ID: 289897
Cookbook: browseurl.jbs
Time: 11:27:39
Date: 25/09/2020
Version: 30.0.0 Red Diamond

Table of Contents

Table of Contents (page 2)
Analysis Report http://c3.sdkclickurl.com/click/?adgroup_id=3954232&user_id=699999&timeflag=202009250600&mid=2157&android_id={android_id}&bundle={bundle}&ip={ip}&ua={ua}&lang={lang}&tid=RSB_C8323ABF5CB47CABF251DE48B390223CD18ED4F247BEB9107AEA02D0D05C1F8B6020BB87965D54B6422A0F9E968CC1A9_MOBILEPARTNER_zya_giraffe5f6d8fd1e4b04b780100a4fe26&gaid=6d0fd5e2-dfb8-4abf-b91c-844c98a8929d&pub_id=28446&idx=26 (page 3)
  Overview (page 3)
    General Information (page 3)
    Detection (page 3)
    Signatures (page 3)
    Classification (page 3)
  Startup (page 4)
  Malware Configuration (page 4)
  Yara Overview (page 4)
  Sigma Overview (page 4)
  Signature Overview (page 4)
  Mitre Att&ck Matrix (page 5)
  Behavior Graph (page 5)
  Screenshots (page 5)
    Thumbnails (page 5)
  Antivirus, Machine Learning and Genetic Malware Detection (page 6)
    Initial Sample (page 6)
    Dropped Files (page 6)
    Unpacked PE Files (page 6)
    Domains (page 7)
    URLs (page 7)
  Domains and IPs (page 7)
    Contacted Domains (page 7)
    Contacted URLs (page 7)
    URLs from Memory and Binaries (page 7)
    Contacted IPs (page 7)
      Public (page 8)
  General Information (page 8)
  Simulations (page 9)
    Behavior and APIs (page 9)
  Joe Sandbox View / Context (page 9)
    IPs (page 9)
    Domains (page 9)
    ASN (page 9)
    JA3 Fingerprints (page 9)
    Dropped Files (page 9)
  Created / dropped Files (page 10)
  Static File Info (page 14)
    No static file info (page 14)
  Network Behavior (page 14)
    Network Port Distribution (page 14)
    TCP Packets (page 15)
    UDP Packets (page 16)
    DNS Queries (page 16)
    DNS Answers (page 17)
    HTTP Request Dependency Graph (page 17)
    HTTP Packets (page 17)
    HTTPS Packets (page 18)
  Code Manipulations (page 18)
  Statistics (page 19)
    Behavior (page 19)
  System Behavior (page 19)
    Analysis Process: iexplore.exe PID: 5320 Parent PID: 788 (page 19)
      General (page 19)
      File Activities (page 19)
      Registry Activities (page 19)
    Analysis Process: iexplore.exe PID: 4444 Parent PID: 5320 (page 20)
      General (page 20)
      File Activities (page 20)
      Registry Activities (page 20)
  Disassembly (page 20)

Copyright null 2020 Page 2 of 20

Analysis Report http://c3.sdkclickurl.com/click/?adgroup…_id=3954232&user_id=699999&timeflag=202009250600&mid=2157&android_id={android_id}&bundle={bundle}&ip={ip}&ua={ua}&lang={lang}&tid=RSB_C8323ABF5CB47CABF251DE48B390223CD18ED4F247BEB9107AEA02D0D05C1F8B6020BB87965D54B6422A0F9E968CC1A9_MOBILEPARTNER_zya_giraffe5f6d8fd1e4b04b780100a4fe26&gaid=6d0fd5e2-dfb8-4abf-b91c-844c98a8929d&pub_id=28446&idx=26

Overview

General Information

Sample URL: c3.sdkclickurl.com/click/?adgroup_id=3954232&user_id=699999&timeflag=202009250600&mid=2157&android_id={android_id}&bundle={bundle}&ip={ip}&ua={ua}&lang={lang}&tid=RSB_C8323ABF5CB47CABF251DE48B390223CD18ED4F247BEB9107AEA02D0D05C1F8B6020BB87965D54B6422A0F9E968CC1A9_MOBILEPARTNER_zya_giraffe5f6d8fd1e4b04b780100a4fe26&gaid=6d0fd5e2-dfb8-4abf-b91c-844c98a8929d&pub_id=28446&idx=26
Analysis ID: 289897
Most interesting Screenshot: (image not reproduced)

Detection

Score: 0
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

No high impact signatures.

Classification

Classification chart (figure, not reproduced): categories Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware; scale malicious / suspicious / clean.

Startup

System is w10x64
iexplore.exe (PID: 5320, cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding, MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
iexplore.exe (PID: 4444, cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5320 CREDAT:17410 /prefetch:2, MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

• Networking
• System Summary

There are no malicious signatures.

