ID: 289896
Cookbook: browseurl.jbs
Time: 11:27:01
Date: 25/09/2020
Version: 30.0.0 Red Diamond

Table of Contents

Table of Contents 2
Analysis Report https://impression.appsflyer.com/de.autodoc.gmbh?c=Autodoc_Android_CPA&af_viewthrough_lookback=1d&af_siteid=92517241&pid=roockmobile_int&clickid=20200925085045_wangmeng7_1d84dd2966b4f9b867c49c49ca06d63216894_v3&android_id={android_id}&advertising_id=6d0fd5e2-dfb8-4abf-b91c-844c98a8929d&imei={imei}&idfa=6d0fd5e2-dfb8-4abf-b91c-844c98a8929d 3
  Overview 3
    General Information 3
    Detection 3
    Signatures 3
    Classification 3
  Startup 4
  Malware Configuration 4
  Yara Overview 4
  Sigma Overview 4
  Signature Overview 4
  Mitre Att&ck Matrix 5
  Behavior Graph 5
  Screenshots 6
    Thumbnails 6
  Antivirus, Machine Learning and Genetic Malware Detection 7
    Initial Sample 7
    Dropped Files 7
    Unpacked PE Files 7
    Domains 7
    URLs 7
  Domains and IPs 8
    Contacted Domains 8
    Contacted URLs 8
    URLs from Memory and Binaries 8
    Contacted IPs 8
      Public 9
  General Information 9
  Simulations 10
    Behavior and APIs 10
  Joe Sandbox View / Context 10
    IPs 10
    Domains 10
    ASN 10
    JA3 Fingerprints 10
    Dropped Files 10
  Created / dropped Files 11
  Static File Info 15
    No static file info 15
  Network Behavior 15
    Network Port Distribution 15
    TCP Packets 16
    UDP Packets 16
    DNS Queries 17
    DNS Answers 17
    HTTPS Packets 18
  Code Manipulations 18
  Statistics 18
    Behavior 18
  System Behavior 19
    Analysis Process: iexplore.exe PID: 6980 Parent PID: 796 19
      General 19
      File Activities 19
      Registry Activities 19
    Analysis Process: iexplore.exe PID: 7032 Parent PID: 6980 19
      General 19
      File Activities 20
      Registry Activities 20
  Disassembly 20

Copyright null 2020 Page 2 of 20

Analysis Report
https://impression.appsflyer.com/de.au…todoc.gmbh?c=Autodoc_Android_CPA&af_viewthrough_lookback=1d&af_siteid=92517241&pid=roockmobile_int&clickid=20200925085045_wangmeng7_1d84dd2966b4f9b867c49c49ca06d63216894_v3&android_id={android_id}&advertising_id=6d0fd5e2-dfb8-4abf-b91c-844c98a8929d&imei={imei}&idfa=6d0fd5e2-dfb8-4abf-b91c-844c98a8929d

Overview

General Information

Sample URL: https://impression.appsflyer.com/de.autodoc.gmbh?c=Autodoc_Android_CPA&af_viewthrough_lookback=1d&af_siteid=92517241&pid=roockmobile_int&clickid=20200925085045_wangmeng7_1d84dd2966b4f9b867c49c49ca06d63216894_v3&android_id={android_id}&advertising_id=6d0fd5e2-dfb8-4abf-b91c-844c98a8929d&imei={imei}&idfa=6d0fd5e2-dfb8-4abf-b91c-844c98a8929d
Analysis ID: 289896
Most interesting Screenshot: (screenshot image, not reproduced in this text)

Detection

Score: 0
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

No high impact signatures.

Classification

(classification chart; categories: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware; scale: malicious / suspicious / clean)

Startup

System is w10x64
iexplore.exe (PID: 6980, cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding, MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
  iexplore.exe (PID: 7032, cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6980 CREDAT:17410 /prefetch:2, MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

• Networking
• System Summary

There are no malicious signatures.

Mitre Att&ck Matrix

Initial Access: Valid Accounts; Default Accounts; Domain Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux)
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
Privilege Escalation: Process Injection 1; Boot or Logon Initialization Scripts; Logon Script (Windows)
Defense Evasion: Masquerading 1; Process Injection 1; Obfuscated Files or Information
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
Discovery: File and Directory Discovery 1; Application Window Discovery; Query Registry
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
Command and Control: Encrypted Channel 2; Non-Application Layer Protocol 1; Application Layer Protocol 2
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data

Behavior Graph

(behavior graph figure)
Legend: ID: 289896; URL: https://impression.appsflye...; Startdate: 25/09/2020; Architecture: WINDOWS; Score: 0
Legend node types: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet
Nodes: iexplore.exe (started; counters 11, 84) -> iexplore.exe (started; counters 2, 33) -> impression.appsflyer.com (52.211.46.88, 443, 49718, 49719, AMAZON-02US, United States)

