{
  "type": "URL",
  "indicator": "https://static.edge.microsoftapp.net/default/cloud_config_observers.json",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://static.edge.microsoftapp.net/default/cloud_config_observers.json",
    "type": "url",
    "type_title": "URL",
    "validation": [],
    "base_indicator": {
      "id": 4077311409,
      "indicator": "https://static.edge.microsoftapp.net/default/cloud_config_observers.json",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 34,
      "pulses": [
        {
          "id": "69f0ccbc76103a52f45c7f57",
          "name": "MalSpam_28032026",
          "description": "IoCs Extracted from Fortimail quarantine email. Analysis Verify your account settings now!.eml (MD5: D65936EBA4C38EE3D30441A9671FC6C3) Malicious activity - Interactive analysis ANY.RUN. Microsoft users are being urged to log in to their accounts on the same day as they are on a different account at the other end of the world. and here is the full list of files:",
          "modified": "2026-05-28T15:26:26.017000",
          "created": "2026-04-28T15:05:32.464000",
          "tags": [
            "p2404",
            "p11777645428",
            "attrdataver186",
            "p11777645427",
            "telemetrylevel1",
            "osuilocaleenus",
            "osskuid48",
            "processorcores6",
            "tpmversion0",
            "osnamewin",
            "main",
            "verify"
          ],
          "references": [
            "https://app.any.run/tasks/b37fc505-f470-4db4-b140-7d9e7c72d6d2"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "soc_columbus",
            "id": "2084",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2084/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 3,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 7,
            "URL": 1,
            "email": 1,
            "hostname": 1
          },
          "indicator_count": 14,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 210,
          "modified_text": "2 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69eb630a8e44088d23f24d99",
          "name": "Outbound Network Analyser - ARU - Research in to router traffic - identified academic cyber attack",
          "description": "TROJAN DROP ON C# CODE ACTIVATION - \n\nfile dropped new.exe - runs .dlls and installs complete package of multiple malware - including backdoors and spyware -",
          "modified": "2026-05-24T19:21:10.096000",
          "created": "2026-04-24T12:33:14.341000",
          "tags": [
            "vnc default",
            "protocol p",
            "secure",
            "buffer",
            "remote",
            "windows",
            "authentication",
            "network",
            "c2 default",
            "dameware remote",
            "deos",
            "finger",
            "netbus",
            "back",
            "aeroadmin",
            "back orifice",
            "hack",
            "error",
            "shell",
            "simple",
            "terminal",
            "service",
            "trivial",
            "gopher",
            "example",
            "backorifice",
            "optix pro",
            "metasploit",
            "bladerunner",
            "gotomypc",
            "dcrat",
            "darkcomet",
            "netcat",
            "trinoo",
            "md5 sha1",
            "sha512 ssdeep",
            "size",
            "sample",
            "tlsh score",
            "10 malware",
            "iocs checks",
            "file explorer",
            "tlsh windows6",
            "pe checks",
            "path c",
            "get https",
            "sha256",
            "head https",
            "tlsh",
            "sha512 tlsh",
            "post https",
            "ttps",
            "get http",
            "10 execution",
            "malware config",
            "javascript",
            "ttps execution",
            "pid4784 network",
            "state path",
            "datalocal state",
            "tlsh local",
            "p2404",
            "score",
            "system",
            "pid2148 network"
          ],
          "references": [
            "Program.cs"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United Kingdom of Great Britain and Northern Ireland"
          ],
          "malware_families": [
            {
              "id": "Optix Pro",
              "display_name": "Optix Pro",
              "target": null
            },
            {
              "id": "Back Orifice",
              "display_name": "Back Orifice",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1124",
              "name": "System Time Discovery",
              "display_name": "T1124 - System Time Discovery"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            }
          ],
          "industries": [
            "Cyber Security",
            "Academic",
            "University",
            "Research",
            "Cyber REsearch"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "r0b1nh0od",
            "id": "320328",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_320328/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 16,
            "FileHash-SHA256": 2371,
            "FileHash-MD5": 366,
            "FileHash-SHA1": 64,
            "URL": 23,
            "domain": 3
          },
          "indicator_count": 2843,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 26,
          "modified_text": "6 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69eb6308e87c53ec7b9bf112",
          "name": "Outbound Network Analyser - ARU - Research in to router traffic - identified academic cyber attack",
          "description": "TROJAN DROP ON C# CODE ACTIVATION - \n\nfile dropped new.exe - runs .dlls and installs complete package of multiple malware - including backdoors and spyware -",
          "modified": "2026-05-24T12:05:23.190000",
          "created": "2026-04-24T12:33:12.569000",
          "tags": [
            "vnc default",
            "protocol p",
            "secure",
            "buffer",
            "remote",
            "windows",
            "authentication",
            "network",
            "c2 default",
            "dameware remote",
            "deos",
            "finger",
            "netbus",
            "back",
            "aeroadmin",
            "back orifice",
            "hack",
            "error",
            "shell",
            "simple",
            "terminal",
            "service",
            "trivial",
            "gopher",
            "example",
            "backorifice",
            "optix pro",
            "metasploit",
            "bladerunner",
            "gotomypc",
            "dcrat",
            "darkcomet",
            "netcat",
            "trinoo",
            "md5 sha1",
            "sha512 ssdeep",
            "size",
            "sample",
            "tlsh score",
            "10 malware",
            "iocs checks",
            "file explorer",
            "tlsh windows6",
            "pe checks",
            "path c",
            "get https",
            "sha256",
            "head https",
            "tlsh",
            "sha512 tlsh",
            "post https",
            "ttps",
            "get http",
            "10 execution",
            "malware config",
            "javascript",
            "ttps execution",
            "pid4784 network",
            "state path",
            "datalocal state",
            "tlsh local",
            "p2404",
            "score",
            "system",
            "pid2148 network"
          ],
          "references": [
            "Program.cs"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United Kingdom of Great Britain and Northern Ireland"
          ],
          "malware_families": [
            {
              "id": "Optix Pro",
              "display_name": "Optix Pro",
              "target": null
            },
            {
              "id": "Back Orifice",
              "display_name": "Back Orifice",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1124",
              "name": "System Time Discovery",
              "display_name": "T1124 - System Time Discovery"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            }
          ],
          "industries": [
            "Cyber Security",
            "Academic",
            "University",
            "Research",
            "Cyber REsearch"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "r0b1nh0od",
            "id": "320328",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_320328/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 2,
            "FileHash-SHA256": 143,
            "FileHash-MD5": 35,
            "FileHash-SHA1": 32,
            "URL": 4
          },
          "indicator_count": 216,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 26,
          "modified_text": "7 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69e7d7edd91aab8d1e8d5590",
          "name": "hxxps://support[.]apple[.]com/100100",
          "description": "hxxps://support[.]apple[.]com/100100",
          "modified": "2026-05-21T20:10:22.225000",
          "created": "2026-04-21T20:02:53.543000",
          "tags": [
            "malware",
            "virus",
            "trojan",
            "ransomware",
            "static",
            "analysis",
            "indicator of compromise",
            "ioc",
            "extraction",
            "emulation",
            "online",
            "submit",
            "sample",
            "download",
            "platform",
            "switch",
            "community add",
            "security menlo",
            "reports",
            "cve list",
            "notes blog",
            "drop your",
            "file",
            "service",
            "privacy policy",
            "intelix portal",
            "javascript",
            "please",
            "strong",
            "united kingdom",
            "urls",
            "domain name",
            "url analysis",
            "report https",
            "request",
            "status",
            "public ev",
            "server rsa",
            "g1 apple",
            "virustotal",
            "domain",
            "benign no",
            "february",
            "date february",
            "safe browsing",
            "ctx database",
            "upgrade plan",
            "my submissions",
            "free",
            "april",
            "august",
            "sandbox",
            "static analyzer",
            "analyzer",
            "vxstream",
            "apt",
            "hybrid analysis",
            "api key",
            "vetting process",
            "please note",
            "triage",
            "report",
            "reported",
            "analyze",
            "md5 sha1",
            "sha256",
            "submit download",
            "sha1",
            "sha512",
            "path c",
            "sha512 tlsh",
            "ssdeep",
            "prefetch8",
            "general",
            "config",
            "copy",
            "target",
            "score",
            "impact",
            "get https",
            "post https",
            "sha512 ssdeep",
            "size",
            "p2404",
            "tlsh",
            "Apple",
            "iPad",
            "Update"
          ],
          "references": [
            "https://www.filescan.io/uploads/69e7ceb08a82359247ab7647/reports/e7fdc5f9-d521-4ce6-afae-50b558e39445/overview",
            "https://metadefender.com/results/url/aHR0cHM6Ly9zdXBwb3J0LmFwcGxlLmNvbS8xMDAxMDA=",
            "https://intelix.sophos.com/report/ce2b7a12bcf74e2f8bae0263e6ae69f0/static/file",
            "https://intelix.sophos.com/report/ce2b7a12bcf74e2f8bae0263e6ae69f0/static/url",
            "https://app.threat.zone/submission/9484b40d-a27f-4837-9e66-956835282d63/url-analysis-report",
            "http://hybrid-analysis.com/sample/0a875f2646dc2b4b36fdf7196e357b8b2718a449e3e92b817194ba287238ae00",
            "https://tria.ge/260421-ygl5esbt5p/behavioral1",
            "https://www.scyscan.com/scan-report/?rid=1743532660988884337",
            "https://polyswarm.network/scan/results/url/a6220c097dabdc5fd659eb3ca1441fd3ce853817647bbac71109847df837af70",
            "http://hybrid-analysis.com/sample/0a875f2646dc2b4b36fdf7196e357b8b2718a449e3e92b817194ba287238ae00/69e7d3627e525d99f106537e",
            "https://tria.ge/260421-ygl5esbt5p",
            "https://opentip.kaspersky.com/https%3A%2F%2Fsupport.apple.com%2F100100/?tab=lookup",
