Edit tour

Windows Analysis Report
http://ironplanet.com/jsp///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////mailing/mail-landing.jsp?userMailing=536238898&action=url&name=IP-MPE-Button-072523&url=https://afrotechpodcast.com/hdlsoweiejsdcpoeueweipowep/1

Overview

General Information

Sample URL:	http://ironplanet.com/jsp///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////mailing/mail-landing.jsp?userMailing=5362388
Analysis ID:	1345148

Detection

Score:	1
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

Stores files to the Windows start menu directory

Creates files inside the system directory

Classification

Process Tree

System is w10x64_ra

chrome.exe (PID: 3852 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://ironplanet.com/jsp///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////mailing/mail-landing.jsp?userMailing=536238898&action=url&name=IP-MPE-Button-072523&url=https://afrotechpodcast.com/hdlsoweiejsdcpoeueweipowep/1/gAjNE/gAjNE/bGVoaWdobUBoaWxsc2Jvcm91Z2hjb3VudHkub3Jn MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)

chrome.exe (PID: 3588 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2080 --field-trial-handle=2016,i,15475111551408866362,3318715979973244406,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)

chrome.exe (PID: 5884 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5916 --field-trial-handle=2016,i,15475111551408866362,3318715979973244406,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)

chrome.exe (PID: 5296 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3332 --field-trial-handle=2016,i,15475111551408866362,3318715979973244406,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)

cleanup

HTTP traffic detected: GET /jsp///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////mailing/mail-landing.jsp?userMailing=536238898&action=url&name=IP-MPE-Button-072523&url=https://afrotechpodcast.com/hdlsoweiejsdcpoeueweipowep/1/gAjNE/gAjNE/bGVoaWdobUBoaWxsc2Jvcm91Z2hjb3VudHkub3Jn HTTP/1.1Host: ironplanet.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9

Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.17:49938 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 204.79.197.222:443 -> 192.168.2.17:50009 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.17:50110 version: TLS 1.2

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Windows\SystemTemp\chrome_BITS_3852_1797545806

Source: classification engine

Classification label: clean1.win@26/426@332/1070

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://ironplanet.com/jsp///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////mailing/mail-landing.jsp?userMailing=536238898&action=url&name=IP-MPE-Button-072523&url=https://afrotechpodcast.com/hdlsoweiejsdcpoeueweipowep/1/gAjNE/gAjNE/bGVoaWdobUBoaWxsc2Jvcm91Z2hjb3VudHkub3Jn
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2080 --field-trial-handle=2016,i,15475111551408866362,3318715979973244406,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2080 --field-trial-handle=2016,i,15475111551408866362,3318715979973244406,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5916 --field-trial-handle=2016,i,15475111551408866362,3318715979973244406,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3332 --field-trial-handle=2016,i,15475111551408866362,3318715979973244406,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5916 --field-trial-handle=2016,i,15475111551408866362,3318715979973244406,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3332 --field-trial-handle=2016,i,15475111551408866362,3318715979973244406,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact	Resource Development	Reconnaissance
Valid Accounts	Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	1 Process Injection	11 Masquerading	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	2 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Abuse Accessibility Features	Acquire Infrastructure	Gather Victim Identity Information
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Registry Run Keys / Startup Folder	1 Process Injection	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	2 Non-Application Layer Protocol	SIM Card Swap	Obtain Device Cloud Backups	Network Denial of Service	Domains	Credentials
Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	1 Extra Window Memory Injection	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	3 Application Layer Protocol			Data Encrypted for Impact	DNS Server	Email Addresses
Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Traffic Duplication	1 Ingress Tool Transfer			Data Destruction	Virtual Private Server	Employee Names

Source	Detection	Scanner	Label	Link
http://ironplanet.com/jsp///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////mailing/mail-landing.jsp?userMailing=536238898&action=url&name=IP-MPE-Button-072523&url=https://afrotechpodcast.com/hdlsoweiejsdcpoeueweipowep/1/gAjNE/gAjNE/bGVoaWdobUBoaWxsc2Jvcm91Z2hjb3VudHkub3Jn	0%	Avira URL Cloud	safe

