ID: 256920 Cookbook: browseurl.jbs Time: 15:47:13 Date: 04/08/2020 Version: 29.0.0 Ocean Jasper Table of Contents

Table of Contents .......................................................... 2
Analysis Report http://micromedia.us/videos/Pichincha/Items/RemoteTeller.mp4 ... 4
  Overview ................................................................ 4
    General Information ................................................... 4
    Detection ............................................................. 4
    Signatures ............................................................ 4
    Classification ........................................................ 4
  Startup ................................................................. 4
  Malware Configuration ................................................... 4
  Yara Overview ........................................................... 4
  Sigma Overview .......................................................... 4
  Signature Overview ...................................................... 4
    Networking ............................................................ 5
  Mitre Att&ck Matrix ..................................................... 5
  Behavior Graph .......................................................... 5
  Screenshots ............................................................. 6
    Thumbnails ............................................................ 6
  Antivirus, Machine Learning and Genetic Malware Detection ............... 7
    Initial Sample ........................................................ 7
    Dropped Files ......................................................... 7
    Unpacked PE Files ..................................................... 7
    Domains ............................................................... 7
    URLs .................................................................. 7
  Domains and IPs ......................................................... 8
    Contacted Domains ..................................................... 8
    Contacted URLs ........................................................ 8
    URLs from Memory and Binaries ......................................... 8
    Contacted IPs ........................................................ 10
      Public ............................................................. 10
  General Information .................................................... 10
  Simulations ............................................................ 12
    Behavior and APIs .................................................... 12
  Created / dropped Files ................................................ 12
  Static File Info ....................................................... 18
    No static file info .................................................. 18
  Network Behavior ....................................................... 18
    TCP Packets .......................................................... 18
    DNS Queries .......................................................... 20
    DNS Answers .......................................................... 20
    HTTP Request Dependency Graph ........................................ 20
  Code Manipulations ..................................................... 20
  Statistics ............................................................. 20
    Behavior ............................................................. 21
  System Behavior ........................................................ 21
    Analysis Process: iexplore.exe PID: 6692 Parent PID: 800 ............ 21
      General ............................................................ 21
      File Activities .................................................... 21
      Registry Activities ................................................ 21
    Analysis Process: iexplore.exe PID: 6736 Parent PID: 6692 ........... 21
      General ............................................................ 22
      File Activities .................................................... 22
      Registry Activities ................................................ 22
    Analysis Process: ssvagent.exe PID: 6800 Parent PID: 6736 ........... 22
      General ............................................................ 22
      Registry Activities ................................................ 22
    Analysis Process: Video.UI.exe PID: 5616 Parent PID: 800 ............ 22
      General ............................................................ 22
      File Activities .................................................... 23
        File Read ........................................................ 23
      Registry Activities ................................................ 23
  Disassembly ............................................................ 23
    Code Analysis ........................................................ 23

Copyright null 2020 Page 2 of 23

Analysis Report http://micromedia.us/videos/Pichincha/…Items/RemoteTeller.mp4

Overview

General Information
Sample URL: micromedia.us/videos/Pichincha/Items/RemoteTeller.mp4
Analysis ID: 256920
Most interesting Screenshot: (image not reproduced in this version of the report)

Detection
malicious (scale: malicious / suspicious / clean)

Signatures
• Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
• Abnormal high CPU Usage
• Contains functionality to call native f…
• Drops certificate files (DER)
• Queries disk information (often used…
• Queries the volume information (name…
• Uses code obfuscation techniques (…

Classification
Radar axes: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware

