{
  "type": "URL",
  "indicator": "http://schemas.xmlsoap.org/soap/encoding/arrayType",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "http://schemas.xmlsoap.org/soap/encoding/arrayType",
    "type": "url",
    "type_title": "URL",
    "validation": [
      {
        "source": "majestic",
        "message": "Whitelisted domain xmlsoap.org",
        "name": "Whitelisted domain"
      }
    ],
    "base_indicator": {
      "id": 856609946,
      "indicator": "http://schemas.xmlsoap.org/soap/encoding/arrayType",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 2,
      "pulses": [
        {
          "id": "69f3dd29978345cc0033cdec",
          "name": "CAPE Sandbox - powershell unsigned trust bypass affects arpa and msedge update",
          "description": "File is not signed-Microsoft Corporation. All rights reserved.\nProduct\nMicrosoft\u00ae Windows\u00ae Operating System\nDescription\nWindows PowerShell\nOriginal Name\nPowerShell.EXE\nInternal Name\nPOWERSHELL\nFile Version\n10.0.19041.546 (WinBuild.160101.0800)\nrefer to belasco chain or broken seal\nclient does not have windows",
          "modified": "2026-05-31T01:02:14",
          "created": "2026-04-30T22:52:25.691000",
          "tags": [
            "31community",
            "35business",
            "cid1",
            "youtube https",
            "cohasset",
            "meta tags",
            "home category0",
            "home themecolor",
            "script tags"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1010",
              "name": "Application Window Discovery",
              "display_name": "T1010 - Application Window Discovery"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1014",
              "name": "Rootkit",
              "display_name": "T1014 - Rootkit"
            },
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            },
            {
              "id": "T1203",
              "name": "Exploitation for Client Execution",
              "display_name": "T1203 - Exploitation for Client Execution"
            },
            {
              "id": "T1485",
              "name": "Data Destruction",
              "display_name": "T1485 - Data Destruction"
            },
            {
              "id": "T1496",
              "name": "Resource Hijacking",
              "display_name": "T1496 - Resource Hijacking"
            },
            {
              "id": "T1542",
              "name": "Pre-OS Boot",
              "display_name": "T1542 - Pre-OS Boot"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 718,
            "FileHash-SHA1": 428,
            "FileHash-SHA256": 1579,
            "URL": 720,
            "hostname": 612,
            "domain": 210,
            "email": 4
          },
          "indicator_count": 4271,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "1 day ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "685f1bca5b6f76aba3079f1e",
          "name": "Application Window Discovery, Technique T1010 - Enterprise | MITRE ATT&CK\u00ae",
          "description": "1340f7f39c177f42f701209a563c0e5a94352e20d37c3e0bb36adc82942m.",
          "modified": "2025-10-01T00:01:22.860000",
          "created": "2025-06-27T22:31:38.306000",
          "tags": [
            "submission",
            "vhash",
            "ssdeep",
            "file type",
            "html internet",
            "magic html",
            "unicode text",
            "utf8 text",
            "trid file",
            "magika html",
            "body",
            "header",
            "united",
            "as8075",
            "passive dns",
            "soap",
            "clientheader",
            "client",
            "faultcode",
            "pulse search",
            "error",
            "pattern",
            "multiref",
            "fault",
            "server",
            "bea382500",
            "sendsyncr",
            "loanrequestmsg",
            "sha1",
            "imphash",
            "pehash",
            "richhash",
            "roth",
            "nextron",
            "detection rule",
            "license",
            "ransomware",
            "rule",
            "yara rule",
            "set author",
            "roth date",
            "identifier",
            "authentihash",
            "rich pe",
            "result",
            "memcpy",
            "function405e27",
            "memcpy8",
            "v43 v45",
            "getprocaddress",
            "null",
            "closehandle",
            "memset",
            "result2",
            "false",
            "copy",
            "ascii text",
            "crlf line",
            "rich text",
            "format",
            "ascii",
            "gif image",
            "c source",
            "microsoft asf",
            "intel",
            "ms windows",
            "july",
            "april",
            "november",
            "june",
            "february",
            "january",
            "august",
            "discovery",
            "darkgate",
            "os api",
            "window",
            "flagpro",
            "netwire",
            "qakbot",
            "rokrat",
            "attor",
            "cadelspy",
            "catchamas",
            "nirsoft",
            "darkwatchman",
            "duqu",
            "dusttrap",
            "funnydream",
            "grandoreiro",
            "hotcroissant",
            "invisimole",
            "metamorfo",
            "nightclub",
            "plead",
            "powerduke",
            "remexi",
            "soundbite",
            "winerack",
            "powershell",
            "stuxnet",
            "dust",
            "knight",
            "evolution",
            "lazarus",
            "zhang",
            "nettraveler",
            "travnet",
            "belarus",
            "carr",
            "sector",
            "jpeg image",
            "jfif",
            "png image",
            "rgba"
          ],
          "references": [
            "http://www.adobe.com/support/security/bulletins/apsb12-03.html",
            "https://attack.mitre.org/techniques/T1010"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1218",
              "name": "Signed Binary Proxy Execution",
              "display_name": "T1218 - Signed Binary Proxy Execution"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1010",
              "name": "Application Window Discovery",
              "display_name": "T1010 - Application Window Discovery"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 55,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Arek-BTC",
            "id": "212764",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 258,
            "hostname": 156,
            "domain": 7,
            "FileHash-MD5": 353,
            "FileHash-SHA1": 187,
            "FileHash-SHA256": 681,
            "CVE": 1,
            "YARA": 6
          },
