "VT: IP to downloaded file" 589 | } 590 | ] 591 | }, 592 | { 593 | "id": "144.217.254.91", 594 | "type": "ip_address", 595 | "relation": "VT: domain to resolution ip", 596 | "children": [ 597 | { 598 | "id": "371e1a097b46add664151fbaf02b60d015989db7be42b0c5ba571085c9af7ee1", 599 | "type": "file", 600 | "relation": "VT: IP to downloaded file" 601 | }, 602 | { 603 | "id": "e6b809d5291adfbed287dede7810367738075c8a4a10cb317e143871f587ce3f", 604 | "type": "file", 605 | "relation": "VT: IP to downloaded file" 606 | }, 607 | { 608 | "id": "1e58addbb0e48af9a9d00a453c588a6e62abed3942ee400cf309f414e3c688bc", 609 | "type": "file", 610 | "relation": "VT: IP to downloaded file" 611 | }, 612 | { 613 | "id": "4be9b4e7327041a75853cbe8abedf15ab049ceb16fa98f63b03a3b9aaa9b5075", 614 | "type": "file", 615 | "relation": "VT: IP to downloaded file" 616 | }, 617 | { 618 | "id": "ce0f4ea813643de8177ba3edab79f5b48379e7a9a8426b69edf35d919036bb83", 619 | "type": "file", 620 | "relation": "VT: IP to downloaded file" 621 | }, 622 | { 623 | "id": "02d967bd338ba664eaeec3cfe1e80de212d6be075a68ceb69288e3f72312b9b9", 624 | "type": "file", 625 | "relation": "VT: IP to downloaded file" 626 | }, 627 | { 628 | "id": "e44976d6ac5083132104fe17171cbc2932b401d89cf5c2ba4a81909270c5c4f2", 629 | "type": "file", 630 | "relation": "VT: IP to downloaded file" 631 | } 632 | ] 633 | }, 634 | { 635 | "id": "144.217.254.90", 636 | "type": "ip_address", 637 | "relation": "VT: domain to resolution ip", 638 | "children": [ 639 | { 640 | "id": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", 641 | "type": "file", 642 | "relation": "VT: IP to downloaded file" 643 | }, 644 | { 645 | "id": "e6b809d5291adfbed287dede7810367738075c8a4a10cb317e143871f587ce3f", 646 | "type": "file", 647 | "relation": "VT: IP to downloaded file" 648 | }, 649 | { 650 | 
"id": "371e1a097b46add664151fbaf02b60d015989db7be42b0c5ba571085c9af7ee1", 651 | "type": "file", 652 | "relation": "VT: IP to downloaded file" 653 | }, 654 | { 655 | "id": "1e58addbb0e48af9a9d00a453c588a6e62abed3942ee400cf309f414e3c688bc", 656 | "type": "file", 657 | "relation": "VT: IP to downloaded file" 658 | }, 659 | { 660 | "id": "ce0f4ea813643de8177ba3edab79f5b48379e7a9a8426b69edf35d919036bb83", 661 | "type": "file", 662 | "relation": "VT: IP to downloaded file" 663 | }, 664 | { 665 | "id": "4be9b4e7327041a75853cbe8abedf15ab049ceb16fa98f63b03a3b9aaa9b5075", 666 | "type": "file", 667 | "relation": "VT: IP to downloaded file" 668 | }, 669 | { 670 | "id": "d8799fe0e792eedf2b39cc2bce6f8025d6701f454a2ded0bfd9a569890ee8586", 671 | "type": "file", 672 | "relation": "VT: IP to downloaded file" 673 | }, 674 | { 675 | "id": "02d967bd338ba664eaeec3cfe1e80de212d6be075a68ceb69288e3f72312b9b9", 676 | "type": "file", 677 | "relation": "VT: IP to downloaded file" 678 | }, 679 | { 680 | "id": "c0b243b40f43a42ca0cb9b3af1de81522e688d5d700e5ad68507040c8d879875", 681 | "type": "file", 682 | "relation": "VT: IP to downloaded file" 683 | } 684 | ] 685 | } 686 | ] 687 | }, 688 | { 689 | "id": "a6f20e208551a644de2e4559e5484fc7930f06cea3477ecdacf940ab9e00f656", 690 | "type": "file", 691 | "relation": "VT: file to execution parent", 692 | "children": [ 693 | { 694 | "id": "104.17.39.137", 695 | "type": "ip_address", 696 | "relation": "VT: file to contacted ip" 697 | }, 698 | { 699 | "id": "104.17.37.137", 700 | "type": "ip_address", 701 | "relation": "VT: file to contacted ip" 702 | }, 703 | { 704 | "id": "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com", 705 | "type": "domain", 706 | "relation": "VT: file to contacted domain" 707 | } 708 | ] 709 | } 710 | ] 711 | } -------------------------------------------------------------------------------- /samples/e889544aff85ffaf8b0d0da705105dee7c97fe26_depth_3_201907171120.txt: 
--------------------------------------------------------------------------------
-------------------------------------------------------------------------------- /samples/xnz.freetzi.com_depth_3_201907171113.json:
-------------------------------------------------------------------------------- 1 | { 2 | "id": "xnz.freetzi.com", 3 | "type": "domain", 4 | "children": [ 5 | { 6 | "id": "69.197.143.12", 7 | "type": "ip_address", 8 | "relation": "QAX: domain to resolution ip", 9 | "children": [ 10 | { 11 | "id": "b89e563d46e139b30d7752706cfe83f12043817a1b961d7a51c876e94990ba64", 12 | "type": "file", 13 | "relation": "VT: IP to downloaded file" 14 | }, 15 | { 16 | "id": "0fdc8c6babee59eb8eca74607eb311b8fe7e54ee6dbc315560acb1d1ebdd604a", 17 | "type": "file", 18 | "relation": "VT: IP to downloaded file" 19 | }, 20 | { 21 | "id": "c631bd8c64293d437f8a7ea78ec92881733cd2aca5333a996258eeb645a8887d", 22 | "type": "file", 23 | "relation": "VT: IP to downloaded file" 24 | }, 25 | { 26 | "id": "e84bb49ff6b3d06390061e3e998f03de69a6650ca3d7b9018bbf57469eada7a0", 27 | "type": "file", 28 | "relation": "VT: IP to downloaded file" 29 | }, 30 | { 31 | "id": "3d179d0ad96dc1327ba83700d384ea5a27450daa73c7f286f19e2cdd97a15570", 32 | "type": "file", 33 | "relation": "VT: IP to downloaded file" 34 | }, 35 | { 36 | "id": "d71f004012eb42bebabacd4f1cea530590f8efb13aae2f8b5945aca0f6370561", 37 | "type": "file", 38 | "relation": "VT: IP to downloaded file" 39 | }, 40 | { 41 | "id": "d5069c064651cdbfb0a9c669759855d8fb50fcb5c83b4d0ba9eb8a21d9b0283d", 42 | "type": "file", 43 | "relation": "VT: IP to downloaded file" 44 | }, 45 | { 46 | "id": "8f6780b77814175e777d08c7d6771b1f36e7100ec363e6a4577d5be8ee88ea5f", 47 | "type": "file", 48 | "relation": "VT: IP to downloaded file" 49 | }, 50 | { 51 | "id": "f4edc88549750626ac0ae7c3ee69644a9939354dfcff794d3fe4c4ff0079f7fd", 52 | "type": "file", 53 | "relation": "VT: IP to downloaded file" 54 | }, 55 | { 56 | "id": "858b948561fbdb35be8841f913a7a8171595549e0eb7f29b040e5a67bf9114cb", 57 | "type": "file", 58 | "relation": "VT: IP to downloaded file" 59 | } 60 | ] 61 | }, 62 | { 63 | "id": "support@freewha.com", 64 | "type": "email", 65 | "relation": "QAX: domain to whois 
