Create Interactive Tour

Windows Analysis Report
http://www.ironplanet.com/jsp/mailing/mail-landing.jsp?userMailing=536238898&action=url&name=IP-MPE-Button-072523&url=https://ratty.cfd/cmn/ajtx/QMKGY/bHdhbGtlckBsaWZ0b25lLm5ldA==

Overview

General Information

Sample URL:	http://www.ironplanet.com/jsp/mailing/mail-landing.jsp?userMailing=536238898&action=url&name=IP-MPE-Button-072523&url=https://ratty.cfd/cmn/ajtx/QMKGY/bHdhbGtlckBsaWZ0b25lLm5ldA==
Analysis ID:	1343771

Detection

Score:	1
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

Stores files to the Windows start menu directory

Creates files inside the system directory

Uses insecure TLS / SSL version for HTTPS connection

Classification

Process Tree

System is w10x64_ra

chrome.exe (PID: 6300 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://www.ironplanet.com/jsp/mailing/mail-landing.jsp?userMailing=536238898&action=url&name=IP-MPE-Button-072523&url=https://ratty.cfd/cmn/ajtx/QMKGY/bHdhbGtlckBsaWZ0b25lLm5ldA== MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 5288 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 --field-trial-handle=2020,i,4159725604764370431,11736070217821171857,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 6516 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5796 --field-trial-handle=2020,i,4159725604764370431,11736070217821171857,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 1004 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5732 --field-trial-handle=2020,i,4159725604764370431,11736070217821171857,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

HTTP traffic detected: GET /jsp/mailing/mail-landing.jsp?userMailing=536238898&action=url&name=IP-MPE-Button-072523&url=https://ratty.cfd/cmn/ajtx/QMKGY/bHdhbGtlckBsaWZ0b25lLm5ldA== HTTP/1.1Host: www.ironplanet.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9

Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.16:49985 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.16:50151 version: TLS 1.2

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Windows\SystemTemp\chrome_BITS_6300_1807853283

Source: classification engine

Classification label: clean1.win@30/531@306/865

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://www.ironplanet.com/jsp/mailing/mail-landing.jsp?userMailing=536238898&action=url&name=IP-MPE-Button-072523&url=https://ratty.cfd/cmn/ajtx/QMKGY/bHdhbGtlckBsaWZ0b25lLm5ldA==
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 --field-trial-handle=2020,i,4159725604764370431,11736070217821171857,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5796 --field-trial-handle=2020,i,4159725604764370431,11736070217821171857,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5732 --field-trial-handle=2020,i,4159725604764370431,11736070217821171857,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 --field-trial-handle=2020,i,4159725604764370431,11736070217821171857,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5796 --field-trial-handle=2020,i,4159725604764370431,11736070217821171857,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5732 --field-trial-handle=2020,i,4159725604764370431,11736070217821171857,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact	Resource Development	Reconnaissance
Valid Accounts	Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	1 Process Injection	11 Masquerading	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	2 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Abuse Accessibility Features	Acquire Infrastructure	Gather Victim Identity Information
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Registry Run Keys / Startup Folder	1 Process Injection	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	2 Non-Application Layer Protocol	SIM Card Swap	Obtain Device Cloud Backups	Network Denial of Service	Domains	Credentials
Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	3 Application Layer Protocol			Data Encrypted for Impact	DNS Server	Email Addresses
Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Traffic Duplication	1 Ingress Tool Transfer			Data Destruction	Virtual Private Server	Employee Names

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

No bigger version

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
http://www.ironplanet.com/jsp/mailing/mail-landing.jsp?userMailing=536238898&action=url&name=IP-MPE-Button-072523&url=https://ratty.cfd/cmn/ajtx/QMKGY/bHdhbGtlckBsaWZ0b25lLm5ldA==	0%	Avira URL Cloud	safe

