{
  "type": "URL",
  "indicator": "https://permiteyes.us/cohasset/loginuser.php",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://permiteyes.us/cohasset/loginuser.php",
    "type": "url",
    "type_title": "URL",
    "validation": [],
    "base_indicator": {
      "id": 4276980699,
      "indicator": "https://permiteyes.us/cohasset/loginuser.php",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 16,
      "pulses": [
        {
          "id": "69f3dd29978345cc0033cdec",
          "name": "CAPE Sandbox - powershell unsigned trust bypass affects arpa and msedge update",
          "description": "File is not signed-Microsoft Corporation. All rights reserved.\nProduct\nMicrosoft\u00ae Windows\u00ae Operating System\nDescription\nWindows PowerShell\nOriginal Name\nPowerShell.EXE\nInternal Name\nPOWERSHELL\nFile Version\n10.0.19041.546 (WinBuild.160101.0800)\nrefer to belasco chain or broken seal\nclient does not have windows",
          "modified": "2026-05-31T01:02:14",
          "created": "2026-04-30T22:52:25.691000",
          "tags": [
            "31community",
            "35business",
            "cid1",
            "youtube https",
            "cohasset",
            "meta tags",
            "home category0",
            "home themecolor",
            "script tags"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1010",
              "name": "Application Window Discovery",
              "display_name": "T1010 - Application Window Discovery"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1014",
              "name": "Rootkit",
              "display_name": "T1014 - Rootkit"
            },
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            },
            {
              "id": "T1203",
              "name": "Exploitation for Client Execution",
              "display_name": "T1203 - Exploitation for Client Execution"
            },
            {
              "id": "T1485",
              "name": "Data Destruction",
              "display_name": "T1485 - Data Destruction"
            },
            {
              "id": "T1496",
              "name": "Resource Hijacking",
              "display_name": "T1496 - Resource Hijacking"
            },
            {
              "id": "T1542",
              "name": "Pre-OS Boot",
              "display_name": "T1542 - Pre-OS Boot"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 718,
            "FileHash-SHA1": 428,
            "FileHash-SHA256": 1579,
            "URL": 720,
            "hostname": 612,
            "domain": 210,
            "email": 4
          },
          "indicator_count": 4271,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "10 hours ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69f3dd24843020a4ba674665",
          "name": "CAPE Sandbox - powershell unsigned trust bypass affects arpa and msedge update",
          "description": "File is not signed-Microsoft Corporation. All rights reserved.\nProduct\nMicrosoft\u00ae Windows\u00ae Operating System\nDescription\nWindows PowerShell\nOriginal Name\nPowerShell.EXE\nInternal Name\nPOWERSHELL\nFile Version\n10.0.19041.546 (WinBuild.160101.0800)\nrefer to belasco chain or broken seal\nclient does not have windows",
          "modified": "2026-05-30T23:01:01.821000",
          "created": "2026-04-30T22:52:20.006000",
          "tags": [
            "31community",
            "35business",
            "cid1",
            "youtube https",
            "cohasset",
            "meta tags",
            "home category0",
            "home themecolor",
            "script tags"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1010",
              "name": "Application Window Discovery",
              "display_name": "T1010 - Application Window Discovery"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1014",
              "name": "Rootkit",
              "display_name": "T1014 - Rootkit"
            },
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            },
            {
              "id": "T1203",
              "name": "Exploitation for Client Execution",
              "display_name": "T1203 - Exploitation for Client Execution"
            },
            {
              "id": "T1485",
              "name": "Data Destruction",
              "display_name": "T1485 - Data Destruction"
            },
            {
              "id": "T1496",
              "name": "Resource Hijacking",
              "display_name": "T1496 - Resource Hijacking"
            },
            {
              "id": "T1542",
              "name": "Pre-OS Boot",
              "display_name": "T1542 - Pre-OS Boot"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 292,
            "FileHash-SHA1": 262,
            "FileHash-SHA256": 1179,
            "URL": 68,
            "hostname": 237,
            "domain": 16
          },
          "indicator_count": 2054,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "12 hours ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69f3dd264e217e3724abedd7",
          "name": "CAPE Sandbox - powershell unsigned trust bypass affects arpa and msedge update",
          "description": "File is not signed-Microsoft Corporation. All rights reserved.\nProduct\nMicrosoft\u00ae Windows\u00ae Operating System\nDescription\nWindows PowerShell\nOriginal Name\nPowerShell.EXE\nInternal Name\nPOWERSHELL\nFile Version\n10.0.19041.546 (WinBuild.160101.0800)\nrefer to belasco chain or broken seal\nclient does not have windows included is others windows [exe] that appear to have a false flag origin with US wordpress roots.",
          "modified": "2026-05-30T23:01:01.821000",
          "created": "2026-04-30T22:52:22.813000",
          "tags": [
            "31community",
            "35business",
            "cid1",
            "youtube https",
            "cohasset",
            "meta tags",
            "home category0",
            "home themecolor",
            "script tags"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1010",
              "name": "Application Window Discovery",
              "display_name": "T1010 - Application Window Discovery"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1014",
              "name": "Rootkit",
              "display_name": "T1014 - Rootkit"
            },
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            },
            {
              "id": "T1203",
              "name": "Exploitation for Client Execution",
              "display_name": "T1203 - Exploitation for Client Execution"
            },
            {
              "id": "T1485",
              "name": "Data Destruction",
              "display_name": "T1485 - Data Destruction"
            },
            {
              "id": "T1496",
              "name": "Resource Hijacking",
              "display_name": "T1496 - Resource Hijacking"
            },
            {
              "id": "T1542",
              "name": "Pre-OS Boot",
              "display_name": "T1542 - Pre-OS Boot"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 1,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 237,
            "FileHash-SHA1": 226,
            "FileHash-SHA256": 940,
            "URL": 213,
            "hostname": 197,
            "domain": 139
          },
          "indicator_count": 1952,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "12 hours ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69e940361a6e8be7e02ffe5d",
          "name": "URL_File_Delivery clone by octoseek",
          "description": "",
          "modified": "2026-05-22T23:04:42.859000",
          "created": "2026-04-22T21:40:06.671000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": "64d9d1b920c9b43c1885b2e4",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 1644,
            "domain": 386,
            "hostname": 535,
            "FileHash-SHA256": 609,
            "email": 5,
            "URI": 9,
            "FilePath": 1,
            "FileHash-SHA1": 8,
            "FileHash-MD5": 24
          },
          "indicator_count": 3221,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 68,
          "modified_text": "8 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6a03cc521e13c5d6d34555d0",
          "name": "Judgement Day. VirusTotal report                    for index.html",
          "description": "[Apple.com has sent a series of \"fl flushMessages\" to its servers, but what exactly is the data and what is it going to get out of the system and how does it feel?]",
          "modified": "2026-05-15T10:22:00.139000",
          "created": "2026-05-13T00:56:50.182000",
          "tags": [
            "darwin kernel",
            "version",
            "wed feb",
            "apfs4kobjs",
            "instagram",
            "mosaic",
            "free",
            "get http",
            "dns resolutions",
            "ip traffic",
            "pattern domains",
            "memory pattern",
            "urls https",
            "tls sni",
            "algorithm",
            "key identifier",
            "x509v3 subject",
            "v3 serial",
            "number",
            "cus olet",
            "encrypt cnr13",
            "validity",
            "subject public",
            "key info",
            "performs dns",
            "https",
            "urls",
            "united",
            "mitre attack",
            "network info",
            "processes extra",
            "t1055 process",
            "layer protocol",
            "overview",
            "phishing",
            "defense evasion",
            "next",
            "default",
            "parent pid",
            "full path",
            "command line",
            "k netsvcs",
            "k localservice",
            "s w32time",
            "event provider",
            "device",
            "registry keys"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 132,
            "FileHash-MD5": 43,
            "FileHash-SHA1": 6,
            "hostname": 364,
            "IPv4": 75,
            "URL": 574,
            "Mutex": 1,
            "FileHash-SHA256": 404
          },