Mitre Att&ck Matrix

Techniques matched by the analysis carry a count in parentheses; all other cells are the unmatched matrix template.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows)
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
Privilege Escalation: Process Injection (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
Defense Evasion: Masquerading (1); Process Injection (1); Obfuscated Files or Information; Binary Padding
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
Discovery: File and Directory Discovery (1); Application Window Discovery; Query Registry; System Network Configuration Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer
Command and Control: Encrypted Channel (2); Non-Application Layer Protocol (2); Application Layer Protocol (3); Ingress Tool Transfer (1)
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud
Impact: Modify System Partition; Device Lockout; Delete Device Data

Behavior Graph

Behavior graph (figure; legend not reproduced). Graph header: ID 289897, URL http://c3.sdkclickurl.com/c..., Startdate 25/09/2020, Architecture WINDOWS, Score 0. Process nodes: iexplore.exe started iexplore.exe. Network nodes: c3.sdkclickurl.com at 47.254.213.111 (ports 49707, 49708, 80; CNNIC-ALIBABA-US-NET-AP Alibaba US Technology Co Ltd, United States) and impression.appsflyer.com at 52.51.186.116 (ports 443, 49709, 49710; AMAZON-02 US, United States).

Screenshots

Thumbnails This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source: c3.sdkclickurl.com/click/?adgroup_id=3954232&user_id=699999&timeflag=202009250600&mid=2157&android_id={android_id}&bundle={bundle}&ip={ip}&ua={ua}&lang={lang}&tid=RSB_C8323ABF5CB47CABF251DE48B390223CD18ED4F247BEB9107AEA02D0D05C1F8B6020BB87965D54B6422A0F9E968CC1A9_MOBILEPARTNER_zya_giraffe5f6d8fd1e4b04b780100a4fe26&gaid=6d0fd5e2-dfb8-4abf-b91c-844c98a8929d&pub_id=28446&idx=26; Detection: 3%; Scanner: Virustotal; Link: Browse
Source: c3.sdkclickurl.com/click/?adgroup_id=3954232&user_id=699999&timeflag=202009250600&mid=2157&android_id={android_id}&bundle={bundle}&ip={ip}&ua={ua}&lang={lang}&tid=RSB_C8323ABF5CB47CABF251DE48B390223CD18ED4F247BEB9107AEA02D0D05C1F8B6020BB87965D54B6422A0F9E968CC1A9_MOBILEPARTNER_zya_giraffe5f6d8fd1e4b04b780100a4fe26&gaid=6d0fd5e2-dfb8-4abf-b91c-844c98a8929d&pub_id=28446&idx=26; Detection: 0%; Scanner: Avira URL Cloud; Label: safe

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source: c3.sdkclickurl.com; Detection: 1%; Scanner: Virustotal; Link: Browse

URLs

Source: www.wikipedia.com/; Detection: 0%; Scanner: Virustotal; Link: Browse
Source: www.wikipedia.com/; Detection: 0%; Scanner: URL Reputation; Label: safe
Source: www.wikipedia.com/; Detection: 0%; Scanner: URL Reputation; Label: safe
Source: www.wikipedia.com/; Detection: 0%; Scanner: URL Reputation; Label: safe

Domains and IPs

Contacted Domains

Name: impression.appsflyer.com; IP: 52.51.186.116; Active: true; Malicious: false; Reputation: high
Name: c3.sdkclickurl.com; IP: 47.254.213.111; Active: true; Malicious: false; Antivirus Detection: 1%, Virustotal, Browse; Reputation: unknown

Contacted URLs

Name: https://impression.appsflyer.com/de.autodoc.gmbh?c=Autodoc_Android_CPA&af_viewthrough_lookback=1d&af_siteid=92517477&pid=roockmobile_int&clickid=20200925092837_wangmeng10_21df697a0270dd7675eabf9afce2d53444227_v3&android_id={android_id}&advertising_id=6d0fd5e2-dfb8-4abf-b91c-844c98a8929d&imei={imei}&idfa=6d0fd5e2-dfb8-4abf-b91c-844c98a8929d; Malicious: false; Reputation: high
Name: c3.sdkclickurl.com/click/?adgroup_id=3954232&user_id=699999&timeflag=202009250600&mid=2157&android_id={android_id}&bundle={bundle}&ip={ip}&ua={ua}&lang={lang}&tid=RSB_C8323ABF5CB47CABF251DE48B390223CD18ED4F247BEB9107AEA02D0D05C1F8B6020BB87965D54B6422A0F9E968CC1A9_MOBILEPARTNER_zya_giraffe5f6d8fd1e4b04b780100a4fe26&gaid=6d0fd5e2-dfb8-4abf-b91c-844c98a8929d&pub_id=28446&idx=26; Malicious: false; Reputation: unknown

