Domain · High · Verified · Signal 77/100
microsoftstart.org
First seen: Apr 17, 2026
Last seen: Jun 2, 2026
Found in 6 reports. Confidence: high. · Confidence scores are heuristic. Verify before acting on results.
Type: Domain Name (malicious domain used for C2, phishing, or malware distribution)
MISP category: Network Activity
Confidence: 77%
Signal score: 77 / 100
IDS rule: No
Threat Context

MITRE ATT&CK TTPs (technique IDs recovered from the aggregated report tags; the page rendered the tags run together with no separators):
T1003, T1005, T1010, T1012, T1014, T1016, T1018, T1027, T1033, T1036, T1040, T1045, T1046, T1047, T1053, T1055, T1056, T1057, T1059, T1059.001, T1060, T1064, T1069, T1069.002, T1070, T1071, T1071.001, T1071.004, T1074, T1082, T1083, T1091, T1095, T1102, T1105, T1106, T1112, T1114, T1115, T1120, T1129, T1134, T1140, T1176, T1185, T1202, T1203, T1222, T1480, T1485, T1486, T1496, T1497, T1518, T1518.001, T1539, T1542, T1542.003, T1543, T1547, T1548, T1552, T1553, T1553.002, T1555, T1560, T1562, T1564, T1566, T1569, T1571, T1573, T1574, T1574.002, T1592, T1614
Several of these (T1045, T1060, T1064) are IDs that ATT&CK has since revoked or merged into other techniques (T1027.002, T1547.001, T1059), so map them before loading into a current ATT&CK-keyed tool.

Feed Intelligence Summary: 6 source reports, 77% confidence score.

Category tags (recovered from the same aggregated tag cloud; the hex fragments, sandbox field names, certificate subjects and WHOIS field names that made up most of it are not recoverable and are omitted):
Actors and families: apt29, dukes, cobalt strike, emotet, guloader, upatre, tofsee, virlock, spynote, pegasus, themida, solarwinds
Activity: command & control, phishing, initial access, defense evasion, injection, persist, dropper, trojan, trojanspy, bankers trojan, ransomware, rootkit, bootkit, miner, cryptocurrency, ddos, dns attack, brute force, credential stuffing, mitm_attacks, watering hole, supply chain attack, tor node, code signing, nation-state activity, identity & access exploitation, exploitation activity, scams & fraud, network abuse, iot security, mobile threat, hacking tools
Detection and sources: yara, sigma, suricata ids, passive dns, virustotal, alienvault, cape sandbox, zenbox
Note that these tags are aggregated across all six source reports; most of the family names do not describe this domain specifically.
Activity Timeline (sightings per window; peak 2026-06-02)
24h: 0 (Dormant)
7d: 0 (Dormant)
30d: 1 (Minimal)
3mo: 1 (Minimal)
Threat Score: 77 (High Risk)
Signal score: 77
Confidence: 77%
Reports: 6
First seen: Apr 17, 2026
Last seen: Jun 2, 2026
Verified IOC
VirusTotal: Not checked
WHOIS
Domain rank: -1
Raw record (query time 2026-04-14 19:21:52):
  Domain name: microsoftstart.org
  Create date: 2021-05-13 00:00:00
  Update date: 2026-04-11 00:00:00
  Expiry date: 2027-05-13 00:00:00
  Domain registrar id: 292 (MarkMonitor; RDAP base https://rdap.markmonitor.com/rdap/)
  Registrant country: United States
  Registrant address, city, company, name, phone, fax, state, zip: returned as opaque 16-hex-character tokens (86c54a730ec120b0, b6b1ba5f05367788, 628983377a05fb4c, 1f33d7151e7ebf55, 1ad2654c255d0dcb, 6c39824943df5520, 163b5dbd6196f461, 2908382a58eb4969), not plaintext
  Registrant email: [email protected]
  Technical email: [email protected]
Triage note: the record shows a 2021 registration through MarkMonitor (IANA registrar ID 292, a corporate brand-protection registrar), a 2027 expiry and a US registrant. That profile is more typical of a long-held corporate brand holding than of throwaway C2 infrastructure, so confirm the domain's role in the referenced reports before blocking it.
References:
- https://www.avertium.com/resources/threat-reports/evolution-of-russian-apt29-new-attacks-and-techniques-uncovered
- https://otx.alienvault.com/pulse/64c131d13447ec7826c8ac6f
- Contributor note (Additions: resourced by Q.Vashti 04.17.2026 - credit crowdsourced information & personal research): "I copied IoCs from a pulse by AlienVault. I added related, resourced information I found interesting."
  - XOR_embeded_exefile_xored_with_round_256_bytes_key
  - FILEHASH - SHA256 966e070a52de1c51976f6ea1fc48ec77f6b89f4bf5e5007650755e9cd0d73281 -> Name: Invitation - Santa Lucia Celebration.msg • File Type: CDFV2 Microsoft Outlook Message
  - YARA DESCRIPTION: Detects encoded keyword - GetCurrentThreadId; RULE_AUTHOR: Florian Roth
  - YARA Signature Match - THOR APT Scanner Get; RULE_AUTHOR: Florian Roth
  - YARA RULE: SUSP_Encoded_GetCurrentThreadId; RULE_AUTHOR: Florian Roth
  - YARA RULE_SET: Livehunt - Suspicious82 Indicators; RULE_AUTHOR: Florian Roth
  - YARA RULE_TYPE: THOR APT Scanner's rule set only; RULE_AUTHOR: Florian Roth
  - YARA RULE: SUSP_Decimal_Encoded_Executable_May21_1; RULE_AUTHOR: Florian Roth
  - SIGMA: matches rule "Use Short Name Path in Command Line" by frack113, Nasreddine Bencherchali; matches rule "Use Short Name Path in Image" by frack113, Nasreddine Bencherchali - Sigma rule cannot be loaded.
  - kefas.id: Crowdsourced Sigma below | Malicious Score High
  - Activity related to APT29 - according to source Cluster25 - This DOMAIN is used as a CnC by APT29
  - Evolution of Russian APT29 – New Attacks and Techniques Uncovered - according to source ArcSight Threat Intelligence - 2 years ago CCleaner
  - Credit: Resourced by AlienVault on July 26, 2023 at 8:48:39 • AlienVault
Subdomains count: 0
Export & API: STIX 2.1 bundle, CSV export, permalink
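The raw WHOIS line shown above and the STIX 2.1 bundle export can both be reproduced with standard-library Python. The following is an added example written for this page, not the portal's own code nor code from any of the referenced reports: the field values, dates, confidence and report URLs are copied from this page, while the helper names, the example-local UUID namespace used for reproducible SDO ids, and the layout of the STIX objects are this example's own assumptions.

```python
"""Added example (not the IOC portal's code): parse the portal's raw WHOIS line,
derive the triage checks a responder wants from it, and build a STIX 2.1 bundle
for the indicator. Values are copied from the page; helper names are assumed."""
import json
import re
import uuid
from datetime import datetime, timezone

# Constructed input: the raw WHOIS line exactly as this page displays it.
RAW_WHOIS = (
    "Create date: 2021-05-13 00:00:00 Domain name: microsoftstart.org "
    "Domain registrar id: 292.0 Domain registrar url: https://rdap.markmonitor.com/rdap/ "
    "Expiry date: 2027-05-13 00:00:00 Query time: 2026-04-14 19:21:52 "
    "Registrant address: 86c54a730ec120b0 Registrant city: b6b1ba5f05367788 "
    "Registrant company: 628983377a05fb4c Registrant country: United States "
    "Registrant email: [email protected] Registrant fax: 6c39824943df5520 "
    "Registrant name: 1f33d7151e7ebf55 Registrant phone: 1ad2654c255d0dcb "
    "Registrant state: 163b5dbd6196f461 Registrant zip: 2908382a58eb4969 "
    "Technical email: [email protected] Update date: 2026-04-11 00:00:00"
)
REFERENCES = [  # the two report URLs listed on the page
    "https://www.avertium.com/resources/threat-reports/evolution-of-russian-apt29-new-attacks-and-techniques-uncovered",
    "https://otx.alienvault.com/pulse/64c131d13447ec7826c8ac6f",
]

# A key is a Capitalised word plus up to two lowercase words, followed by ": ".
# Locating keys (rather than splitting on ':') keeps times and URLs inside values intact.
KEY_RE = re.compile(r"(?:^|(?<= ))([A-Z][a-z]+(?: [a-z]+){0,2}): ")
OPAQUE_RE = re.compile(r"^[0-9a-f]{16}$")  # shape of the non-plaintext registrant values
SCO_NS = uuid.UUID("00abedb4-aa42-466c-9c01-fed23315a9b7")  # STIX 2.1 SCO UUIDv5 namespace
# Hypothetical namespace so indicator ids are reproducible (the spec prefers UUIDv4 for SDOs).
SDO_NS = uuid.uuid5(uuid.NAMESPACE_URL, "https://ioc-portal.example.invalid")


def parse_whois(raw: str) -> dict:
    """Turn 'Key: value Key: value ...' into a dict keyed by the WHOIS field names."""
    matches = list(KEY_RE.finditer(raw))
    fields = {}
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(raw)
        fields[m.group(1)] = raw[m.end():end].strip()
    return fields


def opaque_fields(whois: dict) -> list:
    """Fields whose value is a 16-hex-char token rather than plaintext, sorted by name."""
    return sorted(k for k, v in whois.items() if OPAQUE_RE.match(v))


def domain_age_days(whois: dict, first_seen: str) -> int:
    """Days between registration and the portal's first sighting (first_seen is YYYY-MM-DD)."""
    created = datetime.strptime(whois["Create date"], "%Y-%m-%d %H:%M:%S")
    return (datetime.strptime(first_seen, "%Y-%m-%d") - created).days


def triage_notes(whois: dict, first_seen: str) -> list:
    """Plain-language observations a triager should weigh before blocking the domain."""
    notes = []
    age = domain_age_days(whois, first_seen)
    if age > 365:
        notes.append(f"registered {age} days before first sighting; not a freshly registered domain")
    if "markmonitor" in whois.get("Domain registrar url", "").lower():
        notes.append("registrar is MarkMonitor, a corporate brand-protection registrar")
    if opaque_fields(whois):
        notes.append(f"{len(opaque_fields(whois))} registrant fields are opaque tokens, not plaintext")
    return notes


def to_stix_bundle(domain: str, first_seen: str, confidence: int, refs: list, whois: dict) -> dict:
    """STIX 2.1 bundle holding an Indicator for the domain plus the domain-name SCO it matches.
    The SCO id is the spec's deterministic UUIDv5 over the JSON of its id-contributing property."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    sco_id = "domain-name--" + str(uuid.uuid5(
        SCO_NS, json.dumps({"value": domain}, separators=(",", ":"), sort_keys=True)))
    indicator = {
        "type": "indicator", "spec_version": "2.1",
        "id": "indicator--" + str(uuid.uuid5(SDO_NS, "indicator:" + domain)),
        "created": now, "modified": now, "name": domain,
        "description": "Malicious domain used for C2, phishing, or malware distribution.",
        "indicator_types": ["malicious-activity"],
        "pattern": f"[domain-name:value = '{domain}']", "pattern_type": "stix",
        "valid_from": f"{first_seen}T00:00:00Z", "confidence": confidence,
        "external_references": [{"source_name": "report", "url": u} for u in refs],
        "x_whois_create_date": whois.get("Create date"),  # custom property (x_ prefix)
    }
    sco = {"type": "domain-name", "spec_version": "2.1", "id": sco_id, "value": domain}
    return {"type": "bundle", "id": "bundle--" + str(uuid.uuid4()), "objects": [indicator, sco]}


if __name__ == "__main__":
    whois = parse_whois(RAW_WHOIS)
    for note in triage_notes(whois, "2026-04-17"):
        print("-", note)
    print(json.dumps(to_stix_bundle("microsoftstart.org", "2026-04-17", 77, REFERENCES, whois), indent=2))
```

Run as a script it prints the triage notes (the domain is 1800 days old at first sighting, registered through MarkMonitor, with eight opaque registrant fields) followed by the bundle JSON. The bundle is deliberately stdlib-only so it can be produced offline; if the `stix2` library is available, the same dicts can be passed to its parser for schema validation before the bundle is loaded into a TIP.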
IOC Journey: severity high; first detected 1 month ago (Apr 17, 2026), last seen 11 days ago (Jun 2, 2026); appeared in 6 threat reports