          "indicator_count": 1599,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "16 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69dbeabd47b6e788ecf7fc32",
          "name": "CAPE Sandbox",
          "description": "A full report on Google Tag Manager for GA4, available to download on the web at any time, here is the full set of key points and key details for the report: .",
          "modified": "2026-05-12T18:44:07.582000",
          "created": "2026-04-12T18:55:57.872000",
          "tags": [
            "default",
            "typelib",
            "parent pid",
            "full path",
            "command line",
            "inprocserver32",
            "accept",
            "shell folders",
            "host",
            "cname",
            "install",
            "agent",
            "shutdown",
            "win64",
            "back",
            "info",
            "file type",
            "file size",
            "mwdb",
            "bazaar",
            "sha3384",
            "ssdeep",
            "text",
            "json",
            "in a",
            "estonia",
            "body",
            "performs dns",
            "https",
            "mitre attack",
            "network info",
            "processes extra",
            "t1055 process",
            "layer protocol",
            "overview",
            "overview zenbox",
            "verdict",
            "phishing",
            "next",
            "xffxf0 xffxf0",
            "xffxee xffxee",
            "xffxef xffxef",
            "xffxeb xffxeb",
            "px9d",
            "xe4x84",
            "fxf8",
            "x94 x94",
            "xc1 xc1",
            "xffxf1 xffxf1",
            "urls",
            "has permission",
            "united",
            "sim provider",
            "may check",
            "tls version",
            "persistence",
            "pe file",
            "pe32",
            "intel",
            "ms windows",
            "sample",
            "spawns",
            "found",
            "drops pe",
            "sandbox",
            "malware",
            "analysis",
            "online",
            "submit",
            "vxstream",
            "download",
            "trojan",
            "apt",
            "hybrid analysis",
            "api key",
            "vetting process",
            "please note",
            "please"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/007b0aa19218de7fe7b47dc785b345e4e09f8c8a133c689dafc778cf793e3ce0_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776019916&Signature=xU%2B28g7ql0wStAL7V97bG%2Bu0WHtev4OIGz8U3iqDKd%2FVNVlrDQ3vuAEteGPtDDR7qOlLSsItJmNBqGgWLySJ6U0nGICmzJVo0byP8H6%2Fd3HprkIH74LXAL%2FamR8rSKAlS1VWW%2FnGofIVc0zLtQeJdz%2BAMpNC0WX4pzvsIv2uagnjpUxUyVUykArW18%2FIapRYlTQZ0g4MdrwH%2FZ7h%2F0u9jGUM6rAiCBz33EYObn4aNb",
            "https://vtbehaviour.commondatastorage.googleapis.com/3b145ee102848506dc7551758ee869b43a1753f06fabcbcf9ca574cb7843d60e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776019946&Signature=JcVZlsCApsz0O52G3FOi%2BaimamYfGaduCcu4UnDC9VmXvZgqZ7fDxGeCnZM9NPUhmq0561rZ8PRIqA52RiBX3KnC7vhJa9PFjro5MHPo48Ypu9wL0RVB7C0RmZ3osycpkpyxEhtxKbIBAhFSEeMaEF%2F1BQw5%2BiCzEgPRP4X89bIAzw2EDpi3ulfCz8hms3FgCvWD6JMXBGKQJt1aE58BlUPY7ZhwLtbK4kOd4wzZjtfRjMqcTIEH7E0l",
            "https://vtbehaviour.commondatastorage.googleapis.com/3aebd918df444e5261a70a7b9957a04b62899583cca94cb90078ee348988691e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776020086&Signature=vMuNzon2yUMc%2F5PXmshAS3lf0MVaReBDP3dcoOo82NLL71xjFa%2F0VIEFo55JjUmKlOHvhj6b0rJp8aIUUpsBDR%2FLZqmeDT44n0TYUkzfcIlLutGzkvs51q5mrJeeemJL6QT8bKwOFyLEXXO4SZPPduUilqL%2B1j79%2BDUni60qslB23F%2FgjYjG0edIuIfW6yq1yjBgsR34RyCGI5Lc8I%2FVLrF4ZjzIswsIHyhorBolKc7rKhoDz6masxaT",
            "https://vtbehaviour.commondatastorage.googleapis.com/3b145ee102848506dc7551758ee869b43a1753f06fabcbcf9ca574cb7843d60e_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776020136&Signature=H%2FVhg6NRizidJvYP4bRaC%2B%2Fuh8%2F0Z5Rd0CKbYgwrqTxA%2B2BloALbxPU70bhu3eDWE1sqvRizm6xer2MkUeNtxL9kjtBPDD7Vpxe6Oq6R6o22ZN5vWg%2BqZnbM3PVA3wfuJwZ1sZaO7gv79Bd4iyuD9687aMdFTrD5BJ%2Fbd2rKn063HRKOwRubgTuKJwxXlPjVI0ocAdDIvmmDac1rsWOYTbcHVCIKUVrpUCmnjpXsSag%2BZTA",
            "https://vtbehaviour.commondatastorage.googleapis.com/00000722ff984d5cd9cd766d12c70eecc7a2ad7502999c5a99d582c79b92c1a6_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776020243&Signature=H1wTQxzrttgLCjJhjhriXYwMDCRB5ydjPUCYh9LS7Sqr42Y7WZzXZe0hC7YLFaTXYy2N3AsSr89gjIRZR80Jda4iLYyDlgohE9qQ3kFeKNZ%2FNp7IQu5FZY%2FpXRI7rsIlJnvlZmpbI006al7O0LQV5CrC797x%2FTp6jmAxmP5TS7NA%2BGfaDL14G7dIIeHtBoHxi7cbP%2Fe3qT1q3LcRk5oN%2FRV8TXEhpggMmbhYUEmK6ATwmwrh",
            "https://vtbehaviour.commondatastorage.googleapis.com/005fdc2438f1b1e58ea5e4d9c396feea40ad8a4788e90da06ecea60c5a8d79c2_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776020323&Signature=Mogy01Itx6r1B%2BxNe8ittQgO%2FxZRRAb%2F9lJynhxwSVOzHX7CsWRLBNEGHRp0B9k%2Bg%2FHO2jb5K65QRLLPyqkoA45n8CsH6T5790n7E0fsbYtOvp04eV28khNlOt2b%2Feh0a3nwcC%2BNAmxEHgqzaCfQlHBqBjk2ErpfhlpC5uQJchq%2BBgGeuPcFc8YRy4RCmaBiaTeD2V%2FJD7lssTzQfnZhLNMSLqEISDCN7TYsfL1%2BJREl4wSO7C",
            "https://hybrid-analysis.com/sample/4e4fa68c1c4d2cfee133c31432dd303bb5746f7094b5a6832a25e47e6279171c"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1406",
              "name": "Obfuscated Files or Information",
              "display_name": "T1406 - Obfuscated Files or Information"
            },
            {
              "id": "T1409",
              "name": "Access Stored Application Data",
              "display_name": "T1409 - Access Stored Application Data"
            },
            {
              "id": "T1418",
              "name": "Application Discovery",
              "display_name": "T1418 - Application Discovery"
            },
            {
              "id": "T1421",
              "name": "System Network Connections Discovery",
              "display_name": "T1421 - System Network Connections Discovery"
            },
            {
              "id": "T1422",
              "name": "System Network Configuration Discovery",
              "display_name": "T1422 - System Network Configuration Discovery"
            },
            {
              "id": "T1424",
              "name": "Process Discovery",
              "display_name": "T1424 - Process Discovery"
            },
            {
              "id": "T1426",
              "name": "System Information Discovery",
              "display_name": "T1426 - System Information Discovery"
            },
            {
              "id": "T1430",
              "name": "Location Tracking",
              "display_name": "T1430 - Location Tracking"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1203",
              "name": "Exploitation for Client Execution",
              "display_name": "T1203 - Exploitation for Client Execution"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 302,
            "FileHash-SHA1": 71,
            "FileHash-SHA256": 78,
            "URL": 181,
            "domain": 34,
            "hostname": 237
          },
          "indicator_count": 903,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "18 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69dbeabe5c5690d468b08e7a",
          "name": "CAPE Sandbox",
          "description": "A full report on Google Tag Manager for GA4, available to download on the web at any time, here is the full set of key points and key details for the report: .",
          "modified": "2026-05-12T18:44:07.582000",
          "created": "2026-04-12T18:55:58.319000",
          "tags": [
            "default",
            "typelib",
            "parent pid",
            "full path",
            "command line",
            "inprocserver32",
            "accept",
            "shell folders",
            "host",
            "cname",
            "install",
            "agent",
            "shutdown",
            "win64",
            "back",
            "info",
            "file type",
            "file size",
            "mwdb",
            "bazaar",
            "sha3384",
            "ssdeep",
            "text",
            "json",
            "in a",
            "estonia",
            "body",
            "performs dns",
            "https",
            "mitre attack",
            "network info",
            "processes extra",
            "t1055 process",
            "layer protocol",
            "overview",
            "overview zenbox",
            "verdict",
            "phishing",
            "next",
            "xffxf0 xffxf0",
            "xffxee xffxee",
            "xffxef xffxef",
            "xffxeb xffxeb",
            "px9d",
            "xe4x84",
            "fxf8",
            "x94 x94",
            "xc1 xc1",
            "xffxf1 xffxf1",
            "urls",
            "has permission",
            "united",
            "sim provider",
            "may check",
            "tls version",
            "persistence",
            "pe file",
            "pe32",
            "intel",
            "ms windows",
            "sample",
            "spawns",
            "found",
            "drops pe",
            "sandbox",
            "malware",
            "analysis",
            "online",
            "submit",
            "vxstream",
            "download",
            "trojan",
            "apt",
            "hybrid analysis",
            "api key",
            "vetting process",
            "please note",
            "please"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/007b0aa19218de7fe7b47dc785b345e4e09f8c8a133c689dafc778cf793e3ce0_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776019916&Signature=xU%2B28g7ql0wStAL7V97bG%2Bu0WHtev4OIGz8U3iqDKd%2FVNVlrDQ3vuAEteGPtDDR7qOlLSsItJmNBqGgWLySJ6U0nGICmzJVo0byP8H6%2Fd3HprkIH74LXAL%2FamR8rSKAlS1VWW%2FnGofIVc0zLtQeJdz%2BAMpNC0WX4pzvsIv2uagnjpUxUyVUykArW18%2FIapRYlTQZ0g4MdrwH%2FZ7h%2F0u9jGUM6rAiCBz33EYObn4aNb",
