Automated Malware Analysis Report For

ID: 289896 Cookbook: browseurl.jbs Time: 11:27:01 Date: 25/09/2020 Version: 30.0.0 Red Diamond Table of Contents

Table of Contents 2 Analysis Report https://impression.appsflyer.com/de.autodoc.gmbh? c=Autodoc_Android_CPA&af_viewthrough_lookback=1d&af_siteid=92517241&pid=roockmobile_int&clickid=20200925085045_wangmeng7_1d84dd2966b4f9b867c49c49ca06d63216894_v3&android_id= {android_id}&advertising_id=6d0fd5e2-dfb8-4abf-b91c-844c98a8929d&imei={imei}&idfa=6d0fd5e2-dfb8-4abf-b91c- 844c98a8929d 3 Overview 3 General Information 3 Detection 3 Signatures 3 Classification 3 Startup 4 Malware Configuration 4 Yara Overview 4 Sigma Overview 4 Signature Overview 4 Mitre Att&ck Matrix 5 Behavior Graph 5 Screenshots 6 Thumbnails 6 Antivirus, Machine Learning and Genetic Malware Detection 7 Initial Sample 7 Dropped Files 7 Unpacked PE Files 7 Domains 7 URLs 7 Domains and IPs 8 Contacted Domains 8 Contacted URLs 8 URLs from Memory and Binaries 8 Contacted IPs 8 Public 9 General Information 9 Simulations 10 Behavior and APIs 10 Joe Sandbox View / Context 10 IPs 10 Domains 10 ASN 10 JA3 Fingerprints 10 Dropped Files 10 Created / dropped Files 11 Static File Info 15 No static file info 15 Network Behavior 15 Network Port Distribution 15 TCP Packets 16 UDP Packets 16 DNS Queries 17 DNS Answers 17 HTTPS Packets 18 Code Manipulations 18 Statistics 18 Behavior 18 System Behavior 19 Analysis Process: iexplore.exe PID: 6980 Parent PID: 796 19 General 19 File Activities 19 Registry Activities 19 Analysis Process: iexplore.exe PID: 7032 Parent PID: 6980 19 General 19 File Activities 20 Registry Activities 20 Disassembly 20

Copyright null 2020 Page 2 of 20 Analysis Report https://impression.appsflyer.com/de.au…todoc.gmbh?c=Autodoc_Android_CPA&af_viewthrough_lookback=1d&af_siteid=92517241&pid=roockmobile_int&clickid=20200925085045_wangmeng7_1d84dd2966b4f9b867c49c49ca06d63216894_v3&android_id={android_id}&advertising_id=6d0fd5e2-dfb8-4abf-b91c-844c98a8929d&imei={imei}&idfa=6d0fd5e2-dfb8-4abf-b91c-844c98a8929d

Overview

General Information Detection Signatures Classification

Sample URL: https://impression.ap No high impact signatures. psflyer.com/de.autodoc.gm bh?c=Autodoc_Android_C PA&af_viewthrough_lookb ack=1d&af_siteid=925172 41&pid=roockmobile_int&c lickid=20200925085045_w angmeng7_1d84dd2966b4f 9b867c49c49ca06d632168 94_v3&android_id={androi d_id}&advertising_id=6d0f d5e2-dfb8-4abf-b91c-844c 98a8929d&imei={imei}&idf a=6d0fd5e2-dfb8-4abf-b91 c-844c98a8929d Analysis ID: 289896 Most interesting Screenshot: Score: 0 Range: 0 - 100 Whitelisted: false Confidence: 80%

Miner Spreading

mmaallliiiccciiioouusss

malicious

Evader Phishing

sssuusssppiiiccciiioouusss

suspicious

cccllleeaann

clean

Exploiter Banker

Spyware Trojan / Bot

Adware

Startup

System is w10x64 iexplore.exe (PID: 6980 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596) iexplore.exe (PID: 7032 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6980 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A) cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

There are no malicious signatures, click here to show all signatures .