email", 66 | "children": [ 67 | { 68 | "id": "fu7.org", 69 | "type": "domain", 70 | "relation": "QAX: Whois email to domain", 71 | "children": [ 72 | { 73 | "id": "72.9.150.244", 74 | "type": "ip_address", 75 | "relation": "VT: domain to resolution ip" 76 | }, 77 | { 78 | "id": "173.212.219.237", 79 | "type": "ip_address", 80 | "relation": "VT: domain to resolution ip" 81 | }, 82 | { 83 | "id": "64.31.54.150", 84 | "type": "ip_address", 85 | "relation": "VT: domain to resolution ip" 86 | } 87 | ] 88 | }, 89 | { 90 | "id": "s7.cc", 91 | "type": "domain", 92 | "relation": "QAX: Whois email to domain", 93 | "children": [ 94 | { 95 | "id": "47.244.125.155", 96 | "type": "ip_address", 97 | "relation": "VT: domain to resolution ip" 98 | }, 99 | { 100 | "id": "203.78.142.55", 101 | "type": "ip_address", 102 | "relation": "VT: domain to resolution ip" 103 | }, 104 | { 105 | "id": "103.100.238.180", 106 | "type": "ip_address", 107 | "relation": "VT: domain to resolution ip" 108 | }, 109 | { 110 | "id": "72.52.4.119", 111 | "type": "ip_address", 112 | "relation": "VT: domain to resolution ip" 113 | } 114 | ] 115 | }, 116 | { 117 | "id": "0b.biz", 118 | "type": "domain", 119 | "relation": "QAX: Whois email to domain", 120 | "children": [ 121 | { 122 | "id": "72.52.4.121", 123 | "type": "ip_address", 124 | "relation": "VT: domain to resolution ip" 125 | }, 126 | { 127 | "id": "82.98.86.178", 128 | "type": "ip_address", 129 | "relation": "VT: domain to resolution ip" 130 | }, 131 | { 132 | "id": "198.57.158.57", 133 | "type": "ip_address", 134 | "relation": "VT: domain to resolution ip" 135 | } 136 | ] 137 | }, 138 | { 139 | "id": "07am.net", 140 | "type": "domain", 141 | "relation": "QAX: Whois email to domain", 142 | "children": [ 143 | { 144 | "id": "69.64.147.243", 145 | "type": "ip_address", 146 | "relation": "QAX: domain to resolution ip" 147 | }, 148 | { 149 | "id": "gdpr-masking@gdpr-masked.com", 150 | "type": "email", 151 | "relation": "QAX: domain to whois email" 152 
| }, 153 | { 154 | "id": "69.64.147.243", 155 | "type": "ip_address", 156 | "relation": "VT: domain to resolution ip" 157 | } 158 | ] 159 | }, 160 | { 161 | "id": "ueuo.com", 162 | "type": "domain", 163 | "relation": "QAX: Whois email to domain", 164 | "children": [ 165 | { 166 | "id": "69.197.143.11", 167 | "type": "ip_address", 168 | "relation": "QAX: domain to resolution ip" 169 | }, 170 | { 171 | "id": "gdpr-masking@gdpr-masked.com", 172 | "type": "email", 173 | "relation": "QAX: domain to whois email" 174 | }, 175 | { 176 | "id": "69.197.143.11", 177 | "type": "ip_address", 178 | "relation": "VT: domain to resolution ip" 179 | }, 180 | { 181 | "id": "192.151.159.115", 182 | "type": "ip_address", 183 | "relation": "VT: domain to resolution ip" 184 | }, 185 | { 186 | "id": "173.208.215.99", 187 | "type": "ip_address", 188 | "relation": "VT: domain to resolution ip" 189 | }, 190 | { 191 | "id": "5.9.82.10", 192 | "type": "ip_address", 193 | "relation": "VT: domain to resolution ip" 194 | }, 195 | { 196 | "id": "5.9.82.7", 197 | "type": "ip_address", 198 | "relation": "VT: domain to resolution ip" 199 | } 200 | ] 201 | }, 202 | { 203 | "id": "noads.biz", 204 | "type": "domain", 205 | "relation": "QAX: Whois email to domain", 206 | "children": [ 207 | { 208 | "id": "69.197.143.11", 209 | "type": "ip_address", 210 | "relation": "QAX: domain to resolution ip" 211 | }, 212 | { 213 | "id": "69.197.143.11", 214 | "type": "ip_address", 215 | "relation": "VT: domain to resolution ip" 216 | }, 217 | { 218 | "id": "192.151.159.115", 219 | "type": "ip_address", 220 | "relation": "VT: domain to resolution ip" 221 | }, 222 | { 223 | "id": "173.208.215.99", 224 | "type": "ip_address", 225 | "relation": "VT: domain to resolution ip" 226 | }, 227 | { 228 | "id": "5.9.82.10", 229 | "type": "ip_address", 230 | "relation": "VT: domain to resolution ip" 231 | }, 232 | { 233 | "id": "5.9.82.7", 234 | "type": "ip_address", 235 | "relation": "VT: domain to resolution ip" 236 | }, 237 | 
