{
  "type": "URL",
  "indicator": "https://region1.analytics.google.com/g/collect",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://region1.analytics.google.com/g/collect",
    "type": "url",
    "type_title": "URL",
    "validation": [
      {
        "source": "alexa",
        "message": "Alexa rank: #1",
        "name": "Listed on Alexa"
      },
      {
        "source": "akamai",
        "message": "Akamai rank: #3",
        "name": "Akamai Popular Domain"
      },
      {
        "source": "whitelist",
        "message": "Whitelisted domain google.com",
        "name": "Whitelisted domain"
      },
      {
        "source": "majestic",
        "message": "Whitelisted domain google.com",
        "name": "Whitelisted domain"
      }
    ],
    "base_indicator": {
      "id": 4049618505,
      "indicator": "https://region1.analytics.google.com/g/collect",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 4,
      "pulses": [
        {
          "id": "68b60cdecf42fb532f2ceb12",
          "name": "U of A DataBreach Update - 11.13.25",
          "description": "Domain Analysis that serves as evidence of ongoing data breaches at the University of Alberta, with associated references.\nThe analysis demonstrates abused critical infrastructure in the Province of Alberta stemming from UAlberta, as detailed in this Pulse.",
          "modified": "2025-12-13T22:01:27.739000",
          "created": "2025-09-01T21:15:10.117000",
          "tags": [
            "as16509",
            "amazon02",
            "redirect",
            "tags",
            "as14618",
            "amazonaes",
            "search",
            "public",
            "search live",
            "api blog",
            "patch http",
            "please",
            "javascript",
            "url",
            "website",
            "web",
            "scanner",
            "analyze",
            "analyzer",
            "search api",
            "make sure",
            "domain",
            "and not",
            "page",
            "home search",
            "live api",
            "blog docs",
            "pricing login",
            "greynoise",
            "visualizer skip",
            "service status",
            "company blog",
            "us careers",
            "policies vpat",
            "slo privacy",
            "cookie patent",
            "copyright",
            "google privacy",
            "sandbox",
            "reputation",
            "phishing",
            "malware",
            "amazon web",
            "services",
            "warning icon",
            "share report",
            "systems",
            "cloudflare",
            "varnish",
            "nginx",
            "apache",
            "write",
            "virus",
            "trojan",
            "ransomware",
            "static",
            "analysis",
            "indicator of compromise",
            "ioc",
            "extraction",
            "emulation",
            "online",
            "submit",
            "sample",
            "download",
            "platform",
            "course",
            "program",
            "vxstream",
            "apt",
            "hybrid analysis",
            "api key",
            "vetting process",
            "please note",
            "UAlberta"
          ],
          "references": [
            "https://www.virustotal.com/gui/collection/081aaa3e4cc9594cebbd39781c156d337527737e7123481e44ca9de1b39852ee/iocs",
            "https://www.virustotal.com/gui/collection/081aaa3e4cc9594cebbd39781c156d337527737e7123481e44ca9de1b39852ee/summary",
            "https://urlscan.io/search/#page.domain%3Awww.ualberta.ca",
            "https://viz.greynoise.io/ip/analysis/d90b0bd7-aaa1-4ea6-93c1-92bfd2d8f930",
            "https://urlquery.net/report/e9f9c430-fb2f-4166-8bfb-500339fdb9c0",
            "https://www.filescan.io/uploads/68b608d639a6221faa7935aa/reports/dd218cea-f81d-43ed-97fe-dd8c5aec52a3/ioc",
            "https://hybrid-analysis.com/sample/3b036b4b2b1d24e19238c6af7bbfaba465cf54cb2f9aab048002deddeafb7f43",
            "https://viz.greynoise.io/query/AS3359",
            "https://www.virustotal.com/graph/embed/g4022b02acb3b46ddb4b24043845853d9f56a84d80b5849188fee79c90217d4ca?theme=dark",
            "http://ci-www.threatcrowd.org/domain.php?domain=ualberta.ca",
            "https://www.urlvoid.com/dns-records-lookup/",
            "https://www.shodan.io/search?query=ualberta.ca",
            "https://dnsdumpster.com/",
            "https://bgpview.io/asn/3359#whois",
            "https://centralops.net/co/",
            "https://app.netlas.io/domains/stats/?facets=domain&indices=&q=domain%3A%2A.ualberta.ca&size=1100",
            "09.10.25 - https://viz.greynoise.io/ip/analysis/df2c8c37-f8f2-4398-b709-7c716b03b697",
            "09.10.25 - https://urlscan.io/search/#page.domain%3Awww.ualberta.ca",
            "https://hybrid-analysis.com/sample/3b036b4b2b1d24e19238c6af7bbfaba465cf54cb2f9aab048002deddeafb7f43/680e723df123be6c63004290",
            "https://www.criminalip.io/asset/search?query=ualberta.ca",
            "09.20.25 - https://urlscan.io/search/#page.domain%3Aualberta.ca",
            "https://app.threat.zone/submission/c70698bf-881e-491a-a582-eee634b4bf73/url-analysis-report",
            "https://whois.domaintools.com/ualberta.ca",
            "https://research.domaintools.com/research/whois-history/search/?q=ualberta.ca",
            "https://viewdns.info/iphistory/?domain=ualberta.ca",
            "https://viewdns.info/portscan/?host=ualberta.ca",
            "https://whois.easycounter.com/ualberta.ca",
            "https://search.censys.io/search?resource=hosts&sort=RELEVANCE&per_page=25&virtual_hosts=EXCLUDE&q=ualberta.ca",
            "https://who.is/whois/ualberta.ca",
            "https://www.robtex.com/en/dns-lookup/ca/ualberta",
            "https://www.whoxy.com/ualberta.ca",
            "https://reverseip.domaintools.com/search/?q=ualberta.ca",
            "https://bgp.he.net/dns/ualberta.ca",
            "https://intelx.io/?s=ualberta.ca",
            "https://pulsedive.com/indicator/?indicator=ualberta.ca",
            "https://web.archive.org/web/20250000000000*/ualberta.ca",
            "https://crt.sh/?q=ualberta.ca&exclude=expired&group=none",
            "https://viewdns.info/traceroute/?domain=ualberta.ca",
            "https://centralops.net/co/DomainDossier.aspx",
            "https://search.odin.io/hosts?query=ualberta.ca",