URLs from Memory and Binaries

Name: www.wikipedia.com/; Source: msapplication.xml7.1.dr; Malicious: false; Antivirus Detection: 0%, Virustotal, Browse; URL Reputation: safe; URL Reputation: safe; URL Reputation: safe; Reputation: unknown
Name: www.amazon.com/; Source: msapplication.xml.1.dr; Malicious: false; Reputation: high
Name: www.nytimes.com/; Source: msapplication.xml4.1.dr; Malicious: false; Reputation: high
Name: https://impression.appsflyer.com/de.autodoc.gmbh?c=Autodoc_Android_CPA&af_viewthrough_lookback=1d&af; Source: {EB2B3048-FF5C-11EA-90E3-ECF4BB570DC9}.dat.1.dr, ~DFF0DB07DF8329656E.TMP.1.dr; Malicious: false; Reputation: high
Name: www.live.com/; Source: msapplication.xml3.1.dr; Malicious: false; Reputation: high
Name: www.reddit.com/; Source: msapplication.xml5.1.dr; Malicious: false; Reputation: high
Name: www..com/; Source: msapplication.xml6.1.dr; Malicious: false; Reputation: high
Name: www.youtube.com/; Source: msapplication.xml8.1.dr; Malicious: false; Reputation: high

Contacted IPs


Public

IP: 47.254.213.111; Country: United States; ASN: 45102; ASN Name: CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC; Malicious: false
IP: 52.51.186.116; Country: United States; ASN: 16509; ASN Name: AMAZON-02US; Malicious: false

General Information

Joe Sandbox Version: 30.0.0 Red Diamond
Analysis ID: 289897
Start date: 25.09.2020
Start time: 11:27:39
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 3m 43s
Hypervisor based Inspection enabled: false
Report type: light
Cookbook file name: browseurl.jbs
Sample URL: c3.sdkclickurl.com/click/?adgroup_id=3954232&user_id=699999&timeflag=202009250600&mid=2157&android_id={android_id}&bundle={bundle}&ip={ip}&ua={ua}&lang={lang}&tid=RSB_C8323ABF5CB47CABF251DE48B390223CD18ED4F247BEB9107AEA02D0D05C1F8B6020BB87965D54B6422A0F9E968CC1A9_MOBILEPARTNER_zya_giraffe5f6d8fd1e4b04b780100a4fe26&gaid=6d0fd5e2-dfb8-4abf-b91c-844c98a8929d&pub_id=28446&idx=26
Analysis system description: w10x64 Windows 10 64 bit v1803 with Office Professional Plus 2016, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 11
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0

Technologies: HCA enabled, EGA enabled, AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean0.win@3/17@3/2
Cookbook Comments: Adjust boot time; Enable AMSI
Warnings:
  Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, ielowutil.exe, backgroundTaskHost.exe, svchost.exe
  Excluded IPs from analysis (whitelisted): 104.108.39.131, 51.104.139.180, 80.239.152.136, 80.239.148.32, 152.199.19.161, 23.210.248.85, 67.27.234.126, 67.27.159.126, 8.248.115.254, 67.27.157.254, 67.27.233.254
  Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, fs.microsoft.com, ie9comview.vo.msecnd.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, go.microsoft.com, go.microsoft.com.edgekey.net, audownload.windowsupdate.nsatc.net, img-prod-cms-rt-microsoft-com.akamaized.net, auto.au.download.windowsupdate.com.c.footprint.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, cs9.wpc.v0cdn.net

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{EB2B3046-FF5C-11EA-90E3-ECF4BB570DC9}.dat
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: Microsoft Word Document; Size (bytes): 30296; Entropy (8bit): 1.8354345957483758; Encrypted: false
MD5: 1C5ACE7FBD9D54C12A537D47DF92EAA9; SHA1: F945A451B39411F7DDC579502781B8F9FD3DDE3B
SHA-256: 32B5B64B9F0B9245FF4C8E621F06E426FFE998926C6EF5D7D42A9F7CC9BCD3C5
SHA-512: BFCBD99492C934525E310E4B8B1235D2E34423FCED98E391B9C208A39FB6DE853FE06BC7AAB20FEB10EDF84EB1DB106BBC7EEF85711EA145641CC8A8C337374D
Malicious: false; Reputation: low
Preview: ...... R.o.o.t. .E.n.t.r. y......

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{EB2B3048-FF5C-11EA-90E3-ECF4BB570DC9}.dat
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: Microsoft Word Document; Size (bytes): 24792; Entropy (8bit): 1.7516914421288088; Encrypted: false
MD5: 22802A9CBBDABDE746ED8408CBCAB557; SHA1: 22DA1038ED8271CF2CE7685CFB087BDA51939EE8
SHA-256: 1186EB4F6DE99CBBF3D02742A3BC5519726A2B33550D36A21797F4257F2419F7
SHA-512: DF4AD7EDDAEA775DC9C5B0DA8C1CBF0191558BEF223C41E28CD48E9E84F8D0B4E57E5D2DA0F12145631482E445261FD15C1BDF86B5E38F2FC737E7374082E947
Malicious: false; Reputation: low
Preview: ...... R.o.o.t. .E.n.t.r. y......