Name	IP	Active	Malicious	Reputation
rtb-csync-use1.smartadserver.com	23.105.14.105	true	false	high
forms.hubspot.com	104.19.155.83	true	false	high
pixel-lb-1846267185.us-east-1.elb.amazonaws.com	34.195.216.90	true	false	high
i.ytimg.com	142.251.33.118	true	false	high
csm.da1.vip.prod.criteo.net	74.119.118.154	true	false	high
us-east-eb2.3lift.com	35.71.139.29	true	false	high
jelly.mdhv.io	216.239.38.21	true	false	unknown
stats.g.doubleclick.net	142.250.107.155	true	false	high
cdn.w55c.net	44.235.246.214	true	false	high
measurement-api.da1.vip.prod.criteo.com	74.119.118.71	true	false	high
track.hubspot.com	104.19.155.83	true	false	high
r.casalemedia.com	104.18.36.155	true	false	high
servedbyadbutler.com	66.165.239.114	true	false	unknown
visitor-us-west-2.omnitagjs.com	52.33.237.62	true	false	high
na-ice.360yield.com	18.214.220.169	true	false	high
sync.crwdcntrl.net	52.8.183.69	true	false	high
js.hs-scripts.com	104.16.187.89	true	false	high
photos-ugc.l.googleusercontent.com	142.251.33.65	true	false	high
cm.g.doubleclick.net	142.251.211.226	true	false	high
idaas-ext.cph.liveintent.com	35.169.151.226	true	false	high
ds-pr-bh.ybp.gysm.yahoodns.net	54.71.223.112	true	false	unknown
www.google.com	142.250.217.100	true	false	high
sadc1.outbrain.org	66.225.223.191	true	false	unknown
static-cdn.hotjar.com	99.86.38.81	true	false	high
match.adsrvr.org	52.223.40.198	true	false	high
star-mini.c10r.facebook.com	157.240.3.35	true	false	high
js.hs-banner.com	172.64.153.27	true	false	unknown
match.prod.bidr.io	44.241.88.176	true	false	unknown
google.com	142.250.217.110	true	false	high
nydc1.outbrain.org	64.202.112.63	true	false	unknown
plus.l.google.com	142.250.217.110	true	false	high
ats-eks.us-west-2.dcs-online-targeting-prd.aws.oath.cloud	35.84.163.233	true	false	unknown
cdn26.vizury.com	172.66.43.56	true	false	high
trends.revcontent.com	100.21.136.151	true	false	high
d37ih4rs6zff7b.cloudfront.net	13.224.14.105	true	false	high
us-pl-whitelist-532871921.us-east-1.elb.amazonaws.com	44.221.31.224	true	false	high
static.doubleclick.net	142.251.33.102	true	false	high
consent.trustarc.com	108.138.94.71	true	false	high
youtube-ui.l.google.com	142.250.217.110	true	false	high
googleads.g.doubleclick.net	142.251.33.66	true	false	high
td.doubleclick.net	142.250.217.66	true	false	high
clients.l.google.com	142.251.211.238	true	false	high
la2-c2-ia4.ia4.r.salesforceliveagent.com	13.109.190.112	true	false	high
la-vip001.taboola.com	141.226.230.48	true	false	high
cdn.callrail.com	52.84.162.8	true	false	high
user-data-us-west.bidswitch.net	35.212.133.238	true	false	unknown
js.hs-analytics.net	104.16.76.186	true	false	unknown
gum.da1.vip.prod.criteo.com	74.119.118.149	true	false	high
vizury-common-286881781.us-east-1.elb.amazonaws.com	34.192.21.233	true	false	high
contextual.media.net	23.216.80.24	true	false	high
scontent.xx.fbcdn.net	157.240.3.29	true	false	high
dynamic.da1.vip.prod.criteo.com	74.119.118.155	true	false	high
widget.da1.vip.prod.criteo.com	74.119.118.138	true	false	high
tf-hitapp-prod.eba-akngjzsh.us-east-1.elasticbeanstalk.com	54.174.252.1	true	false	high
script.hotjar.com	3.163.189.126	true	false	high
tg.dr.socdm.com	211.120.53.205	true	false	high
tapestry.tapad.com	34.111.113.62	true	false	high
location.l.force.com	13.110.36.42	true	false	high
pi-ue1-public-lb-f0209c6950285322.elb.us-east-1.amazonaws.com	3.92.120.28	true	false	high
match-us-west-1-ecs.sharethrough.com	13.56.176.174	true	false	high