Source	Detection	Scanner	Link
vc-live-cf.hotjar.io	0%	Virustotal	Browse
servedbyadbutler.com	1%	Virustotal	Browse
www.google.co.uk	0%	Virustotal	Browse
a.ironpla.net	0%	Virustotal	Browse
cdn.ironpla.net	0%	Virustotal	Browse
512-015.net	0%	Virustotal	Browse
cdns.brsrvr.com	0%	Virustotal	Browse
s.ironpla.net	0%	Virustotal	Browse
p.brsrvr.com	0%	Virustotal	Browse
vc.hotjar.io	0%	Virustotal	Browse
ws.rqtrk.eu	0%	Virustotal	Browse
jelly.mdhv.io	0%	Virustotal	Browse
js.hs-banner.com	0%	Virustotal	Browse
ds-pr-bh.ybp.gysm.yahoodns.net	0%	Virustotal	Browse
pug-vac.pubmnet.com	0%	Virustotal	Browse
nydc1.outbrain.org	0%	Virustotal	Browse
js.hs-analytics.net	0%	Virustotal	Browse
match.prod.bidr.io	0%	Virustotal	Browse
sync.ipredictive.com	0%	Virustotal	Browse
user-data-us-east.bidswitch.net	0%	Virustotal	Browse
js.hsleadflows.net	0%	Virustotal	Browse
ats-eks.us-east-1.dcs-online-targeting-prd.aws.oath.cloud	0%	Virustotal	Browse
pug-njrpb.pubmnet.com	0%	Virustotal	Browse
ads.stickyadstv.com	0%	Virustotal	Browse
go.rbfinance.com	0%	Virustotal	Browse