            "https://www.virustotal.com/graph/embed/ge7e62e923913419f9a4096f64b057f85af4f61c7ddba41b09ce577061284a468?theme=dark",
            "https://www.virustotal.com/gui/collection/31128b22372d1d820a4c494cc4e846ae3a5a60ffd1dd7b00b4e303a8007529bc/summary",
            "https://www.virustotal.com/gui/collection/31128b22372d1d820a4c494cc4e846ae3a5a60ffd1dd7b00b4e303a8007529bc/iocs"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Canada"
          ],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1124",
              "name": "System Time Discovery",
              "display_name": "T1124 - System Time Discovery"
            },
            {
              "id": "T1217",
              "name": "Browser Bookmark Discovery",
              "display_name": "T1217 - Browser Bookmark Discovery"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            }
          ],
          "industries": [
            "Technology"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 80,
            "hostname": 175,
            "URL": 1571,
            "FileHash-MD5": 183,
            "email": 7,
            "CIDR": 3,
            "FileHash-SHA1": 117,
            "FileHash-SHA256": 181,
            "SSLCertFingerprint": 14
          },
          "indicator_count": 2331,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 131,
          "modified_text": "9 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69d50ab8883af2ff2017b81a",
          "name": "MalSpam_07042026",
          "description": "IoC Extracted from Fortimail quarantine mail. Analysis Secure Your Retirement Benefits.eml (MD5: 1A3F2B66A7E38F7857C54D9A368068AC) Malicious activity - Interactive analysis ANY.RUN. Microsoft has released a new version of its Office operating system, called Office Outlook, which is based on the same software as the Office Store and Microsoft Office app, for use in the US and UK.",
          "modified": "2026-05-07T13:00:26.944000",
          "created": "2026-04-07T13:46:32.552000",
          "tags": [
            "secure your",
            "p2404",
            "p11775851954",
            "p11775851955",
            "processorcores6",
            "tpmversion0",
            "attrdataver186",
            "osnamewin",
            "main",
            "secure",
            "dropped file"
          ],
          "references": [
            "https://app.any.run/tasks/e0a4305e-2b16-4192-b886-55758307f6e0"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "soc_columbus",
            "id": "2084",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2084/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 4,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 6,
            "URL": 1,
            "email": 1,
            "hostname": 2
          },
          "indicator_count": 16,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 212,
          "modified_text": "24 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69cbf2775446abf635fe2c95",
          "name": "MalSpam_31032026_7",
          "description": "IoC Extracted from Fortimail quarantine mail.. Analysis:Subject: \tAccount Deactivation notification",
          "modified": "2026-04-30T16:30:10.878000",
          "created": "2026-03-31T16:12:39.674000",
          "tags": [
            "p2404",
            "processorcores6",
            "tpmversion0",
            "attrdataver186",
            "osnamewin",
            "p11775548094",
            "main",
            "deactivation",
            "connections ip",
            "httphttps"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "soc_columbus",
            "id": "2084",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2084/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 4,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 6,
            "URL": 2,
            "email": 1,
            "hostname": 4
          },
          "indicator_count": 19,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 210,
          "modified_text": "30 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69cbeb74cc9878a356224d97",
          "name": "MalSpam_31032026_2",
          "description": "IoC Extracted from Fortimail quarantine mail.. Analysis: Re_ Request for dominique Quote 3_27_2026 6_32_01 a.m..eml",
          "modified": "2026-04-30T15:30:17.242000",
          "created": "2026-03-31T15:42:43.990000",
          "tags": [
            "p2404",
            "re request",
            "quote",
            "attrdataver186",
            "processorcores6",
            "tpmversion0",
            "p11775311120",
            "p11775311122",
            "osnamewin",
            "main"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "soc_columbus",
            "id": "2084",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2084/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 3,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 7,
            "URL": 1,
            "email": 1,
            "hostname": 1
          },
          "indicator_count": 15,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 209,
          "modified_text": "30 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69c29c38a298c75d4598aa38",
          "name": "MalSpam_24032026_1",
          "description": "IoCs Extracted from Fortimail quarantine email. Analysis Incoming Messages Failed Fix now.eml (MD5: EA4C7690092D45B5C28330E25E17BDD4) Malicious activity - Interactive analysis ANY.RUN. Main object - Incoming Messages Failed Fix now, after being detected by Microsoft's security team at 0:00 GMT on Tuesday..eml. and the following day, on Wednesday, 1 September",
          "modified": "2026-04-23T14:22:41.589000",
          "created": "2026-03-24T14:14:16.320000",
          "tags": [
            "p2404",
            "p11774458416",
            "p11774458417",
            "processorcores6",
            "tpmversion0",
            "attrdataver186",
            "osnamewin",
            "main",
            "messages",
            "dropped file"
          ],
          "references": [
            "https://app.any.run/tasks/95be81c1-a169-4cd8-a6f0-9e78281f6dad"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "soc_columbus",
            "id": "2084",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2084/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 5,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 8,
            "URL": 2,
            "email": 1,
            "hostname": 4
          },
          "indicator_count": 22,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 210,
          "modified_text": "37 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69c29c38109c5adee3e5c659",
          "name": "MalSpam_24032026_1",
          "description": "IoCs Extracted from Fortimail quarantine email. Analysis Incoming Messages Failed Fix now.eml (MD5: EA4C7690092D45B5C28330E25E17BDD4) Malicious activity - Interactive analysis ANY.RUN. Main object - Incoming Messages Failed Fix now, after being detected by Microsoft's security team at 0:00 GMT on Tuesday..eml. and the following day, on Wednesday, 1 September",
          "modified": "2026-04-23T14:22:41.589000",
          "created": "2026-03-24T14:14:16.605000",
          "tags": [
            "p2404",
            "p11774458416",
            "p11774458417",
            "processorcores6",
            "tpmversion0",
            "attrdataver186",
            "osnamewin",
            "main",
            "messages",
            "dropped file"
          ],
          "references": [
            "https://app.any.run/tasks/95be81c1-a169-4cd8-a6f0-9e78281f6dad"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "soc_columbus",
            "id": "2084",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2084/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 5,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 8,
            "URL": 2,
            "email": 1,
            "hostname": 4
          },
          "indicator_count": 22,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 210,
          "modified_text": "37 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69c296f5e47e50850e6d9eee",
          "name": "MalSpam_24032026",
          "description": "IoCs Extracted from Fortimail quarantine email. Analysis printwareonline.com WARNING_ The \u201cinfo@printwareonline.com\u201d email account is almost full..eml (MD5: A38092C728D8A1322E09708FABDD46A4) Malicious activity - Interactive analysis ANY.RUN. Microsoft\u2019s \u201chelp\" system is being used to monitor users' browsing habits on the Windows operating system, as well as the use of the \u2018help system\u201d on its website.",
          "modified": "2026-04-23T13:04:04.453000",
          "created": "2026-03-24T13:51:49.835000",
          "tags": [
            "warning",
            "info",
            "email",
            "p2404",
            "p11774503352",
            "processorcores6",
            "tpmversion0",
            "attrdataver186",
            "osnamewin",
            "p11774503354",
            "main"
          ],
          "references": [
            "https://app.any.run/tasks/70b35454-3588-4ee8-aa50-b6c6926fa64f"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "soc_columbus",
            "id": "2084",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2084/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 4,
            "domain": 2,
            "email": 1,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 10,
            "URL": 3,
            "hostname": 2
          },
          "indicator_count": 24,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 210,
          "modified_text": "38 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69b037620d161898a2bdcbcc",
          "name": "MalSpam_10032026_5",
          "description": "IoC Extracted from Fortimail quarantine mail. Analysis Reminder_ Your Password Expires on 10 March, 2026 00_59_37 AM - ID#227263081678510..eml (MD5: 13A7523C8436BA18FF0DC10FCBCDD566) Malicious activity - Interactive analysis ANY.RUN",
          "modified": "2026-04-09T15:03:06.200000",
          "created": "2026-03-10T15:23:14.653000",
          "tags": [
            "reminder your",
            "password",
            "march",
            "p2404",
            "processorcores6",
            "tpmversion0",
            "attrdataver186",
            "osnamewin",
            "p11773419512",
            "main"
          ],
          "references": [
            "https://app.any.run/tasks/dafcfd2d-8a38-47f7-bce3-65845320192f"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "soc_columbus",
            "id": "2084",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2084/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 4,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 7,
            "URL": 2,
            "domain": 1,
            "email": 1,
            "hostname": 1
          },
          "indicator_count": 18,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 209,
          "modified_text": "51 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69b02c9fb034eb24c194e5f4",
          "name": "MalSpam_10032026_3",
          "description": "Analysis [dominique@printwareonline.com]_ URGENT NEW ORDER for PrintWare Online 09 March, 2026.eml (MD5: D2366EE7024F4E607243A524AB7624D0) Malicious activity - Interactive analysis ANY.RUN",
          "modified": "2026-04-09T14:03:30.440000",
          "created": "2026-03-10T14:37:19.772000",
          "tags": [
            "urgent new",
            "order",
            "march",
            "p2404",
            "osnamewin",
            "p11773423119",
            "main",
            "dominique",
            "dropped file",
            "connections"
          ],
          "references": [
            "https://app.any.run/tasks/aadadf58-1ac4-4378-9505-3bfec93982f2"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "soc_columbus",
            "id": "2084",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2084/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 6,
            "email": 1,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 10,
            "URL": 1,
            "hostname": 1
          },
          "indicator_count": 21,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 210,
          "modified_text": "51 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69b0275ce20cc2cbbe1a3656",
          "name": "MalSpam_10032026_2",
          "description": "IoC Extracted from Fortimail quarantine mail. Analysis Email is Banned.eml (MD5: A33F623FBCE8C6476E9173A2A794D120) Malicious activity - Interactive analysis ANY.RUN",
