IOC Report
https://gcv.microsoft.us/kgRWagmalJ

Files

Columns: File Path, Type (libmagic description), Category, Malicious. The Malicious column holds no text value for any entry in this extract, so no verdict is reproduced. The six .lnk entries are the shortcut set Chrome creates under Start Menu\Programs\Chrome Apps for its default web apps (Docs, Gmail, Google Drive, Sheets, Slides, YouTube); all six share one ctime (Tue Oct 3 09:48:42 2023) and one atime (Wed Sep 27 04:28:28 2023), which is consistent with the analysis image's baseline Chrome install rather than with activity during this run. Being listed as "dropped" does not by itself make them indicators.

File Path: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk
  Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Mar 28 13:26:22 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
  Category: dropped
File Path: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
  Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Mar 28 13:26:22 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
  Category: dropped
File Path: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
  Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Oct 6 08:05:01 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
  Category: dropped
File Path: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
  Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Mar 28 13:26:22 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
  Category: dropped
File Path: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
  Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Mar 28 13:26:22 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
  Category: dropped
File Path: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
  Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Mar 28 13:26:22 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
  Category: dropped
File Path: Chrome Cache Entry: 101
  Type: MS Windows icon resource - 1 icon, 32x32, 32 bits/pixel
  Category: downloaded
File Path: Chrome Cache Entry: 103
  Type: ASCII text, with very long lines (2530)
  Category: downloaded
File Path: Chrome Cache Entry: 104
  Type: JSON data
  Category: dropped
File Path: Chrome Cache Entry: 105
  Type: Unicode text, UTF-8 text, with very long lines (64954), with CRLF line terminators
  Category: downloaded
File Path: Chrome Cache Entry: 107
  Type: JSON data
  Category: dropped
File Path: Chrome Cache Entry: 108
  Type: JSON data
  Category: dropped
File Path: Chrome Cache Entry: 109
  Type: ASCII text, with very long lines (14182)
  Category: downloaded
File Path: Chrome Cache Entry: 111
  Type: JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, progressive, precision 8, 1920x1080, components 3
  Category: downloaded
File Path: Chrome Cache Entry: 112
  Type: ASCII text, with very long lines (63096)
  Category: downloaded
File Path: Chrome Cache Entry: 113
  Type: ASCII text, with very long lines (47337)
  Category: downloaded
File Path: Chrome Cache Entry: 82
  Type: HTML document, ASCII text, with very long lines (379), with CRLF line terminators
  Category: downloaded
File Path: Chrome Cache Entry: 84
  Type: JSON data
  Category: downloaded
File Path: Chrome Cache Entry: 87
  Type: ASCII text, with very long lines (47421), with CRLF line terminators
  Category: downloaded
File Path: Chrome Cache Entry: 88
  Type: ASCII text, with very long lines (65536), with no line terminators
  Category: downloaded
File Path: Chrome Cache Entry: 89
  Type: ASCII text, with very long lines (58457)
  Category: downloaded
File Path: Chrome Cache Entry: 90
  Type: ASCII text, with very long lines (65536), with no line terminators
  Category: downloaded
File Path: Chrome Cache Entry: 91
  Type: JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=1, orientation=upper-left], baseline, precision 8, 572x233, components 3
  Category: downloaded
File Path: Chrome Cache Entry: 92
  Type: JSON data
  Category: downloaded
File Path: Chrome Cache Entry: 93
  Type: Unicode text, UTF-8 text, with very long lines (19569), with CRLF line terminators
  Category: downloaded
File Path: Chrome Cache Entry: 94
  Type: Unicode text, UTF-8 text, with very long lines (40515)
  Category: downloaded
File Path: Chrome Cache Entry: 95
  Type: JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 222x125, components 3
  Category: downloaded
File Path: Chrome Cache Entry: 96
  Type: Unicode text, UTF-8 text, with very long lines (60976)
  Category: downloaded
File Path: Chrome Cache Entry: 98
  Type: ASCII text, with very long lines (23932)
  Category: downloaded
File Path: Chrome Cache Entry: 99
  Type: ASCII text, with very long lines (29782)
  Category: downloaded
(21 further file entries are omitted from this extract.)
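The Type column above only says that each shortcut "Has command line arguments"; for a .lnk that string is exactly where a malicious shortcut hides its payload command, so an analyst wants the arguments themselves, not just the flag. The following parser is an added example, written for this page and not part of the sandbox report or its vendor's code. It decodes the ShellLinkHeader fields that libmagic summarises (LinkFlags, the Archive attribute, the three FILETIMEs, length, icon number, ShowCommand) per MS-SHLLINK, walks the StringData sections to recover the arguments, and applies a few triage heuristics. Both sample shortcuts are constructed in the block; the chrome_proxy.exe path and --app-id value are placeholders, the ANSI code page (cp1252) and the list of suspicious markers are assumptions.

```python
"""Decode a .lnk (MS-SHLLINK) header and its StringData for shortcut triage.

Added example; not part of the sandbox report above and not vendor code. Layout
follows MS-SHLLINK sections 2.1 to 2.4. Both sample shortcuts are constructed.
"""
import struct
from datetime import datetime, timedelta, timezone

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046} on disk
HEADER_FMT = "<I16sIIQQQIiIHHII"  # HeaderSize, CLSID, LinkFlags, FileAttributes, ctime/atime/wtime,
                                  # FileSize, IconIndex, ShowCommand, HotKey, Reserved1..3 = 76 bytes
LINK_FLAGS = {0x01: "HasLinkTargetIDList", 0x02: "HasLinkInfo", 0x04: "HasName", 0x08: "HasRelativePath",
              0x10: "HasWorkingDir", 0x20: "HasArguments", 0x40: "HasIconLocation", 0x80: "IsUnicode"}
STRING_SECTIONS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                   (0x20, "arguments"), (0x40, "icon_location"))  # fixed order, each gated by its flag
SHOW_COMMAND = {1: "SW_SHOWNORMAL", 3: "SW_SHOWMAXIMIZED", 7: "SW_SHOWMINNOACTIVE"}
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Assumed marker list for triage; extend to taste.
SUSPICIOUS_MARKERS = ("powershell", "cmd.exe", "cmd /c", "mshta", "rundll32", "regsvr32", "wscript",
                      "cscript", "certutil", "bitsadmin", "-enc", "frombase64string")


def from_filetime(ft: int) -> datetime:
    """FILETIME is 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def to_filetime(dt: datetime) -> int:
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def parse_lnk(data: bytes) -> dict:
    """Decode ShellLinkHeader and StringData; LinkTargetIDList and LinkInfo are skipped by size."""
    if len(data) < 0x4C or data[:4] != b"L\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link (HeaderSize or LinkCLSID mismatch)")
    (_, _, flags, attrs, ctime, atime, wtime, size, icon, show, *_) = struct.unpack_from(HEADER_FMT, data)
    off = 0x4C
    if flags & 0x01:                                   # IDListSize (u16), then the ItemIDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & 0x02:                                   # LinkInfoSize (u32) covers the whole structure
        off += struct.unpack_from("<I", data, off)[0]
    strings = {}
    for bit, name in STRING_SECTIONS:                  # CountCharacters (u16), then the characters
        if flags & bit:
            count = struct.unpack_from("<H", data, off)[0]
            off += 2
            if flags & 0x80:                           # IsUnicode: UTF-16LE code units
                strings[name] = data[off:off + 2 * count].decode("utf-16-le")
                off += 2 * count
            else:                                      # ANSI; code page assumed to be cp1252
                strings[name] = data[off:off + count].decode("cp1252", errors="replace")
                off += count
    return {"flags": [n for b, n in LINK_FLAGS.items() if flags & b],
            "archive": bool(attrs & 0x20),             # FILE_ATTRIBUTE_ARCHIVE
            "ctime": from_filetime(ctime), "atime": from_filetime(atime), "mtime": from_filetime(wtime),
            "length": size, "icon_index": icon,
            "show_command": SHOW_COMMAND.get(show, f"other({show}), treated as SW_SHOWNORMAL"),
            "strings": strings}


def triage(info: dict) -> list:
    """Heuristics for the tricks malicious shortcuts lean on; returns human-readable findings."""
    s = info["strings"]
    args = s.get("arguments", "")
    findings = []
    if args[:1].isspace():
        findings.append("arguments start with whitespace, pushing the real command out of the visible Target field")
    if len(args) > 260:
        findings.append(f"arguments are {len(args)} chars; Explorer's Target field shows only the first 260")
    haystack = (s.get("relative_path", "") + " " + args).lower()
    findings += [f"target/arguments reference {m!r}" for m in SUSPICIOUS_MARKERS if m in haystack]
    if info["show_command"] == "SW_SHOWMINNOACTIVE":
        findings.append("ShowCommand=SW_SHOWMINNOACTIVE, the usual way to keep a console window off screen")
    return findings


def build_lnk(relative_path: str, working_dir: str, arguments: str, *, size: int = 0, show: int = 1,
              when: datetime = datetime(2023, 10, 3, 9, 48, 42, tzinfo=timezone.utc)) -> bytes:
    """Construct a minimal Unicode shortcut: header, a two-item IDList, three StringData sections."""
    flags = 0x01 | 0x08 | 0x10 | 0x20 | 0x80
    ft = to_filetime(when)
    header = struct.pack(HEADER_FMT, 0x4C, LNK_CLSID, flags, 0x20, ft, ft, ft, size, 0, show, 0, 0, 0, 0)
    idlist = struct.pack("<HH", 6, 4) + b"\x1f\x50" + b"\x00\x00"   # one 4-byte ItemID + TerminalID
    enc = lambda t: struct.pack("<H", len(t)) + t.encode("utf-16-le")
    return header + idlist + enc(relative_path) + enc(working_dir) + enc(arguments)


# Constructed samples with placeholder paths; not the shortcuts from the report.
BENIGN_SAMPLE = build_lnk(r"..\..\Local\Google\Chrome\Application\chrome_proxy.exe",
                          r"C:\Users\user\AppData\Local\Google\Chrome\Application",
                          "--profile-directory=Default --app-id=abcdefghijklmnopabcdefghijklmnop", size=1210144)
MALICIOUS_SAMPLE = build_lnk(r"..\..\Windows\System32\cmd.exe", r"C:\Windows\System32",
                             " " * 300 + "/c powershell -w hidden -enc SQBFAFgA", show=7)

if __name__ == "__main__":
    for blob in (BENIGN_SAMPLE, MALICIOUS_SAMPLE):
        info = parse_lnk(blob)
        print(info["flags"], info["mtime"].isoformat(), info["show_command"], triage(info))
```

Point it at a real shortcut with `parse_lnk(open(path, "rb").read())`. Note that libmagic's "window=hide" is its own rendering of ShowCommand; the block reports the MS-SHLLINK constant instead, and any value other than 1, 3 or 7 is treated as SW_SHOWNORMAL, as the specification requires.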

URLs

Name
https://gcv.microsoft.us/kgRWagmalJ
https://customervoice.microsoft.us/Pages/ResponsePage.aspx?id=-RPI-LusGEu7EBBylkNTjWWoXRslC5ZNgtyDYsHwo_NUQTZXV1E4UEdXQUhWNkpXUjlTWDVHQjJBNC4u&ctx=%7B%22First%20Name%22%3A%22Chez%20%22%7D
(The IP and Malicious columns hold no value for either URL in this extract. The ctx parameter of the second URL decodes to the JSON {"First Name":"Chez "}, a prefilled form field.)

Domains

Name                                                              IP
eafd-3p-profile.usgovtrafficmanager.net                           20.141.12.34
osiusgcc-usge-teal-001.usgovvirginia.cloudapp.usgovcloudapi.net   52.127.240.65
www.google.com                                                    142.251.167.104
customervoice.microsoft.us                                        unknown
lists.gcc.osi.office365.us                                        unknown
gcv.microsoft.us                                                  unknown
(The Malicious column holds no value for any domain in this extract, and "unknown" means no address is listed for that name. The microsoft.us, office365.us, usgovcloudapi.net and usgovtrafficmanager.net names belong to Microsoft's US Government cloud.)

IPs

IP               Domain                                                            Country
1.1.1.1          unknown                                                           Australia
20.189.173.8     unknown                                                           United States
142.251.16.100   unknown                                                           United States
20.141.12.34     eafd-3p-profile.usgovtrafficmanager.net                           United States
52.182.143.213   unknown                                                           United States
192.168.2.17     unknown                                                           unknown
192.168.2.16     unknown                                                           unknown
142.251.111.94   unknown                                                           United States
142.251.167.104  www.google.com                                                    United States
192.168.2.4      unknown                                                           unknown
142.251.163.113  unknown                                                           United States
52.127.240.65    osiusgcc-usge-teal-001.usgovvirginia.cloudapp.usgovcloudapi.net   United States
239.255.255.250  unknown                                                           Reserved
52.127.240.59    unknown                                                           United States
142.251.16.94    unknown                                                           United States
172.253.115.84   unknown                                                           United States
(6 further IP entries are omitted from this extract. The Malicious column holds no value for any address shown. 192.168.2.4, 192.168.2.16 and 192.168.2.17 are RFC 1918 addresses on the analysis network and 239.255.255.250 is the SSDP multicast address, so none of them is an external indicator; 1.1.1.1 is Cloudflare's anycast public resolver, and "Australia" is the geolocation of the APNIC-registered prefix, not of any server contacted.)