Name	IP	Active	Malicious	Antivirus Detection	Reputation
rtb-csync-use1.smartadserver.com	23.105.12.150	true	false		high
forms.hubspot.com	104.19.155.83	true	false		high
pixel-lb-1846267185.us-east-1.elb.amazonaws.com	34.195.216.90	true	false		high
i.ytimg.com	142.251.179.119	true	false		high
us-east-eb2.3lift.com	35.71.139.29	true	false		high
jelly.mdhv.io	216.239.36.21	true	false	0%, Virustotal, Browse	unknown
ws.rqtrk.eu	15.235.42.102	true	false	0%, Virustotal, Browse	unknown
mobile-gtalk.l.google.com	142.251.163.188	true	false		high
live.rezync.com	13.32.151.42	true	false		high
d20qwf0wrdtevy.cloudfront.net	13.249.39.128	true	false		high
stats.g.doubleclick.net	172.253.63.155	true	false		high
cdn.w55c.net	54.161.164.30	true	false		high
dcs-public-edge-va6-158015560.us-east-1.elb.amazonaws.com	52.6.69.74	true	false		high
kong-us-east-2-prod.omnitagjs.com	3.17.245.223	true	false		high
track.hubspot.com	104.19.155.83	true	false		high
r.casalemedia.com	104.18.36.155	true	false		high
servedbyadbutler.com	104.254.130.154	true	false	1%, Virustotal, Browse	unknown
na-ice.360yield.com	34.230.251.138	true	false		high
sync.crwdcntrl.net	54.86.66.215	true	false		high
fledge.va1.vip.prod.criteo.com	74.119.119.74	true	false		high
js.hs-scripts.com	104.16.191.89	true	false		high
photos-ugc.l.googleusercontent.com	142.251.167.132	true	false		high
cm.g.doubleclick.net	142.251.111.154	true	false		high
pug-vac.pubmnet.com	8.28.7.83	true	false	0%, Virustotal, Browse	unknown
idaas-ext.cph.liveintent.com	54.84.84.225	true	false		high
ds-pr-bh.ybp.gysm.yahoodns.net	18.211.113.251	true	false	0%, Virustotal, Browse	unknown
www.google.com	172.253.63.147	true	false		high
static-cdn.hotjar.com	18.160.41.58	true	false		high
match.adsrvr.org	15.197.193.217	true	false		high
star-mini.c10r.facebook.com	31.13.66.35	true	false		high
js.hs-banner.com	172.64.153.27	true	false	0%, Virustotal, Browse	unknown
android.l.google.com	172.253.115.139	true	false		high
match.prod.bidr.io	52.3.212.20	true	false	0%, Virustotal, Browse	unknown
google.com	142.251.16.113	true	false		high
widget.va1.vip.prod.criteo.com	74.119.119.150	true	false		high
nydc1.outbrain.org	64.202.112.127	true	false	0%, Virustotal, Browse	unknown
dynamic.va1.vip.prod.criteo.com	74.119.119.142	true	false		high
csm.va1.vip.prod.criteo.net	74.119.119.149	true	false		high
cdn26.vizury.com	172.66.40.200	true	false		high
trends.revcontent.com	34.224.206.118	true	false		high
d37ih4rs6zff7b.cloudfront.net	3.162.125.104	true	false		high
us-pl-whitelist-532871921.us-east-1.elb.amazonaws.com	44.197.16.28	true	false		high
static.doubleclick.net	142.251.16.148	true	false		high
consent.trustarc.com	52.85.151.27	true	false		high
youtube-ui.l.google.com	142.251.16.190	true	false		high
googleads.g.doubleclick.net	142.251.16.156	true	false		high
www.google.co.uk	172.253.63.94	true	false	0%, Virustotal, Browse	unknown
td.doubleclick.net	142.251.167.155	true	false		high
gum.va1.vip.prod.criteo.com	74.119.119.139	true	false		high
clients.l.google.com	142.250.31.100	true	false		high
match-us-east-1-ecs.sharethrough.com	34.193.82.223	true	false		high
user-data-us-east.bidswitch.net	35.211.178.172	true	false	0%, Virustotal, Browse	unknown
la2-c2-ia4.ia4.r.salesforceliveagent.com	13.109.191.112	true	false		high
vc-live-cf.hotjar.io	18.160.46.48	true	false	0%, Virustotal, Browse	unknown
cdn.callrail.com	99.84.108.85	true	false		high
js.hs-analytics.net	104.16.78.186	true	false	0%, Virustotal, Browse	unknown
us-vip001.taboola.com	141.226.224.48	true	false		high
vizury-common-286881781.us-east-1.elb.amazonaws.com	52.22.199.137	true	false		high
contextual.media.net	23.50.124.22	true	false		high
scontent.xx.fbcdn.net	31.13.66.19	true	false		high
tf-hitapp-prod.eba-akngjzsh.us-east-1.elasticbeanstalk.com	54.164.150.113	true	false		high
script.hotjar.com	99.84.191.41	true	false		high
tapestry.tapad.com	34.111.113.62	true	false		high
location.l.force.com	13.110.34.148	true	false		high
ironplanet.com	44.227.226.47	true	false		high
pi-ue1-public-lb-f0209c6950285322.elb.us-east-1.amazonaws.com	18.208.125.13	true	false		high
pippio.com	107.178.254.65	true	false		high
sync.ipredictive.com	52.5.145.170	true	false	0%, Virustotal, Browse	unknown
accounts.google.com	172.253.63.84	true	false		high
pcs3prod18.us-east-1.elasticbeanstalk.com	3.224.104.47	true	false		high
512-015.net	198.37.120.52	true	false	0%, Virustotal, Browse	unknown
pacman-metrics-live.live.eks.hotjar.com	52.51.146.255	true	false		high
static.va1.vip.prod.criteo.net	74.119.119.131	true	false		high
exchange.mediavine.com	3.211.29.151	true	false		high
js.hsleadflows.net	104.18.125.12	true	false	0%, Virustotal, Browse	unknown
rba-ip-alb-prd-1135758781.us-west-2.elb.amazonaws.com	52.10.30.179	true	false		high
play.google.com	172.253.62.102	true	false		high
s.ad.smaato.net	18.67.76.70	true	false		high
pug-njrpb.pubmnet.com	162.248.18.37	true	false	0%, Virustotal, Browse	unknown
analytics.google.com	142.251.167.102	true	false		high
tags.srv.stackadapt.com	34.202.187.88	true	false		high