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{EB2B3049-FF5C-11EA-90E3-ECF4BB570DC9}.dat
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: Microsoft Word Document; Size (bytes): 16984; Entropy (8bit): 1.565684085886699; Encrypted: false
MD5: 7A9C6192C7EB6EAE47C591E9B4EA8AF5; SHA1: 7D688968CFA10B389B1D20DADB413597A1834F73
SHA-256: 2F36113973FBAC4FFDAF92D90460EA1284FA70F6559B8D6AD12E9A8FA7112340
SHA-512: E629261BB8914667C01C91008DD073E41380E1FE592871D0A732D8DF1C143387AB6314BB755366522142AC15144C8C33F43348C233512D40632AAF3EE775C42D
Malicious: false; Reputation: low
Preview: ...... R.o.o.t. .E.n.t.r. y......

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators; Size (bytes): 657; Entropy (8bit): 5.110906840758846; Encrypted: false
MD5: 9956A898877B7D6A1941DA033A47AA89; SHA1: 5D7668E99DD4A628DFAE6F80AD75DEC5A22D0A01
SHA-256: 191A2CAFBB68FA1A2D090DF5B399FDF6F2411CE8C34BA2E52F761B927CC5577A
SHA-512: 0DFE993941839F7C89260DC04E6E464AD3240FFE82AF038F22EB75E788586FFF5A31A2DDEAC55D8F3BF076B3480630A53C462F1443E664D04B98949519CDCC75
Malicious: false; Reputation: low
Preview: ..0xc1b91444,0x01d69369<accdate>0xc1b91444,0x01d69369....0xc1b91444,0x01d693690xc1b91444,0x01d69369..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators; Size (bytes): 654; Entropy (8bit): 5.15810992951023; Encrypted: false
MD5: 284F5B94A7D4FF5F3C27B2FAC919EE9E; SHA1: AC42A7FBEB1997580AD5CBB638FE747333BDEA1F
SHA-256: 33BB10DCD1B0E207A8FC353CC1075D921C71865E25EFE1D2A793817C45E2EC7D
SHA-512: 30FF4D6B6F401647B9E133A5491B5C6BE46BFDAC0793A573DC766FDF3C6E0A49CF4CC8DEF02E8A400B648349CDCFD3CBFC6DFF9BE9DA3F502EAA1149511FD8C6
Malicious: false; Reputation: low
Preview: ..0xc1b44fb2,0x01d693690xc1b44fb2,0x01d69369....0xc1b44fb2,0x01d693690xc1b44fb2,0x01d69369..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators; Size (bytes): 663; Entropy (8bit): 5.139882592826386; Encrypted: false
MD5: 371116A1E18CF00ECE161AECF3DA3F43; SHA1: C6B5C6D63F9BAB1FD48C01F8EF8913318B822395
SHA-256: 2704D983F88F0CB5E4F4E6C523A7EF9B39CBD7396B936CAD51F4898CBDE33BA6
SHA-512: E45C265E0E7A2E809B4727DB10284FACB6702D1E40A3C2EAC09B8B074C6006DCC0346BAE1DA442883D48A73BE8C6EE7D824E1B769FADD95F8FC5E8E6C77EDBEC
Malicious: false; Reputation: low
Preview: ..0xc1b91444,0x01d69369 0xc1b91444,0x01d69369.. ..0xc1b91444,0x01d693690xc1bb7675,0x01d69369..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-314712940\msapplication.xml
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators; Size (bytes): 411; Entropy (8bit): 5.175043986281132; Encrypted: false
MD5: ABA7BB32A05744D7C3C6F0C088755EB0; SHA1: DE62EA926BA273A84732BAE9C47F92AEB717DA99
SHA-256: DCBEFEF5361B9CCB8F857312D9DBE33C19540D6397325EAEB1556ECD08D293E4
SHA-512: 9115A525E92CB27035885B3868FEF40371993422076DE6C2D37E643FAFA998EE0AC562F4A7EEBDCDA6F14D2F61873C5029C2B10143C35C1BB6DF906B0C8DA261
Malicious: false; Reputation: low
Preview: ..0x38349af4,0x01d52d170xc1b6b1da,0x01d69369\lowres.png..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators; Size (bytes): 648; Entropy (8bit): 5.089832717320654; Encrypted: false
MD5: B8904970F284CF5ABC3C8DE1130E56C6; SHA1: CDED6F09C30A1010D2B5DFDBC4A6B74320E2DDA7
SHA-256: 84EF938E9EA155D81187FFB174E959E52481267CBA0E3533B1DCAA063BCCDB7E
SHA-512: 30E4729F6F0183FA352F33B08A54C1CBF593D974662A658A91C2666E5F59847F0FD7B37EDE5DD55B80462C7D60BD4EA19B381A91174E413DF9F33325E63972ED
Malicious: false; Reputation: low
Preview: ..0xc1b6b1da,0x01d693690xc1b6b1da,0x01d69369....0xc1b6b1da,0x01d693690xc1b6b1da,0x01d69369 ..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators; Size (bytes): 657; Entropy (8bit): 5.136917418195319; Encrypted: false
