{ "type": "Domain", "indicator": "telus.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/telus.com", "alexa": "http://www.alexa.com/siteinfo/telus.com", "indicator": "telus.com", "type": "domain", "type_title": "Domain", "validation": [ { "source": "akamai", "message": "Akamai rank: #2834", "name": "Akamai Popular Domain" }, { "source": "majestic", "message": "Whitelisted domain telus.com", "name": "Whitelisted domain" }, { "source": "whitelist", "message": "Whitelisted domain telus.com", "name": "Whitelisted domain" } ], "base_indicator": { "id": 2863395587, "indicator": "telus.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 50, "pulses": [ { "id": "69cdfa3fffcead91f1de0e24", "name": "Google Pixel - Falcon Sandbox - 04.02.26", "description": "The following is the full list of links to the Falcon Sandbox, an anti-virus service set up by CrowdStrike\nGoogle Pixel via Telus", "modified": "2026-04-03T02:23:36.206000", "created": "2026-04-02T05:10:18.910000", "tags": [ "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "hybrid analysis", "api key", "vetting process", "please note", "please", "abuse.ch", "yara", "scan", "engine", "yaraify", "clamav", "yara task", "results yara", "scan hunting", "alerts access", "data yarahub", "search faq", "login", "task results", "first", "cookie" ], "references": [ "http://hybrid-analysis.com/file-collection/69cde0c4bb7312412908e0be", "http://hybrid-analysis.com/file-collection/69cde2f3f65064c187045802", "http://hybrid-analysis.com/file-collection/69cde6bc2a3b38371e0699b5", "https://yaraify.abuse.ch/scan/results/6b287c37-2e43-11f1-b47f-42010aa4000b", "http://hybrid-analysis.com/file-collection/69cf1e657df98395e50a4e33", "http://hybrid-analysis.com/sample/9782f26f60db73a042a51fd9b6a1f881e87c5b54506be3de099cfc48a62e5ee2" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "UCP_GoA23", "id": "382539", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_382539/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 214, "FileHash-SHA1": 214, "FileHash-SHA256": 238, "domain": 5, "hostname": 17, "IPv4": 10, "URL": 1 }, "indicator_count": 699, "is_author": false, "is_subscribing": null, "subscriber_count": 16, "modified_text": "16 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69c0a51731a8beabb13f2144", "name": "VirusTotal report\n for GET_BTC-409.pdf", "description": "", "modified": "2026-03-23T02:31:26.825000", "created": "2026-03-23T02:27:35.667000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "FileHash-SHA1": 6, "FileHash-SHA256": 118, "URL": 158, "domain": 141, "hostname": 38, "IPv4": 10 }, "indicator_count": 477, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "27 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b10d1ce4563d38fbbc72d6", "name": "disable_duck clone Alberta", "description": "", "modified": "2026-03-11T07:40:56.177000", "created": "2026-03-11T06:35:08.464000", "tags": [ "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "white", "modified", "runtime data", "ansi", "public", "months ago", "filehashsha256", "hostname", "domain", "path", "green", "copy", "powershell", "general", "malicious", "pixel", "suspicious", "meta", "covenant", "virustotal", "click", "open", "cobalt strike", "probe", "first", "installer", "template", "crypto", "cobalt", "mozilla", "mirai", "false", "date", "title", "roboto", "arch", "android", "april", "drovorub", "squad", "baby", "geek", "tofsee", "redline stealer", "twitter", "service", "team", "killswitch", "mini", "cobaltstrike", "enterprise", "simda", "suppobox", "ransomware", "maldoc", "computrace", "february", "tetris", "hybrid", "body", "iframe", "qakbot", "double", "proton", "mark", "jakarta", "win32", "explorer", "union", "redirector", "xrat", "model", "rogue", "done", "python", "police", "thor", "xploit", "impact", "retro", "jeff", "oilrig", "sliver", "bypass", "info", "school", "miner", "phishing", "riots", "comment", "gafgyt", "bashlite", "calgary", "tech", "bitcoin", "test", "survey", "ukraine", "gamarue", "swisyn", "krucky", "systembc", "june", "dridex", "agent", "close", "format", "autodetect", "strings", "contact", "switch", "community", "limits", "inquest labs", "resources api", "cve list", "notes blog", "drop your", "file", "kaspersky threat intelligence portal", "online virus scan file", "online file scanner", "kaspersky online scanner", "online file virus scan", "scan file online", "scan file for virus", "file scanner", "online file virus scanner", "check link for virus", "kaspersky online scan", "check file for virus", "false alarm", "false detection", "false positive", "online virus", "scanner", "hybrid analysis", "api key", "vetting process", "please note", "please", "ualberta", "ualberta http", "xormozilla", "disableduck", "virus", "static", "indicator of compromise", "ioc", "extraction", "emulation", "platform", "triage", "report", "reported", "analyze", "filesize", "set value", "iocs", "process", "process key", "monitor", "resource", "config", "target", "generic", "javascript", "static analyzer", "analyzer", "Microsoft", "YEG", "UAlberta", "Google", "AHS", "Covenant Health" ], "references": [ "https://hybrid-analysis.com/sample/5e066617cc959dbab123f23d5d36a4dc4d813358e43eddbd1a6e7c87827c301d/68e01fdde76500b3c20326c4", "https://metadefender.com/results/file/bzI1MTAwMzhvTXdHbkVaZGItcW0tbnU2Nmkx_mdaas", "https://opentip.kaspersky.com/5E066617CC959DBAB123F23D5D36A4DC4D813358E43EDDBD1A6E7C87827C301D/?tab=upload", "https://hybrid-analysis.com/sample/5e066617cc959dbab123f23d5d36a4dc4d813358e43eddbd1a6e7c87827c301d", "https://www.filescan.io/uploads/68e01279f377ab2310519c81/reports/02a0a465-8936-4b6d-99a2-6950b71ab1c5/ioc", "https://tria.ge/251003-x8c56azky6/behavioral2", "https://www.virustotal.com/gui/file/5e066617cc959dbab123f23d5d36a4dc4d813358e43eddbd1a6e7c87827c301d?nocache=1", "https://app.threat.zone/submission/db9c1a4a-a706-4ed9-9229-4190f02151bc/overview" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America", "Netherlands" ], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1135", "name": "Network Share Discovery", "display_name": "T1135 - Network Share Discovery" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" } ], "industries": [ "Education", "Government", "Healthcare" ], "TLP": "white", "cloned_from": "68e02ab7156e79ecd34a4929", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4203, "CIDR": 8, "CVE": 13, "FileHash-MD5": 31, "FileHash-SHA1": 25, "FileHash-SHA256": 74, "domain": 117, "email": 14, "hostname": 76 }, "indicator_count": 4561, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "39 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69a5c36b78ed73550bb0bf22", "name": "by Disable_Duck", "description": "", "modified": "2026-03-04T23:37:24.208000", "created": "2026-03-02T17:05:47.288000", "tags": [ "kgs0", "kls0", "botname http", "entity", "UAlberta", "Telus", "Norton", "ffss", "Alberta", "AlbertaNDP", "InteriorHealth", "RCMP", "CrimeStoppersAB", "EdmontonPolice", "RCMP Kelowna", "RCMP AB", "TLS/SSL Crawler", "CVE-2026-24061 Attempt", "Generic IoT Default Password Attempt", "Cisco Prime Infrastructure CVE-2019-1821 RCE Attempt", "Dahua Backdoor Attempt", "ENV Crawler", "DCERPC Protocol", "Carries HTTP Referer", "GNU Inetutils Telnetd Auth Bypass", "ICMPv4 Protocol" ], "references": [ "https://www.virustotal.com/graph/embed/g34c2ebfedb6c47c286431a829da992c3744ab3fab0d74008946f3b9bbeb83e23?theme=dark", "https://viz.greynoise.io/ip/analysis/61bb7542-40c2-448e-87d4-947a4623eada", "https://viz.greynoise.io/ip/analysis/7e527b44-c950-4c01-bb33-d96" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada", "Netherlands", "Panama", "Poland", "United Kingdom of Great Britain and Northern Ireland", "Slovakia", "Aruba", "Anguilla", "Australia", "Costa Rica", "Guatemala", "Mexico", "Trinidad and Tobago", "Cura\u00e7ao", "Philippines", "Virgin Islands, U.S.", "Ukraine", "Barbados", "Germany", "Sint Maarten (Dutch part)", "Argentina", "Switzerland" ], "malware_families": [], "attack_ids": [], "industries": [ "Education", "Healthcare", "Government", "Technology", "Energy", "Telecommunications" ], "TLP": "white", "cloned_from": "6901363c4ce422f5caf0f72c", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3903, "FileHash-SHA1": 4967, "FileHash-SHA256": 12884, "URL": 996, "domain": 987, "hostname": 3306, "email": 4, "CVE": 1 }, "indicator_count": 27048, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "45 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69228447b9c71795633314df", "name": "Keep Corrupt - University of Alberta Incidents continue to escalate - 02.16.26", "description": "Recovered accounts that have been used & abused - courtesy of decisions by non-technical leadership = accounts for UAlberta students -> PW manager made inaccessible (tied to UAlberta account) during a Data-Breach.\nWhen PW manager & Accounts returned, was populated by these (many = fraudulent; some appear to be abuse of legitimate services, while others do not, yet don't know function or origin)\n\nNot representative of OG PW manager. Many (most) accts. used/abused (on-going). \n\nDon't have a backup of original = hard to compare. Don't quite know what the majority of these companies etc. are for and/or do exactly. Putting them together as they roll-in.\nCan't turn them off in most cases - I don't have access to the U of A accounts these originate from and/or original recovery methods. \n\n2 more batches to add to this pulse (Need to add into VT) 02.16.26\n\nCountries listed are where 2 victims (UAlberta Graduates) have citizenship or some tie with.", "modified": "2026-03-04T21:04:10.482000", "created": "2025-11-23T03:49:27.649000", "tags": [ "geoip", "as54113", "fastly", "as20940", "as15169", "google", "as214401", "maincubesas", "gmbh", "apache geoip", "facebook", "UAlberta", "AHS", "Treaty 8", "GoA", "Alberta", "Edmonton", "YEG" ], "references": [ "https://viz.greynoise.io/ip/analysis/3cf1334a-df9d-448f-8145-d5fe67637c1a", "URLscanio, FSio, vT", "03.11.14: https://www.virustotal.com/graph/embed/ge2e309eb8bd34fcca56398089b2291058dfe1fca69dc4e5aa66db0365caf735b?theme=dark", "https://www.virustotal.com/gui/collection/6a41ae1cf2d3d51fedd2393d893c3b26ed0352dde2e0851d03f0bae9aaa69ae1/summary", "https://www.virustotal.com/gui/collection/6a41ae1cf2d3d51fedd2393d893c3b26ed0352dde2e0851d03f0bae9aaa69ae1/iocs", "https://viz.greynoise.io/ip/analysis/3cf1334a-df9d-448f-8145-d5fe67637c1a (11.22.25)" ], "public": 1, "adversary": "", "targeted_countries": [ "Cura\u00e7ao", "Guatemala", "Sint Maarten (Dutch part)", "Tanzania, United Republic of", "Barbados", "United States of America", "Bahamas", "Anguilla", "Canada", "Saint Vincent and the Grenadines", "United Kingdom of Great Britain and Northern Ireland", "Kenya", "France", "Aruba", "Mexico", "Poland", "Costa Rica", "Ireland", "Trinidad and Tobago", "Netherlands", "Slovakia", "Spain", "Philippines" ], "malware_families": [], "attack_ids": [], "industries": [ "Government", "Technology", "Telecommunications", "Education", "Healthcare", "Finance", "Retail", "Hospitality", "Transportation" ], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 47, "FileHash-MD5": 32, "FileHash-SHA1": 12, "FileHash-SHA256": 1047, "URL": 4006, "domain": 2126, "email": 412, "hostname": 2122, "CVE": 1 }, "indicator_count": 9805, "is_author": false, "is_subscribing": null, "subscriber_count": 134, "modified_text": "45 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6901363c4ce422f5caf0f72c", "name": "Copy of DevT-OddTags-Browser-BasedOdditites - (L4ke.Aff3ct.216, 01.18.26)", "description": "Updated based on VT Graph & Tracking Spread of Cybercrime. This Pulse is mostly covering activity in the Province of Alberta Canada. Given recent news, it appears that BC Interior Health and Kelowna RCMP Detachment impacted in addition to Alberta Sectors of Education, Healthcare, and Government (Provincial & Federal - e.g. Treaty 6,7,8 as well as the Canadian CRA heavily impacted). \nEnriched a graph by vt user (L4ke.Aff3ct.216, 01.02.26)\nSubmitted IOCs to Greynoise.io (10.28.25)", "modified": "2026-02-18T05:00:41.494000", "created": "2025-10-28T21:31:40.008000", "tags": [ "kgs0", "kls0", "botname http", "entity", "UAlberta", "Telus", "Norton", "ffss", "Alberta", "AlbertaNDP", "InteriorHealth", "RCMP", "CrimeStoppersAB", "EdmontonPolice", "RCMP Kelowna", "RCMP AB" ], "references": [ "https://www.virustotal.com/graph/embed/g34c2ebfedb6c47c286431a829da992c3744ab3fab0d74008946f3b9bbeb83e23?theme=dark", "https://viz.greynoise.io/ip/analysis/61bb7542-40c2-448e-87d4-947a4623eada" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada", "Netherlands", "Panama", "Poland", "United Kingdom of Great Britain and Northern Ireland", "Slovakia", "Aruba", "Anguilla", "Australia", "Costa Rica", "Guatemala", "Mexico", "Trinidad and Tobago", "Cura\u00e7ao", "Philippines", "Virgin Islands, U.S.", "Ukraine", "Barbados", "Germany", "Sint Maarten (Dutch part)" ], "malware_families": [], "attack_ids": [], "industries": [ "Education", "Healthcare", "Government", "Technology", "Energy", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3903, "FileHash-SHA1": 4967, "FileHash-SHA256": 12884, "URL": 995, "domain": 984, "hostname": 3305, "email": 4 }, "indicator_count": 27042, "is_author": false, "is_subscribing": null, "subscriber_count": 128, "modified_text": "60 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6941e87912ebb7843300906d", "name": "Telus Github", "description": "Telus has a Github. They are one of Canada's 'big 3' ISPs. They are compromised.", "modified": "2026-01-15T23:03:27.378000", "created": "2025-12-16T23:17:13.020000", "tags": [ "type", "path", "secure", "date", "accept", "self", "httponly", "samesitelax", "expireswed", "updated", "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "prefetch8 ansi", "ansi", "show process", "hash seen", "threat level", "pcap", "sha256", "pcap processing", "ck id", "suspicious", "hybrid", "comspec", "close", "click", "hosts", "general", "model", "strings", "contact", "hybrid analysis", "api key", "vetting process", "please note", "please", "virus", "ransomware", "static", "indicator of compromise", "ioc", "extraction", "emulation", "platform", "javascript", "static analyzer", "analyzer" ], "references": [ "http://hybrid-analysis.com/sample/f62e99ffe34a3f0c186ac31d151d22dd940884f79bbaafcc6061a2a9387f45a8/6941e0586df20223a505d490", "http://hybrid-analysis.com/sample/f62e99ffe34a3f0c186ac31d151d22dd940884f79bbaafcc6061a2a9387f45a8", "https://www.filescan.io/uploads/6941e02584afa5547b586bac/reports/a23ea43a-ad21-4306-9f47-1a8deaa129c0/ioc", "https://www.virustotal.com/gui/collection/5967f31c865dce02efd16cebad1e75bd838298965361912987dd932a513f9212/iocs", "https://www.virustotal.com/gui/collection/5967f31c865dce02efd16cebad1e75bd838298965361912987dd932a513f9212/summary", "https://app.threat.zone/submission/12b7b619-0e5a-4996-9bb5-493ef98f2803/url-analysis-report" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" } ], "industries": [ "Telecommunications", "Technology", "Healthcare", "Education" ], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 32, "FileHash-SHA1": 31, "FileHash-SHA256": 31, "SSLCertFingerprint": 11, "URL": 197, "domain": 27, "email": 2, "hostname": 101 }, "indicator_count": 432, "is_author": false, "is_subscribing": null, "subscriber_count": 130, "modified_text": "93 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65eea19a23474b8c7dca351f", "name": "All Items - find from the UA archive disk", "description": "Again have zero idea 'what these are' - just uploading from the 'archives' as I sort through things", "modified": "2025-12-24T08:28:47.628000", "created": "2024-03-11T06:15:54.351000", "tags": [], "references": [ "https://www.virustotal.com/gui/collection/09af9ef0b7b23d2dc73d83858106ae4fc97a352dbb521ac04493a0e79095ac69/iocs", "https://www.virustotal.com/gui/collection/79c25168b2f93d9730a56b8d2b834cbfb2752b63b21b9dd51109416fbaa676d8/iocs", "https://www.virustotal.com/graph/embed/g8726609a12794ebeb59edd531961a233068149bcdf994b428f20141be6111551?theme=dark", "https://www.virustotal.com/graph/embed/g365a82115f934e31a69118715695c91c231f66cda9084c9389e56afb985a243e?theme=dark", "", "https://www.virustotal.com/gui/collection/6a8d582df4fe5a29885dad4074236bc9e4ed445aaf0cc00702d45963fb0459bb/iocs" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1165, "hostname": 866, "URL": 657, "FileHash-SHA256": 26, "email": 337, "FileHash-MD5": 12, "FileHash-SHA1": 8, "CIDR": 1 }, "indicator_count": 3072, "is_author": false, "is_subscribing": null, "subscriber_count": 128, "modified_text": "116 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6940e9789fd90101ae15b481", "name": "iPhone 13 Pro Max", "description": "E:\\Suss - SG2\\Backup Drive 2 - UAlberta OneDrive\\User - ualberta.ca\\No Problems\\1. Data for No Problems - Analysis and Upload in Progress\\Apple\\iPhone 13 Pro Max\\", "modified": "2025-12-16T05:10:50.897000", "created": "2025-12-16T05:09:12.600000", "tags": [ "Apple", "iOS", "iPhone" ], "references": [ "https://www.virustotal.com/gui/collection/3c03918e6a22b2c260f85ed6430b98495758973d754d3274124b5bf2b9c194aa", "https://www.virustotal.com/gui/collection/3c03918e6a22b2c260f85ed6430b98495758973d754d3274124b5bf2b9c194aa/iocs" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [ "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 25, "domain": 4, "hostname": 8, "URL": 51, "FileHash-SHA256": 3 }, "indicator_count": 91, "is_author": false, "is_subscribing": null, "subscriber_count": 128, "modified_text": "124 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6940e744ca8a110d3f8efa94", "name": "Apple iPhone SE2", "description": "E:\\Suss - SG2\\Backup Drive 2 - UAlberta OneDrive\\User - ualberta.ca\\No Problems\\1. Data for No Problems - Analysis and Upload in Progress\\Apple\\iPhone SE 2\\", "modified": "2025-12-16T05:02:46.014000", "created": "2025-12-16T04:59:48.704000", "tags": [ "Apple", "iOS" ], "references": [ "https://www.virustotal.com/gui/collection/42a860ff5b9f4fcb926d2b66cf9f4f59effa82aad96c271807b6cad96cda522d", "https://www.virustotal.com/gui/collection/42a860ff5b9f4fcb926d2b66cf9f4f59effa82aad96c271807b6cad96cda522d/iocs" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [ "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 20, "FileHash-SHA1": 16, "FileHash-SHA256": 21, "domain": 2 }, "indicator_count": 59, "is_author": false, "is_subscribing": null, "subscriber_count": 128, "modified_text": "124 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68e02ab7156e79ecd34a4929", "name": "Samples of OTX 2096 Libraries - up to 10.03.25", "description": "An attempt to skim over a little bit of everything in OTX 2096 for another project in the works\n\nUAlberta sighhh", "modified": "2025-11-02T19:00:47.473000", "created": "2025-10-03T19:57:43.609000", "tags": [ "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "white", "modified", "runtime data", "ansi", "public", "months ago", "filehashsha256", "hostname", "domain", "path", "green", "copy", "powershell", "general", "malicious", "pixel", "suspicious", "meta", "covenant", "virustotal", "click", "open", "cobalt strike", "probe", "first", "installer", "template", "crypto", "cobalt", "mozilla", "mirai", "false", "date", "title", "roboto", "arch", "android", "april", "drovorub", "squad", "baby", "geek", "tofsee", "redline stealer", "twitter", "service", "team", "killswitch", "mini", "cobaltstrike", "enterprise", "simda", "suppobox", "ransomware", "maldoc", "computrace", "february", "tetris", "hybrid", "body", "iframe", "qakbot", "double", "proton", "mark", "jakarta", "win32", "explorer", "union", "redirector", "xrat", "model", "rogue", "done", "python", "police", "thor", "xploit", "impact", "retro", "jeff", "oilrig", "sliver", "bypass", "info", "school", "miner", "phishing", "riots", "comment", "gafgyt", "bashlite", "calgary", "tech", "bitcoin", "test", "survey", "ukraine", "gamarue", "swisyn", "krucky", "systembc", "june", "dridex", "agent", "close", "format", "autodetect", "strings", "contact", "switch", "community", "limits", "inquest labs", "resources api", "cve list", "notes blog", "drop your", "file", "kaspersky threat intelligence portal", "online virus scan file", "online file scanner", "kaspersky online scanner", "online file virus scan", "scan file online", "scan file for virus", "file scanner", "online file virus scanner", "check link for virus", "kaspersky online scan", "check file for virus", "false alarm", "false detection", "false positive", "online virus", "scanner", "hybrid analysis", "api key", "vetting process", "please note", "please", "ualberta", "ualberta http", "xormozilla", "disableduck", "virus", "static", "indicator of compromise", "ioc", "extraction", "emulation", "platform", "triage", "report", "reported", "analyze", "filesize", "set value", "iocs", "process", "process key", "monitor", "resource", "config", "target", "generic", "javascript", "static analyzer", "analyzer", "Microsoft", "YEG", "UAlberta", "Google", "AHS", "Covenant Health" ], "references": [ "https://hybrid-analysis.com/sample/5e066617cc959dbab123f23d5d36a4dc4d813358e43eddbd1a6e7c87827c301d/68e01fdde76500b3c20326c4", "https://metadefender.com/results/file/bzI1MTAwMzhvTXdHbkVaZGItcW0tbnU2Nmkx_mdaas", "https://opentip.kaspersky.com/5E066617CC959DBAB123F23D5D36A4DC4D813358E43EDDBD1A6E7C87827C301D/?tab=upload", "https://hybrid-analysis.com/sample/5e066617cc959dbab123f23d5d36a4dc4d813358e43eddbd1a6e7c87827c301d", "https://www.filescan.io/uploads/68e01279f377ab2310519c81/reports/02a0a465-8936-4b6d-99a2-6950b71ab1c5/ioc", "https://tria.ge/251003-x8c56azky6/behavioral2", "https://www.virustotal.com/gui/file/5e066617cc959dbab123f23d5d36a4dc4d813358e43eddbd1a6e7c87827c301d?nocache=1", "https://app.threat.zone/submission/db9c1a4a-a706-4ed9-9229-4190f02151bc/overview" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America", "Netherlands" ], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1135", "name": "Network Share Discovery", "display_name": "T1135 - Network Share Discovery" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" } ], "industries": [ "Education", "Government", "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4203, "CIDR": 8, "CVE": 13, "FileHash-MD5": 31, "FileHash-SHA1": 25, "FileHash-SHA256": 74, "domain": 115, "email": 14, "hostname": 76 }, "indicator_count": 4559, "is_author": false, "is_subscribing": null, "subscriber_count": 131, "modified_text": "167 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68768fee832e9d7358e7ec77", "name": "IT4US Ransom clone", "description": "", "modified": "2025-08-14T03:03:45.057000", "created": "2025-07-15T17:29:18.363000", "tags": [ "entity", "Alberta", "Alberta Health Services", "Covenent Health", "Alberta NDP", "Treaty 6", "Treaty 7", "Treaty 8", "UAlberta", "Connect Care", "Telus", "Rogers", "City of Edmonton", "Edmonton Police Services", "United Nurses of Alberta", "Alberta Medical Association", "EduRoam", "DGA", "Alberta Doctors", "University of Calgary", "Alberta UCP", "Ministry of Advanced Education", "Ministry of Health", "Ministry of Tech & Innovation", "Ransomware", "Botnet" ], "references": [ "https://www.virustotal.com/graph/embed/gdef52451e74740eaabbbcc6db2209b722e6a17129ba94f4eb92fa176bcea66f7?theme=dark", "https://www.virustotal.com/gui/collection/525d014c83ee92554cb6a88685ba822e147f30dbc797a18b6071081a109b7dcb", "https://www.virustotal.com/gui/collection/525d014c83ee92554cb6a88685ba822e147f30dbc797a18b6071081a109b7dcb/iocs", "https://viz.greynoise.io/analysis/16d9bc15-d3ed-4e71-9631-16742e511649" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Healthcare", "Government", "Education" ], "TLP": "white", "cloned_from": "6875cbb7f546e86006afa0ea", "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Dougline", "id": "350513", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 122, "FileHash-SHA1": 123, "FileHash-SHA256": 931, "URL": 60, "domain": 58, "email": 2, "hostname": 812 }, "indicator_count": 2108, "is_author": false, "is_subscribing": null, "subscriber_count": 2, "modified_text": "248 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6875cbb7f546e86006afa0ea", "name": "Ransomware attack ConnectCare Alberta - 07.12.25", "description": "On 07.12.25 ConnectCare Alberta experienced what was initially thought to be an outtage or downtime. Further analysis of data captured in realtime reveals this to not be the case. Healthcare Provider and patient services were disrupted across multiple zone in the Province of Alberta. Other organizations impacted include: The Government of Alberta, The Alberta NDP, The Alberta UCP, The University of Alberta, both Alberta Health Services & Covenant Health, Telus Communications, United Nurses of Alberta, Alberta Physicians Association, Treaty 8 FNA & Confederacy of Treaty Six, in addition to the City of Edmonton.\nGraph:", "modified": "2025-08-14T03:03:45.057000", "created": "2025-07-15T03:32:07.251000", "tags": [ "entity", "Alberta", "Alberta Health Services", "Covenent Health", "Alberta NDP", "Treaty 6", "Treaty 7", "Treaty 8", "UAlberta", "Connect Care", "Telus", "Rogers", "City of Edmonton", "Edmonton Police Services", "United Nurses of Alberta", "Alberta Medical Association", "EduRoam", "DGA", "Alberta Doctors", "University of Calgary", "Alberta UCP", "Ministry of Advanced Education", "Ministry of Health", "Ministry of Tech & Innovation", "Ransomware", "Botnet" ], "references": [ "https://www.virustotal.com/graph/embed/gdef52451e74740eaabbbcc6db2209b722e6a17129ba94f4eb92fa176bcea66f7?theme=dark", "https://www.virustotal.com/gui/collection/525d014c83ee92554cb6a88685ba822e147f30dbc797a18b6071081a109b7dcb", "https://www.virustotal.com/gui/collection/525d014c83ee92554cb6a88685ba822e147f30dbc797a18b6071081a109b7dcb/iocs", "https://viz.greynoise.io/analysis/16d9bc15-d3ed-4e71-9631-16742e511649" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Healthcare", "Government", "Education" ], "TLP": "white", "cloned_from": null, "export_count": 41, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 122, "FileHash-SHA1": 123, "FileHash-SHA256": 931, "URL": 60, "domain": 58, "email": 2, "hostname": 812 }, "indicator_count": 2108, "is_author": false, "is_subscribing": null, "subscriber_count": 130, "modified_text": "248 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6614565faf9eb7bd8f9b7956", "name": "Government of Alberta: U of A -> Telus -> Advanced Education", "description": "So I retraced some steps. I guess I'm admin. Neat. Already notified Ministry of Advanced Education, Government of Alberta Cybersecurity (not helpful). I don't have access to this account anymore (well, I haven't tried), but I did work my way back in an attempt to figure out why I could administrate the \"Honourable Ministry of Education\". \n\nUpdate on the alberta.ca domain: by malcore on 02.11.25 in references. **Need to add malcore IOCs** https://app.malcore.io/share/652553f6aec33d70a1dbbd25/67ab2665da3e8886f5e4ecce", "modified": "2025-03-14T21:04:23.242000", "created": "2024-04-08T20:41:03.850000", "tags": [], "references": [ "https://www.virustotal.com/graph/embed/g4f693a77e33b425bba54132d3a641fcd8b78af74d8fc44528a643c4a264d582f?theme=dark", "https://www.virustotal.com/gui/collection/8d65d93130b4775903adbffbb53820d40bb9425dcf1848b806ffee65ee883984/iocs", "https://www.virustotal.com/gui/collection/8d65d93130b4775903adbffbb53820d40bb9425dcf1848b806ffee65ee883984", "https://www.alberta.ca/minister-of-advanced-education", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/67ab2665782e1dfbf8ec2d3c", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/67ab2665da3e8886f5e4ecce" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Government", "Education", "Telecommunications", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 5, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 5137, "hostname": 3405, "domain": 1659, "URL": 2452, "FileHash-MD5": 576, "FileHash-SHA1": 567, "CIDR": 9, "email": 7, "CVE": 15 }, "indicator_count": 13827, "is_author": false, "is_subscribing": null, "subscriber_count": 132, "modified_text": "400 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66f235b9a7a94a6a61acd651", "name": "n0paste - Show paste: \\\"No Problems\\\" - dos meses del URLscan", "description": "This pulse represents a 'scattered sample' of data extracted from 'submissions of interest' made to virustotal, filescan_itsec, HybridAnalysis, anyrun_app, DynamiteLab, and triage (over a period of two months) which were submitted to urlscanio & subsequently GreyNoiseIO (which I've come across both from live samples and also those from offlined data). I don't particularly anticipate this will correlate w. anything specific - but at least will be put in one more place for further analysis & increased visibility.", "modified": "2025-03-07T08:38:08.584000", "created": "2024-09-24T03:44:57.902000", "tags": [ "geoip", "public url", "as16509", "amazon02", "as20940", "akamaiasn1", "as8075", "as15169", "google", "akamaias", "facebook", "telecom", "twitter", "media", "win64", "level3", "mini", "ukraine", "proton", "ghost", "win32", "cuba", "mexico", "indonesia", "seznam", "as3359", "as852" ], "references": [ "https://metadefender.com/results/file/bzI1MDMwMVFWaXRDS0hpWElYcnV0QllCYlB1", "https://mwdb.cert.pl/file/efb45096e24a61b488eb809bd8edf874d15bb498dd75ced8b888b020c87e5c6c", "https://n0paste.eu/UH6n5pD/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada", "Anguilla", "Poland", "Aruba", "Australia", "Barbados", "Costa Rica", "Guatemala", "Philippines", "Panama", "Sint Maarten (Dutch part)", "Saint Martin (French part)", "Cayman Islands", "Cura\u00e7ao", "Mexico", "Saint Vincent and the Grenadines", "Saint Kitts and Nevis", "Tanzania, United Republic of", "Netherlands", "Ukraine", "Trinidad and Tobago", "Japan", "Bahamas", "United Kingdom of Great Britain and Northern