sync.ipredictive.com	54.157.141.59	true	false	unknown
accounts.google.com	142.250.217.109	true	false	high
pcs3prod18.us-east-1.elasticbeanstalk.com	184.73.254.83	true	false	high
fledge.da1.vip.prod.criteo.com	74.119.118.75	true	false	high
exchange.mediavine.com	44.240.96.183	true	false	high
js.hsleadflows.net	104.18.123.12	true	false	unknown
rba-ip-alb-prd-1135758781.us-west-2.elb.amazonaws.com	52.10.30.179	true	false	high
play.google.com	142.250.217.78	true	false	high
s.ad.smaato.net	18.65.229.33	true	false	high
analytics.google.com	172.217.14.206	true	false	high
tags.srv.stackadapt.com	18.205.112.160	true	false	high
la2-c2-ia5.ia5.r.salesforceliveagent.com	13.110.41.112	true	false	high
js.callrail.com	52.84.162.62	true	false	high
ib.anycast.adnxs.com	104.254.151.68	true	false	high
pug-sfo-bc.pubmnet.com	104.36.113.107	true	false	unknown
static.da1.vip.prod.criteo.net	74.119.118.134	true	false	high
ssgtm.ironplanet.com	216.239.32.21	true	false	high
d.la2-c2-ia4.salesforceliveagent.com	unknown	unknown	false	high
pm.w55c.net	unknown	unknown	false	high
www.ironplanet.com	unknown	unknown	false	high
siteintercept.qualtrics.com	unknown	unknown	false	high
secure.adnxs.com	unknown	unknown	false	high
ads.stickyadstv.com	unknown	unknown	false	unknown
dynamic.criteo.com	unknown	unknown	false	high
jadserve.postrelease.com	unknown	unknown	false	high
sslwidget.criteo.com	unknown	unknown	false	high
clients2.google.com	unknown	unknown	false	high
static.hotjar.com	unknown	unknown	false	high
dis.criteo.com	unknown	unknown	false	high
ir.ironpla.net	unknown	unknown	false	unknown
www.youtube.com	unknown	unknown	false	high
us-pl.vizury.com	unknown	unknown	false	high
cdn.ironpla.net	unknown	unknown	false	unknown
static.criteo.net	unknown	unknown	false	high
measurement-api.criteo.com	unknown	unknown	false	high
pixel.rubiconproject.com	unknown	unknown	false	high
connect.facebook.net	unknown	unknown	false	high
px.ads.linkedin.com	unknown	unknown	false	high
1f2e7.v.fwmrm.net	unknown	unknown	false	unknown
service.force.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
http://www.ironplanet.com/jsp/mailing/mail-landing.jsp?userMailing=536238898&action=url&name=IP-MPE-Button-072523&url=https://ratty.cfd/cmn/ajtx/QMKGY/bHdhbGtlckBsaWZ0b25lLm5ldA==	false	high
about:blank	false	low
https://www.ironplanet.com/?h=1	false	high
https://consent.trustarc.com/get?name=crossdomain.html&domain=ironplanet.ritchiebros.com	false	high
https://us-pl.vizury.com/analyze/analyze.php?account_id=VIZVRM5383&URL=https%3A%2F%2Fwww.ironplanet.com%2F%3Fh%3D1&referrer=&ts=&fp34=97db9db01ba15e8369cb63c7307799f2&param=e100&section=1&level=1&ealevel=1&cb=viz_65565f640a642	false	high
https://gum.criteo.com/syncframe?topUrl=www.ironplanet.com&origin=onetag#{%22bundle%22:{%22origin%22:0,%22value%22:null},%22cw%22:true,%22optout%22:{%22origin%22:0,%22value%22:null},%22origin%22:%22onetag%22,%22sid%22:{%22origin%22:0,%22value%22:null},%22tld%22:%22ironplanet.com%22,%22topUrl%22:%22www.ironplanet.com%22,%22version%22:%225_20_0%22,%22ifa%22:{%22origin%22:0,%22value%22:null},%22lsw%22:true,%22pm%22:0}	false	high
https://service.force.com/embeddedservice/5.0/esw.html?parent=https://www.ironplanet.com/?h=1	false	high
https://www.youtube.com/embed/gL92lxZamzI?rel=0&showinfo=0	false	high
https://static.criteo.net/empty.html	false	high
https://www.ironplanet.com/jsp/equip/auctionTicker.jsp?groupId=94078	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.19.155.83	forms.hubspot.com	United States	13335	CLOUDFLARENETUS	false