MD5: 7E419FA9132FCBB168213FDD54F52EAD; SHA1: B6D02E3A44B5C88ACF9596CEAE4AEBF174B9DAB9
SHA-256: 95E13A2F1EB5656BFE789CAF83293B7F597D9A58C7CB503CD2845706E2405DE7
SHA-512: F119AE7810F3A7658E3B9F4F414F07234C6FC3E14E5FEDBDCF8C10B7C9C4C6E55A80348F36FE5CE00D8D0EDF7760A372EC740C6DF3065C070D0992E58B5ECA0B
Malicious: false; Reputation: low
Preview: ..0xc1bb7675,0x01d69369<accdate>0xc1bb7675,0x01d69369....0xc1bb7675,0x01d693690xc1bb7675,0x01d69369 ..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators; Size (bytes): 654; Entropy (8bit): 5.11473109053486; Encrypted: false
MD5: FF3677B5DB6EF679C5697BDC479863E5; SHA1: A7CC188436C010A2B3775E669FA133408EA2D42A
SHA-256: 26BEF94438CB563B55A6B4ED0E1F3737C01E7B58C38874165544083372D3970A
SHA-512: C56CCD4F8692D318DF7B044DAB4929ACE7D9CABC36B07CC832504AE8569EE1F82F14819BFC401EAA41023F2BE7DEDF590E4F498FC14A635A43C328C685E6120A
Malicious: false; Reputation: low
Preview: ..0xc1b91444,0x01d693690xc1b91444,0x01d69369....0xc1b91444,0x01d693690xc1b91444,0x01d69369 ..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators; Size (bytes): 657; Entropy (8bit): 5.15048179241643; Encrypted: false
MD5: 266225AEDA5D5263425C24E1D9EDCC26; SHA1: A7308BBC9E83C18F20C63731CC9D2A91F5E4ED45
SHA-256: 9165634277AB8B5D77AFD46C5655A1206AF82080BF5FEF3B7F07AFD397992374
SHA-512: 49755FF65B60C0414616385AECAC494AA2CDC762DEB50505C75F05D7D090D45B1F581F1DFE574C4612D1C5136B5A63A43BF704BC108755031EA5182BEA02AB43
Malicious: false; Reputation: low
Preview: ..0xc1b91444,0x01d69369<accdate>0xc1b91444,0x01d69369....0xc1b91444,0x01d693690xc1b91444,0x01d69369 ..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators; Size (bytes): 660; Entropy (8bit): 5.08797290536485; Encrypted: false
MD5: C59DF87926D2BD6D0F39E391B2BC21C8; SHA1: 02C943CDC21226794E36D0ED1EB4847952F5A36E
SHA-256: 714444AE2B631A328EB33E2D2004C500E607E2E466ECF2E76295C9B415DD5094
SHA-512: 713CBB116327289612DEBF475F792B3BFE74641AA8AB955323CECE7949ECB863F70CEF12482C99F30894856AC968F58257634E9BD91749B40805E2E64D2DDC3A
Malicious: false; Reputation: low
Preview: ..0xc1b6b1da,0x01d69369 0xc1b6b1da,0x01d69369....0xc1b6b1da,0x01d693690xc1b6b1da,0x01d69369..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators; Size (bytes): 654; Entropy (8bit): 5.075287791395091; Encrypted: false
MD5: 53107D7151F1101FA40D4B12C9C8A1AF; SHA1: B3B8B3C6DBC3DE3CD84EB8A0E42B35A8BFE556A9
SHA-256: DC5D12898CD12C2D7A67E560505FDE7F4A92F1F0CDD33FF9EF0C09C475ECBFD4
SHA-512: DB580CA461E5034D5C6C8C77FB6DFE91B464BBFA1FE5F3D077C4B3237B6743A594E23E7D4DCB9354D14A914C1089B2D2B19EC010D1D7C7FEAC2135BCD8E344B0
Malicious: false; Reputation: low
Preview: ..0xc1b6b1da,0x01d693690xc1b6b1da,0x01d69369....0xc1b6b1da,0x01d693690xc1b6b1da,0x01d69369..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\de.autodoc[1].htm
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type: ASCII text, with no line terminators; Size (bytes): 2; Entropy (8bit): 1.0; Encrypted: false
MD5: 444BCB3A3FCF8389296C49467F27E1D6; SHA1: 7A85F4764BBD6DAF1C3545EFBBF0F279A6DC0BEB
SHA-256: 2689367B205C16CE32ED4200942B8B8B1E262DFC70D9BC9FBC77C49699A4F1DF
SHA-512: 9FBBBB5A0F329F9782E2356FA41D89CF9B3694327C1A934D6AF2A9DF2D7F936CE83717FB513196A4CE5548471708CD7134C2AE99B3C357BCABB2EAFC7B9B7570
Malicious: false; Reputation: low
IE Cache URL: https://impression.appsflyer.com/de.autodoc.gmbh?c=Autodoc_Android_CPA&af_viewthrough_lookback=1d&af_siteid=92517477&pid=roockmobile_int&clickid=20200925092837_wangmeng10_21df697a0270dd7675eabf9afce2d53444227_v3&android_id={android_id}&advertising_id=6d0fd5e2-dfb8-4abf-b91c-844c98a8929d&imei={imei}&idfa=6d0fd5e2-dfb8-4abf-b91c-844c98a8929d
Preview: ok

