ID: 337157 Cookbook: browseurl.jbs Time: 21:05:56 Date: 07/01/2021 Version: 31.0.0 Red Diamond

Table of Contents

Table of Contents 2
Analysis Report http://wus-streaming-video-msn-com.akamaized.net/35c99539-c98d-4e9f-9118-a80f496d5fdd/92ba4db9-e0d6-4671-ab48-97402815_2250.mp4 4
Overview 4
General Information 4
Detection 4
Signatures 4
Classification 4
Startup 4
Malware Configuration 4
Yara Overview 4
Sigma Overview 4
Signature Overview 4
Mitre Att&ck Matrix 5
Behavior Graph 5
Screenshots 6
Thumbnails 6
Antivirus, Machine Learning and Genetic Malware Detection 7
Initial Sample 7
Dropped Files 7
Unpacked PE Files 7
Domains 7
URLs 7
Domains and IPs 9
Contacted Domains 9
Contacted URLs 9
URLs from Memory and Binaries 9
Contacted IPs 11
General Information 11
Simulations 12
Behavior and APIs 12
Joe Sandbox View / Context 12
IPs 12
Domains 12
ASN 13
JA3 Fingerprints 13
Dropped Files 13
Created / dropped Files 13
Static File Info 20
No static file info 20
Network Behavior 20
Snort IDS Alerts 20
UDP Packets 20
DNS Queries 22
DNS Answers 22
Code Manipulations 22
Statistics 22
Behavior 22
System Behavior 22
Analysis Process: iexplore.exe PID: 6984 Parent PID: 800 22
General 22
File Activities 23
Registry Activities 23
Analysis Process: iexplore.exe PID: 7032 Parent PID: 6984 23
General 23
File Activities 23
Analysis Process: Video.UI.exe PID: 4248 Parent PID: 800 23
General 23
File Activities 24
File Read 24
Registry Activities 24
Disassembly 24
Code Analysis 24

Copyright null 2021 Page 2 of 24

Analysis Report http://wus-streaming-video-msn-com.a…kamaized.net/35c99539-c98d-4e9f-9118-a80f496d5fdd/92ba4db9-e0d6-4671-ab48-97402815_2250.mp4

Overview

General Information

Sample URL: wus-streaming-video-msn-com.akamaized.net/35c99539-c98d-4e9f-9118-a80f496d5fdd/92ba4db9-e0d6-4671-ab48-97402815_2250.mp4
Analysis ID: 337157

Detection

Score: 2
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Drops certificate files (DER)
Queries disk information (often used…
Queries the volume information (name…
Uses code obfuscation techniques (…

Classification

Legend: malicious, suspicious, clean
Categories: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware

Startup

System is w10x64
iexplore.exe (PID: 6984 cmdline: 'C:\Program Files\\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
  iexplore.exe (PID: 7032 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6984 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
Video.UI.exe (PID: 4248 cmdline: 'C:\Program Files\WindowsApps\.ZuneVideo_10.17112.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe' -ServerName:Microsoft.ZuneVideo.AppX758ya5sqdjd98rx6z7g95nw6jy7bqx9y.mca MD5: BEA19F0655789B224CEF4C5AFCE49AD1)
cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

• Compliance
• Networking
• E-Banking Fraud
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection


There are no malicious signatures.

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects
Valid Accounts | Windows Management Instrumentation | Path Interception | Process Injection 2 | Masquerading 1 | OS Credential Dumping | Security Software Discovery 1 1 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Non-Application Layer Protocol 1 | Eavesdrop on Insecure Network Communication
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion 1 | LSASS Memory | Virtualization/Sandbox Evasion 1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Application Layer Protocol 1 | Exploit SS7 to Redirect Phone Calls/SMS
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection 2 | Security Account Manager | Process Discovery 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information 1 | NTDS | File and Directory Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | System Information Discovery 2 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | Remote System Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service

Behavior Graph

Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet
ID: 337157
URL: http://wus-streaming-video-...
Startdate: 07/01/2021
Architecture: WINDOWS
Score: 2
[Behavior graph image; nodes shown: Video.UI.exe, iexplore.exe, iexplore.exe (started), settings-ssl.xboxlive.com]

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label | Link
wus-streaming-video-msn-com.akamaized.net/35c99539-c98d-4e9f-9118-a80f496d5fdd/92ba4db9-e0d6-4671-ab48-97402815_2250.mp4 | 0% | Avira URL Cloud | safe | -

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label | Link | Entries
www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe | - | 4
https://login.windows.netWebTokenRequestResult | 0% | Avira URL Cloud | safe | - | 1
www.tiro.com | 0% | URL Reputation | safe | - | 4
www.goodfont.co.kr | 0% | URL Reputation | safe | - | 4
https://musicimage.xboxlive.comtBeforeRS2ent/v10_video/configuration.xml | 0% | Avira URL Cloud | safe | - | 1
0 | 0% | Virustotal | - | Browse | 1
www.carterandcone.coml | 0% | URL Reputation | safe | - | 4
www.sajatypeworks.com | 0% | URL Reputation | safe | - | 4
www.typography.netD | 0% | URL Reputation | safe | - | 4
www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe | - | 4
www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe | - | 4
fontfabrik.com | 0% | URL Reputation | safe | - | 4
www.founder.com.cn/cn | 0% | URL Reputation | safe | - | 4
https://account.xbox.com.The | 0% | Avira URL Cloud | safe | - | 1
www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe | - | 4
www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe | - | 4
www.sandoll.co.kr | 0% | URL Reputation | safe | - | 4
www.urwpp.deDPlease | 0% | URL Reputation | safe | - | 4
www.zhongyicts.com.cn | 0% | URL Reputation | safe | - | 4
www.sakkal.com | 0% | URL Reputation | safe | - | 4

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
settings-ssl.xboxlive.com | unknown | unknown | false | - | high

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
0 | false | 0%, Virustotal, Browse | low