Score: 48 Range: 0 - 100 Whitelisted: false Confidence: 100%

Startup

System is w10x64
• iexplore.exe (PID: 6692, cmdline: 'C:\Program Files\\iexplore.exe' -Embedding, MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
  • iexplore.exe (PID: 6736, cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6692 CREDAT:17410 /prefetch:2, MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • ssvagent.exe (PID: 6800, cmdline: 'C:\PROGRA~2\Java\JRE18~1.0_2\bin\ssvagent.exe' -new, MD5: A3DBA514D38464A5C5A9DEA19E6159F9)
• Video.UI.exe (PID: 5616, cmdline: 'C:\Program Files\WindowsApps\.ZuneVideo_10.17112.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe' -ServerName:Microsoft.ZuneVideo.AppX758ya5sqdjd98rx6z7g95nw6jy7bqx9y.mca, MD5: BEA19F0655789B224CEF4C5AFCE49AD1)
• cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

• Networking
• E-Banking Fraud
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection


Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Mitre Att&ck Matrix

The matrix is reproduced column by column (one tactic per line, six technique cells each); a number after a technique is the count of matched signatures attributed to it.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Privilege Escalation: Process Injection 2; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Defense Evasion: Masquerading 1; Virtualization/Sandbox Evasion 1; Process Injection 2; Obfuscated Files or Information 1; Software Packing; Steganography
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Security Software Discovery 1 1; Virtualization/Sandbox Evasion 1; Process Discovery 1; File and Directory Discovery 1; System Information Discovery 2 1; Remote System Discovery 1
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Command and Control: Encrypted Channel 2; Non-Application Layer Protocol 2; Application Layer Protocol 3; Ingress Tool Transfer 1; Fallback Channels; Multiband Communication
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service

Behavior Graph

Behavior Graph (figure) — ID: 256920; URL: http://micromedia.us/videos...; Start date: 04/08/2020; Architecture: WINDOWS; Score: 48.
Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Delphi, Java, .Net C# or VB.NET, C/C++ or other language, Is malicious, Internet.
Nodes and edges recoverable from the figure:
• iexplore.exe started a second iexplore.exe, which started ssvagent.exe.
• iexplore.exe connected to micromedia.us (69.222.152.74; ports 49726, 49727, 80; ATT-INTERNET4US, United States).
• Video.UI.exe connected to activation2.eastus2.cloudapp.azure.com (40.79.86.63; MICROSOFT-CORP-MSN-AS-BLOCKUS, United States) and settings-ssl.xboxlive.com.
• Signature node: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules).

Screenshots

Thumbnails: this section contains all screenshots as thumbnails, including those not shown in the slideshow. (Thumbnail images are not reproduced in this version of the report.)

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label | Link
www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe |
www.tiro.com | 0% | URL Reputation | safe |
www.goodfont.co.kr | 0% | URL Reputation | safe |
www.carterandcone.coml | 0% | URL Reputation | safe |
www.sajatypeworks.com | 0% | URL Reputation | safe |
www.typography.netD | 0% | URL Reputation | safe |
www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe |
www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe |
fontfabrik.com | 0% | URL Reputation | safe |
www.founder.com.cn/cn | 0% | URL Reputation | safe |
www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe |
www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe |
www.sandoll.co.kr | 0% | URL Reputation | safe |
www.urwpp.deDPlease | 0% | URL Reputation | safe |
www.zhongyicts.com.cn | 0% | URL Reputation | safe |
www.sakkal.com | 0% | URL Reputation | safe |

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
asf-ris-prod-neurope.northeurope.cloudapp.azure.com | 168.63.67.155 | true | false | | high
micromedia.us | 69.222.152.74 | true | false | | unknown
activation2.eastus2.cloudapp.azure.com | 40.79.86.63 | true | false | | high
settings-ssl.xboxlive.com | unknown | unknown | false | | high

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
micromedia.us/videos/Pichincha/Items/RemoteTeller.mp4 | false | | unknown

URLs from Memory and Binaries


Contacted IPs


Public

IP | Country | ASN | ASN Name | Malicious
40.79.86.63 | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
69.222.152.74 | United States | 7018 | ATT-INTERNET4US | false

