{ "type": "URL", "indicator": "https://js.monitor.azure.com/scripts/a/ai.0.js", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://js.monitor.azure.com/scripts/a/ai.0.js", "type": "url", "type_title": "URL", "validation": [ { "source": "akamai", "message": "Akamai rank: #45", "name": "Akamai Popular Domain" }, { "source": "whitelist", "message": "Whitelisted domain azure.com", "name": "Whitelisted domain" }, { "source": "majestic", "message": "Whitelisted domain azure.com", "name": "Whitelisted domain" } ], "base_indicator": { "id": 4241291567, "indicator": "https://js.monitor.azure.com/scripts/a/ai.0.js", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 14, "pulses": [ { "id": "69e940361a6e8be7e02ffe5d", "name": "URL_File_Delivery clone by octoseek", "description": "", "modified": "2026-05-22T23:04:42.859000", "created": "2026-04-22T21:40:06.671000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "64d9d1b920c9b43c1885b2e4", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1644, "domain": 386, "hostname": 535, "FileHash-SHA256": 609, "email": 5, "URI": 9, "FilePath": 1, "FileHash-SHA1": 8, "FileHash-MD5": 24 }, "indicator_count": 3221, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "8 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a03cc521e13c5d6d34555d0", "name": "Judgement Day. VirusTotal report for index.html", "description": "[Apple.com has sent a series of \"fl flushMessages\" to its servers, but what exactly is the data and what is it going to get out of the system and how does it feel?]", "modified": "2026-05-15T10:22:00.139000", "created": "2026-05-13T00:56:50.182000", "tags": [ "darwin kernel", "version", "wed feb", "apfs4kobjs", "instagram", "mosaic", "free", "get http", "dns resolutions", "ip traffic", "pattern domains", "memory pattern", "urls https", "tls sni", "algorithm", "key identifier", "x509v3 subject", "v3 serial", "number", "cus olet", "encrypt cnr13", "validity", "subject public", "key info", "performs dns", "https", "urls", "united", "mitre attack", "network info", "processes extra", "t1055 process", "layer protocol", "overview", "phishing", "defense evasion", "next", "default", "parent pid", "full path", "command line", "k netsvcs", "k localservice", "s w32time", "event provider", "device", "registry keys" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 132, "FileHash-MD5": 43, "FileHash-SHA1": 6, "hostname": 364, "IPv4": 75, "URL": 574, "Mutex": 1, "FileHash-SHA256": 404 }, "indicator_count": 1599, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "16 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69dbeabd47b6e788ecf7fc32", "name": "CAPE Sandbox", "description": "A full report on Google Tag Manager for GA4, available to download on the web at any time, here is the full set of key points and key details for the report: .", "modified": "2026-05-12T18:44:07.582000", "created": "2026-04-12T18:55:57.872000", "tags": [ "default", "typelib", "parent pid", "full path", "command line", "inprocserver32", "accept", "shell folders", "host", "cname", "install", "agent", "shutdown", "win64", "back", "info", "file type", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "text", "json", "in a", "estonia", "body", "performs dns", "https", "mitre attack", "network info", "processes extra", "t1055 process", "layer protocol", "overview", "overview zenbox", "verdict", "phishing", "next", "xffxf0 xffxf0", "xffxee xffxee", "xffxef xffxef", "xffxeb xffxeb", "px9d", "xe4x84", "fxf8", "x94 x94", "xc1 xc1", "xffxf1 xffxf1", "urls", "has permission", "united", "sim provider", "may check", "tls version", "persistence", "pe file", "pe32", "intel", "ms windows", "sample", "spawns", "found", "drops pe", "sandbox", "malware", "analysis", "online", "submit", "vxstream", "download", "trojan", "apt", "hybrid analysis", "api key", "vetting process", "please note", "please" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/007b0aa19218de7fe7b47dc785b345e4e09f8c8a133c689dafc778cf793e3ce0_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776019916&Signature=xU%2B28g7ql0wStAL7V97bG%2Bu0WHtev4OIGz8U3iqDKd%2FVNVlrDQ3vuAEteGPtDDR7qOlLSsItJmNBqGgWLySJ6U0nGICmzJVo0byP8H6%2Fd3HprkIH74LXAL%2FamR8rSKAlS1VWW%2FnGofIVc0zLtQeJdz%2BAMpNC0WX4pzvsIv2uagnjpUxUyVUykArW18%2FIapRYlTQZ0g4MdrwH%2FZ7h%2F0u9jGUM6rAiCBz33EYObn4aNb", "https://vtbehaviour.commondatastorage.googleapis.com/3b145ee102848506dc7551758ee869b43a1753f06fabcbcf9ca574cb7843d60e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776019946&Signature=JcVZlsCApsz0O52G3FOi%2BaimamYfGaduCcu4UnDC9VmXvZgqZ7fDxGeCnZM9NPUhmq0561rZ8PRIqA52RiBX3KnC7vhJa9PFjro5MHPo48Ypu9wL0RVB7C0RmZ3osycpkpyxEhtxKbIBAhFSEeMaEF%2F1BQw5%2BiCzEgPRP4X89bIAzw2EDpi3ulfCz8hms3FgCvWD6JMXBGKQJt1aE58BlUPY7ZhwLtbK4kOd4wzZjtfRjMqcTIEH7E0l", "https://vtbehaviour.commondatastorage.googleapis.com/3aebd918df444e5261a70a7b9957a04b62899583cca94cb90078ee348988691e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776020086&Signature=vMuNzon2yUMc%2F5PXmshAS3lf0MVaReBDP3dcoOo82NLL71xjFa%2F0VIEFo55JjUmKlOHvhj6b0rJp8aIUUpsBDR%2FLZqmeDT44n0TYUkzfcIlLutGzkvs51q5mrJeeemJL6QT8bKwOFyLEXXO4SZPPduUilqL%2B1j79%2BDUni60qslB23F%2FgjYjG0edIuIfW6yq1yjBgsR34RyCGI5Lc8I%2FVLrF4ZjzIswsIHyhorBolKc7rKhoDz6masxaT", "https://vtbehaviour.commondatastorage.googleapis.com/3b145ee102848506dc7551758ee869b43a1753f06fabcbcf9ca574cb7843d60e_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776020136&Signature=H%2FVhg6NRizidJvYP4bRaC%2B%2Fuh8%2F0Z5Rd0CKbYgwrqTxA%2B2BloALbxPU70bhu3eDWE1sqvRizm6xer2MkUeNtxL9kjtBPDD7Vpxe6Oq6R6o22ZN5vWg%2BqZnbM3PVA3wfuJwZ1sZaO7gv79Bd4iyuD9687aMdFTrD5BJ%2Fbd2rKn063HRKOwRubgTuKJwxXlPjVI0ocAdDIvmmDac1rsWOYTbcHVCIKUVrpUCmnjpXsSag%2BZTA", "https://vtbehaviour.commondatastorage.googleapis.com/00000722ff984d5cd9cd766d12c70eecc7a2ad7502999c5a99d582c79b92c1a6_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776020243&Signature=H1wTQxzrttgLCjJhjhriXYwMDCRB5ydjPUCYh9LS7Sqr42Y7WZzXZe0hC7YLFaTXYy2N3AsSr89gjIRZR80Jda4iLYyDlgohE9qQ3kFeKNZ%2FNp7IQu5FZY%2FpXRI7rsIlJnvlZmpbI006al7O0LQV5CrC797x%2FTp6jmAxmP5TS7NA%2BGfaDL14G7dIIeHtBoHxi7cbP%2Fe3qT1q3LcRk5oN%2FRV8TXEhpggMmbhYUEmK6ATwmwrh", "https://vtbehaviour.commondatastorage.googleapis.com/005fdc2438f1b1e58ea5e4d9c396feea40ad8a4788e90da06ecea60c5a8d79c2_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776020323&Signature=Mogy01Itx6r1B%2BxNe8ittQgO%2FxZRRAb%2F9lJynhxwSVOzHX7CsWRLBNEGHRp0B9k%2Bg%2FHO2jb5K65QRLLPyqkoA45n8CsH6T5790n7E0fsbYtOvp04eV28khNlOt2b%2Feh0a3nwcC%2BNAmxEHgqzaCfQlHBqBjk2ErpfhlpC5uQJchq%2BBgGeuPcFc8YRy4RCmaBiaTeD2V%2FJD7lssTzQfnZhLNMSLqEISDCN7TYsfL1%2BJREl4wSO7C", "https://hybrid-analysis.com/sample/4e4fa68c1c4d2cfee133c31432dd303bb5746f7094b5a6832a25e47e6279171c" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1409", "name": "Access Stored Application Data", "display_name": "T1409 - Access Stored Application Data" }, { "id": "T1418", "name": "Application Discovery", "display_name": "T1418 - Application Discovery" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1422", "name": "System Network Configuration Discovery", "display_name": "T1422 - System Network Configuration