{
  "type": "URL",
  "indicator": "https://microsoft.powershell.management",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://microsoft.powershell.management",
    "type": "url",
    "type_title": "URL",
    "validation": [],
    "base_indicator": {
      "id": 3091768730,
      "indicator": "https://microsoft.powershell.management",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 2,
      "pulses": [
        {
          "id": "685f1b9063bc8c6621e17b34",
          "name": "Query Registry, Technique T1012 - Enterprise | MITRE ATT&CK®",
          "description": "Adversaries can access the Windows Registry to gather information about the operating system, configuration, and installed software, as well as to make modifications to the system's registry, according to a report published in the Security Research Institute (CTI).",
          "modified": "2025-10-01T00:01:22.860000",
          "created": "2025-06-27T22:30:40.728000",
          "tags": [
            "registry",
            "june",
            "november",
            "december",
            "march",
            "april",
            "january",
            "february",
            "july",
            "august",
            "powersploit",
            "turla",
            "team",
            "cobalt strike",
            "over",
            "bazar",
            "ransomware",
            "bumblebee",
            "carberp",
            "clambling",
            "felixroot",
            "hoplight",
            "kimsuky",
            "terminal",
            "quadagent",
            "shamoon",
            "sibot",
            "sunburst",
            "synack",
            "teardrop",
            "tinyturla",
            "panda",
            "zxshell",
            "trojan",
            "attor",
            "azorult",
            "babyshark",
            "backspace",
            "bankshot",
            "bisonal",
            "bitpaymer",
            "blackbyte",
            "carbanak",
            "chimera",
            "chopstick",
            "crimson",
            "darkwatchman",
            "derusbi",
            "downpaper",
            "dtrack",
            "dusttrap",
            "fatduke",
            "funnydream",
            "dragon",
            "hydraq",
            "industroyer",
            "invisimole",
            "kapeka",
            "realvnc",
            "tightvnc",
            "radmin",
            "teamviewer",
            "lucifer",
            "milan",
            "oilrig",
            "pcshare",
            "pillowmint",
            "plugx",
            "proxysvc",
            "quietcanary",
            "stealer",
            "reaver",
            "revil",
            "rokrat",
            "samurai",
            "shark",
            "autorun",
            "sodamaster",
            "stonedrill",
            "stuxnet",
            "svcready",
            "taidoor",
            "powershell",
            "ursnif",
            "volgmer",
            "waterbear",
            "zebrocy",
            "zxxz",
            "enumerate",
            "sednit",
            "oceanlotus",
            "cadelspy",
            "remexi",
            "tour",
            "shellcode",
            "evolution",
            "hook",
            "energy",
            "dust",
            "blackenergy",
            "hades",
            "back",
            "lockbit",
            "sanctions",
            "sagerunex",
            "dnsmessenger",
            "attack",
            "galaxy",
            "defense",
            "saint bot",
            "goldmax",
            "goldfinder",
            "solorigate",
            "raindrop",
            "snake",
            "malware",
            "valak",
            "carr",
            "indiaindia"
          ],
          "references": [
            "https://attack.mitre.org/techniques/T1012"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "IndiaIndia",
              "display_name": "IndiaIndia",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1021",
              "name": "Remote Services",
              "display_name": "T1021 - Remote Services"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 73,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Arek-BTC",
            "id": "212764",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 1,
            "domain": 2,
            "hostname": 2,
            "URL": 6
          },
          "indicator_count": 11,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 125,
          "modified_text": "242 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6848c105e22453c2bec2258d",
          "name": "Ogrodnictwo - Baza Firm 2024.xls  adorno.pl",
          "description": "Researchers at the University of California at Berkeley, in the United States, have published their findings on the subject of a security vulnerability in Microsoft's PowerShell operating system, also known as \"Chocolatey\".",
          "modified": "2025-07-28T08:00:49.288000",
          "created": "2025-06-10T23:34:29.281000",
          "tags": [
            "vhash",
            "ssdeep",