General Information

Joe Sandbox Version: 29.0.0 Ocean Jasper
Analysis ID: 256920
Start date: 04.08.2020
Start time: 15:47:13
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 59s
Hypervisor based Inspection enabled: false
Report type: light
Cookbook file name: browseurl.jbs
Sample URL: micromedia.us/videos/Pichincha/Items/RemoteTeller.mp4
Analysis system description: w10x64 Windows 10 64 bit v1803 with Office Professional Plus 2016, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 26
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal48.win@6/21@2/2
EGA Information: Successful, ratio: 100%
HCA Information: Failed
Cookbook Comments: Adjust boot time; Enable AMSI

Warnings:
• Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, ielowutil.exe, RuntimeBroker.exe, WMIADAP.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, ApplicationFrameHost.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 23.54.113.104, 95.100.50.217, 51.104.139.180, 152.199.19.161, 40.127.240.158, 23.54.112.64, 93.184.220.29, 23.0.174.185, 23.0.174.184, 40.67.251.132, 23.54.113.53
• Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, cs9.wac.phicdn.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wns.notify.windows.com.akadns.net, arc.msn.com, activation2.playready.microsoft.com, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, e12564.dspb.akamaiedge.net, go.microsoft.com, db5p.wns.notify.windows.com.akadns.net, ocsp.digicert.com, audownload.windowsupdate.nsatc.net, settings-ssl.xboxlive.com.edgekey.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, playreadyactivation.trafficmanager.net, client.wns.windows.com, fs.microsoft.com, ie9comview.vo.msecnd.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, settings-win.data.microsoft.com, ctldl.windowsupdate.com, a767.dscg3.akamai.net, e87.dspb.akamaiedge.net, emea2.notify.windows.com.akadns.net, settingsfd-geo.trafficmanager.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, go.microsoft.com.edgekey.net, cs9.wpc.v0cdn.net
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing network information.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtDeviceIoControlFile calls found.
• Report size getting too big, too many NtOpenKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtSetValueKey calls found.

Simulations

Behavior and APIs

No simulations

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{8D01306D-D6A4-11EA-90E0-ECF4BB2D2496}.dat
  Process: C:\Program Files\internet explorer\iexplore.exe
  File Type: Microsoft Word Document
  Size (bytes): 32344
  Entropy (8bit): 1.785045083909344
  Encrypted: false
  MD5: BEB4ED30D9C7F36D6B5D30F63C31A16F
  SHA1: 0602AC4BDE4EE5979DD789B5845C046719847343
  SHA-256: 584A4FDDBA667C3DFC6EDD32EE6B1ED687A3A33A57D418376133C71CA5DCB553
  SHA-512: 7E5716EFC443548F61A9358AB9F61F686B59ADDA0851DB0C012304DC816C572A5604241AA0A7C113B54FF9D3F40F8FB3154D039224C55E44AD368DC0616C8D0D
  Malicious: false
  Reputation: low

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{8D01306F-D6A4-11EA-90E0-ECF4BB2D2496}.dat
  Process: C:\Program Files\internet explorer\iexplore.exe
  File Type: Microsoft Word Document
  Size (bytes): 19032
  Entropy (8bit): 1.5968552487210201
  Encrypted: false
  MD5: A2C5BD55CE46F5E93AFE4ED228B12064
  SHA1: 5290FA30362058C188B53904E5813CBAD2B88D64
  SHA-256: 11AF8E3168894BB644A75A3C429D7BEF9A365AC66A4ACEAB5B6D58CC369309FC
  SHA-512: 45437B983B0308176D80F4EAC6FBF1AA40C36E9C0F1B700A33BB36745EC58F827A1FF38E4A3A26247DBC036204F78C32BD9F2020FD3D598FE6DD0F465C28F320
  Malicious: false
  Reputation: low

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\RemoteTeller.mp4.axe032e.partial
  Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
  File Type: ISO Media, MP4 v2 [ISO 14496-14]
  Size (bytes): 14793426
  Entropy (8bit): 7.952282368408224
  Encrypted: false
  MD5: 8D561474BBB00F57FF5F61882528EF26
  SHA1: DA97E1DEEAA54CDFE2BFA56EB1CE36C67F04B284
  SHA-256: A985C40BF3BA3E452AD392EAD1354FD083D02F223FDD03EE685315EE7834DBB6
  SHA-512: C335E1DBFC7A28C21BFD9C503BD99081F83B142B8A2F338430EEB807D935F51D26118AF73B43051C3D14F3FDB2FBF3DD6FE66C9E0842A7B94EF6B4FC284EB3BB
  Malicious: false
  Reputation: low

