{ "type": "URL", "indicator": "https://www.albertahealthservices.ca/languages/languages.aspx", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://www.albertahealthservices.ca/languages/languages.aspx", "type": "url", "type_title": "URL", "validation": [ { "source": "majestic", "message": "Whitelisted domain albertahealthservices.ca", "name": "Whitelisted domain" } ], "base_indicator": { "id": 4061670601, "indicator": "https://www.albertahealthservices.ca/languages/languages.aspx", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "69e72d44bb57858cd46b3c8e", "name": "04.21.26 - AHS/Covenant Health/United Nurses/Alberta Doctors", "description": "Analyses of a few samples of problems that continue to spread around as a direct result of inaction by AHS/Covenant Health/Gov. Alberta/UAlberta.\nPII/PHI - Alberta Doctors & United Nurses // NathanIP Jodi Notified", "modified": "2026-05-21T09:40:07.961000", "created": "2026-04-21T07:54:44.662000", "tags": [ "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "hybrid analysis", "api key", "vetting process", "please note", "please", "AMA", "UNA", "AHS", "Covenant Health", "Connect Care", "AlbertaNDP" ], "references": [ "http://hybrid-analysis.com/file-collection/69c88e067efe5c20ff0e14da", "http://hybrid-analysis.com/file-collection/69c88ddb7a828cc98a0b5d0a", "http://hybrid-analysis.com/file-collection/69897cf33ec0874455036fdc", "http://hybrid-analysis.com/sample/0783c904e06bd678d9a060e2792a66a51d16e175ffb26f351cd5af17f61d5475", "http://hybrid-analysis.com/sample/5cbc6aba25c2151d71a2deb58f07a86097fafb4c375458f841c1e337cafc01c7/69203be81fa431c05d0e157f", "http://hybrid-analysis.com/sample/81e7491b17d5bf7a75c4fe9d24eb269d0a85bf8f8ac5c1be6b909e627287b8f4/68445d370bb5610af304f98c", "307fabc3ec54d141b7e9a8ae27258c4edd3801aaed9febb8c8e166c93eeaa466 4661ff6c9cece9774f34be180106d42b1d7dc770e7ef19a909e11b5899f8407a 9c4b06c1e8d0bdd6c16ca5efe547bdb067b372aaee54b5e2973c99f9d7f0641f 3132f97617635455e66f7f53282b4c7023f3939ce481ec13b4fbb39da0134140 6f533ccc79227e38f18bfc63bfc961ef4d3ee0e2bf33dd097ccf3548a12b743b 97cd8014827953e8d4c1b4797d03c47ed04e55c6957164439380bf3b7c962dad 6b3d6e268dcb76e175a7db3d9e031349ab2c32654c7e57581a851e64dd6214ab 7d592c61d98abf019ad7c47fb074f9c25a58149ceaf536005306d9d9e", "http://hybrid-analysis.com/file-collection/69dbfef2c548c576f7040936", "http://hybrid-analysis.com/sample/ca3ad00eb0c08e6cf6f4d0aec3fa82fc3bb715aba6d0365af89165560e569cff/6840e93d07e1fb99850dc5fb", "", "http://hybrid-analysis.com/sample/c3bebbff9e57e640178494d9d73eae1bf5859fe6edad062dea89dd6262d2a910/67f0335dd833bf8f7a06b644" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Healthcare", "Education", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 471, "FileHash-MD5": 315, "FileHash-SHA1": 245, "SSLCertFingerprint": 74, "URL": 652, "domain": 123, "hostname": 183, "email": 28 }, "indicator_count": 2091, "is_author": false, "is_subscribing": null, "subscriber_count": 132, "modified_text": "10 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6831a459b02fed33a40bc6d1", "name": "Page Not Found | Alberta Health Services", "description": "", "modified": "2025-06-23T04:00:39.930000", "created": "2025-05-24T10:50:01.662000", "tags": [ "div div", "alberta health", "home alberta", "health services", "meta", "services", "services ahs", "xl div", "text message", "scam alert", "date", "cookie", "present apr", "present nov", "present sep", "present oct", "present feb", "present dec", "present aug", "present jan", "present may", "present mar", "id1060552", "id1001957", "id1001471", "id1602", "search", "found", "alberta", "strong", "treaty", "english iska", "iabi", "niitsipowahssin", "nhiyawwin", "mission", "contact", "certificate", "http://cacerts.