Edit tour

Windows Analysis Report
IMG_3552.mp4

Overview

General Information

Sample name:	IMG_3552.mp4 (renamed file extension from heic to mp4)
Original sample name:	IMG_3552.heic
Analysis ID:	1541546
MD5:	9717a09d40bc1178aaf2841d68fb03a8
SHA1:	e0ad4a4582e00f335cd02ae62efd3267ebcb4d0f
SHA256:	03f0d2cc8723bdadbcd41c081fa77018351cb12402b362ce4d7a93cd6049a909
Infos:

Detection

Score:	3
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

Detected potential crypto function

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Video.UI.exe (PID: 1516 cmdline: "C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe" -ServerName:Microsoft.ZuneVideo.AppX758ya5sqdjd98rx6z7g95nw6jy7bqx9y.mca MD5: FE340ECB1D09B5BAA66DFE25AF11654F)

cleanup

HTTP traffic detected: GET /PlayReady/ACT/Activation.asmx?WSDL&Client=Win10&LinkId=613387 HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Microsoft-PlayReady-DRM/1.0Host: activation2.playready.microsoft.com

Source: global traffic	DNS traffic detected: DNS query: settings-ssl.xboxlive.com
Source: global traffic	DNS traffic detected: DNS query: 18.31.95.13.in-addr.arpa

Source: unknown

HTTP traffic detected: POST /PlayReady/ACT/Activation.asmx HTTP/1.1Connection: Keep-AliveContent-Type: text/xml; charset=utf-8Accept: */*User-Agent: Microsoft-PlayReady-DRM/1.0x-playready-info: OSVersion=10.0; ClientDllVersion=Windows.Media.Protection.PlayReady.dll/10.0.19041.2006 (WinBuild.160101.0800); Session=bd658ae49cf14753f24fddb21ec89b52; StoreAppID=Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo; X-XblCorrelationId: 4984944002049569559SOAPAction: "http://schemas.microsoft.com/PlayReady/ActivationService/v1/Activate"Content-Length: 3580Host: activation2.playready.microsoft.com

Source: Video.UI.exe, 00000002.00000003.1491455850.00000199C225B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://dmd-ca-beta2/CertEnroll/Microsoft%20Digital%20Media%20Authority%202005.crl
Source: Video.UI.exe, 00000002.00000003.1491455850.00000199C225B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://dmd-ca-beta2/CertEnroll/dmd-ca-beta2_Microsoft%20Digital%20Media%20Authority%202005.crt0d
Source: Video.UI.exe, 00000002.00000002.2615025287.00000199B2E13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://json-schema.org/draft-04/schema
Source: Video.UI.exe, 00000002.00000003.1432395075.00000199BFD29000.00000004.00000020.00020000.00000000.sdmp, Video.UI.exe, 00000002.00000003.1471339907.00000199BFD36000.00000004.00000020.00020000.00000000.sdmp, Video.UI.exe, 00000002.00000003.1454818870.00000199BFD29000.00000004.00000020.00020000.00000000.sdmp, Video.UI.exe, 00000002.00000003.1390509504.00000199BFD25000.00000004.00000020.00020000.00000000.sdmp, Video.UI.exe, 00000002.00000003.1376869013.00000199BFC02000.00000004.00000020.00020000.00000000.sdmp, Video.UI.exe, 00000002.00000003.1376428177.00000199BFA02000.00000004.00000020.00020000.00000000.sdmp, IMG_3552.mp4	String found in binary or memory: http://ns.apple.com/HDRGainMap/1.0/
Source: Video.UI.exe, 00000002.00000002.2625294288.00000199BFD33000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ns.apple.com/HDRGainMap0X
Source: Video.UI.exe, 00000002.00000003.1491686223.00000199BFF13000.00000004.00000020.00020000.00000000.sdmp, Video.UI.exe, 00000002.00000002.2627521311.00000199C220A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/http
Source: Video.UI.exe, 00000002.00000002.2622939968.00000199BF145000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
Source: Video.UI.exe, 00000002.00000002.2622827877.00000199BF0CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: Video.UI.exe, 00000002.00000002.2618016553.00000199B92A6000.00000004.00000020.00020000.00000000.sdmp, Video.UI.exe, 00000002.00000002.2618255369.00000199B93A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: Video.UI.exe, 00000002.00000002.2618255369.00000199B93A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/
Source: Video.UI.exe, 00000002.00000002.2622706013.00000199BF05D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.local
Source: Video.UI.exe, 00000002.00000002.2622706013.00000199BF05D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.local//
Source: Video.UI.exe, 00000002.00000002.2618016553.00000199B92A6000.00000004.00000020.00020000.00000000.sdmp, Video.UI.exe, 00000002.00000002.2622102588.00000199BEF38000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.net
Source: Video.UI.exe, 00000002.00000002.2622102588.00000199BEF38000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.net/
Source: Video.UI.exe, 00000002.00000003.1999829201.00000199BF1A3000.00000004.00000020.00020000.00000000.sdmp, Video.UI.exe, 00000002.00000002.2623143142.00000199BF1AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://settings-ssl.xboxlive.com/
Source: Video.UI.exe, 00000002.00000003.1999829201.00000199BF1A3000.00000004.00000020.00020000.00000000.sdmp, Video.UI.exe, 00000002.00000002.2623143142.00000199BF1AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://settings-ssl.xboxlive.com/.xml
Source: Video.UI.exe, 00000002.00000002.2622939968.00000199BF145000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://settings-ssl.xboxlive.com/XBLWinClient/v10_video/configuration.xml
Source: Video.UI.exe, 00000002.00000002.2622939968.00000199BF145000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://settings-ssl.xboxlive.com/XBLWinClient/v10_video/configuration.xml4
Source: Video.UI.exe, 00000002.00000002.2622939968.00000199BF145000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://settings-ssl.xboxlive.com/XBLWinClient/v10_video/configuration.xmle
Source: Video.UI.exe, 00000002.00000002.2622939968.00000199BF145000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://settings-ssl.xboxlive.com/XBLWinClient/v10_video/configuration.xmlte
Source: Video.UI.exe, 00000002.00000002.2622102588.00000199BEF38000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://xsts.auth.xboxlive.com
Source: Video.UI.exe, 00000002.00000002.2622102588.00000199BEF38000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://xsts.auth.xboxlive.com/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49800