            "https://vtbehaviour.commondatastorage.googleapis.com/3b145ee102848506dc7551758ee869b43a1753f06fabcbcf9ca574cb7843d60e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776019946&Signature=JcVZlsCApsz0O52G3FOi%2BaimamYfGaduCcu4UnDC9VmXvZgqZ7fDxGeCnZM9NPUhmq0561rZ8PRIqA52RiBX3KnC7vhJa9PFjro5MHPo48Ypu9wL0RVB7C0RmZ3osycpkpyxEhtxKbIBAhFSEeMaEF%2F1BQw5%2BiCzEgPRP4X89bIAzw2EDpi3ulfCz8hms3FgCvWD6JMXBGKQJt1aE58BlUPY7ZhwLtbK4kOd4wzZjtfRjMqcTIEH7E0l",
            "https://vtbehaviour.commondatastorage.googleapis.com/3aebd918df444e5261a70a7b9957a04b62899583cca94cb90078ee348988691e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776020086&Signature=vMuNzon2yUMc%2F5PXmshAS3lf0MVaReBDP3dcoOo82NLL71xjFa%2F0VIEFo55JjUmKlOHvhj6b0rJp8aIUUpsBDR%2FLZqmeDT44n0TYUkzfcIlLutGzkvs51q5mrJeeemJL6QT8bKwOFyLEXXO4SZPPduUilqL%2B1j79%2BDUni60qslB23F%2FgjYjG0edIuIfW6yq1yjBgsR34RyCGI5Lc8I%2FVLrF4ZjzIswsIHyhorBolKc7rKhoDz6masxaT",
            "https://vtbehaviour.commondatastorage.googleapis.com/3b145ee102848506dc7551758ee869b43a1753f06fabcbcf9ca574cb7843d60e_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776020136&Signature=H%2FVhg6NRizidJvYP4bRaC%2B%2Fuh8%2F0Z5Rd0CKbYgwrqTxA%2B2BloALbxPU70bhu3eDWE1sqvRizm6xer2MkUeNtxL9kjtBPDD7Vpxe6Oq6R6o22ZN5vWg%2BqZnbM3PVA3wfuJwZ1sZaO7gv79Bd4iyuD9687aMdFTrD5BJ%2Fbd2rKn063HRKOwRubgTuKJwxXlPjVI0ocAdDIvmmDac1rsWOYTbcHVCIKUVrpUCmnjpXsSag%2BZTA",
            "https://vtbehaviour.commondatastorage.googleapis.com/00000722ff984d5cd9cd766d12c70eecc7a2ad7502999c5a99d582c79b92c1a6_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776020243&Signature=H1wTQxzrttgLCjJhjhriXYwMDCRB5ydjPUCYh9LS7Sqr42Y7WZzXZe0hC7YLFaTXYy2N3AsSr89gjIRZR80Jda4iLYyDlgohE9qQ3kFeKNZ%2FNp7IQu5FZY%2FpXRI7rsIlJnvlZmpbI006al7O0LQV5CrC797x%2FTp6jmAxmP5TS7NA%2BGfaDL14G7dIIeHtBoHxi7cbP%2Fe3qT1q3LcRk5oN%2FRV8TXEhpggMmbhYUEmK6ATwmwrh",
            "https://vtbehaviour.commondatastorage.googleapis.com/005fdc2438f1b1e58ea5e4d9c396feea40ad8a4788e90da06ecea60c5a8d79c2_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776020323&Signature=Mogy01Itx6r1B%2BxNe8ittQgO%2FxZRRAb%2F9lJynhxwSVOzHX7CsWRLBNEGHRp0B9k%2Bg%2FHO2jb5K65QRLLPyqkoA45n8CsH6T5790n7E0fsbYtOvp04eV28khNlOt2b%2Feh0a3nwcC%2BNAmxEHgqzaCfQlHBqBjk2ErpfhlpC5uQJchq%2BBgGeuPcFc8YRy4RCmaBiaTeD2V%2FJD7lssTzQfnZhLNMSLqEISDCN7TYsfL1%2BJREl4wSO7C",
            "https://hybrid-analysis.com/sample/4e4fa68c1c4d2cfee133c31432dd303bb5746f7094b5a6832a25e47e6279171c"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1406",
              "name": "Obfuscated Files or Information",
              "display_name": "T1406 - Obfuscated Files or Information"
            },
            {
              "id": "T1409",
              "name": "Access Stored Application Data",
              "display_name": "T1409 - Access Stored Application Data"
            },
            {
              "id": "T1418",
              "name": "Application Discovery",
              "display_name": "T1418 - Application Discovery"
            },
            {
              "id": "T1421",
              "name": "System Network Connections Discovery",
              "display_name": "T1421 - System Network Connections Discovery"
            },
            {
              "id": "T1422",
              "name": "System Network Configuration Discovery",
              "display_name": "T1422 - System Network Configuration Discovery"
            },
            {
              "id": "T1424",
              "name": "Process Discovery",
              "display_name": "T1424 - Process Discovery"
            },
            {
              "id": "T1426",
              "name": "System Information Discovery",
              "display_name": "T1426 - System Information Discovery"
            },
            {
              "id": "T1430",
              "name": "Location Tracking",
              "display_name": "T1430 - Location Tracking"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1203",
              "name": "Exploitation for Client Execution",
              "display_name": "T1203 - Exploitation for Client Execution"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 302,
            "FileHash-SHA1": 71,
            "FileHash-SHA256": 78,
            "URL": 181,
            "domain": 34,
            "hostname": 237
          },
          "indicator_count": 903,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "18 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69dbeabf8e4208f8af8b744d",
          "name": "CAPE Sandbox",
          "description": "A full report on Google Tag Manager for GA4, available to download on the web at any time, here is the full set of key points and key details for the report: .",
          "modified": "2026-05-12T18:44:07.582000",
          "created": "2026-04-12T18:55:59.161000",
          "tags": [
            "default",
            "typelib",
            "parent pid",
            "full path",
            "command line",
            "inprocserver32",
            "accept",
            "shell folders",
            "host",
            "cname",
            "install",
            "agent",
            "shutdown",
            "win64",
            "back",
            "info",
            "file type",
            "file size",
            "mwdb",
            "bazaar",
            "sha3384",
            "ssdeep",
            "text",
            "json",
            "in a",
            "estonia",
            "body",
            "performs dns",
            "https",
            "mitre attack",
            "network info",
            "processes extra",
            "t1055 process",
            "layer protocol",
            "overview",
            "overview zenbox",
            "verdict",
            "phishing",
            "next",
            "xffxf0 xffxf0",
            "xffxee xffxee",
            "xffxef xffxef",
            "xffxeb xffxeb",
            "px9d",
            "xe4x84",
            "fxf8",
            "x94 x94",
            "xc1 xc1",
            "xffxf1 xffxf1",
            "urls",
            "has permission",
            "united",
            "sim provider",
            "may check",
            "tls version",
            "persistence",
            "pe file",
            "pe32",
            "intel",
            "ms windows",
            "sample",
            "spawns",
            "found",
            "drops pe",
            "sandbox",
            "malware",
            "analysis",
            "online",
            "submit",
            "vxstream",
            "download",
            "trojan",
            "apt",
            "hybrid analysis",
            "api key",
            "vetting process",
            "please note",
            "please"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/007b0aa19218de7fe7b47dc785b345e4e09f8c8a133c689dafc778cf793e3ce0_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776019916&Signature=xU%2B28g7ql0wStAL7V97bG%2Bu0WHtev4OIGz8U3iqDKd%2FVNVlrDQ3vuAEteGPtDDR7qOlLSsItJmNBqGgWLySJ6U0nGICmzJVo0byP8H6%2Fd3HprkIH74LXAL%2FamR8rSKAlS1VWW%2FnGofIVc0zLtQeJdz%2BAMpNC0WX4pzvsIv2uagnjpUxUyVUykArW18%2FIapRYlTQZ0g4MdrwH%2FZ7h%2F0u9jGUM6rAiCBz33EYObn4aNb",
            "https://vtbehaviour.commondatastorage.googleapis.com/3b145ee102848506dc7551758ee869b43a1753f06fabcbcf9ca574cb7843d60e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776019946&Signature=JcVZlsCApsz0O52G3FOi%2BaimamYfGaduCcu4UnDC9VmXvZgqZ7fDxGeCnZM9NPUhmq0561rZ8PRIqA52RiBX3KnC7vhJa9PFjro5MHPo48Ypu9wL0RVB7C0RmZ3osycpkpyxEhtxKbIBAhFSEeMaEF%2F1BQw5%2BiCzEgPRP4X89bIAzw2EDpi3ulfCz8hms3FgCvWD6JMXBGKQJt1aE58BlUPY7ZhwLtbK4kOd4wzZjtfRjMqcTIEH7E0l",
            "https://vtbehaviour.commondatastorage.googleapis.com/3aebd918df444e5261a70a7b9957a04b62899583cca94cb90078ee348988691e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776020086&Signature=vMuNzon2yUMc%2F5PXmshAS3lf0MVaReBDP3dcoOo82NLL71xjFa%2F0VIEFo55JjUmKlOHvhj6b0rJp8aIUUpsBDR%2FLZqmeDT44n0TYUkzfcIlLutGzkvs51q5mrJeeemJL6QT8bKwOFyLEXXO4SZPPduUilqL%2B1j79%2BDUni60qslB23F%2FgjYjG0edIuIfW6yq1yjBgsR34RyCGI5Lc8I%2FVLrF4ZjzIswsIHyhorBolKc7rKhoDz6masxaT",
            "https://vtbehaviour.commondatastorage.googleapis.com/3b145ee102848506dc7551758ee869b43a1753f06fabcbcf9ca574cb7843d60e_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776020136&Signature=H%2FVhg6NRizidJvYP4bRaC%2B%2Fuh8%2F0Z5Rd0CKbYgwrqTxA%2B2BloALbxPU70bhu3eDWE1sqvRizm6xer2MkUeNtxL9kjtBPDD7Vpxe6Oq6R6o22ZN5vWg%2BqZnbM3PVA3wfuJwZ1sZaO7gv79Bd4iyuD9687aMdFTrD5BJ%2Fbd2rKn063HRKOwRubgTuKJwxXlPjVI0ocAdDIvmmDac1rsWOYTbcHVCIKUVrpUCmnjpXsSag%2BZTA",
            "https://vtbehaviour.commondatastorage.googleapis.com/00000722ff984d5cd9cd766d12c70eecc7a2ad7502999c5a99d582c79b92c1a6_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776020243&Signature=H1wTQxzrttgLCjJhjhriXYwMDCRB5ydjPUCYh9LS7Sqr42Y7WZzXZe0hC7YLFaTXYy2N3AsSr89gjIRZR80Jda4iLYyDlgohE9qQ3kFeKNZ%2FNp7IQu5FZY%2FpXRI7rsIlJnvlZmpbI006al7O0LQV5CrC797x%2FTp6jmAxmP5TS7NA%2BGfaDL14G7dIIeHtBoHxi7cbP%2Fe3qT1q3LcRk5oN%2FRV8TXEhpggMmbhYUEmK6ATwmwrh",
            "https://vtbehaviour.commondatastorage.googleapis.com/005fdc2438f1b1e58ea5e4d9c396feea40ad8a4788e90da06ecea60c5a8d79c2_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776020323&Signature=Mogy01Itx6r1B%2BxNe8ittQgO%2FxZRRAb%2F9lJynhxwSVOzHX7CsWRLBNEGHRp0B9k%2Bg%2FHO2jb5K65QRLLPyqkoA45n8CsH6T5790n7E0fsbYtOvp04eV28khNlOt2b%2Feh0a3nwcC%2BNAmxEHgqzaCfQlHBqBjk2ErpfhlpC5uQJchq%2BBgGeuPcFc8YRy4RCmaBiaTeD2V%2FJD7lssTzQfnZhLNMSLqEISDCN7TYsfL1%2BJREl4wSO7C",
            "https://hybrid-analysis.com/sample/4e4fa68c1c4d2cfee133c31432dd303bb5746f7094b5a6832a25e47e6279171c"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1406",
              "name": "Obfuscated Files or Information",
              "display_name": "T1406 - Obfuscated Files or Information"
            },
            {
              "id": "T1409",
              "name": "Access Stored Application Data",
              "display_name": "T1409 - Access Stored Application Data"
            },
            {
              "id": "T1418",
              "name": "Application Discovery",
              "display_name": "T1418 - Application Discovery"
            },
            {
              "id": "T1421",
              "name": "System Network Connections Discovery",
              "display_name": "T1421 - System Network Connections Discovery"
            },
            {
              "id": "T1422",