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1-", "webdomain@albertahealthservices.ca", "rsa securid", "javascript", "rsa hardware", "netcare access", "please", "citrix receiver", "access", "alert", "users", "form", "vhash", "ssdeep", "user account", "password keep", "sign", "microsoft", "connect care", "dragon medical", "eupa", "record", "hyperspace", "mylearninglink", "zoom", "medical one", "powermic mobile", "usb microphone", "critical", "sha256", "imphash", "rich pe", "seupa", "end user", "library", "north campus", "test day", "submission tip", "sheet", "https://can01.safelinks.protection.outlook.com/?url=https%3A%2F%", "click", "epic login", "bow valley", "college student", "folder click", "folder double", "double click", "citrix", "detect citrix" ], "references": [ "https://ahs.queue-it.net/?c=ahs&e=accr&ver=v3-aspnet-3.6.2&cver=43&man=ACCR%20-%20Send%20To%20Queue&t=https://www.albertahealthservices.ca/covidbooking/Welcome.aspx", "https://webdomain@albertahealthservices.ca", "http://webdomain@albertahealthservices.ca", "https://xero.albertahealthservices.ca/", "https://aaa.albertahealthservices.ca/cgi/tm?code=0b409f3c5177212e", "https://aaa.albertahealthservices.ca/logon/LogonPoint/tmindex.html", "https://mylearninglink.albertahealthservices.ca/elearning/bins/index.asp", "https://manual.connect-care.ca/Training/Online-Learning/post-basic-training#h.kykghqohiwo6", "http://albertahealthservices.ca/hot-topics/covid-19-workflows/covid-19-critical-care-workflows", "https://bowvalleycollege.libanswers.com/faq/213446", "https://can01.safelinks.protection.outlook.com/?url=https%3A%2F%2Finsite.albertahealthservices.ca%2Fmain%2Fassets%2Fcis%2Ftms-cis-cc-seupa-regsub-tip-sheet.pdf&data=05%7C02%7Cfdyer%40bowvalleycollege.ca%7C80c9cbaf97d24c1c153008dcdd97ae07%7C8f11c6f4648e4c0cbb9996e8408a8e2a%7C0%7C0%7C638628890765909926%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=c9nalvONZgUg1%2BaiPNOMWMieVvWDzvv7UZIu1w8cChU%3D&reserved=0", "https://bowvalleycollege.libanswers.com/faq/213269" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 845, "FileHash-MD5": 17, "URL": 405, "domain": 8, "FileHash-SHA256": 18, "FileHash-SHA1": 55, "email": 2 }, "indicator_count": 1350, "is_author": false, "is_subscribing": null, "subscriber_count": 123, "modified_text": "343 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "680a8d38da27a781f3874c55", "name": "connect-care[.]ca - 04.24.25 - #UAlberta #DataBreach -> #Alberta #Healthcare", "description": "Found some more problems when attempting to access connectcare with my old (stolen) credentials and a work-a-round. It appears (as it was tied to the University of Alberta) that this account also has been tampered with. Conducted general domain analysis. Related to all healthcare pulses in this AlienVault Group in the listed countries below (several others to add in yet).", "modified": "2025-05-24T18:05:13.820000", "created": "2025-04-24T19:12:56.287000", "tags": [ "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "hybrid analysis", "api key", "vetting process", "please note", "please", "entity", "javascript", "virus", "ransomware", "static", "indicator of compromise", "ioc", "extraction", "emulation", "platform", "ansi", "connect care", "memoryfile scan", "span", "pcap processing", "pcap", "script", "pdf