{ 238 | "id": "69.162.82.245", 239 | "type": "ip_address", 240 | "relation": "VT: domain to resolution ip" 241 | }, 242 | { 243 | "id": "69.162.86.180", 244 | "type": "ip_address", 245 | "relation": "VT: domain to resolution ip" 246 | } 247 | ] 248 | }, 249 | { 250 | "id": "freewebhostingarea.com", 251 | "type": "domain", 252 | "relation": "QAX: Whois email to domain", 253 | "children": [ 254 | { 255 | "id": "72.9.150.244", 256 | "type": "ip_address", 257 | "relation": "QAX: domain to resolution ip" 258 | }, 259 | { 260 | "id": "support@freewha.com", 261 | "type": "email", 262 | "relation": "QAX: domain to whois email" 263 | }, 264 | { 265 | "id": "72.9.150.244", 266 | "type": "ip_address", 267 | "relation": "VT: domain to resolution ip" 268 | }, 269 | { 270 | "id": "173.212.219.237", 271 | "type": "ip_address", 272 | "relation": "VT: domain to resolution ip" 273 | }, 274 | { 275 | "id": "64.31.54.150", 276 | "type": "ip_address", 277 | "relation": "VT: domain to resolution ip" 278 | }, 279 | { 280 | "id": "69.162.78.14", 281 | "type": "ip_address", 282 | "relation": "VT: domain to resolution ip" 283 | } 284 | ] 285 | }, 286 | { 287 | "id": "freewha.com", 288 | "type": "domain", 289 | "relation": "QAX: Whois email to domain", 290 | "children": [ 291 | { 292 | "id": "72.9.150.244", 293 | "type": "ip_address", 294 | "relation": "QAX: domain to resolution ip" 295 | }, 296 | { 297 | "id": "gdpr-masking@gdpr-masked.com", 298 | "type": "email", 299 | "relation": "QAX: domain to whois email" 300 | }, 301 | { 302 | "id": "72.9.150.244", 303 | "type": "ip_address", 304 | "relation": "VT: domain to resolution ip" 305 | }, 306 | { 307 | "id": "173.212.219.237", 308 | "type": "ip_address", 309 | "relation": "VT: domain to resolution ip" 310 | }, 311 | { 312 | "id": "64.31.54.150", 313 | "type": "ip_address", 314 | "relation": "VT: domain to resolution ip" 315 | } 316 | ] 317 | }, 318 | { 319 | "id": "freeoda.com", 320 | "type": "domain", 321 | "relation": "QAX: Whois email to 
domain", 322 | "children": [ 323 | { 324 | "id": "173.208.195.155", 325 | "type": "ip_address", 326 | "relation": "QAX: domain to resolution ip" 327 | }, 328 | { 329 | "id": "gdpr-masking@gdpr-masked.com", 330 | "type": "email", 331 | "relation": "QAX: domain to whois email" 332 | }, 333 | { 334 | "id": "173.208.195.155", 335 | "type": "ip_address", 336 | "relation": "VT: domain to resolution ip" 337 | }, 338 | { 339 | "id": "173.208.215.123", 340 | "type": "ip_address", 341 | "relation": "VT: domain to resolution ip" 342 | }, 343 | { 344 | "id": "144.76.99.198", 345 | "type": "ip_address", 346 | "relation": "VT: domain to resolution ip" 347 | }, 348 | { 349 | "id": "144.76.99.197", 350 | "type": "ip_address", 351 | "relation": "VT: domain to resolution ip" 352 | }, 353 | { 354 | "id": "74.63.241.180", 355 | "type": "ip_address", 356 | "relation": "VT: domain to resolution ip" 357 | } 358 | ] 359 | }, 360 | { 361 | "id": "eu5.org", 362 | "type": "domain", 363 | "relation": "QAX: Whois email to domain", 364 | "children": [ 365 | { 366 | "id": "69.197.143.11", 367 | "type": "ip_address", 368 | "relation": "QAX: domain to resolution ip" 369 | }, 370 | { 371 | "id": "69.197.143.11", 372 | "type": "ip_address", 373 | "relation": "VT: domain to resolution ip" 374 | }, 375 | { 376 | "id": "192.151.159.115", 377 | "type": "ip_address", 378 | "relation": "VT: domain to resolution ip" 379 | }, 380 | { 381 | "id": "173.208.215.99", 382 | "type": "ip_address", 383 | "relation": "VT: domain to resolution ip" 384 | }, 385 | { 386 | "id": "5.9.82.10", 387 | "type": "ip_address", 388 | "relation": "VT: domain to resolution ip" 389 | }, 390 | { 391 | "id": "5.9.82.7", 392 | "type": "ip_address", 393 | "relation": "VT: domain to resolution ip" 394 | }, 395 | { 396 | "id": "5.9.106.213", 397 | "type": "ip_address", 398 | "relation": "VT: domain to resolution ip" 399 | } 400 | ] 401 | } 402 | ] 403 | }, 404 | { 405 | "id": 
"d71f004012eb42bebabacd4f1cea530590f8efb13aae2f8b5945aca0f6370561", 406 | "type": "file", 407 | "relation": "VT: domain to downloaded file", 408 | "children": [ 409 | { 410 | "id": "3d179d0ad96dc1327ba83700d384ea5a27450daa73c7f286f19e2cdd97a15570", 411 | "type": "file", 412 | "relation": "VT: file to execution parent" 413 | } 414 | ] 415 | }, 416 | { 417 | "id": "3d179d0ad96dc1327ba83700d384ea5a27450daa73c7f286f19e2cdd97a15570", 418 | "type": "file", 419 | "relation": "VT: domain to downloaded file", 420 | "children": [ 421 | { 422 | "id": "69.197.143.12", 423 | "type": "ip_address", 424 | "relation": "VT: file to contacted ip" 425 | }, 426 | { 427 | "id": "xnz.freetzi.com", 428 | "type": "domain", 429 | "relation": "VT: file to contacted domain" 430 | }, 431 | { 432 | "id": "ocsp.digicert.com", 433 | "type": "domain", 434 | "relation": "VT: file to contacted domain", 435 | "children": [ 436 | { 437 | "id": "203.208.39.99", 438 | "type": "ip_address", 439 | "relation": "QAX: domain to resolution ip" 440 | }, 441 | { 442 | "id": "66.249.89.104", 443 | "type": "ip_address", 444 | "relation": "QAX: domain to resolution ip" 445 | }, 446 | { 447 | "id": "203.208.39.104", 448 | "type": "ip_address", 449 | "relation": "QAX: domain to resolution ip" 450 | }, 451 | { 452 | "id": "117.18.237.29", 453 | "type": "ip_address", 454 | "relation": "QAX: domain to resolution ip" 455 | }, 456 | { 457 | "id": "c477bda8237a5799bf520bc7ca317da8811a903837030748cf7c16c404cc4297", 458 | "type": "file", 459 | "relation": "VT: domain to downloaded file" 460 | }, 461 | { 462 | "id": "7921a6035cc8a0981a5dee737dd3d29b150ddd48407717d3fca4b6376f2b0e70", 463 | "type": "file", 464 | "relation": "VT: domain to downloaded file" 465 | }, 466 | { 467 | "id": "10433a2437f8fcd1a99330ea1c30fa53ee69b926c66a8b7f9c95cc714d5aea5c", 468 | "type": "file", 469 | "relation": "VT: domain to downloaded file" 470 | }, 471 | { 472 | "id": "5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9", 473 | 