la2-c2-ia5.ia5.r.salesforceliveagent.com	13.110.65.112	true	false		high
js.callrail.com	99.84.108.44	true	false		high
ats-eks.us-east-1.dcs-online-targeting-prd.aws.oath.cloud	3.225.218.10	true	false	0%, Virustotal, Browse	unknown
measurement-api.va1.vip.prod.criteo.com	74.119.119.71	true	false		high
ib.anycast.adnxs.com	68.67.181.211	true	false		high
ssgtm.ironplanet.com	216.239.32.21	true	false		high
ads.stickyadstv.com	unknown	unknown	false	0%, Virustotal, Browse	unknown
csm.va.us.criteo.net	unknown	unknown	false		high
jadserve.postrelease.com	unknown	unknown	false		high
sslwidget.criteo.com	unknown	unknown	false		high
clients2.google.com	unknown	unknown	false		high
www.youtube.com	unknown	unknown	false		high
us-pl.vizury.com	unknown	unknown	false		high
cdn.ironpla.net	unknown	unknown	false	0%, Virustotal, Browse	unknown
pixel.rubiconproject.com	unknown	unknown	false		high
connect.facebook.net	unknown	unknown	false		high
p.brsrvr.com	unknown	unknown	false	0%, Virustotal, Browse	unknown
go.rbfinance.com	unknown	unknown	false	0%, Virustotal, Browse	unknown
eu.ironplanet.com	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Reputation
https://www.ironplanet.com/?src=insideemail-IronPlanet-072523&utm_source=pet&utm_medium=email&utm_campaign=IP-MPE-072523	false	high
about:blank	false	low
http://ironplanet.com/jsp///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////mailing/mail-landing.jsp?userMailing=536238898&action=url&name=IP-MPE-Button-072523&url=https://afrotechpodcast.com/hdlsoweiejsdcpoeueweipowep/1/gAjNE/gAjNE/bGVoaWdobUBoaWxsc2Jvcm91Z2hjb3VudHkub3Jn	false	high
https://service.force.com/embeddedservice/5.0/esw.html?parent=https://www.ironplanet.com/?src=insideemail-IronPlanet-072523&utm_source=pet&utm_medium=email&utm_campaign=IP-MPE-072523	false	high
https://consent.trustarc.com/get?name=crossdomain.html&domain=ironplanet.ritchiebros.com	false	high
https://gum.criteo.com/syncframe?topUrl=www.ironplanet.com&origin=onetag#{%22bundle%22:{%22origin%22:0,%22value%22:null},%22cw%22:true,%22optout%22:{%22origin%22:0,%22value%22:null},%22origin%22:%22onetag%22,%22sid%22:{%22origin%22:0,%22value%22:null},%22tld%22:%22ironplanet.com%22,%22topUrl%22:%22www.ironplanet.com%22,%22version%22:%225_20_0%22,%22ifa%22:{%22origin%22:0,%22value%22:null},%22lsw%22:true,%22pm%22:0}	false	high
https://us-pl.vizury.com/analyze/analyze.php?account_id=VIZVRM5383&URL=https%3A%2F%2Fwww.ironplanet.com%2F%3Fsrc%3Dinsideemail-IronPlanet-072523%26utm_source%3Dpet%26utm_medium%3Demail%26utm_campaign%3DIP-MPE-072523&referrer=&ts=&fp34=0da7f7cbd14fa28c554f3c51a6f547d6&param=e100&section=1&level=1&ealevel=1&cb=viz_655b56d7fd72a	false	high
https://www.youtube.com/embed/gL92lxZamzI?rel=0&showinfo=0	false	high
https://static.criteo.net/empty.html	false	high
https://fledge.us.criteo.com/interest-group?data=UosGmXw0Y24xQjdkQjhDUys3b3Zydjg1QldVTjFLRThLL1R1UFM5R0RSUEhneDB5ZDc0TUcwL3A1SGJOcWszVlBKWjBqamRZQnBSSjc0OEppOEpOSWRSekVsQT09fA	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.19.155.83	forms.hubspot.com	United States	13335	CLOUDFLARENETUS	false
74.119.119.139	gum.va1.vip.prod.criteo.com	United States	19750	AS-CRITEOUS	false
13.249.39.128	d20qwf0wrdtevy.cloudfront.net	United States	16509	AMAZON-02US	false
74.119.119.131	static.va1.vip.prod.criteo.net	United States	19750	AS-CRITEOUS	false
142.251.163.101	unknown	United States	15169	GOOGLEUS	false
142.251.163.188	mobile-gtalk.l.google.com	United States	15169	GOOGLEUS	false
3.218.201.11	unknown	United States	14618	AMAZON-AESUS	false
172.253.115.105	unknown	United States	15169	GOOGLEUS	false
44.193.49.175	unknown	United States	14618	AMAZON-AESUS	false
18.160.46.48	vc-live-cf.hotjar.io	United States	3	MIT-GATEWAYSUS	false
68.67.161.182	unknown	United States	29990	ASN-APPNEXUS	false
216.239.36.21	jelly.mdhv.io	United States	15169	GOOGLEUS	false
3.162.125.74	unknown	United States	16509	AMAZON-02US	false
3.231.143.13	unknown	United States	14618	AMAZON-AESUS	false
13.110.34.148	location.l.force.com	United States	14340	SALESFORCEUS	false
1.1.1.1	unknown	Australia	13335	CLOUDFLARENETUS	false
142.251.167.132	photos-ugc.l.googleusercontent.com	United States	15169	GOOGLEUS	false
74.119.119.149	csm.va1.vip.prod.criteo.net	United States	19750	AS-CRITEOUS	false
142.251.16.148	static.doubleclick.net	United States	15169	GOOGLEUS	false
74.119.119.142	dynamic.va1.vip.prod.criteo.com	United States	19750	AS-CRITEOUS	false
34.195.219.22	unknown	United States	14618	AMAZON-AESUS	false
172.253.122.95	unknown	United States	15169	GOOGLEUS	false
172.253.122.94	unknown	United States	15169	GOOGLEUS	false
199.38.167.130	unknown	United States	54312	ROCKETFUELUS	false
107.178.254.65	pippio.com	United States	15169	GOOGLEUS	false
104.18.125.12	js.hsleadflows.net	United States	13335	CLOUDFLARENETUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
13.109.191.112	la2-c2-ia4.ia4.r.salesforceliveagent.com	United States	14340	SALESFORCEUS	false
13.110.65.112	la2-c2-ia5.ia5.r.salesforceliveagent.com	United States	14340	SALESFORCEUS	false
