{
  "type": "URL",
  "indicator": "https://js.monitor.azure.com/scripts/a/ai.0.js'",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://js.monitor.azure.com/scripts/a/ai.0.js'",
    "type": "url",
    "type_title": "URL",
    "validation": [
      {
        "source": "akamai",
        "message": "Akamai rank: #45",
        "name": "Akamai Popular Domain"
      },
      {
        "source": "whitelist",
        "message": "Whitelisted domain azure.com",
        "name": "Whitelisted domain"
      },
      {
        "source": "majestic",
        "message": "Whitelisted domain azure.com",
        "name": "Whitelisted domain"
      }
    ],
    "base_indicator": {
      "id": 4241299791,
      "indicator": "https://js.monitor.azure.com/scripts/a/ai.0.js'",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 8,
      "pulses": [
        {
          "id": "69fae1934f6e33a4ccf7541f",
          "name": "Habo Analysis System + My own Iocs - Dropped Spybot Extraction with Invalid X[RAR] Cert.",
          "description": "1. Certificate Stuffing & Root Exploitation: This binary employs a high-level Certificate Grafting technique. The threat actor has manually appended a chain of X.509 certificates to the file's overlay to manipulate the host's trust store. The Microsoft Anchor: The inclusion of the Microsoft Code Verification Root (Serial: 610C1206...) is a strategic TTP. By pinning a defunct Safer Networking Ltd. certificate to a Microsoft root, the binary aims to exploit Windows Authenticode logic which may default to \"Trusted\" if the root is recognized, regardless of leaf expiration. Signature Status: Invalid/Not Signed. Despite the 22MB of certificate metadata, the Authentihash does not match. The certificates are static artifacts in the overlay, not functional cryptographic signatures. 2. Hardware-Level Evasion (RDTSC): The sample contains Direct CPU Clock Access (RDTSC) instructions. This is non-standard behavior for legitimate installers and is used for Anti-Analysis (T1497.001). See References for more information.",
          "modified": "2026-05-06T08:11:11.834000",
          "created": "2026-05-06T06:37:07.013000",
          "tags": [
            "technology",
            "subdomains",
            "date",
            "domain status",
            "registrar abuse",
            "handle",
            "dnssec",
            "registrar",
            "record type",
            "ttl value",
            "rdap",
            "rdap database",
            "entity",
            "code",
            "contact",
            "iana registrar",
            "markmonitor",
            "domain name",
            "registrant city",
            "us registrant",
            "email",
            "registrant fax",
            "server",
            "iana id",
            "contact phone",
            "registrar url",
            "registrar whois",
            "search",
            "filesspybot",
            "detail info",
            "tickcount",
            "text",
            "classname",
            "processid",
            "threadid",
            "startaddress",
            "parameter",
            "window",
            "behaviour",
            "spybot",
            "class",
            "shell",
            "find",
            "serial number",
            "verisign time",
            "stamping",
            "ca valid",
            "from",
            "code signing",
            "algorithm",
            "thumbprint",
            "signer",
            "ca name",
            "verisign class",
            "symantec time",
            "root valid",
            "neutral",
            "ascii text",
            "russian neutral",
            "data rtdialog",
            "chromium"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/afad4f7fca4a8e2fd3e5a3dc3da079684bae7cc0bc2692ce70cd9ffd188b5034_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778048469&Signature=3y8LGGE52IUhhx7hMK9GsZthoRtiom8xy%2Fc5fyc0MJCsTSAblPs7nnE0YLV9E0mixvkxzBSCDGMpIt5vnQeTQ8t23sFEPJfm6SpG8DL4RXYGw7c6UALrxOofauzPiAuvBf%2Bnw5biEXDjWFuplGYRt83ZncF0nR5Bj4iwk2qDJ0xdgl86BUkgtNNd04hN16UsjAaL%2BojrFR4%2Fi%2F49ETbftnR2dvnXyVfPU0e0AF2TTg2hk8In2OMG",