            "https://www.merklemap.com/search?query=ualberta.ca&page=0"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Canada",
            "United States of America"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Education",
            "Technology"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 92,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 1,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 9901,
            "domain": 790,
            "email": 982,
            "hostname": 10520,
            "FileHash-MD5": 550,
            "FileHash-SHA256": 1726,
            "FileHash-SHA1": 519,
            "SSLCertFingerprint": 64,
            "CIDR": 26,
            "CVE": 12
          },
          "indicator_count": 25090,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 137,
          "modified_text": "127 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "68c6ee7fed3c32c4e9d929f9",
          "name": "https://www[.]alberta[.]ca/technology-and-innovation - 09.14.25",
          "description": "Find out more about the Alberta government's technology and innovation projects at the same time as the release of a new artificial intelligence (AI) search tool on the province's main website. Mashup of VT collections/graphs from jwanihad and Arkadij_0",
          "modified": "2025-10-14T16:57:23.520000",
          "created": "2025-09-14T16:34:07.408000",
          "tags": [
            "alberta",
            "find",
            "innovation",
            "government",
            "august",
            "home all",
            "business",
            "strategy",
            "skip",
            "search ai",
            "wildfire",
            "footer",
            "please",
            "javascript",
            "technology",
            "ai data",
            "ministry",
            "social",
            "ministries",
            "june",
            "media",
            "sandbox",
            "malware",
            "analysis",
            "online",
            "submit",
            "vxstream",
            "sample",
            "download",
            "trojan",
            "apt",
            "ansi",
            "prefetch8 ansi",
            "show process",
            "date",
            "pcap processing",
            "threat level",
            "hash seen",
            "pcap frame",
            "programfiles",
            "sha256",
            "suspicious",
            "comspec",
            "hybrid",
            "model",
            "close",
            "click",
            "hosts",
            "general",
            "path",
            "starfield",
            "strings",
            "contact",
            "url",
            "scanner",
            "reputation",
            "phishing",
            "warning icon",
            "share report",
            "domain",
            "systems",
            "google tag",
            "manager",
            "cloudflare",
            "nginx",
            "amazon web",
            "services",
            "write",
            "url analysis",
            "website security scan",
            "phishing detection",
            "brand monitoring",
            "website vulnerability checker",
            "online threat intelligence",
            "cybersecurity tools",
            "api for website analysis",
            "python security library",
            "ai web analysis",
            "online fraud prevention",
            "takedown service",
            "dna test",
            "virus",
            "ransomware",
            "static",
            "indicator of compromise",
            "ioc",
            "extraction",
            "emulation",
            "platform",
            "pcap",
            "entity",
            "UCP",
            "Alberta",
            "UAlberta"
          ],
          "references": [
            "https://www.alberta.ca/innovation-technology",
            "https://www.virustotal.com/gui/url/02ac643ab4887f1369e972111782ffb97a98e476ba9277217b048e9c529c7b67/details",
            "https://www.virustotal.com/gui/url/50a0c769107dd6645c080610169f2da5a43d64d06839800fdb426b2b1dc8b552/details",
            "https://www.alberta.ca/technology-and-innovation",
            "https://hybrid-analysis.com/sample/8f73a016e04056778913b3a3192cd57649f6243488898938874b7f31831002aa/68c6dbeb73994f791800aa28",
            "https://urlquery.net/report/9e772488-395e-4d54-a170-c148a573c337",
            "https://urldna.io/scan/68c6dc443b7750000f71bb02",
            "https://www.filescan.io/uploads/68c6de05732879482929ac55/reports/ed420243-2df7-46a3-89e0-f807373b8885/overview",
            "https://hybrid-analysis.com/sample/e81eb1d6abbf1818869d857b2dba4b432cfdb69d11d02336946c229f252e8f03/68c6de4c44d253a54b0e2076",
            "https://urlquery.net/report/b68eb048-4eca-43f6-8f8e-f58064296d03",
            "https://urldna.io/scan/68c6e2653b7750000ab1b015",
            "https://www.virustotal.com/graph/embed/ge6af493614484a64b8f6778d729f95faeb8d09db49ea4e8da0a3e1e5d6497ca4?theme=dark"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            },
            {
              "id": "T1590",
              "name": "Gather Victim Network Information",
              "display_name": "T1590 - Gather Victim Network Information"
            },
            {
              "id": "T1498",
              "name": "Network Denial of Service",
              "display_name": "T1498 - Network Denial of Service"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            }
          ],
          "industries": [
            "Government",
            "Tech"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 22,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 54,
            "FileHash-SHA1": 53,
            "FileHash-SHA256": 122,
            "SSLCertFingerprint": 12,
            "URL": 75,
            "email": 6,
            "domain": 10,
            "hostname": 82
          },
          "indicator_count": 414,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 129,
          "modified_text": "187 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "67e709c0cfa1a1851d81a657",
          "name": "Government of Alberta ** Domain Analysis - 05.05.25",
