Threat Feed
1tlmCLMyIXhTZsLh.exe
2026-04-18T23:12:58.915
malicious
Windows Exe (x86-32)
SHA256: ee8770b90a0480c32a6893b4a08c0832e521679f1c3ba79528f71b51c08d7a77
VMRay Threat Identifiers
Severity  Operation
5/5       Combination of other detections shows configuration discovery
4/5       Obscures a file's origin
3/5       Reads SMB connection information
3/5       Modifies native system functions
2/5       Enables critical process privileges
2/5       Collects hardware properties
2/5       Reads network adapter information
2/5       Queries OS info via WMI
2/5       Delays execution
2/5       Tries to detect virtual machine
2/5       Creates an unusually large number of processes
2/5       Signed executable failed signature validation
2/5       Executes dropped PE masquerading Filename
2/5       Collects information about services
1/5       Drops PE masquerading Filename
1/5       Accesses volumes directly
1/5       Content matched by YARA rules
1/5       Resolves API functions dynamically
1/5       Overwrites code
1/5       Creates a page with write and execute permissions
1/5       A monitored process crashed
1/5       Modifies operating system directory
1/5       Creates mutex
1/5       Drops PE file
1/5       Executes WMI query
1/5       Creates process with hidden window
1/5       Reads from memory of another process
1/5       Executes dropped PE file
1/5       Query CPU Properties
1/5       Enables process privileges
orden de compra.js
2026-04-18T23:00:19.272
malicious
JScript
SHA256: b5f874ab552bb459e44d4eb8acf8f899f1fc0b815b266ccbf0230dad0ea66222
VMRay Threat Identifiers
Severity  Operation
5/5       DarkCloud configuration was extracted
5/5       Malicious content matched by YARA rules
5/5       Combination of other detections shows configuration discovery
4/5       Process Hollowing
4/5       Writes into the memory of another process
4/5       Reads from memory of another process
3/5       Reads sensitive mail data
3/5       Bypasses PowerShell execution policy
2/5       Queries OS info via WMI
2/5       Collects hardware properties
2/5       Enumerates running processes
2/5       Suspicious content matched by YARA rules
2/5       Executes PowerShell without default profile
2/5       Executes PowerShell with hidden window
2/5       Searches for sensitive mail data
2/5       Searches for sensitive FTP data
2/5       Possibly does reconnaissance
2/5       Searches for sensitive application data
1/5       Enumerates running processes
Spyware
Injector
RFQMMHE.exe
2026-04-18T22:56:20.045
malicious
Windows Exe (x86-32)
SHA256: eabfeaae331c7278211942d74f8d7f9520f5aea57dc18a374c311b1f67888002
VMRay Threat Identifiers
Severity  Operation
4/5       Writes into the memory of another process
4/5       Modifies control flow of another process
4/5       Process Hollowing
3/5       Makes direct system calls to hide process injection
2/5       Suspicious content matched by YARA rules
2/5       Makes direct system call to possibly evade hooking based monitoring
1/5       Reloads native system libraries
1/5       Creates process with hidden window
1/5       Content matched by YARA rules
1/5       A monitored process crashed
1/5       Reads from memory of another process
1/5       Tries to detect debugger
Injector
https://instagram-copy.vercel.app/?from=clonemusicproduction.com
2026-04-18T22:51:26.952
malicious
URL
VMRay Threat Identifiers
Severity  Operation
5/5       Combination of other detections indicates a phishing website
4/5       Possible Pastejacking attempt
4/5       URL extracted from clipboard data
2/5       Page is served from a service commonly used for temporary hosting
2/5       Page uses exact same title as that of a popular online service
1/5       Page secured via a Domain Validated SSL certificate
1/5       Resource is loaded from a service commonly used for temporary hosting
1/5       Content is served from a user home directory
1/5       Logon form detected via Computer Vision
1/5       Content matched by YARA rules
Phishing
http://instagram-uson.vercel.app
2026-04-18T22:50:58.502
malicious
URL
VMRay Threat Identifiers
Severity  Operation
5/5       Combination of other detections indicates a phishing website
4/5       Phishing page detected via Machine Learning
2/5       Page is served from a service commonly used for temporary hosting
2/5       Page uses exact same title as that of a popular online service
1/5       Logon form detected via Computer Vision
1/5       Resource is loaded from a service commonly used for temporary hosting
1/5       Page presents itself as a logon page
1/5       Page secured via a Domain Validated SSL certificate
1/5       Branding image detected via Computer Vision
Phishing