            "The PE creation date is 2013, but the first global submission was 2021. This indicates a \"dormant\" or \"re-packed\" binary where a legacy installer was modified to serve as a modern dropper. Staged Execution: The binary drops spybotsd162.exe and .tmp variants into %TEMP%. This creates a TTP Chain where the initial \"trusted\" process spawns secondary, unsigned payloads to establish persistence while the user believes they are running a routine security scan.",
            "Temporal Inconsistency & Persistence: The 8-Year Gap.",
            "The code measures CPU cycles to detect the \"timing slide\" caused by hypervisor intervention in a Sandbox or Virtual Machine. Conditional Detonation: If the environment is identified as a VM, the malicious payload remains suppressed to prevent capture by automated security orchestration.",
            "This is a Weaponized Wrapper. Whether deployed by a malicious actor or a rogue enterprise entity, the technical reality is the same: the file uses Brand Reputations and Microsoft Root Strings to bypass the standard \"Gatekeeper\" functions of the OS.",
            "Pending Rec-Block Hash: afad4f7fca4a8e2fd3e5a3dc3da079684bae7cc0bc2692ce70cd9ffd188b5034",
            "Rec: Process Monitoring: Audit all instances of RDTSC calls originating from unsigned binaries in the %USERPROFILE%\\Downloads or %TEMP% directories.",
            "",
            "<Missing CN> | Issuer: Microsoft Code Verification Root | Valid From: 2006-05-23 17:01:29 | Valid To: 2016-05-23 17:11:29 | Algorithm: sha1RSA | Thumbprint: 58455389CF1D0CD6A08E3CE216F65ADFF7A86408 | Serial Number: 61 0C 12 06 00 00 00 00 00 1B",
            "2023-02-24 | 0 / 69 | Win32 EXE | SpyBot - Search & Destroy 1.6.0.30 Final.tmp"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1030",
              "name": "Data Transfer Size Limits",
              "display_name": "T1030 - Data Transfer Size Limits"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 99,
            "FileHash-SHA1": 75,
            "FileHash-SHA256": 342,
            "IPv4": 45,
            "domain": 14,
            "hostname": 102,
            "email": 3,
            "URL": 51
          },
          "indicator_count": 731,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "25 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69cc8243d6e7b1edbf302f20",
          "name": "CAPE Sandbox",
          "description": "MD5\n8841e3e96c8cceffe1e1845c120b54eb\nSHA-1\n16e14b0380b06baa2b8598061e169e104c51889f\nSHA-256\nfb43553d906781edd1ae894cf50d7735a1207fcad1123eb837d55eb4d448fed4\nVhash\n89763c2de97baa7cc2c12f6e65e2749d",
          "modified": "2026-05-01T02:13:09.867000",
          "created": "2026-04-01T02:26:11.619000",
          "tags": [
            "script",
            "javascript",
            "google tag",
            "manager",
            "date",
            "meta",
            "doctype html",
            "gb22bz6q819",
            "cpdatalayerga4",
            "gtmk73c5ps",
            "window",
            "trace",
            "error",
            "title",
            "body"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/fb43553d906781edd1ae894cf50d7735a1207fcad1123eb837d55eb4d448fed4_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775010521&Signature=OXcJ1J8Kk03zwe4PPibmxigPvsepBg8TfuxQybtAhd9qJkWY0SJXJDVPahU9SgbUE32735eNKJ5Lx80XE%2FmLlpqjQ9NjkeZ2yTF2VoFr8PJtzADo5KVOoNEIUG%2BbI0Ob9IpPjdjyd0SPtYF4e9JU4gkthj5G5dG3htFzR0L2NklppXhWW25bOpf%2FUkclXmnigkZVOgZBgKqevwAcZewRXXHqIhBp3pNkRs1qz%2FEtOrIHjO3F3potdQ"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 1,
            "URL": 11,
            "domain": 5,
            "hostname": 58
          },
          "indicator_count": 77,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "30 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69cc82447d69c56d976f8d49",
          "name": "CAPE Sandbox",
          "description": "MD5\n8841e3e96c8cceffe1e1845c120b54eb\nSHA-1\n16e14b0380b06baa2b8598061e169e104c51889f\nSHA-256\nfb43553d906781edd1ae894cf50d7735a1207fcad1123eb837d55eb4d448fed4\nVhash\n89763c2de97baa7cc2c12f6e65e2749d",
          "modified": "2026-05-01T02:13:09.867000",
          "created": "2026-04-01T02:26:12.968000",
          "tags": [
            "script",
            "javascript",
            "google tag",
            "manager",
            "date",
            "meta",
            "doctype html",
            "gb22bz6q819",
            "cpdatalayerga4",
            "gtmk73c5ps",
            "window",