Source: unknown	HTTPS traffic detected: 13.107.246.45:443 -> 192.168.2.9:49800 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.45:443 -> 192.168.2.9:49810 version: TLS 1.2

Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Code function: 2_2_00000199BF9A35D3		2_2_00000199BF9A35D3
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Code function: 2_2_00000199BF9AA352		2_2_00000199BF9AA352

Source: classification engine

Classification label: clean3.winMP4@1/15@2/1

Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe

File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalState\Database\

Jump to behavior

Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: sharedui.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: vccorlib140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: msvcp140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: concrt140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: vcruntime140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: vcruntime140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: msvcp140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: msvcp140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: concrt140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: vcruntime140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: vcruntime140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: windows.ui.xaml.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: windows.staterepositorycore.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: rometadata.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: windows.applicationmodel.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: windows.storage.applicationdata.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: threadpoolwinrt.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: windows.globalization.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: bcp47mrm.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: clipc.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: mrmcorer.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: windows.staterepositoryclient.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: windows.ui.xaml.controls.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: windows.shell.servicehostbuilder.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: uiamanager.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: windows.ui.core.textinput.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: windows.ui.immersive.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: windows.system.profile.retailinfo.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: windows.media.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: windows.graphics.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: windows.ui.xaml.phone.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: twinapi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: windows.energy.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: windows.networking.connectivity.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: windows.devices.enumeration.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: directmanipulation.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: wuceffects.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: profext.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: windows.media.playback.mediaplayer.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: mfplat.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: rtworkq.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: windows.media.mediacontrol.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: mmdevapi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: mfmediaengine.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: audioses.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: windows.media.devices.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: windows.media.playback.proxystub.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: devdispitemprovider.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: windows.web.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: ddores.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: defaultdevicemanager.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: comppkgsup.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: mfmp4srcsnk.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: appcontracts.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: usermgrproxy.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: cdprt.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: cdp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: mfps.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: mfsrcsnk.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: msamrnbsource.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: mfasfsrcsnk.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: mfds.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: msflacdecoder.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: avrt.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: mfmpeg2srcsnk.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: mfmkvsrcsnk.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: mfnetsrc.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: mfnetcore.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: windows.media.protection.playready.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: wpnapps.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: windows.networking.backgroundtransfer.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: systemeventsbrokerclient.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: windows.applicationmodel.lockscreen.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: wincorlib.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: lockappbroker.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: windows.security.authentication.web.core.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: microsoftaccountwamextension.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: mfsvr.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: windows.applicationmodel.background.timebroker.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: biwinrt.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: gnsdk_fp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: mf.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Section loaded: dwmapi.dll	Jump to behavior

Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: IMG_3552.mp4

Static file information: File size 3119675 > 1048576

Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Code function: 2_2_00000199BF9A2309 push ebp; iretd	2_2_00000199BF9A230A
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Code function: 2_2_00000199BF9AA943 push esp; retf	2_2_00000199BF9AA946
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Code function: 2_2_00000199BF9A2373 push ebp; iretd	2_2_00000199BF9A2374
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Code function: 2_2_00000199C21567C9 push ebp; iretd	2_2_00000199C21567CA
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Code function: 2_2_00000199C21540E0 push BA000002h; iretd	2_2_00000199C21540E5
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Code function: 2_2_00000199C2154E09 push ebp; iretd	2_2_00000199C2154E0A
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Code function: 2_2_00000199C2156833 push ebp; iretd	2_2_00000199C2156834
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Code function: 2_2_00000199C2154E73 push ebp; iretd	2_2_00000199C2154E74

Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe

File opened: PhysicalDrive0

Jump to behavior

Source: Video.UI.exe, 00000002.00000002.2624460310.00000199BFB2C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Video.UI.exe, 00000002.00000002.2622939968.00000199BF145000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe;C:\Windows\SYSTEM32C:\Program Files\WindowsApps\Microsoft.Hyper-V RAW.19071.19011.0_x64__8wekyb3d8bbwe;C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00_14.0.27323.0_x64__8wekyb3d8bbwe;
Source: Video.UI.exe, 00000002.00000002.2624460310.00000199BFB2C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@

Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalState\Database\anonymous\edbtmp.log VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalState\Database\anonymous\edbtmp.log VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalState\Database\anonymous\edbres00001.jrs VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalState\Database\anonymous\edbres00002.jrs VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalState\Database\anonymous\edb.log VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalState\Database\anonymous\edb.log VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalState\Database\anonymous\edb.log VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalState\Database\anonymous\edb.chk VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalState\Database\anonymous\EntClientDb.jfm VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalState\Database\anonymous\EntClientDb.edb VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalState\Database\anonymous\EntClientDb.edb VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalState\Database\anonymous\tmp.edb VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Queries volume information: C:\Windows\Fonts\segoeuisl.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Queries volume information: C:\Windows\Fonts\segmdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalState\Database\anonymous\edb.chk VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalState\SRPData.xml VolumeInformation	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Masquerading	OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	3 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	21 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	4 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
https://login.windows.local	0%	URL Reputation	safe
https://login.windows.net	0%	URL Reputation	safe
https://android.notify.windows.com/iOS	0%	URL Reputation	safe
https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
s-part-0036.t-0009.t-msedge.net	13.107.246.64	true	false	unknown
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false	unknown
settings-ssl.xboxlive.com	unknown	unknown	false	unknown
18.31.95.13.in-addr.arpa	unknown	unknown	false	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://login.windows.local	Video.UI.exe, 00000002.00000002.2622706013.00000199BF05D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://login.windows.net	Video.UI.exe, 00000002.00000002.2618016553.00000199B92A6000.00000004.00000020.00020000.00000000.sdmp, Video.UI.exe, 00000002.00000002.2622102588.00000199BEF38000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://login.windows.local//	Video.UI.exe, 00000002.00000002.2622706013.00000199BF05D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://login.windows.net/	Video.UI.exe, 00000002.00000002.2622102588.00000199BEF38000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://settings-ssl.xboxlive.com/XBLWinClient/v10_video/configuration.xmlte	Video.UI.exe, 00000002.00000002.2622939968.00000199BF145000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/soap/http	Video.UI.exe, 00000002.00000003.1491686223.00000199BFF13000.00000004.00000020.00020000.00000000.sdmp, Video.UI.exe, 00000002.00000002.2627521311.00000199C220A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://dmd-ca-beta2/CertEnroll/dmd-ca-beta2_Microsoft%20Digital%20Media%20Authority%202005.crt0d	Video.UI.exe, 00000002.00000003.1491455850.00000199C225B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://android.notify.windows.com/iOS	Video.UI.exe, 00000002.00000002.2622827877.00000199BF0CA000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://settings-ssl.xboxlive.com/XBLWinClient/v10_video/configuration.xml4	Video.UI.exe, 00000002.00000002.2622939968.00000199BF145000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://settings-ssl.xboxlive.com/.xml	Video.UI.exe, 00000002.00000003.1999829201.00000199BF1A3000.00000004.00000020.00020000.00000000.sdmp, Video.UI.exe, 00000002.00000002.2623143142.00000199BF1AF000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://xsts.auth.xboxlive.com	Video.UI.exe, 00000002.00000002.2622102588.00000199BEF38000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://settings-ssl.xboxlive.com/XBLWinClient/v10_video/configuration.xml	Video.UI.exe, 00000002.00000002.2622939968.00000199BF145000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp	Video.UI.exe, 00000002.00000002.2622939968.00000199BF145000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://settings-ssl.xboxlive.com/	Video.UI.exe, 00000002.00000003.1999829201.00000199BF1A3000.00000004.00000020.00020000.00000000.sdmp, Video.UI.exe, 00000002.00000002.2623143142.00000199BF1AF000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://json-schema.org/draft-04/schema	Video.UI.exe, 00000002.00000002.2615025287.00000199B2E13000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://settings-ssl.xboxlive.com/XBLWinClient/v10_video/configuration.xmle	Video.UI.exe, 00000002.00000002.2622939968.00000199BF145000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://dmd-ca-beta2/CertEnroll/Microsoft%20Digital%20Media%20Authority%202005.crl	Video.UI.exe, 00000002.00000003.1491455850.00000199C225B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://xsts.auth.xboxlive.com/	Video.UI.exe, 00000002.00000002.2622102588.00000199BEF38000.00000004.00000020.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
13.107.246.45	s-part-0017.t-0009.t-msedge.net	United States		8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1541546
Start date and time:	2024-10-25 00:11:17 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 51s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	IMG_3552.mp4 (renamed file extension from heic to mp4)
Original Sample Name:	IMG_3552.heic
Detection:	CLEAN
Classification:	clean3.winMP4@1/15@2/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 52% Number of executed functions: 7 Number of non-executed functions: 0

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 184.28.89.167, 95.101.148.7
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, e87.dspb.akamaiedge.net, activation2.playready.microsoft.com, fe3cr.delivery.mp.microsoft.com, e11290.dspg.akamaiedge.net, go.microsoft.com, login.live.com, star-azurefd-prod.trafficmanager.net, go.microsoft.com.edgekey.net, azureedge-t-prod.trafficmanager.net, settings-ssl.xboxlive.com.edgekey.net, traf-activation-global.trafficmanager.net
Execution Graph export aborted for target Video.UI.exe, PID 1516 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: IMG_3552.mp4

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
13.107.246.45	https://pcefan.com/diary/index.php?st-manager=1&path=/click/track&id=4973&type=ranking&url=http://nam.dcv.ms/BxPVLH2cz4	Get hash	malicious	HTMLPhisher	Browse	nam.dcv.ms/BxPVLH2cz4