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://xbox.com | Video.UI.exe, 00000004.00000002.923248668.000001D32C1D0000.00000002.00000001.sdmp | false | - | high
www.apache.org/licenses/LICENSE-2.0 | Video.UI.exe, 00000004.00000002.919968668.000001D325F36000.00000002.00000001.sdmp | false | - | high
www.fontbureau.com | Video.UI.exe, 00000004.00000002.919968668.000001D325F36000.00000002.00000001.sdmp | false | - | high
www.fontbureau.com/designersG | Video.UI.exe, 00000004.00000002.919968668.000001D325F36000.00000002.00000001.sdmp | false | - | high
https://login.windows.net | Video.UI.exe, 00000004.00000002.932897165.000001D33253C000.00000004.00000001.sdmp | false | - | high
www.fontbureau.com/designers/? | Video.UI.exe, 00000004.00000002.919968668.000001D325F36000.00000002.00000001.sdmp | false | - | high
www.founder.com.cn/cn/bThe | Video.UI.exe, 00000004.00000002.919968668.000001D325F36000.00000002.00000001.sdmp | false | URL Reputation: safe (4 entries) | unknown
https://login.windows.netWebTokenRequestResult | Video.UI.exe, 00000004.00000002.932897165.000001D33253C000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
www.fontbureau.com/designers? | Video.UI.exe, 00000004.00000002.919968668.000001D325F36000.00000002.00000001.sdmp | false | - | high
https://xsts.auth.xboxlive.com | Video.UI.exe, 00000004.00000002.932897165.000001D33253C000.00000004.00000001.sdmp | false | - | high
schemas.xmlsoap.org/soap/envelope/ | Video.UI.exe, 00000004.00000002.933034732.000001D332579000.00000004.00000001.sdmp | false | - | high
www.tiro.com | Video.UI.exe, 00000004.00000002.919968668.000001D325F36000.00000002.00000001.sdmp | false | URL Reputation: safe (4 entries) | unknown
https://settings-ssl.xboxlive.com/ | Video.UI.exe, 00000004.00000002.925740491.000001D32E55D000.00000004.00000001.sdmp | false | - | high
www.fontbureau.com/designers | Video.UI.exe, 00000004.00000002.919968668.000001D325F36000.00000002.00000001.sdmp | false | - | high
www.goodfont.co.kr | Video.UI.exe, 00000004.00000002.919968668.000001D325F36000.00000002.00000001.sdmp | false | URL Reputation: safe (4 entries) | unknown
json-schema.org/draft-04/schema | Video.UI.exe, 00000004.00000002.917952506.000001D321640000.00000004.00000001.sdmp, Video.UI.exe, 00000004.00000003.686369304.000001D321631000.00000004.00000001.sdmp | false | - | high
https://musicimage.xboxlive.comtBeforeRS2ent/v10_video/configuration.xml | Video.UI.exe, 00000004.00000002.925770124.000001D32E598000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
www.carterandcone.coml | Video.UI.exe, 00000004.00000002.919968668.000001D325F36000.00000002.00000001.sdmp | false | URL Reputation: safe (4 entries) | unknown
www.sajatypeworks.com | Video.UI.exe, 00000004.00000002.919968668.000001D325F36000.00000002.00000001.sdmp | false | URL Reputation: safe (4 entries) | unknown
www.typography.netD | Video.UI.exe, 00000004.00000002.919968668.000001D325F36000.00000002.00000001.sdmp | false | URL Reputation: safe (4 entries) | unknown
www.fontbureau.com/designers/cabarga.htmlN | Video.UI.exe, 00000004.00000002.919968668.000001D325F36000.00000002.00000001.sdmp | false | - | high
www.founder.com.cn/cn/cThe | Video.UI.exe, 00000004.00000002.919968668.000001D325F36000.00000002.00000001.sdmp | false | URL Reputation: safe (4 entries) | unknown
aka.ms/hevc | Video.UI.exe, 00000004.00000002.923248668.000001D32C1D0000.00000002.00000001.sdmp | false | - | high
www.galapagosdesign.com/staff/dennis.htm | Video.UI.exe, 00000004.00000002.919968668.000001D325F36000.00000002.00000001.sdmp | false | URL Reputation: safe (4 entries) | unknown
fontfabrik.com | Video.UI.exe, 00000004.00000002.919968668.000001D325F36000.00000002.00000001.sdmp | false | URL Reputation: safe (4 entries) | unknown
www.founder.com.cn/cn | Video.UI.exe, 00000004.00000002.919968668.000001D325F36000.00000002.00000001.sdmp | false | URL Reputation: safe (4 entries) | unknown
https://login.windows.net/ | Video.UI.exe, 00000004.00000002.932897165.000001D33253C000.00000004.00000001.sdmp | false | - | high
www.fontbureau.com/designers/frere-user.html | Video.UI.exe, 00000004.00000002.919968668.000001D325F36000.00000002.00000001.sdmp | false | - | high
schemas.xmlsoap.org/soap/http | Video.UI.exe, 00000004.00000003.705062179.000001D330413000.00000004.00000001.sdmp | false | - | high
https://settings-ssl.xboxlive.com | Video.UI.exe, 00000004.00000002.925740491.000001D32E55D000.00000004.00000001.sdmp | false | - | high
https://account.xbox.com.The | Video.UI.exe, 00000004.00000002.923248668.000001D32C1D0000.00000002.00000001.sdmp | false | Avira URL Cloud: safe | unknown
www.jiyu-kobo.co.jp/ | Video.UI.exe, 00000004.00000002.919968668.000001D325F36000.00000002.00000001.sdmp | false | URL Reputation: safe (4 entries) | unknown
www.videolan.org/x264.html | Video.UI.exe, 00000004.00000002.925568304.000001D32E456000.00000004.00000001.sdmp, 92ba4db9-e0d6-4671-ab48-97402815_2250.mp4.hk9wjym.partial.2.dr | false | - | high
https://settings-ssl.xboxlive.com/XBLWinClient/v10_video/configuration.xml | Video.UI.exe, 00000004.00000002.925770124.000001D32E598000.00000004.00000001.sdmp | false | - | high
www.galapagosdesign.com/DPlease | Video.UI.exe, 00000004.00000002.919968668.000001D325F36000.00000002.00000001.sdmp | false | URL Reputation: safe (4 entries) | unknown
www.fontbureau.com/designers8 | Video.UI.exe, 00000004.00000002.919968668.000001D325F36000.00000002.00000001.sdmp | false | - | high
www.fonts.com | Video.UI.exe, 00000004.00000002.919968668.000001D325F36000.00000002.00000001.sdmp | false | - | high
www.sandoll.co.kr | Video.UI.exe, 00000004.00000002.919968668.000001D325F36000.00000002.00000001.sdmp | false | URL Reputation: safe (4 entries) | unknown
https://account.xbox.com. | Video.UI.exe, 00000004.00000002.923248668.000001D32C1D0000.00000002.00000001.sdmp | false | - | high
www.urwpp.deDPlease | Video.UI.exe, 00000004.00000002.919968668.000001D325F36000.00000002.00000001.sdmp | false | URL Reputation: safe (4 entries) | unknown
www.zhongyicts.com.cn | Video.UI.exe, 00000004.00000002.919968668.000001D325F36000.00000002.00000001.sdmp | false | URL Reputation: safe (4 entries) | unknown
www.sakkal.com | Video.UI.exe, 00000004.00000002.919968668.000001D325F36000.00000002.00000001.sdmp | false | URL Reputation: safe (4 entries) | unknown
https://xsts.auth.xboxlive.com/ | Video.UI.exe, 00000004.00000002.932897165.000001D33253C000.00000004.00000001.sdmp | false | - | high

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 337157
Start date: 07.01.2021
Start time: 21:05:56
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 5m 50s
Hypervisor based Inspection enabled: false
Report type: light
Cookbook file name: browseurl.jbs
Sample URL: wus-streaming-video-msn-com.akamaized.net/35c99539-c98d-4e9f-9118-a80f496d5fdd/92ba4db9-e0d6-4671-ab48-97402815_2250.mp4
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 20
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean2.win@4/23@1/0
EGA Information: Successful, ratio: 100%
HCA Information: Failed
Cookbook Comments: Adjust boot time; Enable AMSI