Screenshots

Thumbnails This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source: https://impression.appsflyer.com/de.autodoc.gmbh?c=Autodoc_Android_CPA&af_viewthrough_lookback=1d&af_siteid=92517241&pid=roockmobile_int&clickid=20200925085045_wangmeng7_1d84dd2966b4f9b867c49c49ca06d63216894_v3&android_id={android_id}&advertising_id=6d0fd5e2-dfb8-4abf-b91c-844c98a8929d&imei={imei}&idfa=6d0fd5e2-dfb8-4abf-b91c-844c98a8929d
Detection: 0%
Scanner: Avira URL Cloud
Label: safe
Link: (none)

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label | Link
www.wikipedia.com/ | 0% | URL Reputation | safe |
www.wikipedia.com/ | 0% | URL Reputation | safe |
www.wikipedia.com/ | 0% | URL Reputation | safe |

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
impression.appsflyer.com | 52.211.46.88 | true | false | | high

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
https://impression.appsflyer.com/de.autodoc.gmbh?c=Autodoc_Android_CPA&af_viewthrough_lookback=1d&af_siteid=92517241&pid=roockmobile_int&clickid=20200925085045_wangmeng7_1d84dd2966b4f9b867c49c49ca06d63216894_v3&android_id={android_id}&advertising_id=6d0fd5e2-dfb8-4abf-b91c-844c98a8929d&imei={imei}&idfa=6d0fd5e2-dfb8-4abf-b91c-844c98a8929d | false | | high

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
www.wikipedia.com/ | msapplication.xml7.1.dr | false | URL Reputation: safe, URL Reputation: safe, URL Reputation: safe | unknown
www.amazon.com/ | msapplication.xml.1.dr | false | | high
www.nytimes.com/ | msapplication.xml4.1.dr | false | | high
https://impression.appsflyer.com/de.autodoc.gmbh?c=Autodoc_Android_CPA&af_viewthrough_lookback=1d&af | {D9B2DB49-FF5C-11EA-90E8-ECF4BBEA1588}.dat.1.dr, ~DFB4749743D40BC7E5.TMP.1.dr | false | | high
www.live.com/ | msapplication.xml3.1.dr | false | | high
www.reddit.com/ | msapplication.xml5.1.dr | false | | high
www..com/ | msapplication.xml6.1.dr | false | | high
www.youtube.com/ | msapplication.xml8.1.dr | false | | high

Contacted IPs


Public

IP | Country | ASN | ASN Name | Malicious
52.211.46.88 | United States | 16509 | AMAZON-02US | false

General Information

Joe Sandbox Version: 30.0.0 Red Diamond
Analysis ID: 289896
Start date: 25.09.2020
Start time: 11:27:01
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 4m 8s
Hypervisor based Inspection enabled: false
Report type: light
Cookbook file name: browseurl.jbs
Sample URL: https://impression.appsflyer.com/de.autodoc.gmbh?c=Autodoc_Android_CPA&af_viewthrough_lookback=1d&af_siteid=92517241&pid=roockmobile_int&clickid=20200925085045_wangmeng7_1d84dd2966b4f9b867c49c49ca06d63216894_v3&android_id={android_id}&advertising_id=6d0fd5e2-dfb8-4abf-b91c-844c98a8929d&imei={imei}&idfa=6d0fd5e2-dfb8-4abf-b91c-844c98a8929d
Analysis system description: w10x64 Windows 10 64 bit v1803 with Office Professional Plus 2016, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 15
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled; EGA enabled; AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean0.win@3/17@2/1
Cookbook Comments: Adjust boot time; Enable AMSI

Warnings:
Exclude process from analysis (whitelisted): audiodg.exe, BackgroundTransferHost.exe, ielowutil.exe, backgroundTaskHost.exe, SgrmBroker.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.184.221.185, 104.108.39.131, 51.104.139.180, 92.122.144.200, 80.239.152.136, 80.239.148.32, 152.199.19.161, 205.185.216.10, 205.185.216.42
Excluded domains from analysis (whitelisted): umwatson.trafficmanager.net, arc.msn.com.nsatc.net, fs.microsoft.com, ie9comview.vo.msecnd.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, umwatsonrouting.trafficmanager.net, go.microsoft.com, go.microsoft.com.edgekey.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, cs9.wpc.v0cdn.net
VT rate limit hit for: https://impression.appsflyer.com/de.autodoc.gmbh?c=Autodoc_Android_CPA&af_viewthrough_lookback=1d&af_siteid=92517241&pid=roockmobile_int&clickid=20200925085045_wangmeng7_1d84dd2966b4f9b867c49c49ca06d63216894_v3&android_id={android_id}&advertising_id=6d0fd5e2-dfb8-4abf-b91c-844c98a8929d&imei={imei}&idfa=6d0fd5e2-dfb8-4abf-b91c-844c98a8929d

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{D9B2DB47-FF5C-11EA-90E8-ECF4BBEA1588}.dat
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: Microsoft Word Document
Size (bytes): 30296
Entropy (8bit): 1.8391586794423
Encrypted: false
MD5: C53D1451840363D99B9DDA88477D7A45
SHA1: C615997E3B2BFA5662332EACFD79F394477AF5CC
SHA-256: 8254F672B2877078E31317A6817E4D1F5DC0CF55674E393757FA167F1A890B77
SHA-512: 7799EFD206AF8FDD421080378E627B4BDB758794E81EDF7CF83882056D8C063EFA435DC31391B895C0AC6031C6264D8FEC3DF6EDD7F864F56A5791FE85A4B2CA
Malicious: false
Reputation: low
Preview: ...... R.o.o.t. .E.n.t.r. y......

