IOC Report
https://www.research.net/tr/v1/te/akU_2BQc2vAhAsa_2B264x1g6_2FSdSvKedPmeZkblcZEtqvWWcHQCCZfFPeYTO7s7GTl_2BHoTT1ElLj3bLqta9CqvgtfIfU5JwCeniRwF_2Bvxrbs83YCeD25PdeafcZkN9JO2JJ4iG5TDlyG9wrw5tiL2LoOuYFRLEkjxufslh6kYG9PEUv62pSoByi7ocLvbdThPWjpQjrzFXcqIE3U_2FNsGtwSL97WwZQGDjiaC8wYdDRWitDMHJGTuAVdpQCxhZ_2B8


Files

| File Path | Type | Category | Malicious |
|---|---|---|---|
| C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk | MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Oct 29 14:03:49 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide | dropped | |
| C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk | MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Oct 29 14:03:49 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide | dropped | |
| C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk | MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Oct 6 09:23:19 2023, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide | dropped | |
| C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk | MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Oct 29 14:03:49 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide | dropped | |
| C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk | MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Oct 29 14:03:49 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide | dropped | |
| C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk | MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Oct 29 14:03:49 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide | dropped | |
| Chrome Cache Entry: 173 | HTML document, Unicode text, UTF-8 text, with very long lines (737) | downloaded | |
| Chrome Cache Entry: 174 | ASCII text, with very long lines (1981) | downloaded | |
| Chrome Cache Entry: 175 | ASCII text, with very long lines (65536), with no line terminators | downloaded | |
| Chrome Cache Entry: 176 | ASCII text, with very long lines (888) | downloaded | |
| Chrome Cache Entry: 177 | ASCII text, with very long lines (65536), with no line terminators | dropped | |
| Chrome Cache Entry: 178 | ASCII text, with very long lines (1146) | downloaded | |
| Chrome Cache Entry: 179 | Unicode text, UTF-8 (with BOM) text, with very long lines (63680) | downloaded | |
| Chrome Cache Entry: 180 | ASCII text, with very long lines (1572) | downloaded | |
| Chrome Cache Entry: 181 | MS Windows icon resource - 1 icon, 256x256 with PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced, 32 bits/pixel | dropped | |
| Chrome Cache Entry: 183 | ASCII text, with very long lines (5128) | downloaded | |
| Chrome Cache Entry: 184 | ASCII text, with very long lines (25690), with no line terminators | dropped | |
| Chrome Cache Entry: 185 | ASCII text, with very long lines (65536), with no line terminators | downloaded | |
| Chrome Cache Entry: 186 | ASCII text, with very long lines (7813), with no line terminators | downloaded | |
| Chrome Cache Entry: 187 | gzip compressed data, from Unix, original size modulo 2^32 187170 | dropped | |
| Chrome Cache Entry: 190 | ASCII text, with very long lines (65536), with no line terminators | downloaded | |
| Chrome Cache Entry: 193 | ASCII text, with very long lines (65536), with no line terminators | downloaded | |
| Chrome Cache Entry: 195 | Unicode text, UTF-8 (with BOM) text, with very long lines (65522), with no line terminators | downloaded | |
| Chrome Cache Entry: 197 | ASCII text, with very long lines (1486), with no line terminators | downloaded | |
| Chrome Cache Entry: 198 | ASCII text, with very long lines (65536), with no line terminators | downloaded | |
| Chrome Cache Entry: 199 | ASCII text, with very long lines (65536), with no line terminators | downloaded | |
| Chrome Cache Entry: 201 | ASCII text, with very long lines (11718) | downloaded | |
| Chrome Cache Entry: 202 | Web Open Font Format (Version 2), TrueType, length 34775, version 1.0 | downloaded | |
| Chrome Cache Entry: 203 | Web Open Font Format, TrueType, length 49040, version 2.0 | downloaded | |

20 further files are not shown in this report.

URLs

| Name | IP | Malicious |
|---|---|---|
| https://www.research.net/tr/v1/te/akU_2BQc2vAhAsa_2B264x1g6_2FSdSvKedPmeZkblcZEtqvWWcHQCCZfFPeYTO7s7GTl_2BHoTT1ElLj3bLqta9CqvgtfIfU5JwCeniRwF_2Bvxrbs83YCeD25PdeafcZkN9JO2JJ4iG5TDlyG9wrw5tiL2LoOuYFRLEkjxufslh6kYG9PEUv62pSoByi7ocLvbdThPWjpQjrzFXcqIE3U_2FNsGtwSL97WwZQGDjiaC8wYdDRWitDMHJGTuAVdpQCxhZ_2B8eaa6 | | |
| https://www.research.net/r/?sm=MeeKO1NBiu_2FVNCxLo1_2BcIKxGw5enwPdP_2FhO_2FhM0N7ujsHCvZRnEXEpxEJRPB0mHI | | |

Domains

| Name | IP | Malicious |
|---|---|---|
| s3-w.us-east-1.amazonaws.com | 52.217.123.1 | |
| d2yx97y2ukjhui.cloudfront.net | 18.244.18.107 | |
| cdn.signalfx.com | 18.239.18.30 | |
| www.google.com | 142.250.185.132 | |
| fastly-tls12-bam-cell.nr-data.net | 162.247.243.30 | |
| d15akbylw3vqc5.cloudfront.net | 18.238.243.55 | |
| cdn.smassets.net | unknown | |
| surveymonkey-assets.s3.amazonaws.com | unknown | |
| prod.smassets.net | unknown | |
| www.research.net | unknown | |
| bam-cell.nr-data.net | unknown | |
| secure.surveymonkey.com | unknown | |

2 further domains are not shown in this report.

IPs

| IP | Domain | Country | Malicious |
|---|---|---|---|
| 142.250.184.195 | unknown | United States | |
| 34.104.35.123 | unknown | United States | |
| 1.1.1.1 | unknown | Australia | |
| 18.239.18.30 | cdn.signalfx.com | United States | |
| 142.250.185.132 | www.google.com | United States | |
| 192.168.2.18 | unknown | unknown | |
| 142.250.185.238 | unknown | United States | |
| 18.238.243.55 | d15akbylw3vqc5.cloudfront.net | United States | |
| 162.247.243.30 | fastly-tls12-bam-cell.nr-data.net | United States | |
| 239.255.255.250 | unknown | Reserved | |
| 18.173.205.24 | unknown | United States | |
| 142.250.185.174 | unknown | United States | |
| 18.173.205.119 | unknown | United States | |
| 52.217.123.1 | s3-w.us-east-1.amazonaws.com | United States | |
| 142.250.185.142 | unknown | United States | |
| 18.173.205.26 | unknown | United States | |
| 142.250.186.131 | unknown | United States | |
| 64.233.184.84 | unknown | United States | |
| 216.58.212.163 | unknown | United States | |
| 142.250.185.74 | unknown | United States | |
| 18.244.18.107 | d2yx97y2ukjhui.cloudfront.net | United States | |

11 further IPs are not shown in this report.