142.251.211.238	clients.l.google.com	United States	15169	GOOGLEUS	false
13.56.176.174	match-us-west-1-ecs.sharethrough.com	United States	16509	AMAZON-02US	false
157.240.3.35	star-mini.c10r.facebook.com	United States	32934	FACEBOOKUS	false
3.218.201.11	unknown	United States	14618	AMAZON-AESUS	false
34.223.199.217	unknown	United States	16509	AMAZON-02US	false
3.92.120.28	pi-ue1-public-lb-f0209c6950285322.elb.us-east-1.amazonaws.com	United States	14618	AMAZON-AESUS	false
100.21.136.151	trends.revcontent.com	United States	16509	AMAZON-02US	false
38.71.2.236	unknown	United States	26558	FREEWHEELUS	false
142.251.33.100	unknown	United States	15169	GOOGLEUS	false
172.217.14.238	unknown	United States	15169	GOOGLEUS	false
142.251.211.246	unknown	United States	15169	GOOGLEUS	false
104.16.187.89	js.hs-scripts.com	United States	13335	CLOUDFLARENETUS	false
23.105.12.172	unknown	United States	30633	LEASEWEB-USA-WDCUS	false
142.250.217.67	unknown	United States	15169	GOOGLEUS	false
142.250.217.66	td.doubleclick.net	United States	15169	GOOGLEUS	false
142.251.33.102	static.doubleclick.net	United States	15169	GOOGLEUS	false
157.240.3.29	scontent.xx.fbcdn.net	United States	32934	FACEBOOKUS	false
142.251.33.106	unknown	United States	15169	GOOGLEUS	false
142.250.107.155	stats.g.doubleclick.net	United States	15169	GOOGLEUS	false
142.250.217.109	accounts.google.com	United States	15169	GOOGLEUS	false
142.250.217.110	google.com	United States	15169	GOOGLEUS	false
35.169.151.226	idaas-ext.cph.liveintent.com	United States	14618	AMAZON-AESUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
13.110.36.42	location.l.force.com	United States	14340	SALESFORCEUS	false
34.210.130.159	unknown	United States	16509	AMAZON-02US	false
142.250.217.78	play.google.com	United States	15169	GOOGLEUS	false
13.110.36.45	unknown	United States	14340	SALESFORCEUS	false
44.233.84.246	unknown	United States	16509	AMAZON-02US	false
66.225.223.191	sadc1.outbrain.org	United States	3949	NTTA-3946US	false
142.250.217.100	www.google.com	United States	15169	GOOGLEUS	false
142.250.69.194	unknown	United States	15169	GOOGLEUS	false
142.250.69.195	unknown	United States	15169	GOOGLEUS	false
54.157.141.59	sync.ipredictive.com	United States	14618	AMAZON-AESUS	false
216.239.38.21	jelly.mdhv.io	United States	15169	GOOGLEUS	false
142.251.211.226	cm.g.doubleclick.net	United States	15169	GOOGLEUS	false
34.194.151.183	unknown	United States	14618	AMAZON-AESUS	false
216.239.32.21	ssgtm.ironplanet.com	United States	15169	GOOGLEUS	false
23.36.53.73	unknown	United States	16625	AKAMAI-ASUS	false
13.224.14.74	unknown	United States	16509	AMAZON-02US	false
52.33.237.62	visitor-us-west-2.omnitagjs.com	United States	16509	AMAZON-02US	false
104.254.148.251	unknown	United States	29990	ASN-APPNEXUS	false
35.84.163.233	ats-eks.us-west-2.dcs-online-targeting-prd.aws.oath.cloud	United States	237	MERIT-AS-14US	false
52.223.22.214	unknown	United States	8987	AMAZONEXPANSIONGB	false
104.18.123.12	js.hsleadflows.net	United States	13335	CLOUDFLARENETUS	false
142.251.33.97	unknown	United States	15169	GOOGLEUS	false
211.120.53.205	tg.dr.socdm.com	Japan	4694	IDCFIDCFrontierIncJP	false
18.214.220.169	na-ice.360yield.com	United States	14618	AMAZON-AESUS	false
211.120.53.206	unknown	Japan	4694	IDCFIDCFrontierIncJP	false
52.10.30.179	rba-ip-alb-prd-1135758781.us-west-2.elb.amazonaws.com	United States	16509	AMAZON-02US	false