Mitre Att&ck Matrix

Command Remote Initial Privilege Defense Credential Lateral and Network Service Access Execution Persistence Escalation Evasion Access Discovery Movement Collection Exfiltration Control Effects Effects Impact Valid Windows Path Process Masquerading 1 OS File and Remote Data from Exfiltration Encrypted Eavesdrop on Remotely Modify Accounts Management Interception Injection 1 Credential Directory Services Local Over Other Channel 2 Insecure Track Device System Instrumentation Dumping Discovery 1 System Network Network Without Partition Medium Communication Authorization Default Scheduled Boot or Boot or Process LSASS Application Remote Data from Exfiltration Non- Exploit SS7 to Remotely Device Accounts Task/Job Logon Logon Injection 1 Memory Window Desktop Removable Over Application Redirect Phone Wipe Data Lockout Initialization Initialization Discovery Protocol Media Bluetooth Layer Calls/SMS Without Scripts Scripts Protocol 1 Authorization Domain At (Linux) Logon Script Logon Obfuscated Files Security Query SMB/Windows Data from Automated Application Exploit SS7 to Obtain Delete Accounts (Windows) Script or Information Account Registry Admin Shares Network Exfiltration Layer Track Device Device Device (Windows) Manager Shared Protocol 2 Location Cloud Data Drive Backups

Behavior Graph

Copyright null 2020 Page 5 of 20 Hide Legend Behavior Graph Legend: ID: 289896 Process URL: https://impression.appsflye... Signature Startdate: 25/09/2020 Created File Architecture: WINDOWS DNS/IP Info Score: 0 Is Dropped

Is Windows Process

Number of created Registry Values

impression.appsflyer.com started Number of created Files

Visual Basic

Delphi

iexplore.exe Java .Net C# or VB.NET

C, C++ or other language 11 84 Is malicious

Internet started

iexplore.exe

2 33

impression.appsflyer.com

52.211.46.88, 443, 49718, 49719 AMAZON-02US United States

Screenshots

Thumbnails This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Initial Sample

Source Detection Scanner Label Link https://impression.appsflyer.com/de.autodoc.gmbh? 0% Avira URL Cloud safe c=Autodoc_Android_CPA&af_viewthrough_lookback=1d&af_siteid=92517241&pid=roockmobile_int&click id=20200925085045_wangmeng7_1d84dd2966b4f9b867c49c49ca06d63216894_v3&android_id= {android_id}&advertising_id=6d0fd5e2-dfb8-4abf-b91c-844c98a8929d&imei={imei}&idfa=6d0fd5e2-dfb8- 4abf-b91c-844c98a8929d

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source Detection Scanner Label Link www.wikipedia.com/ 0% URL Reputation safe

Copyright null 2020 Page 7 of 20 Source Detection Scanner Label Link www.wikipedia.com/ 0% URL Reputation safe www.wikipedia.com/ 0% URL Reputation safe

Domains and IPs

Contacted Domains

Name IP Active Malicious Antivirus Detection Reputation impression.appsflyer.com 52.211.46.88 true false high

Contacted URLs

Name Malicious Antivirus Detection Reputation https://impression.appsflyer.com/de.autodoc.gmbh? false high c=Autodoc_Android_CPA&af_viewthrough_lookback=1d&af_siteid=92517241&pid=roockmobil e_int&clickid=20200925085045_wangmeng7_1d84dd2966b4f9b867c49c49ca06d63216894_v3 &android_id={android_id}&advertising_id=6d0fd5e2-dfb8-4abf-b91c-844c98a8929d&imei= {imei}&idfa=6d0fd5e2-dfb8-4abf-b91c-844c98a8929d

URLs from Memory and Binaries

Name Source Malicious Antivirus Detection Reputation www.wikipedia.com/ msapplication.xml7.1.dr false URL Reputation: safe unknown URL Reputation: safe URL Reputation: safe www.amazon.com/ msapplication.xml.1.dr false high www.nytimes.com/ msapplication.xml4.1.dr false high https://impression.appsflyer.com/de.autodoc.gmbh? {D9B2DB49-FF5C-11EA-90E8-ECF4B false high c=Autodoc_Android_CPA&af_viewthrough_lookback=1d&af BEA1588}.dat.1.dr, ~DFB4749743 D40BC7E5.TMP.1.dr www.live.com/ msapplication.xml3.1.dr false high www.reddit.com/ msapplication.xml5.1.dr false high www.twitter.com/ msapplication.xml6.1.dr false high www.youtube.com/ msapplication.xml8.1.dr false high