Ireland", "Georgia" ], "malware_families": [], "attack_ids": [], "industries": [ "Education", "Technology", "Government", "Telecommunications", "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1, "CIDR": 1186, "CVE": 4, "FileHash-MD5": 29, "FileHash-SHA1": 3, "URL": 25493, "domain": 5396, "email": 10, "hostname": 10770 }, "indicator_count": 42892, "is_author": false, "is_subscribing": null, "subscriber_count": 147, "modified_text": "408 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "677db8b56d3d4c3af9ebd9b5", "name": "hxxps://tinyurl [.] com/Pixel2 - Link to Google Drive of Malicious APKs (unenriched analysis of link to the Google Drive)", "description": "hxxps://tinyurl [.] com - Link to Google Drive of Malicious APKs\nIt appears a link to a Backup of Client's APKs (Telus Google Device Protected by Norton)\nDevice currently connected to the University of Alberta, Telus Communications (ISP), Alberta Health Services (AHS) and the Government of Alberta - is apparently itself malicious (still links to Google Drive Folder of APKs - to import for analysis later).", "modified": "2025-02-07T05:00:08.549000", "created": "2025-01-07T23:28:53.566000", "tags": [ "UAlberta", "AHS", "Google", "Telus", "Pixel", "Norton" ], "references": [ "https://www.filescan.io/uploads/677e0e14212309a70397d357/reports/0077a75d-f7d7-4634-a1ba-6f7b0488f9da/overview", "https://urlquery.net/report/16d1e034-1c64-4cbe-8b58-f5926dab9001", "https://www.virustotal.com/gui/url/1763a71e86e74729f1e993dc2e6b5cec9d91dd51245533a5300c85c9d49bc7ef", "http://www.hybrid-analysis.com/sample/dc744fc325700c6fda2b8d83b39a8c241258b9305058a3402ce70c97932acc74", "http://www.hybrid-analysis.com/sample/dc744fc325700c6fda2b8d83b39a8c241258b9305058a3402ce70c97932acc74/677d1d5dcb161e2448026452" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Healthcare", "Government", "Education" ], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 13, "FileHash-MD5": 96, "FileHash-SHA1": 96, "FileHash-SHA256": 97, "SSLCertFingerprint": 4, "URL": 221, "hostname": 34 }, "indicator_count": 561, "is_author": false, "is_subscribing": null, "subscriber_count": 128, "modified_text": "436 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67593f9d86f849435f8f3db4", "name": "Report - telus[.]com - URL Query", "description": "https://urlquery.net/report/651a5df9-e1ed-46d1-a53f-a334b0462430", "modified": "2025-01-10T07:01:15.866000", "created": "2024-12-11T07:30:37.570000", "tags": [ "url", "sandbox", "scanner", "reputation", "phishing", "malware", "cloudflarenet", "secure", "gmt file", "linux x8664", "accept", "httponly", "http2", "subject", "fingerprint", "url get", "path", "date", "write", "Telus" ], "references": [ "https://urlquery.net/report/651a5df9-e1ed-46d1-a53f-a334b0462430" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 157, "FileHash-SHA1": 125, "FileHash-SHA256": 125, "SSLCertFingerprint": 11, "URL": 114, "domain": 5, "hostname": 24 }, "indicator_count": 561, "is_author": false, "is_subscribing": null, "subscriber_count": 128, "modified_text": "464 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65f3e394bcf868816a29c2dc", "name": "Google Pixel 7a Devices - Telus ISP devices 'protected' by Norton", "description": "Exactly as above. I mean, out of all of the phones these ones make phonecalls (most of the time can send & receive calls). Can be a little tricky. Incomplete - it be doing it's own thing downloading/uploading stuff and heading down the 'way all the other phones went' route.", "modified": "2024-11-02T15:05:54.240000", "created": "2024-03-15T05:58:44.839000", "tags": [ "ISP", "Google", "Telus", "Norton", "Pixel" ], "references": [ "https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/summary", "https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/iocs", "https://www.virustotal.com/graph/embed/ga590434b8e274dc99fd39dd298c8c786abff51132c8d4646bb3fb3f1f4c3d100?theme=dark", "https://www.virustotal.com/graph/embed/g16457cd5ead246d99d2ecf37b965641b258cffddb8374ad194cdea194868d1ec?theme=dark", "https://www.virustotal.com/graph/embed/g2ef035cd31754a649909336c174aa141b9cca7e431994d12969e0d9d73a01b71?theme=dark", "https://www.virustotal.com/graph/embed/g1ea71614909243c1a291970fa39651a2d169deef25b7418fab2f0299221eb152?theme=dark", "https://www.virustotal.com/graph/embed/g20d14d97883a4127a500c45fcfb6e3e4961a30ef4bf74db7ab918bcbdb3f476b?theme=dark", "https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/graph", "", "https://www.filescan.io/uploads/66feb74d83903120b70c820f/reports/0a3a6c27-a872-4e0c-86a4-0fc690fb5ecd/details", "https://tip.neiki.dev/file/fb0b66efe3b780270db0693b6df42dd08068428b86fc1a579fe5117d4ae76e07/network", "http://www.hybrid-analysis.com/file-collection/66febb8ee0244a7af5014d61" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Telecommunications", "Technology", "Government" ], "TLP": "green", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 3, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1231, "FileHash-SHA1": 1215, "FileHash-SHA256": 99653, "URL": 158638, "domain": 49468, "hostname": 77233, "email": 6, "CIDR": 5450, "CVE": 55 }, "indicator_count": 392949, "is_author": false, "is_subscribing": null, "subscriber_count": 130, "modified_text": "532 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "661858cf6ac4c024886515d7", "name": "Windows Sample of Windows - System32", "description": "An analysis of Malware Distribution and Threats stemming from an ongoing breach at the University of Alberta. Retrospective & In-Progress tracking, identification, and characterization among affected individuals/organizations/sectors affected by misuse of credentials.\n\nA deeper dive into malicious files on samples of System32 gathered from the UofA as well as from Sample W11 PC", "modified": "2024-09-27T22:03:43.303000", "created": "2024-04-11T21:40:31.045000", "tags": [], "references": [ "https://www.virustotal.com/gui/collection/d142f78015e1c929cedae31dba7e5b735b6dedfc31e4759d8ec5f02c16328b98/summary", "https://www.virustotal.com/graph/embed/gfc33296181c74257ae503130940c083ee0c60fc5174e47118fc38f04ffb09584?theme=dark", "https://www.virustotal.com/ui/file_behaviours/2bc23a995bf4af9ba43ee21bd71c398444dd994b84d8fb7cb94b5429af4e60bf_Zenbox/html", "https://www.virustotal.com/gui/collection/d142f78015e1c929cedae31dba7e5b735b6dedfc31e4759d8ec5f02c16328b98/iocs", "https://www.virustotal.com/graph/embed/g8a2d0c1eca164cb0a1844db566d28208e0e5b5e03bfb4377a98265a5c0e47960?theme=dark", "https://www.virustotal.com/graph/embed/g03752e112d454511bb41e53c4ca610371d531e6bfe2444ed9fd093145aef08f0?theme=dark", "https://vtbehaviour.commondatastorage.googleapis.com/b9af69ac821a649f211c99e3edf32a76a213e9450b5e972a6cdda5758af530dd_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1724181274&Signature=i8XiiJ%2BdCvj6ByL4c5tRY21ZEXdquVAdSRwC7OrdlnUHP75gU59aV17r7CtZaWH%2B1qhK94T1CSnRScW5Ez3t%2B9eCCNPcgPI2mOl1c1dBBiiIrj3r1rIzlDQyKFTQhaLjOzFcFzCL5OZ8XXk6ppN9iC6N5uEYJWHDOZs7bbsQYPwnmo2iwRhFDDUjSCQMKwOPrF34fDOoqnSlZCfe981ZRIr6HISZTbu1fhFFdpNgPTVw7D3Y384i4b6nkfzjkI8u", "https://vtbehaviour.commondatastorage.googleapis.com/b9af69ac821a649f211c99e3edf32a76a213e9450b5e972a6cdda5758af530dd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1724181174&Signature=XTu5xxPcqMp3JXhCztWWQOwupXutbdzYwP1MwmdMKWErO3M%2FWEjxgmoErtsmQnLlYNIXVLVgervCeRmzfUzT1wiVZpMuHQS7UFndYWF53GNwFdAzDd4kqU%2F09GvKe1Da4wgvN0HHvA4wdRUm6os0N9jjSFRIXKc6ALqq0eHL7LgDtV6fdx1g22MN2RLGfNkkzIpXSuUwD%2BeFPR0osNVszClRiFi5dLJIahlcjYcWeTpd%2FGvBQ2kLcv", "https://www.virustotal.com/graph/embed/gcf877329e4824f7ea96cf4dce8a5fe5f7b0ba40333ae46ba92da9a514c2e006b?theme=dark", "https://www.virustotal.com/graph/embed/g64431c9444084659a4360cb063de46ef275e7f87c38a4da8b67dde4541729147?theme=dark", "https://vtbehaviour.commondatastorage.googleapis.com/b9af69ac821a649f211c99e3edf32a76a213e9450b5e972a6cdda5758af530dd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1724263681&Signature=sRNF3CXtbsizlNdCMDBJqa0Oxx4P3yW1sAZJvHB1xF981vua%2Fxh6EAKeKpwFlRlflCybIOWHPyQC5awq%2BwJslkM%2FLI9Wv5HA4EipG36shGNh5ML2wkco57c9ITd8dKgOti67d9sVy2VQHcLt3o5UBMlOE%2BMhhf4AONsGvftAO7kQsz41rdwT4L%2BnBHntaiIqG6Rz438Lo%2FcyaTFgmNJ5NkbVgnEJvWhqhqGzFhk18O8wZt1Nh4", "https://vtbehaviour.commondatastorage.googleapis.com/b9af69ac821a649f211c99e3edf32a76a213e9450b5e972a6cdda5758af530dd_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1724263684&Signature=xXQ9O6EGcEiatL%2FEjaTaOTH9kgTWN7ZCmaIM6wb2vcXjEmSqDd6c9XpfadCYK9uln%2FKAqjzkVCs9reZTrsl8p6w6MDIelJQ%2FdCUTriPH%2F%2FWy3yiRbT6VZGnVk9iNBOxIGDE%2Bz4UPbuLXaler%2B11uCyHouGQJhG1CvoCEC64JpsC89GsV9%2FaOyrduTZK3XJpvrRVMdoRTKEayIYHD59OSeCeLlAde2yETDvIOPoxT6Bp5FO1spfMq7S", "updated 08.21.24: https://www.virustotal.com/graph/embed/g64431c9444084659a4360cb063de46ef275e7f87c38a4da8b67dde4541729147?theme=dark", "https://vtbehaviour.commondatastorage.googleapis.com/27f74e49d7263156339c0b950fdbd6c98f633254229085814689ba348ea4d85a_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1724426279&Signature=KWv3ie5iuSeNS%2Flc%2BGXXzfwbqKYxF4lfka5N2gHnA6gYz63eETZ8yzhfO64lV6HacEN9qfuNfVzdltiRLDV8hweWSZHPdZgx%2ByHGwEvpBI6Pk7PvgX8nKdcJso8%2B1iA3hgRF10wNbQKIZP3K%2BOMdzLLHN9JpuSJUVxxHVhORYlokSH6OaM6Yn6qzdNQcGhAH%2B3LXiSJZggxduc%2F2cGsNIj47o%2FCrC3B0GZzIicJar8MJFq" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1070.006", "name": "Timestomp", "display_name": "T1070.006 - Timestomp" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "TA0040", "name": "Impact", "display_name": "TA0040 - Impact" }, { "id": "TA0034", "name": "Impact", "display_name": "TA0034 - Impact" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1542.003", "name": "Bootkit", "display_name": "T1542.003 - Bootkit" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" } ], "industries": [ "Education", "Government", "Technology", "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1329, "FileHash-SHA1": 1302, "FileHash-SHA256": 9051, "domain": 1341, "hostname": 4941, "URL": 1903, "CVE": 3 }, "indicator_count": 19870, "is_author": false, "is_subscribing": null, "subscriber_count": 131, "modified_text": "568 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "666cc0893636f98479e34f6e", "name": "Telus Communications ASN 852 - part 1.5", "description": "https://asnlookup.com/asn/AS852/\n\nhttps://www.virustotal.com/graph/embed/gf794b7e0cba442578197356822e0457b8d920ff9ea32461e85ddb716b3c771cf?theme=dark\n\nhttps://www.filescan.io/search-result?query=dGVsdXMuY29t", "modified": "2024-09-22T18:06:53.325000", "created": "2024-06-14T22:13:29.917000", "tags": [ "entity", "please", "javascript", "mirai", "mozi", "hajime" ], "references": [ "https://www.virustotal.com/graph/embed/gf794b7e0cba442578197356822e0457b8d920ff9ea32461e85ddb716b3c771cf?theme=dark", "https://www.virustotal.com/gui/collection/0b3c0a84782018d8bafc47ebd40c4eaf993f40ca3de61aa98eb15302a7a80b04/iocs", "https://www.virustotal.com/gui/collection/0b3c0a84782018d8bafc47ebd40c4eaf993f40ca3de61aa98eb15302a7a80b04/graph", "https://www.virustotal.com/gui/collection/0b3c0a84782018d8bafc47ebd40c4eaf993f40ca3de61aa98eb15302a7a80b04/summary", "https://asnlookup.com/asn/AS852/", "https://viz.greynoise.io/analysis/7a369df9-bcbf-4540-ad0f-6d52c0c55cdb", "https://www.virustotal.com/graph/embed/gbe89575feac440f0b831e98562c12d0534475b1006e54221acffc624919deef7?theme=dark", "https://urlscan.io/search/#page.asn%3AAS852", "https://viz.greynoise.io/analysis/8be38b3f-73d9-4f4c-bb64-508ee329596e", "https://dnschecker.org/asn-whois-lookup.php?query=AS852", "https://mxtoolbox.com/SuperTool.aspx?action=asn%3aAS852&run=toolpage", "https://viz.greynoise.io/query/AS852", "https://viz.greynoise.io/query/AS852%20classification:%22malicious%22", "https://ipinfo.io", "https://viz.greynoise.io/analysis/1ba1e524-0d96-4cc6-9426-d01abbe75443", "https://bgp.tools/as/852", "https://www.ipvoid.com/whois/", "https://urlscan.io/search/#asn%3A%22AS852%22", "https://dnschecker.org/asn-whois-lookup.php?query=852", "https://leakix.net/search?scope=leak&q=telus.com", "http://ci-www.threatcrowd.org/domain.php?domain=telus.com", "https://intelx.io/?s=telus.com", "https://whiteintel.io/", "https://inteltechniques.com/tools/Domain.html", "https://informationlaundromat.com/content-search", "https://urlhaus.abuse.ch/asn/852", "https://bgp.he.net/AS852#_prefixes", "https://dnstwist.it/#9966d7b4-2d66-4349-9129-21d2adc26c89", "https://urlscan.io/search/#asn:%22AS852%22", "08.05.24 - https://viz.greynoise.io/query/AS852", "https://urlscan.io/asn/AS852", "https://www.telus.com/en/ab/outages?INTCMP=contactus_outage_AB_V2", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/66b3cdc9971b263122bd14db" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Telecommunications", "Technology", "Healthcare", "Government", "Media", "Finance", "Retail", "Education", "Energy" ], "TLP": "white", "cloned_from": null, "export_count": 55, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 12, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 4696, "FileHash-MD5": 69, "FileHash-SHA256": 1211, "URL": 3453, "domain": 2060, "hostname": 1853, "FileHash-SHA1": 68, "email": 5, "CVE": 11 }, "indicator_count": 13426, "is_author": false, "is_subscribing": null, "subscriber_count": 130, "modified_text": "573 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66844266b18b359a3a385cf4", "name": "Alberta NDP", "description": "This pulse takes a peak into the Alberta NDP party and their current breach situation. The (original) purpose of this pulse was to further identify and characterize issues relating to the (still) ongoing UAlberta breach and to see if the Alberta NDP were impacted. Prepared this pulse to present to them as a component of it's relevancy to their own infrastructure (e.g. highlighting the privacy, safety, security implications for their party) as it was 2 months ago. Was told my contacts would be on vacation until September. It now seems during that waiting time much of the party and it's leaders have been breached/affected by similar malware & infostealers. Still waiting?", "modified": "2024-09-04T19:53:22.824000", "created": "2024-07-02T18:09:42.084000", "tags": [ "Hacked", "" ], "references": [ "https://www.virustotal.com/graph/embed/gc3d0a481dd64463a889ad9f206727d9d87db106da3c34deb922a2ce7837d6577?theme=dark", "https://www.virustotal.com/graph/embed/g99d61feda7554cba94972ae4110efe8acacfea236d6943d0bdc93dcbc7e9b60f?theme=dark", "https://www.virustotal.com/graph/embed/ga26f4bba58834344a271a36d59827ec2154f655df6324f939f674b0d49e1290a?theme=dark", "https://www.virustotal.com/gui/collection/40d6991f82d1a475ac48126d0fe7cd1481611146ae96cd496abf3f80955dda06", "https://www.virustotal.com/gui/collection/40d6991f82d1a475ac48126d0fe7cd1481611146ae96cd496abf3f80955dda06/summary", "https://www.virustotal.com/gui/collection/40d6991f82d1a475ac48126d0fe7cd1481611146ae96cd496abf3f80955dda06/iocs", "https://www.virustotal.com/gui/collection/40d6991f82d1a475ac48126d0fe7cd1481611146ae96cd496abf3f80955dda06/graph", "https://www.virustotal.com/gui/collection/e49552b5297eb28f2ec7245429e50fb363823c4683606ddb61c1d014b2238a6e", "type,id 