142.251.33.99	unknown	United States	15169	GOOGLEUS	false
44.240.96.183	exchange.mediavine.com	United States	16509	AMAZON-02US	false
104.16.76.186	js.hs-analytics.net	United States	13335	CLOUDFLARENETUS	false
64.202.112.63	nydc1.outbrain.org	United States	22075	AS-OUTBRAINUS	false
172.217.14.206	analytics.google.com	United States	15169	GOOGLEUS	false
13.224.14.27	unknown	United States	16509	AMAZON-02US	false
204.79.197.200	unknown	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
3.163.189.126	script.hotjar.com	United States	16509	AMAZON-02US	false
172.217.14.202	unknown	United States	15169	GOOGLEUS	false
74.119.118.134	static.da1.vip.prod.criteo.net	United States	19750	AS-CRITEOUS	false
74.125.197.156	unknown	United States	15169	GOOGLEUS	false
74.119.118.138	widget.da1.vip.prod.criteo.com	United States	19750	AS-CRITEOUS	false
99.86.38.81	static-cdn.hotjar.com	United States	16509	AMAZON-02US	false
34.195.216.90	pixel-lb-1846267185.us-east-1.elb.amazonaws.com	United States	14618	AMAZON-AESUS	false
184.73.254.83	pcs3prod18.us-east-1.elasticbeanstalk.com	United States	14618	AMAZON-AESUS	false
23.216.80.24	contextual.media.net	United States	33652	CMCSUS	false
44.241.88.176	match.prod.bidr.io	United States	16509	AMAZON-02US	false
35.212.133.238	user-data-us-west.bidswitch.net	United States	19527	GOOGLE-2US	false
44.235.246.214	cdn.w55c.net	United States	16509	AMAZON-02US	false
104.19.154.83	unknown	United States	13335	CLOUDFLARENETUS	false
54.176.4.245	unknown	United States	16509	AMAZON-02US	false
66.165.239.114	servedbyadbutler.com	United States	29802	HVC-ASUS	false
54.174.252.1	tf-hitapp-prod.eba-akngjzsh.us-east-1.elasticbeanstalk.com	United States	14618	AMAZON-AESUS	false
74.119.118.149	gum.da1.vip.prod.criteo.com	United States	19750	AS-CRITEOUS	false
13.109.190.112	la2-c2-ia4.ia4.r.salesforceliveagent.com	United States	14340	SALESFORCEUS	false
104.18.36.155	r.casalemedia.com	United States	13335	CLOUDFLARENETUS	false
18.65.229.33	s.ad.smaato.net	United States	3	MIT-GATEWAYSUS	false
13.107.42.14	unknown	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
142.251.33.74	unknown	United States	15169	GOOGLEUS	false
23.216.147.68	unknown	United States	7016	CCCH-3US	false
52.84.162.8	cdn.callrail.com	United States	16509	AMAZON-02US	false
18.208.125.13	unknown	United States	14618	AMAZON-AESUS	false
52.223.40.198	match.adsrvr.org	United States	8987	AMAZONEXPANSIONGB	false
104.17.208.240	unknown	United States	13335	CLOUDFLARENETUS	false
34.192.36.77	unknown	United States	14618	AMAZON-AESUS	false
13.224.14.105	d37ih4rs6zff7b.cloudfront.net	United States	16509	AMAZON-02US	false
8.39.36.142	unknown	United States	26667	RUBICONPROJECTUS	false
74.119.118.154	csm.da1.vip.prod.criteo.net	United States	19750	AS-CRITEOUS	false
74.119.118.155	dynamic.da1.vip.prod.criteo.com	United States	19750	AS-CRITEOUS	false
35.160.111.165	unknown	United States	16509	AMAZON-02US	false
142.251.33.68	unknown	United States	15169	GOOGLEUS	false
13.107.21.200	unknown	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
142.251.215.232	unknown	United States	15169	GOOGLEUS	false
142.251.33.67	unknown	United States	15169	GOOGLEUS	false
172.64.151.101	unknown	United States	13335	CLOUDFLARENETUS	false
142.251.33.118	i.ytimg.com	United States	15169	GOOGLEUS	false
52.8.183.69	sync.crwdcntrl.net	United States	16509	AMAZON-02US	false
141.226.230.48	la-vip001.taboola.com	Israel	200478	TABOOLA-ASIL	false