Contacted IPs

No. of IPs < 25% 25% < No. of IPs < 50% 50% < No. of IPs < 75%

75% < No. of IPs

IP Country Flag ASN ASN Name Malicious 52.211.46.88 United States 16509 AMAZON-02US false

General Information

Joe Sandbox Version: 30.0.0 Red Diamond Analysis ID: 289896 Start date: 25.09.2020 Start time: 11:27:01 Joe Sandbox Product: CloudBasic Overall analysis duration: 0h 4m 8s Hypervisor based Inspection enabled: false Report type: light Cookbook file name: browseurl.jbs Sample URL: https://impression.appsflyer.com/de.autodoc.gmb h?c=Autodoc_Android_CPA&af_viewthrough_lookback =1d&af_siteid=92517241&pid=roockmobile_int&clickid= 20200925085045_wangmeng7_1d84dd2966b4f9b867c4 9c49ca06d63216894_v3&android_id={android_id}&adv ertising_id=6d0fd5e2-dfb8-4abf-b91c-844c98a8929d&i mei={imei}&idfa=6d0fd5e2-dfb8-4abf-b91c-844c98a892 9d Analysis system description: w10x64 Windows 10 64 bit v1803 with Office Professional Plus 2016, IE 11, Adobe Reader DC 19, Java 8 Update 211 Number of analysed new started processes analysed: 15 Number of new started drivers analysed: 0 Number of existing processes analysed: 0 Number of existing drivers analysed: 0 Number of injected processes analysed: 0 Technologies: HCA enabled EGA enabled AMSI enabled Analysis Mode: default Analysis stop reason: Timeout Detection: CLEAN Classification: clean0.win@3/17@2/1 Cookbook Comments: Adjust boot time Enable AMSI

Copyright null 2020 Page 9 of 20 Warnings: Show All Exclude process from analysis (whitelisted): audiodg.exe, BackgroundTransferHost.exe, ielowutil.exe, backgroundTaskHost.exe, SgrmBroker.exe, svchost.exe Excluded IPs from analysis (whitelisted): 52.184.221.185, 104.108.39.131, 51.104.139.180, 92.122.144.200, 80.239.152.136, 80.239.148.32, 152.199.19.161, 205.185.216.10, 205.185.216.42 Excluded domains from analysis (whitelisted): umwatson.trafficmanager.net, arc.msn.com.nsatc.net, fs.microsoft.com, ie9comview.vo.msecnd.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, fs- wildcard.microsoft.com.edgekey.net, fs- wildcard.microsoft.com.edgekey.net.globalredir.aka dns.net, a1449.dscg2.akamai.net, arc.msn.com, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, umwatsonrouting.trafficmanager.net, go.microsoft.com, go.microsoft.com.edgekey.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, watson.telemetry.microsoft.com, img-prod-cms-rt- microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg- shim.trafficmanager.net, cs9.wpc.v0cdn.net VT rate limit hit for: https://impression.appsflyer.com/de.autodoc.gmbh? c=Autodoc_Android_CPA&af_viewthrough_lookbac k=1d&af_siteid=92517241&pid=roockmobile_int&cli ckid=20200925085045_wangmeng7_1d84dd2966b4 f9b867c49c49ca06d63216894_v3&android_id= {android_id}&advertising_id=6d0fd5e2-dfb8-4abf- b91c-844c98a8929d&imei={imei}&idfa=6d0fd5e2- dfb8-4abf-b91c-844c98a8929d

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{D9B2DB47-FF5C-11EA-90E8-ECF4BBEA1588}.dat Process: C:\Program Files\internet explorer\iexplore.exe File Type: Microsoft Word Document Size (bytes): 30296 Entropy (8bit): 1.8391586794423 Encrypted: false MD5: C53D1451840363D99B9DDA88477D7A45 SHA1: C615997E3B2BFA5662332EACFD79F394477AF5CC SHA-256: 8254F672B2877078E31317A6817E4D1F5DC0CF55674E393757FA167F1A890B77 SHA-512: 7799EFD206AF8FDD421080378E627B4BDB758794E81EDF7CF83882056D8C063EFA435DC31391B895C0AC6031C6264D8FEC3DF6EDD7F864F56A5791FE85A4B2CA Malicious: false Reputation: low Preview: ...... R.o.o.t. .E.n.t.r. y......