          "description": "Domain Name: alberta.ca\nRegistry Domain ID: D198023-CIRA\nRegistrar WHOIS Server: whois.ca.fury.ca\nRegistrar URL: webnames.ca\nRegistrar: Webnames.ca Inc.\nRegistrar IANA ID: 456\nRegistrar Abuse Contact Email: abuse@webnames.ca\nRegistrar Abuse Contact Phone: +1.8662217878\n\nRegistry Registrant ID: R2532-CIRA\nRegistrant Name: Alberta Provincial Government\n3720 - 76 Avenue, Main Floor - Access Building\nEdmonton, AB T6B2N9, CA\nPh: +1.7806381828\nFax: +1.7806385949\nRegistrant Email: dutyweb@gov.ab.ca\nRegistry Admin ID: C851779-CIRA\nAdmin Name: CERTS Analyst\nAdmin Email: certs@gov.ab.ca\nRegistry Tech ID: C851781-CIRA\n\nName Server: is-dns1.gov.ab.ca\nName Server: is-dns3.gov.ab.ca\nDNSSEC: unsigned",
          "modified": "2025-06-05T02:05:37.765000",
          "created": "2025-03-28T20:42:40.389000",
          "tags": [
            "sandbox",
            "malware",
            "analysis",
            "online",
            "submit",
            "vxstream",
            "sample",
            "download",
            "trojan",
            "apt",
            "ansi",
            "symbol",
            "memoryfile scan",
            "path",
            "alberta",
            "prefetch8 ansi",
            "please",
            "show process",
            "date",
            "span",
            "find",
            "facebook",
            "twitter",
            "footer",
            "iframe",
            "suspicious",
            "body",
            "generator",
            "april",
            "energy",
            "comspec",
            "hybrid",
            "form",
            "main",
            "model",
            "close",
            "click",
            "hosts",
            "general",
            "starfield",
            "strings",
            "contact",
            "triage",
            "report",
            "reported",
            "analyze",
            "download submit",
            "sha512",
            "sha256",
            "prefetch8",
            "sha1",
            "filesize",
            "file",
            "prefetch1",
            "dataedge cloud",
            "process key",
            "config",
            "copy",
            "target",
            "impact",
            "javascript",
            "threat intelligence",
            "feed",
            "ioc",
            "change theme",
            "contact us",
            "intelligence",
            "threats api",
            "analyze api",
            "overview",
            "threats explore",
            "rate limits",
            "stixtaxii",
            "bulk export",
            "virus",
            "ransomware",
            "static",
            "indicator of compromise",
            "extraction",
            "emulation",
            "platform",
            "eid2",
            "eid3",
            "uaaaaaaai",
            "eid104",
            "malcore",
            "file analysis",
            "historical dns",
            "info",
            "login",
            "scan",
            "domain analysis",
            "discovered ip",
            "subdomains",
            "info malcore",
            "simple file",
            "policy terms",
            "intelligence x",
            "results",
            "product blog",
            "sign",
            "most relevant",
            "darknet",
            "please search",
            "search advanced",
            "categories date",
            "term",
            "slow",
            "scroll",
            "schedule",
            "cavalier",
            "bayonet",
            "full report",
            "users",
            "free report",
            "hudson rock",
            "attack surface",
            "customers",
            "demo explore",
            "tools",
            "third",
            "protect",
            "over",
            "rock",
            "service"
          ],
          "references": [
            "https://hybrid-analysis.com/sample/b0221df98cf7c8cbb752166c2942167038905c6ce60cd4289bee7d6c9d9c9981/67e70010db76da6d2704fa75",
            "https://tria.ge/250328-yq3hrsz1c1/behavioral1",
            "https://www.virustotal.com/gui/domain/alberta.ca",
            "https://pulsedive.com/indicator/?iid=9866511",
            "https://www.filescan.io/uploads/67e70367631830704a8a8a0c/reports/0cb06032-68da-40e4-8f2a-f2ef06384df8/ioc",
            "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/67ab2665da3e8886f5e4ecce = Domain Analysis (refer to databreaches)",
            "https://intelx.io/?s=alberta.ca",
            "https://www.hudsonrock.com/search?domain=alberta.ca",
            "https://polyswarm.network/scan/results/url/8f3e04dffd9a4447667ca0135138ca8da321c66c9dbd6be815c17e2aa6e6f292",
            "https://www.urlvoid.com/whois-lookup/",
            "https://app.pentester.com/scans/U2NhblR5cGU6NjM1NDk1OA==",
            "https://cwe.mitre.org/data/definitions/79.html",
            "https://www.virustotal.com/gui/domain/alberta.ca/relations",
            "http://ci-www.threatcrowd.org/domain.php?domain=alberta.ca",
            "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/67ab2665da3e8886f5e4ecce",
            "https://www.hybrid-analysis.com/sample/9b22c3771c435ce35bd0d8c766594a7e01156167829b60155e028d8852c69ba2/681974f451849933040662f6",
            "https://www.filescan.io/uploads/68197523c7418694c8a5dcd3/reports/ae06283d-f5d8-426d-a32c-1a04566e7635/ioc"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Canada"
          ],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1217",
              "name": "Browser Bookmark Discovery",
              "display_name": "T1217 - Browser Bookmark Discovery"
            }
          ],
          "industries": [
            "Education",
            "Technology",
            "Government",
            "Healthcare"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 62,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 2,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 126,
            "FileHash-SHA1": 118,
            "FileHash-SHA256": 347,
            "SSLCertFingerprint": 18,
            "domain": 149,
            "email": 16,
            "URL": 478,
            "hostname": 1562,
            "CVE": 7
          },
          "indicator_count": 2821,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 129,
          "modified_text": "318 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "67db9be18168bc23126a0f17",
          "name": "Falcon Sandbox (Hybrid Analysis), FileScan[.]io & URLScan[.]io - UAlberta[.]ca domain analysis",
