{ "type": "URL", "indicator": "https://forms.cloud.microsoft/pages/responsepage.aspx...", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://forms.cloud.microsoft/pages/responsepage.aspx...", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4305605852, "indicator": "https://forms.cloud.microsoft/pages/responsepage.aspx...", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 14, "pulses": [ { "id": "69de5660177cfb2b911d0416", "name": "VirusTotal report\n for document.html", "description": "The full text of the full report on this year's EU Referendum, which will take place on 26 May 2017, will be published on 23 June.. and will appear on BBC One.", "modified": "2026-04-16T07:18:14.946000", "created": "2026-04-14T14:59:44.158000", "tags": [ "thumbprint", "server", "domain status", "not available", "combell", "fri oct", "domain name", "mitre attack", "network info", "performs dns", "found", "t1055 process", "overview", "processes extra", "overview zenbox", "verdict", "guest system", "next", "cauliflower", "ardo", "script", "green", "grey", "doctype html", "head", "ieedge", "meta", "noscript", "generator", "title", "fri jan", "value a", "cname", "file type", "unix", "dropped info", "linux verdict", "persistence", "malicious", "pe file", "pe32", "ms windows", "crlf line", "ascii text", "drops pe", "intel", "json", "info", "windows sandbox", "calls process", "algorithm", "key identifier", "x509v3 subject", "full name", "v3 serial", "number", "cus odigicert", "inc cndigicert", "global g3", "tls ecc" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/c171805ee886339a1f5ee75f7ebfbb030d316f6ada7dd2dc6c795c0de6000a34_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776177598&Signature=3OaXWi9Bxykp1wiOQNdwBhSVh8X4mMPRcbHBESETUx1dPXdeEb1wMVgkjjvnvvnZ14XzPuL4vMeT%2BM6%2B8cU0CciC2%2B%2BGT%2Fb9mRX1cN%2FXaafCIMjd8vWaqZtK1dawDuh8iKwPBAcYgi6vCnMgp28hPTUgniT1p0WNyIRU3CJvLwPSEU28quYE2LfQp6%2FL8YplQb8mVS%2FgoyB71aRRbadnyiAysuNsHN1pdEaY402DuI5QYpc9B1odu5", "https://vtbehaviour.commondatastorage.googleapis.com/c171805ee886339a1f5ee75f7ebfbb030d316f6ada7dd2dc6c795c0de6000a34_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776177637&Signature=BUiivmwCPsrCikfAjB28LBQHMVx%2FgTbehNpsMuz2VuoKMd%2FiRN1rhKYa8lS%2BTYZ1RNXXVqAR3ISVvI%2FmBIiPXTCg267f4DupHMvxLnZmQ7N0KqABTuh43x9kfuureCni9NLunQFSSWJwdt0KNQS3%2F57kVbeEOIzP7%2BcwyvyzuUpwFQR0d5Z6FniQUM0OXkWdAQwOXY3K%2FZlOIpXUtbyYLoXFI2SxAVG0cSF%2F5LRfI%2BqV", "https://vtbehaviour.commondatastorage.googleapis.com/b5cbc5fb20fb38eeec1be1b9befddfb1fb4e74ebd6393c5a284600b4fd8edd72_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776178045&Signature=hfNfMWMWKlkR0dmNZ4tTVvmgM0aQ3daOKDfK8yNihejr3kujfb37wAq3LmH7qtp%2BoiIbsDP06zGcG8dlexlRIuv37dwHofiSildpsN54e2zZ%2F%2Fn25cvnS2OqCOrlkZKLS4HfUQG4uDxTT6nCFFjtk1d88D7GRghUOiDYdLgbVfBW5DFTJ5bmDWA%2F%2FQn7%2BGjfOnnJonkxYfKJ0NAUYmESIbbNs2z4ZohntfXj28HJ8ofBVh09Vk", "https://vtbehaviour.commondatastorage.googleapis.com/b5cbc5fb20fb38eeec1be1b9befddfb1fb4e74ebd6393c5a284600b4fd8edd72_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776178084&Signature=l9VaaMtAu36gwPzacEQuEKIUtylRuocPeqapPjRJQlHLBAGzVaxtTG4tKKub3yjMoWmZ2pKMlpvNWm3hp0Fnvoj9c1RoQqis7Bza5ZkPbTWPic23pN64nADTtHu%2FpwsHeBc5e7ODzJiPCloc2E7y8Fc0OyaCv%2BRvL9Cp746CDgls39HfPWI4ukTSy5F2TsRUo36dz76PT%2FubK3HFHzUNnsFLj%2BZ8iif%2BgE9FpwabJT5WlgvUiqpqna6tcVHl", "https://vtbehaviour.commondatastorage.googleapis.com/b5cbc5fb20fb38eeec1be1b9befddfb1fb4e74ebd6393c5a284600b4fd8edd72_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776178098&Signature=uIxrV8sFHqQAjkRjYKVDQ1S%2FeWLsS9K%2F9PqMGOdk9nETeHOFarhSPqnYVH3z5vORlVnlvKrk10heyaF9Ks%2BfMnudJoqDG6UjXULyT5HbpHKXvdQItgfeAH6ZSHI%2FRRvWIw%2BEJoYnPVIn3gczV1o5LnA5flIbFyXVb%2BwulQMPJnSdhvsQx7PFkAY%2Bukjs4CYlC%2FrL3k8ouSPhJezZgJX3oMBL%2Bgxl15NF20wkj3" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 118, "domain": 361, "IPv4": 41, "hostname": 462, "URL": 291, "FileHash-SHA256": 968, "FileHash-MD5": 83, "CVE": 3 }, "indicator_count": 2327, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "3 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69de565b32d80c2973c2fd77", "name": "VirusTotal report\n for document.html", "description": "The full text of the full report on this year's EU Referendum, which will take place on 26 May 2017, will be published on 23 June.. and will appear on BBC One.", "modified": "2026-04-16T07:18:13.574000", "created": "2026-04-14T14:59:39.743000", "tags": [ "thumbprint", "server", "domain status", "not available", "combell", "fri oct", "domain name", "mitre attack", "network info", "performs dns", "found", "t1055 process", "overview", "processes extra", "overview zenbox", "verdict", "guest system", "next", "cauliflower", "ardo", "script", "green", "grey", "doctype html", "head", "ieedge", "meta", "noscript", "generator", "title", "fri jan", "value a", "cname", "file type", "unix", "dropped info", "linux verdict", "persistence", "malicious", "pe file", "pe32", "ms windows", "crlf line", "ascii text", "drops pe", "intel", "json", "info", "windows sandbox", "calls process", "algorithm", "key identifier", "x509v3 subject", "full name", "v3 serial", "number", "cus odigicert", "inc cndigicert", "global g3", "tls ecc" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/c171805ee886339a1f5ee75f7ebfbb030d316f6ada7dd2dc6c795c0de6000a34_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776177598&Signature=3OaXWi9Bxykp1wiOQNdwBhSVh8X4mMPRcbHBESETUx1dPXdeEb1wMVgkjjvnvvnZ14XzPuL4vMeT%2BM6%2B8cU0CciC2%2B%2BGT%2Fb9mRX1cN%2FXaafCIMjd8vWaqZtK1dawDuh8iKwPBAcYgi6vCnMgp28hPTUgniT1p0WNyIRU3CJvLwPSEU28quYE2LfQp6%2FL8YplQb8mVS%2FgoyB71aRRbadnyiAysuNsHN1pdEaY402DuI5QYpc9B1odu5", "https://vtbehaviour.commondatastorage.googleapis.com/c171805ee886339a1f5ee75f7ebfbb030d316f6ada7dd2dc6c795c0de6000a34_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776177637&Signature=BUiivmwCPsrCikfAjB28LBQHMVx%2FgTbehNpsMuz2VuoKMd%2FiRN1rhKYa8lS%2BTYZ1RNXXVqAR3ISVvI%2FmBIiPXTCg267f4DupHMvxLnZmQ7N0KqABTuh43x9kfuureCni9NLunQFSSWJwdt0KNQS3%2F57kVbeEOIzP7%2BcwyvyzuUpwFQR0d5Z6FniQUM0OXkWdAQwOXY3K%2FZlOIpXUtbyYLoXFI2SxAVG0cSF%2F5LRfI%2BqV", "https://vtbehaviour.commondatastorage.googleapis.com/b5cbc5fb20fb38eeec1be1b9befddfb1fb4e74ebd6393c5a284600b4fd8edd72_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776178045&Signature=hfNfMWMWKlkR0dmNZ4tTVvmgM0aQ3daOKDfK8yNihejr3kujfb37wAq3LmH7qtp%2BoiIbsDP06zGcG8dlexlRIuv37dwHofiSildpsN54e2zZ%2F%2Fn25cvnS2OqCOrlkZKLS4HfUQG4uDxTT6nCFFjtk1d88D7GRghUOiDYdLgbVfBW5DFTJ5bmDWA%2F%2FQn7%2BGjfOnnJonkxYfKJ0NAUYmESIbbNs2z4ZohntfXj28HJ8ofBVh09Vk", "https://vtbehaviour.commondatastorage.googleapis.com/b5cbc5fb20fb38eeec1be1b9befddfb1fb4e74ebd6393c5a284600b4fd8edd72_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776178084&Signature=l9VaaMtAu36gwPzacEQuEKIUtylRuocPeqapPjRJQlHLBAGzVaxtTG4tKKub3yjMoWmZ2pKMlpvNWm3hp0Fnvoj9c1RoQqis7Bza5ZkPbTWPic23pN64nADTtHu%2FpwsHeBc5e7ODzJiPCloc2E7y8Fc0OyaCv%2BRvL9Cp746CDgls39HfPWI4ukTSy5F2TsRUo36dz76PT%2FubK3HFHzUNnsFLj%2BZ8iif%2BgE9FpwabJT5WlgvUiqpqna6tcVHl", "https://vtbehaviour.commondatastorage.googleapis.com/b5cbc5fb20fb38eeec1be1b9befddfb1fb4e74ebd6393c5a284600b4fd8edd72_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776178098&Signature=uIxrV8sFHqQAjkRjYKVDQ1S%2FeWLsS9K%2F9PqMGOdk9nETeHOFarhSPqnYVH3z5vORlVnlvKrk10heyaF9Ks%2BfMnudJoqDG6UjXULyT5HbpHKXvdQItgfeAH6ZSHI%2FRRvWIw%2BEJoYnPVIn3gczV1o5LnA5flIbFyXVb%2BwulQMPJnSdhvsQx7PFkAY%2Bukjs4CYlC%2FrL3k8ouSPhJezZgJX3oMBL%2Bgxl15NF20wkj3" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 154, "domain": 367, "IPv4": 79, "hostname": 474, "URL": 293, "FileHash-SHA256": 1010, "FileHash-MD5": 119, "CVE": 11 }, "indicator_count": 2507, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "3 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69de69fe42542016114edaeb", "name": "VirusTotal report\n for document.html", "description": "A full report on malicious code found in an HTML file, compiled by Adobe, has been published by the University of California, San Francisco, at \u00c2\u00a31.5m (US$2.3m).", "modified": "2026-04-15T17:34:45.078000", "created": "2026-04-14T16:23:26.071000", "tags": [ "license", "performs dns", "mitre attack", "network info", "processes extra", "t1055 process", "overview", "overview zenbox", "verdict", "guest system", "phishing", "next", "script", "adobe", "apache license", "version", "unless", "as is", "basis", "any kind", "doctype html", "meta", "body", "pe file", "binary", "aslr", "ole file", "cname", "strong", "library", "accept", "cape sandbox", "pdb path", "name", "address virtual", "ip address", "shutdown", "pe32", "ms windows", "win16 ne", "os2 executable", "generic windos", "executable", "dos executable", "pe64 compiler", "ltcgc", "linker", "windows third", "party component", "valid from", "valid", "valid usage", "whql crypto", "code signing", "algorithm", "thumbprint", "serial number", "more" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/d11869fdfbf4bd87085e351b24d2c0e2ba5813fa267b05d969d9d2e46685d113_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183621&Signature=uQSwwOzpii%2FcKjaUt3UZ%2FKZ3C4DkSr3t5dURsz2pP4Es9CFMIWEz6oIAcURcfVri02K%2BedntrmLkvOs6c3g0yFcdgd9a82ARJF9jS5mDQGPXq9y54iiFvjgN98zNT%2BgoGoBF3IxeSAWO47BNwqYPY%2FzaVM0Pv14iXCBltAIH2Ss8R0OYrQytKcQLW48ggBvdA6fDl9x78WtpptMgs9Eu85KAN0wwHvtcrRpd1notnOQZYiYBk1qaAWD4HSrr", "https://vtbehaviour.commondatastorage.googleapis.com/d11869fdfbf4bd87085e351b24d2c0e2ba5813fa267b05d969d9d2e46685d113_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183658&Signature=tGjgj1F2qTBNB3zHOFjuVYbUuozwv%2FUH29aF5d5gmEhofNVf4N5DfD%2BmI9DjozB0MrJ96DeCjGEoPRo7i9Whr%2BThEkSnRgHkjV%2FPWe7tUL3zkNeuKXjs4bWH8BIxmdFyqGSy4cKx99ymtQAp%2F8AWxhqd15coMoLM31YqCpn8PnzvKtYQnIORJQjfhTUdyhha%2FmWvy7gaHGpZvJpaXiyF4IlYWdn9uYy%2FOSAR5Sh3f4F8fX3v", "https://vtbehaviour.commondatastorage.googleapis.com/000020331380e6110b5beba407728730579ebf170517913cc364e7dcb114187b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183676&Signature=IqbnhkkWYeM6kbjfuoTYF2bD3VY52MzFCe5v2P6L5%2FvT66S4ZUFYI3vDp1VG9lGc%2BD%2FJ2J3U67VgV%2BLYeRFGqnQdkctuODu7CXIAc%2FhcLsIB1HWqR9qge57%2FDpdeQUbM%2BjuZ5TWqdfA%2Bqhc1jioTcgrPNBR3JE6M97q%2BxKrz4CUb3WIOfl1mIP91XjXy2cReTAKc%2FsLCnmEvrIFVXx%2BaFUCpCCMCRxF8QOMb67WRJ8hD0iaM", "https://vtbehaviour.commondatastorage.googleapis.com/000020331380e6110b5beba407728730579ebf170517913cc364e7dcb114187b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183694&Signature=ZUnl%2FqTfn6nD5eHS7RvwcH%2Fv5Vtm4wB5Yc0hpeinjJ4Mk3V9%2FRkc6%2BJNireFTPFGSOwaLYwemKQwQA0okh9hYBN5ncSDlB6OSnED3OnM3iZUQDEdLBwgYUEP3M%2Bsg0s2XOV36s1V20ivPLzQVUrRM7CkuEyCsyWm7CCJQGdJBRcsNfR1BsgAOtLpiC6WPKr4xFa5QUh6PSgoGNXSDtj1Mk6Gs9iyav6G%2FtZYVoM%2FBUfcGg8W" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 16, "FileHash-SHA1": 3, "FileHash-SHA256": 175, "IPv4": 47, "URL": 114, "hostname": 130, "domain": 43 }, "indicator_count": 528, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "4 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69de69d63c6bc7ab66605f86", "name": "VirusTotal report\n for document.html", "description": "A full report on malicious code found in an HTML file, compiled by Adobe, has been published by the University of California, San Francisco, at \u00c2\u00a31.5m (US$2.3m).", "modified": "2026-04-15T17:27:59.100000", "created": "2026-04-14T16:22:46.502000", "tags": [ "license", "performs dns", "mitre attack", "network info", "processes extra", "t1055 process", "overview", "overview zenbox", "verdict", "guest system", "phishing", "next", "script", "adobe", "apache license", "version", "unless", "as is", "basis", "any kind", "doctype html", "meta", "body", "pe file", "binary", "aslr", "ole file", "cname", "strong", "library", "accept", "cape sandbox", "pdb path", "name", "address virtual", "ip address", "shutdown", "pe32", "ms windows", "win16 ne", "os2 executable", "generic windos", "executable", "dos executable", "pe64 compiler", "ltcgc", "linker", "windows third", "party component", "valid from", "valid", "valid usage", "whql crypto", "code signing", "algorithm", "thumbprint", "serial