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{D9B2DB49-FF5C-11EA-90E8-ECF4BBEA1588}.dat Process: C:\Program Files\internet explorer\iexplore.exe File Type: Microsoft Word Document Size (bytes): 24792 Entropy (8bit): 1.7495634783345555 Encrypted: false MD5: E6CE304999E1D1766C1DB9E2FF06817F SHA1: 85B42DCCAE3875DBA91E4662CB46BB714451568E SHA-256: FEF177B12D6894A6C37F8713A2FA1D30348A922F498170D0FF1AA3346DFA7765 SHA-512: 1A388F730E723E98D25CFC8FA0964545110D7406B0A4A5FA8AD4731B147ECE4FC0B29F959B379E06ECEE857ABCBBE1C78C26B8735B18D4DD9BB516D5512DDC D9 Malicious: false Reputation: low Preview: ...... R.o.o.t. .E.n.t.r. y......

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{D9B2DB4A-FF5C-11EA-90E8-ECF4BBEA1588}.dat Process: C:\Program Files\internet explorer\iexplore.exe File Type: Microsoft Word Document Size (bytes): 16984 Entropy (8bit): 1.5661990263884806 Encrypted: false MD5: A03A4AB7EA367FF38F6C84C05DF30A66 SHA1: 312E31B0762DBC97EF9D02CE3040011114182183 SHA-256: 69784794024FCBB8392BF5830E5376578685980F1E251ACDE3CE5229B97BD2FF SHA-512: 994BC94CD5EA602D06EC536B22D3224314BF5041F0E2DB4A5D9126E81619F5895FAF5E80B906D08B89CE80756575B819E512EDC24851A69890BAC4B7AC0476F8 Malicious: false Reputation: low Preview: ...... R.o.o.t. .E.n.t.r. y......

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml Process: C:\Program Files\internet explorer\iexplore.exe File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators Size (bytes): 656 Entropy (8bit): 5.129192621412279 Encrypted: false MD5: E4DEB09AF47ECCA2C979735B07033E52 SHA1: 28C99ED40563E1CB85363CB226F1EAE3D10D0F89 SHA-256: FCA7C025D64ACD99C3298B829FE10230620464B352C459AC93622A49154B177D SHA-512: 0F49FAA11E3E5F9FD7E49E3BECEC371D6E8511B69D8A2EA20C56DAF52DF947E7F57618BE183B5C8B874FE428B1C06E1FB1EC889E8FF2A08F63D638C477F8B4 A9