Discovery" }, { "id": "T1424", "name": "Process Discovery", "display_name": "T1424 - Process Discovery" }, { "id": "T1426", "name": "System Information Discovery", "display_name": "T1426 - System Information Discovery" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 302, "FileHash-SHA1": 71, "FileHash-SHA256": 78, "URL": 181, "domain": 34, "hostname": 237 }, "indicator_count": 903, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "18 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69dbeabe5c5690d468b08e7a", "name": "CAPE Sandbox", "description": "A full report on Google Tag Manager for GA4, available to download on the web at any time, here is the full set of key points and key details for the report: .", "modified": "2026-05-12T18:44:07.582000", "created": "2026-04-12T18:55:58.319000", "tags": [ "default", "typelib", "parent pid", "full path", "command line", "inprocserver32", "accept", "shell folders", "host", "cname", "install", "agent", "shutdown", "win64", "back", "info", "file type", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "text", "json", "in a", "estonia", "body", "performs dns", "https", "mitre attack", "network info", "processes extra", "t1055 process", "layer protocol", "overview", "overview zenbox", "verdict", "phishing", "next", "xffxf0 xffxf0", "xffxee xffxee", "xffxef xffxef", "xffxeb xffxeb", "px9d", "xe4x84", "fxf8", "x94 x94", "xc1 xc1", "xffxf1 xffxf1", "urls", "has permission", "united", "sim provider", "may check", "tls version", "persistence", "pe file", "pe32", "intel", "ms windows", "sample", "spawns", "found", "drops pe", "sandbox", "malware", "analysis", "online", "submit", "vxstream", "download", "trojan", "apt", "hybrid analysis", "api key", "vetting process", "please note", "please" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/007b0aa19218de7fe7b47dc785b345e4e09f8c8a133c689dafc778cf793e3ce0_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776019916&Signature=xU%2B28g7ql0wStAL7V97bG%2Bu0WHtev4OIGz8U3iqDKd%2FVNVlrDQ3vuAEteGPtDDR7qOlLSsItJmNBqGgWLySJ6U0nGICmzJVo0byP8H6%2Fd3HprkIH74LXAL%2FamR8rSKAlS1VWW%2FnGofIVc0zLtQeJdz%2BAMpNC0WX4pzvsIv2uagnjpUxUyVUykArW18%2FIapRYlTQZ0g4MdrwH%2FZ7h%2F0u9jGUM6rAiCBz33EYObn4aNb", "https://vtbehaviour.commondatastorage.googleapis.com/3b145ee102848506dc7551758ee869b43a1753f06fabcbcf9ca574cb7843d60e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776019946&Signature=JcVZlsCApsz0O52G3FOi%2BaimamYfGaduCcu4UnDC9VmXvZgqZ7fDxGeCnZM9NPUhmq0561rZ8PRIqA52RiBX3KnC7vhJa9PFjro5MHPo48Ypu9wL0RVB7C0RmZ3osycpkpyxEhtxKbIBAhFSEeMaEF%2F1BQw5%2BiCzEgPRP4X89bIAzw2EDpi3ulfCz8hms3FgCvWD6JMXBGKQJt1aE58BlUPY7ZhwLtbK4kOd4wzZjtfRjMqcTIEH7E0l", "https://vtbehaviour.commondatastorage.googleapis.com/3aebd918df444e5261a70a7b9957a04b62899583cca94cb90078ee348988691e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776020086&Signature=vMuNzon2yUMc%2F5PXmshAS3lf0MVaReBDP3dcoOo82NLL71xjFa%2F0VIEFo55JjUmKlOHvhj6b0rJp8aIUUpsBDR%2FLZqmeDT44n0TYUkzfcIlLutGzkvs51q5mrJeeemJL6QT8bKwOFyLEXXO4SZPPduUilqL%2B1j79%2BDUni60qslB23F%2FgjYjG0edIuIfW6yq1yjBgsR34RyCGI5Lc8I%2FVLrF4ZjzIswsIHyhorBolKc7rKhoDz6masxaT", "https://vtbehaviour.commondatastorage.googleapis.com/3b145ee102848506dc7551758ee869b43a1753f06fabcbcf9ca574cb7843d60e_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776020136&Signature=H%2FVhg6NRizidJvYP4bRaC%2B%2Fuh8%2F0Z5Rd0CKbYgwrqTxA%2B2BloALbxPU70bhu3eDWE1sqvRizm6xer2MkUeNtxL9kjtBPDD7Vpxe6Oq6R6o22ZN5vWg%2BqZnbM3PVA3wfuJwZ1sZaO7gv79Bd4iyuD9687aMdFTrD5BJ%2Fbd2rKn063HRKOwRubgTuKJwxXlPjVI0ocAdDIvmmDac1rsWOYTbcHVCIKUVrpUCmnjpXsSag%2BZTA", "https://vtbehaviour.commondatastorage.googleapis.com/00000722ff984d5cd9cd766d12c70eecc7a2ad7502999c5a99d582c79b92c1a6_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776020243&Signature=H1wTQxzrttgLCjJhjhriXYwMDCRB5ydjPUCYh9LS7Sqr42Y7WZzXZe0hC7YLFaTXYy2N3AsSr89gjIRZR80Jda4iLYyDlgohE9qQ3kFeKNZ%2FNp7IQu5FZY%2FpXRI7rsIlJnvlZmpbI006al7O0LQV5CrC797x%2FTp6jmAxmP5TS7NA%2BGfaDL14G7dIIeHtBoHxi7cbP%2Fe3qT1q3LcRk5oN%2FRV8TXEhpggMmbhYUEmK6ATwmwrh", "https://vtbehaviour.commondatastorage.googleapis.com/005fdc2438f1b1e58ea5e4d9c396feea40ad8a4788e90da06ecea60c5a8d79c2_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776020323&Signature=Mogy01Itx6r1B%2BxNe8ittQgO%2FxZRRAb%2F9lJynhxwSVOzHX7CsWRLBNEGHRp0B9k%2Bg%2FHO2jb5K65QRLLPyqkoA45n8CsH6T5790n7E0fsbYtOvp04eV28khNlOt2b%2Feh0a3nwcC%2BNAmxEHgqzaCfQlHBqBjk2ErpfhlpC5uQJchq%2BBgGeuPcFc8YRy4RCmaBiaTeD2V%2FJD7lssTzQfnZhLNMSLqEISDCN7TYsfL1%2BJREl4wSO7C", "https://hybrid-analysis.com/sample/4e4fa68c1c4d2cfee133c31432dd303bb5746f7094b5a6832a25e47e6279171c" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1409", "name": "Access Stored Application Data", "display_name": "T1409 - Access Stored Application Data" }, { "id": "T1418", "name": "Application Discovery", "display_name": "T1418 - Application Discovery" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1422", "name": "System Network Configuration Discovery", "display_name": "T1422 - System Network Configuration Discovery" }, { "id": "T1424", "name": "Process Discovery", "display_name": "T1424 - Process Discovery" }, { "id": "T1426", "name": "System Information Discovery", "display_name": "T1426 - System Information Discovery" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 302, "FileHash-SHA1": 71, "FileHash-SHA256": 78, "URL": 181, "domain": 34, "hostname": 237 }, "indicator_count": 903, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "18 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69dbeabf8e4208f8af8b744d", "name": "CAPE Sandbox", "description": "A full report on Google Tag Manager for GA4, available to download on the web at any time, here is the full set of key points and key details for the report: .", "modified": "2026-05-12T18:44:07.582000", "created": "2026-04-12T18:55:59.161000", "tags": [ "default", "typelib", "parent pid", "full path", "command line", "inprocserver32", "accept", "shell folders", "host", "cname", "install", "agent", "shutdown", "win64", "back", "info", "file type", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "text", "json", "in a", "estonia", "body", "performs dns", "https", "mitre attack", "network info", "processes extra", "t1055 process", "layer protocol", "overview", "overview zenbox", "verdict", "phishing", "next", "xffxf0 xffxf0", "xffxee xffxee", "xffxef xffxef", "xffxeb xffxeb", "px9d", "xe4x84", "fxf8", "x94 x94", "xc1 xc1", "xffxf1 xffxf1", "urls", "has permission", "united", "sim provider", "may check", "tls version", "persistence", "pe file", "pe32", "intel", "ms windows", "sample", "spawns", "found", "drops pe", "sandbox", "malware", "analysis", "online", "submit", "vxstream", "download", "trojan", "apt", "hybrid analysis", "api key", "vetting process", "please