Warnings:
Exclude process from analysis (whitelisted): taskhostw.exe, BackgroundTransferHost.exe, ielowutil.exe, RuntimeBroker.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 40.88.32.150, 88.221.62.148, 92.122.213.163, 92.122.213.240, 104.42.151.234, 51.104.139.180, 23.210.248.10, 20.49.150.241, 93.184.220.29, 40.79.86.63, 152.199.19.161, 92.122.213.247, 92.122.213.194, 67.27.233.254, 8.248.119.254, 8.248.139.254, 67.26.137.254, 8.253.95.121, 52.155.217.156, 20.54.26.129, 51.104.144.132
Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, cs9.wac.phicdn.net, a1449.dscg2.akamai.net, arc.msn.com, activation2.playready.microsoft.com, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, skypedataprdcoleus15.cloudapp.net, wus-streaming-video-msn-com.akamaized.net, go.microsoft.com, ocsp.digicert.com, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, settings-ssl.xboxlive.com.edgekey.net, img-prod-cms-rt-microsoft-com.akamaized.net, auto.au.download.windowsupdate.com.c.footprint.net, au-bg-shim.trafficmanager.net, a1205.g2.akamai.net, playreadyactivation.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, ie9comview.vo.msecnd.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, settings-win.data.microsoft.com, ctldl.windowsupdate.com, e87.dspb.akamaiedge.net, settingsfd-geo.trafficmanager.net, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, go.microsoft.com.edgekey.net, skypedataprdcolwus16.cloudapp.net, activation2.eastus2.cloudapp.azure.com, cs9.wpc.v0cdn.net
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{DCC2726B-5123-11EB-90EB-ECF4BBEA1588}.dat
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: Microsoft Word Document
Category: dropped
Size (bytes): 32344
Entropy (8bit): 1.7946108631770834
Encrypted: false
SSDEEP: 192:rLZUZL2z9WWtaifkBPzMAHBsNSwkWi4Akarp2:rdkCzU2jlEd4
MD5: 545A19293FDC6C61AE4AC960B1BD5D34
SHA1: BC54FF7766463BE506E024D006E319BE6CAAC8C9
SHA-256: DE6E078D67EF82F27B7FBD3DFB6A51BAB4719E342992A8A4FF792DEF92BD6505
SHA-512: 42D2AAE2F0FB3E5E2E52C5C8297FCCBD2B583969547AA1D0CB2CB36B2FDCE057CD0DCA6D961E0F14ACD655894F41945A78AB5FACD0119F21F5DA0913FDCB5FFF
Malicious: false
Reputation: low
Preview: ...... R.o.o.t. .E.n.t.r. y......

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{DCC2726D-5123-11EB-90EB-ECF4BBEA1588}.dat
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: Microsoft Word Document
Category: dropped
Size (bytes): 19032
Entropy (8bit): 1.5983322354182163
Encrypted: false
SSDEEP: 48:IwAGcprpGwpa+6G4pQoIGrapbSnrGQpBqGHHpc0sTGUpQ4qGcpm:rkZDQ+66oWBSnFjx20k6ng
MD5: 07DE837A053EFE08C3EE449A02F77D65
SHA1: F37B8AC735FBC9C24DEFBA2CAEC26757A3DD103F
SHA-256: BD5F070DC6BFB031F3A2C248A6C1CB23FE1EAD42F7282DE5AE42EE207B19FC08
SHA-512: 1F5D20630B0AC18A8294FF7548D4AFA4B399F2D4526BFABF7C1503C45E44FF892177517ADA51E4267DEC33B339C21CA7E20381818FA70F9E30B0DFB078E5AB17
Malicious: false
Reputation: low
Preview: ...... R.o.o.t. .E.n.t.r. y......

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\92ba4db9-e0d6-4671-ab48-97402815_2250[1].mp4
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type: ISO Media, MP4 Base Media v1 [IS0 14496-12:2003]
Category: dropped
Size (bytes): 26808457
Entropy (8bit): 7.998907061975683
Encrypted: true
SSDEEP: 786432:Cplwk2HDW7HihdweywW5smR3UQ0yY6viQ0wFK9:WCksDWc2Dw2sk3UQYw0wQ
MD5: D5579698C864402398ABFA0B046C6CBF
SHA1: E7CB39E6084D7829B5F1DE941B7D825479143194
SHA-256: 8CB40AD7C442CD09DB4E9682F162563B2D969A020CF8721D5F014DB0AFD07AFA
SHA-512: 9FD6BEF2C01188275DEA413352BCE240FC2BE7D432672A08DC5CFADC1A1DD3FF26BDD18FEE76ED93BB7932FD1795D1BA9AC499184C7C785E0DDF6A160AF19D06
Malicious: false
Reputation: low
Preview: ... ftypisom....isomiso2avc1mp41....moov...lmvhd...... ]k...... @...... trak...\tkhd...... ]...... @...... 0edts...(elst...... B...... ]...... @mdia... mdhd...... u0.(.O...... -hdlr...... vide...... VideoHandler.....minf....vmhd...... $dinf....dref...... url ...... stbl....stsd...... avc1...... H...H...... 5avcC.d...... gd....@..~...... `..1....h..,...... pasp...... stts...... w...... stss...... -...... =...y...... -...i...... Y...... I...... 8...t...... (...d...... T...... D...... 3...o...... #..._...... O..R ctts...... B......

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\92ba4db9-e0d6-4671-ab48-97402815_2250.mp4.hk9wjym.partial
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type: ISO Media, MP4 Base Media v1 [IS0 14496-12:2003]
Category: dropped
Size (bytes): 26808457
Entropy (8bit): 7.998907061975683
Encrypted: true
SSDEEP: 786432:Cplwk2HDW7HihdweywW5smR3UQ0yY6viQ0wFK9:WCksDWc2Dw2sk3UQYw0wQ
MD5: D5579698C864402398ABFA0B046C6CBF
SHA1: E7CB39E6084D7829B5F1DE941B7D825479143194
SHA-256: 8CB40AD7C442CD09DB4E9682F162563B2D969A020CF8721D5F014DB0AFD07AFA
SHA-512: 9FD6BEF2C01188275DEA413352BCE240FC2BE7D432672A08DC5CFADC1A1DD3FF26BDD18FEE76ED93BB7932FD1795D1BA9AC499184C7C785E0DDF6A160AF19D06
Malicious: false
Reputation: low
Preview: ... ftypisom....isomiso2avc1mp41....moov...lmvhd...... ]k...... @...... trak...\tkhd...... ]...... @...... 0edts...(elst...... B...... ]...... @mdia... mdhd...... u0.(.O...... -hdlr...... vide...... VideoHandler.....minf....vmhd...... $dinf....dref...... url ...... stbl....stsd...... avc1...... H...H...... 5avcC.d...... gd....@..~...... `..1....h..,...... pasp...... stts...... w...... stss...... -...... =...y...... -...i...... Y...... I...... 8...t...... (...d...... T...... D...... 3...o...... #..._...... O..R ctts...... B......

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\92ba4db9-e0d6-4671-ab48-97402815_2250.mp4.hk9wjym.partial:Zone.Identifier
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:gAWY3n:qY3n
MD5: FBCCF14D504B7B2DBCB5A5BDA75BD93B
SHA1: D59FC84CDD5217C6CF74785703655F78DA6B582B
SHA-256: EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
SHA-512: AA1D2B1EA3C9DE3CCADB319D4E3E3276A2F27DD1A5244FE72DE2B6F94083DDDC762480482C5C2E53F803CD9E3973DDEFC68966F974E124307B5043E654443B98
Malicious: false
Reputation: low
Preview: [ZoneTransfer]..ZoneId=3..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\92ba4db9-e0d6-4671-ab48-97402815_2250.mp4:Zone.Identifier
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: very short file (no magic)
Category: modified
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3:W:W
MD5: ECCBC87E4B5CE2FE28308FD9F2A7BAF3
SHA1: 77DE68DAECD823BABBB58EDB1C8E14D7106E83BB
SHA-256: 4E07408562BEDB8B60CE05C1DECFE3AD16B72230967DE01F640B7E4729B49FCE
SHA-512: 3BAFBF08882A2D10133093A1B8433F50563B93C14ACD05B79028EB1D12799027241450980651994501423A66C276AE26C43B739BC65C4E16B10C3AF6C202AEBB
Malicious: false
Reputation: low
Preview: 3

C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\AC\INetCache\H2DYPAER\configuration[1].xml
Process: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.17112.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1520
Entropy (8bit): 5.0183726539703795
Encrypted: false
SSDEEP: 24:2dzI4+uTOBzpoD2h9f0lM702X9bh9q02Xiwqh9U02XiSbh9Uydq2X4h9Uy72Xyh2:cK88z2D2ff97DtbfqDtqfUD9bfUywBfW
MD5: E72FC6D9DAF66E2D8BC9FE37BE8CE4D8
SHA1: 667F95190910D5841E4531330001423CBB8E2030
SHA-256: B5CCAFA927AF87CEA7E85A2D197C2E841E557B87900665C12FA6F8059B8B9356
SHA-512: 5D56979DBDB586601570DB6AEE666EA1DF489F3EB25285DEDC4A216834955E590158058D6B0C23D084C6C059AD91CF7B7FC32436E572693A96527F3D6E14160C
Malicious: false
Reputation: low
Preview: .... XblWinC lient .. Copyright (c) Microsoft Corporation. All rights reserved... .. .. .. .. .. .. .. .. .. .. ..