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{D9B2DB49-FF5C-11EA-90E8-ECF4BBEA1588}.dat
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: Microsoft Word Document
Size (bytes): 24792
Entropy (8bit): 1.7495634783345555
Encrypted: false
MD5: E6CE304999E1D1766C1DB9E2FF06817F
SHA1: 85B42DCCAE3875DBA91E4662CB46BB714451568E
SHA-256: FEF177B12D6894A6C37F8713A2FA1D30348A922F498170D0FF1AA3346DFA7765
SHA-512: 1A388F730E723E98D25CFC8FA0964545110D7406B0A4A5FA8AD4731B147ECE4FC0B29F959B379E06ECEE857ABCBBE1C78C26B8735B18D4DD9BB516D5512DDCD9
Malicious: false
Reputation: low
Preview: ...... R.o.o.t. .E.n.t.r. y......

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{D9B2DB4A-FF5C-11EA-90E8-ECF4BBEA1588}.dat
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: Microsoft Word Document
Size (bytes): 16984
Entropy (8bit): 1.5661990263884806
Encrypted: false
MD5: A03A4AB7EA367FF38F6C84C05DF30A66
SHA1: 312E31B0762DBC97EF9D02CE3040011114182183
SHA-256: 69784794024FCBB8392BF5830E5376578685980F1E251ACDE3CE5229B97BD2FF
SHA-512: 994BC94CD5EA602D06EC536B22D3224314BF5041F0E2DB4A5D9126E81619F5895FAF5E80B906D08B89CE80756575B819E512EDC24851A69890BAC4B7AC0476F8
Malicious: false
Reputation: low
Preview: ...... R.o.o.t. .E.n.t.r. y......

