{ "type": "URL", "indicator": "https://en.cube-soft.jp/entry/cubepdf/A0", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://en.cube-soft.jp/entry/cubepdf/A0", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4042152421, "indicator": "https://en.cube-soft.jp/entry/cubepdf/A0", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 6, "pulses": [ { "id": "69ba97dadbd6e4729709fa6d", "name": "pobierz.zip Sygn. akt II K 909/23 oskar clone by arek-BTC", "description": "", "modified": "2026-03-18T12:17:30.176000", "created": "2026-03-18T12:17:30.176000", "tags": [ "typ pliku", "ascii", "sqlite", "tekst", "postscript", "cza typ", "windows", "152 x", "utf8", "dziennik", "sha1", "json", "foxpro fpt", "sha256", "mwdb", "bazar", "sha3384", "crc32 c69b0751", "gboki", "settings", "categories", "default", "toolspanose", "cname", "nova cond", "inprocserver32", "metadata", "lcid1033", "syslcid1033", "light" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": "67c44a6e14a21bec8ba63984", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 210, "FileHash-SHA1": 53, "FileHash-SHA256": 599, "hostname": 151, "domain": 23, "URL": 233 }, "indicator_count": 1269, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "75 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6944ce38344ccded23df66f5", "name": "Ransom - Amnesty.org - a single link in a Pegasus attack against a civilian.", "description": "I don\u2019t have the right words to put this together because it involves so much coercion, fraud, betrayal, manipulation , hacking, multiple business fronts, loud mouth mafia plants, working with someone under false pretenses, redhat security teams in Denver , Colorado, false implications of cyber attacks coming from foreign entities. \n\nTips come from a highly reliable sources. One link in a Pegasus attack .", "modified": "2026-01-18T03:05:59.836000", "created": "2025-12-19T04:02:00.973000", "tags": [ "intel", "ms windows", "write c", "pe32", "pe32 executable", "copy c", "free", "benjamin", "write", "worm", "win32", "code", "june", "delphi", "malware", "benjamin", "tulach", "state of colorado", "christopher p. \u2018buzz\u2019 ahmann", "danica implants", "nids_malware_alert", "bonu$", "network_icmp", "network_irc", "persistence_autorun", "network_http", "nids_alert", "allocates_rwx", "hackers", "creates_exe", "brian sabey", "sour del", "packer_entropy", "antivm_memory_available", "pe_features", "get key", "crime", "organized crime", "federal crime", "cyber crime", "piracy", "status", "china unknown", "name servers", "div div", "ip address", "domain", "creation date", "record value", "meta", "title", "hong kong", "passive dns", "gmt content", "type", "content length", "ipv4 add", "urls", "files", "location hong", "twitter", "youtube", "side 3 studios", "denver music", "infiltration", "whistleblower", "getkey", "cyber warfare", "fraud", "financial crimes", "pegasus", "music front", "france unknown", "present feb", "iran unknown", "present nov", "present jun", "present jan", "hidden", "present jul", "date", "united", "flag", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "llc name", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "defense evasion", "spawns", "found", "pattern match", "mitre att", "show technique", "ck matrix", "ascii text", "href", "show process", "file", "general", "local", "path", "memory dumping", "entries", "icmp delphi", "showing", "delete", "yara detections", "windows nt", "wow64", "khtml", "gecko", "dns query", "packing t1045", "ransom", "cve", "palantir", "remote", "graham" ], "references": [ "Amnesty.org | remote.amnesty.org", "tulach.cc", "Worm:Win32/Benjamin IDS Detections: Win32.Worm.Benjamin.A CnC Checkin ICMP", "Alerts : nids_malware_alert network_icmp network_irc persistence_autorun network_http", "Alerts : nids_alert allocates_rwx creates_exe packer_entropy antivm_memory_available", "Delphi Likely Precursor to Scan PING Delphi-Piette Windows Yara Detections Delphi", "Delphi This program must be run under Win32 Compilers", "More IP\u2019s Contacted 74.6.143.26 Domains Contacted benjamin.xww.de", "http://www.yixun.com/getkey {\"privateKey\": \"JMVRar4COFWb3eKZ\"}", "Server: JFE https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://www.yixun.com/getkey", "http://www.shopsleuth.com/goal-academy/the-citadel/colorado-springs-co", "ipv4bot.whatismyipaddress.com", "helloprismatic.com", "https://palantir-staging.staging.candidate.app.paulsjob.ai/", "Brian Sabey", "Christopher P. \u2018Buzz\u2019 Ahmann" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Worm:Win32/Benjamin", "display_name": "Worm:Win32/Benjamin", "target": "/malware/Worm:Win32/Benjamin" }, { "id": "Ransom:Win32/GandCrab", "display_name": "Ransom:Win32/GandCrab", "target": "/malware/Ransom:Win32/GandCrab" }, { "id": "CVE-2023-2868", "display_name": "CVE-2023-2868", "target": null }, { "id": "Exploit:Win32/CVE-2017-0147", "display_name": "Exploit:Win32/CVE-2017-0147", "target": "/malware/Exploit:Win32/CVE-2017-0147" } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 429, "FileHash-SHA1": 341, "FileHash-SHA256": 2766, "URL": 6976, "domain": 1151, "CVE": 2, "email": 3, "hostname": 2913, "SSLCertFingerprint": 4 }, "indicator_count": 14585, "is_author": false, "is_subscribing": null, "subscriber_count": 146, "modified_text": "134 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6886e2075292809751cfefad", "name": "Eula.txt \tProcess Explorer", "description": "https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer\nhttps://www.virustotal.com/gui/file/8329bcbadc7f81539a4969ca13f0be5b8eb7652b912324a1926fc9bfb6ec005a/relations", "modified": "2025-10-01T00:01:22.860000", "created": "2025-07-28T02:35:51.837000", "tags": [ "sysinternals", "united", "the software", "internet", "canada", "le prsent", "please", "by using", "you accept", "these terms", "effect", "vhash", "authentihash", "imphash", "rich pe", "ssdeep", "ospo9ephzf tlsh", "writefile", "readfile", "isbadreadptr", "setfilepointer", "inquest labs", "windows api", "inquestpii", "loadlibrarya", "shellexecutea", "getprocaddress", "nextron", "lazarus group", "system file", "anomaly id", "svchost rule", "windows system", "roth", "patrick bareiss", "anton kutepov", "winreagent", "sha256", "peexe process", "text process", "cab process", "user", "peexe c", "zenbox", "peexe", "cape sandbox", "evader mitre", "files", "date", "malware", "trojan", "anomaly", "cnwr2 ogoogle", "trust", "cus subject", "memory pattern", "sigma rules", "other", "text network", "ja3 behavior", "tags", "malware trojan" ], "references": [ "Eula[1].txt", "procexp.Sys", "microstub.exe", "msedgewebview2.exe" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 300, "FileHash-SHA1": 288, "FileHash-SHA256": 1417, "URL": 348, "YARA": 1, "domain": 18, "hostname": 65 }, "indicator_count": 2437, "is_author": false, "is_subscribing": null, "subscriber_count": 128, "modified_text": "243 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "686c5dd19c990e74486c5e1f", "name": "(by gameprofits.io) ? DILBOOSTENERY.COM RHORINC.COM JANUSCAPITALINC.COM BRITISH COLUMBIA", "description": "", "modified": "2025-07-07T23:52:49.965000", "created": "2025-07-07T23:52:49.965000", "tags": [ "ip address", "country name", "gameprofitshack", "t'sara brashears", "Texas GOP Hack", "patent