            "inquest labs",
            "microsoft excel",
            "d0 cf",
            "e0 a1",
            "hiddenss",
            "statess",
            "hidden",
            "nocase",
            "sha256",
            "externalnet",
            "homenet",
            "mtu denial",
            "5762",
            "needed",
            "df bit",
            "reply",
            "policies",
            "insecure level",
            "registry type",
            "powershell",
            "powershell id",
            "script block",
            "logging",
            "windows",
            "getfreespace",
            "imageendswith",
            "example",
            "imagestartswith",
            "files",
            "sandbox author",
            "securityuserid",
            "windows upgrade",
            "k netsvcs",
            "defender",
            "update",
            "cache entry",
            "gzip chrome",
            "user",
            "woff chrome",
            "javascript c",
            "doscom c",
            "text c",
            "bmp c",
            "text chrome"
          ],
          "references": [
            "MD5 da63ff099674eab612f7101116bddaa5",
            "https://virustotalcloud.firebaseapp.com/__/auth/handler?state=AMbdmDmB7R-mobcjqlNn5Tk3TSMlTTChMo-X0Gu7sho4DBhHzFXXT13BnjoMIZ2BiUB9IwoPL5YHSk3Ad2Hjsn7dL9LVBA89o2Xy4CjQj6siPR5s_G-pxcVnajQCDVEG7aXwBPaq8QmoPG5sRErBd_3iX0RDSzNL0_AU9_ldsWsakbA0LOLkIluupkaXhS72NREPpemuXBzy0pI7pvWidxXFtfFklcG_-fzn8KLDIO4BVRcktGFwWvQ2Oa46KE8oqkAynQoBDw-ssMd-fZwwNdPME_GWE9q4dvXE8cHt7rUcfStwp9XZ7_Jd82zJHsp-cFPguYZx-a0NGA&code=4%2F0AUJR-x6e6ebOwSRIdn1ETUESvDBcpCwDMA12A8aZtVcAffxzGkWb2YWoSX-_VtzNaYcw6w&scope=email+profile+https%3A%2F%2F",
            "d37481f608bdf78117b2f8819bcfd6744c3934b5c08c2ec8b8cbd36030a6fbd3    g_Faktury__FAKTURA_Bruttoppn.pdf"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 24,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Arek-BTC",
            "id": "212764",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 14,
            "FileHash-SHA1": 12,
            "FileHash-SHA256": 51,
            "URL": 239,
            "YARA": 1,
            "domain": 35,
            "hostname": 22,
            "CVE": 1
          },
          "indicator_count": 375,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 123,
          "modified_text": "307 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "d37481f608bdf78117b2f8819bcfd6744c3934b5c08c2ec8b8cbd36030a6fbd3    g_Faktury__FAKTURA_Bruttoppn.pdf",
        "https://virustotalcloud.firebaseapp.com/__/auth/handler?state=AMbdmDmB7R-mobcjqlNn5Tk3TSMlTTChMo-X0Gu7sho4DBhHzFXXT13BnjoMIZ2BiUB9IwoPL5YHSk3Ad2Hjsn7dL9LVBA89o2Xy4CjQj6siPR5s_G-pxcVnajQCDVEG7aXwBPaq8QmoPG5sRErBd_3iX0RDSzNL0_AU9_ldsWsakbA0LOLkIluupkaXhS72NREPpemuXBzy0pI7pvWidxXFtfFklcG_-fzn8KLDIO4BVRcktGFwWvQ2Oa46KE8oqkAynQoBDw-ssMd-fZwwNdPME_GWE9q4dvXE8cHt7rUcfStwp9XZ7_Jd82zJHsp-cFPguYZx-a0NGA&code=4%2F0AUJR-x6e6ebOwSRIdn1ETUESvDBcpCwDMA12A8aZtVcAffxzGkWb2YWoSX-_VtzNaYcw6w&scope=email+profile+https%3A%2F%2F",
        "https://attack.mitre.org/techniques/T1012",
        "MD5 da63ff099674eab612f7101116bddaa5"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 0
        },
        "other": {
          "adversary": [],
          "malware_families": [
            "Indiaindia"
          ],
          "industries": [],
          "unique_indicators": 379
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/powershell.management",
    "whois": "http://whois.domaintools.com/powershell.management",
    "domain": "powershell.management",
    "hostname": "microsoft.powershell.management"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 2,
  "pulses": [
    {
      "id": "685f1b9063bc8c6621e17b34",
      "name": "Query Registry, Technique T1012 - Enterprise | MITRE ATT&CK®",
      "description": "Adversaries can access the Windows Registry to gather information about the operating system, configuration, and installed software, as well as to make modifications to the system's registry, according to a report published in the Security Research Institute (CTI).",
      "modified": "2025-10-01T00:01:22.860000",
      "created": "2025-06-27T22:30:40.728000",
      "tags": [
        "registry",
        "june",
        "november",
        "december",
        "march",
        "april",
        "january",
        "february",
        "july",
        "august",
        "powersploit",
        "turla",
        "team",
        "cobalt strike",
        "over",
        "bazar",
        "ransomware",
        "bumblebee",
        "carberp",
        "clambling",
        "felixroot",
        "hoplight",
        "kimsuky",
        "terminal",
        "quadagent",
        "shamoon",
        "sibot",
        "sunburst",
        "synack",
        "teardrop",
        "tinyturla",
        "panda",
        "zxshell",
        "trojan",
        "attor",
        "azorult",
        "babyshark",
        "backspace",
        "bankshot",
        "bisonal",
        "bitpaymer",
        "blackbyte",
        "carbanak",
        "chimera",