Private

IP
192.168.2.17
192.168.2.16

General Information

Joe Sandbox Version:	38.0.0 Ammolite
Analysis ID:	1343771
Start date and time:	2023-11-16 19:28:05 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Sample URL:	http://www.ironplanet.com/jsp/mailing/mail-landing.jsp?userMailing=536238898&action=url&name=IP-MPE-Button-072523&url=https://ratty.cfd/cmn/ajtx/QMKGY/bHdhbGtlckBsaWZ0b25lLm5ldA==
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean1.win@30/531@306/865

Warnings

Exclude process from analysis (whitelisted): SIHClient.exe
Excluded IPs from analysis (whitelisted): 142.251.33.99, 34.104.35.123, 142.251.33.74, 142.250.69.195
Excluded domains from analysis (whitelisted): fonts.googleapis.com, edgedl.me.gvt1.com, fonts.gstatic.com, clientservices.googleapis.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: http://www.ironplanet.com/jsp/mailing/mail-landing.jsp?userMailing=536238898&action=url&name=IP-MPE-Button-072523&url=https://ratty.cfd/cmn/ajtx/QMKGY/bHdhbGtlckBsaWZ0b25lLm5ldA==

Source: https://www.ironplanet.com/jsp/equip/auctionTicker.jsp?groupId=94078	HTTP Parser: No favicon
Source: https://www.ironplanet.com/?h=1	HTTP Parser: No favicon
Source: https://www.ironplanet.com/?h=1	HTTP Parser: No favicon
Source: https://www.ironplanet.com/?h=1	HTTP Parser: No favicon
Source: https://www.ironplanet.com/jsp/equip/auctionTicker.jsp?groupId=94078	HTTP Parser: No favicon
Source: https://www.ironplanet.com/jsp/equip/auctionTicker.jsp?groupId=94078	HTTP Parser: No favicon
Source: https://www.youtube.com/embed/gL92lxZamzI?rel=0&showinfo=0	HTTP Parser: No favicon
Source: https://www.ironplanet.com/?h=1	HTTP Parser: No favicon
Source: https://www.ironplanet.com/?h=1	HTTP Parser: No favicon
Source: https://www.ironplanet.com/jsp/equip/auctionTicker.jsp?groupId=94078	HTTP Parser: No favicon
Source: https://fledge.us.criteo.com/interest-group?data=wgPUAHxRd3N4dTEvRDM3SzBNcmhwY1ZMZ1VUVkhHWUkvb001aThrNW5UZEd1eVlrZkxYZWxic0VUQXlMS0ZYNkxMOTZHYUZzbnJEOVJGVmpNMlNRYVkxWDlVS2JCL0s2bEJQQzM4TzRVL2Z2TGxpST18	HTTP Parser: No favicon
Source: https://td.doubleclick.net/td/rul/1072577230?random=1700159330279&cv=11&fst=1700159330279&fmt=3&bg=ffffff&guid=ON&async=1&gtm=45He3b81v71134794&gcd=11l1l1l1l1&dma=0&u_w=1280&u_h=1024&url=https%3A%2F%2Fwww.ironplanet.com%2F%3Fh%3D1&hn=www.googleadservices.com&frm=0&tiba=Used%20Heavy%20Construction%20Equipment%20%26%20Trucks%20For%20Sale%20%7C%20IronPlanet&auid=1378802919.1700159323&fledge=1&uaa=x86&uab=64&uafvl=Google%2520Chrome%3B117.0.5938.132%7CNot%253BA%253DBrand%3B8.0.0.0%7CChromium%3B117.0.5938.132&uamb=0&uap=Windows&uapv=10.0.0&uaw=0	HTTP Parser: No favicon
Source: https://service.force.com/embeddedservice/5.0/esw.html?parent=https://www.ironplanet.com/?h=1	HTTP Parser: No favicon
Source: https://service.force.com/embeddedservice/5.0/esw.html?parent=https://www.ironplanet.com/?h=1	HTTP Parser: No favicon
Source: https://www.ironplanet.com/?h=1	HTTP Parser: No favicon
Source: https://www.ironplanet.com/jsp/equip/auctionTicker.jsp?groupId=94078	HTTP Parser: No favicon
Source: https://www.ironplanet.com/?h=1	HTTP Parser: No favicon

Source: unknown	TCP traffic detected without corresponding DNS query: 104.117.234.93
Source: unknown	TCP traffic detected without corresponding DNS query: 104.117.234.93
Source: unknown	TCP traffic detected without corresponding DNS query: 104.117.234.93
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Nov 16 17:28:34 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2673
Entropy (8bit):	3.9785943073366865
Encrypted:	false
SSDEEP:
MD5:	C40D0730782E8BC50B2AEBF650281504
SHA1:	ED82ACF78B59604D5F4BB2A37EC4C5332216A7B2
SHA-256:	8E89B45E2F7FA31527A39137F9DC4499C707E487DD88FA9F458DBB2FD9905530
SHA-512:	585D03D2B1939D5C76A24254B94EF65B77ECDFBAFE790951A7A1CA4FC6910986EE652790CEA06FDB03926C45F2E4545D3E757F85EC76DCBF56AA8CAADD439AC5
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,..../x......N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.IpW......B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VpW......L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VpW......M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VpW............................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VpW.............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...................C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	PNG image data, 221 x 85, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	4827
Entropy (8bit):	7.552262618805935
Encrypted:	false
SSDEEP:
MD5:	F97759EE3A80E729AB351F7194C011CB
SHA1:	55CC29AE6641E916B50478B8860B6163558868E9
SHA-256:	626B8EEA1D009E60655FA0A632281C355FD4C288B723DA231931A44BB98704FD
SHA-512:	BD098FA4624406E242FA7A5402776E45044A3E2D6DDFD3793B448EC3E81557E81810A19C6EF73366344E1D7CA2E0BC5C9CDB2A56BA03C16A0A622016AA0049B1
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR.......U......'.....tEXtSoftware.Adobe ImageReadyq.e<....iTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c138 79.159824, 2016/09/14-01:09:01 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:photoshop="http://ns.adobe.com/photoshop/1.0/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stEvt="http://ns.adobe.com/xap/1.0/sType/ResourceEvent#" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CC 2017 (Windows)" xmp:CreateDate="2018-01-11T15:20:53-08:00" xmp:MetadataDate="2018-01-11T15:58:31-08:00" xmp:ModifyDate="2018-01-11T15:58:31-08:00" dc:format="image/png" xmpMM:InstanceID="xmp.iid:535119DEF72B11E7AD9BDFA5D44F41A8" xmpMM:DocumentID="xmp.did:535119DFF72B11E7AD9BDFA5D44F41A8" xmpMM:O