theft", "januscapitalinc.com hack", "pluspetro framing", "rhorinc hack" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [ "", "Video Games", "Petro", "Oil", "Energy", "telecommunications" ], "TLP": "white", "cloned_from": "6830a9467691823193700901", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 65, "URL": 315, "FileHash-SHA256": 84, "hostname": 90 }, "indicator_count": 554, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "329 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6830a9467691823193700901", "name": "DILBOOSTENERY.COM RHORINC.COM JANUSCAPITALINC.COM BRITISH COLUMBIA VITCIM OF CYBERSTALKING ESPONIAGE FRAMING IP THEFT FORCED POVERTY HACKING", "description": "MAJOR UPDATE - \n\nCHRISTY LEE DEWALT WORKING WITH CRIMINAL ENTERPRISE PK TECHNOLOGY BEHIND THE HACKERS ON THESE PULSES FRAMED", "modified": "2025-06-22T16:03:56.158000", "created": "2025-05-23T16:58:46.788000", "tags": [ "ip address", "country name", "gameprofitshack", "t'sara brashears", "Texas GOP Hack", "patent theft", "januscapitalinc.com hack", "pluspetro framing", "rhorinc hack" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [ "", "Video Games", "Petro", "Oil", "Energy", "telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "gameprofits.io", "id": "170823", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_170823/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 65, "URL": 315, "FileHash-SHA256": 84, "hostname": 90 }, "indicator_count": 554, "is_author": false, "is_subscribing": null, "subscriber_count": 51, "modified_text": "344 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "67c44a6e14a21bec8ba63984", "name": "pobierz.zip Sygn. akt II K 909/23 oskar\u017conego z art. 190 \u00a7 1 k.k. i inne", "description": "Sugerowane identyfikatory ATT&CK:\n7eab0ed0a8a050ad34f71dfd3e2109ff SHA1 c60c3d64cfa19fb1f19eabc656aafdcf12d87dd4 SHA256 3d0f3f98cea613718def2eb9dca707ad57d3d96d4e6b593aca38c8574a578905 [VT] [MWDB] [Bazar] SHA3-384 32d70abaa630d0a8e6237b1df88da306306d27096950469ff7e99d754274e28cfaa0736af43ad55f3d57fc66d9812d4d CRC32 C69B0751 TLSH T1013413B6C8A16CF2D93D2BF2D89A3715DFDAB2C28156C057EB22C09359CE5D817438D8 G\u0142\u0119boki 6144:E8FhrpzjsHyC6DgXapizwbZ8ePb85pNLmih2tC:vrpESCUgX8ikbZ8ePb8J0E", "modified": "2025-04-01T09:03:52.165000", "created": "2025-03-02T12:09:18.878000", "tags": [ "typ pliku", "ascii", "sqlite", "tekst", "postscript", "cza typ", "windows", "152 x", "utf8", "dziennik", "sha1", "json", "foxpro fpt", "sha256", "mwdb", "bazar", "sha3384", "crc32 c69b0751", "gboki", "settings", "categories", "default", "toolspanose", "cname", "nova cond", "inprocserver32", "metadata", "lcid1033", "syslcid1033", "light" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 210, "FileHash-SHA1": 53, "FileHash-SHA256": 599, "hostname": 151, "domain": 23, "URL": 233 }, "indicator_count": 1269, "is_author": false, "is_subscribing": null, "subscriber_count": 127, "modified_text": "426 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "procexp.Sys", "Alerts : nids_malware_alert network_icmp network_irc persistence_autorun network_http", "ipv4bot.whatismyipaddress.com", "helloprismatic.com", "microstub.exe", "http://www.yixun.com/getkey {\"privateKey\": \"JMVRar4COFWb3eKZ\"}", "Eula[1].txt", "Brian Sabey", "http://www.shopsleuth.com/goal-academy/the-citadel/colorado-springs-co", "Server: JFE https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://www.yixun.com/getkey", "More IP\u2019s Contacted 74.6.143.26 Domains Contacted benjamin.xww.de", "tulach.cc", "https://palantir-staging.staging.candidate.app.paulsjob.ai/", "Amnesty.org | remote.amnesty.org", "Delphi Likely Precursor to Scan PING Delphi-Piette