          "modified": "2026-04-09T14:03:30.440000",
          "created": "2026-03-10T14:14:52.932000",
          "tags": [
            "email",
            "nsyt",
            "p2404",
            "xpcegvo2adsnq",
            "mhqy",
            "mvi4",
            "keepaliveyes",
            "ump1",
            "processorcores6",
            "tpmversion0",
            "attrdataver186",
            "main"
          ],
          "references": [
            "https://app.any.run/tasks/cc358dd2-90cd-449a-a732-4ff9bf6c9adf"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "soc_columbus",
            "id": "2084",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2084/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 5,
            "FileHash-SHA256": 3,
            "URL": 44,
            "domain": 2,
            "email": 2,
            "hostname": 3
          },
          "indicator_count": 59,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 209,
          "modified_text": "51 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69b01df3648ac3816434c6c5",
          "name": "MalSpam_10032026",
          "description": "IoC Extracted from Fortimail quarantine mail. Analysis Revised proposed wage increment Sheet 2026-2027.eml (MD5: 802F3CAC42F4EAE82F7BF38AC90CE797) Malicious activity - Interactive analysis ANY.RUN",
          "modified": "2026-04-09T13:11:43.766000",
          "created": "2026-03-10T13:34:43.559000",
          "tags": [
            "sheet",
            "p2404",
            "osnamewin",
            "processorcores6",
            "tpmversion0",
            "attrdataver186",
            "p11773420822",
            "p11773420825",
            "main",
            "dropped file"
          ],
          "references": [
            "https://app.any.run/tasks/1882b2bc-ad7f-457b-b5d8-fdd2b75e349b"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "soc_columbus",
            "id": "2084",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2084/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 4,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 7,
            "URL": 4,
            "domain": 2,
            "email": 1,
            "hostname": 3
          },
          "indicator_count": 23,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 210,
          "modified_text": "52 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69a70bc414705640c6b3e3ea",
          "name": "MalSpam_03032026_3",
          "description": "IoC Extracted from Fortimail quarantine mail. Analysis: [dominique@printwareonline.com]_ Please confirm to continue..eml",
          "modified": "2026-04-02T16:23:49.285000",
          "created": "2026-03-03T16:26:44.889000",
          "tags": [
            "p2404",
            "attrdataver186",
            "cidalgoversion2",
            "please confirm",
            "oemmodeldell",
            "osuilocaleenus",
            "osskuid48",
            "telemetrylevel1",
            "processorcores6",
            "tpmversion0",
            "main"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "soc_columbus",
            "id": "2084",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2084/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 6,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 12,
            "URL": 69,
            "domain": 3,
            "email": 1,
            "hostname": 4
          },
          "indicator_count": 97,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 211,
          "modified_text": "58 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69a709d01e126c2b67426981",
          "name": "MalSpam_03032026_1",
          "description": "IoC Extracted from Fortimail quarantine mail. Analysis: Salary Review & Performance Award for 2026-dominique@printwareonline.com.eml",
          "modified": "2026-04-02T16:23:49.285000",
          "created": "2026-03-03T16:18:24.770000",
          "tags": [
            "p2404",
            "attrdataver186",
            "cidalgoversion2",
            "salary review",
            "telemetrylevel1",
            "oemmodeldell",
            "osuilocaleenus",
            "osskuid48",
            "processorcores6",
            "tpmversion0",
            "main"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "soc_columbus",
            "id": "2084",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2084/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 5,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 8,
            "URL": 2,
            "domain": 1,
            "email": 1,
            "hostname": 1
          },
          "indicator_count": 20,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 210,
          "modified_text": "58 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "699db153ebef6899624396dc",
          "name": "MalSpam_24022026_7",
          "description": "IoC Extracted from Fortimail quarantine mail. Analysis: Request for Quotation-PO1757611..eml",
          "modified": "2026-03-26T14:08:03.078000",
          "created": "2026-02-24T14:10:27.043000",
          "tags": [
            "p2404",
            "attrdataver186",
            "osnamewin",
            "processorcores6",
            "tpmversion0",
            "telemetrylevel1",
            "oemmodeldell",
            "osuilocaleenus",
            "osskuid48",
            "main"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "soc_columbus",
            "id": "2084",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2084/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1,
            "FileHash-SHA256": 4,
            "URL": 2,
            "hostname": 2
          },
          "indicator_count": 9,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 209,
          "modified_text": "65 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6993a71f4d27a7ff637d948d",
          "name": "\"Gay\" dating websites that spoof assets",
          "description": "fake and redirect - enjoyflirting.com\n\nincluding pornhub, xhamster and uk age verification systems",
          "modified": "2026-03-18T23:02:37.713000",
          "created": "2026-02-16T23:24:10.804000",
          "tags": [
            "get https",
            "sha512",
            "post https",
            "sha256",
            "sha1",
            "get http",
            "p2404",
            "filesize",
            "p11771835368",
            "options https",
            "score"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1124",
              "name": "System Time Discovery",
              "display_name": "T1124 - System Time Discovery"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "r0b1nh0od",
            "id": "320328",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_320328/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 500,
            "FileHash-SHA1": 419,
            "FileHash-SHA256": 419,
            "URL": 327,
            "domain": 14,
            "hostname": 43
          },
          "indicator_count": 1722,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 26,
          "modified_text": "73 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "698b3224ff1b546d6e5af9f3",
          "name": "MalSpam_10022026",
          "description": "IoC Extracted from Fortimail quarantine mail. Analysis Email Account Closure Notification.eml (MD5: 54566E9D200D6212966B8FB5E9B71E57) Malicious activity - Interactive analysis ANY.RUN. Microsoft users are being urged to check their email accounts before they send them to a new address or log in to an account they have set up on their home page, or to use the same address at home.",
          "modified": "2026-03-12T13:29:04.644000",
          "created": "2026-02-10T13:26:57.927000",
          "tags": [
            "email account",
            "p2404",
            "attrdataver186",
            "telemetrylevel1",
            "oemmodeldell",
            "osuilocaleenus",
            "osskuid48",
            "processorcores6",
            "tpmversion0",
            "osnamewin",
            "main"
          ],
          "references": [
            "https://app.any.run/tasks/ed984ec8-5918-4844-abbf-80a0e9ebf16e"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "soc_columbus",
            "id": "2084",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2084/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 4,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 10,
            "URL": 3,
            "domain": 2,
            "email": 1,
            "hostname": 2
          },
          "indicator_count": 24,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 209,
          "modified_text": "79 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "698548fdc5e1b22b45457eb4",
          "name": "http://support[.]apple[.]com/kb/HT5012 - 02.05.26",
          "description": "\"Learn more about trusted certificates\" -> http://support[.]apple[.]com/kb/HT5012\nTrust Store Version 2025082000\nTrust Asset Version 1012",
          "modified": "2026-03-08T02:01:42.135000",
          "created": "2026-02-06T01:50:53.485000",
          "tags": [
            "vhash",
            "ssdeep",
            "html internet",
            "magic html",
            "unicode text",
            "utf8",
            "trid text",
            "magika html",
            "file size",
            "please",
            "javascript",
            "malware",
            "virus",
            "trojan",
            "ransomware",
            "static",
            "analysis",
            "indicator of compromise",
            "ioc",
            "extraction",
            "emulation",
            "online",
            "submit",
            "sample",
            "download",
            "platform",
            "url",
            "sandbox",
            "scanner",
            "reputation",
            "phishing",
            "warning icon",
            "share report",
            "domain",
            "apple mapkit",
            "java",
            "manager",
            "report",
            "home search",
            "insights",
            "login check",
            "android",
            "write",
            "login report",
            "overview",
            "tags submit",
            "tags url",
            "finishing url",
            "asn norway",
            "title available",
            "apple",
            "static analyzer",
            "analyzer",
            "type",
            "website title",
            "apple support",
            "date",
            "security",
            "access control",
            "plan search",
            "submission",
            "february",
            "error",
            "vxstream",
            "apt",
            "hybrid analysis",
            "api key",
            "vetting process",
            "please note",
            "prefetch8 ansi",
            "ansi",
            "show process",
            "hash seen",
            "programfiles",
            "ck id",
            "command decode",
            "mitre att",
            "suricata ipv4",
            "windir",
            "suspicious",
            "comspec",
            "hybrid",
            "model",
            "close",
            "click",
            "hosts",
            "general",
            "path",
            "form",
            "strings",
            "contact",
            "p2404",
            "attrdataver186",
            "p11770919978",
            "processorcores6",
            "tpmversion0",
            "telemetrylevel1",
            "oemmodeldell",
            "osuilocaleenus",
            "osskuid48",
            "osnamewin",
            "main",
            "sha1",
            "Apple",
            "iPadOS",
            "Freedom"
          ],
          "references": [
            "https://www.virustotal.com/gui/url/aec932cd6ff44a6b8a13e3573f47d7e543cc0e1cc25f6d4fa2e0b0f1b8c44603/details",
            "https://www.virustotal.com/gui/file/3447d0e0dce83b163308c04dffeb52afb9f22d756b57d516fb1930d60303278d/details",
            "https://www.filescan.io/uploads/69853e76930564ff3c8e3576/reports/132722cc-526c-428b-85d8-bb863204ec6f/ioc",
            "https://urlquery.net/report/f7f1fb29-f7fb-4aec-be06-978b4bb296ab",
            "https://app.threat.zone/submission/f373032a-49fe-46f2-be28-a4636cbeb3c2/url-analysis-report",
            "https://hybrid-analysis.com/sample/04fcf10162401756459d90569bdda9bd3f264efc7ce75e2ca96a8fc93e159bdb",
            "http://hybrid-analysis.com/sample/04fcf10162401756459d90569bdda9bd3f264efc7ce75e2ca96a8fc93e159bdb/698522a0b8d0f8b6c404b7b4",