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Size (bytes): 656
Entropy (8bit): 5.129192621412279
Encrypted: false
MD5: E4DEB09AF47ECCA2C979735B07033E52
SHA1: 28C99ED40563E1CB85363CB226F1EAE3D10D0F89
SHA-256: FCA7C025D64ACD99C3298B829FE10230620464B352C459AC93622A49154B177D
SHA-512: 0F49FAA11E3E5F9FD7E49E3BECEC371D6E8511B69D8A2EA20C56DAF52DF947E7F57618BE183B5C8B874FE428B1C06E1FB1EC889E8FF2A08F63D638C477F8B4A9
Malicious: false
Reputation: low
Preview: ..0xaf78d449,0x01d69369< accdate>0xaf78d449,0x01d69369....0xaf78d449,0x01d693690 xaf78d449,0x01d69369..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Size (bytes): 653
Entropy (8bit): 5.130456480709593
Encrypted: false
MD5: 304ECBA0246308F2641B7ACC8AAE3DF4
SHA1: 368811418A05088414285F5E003EB3903B21D256
SHA-256: 7C04B94A305DB73E371CA6638D052EE8A782C202EF09225A806EC6770DC22EC7
SHA-512: D24926D3EA7DC0AE63E5BF659098F9C9B09F342E31372AEC752D820C2018022A93D7D163F637411467AE174C8C4235192AB8323E27322B343CA8F6C63D041BCD
Malicious: false
Reputation: low
Preview: ..0xaf6f4ac4,0x01d693690xaf6f4ac4,0x01d69369....0xaf6f4ac4,0x01d693690xaf71ad2d,0x01d69369..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Size (bytes): 662
Entropy (8bit): 5.145209074423031
Encrypted: false
MD5: 7BDAB7F7C2A212CC667AD5D6C9BF40E0
SHA1: 8AA00EEB89C468D2B16FCCAC06D7DA0861DCEA78
SHA-256: A4AB33FB25756AE1B937D6BD0BFDF0AF705604197EA6EA56AC49375A2F95478B
SHA-512: 65D3B2707F6D361AA5E17216D57BAF338F93C58D74A08C7A28947BFE9BF0386725FCBAE7B86FE29E42AE1F657DC8CEE88E3A0BF1C51C2A26BBD2655BA0176A6E
Malicious: false
Reputation: low
Preview: ..0xaf78d449,0x01d69369 0xaf78d449,0x01d69369....0xaf78d449,0x01d693690xaf7b36a9,0x01d69369..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-314712940\msapplication.xml
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Size (bytes): 410
Entropy (8bit): 5.163771131507503
Encrypted: false
MD5: 61ACDF4694755F4CEF38F7D25AC4F086
SHA1: 1E870C3B40C76C6875C01E284DEB647DD8D69517
SHA-256: 715CCE63A34E4A2FE94D377A4F756F0576925F1C9E9BF5997218E9CF7A051C72
SHA-512: B22C0E4C22B71F317DFFCA7EFF564466136B6843F6F2DC17B07589DCF25CC3FA830C5CF96856976956F14972835AEC01ADF251009FB3332A8F7697B5427824ED
Malicious: false
Reputation: low
Preview: ..0x259f0d0f,0x01 d52d140xaf71ad2d,0x01d69369\lowres.png..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Size (bytes): 647
Entropy (8bit): 5.107670814806817
Encrypted: false
MD5: 5FB3025D1D3BA4DDF18E162CF1523749
SHA1: 481D6F6273C2D6D5389209FED8A00F630BE0992A
SHA-256: A100F2850EAE8AE72796529124FB754DBC3B94753382758B7A423EABB9472382
SHA-512: BD3E046CBAECA4E2578A30B057A378C0F48AC8F45D10743089CA15FA8871763EE8376122A3E49A4E1DD6E78B63CCEA9B0A9E2A06689CDADF43BBCD348B0340F5
Malicious: false
Reputation: low
Preview: ..0xaf7671d6,0x01d693690xaf7671d6,0x01d69369....0xaf7671d6,0x01d693690xaf767 1d6,0x01d69369 ..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Size (bytes): 656
Entropy (8bit): 5.127938917333591
Encrypted: false
MD5: AF27E2895A2778476D023A8BBC41597D
SHA1: A187A1D41D847C88CF444637C49B55D11BAD2F1D
SHA-256: 8C6E23022331C56364EF33C394B39EAF0CD8FA3460BBE6B1BC6E57A7BA626CF3
SHA-512: 28024109C5C4E9A7BDA32C145EF01C92922A15706BB687545AC3B3FE3FD4A049FCE06A22FA833FE06959662990647C791A479B1256C042AE51FE9A4E77091014
Malicious: false
Reputation: low
Preview: ..0xaf7b36a9,0x01d69369< accdate>0xaf7b36a9,0x01d69369....0xaf7b36a9,0x01d693690 xaf7b36a9,0x01d69369 ..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Size (bytes): 653
Entropy (8bit): 5.130566510092149
Encrypted: false
MD5: 99F7537F4C02D1D63C848BD1D5FF9616
SHA1: 64BDF4C02B83A891A3F7505950FBBF2152F74A9E
SHA-256: 956122F9EDE829A2DDB838CCA6C2E89FD6E08F777D31A371E6925F91A17F8F3F
SHA-512: 6110A56AC5FA65E45C32D5D920A47E54B22308873EC64CF24E1D4205D40412579533625AA6A76E608F6858BD543643E3C501776CA7BDBED95650A9C495D232E4
Malicious: false
Reputation: low
Preview: ..0xaf78d449,0x01d693690xaf78d449,0x01d69369....0xaf78d449,0x01d693690xa f78d449,0x01d69369 ..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Size (bytes): 656
Entropy (8bit): 5.1318676780071035
Encrypted: false
MD5: D7B210644F85D2ACE9C286F5A2513098
SHA1: D5B076E7556986EA1B10658451ABFF7D1FF41C50
SHA-256: 5CE1CC2D8B0F733EDF44EE765C3D0B35BD1612F5F9F90F695C62DE199591D475
SHA-512: 3D18EF6F70E84993572C922277980D92D7A369718C7585904F30CF3B84A188B97E9118121D26C21A7A62301537B90BF261F117D5E60B89DBA08140FCFA18DC41
Malicious: false
Reputation: low
Preview: ..0xaf7671d6,0x01d69369< accdate>0xaf7671d6,0x01d69369....0xaf7671d6,0x01d693690 xaf7671d6,0x01d69369 ..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Size (bytes): 659
Entropy (8bit): 5.1385801393593775
Encrypted: false
MD5: 45D53CDC727F06CE35C272037D216257
SHA1: 5D7998BD8D519B232F999D883F6E95C57D857449
SHA-256: F8D37265B1753F774402F4CC1B2D43759D768046D3C3E4E98D89082D409B2BB8
SHA-512: 26ADD6601B51A80CEBAF1CEA4B9CE6295ADBDFD317F5E6D808046A021C7AA379A07387C3FEC8C6CA2BBC306762949E889F79F67F4B8AD8540B2A2B50806014A7
Malicious: false
Reputation: low
Preview: ..0xaf740f84,0x01d69369 0xaf740f84,0x01d69369....0xaf740f84,0x01d693690xaf740f84,0x01d69369 ..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Size (bytes): 653
Entropy (8bit): 5.121516016420222
Encrypted: false
MD5: 4E0EF6A12A616B7D0441320CFB6FF1AF
SHA1: B323EB304969B1AAFDF3D61AA4960A030B900830
SHA-256: D036BDC9111AEAA5E206BC75F6A07B463A2EB7C481944B2CCA16F6C58EC3DCEF
SHA-512: 82A37B89D1162F5C692F7552550F3403D9224DA1F08F6E43DEB77F047C37933529DA9EDADA2639EFAE94C6804AC3839C2984ED03B8333A5B92F364BCD18203BA
Malicious: false
Reputation: low
Preview: ..0xaf740f84,0x01d693690xaf740f84,0x01d69369....0xaf740f84,0x01d693690xa f740f84,0x01d69369 ..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\de.autodoc[1].htm
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type: ASCII text, with no line terminators
Size (bytes): 2
Entropy (8bit): 1.0
Encrypted: false
MD5: 444BCB3A3FCF8389296C49467F27E1D6
SHA1: 7A85F4764BBD6DAF1C3545EFBBF0F279A6DC0BEB
SHA-256: 2689367B205C16CE32ED4200942B8B8B1E262DFC70D9BC9FBC77C49699A4F1DF
SHA-512: 9FBBBB5A0F329F9782E2356FA41D89CF9B3694327C1A934D6AF2A9DF2D7F936CE83717FB513196A4CE5548471708CD7134C2AE99B3C357BCABB2EAFC7B9B7570
Malicious: false
Reputation: low
IE Cache URL: https://impression.appsflyer.com/de.autodoc.gmbh?c=Autodoc_Android_CPA&af_viewthrough_lookback=1d&af_siteid=92517241&pid=roockmobile_int&clickid=20200925085045_wangmeng7_1d84dd2966b4f9b867c49c49ca06d63216894_v3&android_id={android_id}&advertising_id=6d0fd5e2-dfb8-4abf-b91c-844c98a8929d&imei={imei}&idfa=6d0fd5e2-dfb8-4abf-b91c-844c98a8929d
Preview: ok