Windows Yara Detections Delphi", "Christopher P. \u2018Buzz\u2019 Ahmann", "Delphi This program must be run under Win32 Compilers", "Worm:Win32/Benjamin IDS Detections: Win32.Worm.Benjamin.A CnC Checkin ICMP", "msedgewebview2.exe", "Alerts : nids_alert allocates_rwx creates_exe packer_entropy antivm_memory_available" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Cve-2023-2868", "Worm:win32/benjamin", "Exploit:win32/cve-2017-0147", "Ransom:win32/gandcrab" ], "industries": [ "", "Petro", "Energy", "Video games", "Telecommunications", "Oil" ], "unique_indicators": 18631 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/cube-soft.jp", "whois": "http://whois.domaintools.com/cube-soft.jp", "domain": "cube-soft.jp", "hostname": "en.cube-soft.jp" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 6, "pulses": [ { "id": "69ba97dadbd6e4729709fa6d", "name": "pobierz.zip Sygn. akt II K 909/23 oskar clone by arek-BTC", "description": "", "modified": "2026-03-18T12:17:30.176000", "created": "2026-03-18T12:17:30.176000", "tags": [ "typ pliku", "ascii", "sqlite", "tekst", "postscript", "cza typ", "windows", "152 x", "utf8", "dziennik", "sha1", "json", "foxpro fpt", "sha256", "mwdb", "bazar", "sha3384", "crc32 c69b0751", "gboki", "settings", "categories", "default", "toolspanose", "cname", "nova cond", "inprocserver32", "metadata", "lcid1033", "syslcid1033", "light" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": "67c44a6e14a21bec8ba63984", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 210, "FileHash-SHA1": 53, "FileHash-SHA256": 599, "hostname": 151, "domain": 23, "URL": 233 }, "indicator_count": 1269, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "75 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6944ce38344ccded23df66f5", "name": "Ransom - Amnesty.org - a single link in a Pegasus attack against a civilian.", "description": "I don\u2019t have the right words to put this together because it involves so much coercion, fraud, betrayal, manipulation , hacking, multiple business fronts, loud mouth mafia plants, working with someone under false pretenses, redhat security teams in Denver , Colorado, false implications of cyber attacks coming from foreign entities. \n\nTips come from a highly reliable sources. One link in a Pegasus attack .", "modified": "2026-01-18T03:05:59.836000", "created": "2025-12-19T04:02:00.973000", "tags": [ "intel", "ms windows", "write c", "pe32", "pe32 executable", "copy c", "free", "benjamin", "write", "worm", "win32", "code", "june", "delphi", "malware", "benjamin", "tulach", "state of colorado", "christopher p. \u2018buzz\u2019 ahmann", "danica implants", "nids_malware_alert", "bonu$", "network_icmp", "network_irc", "persistence_autorun", "network_http", "nids_alert", "allocates_rwx", "hackers", "creates_exe", "brian sabey", "sour del", "packer_entropy", "antivm_memory_available", "pe_features", "get key", "crime", "organized crime", "federal crime", "cyber crime", "piracy", "status", "china unknown", "name servers", "div div", "ip address", "domain", "creation date", "record value", "meta", "title", "hong kong", "passive dns", "gmt content", "type", "content length", "ipv4 add", "urls", "files", "location hong", "twitter", "youtube", "side 3 studios", "denver music", "infiltration", "whistleblower", "getkey", "cyber warfare", "fraud", "financial crimes", "pegasus", "music front", "france unknown", "present feb", "iran unknown", "present nov", "present jun", "present jan", "hidden", "present jul", "date", "united", "flag", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "llc name", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "defense