C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\AC\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04
Process: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.17112.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe
File Type: data
Category: dropped
Size (bytes): 1507
Entropy (8bit): 7.466828611602883
Encrypted: false
SSDEEP: 24:C92KDwSYfzHdXUGyYHiTcDu6T997ZGm5sdkie784y02KDh6ruXfxdv1QnzTMGHM1:4DN+dcxIa6xV0Ddkd784yUDwu3ukQdPc
MD5: D63D21DC9B544419092E6677A86B1E37
SHA1: 76867A30B724FF107E13A4FA762BE9EB2693203C
SHA-256: B2BFDCADC2F7B148233324C89A4C644A9D3C5A301AE00E38E864582B90978FB1
SHA-512: C1B309CA92FBB9006DEE4EBE588339B202C06E49315FAD6A6CE27FF3531E2C8470703B1D18AE432B68ED32176B2CF0E9FF602476C21BC35EFE6611C1756A15F3
Malicious: false
Reputation: low
Preview: 0...... 0.....+.....0...... 0...0...... 2u.]/.O^..:..b....20210106184500Z0s0q0I0...+...... /Ev..Y.].....x.#.....Y0.GX...T6.{:..M...... R_.$DM.....R....20210106184500Z....202101 13180000Z0...*.H...... !...... &..zI_.>9b..k.w.:up%..`"Z..|.P-...{6_2..>.&...... K...t....=aOL.Fw|o.AQE...a...'...]/.N...... MeF..Q..}{...(...t...uiG/.;.$.R.*...... JL..6.P.\.....rI`(.\....z9 m.+.S...b#.._{..B.uO...Z.Kz.....=q.....'!..l.~@f]...l....S..GW..3[.....0...0...0...... a.&..L.l..op.20...*.H...... 0Z1.0...U....IE1.0...U....Baltimore1.0...U....CyberTrust1"0 ..U....Bal timore CyberTrust Root0...190507121335Z..250512235859Z0U1.0...U....US1.0...U....DigiCert, Inc.1-0+..U...$Baltimore Cybertrust Validation 20250.."0...*.H...... 0...... $G....S~}....E..6...K.R$gZ.Q...... 3.`.8.Q.R].>...v*.L..(D..y...... f..=jnS.a.v.>."/r....:.b/[email protected]...^...7}[email protected]....}....U.Vy..c.H..1.Cp....D..,...<.Yyn...... "....=h8....<...^ .I.W.;....n....F...... K..z.CzU#[email protected]

C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\AC\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
Process: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.17112.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe
File Type: data
Category: dropped
Size (bytes): 471
Entropy (8bit): 7.212339633848904
Encrypted: false
SSDEEP: 6:J0MwGsU5o7D82TwrUGld1ngU8sjEnxjWgQOAOa2DslsoupNEhhbGO2w0Az5YfCla:JuG15qPGlULQOAvlTupEhbGO2w0q5SrH
MD5: DFE5F2695B65BF3B1E48C6BA93826303
SHA1: 97E5199F42A5A39F1F80709B373B3C1ECC750141
SHA-256: AE8256E6ACCDA5C60B48A27D3C88C2234E8AB6A5E2DEC0B40AEA372C344AC80C
SHA-512: 68F8FC9D80C09E6D847DF6C8F314A59608D3DB5890903C1555C19B425CCC859ED36BDA6C412CEA536D0BAAE5F4344A85E6032F6953EFA2FE8C175E7882CD1307
Malicious: false
Reputation: low
Preview: 0...... 0.....+.....0...... 0...0...... N"T ....n...... 9..20210106214308Z0s0q0I0...+...... 9.q...._..(.#..Y\C...N"T ....n...... 9...... c.QA.;...S.....20210106214308Z....20210113214 308Z0...*.H...... `6....^.,o..Ff%...... !7....].e/..c.r....:..S.< ....q.AH!.%..L...c.H>...... 8...Q#..h...$.2z.Y....]..[..g.*...... !....A...W.'..F..2...F....(x:..I...^.;.Zs).+P..!|..$."P.I...G...... XV.. "...X.k.7."..D|..#b(.t.Z..]9.t...... [.F.8/...... "/0..

C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\AC\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04
Process: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.17112.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe
File Type: data
Category: dropped
Size (bytes): 868
Entropy (8bit): 3.8130582648247735
Encrypted: false
SSDEEP: 12:/mxMiv8sFluSEIM63lh3GhJyEhyqmxMiv8sFluSEIM63lh3GhJM:/mxxv3ua0wE4qmxxv3ua0+
MD5: FF2EB3A46FBDC81E7CA77224610074C0
SHA1: 259F8ABDA7635402AF309C9ADDF5FC7554B8A901
SHA-256: 66FE15B891A794C05493E8E76B898CE2004C1D9A4AC3518FA35F024188F2145C
SHA-512: F14822B8F33F05361FEA449620BBDA34B7F46BFF1849BB35DF365CA8C6D08E4AC88B0E01A0CD00149323D59B8B17E9838220CB23B7BF34A1C63B1939F23B512E
Malicious: false
Reputation: low
Preview: p...... 0...(...... h.\....P...... h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g. M.C.G.g.U.A.B.B.T.B.L.0.V.2.7.R.V.Z.7.L.B.d.u.o.m.%.2.F.n.Y.B.4.5.S.P.U.E.w.Q.U.5.Z.1.Z.M.I.J.H.W.M.y.s.%.2.B.g.h.U.N.o.Z.7.O.r.U.E.T.f.A.C.E.A.i.I.z.V.J.f.G.S. R.E.T.R.S.l.g.p.H.e.u.V.I.%.3.D...".5.f.f.6.0.5.2.c.-.5.e.3."...p...... 0...(...... h.\...... h.\....P...... h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t. ..c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.T.B.L.0.V.2.7.R.V.Z.7.L.B.d.u.o.m.%.2.F.n.Y.B.4.5.S.P.U.E.w.Q.U.5.Z.1.Z.M.I.J.H.W.M.y.s.%. 2.B.g.h.U.N.o.Z.7.O.r.U.E.T.f.A.C.E.A.i.I.z.V.J.f.G.S.R.E.T.R.S.l.g.p.H.e.u.V.I.%.3.D...".5.f.f.6.0.5.2.c.-.5.e.3."...