C:\Users\user\AppData\Local\Temp\~DF578009C408BCF354.TMP
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: data
Size (bytes): 25441
Entropy (8bit): 0.27918767598683664
Encrypted: false
MD5: AB889A32AB9ACD33E816C2422337C69A
SHA1: 1190C6B34DED2D295827C2A88310D10A8B90B59B
SHA-256: 4D6EC54B8D244E63B0F04FBE2B97402A3DF722560AD12F218665BA440F4CEFDA
SHA-512: BD250855747BB4CEC61814D0E44F810156D390E3E9F120A12935EFDF80ACA33C4777AD66257CCA4E4003FEF0741692894980B9298F01C4CDD2D8A9C7BB522FB6
Malicious: false
Reputation: low
Preview: ...... *%..H..M..{y..+.0...(...... *%..H..M..{y..+.0...(......

C:\Users\user\AppData\Local\Temp\~DFB4749743D40BC7E5.TMP
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: data
Size (bytes): 34985
Entropy (8bit): 0.4514740854296223
Encrypted: false
MD5: 1865141B523709308C8F305C89070DD3
SHA1: 671994AF32435F39B1FFE79475A2CA5E0F8F1875
SHA-256: 4BE97A85344F003927BC61B4C534F2504BCD5C9C695D303994508A4FC899134F
SHA-512: 4F7CCBFA3A32B2A385166F7BCB1F2E32291C71AEBA5E0877F422A2094804C864842D5D866F182DC43F2330E1EAFBDEFA7C5BC97A6156521F8340C00AB03794C8
Malicious: false
Reputation: low
Preview: ...... *%..H..M..{y..+.0...(...... *%..H..M..{y..+.0...(......

C:\Users\user\AppData\Local\Temp\~DFDB2A7E51B5CCCFF4.TMP
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: data
Size (bytes): 13029
Entropy (8bit): 0.4754168399014438
Encrypted: false
MD5: 993B64E563012AA355528E5E09D125F6
SHA1: 6867CE65D307BC5B906706BC4FC73C1BF65AD1EE
SHA-256: BD3D2A76D2F324E77F3B18E149DE8518708E5CA902CB9484CB61A21660F640F5
SHA-512: 027D55E8894BDFD86C9F363596F56736F31B073FD93E464C613D818F5887AB9CF129FECD144B6FE09534688AF2D10C8E6DF78D434B60FBABF88DC5F6B2DB9488
Malicious: false
Reputation: low
Preview: ...... *%..H..M..{y..+.0...(...... *%..H..M..{y..+.0...(......

Static File Info

No static file info

Network Behavior

Network Port Distribution

Total Packets: 39
• 53 (DNS)
• 443 (HTTPS)