            "trace",
            "error",
            "title",
            "body"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/fb43553d906781edd1ae894cf50d7735a1207fcad1123eb837d55eb4d448fed4_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775010521&Signature=OXcJ1J8Kk03zwe4PPibmxigPvsepBg8TfuxQybtAhd9qJkWY0SJXJDVPahU9SgbUE32735eNKJ5Lx80XE%2FmLlpqjQ9NjkeZ2yTF2VoFr8PJtzADo5KVOoNEIUG%2BbI0Ob9IpPjdjyd0SPtYF4e9JU4gkthj5G5dG3htFzR0L2NklppXhWW25bOpf%2FUkclXmnigkZVOgZBgKqevwAcZewRXXHqIhBp3pNkRs1qz%2FEtOrIHjO3F3potdQ"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 1,
            "URL": 11,
            "domain": 5,
            "hostname": 58
          },
          "indicator_count": 77,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "30 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69cc5400b703689bcc63312e",
          "name": "CAPE Sandbox",
          "description": "Google Tag Manager for GA4 a search engine for the Google Chrome operating system - is available on the web at 23:00 GMT on Wednesday, 2 February 2017, and here is the full report.>>pretext",
          "modified": "2026-04-30T23:10:15.978000",
          "created": "2026-03-31T23:08:48.290000",
          "tags": [
            "script",
            "javascript",
            "google tag",
            "manager",
            "home",
            "title",
            "doctype html",
            "g2tc34beqq1",
            "date",
            "cpdatalayerga4",
            "window",
            "trace",
            "error",
            "meta",
            "body"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/c977a561765c2861793b64324a98233900e8db2b4838c90c96b84012115a7f32_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1774998732&Signature=abklSr27zG%2F95pmGLD5i5gIecIdJzpeybqDkc8ZQ6eAGLLhJYcwfLaMfxS9UdnDoOI%2Fsik9D4jzjSu183OS1xShSpLV39hNHSjeQKdZKFU%2BdfMeBXugDh4vaioMbECTIZIsBAjAF2exzqw%2BqiLoOV916%2B3gYI7g%2B5ps4ETYxXzNUW1MgfE5NCmJk2yyrNpwU%2BzXh80Y2yFZBuXfSma7kqffjSU4etSbDyCcWEcOXweo5aai0"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 1,
            "URL": 10,
            "domain": 5,
            "hostname": 58
          },
          "indicator_count": 76,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "31 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69c0b65eb3a9d8321a855397",
          "name": "CAPE Sandbox",
          "description": "Google has released a full report on the performance of its artificial intelligence platform, GA4, using its own tag manager for the Google Tag Manager, which can be accessed via the web browser or app.",
          "modified": "2026-04-22T03:27:13.249000",
          "created": "2026-03-23T03:41:18.381000",
          "tags": [
            "script",
            "javascript",
            "google tag",
            "manager",
            "home",
            "title",
            "doctype html",
            "g2tc34beqq1",
            "date",
            "cpdatalayerga4",
            "window",
            "trace",
            "error",
            "meta",
            "body"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/8e5997a654929867a07dcf89077a7b571bffd57ea59834ec3bdcae6304f60f49_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1774237536&Signature=rmgld9x39huQoZokOZEU%2Fom7Zo3DZwxPyIY6VvGpkYwIXdEo2IGYGgiA%2F75LOe2QmdJ0Q4uZDy5LsX0t2jiM%2B4WePTrJ6%2BSK2FgeUJsRq7GXDErhYh8wZVEfv3n57blHELTkUPnxbVaSqHb8%2FcbwlU9ox1C%2F%2BQRJDqtmVfG6OnC6O0MyYgrcJfKe2tC4LRS5ETSkgdA3Tm9aIwBruUNMzGQaW%2F7dQkoAEEofGoeseUrell"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 2,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 2,
            "URL": 20,
            "domain": 9,
            "hostname": 68
          },
          "indicator_count": 103,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "39 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69aa842cef967c844adef1de",
          "name": "CAPE Sandbox part 2 - see part 1",
          "description": "heartbreaking",
          "modified": "2026-04-05T11:04:28.804000",
          "created": "2026-03-06T07:37:16.417000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1014",
              "name": "Rootkit",
              "display_name": "T1014 - Rootkit"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1203",
              "name": "Exploitation for Client Execution",