              "name": "System Network Configuration Discovery",
              "display_name": "T1422 - System Network Configuration Discovery"
            },
            {
              "id": "T1424",
              "name": "Process Discovery",
              "display_name": "T1424 - Process Discovery"
            },
            {
              "id": "T1426",
              "name": "System Information Discovery",
              "display_name": "T1426 - System Information Discovery"
            },
            {
              "id": "T1430",
              "name": "Location Tracking",
              "display_name": "T1430 - Location Tracking"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1203",
              "name": "Exploitation for Client Execution",
              "display_name": "T1203 - Exploitation for Client Execution"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 302,
            "FileHash-SHA1": 71,
            "FileHash-SHA256": 78,
            "URL": 181,
            "domain": 34,
            "hostname": 237
          },
          "indicator_count": 903,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "18 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69faf0e7e922f6018d039d15",
          "name": "CAPE Sandbox - Aurora like Flo.",
          "description": "This research pulse identifies a file exhibiting high-frequency network activity with minimal local file system impact. The sample bypasses common detection signatures, relying on encrypted communications and rapid DNS resolution to establish external connections.\nTechnical Analysis & MITRE ATT&CK\nCommand and Control (T1071.001): The sample utilizes standard Web Protocols (HTTP/DNS) for external communication.\nReconnaissance (T1589): High volume of unique IP connections (17) and DNS queries (6) suggests automated environmental scanning or identity gathering.\nProtocol Obfuscation: The presence of 11 unique JA3 fingerprints indicates a sophisticated rotating encryption strategy for SSL/TLS traffic to evade traditional network inspection.\nIndicators of Compromise (IoCs)\nFile Hash (SHA-256): df8f1674d7034cb48fcd0651304833febfcaf1814c8294839246e9db1d269b1d\nNetwork Activity with Nextron:\nHTTP Requests: 5\nDNS Queries: 6\nUnique IP Connections: 17\nEncrypted Traffic: 11 JA3 SSL/TLS fingerprints observed.",
          "modified": "2026-05-06T10:50:46.591000",
          "created": "2026-05-06T07:42:31.304000",
          "tags": [
            "html internet",
            "html document",
            "ascii text",
            "code",
            "date",
            "icann whois",
            "server",
            "registrar abuse",
            "whois status",
            "notice",
            "dnssec",
            "registrant name",
            "tech email",
            "form",
            "tech",
            "handle",
            "address range",
            "cidr",
            "network name",
            "allocation type",
            "allocated pa",
            "status",
            "whois server",
            "entity scipmnt",
            "nextron",
            "show",
            "read",
            "t series",
            "textron",
            "europe",
            "nextron product",
            "brands",
            "transportation",
            "taiwan"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 2,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 151,
            "hostname": 232,
            "domain": 98,
            "FileHash-MD5": 50,
            "FileHash-SHA1": 6,
            "FileHash-SHA256": 32,
            "IPv4": 44,
            "email": 1,
            "CIDR": 2,
            "CVE": 1
          },
          "indicator_count": 617,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "25 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69faf0e688402e4e3ab85930",
          "name": "CAPE Sandbox - Aurora like Flo.",
          "description": "This research pulse identifies a file exhibiting high-frequency network activity with minimal local file system impact. The sample bypasses common detection signatures, relying on encrypted communications and rapid DNS resolution to establish external connections.\nTechnical Analysis & MITRE ATT&CK\nCommand and Control (T1071.001): The sample utilizes standard Web Protocols (HTTP/DNS) for external communication.\nReconnaissance (T1589): High volume of unique IP connections (17) and DNS queries (6) suggests automated environmental scanning or identity gathering.\nProtocol Obfuscation: The presence of 11 unique JA3 fingerprints indicates a sophisticated rotating encryption strategy for SSL/TLS traffic to evade traditional network inspection.\nIndicators of Compromise (IoCs)\nFile Hash (SHA-256): df8f1674d7034cb48fcd0651304833febfcaf1814c8294839246e9db1d269b1d\nNetwork Activity with Nextron:\nHTTP Requests: 5\nDNS Queries: 6\nUnique IP Connections: 17\nEncrypted Traffic: 11 JA3 SSL/TLS fingerprints observed.",
          "modified": "2026-05-06T10:50:46.337000",
          "created": "2026-05-06T07:42:30.565000",
          "tags": [
            "html internet",
            "html document",
            "ascii text",
            "code",
            "date",
            "icann whois",
            "server",
            "registrar abuse",
            "whois status",
            "notice",
            "dnssec",
            "registrant name",
            "tech email",
            "form",
            "tech",
            "handle",
            "address range",
            "cidr",
            "network name",
            "allocation type",
            "allocated pa",
            "status",
            "whois server",
            "entity scipmnt",
            "nextron",
            "show",
            "read",
            "t series",
            "textron",
            "europe",
            "nextron product",
            "brands",
            "transportation",
            "taiwan"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 88,
            "hostname": 185,
            "domain": 62,
            "FileHash-MD5": 16,
            "FileHash-SHA1": 4,
            "FileHash-SHA256": 17,
            "IPv4": 32,
            "email": 1,
            "CIDR": 2,
            "CVE": 1
          },
          "indicator_count": 408,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "25 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69cc545090c369b8067ecca7",
          "name": "VirusTotal report for index.html",
          "description": "The Town of Cohasset, a search engine for malicious websites, has been published for the first time in its 3,000-year-old history, with the result of a report generated on 27 March 2026.",
          "modified": "2026-04-30T23:10:15.978000",
          "created": "2026-03-31T23:10:08.836000",
          "tags": [
            "performs dns",
            "mitre attack",
            "network info",
            "processes extra",
            "t1055 process",
            "overview",
            "overview zenbox",
            "verdict",
            "guest system",
            "ultimate file",
            "phishing",
            "next"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/c977a561765c2861793b64324a98233900e8db2b4838c90c96b84012115a7f32_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1774998761&Signature=XCnGnUE%2Fzu8qpCGFqG5mHoDrdTbULz9ErAVvON9F2Y60XotlqnfLyUMFIAGU1aeMRFamHsaXCWbWLSTFR9vCSNUIEEN30dMraEZWFhrRT2LnbLwY9wdF4cWqSIWTjyYbE6pxGFlNC40jkbF%2F4vF4Avq%2B4B2J%2FfQhR0ycE15g%2BCNnT8ApscdBI0anpiDf3tzhQkEwKgZ2P6zUlb1zSR98Y6qGTA9ZKiO2Ar5zPScur7uWPzW7EqyGOeucGXhf"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 3,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 1,
            "URL": 18,
            "domain": 6,
            "hostname": 17
          },
          "indicator_count": 47,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "30 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69cc545b9f835c0425c4312d",
          "name": "VirusTotal report for index.html",
          "description": "The Town of Cohasset, a search engine for malicious websites, has been published for the first time in its 3,000-year-old history, with the result of a report generated on 27 March 2026.",
          "modified": "2026-04-30T23:10:15.978000",
          "created": "2026-03-31T23:10:19.792000",
          "tags": [
            "performs dns",
            "mitre attack",
            "network info",
            "processes extra",
            "t1055 process",
            "overview",
            "overview zenbox",
            "verdict",
            "guest system",
            "ultimate file",
            "phishing",
            "next"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/c977a561765c2861793b64324a98233900e8db2b4838c90c96b84012115a7f32_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1774998761&Signature=XCnGnUE%2Fzu8qpCGFqG5mHoDrdTbULz9ErAVvON9F2Y60XotlqnfLyUMFIAGU1aeMRFamHsaXCWbWLSTFR9vCSNUIEEN30dMraEZWFhrRT2LnbLwY9wdF4cWqSIWTjyYbE6pxGFlNC40jkbF%2F4vF4Avq%2B4B2J%2FfQhR0ycE15g%2BCNnT8ApscdBI0anpiDf3tzhQkEwKgZ2P6zUlb1zSR98Y6qGTA9ZKiO2Ar5zPScur7uWPzW7EqyGOeucGXhf"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 1,
            "URL": 12,
            "domain": 5,
            "hostname": 11
          },
          "indicator_count": 31,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "30 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69ca5f28a0b7445d29e0458c",
          "name": "VirusTotal report for index.html",
          "description": "Test / Recall Calendar Invitation",
          "modified": "2026-04-29T11:26:13.615000",
          "created": "2026-03-30T11:31:52.605000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 1,
            "URL": 13,
            "domain": 4,
            "hostname": 8
          },
          "indicator_count": 28,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 68,
          "modified_text": "31 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69bf6a0d59d56a5cf1c5d5f9",
          "name": "h3heydyhehdyfueu3uryfy",
          "description": "freepool.net",
          "modified": "2026-04-23T00:01:35.514000",