"type": "file", 474 | "relation": "VT: domain to downloaded file" 475 | }, 476 | { 477 | "id": "93ca0855001ee8245ab17b4f0ee245ef4e41898030ee88fbd73ba41269d00c52", 478 | "type": "file", 479 | "relation": "VT: domain to downloaded file" 480 | }, 481 | { 482 | "id": "d19154c8ee3e18c98c2f3e1c38adb03513c7bca42d34a04d469283cf7302ce12", 483 | "type": "file", 484 | "relation": "VT: domain to downloaded file" 485 | }, 486 | { 487 | "id": "de99d586f0d4c4baf1a089eb6b39d64e11f132a9f6b730bcef2be34699cb67a5", 488 | "type": "file", 489 | "relation": "VT: domain to downloaded file" 490 | }, 491 | { 492 | "id": "98881805af50c26f79c1bc073dc578979c46bb4f86051011a3799fd8b6b01c63", 493 | "type": "file", 494 | "relation": "VT: domain to downloaded file" 495 | }, 496 | { 497 | "id": "3b1b4c39ba180f0a0fcab9cccf3a0b3facbb4767d2bebc50b82be9cbd6b50d59", 498 | "type": "file", 499 | "relation": "VT: domain to downloaded file" 500 | }, 501 | { 502 | "id": "5e729e47890b06b2525cd876500b5ac53ee72c15ede0c97e7aada6605548ae87", 503 | "type": "file", 504 | "relation": "VT: domain to downloaded file" 505 | }, 506 | { 507 | "id": "72.21.91.29", 508 | "type": "ip_address", 509 | "relation": "VT: domain to resolution ip" 510 | }, 511 | { 512 | "id": "93.184.220.29", 513 | "type": "ip_address", 514 | "relation": "VT: domain to resolution ip" 515 | }, 516 | { 517 | "id": "192.16.58.8", 518 | "type": "ip_address", 519 | "relation": "VT: domain to resolution ip" 520 | }, 521 | { 522 | "id": "192.229.254.6", 523 | "type": "ip_address", 524 | "relation": "VT: domain to resolution ip" 525 | }, 526 | { 527 | "id": "192.229.254.5", 528 | "type": "ip_address", 529 | "relation": "VT: domain to resolution ip" 530 | }, 531 | { 532 | "id": "72.21.80.6", 533 | "type": "ip_address", 534 | "relation": "VT: domain to resolution ip" 535 | }, 536 | { 537 | "id": "72.21.80.5", 538 | "type": "ip_address", 539 | "relation": "VT: domain to resolution ip" 540 | }, 541 | { 542 | "id": "117.18.237.29", 543 | "type": "ip_address", 
 544 | "relation": "VT: domain to resolution ip" 545 | }, 546 | { 547 | "id": "174.37.236.19", 548 | "type": "ip_address", 549 | "relation": "VT: domain to resolution ip" 550 | }, 551 | { 552 | "id": "174.37.236.20", 553 | "type": "ip_address", 554 | "relation": "VT: domain to resolution ip" 555 | } 556 | ] 557 | } 558 | ] 559 | }, 560 | { 561 | "id": "902bc1296618dc7db0b2ddf3d94fce169b48e8bccc7d2e3e7d07462e040cb914", 562 | "type": "file", 563 | "relation": "VT: domain to downloaded file", 564 | "children": [ 565 | { 566 | "id": "3d179d0ad96dc1327ba83700d384ea5a27450daa73c7f286f19e2cdd97a15570", 567 | "type": "file", 568 | "relation": "VT: file to execution parent" 569 | } 570 | ] 571 | }, 572 | { 573 | "id": "773a9ffbaf483776e2ffffdd7fd44209f558bbae1e179faeb824595b76ac3821", 574 | "type": "file", 575 | "relation": "VT: domain to downloaded file" 576 | }, 577 | { 578 | "id": "20d529ea8a9e04e621c1a8c952350dd0e5e8e2baa4ebba894e1113ae45bb5dd0", 579 | "type": "file", 580 | "relation": "VT: domain to downloaded file" 581 | }, 582 | { 583 | "id": "69.197.143.12", 584 | "type": "ip_address", 585 | "relation": "VT: domain to resolution ip" 586 | } 587 | ] 588 | } -------------------------------------------------------------------------------- /samples/xnz.freetzi.com_depth_3_201907171113.txt: --------------------------------------------------------------------------------
--------------------------------------------------------------------------------