              "display_name": "T1203 - Exploitation for Client Execution"
            },
            {
              "id": "T1485",
              "name": "Data Destruction",
              "display_name": "T1485 - Data Destruction"
            },
            {
              "id": "T1496",
              "name": "Resource Hijacking",
              "display_name": "T1496 - Resource Hijacking"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1542",
              "name": "Pre-OS Boot",
              "display_name": "T1542 - Pre-OS Boot"
            },
            {
              "id": "T1548",
              "name": "Abuse Elevation Control Mechanism",
              "display_name": "T1548 - Abuse Elevation Control Mechanism"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 3905,
            "FileHash-SHA1": 3515,
            "FileHash-SHA256": 8002,
            "URL": 982,
            "hostname": 2532,
            "domain": 164,
            "email": 1
          },
          "indicator_count": 19101,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "56 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69a90f69274935b1a5d045ae",
          "name": "Malware",
          "description": "A full report on the Cuckoo malware has been published by researchers at the University of California, Los Angeles, and by the European Commission (ECB) in the UK, with the following:",
          "modified": "2026-04-04T05:18:12.440000",
          "created": "2026-03-05T05:06:49.844000",
          "tags": [
            "files c",
            "state c",
            "nel c",
            "data",
            "parent pid",
            "full path",
            "command line",
            "registry keys",
            "datacrashpad",
            "datadefault c",
            "shutdown",
            "guard",
            "back"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 232,
            "FileHash-SHA1": 248,
            "FileHash-SHA256": 3023,
            "domain": 13,
            "hostname": 171,
            "URL": 12
          },
          "indicator_count": 3699,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "57 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69a90edfed1e02cd32d0c4e9",
          "name": "The Root Problem",
          "description": "33ba8221ff3f5211b6b08004d7a48fb4ccfbef8450715cfbfa299cc1b617d7a0\ntype\nCAB 1 Yara Detection",
          "modified": "2026-03-06T00:33:30.080000",
          "created": "2026-03-05T05:04:31.983000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 1,
            "URL": 1,
            "hostname": 1
          },
          "indicator_count": 5,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 65,
          "modified_text": "87 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "",
        "https://vtbehaviour.commondatastorage.googleapis.com/8e5997a654929867a07dcf89077a7b571bffd57ea59834ec3bdcae6304f60f49_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1774237536&Signature=rmgld9x39huQoZokOZEU%2Fom7Zo3DZwxPyIY6VvGpkYwIXdEo2IGYGgiA%2F75LOe2QmdJ0Q4uZDy5LsX0t2jiM%2B4WePTrJ6%2BSK2FgeUJsRq7GXDErhYh8wZVEfv3n57blHELTkUPnxbVaSqHb8%2FcbwlU9ox1C%2F%2BQRJDqtmVfG6OnC6O0MyYgrcJfKe2tC4LRS5ETSkgdA3Tm9aIwBruUNMzGQaW%2F7dQkoAEEofGoeseUrell",
        "This is a Weaponized Wrapper. Whether deployed by a malicious actor or a rogue enterprise entity, the technical reality is the same: the file uses Brand Reputations and Microsoft Root Strings to bypass the standard \"Gatekeeper\" functions of the OS.",
        "2023-02-24 | 0 / 69 | Win32 EXE | SpyBot - Search & Destroy 1.6.0.30 Final.tmp",
        "The code measures CPU cycles to detect the \"timing slide\" caused by hypervisor intervention in a Sandbox or Virtual Machine. Conditional Detonation: If the environment is identified as a VM, the malicious payload remains suppressed to prevent capture by automated security orchestration.",
        "Pending Rec-Block Hash: afad4f7fca4a8e2fd3e5a3dc3da079684bae7cc0bc2692ce70cd9ffd188b5034",
        "The PE creation date is 2013, but the first global submission was 2021. This indicates a \"dormant\" or \"re-packed\" binary where a legacy installer was modified to serve as a modern dropper. Staged Execution: The binary drops spybotsd162.exe and .tmp variants into %TEMP%. This creates a TTP Chain where the initial \"trusted\" process spawns secondary, unsigned payloads to establish persistence while the user believes they are running a routine security scan.",