          "created": "2026-03-22T04:03:25.979000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 40,
            "FileHash-MD5": 10,
            "FileHash-SHA1": 8,
            "domain": 353,
            "email": 12,
            "hostname": 972,
            "URL": 126
          },
          "indicator_count": 1521,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "38 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69c0b5d85b51fac0918c898d",
          "name": "VirusTotal report for index.html",
          "description": "",
          "modified": "2026-04-22T03:27:13.249000",
          "created": "2026-03-23T03:39:04.137000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 2,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 2,
            "URL": 24,
            "domain": 8,
            "hostname": 16
          },
          "indicator_count": 54,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "39 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69bf19eaf07fe8e7478c0d85",
          "name": "Behavior Iocs",
          "description": "",
          "modified": "2026-04-20T23:10:00.870000",
          "created": "2026-03-21T22:21:30.218000",
          "tags": [
            "html document",
            "unicode text",
            "utf8 text",
            "crlf",
            "lf line"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 106,
            "FileHash-SHA1": 59,
            "FileHash-SHA256": 663,
            "URL": 572,
            "domain": 311,
            "hostname": 698,
            "email": 7
          },
          "indicator_count": 2416,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "40 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://vtbehaviour.commondatastorage.googleapis.com/005fdc2438f1b1e58ea5e4d9c396feea40ad8a4788e90da06ecea60c5a8d79c2_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776020323&Signature=Mogy01Itx6r1B%2BxNe8ittQgO%2FxZRRAb%2F9lJynhxwSVOzHX7CsWRLBNEGHRp0B9k%2Bg%2FHO2jb5K65QRLLPyqkoA45n8CsH6T5790n7E0fsbYtOvp04eV28khNlOt2b%2Feh0a3nwcC%2BNAmxEHgqzaCfQlHBqBjk2ErpfhlpC5uQJchq%2BBgGeuPcFc8YRy4RCmaBiaTeD2V%2FJD7lssTzQfnZhLNMSLqEISDCN7TYsfL1%2BJREl4wSO7C",
        "https://vtbehaviour.commondatastorage.googleapis.com/007b0aa19218de7fe7b47dc785b345e4e09f8c8a133c689dafc778cf793e3ce0_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776019916&Signature=xU%2B28g7ql0wStAL7V97bG%2Bu0WHtev4OIGz8U3iqDKd%2FVNVlrDQ3vuAEteGPtDDR7qOlLSsItJmNBqGgWLySJ6U0nGICmzJVo0byP8H6%2Fd3HprkIH74LXAL%2FamR8rSKAlS1VWW%2FnGofIVc0zLtQeJdz%2BAMpNC0WX4pzvsIv2uagnjpUxUyVUykArW18%2FIapRYlTQZ0g4MdrwH%2FZ7h%2F0u9jGUM6rAiCBz33EYObn4aNb",
        "https://vtbehaviour.commondatastorage.googleapis.com/c977a561765c2861793b64324a98233900e8db2b4838c90c96b84012115a7f32_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1774998761&Signature=XCnGnUE%2Fzu8qpCGFqG5mHoDrdTbULz9ErAVvON9F2Y60XotlqnfLyUMFIAGU1aeMRFamHsaXCWbWLSTFR9vCSNUIEEN30dMraEZWFhrRT2LnbLwY9wdF4cWqSIWTjyYbE6pxGFlNC40jkbF%2F4vF4Avq%2B4B2J%2FfQhR0ycE15g%2BCNnT8ApscdBI0anpiDf3tzhQkEwKgZ2P6zUlb1zSR98Y6qGTA9ZKiO2Ar5zPScur7uWPzW7EqyGOeucGXhf",
        "https://vtbehaviour.commondatastorage.googleapis.com/3b145ee102848506dc7551758ee869b43a1753f06fabcbcf9ca574cb7843d60e_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776020136&Signature=H%2FVhg6NRizidJvYP4bRaC%2B%2Fuh8%2F0Z5Rd0CKbYgwrqTxA%2B2BloALbxPU70bhu3eDWE1sqvRizm6xer2MkUeNtxL9kjtBPDD7Vpxe6Oq6R6o22ZN5vWg%2BqZnbM3PVA3wfuJwZ1sZaO7gv79Bd4iyuD9687aMdFTrD5BJ%2Fbd2rKn063HRKOwRubgTuKJwxXlPjVI0ocAdDIvmmDac1rsWOYTbcHVCIKUVrpUCmnjpXsSag%2BZTA",
        "https://hybrid-analysis.com/sample/4e4fa68c1c4d2cfee133c31432dd303bb5746f7094b5a6832a25e47e6279171c",
        "https://vtbehaviour.commondatastorage.googleapis.com/3aebd918df444e5261a70a7b9957a04b62899583cca94cb90078ee348988691e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776020086&Signature=vMuNzon2yUMc%2F5PXmshAS3lf0MVaReBDP3dcoOo82NLL71xjFa%2F0VIEFo55JjUmKlOHvhj6b0rJp8aIUUpsBDR%2FLZqmeDT44n0TYUkzfcIlLutGzkvs51q5mrJeeemJL6QT8bKwOFyLEXXO4SZPPduUilqL%2B1j79%2BDUni60qslB23F%2FgjYjG0edIuIfW6yq1yjBgsR34RyCGI5Lc8I%2FVLrF4ZjzIswsIHyhorBolKc7rKhoDz6masxaT",
        "https://vtbehaviour.commondatastorage.googleapis.com/3b145ee102848506dc7551758ee869b43a1753f06fabcbcf9ca574cb7843d60e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776019946&Signature=JcVZlsCApsz0O52G3FOi%2BaimamYfGaduCcu4UnDC9VmXvZgqZ7fDxGeCnZM9NPUhmq0561rZ8PRIqA52RiBX3KnC7vhJa9PFjro5MHPo48Ypu9wL0RVB7C0RmZ3osycpkpyxEhtxKbIBAhFSEeMaEF%2F1BQw5%2BiCzEgPRP4X89bIAzw2EDpi3ulfCz8hms3FgCvWD6JMXBGKQJt1aE58BlUPY7ZhwLtbK4kOd4wzZjtfRjMqcTIEH7E0l",
        "https://vtbehaviour.commondatastorage.googleapis.com/00000722ff984d5cd9cd766d12c70eecc7a2ad7502999c5a99d582c79b92c1a6_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776020243&Signature=H1wTQxzrttgLCjJhjhriXYwMDCRB5ydjPUCYh9LS7Sqr42Y7WZzXZe0hC7YLFaTXYy2N3AsSr89gjIRZR80Jda4iLYyDlgohE9qQ3kFeKNZ%2FNp7IQu5FZY%2FpXRI7rsIlJnvlZmpbI006al7O0LQV5CrC797x%2FTp6jmAxmP5TS7NA%2BGfaDL14G7dIIeHtBoHxi7cbP%2Fe3qT1q3LcRk5oN%2FRV8TXEhpggMmbhYUEmK6ATwmwrh"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 0
        },
        "other": {
          "adversary": [],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 10447
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/permiteyes.us",
    "whois": "http://whois.domaintools.com/permiteyes.us",
    "domain": "permiteyes.us",
    "hostname": "Unavailable"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 16,
  "pulses": [
    {
      "id": "69f3dd29978345cc0033cdec",
      "name": "CAPE Sandbox - powershell unsigned trust bypass affects arpa and msedge update",
      "description": "File is not signed-Microsoft Corporation. All rights reserved.\nProduct\nMicrosoft\u00ae Windows\u00ae Operating System\nDescription\nWindows PowerShell\nOriginal Name\nPowerShell.EXE\nInternal Name\nPOWERSHELL\nFile Version\n10.0.19041.546 (WinBuild.160101.0800)\nrefer to belasco chain or broken seal\nclient does not have windows",
      "modified": "2026-05-31T01:02:14",
      "created": "2026-04-30T22:52:25.691000",
      "tags": [
        "31community",
        "35business",
        "cid1",
        "youtube https",
        "cohasset",
        "meta tags",
        "home category0",
        "home themecolor",
        "script tags"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1010",
          "name": "Application Window Discovery",
          "display_name": "T1010 - Application Window Discovery"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1014",
          "name": "Rootkit",
          "display_name": "T1014 - Rootkit"
        },
        {
          "id": "T1047",
          "name": "Windows Management Instrumentation",
          "display_name": "T1047 - Windows Management Instrumentation"
        },
        {
          "id": "T1203",
          "name": "Exploitation for Client Execution",
          "display_name": "T1203 - Exploitation for Client Execution"
        },
        {
          "id": "T1485",
          "name": "Data Destruction",
          "display_name": "T1485 - Data Destruction"
        },
        {
          "id": "T1496",
          "name": "Resource Hijacking",
          "display_name": "T1496 - Resource Hijacking"
        },
        {
          "id": "T1542",
          "name": "Pre-OS Boot",
          "display_name": "T1542 - Pre-OS Boot"
        },
        {
          "id": "T1564",
          "name": "Hide Artifacts",
          "display_name": "T1564 - Hide Artifacts"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 718,
        "FileHash-SHA1": 428,
        "FileHash-SHA256": 1579,
        "URL": 720,
        "hostname": 612,
        "domain": 210,
        "email": 4
      },
      "indicator_count": 4271,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "10 hours ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69f3dd24843020a4ba674665",
      "name": "CAPE Sandbox - powershell unsigned trust bypass affects arpa and msedge update",
      "description": "File is not signed-Microsoft Corporation. All rights reserved.\nProduct\nMicrosoft\u00ae Windows\u00ae Operating System\nDescription\nWindows PowerShell\nOriginal Name\nPowerShell.EXE\nInternal Name\nPOWERSHELL\nFile Version\n10.0.19041.546 (WinBuild.160101.0800)\nrefer to belasco chain or broken seal\nclient does not have windows",
      "modified": "2026-05-30T23:01:01.821000",
      "created": "2026-04-30T22:52:20.006000",
      "tags": [
        "31community",
        "35business",
        "cid1",
        "youtube https",
        "cohasset",
        "meta tags",
        "home category0",
        "home themecolor",
        "script tags"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1010",
          "name": "Application Window Discovery",
          "display_name": "T1010 - Application Window Discovery"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1014",
          "name": "Rootkit",
          "display_name": "T1014 - Rootkit"
        },
        {
          "id": "T1047",
          "name": "Windows Management Instrumentation",
          "display_name": "T1047 - Windows Management Instrumentation"
        },
        {
          "id": "T1203",
          "name": "Exploitation for Client Execution",
          "display_name": "T1203 - Exploitation for Client Execution"
        },
        {
          "id": "T1485",
          "name": "Data Destruction",
          "display_name": "T1485 - Data Destruction"
        },
        {
          "id": "T1496",
          "name": "Resource Hijacking",
          "display_name": "T1496 - Resource Hijacking"
        },
        {
          "id": "T1542",
          "name": "Pre-OS Boot",
          "display_name": "T1542 - Pre-OS Boot"
        },
        {
          "id": "T1564",
          "name": "Hide Artifacts",
          "display_name": "T1564 - Hide Artifacts"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 292,
        "FileHash-SHA1": 262,
        "FileHash-SHA256": 1179,
        "URL": 68,
        "hostname": 237,
        "domain": 16
      },
      "indicator_count": 2054,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 66,
      "modified_text": "12 hours ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69f3dd264e217e3724abedd7",