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\RemoteTeller.mp4.axe032e.partial:Zone.Identifier
  Process: C:\Program Files\internet explorer\iexplore.exe
  File Type: ASCII text, with CRLF line terminators
  Size (bytes): 26
  Entropy (8bit): 3.95006375643621
  Encrypted: false
  MD5: FBCCF14D504B7B2DBCB5A5BDA75BD93B
  SHA1: D59FC84CDD5217C6CF74785703655F78DA6B582B
  SHA-256: EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
  SHA-512: AA1D2B1EA3C9DE3CCADB319D4E3E3276A2F27DD1A5244FE72DE2B6F94083DDDC762480482C5C2E53F803CD9E3973DDEFC68966F974E124307B5043E654443B98
  Malicious: false
  Reputation: low
  Preview: [ZoneTransfer]..ZoneId=3..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\RemoteTeller.mp4:Zone.Identifier
  Process: C:\Program Files\internet explorer\iexplore.exe
  File Type: very short file (no magic)
  Size (bytes): 1
  Entropy (8bit): 0.0
  Encrypted: false
  MD5: ECCBC87E4B5CE2FE28308FD9F2A7BAF3
  SHA1: 77DE68DAECD823BABBB58EDB1C8E14D7106E83BB
  SHA-256: 4E07408562BEDB8B60CE05C1DECFE3AD16B72230967DE01F640B7E4729B49FCE
  SHA-512: 3BAFBF08882A2D10133093A1B8433F50563B93C14ACD05B79028EB1D12799027241450980651994501423A66C276AE26C43B739BC65C4E16B10C3AF6C202AEBB
  Malicious: false
  Reputation: low
  Preview: 3

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\RemoteTeller[1].mp4
  Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
  File Type: ISO Media, MP4 v2 [ISO 14496-14]
  Size (bytes): 8520890
  Entropy (8bit): 7.946677303460154
  Encrypted: false
  MD5: 1E2AD0AF689AD7D08715F9D31377B875
  SHA1: F01A64BB6408ABAAD1666653C4798F563B2A0A6D
  SHA-256: FB7C1BAF0C7539DAE859D25DE9853B61987AA74B6DFE03C24F26E090D36A11F9
  SHA-512: AE84A39FAC2517706C6987A8F49D5EA4A48C6031CD69F21100077739DF0AC78CD4A4E7CF555FF1C745951BC93F6C28CAA5CDC8BEFFDA9506ABFCAF158ADD3955
  Malicious: false
  Reputation: low

C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\AC\INetCache\JS2MI0CH\configuration[1].xml
  Process: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.17112.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe
  File Type: XML 1.0 document, ASCII text, with CRLF line terminators
  Size (bytes): 1520
  Entropy (8bit): 5.0183726539703795
  Encrypted: false
  MD5: E72FC6D9DAF66E2D8BC9FE37BE8CE4D8
  SHA1: 667F95190910D5841E4531330001423CBB8E2030
  SHA-256: B5CCAFA927AF87CEA7E85A2D197C2E841E557B87900665C12FA6F8059B8B9356
  SHA-512: 5D56979DBDB586601570DB6AEE666EA1DF489F3EB25285DEDC4A216834955E590158058D6B0C23D084C6C059AD91CF7B7FC32436E572693A96527F3D6E14160C
  Malicious: false
  Reputation: low