000d161246615fb8d5b30411c753420f82a881a9d7750639bbace67e1bb270a0 001155a72482c2ddd750b1e9c28633a7e13228e4e2b05f0ba585a395ac852b49 0014425cb6011c2086b6aeca5eee11368431356a68d173c2ff7ffef327c0ba86 0018686a02600f7da1a3f0981ce78bb6982480b14130a0cc2b8c8401bc1b8449 003bfd323f6366ac283b9f922d942d7c8f6070a2f2b919a719af7fc8e7c77995 00434aa911043b208854236a41c8e7a284185710ff67b52eea9f538f4151fa28 0063c0019a4ec47bc251753be3aca37c0d84699d34a99df83963364fe640c795 00651f483b685736596ebc95817b01c34382a4691b81701cc", "https://www.virustotal.com/gui/collection/8d65d93130b4775903adbffbb53820d40bb9425dcf1848b806ffee65ee883984", "https://www.virustotal.com/gui/collection/4b0d82fda81972be3f9373edf863a3bcf426aafc9a53927eedc0b694554de33f", "https://viz.greynoise.io/analysis/52a90c2d-0774-46cd-bb66-79cb82c903fe - 07.03.24", "https://www.ipvoid.com/whois/", "https://leakix.net/search?scope=leak&q=alberta.ca", "https://intelx.io/?s=albertandp.ca", "http://ci-www.threatcrowd.org/domain.php?domain=albertandp.ca", "https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Fsites.google.com%2Fstudent.concordia.ab.ca%2Fcybersecuritybriefi%2Fhome&followup=https%3A%2F%2Fsites.google.com%2Fstudent.concordia.ab.ca%2Fcybersecuritybriefi%2Fhome&ifkv=AdF4I74DbXz0axIgI_8-2HKe5uTaiHcEn5GDXdTMvWumG7pqQExSEV6IUvXUJDoG9Ra0ZgbhrlrC&osid=1&passive=1209600&flowName=GlifWebSignIn&flowEntry=ServiceLogin&dsh=S-1391668132%3A1721034538211512&ddm=0", "" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Government", "Telecommunications", "Healthcare", "Education", "Technology", "Hospitality", "Finance", "Manufacturing", "Retail" ], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 10030, "FileHash-MD5": 719, "FileHash-SHA1": 719, "FileHash-SHA256": 14832, "URL": 12538, "hostname": 10238, "CVE": 35, "email": 2, "CIDR": 847 }, "indicator_count": 49960, "is_author": false, "is_subscribing": null, "subscriber_count": 130, "modified_text": "591 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "664bd9b732ecaf1b3c3beddf", "name": "Found some problems - Files from the UAlberta Google Drive Archive", "description": "Been looking for these...Gifts from the University of Alberta to the World apparently\n*Please note: I emptied out the Drive, however, there was a significant amount of abuse re: Google and Microsoft Accounts at the University of Alberta (reported).\n*On the Google side I utilized: Drive (a little), Docs/Slides/Sheets (when groupwork was required)\n*On the Microsoft side I utilized: OneDrive, Office 365 (Word, PPT, Excel, and OneNote). I used to also have a personal microsoft account (OneNote, OneDrive, Skype).\nThese were the applications I lived on for my studies. I could access the Gmail/Microsoft accounts for the University (however - 'bad things' usually happen because of this). I have no access to my personal Microsoft Account (i.e. myself and other affected student(s) do not have access to our personal stuff.", "modified": "2024-09-03T00:02:13.980000", "created": "2024-05-20T23:16:07.255000", "tags": [ "contact", "quick", "destination", "entry", "safety", "local", "health", "travel", "notification", "considerations", "service", "criminal", "showit", "click", "outcome", "step", "please", "class", "questions set", "question set", "unlock", "continue", "jointfilingyes", "jointfilingno", "minimum req", "domicileresusno", "joint sponsor", "sponsorjoint", "path", "href", "span", "activetab", "starton", "newpage", "searchq", "datasia", "datacon", "segfilter", "subsite", "issuance agency", "visas", "null", "state", "dialog field", "tabpanel", "recaptcha", "nameinputvisa", "fullnameinput1", "license headers", "tools", "templates", "sia contact", "visa", "website", "phoneregexp", "emailregexp", "azaz", "urlpattern", "example starter", "javascript", "fetch", "comptwo", "compone", "dateofbirth", "function", "date", "passport", "nameinput", "fullnameinput", "adult passport", "child passport", "new child", "new adult", "new passport", "datepicker", "ds5504", "hideit", "infinity", "false", "jquery", "error", "body", "trident", "simple", "turn", "back", "calendar", "format", "february", "april", "june", "august", "show", "page has", "bcdate", "col1child", "col2child", "coldatechild", "rowdisplay", "val1", "val2", "repaginate", "grab", "jandec", "86400000", "current", "namerbcontactme", "agency", "compliment", "complaint", "passportfees", "customerservice", "bymail", "namerbcategory", "brokenlink", "search", "departuredate", "calendar date", "picker", "change", "month", "vital", "records form", "component js", "select", "please enter", "azaz09", "dddddd", "woff2", "woff", "truetype", "css document", "efefef", "ffffff", "gradienttype0", "galaxy", "nexus", "iphone5", "abtn", "bbtn", "cbtn", "dbtn", "ebtn", "fbtn", "gbtn", "hbtn", "ibtn", "media query", "from", "fce68e", "font family", "bold", "document", "cc3333", "b7b7b7", "e2edff", "ced9ea", "pm author", "ipca csi", "helvetica", "arial", "cq aem", "feed classes", "f2cd54", "f4d97e", "portrait", "landscape", "ipad", "declare", "immigrant", "visa navigation", "navigation css", "georgia", "times new", "roman", "times", "verdana", "photomodal", "styles media", "ff0000", "queries", "form component", "typetext", "queries media", "phone media", "tablet styles", "media queries", "jumbo sized", "copyright", "gpl version", "http", "alpha", "button", "out width", "ui css", "framework", "icons", "misc", "mini", "input", "label", "textarea", "overlays", "csi page", "embassy info", "embassy data", "embassy names", "end adjust", "embassy nameso", "pages", "e1a04d", "c0c0c0", "ffffff url", "us survey", "component css", "country list", "e7eceb", "important", "additional css", "wizard", "corner radius", "f97800", "c61700", "largestbox", "thisbox", "csi navigation", "ui autocomplete", "ui menu", "noticeid", "countnote", "largestnote", "thisnote", "desktops", "43px", "42px", "large", "aem interface", "styles", "web email", "ytconfig", "typeerror", "facebook pixel", "pixel code", "symbol", "fblog", "typeof", "iterator", "pageview", "pixel", "facebook", "config", "meta", "propname", "dpjquerydpuuid", "this", "next", "atom", "cookie", "iframe", "close", "string", "number", "edge", "regexp", "silk", "sxa0", "object", "opera", "android", "void", "form", "UAlberta", "Android", "Mac", "iPhone", "Gov Alberta", "AWS", "AZURE", "ENTRA", "iCloud", "Telus", "Bitdefender", "Norton" ], "references": [ "Copy of clientlib.js(1).download", "Copy of clientlib.js(2).download", "Copy of clientlib.js(5).download", "Copy of clientlib.js(7).download", "Copy of clientlib.js(4).download", "Copy of clientlib.js(10).download", "Copy of clientlib.js(8).download", "Copy of clientlib.js(11).download", "Copy of clientlib.js(12).download", "Copy of clientlib.js(13).download", "Copy of clientlib.js(14).download", "Copy of clientlib.js(9).download", "Copy of clientlib.js(16).download", "Copy of clientlib.js(17).download", "Copy of clientlib.js(18).download", "Copy of clientlib.js(3).download", "Copy of clientlib.js(19).download", "Copy of clientlib.js(15).download", "Copy of clientlib.js(22).download", "Copy of clientlib.js(23).download", "Copy of clientlib.js(21).download", "Copy of clientlib.js(26).download", "Copy of clientlib.js(25).download", "Copy of clientlib.js(24).download", "Copy of clientlib.js(31).download", "Copy of clientlib.js(28).download", "Copy of clientlib.js(30).download", "Copy of clientlib.js(32).download", "Copy of clientlib.js(29).download", "Copy of clientlib.js(34).download", "Copy of clientlib.js(35).download", "Copy of clientlib.js(37).download", "Copy of clientlib.js(36).download", "Copy of clientlib.js(38).download", "Copy of clientlib.js(39).download", "Copy of clientlib.js(33).download", "Copy of clientlib.js(44).download", "Copy of clientlib.js(43).download", "Copy of clientlib.js(41).download", "Copy of clientlib.js(42).download", "Copy of clientlib.js(45).download", "Copy of clientlib.js(51).download", "Copy of clientlib.js(56).download", "Copy of clientlib.js(55).download", "Copy of clientlib.js(54).download", "Copy of clientlib.js(57).download", "Copy of clientlib.js(52).download", "Copy of clientlib.js(53).download", "Copy of clientlib.js(60).download", "Copy of clientlib(1).css", "Copy of clientlib.js(59).download", "Copy of clientlib(3).css", "Copy of clientlib(2).css", "Copy of clientlib(5).css", "Copy of clientlib.js(58).download", "Copy of clientlib(8).css", "Copy of clientlib(10).css", "Copy of clientlib(7).css", "Copy of clientlib(6).css", "Copy of clientlib(12).css", "Copy of clientlib(13).css", "Copy of clientlib(9).css", "Copy of clientlib(4).css", "Copy of clientlib(14).css", "Copy of clientlib(17).css", "Copy of clientlib(15).css", "Copy of clientlib(19).css", "Copy of clientlib(18).css", "Copy of clientlib(11).css", "Copy of clientlib(20).css", "Copy of clientlib(16).css", "Copy of clientlib(23).css", "Copy of clientlib(24).css", "Copy of clientlib(26).css", "Copy of clientlib(25).css", "Copy of clientlib(28).css", "Copy of clientlib(22).css", "Copy of clientlib(27).css", "Copy of clientlib(31).css", "Copy of clientlib(29).css", "Copy of clientlib(30).css", "Copy of clientlib(32).css", "Copy of clientlib(34).css", "Copy of clientlib(35).css", "Copy of clientlib(33).css", "Copy of clientlib(38).css", "Copy of clientlib(37).css", "Copy of clientlib(36).css", "Copy of clientlib(40).css", "Copy of clientlib(39).css", "Copy of clientlib(43).css", "Copy of clientlib(21).css", "Copy of clientlib(41).css", "Copy of clientlib(44).css", "Copy of clientlib(42).css", "Copy of clientlib(46).css", "Copy of clientlib(45).css", "Copy of clientlib(47).css", "Copy of clientlib(48).css", "Copy of clientlib(49).css", "Copy of clientlib(50).css", "Copy of clientlib(52).css", "Copy of clientlib(54).css", "Copy of clientlibs.js(3).download", "Copy of clientlib(53).css", "Copy of clientlibs.js(2).download", "Copy of clientlibs(3).css", "Copy of clientlib(51).css", "Copy of clientlibs(1).css", "Copy of clientlibs(2).css", "Copy of clientlibs.js.download", "Copy of clientlibs.js(4).download", "Copy of clientlibs(5).css", "Copy of clientlibs.css", "Copy of clientlibs(4).css", "Copy of dir (1).c9r", "Copy of clientlib(55).css", "Copy of iframe_api", "Copy of fbevents.js.download", "Copy of clientlibs.js(1).download", "Copy of js", "https://www.virustotal.com/gui/collection/7196cbc5285fb7e155a529980dc1797d3ab3884e20c77c66d9b1b971c313fe56/iocs", "https://www.virustotal.com/gui/collection/7196cbc5285fb7e155a529980dc1797d3ab3884e20c77c66d9b1b971c313fe56/graph", "hxxps://go[.]microsoft[.]com/fwlink/?LinkId=2033498", "hxxps://portal[.]office[.]com/Account", "hxxps://myapplications[.]microsoft[.]com/", "https://tria.ge/240521-rvybaahb79", "https://tria.ge/240521-rxpf6ahd6w", "https://tria.ge/240521-r1yh8shd44", "https://tria.ge/240521-ry949ahe2z/behavioral1", "https://tria.ge/240521-r3mvhshd83" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada", "Mexico", "Anguilla", "Aruba", "Panama", "Ukraine", "Trinidad and Tobago", "Saint Vincent and the Grenadines", "Saint Martin (French part)", "Sint Maarten (Dutch part)", "Philippines", "Netherlands", "Cura\u00e7ao", "Georgia", "Tanzania, United Republic of", "Costa Rica", "Guatemala", "Japan", "Barbados" ], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" } ], "industries": [ "Education", "Technology", "Government", "Healthcare", "Biotechnology", "Telecommunications", "Energy", "Construction", "Chemical", "Agriculture", "Finance", "Media", "Defense", "Transportation" ], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 251, "hostname": 188, "FileHash-SHA256": 142, "URL": 69, "FileHash-MD5": 77, "FileHash-SHA1": 77 }, "indicator_count": 804, "is_author": false, "is_subscribing": null, "subscriber_count": 133, "modified_text": "593 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "662e72197adff2cced4acab5", "name": "Telus Communications (Canadian ISP)", "description": "IOCs associated with and/or collected from Telus Communications ISP\nAlso, please refer to other collections (Relevant Pulses in Group Pulse)", "modified": "2024-09-03T00:02:13.980000", "created": "2024-04-28T15:58:17.777000", "tags": [ "Telus" ], "references": [ "https://www.virustotal.com/gui/collection/9220d9375ebb4289fdbc4a7aac232b75a5c1b01e5e27edd965982bc6fe28f0e2/graph", "https://www.virustotal.com/gui/collection/9220d9375ebb4289fdbc4a7aac232b75a5c1b01e5e27edd965982bc6fe28f0e2/iocs", "https://tria.ge/240428-tjsmrsbf4t", "https://www.virustotal.com/graph/embed/ga06a03c71a1848adb8e47517af7d1803f6bc8aa5dd4a480f921a7e9528da34df?theme=dark", "https://intelx.io/?s=telus.com", "https://lab.dynamite.ai/pcaps/319ab9c1-044c-4791-98b8-a134918cae63", "https://lab.dynamite.ai/pcaps/8c720f26-cf1b-4aed-bad5-da87f7f17977", "https://lab.dynamite.ai/pcaps/5beb5211-b3ce-4c11-8fa7-44eee039113a", "https://www.virustotal.com/graph/embed/ga408d14b97e346d788613eab3a11c80af28a15dda5334f9a93221e82d25545bb?theme=dark", "https://urlhaus.abuse.ch/feeds/asn/852/" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [ "Government", "Technology", "Telecommunications", "Education" ], "TLP": "green", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 3, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 283, "FileHash-SHA1": 283, "FileHash-SHA256": 366, "URL": 726, "domain": 564, "hostname": 523 }, "indicator_count": 2745, "is_author": false, "is_subscribing": null, "subscriber_count": 131, "modified_text": "593 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "669ad504a491593b3092d20c", "name": "Apple Stuff Combined", "description": "Description: IOCs derived from downed Apple Fleet logs\nCommon IOCs from Apple-Related Products - extracted from Apple Logs/Reports", "modified": "2024-09-03T00:02:13.980000", "created": "2024-07-19T21:05:08.808000", "tags": [ "contains-zip", "contains-apk", "upx", "pecompact", "contains-elf", "attachment", "as-protect", "contains-pe", "aspack", "telock", "downloads-zip", "nsis", "downloads-pe", "base64-embedded", "bobsoft", "opendir" ], "references": [ "https://viz.greynoise.io/analysis/c8416853-215d-48d0-9420-b6f43cdb1aaf", "https://www.virustotal.com/graph/embed/g266c7267d27a42b494f80bfa327d9a47a182ff352a4843c69c655a09e131dd49?theme=dark", "https://www.virustotal.com/gui/collection/3955f19b42e4ed4d4af0bb416ee463d8a6190cdcc4b1de29a0bf795d2dc18a97/iocs", "https://viz.greynoise.io/analysis/0746f250-b49a-4017-9e80-b0c9ce1993d6", "cve-2015-2414, 2016-0101, 2006-3869, 2004-0790, 2004-0566, 2005-0068, 2009-1122, 2017-17215, 2017-11882, 2017-0199, 2002-0013, 2016-2569, 2014-8361, 1999-0016, 2008-2257, 2009-1535, 2022-30190, 2008-2938, 2014-6345, 2002-0012", "https://www.filescan.io/uploads/669fffb84c5c17942a7c1d3f/reports/c881cbc5-750f-4b35-a43d-084844d036e6/overview", "https://www.filescan.io/uploads/66a001cb3ba51bb345a32569/reports/34b4aa58-68cb-4045-8653-ccfd3a1fb3dd/overview", "https://urlscan.io/user/submit/", "https://viz.greynoise.io/analysis/cb9811dd-809d-4a25-bb28-512d2c2b3393", "https://www.virustotal.com/gui/collection/3955f19b42e4ed4d4af0bb416ee463d8a6190cdcc4b1de29a0bf795d2dc18a97/summary", "07.19.24: IPs, Greynoise: https://viz.greynoise.io/analysis/ba31ba2b-4967-4d39-ac24-143d9c66136b", "https://viz.greynoise.io/analysis/3fbd45fa-08a2-423a-98b9-e6b37ea05e8a" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Telecommunications", "Government", "Healthcare", "Education" ], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 10067, "FileHash-SHA256": 6080, "hostname": 1957, "domain": 1445, "CVE": 20 }, "indicator_count": 19569, "is_author": false, "is_subscribing": null, "subscriber_count": 132, "modified_text": "593 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6668b85065eec626e4766a38", "name": "Thor-Lite Linux 64 (06.11.24) - enriched a bit more but not 'pruned'", "description": "Please note: This sample is a tad 'outdated' as I ran both scans kind of by accident lol (i.e. did not update w. the utils utility). I was a bit tired so a happy accident of more data? - but gives a general 'picture' or 'painting' anyways on a rather small set of data.