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	C source, ASCII text, with very long lines (754)
Category:	downloaded
Size (bytes):	30813
Entropy (8bit):	5.163195557334805
Encrypted:	false
SSDEEP:
MD5:	E42DF024FAD660BBADF4D550BB33FE6D
SHA1:	0C73CF3E830F5FFED5C9D070A95D98883DB23454
SHA-256:	EF4DCC4DAB4D780F44939C455D4720CAB662B2F5FABC36EBC33A21F4CDBECD4E
SHA-512:	193AB01FB92FBFC0BFF58D018D2F2AC64850A29D0EB47283370B0A872D71C1B00636FB2A8BC0F79F0CB906457061AA869BC291F69E3B6703EA08A04E922596EA
Malicious:	false
Reputation:	low
URL:	https://service.force.com/embeddedservice/5.0/esw.min.js
Preview:	/. Where possible, we changed noninclusive terms to align with our company value of Equality. We maintained certain terms to avoid any effect on customer implementations. ./.(function(l){function d(){var a=!1,b;this.settings={appendHelpButton:!0,displayHelpButton:!0,isExternalPage:!0,devMode:!1,targetElement:document.body,elementForOnlineDisplay:void 0,elementForOfflineDisplay:void 0,defaultMinimizedText:"",disabledMinimizedText:"",defaultAssistiveText:"",loadingText:"Loading",showIcon:void 0,enabledFeatures:[],entryFeature:"FieldService",storageDomain:document.domain,language:void 0,linkAction:{feature:void 0,name:void 0,valid:!1},linkActionParameters:{},useCustomAuthentication:!1,.allowGuestUsers:!1,requireSLDS:!1,hasBottomTabBar:!1};this.auth={};this.validLinkActions={};this.alwaysWarnOnBeforeUnload=!1;Object.defineProperty(this.auth,"oauthToken",{get:function(){return b},set:function(c){this.validateHeaderValue(c)?(b=c)?(this.setSessionData("ESW_OAUTH_TOKEN",c),this.checkAuthenti

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (30837)
Category:	downloaded
Size (bytes):	31000
Entropy (8bit):	4.746143404849733
Encrypted:	false
SSDEEP:
MD5:	269550530CC127B6AA5A35925A7DE6CE
SHA1:	512C7D79033E3028A9BE61B540CF1A6870C896F8
SHA-256:	799AEB25CC0373FDEE0E1B1DB7AD6C2F6A0E058DFADAA3379689F583213190BD
SHA-512:	49F4E24E55FA924FAA8AD7DEBE5FFB2E26D439E25696DF6B6F20E7F766B50EA58EC3DBD61B6305A1ACACD2C80E6E659ACCEE4140F885B9C9E71008E9001FBF4B
Malicious:	false
Reputation:	low
URL:	https://s.ironpla.net/s/resources/fonts/awesome-4.7/css/font-awesome.min.css
Preview:	/!. Font Awesome 4.7.0 by @davegandy - http://fontawesome.io - @fontawesome. * License - http://fontawesome.io/license (Font: SIL OFL 1.1, CSS: MIT License). */@font-face{font-family:'FontAwesome';src:url('../fonts/fontawesome-webfont.eot?v=4.7.0');src:url('../fonts/fontawesome-webfont.eot?#iefix&v=4.7.0') format('embedded-opentype'),url('../fonts/fontawesome-webfont.woff2?v=4.7.0') format('woff2'),url('../fonts/fontawesome-webfont.woff?v=4.7.0') format('woff'),url('../fonts/fontawesome-webfont.ttf?v=4.7.0') format('truetype'),url('../fonts/fontawesome-webfont.svg?v=4.7.0#fontawesomeregular') format('svg');font-weight:normal;font-style:normal}.fa{display:inline-block;font:normal normal normal 14px/1 FontAwesome;font-size:inherit;text-rendering:auto;-webkit-font-smoothing:antialiased;-moz-osx-font-smoothing:grayscale}.fa-lg{font-size:1.33333333em;line-height:.75em;vertical-align:-15%}.fa-2x{font-size:2em}.fa-3x{font-size:3em}.fa-4x{font-size:4em}.fa-5x{font-size:5em}.fa-fw{width:1.

