{ "type": "URL", "indicator": "https://edge.microsoft.com/extensionwebstorebase/v1/crx", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://edge.microsoft.com/extensionwebstorebase/v1/crx", "type": "url", "type_title": "URL", "validation": [ { "source": "alexa", "message": "Alexa rank: #19", "name": "Listed on Alexa" }, { "source": "akamai", "message": "Akamai rank: #4", "name": "Akamai Popular Domain" }, { "source": "whitelist", "message": "Whitelisted domain microsoft.com", "name": "Whitelisted domain" }, { "source": "majestic", "message": "Whitelisted domain microsoft.com", "name": "Whitelisted domain" }, { "source": "newssite", "message": "Whitelisted news domain microsoft.com", "name": "Whitelisted newssite network domain" } ], "base_indicator": { "id": 4216346974, "indicator": "https://edge.microsoft.com/extensionwebstorebase/v1/crx", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "69ab50eb37dbe71a1a2f22bd", "name": "Infected Hosts - MagicSword Analytics - Alerts Merged 03.06.26", "description": "Analytics from 2 infected hosts from MagicSword\nHosts are both psuedo clones (?) of a production device that connects to AHS/Covenant Health, UAlberta, Government of Alberta daily. FFSS\n\n******https://tria.ge/260306-2134tsfs3n <- Analytic Files & a few problem Files & 'secret files' only found in Triage VM. Did not include in pulse -> 9/10 *****************", "modified": "2026-04-05T21:06:49.776000", "created": "2026-03-06T22:10:51.168000", "tags": [ "protection\"\",\"\"internal_name\"\":\"\"mpsigstub.exe\"\",\"\"file_descript", "fileexplorer", "system32", "sha256", "block rules", "unknown", "filehash", "filename", "filepath", "policy block", "rules", "valid", "false", "service", "terminal", "core", "stub", "powershell", "updater", "win32", "compiler", "stack", "format", "model", "fast", "connector", "shell", "installer", "lsass", "bits", "rest", "explorer", "brain", "dcom", "android", "play", "energy", "malware", "virus", "trojan", "ransomware", "static", "analysis", "indicator of compromise", "ioc", "extraction", "emulation", "online", "submit", "sample", "download", "platform", "sandbox", "static analyzer", "analyzer", "true", "mcafee", "protect", "powerful", "death", "bsod", "UAlberta", "AHS", "Covenant Health", "Microsoft", "Google", "ID Theft", "Credential Theft", "Dell", "Lenovo", "ASUS", "Insite", "AlbertaNDP", "AlbertaUCP", "University", "Alberta", "NathanIP", "Telus", "Botnet", "Spreader", "Malcerts", "Certificates", "Treaty8", "TreatySix", "Edmonton", "YEG", "Eduroam" ], "references": [ "https://www.filescan.io/uploads/69ab467397feb4afd670f9d7/reports/1a4169f3-4b2d-4442-9d52-914c643954bc/overview", "https://app.threat.zone/submission/ceae3b93-a33f-401b-8a54-a951b524adf4/overview", "https://www.filescan.io/uploads/69ab48ab9eaae8465944a7a7/reports/0b631689-e054-441a-8302-0c1c9c9d4783/overview", "https://app.threat.zone/submission/f5353cb5-7f63-4462-a4c5-96fc9e9de8fe/overview", "https://www.filescan.io/uploads/69ab4a18cd25bfe1dfe2ef6f/reports/59c49be5-98f1-4055-a49b-e5a9ce532f15/overview", "https://app.threat.zone/submission/1a95a88b-069d-4ca0-94be-46798f0156cf/overview", "https://www.filescan.io/uploads/69ab4c8697feb4afd671070f/reports/1c10bb12-152b-47b0-9d50-0d37fd946a77/overview", "http://hybrid-analysis.com/file-collection/69ab53ada78313258c0cd3b1", "Polyswarm", "******https://tria.ge/260306-2134tsfs3n <- Analytic Files & a few problem Files & 'secret files' only found in Triage VM. Did not include in pulse -> 9/10" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada" ], "malware_families": [ { "id": "Protection\"\",\"\"internal_name\"\":\"\"MpSigStub.exe\"\",\"\"file_description\"\":\"\"Microsoft", "display_name": "Protection\"\",\"\"internal_name\"\":\"\"MpSigStub.exe\"\",\"\"file_description\"\":\"\"Microsoft", "target": null }, { "id": "FileExplorer", "display_name": "FileExplorer", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Trojan", "display_name": "Trojan", "target": null }, { "id": "Thimeda", "display_name": "Thimeda", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1211", "name": "Exploitation for Defense Evasion", "display_name": "T1211 - Exploitation for Defense Evasion" } ], "industries": [ "Healthcare", "Education", "Government", "Finance", "Hospitality", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 52, "FileHash-SHA256": 728, "URL": 24, "email": 1, "hostname": 6, "domain": 2 }, "indicator_count": 815, "is_author": false, "is_subscribing": null, "subscriber_count": 130, "modified_text": "55 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69958c30537f1dcd43440139", "name": "magicsword[.]io analytics - analytics_raw_export_2026-02-18_020847", "description": "analytics_raw_export_2026-02-18_020847 from magicsword analytics on 2 devices briefly exposed to some problems at a location\n**Related to upcoming -> Blue + Red + Unknown Poly + Signed & Upgraded = ?