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0036.t-0009.t-msedge.net	https://cswlawgroup.artoffice.cloud/	Get hash	malicious	Unknown	Browse	13.107.246.64
	https://t.co/yXelyYqHRk	Get hash	malicious	Unknown	Browse	13.107.246.64
	1729664806c79c5d1fb6dbe09192bc26b6bdae0f6d25899e6d8d3edeabd559411bc9232ed9445.dat-decoded.exe	Get hash	malicious	LummaC	Browse	13.107.246.64
	https://eu-chervongroup.powerappsportalsecurefiles.xyz/	Get hash	malicious	HtmlDropper	Browse	13.107.246.64
	https://www.google.co.nz/url?q=38pQvvq6xRyj7Y00xDjnlx9kIHOSozurMOiaAkImPuQJnOIWtJjqJLi6stjtDz3yh&rct=tTPSrMOiaAkImPuQJnOIWtJjqJLi6stjtFX08pQvvq6xRyj7Y00xDjnlx9kIjusucT&sa=t&url=amp%2Falinegrazielle.com%2FKaW12DtgTK%2FCGJiV2TYiHhEjaWZAqcgtold/S0pvbmVzQGtvbmlhZy1ncy5jb20=	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	13.107.246.64
	http://169.1.16.29/S.bin	Get hash	malicious	Havoc	Browse	13.107.246.64
	https://specialpoint.net/	Get hash	malicious	Unknown	Browse	13.107.246.64
	file.exe	Get hash	malicious	HawkEye, MailPassView, PureLog Stealer	Browse	13.107.246.64
	https://t.ly/k1aDE	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	13.107.246.64
	https://pg9t70xx.r.us-east-1.awstrack.me/L0/https:%2F%2Fjustworks.app.link%2F%3F%24deeplink_path=%2Falerts%2Ftime_off_requests%2F13a6b7f0-b2ae-4165-87b0-da6673653a54%26%24fallback_url=http%253A%252F%252Fwww.google.com.sg%252Furl%253Fsa%253Dt%2526esrc%253DYUM58NDu%2526source%253D%2526rct%253D304J%2526%2526cd%253D256Du%2526uact%2526url%253Damp%252Fs%252F%2573%2579%2573%2562%2569%257A%257A%252E%2569%256E%252F%252E%2564%2572%2565%256E%2574%256F%2570%252F%23dm1hbnRocmlwcmFnYWRhQG1vbnRyb3NlLWVudi5jb20=/1/0100019291d15735-3d3bd509-ef84-4bb4-a854-1b8c9d0b05f9-000000/-gk1ZN3uoUfApTKZkXOmptm9MGY=396	Get hash	malicious	Unknown	Browse	13.107.246.64
s-part-0017.t-0009.t-msedge.net	file.exe	Get hash	malicious	LummaC	Browse	13.107.246.45
	bc3c228ad2c13f96cb14375c3860e802.pdf	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	Inv Confirmation.htm	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	https://t.ly/8Lgfk	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	13.107.246.45
	SecuriteInfo.com.Other.Malware-gen.26961.24680.xlsx	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://u47751895.ct.sendgrid.net/ls/click?upn=u001.LUpianUM71xe7PV7wDA6i1kcuy38W249FfPzE-2Fn4iGArrL0MQBCUZHFEzmfBrwW7hf5h8aNQUml0OSIHqpXf0Hd-2FwQBg2gsGxKHK7PsY2xc-3DPya1_YT5LbHmSQ6soq50ixwpFbSYZshuq6-2FPFgRa8NDnR03IYhL-2F9Rsp4maHC7HKUeszLncLvtZaWCVsMwsguQ5-2FbgriKbvHymTrFFrqjql1V0tvMkZQvyA1xxy-2B6NtGFoUeUGIrvdabsXN8enx2k5c-2BvLXzm-2BRXmD29Cf33DbXC513Cwkuo46G2I7a1uwsANH8eVhz8r5XyLPneRi4ngixWtQkBEaLBBKkl5CzEPySNlMnqJuuWiTBlFswgUf9EX-2BEhUpqAvMFuAlKTpYcteS-2FjAegbPmUSDcSeBkfnhL6yUhTFHUFrxra-2BdIgnamsXKUUqu-2BC45G51EOfBd9qOCqWy3OeOC7KYj3-2FcaIfcOAM1Jkvyddtn3gwRC5w97RLza-2BBM2JcZLNzMYva4SJzBZv7RClCaMcjevyjP6ZFvlR0NECf5zAmWbPLmCUnefze8ZyTvnDqXVb3nrflSdnTlNxWfm617xjOrSoSu-2BVHZVqbE92ZodSyvWqgaCWZg0TMDZeq64M67nuH9ryo7I5u80SS081vnMThCYiPoN3JUoUliQPKbNY46GxAPyVhMs4qqZVi-2FFUtIGEycXziXytxfy6JCzAZ2sa7DZusc1RftLAVM4uJit-2FAhxM-2FK1sEHsKHKvs9o7uDMExZ5YqEBjrD2XHch-2BY6xwRGGg56MeC1Bpa72xAoR6DmInmiEX4j92yaROEh1-2FMsHdtSstN7zc8gxU7ETVWVMBRLf6m4dTRruSfSNaLUi9QLq9d7Qfe8VMdKN1j9FMGIYia88728BDNNxRTaT4nSNITRr9JPa4Z1K1vdUocdyCKNcYSZsN8yguI0-2FqNXUfWFuoxnz5MDqwufLzxub8Fw-3D-3D	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	https://na4.docusign.net/Signing/EmailStart.aspx?a=c1ee55e8-d253-4731-bf85-5377494446fc&etti=24&acct=c49653d8-ee55-4f22-afc9-287006261d0b&er=251e9446-3fcb-4714-8d01-feee559625a8	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	https://8jkfw9cqp7ep.z13.web.core.windows.net/?zpbid=78432_55610c1d-9229-11ef-824f-03718b6de7bb#	Get hash	malicious	HTMLPhisher, TechSupportScam	Browse	13.107.246.45
	SecuriteInfo.com.Trojan.Siggen29.57841.15930.23271.exe	Get hash	malicious	RedLine	Browse	13.107.246.45
	https://1drv.ms/o/c/76471f3776916fd0/EomjtsItbi9Ag0bnzrJDx08BhxVWepFoAXrJFoYeR9IZ0A?e=5%3aEFCh5b&sharingv2=true&fromShare=true&at=9	Get hash	malicious	Unknown	Browse	13.107.246.45

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
MICROSOFT-CORP-MSN-AS-BLOCKUS	https://app.pandadoc.com/document/v2?token=a0bcffa175414e2b8694792c4d9ae865b20836dd?	Get hash	malicious	Unknown	Browse	150.171.27.10
	https://app.pandadoc.com/document/v2?token=a0bcffa175414e2b8694792c4d9ae865b20836dd?	Get hash	malicious	Unknown	Browse	150.171.27.10
	Review_&_Aprove_Your_Next_Payroll72588.html	Get hash	malicious	HTMLPhisher	Browse	13.107.246.60
	https://email.email.pandadoc.net/c/eJxUkMtu2zAQRb9G3Dmghg-RCy2cxExQp4WLNCiQTTAihxH9EFWJVtN-fWGg6WM3GMwZnHtD22nRRcNC9ucTDeUlhfbb-GOyDzvX3zxunx_Pw_6jK58co7ZuwDZcW21Y3yqswRIJL41WFmVAHclyVKA8l1ax1AIHWXMQteEWmqsIBmMUmmQTa1K6kpxOmI5XIw4BQ_ZXAxWW5pcyoSfsjtSW6Uzs2PaljHMl1hW4ChyO41_E51MF7l2_ArdAJVzJBxoqcYu88zFi3ShZS4LOaCsbC14Gi2S06oAboUOohGNDLikmjyXl4VIDcBmtFbRSgdNKNkQrNBBX2EkjgUOwXLI8veKQfv6BnrTBz9fXfXgzUjz0_UbfbO4km9olDWnusZL8MGQ64UWcTbSk-TepNvutfcrWPzdvX7ttcDuJqWGlfc_2z7gqOL3Sf5v5crG0wL7n6TCP6OnydL9f1l8m-tCtd026v9X3-U6R-xUAAP__azuhWA	Get hash	malicious	Unknown	Browse	150.171.27.10
	bc3c228ad2c13f96cb14375c3860e802.pdf	Get hash	malicious	HTMLPhisher	Browse	52.98.179.34
	la.bot.sparc.elf	Get hash	malicious	Unknown	Browse	191.233.184.223
	Inv Confirmation.htm	Get hash	malicious	HTMLPhisher	Browse	13.107.246.44
	la.bot.arm5.elf	Get hash	malicious	Unknown	Browse	52.181.233.52
	la.bot.sparc.elf	Get hash	malicious	Unknown	Browse	21.215.245.118
	la.bot.sh4.elf	Get hash	malicious	Unknown	Browse	21.157.124.152