number", "more" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/d11869fdfbf4bd87085e351b24d2c0e2ba5813fa267b05d969d9d2e46685d113_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183621&Signature=uQSwwOzpii%2FcKjaUt3UZ%2FKZ3C4DkSr3t5dURsz2pP4Es9CFMIWEz6oIAcURcfVri02K%2BedntrmLkvOs6c3g0yFcdgd9a82ARJF9jS5mDQGPXq9y54iiFvjgN98zNT%2BgoGoBF3IxeSAWO47BNwqYPY%2FzaVM0Pv14iXCBltAIH2Ss8R0OYrQytKcQLW48ggBvdA6fDl9x78WtpptMgs9Eu85KAN0wwHvtcrRpd1notnOQZYiYBk1qaAWD4HSrr", "https://vtbehaviour.commondatastorage.googleapis.com/d11869fdfbf4bd87085e351b24d2c0e2ba5813fa267b05d969d9d2e46685d113_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183658&Signature=tGjgj1F2qTBNB3zHOFjuVYbUuozwv%2FUH29aF5d5gmEhofNVf4N5DfD%2BmI9DjozB0MrJ96DeCjGEoPRo7i9Whr%2BThEkSnRgHkjV%2FPWe7tUL3zkNeuKXjs4bWH8BIxmdFyqGSy4cKx99ymtQAp%2F8AWxhqd15coMoLM31YqCpn8PnzvKtYQnIORJQjfhTUdyhha%2FmWvy7gaHGpZvJpaXiyF4IlYWdn9uYy%2FOSAR5Sh3f4F8fX3v", "https://vtbehaviour.commondatastorage.googleapis.com/000020331380e6110b5beba407728730579ebf170517913cc364e7dcb114187b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183676&Signature=IqbnhkkWYeM6kbjfuoTYF2bD3VY52MzFCe5v2P6L5%2FvT66S4ZUFYI3vDp1VG9lGc%2BD%2FJ2J3U67VgV%2BLYeRFGqnQdkctuODu7CXIAc%2FhcLsIB1HWqR9qge57%2FDpdeQUbM%2BjuZ5TWqdfA%2Bqhc1jioTcgrPNBR3JE6M97q%2BxKrz4CUb3WIOfl1mIP91XjXy2cReTAKc%2FsLCnmEvrIFVXx%2BaFUCpCCMCRxF8QOMb67WRJ8hD0iaM", "https://vtbehaviour.commondatastorage.googleapis.com/000020331380e6110b5beba407728730579ebf170517913cc364e7dcb114187b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183694&Signature=ZUnl%2FqTfn6nD5eHS7RvwcH%2Fv5Vtm4wB5Yc0hpeinjJ4Mk3V9%2FRkc6%2BJNireFTPFGSOwaLYwemKQwQA0okh9hYBN5ncSDlB6OSnED3OnM3iZUQDEdLBwgYUEP3M%2Bsg0s2XOV36s1V20ivPLzQVUrRM7CkuEyCsyWm7CCJQGdJBRcsNfR1BsgAOtLpiC6WPKr4xFa5QUh6PSgoGNXSDtj1Mk6Gs9iyav6G%2FtZYVoM%2FBUfcGg8W" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 16, "FileHash-SHA1": 3, "FileHash-SHA256": 175, "IPv4": 43, "URL": 110, "hostname": 130, "domain": 41 }, "indicator_count": 518, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "4 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69de69d5a54cff2f8c80ba0b", "name": "VirusTotal report\n for document.html", "description": "A full report on malicious code found in an HTML file, compiled by Adobe, has been published by the University of California, San Francisco, at \u00c2\u00a31.5m (US$2.3m).", "modified": "2026-04-15T17:27:58.724000", "created": "2026-04-14T16:22:45.821000", "tags": [ "license", "performs dns", "mitre attack", "network info", "processes extra", "t1055 process", "overview", "overview zenbox", "verdict", "guest system", "phishing", "next", "script", "adobe", "apache license", "version", "unless", "as is", "basis", "any kind", "doctype html", "meta", "body", "pe file", "binary", "aslr", "ole file", "cname", "strong", "library", "accept", "cape sandbox", "pdb path", "name", "address virtual", "ip address", "shutdown", "pe32", "ms windows", "win16 ne", "os2 executable", "generic windos", "executable", "dos executable", "pe64 compiler", "ltcgc", "linker", "windows third", "party component", "valid from", "valid", "valid usage", "whql crypto", "code signing", "algorithm", "thumbprint", "serial number", "more" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/d11869fdfbf4bd87085e351b24d2c0e2ba5813fa267b05d969d9d2e46685d113_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183621&Signature=uQSwwOzpii%2FcKjaUt3UZ%2FKZ3C4DkSr3t5dURsz2pP4Es9CFMIWEz6oIAcURcfVri02K%2BedntrmLkvOs6c3g0yFcdgd9a82ARJF9jS5mDQGPXq9y54iiFvjgN98zNT%2BgoGoBF3IxeSAWO47BNwqYPY%2FzaVM0Pv14iXCBltAIH2Ss8R0OYrQytKcQLW48ggBvdA6fDl9x78WtpptMgs9Eu85KAN0wwHvtcrRpd1notnOQZYiYBk1qaAWD4HSrr", "https://vtbehaviour.commondatastorage.googleapis.com/d11869fdfbf4bd87085e351b24d2c0e2ba5813fa267b05d969d9d2e46685d113_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183658&Signature=tGjgj1F2qTBNB3zHOFjuVYbUuozwv%2FUH29aF5d5gmEhofNVf4N5DfD%2BmI9DjozB0MrJ96DeCjGEoPRo7i9Whr%2BThEkSnRgHkjV%2FPWe7tUL3zkNeuKXjs4bWH8BIxmdFyqGSy4cKx99ymtQAp%2F8AWxhqd15coMoLM31YqCpn8PnzvKtYQnIORJQjfhTUdyhha%2FmWvy7gaHGpZvJpaXiyF4IlYWdn9uYy%2FOSAR5Sh3f4F8fX3v", "https://vtbehaviour.commondatastorage.googleapis.com/000020331380e6110b5beba407728730579ebf170517913cc364e7dcb114187b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183676&Signature=IqbnhkkWYeM6kbjfuoTYF2bD3VY52MzFCe5v2P6L5%2FvT66S4ZUFYI3vDp1VG9lGc%2BD%2FJ2J3U67VgV%2BLYeRFGqnQdkctuODu7CXIAc%2FhcLsIB1HWqR9qge57%2FDpdeQUbM%2BjuZ5TWqdfA%2Bqhc1jioTcgrPNBR3JE6M97q%2BxKrz4CUb3WIOfl1mIP91XjXy2cReTAKc%2FsLCnmEvrIFVXx%2BaFUCpCCMCRxF8QOMb67WRJ8hD0iaM", "https://vtbehaviour.commondatastorage.googleapis.com/000020331380e6110b5beba407728730579ebf170517913cc364e7dcb114187b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183694&Signature=ZUnl%2FqTfn6nD5eHS7RvwcH%2Fv5Vtm4wB5Yc0hpeinjJ4Mk3V9%2FRkc6%2BJNireFTPFGSOwaLYwemKQwQA0okh9hYBN5ncSDlB6OSnED3OnM3iZUQDEdLBwgYUEP3M%2Bsg0s2XOV36s1V20ivPLzQVUrRM7CkuEyCsyWm7CCJQGdJBRcsNfR1BsgAOtLpiC6WPKr4xFa5QUh6PSgoGNXSDtj1Mk6Gs9iyav6G%2FtZYVoM%2FBUfcGg8W" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 16, "FileHash-SHA1": 3, "FileHash-SHA256": 175, "IPv4": 44, "URL": 109, "hostname": 130, "domain": 41 }, "indicator_count": 518, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "4 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69de69d5c691473d692fac54", "name": "VirusTotal report\n for document.html", "description": "A full report on malicious code found in an HTML file, compiled by Adobe, has been published by the University of California, San Francisco, at \u00c2\u00a31.5m (US$2.3m).", "modified": "2026-04-15T17:27:58.510000", "created": "2026-04-14T16:22:45.160000", "tags": [ "license", "performs dns", "mitre attack", "network info", "processes extra", "t1055 process", "overview", "overview zenbox", "verdict", "guest system", "phishing", "next", "script", "adobe", "apache license", "version", "unless", "as is", "basis", "any kind", "doctype html", "meta", "body", "pe file", "binary", "aslr", "ole file", "cname", "strong", "library", "accept", "cape sandbox", "pdb path", "name", "address virtual", "ip address", "shutdown", "pe32", "ms windows", "win16 ne", "os2 executable", "generic windos", "executable", "dos executable", "pe64 compiler", "ltcgc", "linker", "windows third", "party component", "valid from", "valid", "valid usage", "whql crypto", "code signing", "algorithm", "thumbprint", "serial number", "more" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/d11869fdfbf4bd87085e351b24d2c0e2ba5813fa267b05d969d9d2e46685d113_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183621&Signature=uQSwwOzpii%2FcKjaUt3UZ%2FKZ3C4DkSr3t5dURsz2pP4Es9CFMIWEz6oIAcURcfVri02K%2BedntrmLkvOs6c3g0yFcdgd9a82ARJF9jS5mDQGPXq9y54iiFvjgN98zNT%2BgoGoBF3IxeSAWO47BNwqYPY%2FzaVM0Pv14iXCBltAIH2Ss8R0OYrQytKcQLW48ggBvdA6fDl9x78WtpptMgs9Eu85KAN0wwHvtcrRpd1notnOQZYiYBk1qaAWD4HSrr", "https://vtbehaviour.commondatastorage.googleapis.com/d11869fdfbf4bd87085e351b24d2c0e2ba5813fa267b05d969d9d2e46685d113_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183658&Signature=tGjgj1F2qTBNB3zHOFjuVYbUuozwv%2FUH29aF5d5gmEhofNVf4N5DfD%2BmI9DjozB0MrJ96DeCjGEoPRo7i9Whr%2BThEkSnRgHkjV%2FPWe7tUL3zkNeuKXjs4bWH8BIxmdFyqGSy4cKx99ymtQAp%2F8AWxhqd15coMoLM31YqCpn8PnzvKtYQnIORJQjfhTUdyhha%2FmWvy7gaHGpZvJpaXiyF4IlYWdn9uYy%2FOSAR5Sh3f4F8fX3v", "https://vtbehaviour.commondatastorage.googleapis.com/000020331380e6110b5beba407728730579ebf170517913cc364e7dcb114187b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183676&Signature=IqbnhkkWYeM6kbjfuoTYF2bD3VY52MzFCe5v2P6L5%2FvT66S4ZUFYI3vDp1VG9lGc%2BD%2FJ2J3U67VgV%2BLYeRFGqnQdkctuODu7CXIAc%2FhcLsIB1HWqR9qge57%2FDpdeQUbM%2BjuZ5TWqdfA%2Bqhc1jioTcgrPNBR3JE6M97q%2BxKrz4CUb3WIOfl1mIP91XjXy2cReTAKc%2FsLCnmEvrIFVXx%2BaFUCpCCMCRxF8QOMb67WRJ8hD0iaM", "https://vtbehaviour.commondatastorage.googleapis.com/000020331380e6110b5beba407728730579ebf170517913cc364e7dcb114187b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183694&Signature=ZUnl%2FqTfn6nD5eHS7RvwcH%2Fv5Vtm4wB5Yc0hpeinjJ4Mk3V9%2FRkc6%2BJNireFTPFGSOwaLYwemKQwQA0okh9hYBN5ncSDlB6OSnED3OnM3iZUQDEdLBwgYUEP3M%2Bsg0s2XOV36s1V20ivPLzQVUrRM7CkuEyCsyWm7CCJQGdJBRcsNfR1BsgAOtLpiC6WPKr4xFa5QUh6PSgoGNXSDtj1Mk6Gs9iyav6G%2FtZYVoM%2FBUfcGg8W" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 16, "FileHash-SHA1": 3, "FileHash-SHA256": 175, "IPv4": 43, "URL": 109, "hostname": 130, "domain": 41 }, "indicator_count": 517, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "4 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69de69e81ae5bd040f77c01f", "name": "VirusTotal report\n for document.html", "description": "A full report on malicious code found in an HTML file, compiled by Adobe, has been published by the University of California, San Francisco, at \u00c2\u00a31.5m (US$2.3m).", "modified": "2026-04-15T17:16:23.246000", "created": "2026-04-14T16:23:04.494000", "tags": [ "license", "performs dns", "mitre attack", "network info", "processes extra", "t1055 process", "overview", "overview zenbox", "verdict", "guest system", "phishing", "next", "script", "adobe", "apache license", "version", "unless", "as is", "basis", "any kind", "doctype html", "meta", "body", "pe file", "binary", "aslr", "ole file", "cname", "strong", "library", "accept", "cape sandbox", "pdb path", "name", "address virtual", "ip address", "shutdown", "pe32", "ms windows", "win16 ne", "os2 executable", "generic windos", "executable", "dos executable", "pe64 compiler", "ltcgc", "linker", "windows third", "party component", "valid from", "valid", "valid usage", "whql crypto", "code signing", "algorithm", "thumbprint", "serial number", "more" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/d11869fdfbf4bd87085e351b24d2c0e2ba5813fa267b05d969d9d2e46685d113_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183621&Signature=uQSwwOzpii%2FcKjaUt3UZ%2FKZ3C4DkSr3t5dURsz2pP4Es9CFMIWEz6oIAcURcfVri02K%2BedntrmLkvOs6c3g0yFcdgd9a82ARJF9jS5mDQGPXq9y54iiFvjgN98zNT%2BgoGoBF3IxeSAWO47BNwqYPY%2FzaVM0Pv14iXCBltAIH2Ss8R0OYrQytKcQLW48ggBvdA6fDl9x78WtpptMgs9Eu85KAN0wwHvtcrRpd1notnOQZYiYBk1qaAWD4HSrr", "https://vtbehaviour.commondatastorage.googleapis.com/d11869fdfbf4bd87085e351b24d2c0e2ba5813fa267b05d969d9d2e46685d113_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183658&Signature=tGjgj1F2qTBNB3zHOFjuVYbUuozwv%2FUH29aF5d5gmEhofNVf4N5DfD%2BmI9DjozB0MrJ96DeCjGEoPRo7i9Whr%2BThEkSnRgHkjV%2FPWe7tUL3zkNeuKXjs4bWH8BIxmdFyqGSy4cKx99ymtQAp%2F8AWxhqd15coMoLM31YqCpn8PnzvKtYQnIORJQjfhTUdyhha%2FmWvy7gaHGpZvJpaXiyF4IlYWdn9uYy%2FOSAR5Sh3f4F8fX3v", "https://vtbehaviour.commondatastorage.googleapis.com/000020331380e6110b5beba407728730579ebf170517913cc364e7dcb114187b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183676&Signature=IqbnhkkWYeM6kbjfuoTYF2bD3VY52MzFCe5v2P6L5%2FvT66S4ZUFYI3vDp1VG9lGc%2BD%2FJ2J3U67VgV%2BLYeRFGqnQdkctuODu7CXIAc%2FhcLsIB1HWqR9qge57%2FDpdeQUbM%2BjuZ5TWqdfA%2Bqhc1jioTcgrPNBR3JE6M97q%2BxKrz4CUb3WIOfl1mIP91XjXy2cReTAKc%2FsLCnmEvrIFVXx%2BaFUCpCCMCRxF8QOMb67WRJ8hD0iaM", "https://vtbehaviour.commondatastorage.googleapis.com/000020331380e6110b5beba407728730579ebf170517913cc364e7dcb114187b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183694&Signature=ZUnl%2FqTfn6nD5eHS7RvwcH%2Fv5Vtm4wB5Yc0hpeinjJ4Mk3V9%2FRkc6%2BJNireFTPFGSOwaLYwemKQwQA0okh9hYBN5ncSDlB6OSnED3OnM3iZUQDEdLBwgYUEP3M%2Bsg0s2XOV36s1V20ivPLzQVUrRM7CkuEyCsyWm7CCJQGdJBRcsNfR1BsgAOtLpiC6WPKr4xFa5QUh6PSgoGNXSDtj1Mk6Gs9iyav6G%2FtZYVoM%2FBUfcGg8W" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 16, "FileHash-SHA1": 3, "FileHash-SHA256": 175, "IPv4": 46, "URL": 114, "hostname": 130, "domain": 43 }, "indicator_count": 527, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "4 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69de69d60272ee6be0b6be75", "name": "VirusTotal report\n for document.html", "description": "A full report on malicious code found in an HTML file, compiled by Adobe, has been published by the University of California, San Francisco, at \u00c2\u00a31.5m (US$2.3m).", "modified": "2026-04-15T04:32:43.593000", "created": "2026-04-14T16:22:46.679000", "tags": [ "license", "performs dns", "mitre attack", "network info", "processes extra", "t1055 process", "overview", "overview zenbox", "verdict", "guest system", "phishing", "next", "script", "adobe", "apache license", "version", "unless", "as is", "basis", "any kind", "doctype