\n\nHave some more data to put up (picked up by Huntress Labs) - just have to get that back online.\n\nWould love to accommodate for some confounding variables - e.g. filter for false positives, windows logs, networking capabilities (better than what I have now) to better inform the team taking care of me (us). \n\nNote: Given it was using some outdated thor modules (lite-version), it was 'good enough' to provide some data worth looking into that 'falls in line' w. what I've come across. \n\nJust a combined sample (2 in 1) of a thor-lite scan of a linux instance (06.11.24)\n\nI've just listed a few places I have some direct ties to in one way or another (not including the other UAlberta students affected that have been in contact with me or reached out).", "modified": "2024-07-11T21:08:15.880000", "created": "2024-06-11T20:49:20.318000", "tags": [ "mon jun", "filename ioc", "scanid", "sigtype1", "group", "reason1", "matched1", "reasonscount", "dangerous file", "exploit code", "trace", "anomaly", "project", "import", "mimikatz", "form", "powershell", "shellcode", "cobaltstrike", "hermanos", "cobalt strike", "inject", "body", "null", "confuserex", "virustotal", "generic", "comspec", "injectdll", "rootkit", "timestomp", "doublepulsar", "logger", "teamviewer", "obfus", "webshell", "phpshell", "error", "exploit", "dllimport", "info", "kill", "path", "arch", "hosts", "bifrost", "thor", "false", "tools", "flash", "cve201711882", "macos", "bypass", "green", "team", "target", "cred", "powersploit", "recursive", "term", "download", "zero", "antak", "install", "metasploit", "local", "meterpreter", "shell", "please", "javascript", "entity" ], "references": [ "https://www.virustotal.com/gui/collection/2b33908584f5c3987941edc9aa8995f797fe13900feeb9fa8fb86ccb5abdaa01/iocs", "https://www.virustotal.com/graph/embed/gfdb1aa99d73447818bfcd10130b237a4e92dbf316d5f4f028ad64f71f882bccc?theme=dark", "https://www.virustotal.com/gui/collection/2b33908584f5c3987941edc9aa8995f797fe13900feeb9fa8fb86ccb5abdaa01/graph", "https://www.virustotal.com/gui/collection/2b33908584f5c3987941edc9aa8995f797fe13900feeb9fa8fb86ccb5abdaa01/summary", "https://urlscan.io/search/#user:me%20OR%20team:me", "https://viz.greynoise.io/analysis/eaa63cd1-14fd-4d03-9e83-29bd58eab538" ], "public": 1, "adversary": "Unknown", "targeted_countries": [ "United States of America", "Canada", "Netherlands", "Anguilla", "Panama", "Trinidad and Tobago", "Saint Martin (French part)", "Saint Vincent and the Grenadines", "Sint Maarten (Dutch part)", "Mexico", "Philippines", "Japan", "Aruba", "Costa Rica", "Guatemala", "China", "Barbados", "Saint Kitts and Nevis", "Cayman Islands", "Cura\u00e7ao", "Virgin Islands, U.S." ], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1558", "name": "Steal or Forge Kerberos Tickets", "display_name": "T1558 - Steal or Forge Kerberos Tickets" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1572", "name": "Protocol Tunneling", "display_name": "T1572 - Protocol Tunneling" } ], "industries": [ "Education", "Technology", "Government", "Healthcare", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 247, "FileHash-MD5": 1183, "FileHash-SHA1": 1553, "FileHash-SHA256": 1240, "URL": 486, "domain": 294, "email": 8, "hostname": 138 }, "indicator_count": 5149, "is_author": false, "is_subscribing": null, "subscriber_count": 132, "modified_text": "646 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66480cb1cc174fd804e0cef9", "name": "Elgoogle", "description": "", "modified": "2024-05-18T02:12:28.801000", "created": "2024-05-18T02:04:33.967000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "65709f0bbdd32cb4b343a12f", "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Elgoogle", "id": "281171", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2218, "FileHash-SHA256": 24526, "FileHash-MD5": 7187, "URL": 1175, "hostname": 2514, "JA3": 2, "email": 83, "FileHash-SHA1": 7164, "CVE": 35 }, "indicator_count": 44904, "is_author": false, "is_subscribing": null, "subscriber_count": 8, "modified_text": "701 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6639853fc403f7be5bd6f27d", "name": "Facebook+", "description": "", "modified": "2024-05-07T01:34:55.365000", "created": "2024-05-07T01:34:55.365000", "tags": [], "references": [ "https://www.virustotal.com/gui/collection/09af9ef0b7b23d2dc73d83858106ae4fc97a352dbb521ac04493a0e79095ac69/iocs", "https://www.virustotal.com/gui/collection/79c25168b2f93d9730a56b8d2b834cbfb2752b63b21b9dd51109416fbaa676d8/iocs", "https://www.virustotal.com/graph/embed/g8726609a12794ebeb59edd531961a233068149bcdf994b428f20141be6111551?theme=dark", "https://www.virustotal.com/graph/embed/g365a82115f934e31a69118715695c91c231f66cda9084c9389e56afb985a243e?theme=dark", "", "https://www.virustotal.com/gui/collection/6a8d582df4fe5a29885dad4074236bc9e4ed445aaf0cc00702d45963fb0459bb/iocs" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "65eea19a23474b8c7dca351f", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Phone2209", "id": "281168", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1165, "hostname": 866, "URL": 657, "FileHash-SHA256": 26, "email": 337, "FileHash-MD5": 12, "FileHash-SHA1": 8, "CIDR": 1 }, "indicator_count": 3072, "is_author": false, "is_subscribing": null, "subscriber_count": 1, "modified_text": "712 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a756ee3c8ce2314e235a", "name": "Home Networks", "description": "", "modified": "2023-12-06T16:54:46.263000", "created": "2023-12-06T16:54:46.263000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 290, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2298, "FileHash-SHA256": 24535, "FileHash-MD5": 7197, "URL": 1188, "hostname": 2636, "JA3": 2, "email": 96, "CVE": 44, "FileHash-SHA1": 7174 }, "indicator_count": 45170, "is_author": false, "is_subscribing": null, "subscriber_count": 114, "modified_text": "864 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65709f0bbdd32cb4b343a12f", "name": "WHO SAV.COM LLC (SOURCEADULT.COM)", "description": "", "modified": "2023-12-06T16:19:23.067000", "created": "2023-12-06T16:19:23.067000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2218, "FileHash-SHA256": 24526, "FileHash-MD5": 7187, "URL": 1175, "hostname": 2514, "JA3": 2, "email": 83, "FileHash-SHA1": 7164, "CVE": 35 }, "indicator_count": 44904, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "864 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65709eee2f74978bd15d60a9", "name": "WHO SAV.COM LLC (SOURCEADULT.COM)", "description": "", "modified": "2023-12-06T16:18:53.346000", "created": "2023-12-06T16:18:53.346000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2219, "FileHash-SHA256": 24526, "FileHash-MD5": 7187, "URL": 1175, "hostname": 2513, "JA3": 2, "email": 83, "FileHash-SHA1": 7164, "CVE": 35 }, "indicator_count": 44904, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "864 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65709ed8415c89746a234d89", "name": "WHO SAV.COM LLC (SOURCEADULT.COM)", "description": "", "modified": "2023-12-06T16:18:32.627000", "created": "2023-12-06T16:18:32.627000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2218, "FileHash-SHA256": 24526, "FileHash-MD5": 7187, "URL": 1175, "hostname": 2513, "JA3": 2, "email": 83, "FileHash-SHA1": 7164, "CVE": 35 }, "indicator_count": 44903, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "864 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65709ebd65cdc059b8e373ef", "name": "WHO SAV.COM LLC (SOURCEADULT.COM)", "description": "", "modified": "2023-12-06T16:18:05.044000", "created": "2023-12-06T16:18:05.044000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2218, "FileHash-SHA256": 24526, "FileHash-MD5": 7187, "URL": 1175, "hostname": 2519, "JA3": 2, "email": 83, "FileHash-SHA1": 7164, "CVE": 36 }, "indicator_count": 44910, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "864 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65709ea58a4b251d0f7aac7b", "name": "WHO SAV.COM LLC (SOURCEADULT.COM)", "description": "", "modified": "2023-12-06T16:17:41.816000", "created": "2023-12-06T16:17:41.816000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2221, "FileHash-SHA256": 24526, "FileHash-MD5": 7187, "URL": 1176, "hostname": 2513, "JA3": 2, "email": 83, "FileHash-SHA1": 7164, "CVE": 37 }, "indicator_count": 44909, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "864 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65709e8b31eda9b13196277a", "name": "WHO SAV.COM LLC (SOURCEADULT.COM)", "description": "", "modified": "2023-12-06T16:17:15.458000", "created": "2023-12-06T16:17:15.458000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2222, "FileHash-SHA256": 24526, "FileHash-MD5": 7187, "URL": 1176, "hostname": 2513, "JA3": 2, "email": 83, "FileHash-SHA1": 7164, "CVE": 38 }, "indicator_count": 44911, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "864 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65709e736e1768898768814f", "name": "WHO SAV.COM LLC (SOURCEADULT.COM)", "description": "", "modified": "2023-12-06T16:16:51.265000", "created": "2023-12-06T16:16:51.265000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2221, "FileHash-SHA256": 24526, "FileHash-MD5": 7187, "URL": 1179, "hostname": 2521, "JA3": 2, "email": 84, "FileHash-SHA1": 7164, "CVE": 40 }, "indicator_count": 44924, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "864 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65709e5d4c59f8ac3f86f615", "name": "WHO SAV.COM LLC (SOURCEADULT.COM)", "description": "", "modified": "2023-12-06T16:16:29.659000", "created": "2023-12-06T16:16:29.659000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2430, "FileHash-SHA256": 24526, "FileHash-MD5": 7187, "URL": 1331, "hostname": 2748, "JA3": 2, "email": 94, "CVE": 42, "FileHash-SHA1": 7164 }, "indicator_count": 45524, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "864 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65709ded7d8a5ce8dba3444a", "name": "Who is SHAW.CA (TUSCOW DOMAINS)", "description": "", "modified": "2023-12-06T16:14:37.212000", "created": "2023-12-06T16:14:37.212000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2362, "FileHash-SHA256": 24578, "FileHash-MD5": 7241, "URL": 1216, "hostname": 2688, "JA3": 2, "email": 97, "CVE": 43, "FileHash-SHA1": 7217 }, "indicator_count": 45444, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "864 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65709dd6926a5676de0e2a19", "name": "Who is SHAW.CA (TUSCOW DOMAINS)", "description": "", "modified": "2023-12-06T16:14:13.668000", "created": "2023-12-06T16:14:13.668000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2427, "FileHash-SHA256": 24528, "FileHash-MD5": 7187, "URL": 1346, "hostname": 2829, "JA3": 2, "email": 99, "CVE": 43, "FileHash-SHA1": 7164 }, "indicator_count": 45625, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "864 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65709a49ed44fea53e9aeec5", "name": "home networks", "description": "", "modified": "2023-12-06T15:59:05.075000", "created": "2023-12-06T15:59:05.075000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2298, "FileHash-SHA256": 24535, "FileHash-MD5": 7197, "URL": 1188, "hostname": 2636, "JA3": 2, "email": 96, "CVE": 44, "FileHash-SHA1": 7174 }, "indicator_count": 45170, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "864 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6540a399fd8814337712770b", "name": "Support & Help Centre | TELUS", "description": "", "modified": "2023-11-30T07:01:37.424000", "created": "2023-10-31T06:50:01.232000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ellenmmm", "id": "233693", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 732, "domain": 287, "hostname": 188, "FileHash-SHA256": 4258, "FileHash-MD5": 853, "FileHash-SHA1": 851, "email": 2, "CVE": 1 }, "indicator_count": 7172, "is_author": false, "is_subscribing": null, "subscriber_count": 82, "modified_text": "871 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "653f1b78e5e7e24debcdd89b", "name": "Home Networks", "description": "", "modified": "2023-10-30T02:56:56.851000", "created": "2023-10-30T02:56:56.851000", "tags": [ "home wifi" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "65136f65f7240bd2ba4b325c", "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 3274, "URL": 2565, "hostname": 3853, "FileHash-MD5": 12061, "FileHash-SHA1": 12035, "FileHash-SHA256": 57447, "CVE": 68, "IPv4": 84, "email": 109, "JA3": 2 }, "indicator_count": 91498, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "902 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "653f1b77c1090397a32b6979", "name": "Home Networks", "description": "", "modified": "2023-10-30T02:56:55.293000", "created": "2023-10-30T02:56:55.293000", "tags": [ "home wifi" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "65136f65f7240bd2ba4b325c", "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 3274, "URL": 2565, "hostname": 3853, "FileHash-MD5": 12061, "FileHash-SHA1": 12035, "FileHash-SHA256": 57447, "CVE": 68, "IPv4": 84, "email": 109, "JA3": 2 }, "indicator_count": 91498, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "902 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "653f1b744f82ff189926035a", "name": "Home Networks", "description": "", "modified": "2023-10-30T02:56:52.243000", "created": "2023-10-30T02:56:52.243000", "tags": [ "home wifi" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "65136f65f7240bd2ba4b325c", "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 3274, "URL": 2565, "hostname": 3853, "FileHash-MD5": 12061, "FileHash-SHA1": 12035, "FileHash-SHA256": 57447, "CVE": 68, "IPv4": 84, "email": 109, "JA3": 2 }, "indicator_count": 