          "description": "Domain Analysis of hxxp://ualberta[.]ca w. Hybrid Analysis, Filescan, URLscan\n-Followed up w. analysis of previously submitted URLscan submissions w. an analysis by Greynoise[.]io (up to 03.19.25)\n-Greynoise yielded (from URLScan 120 Identified & 10 Unknowns) - the results classified as RIOTS appear to be confounded (potential abuse of Amazon Web Services in combination w. other cloud provider services).\n-It appears that just visiting and/or touching this domain is generally not recommended\n-Results from PulseDive -> Redirects to: https://www.ualberta[.]ca/en/index.html // SSL certificate found: ualberta[.]ca and 239 more. Edmonton, Canada, University of Alberta. dnsmaster@ualberta.ca\neasyDNS Technologies Inc. Amazon ALB, Amazon Cloudfront, Apache HTTP Server, Bootstrap, Coveo, Crazy Egg, Facebook Pixel, Font Awesome, Google Analytics, Google Font API, jQuery, Linkedin Insight Tag, Microsoft Clarity, Open Graph, TikTok Pixel, Twitter Ads",
          "modified": "2025-04-19T04:02:16.037000",
          "created": "2025-03-20T04:38:57.551000",
          "tags": [
            "as16509",
            "amazon02",
            "redirect",
            "as14618",
            "amazonaes",
            "search",
            "public",
            "home search",
            "live api",
            "blog docs",
            "sandbox",
            "malware",
            "analysis",
            "online",
            "submit",
            "vxstream",
            "sample",
            "download",
            "trojan",
            "apt",
            "pcap processing",
            "ansi",
            "pcap",
            "gecko",
            "win64",
            "khtml",
            "windows nt",
            "brand",
            "prefetch8 ansi",
            "microsoft edge",
            "date",
            "cookie",
            "mozilla",
            "suspicious",
            "comspec",
            "window",
            "model",
            "hybrid",
            "accept",
            "hacked",
            "starfield",
            "encrypt",
            "close",
            "click",
            "twitter",
            "hosts",
            "service",
            "general",
            "path",
            "union",
            "dest",
            "strings",
            "contact"
          ],
          "references": [
            "https://hybrid-analysis.com/sample/dea64c4ce5cd9b55fb634888e4c6530728e266c8cb6d2bf670a9fe9e3f712c43/67db93032dc368d2d80c3df1",
            "https://urlscan.io/search/#page.domain%3Awww.ualberta.ca",
            "https://www.filescan.io/uploads/67db2f67b93e688233ef36e9/reports/7e4e4377-5eb9-48a7-848d-bfdca4fb244c/ioc",
            "https://hybrid-analysis.com/sample/dea64c4ce5cd9b55fb634888e4c6530728e266c8cb6d2bf670a9fe9e3f712c43",
            "https://hybrid-analysis.com/sample/dea64c4ce5cd9b55fb634888e4c6530728e266c8cb6d2bf670a9fe9e3f712c43/67db93032dc368d2d80c3df1",
            "https://viz.greynoise.io/analysis/5692e934-322f-48b9-bd9b-556e653ff5b6",
            "https://pulsedive.com/ioc/ualberta.ca"
          ],
          "public": 1,
          "adversary": "dosdean@ualberta[.]ca // ciso@ualberta[.]ca",
          "targeted_countries": [
            "United States of America",
            "Canada"
          ],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1132",
              "name": "Data Encoding",
              "display_name": "T1132 - Data Encoding"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            }
          ],
          "industries": [
            "Education",
            "Technology",
            "Government",
            "Agriculture",
            "Healthcare",
            "Chemical",
            "Finance",
            "Media"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 14,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 897,
            "domain": 37,
            "email": 34,
            "hostname": 396,
            "FileHash-MD5": 71,
            "FileHash-SHA1": 69,
            "FileHash-SHA256": 69,
            "SSLCertFingerprint": 23
          },
          "indicator_count": 1596,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 130,
          "modified_text": "365 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://www.virustotal.com/gui/domain/alberta.ca",
        "https://hybrid-analysis.com/sample/b0221df98cf7c8cbb752166c2942167038905c6ce60cd4289bee7d6c9d9c9981/67e70010db76da6d2704fa75",
        "https://www.merklemap.com/search?query=ualberta.ca&page=0",
        "https://www.urlvoid.com/dns-records-lookup/",
        "https://reverseip.domaintools.com/search/?q=ualberta.ca",
        "https://viewdns.info/portscan/?host=ualberta.ca",
        "https://web.archive.org/web/20250000000000*/ualberta.ca",
        "https://www.virustotal.com/gui/url/50a0c769107dd6645c080610169f2da5a43d64d06839800fdb426b2b1dc8b552/details",
        "https://hybrid-analysis.com/sample/dea64c4ce5cd9b55fb634888e4c6530728e266c8cb6d2bf670a9fe9e3f712c43/67db93032dc368d2d80c3df1",
        "https://hybrid-analysis.com/sample/dea64c4ce5cd9b55fb634888e4c6530728e266c8cb6d2bf670a9fe9e3f712c43",
        "https://search.censys.io/search?resource=hosts&sort=RELEVANCE&per_page=25&virtual_hosts=EXCLUDE&q=ualberta.ca",
        "https://www.hybrid-analysis.com/sample/9b22c3771c435ce35bd0d8c766594a7e01156167829b60155e028d8852c69ba2/681974f451849933040662f6",
        "https://urldna.io/scan/68c6dc443b7750000f71bb02",
        "https://www.filescan.io/uploads/68197523c7418694c8a5dcd3/reports/ae06283d-f5d8-426d-a32c-1a04566e7635/ioc",
        "https://www.filescan.io/uploads/67e70367631830704a8a8a0c/reports/0cb06032-68da-40e4-8f2a-f2ef06384df8/ioc",
        "https://www.hudsonrock.com/search?domain=alberta.ca",
        "https://centralops.net/co/DomainDossier.aspx",
        "https://pulsedive.com/indicator/?indicator=ualberta.ca",
        "https://viewdns.info/traceroute/?domain=ualberta.ca",
        "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/67ab2665da3e8886f5e4ecce = Domain Analysis (refer to databreaches)",
        "https://polyswarm.network/scan/results/url/8f3e04dffd9a4447667ca0135138ca8da321c66c9dbd6be815c17e2aa6e6f292",
        "https://centralops.net/co/",
        "https://app.netlas.io/domains/stats/?facets=domain&indices=&q=domain%3A%2A.ualberta.ca&size=1100",
        "https://viz.greynoise.io/ip/analysis/d90b0bd7-aaa1-4ea6-93c1-92bfd2d8f930",
        "https://www.virustotal.com/gui/url/02ac643ab4887f1369e972111782ffb97a98e476ba9277217b048e9c529c7b67/details",