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 25, 2020 11:28:07.719408989 CEST | 49718 | 443 | 192.168.2.4 | 52.211.46.88
Sep 25, 2020 11:28:07.719793081 CEST | 49719 | 443 | 192.168.2.4 | 52.211.46.88
Sep 25, 2020 11:28:07.782602072 CEST | 443 | 49719 | 52.211.46.88 | 192.168.2.4
Sep 25, 2020 11:28:07.782736063 CEST | 443 | 49718 | 52.211.46.88 | 192.168.2.4
Sep 25, 2020 11:28:07.782866955 CEST | 49719 | 443 | 192.168.2.4 | 52.211.46.88
Sep 25, 2020 11:28:07.784010887 CEST | 49718 | 443 | 192.168.2.4 | 52.211.46.88
Sep 25, 2020 11:28:07.796540022 CEST | 49718 | 443 | 192.168.2.4 | 52.211.46.88
Sep 25, 2020 11:28:07.797394037 CEST | 49719 | 443 | 192.168.2.4 | 52.211.46.88
Sep 25, 2020 11:28:07.867645979 CEST | 443 | 49719 | 52.211.46.88 | 192.168.2.4
Sep 25, 2020 11:28:07.867717981 CEST | 443 | 49718 | 52.211.46.88 | 192.168.2.4
Sep 25, 2020 11:28:07.867969036 CEST | 443 | 49719 | 52.211.46.88 | 192.168.2.4
Sep 25, 2020 11:28:07.868093014 CEST | 443 | 49719 | 52.211.46.88 | 192.168.2.4
Sep 25, 2020 11:28:07.868114948 CEST | 49719 | 443 | 192.168.2.4 | 52.211.46.88
Sep 25, 2020 11:28:07.868195057 CEST | 443 | 49719 | 52.211.46.88 | 192.168.2.4
Sep 25, 2020 11:28:07.868211985 CEST | 49719 | 443 | 192.168.2.4 | 52.211.46.88
Sep 25, 2020 11:28:07.868268013 CEST | 443 | 49718 | 52.211.46.88 | 192.168.2.4
Sep 25, 2020 11:28:07.868285894 CEST | 49719 | 443 | 192.168.2.4 | 52.211.46.88
Sep 25, 2020 11:28:07.868381977 CEST | 49718 | 443 | 192.168.2.4 | 52.211.46.88
Sep 25, 2020 11:28:07.868416071 CEST | 443 | 49718 | 52.211.46.88 | 192.168.2.4
Sep 25, 2020 11:28:07.868515015 CEST | 443 | 49718 | 52.211.46.88 | 192.168.2.4
Sep 25, 2020 11:28:07.868532896 CEST | 49718 | 443 | 192.168.2.4 | 52.211.46.88
Sep 25, 2020 11:28:07.868598938 CEST | 49718 | 443 | 192.168.2.4 | 52.211.46.88
Sep 25, 2020 11:28:07.914701939 CEST | 49719 | 443 | 192.168.2.4 | 52.211.46.88
Sep 25, 2020 11:28:07.914895058 CEST | 49718 | 443 | 192.168.2.4 | 52.211.46.88
Sep 25, 2020 11:28:07.925616026 CEST | 49719 | 443 | 192.168.2.4 | 52.211.46.88
Sep 25, 2020 11:28:07.970144033 CEST | 443 | 49719 | 52.211.46.88 | 192.168.2.4
Sep 25, 2020 11:28:07.970172882 CEST | 443 | 49718 | 52.211.46.88 | 192.168.2.4
Sep 25, 2020 11:28:07.970436096 CEST | 49719 | 443 | 192.168.2.4 | 52.211.46.88
Sep 25, 2020 11:28:07.970566034 CEST | 49718 | 443 | 192.168.2.4 | 52.211.46.88
Sep 25, 2020 11:28:07.971997976 CEST | 443 | 49719 | 52.211.46.88 | 192.168.2.4
Sep 25, 2020 11:28:07.972320080 CEST | 49719 | 443 | 192.168.2.4 | 52.211.46.88
Sep 25, 2020 11:28:08.304147959 CEST | 49719 | 443 | 192.168.2.4 | 52.211.46.88
Sep 25, 2020 11:28:08.398627043 CEST | 443 | 49719 | 52.211.46.88 | 192.168.2.4
Sep 25, 2020 11:28:08.398746967 CEST | 49719 | 443 | 192.168.2.4 | 52.211.46.88