23.223.253.75	unknown	United States	16625	AKAMAI-ASUS	false
23.223.252.212	unknown	United States	16625	AKAMAI-ASUS	false
3.162.125.104	d37ih4rs6zff7b.cloudfront.net	United States	16509	AMAZON-02US	false
99.84.108.124	unknown	United States	16509	AMAZON-02US	false
172.253.62.157	unknown	United States	15169	GOOGLEUS	false
3.225.218.10	ats-eks.us-east-1.dcs-online-targeting-prd.aws.oath.cloud	United States	14618	AMAZON-AESUS	false
34.205.214.102	unknown	United States	14618	AMAZON-AESUS	false
3.215.172.219	unknown	United States	14618	AMAZON-AESUS	false
172.253.62.94	unknown	United States	15169	GOOGLEUS	false
142.251.167.102	analytics.google.com	United States	15169	GOOGLEUS	false
142.251.16.156	googleads.g.doubleclick.net	United States	15169	GOOGLEUS	false
34.230.251.138	na-ice.360yield.com	United States	14618	AMAZON-AESUS	false
18.117.210.217	unknown	United States	3	MIT-GATEWAYSUS	false
172.253.122.113	unknown	United States	15169	GOOGLEUS	false
8.43.72.98	unknown	United States	26667	RUBICONPROJECTUS	false
8.43.72.97	unknown	United States	26667	RUBICONPROJECTUS	false
74.119.119.150	widget.va1.vip.prod.criteo.com	United States	19750	AS-CRITEOUS	false
44.206.97.113	unknown	United States	14618	AMAZON-AESUS	false
172.66.40.200	cdn26.vizury.com	United States	13335	CLOUDFLARENETUS	false
3.224.104.47	pcs3prod18.us-east-1.elasticbeanstalk.com	United States	14618	AMAZON-AESUS	false
3.86.122.46	unknown	United States	14618	AMAZON-AESUS	false
52.25.20.194	unknown	United States	16509	AMAZON-02US	false
70.42.32.95	unknown	United States	22075	AS-OUTBRAINUS	false
23.39.185.111	unknown	United States	16625	AKAMAI-ASUS	false
142.251.163.95	unknown	United States	15169	GOOGLEUS	false
18.238.49.62	unknown	United States	16509	AMAZON-02US	false
3.138.212.158	unknown	United States	16509	AMAZON-02US	false
142.251.163.139	unknown	United States	15169	GOOGLEUS	false
23.105.12.150	rtb-csync-use1.smartadserver.com	United States	30633	LEASEWEB-USA-WDCUS	false
99.84.108.44	js.callrail.com	United States	16509	AMAZON-02US	false
31.13.66.35	star-mini.c10r.facebook.com	Ireland	32934	FACEBOOKUS	false
216.239.32.21	ssgtm.ironplanet.com	United States	15169	GOOGLEUS	false
3.211.29.151	exchange.mediavine.com	United States	14618	AMAZON-AESUS	false
54.86.66.215	sync.crwdcntrl.net	United States	14618	AMAZON-AESUS	false
13.110.44.112	unknown	United States	14340	SALESFORCEUS	false
142.251.179.154	unknown	United States	15169	GOOGLEUS	false
18.211.113.251	ds-pr-bh.ybp.gysm.yahoodns.net	United States	14618	AMAZON-AESUS	false
52.10.30.179	rba-ip-alb-prd-1135758781.us-west-2.elb.amazonaws.com	United States	16509	AMAZON-02US	false
18.67.76.70	s.ad.smaato.net	United States	3	MIT-GATEWAYSUS	false
142.251.16.94	unknown	United States	15169	GOOGLEUS	false
52.51.146.255	pacman-metrics-live.live.eks.hotjar.com	United States	16509	AMAZON-02US	false
52.85.151.27	consent.trustarc.com	United States	16509	AMAZON-02US	false
34.202.187.88	tags.srv.stackadapt.com	United States	14618	AMAZON-AESUS	false
13.32.151.42	live.rezync.com	United States	16509	AMAZON-02US	false
23.222.201.151	unknown	United States	16625	AKAMAI-ASUS	false
13.110.32.179	unknown	United States	14340	SALESFORCEUS	false
204.79.197.200	unknown	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
172.253.63.84	accounts.google.com	United States	15169	GOOGLEUS	false
172.253.63.155	stats.g.doubleclick.net	United States	15169	GOOGLEUS	false
63.251.28.134	unknown	United States	26558	FREEWHEELUS	false
23.50.124.22	contextual.media.net	United States	16625	AKAMAI-ASUS	false
63.251.28.133	unknown	United States	26558	FREEWHEELUS	false
74.119.119.74	fledge.va1.vip.prod.criteo.com	United States	19750	AS-CRITEOUS	false
3.232.219.155	unknown	United States	14618	AMAZON-AESUS	false
34.195.216.90	pixel-lb-1846267185.us-east-1.elb.amazonaws.com	United States	14618	AMAZON-AESUS	false
35.211.178.172	user-data-us-east.bidswitch.net	United States	19527	GOOGLE-2US	false
8.28.7.83	pug-vac.pubmnet.com	United States	62713	AS-PUBMATICUS	false
104.16.78.186	js.hs-analytics.net	United States	13335	CLOUDFLARENETUS	false
52.5.145.170	sync.ipredictive.com	United States	14618	AMAZON-AESUS	false
198.37.120.52	512-015.net	United States	397373	H4Y-TECHNOLOGIESUS	false
44.197.16.28	us-pl-whitelist-532871921.us-east-1.elb.amazonaws.com	United States	14618	AMAZON-AESUS	false
74.119.119.71	measurement-api.va1.vip.prod.criteo.com	United States	19750	AS-CRITEOUS	false
52.22.199.137	vizury-common-286881781.us-east-1.elb.amazonaws.com	United States	14618	AMAZON-AESUS	false
172.253.62.102	play.google.com	United States	15169	GOOGLEUS	false
172.253.122.104	unknown	United States	15169	GOOGLEUS	false
104.19.154.83	unknown	United States	13335	CLOUDFLARENETUS	false
54.84.84.225	idaas-ext.cph.liveintent.com	United States	14618	AMAZON-AESUS	false
54.174.252.1	unknown	United States	14618	AMAZON-AESUS	false
31.13.66.19	scontent.xx.fbcdn.net	Ireland	32934	FACEBOOKUS	false
172.253.63.94	www.google.co.uk	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.17