C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\AC\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04
  Process: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.17112.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe
  File Type: data
  Size (bytes): 1507
  Entropy (8bit): 7.486697684353544
  Encrypted: false
  MD5: 18E4329343E388D35759E0CE21951FA9
  SHA1: D8FD7D85AE3E59856B5C4A6CAD92E9DEA8811729
  SHA-256: 5CD98B383A68A606CCA219976A8BBD00DCFA644BBA84D8D7727DFB9740E21C6E
  SHA-512: 77C4E8AB6BD0397582161BD78D670D2D55C5864082EEAF69D468298A05BC2A6B95D454245BF1B7142B0AD4E98B751596637C9EA4761E60734B478650D0FBC9E7
  Malicious: false
  Reputation: low

C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\AC\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04
  Process: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.17112.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe
  File Type: data
  Size (bytes): 868
  Entropy (8bit): 3.7944834341146194
  Encrypted: false
  MD5: 392C37361BF68230ADB6940845BC9F61
  SHA1: 9E41954FDCFBD3F940667F9CAA339910F1337E01
  SHA-256: 373644CFA8221DE959E619904535C3E5CBA84033BD32968567540826A687D545
  SHA-512: 2C58A67E3F394D616D9FB55055A43FC3DC5947C9C79CBBD94CF0205137CB38C9BD0AA10C8E72AAAA4612AF2469FC6320B6C798A1C24A9F2CC0709552C57AAD95
  Malicious: false
  Reputation: low

C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalCache\PlayReady\Cache\msprcore.bla
  Process: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.17112.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe
  File Type: data
  Size (bytes): 5113
  Entropy (8bit): 6.0476953976257555
  Encrypted: false
  MD5: 13F262C1EED3D5470BC16D3AB56BB21A
  SHA1: A377A982FD3CF3D96940909A10DFA0A020BA3E2F
  SHA-256: 6CF6A8BDE5372DF16C592FA67B92DDAA2DEE985DA458F183D8846444C752E4F5
  SHA-512: 3341CAF8F958AC1224B76D136027E3F40B35BF9877297A462DE650FE0E423C31A93C33B8FC617E8C2171BFDB0FC8501E4FFD3DFB51DF0126D6729725C7BA9B74
  Malicious: false
  Reputation: low

C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalCache\PlayReady\mspr.hds
  Process: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.17112.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe
  File Type: data
  Size (bytes): 100294
  Entropy (8bit): 0.17566044670920616
  Encrypted: false
  MD5: EB36AA067538A27A1905A83CDCF19B9B
  SHA1: E6FC870E5C04E5F51A55BC1E46CD36EF53999E7D
  SHA-256: C68E1B6D26F8671493EEE56C265A7412BE84F1CF5D717F01CCFB7C44681C58B6
  SHA-512: E616674869FD1D66413B2DE156ABDC4D91BC3EC8F59D651C7BF0B8DAE46DD7C43664B31293743308F1D5CAD73912022D909ED35AD1BC24C2B785B2E88EA441FE
  Malicious: false
  Reputation: low

C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalState\Database\anonymous\EntClientDb.edb Process: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.17112.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe File Type: Extensible storage user DataBase, version 0x620, checksum 0xc7bb6a65, page size 8192, JustCreated, Windows version 0.0

Copyright null 2020 Page 15 of 23 C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalState\Database\anonymous\EntClientDb.edb Size (bytes): 1105920 Entropy (8bit): 0.930783977294383 Encrypted: false MD5: 7E6FD9C47686A6C0CE3488A32FC9EDA3 SHA1: EAA7A9A89067AEF21AD94B329FE830B79C7D1852 SHA-256: E61DD96BAE9501BD11E1503D43BFF08626B56E3F455EFB2CB76B63B7ADDB6F30 SHA-512: 7D8278A45EEA1EF7C4F7C1E6E38BB56A92E735A0B9A5C1E7F0042B6E0383B04215F56B4F9606E9DF50DE0E0B1D74EE0B3DC8856F32CC9454688F483381EFF9D A Malicious: false Reputation: low Preview: .je...... @...... _.2"0...x}...... h...... P."0...x...... P."0...x.J...... e4.."0...x......