      "name": "CAPE Sandbox - powershell unsigned trust bypass affects arpa and msedge update",
      "description": "File is not signed-Microsoft Corporation. All rights reserved.\nProduct\nMicrosoft\u00ae Windows\u00ae Operating System\nDescription\nWindows PowerShell\nOriginal Name\nPowerShell.EXE\nInternal Name\nPOWERSHELL\nFile Version\n10.0.19041.546 (WinBuild.160101.0800)\nrefer to belasco chain or broken seal\nclient does not have windows included is others windows [exe] that appear to have a false flag origin with US wordpress roots.",
      "modified": "2026-05-30T23:01:01.821000",
      "created": "2026-04-30T22:52:22.813000",
      "tags": [
        "31community",
        "35business",
        "cid1",
        "youtube https",
        "cohasset",
        "meta tags",
        "home category0",
        "home themecolor",
        "script tags"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1010",
          "name": "Application Window Discovery",
          "display_name": "T1010 - Application Window Discovery"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1014",
          "name": "Rootkit",
          "display_name": "T1014 - Rootkit"
        },
        {
          "id": "T1047",
          "name": "Windows Management Instrumentation",
          "display_name": "T1047 - Windows Management Instrumentation"
        },
        {
          "id": "T1203",
          "name": "Exploitation for Client Execution",
          "display_name": "T1203 - Exploitation for Client Execution"
        },
        {
          "id": "T1485",
          "name": "Data Destruction",
          "display_name": "T1485 - Data Destruction"
        },
        {
          "id": "T1496",
          "name": "Resource Hijacking",
          "display_name": "T1496 - Resource Hijacking"
        },
        {
          "id": "T1542",
          "name": "Pre-OS Boot",
          "display_name": "T1542 - Pre-OS Boot"
        },
        {
          "id": "T1564",
          "name": "Hide Artifacts",
          "display_name": "T1564 - Hide Artifacts"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 1,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 237,
        "FileHash-SHA1": 226,
        "FileHash-SHA256": 940,
        "URL": 213,
        "hostname": 197,
        "domain": 139
      },
      "indicator_count": 1952,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 66,
      "modified_text": "12 hours ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69e940361a6e8be7e02ffe5d",
      "name": "URL_File_Delivery clone by octoseek",
      "description": "",
      "modified": "2026-05-22T23:04:42.859000",
      "created": "2026-04-22T21:40:06.671000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": "64d9d1b920c9b43c1885b2e4",
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 1644,
        "domain": 386,
        "hostname": 535,
        "FileHash-SHA256": 609,
        "email": 5,
        "URI": 9,
        "FilePath": 1,
        "FileHash-SHA1": 8,
        "FileHash-MD5": 24
      },
      "indicator_count": 3221,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 68,
      "modified_text": "8 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "6a03cc521e13c5d6d34555d0",
      "name": "Judgement Day. VirusTotal report for index.html",
      "description": "[Apple.com has sent a series of \"fl flushMessages\" to its servers, but what exactly is the data and what is it going to get out of the system and how does it feel?]",
      "modified": "2026-05-15T10:22:00.139000",
      "created": "2026-05-13T00:56:50.182000",
      "tags": [
        "darwin kernel",
        "version",
        "wed feb",
        "apfs4kobjs",
        "instagram",
        "mosaic",
        "free",
        "get http",
        "dns resolutions",
        "ip traffic",
        "pattern domains",
        "memory pattern",
        "urls https",
        "tls sni",
        "algorithm",
        "key identifier",
        "x509v3 subject",
        "v3 serial",
        "number",
        "cus olet",
        "encrypt cnr13",
        "validity",
        "subject public",
        "key info",
        "performs dns",
        "https",
        "urls",
        "united",
        "mitre attack",
        "network info",
        "processes extra",
        "t1055 process",
        "layer protocol",
        "overview",
        "phishing",
        "defense evasion",
        "next",
        "default",
        "parent pid",
        "full path",
        "command line",
        "k netsvcs",
        "k localservice",
        "s w32time",
        "event provider",
        "device",
        "registry keys"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 132,
        "FileHash-MD5": 43,
        "FileHash-SHA1": 6,
        "hostname": 364,
        "IPv4": 75,
        "URL": 574,
        "Mutex": 1,
        "FileHash-SHA256": 404
      },
      "indicator_count": 1599,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "16 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69dbeabd47b6e788ecf7fc32",
      "name": "CAPE Sandbox",
      "description": "A full report on Google Tag Manager for GA4, available to download on the web at any time, here is the full set of key points and key details for the report: .",
      "modified": "2026-05-12T18:44:07.582000",
      "created": "2026-04-12T18:55:57.872000",
      "tags": [
        "default",
        "typelib",
        "parent pid",
        "full path",
        "command line",
        "inprocserver32",
        "accept",
        "shell folders",
        "host",
        "cname",
        "install",
        "agent",
        "shutdown",
        "win64",
        "back",
        "info",
        "file type",
        "file size",
        "mwdb",
        "bazaar",
        "sha3384",
        "ssdeep",
        "text",
        "json",
        "in a",
        "estonia",
        "body",
        "performs dns",
        "https",
        "mitre attack",
        "network info",
        "processes extra",
        "t1055 process",
        "layer protocol",
        "overview",
        "overview zenbox",
        "verdict",
        "phishing",
        "next",
        "xffxf0 xffxf0",
        "xffxee xffxee",
        "xffxef xffxef",
        "xffxeb xffxeb",
        "px9d",
        "xe4x84",
        "fxf8",
        "x94 x94",
        "xc1 xc1",
        "xffxf1 xffxf1",
        "urls",
        "has permission",
        "united",
        "sim provider",
        "may check",
        "tls version",
        "persistence",
        "pe file",
        "pe32",
        "intel",
        "ms windows",
        "sample",
        "spawns",
        "found",
        "drops pe",
        "sandbox",
        "malware",
        "analysis",
        "online",
        "submit",
        "vxstream",
        "download",
        "trojan",
        "apt",
        "hybrid analysis",
        "api key",
        "vetting process",
        "please note",
        "please"
      ],
      "references": [
        "https://vtbehaviour.commondatastorage.googleapis.com/007b0aa19218de7fe7b47dc785b345e4e09f8c8a133c689dafc778cf793e3ce0_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776019916&Signature=xU%2B28g7ql0wStAL7V97bG%2Bu0WHtev4OIGz8U3iqDKd%2FVNVlrDQ3vuAEteGPtDDR7qOlLSsItJmNBqGgWLySJ6U0nGICmzJVo0byP8H6%2Fd3HprkIH74LXAL%2FamR8rSKAlS1VWW%2FnGofIVc0zLtQeJdz%2BAMpNC0WX4pzvsIv2uagnjpUxUyVUykArW18%2FIapRYlTQZ0g4MdrwH%2FZ7h%2F0u9jGUM6rAiCBz33EYObn4aNb",
        "https://vtbehaviour.commondatastorage.googleapis.com/3b145ee102848506dc7551758ee869b43a1753f06fabcbcf9ca574cb7843d60e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776019946&Signature=JcVZlsCApsz0O52G3FOi%2BaimamYfGaduCcu4UnDC9VmXvZgqZ7fDxGeCnZM9NPUhmq0561rZ8PRIqA52RiBX3KnC7vhJa9PFjro5MHPo48Ypu9wL0RVB7C0RmZ3osycpkpyxEhtxKbIBAhFSEeMaEF%2F1BQw5%2BiCzEgPRP4X89bIAzw2EDpi3ulfCz8hms3FgCvWD6JMXBGKQJt1aE58BlUPY7ZhwLtbK4kOd4wzZjtfRjMqcTIEH7E0l",
        "https://vtbehaviour.commondatastorage.googleapis.com/3aebd918df444e5261a70a7b9957a04b62899583cca94cb90078ee348988691e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776020086&Signature=vMuNzon2yUMc%2F5PXmshAS3lf0MVaReBDP3dcoOo82NLL71xjFa%2F0VIEFo55JjUmKlOHvhj6b0rJp8aIUUpsBDR%2FLZqmeDT44n0TYUkzfcIlLutGzkvs51q5mrJeeemJL6QT8bKwOFyLEXXO4SZPPduUilqL%2B1j79%2BDUni60qslB23F%2FgjYjG0edIuIfW6yq1yjBgsR34RyCGI5Lc8I%2FVLrF4ZjzIswsIHyhorBolKc7rKhoDz6masxaT",
        "https://vtbehaviour.commondatastorage.googleapis.com/3b145ee102848506dc7551758ee869b43a1753f06fabcbcf9ca574cb7843d60e_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776020136&Signature=H%2FVhg6NRizidJvYP4bRaC%2B%2Fuh8%2F0Z5Rd0CKbYgwrqTxA%2B2BloALbxPU70bhu3eDWE1sqvRizm6xer2MkUeNtxL9kjtBPDD7Vpxe6Oq6R6o22ZN5vWg%2BqZnbM3PVA3wfuJwZ1sZaO7gv79Bd4iyuD9687aMdFTrD5BJ%2Fbd2rKn063HRKOwRubgTuKJwxXlPjVI0ocAdDIvmmDac1rsWOYTbcHVCIKUVrpUCmnjpXsSag%2BZTA",
        "https://vtbehaviour.commondatastorage.googleapis.com/00000722ff984d5cd9cd766d12c70eecc7a2ad7502999c5a99d582c79b92c1a6_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776020243&Signature=H1wTQxzrttgLCjJhjhriXYwMDCRB5ydjPUCYh9LS7Sqr42Y7WZzXZe0hC7YLFaTXYy2N3AsSr89gjIRZR80Jda4iLYyDlgohE9qQ3kFeKNZ%2FNp7IQu5FZY%2FpXRI7rsIlJnvlZmpbI006al7O0LQV5CrC797x%2FTp6jmAxmP5TS7NA%2BGfaDL14G7dIIeHtBoHxi7cbP%2Fe3qT1q3LcRk5oN%2FRV8TXEhpggMmbhYUEmK6ATwmwrh",
        "https://vtbehaviour.commondatastorage.googleapis.com/005fdc2438f1b1e58ea5e4d9c396feea40ad8a4788e90da06ecea60c5a8d79c2_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776020323&Signature=Mogy01Itx6r1B%2BxNe8ittQgO%2FxZRRAb%2F9lJynhxwSVOzHX7CsWRLBNEGHRp0B9k%2Bg%2FHO2jb5K65QRLLPyqkoA45n8CsH6T5790n7E0fsbYtOvp04eV28khNlOt2b%2Feh0a3nwcC%2BNAmxEHgqzaCfQlHBqBjk2ErpfhlpC5uQJchq%2BBgGeuPcFc8YRy4RCmaBiaTeD2V%2FJD7lssTzQfnZhLNMSLqEISDCN7TYsfL1%2BJREl4wSO7C",
        "https://hybrid-analysis.com/sample/4e4fa68c1c4d2cfee133c31432dd303bb5746f7094b5a6832a25e47e6279171c"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1406",
          "name": "Obfuscated Files or Information",
          "display_name": "T1406 - Obfuscated Files or Information"
        },
        {
          "id": "T1409",
          "name": "Access Stored Application Data",