C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\AC\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
Process: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.17112.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe
File Type: data
Category: dropped
Size (bytes): 884
Entropy (8bit): 3.8423381930025573
Encrypted: false
SSDEEP: 24:93mxxvPKb7PhCNyIOfS83mxxvPKb7PhCNyIOi:93QKnPhCNy5fS83QKnPhCNy5i
MD5: 97502E83DDD59F18550DA6CA9EDA6114
SHA1: 0E6F915106852419E7AFC87E4CCFF2247D508765
SHA-256: DED0C63D5B9DDD9D079D52E958D2B0D7AEAD640D9A9CAC2A8D220E8584050247
SHA-512: D865B74FAEA1D1A437558068370FE03A142171FEE694843199E51D1A477762218E2F02521AF5FB1A5EEAB58F93C7B7CD0BDEB79C8DB525FF6711F3893412B18A
Malicious: false
Reputation: low
Preview: p...... (...... 0...(...... x...%z...... h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.Q.5.0.o.t.x.%.2.F.h.0.Z.t.l.%.2.B.z.8.S.i.P.I.7.w.E.W.V.x.D.l.Q.Q.U.T.i.J.U.I.B.i.V.5.u.N.u.5.g.%.2.F.6.%.2.B.r.k.S.7.Q.Y.X.j.z.k.C.E.A.q.v.p.s.X.K.Y.8.R.R.Q.e.o.7.4.f.f.H.U.x.c.%.3.D...".5.f.f.6.3.4.f.c.-.1.d.7."...p...... (...... 0...(...... >..t....~...... ~...... x...%z...... h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.Q.5.0.o.t.x.%.2.F.h.0.Z.t.l.%.2.B.z.8.S.i.P.I.7.w.E.W.V.x.D.l.Q.Q.U.T.i.J.U.I.B.i.V.5.u.N.u.5.g.%.2.F.6.%.2.B.r.k.S.7.Q.Y.X.j.z.k.C.E.A.q.v.p.s.X.K.Y.8.R.R.Q.e.o.7.4.f.f.H.U.x.c.%.3.D...".5.f.f.6.3.4.f.c.-.1.d.7."...

C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalCache\PlayReady\Cache\msprcore.bla
Process: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.17112.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe
File Type: data
Category: dropped
Size (bytes): 5113
Entropy (8bit): 6.058997993833263
Encrypted: false
SSDEEP: 96:AX7FBqKMYMqjvRYY7+LlOcPYVUXiksiGAshzcEei9Y/v3QZMhMKUVeLQ:AXxBqxrqdPWyQifiDu0k
MD5: 6359DA46674CBE815B2DA4828D438F10
SHA1: 9E5D0246A0A8032B75B8FBF41CF1CB1570BE6121
SHA-256: 4ABAD5FFC1D115858EC8B910B6B5B08E58799616397C5D36B023A04663CC57FA
SHA-512: 975B1F4F3417EDE84FCC114CC55FDFD962FB581AFE99074CB6A2E25DE6D3A16AA5E86A3206907F78204F5C64D1C3FC0223197D2D9E78E5EFF9B0D37CE425AEB9
Malicious: false
Reputation: low
Preview: PRKF...... ,...... M.....z....#x....<.....<...... |...... @SNjcj...... C[..z..XD.8.#nv.."...... i...J..0n..<.DFW.#[email protected].... 6....0ME...... @.....p....S...9.P]8...... /....7d.qYg....W...~..(...... r...ot$q...K<..9...]W...... i.%.*1.I....~.e...... @o...... Z...... Bp.j{.z.p...UE.`[email protected]";e.0z..L.j..[...... F..|I.]0F...1q..._...... f. ..-F..q....M...... @SNjcj...... C[..z..XD.8.#nv.."...... i...J..0n..<.DFW.#...... A.0RRm..[f "I]Y*... ..B..7..I.wA..uxO....".?Sz.RD..Uh.I...4....{...b..R.F..%A5J"4...... P...... @CHAI...... @...... CERT...... X.%...|....w...... z>[email protected]...... (...<...... o...... Z...... Bp.j{.z.p...UE.`[email protected]";e.0z..L.j

C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalCache\PlayReady\mspr.hds
Process: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.17112.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe
File Type: data
Category: dropped
Size (bytes): 100326
Entropy (8bit): 0.1784484369151069
Encrypted: false
SSDEEP: 48:P96VHyk6TcWJmEynwF+HPtu5yC8GBN+DGIlRWZ:1k1QcWv2tu4GBNuGWRW
MD5: FF35EE18EE5ED29090BD510F77C17C0C
SHA1: 11141BE6C42F1FC24CE90FCB5D63AEB91AC5151B
SHA-256: 09ACCED2ACFA00B80E61AB1A75A7BFB0C6C17DD29B0DF1CDD495F4BD99FFE34A
SHA-512: 19C4AD718C2D35638D8641859498A7C3DC9C3DEB1F5A7986BF8CEBC18F31F44FC33B4DE4CD11CC54246D86EB8E94DFE49F897F803763FC7A67AAF800A841E582
Malicious: false
Reputation: low
Preview: ...... /[email protected]...... 0...... 0...... oN.u...G..pq...... K...Ww.K/k.JA..0...... 0...... /[email protected]...... 0......

C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalState\Database\anonymous\EntClientDb.edb
Process: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.17112.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe
File Type: Extensible storage engine DataBase, version 0x620, checksum 0xf72aae54, page size 8192, JustCreated, Windows version 0.0
Category: dropped
Size (bytes): 925696
Entropy (8bit): 0.5153951459454026
Encrypted: false
SSDEEP: 1536:eSh2OvSh2O6yDFqfVSh2OSTKY8vFKY8voyDFqfsSh2nSh2mSh2yYaWB9RLyDFqfU:e6F6m6lYLsLO6c656eQ
MD5: 30E9B0EB8636E793E8DD240325EF1F73
SHA1: 0CBEE07525F52710A2E66C23ADB170EC80F49D72
SHA-256: EA73DAB0E380C3B4DD7D508ED28E77B2D3632FEC624FC66804E9C452514E3CA0
SHA-512: 445A0EED3853F3193DEF0BEAEA284B0B6454300A129892F8A11822194FEB2BBC051CC538E6A242C033AF09D90B157C81F26CCF0A2F1ECC8B295B0359C84D2A63
Malicious: false
Reputation: low
Preview: .*.T...... @...... j~...... y...... h...... }...... yo...... 6.S.....y+...... `)9a.....y+......

C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalState\Database\anonymous\EntClientDb.jfm
Process: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.17112.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe
File Type: data
Category: dropped
Size (bytes): 16384
Entropy (8bit): 0.07175102238969115
Encrypted: false
SSDEEP: 3:ETD//plslTEmixikploll8DmlXz//pltluiFOzOplTWAll:ETbwbixine61rRUiFOz9A
MD5: 4681A9C967CBCF7A3F925A6ECA58380E
SHA1: B0F3C365D8EC3D66508A1B64D3F4A23153F04EF3
SHA-256: 874780DAD750E428C4EE0506703E54F6AB846DE88F345FA9BA5B89C6ACA0888C
SHA-512: 66EBAD8EE9C62763E02034944A57601306A22CD48839E58CF00F40C70E89632B0C334065A3275E1A2E98D20AC32AC4E11E65B9F161E4F965194A631C4990AFBF
Malicious: false
Reputation: low
Preview: ...... y+...... y+...... `)9a.....y+......