url", "win64", "date", "iframe", "contact", "footer", "meta", "wave", "suspicious", "general", "mission", "calgary", "comspec", "hybrid", "mozilla", "main", "body", "form", "model", "close", "click", "hosts", "mozi", "core", "false", "april", "path", "window", "dest", "bran", "strings", "malicious", "UAlberta", "Connect Care", "Alberta Health Services", "Healthcare", "#YYG", "#YYC" ], "references": [ "https://www.hybrid-analysis.com/sample/54aa9d1f10c072da249c270460c0269fae28347cc10abcb2f8a0c104a4abdaf5", "https://www.virustotal.com/graph/embed/g7a13908b6b3844af97ae41353ef4e5ddac98d327bf0b4b2d97343fbf97836264?theme=dark", "https://www.virustotal.com/gui/collection/a3392b58587d812c8c186ecbe6b13ff3794bb0e45a5ba2e10de4e34708dbd163", "https://www.filescan.io/uploads/680a86d6218c4a98ade08dd3/reports/4b5b194b-2a17-4f63-965b-804b22cef458/overview", "https://www.hybrid-analysis.com/sample/54aa9d1f10c072da249c270460c0269fae28347cc10abcb2f8a0c104a4abdaf5/680a8663a2ca2123f506b2c7", "https://www.virustotal.com/gui/collection/a3392b58587d812c8c186ecbe6b13ff3794bb0e45a5ba2e10de4e34708dbd163/summary", "https://www.virustotal.com/gui/collection/a3392b58587d812c8c186ecbe6b13ff3794bb0e45a5ba2e10de4e34708dbd163/iocs" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America", "Anguilla", "Aruba", "Netherlands", "Mexico", "Saint Vincent and the Grenadines", "Cura\u00e7ao", "Bonaire, Sint Eustatius and Saba", "Panama", "Tanzania, United Republic of", "Ukraine" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [ "Healthcare", "Education", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 89, "FileHash-SHA1": 84, "FileHash-SHA256": 166, "domain": 48, "hostname": 179, "URL": 151, "email": 14, "SSLCertFingerprint": 14 }, "indicator_count": 745, "is_author": false, "is_subscribing": null, "subscriber_count": 131, "modified_text": "372 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "", "https://www.hybrid-analysis.com/sample/54aa9d1f10c072da249c270460c0269fae28347cc10abcb2f8a0c104a4abdaf5/680a8663a2ca2123f506b2c7", "http://hybrid-analysis.com/sample/5cbc6aba25c2151d71a2deb58f07a86097fafb4c375458f841c1e337cafc01c7/69203be81fa431c05d0e157f", "https://bowvalleycollege.libanswers.com/faq/213269", "https://manual.connect-care.ca/Training/Online-Learning/post-basic-training#h.kykghqohiwo6", "https://aaa.albertahealthservices.ca/logon/LogonPoint/tmindex.html", "http://hybrid-analysis.com/sample/81e7491b17d5bf7a75c4fe9d24eb269d0a85bf8f8ac5c1be6b909e627287b8f4/68445d370bb5610af304f98c", "https://ahs.queue-it.net/?c=ahs&e=accr&ver=v3-aspnet-3.6.2&cver=43&man=ACCR%20-%20Send%20To%20Queue&t=https://www.albertahealthservices.ca/covidbooking/Welcome.aspx", "http://hybrid-analysis.com/sample/0783c904e06bd678d9a060e2792a66a51d16e175ffb26f351cd5af17f61d5475", "http://hybrid-analysis.com/file-collection/69dbfef2c548c576f7040936", "307fabc3ec54d141b7e9a8ae27258c4edd3801aaed9febb8c8e166c93eeaa466 4661ff6c9cece9774f34be180106d42b1d7dc770e7ef19a909e11b5899f8407a 9c4b06c1e8d0bdd6c16ca5efe547bdb067b372aaee54b5e2973c99f9d7f0641f 3132f97617635455e66f7f53282b4c7023f3939ce481ec13b4fbb39da0134140 6f533ccc79227e38f18bfc63bfc961ef4d3ee0e2bf33dd097ccf3548a12b743b 97cd8014827953e8d4c1b4797d03c47ed04e55c6957164439380bf3b7c962dad 6b3d6e268dcb76e175a7db3d9e031349ab2c32654c7e57581a851e64dd6214ab 