C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalState\Database\anonymous\EntClientDb.jfm Process: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.17112.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe File Type: data Size (bytes): 24576 Entropy (8bit): 0.08392834836957645 Encrypted: false MD5: 23C92F43B4A1555040FA6A3AFB1194A6 SHA1: B549F701B4A45C226EE0332D3CAF7E31F666510F SHA-256: ADBDA19D6D2216D03DCBC3E414BA14753A0EC7A5FCE7FE4A3097FFECC7236DFA SHA-512: 8B040BA6714C31CFA6EFA32BFC4249336204C449EBC75FD63E4EB19CA9951C064A82D61C3158D49112A6610AF87ADDCBD8A4D4783F2FCCAF39E4737461F57411 Malicious: false Reputation: low Preview: ...a...... "0...x.."0...x...... e4.."0...x......

C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalState\Database\anonymous\edb.chk Process: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.17112.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe File Type: data Size (bytes): 8192 Entropy (8bit): 0.6312053642945705 Encrypted: false MD5: 37C52E153C4B908A01DA9AA7CAEF4857 SHA1: 75DB030322C05DC3B8546BE6204460CF8D8723C7 SHA-256: 2F669DCDB5D1A58F5A68B3E2107BAD936F27D241C057D7E4FDDF8E72D672FE80 SHA-512: DE53F5C0176E867C5F44EA7CA686C19F1AFA84DDD96BEA62D018B34598F9BB9E5DAE9972B341CA01DD473254A67C192A2BDD34716FC1D5BFE505EB02A225C1 7A Malicious: false Reputation: low Preview: .s...... P."0...x...... C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalState\Database\anonymous\...... C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\Loca lState\Database\anonymous\...... 0u..,...... 5w......

C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalState\Database\anonymous\edb.log
Process: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.17112.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe
File Type: data
Size (bytes): 380928
Entropy (8bit): 3.1553228461835445
Encrypted: false
MD5: 8A9C01F463C96A610194647294132A09
SHA1: DE0C1CFE54DF4B29EF958A19BCB627686F3C4231
SHA-256: 7810D451441FE6DB224F4ACFD689C71D6B47F3DB11BD8C835B4086B629FC500E
SHA-512: 158596FB41B476FD93D95D0BDBC62160344D5AC1048EC244E9EC7CDF85DF410299F52249463B3E7855AA264713132FC24279879779769529543AD09BDBDFBD74
Malicious: false
Reputation: low
Preview: G.._...... "0...x...... 1C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalState\Database\anonymous\...... C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalState\Database\anonymous\...... 0u..,...... 5w...... "0...x...... _.2"0...x}...... C.:.\.U.s.e.r.s.\.e.n.g.i.n.e.e.r.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.P.a.c.k.a.g.e.s.\.M.i.c.r.o.s.o.f.t...Z.u.n.e.V.i.d.e.o._.8.w.e.k.y.b.3.d.8.b.b.w.e.\.L.o.c.a.l.S.t.a.t.e.\.D.a.t.a.b.a.s.e.\.a.n.o.n.y.m.o.u.s.\.E.n.t.C.l.i.e.n.t.D.b...e.d.b...Gr......

C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalState\Database\anonymous\edbtmp.log
Process: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.17112.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe
File Type: data
Size (bytes): 4198400
Entropy (8bit): 0.0012939574178166494
Encrypted: false
MD5: 263545E6AEF15AEA8D53FF9213C7FDD7
SHA1: 3513F11F8B989ACDB37FB8E7164E8A91422758EC
SHA-256: CECA8786B595D826A8AFCD64EE97F07E53D236DC5355932C42B83DF0BE1326E2
SHA-512: 62FD3983431360C3EEA7B952F3C558099A13139AD82D95742F2939BC279594A666844ADE1D8E8D7D9D9A962B4932E689FF7D87626FFBDD25B5D05A56A18C05E0
Malicious: false
Reputation: low
Preview: ......