\"Eternal Stealer\"?", "modified": "2026-03-20T09:37:45.201000", "created": "2026-02-18T09:53:52.669000", "tags": [ "block rules", "block", "sha256", "production pca", "windows", "desktopv4qjnev", "gen digital", "edge extension", "microsoft", "windows system", "unknown", "mcafee", "powershell", "service", "powerful", "model", "explorer", "protect", "win32", "fast", "dcom", "death", "bsod", "bits", "core", "please", "javascript", "entity" ], "references": [ "analytics_raw_export_2026-02-18_020847.csv", "https://www.virustotal.com/gui/collection/bc4c9b04f15414c4a65a7647f7b78d1db126354670ba4ad547ef2ab309a9cb91", "https://www.virustotal.com/gui/collection/bc4c9b04f15414c4a65a7647f7b78d1db126354670ba4ad547ef2ab309a9cb91/iocs", "https://www.virustotal.com/graph/embed/ga3531b49fc644071bc978399129140912f14c52776fb45edb8e0674a14f625e4?theme=dark" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" } ], "industries": [ "Education", "Healthcare", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 3, "FileHash-SHA256": 137, "URL": 6, "hostname": 4 }, "indicator_count": 150, "is_author": false, "is_subscribing": null, "subscriber_count": 130, "modified_text": "71 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "Polyswarm", "https://www.filescan.io/uploads/69ab4a18cd25bfe1dfe2ef6f/reports/59c49be5-98f1-4055-a49b-e5a9ce532f15/overview", "https://app.threat.zone/submission/ceae3b93-a33f-401b-8a54-a951b524adf4/overview", "https://www.virustotal.com/gui/collection/bc4c9b04f15414c4a65a7647f7b78d1db126354670ba4ad547ef2ab309a9cb91", "https://app.threat.zone/submission/f5353cb5-7f63-4462-a4c5-96fc9e9de8fe/overview", "https://www.virustotal.com/gui/collection/bc4c9b04f15414c4a65a7647f7b78d1db126354670ba4ad547ef2ab309a9cb91/iocs", "https://www.filescan.io/uploads/69ab467397feb4afd670f9d7/reports/1a4169f3-4b2d-4442-9d52-914c643954bc/overview", "https://app.threat.zone/submission/1a95a88b-069d-4ca0-94be-46798f0156cf/overview", "******https://tria.ge/260306-2134tsfs3n <- Analytic Files & a few problem Files & 'secret files' only found in Triage VM. Did not include in pulse -> 9/10", "https://www.filescan.io/uploads/69ab48ab9eaae8465944a7a7/reports/0b631689-e054-441a-8302-0c1c9c9d4783/overview", "http://hybrid-analysis.com/file-collection/69ab53ada78313258c0cd3b1", "https://www.virustotal.com/graph/embed/ga3531b49fc644071bc978399129140912f14c52776fb45edb8e0674a14f625e4?theme=dark", "analytics_raw_export_2026-02-18_020847.csv", "https://www.filescan.io/uploads/69ab4c8697feb4afd671070f/reports/1c10bb12-152b-47b0-9d50-0d37fd946a77/overview" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Protection\"\",\"\"internal_name\"\":\"\"mpsigstub.exe\"\",\"\"file_description\"\":\"\"microsoft", "Fileexplorer", "Ransomware", "Thimeda", "Trojan" ], "industries": [ "Education", "Telecommunications", "Finance", "Technology", "Hospitality", "Healthcare", "Government" ], "unique_indicators": 837 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/microsoft.com", "whois": "http://whois.domaintools.com/microsoft.com", "domain": "microsoft.com", "hostname": "edge.microsoft.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "69ab50eb37dbe71a1a2f22bd", "name": "Infected Hosts - MagicSword Analytics - Alerts Merged 03.06.26", "description": "Analytics from 2 infected hosts from MagicSword\nHosts are both psuedo clones (?) of a production device that connects to AHS/Covenant Health, UAlberta, Government of Alberta daily. FFSS\n\n******https://tria.ge/260306-2134tsfs3n <- Analytic Files & a few problem Files & 'secret files' only found in Triage VM. Did not include in pulse -> 9/10 *****************", "modified": "2026-04-05T21:06:49.776000", "created": "2026-03-06T22:10:51.168000", "tags": [ "protection\"\",\"\"internal_name\"\":\"\"mpsigstub.exe\"\",\"\"file_descript", "fileexplorer", "system32", "sha256", "block rules", "unknown", "filehash", "filename", "filepath", "policy block", "rules", "valid", "false", "service", "terminal", "core", "stub", "powershell", "updater", "win32", "compiler", "stack", "format", "model", "fast", "connector", "shell", "installer", "lsass", "bits", "rest", "explorer", "brain", "dcom", "android", "play", "energy", "malware", "virus", "trojan", "ransomware", "static", "analysis", "indicator