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	https://app.pandadoc.com/document/v2?token=a0bcffa175414e2b8694792c4d9ae865b20836dd?	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://app.pandadoc.com/document/v2?token=a0bcffa175414e2b8694792c4d9ae865b20836dd?	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://www.google.co.uk/url?q=38pQvvq6xRyj7Y00xDjnlx9kIHOSozurMOiaAkImPuQJnOIWtJjqJLi6stjtDz3yh&rct=tTPSrMOiaAkImPuQJnOIWtJjqJLi6stjtFX08pQvvq6xRyj7Y00xDjnlx9kIjusucT&sa=t&url=amp%2Fwe4uproducts.com/cbb/lld/jjg/5BVvnI7cfJ4HfuhWZvVda7dK/am9yZGFuLmJsYWNrQGxlYXJmaWVsZC5jb20=	Get hash	malicious	Unknown	Browse	13.107.246.45
	Review_&_Aprove_Your_Next_Payroll72588.html	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	https://email.email.pandadoc.net/c/eJxUkMtu2zAQRb9G3Dmghg-RCy2cxExQp4WLNCiQTTAihxH9EFWJVtN-fWGg6WM3GMwZnHtD22nRRcNC9ucTDeUlhfbb-GOyDzvX3zxunx_Pw_6jK58co7ZuwDZcW21Y3yqswRIJL41WFmVAHclyVKA8l1ax1AIHWXMQteEWmqsIBmMUmmQTa1K6kpxOmI5XIw4BQ_ZXAxWW5pcyoSfsjtSW6Uzs2PaljHMl1hW4ChyO41_E51MF7l2_ArdAJVzJBxoqcYu88zFi3ShZS4LOaCsbC14Gi2S06oAboUOohGNDLikmjyXl4VIDcBmtFbRSgdNKNkQrNBBX2EkjgUOwXLI8veKQfv6BnrTBz9fXfXgzUjz0_UbfbO4km9olDWnusZL8MGQ64UWcTbSk-TepNvutfcrWPzdvX7ttcDuJqWGlfc_2z7gqOL3Sf5v5crG0wL7n6TCP6OnydL9f1l8m-tCtd026v9X3-U6R-xUAAP__azuhWA	Get hash	malicious	Unknown	Browse	13.107.246.45
	bc3c228ad2c13f96cb14375c3860e802.pdf	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	https://phisher-parts-production-us-east-1.s3.amazonaws.com/68a29cbc-d8f9-4c01-aa8b-704c527e3dea/2024-10-24/hdp1f4m0mtn58r7e5djj3r2baep1oktpuitii5o1/d493f6c6bdfdcf5959ae27c95155d91b5b3c1ce0bab14ef02ea76d7c451b0ee9?response-content-disposition=attachment%3B%20filename%3D%22FaxDocument-873422-Wcepinc-Transmission.html%22%3B%20filename%2A%3DUTF-8%27%27FaxDocument-873422-Wcepinc-Transmission.html&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIA37KREM2QLQCGJML5%2F20241024%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20241024T201816Z&X-Amz-Expires=15711&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEHMaCXVzLWVhc3QtMSJIMEYCIQD5%2BhZvZGN6J3Fxb1eh7JhGJFYatdM4YSe%2FB1Lhu54clwIhAMGxuFEnQyuPv%2FCfNJf%2FM%2Bjk%2FqrMeNeOhUAY3BKeKKVEKogECNz%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEQABoMODIzMTkzMjY1ODI0IgxkadsnklCVctvwMWIq3APvQpQpI58knFBaUI%2FesQH1FJlTX%2BlsdPXwHmIEoA7JJLDUXnDzzteCVoUwvp1olI1h3PTJSpl3WxfIUi7BTzihzEqp3qn85AWXiDO1fWB1MbpD%2FSDfsrqMEgho9OQjpzPsQHM6e%2BmLmZ1yTIHD97Pf%2FN08letrYEZz2NFJVIQrLYTvWQwr2QPEZJyIm0WnuSbbq8Q1iYmha%2FIyVB9ZKxOPpvdgR1ptXZ6oLjzsy%2Bt%2BjafEISWZYsRDWwvLzIujqWG%2B63t%2BpCq3bxmYAsSHjxnzarIm7Hms4AOj9sIvR9pkL0wwD3qkWG7oBYHnb8k0%2B1AzzdJ2e%2FfLVD9TiwcG1KsTEzsabHJpEEBXTzducKIDP%2FcB%2FYcv03kyJnwWzUMaIbwdRV3lLj4itVuLpZpUbOm8RJChRMb83TR2qZdNKkjYktSR42en1uqps%2BU0qDC%2Fg93%2FFw2lIXwuMoTybf1fWYEY2OQz6E5eRoigwQhmg4wJe1ZZgjwP8fEQSG0yo9XZnXr%2FyAu%2BEt2RNzWy2wHuoZk3HVwPs4lWnhTyTcrSndmgKXkfVSpHeqCqkF3xveAbEhd%2F9qQutDIIcWnBBAlsILK5EUpHzYLvkIMYBMTieCtf00%2FFHqO4eOCLX5sGvDCHqeq4BjqkAeyFM5a%2FebzwF4uw87xMbquzIriBZ00BbMxSr1F6iNQrK5eiAmnkSYUYh%2Fp3YJofaU0ox8%2FOVLIHBKp3WtDzd5b5%2F5WwioyMhT1u0BDnhNT%2F%2B11YTTeSy4rC4fIYdhkm7tZrFS9Sa1WIiQXgQiBqqjkRydZT%2FLrmsyVTvK8wBscWkRvZxnU%2Bsi4OUJJHkmJ27ywwC3Ob5nE4D4%2FwrYfIb%2F4HWJO4&X-Amz-SignedHeaders=host&X-Amz-Signature=4bd824e8586cb631d993afbaa40b83fff9764a3fdcecf7e4b686cf1557dfa0d0	Get hash	malicious	Phisher	Browse	13.107.246.45
	Inv Confirmation.htm	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	https://cswlawgroup.artoffice.cloud/	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://onlinepdf-qrsharedfile.com/index.html#XYW5uaWUua3lwcmlhbm91QGxjYXR0ZXJ0b24uY29t	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45