evasion", "spawns", "found", "pattern match", "mitre att", "show technique", "ck matrix", "ascii text", "href", "show process", "file", "general", "local", "path", "memory dumping", "entries", "icmp delphi", "showing", "delete", "yara detections", "windows nt", "wow64", "khtml", "gecko", "dns query", "packing t1045", "ransom", "cve", "palantir", "remote", "graham" ], "references": [ "Amnesty.org | remote.amnesty.org", "tulach.cc", "Worm:Win32/Benjamin IDS Detections: Win32.Worm.Benjamin.A CnC Checkin ICMP", "Alerts : nids_malware_alert network_icmp network_irc persistence_autorun network_http", "Alerts : nids_alert allocates_rwx creates_exe packer_entropy antivm_memory_available", "Delphi Likely Precursor to Scan PING Delphi-Piette Windows Yara Detections Delphi", "Delphi This program must be run under Win32 Compilers", "More IP\u2019s Contacted 74.6.143.26 Domains Contacted benjamin.xww.de", "http://www.yixun.com/getkey {\"privateKey\": \"JMVRar4COFWb3eKZ\"}", "Server: JFE https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://www.yixun.com/getkey", "http://www.shopsleuth.com/goal-academy/the-citadel/colorado-springs-co", "ipv4bot.whatismyipaddress.com", "helloprismatic.com", "https://palantir-staging.staging.candidate.app.paulsjob.ai/", "Brian Sabey", "Christopher P. \u2018Buzz\u2019 Ahmann" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Worm:Win32/Benjamin", "display_name": "Worm:Win32/Benjamin", "target": "/malware/Worm:Win32/Benjamin" }, { "id": "Ransom:Win32/GandCrab", "display_name": "Ransom:Win32/GandCrab", "target": "/malware/Ransom:Win32/GandCrab" }, { "id": "CVE-2023-2868", "display_name": "CVE-2023-2868", "target": null }, { "id": "Exploit:Win32/CVE-2017-0147", "display_name": "Exploit:Win32/CVE-2017-0147", "target": "/malware/Exploit:Win32/CVE-2017-0147" } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 429, "FileHash-SHA1": 341, "FileHash-SHA256": 2766, "URL": 6976, "domain": 1151, "CVE": 2, "email": 3, "hostname": 2913, "SSLCertFingerprint": 4 }, "indicator_count": 14585, "is_author": false, "is_subscribing": null, "subscriber_count": 146, "modified_text": "134 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6886e2075292809751cfefad", "name": "Eula.txt \tProcess Explorer", "description": "https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer\nhttps://www.virustotal.com/gui/file/8329bcbadc7f81539a4969ca13f0be5b8eb7652b912324a1926fc9bfb6ec005a/relations", "modified": "2025-10-01T00:01:22.860000", "created": "2025-07-28T02:35:51.837000", "tags": [ "sysinternals", "united", "the software", "internet", "canada", "le prsent", "please", "by using", "you accept", "these terms", "effect", "vhash", "authentihash", "imphash", "rich pe", "ssdeep", "ospo9ephzf tlsh", "writefile", "readfile", "isbadreadptr", "setfilepointer", "inquest labs", "windows api", "inquestpii", "loadlibrarya", "shellexecutea", "getprocaddress", "nextron", "lazarus group", "system file", "anomaly id", "svchost rule", "windows system", "roth", "patrick bareiss", "anton kutepov", "winreagent", "sha256", "peexe process", "text process", "cab process", "user", "peexe c", "zenbox", "peexe", "cape sandbox", "evader mitre", "files", "date", "malware", "trojan", "anomaly", "cnwr2 ogoogle", "trust", "cus subject", "memory pattern", "sigma rules", "other", "text network", "ja3 behavior", "tags", "malware trojan" ], "references": [ "Eula[1].txt", "procexp.Sys", "microstub.exe", "msedgewebview2.exe" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 300, "FileHash-SHA1": 288, "FileHash-SHA256": 1417, "URL": 348, "YARA": 1, "domain": 18, "hostname": 65 }, "indicator_count": 