of compromise", "ioc", "extraction", "emulation", "online", "submit", "sample", "download", "platform", "sandbox", "static analyzer", "analyzer", "true", "mcafee", "protect", "powerful", "death", "bsod", "UAlberta", "AHS", "Covenant Health", "Microsoft", "Google", "ID Theft", "Credential Theft", "Dell", "Lenovo", "ASUS", "Insite", "AlbertaNDP", "AlbertaUCP", "University", "Alberta", "NathanIP", "Telus", "Botnet", "Spreader", "Malcerts", "Certificates", "Treaty8", "TreatySix", "Edmonton", "YEG", "Eduroam" ], "references": [ "https://www.filescan.io/uploads/69ab467397feb4afd670f9d7/reports/1a4169f3-4b2d-4442-9d52-914c643954bc/overview", "https://app.threat.zone/submission/ceae3b93-a33f-401b-8a54-a951b524adf4/overview", "https://www.filescan.io/uploads/69ab48ab9eaae8465944a7a7/reports/0b631689-e054-441a-8302-0c1c9c9d4783/overview", "https://app.threat.zone/submission/f5353cb5-7f63-4462-a4c5-96fc9e9de8fe/overview", "https://www.filescan.io/uploads/69ab4a18cd25bfe1dfe2ef6f/reports/59c49be5-98f1-4055-a49b-e5a9ce532f15/overview", "https://app.threat.zone/submission/1a95a88b-069d-4ca0-94be-46798f0156cf/overview", "https://www.filescan.io/uploads/69ab4c8697feb4afd671070f/reports/1c10bb12-152b-47b0-9d50-0d37fd946a77/overview", "http://hybrid-analysis.com/file-collection/69ab53ada78313258c0cd3b1", "Polyswarm", "******https://tria.ge/260306-2134tsfs3n <- Analytic Files & a few problem Files & 'secret files' only found in Triage VM. Did not include in pulse -> 9/10" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada" ], "malware_families": [ { "id": "Protection\"\",\"\"internal_name\"\":\"\"MpSigStub.exe\"\",\"\"file_description\"\":\"\"Microsoft", "display_name": "Protection\"\",\"\"internal_name\"\":\"\"MpSigStub.exe\"\",\"\"file_description\"\":\"\"Microsoft", "target": null }, { "id": "FileExplorer", "display_name": "FileExplorer", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Trojan", "display_name": "Trojan", "target": null }, { "id": "Thimeda", "display_name": "Thimeda", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1211", "name": "Exploitation for Defense Evasion", "display_name": "T1211 - Exploitation for Defense Evasion" } ], "industries": [ "Healthcare", "Education", "Government", "Finance", "Hospitality", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 52, "FileHash-SHA256": 728, "URL": 24, "email": 1, "hostname": 6, "domain": 2 }, "indicator_count": 815, "is_author": false, "is_subscribing": null, "subscriber_count": 130, "modified_text": "55 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69958c30537f1dcd43440139", "name": "magicsword[.]io analytics - analytics_raw_export_2026-02-18_020847", "description": "analytics_raw_export_2026-02-18_020847 from magicsword analytics on 2 devices briefly exposed to some problems at a location\n**Related to upcoming -> Blue + Red + Unknown Poly + Signed & Upgraded = ?\"Eternal Stealer\"?", "modified": "2026-03-20T09:37:45.201000", "created": "2026-02-18T09:53:52.669000", "tags": [ "block rules", "block", "sha256", "production pca", "windows", "desktopv4qjnev", "gen digital", "edge extension", "microsoft", "windows system", "unknown", "mcafee", "powershell", "service", "powerful", "model", "explorer", "protect", "win32", "fast", "dcom", "death", "bsod", "bits", "core", "please", "javascript", "entity" ], "references": [ "analytics_raw_export_2026-02-18_020847.csv", "https://www.virustotal.com/gui/collection/bc4c9b04f15414c4a65a7647f7b78d1db126354670ba4ad547ef2ab309a9cb91", "https://www.virustotal.com/gui/collection/bc4c9b04f15414c4a65a7647f7b78d1db126354670ba4ad547ef2ab309a9cb91/iocs", "https://www.virustotal.com/graph/embed/ga3531b49fc644071bc978399129140912f14c52776fb45edb8e0674a14f625e4?theme=dark" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" } ], "industries": [ "Education", "Healthcare", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 3, "FileHash-SHA256": 137, "URL": 6, "hostname": 4 }, "indicator_count": 150, "is_author": false, "is_subscribing": null, "subscriber_count": 130, "modified_text": "71 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://edge.microsoft.com/extensionwebstorebase/v1/crx", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://edge.microsoft.com/extensionwebstorebase/v1/crx", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780214616.6976213 }