Process:	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1520
Entropy (8bit):	5.0183726539703795
Encrypted:	false
SSDEEP:	24:2dzI4+uTOBzpoD2h9f0lM702X9bh9q02Xiwqh9U02XiSbh9Uydq2X4h9Uy72Xyh2:cK88z2D2ff97DtbfqDtqfUD9bfUywBfW
MD5:	E72FC6D9DAF66E2D8BC9FE37BE8CE4D8
SHA1:	667F95190910D5841E4531330001423CBB8E2030
SHA-256:	B5CCAFA927AF87CEA7E85A2D197C2E841E557B87900665C12FA6F8059B8B9356
SHA-512:	5D56979DBDB586601570DB6AEE666EA1DF489F3EB25285DEDC4A216834955E590158058D6B0C23D084C6C059AD91CF7B7FC32436E572693A96527F3D6E14160C
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	<?xml version="1.0" encoding="utf-8"?>..<clientConfiguration xmlns="http://schemas.microsoft.com/XblWinClient/2012/03" version="1">.. <targetedClient>XblWinClient</targetedClient > .. <rights>Copyright (c) Microsoft Corporation. All rights reserved.</rights>.. <configuration name="Playback" minBuild="16122.1018">.. <property name="UseAdaptiveMediaSourcePercent" value="50" type="int32"/>.. <property name="UseDashContentForMBRSourcePercent" value="100" type="int32"/>.. </configuration>.. <configuration name="Playback" minBuild="16122.1018" maxBuild="17032.1033">.. <property name="UseDashContentForMBRSourcePercentBeforeRS2" value="0" type="int32"/>.. </configuration>.. <configuration name="Playback" minBuild="17032.1034">.. <property name="UseDashContentForMBRSourcePercentBeforeRS2" value="100" type="int32"/>.. </configuration>.. <configuration name="Groveler" minBuild="17063.0" maxBuild="17082.9999">..

C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalCache\PlayReady\Cache\msprcore.bla

Download File

Process:	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe
File Type:	RAGE Package Format (RPF),
Category:	dropped
Size (bytes):	5113
Entropy (8bit):	6.049151355035837
Encrypted:	false
SSDEEP:	96:h8GrB7i5nA4BNMYVUXiksiGAshzcEer1Y/v3QZMhMKUVeNK:h7rB74A8LQifiDR0NK
MD5:	29DA34CF50A1FECB6F9A978F27037709
SHA1:	A5BF8F621DEF9435E902CFCD76D80C60FD776DEC
SHA-256:	2C3271CF7803D76886D4B0E0E0BADEB16DDE9BD9E6E949BD67D3F66F7C1D1FBC
SHA-512:	C77CDFE546BFE8A5A2AC9F87D7A1F4D578CA3262D94CD973C61C2F4042A6262066B8164DA784EDF108F2EB09BA82BC5E084A5EE7E7F4DE21EBCC25D09C05CD5E
Malicious:	false
Reputation:	low
Preview:	PRKF...................................,..............h......P......4.TM.I7........\|.......@..r..7..E9p.fE.l[t...x.`.k.^uR..%..n.w.Aa.k.y..X-.......dz_".Jx..J...... .X...{.8..3uI2....!i.........k.......<......YLBz.K...../..j..\|<....A)............................................@K.K.o..e..(....rK.d..T.."....j..>,]..;2.'..GmS1.......IG.b.{........... ...[..#pR.....<!g#.N.(nC...S.y..i.%.1.I....~.e...................@.A..t..0.7....@....ZVm..;.Gd......"...."..1...Kmz.A.?.N`W.............. ..@....Oeq...&....<.\|.L.,...... ..-F..q....M...................@..r..7..E9p.fE.l[t...x.`.k.^uR..%..n.w.Aa.k.y..X-.......dz_".J...........AU..E.uHXGJv.TK..@#.d1..ju...>$I...`.T..h%/.....=.k...l...i.*...b..R.F..%A5J"4...........P.......@CHAI.......@........CERT...................X..T.2.7.rR..5>[............. ..:..b^t...t.%G...]i......,.d...............................(...<......................................................A..t..0.7....@....ZVm..;.Gd......"...."..1...Kmz.A.?.N

C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalCache\PlayReady\mspr.hds

Download File

Process:	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe
File Type:	data
Category:	dropped
Size (bytes):	528384
Entropy (8bit):	0.013100210675824195
Encrypted:	false
SSDEEP:	12:2qXydmgPtV0wfDXECEesAOScv8jvu4blW4Fi4TlWc8Rn0:2Tdm6JfltsAwCWsInkwXn0
MD5:	A8535AA3BE82631621F136DE216394D0
SHA1:	27E72888C6F8E56FD940FB28878D355F931C4682
SHA-256:	49A9BA9FDC24E224CFBA6CCFAB2083815AF8E46C824625F608AFF495CA8A21C4
SHA-512:	C051C22E202BDAFE45BE13B8F33896C4CD37B51634892284F2A75400369049AB0A9B5DD5127A87CAF24EE2E66B70CD630F129C73357C44395DD1E80A22D3408D
Malicious:	false
Reputation:	low
Preview:	........A.s..%-.i...0...........;rW.a&..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalState\Database\anonymous\EntClientDb.edb