C:\Users\user\AppData\Local\Temp\~DF0BD829745EC07A58.TMP
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: data; Size (bytes): 25441; Entropy (8bit): 0.27918767598683664; Encrypted: false
MD5: AB889A32AB9ACD33E816C2422337C69A; SHA1: 1190C6B34DED2D295827C2A88310D10A8B90B59B
SHA-256: 4D6EC54B8D244E63B0F04FBE2B97402A3DF722560AD12F218665BA440F4CEFDA
SHA-512: BD250855747BB4CEC61814D0E44F810156D390E3E9F120A12935EFDF80ACA33C4777AD66257CCA4E4003FEF0741692894980B9298F01C4CDD2D8A9C7BB522FB6
Malicious: false; Reputation: low
Preview: ...... *%..H..M..{y..+.0...(...... *%..H..M..{y..+.0...(......

C:\Users\user\AppData\Local\Temp\~DF9F56BD7564E2BD09.TMP
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: data; Size (bytes): 13029; Entropy (8bit): 0.473368075225471; Encrypted: false
MD5: D2961782FA9931636499E8A92BE95439; SHA1: F8A24332818DF6CCB989B987B948591C38F9F1C5
SHA-256: 7BBECAFB92606EA14E5AB7E7F9ABDB47D22BADE188EB263643F08266B5478600
SHA-512: 4B45D7D00F1844B85FA6B398D26FE044372D694918B44BDB7DF1E762ED5A93654404F657D646A740A514AA1F33023BD7A13A54268B5CE6A9BFED4C84A178205C
Malicious: false; Reputation: low
Preview: ...... *%..H..M..{y..+.0...(...... *%..H..M..{y..+.0...(......

C:\Users\user\AppData\Local\Temp\~DFF0DB07DF8329656E.TMP
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: data; Size (bytes): 34985; Entropy (8bit): 0.45495146905402717; Encrypted: false
MD5: 4B83B24722145F11E6359A93B18A3D78; SHA1: B7D21A362E641373AA1C8CBCB36FA009AF2F2C54
SHA-256: 29559FC1CB579592329D7323BE7810975E6CEE869560FEB13460CC6CE6D0AFDE
SHA-512: 34026765114C269A73477C51F8C8F0A5CFD0559D4DE02D1705EB7AC69B0AEB192D22F8328F9B3A98C9905F871E88F0E816A9DCA465C1C6A2C2667B4D90E47F12
Malicious: false; Reputation: low
Preview: ...... *%..H..M..{y..+.0...(...... *%..H..M..{y..+.0...(......

Static File Info

No static file info

Network Behavior

Network Port Distribution

Total Packets: 54
• 53 (DNS)
• 443 (HTTPS)
• 80 (HTTP)