Copyright null 2020 Page 11 of 20 C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml Malicious: false Reputation: low Preview: ..0xaf78d449,0x01d69369< accdate>0xaf78d449,0x01d69369....0xaf78d449,0x01d693690 xaf78d449,0x01d69369..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml Process: C:\Program Files\internet explorer\iexplore.exe File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators Size (bytes): 653 Entropy (8bit): 5.130456480709593 Encrypted: false MD5: 304ECBA0246308F2641B7ACC8AAE3DF4 SHA1: 368811418A05088414285F5E003EB3903B21D256 SHA-256: 7C04B94A305DB73E371CA6638D052EE8A782C202EF09225A806EC6770DC22EC7 SHA-512: D24926D3EA7DC0AE63E5BF659098F9C9B09F342E31372AEC752D820C2018022A93D7D163F637411467AE174C8C4235192AB8323E27322B343CA8F6C63D041BCD Malicious: false Reputation: low Preview: ..0xaf6f4ac4,0x01d693690xaf6f4ac4,0x01d69369....0xaf6f4ac4,0x01d69369 0xaf71ad2d,0x01d69369..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml Process: C:\Program Files\internet explorer\iexplore.exe File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators Size (bytes): 662 Entropy (8bit): 5.145209074423031 Encrypted: false MD5: 7BDAB7F7C2A212CC667AD5D6C9BF40E0 SHA1: 8AA00EEB89C468D2B16FCCAC06D7DA0861DCEA78 SHA-256: A4AB33FB25756AE1B937D6BD0BFDF0AF705604197EA6EA56AC49375A2F95478B SHA-512: 65D3B2707F6D361AA5E17216D57BAF338F93C58D74A08C7A28947BFE9BF0386725FCBAE7B86FE29E42AE1F657DC8CEE88E3A0BF1C51C2A26BBD2655BA0176A 6E Malicious: false Reputation: low Preview: ..0xaf78d449,0x01d69369 0xaf78d449,0x01d69369....0xaf78d449,0x01d693690xaf7b36a9,0x01d69369..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-314712940\msapplication.xml Process: C:\Program Files\internet explorer\iexplore.exe File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators Size (bytes): 410 Entropy (8bit): 5.163771131507503 Encrypted: false MD5: 61ACDF4694755F4CEF38F7D25AC4F086 SHA1: 1E870C3B40C76C6875C01E284DEB647DD8D69517 SHA-256: 715CCE63A34E4A2FE94D377A4F756F0576925F1C9E9BF5997218E9CF7A051C72 SHA-512: B22C0E4C22B71F317DFFCA7EFF564466136B6843F6F2DC17B07589DCF25CC3FA830C5CF96856976956F14972835AEC01ADF251009FB3332A8F7697B5427824ED Malicious: false Reputation: low Preview: ..0x259f0d0f,0x01 d52d140xaf71ad2d,0x01d69369\lowres.png..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml Process: C:\Program Files\internet explorer\iexplore.exe File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators Size (bytes): 647 Entropy (8bit): 5.107670814806817

Copyright null 2020 Page 12 of 20 C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml Encrypted: false MD5: 5FB3025D1D3BA4DDF18E162CF1523749 SHA1: 481D6F6273C2D6D5389209FED8A00F630BE0992A SHA-256: A100F2850EAE8AE72796529124FB754DBC3B94753382758B7A423EABB9472382 SHA-512: BD3E046CBAECA4E2578A30B057A378C0F48AC8F45D10743089CA15FA8871763EE8376122A3E49A4E1DD6E78B63CCEA9B0A9E2A06689CDADF43BBCD348B0340 F5 Malicious: false Reputation: low Preview: ..0xaf7671d6,0x01d693690xaf7671d6,0x01d69369....0xaf7671d6,0x01d693690xaf767 1d6,0x01d69369 ..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml Process: C:\Program Files\internet explorer\iexplore.exe File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators Size (bytes): 656 Entropy (8bit): 5.127938917333591 Encrypted: false MD5: AF27E2895A2778476D023A8BBC41597D SHA1: A187A1D41D847C88CF444637C49B55D11BAD2F1D SHA-256: 8C6E23022331C56364EF33C394B39EAF0CD8FA3460BBE6B1BC6E57A7BA626CF3 SHA-512: 28024109C5C4E9A7BDA32C145EF01C92922A15706BB687545AC3B3FE3FD4A049FCE06A22FA833FE06959662990647C791A479B1256C042AE51FE9A4E77091014 Malicious: false Reputation: low Preview: ..0xaf7b36a9,0x01d69369< accdate>0xaf7b36a9,0x01d69369....0xaf7b36a9,0x01d693690 xaf7b36a9,0x01d69369 ..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml Process: C:\Program Files\internet explorer\iexplore.exe File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators Size (bytes): 653 Entropy (8bit): 5.130566510092149 Encrypted: false MD5: 99F7537F4C02D1D63C848BD1D5FF9616 SHA1: 64BDF4C02B83A891A3F7505950FBBF2152F74A9E SHA-256: 956122F9EDE829A2DDB838CCA6C2E89FD6E08F777D31A371E6925F91A17F8F3F SHA-512: 6110A56AC5FA65E45C32D5D920A47E54B22308873EC64CF24E1D4205D40412579533625AA6A76E608F6858BD543643E3C501776CA7BDBED95650A9C495D232E4 Malicious: false Reputation: low Preview: ..0xaf78d449,0x01d69369 0xaf78d449,0x01d69369....0xaf78d449,0x01d693690xa f78d449,0x01d69369 ..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml Process: C:\Program Files\internet explorer\iexplore.exe File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators Size (bytes): 656 Entropy (8bit): 5.1318676780071035 Encrypted: false MD5: D7B210644F85D2ACE9C286F5A2513098 SHA1: D5B076E7556986EA1B10658451ABFF7D1FF41C50 SHA-256: 5CE1CC2D8B0F733EDF44EE765C3D0B35BD1612F5F9F90F695C62DE199591D475 SHA-512: 3D18EF6F70E84993572C922277980D92D7A369718C7585904F30CF3B84A188B97E9118121D26C21A7A62301537B90BF261F117D5E60B89DBA08140FCFA18DC41 Malicious: false Reputation: low