Download File

Process:	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x540dbc3c, page size 8192, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	3670016
Entropy (8bit):	0.13258167272825327
Encrypted:	false
SSDEEP:	1536:nSh2XsKY8ktSh2nKY8kMzyDFqfqbgTC0/k63bBu7fhWx9WKeIB:n6nL76ELap
MD5:	A1D518BA684F6D1274467C0D1A70AB62
SHA1:	EDC28B1B6D94A0485E381A538311683355822C84
SHA-256:	486488914FD6E54BF01BDCAB771250A7187CD8361FB8EFD526C84EB6F9FEBE58
SHA-512:	2AF15DA8DED4F9D7D908C55AAE52D95746D3A1CAC92D14A0AC0BA3FC30E1EE2CF019C7197CB20969B68B7F05DB439DFAD99A4C8A5A25EFAA3B87ADDD1271B194
Malicious:	false
Reputation:	low
Preview:	T..<... .......-................\|...........................................\|..h.............................U.....\|..........................................................................................................eJ........... ...................................................................................................... ............\|...................................................................................................................................................................................................\|..................................[O.......\|..................172v.....\|..........................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalState\Database\anonymous\EntClientDb.jfm

Download File

Process:	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.09267696628234554
Encrypted:	false
SSDEEP:	3:A/teRk/l3lhpXOllcT9i//FjJkllAllnW/llljVvlWk/fus9aclQ1Hkp+1shGl1v:AwRk/1N+/a9e+/ARW/Btocykp4ssv
MD5:	B12E9C669EE69EC2B9D10BB9B7DE14ED
SHA1:	3BAD31462F0079B857EE9E3361B8B6F89491C2B4
SHA-256:	2FBF034C6517547FE607001AF6C8DC7C29B9E3A3D877B55972D1D13B5058B408
SHA-512:	57B59717B604FDDFF5788B4735A36E5619573D6AE70470139EDCE1BFE301C9EC195A8E87D391E8C6387FA10B6A5660C8D41F3393F4723FE9899267CAF3E15968
Malicious:	false
Preview:	.'...........................................\|.......\|.......................\|............(.....\|..................172v.....\|..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalState\Database\anonymous\edb.chk

Download File

Process:	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.6152466552989977
Encrypted:	false
SSDEEP:	24:t5iwZUO/qiwZUO/G/5iwZUO/qiwZUO/G:ziwZUOSiwZUOMiwZUOSiwZUO
MD5:	5ADE39563305E07951F187C7719712D0
SHA1:	02991F06639907AC8884CDA96809972478839E3D
SHA-256:	0F3D1A73C0E80AD6DCE8BA31BC30ACF1FEBF1CE93F5B6F7A7E84992DB4FFF72C
SHA-512:	251B20E18F4C5F64E5E4F32B68DA39A8752C021F57C84998A61F00ED206BC7FA12424B219766CB9C7CD0082A3626EB08FFDAC25788991BC6CC2A3ADB60B4C005
Malicious:	false
Preview:	.k....................U.....\|..................C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalState\Database\anonymous\................................................................................................................................................................C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalState\Database\anonymous\.................................................................................................................................................................0u..,.....................5w.................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalState\Database\anonymous\edb.log

Download File

Process:	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe
File Type:	data
Category:	dropped
Size (bytes):	2097152
Entropy (8bit):	0.6847718733637641
Encrypted:	false
SSDEEP:	1536:Z47ZR1dfEBmHl7DulDu+Oa+ciyizWYWHM3BiN+AKfO4Q56cI15a8AZ5yeh0G32f0:Z47ZRDDnBOZtttiqSjNqvme
MD5:	F80521D533C89EAAC33455411A269F73
SHA1:	2F3DB489C9F3A7F568604DAB5656D194B1216810
SHA-256:	80EF0460A8EE1FE02A22BD55952DE5B199DD92A1F6123D28B61A3846F811E40F
SHA-512:	1495E58E89FBBF2EA3F55928AD17DB6797AB5DC736C64182A88C0D31C4AFD5180A03687147C7594ED2DE70BC05D07CEBA4A1B6D0B3859F4217D739557FE7CBE0
Malicious:	false
Preview:	&.............. .....\|........................U.....\|..................C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalState\Database\anonymous\................................................................................................................................................................C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalState\Database\anonymous\.................................................................................................................................................................0u..,.....................5w.......................................#.................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalState\Database\anonymous\edbres00001.jrs

Download File

Process:	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe
File Type:	data
Category:	dropped
Size (bytes):	2097152
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	B2D1236C286A3C0704224FE4105ECA49
SHA1:	7D76D48D64D7AC5411D714A4BB83F37E3E5B8DF6
SHA-256:	5647F05EC18958947D32874EEB788FA396A05D0BAB7C1B71F112CEB7E9B31EEE
SHA-512:	731859029215873FDAC1C9F2F8BD25A334ABF0F3A9E1B057CF2CACC2826D86B0C26A3FA920A936421401C0471F38857CB53BA905489EA46B185209FDFF65B3B6
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalState\Database\anonymous\edbres00002.jrs

Download File

Process:	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe
File Type:	data
Category:	dropped
Size (bytes):	2097152
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	B2D1236C286A3C0704224FE4105ECA49
SHA1:	7D76D48D64D7AC5411D714A4BB83F37E3E5B8DF6
SHA-256:	5647F05EC18958947D32874EEB788FA396A05D0BAB7C1B71F112CEB7E9B31EEE
SHA-512:	731859029215873FDAC1C9F2F8BD25A334ABF0F3A9E1B057CF2CACC2826D86B0C26A3FA920A936421401C0471F38857CB53BA905489EA46B185209FDFF65B3B6
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalState\Database\anonymous\edbtmp.log

Download File

Process:	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe
File Type:	data
Category:	dropped
Size (bytes):	2097152
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	B2D1236C286A3C0704224FE4105ECA49
SHA1:	7D76D48D64D7AC5411D714A4BB83F37E3E5B8DF6
SHA-256:	5647F05EC18958947D32874EEB788FA396A05D0BAB7C1B71F112CEB7E9B31EEE
SHA-512:	731859029215873FDAC1C9F2F8BD25A334ABF0F3A9E1B057CF2CACC2826D86B0C26A3FA920A936421401C0471F38857CB53BA905489EA46B185209FDFF65B3B6
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalState\Database\anonymous\tmp.edb