        "https://hybrid-analysis.com/sample/3b036b4b2b1d24e19238c6af7bbfaba465cf54cb2f9aab048002deddeafb7f43/680e723df123be6c63004290",
        "https://intelx.io/?s=ualberta.ca",
        "https://www.filescan.io/uploads/67db2f67b93e688233ef36e9/reports/7e4e4377-5eb9-48a7-848d-bfdca4fb244c/ioc",
        "https://www.alberta.ca/technology-and-innovation",
        "https://urlquery.net/report/e9f9c430-fb2f-4166-8bfb-500339fdb9c0",
        "https://www.criminalip.io/asset/search?query=ualberta.ca",
        "https://www.virustotal.com/gui/collection/081aaa3e4cc9594cebbd39781c156d337527737e7123481e44ca9de1b39852ee/iocs",
        "https://intelx.io/?s=alberta.ca",
        "https://www.urlvoid.com/whois-lookup/",
        "https://app.pentester.com/scans/U2NhblR5cGU6NjM1NDk1OA==",
        "https://app.threat.zone/submission/c70698bf-881e-491a-a582-eee634b4bf73/url-analysis-report",
        "https://www.alberta.ca/innovation-technology",
        "https://hybrid-analysis.com/sample/8f73a016e04056778913b3a3192cd57649f6243488898938874b7f31831002aa/68c6dbeb73994f791800aa28",
        "09.20.25 - https://urlscan.io/search/#page.domain%3Aualberta.ca",
        "https://www.whoxy.com/ualberta.ca",
        "https://urlquery.net/report/b68eb048-4eca-43f6-8f8e-f58064296d03",
        "https://viz.greynoise.io/analysis/5692e934-322f-48b9-bd9b-556e653ff5b6",
        "09.10.25 - https://viz.greynoise.io/ip/analysis/df2c8c37-f8f2-4398-b709-7c716b03b697",
        "https://viewdns.info/iphistory/?domain=ualberta.ca",
        "https://pulsedive.com/ioc/ualberta.ca",
        "https://hybrid-analysis.com/sample/3b036b4b2b1d24e19238c6af7bbfaba465cf54cb2f9aab048002deddeafb7f43",
        "https://bgpview.io/asn/3359#whois",
        "http://ci-www.threatcrowd.org/domain.php?domain=ualberta.ca",
        "https://hybrid-analysis.com/sample/e81eb1d6abbf1818869d857b2dba4b432cfdb69d11d02336946c229f252e8f03/68c6de4c44d253a54b0e2076",
        "https://whois.domaintools.com/ualberta.ca",
        "https://research.domaintools.com/research/whois-history/search/?q=ualberta.ca",
        "https://search.odin.io/hosts?query=ualberta.ca",
        "https://tria.ge/250328-yq3hrsz1c1/behavioral1",
        "https://www.shodan.io/search?query=ualberta.ca",
        "https://www.virustotal.com/graph/embed/ge6af493614484a64b8f6778d729f95faeb8d09db49ea4e8da0a3e1e5d6497ca4?theme=dark",
        "https://www.virustotal.com/gui/domain/alberta.ca/relations",
        "https://urldna.io/scan/68c6e2653b7750000ab1b015",
        "https://urlscan.io/search/#page.domain%3Awww.ualberta.ca",
        "https://dnsdumpster.com/",
        "https://www.virustotal.com/graph/embed/g4022b02acb3b46ddb4b24043845853d9f56a84d80b5849188fee79c90217d4ca?theme=dark",
        "https://bgp.he.net/dns/ualberta.ca",
        "https://www.filescan.io/uploads/68b608d639a6221faa7935aa/reports/dd218cea-f81d-43ed-97fe-dd8c5aec52a3/ioc",
        "https://crt.sh/?q=ualberta.ca&exclude=expired&group=none",
        "https://cwe.mitre.org/data/definitions/79.html",
        "09.10.25 - https://urlscan.io/search/#page.domain%3Awww.ualberta.ca",
        "https://who.is/whois/ualberta.ca",
        "https://urlquery.net/report/9e772488-395e-4d54-a170-c148a573c337",
        "https://www.filescan.io/uploads/68c6de05732879482929ac55/reports/ed420243-2df7-46a3-89e0-f807373b8885/overview",
        "http://ci-www.threatcrowd.org/domain.php?domain=alberta.ca",
        "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/67ab2665da3e8886f5e4ecce",
        "https://whois.easycounter.com/ualberta.ca",
        "https://www.robtex.com/en/dns-lookup/ca/ualberta",
        "https://viz.greynoise.io/query/AS3359",
        "https://pulsedive.com/indicator/?iid=9866511",
        "https://www.virustotal.com/gui/collection/081aaa3e4cc9594cebbd39781c156d337527737e7123481e44ca9de1b39852ee/summary"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 0
        },
        "other": {
          "adversary": [
            "dosdean@ualberta[.]ca // ciso@ualberta[.]ca"
          ],
          "malware_families": [],
          "industries": [
            "Media",
            "Finance",
            "Education",
            "Chemical",
            "Technology",
            "Government",
            "Tech",
            "Healthcare",
            "Agriculture"
          ],
          "unique_indicators": 13910
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/google.com",
    "whois": "http://whois.domaintools.com/google.com",
    "domain": "google.com",
    "hostname": "region1.analytics.google.com"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 4,
  "pulses": [
    {
      "id": "68b60cdecf42fb532f2ceb12",
      "name": "U of A DataBreach Update - 11.13.25",
      "description": "Domain Analysis that serves as evidence of an on-going DataBreaches at the University of Alberta with associated references.\nAnalysis demonstrates abused critical infrastructure in the Province of Alberta stemming from UAlberta as detailed in this Pulse.",
      "modified": "2025-12-13T22:01:27.739000",
      "created": "2025-09-01T21:15:10.117000",
      "tags": [
        "as16509",
        "amazon02",
        "redirect",
        "tags",
        "as14618",
        "amazonaes",
        "search",
        "public",
        "search live",
        "api blog",
        "patch http",
        "please",
        "javascript",
        "url",
        "website",
        "web",
        "scanner",
        "analyze",
        "analyzer",
        "search api",
        "make sure",
        "domain",
        "and not",
        "page",
        "home search",
        "live api",
        "blog docs",
        "pricing login",
        "greynoise",
        "visualizer skip",
        "service status",
        "company blog",
        "us careers",
        "policies vpat",
        "slo privacy",
        "cookie patent",
        "copyright",
        "google privacy",
        "sandbox",
        "reputation",
        "phishing",
        "malware",
        "amazon web",
        "services",
        "warning icon",
        "share report",
        "systems",
        "cloudflare",
        "varnish",
        "nginx",
        "apache",
        "write",
        "virus",
        "trojan",
        "ransomware",
        "static",
        "analysis",
        "indicator of compromise",
        "ioc",
        "extraction",
        "emulation",
        "online",
        "submit",
        "sample",
        "download",
        "platform",
        "course",
        "program",