2437, "is_author": false, "is_subscribing": null, "subscriber_count": 128, "modified_text": "243 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "686c5dd19c990e74486c5e1f", "name": "(by gameprofits.io) ? DILBOOSTENERY.COM RHORINC.COM JANUSCAPITALINC.COM BRITISH COLUMBIA", "description": "", "modified": "2025-07-07T23:52:49.965000", "created": "2025-07-07T23:52:49.965000", "tags": [ "ip address", "country name", "gameprofitshack", "t'sara brashears", "Texas GOP Hack", "patent theft", "januscapitalinc.com hack", "pluspetro framing", "rhorinc hack" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [ "", "Video Games", "Petro", "Oil", "Energy", "telecommunications" ], "TLP": "white", "cloned_from": "6830a9467691823193700901", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 65, "URL": 315, "FileHash-SHA256": 84, "hostname": 90 }, "indicator_count": 554, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "329 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6830a9467691823193700901", "name": "DILBOOSTENERY.COM RHORINC.COM JANUSCAPITALINC.COM BRITISH COLUMBIA VITCIM OF CYBERSTALKING ESPONIAGE FRAMING IP THEFT FORCED POVERTY HACKING", "description": "MAJOR UPDATE - \n\nCHRISTY LEE DEWALT WORKING WITH CRIMINAL ENTERPRISE PK TECHNOLOGY BEHIND THE HACKERS ON THESE PULSES FRAMED", "modified": "2025-06-22T16:03:56.158000", "created": "2025-05-23T16:58:46.788000", "tags": [ "ip address", "country name", "gameprofitshack", "t'sara brashears", "Texas GOP Hack", "patent theft", "januscapitalinc.com hack", "pluspetro framing", "rhorinc hack" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [ "", "Video Games", "Petro", "Oil", "Energy", "telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "gameprofits.io", "id": "170823", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_170823/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 65, "URL": 315, "FileHash-SHA256": 84, "hostname": 90 }, "indicator_count": 554, "is_author": false, "is_subscribing": null, "subscriber_count": 51, "modified_text": "344 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "67c44a6e14a21bec8ba63984", "name": "pobierz.zip Sygn. akt II K 909/23 oskar\u017conego z art. 190 \u00a7 1 k.k. i inne", "description": "Sugerowane identyfikatory ATT&CK:\n7eab0ed0a8a050ad34f71dfd3e2109ff SHA1 c60c3d64cfa19fb1f19eabc656aafdcf12d87dd4 SHA256 3d0f3f98cea613718def2eb9dca707ad57d3d96d4e6b593aca38c8574a578905 [VT] [MWDB] [Bazar] SHA3-384 32d70abaa630d0a8e6237b1df88da306306d27096950469ff7e99d754274e28cfaa0736af43ad55f3d57fc66d9812d4d CRC32 C69B0751 TLSH T1013413B6C8A16CF2D93D2BF2D89A3715DFDAB2C28156C057EB22C09359CE5D817438D8 G\u0142\u0119boki 6144:E8FhrpzjsHyC6DgXapizwbZ8ePb85pNLmih2tC:vrpESCUgX8ikbZ8ePb8J0E", "modified": "2025-04-01T09:03:52.165000", "created": "2025-03-02T12:09:18.878000", "tags": [ "typ pliku", "ascii", "sqlite", "tekst", "postscript", "cza typ", "windows", "152 x", "utf8", "dziennik", "sha1", "json", "foxpro fpt", "sha256", "mwdb", "bazar", "sha3384", "crc32 c69b0751", "gboki", "settings", "categories", "default", "toolspanose", "cname", "nova cond", "inprocserver32", "metadata", "lcid1033", "syslcid1033", "light" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 210, "FileHash-SHA1": 53, "FileHash-SHA256": 599, "hostname": 151, "domain": 23, "URL": 233 }, "indicator_count": 1269, "is_author": false, "is_subscribing": null, "subscriber_count": 127, "modified_text": "426 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://en.cube-soft.jp/entry/cubepdf/A0", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://en.cube-soft.jp/entry/cubepdf/A0", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780358111.5209706 }