note", "please" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/007b0aa19218de7fe7b47dc785b345e4e09f8c8a133c689dafc778cf793e3ce0_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776019916&Signature=xU%2B28g7ql0wStAL7V97bG%2Bu0WHtev4OIGz8U3iqDKd%2FVNVlrDQ3vuAEteGPtDDR7qOlLSsItJmNBqGgWLySJ6U0nGICmzJVo0byP8H6%2Fd3HprkIH74LXAL%2FamR8rSKAlS1VWW%2FnGofIVc0zLtQeJdz%2BAMpNC0WX4pzvsIv2uagnjpUxUyVUykArW18%2FIapRYlTQZ0g4MdrwH%2FZ7h%2F0u9jGUM6rAiCBz33EYObn4aNb", "https://vtbehaviour.commondatastorage.googleapis.com/3b145ee102848506dc7551758ee869b43a1753f06fabcbcf9ca574cb7843d60e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776019946&Signature=JcVZlsCApsz0O52G3FOi%2BaimamYfGaduCcu4UnDC9VmXvZgqZ7fDxGeCnZM9NPUhmq0561rZ8PRIqA52RiBX3KnC7vhJa9PFjro5MHPo48Ypu9wL0RVB7C0RmZ3osycpkpyxEhtxKbIBAhFSEeMaEF%2F1BQw5%2BiCzEgPRP4X89bIAzw2EDpi3ulfCz8hms3FgCvWD6JMXBGKQJt1aE58BlUPY7ZhwLtbK4kOd4wzZjtfRjMqcTIEH7E0l", "https://vtbehaviour.commondatastorage.googleapis.com/3aebd918df444e5261a70a7b9957a04b62899583cca94cb90078ee348988691e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776020086&Signature=vMuNzon2yUMc%2F5PXmshAS3lf0MVaReBDP3dcoOo82NLL71xjFa%2F0VIEFo55JjUmKlOHvhj6b0rJp8aIUUpsBDR%2FLZqmeDT44n0TYUkzfcIlLutGzkvs51q5mrJeeemJL6QT8bKwOFyLEXXO4SZPPduUilqL%2B1j79%2BDUni60qslB23F%2FgjYjG0edIuIfW6yq1yjBgsR34RyCGI5Lc8I%2FVLrF4ZjzIswsIHyhorBolKc7rKhoDz6masxaT", "https://vtbehaviour.commondatastorage.googleapis.com/3b145ee102848506dc7551758ee869b43a1753f06fabcbcf9ca574cb7843d60e_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776020136&Signature=H%2FVhg6NRizidJvYP4bRaC%2B%2Fuh8%2F0Z5Rd0CKbYgwrqTxA%2B2BloALbxPU70bhu3eDWE1sqvRizm6xer2MkUeNtxL9kjtBPDD7Vpxe6Oq6R6o22ZN5vWg%2BqZnbM3PVA3wfuJwZ1sZaO7gv79Bd4iyuD9687aMdFTrD5BJ%2Fbd2rKn063HRKOwRubgTuKJwxXlPjVI0ocAdDIvmmDac1rsWOYTbcHVCIKUVrpUCmnjpXsSag%2BZTA", "https://vtbehaviour.commondatastorage.googleapis.com/00000722ff984d5cd9cd766d12c70eecc7a2ad7502999c5a99d582c79b92c1a6_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776020243&Signature=H1wTQxzrttgLCjJhjhriXYwMDCRB5ydjPUCYh9LS7Sqr42Y7WZzXZe0hC7YLFaTXYy2N3AsSr89gjIRZR80Jda4iLYyDlgohE9qQ3kFeKNZ%2FNp7IQu5FZY%2FpXRI7rsIlJnvlZmpbI006al7O0LQV5CrC797x%2FTp6jmAxmP5TS7NA%2BGfaDL14G7dIIeHtBoHxi7cbP%2Fe3qT1q3LcRk5oN%2FRV8TXEhpggMmbhYUEmK6ATwmwrh", "https://vtbehaviour.commondatastorage.googleapis.com/005fdc2438f1b1e58ea5e4d9c396feea40ad8a4788e90da06ecea60c5a8d79c2_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776020323&Signature=Mogy01Itx6r1B%2BxNe8ittQgO%2FxZRRAb%2F9lJynhxwSVOzHX7CsWRLBNEGHRp0B9k%2Bg%2FHO2jb5K65QRLLPyqkoA45n8CsH6T5790n7E0fsbYtOvp04eV28khNlOt2b%2Feh0a3nwcC%2BNAmxEHgqzaCfQlHBqBjk2ErpfhlpC5uQJchq%2BBgGeuPcFc8YRy4RCmaBiaTeD2V%2FJD7lssTzQfnZhLNMSLqEISDCN7TYsfL1%2BJREl4wSO7C", "https://hybrid-analysis.com/sample/4e4fa68c1c4d2cfee133c31432dd303bb5746f7094b5a6832a25e47e6279171c" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1409", "name": "Access Stored Application Data", "display_name": "T1409 - Access Stored Application Data" }, { "id": "T1418", "name": "Application Discovery", "display_name": "T1418 - Application Discovery" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1422", "name": "System Network Configuration Discovery", "display_name": "T1422 - System Network Configuration Discovery" }, { "id": "T1424", "name": "Process Discovery", "display_name": "T1424 - Process Discovery" }, { "id": "T1426", "name": "System Information Discovery", "display_name": "T1426 - System Information Discovery" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 302, "FileHash-SHA1": 71, "FileHash-SHA256": 78, "URL": 181, "domain": 34, "hostname": 237 }, "indicator_count": 903, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "18 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69faf0e7e922f6018d039d15", "name": "CAPE Sandbox - Aurora like Flo.", "description": "[This research pulse identifies a file exhibiting high-frequency network activity with minimal local file system impact. The sample bypasses common detection signatures, relying on encrypted communications and rapid DNS resolution to establish external connections.Technical Analysis & MITRE ATT&CKCommand and Control (T1071.001): The sample utilizes standard Web Protocols (HTTP/DNS) for external communication.Reconnaissance (T1589): High volume of unique IP connections (17) and DNS queries (6) suggests automated environmental scanning or identity gathering.Protocol Obfuscation: The presence of 11 unique JA3 fingerprints indicates a sophisticated rotating encryption strategy for SSL/TLS traffic to evade traditional network inspection.Indicators of Compromise (IoCs)File Hash (SHA-256): df8f1674d7034cb48fcd0651304833febfcaf1814c8294839246e9db1d269b1dNetwork Activity with Nextron:HTTP Requests: 5DNS Queries: 6Unique IP Connections: 17Encrypted Traffic: 11 JA3 SSL/TLS fingerprints observed.", "modified": "2026-05-06T10:50:46.591000", "created": "2026-05-06T07:42:31.304000", "tags": [ "html internet", "html document", "ascii text", "code", "date", "icann whois", "server", "registrar abuse", "whois status", "notice", "dnssec", "registrant name", "tech email", "form", "tech", "handle", "address range", "cidr", "network name", "allocation type", "allocated pa", "status", "whois server", "entity scipmnt", "nextron", "show", "read", "t series", "textron", "europe", "nextron product", "brands", "transportation", "taiwan" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 151, "hostname": 232, "domain": 98, "FileHash-MD5": 50, "FileHash-SHA1": 6, "FileHash-SHA256": 32, "IPv4": 44, "email": 1, "CIDR": 2, "CVE": 1 }, "indicator_count": 617, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "25 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69faf0e688402e4e3ab85930", "name": "CAPE Sandbox - Aurora like Flo.", "description": "[This research pulse identifies a file exhibiting high-frequency network activity with minimal local file system impact. The sample bypasses common detection signatures, relying on encrypted communications and rapid DNS resolution to establish external connections.Technical Analysis & MITRE ATT&CKCommand and Control (T1071.001): The sample utilizes standard Web Protocols (HTTP/DNS) for external communication.Reconnaissance (T1589): High volume of unique IP connections (17) and DNS queries (6) suggests automated environmental scanning or identity gathering.Protocol Obfuscation: The presence of 11 unique JA3 fingerprints indicates a sophisticated rotating encryption strategy for SSL/TLS traffic to evade traditional network inspection.Indicators of Compromise (IoCs)File Hash (SHA-256): df8f1674d7034cb48fcd0651304833febfcaf1814c8294839246e9db1d269b1dNetwork Activity with Nextron:HTTP Requests: 5DNS Queries: 6Unique IP Connections: 17Encrypted Traffic: 11 JA3 SSL/TLS fingerprints observed.", "modified": "2026-05-06T10:50:46.337000", "created": "2026-05-06T07:42:30.565000", "tags": [ "html internet", "html document", "ascii text", "code", "date", "icann whois", "server", "registrar abuse", "whois status", "notice", "dnssec", "registrant name", "tech email", "form", "tech", "handle", "address range", "cidr", "network name", "allocation type", "allocated pa", "status", "whois server", "entity scipmnt", "nextron", "show", "read", "t series", "textron", "europe", "nextron product", "brands", "transportation", "taiwan" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 88, "hostname": 185, "domain": 62, "FileHash-MD5": 16, "FileHash-SHA1": 4, "FileHash-SHA256": 17, "IPv4": 