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, ASCII text, with very long lines (351)
Category:	downloaded
Size (bytes):	225083
Entropy (8bit):	5.102791493883387
Encrypted:	false
SSDEEP:
MD5:	7115B657C28256DB6077ADA4F2A46F99
SHA1:	630F7617E697166A2B6584125D94C2BA05D520D7
SHA-256:	87EA18E708438C7E68659AFBD6A368D18DD015222145A84AAF7C78DD5EB80907
SHA-512:	CC821B8A5CFAC65179233273CEE339C49DEB9C14FFED650DF34194293B13C5FCE8546824FF4FEACC39F6B46AE08AF9625272558A861D9127ABA2A2A341F33951
Malicious:	false
Reputation:	low
URL:	https://www.ironplanet.com/?h=1
Preview:	<!doctype html>......<html lang="en">.<head>..<title>Used Heavy Construction Equipment & Trucks For Sale \| IronPlanet</title>... Meta Tag Include -->..<meta name="description" content="Buy & sell used construction equipment, trucks & government surplus. Bid online, on-site, buy now or make an offer. Buy with confidence with our IronClad Assurance®.">..<meta name="keywords" content="used construction equipment, used trucks, government surplus, military surplus, equipment auctions, truck auctions, used backhoe loaders, used wheel loaders, buy used equipment, sell used equipment">..<meta name="viewport" content="width=device-width,initial-scale=1.0"/>...<meta http-equiv="X-UA-Compatible" content="IE=edge">..<link rel="stylesheet" type="text/css" href="https://s.ironpla.net/s/resources/fonts/fonts-2016.min.css">.<link rel="stylesheet" type="text/css" href="https://s.ironpla.net/s/bootstrap-3.1.1/css/bootstrap.min.css"/>.<link rel="stylesheet" type="text/css" href="https://s.ironpla

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report http://www.ironplanet.com/jsp/mailing/mail-landing.jsp?userMailing=536238898&action=url&name=IP-MPE-Button-072523&url=https://ratty.cfd/cmn/ajtx/QMKGY/bHdhbGtlckBsaWZ0b25lLm5ldA==

Overview

General Information

Detection

Signatures

Classification

Process Tree

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Phishing

Compliance

Networking

System Summary

Boot Survival

Mitre Att&ck Matrix

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Chrome Cache Entry: 208

Chrome Cache Entry: 209

Chrome Cache Entry: 212

Chrome Cache Entry: 213

Chrome Cache Entry: 214

Chrome Cache Entry: 217

Chrome Cache Entry: 218

Chrome Cache Entry: 220

Chrome Cache Entry: 222

Chrome Cache Entry: 223

Chrome Cache Entry: 224

Chrome Cache Entry: 226

Chrome Cache Entry: 227

Chrome Cache Entry: 228

Chrome Cache Entry: 229

Chrome Cache Entry: 232

Chrome Cache Entry: 234

Chrome Cache Entry: 236

Chrome Cache Entry: 237

Chrome Cache Entry: 238

Chrome Cache Entry: 239

Chrome Cache Entry: 240

Chrome Cache Entry: 242

Chrome Cache Entry: 244

Chrome Cache Entry: 245

Chrome Cache Entry: 246

Chrome Cache Entry: 249

Chrome Cache Entry: 250

Chrome Cache Entry: 251

Chrome Cache Entry: 252

Chrome Cache Entry: 253

Chrome Cache Entry: 255

Chrome Cache Entry: 256

Windows Analysis Report
http://www.ironplanet.com/jsp/mailing/mail-landing.jsp?userMailing=536238898&action=url&name=IP-MPE-Button-072523&url=https://ratty.cfd/cmn/ajtx/QMKGY/bHdhbGtlckBsaWZ0b25lLm5ldA==