        "https://vtbehaviour.commondatastorage.googleapis.com/fb43553d906781edd1ae894cf50d7735a1207fcad1123eb837d55eb4d448fed4_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775010521&Signature=OXcJ1J8Kk03zwe4PPibmxigPvsepBg8TfuxQybtAhd9qJkWY0SJXJDVPahU9SgbUE32735eNKJ5Lx80XE%2FmLlpqjQ9NjkeZ2yTF2VoFr8PJtzADo5KVOoNEIUG%2BbI0Ob9IpPjdjyd0SPtYF4e9JU4gkthj5G5dG3htFzR0L2NklppXhWW25bOpf%2FUkclXmnigkZVOgZBgKqevwAcZewRXXHqIhBp3pNkRs1qz%2FEtOrIHjO3F3potdQ",
        "https://vtbehaviour.commondatastorage.googleapis.com/c977a561765c2861793b64324a98233900e8db2b4838c90c96b84012115a7f32_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1774998732&Signature=abklSr27zG%2F95pmGLD5i5gIecIdJzpeybqDkc8ZQ6eAGLLhJYcwfLaMfxS9UdnDoOI%2Fsik9D4jzjSu183OS1xShSpLV39hNHSjeQKdZKFU%2BdfMeBXugDh4vaioMbECTIZIsBAjAF2exzqw%2BqiLoOV916%2B3gYI7g%2B5ps4ETYxXzNUW1MgfE5NCmJk2yyrNpwU%2BzXh80Y2yFZBuXfSma7kqffjSU4etSbDyCcWEcOXweo5aai0",
        "https://vtbehaviour.commondatastorage.googleapis.com/afad4f7fca4a8e2fd3e5a3dc3da079684bae7cc0bc2692ce70cd9ffd188b5034_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778048469&Signature=3y8LGGE52IUhhx7hMK9GsZthoRtiom8xy%2Fc5fyc0MJCsTSAblPs7nnE0YLV9E0mixvkxzBSCDGMpIt5vnQeTQ8t23sFEPJfm6SpG8DL4RXYGw7c6UALrxOofauzPiAuvBf%2Bnw5biEXDjWFuplGYRt83ZncF0nR5Bj4iwk2qDJ0xdgl86BUkgtNNd04hN16UsjAaL%2BojrFR4%2Fi%2F49ETbftnR2dvnXyVfPU0e0AF2TTg2hk8In2OMG",
        "Temporal Inconsistency & Persistence: The 8-Year Gap.",
        "Rec: Process Monitoring: Audit all instances of RDTSC calls originating from unsigned binaries in the %USERPROFILE%\\Downloads or %TEMP% directories.",
        "<Missing CN> Issuer Microsoft Code Verification Root Valid From 2006-05-23 17:01:29 Valid To 2016-05-23 17:11:29 Algorithm sha1RSA Thumbprint 58455389CF1D0CD6A08E3CE216F65ADFF7A86408 Serial Number 61 0C 12 06 00 00 00 00 00 1B"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 0
        },
        "other": {
          "adversary": [],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 6782
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/azure.com",
    "whois": "http://whois.domaintools.com/azure.com",
    "domain": "azure.com",
    "hostname": "js.monitor.azure.com"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 8,
  "pulses": [
    {
      "id": "69fae1934f6e33a4ccf7541f",
      "name": "Habo Analysis System + My own Iocs - Dropped Spybot Extraction with Invalid X[RAR] Cert.",
      "description": "Certificate Stuffing & Root Exploitation - This binary employs a high-level Certificate Grafting technique. The threat actor has manually appended a chain of X509 certificates to the file's overlay to manipulate the host's trust store. The Microsoft Anchor: The inclusion of the Microsoft Code Verification Root (Serial: 610C1206...) is a strategic TTP. By pinning a defunct Safer Networking Ltd. certificate to a Microsoft root, the binary aims to exploit Windows Authenticode logic which may default to \"Trusted\" if the root is recognized, regardless of leaf expiration. Signature Status: Invalid/Not Signed. Despite the 22MB of certificate metadata, the Authentihash does not match. The certificates are static artifacts in the overlay, not functional cryptographic signatures. 2. Hardware-Level Evasion (RDTSC): The sample contains Direct CPU Clock Access (RDTSC) instructions. This is a non-standard behavior for legitimate installers and is used for Anti-Analysis (T1497.001): See References for more information.",
      "modified": "2026-05-06T08:11:11.834000",
      "created": "2026-05-06T06:37:07.013000",
      "tags": [
        "technology",
        "subdomains",
        "date",
        "domain status",
        "registrar abuse",
        "handle",
        "dnssec",
        "registrar",
        "record type",
        "ttl value",
        "rdap",
        "rdap database",
        "entity",
        "code",
        "contact",
        "iana registrar",
        "markmonitor",
        "domain name",
        "registrant city",
        "us registrant",
        "email",
        "registrant fax",
        "server",
        "iana id",
        "contact phone",
        "registrar url",
        "registrar whois",
        "search",
        "filesspybot",
        "detail info",
        "tickcount",