            "https://app.any.run/tasks/40ac99f3-0bf0-4455-996b-01e9ba0aaf79",
            "https://www.virustotal.com/gui/collection/fc2724a35b1672bcbcbb1af5a8e77d1e6095818a9db880a18661208aa9e9f1ed",
            "https://www.virustotal.com/gui/collection/fc2724a35b1672bcbcbb1af5a8e77d1e6095818a9db880a18661208aa9e9f1ed/iocs",
            "https://www.virustotal.com/graph/embed/g70516ab17e6a482eb6641c8d15f795a9d0fbc493ae9d4c3ca0e0617754ba679c?theme=dark",
            "https://viz.greynoise.io/ip/analysis/66ca01e5-ac9a-4baf-b088-901cfbe72cac"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Canada"
          ],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            }
          ],
          "industries": [
            "Technology"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 29,
            "FileHash-SHA1": 24,
            "FileHash-SHA256": 126,
            "URL": 323,
            "SSLCertFingerprint": 8,
            "domain": 14,
            "email": 4,
            "hostname": 138
          },
          "indicator_count": 666,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 132,
          "modified_text": "84 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "697b7bab3796a403c34877f4",
          "name": "MalSpam_29012026_1",
          "description": "IoC Extracted from Quarantine email on Fortimail. Analysis Your Email verna@printwareonline.com Service Will Be Terminated_ Kindly Verify.eml (MD5: E1648E9329F4701FE36366DF58EB1555) Malicious activity - Interactive analysis ANY.RUN. A security alert has been launched on the website of printwareonline.com, a website for people who use the term \"sandermat\" to communicate with their email addresses and access to their accounts.",
          "modified": "2026-02-28T15:01:23.673000",
          "created": "2026-01-29T15:24:27.717000",
          "tags": [
            "email verna",
            "service will",
            "be terminated",
            "p2404",
            "cidalgoversion2",
            "processorcores6",
            "tpmversion0",
            "attrdataver186",
            "osnamewin",
            "p11769994383",
            "main"
          ],
          "references": [
            "https://app.any.run/tasks/87a167c6-2c9a-4fe8-a7f3-4b21b168d7df"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "soc_columbus",
            "id": "2084",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2084/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 5,
            "email": 1,
            "FileHash-SHA256": 4,
            "URL": 22,
            "domain": 1,
            "hostname": 5
          },
          "indicator_count": 38,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 208,
          "modified_text": "91 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "697b7f6fb51f10775445d99a",
          "name": "MalSpam_29012026_2",
          "description": "IoC Extracted from Quarantine email on Fortimail. Analysis printwareonline.com WARNING_ The \u201cinfo@printwareonline.com\u201d email account is almost full..eml (MD5: 6EDAF46D96E8208584C04D944C7BF75C) Malicious activity - Interactive analysis ANY.RUN. An object - printwareonline.com - has been found on the Microsoft website and is being investigated by the Office for Outlooks (Office.microsoft) for possible malicious activity, as well as its own website.",
          "modified": "2026-02-28T15:01:23.673000",
          "created": "2026-01-29T15:40:31.388000",
          "tags": [
            "warning",
            "info",
            "email",
            "p2404",
            "p11769710634",
            "processorcores6",
            "tpmversion0",
            "attrdataver186",
            "osnamewin",
            "p11769714155",
            "main"
          ],
          "references": [
            "https://app.any.run/tasks/a79a0c00-59de-4d11-bb54-c418a5874ae4"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "soc_columbus",
            "id": "2084",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2084/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 6,
            "domain": 2,
            "email": 1,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 7,
            "URL": 3,
            "hostname": 2
          },
          "indicator_count": 23,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 208,
          "modified_text": "91 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "696f88285f71f6b3ef66af7d",
          "name": "MalSpam_20012026",
          "description": "IoC Extracted from Quarantine email on Fortimail. Analysis  : Salary budget for 2026.eml",
          "modified": "2026-02-19T13:05:08.845000",
          "created": "2026-01-20T13:50:32.980000",
          "tags": [
            "p2404",
            "processorcores6",
            "tpmversion0",
            "attrdataver186",
            "cidalgoversion2",
            "p11769116343",
            "p11769119945",
            "main",
            "salary budget",
            "dropped file"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "soc_columbus",
            "id": "2084",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2084/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 3,
            "FileHash-MD5": 4,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 5,
            "domain": 2,
            "email": 1,
            "hostname": 3
          },
          "indicator_count": 20,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 208,
          "modified_text": "101 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "696f88285f85519cca82e8fe",
          "name": "MalSpam_20012026",
          "description": "IoC Extracted from Quarantine email on Fortimail. Analysis  : Salary budget for 2026.eml",
          "modified": "2026-02-19T13:05:08.845000",
          "created": "2026-01-20T13:50:32.753000",
          "tags": [
            "p2404",
            "processorcores6",
            "tpmversion0",
            "attrdataver186",
            "cidalgoversion2",
            "p11769116343",
            "p11769119945",
            "main",
            "salary budget",
            "dropped file"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "soc_columbus",
            "id": "2084",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2084/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 3,
            "FileHash-MD5": 4,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 5,
            "domain": 2,
            "email": 1,
            "hostname": 3
          },
          "indicator_count": 20,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 208,
          "modified_text": "101 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6993c32c96045e824b62e315",
          "name": "Potential Difference in Banking and Playstores",
          "description": "http vs https \n\nno redirect - block port 80\n\nmalicious X redirect that phishes emails and phone numbers",
          "modified": "2026-02-17T02:05:46.527000",
          "created": "2026-02-17T01:23:53.312000",
          "tags": [
            "get https",
            "sha512",
            "sha256",
            "sha1",
            "post https",
            "filesize",
            "p2404",
            "get http",
            "p11771623157",
            "p11771623158",
            "tura",
            "p1771290942772",
            "fplc0",
            "p11771834386",
            "options https"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1124",
              "name": "System Time Discovery",
              "display_name": "T1124 - System Time Discovery"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "r0b1nh0od",
            "id": "320328",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_320328/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 243,
            "FileHash-SHA1": 170,
            "FileHash-SHA256": 168,
            "URL": 21,
            "hostname": 7,
            "domain": 4
          },
          "indicator_count": 613,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 25,
          "modified_text": "103 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6993c84ef4f56c4d241ceb95",
          "name": "Potential Cloudflare Script distributing malicious payment scripts on protected sites",
          "description": "apologies if wrong",
          "modified": "2026-02-17T01:54:03.342000",
          "created": "2026-02-17T01:45:50.446000",
          "tags": [
            "get https",
            "post https",
            "sha512",
            "sha256",
            "sha1",
            "filesize",
            "secure",
            "expiresthu",
            "path",
            "p2404",
            "win64"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1124",
              "name": "System Time Discovery",
              "display_name": "T1124 - System Time Discovery"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "r0b1nh0od",
            "id": "320328",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_320328/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 186,
            "FileHash-SHA1": 94,
            "FileHash-SHA256": 94,
            "URL": 7,
            "domain": 3,
            "hostname": 6
          },
          "indicator_count": 390,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 26,
          "modified_text": "103 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6993c00ac4dad226b1768403",
          "name": "Student Finance and HMRC potentially targeted",
          "description": "Skimming Loan payments and cataloguing applications??",
          "modified": "2026-02-17T01:10:32.240000",
          "created": "2026-02-17T01:10:32.240000",
          "tags": [
            "get https",
            "post https",
            "sha512",
            "sha1",
            "sha256",
            "filesize",
            "euaaaaagq",
            "p2404",
            "p1771290362137",
            "get http"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1124",
              "name": "System Time Discovery",
              "display_name": "T1124 - System Time Discovery"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "r0b1nh0od",
            "id": "320328",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_320328/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 54,
            "FileHash-SHA1": 49,
            "FileHash-SHA256": 49,
            "URL": 33,
            "hostname": 7
          },
          "indicator_count": 192,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 25,
          "modified_text": "103 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69924fece0dfbd1a13ea22bf",
          "name": "UNI REDIRECT -  Careers Page",
          "description": "Researchers have identified a new type of malware that targets a victim's web browser, time zone and browser settings, and a number of other malicious tools.",
          "modified": "2026-02-15T22:59:54.282000",
          "created": "2026-02-15T22:59:54.282000",
          "tags": [
            "get https",
            "sha512",
            "sha256",
            "sha1",
            "post https",
            "filesize",
            "p2404",
            "get http",
            "head http",
            "state filesize"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            },
            {
              "id": "T1124",
              "name": "System Time Discovery",
              "display_name": "T1124 - System Time Discovery"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "r0b1nh0od",
            "id": "320328",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_320328/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 52,
            "FileHash-SHA1": 50,
            "FileHash-SHA256": 50,
            "URL": 21,
            "hostname": 3
          },
          "indicator_count": 176,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 25,
          "modified_text": "104 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6962aab170cb4210b7adf0cd",
          "name": "Live Casino Fraud",
          "description": "Casino Operating Live Betting on Casino desks whilst being prerecorded. \nAlso Malware.",
          "modified": "2026-02-09T19:00:09.890000",
          "created": "2026-01-10T19:38:24.713000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "r0b1nh0od",
            "id": "320328",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_320328/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 27,
            "FileHash-MD5": 216,
            "FileHash-SHA1": 113,
            "FileHash-SHA256": 113,
            "URL": 445,