          "display_name": "T1409 - Access Stored Application Data"
        },
        {
          "id": "T1418",
          "name": "Application Discovery",
          "display_name": "T1418 - Application Discovery"
        },
        {
          "id": "T1421",
          "name": "System Network Connections Discovery",
          "display_name": "T1421 - System Network Connections Discovery"
        },
        {
          "id": "T1422",
          "name": "System Network Configuration Discovery",
          "display_name": "T1422 - System Network Configuration Discovery"
        },
        {
          "id": "T1424",
          "name": "Process Discovery",
          "display_name": "T1424 - Process Discovery"
        },
        {
          "id": "T1426",
          "name": "System Information Discovery",
          "display_name": "T1426 - System Information Discovery"
        },
        {
          "id": "T1430",
          "name": "Location Tracking",
          "display_name": "T1430 - Location Tracking"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1203",
          "name": "Exploitation for Client Execution",
          "display_name": "T1203 - Exploitation for Client Execution"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1543",
          "name": "Create or Modify System Process",
          "display_name": "T1543 - Create or Modify System Process"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 302,
        "FileHash-SHA1": 71,
        "FileHash-SHA256": 78,
        "URL": 181,
        "domain": 34,
        "hostname": 237
      },
      "indicator_count": 903,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "18 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69dbeabe5c5690d468b08e7a",
      "name": "CAPE Sandbox",
      "description": "A full report on Google Tag Manager for GA4, available to download on the web at any time, here is the full set of key points and key details for the report: .",
      "modified": "2026-05-12T18:44:07.582000",
      "created": "2026-04-12T18:55:58.319000",
      "tags": [
        "default",
        "typelib",
        "parent pid",
        "full path",
        "command line",
        "inprocserver32",
        "accept",
        "shell folders",
        "host",
        "cname",
        "install",
        "agent",
        "shutdown",
        "win64",
        "back",
        "info",
        "file type",
        "file size",
        "mwdb",
        "bazaar",
        "sha3384",
        "ssdeep",
        "text",
        "json",
        "in a",
        "estonia",
        "body",
        "performs dns",
        "https",
        "mitre attack",
        "network info",
        "processes extra",
        "t1055 process",
        "layer protocol",
        "overview",
        "overview zenbox",
        "verdict",
        "phishing",
        "next",
        "xffxf0 xffxf0",
        "xffxee xffxee",
        "xffxef xffxef",
        "xffxeb xffxeb",
        "px9d",
        "xe4x84",
        "fxf8",
        "x94 x94",
        "xc1 xc1",
        "xffxf1 xffxf1",
        "urls",
        "has permission",
        "united",
        "sim provider",
        "may check",
        "tls version",
        "persistence",
        "pe file",
        "pe32",
        "intel",
        "ms windows",
        "sample",
        "spawns",
        "found",
        "drops pe",
        "sandbox",
        "malware",
        "analysis",
        "online",
        "submit",
        "vxstream",
        "download",
        "trojan",
        "apt",
        "hybrid analysis",
        "api key",
        "vetting process",
        "please note",
        "please"
      ],
      "references": [
        "https://vtbehaviour.commondatastorage.googleapis.com/007b0aa19218de7fe7b47dc785b345e4e09f8c8a133c689dafc778cf793e3ce0_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776019916&Signature=xU%2B28g7ql0wStAL7V97bG%2Bu0WHtev4OIGz8U3iqDKd%2FVNVlrDQ3vuAEteGPtDDR7qOlLSsItJmNBqGgWLySJ6U0nGICmzJVo0byP8H6%2Fd3HprkIH74LXAL%2FamR8rSKAlS1VWW%2FnGofIVc0zLtQeJdz%2BAMpNC0WX4pzvsIv2uagnjpUxUyVUykArW18%2FIapRYlTQZ0g4MdrwH%2FZ7h%2F0u9jGUM6rAiCBz33EYObn4aNb",
        "https://vtbehaviour.commondatastorage.googleapis.com/3b145ee102848506dc7551758ee869b43a1753f06fabcbcf9ca574cb7843d60e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776019946&Signature=JcVZlsCApsz0O52G3FOi%2BaimamYfGaduCcu4UnDC9VmXvZgqZ7fDxGeCnZM9NPUhmq0561rZ8PRIqA52RiBX3KnC7vhJa9PFjro5MHPo48Ypu9wL0RVB7C0RmZ3osycpkpyxEhtxKbIBAhFSEeMaEF%2F1BQw5%2BiCzEgPRP4X89bIAzw2EDpi3ulfCz8hms3FgCvWD6JMXBGKQJt1aE58BlUPY7ZhwLtbK4kOd4wzZjtfRjMqcTIEH7E0l",
        "https://vtbehaviour.commondatastorage.googleapis.com/3aebd918df444e5261a70a7b9957a04b62899583cca94cb90078ee348988691e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776020086&Signature=vMuNzon2yUMc%2F5PXmshAS3lf0MVaReBDP3dcoOo82NLL71xjFa%2F0VIEFo55JjUmKlOHvhj6b0rJp8aIUUpsBDR%2FLZqmeDT44n0TYUkzfcIlLutGzkvs51q5mrJeeemJL6QT8bKwOFyLEXXO4SZPPduUilqL%2B1j79%2BDUni60qslB23F%2FgjYjG0edIuIfW6yq1yjBgsR34RyCGI5Lc8I%2FVLrF4ZjzIswsIHyhorBolKc7rKhoDz6masxaT",
        "https://vtbehaviour.commondatastorage.googleapis.com/3b145ee102848506dc7551758ee869b43a1753f06fabcbcf9ca574cb7843d60e_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776020136&Signature=H%2FVhg6NRizidJvYP4bRaC%2B%2Fuh8%2F0Z5Rd0CKbYgwrqTxA%2B2BloALbxPU70bhu3eDWE1sqvRizm6xer2MkUeNtxL9kjtBPDD7Vpxe6Oq6R6o22ZN5vWg%2BqZnbM3PVA3wfuJwZ1sZaO7gv79Bd4iyuD9687aMdFTrD5BJ%2Fbd2rKn063HRKOwRubgTuKJwxXlPjVI0ocAdDIvmmDac1rsWOYTbcHVCIKUVrpUCmnjpXsSag%2BZTA",
        "https://vtbehaviour.commondatastorage.googleapis.com/00000722ff984d5cd9cd766d12c70eecc7a2ad7502999c5a99d582c79b92c1a6_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776020243&Signature=H1wTQxzrttgLCjJhjhriXYwMDCRB5ydjPUCYh9LS7Sqr42Y7WZzXZe0hC7YLFaTXYy2N3AsSr89gjIRZR80Jda4iLYyDlgohE9qQ3kFeKNZ%2FNp7IQu5FZY%2FpXRI7rsIlJnvlZmpbI006al7O0LQV5CrC797x%2FTp6jmAxmP5TS7NA%2BGfaDL14G7dIIeHtBoHxi7cbP%2Fe3qT1q3LcRk5oN%2FRV8TXEhpggMmbhYUEmK6ATwmwrh",
        "https://vtbehaviour.commondatastorage.googleapis.com/005fdc2438f1b1e58ea5e4d9c396feea40ad8a4788e90da06ecea60c5a8d79c2_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776020323&Signature=Mogy01Itx6r1B%2BxNe8ittQgO%2FxZRRAb%2F9lJynhxwSVOzHX7CsWRLBNEGHRp0B9k%2Bg%2FHO2jb5K65QRLLPyqkoA45n8CsH6T5790n7E0fsbYtOvp04eV28khNlOt2b%2Feh0a3nwcC%2BNAmxEHgqzaCfQlHBqBjk2ErpfhlpC5uQJchq%2BBgGeuPcFc8YRy4RCmaBiaTeD2V%2FJD7lssTzQfnZhLNMSLqEISDCN7TYsfL1%2BJREl4wSO7C",
        "https://hybrid-analysis.com/sample/4e4fa68c1c4d2cfee133c31432dd303bb5746f7094b5a6832a25e47e6279171c"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1406",
          "name": "Obfuscated Files or Information",
          "display_name": "T1406 - Obfuscated Files or Information"
        },
        {
          "id": "T1409",
          "name": "Access Stored Application Data",
          "display_name": "T1409 - Access Stored Application Data"
        },
        {
          "id": "T1418",
          "name": "Application Discovery",
          "display_name": "T1418 - Application Discovery"
        },
        {
          "id": "T1421",
          "name": "System Network Connections Discovery",
          "display_name": "T1421 - System Network Connections Discovery"
        },
        {
          "id": "T1422",
          "name": "System Network Configuration Discovery",
          "display_name": "T1422 - System Network Configuration Discovery"
        },
        {
          "id": "T1424",
          "name": "Process Discovery",
          "display_name": "T1424 - Process Discovery"
        },
        {
          "id": "T1426",
          "name": "System Information Discovery",
          "display_name": "T1426 - System Information Discovery"
        },
        {
          "id": "T1430",
          "name": "Location Tracking",
          "display_name": "T1430 - Location Tracking"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1203",
          "name": "Exploitation for Client Execution",
          "display_name": "T1203 - Exploitation for Client Execution"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1543",
          "name": "Create or Modify System Process",
          "display_name": "T1543 - Create or Modify System Process"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 302,
        "FileHash-SHA1": 71,
        "FileHash-SHA256": 78,
        "URL": 181,
        "domain": 34,
        "hostname": 237
      },
      "indicator_count": 903,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "18 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69dbeabf8e4208f8af8b744d",
      "name": "CAPE Sandbox",
      "description": "A full report on Google Tag Manager for GA4, available to download on the web at any time, here is the full set of key points and key details for the report: .",
      "modified": "2026-05-12T18:44:07.582000",
      "created": "2026-04-12T18:55:59.161000",
      "tags": [
        "default",
        "typelib",
        "parent pid",
        "full path",
        "command line",
        "inprocserver32",
        "accept",
        "shell folders",
        "host",
        "cname",
        "install",
        "agent",
        "shutdown",
        "win64",
        "back",
        "info",
        "file type",
        "file size",
        "mwdb",
        "bazaar",
        "sha3384",
        "ssdeep",
        "text",
        "json",
        "in a",
        "estonia",
        "body",
        "performs dns",
        "https",
        "mitre attack",
        "network info",
        "processes extra",
        "t1055 process",
        "layer protocol",
        "overview",
        "overview zenbox",
        "verdict",
        "phishing",
        "next",
        "xffxf0 xffxf0",
        "xffxee xffxee",
        "xffxef xffxef",
        "xffxeb xffxeb",
        "px9d",
        "xe4x84",
        "fxf8",
        "x94 x94",
        "xc1 xc1",
        "xffxf1 xffxf1",
        "urls",
        "has permission",
        "united",
        "sim provider",
        "may check",
        "tls version",
        "persistence",
        "pe file",
        "pe32",
        "intel",
        "ms windows",
        "sample",
        "spawns",
        "found",
        "drops pe",