        "text",
        "classname",
        "processid",
        "threadid",
        "startaddress",
        "parameter",
        "window",
        "behaviour",
        "spybot",
        "class",
        "shell",
        "find",
        "serial number",
        "verisign time",
        "stamping",
        "ca valid",
        "from",
        "code signing",
        "algorithm",
        "thumbprint",
        "signer",
        "ca name",
        "verisign class",
        "symantec time",
        "root valid",
        "neutral",
        "ascii text",
        "russian neutral",
        "data rtdialog",
        "chromium"
      ],
      "references": [
        "https://vtbehaviour.commondatastorage.googleapis.com/afad4f7fca4a8e2fd3e5a3dc3da079684bae7cc0bc2692ce70cd9ffd188b5034_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778048469&Signature=3y8LGGE52IUhhx7hMK9GsZthoRtiom8xy%2Fc5fyc0MJCsTSAblPs7nnE0YLV9E0mixvkxzBSCDGMpIt5vnQeTQ8t23sFEPJfm6SpG8DL4RXYGw7c6UALrxOofauzPiAuvBf%2Bnw5biEXDjWFuplGYRt83ZncF0nR5Bj4iwk2qDJ0xdgl86BUkgtNNd04hN16UsjAaL%2BojrFR4%2Fi%2F49ETbftnR2dvnXyVfPU0e0AF2TTg2hk8In2OMG",
        "The PE creation date is 2013, but the first global submission was 2021. This indicates a \"dormant\" or \"re-packed\" binary where a legacy installer was modified to serve as a modern dropper. Staged Execution: The binary drops spybotsd162.exe and .tmp variants into %TEMP%. This creates a TTP Chain where the initial \"trusted\" process spawns secondary, unsigned payloads to establish persistence while the user believes they are running a routine security scan.",
        "Temporal Inconsistency & Persistence: The 8-Year Gap.",
        "The code measures CPU cycles to detect the \"timing slide\" caused by hypervisor intervention in a Sandbox or Virtual Machine. Conditional Detonation: If the environment is identified as a VM, the malicious payload remains suppressed to prevent capture by automated security orchestration.",
        "This is a Weaponized Wrapper. Whether deployed by a malicious actor or a rogue enterprise entity, the technical reality is the same: the file uses Brand Reputations and Microsoft Root Strings to bypass the standard \"Gatekeeper\" functions of the OS.",
        "Pending Rec-Block Hash: afad4f7fca4a8e2fd3e5a3dc3da079684bae7cc0bc2692ce70cd9ffd188b5034",
        "Rec: Process Monitoring: Audit all instances of RDTSC calls originating from unsigned binaries in the %USERPROFILE%\\Downloads or %TEMP% directories.",
        "",
        "<Missing CN> Issuer Microsoft Code Verification Root Valid From 2006-05-23 17:01:29 Valid To 2016-05-23 17:11:29 Algorithm sha1RSA Thumbprint 58455389CF1D0CD6A08E3CE216F65ADFF7A86408 Serial Number 61 0C 12 06 00 00 00 00 00 1B",
        "2023-02-24 0 / 69 Win32 EXE SpyBot - Search & Destroy 1.6.0.30 Final.tmp"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1030",
          "name": "Data Transfer Size Limits",
          "display_name": "T1030 - Data Transfer Size Limits"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 99,
        "FileHash-SHA1": 75,
        "FileHash-SHA256": 342,
        "IPv4": 45,
        "domain": 14,
        "hostname": 102,
        "email": 3,
        "URL": 51
      },
      "indicator_count": 731,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "25 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69cc8243d6e7b1edbf302f20",
      "name": "CAPE Sandbox",
      "description": "8841e3e96c8cceffe1e1845c120b54eb\nSHA-1\n16e14b0380b06baa2b8598061e169e104c51889f\nSHA-256\nfb43553d906781edd1ae894cf50d7735a1207fcad1123eb837d55eb4d448fed4\nVhash\n89763c2de97baa7cc2c12f6e65e2749d",
      "modified": "2026-05-01T02:13:09.867000",
      "created": "2026-04-01T02:26:11.619000",
      "tags": [
        "script",
        "javascript",
        "google tag",
        "manager",
        "date",
        "meta",
        "doctype html",
        "gb22bz6q819",
        "cpdatalayerga4",
        "gtmk73c5ps",
        "window",
        "trace",
        "error",
        "title",
        "body"
      ],
      "references": [
        "https://vtbehaviour.commondatastorage.googleapis.com/fb43553d906781edd1ae894cf50d7735a1207fcad1123eb837d55eb4d448fed4_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775010521&Signature=OXcJ1J8Kk03zwe4PPibmxigPvsepBg8TfuxQybtAhd9qJkWY0SJXJDVPahU9SgbUE32735eNKJ5Lx80XE%2FmLlpqjQ9NjkeZ2yTF2VoFr8PJtzADo5KVOoNEIUG%2BbI0Ob9IpPjdjyd0SPtYF4e9JU4gkthj5G5dG3htFzR0L2NklppXhWW25bOpf%2FUkclXmnigkZVOgZBgKqevwAcZewRXXHqIhBp3pNkRs1qz%2FEtOrIHjO3F3potdQ"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 1,