html", "meta", "body", "pe file", "binary", "aslr", "ole file", "cname", "strong", "library", "accept", "cape sandbox", "pdb path", "name", "address virtual", "ip address", "shutdown", "pe32", "ms windows", "win16 ne", "os2 executable", "generic windos", "executable", "dos executable", "pe64 compiler", "ltcgc", "linker", "windows third", "party component", "valid from", "valid", "valid usage", "whql crypto", "code signing", "algorithm", "thumbprint", "serial number", "more" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/d11869fdfbf4bd87085e351b24d2c0e2ba5813fa267b05d969d9d2e46685d113_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183621&Signature=uQSwwOzpii%2FcKjaUt3UZ%2FKZ3C4DkSr3t5dURsz2pP4Es9CFMIWEz6oIAcURcfVri02K%2BedntrmLkvOs6c3g0yFcdgd9a82ARJF9jS5mDQGPXq9y54iiFvjgN98zNT%2BgoGoBF3IxeSAWO47BNwqYPY%2FzaVM0Pv14iXCBltAIH2Ss8R0OYrQytKcQLW48ggBvdA6fDl9x78WtpptMgs9Eu85KAN0wwHvtcrRpd1notnOQZYiYBk1qaAWD4HSrr", "https://vtbehaviour.commondatastorage.googleapis.com/d11869fdfbf4bd87085e351b24d2c0e2ba5813fa267b05d969d9d2e46685d113_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183658&Signature=tGjgj1F2qTBNB3zHOFjuVYbUuozwv%2FUH29aF5d5gmEhofNVf4N5DfD%2BmI9DjozB0MrJ96DeCjGEoPRo7i9Whr%2BThEkSnRgHkjV%2FPWe7tUL3zkNeuKXjs4bWH8BIxmdFyqGSy4cKx99ymtQAp%2F8AWxhqd15coMoLM31YqCpn8PnzvKtYQnIORJQjfhTUdyhha%2FmWvy7gaHGpZvJpaXiyF4IlYWdn9uYy%2FOSAR5Sh3f4F8fX3v", "https://vtbehaviour.commondatastorage.googleapis.com/000020331380e6110b5beba407728730579ebf170517913cc364e7dcb114187b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183676&Signature=IqbnhkkWYeM6kbjfuoTYF2bD3VY52MzFCe5v2P6L5%2FvT66S4ZUFYI3vDp1VG9lGc%2BD%2FJ2J3U67VgV%2BLYeRFGqnQdkctuODu7CXIAc%2FhcLsIB1HWqR9qge57%2FDpdeQUbM%2BjuZ5TWqdfA%2Bqhc1jioTcgrPNBR3JE6M97q%2BxKrz4CUb3WIOfl1mIP91XjXy2cReTAKc%2FsLCnmEvrIFVXx%2BaFUCpCCMCRxF8QOMb67WRJ8hD0iaM", "https://vtbehaviour.commondatastorage.googleapis.com/000020331380e6110b5beba407728730579ebf170517913cc364e7dcb114187b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183694&Signature=ZUnl%2FqTfn6nD5eHS7RvwcH%2Fv5Vtm4wB5Yc0hpeinjJ4Mk3V9%2FRkc6%2BJNireFTPFGSOwaLYwemKQwQA0okh9hYBN5ncSDlB6OSnED3OnM3iZUQDEdLBwgYUEP3M%2Bsg0s2XOV36s1V20ivPLzQVUrRM7CkuEyCsyWm7CCJQGdJBRcsNfR1BsgAOtLpiC6WPKr4xFa5QUh6PSgoGNXSDtj1Mk6Gs9iyav6G%2FtZYVoM%2FBUfcGg8W" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 16, "FileHash-SHA1": 3, "FileHash-SHA256": 175, "IPv4": 45, "URL": 111, "hostname": 130, "domain": 42 }, "indicator_count": 522, "is_author": false, "is_subscribing": null, "subscriber_count": 47, "modified_text": "4 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69de69d6c23c1920ae49419b", "name": "VirusTotal report\n for document.html", "description": "A full report on malicious code found in an HTML file, compiled by Adobe, has been published by the University of California, San Francisco, at \u00c2\u00a31.5m (US$2.3m).", "modified": "2026-04-15T04:32:41.929000", "created": "2026-04-14T16:22:46.723000", "tags": [ "license", "performs dns", "mitre attack", "network info", "processes extra", "t1055 process", "overview", "overview zenbox", "verdict", "guest system", "phishing", "next", "script", "adobe", "apache license", "version", "unless", "as is", "basis", "any kind", "doctype html", "meta", "body", "pe file", "binary", "aslr", "ole file", "cname", "strong", "library", "accept", "cape sandbox", "pdb path", "name", "address virtual", "ip address", "shutdown", "pe32", "ms windows", "win16 ne", "os2 executable", "generic windos", "executable", "dos executable", "pe64 compiler", "ltcgc", "linker", "windows third", "party component", "valid from", "valid", "valid usage", "whql crypto", "code signing", "algorithm", "thumbprint", "serial number", "more" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/d11869fdfbf4bd87085e351b24d2c0e2ba5813fa267b05d969d9d2e46685d113_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183621&Signature=uQSwwOzpii%2FcKjaUt3UZ%2FKZ3C4DkSr3t5dURsz2pP4Es9CFMIWEz6oIAcURcfVri02K%2BedntrmLkvOs6c3g0yFcdgd9a82ARJF9jS5mDQGPXq9y54iiFvjgN98zNT%2BgoGoBF3IxeSAWO47BNwqYPY%2FzaVM0Pv14iXCBltAIH2Ss8R0OYrQytKcQLW48ggBvdA6fDl9x78WtpptMgs9Eu85KAN0wwHvtcrRpd1notnOQZYiYBk1qaAWD4HSrr", "https://vtbehaviour.commondatastorage.googleapis.com/d11869fdfbf4bd87085e351b24d2c0e2ba5813fa267b05d969d9d2e46685d113_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183658&Signature=tGjgj1F2qTBNB3zHOFjuVYbUuozwv%2FUH29aF5d5gmEhofNVf4N5DfD%2BmI9DjozB0MrJ96DeCjGEoPRo7i9Whr%2BThEkSnRgHkjV%2FPWe7tUL3zkNeuKXjs4bWH8BIxmdFyqGSy4cKx99ymtQAp%2F8AWxhqd15coMoLM31YqCpn8PnzvKtYQnIORJQjfhTUdyhha%2FmWvy7gaHGpZvJpaXiyF4IlYWdn9uYy%2FOSAR5Sh3f4F8fX3v", "https://vtbehaviour.commondatastorage.googleapis.com/000020331380e6110b5beba407728730579ebf170517913cc364e7dcb114187b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183676&Signature=IqbnhkkWYeM6kbjfuoTYF2bD3VY52MzFCe5v2P6L5%2FvT66S4ZUFYI3vDp1VG9lGc%2BD%2FJ2J3U67VgV%2BLYeRFGqnQdkctuODu7CXIAc%2FhcLsIB1HWqR9qge57%2FDpdeQUbM%2BjuZ5TWqdfA%2Bqhc1jioTcgrPNBR3JE6M97q%2BxKrz4CUb3WIOfl1mIP91XjXy2cReTAKc%2FsLCnmEvrIFVXx%2BaFUCpCCMCRxF8QOMb67WRJ8hD0iaM", "https://vtbehaviour.commondatastorage.googleapis.com/000020331380e6110b5beba407728730579ebf170517913cc364e7dcb114187b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183694&Signature=ZUnl%2FqTfn6nD5eHS7RvwcH%2Fv5Vtm4wB5Yc0hpeinjJ4Mk3V9%2FRkc6%2BJNireFTPFGSOwaLYwemKQwQA0okh9hYBN5ncSDlB6OSnED3OnM3iZUQDEdLBwgYUEP3M%2Bsg0s2XOV36s1V20ivPLzQVUrRM7CkuEyCsyWm7CCJQGdJBRcsNfR1BsgAOtLpiC6WPKr4xFa5QUh6PSgoGNXSDtj1Mk6Gs9iyav6G%2FtZYVoM%2FBUfcGg8W" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 16, "FileHash-SHA1": 3, "FileHash-SHA256": 175, "IPv4": 46, "URL": 114, "hostname": 130, "domain": 44 }, "indicator_count": 528, "is_author": false, "is_subscribing": null, "subscriber_count": 47, "modified_text": "4 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69ded8198b25581a09b90824", "name": "BearShare \u2022 Solarwinds? \u2022 SearchSuite \u2022 Healthcare Administration", "description": "", "modified": "2026-04-15T00:13:13.981000", "created": "2026-04-15T00:13:13.981000", "tags": [ "Win32/SearchSuite", "pe32", "intel", "ms windows", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 installer", "install system", "compiler", "NSIS", "code signing", "serial number", "db d2", "de d3", "f3 e1", "issuer thawte", "primary root", "ca valid", "valid", "valid usage", "client auth", "algorithm", "rticon english", "type type", "chi2", "ico rtgroupicon", "english us", "capa", "c2 antianalysis", "executable", "sample appears", "installer", "installers well", "results may", "be misleading", "or incomplete", "analyze created", "techniques", "info modify", "files", "modify registry", "directory permi", "techniques none", "info", "scripting inte", "shared modules", "Bear Share", "urls", "ip address", "asn as8075", "united", "flag united", "name servers", "name domain", "org apple", "infinite loop", "city cupertino", "country us", "dnssec", "urlmailto", "urlhttps", "search", "urlhttp", "moved", "title", "encrypt", "certificate", "segoe ui", "otx logo", "url analysis", "tokyo", "msie", "chrome", "gmt content", "all ipv4", "zeppelin", "trojandropper", "cookie", "backdoor", "hash avast", "avg clamav", "msdefender feb", "k oct", "k may", "mtb feb", "mtb jan", "k aug", "windows nt", "dynamicloader", "unknown", "medium", "default", "as16509", "show", "powershell", "write", "xserver", "bearshar data", "passive dns", "pulse submit", "port", "destination", "high", "displayname", "windows", "win64", "tofsee", "stream", "malware", "push", "next", "asnone", "germany as8560", "russia as198610", "strings", "is__elf", "systembc_linux_variant", "khtml", "gecko", "acceptencoding", "get na", "macintosh", "intel mac", "accept", "france as16276", "yara detections", "contacted", "all filehash", "sha256", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "tls sni", "less see", "all ip", "Apple", "xordata", "United States" ], "references": [ "b9e4e47c3f96846c30581c08acf5bc56.virus", "BearShare Install File Version 12.0.0.135802", "Musiclab, LLC", "msoid.applemanic.com \u2022 msoid.giftcardapple.shop \u2022 msoid.appleportconsulting.com", "gateway.fe.apple-dns.net \u2022 apple-dns.net", "africa.konnect.com", "http://scratch-mit-edu.027.cloudns.asia/users/alessandrito123", "euw-serp-dev-testing19.duck.ai", "account-apple.com", "Win.Trojan.Tofsee-7102058-0 , Backdoor:Win32/Tofsee.T", "IDS Detections Win32/Tofsee.AX google.com connectivity check Observed Telegram Domain (t .me in TLS SNI)", "Yara Detections: Tofsee", "Alerts: behavior_tofsee creates_largekey injection_write_exe_process network_bind", "Alerts: persistence_autorun persistence_autorun_tasks procmem_yara static_pe_anomaly", "Alerts: suricata_alert antivm_generic_services physical_drive_access deletes_executed_files", "Alerts: deletes_self injection_runpe persistence_ads suspicious_command_tools", "Alerts: anomalous_deletefile antisandbox_sleep dead_connect dynamic_function_loading", "IP\u2019s Contacted: 47.43.26.4 195.35.13.119 149.154.167.99 185.138.56.214 142.250.147.26 81.88.48.101", "IP\u2019s Contacted: 104.21.72.117 172.66.156.195 157.240.200.174 141.193.213.20", "Domains Contacted: microsoft.com microsoft-com.mail.protection.outlook.com vanaheim.cn yahoo.com mta6.am0.yahoodns.net 13.205.167.198.dnsbl.sorbs.net 13.205.167.198.bl.spamcop.net 13.205.167.198.zen.spamhaus.org 13.205.167.198.sbl-xbl.spamhaus.org 13.205.167.198.cbl.abuseat.org", "https://perigon-one.au.itglue.com/password_shared_links/52f082d3-d889-4db5-ae03-c7bfcbe5aa21", "https://identity.prd-cdc.jemena.com.au/pages/jemena-reset-password", "https://in2it.itglue.com/password_shared_links/9b0e2a1d-b554-4f0c-a333-390e41defe8e", "https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback&response_type=code&scope=openid+email+profile&state=uJZE80MW6TdJQjbI0RWXhnF3SpYZXckLkfafnEHgr_I:", "https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback", "ids-apple.com \u2022 itunes.org", "xn--cloud-4sa.com", "http://cab.applemarketingtools.com", "http://console.applemarketingtools.com/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Spain", "France", "United Kingdom of Great Britain and Northern Ireland", "Netherlands", "Japan", "Switzerland", "Madagascar", "Finland", "Germany", "Russian Federation" ], "malware_families": [ { "id": "Win32/SearchSuite", "display_name": "Win32/SearchSuite", "target": null }, { "id": "Win32.Application.BearShare.A", "display_name": "Win32.Application.BearShare.A", "target": null }, { "id": "Exploit:Win32/CVE-2017-0147", "display_name": "Exploit:Win32/CVE-2017-0147", "target": "/malware/Exploit:Win32/CVE-2017-0147" }, { "id": "CVE-2023-22518", "display_name": "CVE-2023-22518", "target": null }, { "id": "Win.Packed.Bandook-9882274-1", "display_name": "Win.Packed.Bandook-9882274-1", "target": null }, { "id": "Win.Trojan.Tofsee-7102058-0", "display_name": "Win.Trojan.Tofsee-7102058-0", "target": null }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "TrojanDownloader:Win32/Cutwail", "display_name": "TrojanDownloader:Win32/Cutwail", "target": "/malware/TrojanDownloader:Win32/Cutwail" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [ "Government", "Healthcare", "Technology" ], "TLP": "green", "cloned_from": "69dab27a0493e0e80a0f35cd", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 138, "FileHash-SHA1": 119, "FileHash-SHA256": 3553, "IPv4": 633, "CVE": 2, "URL": 6134, "domain": 2439, "hostname": 2271, "email": 9, "SSLCertFingerprint": 2 }, "indicator_count": 15300, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "4 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69de5661aa69bc26fcc67ca5", "name": "VirusTotal report\n for document.html", "description": "The full text of the full report on this year's EU Referendum, which will take place on 26 May 2017, will be published on 23 June.. and will appear on BBC One.", "modified": "2026-04-14T15:46:10.139000", "created": "2026-04-14T14:59:45.579000", "tags": [ "thumbprint", "server", "domain status", "not available", "combell", "fri oct", "domain name", "mitre attack", "network info", "performs dns", "found", "t1055 process", "overview", "processes extra", "overview zenbox", "verdict", "guest