91498, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "902 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64c17dc55bd8ed9bca3d4c02", "name": "Who is SHAW.CA (TUSCOW DOMAINS)", "description": "", "modified": "2023-09-27T00:01:19.593000", "created": "2023-07-26T20:10:45.140000", "tags": [ "home wifi" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "645a0d4c0e0c3cffd34ec23a", "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "ellenmmm", "id": "233693", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 3392, "URL": 2619, "hostname": 3967, "FileHash-MD5": 12115, "FileHash-SHA1": 12088, "FileHash-SHA256": 57501, "CVE": 61, "IPv4": 84, "email": 106, "JA3": 2 }, "indicator_count": 91935, "is_author": false, "is_subscribing": null, "subscriber_count": 85, "modified_text": "935 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65136f65f7240bd2ba4b325c", "name": "Home Networks", "description": "", "modified": "2023-09-26T23:55:17.763000", "created": "2023-09-26T23:55:17.763000", "tags": [ "home wifi" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "645a0d4c0e0c3cffd34ec23a", "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 3274, "URL": 2565, "hostname": 3853, "FileHash-MD5": 12061, "FileHash-SHA1": 12035, "FileHash-SHA256": 57447, "CVE": 68, "IPv4": 84, "email": 109, "JA3": 2 }, "indicator_count": 91498, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "935 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64c82712d7810b852cabc855", "name": "WHO SAV.COM LLC (SOURCEADULT.COM)", "description": "", "modified": "2023-08-31T23:01:13.597000", "created": "2023-07-31T21:26:42.783000", "tags": [ "home wifi" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "64c17dc55bd8ed9bca3d4c02", "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ellenmmm", "id": "233693", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 3442, "URL": 2763, "hostname": 4033, "FileHash-MD5": 12051, "FileHash-SHA1": 12025, "FileHash-SHA256": 57438, "CVE": 61, "IPv4": 84, "email": 105, "JA3": 2 }, "indicator_count": 92004, "is_author": false, "is_subscribing": null, "subscriber_count": 85, "modified_text": "961 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64c17dc34265fd1359962a8a", "name": "Who is SHAW.CA (TUSCOW DOMAINS)", "description": "", "modified": "2023-08-31T23:01:13.597000", "created": "2023-07-26T20:10:43.473000", "tags": [ "home wifi" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "645a0d4c0e0c3cffd34ec23a", "export_count": 299, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "ellenmmm", "id": "233693", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 3539, "URL": 3403, "hostname": 4473, "FileHash-MD5": 12051, "FileHash-SHA1": 12025, "FileHash-SHA256": 57441, "CVE": 63, "IPv4": 84, "email": 112, "JA3": 2 }, "indicator_count": 93193, "is_author": false, "is_subscribing": null, "subscriber_count": 84, "modified_text": "961 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64c827144620e1502824a501", "name": "WHO SAV.COM LLC (SOURCEADULT.COM)", "description": "", "modified": "2023-08-31T19:04:41.183000", "created": "2023-07-31T21:26:44.747000", "tags": [ "home wifi" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "64c17dc55bd8ed9bca3d4c02", "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ellenmmm", "id": "233693", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 3191, "URL": 2558, "hostname": 3737, "FileHash-MD5": 12051, "FileHash-SHA1": 12025, "FileHash-SHA256": 57438, "CVE": 56, "IPv4": 84, "email": 93, "JA3": 2 }, "indicator_count": 91235, "is_author": false, "is_subscribing": null, "subscriber_count": 85, "modified_text": "961 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64c8271c154fb0e795a4eed4", "name": "WHO SAV.COM LLC (SOURCEADULT.COM)", "description": "", "modified": "2023-08-31T00:02:54.189000", "created": "2023-07-31T21:26:52.771000", "tags": [ "home wifi" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "64c17dc55bd8ed9bca3d4c02", "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ellenmmm", "id": "233693", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 3188, "URL": 2554, "hostname": 3729, "FileHash-MD5": 12051, "FileHash-SHA1": 12025, "FileHash-SHA256": 57438, "CVE": 49, "IPv4": 84, "email": 92, "JA3": 2 }, "indicator_count": 91212, "is_author": false, "is_subscribing": null, "subscriber_count": 84, "modified_text": "962 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64c8271a118ad7ca6ad1cc1c", "name": "WHO SAV.COM LLC (SOURCEADULT.COM)", "description": "", "modified": "2023-08-31T00:02:54.189000", "created": "2023-07-31T21:26:50.414000", "tags": [ "home wifi" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "64c17dc55bd8ed9bca3d4c02", "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ellenmmm", "id": "233693", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 3189, "URL": 2554, "hostname": 3728, "FileHash-MD5": 12051, "FileHash-SHA1": 12025, "FileHash-SHA256": 57438, "CVE": 49, "IPv4": 84, "email": 92, "JA3": 2 }, "indicator_count": 91212, "is_author": false, "is_subscribing": null, "subscriber_count": 83, "modified_text": "962 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "", "Copy of clientlib(46).css", "Copy of clientlib.js(36).download", "cve-2015-2414, 2016-0101, 2006-3869, 2004-0790, 2004-0566, 2005-0068, 2009-1122, 2017-17215, 2017-11882, 2017-0199, 2002-0013, 2016-2569, 2014-8361, 1999-0016, 2008-2257, 2009-1535, 2022-30190, 2008-2938, 2014-6345, 2002-0012", "https://www.virustotal.com/gui/collection/40d6991f82d1a475ac48126d0fe7cd1481611146ae96cd496abf3f80955dda06/iocs", "Copy of clientlib.js(34).download", "https://n0paste.eu/UH6n5pD/", "https://viz.greynoise.io/query/AS852", "https://mxtoolbox.com/SuperTool.aspx?action=asn%3aAS852&run=toolpage", "Copy of clientlibs(1).css", "Copy of clientlib(50).css", "Copy of clientlibs(5).css", "https://viz.greynoise.io/analysis/cb9811dd-809d-4a25-bb28-512d2c2b3393", "Copy of clientlib(17).css", "https://opentip.kaspersky.com/5E066617CC959DBAB123F23D5D36A4DC4D813358E43EDDBD1A6E7C87827C301D/?tab=upload", "https://www.virustotal.com/gui/collection/5967f31c865dce02efd16cebad1e75bd838298965361912987dd932a513f9212/summary", "Copy of clientlib(52).css", "https://urlscan.io/asn/AS852", "Copy of clientlib(16).css", "https://www.virustotal.com/graph/embed/g266c7267d27a42b494f80bfa327d9a47a182ff352a4843c69c655a09e131dd49?theme=dark", "https://vtbehaviour.commondatastorage.googleapis.com/b9af69ac821a649f211c99e3edf32a76a213e9450b5e972a6cdda5758af530dd_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1724263684&Signature=xXQ9O6EGcEiatL%2FEjaTaOTH9kgTWN7ZCmaIM6wb2vcXjEmSqDd6c9XpfadCYK9uln%2FKAqjzkVCs9reZTrsl8p6w6MDIelJQ%2FdCUTriPH%2F%2FWy3yiRbT6VZGnVk9iNBOxIGDE%2Bz4UPbuLXaler%2B11uCyHouGQJhG1CvoCEC64JpsC89GsV9%2FaOyrduTZK3XJpvrRVMdoRTKEayIYHD59OSeCeLlAde2yETDvIOPoxT6Bp5FO1spfMq7S", "Copy of clientlib.js(4).download", "https://tria.ge/240521-ry949ahe2z/behavioral1", "https://www.virustotal.com/graph/embed/gfdb1aa99d73447818bfcd10130b237a4e92dbf316d5f4f028ad64f71f882bccc?theme=dark", "Copy of clientlib(5).css", "https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Fsites.google.com%2Fstudent.concordia.ab.ca%2Fcybersecuritybriefi%2Fhome&followup=https%3A%2F%2Fsites.google.com%2Fstudent.concordia.ab.ca%2Fcybersecuritybriefi%2Fhome&ifkv=AdF4I74DbXz0axIgI_8-2HKe5uTaiHcEn5GDXdTMvWumG7pqQExSEV6IUvXUJDoG9Ra0ZgbhrlrC&osid=1&passive=1209600&flowName=GlifWebSignIn&flowEntry=ServiceLogin&dsh=S-1391668132%3A1721034538211512&ddm=0", "Copy of clientlib.js(15).download", "https://www.virustotal.com/gui/collection/7196cbc5285fb7e155a529980dc1797d3ab3884e20c77c66d9b1b971c313fe56/graph", "Copy of clientlib(49).css", "https://viz.greynoise.io/ip/analysis/61bb7542-40c2-448e-87d4-947a4623eada", "https://www.virustotal.com/gui/collection/3c03918e6a22b2c260f85ed6430b98495758973d754d3274124b5bf2b9c194aa/iocs", "Copy of clientlib(1).css", "Copy of clientlib(13).css", "Copy of clientlibs.css", "https://www.filescan.io/uploads/677e0e14212309a70397d357/reports/0077a75d-f7d7-4634-a1ba-6f7b0488f9da/overview", "https://viz.greynoise.io/ip/analysis/3cf1334a-df9d-448f-8145-d5fe67637c1a", "http://www.hybrid-analysis.com/file-collection/66febb8ee0244a7af5014d61", "Copy of clientlib.js(58).download", "Copy of clientlib.js(21).download", "http://www.hybrid-analysis.com/sample/dc744fc325700c6fda2b8d83b39a8c241258b9305058a3402ce70c97932acc74", "https://www.virustotal.com/graph/embed/g20d14d97883a4127a500c45fcfb6e3e4961a30ef4bf74db7ab918bcbdb3f476b?theme=dark", "https://www.virustotal.com/gui/collection/e49552b5297eb28f2ec7245429e50fb363823c4683606ddb61c1d014b2238a6e", "https://tria.ge/251003-x8c56azky6/behavioral2", "https://www.virustotal.com/gui/collection/525d014c83ee92554cb6a88685ba822e147f30dbc797a18b6071081a109b7dcb/iocs", "https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/graph", "Copy of clientlib.js(25).download", "https://urlscan.io/search/#asn%3A%22AS852%22", "Copy of clientlib.js(18).download", "https://lab.dynamite.ai/pcaps/5beb5211-b3ce-4c11-8fa7-44eee039113a", "https://tria.ge/240428-tjsmrsbf4t", "https://www.virustotal.com/gui/collection/40d6991f82d1a475ac48126d0fe7cd1481611146ae96cd496abf3f80955dda06", "Copy of clientlib(25).css", "Copy of clientlibs.js(1).download", "Copy of clientlib.js(30).download", "Copy of clientlib(41).css", "Copy of clientlib(36).css", "https://hybrid-analysis.com/sample/5e066617cc959dbab123f23d5d36a4dc4d813358e43eddbd1a6e7c87827c301d/68e01fdde76500b3c20326c4", "hxxps://portal[.]office[.]com/Account", "https://intelx.io/?s=albertandp.ca", "Copy of clientlib(39).css", "Copy of clientlib(54).css", "Copy of clientlib(18).css", "https://www.virustotal.com/gui/collection/7196cbc5285fb7e155a529980dc1797d3ab3884e20c77c66d9b1b971c313fe56/iocs", "https://asnlookup.com/asn/AS852/", "https://metadefender.com/results/file/bzI1MTAwMzhvTXdHbkVaZGItcW0tbnU2Nmkx_mdaas", "https://www.virustotal.com/graph/embed/g34c2ebfedb6c47c286431a829da992c3744ab3fab0d74008946f3b9bbeb83e23?theme=dark", "https://www.ipvoid.com/whois/", "Copy of clientlib.js(43).download", "https://urlhaus.abuse.ch/asn/852", "Copy of clientlibs(4).css", "http://hybrid-analysis.com/file-collection/69cde2f3f65064c187045802", "https://urlscan.io/search/#user:me%20OR%20team:me", "Copy of clientlib(4).css", "https://viz.greynoise.io/ip/analysis/7e527b44-c950-4c01-bb33-d96", "https://vtbehaviour.commondatastorage.googleapis.com/b9af69ac821a649f211c99e3edf32a76a213e9450b5e972a6cdda5758af530dd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1724263681&Signature=sRNF3CXtbsizlNdCMDBJqa0Oxx4P3yW1sAZJvHB1xF981vua%2Fxh6EAKeKpwFlRlflCybIOWHPyQC5awq%2BwJslkM%2FLI9Wv5HA4EipG36shGNh5ML2wkco57c9ITd8dKgOti67d9sVy2VQHcLt3o5UBMlOE%2BMhhf4AONsGvftAO7kQsz41rdwT4L%2BnBHntaiIqG6Rz438Lo%2FcyaTFgmNJ5NkbVgnEJvWhqhqGzFhk18O8wZt1Nh4", "https://www.virustotal.com/gui/collection/3c03918e6a22b2c260f85ed6430b98495758973d754d3274124b5bf2b9c194aa", "https://app.threat.zone/submission/db9c1a4a-a706-4ed9-9229-4190f02151bc/overview", "http://hybrid-analysis.com/sample/9782f26f60db73a042a51fd9b6a1f881e87c5b54506be3de099cfc48a62e5ee2", "https://www.virustotal.com/gui/collection/d142f78015e1c929cedae31dba7e5b735b6dedfc31e4759d8ec5f02c16328b98/summary", "https://intelx.io/?s=telus.com", "Copy of clientlib.js(28).download", "Copy of clientlib.js(13).download", "Copy of clientlib(8).css", "type,id 000d161246615fb8d5b30411c753420f82a881a9d7750639bbace67e1bb270a0 001155a72482c2ddd750b1e9c28633a7e13228e4e2b05f0ba585a395ac852b49 0014425cb6011c2086b6aeca5eee11368431356a68d173c2ff7ffef327c0ba86 0018686a02600f7da1a3f0981ce78bb6982480b14130a0cc2b8c8401bc1b8449 003bfd323f6366ac283b9f922d942d7c8f6070a2f2b919a719af7fc8e7c77995 00434aa911043b208854236a41c8e7a284185710ff67b52eea9f538f4151fa28 0063c0019a4ec47bc251753be3aca37c0d84699d34a99df83963364fe640c795 00651f483b685736596ebc95817b01c34382a4691b81701cc", "Copy of clientlib.js(31).download", "https://lab.dynamite.ai/pcaps/8c720f26-cf1b-4aed-bad5-da87f7f17977", "https://viz.greynoise.io/analysis/eaa63cd1-14fd-4d03-9e83-29bd58eab538", "https://www.virustotal.com/gui/collection/525d014c83ee92554cb6a88685ba822e147f30dbc797a18b6071081a109b7dcb", "https://tria.ge/240521-r3mvhshd83", "Copy of clientlib.js(41).download", "Copy of clientlib.js(12).download", "Copy of clientlib.js(53).download", "Copy of clientlib(20).css", "https://www.virustotal.com/gui/collection/2b33908584f5c3987941edc9aa8995f797fe13900feeb9fa8fb86ccb5abdaa01/graph", "https://www.virustotal.com/gui/collection/d142f78015e1c929cedae31dba7e5b735b6dedfc31e4759d8ec5f02c16328b98/iocs", "https://urlhaus.abuse.ch/feeds/asn/852/", "https://www.virustotal.com/gui/collection/09af9ef0b7b23d2dc73d83858106ae4fc97a352dbb521ac04493a0e79095ac69/iocs", "Copy of js", "https://www.virustotal.com/gui/collection/8d65d93130b4775903adbffbb53820d40bb9425dcf1848b806ffee65ee883984/iocs", "https://vtbehaviour.commondatastorage.googleapis.com/b9af69ac821a649f211c99e3edf32a76a213e9450b5e972a6cdda5758af530dd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1724181174&Signature=XTu5xxPcqMp3JXhCztWWQOwupXutbdzYwP1MwmdMKWErO3M%2FWEjxgmoErtsmQnLlYNIXVLVgervCeRmzfUzT1wiVZpMuHQS7UFndYWF53GNwFdAzDd4kqU%2F09GvKe1Da4wgvN0HHvA4wdRUm6os0N9jjSFRIXKc6ALqq0eHL7LgDtV6fdx1g22MN2RLGfNkkzIpXSuUwD%2BeFPR0osNVszClRiFi5dLJIahlcjYcWeTpd%2FGvBQ2kLcv", "Copy of clientlib(29).css", "Copy of clientlib(22).css", "Copy of clientlib.js(33).download", "https://www.virustotal.com/gui/collection/0b3c0a84782018d8bafc47ebd40c4eaf993f40ca3de61aa98eb15302a7a80b04/iocs", "Copy of clientlib.js(3).download", "https://viz.greynoise.io/analysis/52a90c2d-0774-46cd-bb66-79cb82c903fe - 07.03.24", "Copy of clientlib(11).css", "Copy of clientlib(3).css", "https://www.virustotal.com/graph/embed/g365a82115f934e31a69118715695c91c231f66cda9084c9389e56afb985a243e?theme=dark", "Copy of clientlib.js(45).download", "08.05.24 - https://viz.greynoise.io/query/AS852", "Copy of clientlib.js(26).download", "https://dnschecker.org/asn-whois-lookup.php?query=852", "Copy of clientlib.js(39).download", "https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/summary", "Copy of clientlib.js(56).download", "Copy of clientlib.js(54).download", "Copy of clientlib(12).css", "Copy of clientlib.js(37).download", "https://lab.dynamite.ai/pcaps/319ab9c1-044c-4791-98b8-a134918cae63", "https://www.filescan.io/uploads/66feb74d83903120b70c820f/reports/0a3a6c27-a872-4e0c-86a4-0fc690fb5ecd/details", "https://tria.ge/240521-r1yh8shd44", "Copy of clientlib(2).css", "Copy of clientlib(23).css", "Copy of clientlib(26).css", "https://www.virustotal.com/gui/collection/6a8d582df4fe5a29885dad4074236bc9e4ed445aaf0cc00702d45963fb0459bb/iocs", "Copy of clientlib.js(23).download", "Copy of fbevents.js.download", "https://www.virustotal.com/gui/collection/9220d9375ebb4289fdbc4a7aac232b75a5c1b01e5e27edd965982bc6fe28f0e2/iocs", "Copy of clientlib(42).css", "Copy of clientlib(34).css", "Copy of clientlib(28).css", "Copy