C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalState\Database\anonymous\tmp.edb
Process: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.17112.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe
File Type: Extensible storage user DataBase, version 0x620, checksum 0x8cea0cab, page size 8192, JustCreated, Windows version 0.0
Size (bytes): 57344
Entropy (8bit): 0.09836501863013615
Encrypted: false
MD5: DED847F03CDA1D0DAE6041FBDA97A260
SHA1: 2DA70BDA6D58C7942A4174040273C76CCFE99485
SHA-256: 634A73C7CDEC46912F35B30EA82FF73BF0915CC4B4EB6DF6E470590762C46C5D
SHA-512: AA883215FC686E0E7830B822FF3EFE3BE505789F23E646A3FBCB789327C73E8B740EC85E806A98699947E611D8970F220F2558A8F61A65D400E7304C8EC84172
Malicious: false
Reputation: low
Preview: ...... @...... O.e"0...xq...... ?.."0...xqN......

C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalState\SRPData.xml.~tmp
Process: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.17112.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe
File Type: ASCII text, with no line terminators
Size (bytes): 263
Entropy (8bit): 4.851756360545685
Encrypted: false
MD5: 7A8BB069D1140E91E820C1A91EECE9E9
SHA1: F835D661384541D1A4DF016C33C40DD1B28A3AD4
SHA-256: C7ABC15C3B493E7631403FCB3229976AF69EDEE990566ECE53B92A134B27D405
SHA-512: 4EE84C7DD2E226129EADE585B212BB351284BF0B1858D23845D06F5FF6728988BFBAE402F71CDE8047FF7C2DAD3399EFF0C610C9C9A8C7EF9C19D208C438E24D
Malicious: false
Reputation: low
Preview:

C:\Users\user\AppData\Local\Temp\JavaDeployReg.log
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 89
Entropy (8bit): 4.558402431512068
Encrypted: false
MD5: 032814029F7A054566D84412539F5BA4
SHA1: 9DC09EB8C701A981CA725F3621493692E27A59BD
SHA-256: 0DAB9ABA1D9AD24D3A4B4317C464084A4876BE00E073BACC42FAE20B5AACB923
SHA-512: AFE153B3D2A5E4514762AC94B07017D2D9DD65385654BDBB37B5B5ADC9D0B381658A89BB95BA5DCEF9F25B664D853565E867634154FF2CAEEA09FAE26DB23666
Malicious: false
Reputation: low
Preview: [2020/08/04 15:48:03.764] Latest deploy version: ..[2020/08/04 15:48:03.764] 11.211.2 ..

C:\Users\user\AppData\Local\Temp\~DFD65C50FFA66DD15F.TMP
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: data
Size (bytes): 29989
Entropy (8bit): 0.3303254578367068
Encrypted: false
MD5: A157C49D9FE778BE32F454A67B46A132
SHA1: A6EC1998DFC7073E7D57A81472AB5E27350AF6A3
SHA-256: 04AC7C496B981B02E8309447B9C87BB712AF2F2F6328C9173ABD91743B8AC3F8
SHA-512: 882B1A09A5E3A18EB45678E705894167A3CF420A661920EF233FFA94EB96C26206775DB277CDE6165A8842FD71A6B09FF2FC3930E67AD29E33426849528A51CB
Malicious: false
Reputation: low
Preview: ...... *%..H..M..{y..+.0...(...... *%..H..M..{y..+.0...(......

C:\Users\user\AppData\Local\Temp\~DFF656D69D5A5EAFB6.TMP
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: data
Size (bytes): 12981
Entropy (8bit): 0.43871803862264325
Encrypted: false
MD5: 4C477819A963B2DE70B84EF1FE980DC9
SHA1: 4132D7E4BF5F6F5542B1492E7DC257A69D70C5A1
SHA-256: C42B95FA583973A4BDC9937B26B5B8E78AC62FD65C17123336C01500CED9CC44
SHA-512: 4B6A1526241A3F4E6E80A8DE4FFE26738BAC87828E93F9A102AA1EC4CF8BFED49535C8DC7A0DE4E102DA365D2FF8AAEA0647AB7A72B548FEC80026A19C3AD949
Malicious: false
Reputation: low
Preview: ...... *%..H..M..{y..+.0...(...... *%..H..M..{y..+.0...(......