32, "email": 1, "CIDR": 2, "CVE": 1 }, "indicator_count": 408, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "25 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69cc7c56a6de2ada64f680a3", "name": "VirusTotal report\n for index.html", "description": "A full report on an attack on the Windows operating system: Google Tag Manager for GA4, a search engine for web addresses, and the results of an investigation into a malicious web address. https://www.virustotal.com/gui/file/fb43553d906781edd1ae894cf50d7735a1207fcad1123eb837d55eb4d448fed4/behavior", "modified": "2026-05-01T02:13:09.867000", "created": "2026-04-01T02:00:54.253000", "tags": [ "performs dns", "file type", "https", "united", "urls", "unix", "cache entry", "tls version", "mitre attack", "network info", "phishing", "next" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/fb43553d906781edd1ae894cf50d7735a1207fcad1123eb837d55eb4d448fed4_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775009023&Signature=PziYPmignr4yS1lhHo3FLsy%2B3wv6NV3HLbjKGJEMNVGQ9aD9FDW5NK9YX72ZvwWQuRF%2Btlid2IMM4%2FSbExMWxsHBCbZgbfKOPbTmlL18CN3TRx76z6G99I5R3PdJ22Af%2FxunZxS5jido7mF%2FfbGNwDC%2FCsiIAEzqUMOrSXJSl5nL8wRA1i6D%2FlUeL5y9QJrChIb8dpWja0nNAlwwrI7VYKsu75vAi%2Fb0cjTeplMhdUDufC3dilUscH" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 12, "URL": 62, "domain": 12, "hostname": 56 }, "indicator_count": 146, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "30 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69cc545090c369b8067ecca7", "name": "VirusTotal report\n for index.html", "description": "The Town of Cohasset, a search engine for malicious websites, has been published for the first time in its 3,000-year-old history, with the result of a report generated on 27 March 2026.", "modified": "2026-04-30T23:10:15.978000", "created": "2026-03-31T23:10:08.836000", "tags": [ "performs dns", "mitre attack", "network info", "processes extra", "t1055 process", "overview", "overview zenbox", "verdict", "guest system", "ultimate file", "phishing", "next" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/c977a561765c2861793b64324a98233900e8db2b4838c90c96b84012115a7f32_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1774998761&Signature=XCnGnUE%2Fzu8qpCGFqG5mHoDrdTbULz9ErAVvON9F2Y60XotlqnfLyUMFIAGU1aeMRFamHsaXCWbWLSTFR9vCSNUIEEN30dMraEZWFhrRT2LnbLwY9wdF4cWqSIWTjyYbE6pxGFlNC40jkbF%2F4vF4Avq%2B4B2J%2FfQhR0ycE15g%2BCNnT8ApscdBI0anpiDf3tzhQkEwKgZ2P6zUlb1zSR98Y6qGTA9ZKiO2Ar5zPScur7uWPzW7EqyGOeucGXhf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 2, "FileHash-SHA256": 1, "URL": 18, "domain": 6, "hostname": 17 }, "indicator_count": 47, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "30 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69cc545b9f835c0425c4312d", "name": "VirusTotal report\n for index.html", "description": "The Town of Cohasset, a search engine for malicious websites, has been published for the first time in its 3,000-year-old history, with the result of a report generated on 27 March 2026.", "modified": "2026-04-30T23:10:15.978000", "created": "2026-03-31T23:10:19.792000", "tags": [ "performs dns", "mitre attack", "network info", "processes extra", "t1055 process", "overview", "overview zenbox", "verdict", "guest system", "ultimate file", "phishing", "next" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/c977a561765c2861793b64324a98233900e8db2b4838c90c96b84012115a7f32_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1774998761&Signature=XCnGnUE%2Fzu8qpCGFqG5mHoDrdTbULz9ErAVvON9F2Y60XotlqnfLyUMFIAGU1aeMRFamHsaXCWbWLSTFR9vCSNUIEEN30dMraEZWFhrRT2LnbLwY9wdF4cWqSIWTjyYbE6pxGFlNC40jkbF%2F4vF4Avq%2B4B2J%2FfQhR0ycE15g%2BCNnT8ApscdBI0anpiDf3tzhQkEwKgZ2P6zUlb1zSR98Y6qGTA9ZKiO2Ar5zPScur7uWPzW7EqyGOeucGXhf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 12, "domain": 5, "hostname": 11 }, "indicator_count": 31, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "30 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69ca5f28a0b7445d29e0458c", "name": "VirusTotal report\n for index.html", "description": "Test / Recall Calendar Invitation", "modified": "2026-04-29T11:26:13.615000", "created": "2026-03-30T11:31:52.605000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 13, "domain": 4, "hostname": 8 }, "indicator_count": 28, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "32 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69c0b5d85b51fac0918c898d", "name": "VirusTotal report\n for index.html", "description": "", "modified": "2026-04-22T03:27:13.249000", "created": "2026-03-23T03:39:04.137000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "URL": 24, "domain": 8, "hostname": 16 }, "indicator_count": 54, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "39 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69a9c35548c480bb6e797c02", "name": "acdf0355a4d8db8075002c982e6c30a2149ae2a4762e157d08e977be36ef24b0", "description": "", "modified": "2026-04-04T17:31:40.283000", "created": "2026-03-05T17:54:29.653000", "tags": [ "utf8 unicode", "english text" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 70, "FileHash-SHA1": 70, "FileHash-SHA256": 283, "URL": 154, "domain": 222, "email": 4, "hostname": 99 }, "indicator_count": 902, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "56 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69a8fff72a02303057d559c9", "name": "http://paragonparkbook.wordpress.com/", "description": "another Ma expired cert and unsigned dnssec. Creation Date\t2000-03-03T04:13:23\nDnssec\tunsigned\nDomain Name\tWORDPRESS.COM\nDomain Name\twordpress.com\nEmails\tdomains@automattic.com.80 Title\t301 Moved Permanently\n80 Body\thtml head title 301 Moved Permanently /title /head body center h1 301 Moved Permanently /h1 /center hr center nginx /center /body /html\n80 Header\tHTTP/1.1 301 Moved Permanently Server: nginx Date: Thu 05 Mar 2026 03:55:19 GMT Content Type: text/html Content Length: 162 Connection: keep alive Location: https://paragonparkbook.wordpress.com/ Alt Svc: h3= :443 ma=86400 Server Timing: a8c cdn dc desc=sea cache desc=BYPASS dur=0.0\n443 Title\tThe History of Paragon Park When Summer Meant Everything: The Enduring Legacy of Paragon Park\n443 A Domains\tparagonparkbook.wordpress.com", "modified": "2026-04-04T05:18:12.440000", "created": "2026-03-05T04:00:55.226000", "tags": [ "certificate", "value", "a domains", "found a", "server", "gmt content", "length", "header http2", "arizona", "scottsdale" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 138, "domain": 377, "URL": 117, "hostname": 95, "FileHash-MD5": 144, "email": 3, "FileHash-SHA256": 1162 }, "indicator_count": 2036, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "57 