of clientlib(31).css", "Copy of clientlib.js(52).download", "http://hybrid-analysis.com/file-collection/69cde6bc2a3b38371e0699b5", "https://www.virustotal.com/gui/collection/42a860ff5b9f4fcb926d2b66cf9f4f59effa82aad96c271807b6cad96cda522d", "https://viz.greynoise.io/analysis/1ba1e524-0d96-4cc6-9426-d01abbe75443", "https://www.virustotal.com/gui/collection/9220d9375ebb4289fdbc4a7aac232b75a5c1b01e5e27edd965982bc6fe28f0e2/graph", "Copy of clientlib(32).css", "https://www.virustotal.com/gui/collection/2b33908584f5c3987941edc9aa8995f797fe13900feeb9fa8fb86ccb5abdaa01/summary", "Copy of clientlib.js(11).download", "Copy of clientlib(14).css", "https://www.virustotal.com/graph/embed/gfc33296181c74257ae503130940c083ee0c60fc5174e47118fc38f04ffb09584?theme=dark", "https://www.virustotal.com/graph/embed/gdef52451e74740eaabbbcc6db2209b722e6a17129ba94f4eb92fa176bcea66f7?theme=dark", "Copy of clientlib.js(42).download", "Copy of clientlib(55).css", "Copy of clientlib.js(9).download", "https://urlscan.io/user/submit/", "Copy of clientlib(6).css", "Copy of iframe_api", "Copy of clientlib(35).css", "Copy of clientlib.js(22).download", "Copy of clientlib.js(35).download", "Copy of clientlib(45).css", "https://www.virustotal.com/ui/file_behaviours/2bc23a995bf4af9ba43ee21bd71c398444dd994b84d8fb7cb94b5429af4e60bf_Zenbox/html", "https://www.virustotal.com/graph/embed/g8a2d0c1eca164cb0a1844db566d28208e0e5b5e03bfb4377a98265a5c0e47960?theme=dark", "Copy of clientlibs.js(3).download", "https://www.virustotal.com/graph/embed/ga408d14b97e346d788613eab3a11c80af28a15dda5334f9a93221e82d25545bb?theme=dark", "https://www.virustotal.com/graph/embed/gcf877329e4824f7ea96cf4dce8a5fe5f7b0ba40333ae46ba92da9a514c2e006b?theme=dark", "Copy of clientlib.js(10).download", "https://www.virustotal.com/gui/collection/3955f19b42e4ed4d4af0bb416ee463d8a6190cdcc4b1de29a0bf795d2dc18a97/summary", "Copy of clientlib(38).css", "https://urlscan.io/search/#asn:%22AS852%22", "https://www.filescan.io/uploads/66a001cb3ba51bb345a32569/reports/34b4aa58-68cb-4045-8653-ccfd3a1fb3dd/overview", "https://urlquery.net/report/16d1e034-1c64-4cbe-8b58-f5926dab9001", "Copy of clientlib(53).css", "Copy of clientlib(15).css", "http://ci-www.threatcrowd.org/domain.php?domain=albertandp.ca", "https://ipinfo.io", "http://ci-www.threatcrowd.org/domain.php?domain=telus.com", "Copy of clientlib.js(8).download", "Copy of clientlib(43).css", "https://www.filescan.io/uploads/6941e02584afa5547b586bac/reports/a23ea43a-ad21-4306-9f47-1a8deaa129c0/ioc", "https://www.virustotal.com/gui/collection/3955f19b42e4ed4d4af0bb416ee463d8a6190cdcc4b1de29a0bf795d2dc18a97/iocs", "https://dnstwist.it/#9966d7b4-2d66-4349-9129-21d2adc26c89", "Copy of clientlib.js(60).download", "Copy of clientlib(51).css", "https://tip.neiki.dev/file/fb0b66efe3b780270db0693b6df42dd08068428b86fc1a579fe5117d4ae76e07/network", "https://tria.ge/240521-rvybaahb79", "https://viz.greynoise.io/analysis/c8416853-215d-48d0-9420-b6f43cdb1aaf", "Copy of clientlib.js(24).download", "Copy of clientlib(37).css", "https://www.telus.com/en/ab/outages?INTCMP=contactus_outage_AB_V2", "https://viz.greynoise.io/analysis/7a369df9-bcbf-4540-ad0f-6d52c0c55cdb", "https://yaraify.abuse.ch/scan/results/6b287c37-2e43-11f1-b47f-42010aa4000b", "https://vtbehaviour.commondatastorage.googleapis.com/b9af69ac821a649f211c99e3edf32a76a213e9450b5e972a6cdda5758af530dd_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1724181274&Signature=i8XiiJ%2BdCvj6ByL4c5tRY21ZEXdquVAdSRwC7OrdlnUHP75gU59aV17r7CtZaWH%2B1qhK94T1CSnRScW5Ez3t%2B9eCCNPcgPI2mOl1c1dBBiiIrj3r1rIzlDQyKFTQhaLjOzFcFzCL5OZ8XXk6ppN9iC6N5uEYJWHDOZs7bbsQYPwnmo2iwRhFDDUjSCQMKwOPrF34fDOoqnSlZCfe981ZRIr6HISZTbu1fhFFdpNgPTVw7D3Y384i4b6nkfzjkI8u", "Copy of clientlib.js(55).download", "https://hybrid-analysis.com/sample/5e066617cc959dbab123f23d5d36a4dc4d813358e43eddbd1a6e7c87827c301d", "Copy of clientlibs(2).css", "http://www.hybrid-analysis.com/sample/dc744fc325700c6fda2b8d83b39a8c241258b9305058a3402ce70c97932acc74/677d1d5dcb161e2448026452", "Copy of clientlib(27).css", "https://www.virustotal.com/gui/collection/6a41ae1cf2d3d51fedd2393d893c3b26ed0352dde2e0851d03f0bae9aaa69ae1/iocs", "Copy of clientlib.js(14).download", "https://www.virustotal.com/gui/collection/0b3c0a84782018d8bafc47ebd40c4eaf993f40ca3de61aa98eb15302a7a80b04/summary", "https://www.virustotal.com/gui/collection/8d65d93130b4775903adbffbb53820d40bb9425dcf1848b806ffee65ee883984", "Copy of clientlib(40).css", "https://www.virustotal.com/gui/file/5e066617cc959dbab123f23d5d36a4dc4d813358e43eddbd1a6e7c87827c301d?nocache=1", "https://viz.greynoise.io/query/AS852%20classification:%22malicious%22", "https://www.virustotal.com/graph/embed/g03752e112d454511bb41e53c4ca610371d531e6bfe2444ed9fd093145aef08f0?theme=dark", "Copy of clientlib(44).css", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/66b3cdc9971b263122bd14db", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/67ab2665782e1dfbf8ec2d3c", "https://www.virustotal.com/graph/embed/g1ea71614909243c1a291970fa39651a2d169deef25b7418fab2f0299221eb152?theme=dark", "URLscanio, FSio, vT", "Copy of clientlib.js(59).download", "Copy of clientlibs(3).css", "hxxps://go[.]microsoft[.]com/fwlink/?LinkId=2033498", "https://urlquery.net/report/651a5df9-e1ed-46d1-a53f-a334b0462430", "Copy of clientlib.js(51).download", "https://whiteintel.io/", "https://www.virustotal.com/graph/embed/g99d61feda7554cba94972ae4110efe8acacfea236d6943d0bdc93dcbc7e9b60f?theme=dark", "07.19.24: IPs, Greynoise: https://viz.greynoise.io/analysis/ba31ba2b-4967-4d39-ac24-143d9c66136b", "https://www.virustotal.com/gui/url/1763a71e86e74729f1e993dc2e6b5cec9d91dd51245533a5300c85c9d49bc7ef", "https://www.virustotal.com/graph/embed/g2ef035cd31754a649909336c174aa141b9cca7e431994d12969e0d9d73a01b71?theme=dark", "https://www.virustotal.com/graph/embed/gf794b7e0cba442578197356822e0457b8d920ff9ea32461e85ddb716b3c771cf?theme=dark", "https://www.filescan.io/uploads/68e01279f377ab2310519c81/reports/02a0a465-8936-4b6d-99a2-6950b71ab1c5/ioc", "https://viz.greynoise.io/analysis/8be38b3f-73d9-4f4c-bb64-508ee329596e", "https://mwdb.cert.pl/file/efb45096e24a61b488eb809bd8edf874d15bb498dd75ced8b888b020c87e5c6c", "Copy of clientlib.js(38).download", "Copy of clientlib.js(19).download", "Copy of clientlib(30).css", "https://www.virustotal.com/gui/collection/6a41ae1cf2d3d51fedd2393d893c3b26ed0352dde2e0851d03f0bae9aaa69ae1/summary", "Copy of clientlib(24).css", "https://www.virustotal.com/gui/collection/4b0d82fda81972be3f9373edf863a3bcf426aafc9a53927eedc0b694554de33f", "http://hybrid-analysis.com/sample/f62e99ffe34a3f0c186ac31d151d22dd940884f79bbaafcc6061a2a9387f45a8", "Copy of clientlib(19).css", "https://bgp.tools/as/852", "https://www.virustotal.com/graph/embed/ga590434b8e274dc99fd39dd298c8c786abff51132c8d4646bb3fb3f1f4c3d100?theme=dark", "Copy of clientlib(48).css", "https://inteltechniques.com/tools/Domain.html", "https://www.virustotal.com/graph/embed/gbe89575feac440f0b831e98562c12d0534475b1006e54221acffc624919deef7?theme=dark", "Copy of clientlib(7).css", "https://www.filescan.io/uploads/669fffb84c5c17942a7c1d3f/reports/c881cbc5-750f-4b35-a43d-084844d036e6/overview", "https://vtbehaviour.commondatastorage.googleapis.com/27f74e49d7263156339c0b950fdbd6c98f633254229085814689ba348ea4d85a_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1724426279&Signature=KWv3ie5iuSeNS%2Flc%2BGXXzfwbqKYxF4lfka5N2gHnA6gYz63eETZ8yzhfO64lV6HacEN9qfuNfVzdltiRLDV8hweWSZHPdZgx%2ByHGwEvpBI6Pk7PvgX8nKdcJso8%2B1iA3hgRF10wNbQKIZP3K%2BOMdzLLHN9JpuSJUVxxHVhORYlokSH6OaM6Yn6qzdNQcGhAH%2B3LXiSJZggxduc%2F2cGsNIj47o%2FCrC3B0GZzIicJar8MJFq", "https://www.virustotal.com/graph/embed/ga26f4bba58834344a271a36d59827ec2154f655df6324f939f674b0d49e1290a?theme=dark", "Copy of clientlib.js(16).download", "Copy of clientlib(21).css", "https://www.virustotal.com/gui/collection/5967f31c865dce02efd16cebad1e75bd838298965361912987dd932a513f9212/iocs", "Copy of clientlibs.js.download", "Copy of clientlib.js(32).download", "https://leakix.net/search?scope=leak&q=alberta.ca", "Copy of clientlibs.js(4).download", "http://hybrid-analysis.com/file-collection/69cde0c4bb7312412908e0be", "Copy of clientlib(9).css", "Copy of clientlib.js(29).download", "http://hybrid-analysis.com/file-collection/69cf1e657df98395e50a4e33", "https://www.virustotal.com/graph/embed/g64431c9444084659a4360cb063de46ef275e7f87c38a4da8b67dde4541729147?theme=dark", "https://informationlaundromat.com/content-search", "03.11.14: https://www.virustotal.com/graph/embed/ge2e309eb8bd34fcca56398089b2291058dfe1fca69dc4e5aa66db0365caf735b?theme=dark", "https://viz.greynoise.io/analysis/16d9bc15-d3ed-4e71-9631-16742e511649", "https://www.virustotal.com/gui/collection/79c25168b2f93d9730a56b8d2b834cbfb2752b63b21b9dd51109416fbaa676d8/iocs", "https://viz.greynoise.io/ip/analysis/3cf1334a-df9d-448f-8145-d5fe67637c1a (11.22.25)", "https://www.virustotal.com/gui/collection/42a860ff5b9f4fcb926d2b66cf9f4f59effa82aad96c271807b6cad96cda522d/iocs", "https://www.virustotal.com/gui/collection/40d6991f82d1a475ac48126d0fe7cd1481611146ae96cd496abf3f80955dda06/graph", "https://leakix.net/search?scope=leak&q=telus.com", "Copy of clientlib(33).css", "hxxps://myapplications[.]microsoft[.]com/", "Copy of clientlib.js(44).download", "https://www.virustotal.com/gui/collection/2b33908584f5c3987941edc9aa8995f797fe13900feeb9fa8fb86ccb5abdaa01/iocs", "http://hybrid-analysis.com/sample/f62e99ffe34a3f0c186ac31d151d22dd940884f79bbaafcc6061a2a9387f45a8/6941e0586df20223a505d490", "https://www.virustotal.com/graph/embed/gc3d0a481dd64463a889ad9f206727d9d87db106da3c34deb922a2ce7837d6577?theme=dark", "Copy of clientlib.js(5).download", "https://viz.greynoise.io/analysis/3fbd45fa-08a2-423a-98b9-e6b37ea05e8a", "updated 08.21.24: https://www.virustotal.com/graph/embed/g64431c9444084659a4360cb063de46ef275e7f87c38a4da8b67dde4541729147?theme=dark", "https://www.virustotal.com/graph/embed/g8726609a12794ebeb59edd531961a233068149bcdf994b428f20141be6111551?theme=dark", "Copy of clientlib.js(1).download", "https://urlscan.io/search/#page.asn%3AAS852", "Copy of clientlib.js(7).download", "https://bgp.he.net/AS852#_prefixes", "https://www.virustotal.com/graph/embed/g4f693a77e33b425bba54132d3a641fcd8b78af74d8fc44528a643c4a264d582f?theme=dark", "Copy of clientlib.js(2).download", "https://dnschecker.org/asn-whois-lookup.php?query=AS852", "https://www.alberta.ca/minister-of-advanced-education", "https://tria.ge/240521-rxpf6ahd6w", "https://app.threat.zone/submission/12b7b619-0e5a-4996-9bb5-493ef98f2803/url-analysis-report", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/67ab2665da3e8886f5e4ecce", "https://www.virustotal.com/gui/collection/0b3c0a84782018d8bafc47ebd40c4eaf993f40ca3de61aa98eb15302a7a80b04/graph", "Copy of clientlibs.js(2).download", "Copy of clientlib.js(57).download", "https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/iocs", "Copy of dir (1).c9r", "https://metadefender.com/results/file/bzI1MDMwMVFWaXRDS0hpWElYcnV0QllCYlB1", "Copy of clientlib(47).css", "Copy of clientlib.js(17).download", "Copy of clientlib(10).css", "https://www.virustotal.com/graph/embed/g16457cd5ead246d99d2ecf37b965641b258cffddb8374ad194cdea194868d1ec?theme=dark", "https://www.virustotal.com/graph/embed/ga06a03c71a1848adb8e47517af7d1803f6bc8aa5dd4a480f921a7e9528da34df?theme=dark", "https://viz.greynoise.io/analysis/0746f250-b49a-4017-9e80-b0c9ce1993d6", "https://www.virustotal.com/gui/collection/40d6991f82d1a475ac48126d0fe7cd1481611146ae96cd496abf3f80955dda06/summary" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "Unknown" ], "malware_families": [], "industries": [ "Energy", "Agriculture", "Chemical", "Manufacturing", "Education", "Healthcare", "Technology", "Government", "Retail", "Media", "Biotechnology", "Transportation", "Construction", "Defense", "Finance", "Telecommunications", "Hospitality" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 50, "pulses": [ { "id": "69cdfa3fffcead91f1de0e24", "name": "Google Pixel - Falcon Sandbox - 04.02.26", "description": "The following is the full list of links to the Falcon Sandbox, an anti-virus service set up by CrowdStrike\nGoogle Pixel via Telus", "modified": "2026-04-03T02:23:36.206000", "created": "2026-04-02T05:10:18.910000", "tags": [ "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "hybrid analysis", "api key", "vetting process", "please note", "please", "abuse.ch", "yara", "scan", "engine", "yaraify", "clamav", "yara task", "results yara", "scan hunting", "alerts access", "data yarahub", "search faq", "login", "task results", "first", "cookie" ], "references": [ "http://hybrid-analysis.com/file-collection/69cde0c4bb7312412908e0be", "http://hybrid-analysis.com/file-collection/69cde2f3f65064c187045802", "http://hybrid-analysis.com/file-collection/69cde6bc2a3b38371e0699b5", "https://yaraify.abuse.ch/scan/results/6b287c37-2e43-11f1-b47f-42010aa4000b", "http://hybrid-analysis.com/file-collection/69cf1e657df98395e50a4e33", "http://hybrid-analysis.com/sample/9782f26f60db73a042a51fd9b6a1f881e87c5b54506be3de099cfc48a62e5ee2" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "UCP_GoA23", "id": "382539", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_382539/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 214, "FileHash-SHA1": 214, "FileHash-SHA256": 238, "domain": 5, "hostname": 17, "IPv4": 10, "URL": 1 }, "indicator_count": 699, "is_author": false, "is_subscribing": null, "subscriber_count": 16, "modified_text": "16 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69c0a51731a8beabb13f2144", "name": "VirusTotal report\n for GET_BTC-409.pdf", "description": "", "modified": "2026-03-23T02:31:26.825000", "created": "2026-03-23T02:27:35.667000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "FileHash-SHA1": 6, "FileHash-SHA256": 118, "URL": 158, "domain": 141, "hostname": 38, "IPv4": 10 }, "indicator_count": 477, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "27 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b10d1ce4563d38fbbc72d6", "name": "disable_duck clone Alberta", "description": "", "modified": "2026-03-11T07:40:56.177000", "created": "2026-03-11T06:35:08.464000", "tags": [ "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "white", "modified", "runtime data", "ansi", "public", "months ago", "filehashsha256", "hostname", "domain", "path", "green", "copy", "powershell", "general", "malicious", "pixel", "suspicious", "meta", "covenant", "virustotal", "click", "open", "cobalt strike", "probe", "first", "installer", "template", "crypto", "cobalt", "mozilla", "mirai", "false", "date", "title", "roboto", "arch", "android", "april", "drovorub", "squad", "baby", "geek", "tofsee", "redline