system", "next", "cauliflower", "ardo", "script", "green", "grey", "doctype html", "head", "ieedge", "meta", "noscript", "generator", "title", "fri jan", "value a", "cname", "file type", "unix", "dropped info", "linux verdict", "persistence", "malicious", "pe file", "pe32", "ms windows", "crlf line", "ascii text", "drops pe", "intel", "json", "info", "windows sandbox", "calls process", "algorithm", "key identifier", "x509v3 subject", "full name", "v3 serial", "number", "cus odigicert", "inc cndigicert", "global g3", "tls ecc" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/c171805ee886339a1f5ee75f7ebfbb030d316f6ada7dd2dc6c795c0de6000a34_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776177598&Signature=3OaXWi9Bxykp1wiOQNdwBhSVh8X4mMPRcbHBESETUx1dPXdeEb1wMVgkjjvnvvnZ14XzPuL4vMeT%2BM6%2B8cU0CciC2%2B%2BGT%2Fb9mRX1cN%2FXaafCIMjd8vWaqZtK1dawDuh8iKwPBAcYgi6vCnMgp28hPTUgniT1p0WNyIRU3CJvLwPSEU28quYE2LfQp6%2FL8YplQb8mVS%2FgoyB71aRRbadnyiAysuNsHN1pdEaY402DuI5QYpc9B1odu5", "https://vtbehaviour.commondatastorage.googleapis.com/c171805ee886339a1f5ee75f7ebfbb030d316f6ada7dd2dc6c795c0de6000a34_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776177637&Signature=BUiivmwCPsrCikfAjB28LBQHMVx%2FgTbehNpsMuz2VuoKMd%2FiRN1rhKYa8lS%2BTYZ1RNXXVqAR3ISVvI%2FmBIiPXTCg267f4DupHMvxLnZmQ7N0KqABTuh43x9kfuureCni9NLunQFSSWJwdt0KNQS3%2F57kVbeEOIzP7%2BcwyvyzuUpwFQR0d5Z6FniQUM0OXkWdAQwOXY3K%2FZlOIpXUtbyYLoXFI2SxAVG0cSF%2F5LRfI%2BqV", "https://vtbehaviour.commondatastorage.googleapis.com/b5cbc5fb20fb38eeec1be1b9befddfb1fb4e74ebd6393c5a284600b4fd8edd72_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776178045&Signature=hfNfMWMWKlkR0dmNZ4tTVvmgM0aQ3daOKDfK8yNihejr3kujfb37wAq3LmH7qtp%2BoiIbsDP06zGcG8dlexlRIuv37dwHofiSildpsN54e2zZ%2F%2Fn25cvnS2OqCOrlkZKLS4HfUQG4uDxTT6nCFFjtk1d88D7GRghUOiDYdLgbVfBW5DFTJ5bmDWA%2F%2FQn7%2BGjfOnnJonkxYfKJ0NAUYmESIbbNs2z4ZohntfXj28HJ8ofBVh09Vk", "https://vtbehaviour.commondatastorage.googleapis.com/b5cbc5fb20fb38eeec1be1b9befddfb1fb4e74ebd6393c5a284600b4fd8edd72_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776178084&Signature=l9VaaMtAu36gwPzacEQuEKIUtylRuocPeqapPjRJQlHLBAGzVaxtTG4tKKub3yjMoWmZ2pKMlpvNWm3hp0Fnvoj9c1RoQqis7Bza5ZkPbTWPic23pN64nADTtHu%2FpwsHeBc5e7ODzJiPCloc2E7y8Fc0OyaCv%2BRvL9Cp746CDgls39HfPWI4ukTSy5F2TsRUo36dz76PT%2FubK3HFHzUNnsFLj%2BZ8iif%2BgE9FpwabJT5WlgvUiqpqna6tcVHl", "https://vtbehaviour.commondatastorage.googleapis.com/b5cbc5fb20fb38eeec1be1b9befddfb1fb4e74ebd6393c5a284600b4fd8edd72_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776178098&Signature=uIxrV8sFHqQAjkRjYKVDQ1S%2FeWLsS9K%2F9PqMGOdk9nETeHOFarhSPqnYVH3z5vORlVnlvKrk10heyaF9Ks%2BfMnudJoqDG6UjXULyT5HbpHKXvdQItgfeAH6ZSHI%2FRRvWIw%2BEJoYnPVIn3gczV1o5LnA5flIbFyXVb%2BwulQMPJnSdhvsQx7PFkAY%2Bukjs4CYlC%2FrL3k8ouSPhJezZgJX3oMBL%2Bgxl15NF20wkj3" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 581, "domain": 706, "IPv4": 42, "hostname": 577, "URL": 386, "FileHash-SHA256": 1620, "FileHash-MD5": 537, "CVE": 6 }, "indicator_count": 4455, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "5 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69de5661607a80dbfa9f35c8", "name": "VirusTotal report\n for document.html", "description": "The full text of the full report on this year's EU Referendum, which will take place on 26 May 2017, will be published on 23 June.. and will appear on BBC One.", "modified": "2026-04-14T15:05:34.538000", "created": "2026-04-14T14:59:45.223000", "tags": [ "thumbprint", "server", "domain status", "not available", "combell", "fri oct", "domain name", "mitre attack", "network info", "performs dns", "found", "t1055 process", "overview", "processes extra", "overview zenbox", "verdict", "guest system", "next", "cauliflower", "ardo", "script", "green", "grey", "doctype html", "head", "ieedge", "meta", "noscript", "generator", "title", "fri jan", "value a", "cname", "file type", "unix", "dropped info", "linux verdict", "persistence", "malicious", "pe file", "pe32", "ms windows", "crlf line", "ascii text", "drops pe", "intel", "json", "info", "windows sandbox", "calls process", "algorithm", "key identifier", "x509v3 subject", "full name", "v3 serial", "number", "cus odigicert", "inc cndigicert", "global g3", "tls ecc" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/c171805ee886339a1f5ee75f7ebfbb030d316f6ada7dd2dc6c795c0de6000a34_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776177598&Signature=3OaXWi9Bxykp1wiOQNdwBhSVh8X4mMPRcbHBESETUx1dPXdeEb1wMVgkjjvnvvnZ14XzPuL4vMeT%2BM6%2B8cU0CciC2%2B%2BGT%2Fb9mRX1cN%2FXaafCIMjd8vWaqZtK1dawDuh8iKwPBAcYgi6vCnMgp28hPTUgniT1p0WNyIRU3CJvLwPSEU28quYE2LfQp6%2FL8YplQb8mVS%2FgoyB71aRRbadnyiAysuNsHN1pdEaY402DuI5QYpc9B1odu5", "https://vtbehaviour.commondatastorage.googleapis.com/c171805ee886339a1f5ee75f7ebfbb030d316f6ada7dd2dc6c795c0de6000a34_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776177637&Signature=BUiivmwCPsrCikfAjB28LBQHMVx%2FgTbehNpsMuz2VuoKMd%2FiRN1rhKYa8lS%2BTYZ1RNXXVqAR3ISVvI%2FmBIiPXTCg267f4DupHMvxLnZmQ7N0KqABTuh43x9kfuureCni9NLunQFSSWJwdt0KNQS3%2F57kVbeEOIzP7%2BcwyvyzuUpwFQR0d5Z6FniQUM0OXkWdAQwOXY3K%2FZlOIpXUtbyYLoXFI2SxAVG0cSF%2F5LRfI%2BqV", "https://vtbehaviour.commondatastorage.googleapis.com/b5cbc5fb20fb38eeec1be1b9befddfb1fb4e74ebd6393c5a284600b4fd8edd72_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776178045&Signature=hfNfMWMWKlkR0dmNZ4tTVvmgM0aQ3daOKDfK8yNihejr3kujfb37wAq3LmH7qtp%2BoiIbsDP06zGcG8dlexlRIuv37dwHofiSildpsN54e2zZ%2F%2Fn25cvnS2OqCOrlkZKLS4HfUQG4uDxTT6nCFFjtk1d88D7GRghUOiDYdLgbVfBW5DFTJ5bmDWA%2F%2FQn7%2BGjfOnnJonkxYfKJ0NAUYmESIbbNs2z4ZohntfXj28HJ8ofBVh09Vk", "https://vtbehaviour.commondatastorage.googleapis.com/b5cbc5fb20fb38eeec1be1b9befddfb1fb4e74ebd6393c5a284600b4fd8edd72_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776178084&Signature=l9VaaMtAu36gwPzacEQuEKIUtylRuocPeqapPjRJQlHLBAGzVaxtTG4tKKub3yjMoWmZ2pKMlpvNWm3hp0Fnvoj9c1RoQqis7Bza5ZkPbTWPic23pN64nADTtHu%2FpwsHeBc5e7ODzJiPCloc2E7y8Fc0OyaCv%2BRvL9Cp746CDgls39HfPWI4ukTSy5F2TsRUo36dz76PT%2FubK3HFHzUNnsFLj%2BZ8iif%2BgE9FpwabJT5WlgvUiqpqna6tcVHl", "https://vtbehaviour.commondatastorage.googleapis.com/b5cbc5fb20fb38eeec1be1b9befddfb1fb4e74ebd6393c5a284600b4fd8edd72_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776178098&Signature=uIxrV8sFHqQAjkRjYKVDQ1S%2FeWLsS9K%2F9PqMGOdk9nETeHOFarhSPqnYVH3z5vORlVnlvKrk10heyaF9Ks%2BfMnudJoqDG6UjXULyT5HbpHKXvdQItgfeAH6ZSHI%2FRRvWIw%2BEJoYnPVIn3gczV1o5LnA5flIbFyXVb%2BwulQMPJnSdhvsQx7PFkAY%2Bukjs4CYlC%2FrL3k8ouSPhJezZgJX3oMBL%2Bgxl15NF20wkj3" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 118, "domain": 360, "IPv4": 41, "hostname": 462, "URL": 290, "FileHash-SHA256": 968, "FileHash-MD5": 83, "CVE": 3 }, "indicator_count": 2325, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "5 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69db05f833d3d6d2231fb201", "name": "CREDIT: Q.Vashti's research: SearchSuite \u2022 Healthcare Administration CREATED 6 HOURS AGO by Q.Vashti", "description": "", "modified": "2026-04-12T02:39:52.993000", "created": "2026-04-12T02:39:52.993000", "tags": [ "Win32/SearchSuite", "pe32", "intel", "ms windows", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 installer", "install system", "compiler", "NSIS", "code signing", "serial number", "db d2", "de d3", "f3 e1", "issuer thawte", "primary root", "ca valid", "valid", "valid usage", "client auth", "algorithm", "rticon english", "type type", "chi2", "ico rtgroupicon", "english us", "capa", "c2 antianalysis", "executable", "sample appears", "installer", "installers well", "results may", "be misleading", "or incomplete", "analyze created", "techniques", "info modify", "files", "modify registry", "directory permi", "techniques none", "info", "scripting inte", "shared modules", "Bear Share", "urls", "ip address", "asn as8075", "united", "flag united", "name servers", "name domain", "org apple", "infinite loop", "city cupertino", "country us", "dnssec", "urlmailto", "urlhttps", "search", "urlhttp", "moved", "title", "encrypt", "certificate", "segoe ui", "otx logo", "url analysis", "tokyo", "msie", "chrome", "gmt content", "all ipv4", "zeppelin", "trojandropper", "cookie", "backdoor", "hash avast", "avg clamav", "msdefender feb", "k oct", "k may", "mtb feb", "mtb jan", "k aug", "windows nt", "dynamicloader", "unknown", "medium", "default", "as16509", "show", "powershell", "write", "xserver", "bearshar data", "passive dns", "pulse submit", "port", "destination", "high", "displayname", "windows", "win64", "tofsee", "stream", "malware", "push", "next", "asnone", "germany as8560", "russia as198610", "strings", "is__elf", "systembc_linux_variant", "khtml", "gecko", "acceptencoding", "get na", "macintosh", "intel mac", "accept", "france as16276", "yara detections", "contacted", "all filehash", "sha256", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "tls sni", "less see", "all ip", "Apple", "xordata", "United States" ], "references": [ "b9e4e47c3f96846c30581c08acf5bc56.virus", "BearShare Install File Version 12.0.0.135802", "Musiclab, LLC", "msoid.applemanic.com \u2022 msoid.giftcardapple.shop \u2022 msoid.appleportconsulting.com", "gateway.fe.apple-dns.net \u2022 apple-dns.net", "africa.konnect.com", "http://scratch-mit-edu.027.cloudns.asia/users/alessandrito123", "euw-serp-dev-testing19.duck.ai", "account-apple.com", "Win.Trojan.Tofsee-7102058-0 , Backdoor:Win32/Tofsee.T", "IDS Detections Win32/Tofsee.AX google.com connectivity check Observed Telegram Domain (t .me in TLS SNI)", "Yara Detections: Tofsee", "Alerts: behavior_tofsee creates_largekey injection_write_exe_process network_bind", "Alerts: persistence_autorun persistence_autorun_tasks procmem_yara static_pe_anomaly", "Alerts: suricata_alert antivm_generic_services physical_drive_access deletes_executed_files", "Alerts: deletes_self injection_runpe persistence_ads suspicious_command_tools", "Alerts: anomalous_deletefile antisandbox_sleep dead_connect dynamic_function_loading", "IP\u2019s Contacted: 47.43.26.4 195.35.13.119 149.154.167.99 185.138.56.214 142.250.147.26 81.88.48.101", "IP\u2019s Contacted: 104.21.72.117 172.66.156.195 157.240.200.174 141.193.213.20", "Domains Contacted: microsoft.com microsoft-com.mail.protection.outlook.com vanaheim.cn yahoo.com mta6.am0.yahoodns.net 13.205.167.198.dnsbl.sorbs.net 13.205.167.198.bl.spamcop.net 13.205.167.198.zen.spamhaus.org 13.205.167.198.sbl-xbl.spamhaus.org 13.205.167.198.cbl.abuseat.org", "https://perigon-one.au.itglue.com/password_shared_links/52f082d3-d889-4db5-ae03-c7bfcbe5aa21", "https://identity.prd-cdc.jemena.com.au/pages/jemena-reset-password", "https://in2it.itglue.com/password_shared_links/9b0e2a1d-b554-4f0c-a333-390e41defe8e", "https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback&response_type=code&scope=openid+email+profile&state=uJZE80MW6TdJQjbI0RWXhnF3SpYZXckLkfafnEHgr_I:", "https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback", "ids-apple.com \u2022 itunes.org", "xn--cloud-4sa.com", "http://cab.applemarketingtools.com", "http://console.applemarketingtools.com/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Spain", "France", "United Kingdom of Great Britain and Northern Ireland", "Netherlands", "Japan", "Switzerland", "Madagascar", "Finland", "Germany", "Russian Federation" ], "malware_families": [ { "id": "Win32/SearchSuite", "display_name": "Win32/SearchSuite", "target": null }, { "id": "Win32.Application.BearShare.A", "display_name": "Win32.Application.BearShare.A", "target": null }, { "id": "Exploit:Win32/CVE-2017-0147", "display_name": "Exploit:Win32/CVE-2017-0147", "target": "/malware/Exploit:Win32/CVE-2017-0147" }, { "id": "CVE-2023-22518", "display_name": "CVE-2023-22518", "target": null }, { "id": "Win.Packed.Bandook-9882274-1", "display_name": "Win.Packed.Bandook-9882274-1", "target": null }, { "id": "Win.Trojan.Tofsee-7102058-0", "display_name": "Win.Trojan.Tofsee-7102058-0", "target": null }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "TrojanDownloader:Win32/Cutwail", "display_name": "TrojanDownloader:Win32/Cutwail", "target": "/malware/TrojanDownloader:Win32/Cutwail" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [ "Government", "Healthcare", "Technology" ], "TLP": "green", "cloned_from": "69dab27a0493e0e80a0f35cd", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 