            "domain": 2
          },
          "indicator_count": 916,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 25,
          "modified_text": "110 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "693a347c167dff46a9331079",
          "name": "GRINR PHISHING SCAM TARGETING CRYPTO",
          "description": "CONS",
          "modified": "2026-01-20T14:03:13.843000",
          "created": "2025-12-11T03:03:22.788000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "NaughtyTouch",
              "display_name": "NaughtyTouch",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "r0b1nh0od",
            "id": "320328",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_320328/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 27,
            "FileHash-MD5": 70,
            "FileHash-SHA1": 67,
            "FileHash-SHA256": 66,
            "domain": 1,
            "hostname": 3
          },
          "indicator_count": 234,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 25,
          "modified_text": "130 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69236dd13572ff133083fc04",
          "name": "IPTV.exe The Darknet Trojan Spyware with FAKE365",
          "description": "The activity observed indicates the presence of multiple malware families and behaviors, primarily associated with Neshta, WSHRAT, and AutoIT-based droppers, along with several malicious techniques commonly used by infostealers, spyware, and persistence-focused trojans.",
          "modified": "2025-12-23T22:03:53.839000",
          "created": "2025-11-23T20:25:50.899000",
          "tags": [
            "sha1",
            "sha256",
            "sha512",
            "ssdeep"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Virus:Win32/Neshta",
              "display_name": "Virus:Win32/Neshta",
              "target": "/malware/Virus:Win32/Neshta"
            },
            {
              "id": "WSHRAT",
              "display_name": "WSHRAT",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "r0b1nh0od",
            "id": "320328",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_320328/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 516,
            "FileHash-SHA1": 458,
            "FileHash-SHA256": 447,
            "domain": 8,
            "hostname": 20,
            "URL": 53
          },
          "indicator_count": 1502,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 26,
          "modified_text": "158 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6876e1e75949dfc0fe3c7875",
          "name": "Potentially ICARUS, Strange redirect from urlscan.io to 103.224.212.210",
          "description": "The \u201cPotentially ICARUS\u201d threat hunt focuses on identifying a highly capable and persistent malware strain exhibiting a broad range of tactics and behaviors. This threat shows hallmarks of a multi-purpose implant or a modular malware framework. With confirmed classifications as adware, bootkit, trojan, stealer, and spyware, the sample uses layered techniques for persistence, evasion, discovery, and privilege escalation.\nPersistence Techniques\n\nThis hunt aims to uncover infection vectors, malicious registry keys, dropped binaries, and behavioral indicators across the environment, with a focus on detecting early execution, data exfiltration mechanisms, and evasion patterns consistent with the ICARUS threat profile.",
          "modified": "2025-08-22T05:03:46.995000",
          "created": "2025-07-15T23:19:02.845000",
          "tags": [
            "potentially",
            "icarus",
            "setup",
            "session manager",
            "com hijacking",
            "task scheduler",
            "com api",
            "image file",
            "ifeo",
            "master boot",
            "aqb1",
            "ndh1",
            "s1280x720",
            "aqe1",
            "qclienttypeweb",
            "p11752710011",
            "p2404",
            "p4eqyyz1w",
            "AvEmUpdate.exe",
            "afwServ.exe",
            "icarus.exe",
            "AvLaunch.exe",
            "avast_free_antivirus_online_setup.exe",
            "AvastBrowser.exe",
            "RegSvr.exe",
            "msiexec.exe",
            "msedge.exe",
            "wsc_proxy.exe",
            "overseer.exe",
            "setup.exe",
            "undefined",
            "Zeppelin_10",
            "ConventionEngine_Anomaly_MultiPDB_Double",
            "RansomWin32Apollo",
            "Win.Exploit.CVE_2019_0803-6976664-0",
            "Trojan.Penguish.an",
            "Win.Dropper.Sykipot-9950506-0",
            ""
          ],
          "references": [
            "AvastBrowserUpdate.exe",
            "update.avastbrowser.com",
            "icarus.exe",
            "icarus.exe",
            "honzik.avcdn.net",
            "branding.avast.com",
            "branding.avast.com",
            "honzik.avcdn.net",
            "branding.avast.com",
            "honzik.avcdn.net",
            "AvastBrowserUpdate.exe",
            "update.avastbrowser.com",
            "172.66.175.47",
            "AvastBrowserUpdate.exe",
            "update.avastbrowser.com",
            "172.66.175.47",
            "update.avastbrowser.com",
            "172.66.175.47",
            "C:\\Windows\\system32\\drivers\\asw489b6244737c3046.tmp",
            "C:\\Windows\\system32\\drivers\\asw489b6244737c3046.tmp",
            "C:\\Windows\\system32\\drivers\\asw489b6244737c3046.tmp",
            "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\aswbIDSAgent\\ImagePath = \"\\\"C:\\\\Program Files\\\\Avast Software\\\\Avast\\\\aswidsagent.exe\\\"\"",
            "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\avast! Antivirus\\ImagePath = \"\\\"C:\\\\Program Files\\\\Avast Software\\\\Avast\\\\AvastSvc.exe\\\" /runassvc\"",
            "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\aswbIDSAgent\\ImagePath = \"\\\"C:\\\\Program Files\\\\Avast Software\\\\Avast\\\\aswidsagent.exe\\\"\"",
            "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\avast! Antivirus\\ImagePath = \"\\\"C:\\\\Program Files\\\\Avast Software\\\\Avast\\\\AvastSvc.exe\\\" /runassvc\"",
            "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\avast! Antivirus\\ImagePath = \"\\\"C:\\\\Program Files\\\\Avast Software\\\\Avast\\\\AvastSvc.exe\\\" /runassvc\"",
            "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\aswbIDSAgent\\ImagePath = \"\\\"C:\\\\Program Files\\\\Avast Software\\\\Avast\\\\aswidsagent.exe\\\"\"",
            "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000000000",
            "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000006900630061007200750073005f0072007600720074002e0065007800650000000000",
            "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000006900630061007200750073005f0072007600720074002e0065007800650000000000",
            "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000000000",
            "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000006900630061007200750073005f0072007600720074002e0065007800650000000000",
            "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000000000",
            "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000000000",
            "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000006900630061007200750073005f0072007600720074002e0065007800650000000000",
            "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000006900630061007200750073005f0072007600720074002e0065007800650000000000",
            "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000006900630061007200750073005f0072007600720074002e0065007800650000000000",
            "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000006900630061007200750073005f0072007600720074002e0065007800650000000000",
            "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000000000",
            "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000006900630061007200750073005f0072007600720074002e0065007800650000000000",
            "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000000000",
            "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000000000",
            "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000000000",
            "\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion",
            "\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\VideoBiosVersion",
            "\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion",
            "\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\VideoBiosVersion",
            "\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion",
            "\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\VideoBiosVersion",
            "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{7C4966F0-D502-412D-A636-ACCC39A24BB2}",
            "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\Common",
            "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{2243A056-84B3-4327-8E46-5FE41F72EE91}",
            "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\Common",
            "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\Common",
            "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\Languages",
            "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\Common",
            "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{D93EF81A-B92F-27FE-AF54-9278EA8BF910}",
            "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{CC13CA7D-229B-4D0A-8D27-E26129CDDF10}",
            "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{A9682249-08E7-4BBF-B870-EFBC63AA2888}",
            "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{D93EF81A-B92F-27FE-AF54-9278EA8BF910}",
            "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{93876F24-B4F5-4DBC-97B9-762CD8066719}",
            "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{CC13CA7D-229B-4D0A-8D27-E26129CDDF10}",
            "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{93876F24-B4F5-4DBC-97B9-762CD8066719}",
            "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{93876F24-B4F5-4DBC-97B9-762CD8066719}",
            "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{7C4966F0-D502-412D-A636-ACCC39A24BB2}",
            "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\Languages",
            "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{2243A056-84B3-4327-8E46-5FE41F72EE91}",
            "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\avast! Antivirus\\ImagePath = \"\\\"C:\\\\Program Files\\\\Avast Software\\\\Avast\\\\AvastSvc.exe\\\" /runassvc\"",
            "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{7C4966F0-D502-412D-A636-ACCC39A24BB2}",
            "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{7C4966F0-D502-412D-A636-ACCC39A24BB2}",
            "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{D93EF81A-B92F-27FE-AF54-9278EA8BF910}",
            "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\Languages",
            "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{2243A056-84B3-4327-8E46-5FE41F72EE91}",
            "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{A9682249-08E7-4BBF-B870-EFBC63AA2888}",
            "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{A9682249-08E7-4BBF-B870-EFBC63AA2888}",
            "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{2243A056-84B3-4327-8E46-5FE41F72EE91}",
            "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{A9682249-08E7-4BBF-B870-EFBC63AA2888}",
            "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{A9682249-08E7-4BBF-B870-EFBC63AA2888}",
            "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{CC13CA7D-229B-4D0A-8D27-E26129CDDF10}",
            "icarus.exe",
            "AvastBrowserUpdate.exe",
            "C:\\Windows\\system32\\aswBoot.exe",
            "C:\\Windows\\system32\\aswBoot.exe",
            "C:\\Windows\\system32\\aswBoot.exe",
            "https://tria.ge/250717-z7b8kssly4",
            "https://tria.ge/250717-zt5yqsbp8z/behavioral1",
            "https://tria.ge/250715-xd58fsysc1",
            "https://tria.ge/250717-zt5yqsbp8z",
            "https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2019-0803",
            "https://hackread.com/fake-antivirus-sites-malware-avast-malwarebytes-bitdefender/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United Kingdom of Great Britain and Northern Ireland"