        "vxstream",
        "apt",
        "hybrid analysis",
        "api key",
        "vetting process",
        "please note",
        "UAlberta"
      ],
      "references": [
        "https://www.virustotal.com/gui/collection/081aaa3e4cc9594cebbd39781c156d337527737e7123481e44ca9de1b39852ee/iocs",
        "https://www.virustotal.com/gui/collection/081aaa3e4cc9594cebbd39781c156d337527737e7123481e44ca9de1b39852ee/summary",
        "https://urlscan.io/search/#page.domain%3Awww.ualberta.ca",
        "https://viz.greynoise.io/ip/analysis/d90b0bd7-aaa1-4ea6-93c1-92bfd2d8f930",
        "https://urlquery.net/report/e9f9c430-fb2f-4166-8bfb-500339fdb9c0",
        "https://www.filescan.io/uploads/68b608d639a6221faa7935aa/reports/dd218cea-f81d-43ed-97fe-dd8c5aec52a3/ioc",
        "https://hybrid-analysis.com/sample/3b036b4b2b1d24e19238c6af7bbfaba465cf54cb2f9aab048002deddeafb7f43",
        "https://viz.greynoise.io/query/AS3359",
        "https://www.virustotal.com/graph/embed/g4022b02acb3b46ddb4b24043845853d9f56a84d80b5849188fee79c90217d4ca?theme=dark",
        "http://ci-www.threatcrowd.org/domain.php?domain=ualberta.ca",
        "https://www.urlvoid.com/dns-records-lookup/",
        "https://www.shodan.io/search?query=ualberta.ca",
        "https://dnsdumpster.com/",
        "https://bgpview.io/asn/3359#whois",
        "https://centralops.net/co/",
        "https://app.netlas.io/domains/stats/?facets=domain&indices=&q=domain%3A%2A.ualberta.ca&size=1100",
        "09.10.25 - https://viz.greynoise.io/ip/analysis/df2c8c37-f8f2-4398-b709-7c716b03b697",
        "09.10.25 - https://urlscan.io/search/#page.domain%3Awww.ualberta.ca",
        "https://hybrid-analysis.com/sample/3b036b4b2b1d24e19238c6af7bbfaba465cf54cb2f9aab048002deddeafb7f43/680e723df123be6c63004290",
        "https://www.criminalip.io/asset/search?query=ualberta.ca",
        "09.20.25 - https://urlscan.io/search/#page.domain%3Aualberta.ca",
        "https://app.threat.zone/submission/c70698bf-881e-491a-a582-eee634b4bf73/url-analysis-report",
        "https://whois.domaintools.com/ualberta.ca",
        "https://research.domaintools.com/research/whois-history/search/?q=ualberta.ca",
        "https://viewdns.info/iphistory/?domain=ualberta.ca",
        "https://viewdns.info/portscan/?host=ualberta.ca",
        "https://whois.easycounter.com/ualberta.ca",
        "https://search.censys.io/search?resource=hosts&sort=RELEVANCE&per_page=25&virtual_hosts=EXCLUDE&q=ualberta.ca",
        "https://who.is/whois/ualberta.ca",
        "https://www.robtex.com/en/dns-lookup/ca/ualberta",
        "https://www.whoxy.com/ualberta.ca",
        "https://reverseip.domaintools.com/search/?q=ualberta.ca",
        "https://bgp.he.net/dns/ualberta.ca",
        "https://intelx.io/?s=ualberta.ca",
        "https://pulsedive.com/indicator/?indicator=ualberta.ca",
        "https://web.archive.org/web/20250000000000*/ualberta.ca",
        "https://crt.sh/?q=ualberta.ca&exclude=expired&group=none",
        "https://viewdns.info/traceroute/?domain=ualberta.ca",
        "https://centralops.net/co/DomainDossier.aspx",
        "https://search.odin.io/hosts?query=ualberta.ca",
        "https://www.merklemap.com/search?query=ualberta.ca&page=0"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Canada",
        "United States of America"
      ],
      "malware_families": [],
      "attack_ids": [],
      "industries": [
        "Education",
        "Technology"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 92,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 1,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Disable_Duck",
        "id": "244325",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 9901,
        "domain": 790,
        "email": 982,
        "hostname": 10520,
        "FileHash-MD5": 550,
        "FileHash-SHA256": 1726,
        "FileHash-SHA1": 519,
        "SSLCertFingerprint": 64,
        "CIDR": 26,
        "CVE": 12
      },
      "indicator_count": 25090,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 137,
      "modified_text": "127 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "68c6ee7fed3c32c4e9d929f9",
      "name": "https://www[.]alberta[.]ca/technology-and-innovation - 09.14.25",
      "description": "Find out more about the Alberta government's technology and innovation projects at the same time as the release of a new artificial intelligence (AI) search tool on the website of the province's main website. Mashup of VT collections/graphs from jwanihad and Arkadij_0",
      "modified": "2025-10-14T16:57:23.520000",
      "created": "2025-09-14T16:34:07.408000",
      "tags": [
        "alberta",
        "find",
        "innovation",
        "government",
        "august",
        "home all",
        "business",
        "strategy",
        "skip",
        "search ai",
        "wildfire",
        "footer",
        "please",
        "javascript",
        "technology",
        "ai data",
        "ministry",
        "social",
        "ministries",
        "june",
        "media",
        "sandbox",
        "malware",
        "analysis",
        "online",
        "submit",
        "vxstream",
        "sample",
        "download",
        "trojan",
        "apt",
        "ansi",
        "prefetch8 ansi",
        "show process",
        "date",
        "pcap processing",
        "threat level",
        "hash seen",
        "pcap frame",
        "programfiles",
        "sha256",
        "suspicious",
        "comspec",
        "hybrid",
        "model",
        "close",
        "click",
        "hosts",
        "general",
        "path",
        "starfield",
        "strings",
        "contact",
        "url",
        "scanner",
        "reputation",
        "phishing",
        "warning icon",
        "share report",
        "domain",
        "systems",
        "google tag",
        "manager",
        "cloudflare",
        "nginx",
        "amazon web",
        "services",
        "write",
        "url analysis",
        "website security scan",
        "phishing detection",
        "brand monitoring",
        "website vulnerability checker",
        "online threat intelligence",
        "cybersecurity tools",
        "api for website analysis",
        "python security library",
        "ai web analysis",
        "online fraud prevention",
        "takedown service",
        "dna test",
        "virus",
        "ransomware",
        "static",
        "indicator of compromise",
