IOC Report
https://pub.marq.com/f459f366-29c1-4795-9b3e-a3c3f6e24fda/

Files

File Path

Type

Category

Malicious

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Jan 15 18:58:43 2025, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Jan 15 18:58:43 2025, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Oct 6 09:23:19 2023, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Jan 15 18:58:42 2025, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Jan 15 18:58:43 2025, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Jan 15 18:58:42 2025, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide

dropped

Chrome Cache Entry: 102

gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 58144

downloaded

Chrome Cache Entry: 104

ASCII text, with very long lines (2343)

downloaded

Chrome Cache Entry: 106

ASCII text, with very long lines (1305)

dropped

Chrome Cache Entry: 107

ASCII text, with very long lines (821), with no line terminators

downloaded

Chrome Cache Entry: 108

gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 301175

dropped

Chrome Cache Entry: 109

very short file (no magic)

downloaded

Chrome Cache Entry: 110

gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 13909

downloaded

Chrome Cache Entry: 112

PNG image data, 3024 x 1700, 8-bit/color RGBA, non-interlaced

downloaded

Chrome Cache Entry: 113

gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 3127

downloaded

Chrome Cache Entry: 85

gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 3322

dropped

Chrome Cache Entry: 86

gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 52366

dropped

Chrome Cache Entry: 87

ASCII text, with very long lines (5960)

dropped

Chrome Cache Entry: 88

ASCII text, with very long lines (5960)

downloaded

Chrome Cache Entry: 91

gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 429880

downloaded

Chrome Cache Entry: 92

gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 1704906

downloaded

Chrome Cache Entry: 93

XML 1.0 document, ASCII text

downloaded

Chrome Cache Entry: 94

TrueType Font data, 13 tables, 1st "GDEF", 17 names, Microsoft, language 0x409

downloaded

Chrome Cache Entry: 95

gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 7470

downloaded

Chrome Cache Entry: 96

HTML document, ASCII text, with very long lines (358)

downloaded

Chrome Cache Entry: 99

ASCII text, with very long lines (912), with no line terminators

downloaded

There are 17 hidden files, click here to show them.

URLs

Name

IP

Malicious

https://pub.marq.com/f459f366-29c1-4795-9b3e-a3c3f6e24fda/

Details

Filetype:	URL
Filename:	https://pub.marq.com/f459f366-29c1-4795-9b3e-a3c3f6e24fda/

Signature Hits	Behavior Group	Mitre Attack
AI detected suspicious URL	Phishing	Browser Extensions
HTML page contains hidden javascript code	Phishing
Stores files to the Windows start menu directory	Boot Survival	Registry Run Keys / Startup Folder
Classification label	System Summary
Connects to IPs without corresponding DNS lookups	Networking
Creates files inside the user directory	System Summary	Masquerading
Performs DNS lookups	Networking	Non-Application Layer Protocol
Spawns processes	System Summary	Process Injection
Uses HTTPS	Networking	Encrypted Channel Application Layer Protocol
Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis
Uses secure TLS version for HTTPS connections	Compliance, Networking
Found graphical window changes (likely an installer)	System Summary

https://slvraircomfort.com/n/?c3Y9bzM2NV8xX3ZvaWNlJnJhbmQ9VGpWVlVqaz0mdWlkPVVTRVIwODAxMjAyNVUwNDAxMDgwNg==N0123N

https://pub.marq.com/f459f366-29c1-4795-9b3e-a3c3f6e24fda/#_0

Domains

Name

IP

Malicious

slvraircomfort.com

192.185.107.17

Details

Name:	slvraircomfort.com
IP:	192.185.107.17
TargetID:	1
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
AI detected suspicious URL	Phishing	Browser Extensions
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

cdn-cashy-static-assets.marq.com

18.245.60.10

Details

Name:	cdn-cashy-static-assets.marq.com
IP:	18.245.60.10
TargetID:	1
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

analytics-pub.marq.com

54.204.91.219

Details

Name:	analytics-pub.marq.com
IP:	54.204.91.219
TargetID:	1
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

www.google.com

216.58.206.36

Details

Name:	www.google.com
IP:	216.58.206.36
TargetID:	1
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

d3v04nmt9jknbk.cloudfront.net

99.86.4.28

app.marq.com

3.93.140.3

Details

Name:	app.marq.com
IP:	3.93.140.3
TargetID:	1
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

analytics-pub.app.marq.com

35.171.222.254

Details

Name:	analytics-pub.app.marq.com
IP:	35.171.222.254
TargetID:	1
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

stats.g.doubleclick.net

173.194.76.157

Details

Name:	stats.g.doubleclick.net
IP:	173.194.76.157
TargetID:	1
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

pub.marq.com

unknown

Details

Name:	pub.marq.com
TargetID:	1
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe

Signature Hits	Behavior Group	Mitre Attack
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Spawns processes	System Summary	Process Injection

IPs

IP

Domain

Country

Malicious

192.185.107.17

slvraircomfort.com

United States

142.250.186.46

unknown

United States

3.93.140.3

app.marq.com

United States

142.250.186.78

unknown

United States

173.194.76.157

stats.g.doubleclick.net

United States

142.250.185.67

unknown

United States

1.1.1.1

unknown

Australia

173.194.76.84

unknown

United States

54.204.91.219

analytics-pub.marq.com

United States

99.86.4.85

unknown

United States

142.251.5.156

unknown

United States

192.168.2.18

unknown

unknown

142.250.185.232

unknown

United States

216.58.206.36

www.google.com

United States

142.250.181.232

unknown

United States

99.86.4.28

d3v04nmt9jknbk.cloudfront.net

United States

239.255.255.250

unknown

Reserved

142.250.186.142

unknown

United States

18.245.60.10

cdn-cashy-static-assets.marq.com

United States

142.250.184.232

unknown

United States

216.239.36.178

unknown

United States

142.250.186.99

unknown

United States

35.171.222.254

analytics-pub.app.marq.com

United States

There are 13 hidden IPs, click here to show them.