          ],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1547.014",
              "name": "Active Setup",
              "display_name": "T1547.014 - Active Setup"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1016",
              "name": "System Network Configuration Discovery",
              "display_name": "T1016 - System Network Configuration Discovery"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1614",
              "name": "System Location Discovery",
              "display_name": "T1614 - System Location Discovery"
            },
            {
              "id": "T1552",
              "name": "Unsecured Credentials",
              "display_name": "T1552 - Unsecured Credentials"
            },
            {
              "id": "T1081",
              "name": "Credentials in Files",
              "display_name": "T1081 - Credentials in Files"
            },
            {
              "id": "T1130",
              "name": "Install Root Certificate",
              "display_name": "T1130 - Install Root Certificate"
            },
            {
              "id": "T1124",
              "name": "System Time Discovery",
              "display_name": "T1124 - System Time Discovery"
            },
            {
              "id": "T1005",
              "name": "Data from Local System",
              "display_name": "T1005 - Data from Local System"
            },
            {
              "id": "T1016.001",
              "name": "Internet Connection Discovery",
              "display_name": "T1016.001 - Internet Connection Discovery"
            },
            {
              "id": "T1067",
              "name": "Bootkit",
              "display_name": "T1067 - Bootkit"
            },
            {
              "id": "T1503",
              "name": "Credentials from Web Browsers",
              "display_name": "T1503 - Credentials from Web Browsers"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1122",
              "name": "Component Object Model Hijacking",
              "display_name": "T1122 - Component Object Model Hijacking"
            },
            {
              "id": "T1063",
              "name": "Security Software Discovery",
              "display_name": "T1063 - Security Software Discovery"
            },
            {
              "id": "T1555",
              "name": "Credentials from Password Stores",
              "display_name": "T1555 - Credentials from Password Stores"
            },
            {
              "id": "T1546.012",
              "name": "Image File Execution Options Injection",
              "display_name": "T1546.012 - Image File Execution Options Injection"
            },
            {
              "id": "T1562.001",
              "name": "Disable or Modify Tools",
              "display_name": "T1562.001 - Disable or Modify Tools"
            },
            {
              "id": "T1198",
              "name": "SIP and Trust Provider Hijacking",
              "display_name": "T1198 - SIP and Trust Provider Hijacking"
            },
            {
              "id": "T1120",
              "name": "Peripheral Device Discovery",
              "display_name": "T1120 - Peripheral Device Discovery"
            },
            {
              "id": "T1546",
              "name": "Event Triggered Execution",
              "display_name": "T1546 - Event Triggered Execution"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1542",
              "name": "Pre-OS Boot",
              "display_name": "T1542 - Pre-OS Boot"
            }
          ],
          "industries": [
            "Cyber Security and Networking"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 24,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "r0b1nh0od",
            "id": "320328",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_320328/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 165,
            "domain": 65,
            "hostname": 57,
            "FileHash-MD5": 4197,
            "FileHash-SHA256": 4117,
            "FileHash-SHA1": 4092
          },
          "indicator_count": 12693,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 26,
          "modified_text": "282 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "680b76563f2d35581fe1ea35",
          "name": "\"Multi-Family Malware Intrusion Leveraging Skeeyah, PowerRunner, and Tiggre for Stealthy System Reconnaissance and Privilege Escalation\"",
          "description": "The malicious activity observed in this case is characteristic of advanced adversary behavior, aligning with known malware families such as Skeeyah, PowerRunner, and Tiggre. The threat begins with extensive system reconnaissance\u2014enumerating connected drives and accessing the root of non-default hard drives, while dropping suspicious files like desktop.ini and unauthorized binaries in the Windows directory. It proceeds to gather detailed system information, including browser details and system language, potentially to adapt its behavior based on geographical location. Registry activity shows signs of evasion and persistence, with queries and modifications under HKEY_USERS, registry classes, and processor-related keys.\n\nET EXPLOIT_KIT Malicious TA2726 TDS Domain in DNS Lookup (blessedwirrow .org)",
          "modified": "2025-08-22T04:03:28.655000",
          "created": "2025-04-25T11:47:34.444000",
          "tags": [
            "",
            "Port 443",
            "Linux",
            "Windows",
            "Source port 64145",
            ".dll",
            "Mac",
            "Wifi Router Firmware",
            "upnp",
            ".exe",
            "ET EXPLOIT_KIT Malicious TA2726 TDS Domain in DNS Lookup (blesse",
            "infdefaultinstal.exe"
          ],
          "references": [
            "https://levelblue.com/blogs/labs-research/hijacked-how-cybercriminals-are-turning-anti-virus-software-against-you",
            "https://tria.ge/250426-d7g8yassfv/behavioral1",
            "https://any.run/report/b206d141d10bfc17040dd7feb70d0a35267aee0f8493b6406c502104d9a8a546/1a03b630-06fa-4c33-959c-50a307fade7a",
            "https://hybrid-analysis.com/sample/aa15fe9c07f104c8373ce3844140ce06834c0201eacfb9e55a6d8b7cbf430bff/67d32a44606a9ad5f804d20a",
            "https://www.malwareurl.com/listing.php?domain=150.171.27.11",
            "https://tria.ge/250516-kbx3vazvev/behavioral1",
            "https://tria.ge/250516-l2w4xaem2y/behavioral2",
            "https://outbound.tiiny.site"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Trojan:Win32/Skeeyah",
              "display_name": "Trojan:Win32/Skeeyah",
              "target": "/malware/Trojan:Win32/Skeeyah"
            },
            {
              "id": "PowerRunner",
              "display_name": "PowerRunner",
              "target": null
            },
            {
              "id": "Trojan:Win32/Tiggre",
              "display_name": "Trojan:Win32/Tiggre",
              "target": "/malware/Trojan:Win32/Tiggre"
            },
            {
              "id": "Trojan.Malware.300983.susgen",
              "display_name": "Trojan.Malware.300983.susgen",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 150,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "r0b1nh0od",
            "id": "320328",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_320328/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 103,
            "FileHash-SHA1": 87,
            "FileHash-SHA256": 93,
            "CVE": 1,
            "FilePath": 7,
            "URL": 13,
            "SSLCertFingerprint": 1,
            "hostname": 4,
            "domain": 2
          },
          "indicator_count": 311,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 25,
          "modified_text": "282 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "685141327cd7e3ed407eb167",
          "name": "Phishing Alert: Brindle & Green",
          "description": "A phishing email has been identified, Brindle & Green, a legitimate provider of environmental consultancy services across the UK. The email contains the following details:\n\t\u2022 Subject: Brindle and Green Ltd \n\t\u2022 Sender Address: neil@brindlegreen[.]co[.]uk \n\t\u2022 Display Name: Neil Crofts \n\t\u2022 Sender IP: 2a01:111:f403:c200::1",
          "modified": "2025-07-17T10:00:25.852000",
          "created": "2025-06-17T10:19:30.362000",
          "tags": [
            "httphttps",
            "pfny06id6",
            "arch-email",
            "phishing",
            "storm1747",
            "tycoon",
            "43",
            "qrcode"
          ],
          "references": [
            "https://any.run/malware-trends/tycoon/",
            "https://app.any.run/tasks/deb8f75a-51ba-470e-a3bb-1bb1f2e8096c",
            "https://urlscan.io/result/01977d24-53a4-7788-bdbc-8a02d9906b6b/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United Kingdom of Great Britain and Northern Ireland"
          ],
          "malware_families": [
            {
              "id": "TYCOON 2FA",
              "display_name": "TYCOON 2FA",
              "target": null
            },
            {
              "id": "Tycoon",
              "display_name": "Tycoon",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            }
          ],
          "industries": [
            "Government"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 23,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "FS13JKMK",
            "id": "312129",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_312129/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 15,
            "hostname": 25,
            "URL": 71,
            "FileHash-MD5": 5,
            "FileHash-SHA256": 28,
            "FileHash-SHA1": 1
          },
          "indicator_count": 145,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 71,
          "modified_text": "318 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://app.any.run/tasks/1882b2bc-ad7f-457b-b5d8-fdd2b75e349b",
        "https://outbound.tiiny.site",
        "https://app.any.run/tasks/dafcfd2d-8a38-47f7-bce3-65845320192f",
        "https://app.any.run/tasks/87a167c6-2c9a-4fe8-a7f3-4b21b168d7df",
        "https://www.virustotal.com/gui/collection/fc2724a35b1672bcbcbb1af5a8e77d1e6095818a9db880a18661208aa9e9f1ed/iocs",
        "https://app.any.run/tasks/deb8f75a-51ba-470e-a3bb-1bb1f2e8096c",
        "https://www.scyscan.com/scan-report/?rid=1743532660988884337",
        "https://app.any.run/tasks/e0a4305e-2b16-4192-b886-55758307f6e0",
        "https://opentip.kaspersky.com/https%3A%2F%2Fsupport.apple.com%2F100100/?tab=lookup",
        "https://app.any.run/tasks/40ac99f3-0bf0-4455-996b-01e9ba0aaf79",
        "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\aswbIDSAgent\\ImagePath = \"\\\"C:\\\\Program Files\\\\Avast Software\\\\Avast\\\\aswidsagent.exe\\\"\"",
        "https://www.virustotal.com/gui/collection/31128b22372d1d820a4c494cc4e846ae3a5a60ffd1dd7b00b4e303a8007529bc/iocs",
        "C:\\Windows\\system32\\aswBoot.exe",
        "https://www.virustotal.com/gui/url/aec932cd6ff44a6b8a13e3573f47d7e543cc0e1cc25f6d4fa2e0b0f1b8c44603/details",
        "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\Common",
        "http://hybrid-analysis.com/sample/04fcf10162401756459d90569bdda9bd3f264efc7ce75e2ca96a8fc93e159bdb/698522a0b8d0f8b6c404b7b4",
        "https://app.any.run/tasks/cc358dd2-90cd-449a-a732-4ff9bf6c9adf",
        "http://hybrid-analysis.com/sample/0a875f2646dc2b4b36fdf7196e357b8b2718a449e3e92b817194ba287238ae00",
        "https://www.virustotal.com/graph/embed/g70516ab17e6a482eb6641c8d15f795a9d0fbc493ae9d4c3ca0e0617754ba679c?theme=dark",
        "https://levelblue.com/blogs/labs-research/hijacked-how-cybercriminals-are-turning-anti-virus-software-against-you",
        "https://tria.ge/250717-zt5yqsbp8z",
        "C:\\Windows\\system32\\drivers\\asw489b6244737c3046.tmp",
        "https://app.any.run/tasks/b37fc505-f470-4db4-b140-7d9e7c72d6d2",
        "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\Languages",
        "https://app.any.run/tasks/ed984ec8-5918-4844-abbf-80a0e9ebf16e",
        "https://intelix.sophos.com/report/ce2b7a12bcf74e2f8bae0263e6ae69f0/static/file",
        "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{93876F24-B4F5-4DBC-97B9-762CD8066719}",
        "https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2019-0803",
        "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{A9682249-08E7-4BBF-B870-EFBC63AA2888}",
        "https://intelix.sophos.com/report/ce2b7a12bcf74e2f8bae0263e6ae69f0/static/url",