7d592c61d98abf019ad7c47fb074f9c25a58149ceaf536005306d9d9e", "https://www.hybrid-analysis.com/sample/54aa9d1f10c072da249c270460c0269fae28347cc10abcb2f8a0c104a4abdaf5", "https://mylearninglink.albertahealthservices.ca/elearning/bins/index.asp", "http://hybrid-analysis.com/file-collection/69c88e067efe5c20ff0e14da", "https://aaa.albertahealthservices.ca/cgi/tm?code=0b409f3c5177212e", "https://www.virustotal.com/gui/collection/a3392b58587d812c8c186ecbe6b13ff3794bb0e45a5ba2e10de4e34708dbd163", "http://webdomain@albertahealthservices.ca", "http://hybrid-analysis.com/file-collection/69c88ddb7a828cc98a0b5d0a", "http://hybrid-analysis.com/sample/c3bebbff9e57e640178494d9d73eae1bf5859fe6edad062dea89dd6262d2a910/67f0335dd833bf8f7a06b644", "https://www.virustotal.com/graph/embed/g7a13908b6b3844af97ae41353ef4e5ddac98d327bf0b4b2d97343fbf97836264?theme=dark", "https://www.virustotal.com/gui/collection/a3392b58587d812c8c186ecbe6b13ff3794bb0e45a5ba2e10de4e34708dbd163/summary", "https://xero.albertahealthservices.ca/", "https://can01.safelinks.protection.outlook.com/?url=https%3A%2F%2Finsite.albertahealthservices.ca%2Fmain%2Fassets%2Fcis%2Ftms-cis-cc-seupa-regsub-tip-sheet.pdf&data=05%7C02%7Cfdyer%40bowvalleycollege.ca%7C80c9cbaf97d24c1c153008dcdd97ae07%7C8f11c6f4648e4c0cbb9996e8408a8e2a%7C0%7C0%7C638628890765909926%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=c9nalvONZgUg1%2BaiPNOMWMieVvWDzvv7UZIu1w8cChU%3D&reserved=0", "https://www.virustotal.com/gui/collection/a3392b58587d812c8c186ecbe6b13ff3794bb0e45a5ba2e10de4e34708dbd163/iocs", "https://www.filescan.io/uploads/680a86d6218c4a98ade08dd3/reports/4b5b194b-2a17-4f63-965b-804b22cef458/overview", "https://bowvalleycollege.libanswers.com/faq/213446", "http://albertahealthservices.ca/hot-topics/covid-19-workflows/covid-19-critical-care-workflows", "http://hybrid-analysis.com/sample/ca3ad00eb0c08e6cf6f4d0aec3fa82fc3bb715aba6d0365af89165560e569cff/6840e93d07e1fb99850dc5fb", "http://hybrid-analysis.com/file-collection/69897cf33ec0874455036fdc", "https://webdomain@albertahealthservices.ca" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [], "industries": [ "Education", "Healthcare", "Government" ], "unique_indicators": 2929 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/albertahealthservices.ca", "whois": "http://whois.domaintools.com/albertahealthservices.ca", "domain": "albertahealthservices.ca", "hostname": "www.albertahealthservices.ca" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "69e72d44bb57858cd46b3c8e", "name": "04.21.26 - AHS/Covenant Health/United Nurses/Alberta Doctors", "description": "Analyses of a few samples of problems that continue to spread around as a direct result of inaction by AHS/Covenant Health/Gov. Alberta/UAlberta.\nPII/PHI - Alberta Doctors & United Nurses // NathanIP Jodi Notified", "modified": "2026-05-21T09:40:07.961000", "created": "2026-04-21T07:54:44.662000", "tags": [ "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "hybrid analysis", "api key", "vetting process", "please note", "please", "AMA", "UNA", "AHS", "Covenant Health", "Connect Care", "AlbertaNDP" ], "references": [ "http://hybrid-analysis.com/file-collection/69c88e067efe5c20ff0e14da", "http://hybrid-analysis.com/file-collection/69c88ddb7a828cc98a0b5d0a", "http://hybrid-analysis.com/file-collection/69897cf33ec0874455036fdc", "http://hybrid-analysis.com/sample/0783c904e06bd678d9a060e2792a66a51d16e175ffb26f351cd5af17f61d5475", "http://hybrid-analysis.com/sample/5cbc6aba25c2151d71a2deb58f07a86097fafb4c375458f841c1e337cafc01c7/69203be81fa431c05d0e157f", "http://hybrid-analysis.com/sample/81e7491b17d5bf7a75c4fe9d24eb269d0a85bf8f8ac5c1be6b909e627287b8f4/68445d370bb5610af304f98c", "307fabc3ec54d141b7e9a8ae27258c4edd3801aaed9febb8c8e166c93eeaa466 4661ff6c9cece9774f34be180106d42b1d7dc770e7ef19a909e11b5899f8407a 9c4b06c1e8d0bdd6c16ca5efe547bdb067b372aaee54b5e2973c99f9d7f0641f 3132f97617635455e66f7f53282b4c7023f3939ce481ec13b4fbb39da0134140 