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/00000722ff984d5cd9cd766d12c70eecc7a2ad7502999c5a99d582c79b92c1a6_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776020243&Signature=H1wTQxzrttgLCjJhjhriXYwMDCRB5ydjPUCYh9LS7Sqr42Y7WZzXZe0hC7YLFaTXYy2N3AsSr89gjIRZR80Jda4iLYyDlgohE9qQ3kFeKNZ%2FNp7IQu5FZY%2FpXRI7rsIlJnvlZmpbI006al7O0LQV5CrC797x%2FTp6jmAxmP5TS7NA%2BGfaDL14G7dIIeHtBoHxi7cbP%2Fe3qT1q3LcRk5oN%2FRV8TXEhpggMmbhYUEmK6ATwmwrh", "https://hybrid-analysis.com/sample/4e4fa68c1c4d2cfee133c31432dd303bb5746f7094b5a6832a25e47e6279171c", "https://vtbehaviour.commondatastorage.googleapis.com/fb43553d906781edd1ae894cf50d7735a1207fcad1123eb837d55eb4d448fed4_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775009023&Signature=PziYPmignr4yS1lhHo3FLsy%2B3wv6NV3HLbjKGJEMNVGQ9aD9FDW5NK9YX72ZvwWQuRF%2Btlid2IMM4%2FSbExMWxsHBCbZgbfKOPbTmlL18CN3TRx76z6G99I5R3PdJ22Af%2FxunZxS5jido7mF%2FfbGNwDC%2FCsiIAEzqUMOrSXJSl5nL8wRA1i6D%2FlUeL5y9QJrChIb8dpWja0nNAlwwrI7VYKsu75vAi%2Fb0cjTeplMhdUDufC3dilUscH", "https://vtbehaviour.commondatastorage.googleapis.com/3b145ee102848506dc7551758ee869b43a1753f06fabcbcf9ca574cb7843d60e_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776020136&Signature=H%2FVhg6NRizidJvYP4bRaC%2B%2Fuh8%2F0Z5Rd0CKbYgwrqTxA%2B2BloALbxPU70bhu3eDWE1sqvRizm6xer2MkUeNtxL9kjtBPDD7Vpxe6Oq6R6o22ZN5vWg%2BqZnbM3PVA3wfuJwZ1sZaO7gv79Bd4iyuD9687aMdFTrD5BJ%2Fbd2rKn063HRKOwRubgTuKJwxXlPjVI0ocAdDIvmmDac1rsWOYTbcHVCIKUVrpUCmnjpXsSag%2BZTA", "https://vtbehaviour.commondatastorage.googleapis.com/3aebd918df444e5261a70a7b9957a04b62899583cca94cb90078ee348988691e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776020086&Signature=vMuNzon2yUMc%2F5PXmshAS3lf0MVaReBDP3dcoOo82NLL71xjFa%2F0VIEFo55JjUmKlOHvhj6b0rJp8aIUUpsBDR%2FLZqmeDT44n0TYUkzfcIlLutGzkvs51q5mrJeeemJL6QT8bKwOFyLEXXO4SZPPduUilqL%2B1j79%2BDUni60qslB23F%2FgjYjG0edIuIfW6yq1yjBgsR34RyCGI5Lc8I%2FVLrF4ZjzIswsIHyhorBolKc7rKhoDz6masxaT", "https://vtbehaviour.commondatastorage.googleapis.com/3b145ee102848506dc7551758ee869b43a1753f06fabcbcf9ca574cb7843d60e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776019946&Signature=JcVZlsCApsz0O52G3FOi%2BaimamYfGaduCcu4UnDC9VmXvZgqZ7fDxGeCnZM9NPUhmq0561rZ8PRIqA52RiBX3KnC7vhJa9PFjro5MHPo48Ypu9wL0RVB7C0RmZ3osycpkpyxEhtxKbIBAhFSEeMaEF%2F1BQw5%2BiCzEgPRP4X89bIAzw2EDpi3ulfCz8hms3FgCvWD6JMXBGKQJt1aE58BlUPY7ZhwLtbK4kOd4wzZjtfRjMqcTIEH7E0l", "https://vtbehaviour.commondatastorage.googleapis.com/007b0aa19218de7fe7b47dc785b345e4e09f8c8a133c689dafc778cf793e3ce0_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776019916&Signature=xU%2B28g7ql0wStAL7V97bG%2Bu0WHtev4OIGz8U3iqDKd%2FVNVlrDQ3vuAEteGPtDDR7qOlLSsItJmNBqGgWLySJ6U0nGICmzJVo0byP8H6%2Fd3HprkIH74LXAL%2FamR8rSKAlS1VWW%2FnGofIVc0zLtQeJdz%2BAMpNC0WX4pzvsIv2uagnjpUxUyVUykArW18%2FIapRYlTQZ0g4MdrwH%2FZ7h%2F0u9jGUM6rAiCBz33EYObn4aNb", "https://vtbehaviour.commondatastorage.googleapis.com/005fdc2438f1b1e58ea5e4d9c396feea40ad8a4788e90da06ecea60c5a8d79c2_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776020323&Signature=Mogy01Itx6r1B%2BxNe8ittQgO%2FxZRRAb%2F9lJynhxwSVOzHX7CsWRLBNEGHRp0B9k%2Bg%2FHO2jb5K65QRLLPyqkoA45n8CsH6T5790n7E0fsbYtOvp04eV28khNlOt2b%2Feh0a3nwcC%2BNAmxEHgqzaCfQlHBqBjk2ErpfhlpC5uQJchq%2BBgGeuPcFc8YRy4RCmaBiaTeD2V%2FJD7lssTzQfnZhLNMSLqEISDCN7TYsfL1%2BJREl4wSO7C", "https://vtbehaviour.commondatastorage.googleapis.com/c977a561765c2861793b64324a98233900e8db2b4838c90c96b84012115a7f32_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1774998761&Signature=XCnGnUE%2Fzu8qpCGFqG5mHoDrdTbULz9ErAVvON9F2Y60XotlqnfLyUMFIAGU1aeMRFamHsaXCWbWLSTFR9vCSNUIEEN30dMraEZWFhrRT2LnbLwY9wdF4cWqSIWTjyYbE6pxGFlNC40jkbF%2F4vF4Avq%2B4B2J%2FfQhR0ycE15g%2BCNnT8ApscdBI0anpiDf3tzhQkEwKgZ2P6zUlb1zSR98Y6qGTA9ZKiO2Ar5zPScur7uWPzW7EqyGOeucGXhf" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 6290 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/azure.com", "whois": "http://whois.domaintools.com/azure.com", "domain": "azure.com", "hostname": "js.monitor.azure.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 14, "pulses": [ { "id": "69e940361a6e8be7e02ffe5d", "name": "URL_File_Delivery clone by octoseek", "description": "", "modified": "2026-05-22T23:04:42.859000", "created": "2026-04-22T21:40:06.671000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "64d9d1b920c9b43c1885b2e4", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1644, "domain": 386, "hostname": 535, "FileHash-SHA256": 609, "email": 5, "URI": 9, "FilePath": 1, "FileHash-SHA1": 8, "FileHash-MD5": 24 }, "indicator_count": 3221, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "8 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a03cc521e13c5d6d34555d0", "name": "Judgement Day. VirusTotal report for index.html", "description": "[Apple.com has sent a series of \"fl flushMessages\" to its servers, but what exactly is the data and what is it going to get out of the system and how does it feel?]", "modified": "2026-05-15T10:22:00.139000", "created": "2026-05-13T00:56:50.182000", "tags": [ "darwin kernel", "version", "wed feb", "apfs4kobjs", "instagram", "mosaic", "free", "get http", "dns resolutions", "ip traffic", "pattern domains", "memory pattern", "urls https", "tls sni", "algorithm", "key identifier", "x509v3 subject", "v3 serial", "number", "cus olet", "encrypt cnr13", "validity", "subject public", "key info", "performs dns", "https", "urls", "united", "mitre attack", "network info", "processes extra", "t1055 process", "layer protocol", "overview", "phishing", "defense evasion", "next", "default", "parent pid", "full path", "command line", "k netsvcs", "k localservice", "s w32time", "event provider", "device", "registry keys" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 132, "FileHash-MD5": 43, "FileHash-SHA1": 6, "hostname": 364, "IPv4": 75, "URL": 574, "Mutex": 1, "FileHash-SHA256": 404 }, "indicator_count": 1599, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "16 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69dbeabd47b6e788ecf7fc32", "name": "CAPE Sandbox", "description": "A full report on Google Tag Manager for GA4, available to download on the web at any time, here is the full set of key points and key details for the report: .", "modified": "2026-05-12T18:44:07.582000", "created": "2026-04-12T18:55:57.872000", "tags": [ "default", "typelib", "parent pid", "full path", "command line", "inprocserver32", "accept", "shell folders", "host", "cname", "install", "agent", "shutdown", "win64", "back", "info", "file type", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "text", "json", "in a", "estonia", "body", "performs dns", "https", "mitre attack", "network info", "processes extra", "t1055 process", "layer protocol", "overview", "overview zenbox", "verdict", "phishing", "next", "xffxf0 xffxf0", "xffxee xffxee", "xffxef xffxef", "xffxeb xffxeb", "px9d", "xe4x84", "fxf8", "x94 x94", "xc1 xc1", "xffxf1 xffxf1", "urls", "has permission", "united", "sim provider", "may check", "tls version", "persistence", "pe file", "pe32", "intel", "ms windows", "sample", "spawns", "found", "drops pe", "sandbox", "malware", "analysis", "online", "submit", "vxstream", "download", "trojan", "apt", "hybrid analysis", "api key", "vetting process", "please