138, "FileHash-SHA1": 119, "FileHash-SHA256": 3553, "IPv4": 633, "CVE": 2, "URL": 6134, "domain": 2439, "hostname": 2271, "email": 9, "SSLCertFingerprint": 2 }, "indicator_count": 15300, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "7 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69dab27a0493e0e80a0f35cd", "name": "SearchSuite \u2022 Healthcare Administration", "description": "Embedded in communication between a healthcare system and a client. \n\nThis is just one of countless internal issues causing a gap in communication, malicious adware, spyware, system sweeps, injection, system modification, downloads , call failures.", "modified": "2026-04-11T20:43:38.695000", "created": "2026-04-11T20:43:38.695000", "tags": [ "Win32/SearchSuite", "pe32", "intel", "ms windows", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 installer", "install system", "compiler", "NSIS", "code signing", "serial number", "db d2", "de d3", "f3 e1", "issuer thawte", "primary root", "ca valid", "valid", "valid usage", "client auth", "algorithm", "rticon english", "type type", "chi2", "ico rtgroupicon", "english us", "capa", "c2 antianalysis", "executable", "sample appears", "installer", "installers well", "results may", "be misleading", "or incomplete", "analyze created", "techniques", "info modify", "files", "modify registry", "directory permi", "techniques none", "info", "scripting inte", "shared modules", "Bear Share", "urls", "ip address", "asn as8075", "united", "flag united", "name servers", "name domain", "org apple", "infinite loop", "city cupertino", "country us", "dnssec", "urlmailto", "urlhttps", "search", "urlhttp", "moved", "title", "encrypt", "certificate", "segoe ui", "otx logo", "url analysis", "tokyo", "msie", "chrome", "gmt content", "all ipv4", "zeppelin", "trojandropper", "cookie", "backdoor", "hash avast", "avg clamav", "msdefender feb", "k oct", "k may", "mtb feb", "mtb jan", "k aug", "windows nt", "dynamicloader", "unknown", "medium", "default", "as16509", "show", "powershell", "write", "xserver", "bearshar data", "passive dns", "pulse submit", "port", "destination", "high", "displayname", "windows", "win64", "tofsee", "stream", "malware", "push", "next", "asnone", "germany as8560", "russia as198610", "strings", "is__elf", "systembc_linux_variant", "khtml", "gecko", "acceptencoding", "get na", "macintosh", "intel mac", "accept", "france as16276", "yara detections", "contacted", "all filehash", "sha256", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "tls sni", "less see", "all ip", "Apple", "xordata", "United States" ], "references": [ "b9e4e47c3f96846c30581c08acf5bc56.virus", "BearShare Install File Version 12.0.0.135802", "Musiclab, LLC", "msoid.applemanic.com \u2022 msoid.giftcardapple.shop \u2022 msoid.appleportconsulting.com", "gateway.fe.apple-dns.net \u2022 apple-dns.net", "africa.konnect.com", "http://scratch-mit-edu.027.cloudns.asia/users/alessandrito123", "euw-serp-dev-testing19.duck.ai", "account-apple.com", "Win.Trojan.Tofsee-7102058-0 , Backdoor:Win32/Tofsee.T", "IDS Detections Win32/Tofsee.AX google.com connectivity check Observed Telegram Domain (t .me in TLS SNI)", "Yara Detections: Tofsee", "Alerts: behavior_tofsee creates_largekey injection_write_exe_process network_bind", "Alerts: persistence_autorun persistence_autorun_tasks procmem_yara static_pe_anomaly", "Alerts: suricata_alert antivm_generic_services physical_drive_access deletes_executed_files", "Alerts: deletes_self injection_runpe persistence_ads suspicious_command_tools", "Alerts: anomalous_deletefile antisandbox_sleep dead_connect dynamic_function_loading", "IP\u2019s Contacted: 47.43.26.4 195.35.13.119 149.154.167.99 185.138.56.214 142.250.147.26 81.88.48.101", "IP\u2019s Contacted: 104.21.72.117 172.66.156.195 157.240.200.174 141.193.213.20", "Domains Contacted: microsoft.com microsoft-com.mail.protection.outlook.com vanaheim.cn yahoo.com mta6.am0.yahoodns.net 13.205.167.198.dnsbl.sorbs.net 13.205.167.198.bl.spamcop.net 13.205.167.198.zen.spamhaus.org 13.205.167.198.sbl-xbl.spamhaus.org 13.205.167.198.cbl.abuseat.org", "https://perigon-one.au.itglue.com/password_shared_links/52f082d3-d889-4db5-ae03-c7bfcbe5aa21", "https://identity.prd-cdc.jemena.com.au/pages/jemena-reset-password", "https://in2it.itglue.com/password_shared_links/9b0e2a1d-b554-4f0c-a333-390e41defe8e", "https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback&response_type=code&scope=openid+email+profile&state=uJZE80MW6TdJQjbI0RWXhnF3SpYZXckLkfafnEHgr_I:", "https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback", "ids-apple.com \u2022 itunes.org", "xn--cloud-4sa.com", "http://cab.applemarketingtools.com", "http://console.applemarketingtools.com/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Spain", "France", "United Kingdom of Great Britain and Northern Ireland", "Netherlands", "Japan", "Switzerland", "Madagascar", "Finland", "Germany", "Russian Federation" ], "malware_families": [ { "id": "Win32/SearchSuite", "display_name": "Win32/SearchSuite", "target": null }, { "id": "Win32.Application.BearShare.A", "display_name": "Win32.Application.BearShare.A", "target": null }, { "id": "Exploit:Win32/CVE-2017-0147", "display_name": "Exploit:Win32/CVE-2017-0147", "target": "/malware/Exploit:Win32/CVE-2017-0147" }, { "id": "CVE-2023-22518", "display_name": "CVE-2023-22518", "target": null }, { "id": "Win.Packed.Bandook-9882274-1", "display_name": "Win.Packed.Bandook-9882274-1", "target": null }, { "id": "Win.Trojan.Tofsee-7102058-0", "display_name": "Win.Trojan.Tofsee-7102058-0", "target": null }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "TrojanDownloader:Win32/Cutwail", "display_name": "TrojanDownloader:Win32/Cutwail", "target": "/malware/TrojanDownloader:Win32/Cutwail" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [ "Government", "Healthcare", "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 138, "FileHash-SHA1": 119, "FileHash-SHA256": 3553, "IPv4": 633, "CVE": 2, "URL": 6134, "domain": 2439, "hostname": 2271, "email": 9, "SSLCertFingerprint": 2 }, "indicator_count": 15300, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "7 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/b5cbc5fb20fb38eeec1be1b9befddfb1fb4e74ebd6393c5a284600b4fd8edd72_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776178084&Signature=l9VaaMtAu36gwPzacEQuEKIUtylRuocPeqapPjRJQlHLBAGzVaxtTG4tKKub3yjMoWmZ2pKMlpvNWm3hp0Fnvoj9c1RoQqis7Bza5ZkPbTWPic23pN64nADTtHu%2FpwsHeBc5e7ODzJiPCloc2E7y8Fc0OyaCv%2BRvL9Cp746CDgls39HfPWI4ukTSy5F2TsRUo36dz76PT%2FubK3HFHzUNnsFLj%2BZ8iif%2BgE9FpwabJT5WlgvUiqpqna6tcVHl", "https://vtbehaviour.commondatastorage.googleapis.com/b5cbc5fb20fb38eeec1be1b9befddfb1fb4e74ebd6393c5a284600b4fd8edd72_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776178045&Signature=hfNfMWMWKlkR0dmNZ4tTVvmgM0aQ3daOKDfK8yNihejr3kujfb37wAq3LmH7qtp%2BoiIbsDP06zGcG8dlexlRIuv37dwHofiSildpsN54e2zZ%2F%2Fn25cvnS2OqCOrlkZKLS4HfUQG4uDxTT6nCFFjtk1d88D7GRghUOiDYdLgbVfBW5DFTJ5bmDWA%2F%2FQn7%2BGjfOnnJonkxYfKJ0NAUYmESIbbNs2z4ZohntfXj28HJ8ofBVh09Vk", "https://vtbehaviour.commondatastorage.googleapis.com/b5cbc5fb20fb38eeec1be1b9befddfb1fb4e74ebd6393c5a284600b4fd8edd72_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776178098&Signature=uIxrV8sFHqQAjkRjYKVDQ1S%2FeWLsS9K%2F9PqMGOdk9nETeHOFarhSPqnYVH3z5vORlVnlvKrk10heyaF9Ks%2BfMnudJoqDG6UjXULyT5HbpHKXvdQItgfeAH6ZSHI%2FRRvWIw%2BEJoYnPVIn3gczV1o5LnA5flIbFyXVb%2BwulQMPJnSdhvsQx7PFkAY%2Bukjs4CYlC%2FrL3k8ouSPhJezZgJX3oMBL%2Bgxl15NF20wkj3", "b9e4e47c3f96846c30581c08acf5bc56.virus", "account-apple.com", "ids-apple.com \u2022 itunes.org", "https://vtbehaviour.commondatastorage.googleapis.com/c171805ee886339a1f5ee75f7ebfbb030d316f6ada7dd2dc6c795c0de6000a34_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776177637&Signature=BUiivmwCPsrCikfAjB28LBQHMVx%2FgTbehNpsMuz2VuoKMd%2FiRN1rhKYa8lS%2BTYZ1RNXXVqAR3ISVvI%2FmBIiPXTCg267f4DupHMvxLnZmQ7N0KqABTuh43x9kfuureCni9NLunQFSSWJwdt0KNQS3%2F57kVbeEOIzP7%2BcwyvyzuUpwFQR0d5Z6FniQUM0OXkWdAQwOXY3K%2FZlOIpXUtbyYLoXFI2SxAVG0cSF%2F5LRfI%2BqV", "http://scratch-mit-edu.027.cloudns.asia/users/alessandrito123", "gateway.fe.apple-dns.net \u2022 apple-dns.net", "https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback", "https://identity.prd-cdc.jemena.com.au/pages/jemena-reset-password", "https://in2it.itglue.com/password_shared_links/9b0e2a1d-b554-4f0c-a333-390e41defe8e", "https://vtbehaviour.commondatastorage.googleapis.com/000020331380e6110b5beba407728730579ebf170517913cc364e7dcb114187b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183676&Signature=IqbnhkkWYeM6kbjfuoTYF2bD3VY52MzFCe5v2P6L5%2FvT66S4ZUFYI3vDp1VG9lGc%2BD%2FJ2J3U67VgV%2BLYeRFGqnQdkctuODu7CXIAc%2FhcLsIB1HWqR9qge57%2FDpdeQUbM%2BjuZ5TWqdfA%2Bqhc1jioTcgrPNBR3JE6M97q%2BxKrz4CUb3WIOfl1mIP91XjXy2cReTAKc%2FsLCnmEvrIFVXx%2BaFUCpCCMCRxF8QOMb67WRJ8hD0iaM", "https://vtbehaviour.commondatastorage.googleapis.com/d11869fdfbf4bd87085e351b24d2c0e2ba5813fa267b05d969d9d2e46685d113_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183621&Signature=uQSwwOzpii%2FcKjaUt3UZ%2FKZ3C4DkSr3t5dURsz2pP4Es9CFMIWEz6oIAcURcfVri02K%2BedntrmLkvOs6c3g0yFcdgd9a82ARJF9jS5mDQGPXq9y54iiFvjgN98zNT%2BgoGoBF3IxeSAWO47BNwqYPY%2FzaVM0Pv14iXCBltAIH2Ss8R0OYrQytKcQLW48ggBvdA6fDl9x78WtpptMgs9Eu85KAN0wwHvtcrRpd1notnOQZYiYBk1qaAWD4HSrr", "IP\u2019s Contacted: 47.43.26.4 195.35.13.119 149.154.167.99 185.138.56.214 142.250.147.26 81.88.48.101", "xn--cloud-4sa.com", "Win.Trojan.Tofsee-7102058-0 , Backdoor:Win32/Tofsee.T", "Alerts: anomalous_deletefile antisandbox_sleep dead_connect dynamic_function_loading", "msoid.applemanic.com \u2022 msoid.giftcardapple.shop \u2022 msoid.appleportconsulting.com", "http://console.applemarketingtools.com/", "Musiclab, LLC", "BearShare Install File Version 12.0.0.135802", "Yara Detections: Tofsee", "Alerts: suricata_alert antivm_generic_services physical_drive_access deletes_executed_files", "Domains Contacted: microsoft.com microsoft-com.mail.protection.outlook.com vanaheim.cn yahoo.com mta6.am0.yahoodns.net 13.205.167.198.dnsbl.sorbs.net 13.205.167.198.bl.spamcop.net 13.205.167.198.zen.spamhaus.org 13.205.167.198.sbl-xbl.spamhaus.org 13.205.167.198.cbl.abuseat.org", "https://perigon-one.au.itglue.com/password_shared_links/52f082d3-d889-4db5-ae03-c7bfcbe5aa21", "https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback&response_type=code&scope=openid+email+profile&state=uJZE80MW6TdJQjbI0RWXhnF3SpYZXckLkfafnEHgr_I:", "https://vtbehaviour.commondatastorage.googleapis.com/c171805ee886339a1f5ee75f7ebfbb030d316f6ada7dd2dc6c795c0de6000a34_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776177598&Signature=3OaXWi9Bxykp1wiOQNdwBhSVh8X4mMPRcbHBESETUx1dPXdeEb1wMVgkjjvnvvnZ14XzPuL4vMeT%2BM6%2B8cU0CciC2%2B%2BGT%2Fb9mRX1cN%2FXaafCIMjd8vWaqZtK1dawDuh8iKwPBAcYgi6vCnMgp28hPTUgniT1p0WNyIRU3CJvLwPSEU28quYE2LfQp6%2FL8YplQb8mVS%2FgoyB71aRRbadnyiAysuNsHN1pdEaY402DuI5QYpc9B1odu5", "IDS Detections Win32/Tofsee.AX google.com connectivity check Observed Telegram Domain (t .me in TLS SNI)", "https://vtbehaviour.commondatastorage.googleapis.com/d11869fdfbf4bd87085e351b24d2c0e2ba5813fa267b05d969d9d2e46685d113_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183658&Signature=tGjgj1F2qTBNB3zHOFjuVYbUuozwv%2FUH29aF5d5gmEhofNVf4N5DfD%2BmI9DjozB0MrJ96DeCjGEoPRo7i9Whr%2BThEkSnRgHkjV%2FPWe7tUL3zkNeuKXjs4bWH8BIxmdFyqGSy4cKx99ymtQAp%2F8AWxhqd15coMoLM31YqCpn8PnzvKtYQnIORJQjfhTUdyhha%2FmWvy7gaHGpZvJpaXiyF4IlYWdn9uYy%2FOSAR5Sh3f4F8fX3v", "Alerts: deletes_self injection_runpe persistence_ads suspicious_command_tools", "africa.konnect.com", "Alerts: persistence_autorun persistence_autorun_tasks procmem_yara static_pe_anomaly", "euw-serp-dev-testing19.duck.ai", "http://cab.applemarketingtools.com", "IP\u2019s Contacted: 104.21.72.117 172.66.156.195 157.240.200.174 141.193.213.20", "Alerts: behavior_tofsee creates_largekey injection_write_exe_process