General Information

Joe Sandbox Version:	38.0.0 Ammolite
Analysis ID:	1345148
Start date and time:	2023-11-20 13:53:01 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Sample URL:	http://ironplanet.com/jsp///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////mailing/mail-landing.jsp?userMailing=536238898&action=url&name=IP-MPE-Button-072523&url=https://afrotechpodcast.com/hdlsoweiejsdcpoeueweipowep/1/gAjNE/gAjNE/bGVoaWdobUBoaWxsc2Jvcm91Z2hjb3VudHkub3Jn
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean1.win@26/426@332/1070

Warnings

Exclude process from analysis (whitelisted): SgrmBroker.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.48.10.90
Excluded domains from analysis (whitelisted): fs.microsoft.com, e16604.g.akamaiedge.net, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net
Not all processes where analyzed, report is missing behavior information

Source: https://www.ironplanet.com/?src=insideemail-IronPlanet-072523&utm_source=pet&utm_medium=email&utm_campaign=IP-MPE-072523	HTTP Parser: No favicon
Source: https://www.ironplanet.com/?src=insideemail-IronPlanet-072523&utm_source=pet&utm_medium=email&utm_campaign=IP-MPE-072523	HTTP Parser: No favicon
Source: https://www.ironplanet.com/?src=insideemail-IronPlanet-072523&utm_source=pet&utm_medium=email&utm_campaign=IP-MPE-072523	HTTP Parser: No favicon
Source: https://www.ironplanet.com/?src=insideemail-IronPlanet-072523&utm_source=pet&utm_medium=email&utm_campaign=IP-MPE-072523	HTTP Parser: No favicon
Source: https://www.youtube.com/embed/gL92lxZamzI?rel=0&showinfo=0	HTTP Parser: No favicon
Source: https://fledge.us.criteo.com/interest-group?data=UosGmXw0Y24xQjdkQjhDUys3b3Zydjg1QldVTjFLRThLL1R1UFM5R0RSUEhneDB5ZDc0TUcwL3A1SGJOcWszVlBKWjBqamRZQnBSSjc0OEppOEpOSWRSekVsQT09fA	HTTP Parser: No favicon
Source: https://td.doubleclick.net/td/rul/1072577230?random=1700484821912&cv=11&fst=1700484821912&fmt=3&bg=ffffff&guid=ON&async=1&gtm=45He3b81v71134794&gcd=11l1l1l1l1&dma=0&u_w=1280&u_h=1024&url=https%3A%2F%2Fwww.ironplanet.com%2F%3Fsrc%3Dinsideemail-IronPlanet-072523%26utm_source%3Dpet%26utm_medium%3Demail%26utm_campaign%3DIP-MPE-072523&hn=www.googleadservices.com&frm=0&tiba=Used%20Heavy%20Construction%20Equipment%20%26%20Trucks%20For%20Sale%20%7C%20IronPlanet&auid=204803022.1700484818&fledge=1&uaa=x86&uab=64&uafvl=Google%2520Chrome%3B117.0.5938.149%7CNot%253BA%253DBrand%3B8.0.0.0%7CChromium%3B117.0.5938.149&uamb=0&uap=Windows&uapv=10.0.0&uaw=0	HTTP Parser: No favicon
Source: https://service.force.com/embeddedservice/5.0/esw.html?parent=https://www.ironplanet.com/?src=insideemail-IronPlanet-072523&utm_source=pet&utm_medium=email&utm_campaign=IP-MPE-072523	HTTP Parser: No favicon
Source: https://www.ironplanet.com/?src=insideemail-IronPlanet-072523&utm_source=pet&utm_medium=email&utm_campaign=IP-MPE-072523	HTTP Parser: No favicon
Source: https://www.ironplanet.com/?src=insideemail-IronPlanet-072523&utm_source=pet&utm_medium=email&utm_campaign=IP-MPE-072523	HTTP Parser: No favicon

Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.84
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.58
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.58
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.84
Source: unknown	TCP traffic detected without corresponding DNS query: 13.67.144.177
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.84
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Nov 20 11:53:31 2023, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.9854734810960246
Encrypted:	false
SSDEEP:
MD5:	334CDD8F7537CB6A26A61679BD13CBA4
SHA1:	7FD1930475F916ABA5CF45655BF0CD1C7191755A
SHA-256:	A8E4E37443205FA38476A9CF0D3FBB8386BE6F896A111372CBC172DA916948F5
SHA-512:	805C310346A8765E56ED745BB010233CCCB2E6022B2A147B00724864E1EB6F2DC8561B7B6C05073129CC2908E1016BB60EF060254D7E9B8861EE5D6D2677C987
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,....A...........y... w......................1....P.O. .:i.....+00.../C:\.....................1.....FWoN..PROGRA~1..t......O.ItW.f....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VtW.f....L.....................p+j.G.o.o.g.l.e.....T.1.....FW.N..Chrome..>......CW.VtW.f....M......................W..C.h.r.o.m.e.....`.1.....FW.N..APPLIC~1..H......CW.VtW.f...........................W..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.VtW.f...........................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i....................C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	C source, ASCII text, with very long lines (754)
Category:	downloaded
Size (bytes):	30813
Entropy (8bit):	5.163195557334805
Encrypted:	false
SSDEEP:
MD5:	E42DF024FAD660BBADF4D550BB33FE6D
SHA1:	0C73CF3E830F5FFED5C9D070A95D98883DB23454
SHA-256:	EF4DCC4DAB4D780F44939C455D4720CAB662B2F5FABC36EBC33A21F4CDBECD4E
SHA-512:	193AB01FB92FBFC0BFF58D018D2F2AC64850A29D0EB47283370B0A872D71C1B00636FB2A8BC0F79F0CB906457061AA869BC291F69E3B6703EA08A04E922596EA
Malicious:	false
Reputation:	low
URL:	https://service.force.com/embeddedservice/5.0/esw.min.js
Preview:	/. Where possible, we changed noninclusive terms to align with our company value of Equality. We maintained certain terms to avoid any effect on customer implementations. ./.(function(l){function d(){var a=!1,b;this.settings={appendHelpButton:!0,displayHelpButton:!0,isExternalPage:!0,devMode:!1,targetElement:document.body,elementForOnlineDisplay:void 0,elementForOfflineDisplay:void 0,defaultMinimizedText:"",disabledMinimizedText:"",defaultAssistiveText:"",loadingText:"Loading",showIcon:void 0,enabledFeatures:[],entryFeature:"FieldService",storageDomain:document.domain,language:void 0,linkAction:{feature:void 0,name:void 0,valid:!1},linkActionParameters:{},useCustomAuthentication:!1,.allowGuestUsers:!1,requireSLDS:!1,hasBottomTabBar:!1};this.auth={};this.validLinkActions={};this.alwaysWarnOnBeforeUnload=!1;Object.defineProperty(this.auth,"oauthToken",{get:function(){return b},set:function(c){this.validateHeaderValue(c)?(b=c)?(this.setSessionData("ESW_OAUTH_TOKEN",c),this.checkAuthenti