        "https://tria.ge/250426-d7g8yassfv/behavioral1",
        "icarus.exe",
        "https://urlquery.net/report/f7f1fb29-f7fb-4aec-be06-978b4bb296ab",
        "https://any.run/report/b206d141d10bfc17040dd7feb70d0a35267aee0f8493b6406c502104d9a8a546/1a03b630-06fa-4c33-959c-50a307fade7a",
        "https://hackread.com/fake-antivirus-sites-malware-avast-malwarebytes-bitdefender/",
        "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{7C4966F0-D502-412D-A636-ACCC39A24BB2}",
        "\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion",
        "https://tria.ge/250715-xd58fsysc1",
        "https://www.virustotal.com/gui/file/3447d0e0dce83b163308c04dffeb52afb9f22d756b57d516fb1930d60303278d/details",
        "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{D93EF81A-B92F-27FE-AF54-9278EA8BF910}",
        "https://hybrid-analysis.com/sample/aa15fe9c07f104c8373ce3844140ce06834c0201eacfb9e55a6d8b7cbf430bff/67d32a44606a9ad5f804d20a",
        "https://metadefender.com/results/url/aHR0cHM6Ly9zdXBwb3J0LmFwcGxlLmNvbS8xMDAxMDA=",
        "https://www.virustotal.com/gui/collection/31128b22372d1d820a4c494cc4e846ae3a5a60ffd1dd7b00b4e303a8007529bc/summary",
        "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{CC13CA7D-229B-4D0A-8D27-E26129CDDF10}",
        "https://app.any.run/tasks/70b35454-3588-4ee8-aa50-b6c6926fa64f",
        "https://app.any.run/tasks/aadadf58-1ac4-4378-9505-3bfec93982f2",
        "\\REGISTRY\\MACHINE\\SOFTWARE\\Avast Software\\Avast\\properties\\settings\\{2243A056-84B3-4327-8E46-5FE41F72EE91}",
        "https://app.threat.zone/submission/9484b40d-a27f-4837-9e66-956835282d63/url-analysis-report",
        "https://www.filescan.io/uploads/69853e76930564ff3c8e3576/reports/132722cc-526c-428b-85d8-bb863204ec6f/ioc",
        "https://tria.ge/250717-zt5yqsbp8z/behavioral1",
        "https://hybrid-analysis.com/sample/04fcf10162401756459d90569bdda9bd3f264efc7ce75e2ca96a8fc93e159bdb",
        "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\avast! Antivirus\\ImagePath = \"\\\"C:\\\\Program Files\\\\Avast Software\\\\Avast\\\\AvastSvc.exe\\\" /runassvc\"",
        "https://www.malwareurl.com/listing.php?domain=150.171.27.11",
        "https://urlscan.io/result/01977d24-53a4-7788-bdbc-8a02d9906b6b/",
        "https://www.virustotal.com/graph/embed/ge7e62e923913419f9a4096f64b057f85af4f61c7ddba41b09ce577061284a468?theme=dark",
        "172.66.175.47",
        "https://tria.ge/250516-kbx3vazvev/behavioral1",
        "https://tria.ge/260421-ygl5esbt5p",
        "https://app.any.run/tasks/95be81c1-a169-4cd8-a6f0-9e78281f6dad",
        "https://viz.greynoise.io/ip/analysis/66ca01e5-ac9a-4baf-b088-901cfbe72cac",
        "branding.avast.com",
        "https://app.any.run/tasks/a79a0c00-59de-4d11-bb54-c418a5874ae4",
        "https://www.filescan.io/uploads/69e7ceb08a82359247ab7647/reports/e7fdc5f9-d521-4ce6-afae-50b558e39445/overview",
        "Program.cs",
        "https://tria.ge/250516-l2w4xaem2y/behavioral2",
        "https://www.virustotal.com/gui/collection/fc2724a35b1672bcbcbb1af5a8e77d1e6095818a9db880a18661208aa9e9f1ed",
        "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000000000",
        "update.avastbrowser.com",
        "AvastBrowserUpdate.exe",
        "https://app.threat.zone/submission/f373032a-49fe-46f2-be28-a4636cbeb3c2/url-analysis-report",
        "honzik.avcdn.net",
        "https://tria.ge/250717-z7b8kssly4",
        "http://hybrid-analysis.com/sample/0a875f2646dc2b4b36fdf7196e357b8b2718a449e3e92b817194ba287238ae00/69e7d3627e525d99f106537e",
        "https://any.run/malware-trends/tycoon/",
        "https://tria.ge/260421-ygl5esbt5p/behavioral1",
        "https://polyswarm.network/scan/results/url/a6220c097dabdc5fd659eb3ca1441fd3ce853817647bbac71109847df837af70",
        "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000006900630061007200750073005f0072007600720074002e0065007800650000000000",
        "\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\VideoBiosVersion"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 0
        },
        "other": {
          "adversary": [],
          "malware_families": [
            "Powerrunner",
            "Optix pro",
            "Wshrat",
            "Trojan:win32/skeeyah",
            "Trojan.malware.300983.susgen",
            "Naughtytouch",
            "Virus:win32/neshta",
            "Tycoon",
            "Tycoon 2fa",
            "Trojan:win32/tiggre",
            "Back orifice"
          ],
          "industries": [
            "Government",
            "University",
            "Technology",
            "Cyber security",
            "Cyber research",
            "Academic",
            "Research",
            "Cyber security and networking"
          ],
          "unique_indicators": 15578
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/microsoftapp.net",
    "whois": "http://whois.domaintools.com/microsoftapp.net",
    "domain": "microsoftapp.net",
    "hostname": "static.edge.microsoftapp.net"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 34,
  "pulses": [
    {
      "id": "69f0ccbc76103a52f45c7f57",
      "name": "MalSpam_28032026",
      "description": "IoCs Extracted from Fortimail quarantine email. Analysis Verify your account settings now!.eml (MD5: D65936EBA4C38EE3D30441A9671FC6C3) Malicious activity - Interactive analysis ANY.RUN. Microsoft users are being urged to log in to their accounts on the same day as they are on a different account at the other end of the world. and here is the full list of files:",
      "modified": "2026-05-28T15:26:26.017000",
      "created": "2026-04-28T15:05:32.464000",
      "tags": [
        "p2404",
        "p11777645428",
        "attrdataver186",
        "p11777645427",
        "telemetrylevel1",
        "osuilocaleenus",
        "osskuid48",
        "processorcores6",
        "tpmversion0",
        "osnamewin",
        "main",
        "verify"
      ],
      "references": [
        "https://app.any.run/tasks/b37fc505-f470-4db4-b140-7d9e7c72d6d2"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "soc_columbus",
        "id": "2084",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2084/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 3,
        "FileHash-SHA1": 1,
        "FileHash-SHA256": 7,
        "URL": 1,
        "email": 1,
        "hostname": 1
      },
      "indicator_count": 14,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 210,
      "modified_text": "2 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69eb630a8e44088d23f24d99",
      "name": "Outbound Network Analyser - ARU - Research in to router traffic - identified academic cyber attack",
      "description": "TROJAN DROP ON C# CODE ACTIVATION - \n\nfile dropped new.exe - runs .dlls and installs complete package of multiple malwares - including backdoors and spywares -",
      "modified": "2026-05-24T19:21:10.096000",
      "created": "2026-04-24T12:33:14.341000",
      "tags": [
        "vnc default",
        "protocol p",
        "secure",
        "buffer",
        "remote",
        "windows",
        "authentication",
        "network",
        "c2 default",
        "dameware remote",
        "deos",
        "finger",
        "netbus",
        "back",
        "aeroadmin",
        "back orifice",
        "hack",
        "error",
        "shell",
        "simple",
        "terminal",
        "service",
        "trivial",
        "gopher",
        "example",
        "backorifice",
        "optix pro",
        "metasploit",
        "bladerunner",
        "gotomypc",
        "dcrat",
        "darkcomet",
        "netcat",
        "trinoo",
        "md5 sha1",
        "sha512 ssdeep",
        "size",
        "sample",
        "tlsh score",
        "10 malware",
        "iocs checks",
        "file explorer",
        "tlsh windows6",
        "pe checks",
        "path c",
        "get https",
        "sha256",
        "head https",
        "tlsh",
        "sha512 tlsh",
        "post https",
        "ttps",
        "get http",
        "10 execution",
        "malware config",
        "javascript",
        "ttps execution",
        "pid4784 network",
        "state path",
        "datalocal state",
        "tlsh local",
        "p2404",
        "score",
        "system",
        "pid2148 network"
      ],
      "references": [
        "Program.cs"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United Kingdom of Great Britain and Northern Ireland"
      ],
      "malware_families": [
        {
          "id": "Optix Pro",
          "display_name": "Optix Pro",
          "target": null
        },
        {
          "id": "Back Orifice",
          "display_name": "Back Orifice",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1124",
          "name": "System Time Discovery",
          "display_name": "T1124 - System Time Discovery"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        }
      ],
      "industries": [
        "Cyber Security",
        "Academic",
        "University",
        "Research",
        "Cyber REsearch"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "r0b1nh0od",
        "id": "320328",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_320328/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 16,
        "FileHash-SHA256": 2371,
        "FileHash-MD5": 366,
        "FileHash-SHA1": 64,
        "URL": 23,
        "domain": 3
      },
      "indicator_count": 2843,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 26,
      "modified_text": "6 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69eb6308e87c53ec7b9bf112",
      "name": "Outbound Network Analyser - ARU - Research in to router traffic - identified academic cyber attack",
      "description": "TROJAN DROP ON C# CODE ACTIVATION - \n\nfile dropped new.exe - runs .dlls and installs a complete package of multiple malware - including backdoors and spyware -",
      "modified": "2026-05-24T12:05:23.190000",
      "created": "2026-04-24T12:33:12.569000",
      "tags": [
        "vnc default",
        "protocol p",
        "secure",
        "buffer",
        "remote",
        "windows",
        "authentication",
        "network",
        "c2 default",
        "dameware remote",
        "deos",
        "finger",
        "netbus",
        "back",
        "aeroadmin",
        "back orifice",
        "hack",
        "error",
        "shell",
        "simple",
        "terminal",
        "service",
        "trivial",
        "gopher",
        "example",
        "backorifice",
        "optix pro",
        "metasploit",
        "bladerunner",
        "gotomypc",
        "dcrat",
        "darkcomet",
        "netcat",
        "trinoo",
        "md5 sha1",
        "sha512 ssdeep",
        "size",
        "sample",
        "tlsh score",
        "10 malware",
        "iocs checks",
        "file explorer",
        "tlsh windows6",
        "pe checks",
        "path c",
        "get https",
        "sha256",
        "head https",
        "tlsh",
        "sha512 tlsh",
        "post https",
        "ttps",
        "get http",
        "10 execution",
        "malware config",
        "javascript",
        "ttps execution",
        "pid4784 network",
        "state path",
        "datalocal state",
        "tlsh local",
        "p2404",
        "score",
        "system",
        "pid2148 network"
      ],
      "references": [
        "Program.cs"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United Kingdom of Great Britain and Northern Ireland"
      ],
      "malware_families": [
        {
          "id": "Optix Pro",
          "display_name": "Optix Pro",
          "target": null
        },
        {
          "id": "Back Orifice",
          "display_name": "Back Orifice",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1124",
          "name": "System Time Discovery",
          "display_name": "T1124 - System Time Discovery"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        }
      ],
      "industries": [
        "Cyber Security",
        "Academic",
        "University",
        "Research",
        "Cyber REsearch"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "r0b1nh0od",
        "id": "320328",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_320328/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 2,
        "FileHash-SHA256": 143,
        "FileHash-MD5": 35,
        "FileHash-SHA1": 32,
        "URL": 4
      },
      "indicator_count": 216,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 26,
      "modified_text": "7 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69e7d7edd91aab8d1e8d5590",