network_bind", "https://vtbehaviour.commondatastorage.googleapis.com/000020331380e6110b5beba407728730579ebf170517913cc364e7dcb114187b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183694&Signature=ZUnl%2FqTfn6nD5eHS7RvwcH%2Fv5Vtm4wB5Yc0hpeinjJ4Mk3V9%2FRkc6%2BJNireFTPFGSOwaLYwemKQwQA0okh9hYBN5ncSDlB6OSnED3OnM3iZUQDEdLBwgYUEP3M%2Bsg0s2XOV36s1V20ivPLzQVUrRM7CkuEyCsyWm7CCJQGdJBRcsNfR1BsgAOtLpiC6WPKr4xFa5QUh6PSgoGNXSDtj1Mk6Gs9iyav6G%2FtZYVoM%2FBUfcGg8W" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Win.trojan.tofsee-7102058-0", "Exploit:win32/cve-2017-0147", "Backdoor:win32/tofsee.t", "Win.packed.bandook-9882274-1", "Trojandownloader:win32/cutwail", "Cve-2023-22518", "Win32.application.bearshare.a", "Win32/searchsuite" ], "industries": [ "Government", "Technology", "Healthcare" ], "unique_indicators": 18177 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/cloud.microsoft", "whois": "http://whois.domaintools.com/cloud.microsoft", "domain": "cloud.microsoft", "hostname": "forms.cloud.microsoft" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 14, "pulses": [ { "id": "69de5660177cfb2b911d0416", "name": "VirusTotal report\n for document.html", "description": "The full text of the full report on this year's EU Referendum, which will take place on 26 May 2017, will be published on 23 June.. and will appear on BBC One.", "modified": "2026-04-16T07:18:14.946000", "created": "2026-04-14T14:59:44.158000", "tags": [ "thumbprint", "server", "domain status", "not available", "combell", "fri oct", "domain name", "mitre attack", "network info", "performs dns", "found", "t1055 process", "overview", "processes extra", "overview zenbox", "verdict", "guest system", "next", "cauliflower", "ardo", "script", "green", "grey", "doctype html", "head", "ieedge", "meta", "noscript", "generator", "title", "fri jan", "value a", "cname", "file type", "unix", "dropped info", "linux verdict", "persistence", "malicious", "pe file", "pe32", "ms windows", "crlf line", "ascii text", "drops pe", "intel", "json", "info", "windows sandbox", "calls process", "algorithm", "key identifier", "x509v3 subject", "full name", "v3 serial", "number", "cus odigicert", "inc cndigicert", "global g3", "tls ecc" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/c171805ee886339a1f5ee75f7ebfbb030d316f6ada7dd2dc6c795c0de6000a34_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776177598&Signature=3OaXWi9Bxykp1wiOQNdwBhSVh8X4mMPRcbHBESETUx1dPXdeEb1wMVgkjjvnvvnZ14XzPuL4vMeT%2BM6%2B8cU0CciC2%2B%2BGT%2Fb9mRX1cN%2FXaafCIMjd8vWaqZtK1dawDuh8iKwPBAcYgi6vCnMgp28hPTUgniT1p0WNyIRU3CJvLwPSEU28quYE2LfQp6%2FL8YplQb8mVS%2FgoyB71aRRbadnyiAysuNsHN1pdEaY402DuI5QYpc9B1odu5", "https://vtbehaviour.commondatastorage.googleapis.com/c171805ee886339a1f5ee75f7ebfbb030d316f6ada7dd2dc6c795c0de6000a34_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776177637&Signature=BUiivmwCPsrCikfAjB28LBQHMVx%2FgTbehNpsMuz2VuoKMd%2FiRN1rhKYa8lS%2BTYZ1RNXXVqAR3ISVvI%2FmBIiPXTCg267f4DupHMvxLnZmQ7N0KqABTuh43x9kfuureCni9NLunQFSSWJwdt0KNQS3%2F57kVbeEOIzP7%2BcwyvyzuUpwFQR0d5Z6FniQUM0OXkWdAQwOXY3K%2FZlOIpXUtbyYLoXFI2SxAVG0cSF%2F5LRfI%2BqV", "https://vtbehaviour.commondatastorage.googleapis.com/b5cbc5fb20fb38eeec1be1b9befddfb1fb4e74ebd6393c5a284600b4fd8edd72_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776178045&Signature=hfNfMWMWKlkR0dmNZ4tTVvmgM0aQ3daOKDfK8yNihejr3kujfb37wAq3LmH7qtp%2BoiIbsDP06zGcG8dlexlRIuv37dwHofiSildpsN54e2zZ%2F%2Fn25cvnS2OqCOrlkZKLS4HfUQG4uDxTT6nCFFjtk1d88D7GRghUOiDYdLgbVfBW5DFTJ5bmDWA%2F%2FQn7%2BGjfOnnJonkxYfKJ0NAUYmESIbbNs2z4ZohntfXj28HJ8ofBVh09Vk", "https://vtbehaviour.commondatastorage.googleapis.com/b5cbc5fb20fb38eeec1be1b9befddfb1fb4e74ebd6393c5a284600b4fd8edd72_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776178084&Signature=l9VaaMtAu36gwPzacEQuEKIUtylRuocPeqapPjRJQlHLBAGzVaxtTG4tKKub3yjMoWmZ2pKMlpvNWm3hp0Fnvoj9c1RoQqis7Bza5ZkPbTWPic23pN64nADTtHu%2FpwsHeBc5e7ODzJiPCloc2E7y8Fc0OyaCv%2BRvL9Cp746CDgls39HfPWI4ukTSy5F2TsRUo36dz76PT%2FubK3HFHzUNnsFLj%2BZ8iif%2BgE9FpwabJT5WlgvUiqpqna6tcVHl", "https://vtbehaviour.commondatastorage.googleapis.com/b5cbc5fb20fb38eeec1be1b9befddfb1fb4e74ebd6393c5a284600b4fd8edd72_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776178098&Signature=uIxrV8sFHqQAjkRjYKVDQ1S%2FeWLsS9K%2F9PqMGOdk9nETeHOFarhSPqnYVH3z5vORlVnlvKrk10heyaF9Ks%2BfMnudJoqDG6UjXULyT5HbpHKXvdQItgfeAH6ZSHI%2FRRvWIw%2BEJoYnPVIn3gczV1o5LnA5flIbFyXVb%2BwulQMPJnSdhvsQx7PFkAY%2Bukjs4CYlC%2FrL3k8ouSPhJezZgJX3oMBL%2Bgxl15NF20wkj3" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 118, "domain": 361, "IPv4": 41, "hostname": 462, "URL": 291, "FileHash-SHA256": 968, "FileHash-MD5": 83, "CVE": 3 }, "indicator_count": 2327, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "3 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69de565b32d80c2973c2fd77", "name": "VirusTotal report\n for document.html", "description": "The full text of the full report on this year's EU Referendum, which will take place on 26 May 2017, will be published on 23 June.. and will appear on BBC One.", "modified": "2026-04-16T07:18:13.574000", "created": "2026-04-14T14:59:39.743000", "tags": [ "thumbprint", "server", "domain status", "not available", "combell", "fri oct", "domain name", "mitre attack", "network info", "performs dns", "found", "t1055 process", "overview", "processes extra", "overview zenbox", "verdict", "guest system", "next", "cauliflower", "ardo", "script", "green", "grey", "doctype html", "head", "ieedge", "meta", "noscript", "generator", "title", "fri jan", "value a", "cname", "file type", "unix", "dropped info", "linux verdict", "persistence", "malicious", "pe file", "pe32", "ms windows", "crlf line", "ascii text", "drops pe", "intel", "json", "info", "windows sandbox", "calls process", "algorithm", "key identifier", "x509v3 subject", "full name", "v3 serial", "number", "cus odigicert", "inc cndigicert", "global g3", "tls ecc" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/c171805ee886339a1f5ee75f7ebfbb030d316f6ada7dd2dc6c795c0de6000a34_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776177598&Signature=3OaXWi9Bxykp1wiOQNdwBhSVh8X4mMPRcbHBESETUx1dPXdeEb1wMVgkjjvnvvnZ14XzPuL4vMeT%2BM6%2B8cU0CciC2%2B%2BGT%2Fb9mRX1cN%2FXaafCIMjd8vWaqZtK1dawDuh8iKwPBAcYgi6vCnMgp28hPTUgniT1p0WNyIRU3CJvLwPSEU28quYE2LfQp6%2FL8YplQb8mVS%2FgoyB71aRRbadnyiAysuNsHN1pdEaY402DuI5QYpc9B1odu5", "https://vtbehaviour.commondatastorage.googleapis.com/c171805ee886339a1f5ee75f7ebfbb030d316f6ada7dd2dc6c795c0de6000a34_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776177637&Signature=BUiivmwCPsrCikfAjB28LBQHMVx%2FgTbehNpsMuz2VuoKMd%2FiRN1rhKYa8lS%2BTYZ1RNXXVqAR3ISVvI%2FmBIiPXTCg267f4DupHMvxLnZmQ7N0KqABTuh43x9kfuureCni9NLunQFSSWJwdt0KNQS3%2F57kVbeEOIzP7%2BcwyvyzuUpwFQR0d5Z6FniQUM0OXkWdAQwOXY3K%2FZlOIpXUtbyYLoXFI2SxAVG0cSF%2F5LRfI%2BqV", "https://vtbehaviour.commondatastorage.googleapis.com/b5cbc5fb20fb38eeec1be1b9befddfb1fb4e74ebd6393c5a284600b4fd8edd72_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776178045&Signature=hfNfMWMWKlkR0dmNZ4tTVvmgM0aQ3daOKDfK8yNihejr3kujfb37wAq3LmH7qtp%2BoiIbsDP06zGcG8dlexlRIuv37dwHofiSildpsN54e2zZ%2F%2Fn25cvnS2OqCOrlkZKLS4HfUQG4uDxTT6nCFFjtk1d88D7GRghUOiDYdLgbVfBW5DFTJ5bmDWA%2F%2FQn7%2BGjfOnnJonkxYfKJ0NAUYmESIbbNs2z4ZohntfXj28HJ8ofBVh09Vk", "https://vtbehaviour.commondatastorage.googleapis.com/b5cbc5fb20fb38eeec1be1b9befddfb1fb4e74ebd6393c5a284600b4fd8edd72_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776178084&Signature=l9VaaMtAu36gwPzacEQuEKIUtylRuocPeqapPjRJQlHLBAGzVaxtTG4tKKub3yjMoWmZ2pKMlpvNWm3hp0Fnvoj9c1RoQqis7Bza5ZkPbTWPic23pN64nADTtHu%2FpwsHeBc5e7ODzJiPCloc2E7y8Fc0OyaCv%2BRvL9Cp746CDgls39HfPWI4ukTSy5F2TsRUo36dz76PT%2FubK3HFHzUNnsFLj%2BZ8iif%2BgE9FpwabJT5WlgvUiqpqna6tcVHl", "https://vtbehaviour.commondatastorage.googleapis.com/b5cbc5fb20fb38eeec1be1b9befddfb1fb4e74ebd6393c5a284600b4fd8edd72_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776178098&Signature=uIxrV8sFHqQAjkRjYKVDQ1S%2FeWLsS9K%2F9PqMGOdk9nETeHOFarhSPqnYVH3z5vORlVnlvKrk10heyaF9Ks%2BfMnudJoqDG6UjXULyT5HbpHKXvdQItgfeAH6ZSHI%2FRRvWIw%2BEJoYnPVIn3gczV1o5LnA5flIbFyXVb%2BwulQMPJnSdhvsQx7PFkAY%2Bukjs4CYlC%2FrL3k8ouSPhJezZgJX3oMBL%2Bgxl15NF20wkj3" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 154, "domain": 367, "IPv4": 79, "hostname": 474, "URL": 293, "FileHash-SHA256": 1010, "FileHash-MD5": 119, "CVE": 11 }, "indicator_count": 2507, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "3 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69de69fe42542016114edaeb", "name": "VirusTotal report\n for document.html", "description": "A full report on malicious code found in an HTML file, compiled by Adobe, has been published by the University of California, San Francisco, at \u00c2\u00a31.5m (US$2.3m).", "modified": "2026-04-15T17:34:45.078000", "created": "2026-04-14T16:23:26.071000", "tags": [ "license", "performs dns", "mitre attack", "network info", "processes extra", "t1055 process", "overview", "overview zenbox", "verdict", "guest system", "phishing", "next", "script", "adobe", "apache license", "version", "unless", "as is", "basis", "any kind", "doctype html", "meta", "body", "pe file", "binary", "aslr", "ole file", "cname", "strong", "library", "accept", "cape sandbox", "pdb path", "name", "address virtual", "ip address", "shutdown", "pe32", "ms windows", "win16 ne", "os2 executable", "generic windos", "executable", "dos executable", "pe64 compiler", "ltcgc", "linker", "windows third", "party component", "valid from", "valid", "valid usage", "whql crypto", "code signing", "algorithm", "thumbprint", "serial number", "more" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/d11869fdfbf4bd87085e351b24d2c0e2ba5813fa267b05d969d9d2e46685d113_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183621&Signature=uQSwwOzpii%2FcKjaUt3UZ%2FKZ3C4DkSr3t5dURsz2pP4Es9CFMIWEz6oIAcURcfVri02K%2BedntrmLkvOs6c3g0yFcdgd9a82ARJF9jS5mDQGPXq9y54iiFvjgN98zNT%2BgoGoBF3IxeSAWO47BNwqYPY%2FzaVM0Pv14iXCBltAIH2Ss8R0OYrQytKcQLW48ggBvdA6fDl9x78WtpptMgs9Eu85KAN0wwHvtcrRpd1notnOQZYiYBk1qaAWD4HSrr", "https://vtbehaviour.commondatastorage.googleapis.com/d11869fdfbf4bd87085e351b24d2c0e2ba5813fa267b05d969d9d2e46685d113_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183658&Signature=tGjgj1F2qTBNB3zHOFjuVYbUuozwv%2FUH29aF5d5gmEhofNVf4N5DfD%2BmI9DjozB0MrJ96DeCjGEoPRo7i9Whr%2BThEkSnRgHkjV%2FPWe7tUL3zkNeuKXjs4bWH8BIxmdFyqGSy4cKx99ymtQAp%2F8AWxhqd15coMoLM31YqCpn8PnzvKtYQnIORJQjfhTUdyhha%2FmWvy7gaHGpZvJpaXiyF4IlYWdn9uYy%2FOSAR5Sh3f4F8fX3v", "https://vtbehaviour.commondatastorage.googleapis.com/000020331380e6110b5beba407728730579ebf170517913cc364e7dcb114187b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183676&Signature=IqbnhkkWYeM6kbjfuoTYF2bD3VY52MzFCe5v2P6L5%2FvT66S4ZUFYI3vDp1VG9lGc%2BD%2FJ2J3U67VgV%2BLYeRFGqnQdkctuODu7CXIAc%2FhcLsIB1HWqR9qge57%2FDpdeQUbM%2BjuZ5TWqdfA%2Bqhc1jioTcgrPNBR3JE6M97q%2BxKrz4CUb3WIOfl1mIP91XjXy2cReTAKc%2FsLCnmEvrIFVXx%2BaFUCpCCMCRxF8QOMb67WRJ8hD0iaM", "https://vtbehaviour.commondatastorage.googleapis.com/000020331380e6110b5beba407728730579ebf170517913cc364e7dcb114187b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183694&Signature=ZUnl%2FqTfn6nD5eHS7RvwcH%2Fv5Vtm4wB5Yc0hpeinjJ4Mk3V9%2FRkc6%2BJNireFTPFGSOwaLYwemKQwQA0okh9hYBN5ncSDlB6OSnED3OnM3iZUQDEdLBwgYUEP3M%2Bsg0s2XOV36s1V20ivPLzQVUrRM7CkuEyCsyWm7CCJQGdJBRcsNfR1BsgAOtLpiC6WPKr4xFa5QUh6PSgoGNXSDtj1Mk6Gs9iyav6G%2FtZYVoM%2FBUfcGg8W" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 16, "FileHash-SHA1": 3, "FileHash-SHA256": 175, "IPv4": 47, "URL": 114, "hostname": 130, "domain": 43 }, "indicator_count": 528, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "4 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69de69d63c6bc7ab66605f86", "name": "VirusTotal report\n for document.html", "description": "A full report on malicious code found in an HTML file, compiled by Adobe, has been published by the University of California, San Francisco, at \u00c2\u00a31.5m (US$2.3m).", "modified": "2026-04-15T17:27:59.100000", "created": "2026-04-14T16:22:46.502000", "tags": [ "license", "performs dns", "mitre attack", "network info", "processes extra", "t1055 process", "overview", "overview zenbox", "verdict", "guest system", "phishing", "next", "script", "adobe", "apache license", "version", "unless", "as is", "basis", "any kind", "doctype html", "meta", "body", "pe file", "binary", "aslr", "ole file", "cname", "strong", "library", "accept", "cape sandbox", "pdb path", "name", "address virtual", "ip address", "shutdown", "pe32", "ms windows", "win16 ne", "os2 