Static File Info

No static file info

Network Behavior

TCP Packets


DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Aug 4, 2020 15:48:07.655468941 CEST | 192.168.2.6 | 8.8.8.8 | 0xcf27 | Standard query (0) | micromedia.us | A (IP address) | IN (0x0001)
Aug 4, 2020 15:48:40.628556967 CEST | 192.168.2.6 | 8.8.8.8 | 0x40d0 | Standard query (0) | settings-ssl.xboxlive.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Aug 4, 2020 15:48:07.686547041 CEST | 8.8.8.8 | 192.168.2.6 | 0xcf27 | No error (0) | micromedia.us | | 69.222.152.74 | A (IP address) | IN (0x0001)
Aug 4, 2020 15:48:40.659784079 CEST | 8.8.8.8 | 192.168.2.6 | 0x40d0 | No error (0) | settings-ssl.xboxlive.com | settings-ssl.xboxlive.com.edgekey.net | | CNAME (Canonical name) | IN (0x0001)
Aug 4, 2020 15:48:42.220649958 CEST | 8.8.8.8 | 192.168.2.6 | 0xda6d | No error (0) | activation2.eastus2.cloudapp.azure.com | | 40.79.86.63 | A (IP address) | IN (0x0001)
Aug 4, 2020 15:49:10.321171999 CEST | 8.8.8.8 | 192.168.2.6 | 0xc713 | No error (0) | asf-ris-prod-neurope.northeurope.cloudapp.azure.com | | 168.63.67.155 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

micromedia.us

Code Manipulations

Statistics

Behavior

• iexplore.exe
• iexplore.exe
• ssvagent.exe
• Video.UI.exe

System Behavior

Analysis Process: iexplore.exe PID: 6692 Parent PID: 800

General

Start time: 15:48:02
Start date: 04/08/2020
Path: C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit): false
Commandline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase: 0x7ff79b300000
File size: 823560 bytes
MD5 hash: 6465CB92B25A7BC1DF8E01D8AC5E7596
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: low

File Activities


Registry Activities


Analysis Process: iexplore.exe PID: 6736 Parent PID: 6692

General

Start time: 15:48:03
Start date: 04/08/2020
Path: C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6692 CREDAT:17410 /prefetch:2
Imagebase: 0xe50000
File size: 822536 bytes
MD5 hash: 071277CC2E3DF41EEEA8013E2AB58D5A
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: low

File Activities


Registry Activities


Analysis Process: ssvagent.exe PID: 6800 Parent PID: 6736

General

Start time: 15:48:03
Start date: 04/08/2020
Path: C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exe
Wow64 process (32bit): true
Commandline: 'C:\PROGRA~2\Java\JRE18~1.0_2\bin\ssvagent.exe' -new
Imagebase: 0xeb0000
File size: 57720 bytes
MD5 hash: A3DBA514D38464A5C5A9DEA19E6159F9
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: low

Registry Activities


Analysis Process: Video.UI.exe PID: 5616 Parent PID: 800

General

Start time: 15:48:33
Start date: 04/08/2020
Path: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.17112.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe
Wow64 process (32bit): false
Commandline: 'C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.17112.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe' -ServerName:Microsoft.ZuneVideo.AppX758ya5sqdjd98rx6z7g95nw6jy7bqx9y.mca
Imagebase: 0x7ff670af0000
File size: 26934272 bytes
MD5 hash: BEA19F0655789B224CEF4C5AFCE49AD1
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: low

File Activities


File Read

File Path | Offset | Length | Completion | Count | Address | Symbol
C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalCache\PlayReady\Cache\msprcore.bla | unknown | 5113 | success or wait | 1 | 1BDC9E61379 | ReadFile

Registry Activities


Disassembly

Code Analysis