TCP Packets


UDP Packets


DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Sep 25, 2020 11:28:36.671535015 CEST | 192.168.2.5 | 8.8.8.8 | 0x2ee9 | Standard query (0) | c3.sdkclickurl.com | A (IP address) | IN (0x0001)
Sep 25, 2020 11:28:37.764703035 CEST | 192.168.2.5 | 8.8.8.8 | 0x3e43 | Standard query (0) | impression.appsflyer.com | A (IP address) | IN (0x0001)
Sep 25, 2020 11:28:53.449480057 CEST | 192.168.2.5 | 8.8.8.8 | 0x67d1 | Standard query (0) | impression.appsflyer.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Sep 25, 2020 11:28:37.074767113 CEST | 8.8.8.8 | 192.168.2.5 | 0x2ee9 | No error (0) | c3.sdkclickurl.com | - | 47.254.213.111 | A (IP address) | IN (0x0001)
Sep 25, 2020 11:28:37.788300991 CEST | 8.8.8.8 | 192.168.2.5 | 0x3e43 | No error (0) | impression.appsflyer.com | - | 52.51.186.116 | A (IP address) | IN (0x0001)
Sep 25, 2020 11:28:37.788300991 CEST | 8.8.8.8 | 192.168.2.5 | 0x3e43 | No error (0) | impression.appsflyer.com | - | 54.76.198.154 | A (IP address) | IN (0x0001)
Sep 25, 2020 11:28:37.788300991 CEST | 8.8.8.8 | 192.168.2.5 | 0x3e43 | No error (0) | impression.appsflyer.com | - | 52.30.184.33 | A (IP address) | IN (0x0001)
Sep 25, 2020 11:28:37.788300991 CEST | 8.8.8.8 | 192.168.2.5 | 0x3e43 | No error (0) | impression.appsflyer.com | - | 52.18.78.69 | A (IP address) | IN (0x0001)
Sep 25, 2020 11:28:37.788300991 CEST | 8.8.8.8 | 192.168.2.5 | 0x3e43 | No error (0) | impression.appsflyer.com | - | 52.50.82.111 | A (IP address) | IN (0x0001)
Sep 25, 2020 11:28:37.788300991 CEST | 8.8.8.8 | 192.168.2.5 | 0x3e43 | No error (0) | impression.appsflyer.com | - | 52.213.173.164 | A (IP address) | IN (0x0001)
Sep 25, 2020 11:28:37.788300991 CEST | 8.8.8.8 | 192.168.2.5 | 0x3e43 | No error (0) | impression.appsflyer.com | - | 54.77.214.137 | A (IP address) | IN (0x0001)
Sep 25, 2020 11:28:37.788300991 CEST | 8.8.8.8 | 192.168.2.5 | 0x3e43 | No error (0) | impression.appsflyer.com | - | 63.35.7.183 | A (IP address) | IN (0x0001)
Sep 25, 2020 11:28:53.475423098 CEST | 8.8.8.8 | 192.168.2.5 | 0x67d1 | No error (0) | impression.appsflyer.com | - | 52.51.186.116 | A (IP address) | IN (0x0001)
Sep 25, 2020 11:28:53.475423098 CEST | 8.8.8.8 | 192.168.2.5 | 0x67d1 | No error (0) | impression.appsflyer.com | - | 54.76.198.154 | A (IP address) | IN (0x0001)
Sep 25, 2020 11:28:53.475423098 CEST | 8.8.8.8 | 192.168.2.5 | 0x67d1 | No error (0) | impression.appsflyer.com | - | 52.30.184.33 | A (IP address) | IN (0x0001)
Sep 25, 2020 11:28:53.475423098 CEST | 8.8.8.8 | 192.168.2.5 | 0x67d1 | No error (0) | impression.appsflyer.com | - | 52.18.78.69 | A (IP address) | IN (0x0001)
Sep 25, 2020 11:28:53.475423098 CEST | 8.8.8.8 | 192.168.2.5 | 0x67d1 | No error (0) | impression.appsflyer.com | - | 52.50.82.111 | A (IP address) | IN (0x0001)
Sep 25, 2020 11:28:53.475423098 CEST | 8.8.8.8 | 192.168.2.5 | 0x67d1 | No error (0) | impression.appsflyer.com | - | 52.213.173.164 | A (IP address) | IN (0x0001)
Sep 25, 2020 11:28:53.475423098 CEST | 8.8.8.8 | 192.168.2.5 | 0x67d1 | No error (0) | impression.appsflyer.com | - | 54.77.214.137 | A (IP address) | IN (0x0001)
Sep 25, 2020 11:28:53.475423098 CEST | 8.8.8.8 | 192.168.2.5 | 0x67d1 | No error (0) | impression.appsflyer.com | - | 63.35.7.183 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

c3.sdkclickurl.com

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.5 | 49707 | 47.254.213.111 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp | kBytes transferred | Direction | Data

Sep 25, 2020 11:28:37.413023949 CEST | 1 | OUT |
GET /click/?adgroup_id=3954232&user_id=699999&timeflag=202009250600&mid=2157&android_id={android_id}&bundle={bundle}&ip={ip}&ua={ua}&lang={lang}&tid=RSB_C8323ABF5CB47CABF251DE48B390223CD18ED4F247BEB9107AEA02D0D05C1F8B6020BB87965D54B6422A0F9E968CC1A9_MOBILEPARTNER_zya_giraffe5f6d8fd1e4b04b780100a4fe26&gaid=6d0fd5e2-dfb8-4abf-b91c-844c98a8929d&pub_id=28446&idx=26 HTTP/1.1
Accept: text/html, application/xhtml+xml, image/jxr, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: c3.sdkclickurl.com
Connection: Keep-Alive