stealer", "twitter", "service", "team", "killswitch", "mini", "cobaltstrike", "enterprise", "simda", "suppobox", "ransomware", "maldoc", "computrace", "february", "tetris", "hybrid", "body", "iframe", "qakbot", "double", "proton", "mark", "jakarta", "win32", "explorer", "union", "redirector", "xrat", "model", "rogue", "done", "python", "police", "thor", "xploit", "impact", "retro", "jeff", "oilrig", "sliver", "bypass", "info", "school", "miner", "phishing", "riots", "comment", "gafgyt", "bashlite", "calgary", "tech", "bitcoin", "test", "survey", "ukraine", "gamarue", "swisyn", "krucky", "systembc", "june", "dridex", "agent", "close", "format", "autodetect", "strings", "contact", "switch", "community", "limits", "inquest labs", "resources api", "cve list", "notes blog", "drop your", "file", "kaspersky threat intelligence portal", "online virus scan file", "online file scanner", "kaspersky online scanner", "online file virus scan", "scan file online", "scan file for virus", "file scanner", "online file virus scanner", "check link for virus", "kaspersky online scan", "check file for virus", "false alarm", "false detection", "false positive", "online virus", "scanner", "hybrid analysis", "api key", "vetting process", "please note", "please", "ualberta", "ualberta http", "xormozilla", "disableduck", "virus", "static", "indicator of compromise", "ioc", "extraction", "emulation", "platform", "triage", "report", "reported", "analyze", "filesize", "set value", "iocs", "process", "process key", "monitor", "resource", "config", "target", "generic", "javascript", "static analyzer", "analyzer", "Microsoft", "YEG", "UAlberta", "Google", "AHS", "Covenant Health" ], "references": [ "https://hybrid-analysis.com/sample/5e066617cc959dbab123f23d5d36a4dc4d813358e43eddbd1a6e7c87827c301d/68e01fdde76500b3c20326c4", "https://metadefender.com/results/file/bzI1MTAwMzhvTXdHbkVaZGItcW0tbnU2Nmkx_mdaas", "https://opentip.kaspersky.com/5E066617CC959DBAB123F23D5D36A4DC4D813358E43EDDBD1A6E7C87827C301D/?tab=upload", "https://hybrid-analysis.com/sample/5e066617cc959dbab123f23d5d36a4dc4d813358e43eddbd1a6e7c87827c301d", "https://www.filescan.io/uploads/68e01279f377ab2310519c81/reports/02a0a465-8936-4b6d-99a2-6950b71ab1c5/ioc", "https://tria.ge/251003-x8c56azky6/behavioral2", "https://www.virustotal.com/gui/file/5e066617cc959dbab123f23d5d36a4dc4d813358e43eddbd1a6e7c87827c301d?nocache=1", "https://app.threat.zone/submission/db9c1a4a-a706-4ed9-9229-4190f02151bc/overview" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America", "Netherlands" ], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1135", "name": "Network Share Discovery", "display_name": "T1135 - Network Share Discovery" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" } ], "industries": [ "Education", "Government", "Healthcare" ], "TLP": "white", "cloned_from": "68e02ab7156e79ecd34a4929", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4203, "CIDR": 8, "CVE": 13, "FileHash-MD5": 31, "FileHash-SHA1": 25, "FileHash-SHA256": 74, "domain": 117, "email": 14, "hostname": 76 }, "indicator_count": 4561, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "39 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69a5c36b78ed73550bb0bf22", "name": "by Disable_Duck", "description": "", "modified": "2026-03-04T23:37:24.208000", "created": "2026-03-02T17:05:47.288000", "tags": [ "kgs0", "kls0", "botname http", "entity", "UAlberta", "Telus", "Norton", "ffss", "Alberta", "AlbertaNDP", "InteriorHealth", "RCMP", "CrimeStoppersAB", "EdmontonPolice", "RCMP Kelowna", "RCMP AB", "TLS/SSL Crawler", "CVE-2026-24061 Attempt", "Generic IoT Default Password Attempt", "Cisco Prime Infrastructure CVE-2019-1821 RCE Attempt", "Dahua Backdoor Attempt", "ENV Crawler", "DCERPC Protocol", "Carries HTTP Referer", "GNU Inetutils Telnetd Auth Bypass", "ICMPv4 Protocol" ], "references": [ "https://www.virustotal.com/graph/embed/g34c2ebfedb6c47c286431a829da992c3744ab3fab0d74008946f3b9bbeb83e23?theme=dark", "https://viz.greynoise.io/ip/analysis/61bb7542-40c2-448e-87d4-947a4623eada", "https://viz.greynoise.io/ip/analysis/7e527b44-c950-4c01-bb33-d96" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada", "Netherlands", "Panama", "Poland", "United Kingdom of Great Britain and Northern Ireland", "Slovakia", "Aruba", "Anguilla", "Australia", "Costa Rica", "Guatemala", "Mexico", "Trinidad and Tobago", "Cura\u00e7ao", "Philippines", "Virgin Islands, U.S.", "Ukraine", "Barbados", "Germany", "Sint Maarten (Dutch part)", "Argentina", "Switzerland" ], "malware_families": [], "attack_ids": [], "industries": [ "Education", "Healthcare", "Government", "Technology", "Energy", "Telecommunications" ], "TLP": "white", "cloned_from": "6901363c4ce422f5caf0f72c", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3903, "FileHash-SHA1": 4967, "FileHash-SHA256": 12884, "URL": 996, "domain": 987, "hostname": 3306, "email": 4, "CVE": 1 }, "indicator_count": 27048, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "45 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69228447b9c71795633314df", "name": "Keep Corrupt - University of Alberta Incidents continue to escalate - 02.16.26", "description": "Recovered accounts that have been used & abused - courtesy of decisions by non-technical leadership = accounts for UAlberta students -> PW manager made inaccessible (tied to UAlberta account) during a Data-Breach.\nWhen PW manager & Accounts returned, was populated by these (many = fraudulent; some appear to be abuse of legitimate services, while others do not, yet don't know function or origin)\n\nNot representative of OG PW manager. Many (most) accts. used/abused (on-going). \n\nDon't have a backup of original = hard to compare. Don't quite know what the majority of these companies etc. are for and/or do exactly. Putting them together as they roll-in.\nCan't turn them off in most cases - I don't have access to the U of A accounts these originate from and/or original recovery methods. \n\n2 more batches to add to this pulse (Need to add into VT) 02.16.26\n\nCountries listed are where 2 victims (UAlberta Graduates) have citizenship or some tie with.", "modified": "2026-03-04T21:04:10.482000", "created": "2025-11-23T03:49:27.649000", "tags": [ "geoip", "as54113", "fastly", "as20940", "as15169", "google", "as214401", "maincubesas", "gmbh", "apache geoip", "facebook", "UAlberta", "AHS", "Treaty 8", "GoA", "Alberta", "Edmonton", "YEG" ], "references": [ "https://viz.greynoise.io/ip/analysis/3cf1334a-df9d-448f-8145-d5fe67637c1a", "URLscanio, FSio, vT", "03.11.14: https://www.virustotal.com/graph/embed/ge2e309eb8bd34fcca56398089b2291058dfe1fca69dc4e5aa66db0365caf735b?theme=dark", "https://www.virustotal.com/gui/collection/6a41ae1cf2d3d51fedd2393d893c3b26ed0352dde2e0851d03f0bae9aaa69ae1/summary", "https://www.virustotal.com/gui/collection/6a41ae1cf2d3d51fedd2393d893c3b26ed0352dde2e0851d03f0bae9aaa69ae1/iocs", "https://viz.greynoise.io/ip/analysis/3cf1334a-df9d-448f-8145-d5fe67637c1a (11.22.25)" ], "public": 1, "adversary": "", "targeted_countries": [ "Cura\u00e7ao", "Guatemala", "Sint Maarten (Dutch part)", "Tanzania, United Republic of", "Barbados", "United States of America", "Bahamas", "Anguilla", "Canada", "Saint Vincent and the Grenadines", "United Kingdom of Great Britain and Northern Ireland", "Kenya", "France", "Aruba", "Mexico", "Poland", "Costa Rica", "Ireland", "Trinidad and Tobago", "Netherlands", "Slovakia", "Spain", "Philippines" ], "malware_families": [], "attack_ids": [], "industries": [ "Government", "Technology", "Telecommunications", "Education", "Healthcare", "Finance", "Retail", "Hospitality", "Transportation" ], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 47, "FileHash-MD5": 32, "FileHash-SHA1": 12, "FileHash-SHA256": 1047, "URL": 4006, "domain": 2126, "email": 412, "hostname": 2122, "CVE": 1 }, "indicator_count": 9805, "is_author": false, "is_subscribing": null, "subscriber_count": 134, "modified_text": "45 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6901363c4ce422f5caf0f72c", "name": "Copy of DevT-OddTags-Browser-BasedOdditites - (L4ke.Aff3ct.216, 01.18.26)", "description": "Updated based on VT Graph & Tracking Spread of Cybercrime. This Pulse is mostly covering activity in the Province of Alberta Canada. Given recent news, it appears that BC Interior Health and Kelowna RCMP Detachment impacted in addition to Alberta Sectors of Education, Healthcare, and Government (Provincial & Federal - e.g. Treaty 6,7,8 as well as the Canadian CRA heavily impacted). \nEnriched a graph by vt user (L4ke.Aff3ct.216, 01.02.26)\nSubmitted IOCs to Greynoise.io (10.28.25)", "modified": "2026-02-18T05:00:41.494000", "created": "2025-10-28T21:31:40.008000", "tags": [ "kgs0", "kls0", "botname http", "entity", "UAlberta", "Telus", "Norton", "ffss", "Alberta", "AlbertaNDP", "InteriorHealth", "RCMP", "CrimeStoppersAB", "EdmontonPolice", "RCMP Kelowna", "RCMP AB" ], "references": [ "https://www.virustotal.com/graph/embed/g34c2ebfedb6c47c286431a829da992c3744ab3fab0d74008946f3b9bbeb83e23?theme=dark", "https://viz.greynoise.io/ip/analysis/61bb7542-40c2-448e-87d4-947a4623eada" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada", "Netherlands", "Panama", "Poland", "United Kingdom of Great Britain and Northern Ireland", "Slovakia", "Aruba", "Anguilla", "Australia", "Costa Rica", "Guatemala", "Mexico", "Trinidad and Tobago", "Cura\u00e7ao", "Philippines", "Virgin Islands, U.S.", "Ukraine", "Barbados", "Germany", "Sint Maarten (Dutch part)" ], "malware_families": [], "attack_ids": [], "industries": [ "Education", "Healthcare", "Government", "Technology", "Energy", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3903, "FileHash-SHA1": 4967, "FileHash-SHA256": 12884, "URL": 995, "domain": 984, "hostname": 3305, "email": 4 }, "indicator_count": 27042, "is_author": false, "is_subscribing": null, "subscriber_count": 128, "modified_text": "60 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6941e87912ebb7843300906d", "name": "Telus Github", "description": "Telus has a Github. They are one of Canada's 'big 3' ISPs. They are compromised.", "modified": "2026-01-15T23:03:27.378000", "created": "2025-12-16T23:17:13.020000", "tags": [ "type", "path", "secure", "date", "accept", "self", "httponly", "samesitelax", "expireswed", "updated", "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "prefetch8 ansi", "ansi", "show process", "hash seen", "threat level", "pcap", "sha256", "pcap processing", "ck id", "suspicious", "hybrid", "comspec", "close", "click", "hosts", "general", "model", "strings", "contact", "hybrid analysis", "api key", "vetting process", "please note", "please", "virus", "ransomware", "static", "indicator of compromise", "ioc", "extraction", "emulation", "platform", "javascript", "static analyzer", "analyzer" ], "references": [ "http://hybrid-analysis.com/sample/f62e99ffe34a3f0c186ac31d151d22dd940884f79bbaafcc6061a2a9387f45a8/6941e0586df20223a505d490", "http://hybrid-analysis.com/sample/f62e99ffe34a3f0c186ac31d151d22dd940884f79bbaafcc6061a2a9387f45a8", "https://www.filescan.io/uploads/6941e02584afa5547b586bac/reports/a23ea43a-ad21-4306-9f47-1a8deaa129c0/ioc", "https://www.virustotal.com/gui/collection/5967f31c865dce02efd16cebad1e75bd838298965361912987dd932a513f9212/iocs", "https://www.virustotal.com/gui/collection/5967f31c865dce02efd16cebad1e75bd838298965361912987dd932a513f9212/summary", "https://app.threat.zone/submission/12b7b619-0e5a-4996-9bb5-493ef98f2803/url-analysis-report" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" } ], "industries": [ "Telecommunications", "Technology", "Healthcare", "Education" ], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 32, "FileHash-SHA1": 31, "FileHash-SHA256": 31, "SSLCertFingerprint": 11, "URL": 197, "domain": 27, "email": 2, "hostname": 101 }, "indicator_count": 432, "is_author": false, "is_subscribing": null, "subscriber_count": 130, "modified_text": "93 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65eea19a23474b8c7dca351f", "name": "All Items - find from the UA archive disk", "description": "Again have zero idea 'what these are' - just uploading from the 'archives' as I sort through things", "modified": "2025-12-24T08:28:47.628000", "created": "2024-03-11T06:15:54.351000", "tags": [], "references": [ "https://www.virustotal.com/gui/collection/09af9ef0b7b23d2dc73d83858106ae4fc97a352dbb521ac04493a0e79095ac69/iocs", "https://www.virustotal.com/gui/collection/79c25168b2f93d9730a56b8d2b834cbfb2752b63b21b9dd51109416fbaa676d8/iocs", "https://www.virustotal.com/graph/embed/g8726609a12794ebeb59edd531961a233068149bcdf994b428f20141be6111551?theme=dark", "https://www.virustotal.com/graph/embed/g365a82115f934e31a69118715695c91c231f66cda9084c9389e56afb985a243e?theme=dark", "", "https://www.virustotal.com/gui/collection/6a8d582df4fe5a29885dad4074236bc9e4ed445aaf0cc00702d45963fb0459bb/iocs" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1165, "hostname": 866, "URL": 657, "FileHash-SHA256": 26, "email": 337, "FileHash-MD5": 12, "FileHash-SHA1": 8, "CIDR": 1 }, "indicator_count": 3072, "is_author": false, "is_subscribing": null, "subscriber_count": 128, "modified_text": "116 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6940e9789fd90101ae15b481", "name": "iPhone 13 Pro Max", "description": "E:\\Suss - SG2\\Backup Drive 2 - UAlberta OneDrive\\User - ualberta.ca\\No Problems\\1. Data for No Problems - Analysis and Upload in Progress\\Apple\\iPhone 13 Pro Max\\", "modified": "2025-12-16T05:10:50.897000", "created": "2025-12-16T05:09:12.600000", "tags": [ "Apple", "iOS", "iPhone" ], "references": [ "https://www.virustotal.com/gui/collection/3c03918e6a22b2c260f85ed6430b98495758973d754d3274124b5bf2b9c194aa", "https://www.virustotal.com/gui/collection/3c03918e6a22b2c260f85ed6430b98495758973d754d3274124b5bf2b9c194aa/iocs" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [ "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 25, "domain": 4, "hostname": 8, "URL": 51, "FileHash-SHA256": 3 }, "indicator_count": 91, "is_author": false, "is_subscribing": null, "subscriber_count": 128, "modified_text": "124 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6940e744ca8a110d3f8efa94", "name": "Apple iPhone SE2", "description": "E:\\Suss - SG2\\Backup Drive 2 - UAlberta OneDrive\\User - ualberta.ca\\No Problems\\1. Data for No Problems - Analysis and Upload in Progress\\Apple\\iPhone SE 2\\", "modified": "2025-12-16T05:02:46.014000", "created": "2025-12-16T04:59:48.704000", "tags": [ "Apple", "iOS" ], "references": [ "https://www.virustotal.com/gui/collection/42a860ff5b9f4fcb926d2b66cf9f4f59effa82aad96c271807b6cad96cda522d", "https://www.virustotal.com/gui/collection/42a860ff5b9f4fcb926d2b66cf9f4f59effa82aad96c271807b6cad96cda522d/iocs" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [ "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 20, "FileHash-SHA1": 16, "FileHash-SHA256": 21, "domain": 2 }, "indicator_count": 59, "is_author": false, "is_subscribing": null, "subscriber_count": 128, "modified_text": "124 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "telus.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "telus.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1776598871.4069338 }