          "indicator_count": 1649,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 127,
          "modified_text": "243 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "http://www.adobe.com/support/security/bulletins/apsb12-03.html",
        "https://attack.mitre.org/techniques/T1010"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 0
        },
        "other": {
          "adversary": [],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 4317
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/xmlsoap.org",
    "whois": "http://whois.domaintools.com/xmlsoap.org",
    "domain": "xmlsoap.org",
    "hostname": "schemas.xmlsoap.org"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 2,
  "pulses": [
    {
      "id": "69f3dd29978345cc0033cdec",
      "name": "CAPE Sandbox - powershell unsigned trust bypass affects arpa and msedge update",
      "description": "File is not signed-Microsoft Corporation. All rights reserved.\nProduct\nMicrosoft\u00ae Windows\u00ae Operating System\nDescription\nWindows PowerShell\nOriginal Name\nPowerShell.EXE\nInternal Name\nPOWERSHELL\nFile Version\n10.0.19041.546 (WinBuild.160101.0800)\nrefer to belasco chain or broken seal\nclient does not have windows",
      "modified": "2026-05-31T01:02:14",
      "created": "2026-04-30T22:52:25.691000",
      "tags": [
        "31community",
        "35business",
        "cid1",
        "youtube https",
        "cohasset",
        "meta tags",
        "home category0",
        "home themecolor",
        "script tags"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1010",
          "name": "Application Window Discovery",
          "display_name": "T1010 - Application Window Discovery"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1014",
          "name": "Rootkit",
          "display_name": "T1014 - Rootkit"
        },
        {
          "id": "T1047",
          "name": "Windows Management Instrumentation",
          "display_name": "T1047 - Windows Management Instrumentation"
        },
        {
          "id": "T1203",
          "name": "Exploitation for Client Execution",
          "display_name": "T1203 - Exploitation for Client Execution"
        },
        {
          "id": "T1485",
          "name": "Data Destruction",
          "display_name": "T1485 - Data Destruction"
        },
        {
          "id": "T1496",
          "name": "Resource Hijacking",
          "display_name": "T1496 - Resource Hijacking"
        },
        {
          "id": "T1542",
          "name": "Pre-OS Boot",
          "display_name": "T1542 - Pre-OS Boot"
        },
        {
          "id": "T1564",
          "name": "Hide Artifacts",
          "display_name": "T1564 - Hide Artifacts"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 718,
        "FileHash-SHA1": 428,
        "FileHash-SHA256": 1579,
        "URL": 720,
        "hostname": 612,
        "domain": 210,
        "email": 4
      },
      "indicator_count": 4271,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "1 day ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "685f1bca5b6f76aba3079f1e",
      "name": "Application Window Discovery, Technique T1010 - Enterprise | MITRE ATT&CK\u00ae",
      "description": "1340f7f39c177f42f701209a563c0e5a94352e20d37c3e0bb36adc82942m.",
      "modified": "2025-10-01T00:01:22.860000",
      "created": "2025-06-27T22:31:38.306000",
      "tags": [
        "submission",
        "vhash",
        "ssdeep",
        "file type",
        "html internet",
        "magic html",
        "unicode text",
        "utf8 text",
        "trid file",
        "magika html",
        "body",
        "header",
        "united",
        "as8075",
        "passive dns",
        "soap",
        "clientheader",
        "client",
        "faultcode",
        "pulse search",
        "error",
        "pattern",
        "multiref",
        "fault",
        "server",
        "bea382500",
        "sendsyncr",
        "loanrequestmsg",
        "sha1",
        "imphash",
        "pehash",
        "richhash",
        "roth",
        "nextron",
        "detection rule",
        "license",
        "ransomware",
        "rule",
        "yara rule",
        "set author",
        "roth date",
        "identifier",
        "authentihash",
        "rich pe",
        "result",
        "memcpy",
        "function405e27",
        "memcpy8",
        "v43 v45",
        "getprocaddress",
        "null",
        "closehandle",
        "memset",
        "result2",
        "false",
        "copy",
        "ascii text",
        "crlf line",
        "rich text",
        "format",
        "ascii",
        "gif image",
        "c source",
        "microsoft asf",
        "intel",
        "ms windows",
        "july",
        "april",
        "november",
        "june",
        "february",
        "january",
        "august",
        "discovery",
        "darkgate",
        "os api",
        "window",
        "flagpro",
        "netwire",
        "qakbot",
        "rokrat",
        "attor",
        "cadelspy",
        "catchamas",
        "nirsoft",
        "darkwatchman",
        "duqu",
        "dusttrap",
        "funnydream",
        "grandoreiro",
        "hotcroissant",
        "invisimole",
        "metamorfo",
        "nightclub",
        "plead",
        "powerduke",
        "remexi",
        "soundbite",
        "winerack",
        "powershell",
        "stuxnet",
        "dust",
        "knight",
        "evolution",
        "lazarus",
        "zhang",
        "nettraveler",
        "travnet",
        "belarus",
        "carr",
        "sector",
        "jpeg image",
        "jfif",
        "png image",
        "rgba"
      ],
      "references": [
        "http://www.adobe.com/support/security/bulletins/apsb12-03.html",
        "https://attack.mitre.org/techniques/T1010"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1218",
          "name": "Signed Binary Proxy Execution",
          "display_name": "T1218 - Signed Binary Proxy Execution"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1010",
          "name": "Application Window Discovery",
          "display_name": "T1010 - Application Window Discovery"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 55,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Arek-BTC",
        "id": "212764",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 258,
        "hostname": 156,
        "domain": 7,
        "FileHash-MD5": 353,
        "FileHash-SHA1": 187,
        "FileHash-SHA256": 681,
        "CVE": 1,
        "YARA": 6
      },
      "indicator_count": 1649,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 127,
      "modified_text": "243 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "http://schemas.xmlsoap.org/soap/encoding/arrayType",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "http://schemas.xmlsoap.org/soap/encoding/arrayType",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780337612.4304838
}