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	PNG image data, 218 x 85, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	13981
Entropy (8bit):	7.928598274724738
Encrypted:	false
SSDEEP:
MD5:	04E5CED645ACC19EE595B4012FBFB0CB
SHA1:	55D7CBE561FAD4E25057620DC4CC471C4C9D99A6
SHA-256:	96E93BA133125169CC86EEE977481FE321E1F8C0CA28374023AA05CB46918909
SHA-512:	DCD0BFBC76D783A7E7391EF54C0DEED5913ADA41C8F34DDA7026E1A69E1A6454DE12269D2DB92C460F56B562BF116F947B8D73B3A548D1754EFEB5985993E002
Malicious:	false
Reputation:	low
URL:	https://cdn.ironpla.net/i/hmpg/2018/john_deere_logo_new.png
Preview:	.PNG........IHDR.......U...../.......tEXtSoftware.Adobe ImageReadyq.e<....iTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c138 79.159824, 2016/09/14-01:09:01 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:photoshop="http://ns.adobe.com/photoshop/1.0/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stEvt="http://ns.adobe.com/xap/1.0/sType/ResourceEvent#" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CC 2017 (Windows)" xmp:CreateDate="2018-01-11T15:20:53-08:00" xmp:MetadataDate="2018-01-11T15:54:06-08:00" xmp:ModifyDate="2018-01-11T15:54:06-08:00" dc:format="image/png" xmpMM:InstanceID="xmp.iid:B5A04AC7F72A11E79C36814494A58782" xmpMM:DocumentID="xmp.did:B5A04AC8F72A11E79C36814494A58782" xmpMM:O

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (30837)
Category:	downloaded
Size (bytes):	31000
Entropy (8bit):	4.746143404849733
Encrypted:	false
SSDEEP:
MD5:	269550530CC127B6AA5A35925A7DE6CE
SHA1:	512C7D79033E3028A9BE61B540CF1A6870C896F8
SHA-256:	799AEB25CC0373FDEE0E1B1DB7AD6C2F6A0E058DFADAA3379689F583213190BD
SHA-512:	49F4E24E55FA924FAA8AD7DEBE5FFB2E26D439E25696DF6B6F20E7F766B50EA58EC3DBD61B6305A1ACACD2C80E6E659ACCEE4140F885B9C9E71008E9001FBF4B
Malicious:	false
Reputation:	low
URL:	https://s.ironpla.net/s/resources/fonts/awesome-4.7/css/font-awesome.min.css
Preview:	/!. Font Awesome 4.7.0 by @davegandy - http://fontawesome.io - @fontawesome. * License - http://fontawesome.io/license (Font: SIL OFL 1.1, CSS: MIT License). */@font-face{font-family:'FontAwesome';src:url('../fonts/fontawesome-webfont.eot?v=4.7.0');src:url('../fonts/fontawesome-webfont.eot?#iefix&v=4.7.0') format('embedded-opentype'),url('../fonts/fontawesome-webfont.woff2?v=4.7.0') format('woff2'),url('../fonts/fontawesome-webfont.woff?v=4.7.0') format('woff'),url('../fonts/fontawesome-webfont.ttf?v=4.7.0') format('truetype'),url('../fonts/fontawesome-webfont.svg?v=4.7.0#fontawesomeregular') format('svg');font-weight:normal;font-style:normal}.fa{display:inline-block;font:normal normal normal 14px/1 FontAwesome;font-size:inherit;text-rendering:auto;-webkit-font-smoothing:antialiased;-moz-osx-font-smoothing:grayscale}.fa-lg{font-size:1.33333333em;line-height:.75em;vertical-align:-15%}.fa-2x{font-size:2em}.fa-3x{font-size:3em}.fa-4x{font-size:4em}.fa-5x{font-size:5em}.fa-fw{width:1.

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Overview

General Information

Detection

Signatures

Classification

Process Tree

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Phishing

Compliance

Software Vulnerabilities

Networking

System Summary

Boot Survival

Mitre Att&ck Matrix

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Chrome Cache Entry: 194

Chrome Cache Entry: 195

Chrome Cache Entry: 197

Chrome Cache Entry: 198

Chrome Cache Entry: 199

Chrome Cache Entry: 200

Chrome Cache Entry: 201

Chrome Cache Entry: 203

Chrome Cache Entry: 204

Chrome Cache Entry: 205

Chrome Cache Entry: 207

Chrome Cache Entry: 208

Chrome Cache Entry: 209

Chrome Cache Entry: 211

Chrome Cache Entry: 212

Chrome Cache Entry: 213

Chrome Cache Entry: 214

Chrome Cache Entry: 216

Chrome Cache Entry: 217

Chrome Cache Entry: 218

Chrome Cache Entry: 219

Chrome Cache Entry: 220

Chrome Cache Entry: 221

Chrome Cache Entry: 223

Chrome Cache Entry: 226

Chrome Cache Entry: 227

Chrome Cache Entry: 228

Chrome Cache Entry: 229

Chrome Cache Entry: 231

Chrome Cache Entry: 233

Chrome Cache Entry: 236

Chrome Cache Entry: 237

Chrome Cache Entry: 238