note", "please" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/007b0aa19218de7fe7b47dc785b345e4e09f8c8a133c689dafc778cf793e3ce0_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776019916&Signature=xU%2B28g7ql0wStAL7V97bG%2Bu0WHtev4OIGz8U3iqDKd%2FVNVlrDQ3vuAEteGPtDDR7qOlLSsItJmNBqGgWLySJ6U0nGICmzJVo0byP8H6%2Fd3HprkIH74LXAL%2FamR8rSKAlS1VWW%2FnGofIVc0zLtQeJdz%2BAMpNC0WX4pzvsIv2uagnjpUxUyVUykArW18%2FIapRYlTQZ0g4MdrwH%2FZ7h%2F0u9jGUM6rAiCBz33EYObn4aNb", "https://vtbehaviour.commondatastorage.googleapis.com/3b145ee102848506dc7551758ee869b43a1753f06fabcbcf9ca574cb7843d60e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776019946&Signature=JcVZlsCApsz0O52G3FOi%2BaimamYfGaduCcu4UnDC9VmXvZgqZ7fDxGeCnZM9NPUhmq0561rZ8PRIqA52RiBX3KnC7vhJa9PFjro5MHPo48Ypu9wL0RVB7C0RmZ3osycpkpyxEhtxKbIBAhFSEeMaEF%2F1BQw5%2BiCzEgPRP4X89bIAzw2EDpi3ulfCz8hms3FgCvWD6JMXBGKQJt1aE58BlUPY7ZhwLtbK4kOd4wzZjtfRjMqcTIEH7E0l", "https://vtbehaviour.commondatastorage.googleapis.com/3aebd918df444e5261a70a7b9957a04b62899583cca94cb90078ee348988691e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776020086&Signature=vMuNzon2yUMc%2F5PXmshAS3lf0MVaReBDP3dcoOo82NLL71xjFa%2F0VIEFo55JjUmKlOHvhj6b0rJp8aIUUpsBDR%2FLZqmeDT44n0TYUkzfcIlLutGzkvs51q5mrJeeemJL6QT8bKwOFyLEXXO4SZPPduUilqL%2B1j79%2BDUni60qslB23F%2FgjYjG0edIuIfW6yq1yjBgsR34RyCGI5Lc8I%2FVLrF4ZjzIswsIHyhorBolKc7rKhoDz6masxaT", "https://vtbehaviour.commondatastorage.googleapis.com/3b145ee102848506dc7551758ee869b43a1753f06fabcbcf9ca574cb7843d60e_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776020136&Signature=H%2FVhg6NRizidJvYP4bRaC%2B%2Fuh8%2F0Z5Rd0CKbYgwrqTxA%2B2BloALbxPU70bhu3eDWE1sqvRizm6xer2MkUeNtxL9kjtBPDD7Vpxe6Oq6R6o22ZN5vWg%2BqZnbM3PVA3wfuJwZ1sZaO7gv79Bd4iyuD9687aMdFTrD5BJ%2Fbd2rKn063HRKOwRubgTuKJwxXlPjVI0ocAdDIvmmDac1rsWOYTbcHVCIKUVrpUCmnjpXsSag%2BZTA", "https://vtbehaviour.commondatastorage.googleapis.com/00000722ff984d5cd9cd766d12c70eecc7a2ad7502999c5a99d582c79b92c1a6_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776020243&Signature=H1wTQxzrttgLCjJhjhriXYwMDCRB5ydjPUCYh9LS7Sqr42Y7WZzXZe0hC7YLFaTXYy2N3AsSr89gjIRZR80Jda4iLYyDlgohE9qQ3kFeKNZ%2FNp7IQu5FZY%2FpXRI7rsIlJnvlZmpbI006al7O0LQV5CrC797x%2FTp6jmAxmP5TS7NA%2BGfaDL14G7dIIeHtBoHxi7cbP%2Fe3qT1q3LcRk5oN%2FRV8TXEhpggMmbhYUEmK6ATwmwrh", "https://vtbehaviour.commondatastorage.googleapis.com/005fdc2438f1b1e58ea5e4d9c396feea40ad8a4788e90da06ecea60c5a8d79c2_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776020323&Signature=Mogy01Itx6r1B%2BxNe8ittQgO%2FxZRRAb%2F9lJynhxwSVOzHX7CsWRLBNEGHRp0B9k%2Bg%2FHO2jb5K65QRLLPyqkoA45n8CsH6T5790n7E0fsbYtOvp04eV28khNlOt2b%2Feh0a3nwcC%2BNAmxEHgqzaCfQlHBqBjk2ErpfhlpC5uQJchq%2BBgGeuPcFc8YRy4RCmaBiaTeD2V%2FJD7lssTzQfnZhLNMSLqEISDCN7TYsfL1%2BJREl4wSO7C", "https://hybrid-analysis.com/sample/4e4fa68c1c4d2cfee133c31432dd303bb5746f7094b5a6832a25e47e6279171c" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1409", "name": "Access Stored Application Data", "display_name": "T1409 - Access Stored Application Data" }, { "id": "T1418", "name": "Application Discovery", "display_name": "T1418 - Application Discovery" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1422", "name": "System Network Configuration Discovery", "display_name": "T1422 - System Network Configuration Discovery" }, { "id": "T1424", "name": "Process Discovery", "display_name": "T1424 - Process Discovery" }, { "id": "T1426", "name": "System Information Discovery", "display_name": "T1426 - System Information Discovery" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 302, "FileHash-SHA1": 71, "FileHash-SHA256": 78, "URL": 181, "domain": 34, "hostname": 237 }, "indicator_count": 903, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "18 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69dbeabe5c5690d468b08e7a", "name": "CAPE Sandbox", "description": "A full report on Google Tag Manager for GA4, available to download on the web at any time, here is the full set of key points and key details for the report: .", "modified": "2026-05-12T18:44:07.582000", "created": "2026-04-12T18:55:58.319000", "tags": [ "default", "typelib", "parent pid", "full path", "command line", "inprocserver32", "accept", "shell folders", "host", "cname", "install", "agent", "shutdown", "win64", "back", "info", "file type", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "text", "json", "in a", "estonia", "body", "performs dns", "https", "mitre attack", "network info", "processes extra", "t1055 process", "layer protocol", "overview", "overview zenbox", "verdict", "phishing", "next", "xffxf0 xffxf0", "xffxee xffxee", "xffxef xffxef", "xffxeb xffxeb", "px9d", "xe4x84", "fxf8", "x94 x94", "xc1 xc1", "xffxf1 xffxf1", "urls", "has permission", "united", "sim provider", "may check", "tls version", "persistence", "pe file", "pe32", "intel", "ms windows", "sample", "spawns", "found", "drops pe", "sandbox", "malware", "analysis", "online", "submit", "vxstream", "download", "trojan", "apt", "hybrid analysis", "api key", "vetting process", "please note", "please" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/007b0aa19218de7fe7b47dc785b345e4e09f8c8a133c689dafc778cf793e3ce0_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776019916&Signature=xU%2B28g7ql0wStAL7V97bG%2Bu0WHtev4OIGz8U3iqDKd%2FVNVlrDQ3vuAEteGPtDDR7qOlLSsItJmNBqGgWLySJ6U0nGICmzJVo0byP8H6%2Fd3HprkIH74LXAL%2FamR8rSKAlS1VWW%2FnGofIVc0zLtQeJdz%2BAMpNC0WX4pzvsIv2uagnjpUxUyVUykArW18%2FIapRYlTQZ0g4MdrwH%2FZ7h%2F0u9jGUM6rAiCBz33EYObn4aNb", "https://vtbehaviour.commondatastorage.googleapis.com/3b145ee102848506dc7551758ee869b43a1753f06fabcbcf9ca574cb7843d60e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776019946&Signature=JcVZlsCApsz0O52G3FOi%2BaimamYfGaduCcu4UnDC9VmXvZgqZ7fDxGeCnZM9NPUhmq0561rZ8PRIqA52RiBX3KnC7vhJa9PFjro5MHPo48Ypu9wL0RVB7C0RmZ3osycpkpyxEhtxKbIBAhFSEeMaEF%2F1BQw5%2BiCzEgPRP4X89bIAzw2EDpi3ulfCz8hms3FgCvWD6JMXBGKQJt1aE58BlUPY7ZhwLtbK4kOd4wzZjtfRjMqcTIEH7E0l", "https://vtbehaviour.commondatastorage.googleapis.com/3aebd918df444e5261a70a7b9957a04b62899583cca94cb90078ee348988691e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776020086&Signature=vMuNzon2yUMc%2F5PXmshAS3lf0MVaReBDP3dcoOo82NLL71xjFa%2F0VIEFo55JjUmKlOHvhj6b0rJp8aIUUpsBDR%2FLZqmeDT44n0TYUkzfcIlLutGzkvs51q5mrJeeemJL6QT8bKwOFyLEXXO4SZPPduUilqL%2B1j79%2BDUni60qslB23F%2FgjYjG0edIuIfW6yq1yjBgsR34RyCGI5Lc8I%2FVLrF4ZjzIswsIHyhorBolKc7rKhoDz6masxaT", "https://vtbehaviour.commondatastorage.googleapis.com/3b145ee102848506dc7551758ee869b43a1753f06fabcbcf9ca574cb7843d60e_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776020136&Signature=H%2FVhg6NRizidJvYP4bRaC%2B%2Fuh8%2F0Z5Rd0CKbYgwrqTxA%2B2BloALbxPU70bhu3eDWE1sqvRizm6xer2MkUeNtxL9kjtBPDD7Vpxe6Oq6R6o22ZN5vWg%2BqZnbM3PVA3wfuJwZ1sZaO7gv79Bd4iyuD9687aMdFTrD5BJ%2Fbd2rKn063HRKOwRubgTuKJwxXlPjVI0ocAdDIvmmDac1rsWOYTbcHVCIKUVrpUCmnjpXsSag%2BZTA", "https://vtbehaviour.commondatastorage.googleapis.com/00000722ff984d5cd9cd766d12c70eecc7a2ad7502999c5a99d582c79b92c1a6_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776020243&Signature=H1wTQxzrttgLCjJhjhriXYwMDCRB5ydjPUCYh9LS7Sqr42Y7WZzXZe0hC7YLFaTXYy2N3AsSr89gjIRZR80Jda4iLYyDlgohE9qQ3kFeKNZ%2FNp7IQu5FZY%2FpXRI7rsIlJnvlZmpbI006al7O0LQV5CrC797x%2FTp6jmAxmP5TS7NA%2BGfaDL14G7dIIeHtBoHxi7cbP%2Fe3qT1q3LcRk5oN%2FRV8TXEhpggMmbhYUEmK6ATwmwrh", "https://vtbehaviour.commondatastorage.googleapis.com/005fdc2438f1b1e58ea5e4d9c396feea40ad8a4788e90da06ecea60c5a8d79c2_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776020323&Signature=Mogy01Itx6r1B%2BxNe8ittQgO%2FxZRRAb%2F9lJynhxwSVOzHX7CsWRLBNEGHRp0B9k%2Bg%2FHO2jb5K65QRLLPyqkoA45n8CsH6T5790n7E0fsbYtOvp04eV28khNlOt2b%2Feh0a3nwcC%2BNAmxEHgqzaCfQlHBqBjk2ErpfhlpC5uQJchq%2BBgGeuPcFc8YRy4RCmaBiaTeD2V%2FJD7lssTzQfnZhLNMSLqEISDCN7TYsfL1%2BJREl4wSO7C", "https://hybrid-analysis.com/sample/4e4fa68c1c4d2cfee133c31432dd303bb5746f7094b5a6832a25e47e6279171c" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1409", "name": "Access