Sep 25, 2020 11:28:37.688034058 CEST | 2 | IN |
HTTP/1.1 302 Found
Date: Fri, 25 Sep 2020 09:28:37 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 0
Connection: keep-alive
Ret: 9001
Chr: 9001
Location: https://impression.appsflyer.com/de.autodoc.gmbh?c=Autodoc_Android_CPA&af_viewthrough_lookback=1d&af_siteid=92517477&pid=roockmobile_int&clickid=20200925092837_wangmeng10_21df697a0270dd7675eabf9afce2d53444227_v3&android_id={android_id}&advertising_id=6d0fd5e2-dfb8-4abf-b91c-844c98a8929d&imei={imei}&idfa=6d0fd5e2-dfb8-4abf-b91c-844c98a8929d
ksid: wangmeng10

HTTPS Packets

Timestamp | Source IP | Source Port | Dest IP | Dest Port | JA3 SSL Client Fingerprint | JA3 SSL Client Digest

Sep 25, 2020 11:28:37.875283003 CEST | 52.51.186.116 | 443 | 192.168.2.5 | 49709 | 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0 | 9e10692f1b7f78228b2d4e424db3a98c
Certificate chain (Subject | Issuer | Not Before | Not After):
CN=*.appsflyer.com, OU=development, O=AppsFlyer Ltd, L=Herzliya, C=IL | CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US | Mon Jan 28 01:00:00 CET 2019 | Fri Mar 19 13:00:00 CET 2021
CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US | CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US | Mon Nov 06 13:23:45 CET 2017 | Sat Nov 06 13:23:45 CET 2027
CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US | CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US | Mon Nov 06 13:23:45 CET 2017 | Sat Nov 06 13:23:45 CET 2027

Sep 25, 2020 11:28:37.876244068 CEST | 52.51.186.116 | 443 | 192.168.2.5 | 49710 | 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0 | 9e10692f1b7f78228b2d4e424db3a98c
Certificate chain (Subject | Issuer | Not Before | Not After):
CN=*.appsflyer.com, OU=development, O=AppsFlyer Ltd, L=Herzliya, C=IL | CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US | Mon Jan 28 01:00:00 CET 2019 | Fri Mar 19 13:00:00 CET 2021
CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US | CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US | Mon Nov 06 13:23:45 CET 2017 | Sat Nov 06 13:23:45 CET 2027
CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US | CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US | Mon Nov 06 13:23:45 CET 2017 | Sat Nov 06 13:23:45 CET 2027

Sep 25, 2020 11:28:53.644586086 CEST | 52.51.186.116 | 443 | 192.168.2.5 | 49711 | 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0 | 37f463bf4616ecd445d4a1937da06e19
Certificate chain (Subject | Issuer | Not Before | Not After):
CN=*.appsflyer.com, OU=development, O=AppsFlyer Ltd, L=Herzliya, C=IL | CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US | Mon Jan 28 01:00:00 CET 2019 | Fri Mar 19 13:00:00 CET 2021
CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US | CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US | Mon Nov 06 13:23:45 CET 2017 | Sat Nov 06 13:23:45 CET 2027
CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US | CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US | Mon Nov 06 13:23:45 CET 2017 | Sat Nov 06 13:23:45 CET 2027

Code Manipulations

Statistics

Behavior

• iexplore.exe (PID 5320)
• iexplore.exe (PID 4444)


System Behavior

Analysis Process: iexplore.exe PID: 5320 Parent PID: 788

General

Start time: 11:28:34
Start date: 25/09/2020
Path: C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit): false
Commandline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase: 0x7ff67ed30000
File size: 823560 bytes
MD5 hash: 6465CB92B25A7BC1DF8E01D8AC5E7596
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

File Activities

Source File Path Access Attributes Options Completion Count Address Symbol

Source File Path Offset Length Value Ascii Completion Count Address Symbol

Source File Path Offset Length Completion Count Address Symbol

Registry Activities

Source Key Path Completion Count Address Symbol

Source Key Path Name Type Data Completion Count Address Symbol

Source Key Path Name Type Old Data New Data Completion Count Address Symbol

Analysis Process: iexplore.exe PID: 4444 Parent PID: 5320

General

Start time: 11:28:34
Start date: 25/09/2020
Path: C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5320 CREDAT:17410 /prefetch:2
Imagebase: 0xb00000
File size: 822536 bytes
MD5 hash: 071277CC2E3DF41EEEA8013E2AB58D5A
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

File Activities

Source File Path Access Attributes Options Completion Count Address Symbol

Source File Path Offset Length Value Ascii Completion Count Address Symbol

Source File Path Offset Length Completion Count Address Symbol

Registry Activities

Source Key Path Completion Count Address Symbol

Disassembly