6f533ccc79227e38f18bfc63bfc961ef4d3ee0e2bf33dd097ccf3548a12b743b 97cd8014827953e8d4c1b4797d03c47ed04e55c6957164439380bf3b7c962dad 6b3d6e268dcb76e175a7db3d9e031349ab2c32654c7e57581a851e64dd6214ab 7d592c61d98abf019ad7c47fb074f9c25a58149ceaf536005306d9d9e", "http://hybrid-analysis.com/file-collection/69dbfef2c548c576f7040936", "http://hybrid-analysis.com/sample/ca3ad00eb0c08e6cf6f4d0aec3fa82fc3bb715aba6d0365af89165560e569cff/6840e93d07e1fb99850dc5fb", "", "http://hybrid-analysis.com/sample/c3bebbff9e57e640178494d9d73eae1bf5859fe6edad062dea89dd6262d2a910/67f0335dd833bf8f7a06b644" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Healthcare", "Education", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 471, "FileHash-MD5": 315, "FileHash-SHA1": 245, "SSLCertFingerprint": 74, "URL": 652, "domain": 123, "hostname": 183, "email": 28 }, "indicator_count": 2091, "is_author": false, "is_subscribing": null, "subscriber_count": 132, "modified_text": "10 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6831a459b02fed33a40bc6d1", "name": "Page Not Found | Alberta Health Services", "description": "", "modified": "2025-06-23T04:00:39.930000", "created": "2025-05-24T10:50:01.662000", "tags": [ "div div", "alberta health", "home alberta", "health services", "meta", "services", "services ahs", "xl div", "text message", "scam alert", "date", "cookie", "present apr", "present nov", "present sep", "present oct", "present feb", "present dec", "present aug", "present jan", "present may", "present mar", "id1060552", "id1001957", "id1001471", "id1602", "search", "found", "alberta", "strong", "treaty", "english iska", "iabi", "niitsipowahssin", "nhiyawwin", "mission", "contact", "certificate", "http://cacerts.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1-", "webdomain@albertahealthservices.ca", "rsa securid", "javascript", "rsa hardware", "netcare access", "please", "citrix receiver", "access", "alert", "users", "form", "vhash", "ssdeep", "user account", "password keep", "sign", "microsoft", "connect care", "dragon medical", "eupa", "record", "hyperspace", "mylearninglink", "zoom", "medical one", "powermic mobile", "usb microphone", "critical", "sha256", "imphash", "rich pe", "seupa", "end user", "library", "north campus", "test day", "submission tip", "sheet", "https://can01.safelinks.protection.outlook.com/?url=https%3A%2F%", "click", "epic login", "bow valley", "college student", "folder click", "folder double", "double click", "citrix", "detect citrix" ], "references": [ "https://ahs.queue-it.net/?c=ahs&e=accr&ver=v3-aspnet-3.6.2&cver=43&man=ACCR%20-%20Send%20To%20Queue&t=https://www.albertahealthservices.ca/covidbooking/Welcome.aspx", "https://webdomain@albertahealthservices.ca", "http://webdomain@albertahealthservices.ca", "https://xero.albertahealthservices.ca/", "https://aaa.albertahealthservices.ca/cgi/tm?code=0b409f3c5177212e", "https://aaa.albertahealthservices.ca/logon/LogonPoint/tmindex.html", "https://mylearninglink.albertahealthservices.ca/elearning/bins/index.asp", "https://manual.connect-care.ca/Training/Online-Learning/post-basic-training#h.kykghqohiwo6", "http://albertahealthservices.ca/hot-topics/covid-19-workflows/covid-19-critical-care-workflows", "https://bowvalleycollege.libanswers.com/faq/213446", "https://can01.safelinks.protection.outlook.com/?url=https%3A%2F%2Finsite.albertahealthservices.ca%2Fmain%2Fassets%2Fcis%2Ftms-cis-cc-seupa-regsub-tip-sheet.pdf&data=05%7C02%7Cfdyer%40bowvalleycollege.ca%7C80c9cbaf97d24c1c153008dcdd97ae07%7C8f11c6f4648e4c0cbb9996e8408a8e2a%7C0%7C0%7C638628890765909926%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=c9nalvONZgUg1%2BaiPNOMWMieVvWDzvv7UZIu1w8cChU%3D&reserved=0", "https://bowvalleycollege.libanswers.com/faq/213269" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 