IOC Report
https://app.news.thunderinsider.com/e/es?s=184127279&e=629587&elqTrackId=69627081dd534b6d9af40eedd5595248&elq=ff4f2c7f80ce470b882fa1afd0e79650&elqaid=8363&elqat=1&elqak=8AF5F656DD33E68448FF43BC099216C68C1FC73E96343BF4719313AAFE55248E9FED

Files

| File Path | Type | Category | Malicious |
|---|---|---|---|
| C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk | MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Nov 20 13:17:08 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide | dropped | |
| C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk | MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Nov 20 13:17:07 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide | dropped | |
| C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk | MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 4 12:54:07 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide | dropped | |
| C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk | MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Nov 20 13:17:07 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide | dropped | |
| C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk | MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Nov 20 13:17:07 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide | dropped | |
| C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk | MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Nov 20 13:17:07 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide | dropped | |
| Chrome Cache Entry: 79 | Unicode text, UTF-8 text, with very long lines (65426) | dropped | |
| Chrome Cache Entry: 80 | ASCII text, with very long lines (20553), with no line terminators | downloaded | |
| Chrome Cache Entry: 81 | Unicode text, UTF-8 text, with very long lines (65426) | downloaded | |
| Chrome Cache Entry: 82 | ASCII text, with very long lines (65444) | dropped | |
| Chrome Cache Entry: 83 | ASCII text, with very long lines (11205), with no line terminators | dropped | |
| Chrome Cache Entry: 84 | TrueType Font data, digitally signed, 15 tables, 1st "DSIG", 26 names, Macintosh, Copyright 2014-2017 Indian Type Foundry (info@indiantypefoundry.com)PoppinsLight2.201;ITFO;Poppi | downloaded | |
| Chrome Cache Entry: 85 | PNG image data, 1536 x 208, 8-bit/color RGBA, non-interlaced | downloaded | |
| Chrome Cache Entry: 86 | ASCII text, with very long lines (47710), with no line terminators | downloaded | |
| Chrome Cache Entry: 87 | JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, comment: "CREATOR: gd-jpeg v1.0 (using IJG JPEG v62), default quality", baseline, precision 8, 8001x4500, components 3 | downloaded | |
| Chrome Cache Entry: 88 | JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, comment: "CREATOR: gd-jpeg v1.0 (using IJG JPEG v62), default quality", baseline, precision 8, 8001x4500, components 3 | dropped | |
| Chrome Cache Entry: 89 | ASCII text, with very long lines (11205), with no line terminators | downloaded | |
| Chrome Cache Entry: 90 | ASCII text, with very long lines (65444) | downloaded | |
| Chrome Cache Entry: 91 | TrueType Font data, digitally signed, 15 tables, 1st "DSIG", 26 names, Macintosh, Copyright 2014-2017 Indian Type Foundry (info@indiantypefoundry.com)PoppinsMedium2.201;ITFO;Popp | downloaded | |
| Chrome Cache Entry: 92 | data | downloaded | |
| Chrome Cache Entry: 93 | Unicode text, UTF-8 text, with very long lines (559) | downloaded | |
| Chrome Cache Entry: 94 | PNG image data, 1536 x 208, 8-bit/color RGBA, non-interlaced | dropped | |
| Chrome Cache Entry: 95 | ASCII text, with very long lines (47710), with no line terminators | dropped | |
| Chrome Cache Entry: 96 | Web Open Font Format, TrueType, length 1004, version 1.0 | downloaded | |
| Chrome Cache Entry: 97 | ASCII text, with very long lines (20553), with no line terminators | dropped | |
| Chrome Cache Entry: 98 | data | dropped | |

Processes

| Path | Cmdline | Malicious |
|---|---|---|
| C:\Program Files\Google\Chrome\Application\chrome.exe | "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" | |
| C:\Program Files\Google\Chrome\Application\chrome.exe | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2064 --field-trial-handle=2020,i,10143168073777583921,18166078978518154720,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 | |
| C:\Program Files\Google\Chrome\Application\chrome.exe | "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://app.news.thunderinsider.com/e/es?s=184127279&e=629587&elqTrackId=69627081dd534b6d9af40eedd5595248&elq=ff4f2c7f80ce470b882fa1afd0e79650&elqaid=8363&elqat=1&elqak=8AF5F656DD33E68448FF43BC099216C68C1FC73E96343BF4719313AAFE55248E9FED" | |