executable", "generic windos", "executable", "dos executable", "pe64 compiler", "ltcgc", "linker", "windows third", "party component", "valid from", "valid", "valid usage", "whql crypto", "code signing", "algorithm", "thumbprint", "serial number", "more" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/d11869fdfbf4bd87085e351b24d2c0e2ba5813fa267b05d969d9d2e46685d113_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183621&Signature=uQSwwOzpii%2FcKjaUt3UZ%2FKZ3C4DkSr3t5dURsz2pP4Es9CFMIWEz6oIAcURcfVri02K%2BedntrmLkvOs6c3g0yFcdgd9a82ARJF9jS5mDQGPXq9y54iiFvjgN98zNT%2BgoGoBF3IxeSAWO47BNwqYPY%2FzaVM0Pv14iXCBltAIH2Ss8R0OYrQytKcQLW48ggBvdA6fDl9x78WtpptMgs9Eu85KAN0wwHvtcrRpd1notnOQZYiYBk1qaAWD4HSrr", "https://vtbehaviour.commondatastorage.googleapis.com/d11869fdfbf4bd87085e351b24d2c0e2ba5813fa267b05d969d9d2e46685d113_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183658&Signature=tGjgj1F2qTBNB3zHOFjuVYbUuozwv%2FUH29aF5d5gmEhofNVf4N5DfD%2BmI9DjozB0MrJ96DeCjGEoPRo7i9Whr%2BThEkSnRgHkjV%2FPWe7tUL3zkNeuKXjs4bWH8BIxmdFyqGSy4cKx99ymtQAp%2F8AWxhqd15coMoLM31YqCpn8PnzvKtYQnIORJQjfhTUdyhha%2FmWvy7gaHGpZvJpaXiyF4IlYWdn9uYy%2FOSAR5Sh3f4F8fX3v", "https://vtbehaviour.commondatastorage.googleapis.com/000020331380e6110b5beba407728730579ebf170517913cc364e7dcb114187b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183676&Signature=IqbnhkkWYeM6kbjfuoTYF2bD3VY52MzFCe5v2P6L5%2FvT66S4ZUFYI3vDp1VG9lGc%2BD%2FJ2J3U67VgV%2BLYeRFGqnQdkctuODu7CXIAc%2FhcLsIB1HWqR9qge57%2FDpdeQUbM%2BjuZ5TWqdfA%2Bqhc1jioTcgrPNBR3JE6M97q%2BxKrz4CUb3WIOfl1mIP91XjXy2cReTAKc%2FsLCnmEvrIFVXx%2BaFUCpCCMCRxF8QOMb67WRJ8hD0iaM", "https://vtbehaviour.commondatastorage.googleapis.com/000020331380e6110b5beba407728730579ebf170517913cc364e7dcb114187b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183694&Signature=ZUnl%2FqTfn6nD5eHS7RvwcH%2Fv5Vtm4wB5Yc0hpeinjJ4Mk3V9%2FRkc6%2BJNireFTPFGSOwaLYwemKQwQA0okh9hYBN5ncSDlB6OSnED3OnM3iZUQDEdLBwgYUEP3M%2Bsg0s2XOV36s1V20ivPLzQVUrRM7CkuEyCsyWm7CCJQGdJBRcsNfR1BsgAOtLpiC6WPKr4xFa5QUh6PSgoGNXSDtj1Mk6Gs9iyav6G%2FtZYVoM%2FBUfcGg8W" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 16, "FileHash-SHA1": 3, "FileHash-SHA256": 175, "IPv4": 43, "URL": 110, "hostname": 130, "domain": 41 }, "indicator_count": 518, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "4 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69de69d5a54cff2f8c80ba0b", "name": "VirusTotal report\n for document.html", "description": "A full report on malicious code found in an HTML file, compiled by Adobe, has been published by the University of California, San Francisco, at \u00c2\u00a31.5m (US$2.3m).", "modified": "2026-04-15T17:27:58.724000", "created": "2026-04-14T16:22:45.821000", "tags": [ "license", "performs dns", "mitre attack", "network info", "processes extra", "t1055 process", "overview", "overview zenbox", "verdict", "guest system", "phishing", "next", "script", "adobe", "apache license", "version", "unless", "as is", "basis", "any kind", "doctype html", "meta", "body", "pe file", "binary", "aslr", "ole file", "cname", "strong", "library", "accept", "cape sandbox", "pdb path", "name", "address virtual", "ip address", "shutdown", "pe32", "ms windows", "win16 ne", "os2 executable", "generic windos", "executable", "dos executable", "pe64 compiler", "ltcgc", "linker", "windows third", "party component", "valid from", "valid", "valid usage", "whql crypto", "code signing", "algorithm", "thumbprint", "serial number", "more" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/d11869fdfbf4bd87085e351b24d2c0e2ba5813fa267b05d969d9d2e46685d113_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183621&Signature=uQSwwOzpii%2FcKjaUt3UZ%2FKZ3C4DkSr3t5dURsz2pP4Es9CFMIWEz6oIAcURcfVri02K%2BedntrmLkvOs6c3g0yFcdgd9a82ARJF9jS5mDQGPXq9y54iiFvjgN98zNT%2BgoGoBF3IxeSAWO47BNwqYPY%2FzaVM0Pv14iXCBltAIH2Ss8R0OYrQytKcQLW48ggBvdA6fDl9x78WtpptMgs9Eu85KAN0wwHvtcrRpd1notnOQZYiYBk1qaAWD4HSrr", "https://vtbehaviour.commondatastorage.googleapis.com/d11869fdfbf4bd87085e351b24d2c0e2ba5813fa267b05d969d9d2e46685d113_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183658&Signature=tGjgj1F2qTBNB3zHOFjuVYbUuozwv%2FUH29aF5d5gmEhofNVf4N5DfD%2BmI9DjozB0MrJ96DeCjGEoPRo7i9Whr%2BThEkSnRgHkjV%2FPWe7tUL3zkNeuKXjs4bWH8BIxmdFyqGSy4cKx99ymtQAp%2F8AWxhqd15coMoLM31YqCpn8PnzvKtYQnIORJQjfhTUdyhha%2FmWvy7gaHGpZvJpaXiyF4IlYWdn9uYy%2FOSAR5Sh3f4F8fX3v", "https://vtbehaviour.commondatastorage.googleapis.com/000020331380e6110b5beba407728730579ebf170517913cc364e7dcb114187b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183676&Signature=IqbnhkkWYeM6kbjfuoTYF2bD3VY52MzFCe5v2P6L5%2FvT66S4ZUFYI3vDp1VG9lGc%2BD%2FJ2J3U67VgV%2BLYeRFGqnQdkctuODu7CXIAc%2FhcLsIB1HWqR9qge57%2FDpdeQUbM%2BjuZ5TWqdfA%2Bqhc1jioTcgrPNBR3JE6M97q%2BxKrz4CUb3WIOfl1mIP91XjXy2cReTAKc%2FsLCnmEvrIFVXx%2BaFUCpCCMCRxF8QOMb67WRJ8hD0iaM", "https://vtbehaviour.commondatastorage.googleapis.com/000020331380e6110b5beba407728730579ebf170517913cc364e7dcb114187b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183694&Signature=ZUnl%2FqTfn6nD5eHS7RvwcH%2Fv5Vtm4wB5Yc0hpeinjJ4Mk3V9%2FRkc6%2BJNireFTPFGSOwaLYwemKQwQA0okh9hYBN5ncSDlB6OSnED3OnM3iZUQDEdLBwgYUEP3M%2Bsg0s2XOV36s1V20ivPLzQVUrRM7CkuEyCsyWm7CCJQGdJBRcsNfR1BsgAOtLpiC6WPKr4xFa5QUh6PSgoGNXSDtj1Mk6Gs9iyav6G%2FtZYVoM%2FBUfcGg8W" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 16, "FileHash-SHA1": 3, "FileHash-SHA256": 175, "IPv4": 44, "URL": 109, "hostname": 130, "domain": 41 }, "indicator_count": 518, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "4 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69de69d5c691473d692fac54", "name": "VirusTotal report\n for document.html", "description": "A full report on malicious code found in an HTML file, compiled by Adobe, has been published by the University of California, San Francisco, at \u00c2\u00a31.5m (US$2.3m).", "modified": "2026-04-15T17:27:58.510000", "created": "2026-04-14T16:22:45.160000", "tags": [ "license", "performs dns", "mitre attack", "network info", "processes extra", "t1055 process", "overview", "overview zenbox", "verdict", "guest system", "phishing", "next", "script", "adobe", "apache license", "version", "unless", "as is", "basis", "any kind", "doctype html", "meta", "body", "pe file", "binary", "aslr", "ole file", "cname", "strong", "library", "accept", "cape sandbox", "pdb path", "name", "address virtual", "ip address", "shutdown", "pe32", "ms windows", "win16 ne", "os2 executable", "generic windos", "executable", "dos executable", "pe64 compiler", "ltcgc", "linker", "windows third", "party component", "valid from", "valid", "valid usage", "whql crypto", "code signing", "algorithm", "thumbprint", "serial number", "more" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/d11869fdfbf4bd87085e351b24d2c0e2ba5813fa267b05d969d9d2e46685d113_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183621&Signature=uQSwwOzpii%2FcKjaUt3UZ%2FKZ3C4DkSr3t5dURsz2pP4Es9CFMIWEz6oIAcURcfVri02K%2BedntrmLkvOs6c3g0yFcdgd9a82ARJF9jS5mDQGPXq9y54iiFvjgN98zNT%2BgoGoBF3IxeSAWO47BNwqYPY%2FzaVM0Pv14iXCBltAIH2Ss8R0OYrQytKcQLW48ggBvdA6fDl9x78WtpptMgs9Eu85KAN0wwHvtcrRpd1notnOQZYiYBk1qaAWD4HSrr", "https://vtbehaviour.commondatastorage.googleapis.com/d11869fdfbf4bd87085e351b24d2c0e2ba5813fa267b05d969d9d2e46685d113_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183658&Signature=tGjgj1F2qTBNB3zHOFjuVYbUuozwv%2FUH29aF5d5gmEhofNVf4N5DfD%2BmI9DjozB0MrJ96DeCjGEoPRo7i9Whr%2BThEkSnRgHkjV%2FPWe7tUL3zkNeuKXjs4bWH8BIxmdFyqGSy4cKx99ymtQAp%2F8AWxhqd15coMoLM31YqCpn8PnzvKtYQnIORJQjfhTUdyhha%2FmWvy7gaHGpZvJpaXiyF4IlYWdn9uYy%2FOSAR5Sh3f4F8fX3v", "https://vtbehaviour.commondatastorage.googleapis.com/000020331380e6110b5beba407728730579ebf170517913cc364e7dcb114187b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183676&Signature=IqbnhkkWYeM6kbjfuoTYF2bD3VY52MzFCe5v2P6L5%2FvT66S4ZUFYI3vDp1VG9lGc%2BD%2FJ2J3U67VgV%2BLYeRFGqnQdkctuODu7CXIAc%2FhcLsIB1HWqR9qge57%2FDpdeQUbM%2BjuZ5TWqdfA%2Bqhc1jioTcgrPNBR3JE6M97q%2BxKrz4CUb3WIOfl1mIP91XjXy2cReTAKc%2FsLCnmEvrIFVXx%2BaFUCpCCMCRxF8QOMb67WRJ8hD0iaM", "https://vtbehaviour.commondatastorage.googleapis.com/000020331380e6110b5beba407728730579ebf170517913cc364e7dcb114187b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183694&Signature=ZUnl%2FqTfn6nD5eHS7RvwcH%2Fv5Vtm4wB5Yc0hpeinjJ4Mk3V9%2FRkc6%2BJNireFTPFGSOwaLYwemKQwQA0okh9hYBN5ncSDlB6OSnED3OnM3iZUQDEdLBwgYUEP3M%2Bsg0s2XOV36s1V20ivPLzQVUrRM7CkuEyCsyWm7CCJQGdJBRcsNfR1BsgAOtLpiC6WPKr4xFa5QUh6PSgoGNXSDtj1Mk6Gs9iyav6G%2FtZYVoM%2FBUfcGg8W" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 16, "FileHash-SHA1": 3, "FileHash-SHA256": 175, "IPv4": 43, "URL": 109, "hostname": 130, "domain": 41 }, "indicator_count": 517, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "4 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69de69e81ae5bd040f77c01f", "name": "VirusTotal report\n for document.html", "description": "A full report on malicious code found in an HTML file, compiled by Adobe, has been published by the University of California, San Francisco, at \u00c2\u00a31.5m (US$2.3m).", "modified": "2026-04-15T17:16:23.246000", "created": "2026-04-14T16:23:04.494000", "tags": [ "license", "performs dns", "mitre attack", "network info", "processes extra", "t1055 process", "overview", "overview zenbox", "verdict", "guest system", "phishing", "next", "script", "adobe", "apache license", "version", "unless", "as is", "basis", "any kind", "doctype html", "meta", "body", "pe file", "binary", "aslr", "ole file", "cname", "strong", "library", "accept", "cape sandbox", "pdb path", "name", "address virtual", "ip address", "shutdown", "pe32", "ms windows", "win16 ne", "os2 executable", "generic windos", "executable", "dos executable", "pe64 compiler", "ltcgc", "linker", "windows third", "party component", "valid from", "valid", "valid usage", "whql crypto", "code signing", "algorithm", "thumbprint", "serial number", "more" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/d11869fdfbf4bd87085e351b24d2c0e2ba5813fa267b05d969d9d2e46685d113_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183621&Signature=uQSwwOzpii%2FcKjaUt3UZ%2FKZ3C4DkSr3t5dURsz2pP4Es9CFMIWEz6oIAcURcfVri02K%2BedntrmLkvOs6c3g0yFcdgd9a82ARJF9jS5mDQGPXq9y54iiFvjgN98zNT%2BgoGoBF3IxeSAWO47BNwqYPY%2FzaVM0Pv14iXCBltAIH2Ss8R0OYrQytKcQLW48ggBvdA6fDl9x78WtpptMgs9Eu85KAN0wwHvtcrRpd1notnOQZYiYBk1qaAWD4HSrr", "https://vtbehaviour.commondatastorage.googleapis.com/d11869fdfbf4bd87085e351b24d2c0e2ba5813fa267b05d969d9d2e46685d113_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183658&Signature=tGjgj1F2qTBNB3zHOFjuVYbUuozwv%2FUH29aF5d5gmEhofNVf4N5DfD%2BmI9DjozB0MrJ96DeCjGEoPRo7i9Whr%2BThEkSnRgHkjV%2FPWe7tUL3zkNeuKXjs4bWH8BIxmdFyqGSy4cKx99ymtQAp%2F8AWxhqd15coMoLM31YqCpn8PnzvKtYQnIORJQjfhTUdyhha%2FmWvy7gaHGpZvJpaXiyF4IlYWdn9uYy%2FOSAR5Sh3f4F8fX3v", "https://vtbehaviour.commondatastorage.googleapis.com/000020331380e6110b5beba407728730579ebf170517913cc364e7dcb114187b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183676&Signature=IqbnhkkWYeM6kbjfuoTYF2bD3VY52MzFCe5v2P6L5%2FvT66S4ZUFYI3vDp1VG9lGc%2BD%2FJ2J3U67VgV%2BLYeRFGqnQdkctuODu7CXIAc%2FhcLsIB1HWqR9qge57%2FDpdeQUbM%2BjuZ5TWqdfA%2Bqhc1jioTcgrPNBR3JE6M97q%2BxKrz4CUb3WIOfl1mIP91XjXy2cReTAKc%2FsLCnmEvrIFVXx%2BaFUCpCCMCRxF8QOMb67WRJ8hD0iaM", "https://vtbehaviour.commondatastorage.googleapis.com/000020331380e6110b5beba407728730579ebf170517913cc364e7dcb114187b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183694&Signature=ZUnl%2FqTfn6nD5eHS7RvwcH%2Fv5Vtm4wB5Yc0hpeinjJ4Mk3V9%2FRkc6%2BJNireFTPFGSOwaLYwemKQwQA0okh9hYBN5ncSDlB6OSnED3OnM3iZUQDEdLBwgYUEP3M%2Bsg0s2XOV36s1V20ivPLzQVUrRM7CkuEyCsyWm7CCJQGdJBRcsNfR1BsgAOtLpiC6WPKr4xFa5QUh6PSgoGNXSDtj1Mk6Gs9iyav6G%2FtZYVoM%2FBUfcGg8W" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 16, "FileHash-SHA1": 3, "FileHash-SHA256": 175, "IPv4": 46, "URL": 114, "hostname": 130, "domain": 43 }, "indicator_count": 527, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "4 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69de69d60272ee6be0b6be75", "name": "VirusTotal report\n for document.html", "description": "A full report on malicious code found in an HTML file, compiled by Adobe, has been published by the University of California, San Francisco, at \u00c2\u00a31.5m (US$2.3m).", "modified": "2026-04-15T04:32:43.593000", "created": "2026-04-14T16:22:46.679000", "tags": [ "license", "performs dns", "mitre attack", "network info", "processes extra", "t1055 process", "overview", "overview zenbox", "verdict", "guest system", "phishing", "next", "script", "adobe", "apache license", "version", "unless", "as is", "basis", "any kind", "doctype html", "meta", "body", "pe file", "binary", "aslr", "ole file", "cname", "strong", "library", "accept", "cape sandbox", "pdb path", "name", "address virtual", "ip address", "shutdown", "pe32", "ms windows", "win16 ne", "os2 executable", "generic windos", "executable", "dos executable", "pe64 compiler", "ltcgc", "linker", "windows third", "party component", "valid from", "valid", "valid usage", "whql crypto", "code signing", "algorithm", "thumbprint", "serial number", "more" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/d11869fdfbf4bd87085e351b24d2c0e2ba5813fa267b05d969d9d2e46685d113_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183621&Signature=uQSwwOzpii%2FcKjaUt3UZ%2FKZ3C4DkSr3t5dURsz2pP4Es9CFMIWEz6oIAcURcfVri02K%2BedntrmLkvOs6c3g0yFcdgd9a82ARJF9jS5mDQGPXq9y54iiFvjgN98zNT%2BgoGoBF3IxeSAWO47BNwqYPY%2FzaVM0Pv14iXCBltAIH2Ss8R0OYrQytKcQLW48ggBvdA6fDl9x78WtpptMgs9Eu85KAN0wwHvtcrRpd1notnOQZYiYBk1qaAWD4HSrr", "https://vtbehaviour.commondatastorage.googleapis.com/d11869fdfbf4bd87085e351b24d2c0e2ba5813fa267b05d969d9d2e46685d113_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183658&Signature=tGjgj1F2qTBNB3zHOFjuVYbUuozwv%2FUH29aF5d5gmEhofNVf4N5DfD%2BmI9DjozB0MrJ96DeCjGEoPRo7i9Whr%2BThEkSnRgHkjV%2FPWe7tUL3zkNeuKXjs4bWH8BIxmdFyqGSy4cKx99ymtQAp%2F8AWxhqd15coMoLM31YqCpn8PnzvKtYQnIORJQjfhTUdyhha%2FmWvy7gaHGpZvJpaXiyF4IlYWdn9uYy%2FOSAR5Sh3f4F8fX3v", "https://vtbehaviour.commondatastorage.googleapis.com/000020331380e6110b5beba407728730579ebf170517913cc364e7dcb114187b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183676&Signature=IqbnhkkWYeM6kbjfuoTYF2bD3VY52MzFCe5v2P6L5%2FvT66S4ZUFYI3vDp1VG9lGc%2BD%2FJ2J3U67VgV%2BLYeRFGqnQdkctuODu7CXIAc%2FhcLsIB1HWqR9qge57%2FDpdeQUbM%2BjuZ5TWqdfA%2Bqhc1jioTcgrPNBR3JE6M97q%2BxKrz4CUb3WIOfl1mIP91XjXy2cReTAKc%2FsLCnmEvrIFVXx%2BaFUCpCCMCRxF8QOMb67WRJ8hD0iaM", "https://vtbehaviour.commondatastorage.googleapis.com/000020331380e6110b5beba407728730579ebf170517913cc364e7dcb114187b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183694&Signature=ZUnl%2FqTfn6nD5eHS7RvwcH%2Fv5Vtm4wB5Yc0hpeinjJ4Mk3V9%2FRkc6%2BJNireFTPFGSOwaLYwemKQwQA0okh9hYBN5ncSDlB6OSnED3OnM3iZUQDEdLBwgYUEP3M%2Bsg0s2XOV36s1V20ivPLzQVUrRM7CkuEyCsyWm7CCJQGdJBRcsNfR1BsgAOtLpiC6WPKr4xFa5QUh6PSgoGNXSDtj1Mk6Gs9iyav6G%2FtZYVoM%2FBUfcGg8W" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 16, "FileHash-SHA1": 3, "FileHash-SHA256": 175, "IPv4": 45, "URL": 111, "hostname": 130, "domain": 42 }, "indicator_count": 522, "is_author": false, "is_subscribing": null, "subscriber_count": 47, "modified_text": "4 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69de69d6c23c1920ae49419b", "name": "VirusTotal report\n for document.html", "description": "A full report on malicious code found in an HTML file, compiled by Adobe, has been published by the University of California, San Francisco, at \u00c2\u00a31.5m (US$2.3m).", "modified": "2026-04-15T04:32:41.929000", "created": "2026-04-14T16:22:46.723000", "tags": [ "license", "performs dns", "mitre attack", "network info", "processes extra", "t1055 process", "overview", "overview zenbox", "verdict", "guest system", "phishing", "next", "script", "adobe", "apache license", "version", "unless", "as is", "basis", "any kind", "doctype html", "meta", "body", "pe file", "binary", "aslr", "ole file", "cname", "strong", "library", "accept", "cape sandbox", "pdb path", "name", "address virtual", "ip address", "shutdown", "pe32", "ms windows", "win16 ne", "os2 executable", "generic windos", "executable", "dos executable", "pe64 compiler", "ltcgc", "linker", "windows third", "party component", "valid from", "valid", "valid usage", "whql crypto", "code signing", "algorithm", "thumbprint", "serial number", "more" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/d11869fdfbf4bd87085e351b24d2c0e2ba5813fa267b05d969d9d2e46685d113_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183621&Signature=uQSwwOzpii%2FcKjaUt3UZ%2FKZ3C4DkSr3t5dURsz2pP4Es9CFMIWEz6oIAcURcfVri02K%2BedntrmLkvOs6c3g0yFcdgd9a82ARJF9jS5mDQGPXq9y54iiFvjgN98zNT%2BgoGoBF3IxeSAWO47BNwqYPY%2FzaVM0Pv14iXCBltAIH2Ss8R0OYrQytKcQLW48ggBvdA6fDl9x78WtpptMgs9Eu85KAN0wwHvtcrRpd1notnOQZYiYBk1qaAWD4HSrr", "https://vtbehaviour.commondatastorage.googleapis.com/d11869fdfbf4bd87085e351b24d2c0e2ba5813fa267b05d969d9d2e46685d113_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183658&Signature=tGjgj1F2qTBNB3zHOFjuVYbUuozwv%2FUH29aF5d5gmEhofNVf4N5DfD%2BmI9DjozB0MrJ96DeCjGEoPRo7i9Whr%2BThEkSnRgHkjV%2FPWe7tUL3zkNeuKXjs4bWH8BIxmdFyqGSy4cKx99ymtQAp%2F8AWxhqd15coMoLM31YqCpn8PnzvKtYQnIORJQjfhTUdyhha%2FmWvy7gaHGpZvJpaXiyF4IlYWdn9uYy%2FOSAR5Sh3f4F8fX3v", "https://vtbehaviour.commondatastorage.googleapis.com/000020331380e6110b5beba407728730579ebf170517913cc364e7dcb114187b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183676&Signature=IqbnhkkWYeM6kbjfuoTYF2bD3VY52MzFCe5v2P6L5%2FvT66S4ZUFYI3vDp1VG9lGc%2BD%2FJ2J3U67VgV%2BLYeRFGqnQdkctuODu7CXIAc%2FhcLsIB1HWqR9qge57%2FDpdeQUbM%2BjuZ5TWqdfA%2Bqhc1jioTcgrPNBR3JE6M97q%2BxKrz4CUb3WIOfl1mIP91XjXy2cReTAKc%2FsLCnmEvrIFVXx%2BaFUCpCCMCRxF8QOMb67WRJ8hD0iaM", "https://vtbehaviour.commondatastorage.googleapis.com/000020331380e6110b5beba407728730579ebf170517913cc364e7dcb114187b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183694&Signature=ZUnl%2FqTfn6nD5eHS7RvwcH%2Fv5Vtm4wB5Yc0hpeinjJ4Mk3V9%2FRkc6%2BJNireFTPFGSOwaLYwemKQwQA0okh9hYBN5ncSDlB6OSnED3OnM3iZUQDEdLBwgYUEP3M%2Bsg0s2XOV36s1V20ivPLzQVUrRM7CkuEyCsyWm7CCJQGdJBRcsNfR1BsgAOtLpiC6WPKr4xFa5QUh6PSgoGNXSDtj1Mk6Gs9iyav6G%2FtZYVoM%2FBUfcGg8W" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 16, "FileHash-SHA1": 3, "FileHash-SHA256": 175, "IPv4": 46, "URL": 114, "hostname": 130, "domain": 44 }, "indicator_count": 528, "is_author": false, "is_subscribing": null, "subscriber_count": 47, "modified_text": "4 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69ded8198b25581a09b90824", "name": "BearShare \u2022 Solarwinds? \u2022 SearchSuite \u2022 Healthcare Administration", "description": "", "modified": "2026-04-15T00:13:13.981000", "created": "2026-04-15T00:13:13.981000", "tags": [ "Win32/SearchSuite", "pe32", "intel", "ms windows", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 installer", "install system", "compiler", "NSIS", "code signing", "serial number", "db d2", "de d3", "f3 e1", "issuer thawte", "primary root", "ca valid", "valid", "valid usage", "client auth", "algorithm", "rticon english", "type type", "chi2", "ico rtgroupicon", "english us", "capa", "c2 antianalysis", "executable", "sample appears", "installer", "installers well", "results may", "be misleading", "or incomplete", "analyze created", "techniques", "info modify", "files", "modify registry", "directory permi", "techniques none", "info", "scripting inte", "shared modules", "Bear Share", "urls", "ip address", "asn as8075", "united", "flag united", "name servers", "name domain", "org apple", "infinite loop", "city cupertino", "country us", "dnssec", "urlmailto", "urlhttps", "search", "urlhttp", "moved", "title", "encrypt", "certificate", "segoe ui", "otx logo", "url analysis", "tokyo", "msie", "chrome", "gmt content", "all ipv4", "zeppelin", "trojandropper", "cookie", "backdoor", "hash avast", "avg clamav", "msdefender feb", "k oct", "k may", "mtb feb", "mtb jan", "k aug", "windows nt", "dynamicloader", "unknown", "medium", "default", "as16509", "show", "powershell", "write", "xserver", "bearshar data", "passive dns", "pulse submit", "port", "destination", "high", "displayname", "windows", "win64", "tofsee", "stream", "malware", "push", "next", "asnone", "germany as8560", "russia as198610", "strings", "is__elf", "systembc_linux_variant", "khtml", "gecko", "acceptencoding", "get na", "macintosh", "intel mac", "accept", "france as16276", "yara detections", "contacted", "all filehash", "sha256", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "tls sni", "less see", "all ip", "Apple", "xordata", "United States" ], "references": [ "b9e4e47c3f96846c30581c08acf5bc56.virus", "BearShare Install File Version 12.0.0.135802", "Musiclab, LLC", "msoid.applemanic.com \u2022 msoid.giftcardapple.shop \u2022 msoid.appleportconsulting.com", "gateway.fe.apple-dns.net \u2022 apple-dns.net", "africa.konnect.com", "http://scratch-mit-edu.027.cloudns.asia/users/alessandrito123", "euw-serp-dev-testing19.duck.ai", "account-apple.com", "Win.Trojan.Tofsee-7102058-0 , Backdoor:Win32/Tofsee.T", "IDS Detections Win32/Tofsee.AX google.com connectivity check Observed Telegram Domain (t .me in TLS SNI)", "Yara Detections: Tofsee", "Alerts: behavior_tofsee creates_largekey injection_write_exe_process network_bind", "Alerts: persistence_autorun persistence_autorun_tasks procmem_yara static_pe_anomaly", "Alerts: suricata_alert antivm_generic_services physical_drive_access deletes_executed_files", "Alerts: deletes_self injection_runpe persistence_ads suspicious_command_tools", "Alerts: anomalous_deletefile antisandbox_sleep dead_connect dynamic_function_loading", "IP\u2019s Contacted: 47.43.26.4 195.35.13.119 149.154.167.99 185.138.56.214 142.250.147.26 81.88.48.101", "IP\u2019s Contacted: 104.21.72.117 172.66.156.195 157.240.200.174 141.193.213.20", "Domains Contacted: microsoft.com microsoft-com.mail.protection.outlook.com vanaheim.cn yahoo.com mta6.am0.yahoodns.net 13.205.167.198.dnsbl.sorbs.net 13.205.167.198.bl.spamcop.net 13.205.167.198.zen.spamhaus.org 13.205.167.198.sbl-xbl.spamhaus.org 13.205.167.198.cbl.abuseat.org", "https://perigon-one.au.itglue.com/password_shared_links/52f082d3-d889-4db5-ae03-c7bfcbe5aa21", "https://identity.prd-cdc.jemena.com.au/pages/jemena-reset-password", "https://in2it.itglue.com/password_shared_links/9b0e2a1d-b554-4f0c-a333-390e41defe8e", "https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback&response_type=code&scope=openid+email+profile&state=uJZE80MW6TdJQjbI0RWXhnF3SpYZXckLkfafnEHgr_I:", "https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback", "ids-apple.com \u2022 itunes.org", "xn--cloud-4sa.com", "http://cab.applemarketingtools.com", "http://console.applemarketingtools.com/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Spain", "France", "United Kingdom of Great Britain and Northern Ireland", "Netherlands", "Japan", "Switzerland", "Madagascar", "Finland", "Germany", "Russian Federation" ], "malware_families": [ { "id": "Win32/SearchSuite", "display_name": "Win32/SearchSuite", "target": null }, { "id": "Win32.Application.BearShare.A", "display_name": "Win32.Application.BearShare.A", "target": null }, { "id": "Exploit:Win32/CVE-2017-0147", "display_name": "Exploit:Win32/CVE-2017-0147", "target": "/malware/Exploit:Win32/CVE-2017-0147" }, { "id": "CVE-2023-22518", "display_name": "CVE-2023-22518", "target": null }, { "id": "Win.Packed.Bandook-9882274-1", "display_name": "Win.Packed.Bandook-9882274-1", "target": null }, { "id": "Win.Trojan.Tofsee-7102058-0", "display_name": "Win.Trojan.Tofsee-7102058-0", "target": null }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "TrojanDownloader:Win32/Cutwail", "display_name": "TrojanDownloader:Win32/Cutwail", "target": "/malware/TrojanDownloader:Win32/Cutwail" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [ "Government", "Healthcare", "Technology" ], "TLP": "green", "cloned_from": "69dab27a0493e0e80a0f35cd", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 138, "FileHash-SHA1": 119, "FileHash-SHA256": 3553, "IPv4": 633, "CVE": 2, "URL": 6134, "domain": 2439, "hostname": 2271, "email": 9, "SSLCertFingerprint": 2 }, "indicator_count": 15300, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "4 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://forms.cloud.microsoft/pages/responsepage.aspx...", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://forms.cloud.microsoft/pages/responsepage.aspx...", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776629359.0767326 }