Copyright null 2020 Page 13 of 20 C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml Preview: ..0xaf7671d6,0x01d69369< accdate>0xaf7671d6,0x01d69369....0xaf7671d6,0x01d693690 xaf7671d6,0x01d69369 ..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml Process: C:\Program Files\internet explorer\iexplore.exe File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators Size (bytes): 659 Entropy (8bit): 5.1385801393593775 Encrypted: false MD5: 45D53CDC727F06CE35C272037D216257 SHA1: 5D7998BD8D519B232F999D883F6E95C57D857449 SHA-256: F8D37265B1753F774402F4CC1B2D43759D768046D3C3E4E98D89082D409B2BB8 SHA-512: 26ADD6601B51A80CEBAF1CEA4B9CE6295ADBDFD317F5E6D808046A021C7AA379A07387C3FEC8C6CA2BBC306762949E889F79F67F4B8AD8540B2A2B50806014 A7 Malicious: false Reputation: low Preview: ..0xaf740f84,0x01d69369 0xaf740f84,0x01d69369....0xaf740f84,0x01d693690xaf740f84,0x01d69369 ..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml Process: C:\Program Files\internet explorer\iexplore.exe File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators Size (bytes): 653 Entropy (8bit): 5.121516016420222 Encrypted: false MD5: 4E0EF6A12A616B7D0441320CFB6FF1AF SHA1: B323EB304969B1AAFDF3D61AA4960A030B900830 SHA-256: D036BDC9111AEAA5E206BC75F6A07B463A2EB7C481944B2CCA16F6C58EC3DCEF SHA-512: 82A37B89D1162F5C692F7552550F3403D9224DA1F08F6E43DEB77F047C37933529DA9EDADA2639EFAE94C6804AC3839C2984ED03B8333A5B92F364BCD18203BA Malicious: false Reputation: low Preview: ..0xaf740f84,0x01d69369 0xaf740f84,0x01d69369....0xaf740f84,0x01d693690xa f740f84,0x01d69369 ..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\de.autodoc[1].htm Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe File Type: ASCII text, with no line terminators Size (bytes): 2 Entropy (8bit): 1.0 Encrypted: false MD5: 444BCB3A3FCF8389296C49467F27E1D6 SHA1: 7A85F4764BBD6DAF1C3545EFBBF0F279A6DC0BEB SHA-256: 2689367B205C16CE32ED4200942B8B8B1E262DFC70D9BC9FBC77C49699A4F1DF SHA-512: 9FBBBB5A0F329F9782E2356FA41D89CF9B3694327C1A934D6AF2A9DF2D7F936CE83717FB513196A4CE5548471708CD7134C2AE99B3C357BCABB2EAFC7B9B757 0 Malicious: false Reputation: low IE Cache URL: https://impression.appsflyer.com/de.autodoc.gmbh? c=Autodoc_Android_CPA&af_viewthrough_lookback=1d&af_siteid=92517241&pid=roockmobile_int&clickid=20200925085045_wangmeng7_1d84dd2966b4f9b867c49c49c a06d63216894_v3&android_id={android_id}&advertising_id=6d0fd5e2-dfb8-4abf-b91c-844c98a8929d&imei={imei}&idfa=6d0fd5e2-dfb8-4abf-b91c-844c98a8929d Preview: ok

C:\Users\user\AppData\Local\Temp\~DF578009C408BCF354.TMP Process: C:\Program Files\internet explorer\iexplore.exe File Type: data Size (bytes): 25441 Entropy (8bit): 0.27918767598683664