      "name": "hxxps://support[.]apple[.]com/100100",
      "description": "hxxps://support[.]apple[.]com/100100",
      "modified": "2026-05-21T20:10:22.225000",
      "created": "2026-04-21T20:02:53.543000",
      "tags": [
        "malware",
        "virus",
        "trojan",
        "ransomware",
        "static",
        "analysis",
        "indicator of compromise",
        "ioc",
        "extraction",
        "emulation",
        "online",
        "submit",
        "sample",
        "download",
        "platform",
        "switch",
        "community add",
        "security menlo",
        "reports",
        "cve list",
        "notes blog",
        "drop your",
        "file",
        "service",
        "privacy policy",
        "intelix portal",
        "javascript",
        "please",
        "strong",
        "united kingdom",
        "urls",
        "domain name",
        "url analysis",
        "report https",
        "request",
        "status",
        "public ev",
        "server rsa",
        "g1 apple",
        "virustotal",
        "domain",
        "benign no",
        "february",
        "date february",
        "safe browsing",
        "ctx database",
        "upgrade plan",
        "my submissions",
        "free",
        "april",
        "august",
        "sandbox",
        "static analyzer",
        "analyzer",
        "vxstream",
        "apt",
        "hybrid analysis",
        "api key",
        "vetting process",
        "please note",
        "triage",
        "report",
        "reported",
        "analyze",
        "md5 sha1",
        "sha256",
        "submit download",
        "sha1",
        "sha512",
        "path c",
        "sha512 tlsh",
        "ssdeep",
        "prefetch8",
        "general",
        "config",
        "copy",
        "target",
        "score",
        "impact",
        "get https",
        "post https",
        "sha512 ssdeep",
        "size",
        "p2404",
        "tlsh",
        "Apple",
        "iPad",
        "Update"
      ],
      "references": [
        "https://www.filescan.io/uploads/69e7ceb08a82359247ab7647/reports/e7fdc5f9-d521-4ce6-afae-50b558e39445/overview",
        "https://metadefender.com/results/url/aHR0cHM6Ly9zdXBwb3J0LmFwcGxlLmNvbS8xMDAxMDA=",
        "https://intelix.sophos.com/report/ce2b7a12bcf74e2f8bae0263e6ae69f0/static/file",
        "https://intelix.sophos.com/report/ce2b7a12bcf74e2f8bae0263e6ae69f0/static/url",
        "https://app.threat.zone/submission/9484b40d-a27f-4837-9e66-956835282d63/url-analysis-report",
        "http://hybrid-analysis.com/sample/0a875f2646dc2b4b36fdf7196e357b8b2718a449e3e92b817194ba287238ae00",
        "https://tria.ge/260421-ygl5esbt5p/behavioral1",
        "https://www.scyscan.com/scan-report/?rid=1743532660988884337",
        "https://polyswarm.network/scan/results/url/a6220c097dabdc5fd659eb3ca1441fd3ce853817647bbac71109847df837af70",
        "http://hybrid-analysis.com/sample/0a875f2646dc2b4b36fdf7196e357b8b2718a449e3e92b817194ba287238ae00/69e7d3627e525d99f106537e",
        "https://tria.ge/260421-ygl5esbt5p",
        "https://opentip.kaspersky.com/https%3A%2F%2Fsupport.apple.com%2F100100/?tab=lookup",
        "https://www.virustotal.com/graph/embed/ge7e62e923913419f9a4096f64b057f85af4f61c7ddba41b09ce577061284a468?theme=dark",
        "https://www.virustotal.com/gui/collection/31128b22372d1d820a4c494cc4e846ae3a5a60ffd1dd7b00b4e303a8007529bc/summary",
        "https://www.virustotal.com/gui/collection/31128b22372d1d820a4c494cc4e846ae3a5a60ffd1dd7b00b4e303a8007529bc/iocs"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Canada"
      ],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1124",
          "name": "System Time Discovery",
          "display_name": "T1124 - System Time Discovery"
        },
        {
          "id": "T1217",
          "name": "Browser Bookmark Discovery",
          "display_name": "T1217 - Browser Bookmark Discovery"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        }
      ],
      "industries": [
        "Technology"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Disable_Duck",
        "id": "244325",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 80,
        "hostname": 175,
        "URL": 1571,
        "FileHash-MD5": 183,
        "email": 7,
        "CIDR": 3,
        "FileHash-SHA1": 117,
        "FileHash-SHA256": 181,
        "SSLCertFingerprint": 14
      },
      "indicator_count": 2331,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 131,
      "modified_text": "9 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69d50ab8883af2ff2017b81a",
      "name": "MalSpam_07042026",
      "description": "IoC Extracted from Fortimail quarantine mail. Analysis Secure Your Retirement Benefits.eml (MD5: 1A3F2B66A7E38F7857C54D9A368068AC) Malicious activity - Interactive analysis ANY.RUN. Microsoft has released a new version of its Office operating system, called Office Outlook, which is based on the same software as the Office Store and Microsoft Office app, for use in the US and UK.",
      "modified": "2026-05-07T13:00:26.944000",
      "created": "2026-04-07T13:46:32.552000",
      "tags": [
        "secure your",
        "p2404",
        "p11775851954",
        "p11775851955",
        "processorcores6",
        "tpmversion0",
        "attrdataver186",
        "osnamewin",
        "main",
        "secure",
        "dropped file"
      ],
      "references": [
        "https://app.any.run/tasks/e0a4305e-2b16-4192-b886-55758307f6e0"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "soc_columbus",
        "id": "2084",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2084/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 4,
        "FileHash-SHA1": 2,
        "FileHash-SHA256": 6,
        "URL": 1,
        "email": 1,
        "hostname": 2
      },
      "indicator_count": 16,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 212,
      "modified_text": "24 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69cbf2775446abf635fe2c95",
      "name": "MalSpam_31032026_7",
      "description": "IoC Extracted from Fortimail quarantine mail. Analysis: Subject: Account Deactivation notification",
      "modified": "2026-04-30T16:30:10.878000",
      "created": "2026-03-31T16:12:39.674000",
      "tags": [
        "p2404",
        "processorcores6",
        "tpmversion0",
        "attrdataver186",
        "osnamewin",
        "p11775548094",
        "main",
        "deactivation",
        "connections ip",
        "httphttps"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "soc_columbus",
        "id": "2084",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2084/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 4,
        "FileHash-SHA1": 2,
        "FileHash-SHA256": 6,
        "URL": 2,
        "email": 1,
        "hostname": 4
      },
      "indicator_count": 19,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 210,
      "modified_text": "30 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69cbeb74cc9878a356224d97",
      "name": "MalSpam_31032026_2",
      "description": "IoC Extracted from Fortimail quarantine mail. Analysis: Re_ Request for dominique Quote 3_27_2026 6_32_01 a.m..eml",
      "modified": "2026-04-30T15:30:17.242000",
      "created": "2026-03-31T15:42:43.990000",
      "tags": [
        "p2404",
        "re request",
        "quote",
        "attrdataver186",
        "processorcores6",
        "tpmversion0",
        "p11775311120",
        "p11775311122",
        "osnamewin",
        "main"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "soc_columbus",
        "id": "2084",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2084/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 3,
        "FileHash-SHA1": 2,
        "FileHash-SHA256": 7,
        "URL": 1,
        "email": 1,
        "hostname": 1
      },
      "indicator_count": 15,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 209,
      "modified_text": "30 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69c29c38a298c75d4598aa38",
      "name": "MalSpam_24032026_1",
      "description": "IoCs Extracted from Fortimail quarantine email. Analysis Incoming Messages Failed Fix now.eml (MD5: EA4C7690092D45B5C28330E25E17BDD4) Malicious activity - Interactive analysis ANY.RUN. Main object - Incoming Messages Failed Fix now, after being detected by Microsoft's security team at 0:00 GMT on Tuesday..eml. and the following day, on Wednesday, 1 September",
      "modified": "2026-04-23T14:22:41.589000",
      "created": "2026-03-24T14:14:16.320000",
      "tags": [
        "p2404",
        "p11774458416",
        "p11774458417",
        "processorcores6",
        "tpmversion0",
        "attrdataver186",
        "osnamewin",
        "main",
        "messages",
        "dropped file"
      ],
      "references": [
        "https://app.any.run/tasks/95be81c1-a169-4cd8-a6f0-9e78281f6dad"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "soc_columbus",
        "id": "2084",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2084/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 5,
        "FileHash-SHA1": 2,
        "FileHash-SHA256": 8,
        "URL": 2,
        "email": 1,
        "hostname": 4
      },
      "indicator_count": 22,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 210,
      "modified_text": "37 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69c29c38109c5adee3e5c659",
      "name": "MalSpam_24032026_1",
      "description": "IoCs Extracted from Fortimail quarantine email. Analysis Incoming Messages Failed Fix now.eml (MD5: EA4C7690092D45B5C28330E25E17BDD4) Malicious activity - Interactive analysis ANY.RUN. Main object - Incoming Messages Failed Fix now, after being detected by Microsoft's security team at 0:00 GMT on Tuesday..eml. and the following day, on Wednesday, 1 September",
      "modified": "2026-04-23T14:22:41.589000",
      "created": "2026-03-24T14:14:16.605000",
      "tags": [
        "p2404",
        "p11774458416",
        "p11774458417",
        "processorcores6",
        "tpmversion0",
        "attrdataver186",
        "osnamewin",
        "main",
        "messages",
        "dropped file"
      ],
      "references": [
        "https://app.any.run/tasks/95be81c1-a169-4cd8-a6f0-9e78281f6dad"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "soc_columbus",
        "id": "2084",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2084/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 5,
        "FileHash-SHA1": 2,
        "FileHash-SHA256": 8,
        "URL": 2,
        "email": 1,
        "hostname": 4
      },
      "indicator_count": 22,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 210,
      "modified_text": "37 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69c296f5e47e50850e6d9eee",
      "name": "MalSpam_24032026",
      "description": "IoCs Extracted from Fortimail quarantine email. Analysis printwareonline.com WARNING_ The \u201cinfo@printwareonline.com\u201d email account is almost full..eml (MD5: A38092C728D8A1322E09708FABDD46A4) Malicious activity - Interactive analysis ANY.RUN. Microsoft\u2019s \u201chelp\" system is being used to monitor users' browsing habits on the Windows operating system, as well as the use of the \u2018help system\u201d on its website.",
      "modified": "2026-04-23T13:04:04.453000",
      "created": "2026-03-24T13:51:49.835000",
      "tags": [
        "warning",
        "info",
        "email",
        "p2404",
        "p11774503352",
        "processorcores6",
        "tpmversion0",
        "attrdataver186",
        "osnamewin",
        "p11774503354",
        "main"
      ],
      "references": [
        "https://app.any.run/tasks/70b35454-3588-4ee8-aa50-b6c6926fa64f"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "soc_columbus",
        "id": "2084",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2084/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 4,
        "domain": 2,
        "email": 1,
        "FileHash-SHA1": 2,
        "FileHash-SHA256": 10,
        "URL": 3,
        "hostname": 2
      },
      "indicator_count": 24,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 210,
      "modified_text": "38 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://static.edge.microsoftapp.net/default/cloud_config_observers.json",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://static.edge.microsoftapp.net/default/cloud_config_observers.json",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780234116.663493
}