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 25, 2020 11:27:57.972224951 CEST | 63540 | 53 | 192.168.2.4 | 8.8.8.8
Sep 25, 2020 11:27:57.997198105 CEST | 53 | 63540 | 8.8.8.8 | 192.168.2.4
Sep 25, 2020 11:27:58.663393021 CEST | 50757 | 53 | 192.168.2.4 | 8.8.8.8
Sep 25, 2020 11:27:58.687309980 CEST | 53 | 50757 | 8.8.8.8 | 192.168.2.4
Sep 25, 2020 11:28:06.074047089 CEST | 59058 | 53 | 192.168.2.4 | 8.8.8.8
Sep 25, 2020 11:28:06.107973099 CEST | 53 | 59058 | 8.8.8.8 | 192.168.2.4
Sep 25, 2020 11:28:07.675678968 CEST | 53809 | 53 | 192.168.2.4 | 8.8.8.8
Sep 25, 2020 11:28:07.699268103 CEST | 53 | 53809 | 8.8.8.8 | 192.168.2.4
Sep 25, 2020 11:28:16.251599073 CEST | 52224 | 53 | 192.168.2.4 | 8.8.8.8
Sep 25, 2020 11:28:16.302731037 CEST | 53 | 52224 | 8.8.8.8 | 192.168.2.4
Sep 25, 2020 11:28:20.645924091 CEST | 57637 | 53 | 192.168.2.4 | 8.8.8.8
Sep 25, 2020 11:28:20.705415964 CEST | 53 | 57637 | 8.8.8.8 | 192.168.2.4
Sep 25, 2020 11:28:25.031224966 CEST | 63419 | 53 | 192.168.2.4 | 8.8.8.8
Sep 25, 2020 11:28:25.055202007 CEST | 53 | 63419 | 8.8.8.8 | 192.168.2.4
Sep 25, 2020 11:28:26.873467922 CEST | 54357 | 53 | 192.168.2.4 | 8.8.8.8
Sep 25, 2020 11:28:26.906667948 CEST | 53 | 54357 | 8.8.8.8 | 192.168.2.4
Sep 25, 2020 11:28:36.091345072 CEST | 60328 | 53 | 192.168.2.4 | 8.8.8.8
Sep 25, 2020 11:28:36.114948988 CEST | 53 | 60328 | 8.8.8.8 | 192.168.2.4
Sep 25, 2020 11:28:36.995870113 CEST | 49936 | 53 | 192.168.2.4 | 8.8.8.8
Sep 25, 2020 11:28:37.019634008 CEST | 53 | 49936 | 8.8.8.8 | 192.168.2.4
Sep 25, 2020 11:28:37.284029007 CEST | 60328 | 53 | 192.168.2.4 | 8.8.8.8
Sep 25, 2020 11:28:37.308219910 CEST | 53 | 60328 | 8.8.8.8 | 192.168.2.4
Sep 25, 2020 11:28:38.078532934 CEST | 49936 | 53 | 192.168.2.4 | 8.8.8.8
Sep 25, 2020 11:28:38.103984118 CEST | 53 | 49936 | 8.8.8.8 | 192.168.2.4
Sep 25, 2020 11:28:38.290039062 CEST | 60328 | 53 | 192.168.2.4 | 8.8.8.8
Sep 25, 2020 11:28:38.313621044 CEST | 53 | 60328 | 8.8.8.8 | 192.168.2.4
Sep 25, 2020 11:28:39.081207037 CEST | 49936 | 53 | 192.168.2.4 | 8.8.8.8
Sep 25, 2020 11:28:39.105097055 CEST | 53 | 49936 | 8.8.8.8 | 192.168.2.4
Sep 25, 2020 11:28:40.303808928 CEST | 60328 | 53 | 192.168.2.4 | 8.8.8.8
Sep 25, 2020 11:28:40.327404022 CEST | 53 | 60328 | 8.8.8.8 | 192.168.2.4
Sep 25, 2020 11:28:41.246148109 CEST | 49936 | 53 | 192.168.2.4 | 8.8.8.8
Sep 25, 2020 11:28:41.269793034 CEST | 53 | 49936 | 8.8.8.8 | 192.168.2.4
Sep 25, 2020 11:28:43.675774097 CEST | 52456 | 53 | 192.168.2.4 | 8.8.8.8
Sep 25, 2020 11:28:43.699455976 CEST | 53 | 52456 | 8.8.8.8 | 192.168.2.4
Sep 25, 2020 11:28:44.417340994 CEST | 60328 | 53 | 192.168.2.4 | 8.8.8.8
Sep 25, 2020 11:28:44.440985918 CEST | 53 | 60328 | 8.8.8.8 | 192.168.2.4
Sep 25, 2020 11:28:45.242892981 CEST | 49936 | 53 | 192.168.2.4 | 8.8.8.8
Sep 25, 2020 11:28:45.344835997 CEST | 53 | 49936 | 8.8.8.8 | 192.168.2.4

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Sep 25, 2020 11:28:07.675678968 CEST | 192.168.2.4 | 8.8.8.8 | 0x254c | Standard query (0) | impression.appsflyer.com | A (IP address) | IN (0x0001)
Sep 25, 2020 11:28:25.031224966 CEST | 192.168.2.4 | 8.8.8.8 | 0x6b73 | Standard query (0) | impression.appsflyer.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Sep 25, 2020 11:28:07.699268103 CEST | 8.8.8.8 | 192.168.2.4 | 0x254c | No error (0) | impression.appsflyer.com | | 52.211.46.88 | A (IP address) | IN (0x0001)
Sep 25, 2020 11:28:07.699268103 CEST | 8.8.8.8 | 192.168.2.4 | 0x254c | No error (0) | impression.appsflyer.com | | 52.48.249.216 | A (IP address) | IN (0x0001)
Sep 25, 2020 11:28:07.699268103 CEST | 8.8.8.8 | 192.168.2.4 | 0x254c | No error (0) | impression.appsflyer.com | | 54.171.52.39 | A (IP address) | IN (0x0001)
Sep 25, 2020 11:28:07.699268103 CEST | 8.8.8.8 | 192.168.2.4 | 0x254c | No error (0) | impression.appsflyer.com | | 34.252.124.214 | A (IP address) | IN (0x0001)
Sep 25, 2020 11:28:07.699268103 CEST | 8.8.8.8 | 192.168.2.4 | 0x254c | No error (0) | impression.appsflyer.com | | 34.253.159.76 | A (IP address) | IN (0x0001)
Sep 25, 2020 11:28:07.699268103 CEST | 8.8.8.8 | 192.168.2.4 | 0x254c | No error (0) | impression.appsflyer.com | | 52.215.26.122 | A (IP address) | IN (0x0001)
Sep 25, 2020 11:28:07.699268103 CEST | 8.8.8.8 | 192.168.2.4 | 0x254c | No error (0) | impression.appsflyer.com | | 54.194.23.209 | A (IP address) | IN (0x0001)
Sep 25, 2020 11:28:07.699268103 CEST | 8.8.8.8 | 192.168.2.4 | 0x254c | No error (0) | impression.appsflyer.com | | 52.212.196.226 | A (IP address) | IN (0x0001)
Sep 25, 2020 11:28:25.055202007 CEST | 8.8.8.8 | 192.168.2.4 | 0x6b73 | No error (0) | impression.appsflyer.com | | 34.247.233.229 | A (IP address) | IN (0x0001)
Sep 25, 2020 11:28:25.055202007 CEST | 8.8.8.8 | 192.168.2.4 | 0x6b73 | No error (0) | impression.appsflyer.com | | 52.50.190.83 | A (IP address) | IN (0x0001)
Sep 25, 2020 11:28:25.055202007 CEST | 8.8.8.8 | 192.168.2.4 | 0x6b73 | No error (0) | impression.appsflyer.com | | 63.32.227.89 | A (IP address) | IN (0x0001)
Sep 25, 2020 11:28:25.055202007 CEST | 8.8.8.8 | 192.168.2.4 | 0x6b73 | No error (0) | impression.appsflyer.com | | 52.50.217.35 | A (IP address) | IN (0x0001)
Sep 25, 2020 11:28:25.055202007 CEST | 8.8.8.8 | 192.168.2.4 | 0x6b73 | No error (0) | impression.appsflyer.com | | 52.17.171.19 | A (IP address) | IN (0x0001)
Sep 25, 2020 11:28:25.055202007 CEST | 8.8.8.8 | 192.168.2.4 | 0x6b73 | No error (0) | impression.appsflyer.com | | 52.208.149.21 | A (IP address) | IN (0x0001)
Sep 25, 2020 11:28:25.055202007 CEST | 8.8.8.8 | 192.168.2.4 | 0x6b73 | No error (0) | impression.appsflyer.com | | 108.128.73.49 | A (IP address) | IN (0x0001)
Sep 25, 2020 11:28:25.055202007 CEST | 8.8.8.8 | 192.168.2.4 | 0x6b73 | No error (0) | impression.appsflyer.com | | 63.34.40.14 | A (IP address) | IN (0x0001)