        "sandbox",
        "malware",
        "analysis",
        "online",
        "submit",
        "vxstream",
        "download",
        "trojan",
        "apt",
        "hybrid analysis",
        "api key",
        "vetting process",
        "please note",
        "please"
      ],
      "references": [
        "https://vtbehaviour.commondatastorage.googleapis.com/007b0aa19218de7fe7b47dc785b345e4e09f8c8a133c689dafc778cf793e3ce0_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776019916&Signature=xU%2B28g7ql0wStAL7V97bG%2Bu0WHtev4OIGz8U3iqDKd%2FVNVlrDQ3vuAEteGPtDDR7qOlLSsItJmNBqGgWLySJ6U0nGICmzJVo0byP8H6%2Fd3HprkIH74LXAL%2FamR8rSKAlS1VWW%2FnGofIVc0zLtQeJdz%2BAMpNC0WX4pzvsIv2uagnjpUxUyVUykArW18%2FIapRYlTQZ0g4MdrwH%2FZ7h%2F0u9jGUM6rAiCBz33EYObn4aNb",
        "https://vtbehaviour.commondatastorage.googleapis.com/3b145ee102848506dc7551758ee869b43a1753f06fabcbcf9ca574cb7843d60e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776019946&Signature=JcVZlsCApsz0O52G3FOi%2BaimamYfGaduCcu4UnDC9VmXvZgqZ7fDxGeCnZM9NPUhmq0561rZ8PRIqA52RiBX3KnC7vhJa9PFjro5MHPo48Ypu9wL0RVB7C0RmZ3osycpkpyxEhtxKbIBAhFSEeMaEF%2F1BQw5%2BiCzEgPRP4X89bIAzw2EDpi3ulfCz8hms3FgCvWD6JMXBGKQJt1aE58BlUPY7ZhwLtbK4kOd4wzZjtfRjMqcTIEH7E0l",
        "https://vtbehaviour.commondatastorage.googleapis.com/3aebd918df444e5261a70a7b9957a04b62899583cca94cb90078ee348988691e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776020086&Signature=vMuNzon2yUMc%2F5PXmshAS3lf0MVaReBDP3dcoOo82NLL71xjFa%2F0VIEFo55JjUmKlOHvhj6b0rJp8aIUUpsBDR%2FLZqmeDT44n0TYUkzfcIlLutGzkvs51q5mrJeeemJL6QT8bKwOFyLEXXO4SZPPduUilqL%2B1j79%2BDUni60qslB23F%2FgjYjG0edIuIfW6yq1yjBgsR34RyCGI5Lc8I%2FVLrF4ZjzIswsIHyhorBolKc7rKhoDz6masxaT",
        "https://vtbehaviour.commondatastorage.googleapis.com/3b145ee102848506dc7551758ee869b43a1753f06fabcbcf9ca574cb7843d60e_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776020136&Signature=H%2FVhg6NRizidJvYP4bRaC%2B%2Fuh8%2F0Z5Rd0CKbYgwrqTxA%2B2BloALbxPU70bhu3eDWE1sqvRizm6xer2MkUeNtxL9kjtBPDD7Vpxe6Oq6R6o22ZN5vWg%2BqZnbM3PVA3wfuJwZ1sZaO7gv79Bd4iyuD9687aMdFTrD5BJ%2Fbd2rKn063HRKOwRubgTuKJwxXlPjVI0ocAdDIvmmDac1rsWOYTbcHVCIKUVrpUCmnjpXsSag%2BZTA",
        "https://vtbehaviour.commondatastorage.googleapis.com/00000722ff984d5cd9cd766d12c70eecc7a2ad7502999c5a99d582c79b92c1a6_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776020243&Signature=H1wTQxzrttgLCjJhjhriXYwMDCRB5ydjPUCYh9LS7Sqr42Y7WZzXZe0hC7YLFaTXYy2N3AsSr89gjIRZR80Jda4iLYyDlgohE9qQ3kFeKNZ%2FNp7IQu5FZY%2FpXRI7rsIlJnvlZmpbI006al7O0LQV5CrC797x%2FTp6jmAxmP5TS7NA%2BGfaDL14G7dIIeHtBoHxi7cbP%2Fe3qT1q3LcRk5oN%2FRV8TXEhpggMmbhYUEmK6ATwmwrh",
        "https://vtbehaviour.commondatastorage.googleapis.com/005fdc2438f1b1e58ea5e4d9c396feea40ad8a4788e90da06ecea60c5a8d79c2_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776020323&Signature=Mogy01Itx6r1B%2BxNe8ittQgO%2FxZRRAb%2F9lJynhxwSVOzHX7CsWRLBNEGHRp0B9k%2Bg%2FHO2jb5K65QRLLPyqkoA45n8CsH6T5790n7E0fsbYtOvp04eV28khNlOt2b%2Feh0a3nwcC%2BNAmxEHgqzaCfQlHBqBjk2ErpfhlpC5uQJchq%2BBgGeuPcFc8YRy4RCmaBiaTeD2V%2FJD7lssTzQfnZhLNMSLqEISDCN7TYsfL1%2BJREl4wSO7C",
        "https://hybrid-analysis.com/sample/4e4fa68c1c4d2cfee133c31432dd303bb5746f7094b5a6832a25e47e6279171c"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1406",
          "name": "Obfuscated Files or Information",
          "display_name": "T1406 - Obfuscated Files or Information"
        },
        {
          "id": "T1409",
          "name": "Access Stored Application Data",
          "display_name": "T1409 - Access Stored Application Data"
        },
        {
          "id": "T1418",
          "name": "Application Discovery",
          "display_name": "T1418 - Application Discovery"
        },
        {
          "id": "T1421",
          "name": "System Network Connections Discovery",
          "display_name": "T1421 - System Network Connections Discovery"
        },
        {
          "id": "T1422",
          "name": "System Network Configuration Discovery",
          "display_name": "T1422 - System Network Configuration Discovery"
        },
        {
          "id": "T1424",
          "name": "Process Discovery",
          "display_name": "T1424 - Process Discovery"
        },
        {
          "id": "T1426",
          "name": "System Information Discovery",
          "display_name": "T1426 - System Information Discovery"
        },
        {
          "id": "T1430",
          "name": "Location Tracking",
          "display_name": "T1430 - Location Tracking"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1203",
          "name": "Exploitation for Client Execution",
          "display_name": "T1203 - Exploitation for Client Execution"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1543",
          "name": "Create or Modify System Process",
          "display_name": "T1543 - Create or Modify System Process"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 302,
        "FileHash-SHA1": 71,
        "FileHash-SHA256": 78,
        "URL": 181,
        "domain": 34,
        "hostname": 237
      },
      "indicator_count": 903,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "18 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69faf0e7e922f6018d039d15",
      "name": "CAPE Sandbox - Aurora like Flo.",
      "description": "This research pulse identifies a file exhibiting high-frequency network activity with minimal local file system impact. The sample bypasses common detection signatures, relying on encrypted communications and rapid DNS resolution to establish external connections.\nTechnical Analysis & MITRE ATT&CK\nCommand and Control (T1071.001): The sample utilizes standard Web Protocols (HTTP/DNS) for external communication.\nReconnaissance (T1589): High volume of unique IP connections (17) and DNS queries (6) suggests automated environmental scanning or identity gathering.\nProtocol Obfuscation: The presence of 11 unique JA3 fingerprints indicates a sophisticated rotating encryption strategy for SSL/TLS traffic to evade traditional network inspection.\nIndicators of Compromise (IoCs)\nFile Hash (SHA-256): df8f1674d7034cb48fcd0651304833febfcaf1814c8294839246e9db1d269b1d\nNetwork Activity with Nextron:\nHTTP Requests: 5\nDNS Queries: 6\nUnique IP Connections: 17\nEncrypted Traffic: 11 JA3 SSL/TLS fingerprints observed.",
      "modified": "2026-05-06T10:50:46.591000",
      "created": "2026-05-06T07:42:31.304000",
      "tags": [
        "html internet",
        "html document",
        "ascii text",
        "code",
        "date",
        "icann whois",
        "server",
        "registrar abuse",
        "whois status",
        "notice",
        "dnssec",
        "registrant name",
        "tech email",
        "form",
        "tech",
        "handle",
        "address range",
        "cidr",
        "network name",
        "allocation type",
        "allocated pa",
        "status",
        "whois server",
        "entity scipmnt",
        "nextron",
        "show",
        "read",
        "t series",
        "textron",
        "europe",
        "nextron product",
        "brands",
        "transportation",
        "taiwan"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 2,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 151,
        "hostname": 232,
        "domain": 98,
        "FileHash-MD5": 50,
        "FileHash-SHA1": 6,
        "FileHash-SHA256": 32,
        "IPv4": 44,
        "email": 1,
        "CIDR": 2,
        "CVE": 1
      },
      "indicator_count": 617,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "25 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69faf0e688402e4e3ab85930",
      "name": "CAPE Sandbox - Aurora like Flo.",
      "description": "This research pulse identifies a file exhibiting high-frequency network activity with minimal local file system impact. The sample bypasses common detection signatures, relying on encrypted communications and rapid DNS resolution to establish external connections.\nTechnical Analysis & MITRE ATT&CK\nCommand and Control (T1071.001): The sample utilizes standard Web Protocols (HTTP/DNS) for external communication.\nReconnaissance (T1589): High volume of unique IP connections (17) and DNS queries (6) suggests automated environmental scanning or identity gathering.\nProtocol Obfuscation: The presence of 11 unique JA3 fingerprints indicates a sophisticated rotating encryption strategy for SSL/TLS traffic to evade traditional network inspection.\nIndicators of Compromise (IoCs)\nFile Hash (SHA-256): df8f1674d7034cb48fcd0651304833febfcaf1814c8294839246e9db1d269b1d\nNetwork Activity with Nextron:\nHTTP Requests: 5\nDNS Queries: 6\nUnique IP Connections: 17\nEncrypted Traffic: 11 JA3 SSL/TLS fingerprints observed.",
      "modified": "2026-05-06T10:50:46.337000",
      "created": "2026-05-06T07:42:30.565000",
      "tags": [
        "html internet",
        "html document",
        "ascii text",
        "code",
        "date",
        "icann whois",
        "server",
        "registrar abuse",
        "whois status",
        "notice",
        "dnssec",
        "registrant name",
        "tech email",
        "form",
        "tech",
        "handle",
        "address range",
        "cidr",
        "network name",
        "allocation type",
        "allocated pa",
        "status",
        "whois server",
        "entity scipmnt",
        "nextron",
        "show",
        "read",
        "t series",
        "textron",
        "europe",
        "nextron product",
        "brands",
        "transportation",
        "taiwan"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 88,
        "hostname": 185,
        "domain": 62,
        "FileHash-MD5": 16,
        "FileHash-SHA1": 4,
        "FileHash-SHA256": 17,
        "IPv4": 32,
        "email": 1,
        "CIDR": 2,
        "CVE": 1
      },
      "indicator_count": 408,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "25 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://permiteyes.us/cohasset/loginuser.php",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://permiteyes.us/cohasset/loginuser.php",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780226135.2881796
}