        "FileHash-SHA1": 1,
        "FileHash-SHA256": 1,
        "URL": 11,
        "domain": 5,
        "hostname": 58
      },
      "indicator_count": 77,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 66,
      "modified_text": "30 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69cc82447d69c56d976f8d49",
      "name": "CAPE Sandbox",
      "description": "8841e3e96c8cceffe1e1845c120b54eb\nSHA-1\n16e14b0380b06baa2b8598061e169e104c51889f\nSHA-256\nfb43553d906781edd1ae894cf50d7735a1207fcad1123eb837d55eb4d448fed4\nVhash\n89763c2de97baa7cc2c12f6e65e2749d",
      "modified": "2026-05-01T02:13:09.867000",
      "created": "2026-04-01T02:26:12.968000",
      "tags": [
        "script",
        "javascript",
        "google tag",
        "manager",
        "date",
        "meta",
        "doctype html",
        "gb22bz6q819",
        "cpdatalayerga4",
        "gtmk73c5ps",
        "window",
        "trace",
        "error",
        "title",
        "body"
      ],
      "references": [
        "https://vtbehaviour.commondatastorage.googleapis.com/fb43553d906781edd1ae894cf50d7735a1207fcad1123eb837d55eb4d448fed4_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775010521&Signature=OXcJ1J8Kk03zwe4PPibmxigPvsepBg8TfuxQybtAhd9qJkWY0SJXJDVPahU9SgbUE32735eNKJ5Lx80XE%2FmLlpqjQ9NjkeZ2yTF2VoFr8PJtzADo5KVOoNEIUG%2BbI0Ob9IpPjdjyd0SPtYF4e9JU4gkthj5G5dG3htFzR0L2NklppXhWW25bOpf%2FUkclXmnigkZVOgZBgKqevwAcZewRXXHqIhBp3pNkRs1qz%2FEtOrIHjO3F3potdQ"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 1,
        "FileHash-SHA1": 1,
        "FileHash-SHA256": 1,
        "URL": 11,
        "domain": 5,
        "hostname": 58
      },
      "indicator_count": 77,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 66,
      "modified_text": "30 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69cc5400b703689bcc63312e",
      "name": "CAPE Sandbox",
      "description": "Google TagManager for GA4 a search engine for the Google Chrome operating system - is available on the web at 23:00 GMT on Wednesday, 2 February 2017, and here is the full report.>>pretext",
      "modified": "2026-04-30T23:10:15.978000",
      "created": "2026-03-31T23:08:48.290000",
      "tags": [
        "script",
        "javascript",
        "google tag",
        "manager",
        "home",
        "title",
        "doctype html",
        "g2tc34beqq1",
        "date",
        "cpdatalayerga4",
        "window",
        "trace",
        "error",
        "meta",
        "body"
      ],
      "references": [
        "https://vtbehaviour.commondatastorage.googleapis.com/c977a561765c2861793b64324a98233900e8db2b4838c90c96b84012115a7f32_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1774998732&Signature=abklSr27zG%2F95pmGLD5i5gIecIdJzpeybqDkc8ZQ6eAGLLhJYcwfLaMfxS9UdnDoOI%2Fsik9D4jzjSu183OS1xShSpLV39hNHSjeQKdZKFU%2BdfMeBXugDh4vaioMbECTIZIsBAjAF2exzqw%2BqiLoOV916%2B3gYI7g%2B5ps4ETYxXzNUW1MgfE5NCmJk2yyrNpwU%2BzXh80Y2yFZBuXfSma7kqffjSU4etSbDyCcWEcOXweo5aai0"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 1,
        "FileHash-SHA1": 1,
        "FileHash-SHA256": 1,
        "URL": 10,
        "domain": 5,
        "hostname": 58
      },
      "indicator_count": 76,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 66,
      "modified_text": "31 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69c0b65eb3a9d8321a855397",
      "name": "CAPE Sandbox",
      "description": "Google has released a full report on the performance of its artificial intelligence platform, GA4, using its own tag manager for the Google Tag Manager, which can be accessed via the web browser or app.",
      "modified": "2026-04-22T03:27:13.249000",
      "created": "2026-03-23T03:41:18.381000",
      "tags": [
        "script",
        "javascript",
        "google tag",
        "manager",
        "home",
        "title",
        "doctype html",
        "g2tc34beqq1",
        "date",
        "cpdatalayerga4",
        "window",
        "trace",
        "error",
        "meta",
        "body"
      ],
      "references": [