        "ioc",
        "extraction",
        "emulation",
        "platform",
        "pcap",
        "entity",
        "UCP",
        "Alberta",
        "UAlberta"
      ],
      "references": [
        "https://www.alberta.ca/innovation-technology",
        "https://www.virustotal.com/gui/url/02ac643ab4887f1369e972111782ffb97a98e476ba9277217b048e9c529c7b67/details",
        "https://www.virustotal.com/gui/url/50a0c769107dd6645c080610169f2da5a43d64d06839800fdb426b2b1dc8b552/details",
        "https://www.alberta.ca/technology-and-innovation",
        "https://hybrid-analysis.com/sample/8f73a016e04056778913b3a3192cd57649f6243488898938874b7f31831002aa/68c6dbeb73994f791800aa28",
        "https://urlquery.net/report/9e772488-395e-4d54-a170-c148a573c337",
        "https://urldna.io/scan/68c6dc443b7750000f71bb02",
        "https://www.filescan.io/uploads/68c6de05732879482929ac55/reports/ed420243-2df7-46a3-89e0-f807373b8885/overview",
        "https://hybrid-analysis.com/sample/e81eb1d6abbf1818869d857b2dba4b432cfdb69d11d02336946c229f252e8f03/68c6de4c44d253a54b0e2076",
        "https://urlquery.net/report/b68eb048-4eca-43f6-8f8e-f58064296d03",
        "https://urldna.io/scan/68c6e2653b7750000ab1b015",
        "https://www.virustotal.com/graph/embed/ge6af493614484a64b8f6778d729f95faeb8d09db49ea4e8da0a3e1e5d6497ca4?theme=dark"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        },
        {
          "id": "T1590",
          "name": "Gather Victim Network Information",
          "display_name": "T1590 - Gather Victim Network Information"
        },
        {
          "id": "T1498",
          "name": "Network Denial of Service",
          "display_name": "T1498 - Network Denial of Service"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        }
      ],
      "industries": [
        "Government",
        "Tech"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 22,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Disable_Duck",
        "id": "244325",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 54,
        "FileHash-SHA1": 53,
        "FileHash-SHA256": 122,
        "SSLCertFingerprint": 12,
        "URL": 75,
        "email": 6,
        "domain": 10,
        "hostname": 82
      },
      "indicator_count": 414,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 129,
      "modified_text": "187 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "67e709c0cfa1a1851d81a657",
      "name": "Government of Alberta ** Domain Analysis - 05.05.25",
      "description": "Domain Name: alberta.ca\nRegistry Domain ID: D198023-CIRA\nRegistrar WHOIS Server: whois.ca.fury.ca\nRegistrar URL: webnames.ca\nRegistrar: Webnames.ca Inc.\nRegistrar IANA ID: 456\nRegistrar Abuse Contact Email: abuse@webnames.ca\nRegistrar Abuse Contact Phone: +1.8662217878\n\nRegistry Registrant ID: R2532-CIRA\nRegistrant Name: Alberta Provincial Government\n3720 - 76 Avenue, Main Floor - Access Building\nEdmonton, AB T6B2N9, CA\nPh: +1.7806381828\nFax: +1.7806385949\nRegistrant Email: dutyweb@gov.ab.ca\nRegistry Admin ID: C851779-CIRA\nAdmin Name: CERTS Analyst\nAdmin Email: certs@gov.ab.ca\nRegistry Tech ID: C851781-CIRA\n\nName Server: is-dns1.gov.ab.ca\nName Server: is-dns3.gov.ab.ca\nDNSSEC: unsigned",
      "modified": "2025-06-05T02:05:37.765000",
      "created": "2025-03-28T20:42:40.389000",
      "tags": [
        "sandbox",
        "malware",
        "analysis",
        "online",
        "submit",
        "vxstream",
        "sample",
        "download",
        "trojan",
        "apt",
        "ansi",
        "symbol",
        "memoryfile scan",
        "path",
        "alberta",
        "prefetch8 ansi",
        "please",
        "show process",
        "date",
        "span",
        "find",
        "facebook",
        "twitter",
        "footer",
        "iframe",
        "suspicious",
        "body",
        "generator",
        "april",
        "energy",
        "comspec",
        "hybrid",
        "form",
        "main",
        "model",
        "close",
        "click",
        "hosts",
        "general",
        "starfield",
        "strings",
        "contact",
        "triage",
        "report",
        "reported",
        "analyze",
        "download submit",
        "sha512",
        "sha256",
        "prefetch8",
        "sha1",
        "filesize",
        "file",
        "prefetch1",
        "dataedge cloud",
        "process key",
        "config",
        "copy",
        "target",
        "impact",
        "javascript",
        "threat intelligence",
        "feed",
        "ioc",
        "change theme",
        "contact us",
        "intelligence",
        "threats api",
        "analyze api",
        "overview",
        "threats explore",
        "rate limits",
        "stixtaxii",
        "bulk export",
        "virus",
        "ransomware",
        "static",
        "indicator of compromise",
        "extraction",
        "emulation",
        "platform",
        "eid2",
        "eid3",
        "uaaaaaaai",
        "eid104",
        "malcore",
        "file analysis",
        "historical dns",
        "info",
        "login",
        "scan",
        "domain analysis",
        "discovered ip",
        "subdomains",
        "info malcore",
        "simple file",
        "policy terms",
        "intelligence x",
        "results",
        "product blog",
        "sign",
        "most relevant",
        "darknet",
        "please search",
        "search advanced",
        "categories date",
        "term",
        "slow",
        "scroll",
        "schedule",
        "cavalier",
        "bayonet",
        "full report",
        "users",
        "free report",
        "hudson rock",
        "attack surface",
        "customers",
        "demo explore",
        "tools",
        "third",
        "protect",
        "over",
        "rock",
        "service"
      ],
      "references": [
        "https://hybrid-analysis.com/sample/b0221df98cf7c8cbb752166c2942167038905c6ce60cd4289bee7d6c9d9c9981/67e70010db76da6d2704fa75",
        "https://tria.ge/250328-yq3hrsz1c1/behavioral1",
        "https://www.virustotal.com/gui/domain/alberta.ca",
        "https://pulsedive.com/indicator/?iid=9866511",
        "https://www.filescan.io/uploads/67e70367631830704a8a8a0c/reports/0cb06032-68da-40e4-8f2a-f2ef06384df8/ioc",
        "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/67ab2665da3e8886f5e4ecce = Domain Analysis (refer to databreaches)",