845, "FileHash-MD5": 17, "URL": 405, "domain": 8, "FileHash-SHA256": 18, "FileHash-SHA1": 55, "email": 2 }, "indicator_count": 1350, "is_author": false, "is_subscribing": null, "subscriber_count": 123, "modified_text": "343 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "680a8d38da27a781f3874c55", "name": "connect-care[.]ca - 04.24.25 - #UAlberta #DataBreach -> #Alberta #Healthcare", "description": "Found some more problems when attempting to access connectcare with my old (stolen) credentials and a work-a-round. It appears (as it was tied to the University of Alberta) that this account also has been tampered with. Conducted general domain analysis. Related to all healthcare pulses in this AlienVault Group in the listed countries below (several others to add in yet).", "modified": "2025-05-24T18:05:13.820000", "created": "2025-04-24T19:12:56.287000", "tags": [ "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "hybrid analysis", "api key", "vetting process", "please note", "please", "entity", "javascript", "virus", "ransomware", "static", "indicator of compromise", "ioc", "extraction", "emulation", "platform", "ansi", "connect care", "memoryfile scan", "span", "pcap processing", "pcap", "script", "pdf url", "win64", "date", "iframe", "contact", "footer", "meta", "wave", "suspicious", "general", "mission", "calgary", "comspec", "hybrid", "mozilla", "main", "body", "form", "model", "close", "click", "hosts", "mozi", "core", "false", "april", "path", "window", "dest", "bran", "strings", "malicious", "UAlberta", "Connect Care", "Alberta Health Services", "Healthcare", "#YYG", "#YYC" ], "references": [ "https://www.hybrid-analysis.com/sample/54aa9d1f10c072da249c270460c0269fae28347cc10abcb2f8a0c104a4abdaf5", "https://www.virustotal.com/graph/embed/g7a13908b6b3844af97ae41353ef4e5ddac98d327bf0b4b2d97343fbf97836264?theme=dark", "https://www.virustotal.com/gui/collection/a3392b58587d812c8c186ecbe6b13ff3794bb0e45a5ba2e10de4e34708dbd163", "https://www.filescan.io/uploads/680a86d6218c4a98ade08dd3/reports/4b5b194b-2a17-4f63-965b-804b22cef458/overview", "https://www.hybrid-analysis.com/sample/54aa9d1f10c072da249c270460c0269fae28347cc10abcb2f8a0c104a4abdaf5/680a8663a2ca2123f506b2c7", "https://www.virustotal.com/gui/collection/a3392b58587d812c8c186ecbe6b13ff3794bb0e45a5ba2e10de4e34708dbd163/summary", "https://www.virustotal.com/gui/collection/a3392b58587d812c8c186ecbe6b13ff3794bb0e45a5ba2e10de4e34708dbd163/iocs" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America", "Anguilla", "Aruba", "Netherlands", "Mexico", "Saint Vincent and the Grenadines", "Cura\u00e7ao", "Bonaire, Sint Eustatius and Saba", "Panama", "Tanzania, United Republic of", "Ukraine" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [ "Healthcare", "Education", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 89, "FileHash-SHA1": 84, "FileHash-SHA256": 166, "domain": 48, "hostname": 179, "URL": 151, "email": 14, "SSLCertFingerprint": 14 }, "indicator_count": 745, "is_author": false, "is_subscribing": null, "subscriber_count": 131, "modified_text": "372 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://www.albertahealthservices.ca/languages/languages.aspx", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://www.albertahealthservices.ca/languages/languages.aspx", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780293643.1296628 }