URLs

| Name | IP | Malicious |
|---|---|---|
| https://app.news.thunderinsider.com/e/es?s=184127279&e=629587&elqTrackId=69627081dd534b6d9af40eedd5595248&elq=ff4f2c7f80ce470b882fa1afd0e79650&elqaid=8363&elqat=1&elqak=8AF5F656DD33E68448FF43BC099216C68C1FC73E96343BF4719313AAFE55248E9FED | | |
| https://s184127279.t.eloqua.com/e/footerimages/fi9?es=629587&s=184127279&u=aHR0cHM6Ly9hcHAubmV3cy50aHVuZGVyaW5zaWRlci5jb20vZS9lcz9zPTE4NDEyNzI3OSZlPTYyOTU4NyZlbHFUcmFja0lkPTY5NjI3MDgxZGQ1MzRiNmQ5YWY0MGVlZGQ1NTk1MjQ4JmVscT1mZjRmMmM3ZjgwY2U0NzBiODgyZmExYWZkMGU3OTY1MCZlbHFhaWQ9ODM2MyZlbHFhdD0xJmVscWFrPThBRjVGNjU2REQzM0U2ODQ0OEZGNDNCQzA5OTIxNkM2OEMxRkM3M0U5NjM0M0JGNDcxOTMxM0FBRkU1NTI0OEU5RkVE | 147.154.0.190 | |
| https://app.news.thunderinsider.com/e/ref.ico | 130.35.231.220 | |
| https://app.news.thunderinsider.com/e/er?s=184127279&lid=31461&elqTrackId=55be44a08e444040ad83c3b63250595f&email=mesiess%40lifeshareok.org&cid=&elq=ff4f2c7f80ce470b882fa1afd0e79650&elqaid=8363&elqat=1&elqak=8AF56AA30DC9EAAAF2EBCEC2ABAAF5AE46C2C73E96343BF4719313AAFE55248E9FED | 130.35.231.220 | |
| https://s184127279.t.eloqua.com/e/er?s=184127279&lid=31461&elqTrackId=55be44a08e444040ad83c3b63250595f&email=mesiess@lifeshareok.org&cid=&elq=ff4f2c7f80ce470b882fa1afd0e79650&elqaid=8363&elqat=1&elqak=8AF56AA30DC9EAAAF2EBCEC2ABAAF5AE46C2C73E96343BF4719313AAFE55248E9FED | 147.154.0.190 | |
| https://app.news.thunderinsider.com/e/es?s=184127279&e=629587&elqTrackId=69627081dd534b6d9af40eedd5595248&elq=ff4f2c7f80ce470b882fa1afd0e79650&elqaid=8363&elqat=1&elqak=8AF5F656DD33E68448FF43BC099216C68C1FC73E96343BF4719313AAFE55248E9FED | | |
| https://s184127279.t.eloqua.com/e/FooterImages/FooterImage1.aspx?elq=ff4f2c7f80ce470b882fa1afd0e79650&siteid=184127279&elqCookie=1 | 147.154.0.190 | |
| https://app.news.thunderinsider.com/e/FooterImages/FooterImage1?elq=ff4f2c7f80ce470b882fa1afd0e79650&siteid=184127279 | 130.35.231.220 | |
| https://app.news.thunderinsider.com/e/footerimages/fi9?es=629587&s=184127279&u=aHR0cHM6Ly9hcHAubmV3cy50aHVuZGVyaW5zaWRlci5jb20vZS9lcz9zPTE4NDEyNzI3OSZlPTYyOTU4NyZlbHFUcmFja0lkPTY5NjI3MDgxZGQ1MzRiNmQ5YWY0MGVlZGQ1NTk1MjQ4JmVscT1mZjRmMmM3ZjgwY2U0NzBiODgyZmExYWZkMGU3OTY1MCZlbHFhaWQ9ODM2MyZlbHFhdD0xJmVscWFrPThBRjVGNjU2REQzM0U2ODQ0OEZGNDNCQzA5OTIxNkM2OEMxRkM3M0U5NjM0M0JGNDcxOTMxM0FBRkU1NTI0OEU5RkVE | 130.35.231.220 | |
| https://s184127279.t.eloqua.com/e/FooterImages/FooterImage1?elq=ff4f2c7f80ce470b882fa1afd0e79650&siteid=184127279 | 147.154.0.190 | |
| https://okcthundersurveys.qualtrics.com/CP/Graphic.php?IM=IM_eQI0vWP2GucgSd8) | unknown | |

Domains

| Name | IP | Malicious |
|---|---|---|
| p03g.t.eloqua.com | 147.154.0.190 | |
| p03g.t.en25.com | 130.35.231.220 | |
| www.google.com | 142.250.181.68 | |
| okcthundersurveys.qualtrics.com | unknown | |
| img03.en25.com | unknown | |
| app.news.thunderinsider.com | unknown | |
| eu.qualtrics.com | unknown | |
| s184127279.t.eloqua.com | unknown | |
| images.news.thunderinsider.com | unknown | |

IPs

| IP | Domain | Country | Malicious |
|---|---|---|---|
| 147.154.0.190 | p03g.t.eloqua.com | United States | |
| 192.168.2.5 | unknown | unknown | |
| 239.255.255.250 | unknown | Reserved | |
| 130.35.231.220 | p03g.t.en25.com | United States | |
| 142.250.181.68 | www.google.com | United States | |

DOM / HTML

| URL | Malicious |
|---|---|
| https://app.news.thunderinsider.com/e/es?s=184127279&e=629587&elqTrackId=69627081dd534b6d9af40eedd5595248&elq=ff4f2c7f80ce470b882fa1afd0e79650&elqaid=8363&elqat=1&elqak=8AF5F656DD33E68448FF43BC099216C68C1FC73E96343BF4719313AAFE55248E9FED | |
| https://okcthundersurveys.qualtrics.com/jfe/form/SV_baxphtOL0ez7g22?src=de&email=mesiess%40lifeshareok.org&cid= | |