Stored Application Data", "display_name": "T1409 - Access Stored Application Data" }, { "id": "T1418", "name": "Application Discovery", "display_name": "T1418 - Application Discovery" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1422", "name": "System Network Configuration Discovery", "display_name": "T1422 - System Network Configuration Discovery" }, { "id": "T1424", "name": "Process Discovery", "display_name": "T1424 - Process Discovery" }, { "id": "T1426", "name": "System Information Discovery", "display_name": "T1426 - System Information Discovery" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 302, "FileHash-SHA1": 71, "FileHash-SHA256": 78, "URL": 181, "domain": 34, "hostname": 237 }, "indicator_count": 903, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "18 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69dbeabf8e4208f8af8b744d", "name": "CAPE Sandbox", "description": "A full report on Google Tag Manager for GA4, available to download on the web at any time, here is the full set of key points and key details for the report: .", "modified": "2026-05-12T18:44:07.582000", "created": "2026-04-12T18:55:59.161000", "tags": [ "default", "typelib", "parent pid", "full path", "command line", "inprocserver32", "accept", "shell folders", "host", "cname", "install", "agent", "shutdown", "win64", "back", "info", "file type", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "text", "json", "in a", "estonia", "body", "performs dns", "https", "mitre attack", "network info", "processes extra", "t1055 process", "layer protocol", "overview", "overview zenbox", "verdict", "phishing", "next", "xffxf0 xffxf0", "xffxee xffxee", "xffxef xffxef", "xffxeb xffxeb", "px9d", "xe4x84", "fxf8", "x94 x94", "xc1 xc1", "xffxf1 xffxf1", "urls", "has permission", "united", "sim provider", "may check", "tls version", "persistence", "pe file", "pe32", "intel", "ms windows", "sample", "spawns", "found", "drops pe", "sandbox", "malware", "analysis", "online", "submit", "vxstream", "download", "trojan", "apt", "hybrid analysis", "api key", "vetting process", "please note", "please" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/007b0aa19218de7fe7b47dc785b345e4e09f8c8a133c689dafc778cf793e3ce0_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776019916&Signature=xU%2B28g7ql0wStAL7V97bG%2Bu0WHtev4OIGz8U3iqDKd%2FVNVlrDQ3vuAEteGPtDDR7qOlLSsItJmNBqGgWLySJ6U0nGICmzJVo0byP8H6%2Fd3HprkIH74LXAL%2FamR8rSKAlS1VWW%2FnGofIVc0zLtQeJdz%2BAMpNC0WX4pzvsIv2uagnjpUxUyVUykArW18%2FIapRYlTQZ0g4MdrwH%2FZ7h%2F0u9jGUM6rAiCBz33EYObn4aNb", "https://vtbehaviour.commondatastorage.googleapis.com/3b145ee102848506dc7551758ee869b43a1753f06fabcbcf9ca574cb7843d60e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776019946&Signature=JcVZlsCApsz0O52G3FOi%2BaimamYfGaduCcu4UnDC9VmXvZgqZ7fDxGeCnZM9NPUhmq0561rZ8PRIqA52RiBX3KnC7vhJa9PFjro5MHPo48Ypu9wL0RVB7C0RmZ3osycpkpyxEhtxKbIBAhFSEeMaEF%2F1BQw5%2BiCzEgPRP4X89bIAzw2EDpi3ulfCz8hms3FgCvWD6JMXBGKQJt1aE58BlUPY7ZhwLtbK4kOd4wzZjtfRjMqcTIEH7E0l", "https://vtbehaviour.commondatastorage.googleapis.com/3aebd918df444e5261a70a7b9957a04b62899583cca94cb90078ee348988691e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776020086&Signature=vMuNzon2yUMc%2F5PXmshAS3lf0MVaReBDP3dcoOo82NLL71xjFa%2F0VIEFo55JjUmKlOHvhj6b0rJp8aIUUpsBDR%2FLZqmeDT44n0TYUkzfcIlLutGzkvs51q5mrJeeemJL6QT8bKwOFyLEXXO4SZPPduUilqL%2B1j79%2BDUni60qslB23F%2FgjYjG0edIuIfW6yq1yjBgsR34RyCGI5Lc8I%2FVLrF4ZjzIswsIHyhorBolKc7rKhoDz6masxaT", "https://vtbehaviour.commondatastorage.googleapis.com/3b145ee102848506dc7551758ee869b43a1753f06fabcbcf9ca574cb7843d60e_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776020136&Signature=H%2FVhg6NRizidJvYP4bRaC%2B%2Fuh8%2F0Z5Rd0CKbYgwrqTxA%2B2BloALbxPU70bhu3eDWE1sqvRizm6xer2MkUeNtxL9kjtBPDD7Vpxe6Oq6R6o22ZN5vWg%2BqZnbM3PVA3wfuJwZ1sZaO7gv79Bd4iyuD9687aMdFTrD5BJ%2Fbd2rKn063HRKOwRubgTuKJwxXlPjVI0ocAdDIvmmDac1rsWOYTbcHVCIKUVrpUCmnjpXsSag%2BZTA", "https://vtbehaviour.commondatastorage.googleapis.com/00000722ff984d5cd9cd766d12c70eecc7a2ad7502999c5a99d582c79b92c1a6_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776020243&Signature=H1wTQxzrttgLCjJhjhriXYwMDCRB5ydjPUCYh9LS7Sqr42Y7WZzXZe0hC7YLFaTXYy2N3AsSr89gjIRZR80Jda4iLYyDlgohE9qQ3kFeKNZ%2FNp7IQu5FZY%2FpXRI7rsIlJnvlZmpbI006al7O0LQV5CrC797x%2FTp6jmAxmP5TS7NA%2BGfaDL14G7dIIeHtBoHxi7cbP%2Fe3qT1q3LcRk5oN%2FRV8TXEhpggMmbhYUEmK6ATwmwrh", "https://vtbehaviour.commondatastorage.googleapis.com/005fdc2438f1b1e58ea5e4d9c396feea40ad8a4788e90da06ecea60c5a8d79c2_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776020323&Signature=Mogy01Itx6r1B%2BxNe8ittQgO%2FxZRRAb%2F9lJynhxwSVOzHX7CsWRLBNEGHRp0B9k%2Bg%2FHO2jb5K65QRLLPyqkoA45n8CsH6T5790n7E0fsbYtOvp04eV28khNlOt2b%2Feh0a3nwcC%2BNAmxEHgqzaCfQlHBqBjk2ErpfhlpC5uQJchq%2BBgGeuPcFc8YRy4RCmaBiaTeD2V%2FJD7lssTzQfnZhLNMSLqEISDCN7TYsfL1%2BJREl4wSO7C", "https://hybrid-analysis.com/sample/4e4fa68c1c4d2cfee133c31432dd303bb5746f7094b5a6832a25e47e6279171c" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1409", "name": "Access Stored Application Data", "display_name": "T1409 - Access Stored Application Data" }, { "id": "T1418", "name": "Application Discovery", "display_name": "T1418 - Application Discovery" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1422", "name": "System Network Configuration Discovery", "display_name": "T1422 - System Network Configuration Discovery" }, { "id": "T1424", "name": "Process Discovery", "display_name": "T1424 - Process Discovery" }, { "id": "T1426", "name": "System Information Discovery", "display_name": "T1426 - System Information Discovery" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 302, "FileHash-SHA1": 71, "FileHash-SHA256": 78, "URL": 181, "domain": 34, "hostname": 237 }, "indicator_count": 903, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "18 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69faf0e7e922f6018d039d15", "name": "CAPE Sandbox - Aurora like Flo.", "description": "[This research pulse identifies a file exhibiting high-frequency network activity with minimal local file system impact. The sample bypasses common detection signatures, relying on encrypted communications and rapid DNS resolution to establish external connections.Technical Analysis & MITRE ATT&CKCommand and Control (T1071.001): The sample utilizes standard Web Protocols (HTTP/DNS) for external communication.Reconnaissance (T1589): High volume of unique IP connections (17) and DNS queries (6) suggests automated environmental scanning or identity gathering.Protocol Obfuscation: The presence of 11 unique JA3 fingerprints indicates a sophisticated rotating encryption strategy for SSL/TLS traffic to evade traditional