        "chopstick",
        "crimson",
        "darkwatchman",
        "derusbi",
        "downpaper",
        "dtrack",
        "dusttrap",
        "fatduke",
        "funnydream",
        "dragon",
        "hydraq",
        "industroyer",
        "invisimole",
        "kapeka",
        "realvnc",
        "tightvnc",
        "radmin",
        "teamviewer",
        "lucifer",
        "milan",
        "oilrig",
        "pcshare",
        "pillowmint",
        "plugx",
        "proxysvc",
        "quietcanary",
        "stealer",
        "reaver",
        "revil",
        "rokrat",
        "samurai",
        "shark",
        "autorun",
        "sodamaster",
        "stonedrill",
        "stuxnet",
        "svcready",
        "taidoor",
        "powershell",
        "ursnif",
        "volgmer",
        "waterbear",
        "zebrocy",
        "zxxz",
        "enumerate",
        "sednit",
        "oceanlotus",
        "cadelspy",
        "remexi",
        "tour",
        "shellcode",
        "evolution",
        "hook",
        "energy",
        "dust",
        "blackenergy",
        "hades",
        "back",
        "lockbit",
        "sanctions",
        "sagerunex",
        "dnsmessenger",
        "attack",
        "galaxy",
        "defense",
        "saint bot",
        "goldmax",
        "goldfinder",
        "solorigate",
        "raindrop",
        "snake",
        "malware",
        "valak",
        "carr",
        "indiaindia"
      ],
      "references": [
        "https://attack.mitre.org/techniques/T1012"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "IndiaIndia",
          "display_name": "IndiaIndia",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1021",
          "name": "Remote Services",
          "display_name": "T1021 - Remote Services"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 73,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Arek-BTC",
        "id": "212764",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 1,
        "domain": 2,
        "hostname": 2,
        "URL": 6
      },
      "indicator_count": 11,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 125,
      "modified_text": "242 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "6848c105e22453c2bec2258d",
      "name": "Ogrodnictwo - Baza Firm 2024.xls  adorno.pl",
      "description": "Researchers at the University of California at Berkeley, in the United States, have published their findings on the subject of a security vulnerability in Microsoft's PowerShell operating system, also known as \"Chocolatey\".",
      "modified": "2025-07-28T08:00:49.288000",
      "created": "2025-06-10T23:34:29.281000",
      "tags": [
        "vhash",
        "ssdeep",
        "inquest labs",
        "microsoft excel",
        "d0 cf",
        "e0 a1",
        "hiddenss",
        "statess",
        "hidden",
        "nocase",
        "sha256",
        "externalnet",
        "homenet",
        "mtu denial",
        "5762",
        "needed",
        "df bit",
        "reply",
        "policies",
        "insecure level",
        "registry type",
        "powershell",
        "powershell id",
        "script block",
        "logging",
        "windows",
        "getfreespace",
        "imageendswith",
        "example",
        "imagestartswith",
        "files",
        "sandbox author",
        "securityuserid",
        "windows upgrade",
        "k netsvcs",
        "defender",
        "update",
        "cache entry",
        "gzip chrome",
        "user",
        "woff chrome",
        "javascript c",
        "doscom c",
        "text c",
        "bmp c",
        "text chrome"
      ],
      "references": [
        "MD5 da63ff099674eab612f7101116bddaa5",
        "https://virustotalcloud.firebaseapp.com/__/auth/handler?state=AMbdmDmB7R-mobcjqlNn5Tk3TSMlTTChMo-X0Gu7sho4DBhHzFXXT13BnjoMIZ2BiUB9IwoPL5YHSk3Ad2Hjsn7dL9LVBA89o2Xy4CjQj6siPR5s_G-pxcVnajQCDVEG7aXwBPaq8QmoPG5sRErBd_3iX0RDSzNL0_AU9_ldsWsakbA0LOLkIluupkaXhS72NREPpemuXBzy0pI7pvWidxXFtfFklcG_-fzn8KLDIO4BVRcktGFwWvQ2Oa46KE8oqkAynQoBDw-ssMd-fZwwNdPME_GWE9q4dvXE8cHt7rUcfStwp9XZ7_Jd82zJHsp-cFPguYZx-a0NGA&code=4%2F0AUJR-x6e6ebOwSRIdn1ETUESvDBcpCwDMA12A8aZtVcAffxzGkWb2YWoSX-_VtzNaYcw6w&scope=email+profile+https%3A%2F%2F",
        "d37481f608bdf78117b2f8819bcfd6744c3934b5c08c2ec8b8cbd36030a6fbd3    g_Faktury__FAKTURA_Bruttoppn.pdf"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 24,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Arek-BTC",
        "id": "212764",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 14,
        "FileHash-SHA1": 12,
        "FileHash-SHA256": 51,
        "URL": 239,
        "YARA": 1,
        "domain": 35,
        "hostname": 22,
        "CVE": 1
      },
      "indicator_count": 375,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 123,
      "modified_text": "307 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://microsoft.powershell.management",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://microsoft.powershell.management",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780234685.7217853
}