        "https://intelx.io/?s=alberta.ca",
        "https://www.hudsonrock.com/search?domain=alberta.ca",
        "https://polyswarm.network/scan/results/url/8f3e04dffd9a4447667ca0135138ca8da321c66c9dbd6be815c17e2aa6e6f292",
        "https://www.urlvoid.com/whois-lookup/",
        "https://app.pentester.com/scans/U2NhblR5cGU6NjM1NDk1OA==",
        "https://cwe.mitre.org/data/definitions/79.html",
        "https://www.virustotal.com/gui/domain/alberta.ca/relations",
        "http://ci-www.threatcrowd.org/domain.php?domain=alberta.ca",
        "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/67ab2665da3e8886f5e4ecce",
        "https://www.hybrid-analysis.com/sample/9b22c3771c435ce35bd0d8c766594a7e01156167829b60155e028d8852c69ba2/681974f451849933040662f6",
        "https://www.filescan.io/uploads/68197523c7418694c8a5dcd3/reports/ae06283d-f5d8-426d-a32c-1a04566e7635/ioc"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Canada"
      ],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        },
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1217",
          "name": "Browser Bookmark Discovery",
          "display_name": "T1217 - Browser Bookmark Discovery"
        }
      ],
      "industries": [
        "Education",
        "Technology",
        "Government",
        "Healthcare"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 62,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 2,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Disable_Duck",
        "id": "244325",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 126,
        "FileHash-SHA1": 118,
        "FileHash-SHA256": 347,
        "SSLCertFingerprint": 18,
        "domain": 149,
        "email": 16,
        "URL": 478,
        "hostname": 1562,
        "CVE": 7
      },
      "indicator_count": 2821,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 129,
      "modified_text": "318 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "67db9be18168bc23126a0f17",
      "name": "Falcon Sandbox (Hybrid Analysis), FileScan[.]io & URLScan[.]io - UAlberta[.]ca domain analysis",
      "description": "Domain Analysis of hxxp://ualberta[.]ca w. Hybrid Analysis, Filescan, URLscan\n-Followed up w. analysis of previously submitted URLscan submissions w. an analysis by Greynoise[.]io (up to 03.19.25)\n-Greynoise yielded (from URLScan 120 Identified & 10 Unknowns) - the results classified as RIOTS appear to be confounded (potential abuse of Amazon Web Services in combination w. other cloud provider services.\n-It appears just visiting and/or touching this domain is - generally not recommended\n-Results from PulseDive -> Redirects to: https://www.ualberta[.]ca/en/index.html // SSL certificate found: ualberta[.]ca and 239 more. Edmonton, Canada, University of Alberta. dnsmaster@ualberta.ca\neasyDNS Technologies Inc. Amazon ALB, Amazon Cloudfront, Apache HTTP Server, Bootstrap, Coveo, Crazy Egg, Facebook Pixel, Font Awesome, Google Analytics, Google Font API, jQuery, Linkedin Insight Tag, Microsoft Clarity, Open Graph, TikTok Pixel, Twitter Ads",
      "modified": "2025-04-19T04:02:16.037000",
      "created": "2025-03-20T04:38:57.551000",
      "tags": [
        "as16509",
        "amazon02",
        "redirect",
        "as14618",
        "amazonaes",
        "search",
        "public",
        "home search",
        "live api",
        "blog docs",
        "sandbox",
        "malware",
        "analysis",
        "online",
        "submit",
        "vxstream",
        "sample",
        "download",
        "trojan",
        "apt",
        "pcap processing",
        "ansi",
        "pcap",
        "gecko",
        "win64",
        "khtml",
        "windows nt",
        "brand",
        "prefetch8 ansi",
        "microsoft edge",
        "date",
        "cookie",
        "mozilla",
        "suspicious",
        "comspec",
        "window",
        "model",
        "hybrid",
        "accept",
        "hacked",
        "starfield",
        "encrypt",
        "close",
        "click",
        "twitter",
        "hosts",
        "service",
        "general",
        "path",
        "union",
        "dest",
        "strings",
        "contact"
      ],
      "references": [
        "https://hybrid-analysis.com/sample/dea64c4ce5cd9b55fb634888e4c6530728e266c8cb6d2bf670a9fe9e3f712c43/67db93032dc368d2d80c3df1",
        "https://urlscan.io/search/#page.domain%3Awww.ualberta.ca",
        "https://www.filescan.io/uploads/67db2f67b93e688233ef36e9/reports/7e4e4377-5eb9-48a7-848d-bfdca4fb244c/ioc",
        "https://hybrid-analysis.com/sample/dea64c4ce5cd9b55fb634888e4c6530728e266c8cb6d2bf670a9fe9e3f712c43",
        "https://hybrid-analysis.com/sample/dea64c4ce5cd9b55fb634888e4c6530728e266c8cb6d2bf670a9fe9e3f712c43/67db93032dc368d2d80c3df1",
        "https://viz.greynoise.io/analysis/5692e934-322f-48b9-bd9b-556e653ff5b6",
        "https://pulsedive.com/ioc/ualberta.ca"
      ],
      "public": 1,
      "adversary": "dosdean@ualberta[.]ca // ciso@ualberta[.]ca",
      "targeted_countries": [
        "United States of America",
        "Canada"
      ],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1132",
          "name": "Data Encoding",
          "display_name": "T1132 - Data Encoding"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1480",
          "name": "Execution Guardrails",
          "display_name": "T1480 - Execution Guardrails"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        }
      ],
      "industries": [
        "Education",
        "Technology",
        "Government",
        "Agriculture",
        "Healthcare",
        "Chemical",
        "Finance",
        "Media"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 14,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Disable_Duck",
        "id": "244325",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 897,
        "domain": 37,
        "email": 34,
        "hostname": 396,
        "FileHash-MD5": 71,
        "FileHash-SHA1": 69,
        "FileHash-SHA256": 69,
        "SSLCertFingerprint": 23
      },
      "indicator_count": 1596,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 130,
      "modified_text": "365 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://region1.analytics.google.com/g/collect",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://region1.analytics.google.com/g/collect",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1776638062.7200322
}