C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalState\Database\anonymous\edb.chk
Process: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.17112.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe
File Type: data
Category: dropped
Size (bytes): 8192
Entropy (8bit): 0.6168808729176228
Encrypted: false
SSDEEP: 12:wTN+fUI1+uJ18+fUI1+uJ1QQelBsUTN+fUI1+uJ18+fUI1+uJ1QQelBs:IN+fUO/8+fUO/QVN+fUO/8+fUO/Q
MD5: 81AC7DBBDDFB0100C36405564750C935
SHA1: 13A73D5DEEE9330BDDB4B0CD7CECF9C2B026F211
SHA-256: 43A34779876D602A5B3A6F29EEF51FADF3368443F8B6EFF7B1ECFA022DABDE84
SHA-512: 4447181AFBF15FA2679A1005F382E9ADA0B355B4ECE960A58C038FCADBBB3DE9D8EDB4420B57FCFB0CC33EC2CC457F86F3FB8F394DB955E8C4E47A448B6A9246
Malicious: false
Reputation: low
Preview: ...... }...... yo...... C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalState\Database\anonymous\...... C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalState\Database\anonymous\...... 0u..,...... 5w......

C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalState\Database\anonymous\edb.log
Process: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.17112.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe
File Type: data
Category: dropped
Size (bytes): 421888
Entropy (8bit): 3.1693358588774396
Encrypted: false
SSDEEP: 1536:9KdfVBkZm3lkf49IyB0ga04H0ga04+z6wlJEKRyi124HC6cLcBRQw1ht4itxmqt7:9KdkfVI0CHg4Qi6vEz7ljyt/
MD5: 388E73DCD9DC482A8048EDF7E5C5F56A
SHA1: 064214F61C8A2325C41299F20877FC51DC32AC7D
SHA-256: 6633DAF1AF983524CF37F3693EF69287B6B2BB30B46FF6A54AA5173A2E68AF43
SHA-512: A7A6E1CA001F0DAD3495A6ED3045CD1419805746E7687079F18495DF8F505075801AE501514C3B8699487FD0B5FBEE86F251C6E3F9EC71372C99365D44E4B1CC
Malicious: false
Reputation: low
Preview: ..!...... yo...... 1C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalState\Database\anonymous\...... C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalState\Database\anonymous\...... 0u..,...... 5w...... yo...... j~...... y...... C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.P.a.c.k.a.g.e.s.\.M.i.c.r.o.s.o.f.t...Z.u.n.e.V.i.d.e.o._.8.w.e.k.y.b.3.d.8.b.b.w.e.\.L.o.c.a.l.S.t.a.t.e.\.D.a.t.a.b.a.s.e.\.a.n.o.n.y.m.o.u.s.\.E.n.t.C.l.i.e.n.t.D.b...e.d.b...Gx......

C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalState\Database\anonymous\edbtmp.log
Process: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.17112.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe
File Type: data
Category: dropped
Size (bytes): 4198400
Entropy (8bit): 0.0012626560866259556
Encrypted: false
SSDEEP: 6:SJZfH+uoNNwkn23BLeILB+uJ1tQUtYNwkn23BLeILB+uJ1tQUtMQGRlO+F:ufeuoN+fUI1+uJ18+fUI1+uJ1QQelOK
MD5: 9352AC057968CB1C25E1DD9A4D782EDA
SHA1: 2053D394637404A2190FF79C62B7215111CE3B6C
SHA-256: 7209D90316E7E7479FAB7ECCC61E3FA06F319645519F799809C9DA704C2E1DC3
SHA-512: 34DD71B727B7736D0242DBB2B9667912842BF99DF73D97E825ACDF5B12DC7BF8A7CB2BDC5DED14094C381F3F54F2DEA214E709A46A1AB21923079B4E8345D629
Malicious: false
Reputation: low
Preview: ......

C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalState\Database\anonymous\tmp.edb
Process: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.17112.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe
File Type: Extensible storage engine DataBase, version 0x620, checksum 0xf660142c, page size 8192, JustCreated, Windows version 0.0
Category: dropped
Size (bytes): 90112
Entropy (8bit): 0.42420641042446827
Encrypted: false
SSDEEP: 1536:2kZV2P6hY+VxEyVjqaytqxUSYQHDmit8UPcim3:Q
MD5: 5ADA3C1F6E7E1A5B3319A001C68C5C62
SHA1: CA0A42CFE9F639ACBA6A01117844C1666B6FEE26
SHA-256: C25348435025A49CF1952C286E75047D35A7B607F3D6DF58241AF9F40325419C
SHA-512: 38E88F8E87E07F39BA564DA6D800E44BC39BC27DAEBE687D92EEB306832F75C9E0A0CA4DB41B9F5E49C14000B5C6CB0AF872DD3B4E9344D6DD01EC70FBE20C70
Malicious: false
Reputation: low
Preview: .`.,...... @...... ].7...... yc...... #K.....yc......

C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalState\SRPData.xml.~tmp
Process: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.17112.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe
File Type: ASCII text, with very long lines, with no line terminators
Category: dropped
Size (bytes): 526
Entropy (8bit): 4.833286100450112
Encrypted: false
SSDEEP: 12:eCznv3OZS4FsrDnU31hJCznK3OZS4FsrDnb:dw1Ca
MD5: 98BBB47E0B38047595454F25E18A40BB
SHA1: 60C8ACF94B402524D50DD6303F2057353814176C
SHA-256: D8DC863B832D2022D55D9FEECC0A9E0EBA866DEC420D16B481BDBDED3E0FB292
SHA-512: D807C68A90BB47F43360C4104C12729F9839934CD6B2924C8574B92DCD7752AB981F18429C182E8414B7E3F0C33FA4B3D27B5D733068FED2CD3206D220847157
Malicious: false
Reputation: low
Preview:

C:\Users\user\AppData\Local\Temp\JavaDeployReg.log
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 89
Entropy (8bit): 4.4382905670638335
Encrypted: false
SSDEEP: 3:oVXUbXGeBcU498JOGXnEbXGeBcpUCn:o9UzGeBcU4qEzGeBc6C
MD5: 56F5E52A100E706C3D6269B4D3738A77
SHA1: FC111F66B4A0B15609C692A6A4BD148116D3E19B
SHA-256: 4F4859D53BFCA2AA1C866B0F6FADCB46374F2E0DC0B2AB5F7582FB0412B5CB7B
SHA-512: 97D8B1F05BDB809824C57B8AE4C7EEA8BB497EF0545CE6842C17BC7C68E940F6ED48BFD396968087DE343478246690C8E04400D4185BF47886F15133F8EE70B8
Malicious: false
Reputation: low
Preview: [2021/01/07 21:06:45.249] Latest deploy version: ..[2021/01/07 21:06:45.249] 11.211.2 ..

C:\Users\user\AppData\Local\Temp\~DF6261FBC5E966F370.TMP
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: data
Category: dropped
Size (bytes): 29989
Entropy (8bit): 0.3303364407165875
Encrypted: false
SSDEEP: 24:c9lLh9lLh9lIn9lIn9lRg9lRA9lTS9lTy9lSSd9lSSd9lwm9lw29l2Q/9l249laz:kBqoxKAuvScS+pHQ+Z4y
MD5: 0970813141CAC44350E985626E832E79
SHA1: 63ADDD2C8CECFFB46D2F08104813223996E38CC4
SHA-256: 6C8BBE29C2E92D4F8B48D8A5DC00B33CEA299CF9229E48A17B4EB0A66EEDB06C
SHA-512: A422B4A39EEC881C414311B798C61C85A0B15FD6D0239F3968F34F3F7782E0ABCEEF512283107057540B36719C72F6C5F2F8BFA99680F71ED8BE44AFF2512558
Malicious: false
Reputation: low
Preview: ...... *%..H..M..{y..+.0...(...... *%..H..M..{y..+.0...(......