network inspection.Indicators of Compromise (IoCs)File Hash (SHA-256): df8f1674d7034cb48fcd0651304833febfcaf1814c8294839246e9db1d269b1dNetwork Activity with Nextron:HTTP Requests: 5DNS Queries: 6Unique IP Connections: 17Encrypted Traffic: 11 JA3 SSL/TLS fingerprints observed.", "modified": "2026-05-06T10:50:46.591000", "created": "2026-05-06T07:42:31.304000", "tags": [ "html internet", "html document", "ascii text", "code", "date", "icann whois", "server", "registrar abuse", "whois status", "notice", "dnssec", "registrant name", "tech email", "form", "tech", "handle", "address range", "cidr", "network name", "allocation type", "allocated pa", "status", "whois server", "entity scipmnt", "nextron", "show", "read", "t series", "textron", "europe", "nextron product", "brands", "transportation", "taiwan" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 151, "hostname": 232, "domain": 98, "FileHash-MD5": 50, "FileHash-SHA1": 6, "FileHash-SHA256": 32, "IPv4": 44, "email": 1, "CIDR": 2, "CVE": 1 }, "indicator_count": 617, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "25 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69faf0e688402e4e3ab85930", "name": "CAPE Sandbox - Aurora like Flo.", "description": "[This research pulse identifies a file exhibiting high-frequency network activity with minimal local file system impact. The sample bypasses common detection signatures, relying on encrypted communications and rapid DNS resolution to establish external connections.Technical Analysis & MITRE ATT&CKCommand and Control (T1071.001): The sample utilizes standard Web Protocols (HTTP/DNS) for external communication.Reconnaissance (T1589): High volume of unique IP connections (17) and DNS queries (6) suggests automated environmental scanning or identity gathering.Protocol Obfuscation: The presence of 11 unique JA3 fingerprints indicates a sophisticated rotating encryption strategy for SSL/TLS traffic to evade traditional network inspection.Indicators of Compromise (IoCs)File Hash (SHA-256): df8f1674d7034cb48fcd0651304833febfcaf1814c8294839246e9db1d269b1dNetwork Activity with Nextron:HTTP Requests: 5DNS Queries: 6Unique IP Connections: 17Encrypted Traffic: 11 JA3 SSL/TLS fingerprints observed.", "modified": "2026-05-06T10:50:46.337000", "created": "2026-05-06T07:42:30.565000", "tags": [ "html internet", "html document", "ascii text", "code", "date", "icann whois", "server", "registrar abuse", "whois status", "notice", "dnssec", "registrant name", "tech email", "form", "tech", "handle", "address range", "cidr", "network name", "allocation type", "allocated pa", "status", "whois server", "entity scipmnt", "nextron", "show", "read", "t series", "textron", "europe", "nextron product", "brands", "transportation", "taiwan" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 88, "hostname": 185, "domain": 62, "FileHash-MD5": 16, "FileHash-SHA1": 4, "FileHash-SHA256": 17, "IPv4": 32, "email": 1, "CIDR": 2, "CVE": 1 }, "indicator_count": 408, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "25 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69cc7c56a6de2ada64f680a3", "name": "VirusTotal report\n for index.html", "description": "A full report on an attack on the Windows operating system: Google Tag Manager for GA4, a search engine for web addresses, and the results of an investigation into a malicious web address. https://www.virustotal.com/gui/file/fb43553d906781edd1ae894cf50d7735a1207fcad1123eb837d55eb4d448fed4/behavior", "modified": "2026-05-01T02:13:09.867000", "created": "2026-04-01T02:00:54.253000", "tags": [ "performs dns", "file type", "https", "united", "urls", "unix", "cache entry", "tls version", "mitre attack", "network info", "phishing", "next" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/fb43553d906781edd1ae894cf50d7735a1207fcad1123eb837d55eb4d448fed4_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775009023&Signature=PziYPmignr4yS1lhHo3FLsy%2B3wv6NV3HLbjKGJEMNVGQ9aD9FDW5NK9YX72ZvwWQuRF%2Btlid2IMM4%2FSbExMWxsHBCbZgbfKOPbTmlL18CN3TRx76z6G99I5R3PdJ22Af%2FxunZxS5jido7mF%2FfbGNwDC%2FCsiIAEzqUMOrSXJSl5nL8wRA1i6D%2FlUeL5y9QJrChIb8dpWja0nNAlwwrI7VYKsu75vAi%2Fb0cjTeplMhdUDufC3dilUscH" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 12, "URL": 62, "domain": 12, "hostname": 56 }, "indicator_count": 146, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "30 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69cc545090c369b8067ecca7", "name": "VirusTotal report\n for index.html", "description": "The Town of Cohasset, a search engine for malicious websites, has been published for the first time in its 3,000-year-old history, with the result of a report generated on 27 March 2026.", "modified": "2026-04-30T23:10:15.978000", "created": "2026-03-31T23:10:08.836000", "tags": [ "performs dns", "mitre attack", "network info", "processes extra", "t1055 process", "overview", "overview zenbox", "verdict", "guest system", "ultimate file", "phishing", "next" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/c977a561765c2861793b64324a98233900e8db2b4838c90c96b84012115a7f32_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1774998761&Signature=XCnGnUE%2Fzu8qpCGFqG5mHoDrdTbULz9ErAVvON9F2Y60XotlqnfLyUMFIAGU1aeMRFamHsaXCWbWLSTFR9vCSNUIEEN30dMraEZWFhrRT2LnbLwY9wdF4cWqSIWTjyYbE6pxGFlNC40jkbF%2F4vF4Avq%2B4B2J%2FfQhR0ycE15g%2BCNnT8ApscdBI0anpiDf3tzhQkEwKgZ2P6zUlb1zSR98Y6qGTA9ZKiO2Ar5zPScur7uWPzW7EqyGOeucGXhf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 2, "FileHash-SHA256": 1, "URL": 18, "domain": 6, "hostname": 17 }, "indicator_count": 47, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "30 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69cc545b9f835c0425c4312d", "name": "VirusTotal report\n for index.html", "description": "The Town of Cohasset, a search engine for malicious websites, has been published for the first time in its 3,000-year-old history, with the result of a report generated on 27 March 2026.", "modified": "2026-04-30T23:10:15.978000", "created": "2026-03-31T23:10:19.792000", "tags": [ "performs dns", "mitre attack", "network info", "processes extra", "t1055 process", "overview", "overview zenbox", "verdict", "guest system", "ultimate file", "phishing", "next" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/c977a561765c2861793b64324a98233900e8db2b4838c90c96b84012115a7f32_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1774998761&Signature=XCnGnUE%2Fzu8qpCGFqG5mHoDrdTbULz9ErAVvON9F2Y60XotlqnfLyUMFIAGU1aeMRFamHsaXCWbWLSTFR9vCSNUIEEN30dMraEZWFhrRT2LnbLwY9wdF4cWqSIWTjyYbE6pxGFlNC40jkbF%2F4vF4Avq%2B4B2J%2FfQhR0ycE15g%2BCNnT8ApscdBI0anpiDf3tzhQkEwKgZ2P6zUlb1zSR98Y6qGTA9ZKiO2Ar5zPScur7uWPzW7EqyGOeucGXhf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 12, "domain": 5, "hostname": 11 }, "indicator_count": 31, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "30 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://js.monitor.azure.com/scripts/a/ai.0.js", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://js.monitor.azure.com/scripts/a/ai.0.js", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780236623.7650433 }