        "https://vtbehaviour.commondatastorage.googleapis.com/8e5997a654929867a07dcf89077a7b571bffd57ea59834ec3bdcae6304f60f49_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1774237536&Signature=rmgld9x39huQoZokOZEU%2Fom7Zo3DZwxPyIY6VvGpkYwIXdEo2IGYGgiA%2F75LOe2QmdJ0Q4uZDy5LsX0t2jiM%2B4WePTrJ6%2BSK2FgeUJsRq7GXDErhYh8wZVEfv3n57blHELTkUPnxbVaSqHb8%2FcbwlU9ox1C%2F%2BQRJDqtmVfG6OnC6O0MyYgrcJfKe2tC4LRS5ETSkgdA3Tm9aIwBruUNMzGQaW%2F7dQkoAEEofGoeseUrell"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 2,
        "FileHash-SHA1": 2,
        "FileHash-SHA256": 2,
        "URL": 20,
        "domain": 9,
        "hostname": 68
      },
      "indicator_count": 103,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 66,
      "modified_text": "39 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69aa842cef967c844adef1de",
      "name": "CAPE Sandbox part 2 - see part 1",
      "description": "heartbreaking",
      "modified": "2026-04-05T11:04:28.804000",
      "created": "2026-03-06T07:37:16.417000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1014",
          "name": "Rootkit",
          "display_name": "T1014 - Rootkit"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1047",
          "name": "Windows Management Instrumentation",
          "display_name": "T1047 - Windows Management Instrumentation"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1203",
          "name": "Exploitation for Client Execution",
          "display_name": "T1203 - Exploitation for Client Execution"
        },
        {
          "id": "T1485",
          "name": "Data Destruction",
          "display_name": "T1485 - Data Destruction"
        },
        {
          "id": "T1496",
          "name": "Resource Hijacking",
          "display_name": "T1496 - Resource Hijacking"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1542",
          "name": "Pre-OS Boot",
          "display_name": "T1542 - Pre-OS Boot"
        },
        {
          "id": "T1548",
          "name": "Abuse Elevation Control Mechanism",
          "display_name": "T1548 - Abuse Elevation Control Mechanism"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1564",
          "name": "Hide Artifacts",
          "display_name": "T1564 - Hide Artifacts"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 3905,
        "FileHash-SHA1": 3515,
        "FileHash-SHA256": 8002,
        "URL": 982,
        "hostname": 2532,
        "domain": 164,
        "email": 1
      },
      "indicator_count": 19101,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "56 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69a90f69274935b1a5d045ae",
      "name": "Malware",
      "description": "A full report on the Cuckoo malware has been published by researchers at the University of California, Los Angeles, and by the European Commission (ECB) in the UK, with the following:",
      "modified": "2026-04-04T05:18:12.440000",
      "created": "2026-03-05T05:06:49.844000",
      "tags": [
        "files c",
        "state c",
        "nel c",
        "data",
        "parent pid",
        "full path",
        "command line",
        "registry keys",
        "datacrashpad",
        "datadefault c",
        "shutdown",
        "guard",
        "back"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 232,
        "FileHash-SHA1": 248,
        "FileHash-SHA256": 3023,
        "domain": 13,
        "hostname": 171,
        "URL": 12
      },
      "indicator_count": 3699,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 66,
      "modified_text": "57 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69a90edfed1e02cd32d0c4e9",
      "name": "The Root Problem",
      "description": "33ba8221ff3f5211b6b08004d7a48fb4ccfbef8450715cfbfa299cc1b617d7a0\ntype\nCAB 1 Yara Detection",
      "modified": "2026-03-06T00:33:30.080000",
      "created": "2026-03-05T05:04:31.983000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 1,
        "FileHash-SHA1": 1,
        "FileHash-SHA256": 1,
        "URL": 1,
        "hostname": 1
      },
      "indicator_count": 5,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 65,
      "modified_text": "87 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://js.monitor.azure.com/scripts/a/ai.0.js'",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://js.monitor.azure.com/scripts/a/ai.0.js'",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780278613.6205206
}