IOC Report
https://dormakaba-safelocks.link/Apexx-Calculator

Files

File Path

Type

Category

Malicious

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Oct 3 19:56:41 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Oct 3 19:56:40 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Oct 6 08:54:41 2023, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Oct 3 19:56:40 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Oct 3 19:56:40 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Oct 3 19:56:40 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide

dropped

Chrome Cache Entry: 101

ISO Media, AVIF Image

downloaded

Chrome Cache Entry: 102

ISO Media, AVIF Image

downloaded

Chrome Cache Entry: 103

Unicode text, UTF-8 text, with very long lines (65532), with no line terminators

downloaded

Chrome Cache Entry: 104

ISO Media, AVIF Image

downloaded

Chrome Cache Entry: 106

PNG image data, 512 x 512, 8-bit/color RGBA, non-interlaced

dropped

Chrome Cache Entry: 107

Web Open Font Format (Version 2), TrueType, length 7824, version 1.0

downloaded

Chrome Cache Entry: 108

PNG image data, 512 x 512, 8-bit/color RGBA, non-interlaced

dropped

Chrome Cache Entry: 109

SVG Scalable Vector Graphics image

dropped

Chrome Cache Entry: 110

ASCII text, with no line terminators

downloaded

Chrome Cache Entry: 111

MS Windows icon resource - 3 icons, 16x16, 32 bits/pixel, 32x32, 32 bits/pixel

downloaded

Chrome Cache Entry: 112

Unicode text, UTF-8 text, with very long lines (32599)

dropped

Chrome Cache Entry: 76

ASCII text, with very long lines (55494)

downloaded

Chrome Cache Entry: 80

JSON data

dropped

Chrome Cache Entry: 81

PNG image data, 512 x 512, 8-bit/color RGBA, non-interlaced

dropped

Chrome Cache Entry: 82

PNG image data, 512 x 512, 8-bit/color RGBA, non-interlaced

dropped

Chrome Cache Entry: 83

ASCII text, with no line terminators

downloaded

Chrome Cache Entry: 84

PNG image data, 512 x 512, 8-bit/color RGBA, non-interlaced

dropped

Chrome Cache Entry: 85

ISO Media, AVIF Image

downloaded

Chrome Cache Entry: 86

Web Open Font Format (Version 2), TrueType, length 615828, version 1.0

downloaded

Chrome Cache Entry: 87

HTML document, ASCII text, with very long lines (10747)

downloaded

Chrome Cache Entry: 88

PNG image data, 512 x 512, 8-bit/color RGBA, non-interlaced

dropped

Chrome Cache Entry: 89

ISO Media, AVIF Image

downloaded

Chrome Cache Entry: 90

ISO Media, AVIF Image

downloaded

Chrome Cache Entry: 92

ISO Media, AVIF Image

downloaded

Chrome Cache Entry: 93

ASCII text, with no line terminators

downloaded

Chrome Cache Entry: 94

PNG image data, 512 x 512, 8-bit/color RGBA, non-interlaced

dropped

Chrome Cache Entry: 95

ASCII text

downloaded

Chrome Cache Entry: 97

ISO Media, AVIF Image

downloaded

Chrome Cache Entry: 99

PNG image data, 512 x 512, 8-bit/color RGBA, non-interlaced

dropped

There are 26 hidden files, click here to show them.

URLs

Name

IP

Malicious

https://dormakaba-safelocks.link/Apexx-Calculator

Details

Filetype:	URL
Filename:	https://dormakaba-safelocks.link/Apexx-Calculator

Signature Hits	Behavior Group	Mitre Attack
Stores files to the Windows start menu directory	Boot Survival	Registry Run Keys / Startup Folder
Classification label	System Summary
Connects to IPs without corresponding DNS lookups	Networking
Creates files inside the user directory	System Summary	Masquerading
HTML page is missing a favicon	Phishing
Performs DNS lookups	Networking	Non-Application Layer Protocol Application Layer Protocol
Spawns processes	System Summary	Process Injection
Uses HTTPS	Networking
Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis		Encrypted Channel
Uses secure TLS version for HTTPS connections	Compliance, Networking
Found graphical window changes (likely an installer)	System Summary

https://dormakaba-safe-locks.convertcalculator.com/apexx-ip-calculator/

Domains

Name

IP

Malicious

a.nel.cloudflare.com

35.190.80.1

Details

Name:	a.nel.cloudflare.com
IP:	35.190.80.1
TargetID:	1
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

imagedelivery.net

104.18.2.36

Details

Name:	imagedelivery.net
IP:	104.18.2.36
TargetID:	1
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

worker.convertstaging.com

188.114.96.3

Details

Name:	worker.convertstaging.com
IP:	188.114.96.3
TargetID:	1
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

dormakaba-safe-locks.convertcalculator.com

76.76.21.123

Details

Name:	dormakaba-safe-locks.convertcalculator.com
IP:	76.76.21.123
TargetID:	1
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

www.google.com

142.250.185.100

Details

Name:	www.google.com
IP:	142.250.185.100
TargetID:	1
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

www.convertcalculator.com

76.76.21.142

Details

Name:	www.convertcalculator.com
IP:	76.76.21.142
TargetID:	1
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

dormakaba-safelocks.link

52.72.49.79

Details

Name:	dormakaba-safelocks.link
IP:	52.72.49.79
TargetID:	1
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Spawns processes	System Summary	Process Injection

IPs

IP

Domain

Country

Malicious

52.72.49.79

dormakaba-safelocks.link

United States

1.1.1.1

unknown

Australia

142.250.186.170

unknown

United States

76.76.21.123

dormakaba-safe-locks.convertcalculator.com

United States

104.18.2.36

imagedelivery.net

United States

76.76.21.142

www.convertcalculator.com

United States

76.76.21.241

unknown

United States

192.168.2.17

unknown

unknown

216.58.206.67

unknown

United States

172.217.18.3

unknown

United States

142.250.185.100

www.google.com

United States

142.250.185.202

unknown

United States

239.255.255.250

unknown

Reserved

188.114.97.3

unknown

European Union

188.114.96.3

worker.convertstaging.com

European Union

35.190.80.1

a.nel.cloudflare.com

United States

142.250.184.206

unknown

United States

216.58.212.174

unknown

United States

142.250.74.195

unknown

United States

66.102.1.84

unknown

United States

There are 10 hidden IPs, click here to show them.