C:\Users\user\AppData\Local\Temp\~DFE1EF526DE2D37E79.TMP
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: data
Category: dropped
Size (bytes): 12981
Entropy (8bit): 0.4426885841081412
Encrypted: false
SSDEEP: 12:c9lCg5/9lCgeK9l26an9l26an9l8fRXF9l8fR19lTq8O9C:c9lLh9lLh9lIn9lIn9loV9lo19lW8O9C
MD5: E52F82187EC577018AAB085AABFAF9F8
SHA1: 93337AA5DD7C1F13313A38662334A4A5678A0293
SHA-256: 7BF1D7C91EDD0B23A91707128DAC90312B8538B570192789EF8A3DE0967179DD
SHA-512: CE2E9582C186F5D66D2173919A5DD765FD026EA18DB03A0E55F19B09A96B1F27D461D9B1AF33D8A2268F20D761C8802373038E5E6B6D5139CC316FCEDA73E673
Malicious: false
Reputation: low
Preview: ...... *%..H..M..{y..+.0...(...... *%..H..M..{y..+.0...(......

Static File Info

No static file info

Network Behavior

Snort IDS Alerts

Timestamp: 01/07/21-21:07:11.048873
Protocol: TCP
SID: 2657
Message: WEB-MISC SSLv2 Client_Hello with pad Challenge Length overflow attempt
Source Port: 49756
Dest Port: 443
Source IP: 192.168.2.4
Dest IP: 40.79.86.63

UDP Packets

Timestamp  Source Port  Dest Port  Source IP  Dest IP
Jan 7, 2021 21:06:42.841370106 CET  62389  53  192.168.2.4  8.8.8.8
Jan 7, 2021 21:06:42.892441988 CET  53  62389  8.8.8.8  192.168.2.4
Jan 7, 2021 21:06:44.500606060 CET  49910  53  192.168.2.4  8.8.8.8
Jan 7, 2021 21:06:44.558610916 CET  53  49910  8.8.8.8  192.168.2.4
Jan 7, 2021 21:06:45.490948915 CET  55854  53  192.168.2.4  8.8.8.8
Jan 7, 2021 21:06:45.548633099 CET  53  55854  8.8.8.8  192.168.2.4
Jan 7, 2021 21:07:02.497487068 CET  64549  53  192.168.2.4  8.8.8.8
Jan 7, 2021 21:07:02.545519114 CET  53  64549  8.8.8.8  192.168.2.4
Jan 7, 2021 21:07:03.956338882 CET  63153  53  192.168.2.4  8.8.8.8
Jan 7, 2021 21:07:04.004399061 CET  53  63153  8.8.8.8  192.168.2.4
Jan 7, 2021 21:07:05.898221016 CET  52991  53  192.168.2.4  8.8.8.8
Jan 7, 2021 21:07:05.946295023 CET  53  52991  8.8.8.8  192.168.2.4
Jan 7, 2021 21:07:06.647703886 CET  53700  53  192.168.2.4  8.8.8.8
Jan 7, 2021 21:07:06.658199072 CET  51726  53  192.168.2.4  8.8.8.8
Jan 7, 2021 21:07:06.695491076 CET  53  53700  8.8.8.8  192.168.2.4
Jan 7, 2021 21:07:06.710268974 CET  56794  53  192.168.2.4  8.8.8.8
Jan 7, 2021 21:07:06.716603041 CET  53  51726  8.8.8.8  192.168.2.4
Jan 7, 2021 21:07:06.781687021 CET  53  56794  8.8.8.8  192.168.2.4
Jan 7, 2021 21:07:06.847795963 CET  56534  53  192.168.2.4  8.8.8.8
Jan 7, 2021 21:07:06.905312061 CET  53  56534  8.8.8.8  192.168.2.4
Jan 7, 2021 21:07:07.458702087 CET  56627  53  192.168.2.4  8.8.8.8
Jan 7, 2021 21:07:07.509741068 CET  53  56627  8.8.8.8  192.168.2.4
Jan 7, 2021 21:07:08.030169964 CET  56621  53  192.168.2.4  8.8.8.8
Jan 7, 2021 21:07:08.089365005 CET  53  56621  8.8.8.8  192.168.2.4
Jan 7, 2021 21:07:10.190124989 CET  63116  53  192.168.2.4  8.8.8.8
Jan 7, 2021 21:07:10.275649071 CET  53  63116  8.8.8.8  192.168.2.4
Jan 7, 2021 21:07:10.387468100 CET  64078  53  192.168.2.4  8.8.8.8
Jan 7, 2021 21:07:10.438442945 CET  53  64078  8.8.8.8  192.168.2.4
Jan 7, 2021 21:07:11.607918024 CET  64801  53  192.168.2.4  8.8.8.8
Jan 7, 2021 21:07:11.664391041 CET  53  64801  8.8.8.8  192.168.2.4
Jan 7, 2021 21:07:13.837266922 CET  61721  53  192.168.2.4  8.8.8.8
Jan 7, 2021 21:07:13.885196924 CET  53  61721  8.8.8.8  192.168.2.4
Jan 7, 2021 21:07:14.522067070 CET  51255  53  192.168.2.4  8.8.8.8
Jan 7, 2021 21:07:14.581506968 CET  53  51255  8.8.8.8  192.168.2.4
Jan 7, 2021 21:07:15.536701918 CET  51255  53  192.168.2.4  8.8.8.8
Jan 7, 2021 21:07:15.555078983 CET  61522  53  192.168.2.4  8.8.8.8
Jan 7, 2021 21:07:15.596507072 CET  53  51255  8.8.8.8  192.168.2.4
Jan 7, 2021 21:07:15.606050968 CET  53  61522  8.8.8.8  192.168.2.4
Jan 7, 2021 21:07:16.547168970 CET  51255  53  192.168.2.4  8.8.8.8
Jan 7, 2021 21:07:16.598128080 CET  53  51255  8.8.8.8  192.168.2.4
Jan 7, 2021 21:07:17.091495037 CET  52337  53  192.168.2.4  8.8.8.8
Jan 7, 2021 21:07:17.148022890 CET  53  52337  8.8.8.8  192.168.2.4
Jan 7, 2021 21:07:18.596441031 CET  51255  53  192.168.2.4  8.8.8.8
Jan 7, 2021 21:07:18.647346973 CET  53  51255  8.8.8.8  192.168.2.4
Jan 7, 2021 21:07:19.470694065 CET  55046  53  192.168.2.4  8.8.8.8
Jan 7, 2021 21:07:19.518959999 CET  53  55046  8.8.8.8  192.168.2.4
Jan 7, 2021 21:07:19.736273050 CET  49612  53  192.168.2.4  8.8.8.8
Jan 7, 2021 21:07:19.796685934 CET  53  49612  8.8.8.8  192.168.2.4
Jan 7, 2021 21:07:20.667114973 CET  49285  53  192.168.2.4  8.8.8.8
Jan 7, 2021 21:07:20.715154886 CET  53  49285  8.8.8.8  192.168.2.4
Jan 7, 2021 21:07:22.597361088 CET  51255  53  192.168.2.4  8.8.8.8
Jan 7, 2021 21:07:22.648300886 CET  53  51255  8.8.8.8  192.168.2.4
Jan 7, 2021 21:07:24.676731110 CET  50601  53  192.168.2.4  8.8.8.8
Jan 7, 2021 21:07:24.727521896 CET  53  50601  8.8.8.8  192.168.2.4
Jan 7, 2021 21:07:25.887640953 CET  60875  53  192.168.2.4  8.8.8.8
Jan 7, 2021 21:07:25.938684940 CET  53  60875  8.8.8.8  192.168.2.4
Jan 7, 2021 21:07:27.580147982 CET  56448  53  192.168.2.4  8.8.8.8
Jan 7, 2021 21:07:27.628119946 CET  53  56448  8.8.8.8  192.168.2.4
Jan 7, 2021 21:07:29.172856092 CET  59172  53  192.168.2.4  8.8.8.8
Jan 7, 2021 21:07:29.223655939 CET  53  59172  8.8.8.8  192.168.2.4
Jan 7, 2021 21:07:30.522877932 CET  62420  53  192.168.2.4  8.8.8.8
Jan 7, 2021 21:07:30.571041107 CET  53  62420  8.8.8.8  192.168.2.4
Jan 7, 2021 21:07:30.674812078 CET  60579  53  192.168.2.4  8.8.8.8
Jan 7, 2021 21:07:30.723002911 CET  53  60579  8.8.8.8  192.168.2.4
Jan 7, 2021 21:07:30.845030069 CET  50183  53  192.168.2.4  8.8.8.8
Jan 7, 2021 21:07:30.892956972 CET  53  50183  8.8.8.8  192.168.2.4
Jan 7, 2021 21:07:31.785677910 CET  61531  53  192.168.2.4  8.8.8.8
Jan 7, 2021 21:07:31.836493969 CET  53  61531  8.8.8.8  192.168.2.4
Jan 7, 2021 21:07:33.072690964 CET  49228  53  192.168.2.4  8.8.8.8
Jan 7, 2021 21:07:33.123538017 CET  53  49228  8.8.8.8  192.168.2.4
Jan 7, 2021 21:07:45.549288034 CET  59794  53  192.168.2.4  8.8.8.8
Jan 7, 2021 21:07:45.636667967 CET  53  59794  8.8.8.8  192.168.2.4
Jan 7, 2021 21:07:46.358661890 CET  55916  53  192.168.2.4  8.8.8.8
Jan 7, 2021 21:07:46.415520906 CET  53  55916  8.8.8.8  192.168.2.4
Jan 7, 2021 21:07:47.137368917 CET  52752  53  192.168.2.4  8.8.8.8
Jan 7, 2021 21:07:47.254877090 CET  53  52752  8.8.8.8  192.168.2.4
Jan 7, 2021 21:07:47.768450975 CET  60542  53  192.168.2.4  8.8.8.8
Jan 7, 2021 21:07:47.827733040 CET  53  60542  8.8.8.8  192.168.2.4
Jan 7, 2021 21:07:47.995888948 CET  60689  53  192.168.2.4  8.8.8.8
Jan 7, 2021 21:07:48.061602116 CET  53  60689  8.8.8.8  192.168.2.4
Jan 7, 2021 21:07:48.393795967 CET  64206  53  192.168.2.4  8.8.8.8
Jan 7, 2021 21:07:48.450505018 CET  53  64206  8.8.8.8  192.168.2.4
Jan 7, 2021 21:07:49.715663910 CET  50904  53  192.168.2.4  8.8.8.8
Jan 7, 2021 21:07:49.772433996 CET  53  50904  8.8.8.8  192.168.2.4
Jan 7, 2021 21:07:50.695250034 CET  57525  53  192.168.2.4  8.8.8.8
Jan 7, 2021 21:07:50.751739979 CET  53  57525  8.8.8.8  192.168.2.4
Jan 7, 2021 21:07:53.472381115 CET  53814  53  192.168.2.4  8.8.8.8
Jan 7, 2021 21:07:53.529122114 CET  53  53814  8.8.8.8  192.168.2.4
Jan 7, 2021 21:07:55.393733025 CET  53418  53  192.168.2.4  8.8.8.8
Jan 7, 2021 21:07:55.460767031 CET  53  53418  8.8.8.8  192.168.2.4
Jan 7, 2021 21:07:55.576241016 CET  62833  53  192.168.2.4  8.8.8.8
Jan 7, 2021 21:07:55.632570982 CET  53  62833  8.8.8.8  192.168.2.4
Jan 7, 2021 21:07:56.285303116 CET  59260  53  192.168.2.4  8.8.8.8
Jan 7, 2021 21:07:56.344922066 CET  53  59260  8.8.8.8  192.168.2.4
Jan 7, 2021 21:08:22.668191910 CET  49944  53  192.168.2.4  8.8.8.8
Jan 7, 2021 21:08:22.716124058 CET  53  49944  8.8.8.8  192.168.2.4
Jan 7, 2021 21:08:24.679749966 CET  63300  53  192.168.2.4  8.8.8.8
Jan 7, 2021 21:08:24.735918045 CET  53  63300  8.8.8.8  192.168.2.4