HTTPS Packets

Timestamp: Sep 25, 2020 11:28:07.868195057 CEST
Source IP / Port: 52.211.46.88 / 443
Dest IP / Port: 192.168.2.4 / 49719
Certificate chain (Subject; Issuer; Not Before; Not After):
  CN=*.appsflyer.com, OU=development, O=AppsFlyer Ltd, L=Herzliya, C=IL; CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US; Mon Jan 28 01:00:00 CET 2019; Fri Mar 19 13:00:00 CET 2021
  CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US; CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US; Mon Nov 06 13:23:45 CET 2017; Sat Nov 06 13:23:45 CET 2027
  CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US; CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US; Mon Nov 06 13:23:45 CET 2017; Sat Nov 06 13:23:45 CET 2027
JA3 SSL Client Fingerprint: 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0
JA3 SSL Client Digest: 9e10692f1b7f78228b2d4e424db3a98c

Timestamp: Sep 25, 2020 11:28:07.868515015 CEST
Source IP / Port: 52.211.46.88 / 443
Dest IP / Port: 192.168.2.4 / 49718
Certificate chain (Subject; Issuer; Not Before; Not After):
  CN=*.appsflyer.com, OU=development, O=AppsFlyer Ltd, L=Herzliya, C=IL; CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US; Mon Jan 28 01:00:00 CET 2019; Fri Mar 19 13:00:00 CET 2021
  CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US; CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US; Mon Nov 06 13:23:45 CET 2017; Sat Nov 06 13:23:45 CET 2027
  CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US; CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US; Mon Nov 06 13:23:45 CET 2017; Sat Nov 06 13:23:45 CET 2027
JA3 SSL Client Fingerprint: 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0
JA3 SSL Client Digest: 9e10692f1b7f78228b2d4e424db3a98c

Code Manipulations

Statistics

Behavior

• iexplore.exe
• iexplore.exe

System Behavior

Analysis Process: iexplore.exe PID: 6980 Parent PID: 796

General

Start time: 11:28:04
Start date: 25/09/2020
Path: C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit): false
Commandline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase: 0x7ff757530000
File size: 823560 bytes
MD5 hash: 6465CB92B25A7BC1DF8E01D8AC5E7596
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

File Activities

Source File Path Access Attributes Options Completion Count Address Symbol

Source File Path Offset Length Value Ascii Completion Count Address Symbol

Source File Path Offset Length Completion Count Address Symbol

Registry Activities

Source Key Path Completion Count Address Symbol

Source Key Path Name Type Data Completion Count Address Symbol

Source Key Path Name Type Old Data New Data Completion Count Address Symbol

Analysis Process: iexplore.exe PID: 7032 Parent PID: 6980

General

Start time: 11:28:05
Start date: 25/09/2020
Path: C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6980 CREDAT:17410 /prefetch:2
Imagebase: 0x2b0000
File size: 822536 bytes
MD5 hash: 071277CC2E3DF41EEEA8013E2AB58D5A
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

File Activities

Source File Path Access Attributes Options Completion Count Address Symbol

Source File Path Offset Length Value Ascii Completion Count Address Symbol

Source File Path Offset Length Completion Count Address Symbol

Registry Activities

Source Key Path Completion Count Address Symbol

Source Key Path Name Type Data Completion Count Address Symbol

Disassembly