DNS Queries

Timestamp: Jan 7, 2021 21:07:06.658199072 CET
Source IP: 192.168.2.4
Dest IP: 8.8.8.8
Trans ID: 0xad75
OP Code: Standard query (0)
Name: settings-ssl.xboxlive.com
Type: A (IP address)
Class: IN (0x0001)

DNS Answers

Timestamp: Jan 7, 2021 21:07:06.716603041 CET
Source IP: 8.8.8.8
Dest IP: 192.168.2.4
Trans ID: 0xad75
Reply Code: No error (0)
Name: settings-ssl.xboxlive.com
CName: settings-ssl.xboxlive.com.edgekey.net
Address: (none)
Type: CNAME (Canonical name)
Class: IN (0x0001)

Code Manipulations

Statistics

Behavior

• iexplore.exe
• iexplore.exe
• Video.UI.exe


System Behavior

Analysis Process: iexplore.exe PID: 6984 Parent PID: 800

General

Start time: 21:06:44
Start date: 07/01/2021
Path: C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit): false
Commandline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase: 0x7ff787e70000
File size: 823560 bytes
MD5 hash: 6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

File Activities

Source File Path Access Attributes Options Completion Count Address Symbol

Source File Path Offset Length Value Ascii Completion Count Address Symbol

Source File Path Offset Length Completion Count Address Symbol

Registry Activities

Source Key Path Name Type Data Completion Count Address Symbol

Source Key Path Name Type Old Data New Data Completion Count Address Symbol

Analysis Process: iexplore.exe PID: 7032 Parent PID: 6984

General

Start time: 21:06:44
Start date: 07/01/2021
Path: C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6984 CREDAT:17410 /prefetch:2
Imagebase: 0x890000
File size: 822536 bytes
MD5 hash: 071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

File Activities

Source File Path Access Attributes Options Completion Count Address Symbol

Source File Path Offset Length Value Ascii Completion Count Address Symbol

Source File Path Offset Length Completion Count Address Symbol

Analysis Process: Video.UI.exe PID: 4248 Parent PID: 800

General

Start time: 21:07:02
Start date: 07/01/2021
Path: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.17112.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe
Wow64 process (32bit): false
Commandline: 'C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.17112.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe' -ServerName:Microsoft.ZuneVideo.AppX758ya5sqdjd98rx6z7g95nw6jy7bqx9y.mca
Imagebase: 0x7ff67bd90000
File size: 26934272 bytes
MD5 hash: BEA19F0655789B224CEF4C5AFCE49AD1
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: low

File Activities

Source File Path Access Attributes Options Completion Count Address Symbol

Source File Path Completion Count Address Symbol

Source Old File Path New File Path Completion Count Address Symbol

Source File Path Offset Length Value Ascii Completion Count Address Symbol

File Read

Source File Path  Offset  Length  Completion  Count  Address  Symbol
C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalCache\PlayReady\Cache\msprcore.bla  unknown  5113  success or wait  1  1D33204CD39  ReadFile

Registry Activities

Source Key Path Completion Count Address Symbol

Source Key Path Name Type Data Completion Count Address Symbol

Source Key Path Name Type Old Data New Data Completion Count Address Symbol

Disassembly

Code Analysis