Download File

Process:	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0xe269de7d, page size 8192, JustCreated, Windows version 0.0
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.023931992643941177
Encrypted:	false
SSDEEP:	12:a0as80as2YRXfadAsAlBsRb8lBQBQnoAw8clNzV4RGqzTLkrvu+R3upq:kYRSdjJTByXUNzVkNzTLsuu3uU
MD5:	CC271F8D36CEFDAEEAAF72CE44DEBBF1
SHA1:	63F03DF8D997F77D074E3D63B6F6E60C7733807A
SHA-256:	B105CAD50F1EE0945A9DBF55BB70A4B67F621390FCAF6FC1D575986E94E33804
SHA-512:	7082BBD4B7415D486D5582188B18FA30B80FAE78BEF1F8D7BDFBAE51A2E4CE5EC4E4FCB2E5CE86931EC2B83167A2D33E07BDAC093920B3E9F641F6B49C31147F
Malicious:	false
Preview:	.i.}... .......@........).......\|........................................................................................................................................................................................................... ...................................................................................................... ...................................................................................................................................................................................................................................................6`.W.....\|......................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalState\SRPData.xml (copy)

Download File

Process:	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	265
Entropy (8bit):	4.855175721763919
Encrypted:	false
SSDEEP:	6:e28IqUHeE7PnC8vPNhy5mOo9YEGmNrDnb:eCznv3O7FsrDnb
MD5:	7B730C8AC0AC9A84959341ED4556E660
SHA1:	2ACAB75EC054540C21F1BDCDF7FBB5063F5F2150
SHA-256:	273C04BEC221B177D09CCEB5B5B686FA7FAE25221D6748B448CF9D798ED43283
SHA-512:	55C96A06C6FF0E971EF09674E624EEB89D230DA2F3E3FCDB3EB9E9920051DA828983AFCBBCA0690043B6ADD352F1F02F120508FBB823CF7C2BDE229905108832
Malicious:	false
Preview:	<SRPData version="1" sessionId="1"><Outcomes><Outcome id="videoCompleted" timesOccurred="0" /></Outcomes><Threshold launches="1" daysLaunched="1" dayOfLastLaunch="24" monthOfLastLaunch="10" yearOfLastLaunch="2024" userHasAccepted="false" timesPolled="0"/></SRPData>

C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalState\SRPData.xml.~tmp

Download File

Process:	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	265
Entropy (8bit):	4.855175721763919
Encrypted:	false
SSDEEP:	6:e28IqUHeE7PnC8vPNhy5mOo9YEGmNrDnb:eCznv3O7FsrDnb
MD5:	7B730C8AC0AC9A84959341ED4556E660
SHA1:	2ACAB75EC054540C21F1BDCDF7FBB5063F5F2150
SHA-256:	273C04BEC221B177D09CCEB5B5B686FA7FAE25221D6748B448CF9D798ED43283
SHA-512:	55C96A06C6FF0E971EF09674E624EEB89D230DA2F3E3FCDB3EB9E9920051DA828983AFCBBCA0690043B6ADD352F1F02F120508FBB823CF7C2BDE229905108832
Malicious:	false
Preview:	<SRPData version="1" sessionId="1"><Outcomes><Outcome id="videoCompleted" timesOccurred="0" /></Outcomes><Threshold launches="1" daysLaunched="1" dayOfLastLaunch="24" monthOfLastLaunch="10" yearOfLastLaunch="2024" userHasAccepted="false" timesPolled="0"/></SRPData>

C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\Settings\settings.dat

Download File

Process:	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	1.830368188589728
Encrypted:	false
SSDEEP:	96:DJ+KuGiQqlDxU5BZTZs1FB39PtsRe33RZs6TK7Cmkf:V+KubxUzxZQPFs6TeC
MD5:	61E6FF985A867B5F51D472E699C4B4D8
SHA1:	E1A9429C5E7009BC90A031DA8F2552242724A70A
SHA-256:	7CA17E91FE22C533DDA4E39ECE9796BB37D3C8EBBC42B85770EF9AE83904799B
SHA-512:	76D7FBB871060BE57DE444ECFFD28D84D147AB46FEFC1BC8F3437B11682394A53CCC6C4078CBE78EF1D92AF122E588EEF09C73E9D2F848F7D7F3FEB65A99B957
Malicious:	false
Preview:	regf........b.Q.7.................. .... ......y.b.3.d.8.b.b.w.e.\.S.e.t.t.i.n.g.s.\.s.e.t.t.i.n.g.s...d.a.t...y..j.....J.....y..j.....J.........z..j.....J.....rmtmr..a&................................................................................................................................................................................................................................................................................................................................................SP........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\Settings\settings.dat.LOG1

Download File

Process:	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	2.3450732222142663
Encrypted:	false
SSDEEP:	96:YJCBKuGiQqlDxU5BZTZs1FB39PtsRe33RZs6TK7Cmkf:8CBKubxUzxZQPFs6TeC
MD5:	A881B61C41BEAB30647CDEF26EB9BF03
SHA1:	B6FFA17BE2CAC3C21C1F0FC0E8651E04932AEB6D
SHA-256:	B3DAB74A9850A6C545B0BFDA70286DE34A7DF6C9F8602D4014E5D8F2461F4E41
SHA-512:	5AE9E35B203F04914798626EFA2CA19DABF9FD9F25D539ACA0A61C2F9A14FDF1F5451F83885DEAE1C71B86988E43A6532E03031291F9076B780325ACFCA1731B
Malicious:	false
Preview:	regf........b.Q.7.................. .... ......y.b.3.d.8.b.b.w.e.\.S.e.t.t.i.n.g.s.\.s.e.t.t.i.n.g.s...d.a.t...y..j.....J.....y..j.....J.........z..j.....J.....rmtmr..a&................................................................................................................................................................................................................................................................................................................................................SPHvLE............. ........Z.....h..s'....... ..hbin................b.Q.7..........nk,.T...7..................................x...............................Test....p...sk..h...h.......t.......H...X.............4.........?.......................?....................... ... ...............YQ..fr]%dc;.............nk ..._.a&..................................h...............................Configuration...p...sk..x...x.......t.......H...X.............4.........?.......................

Static File Info

General

File type:	ISO Media, HEIF Image HEVC Main or Main Still Picture Profile
Entropy (8bit):	7.9996036084444295
TrID:	Generic MP4 container (3007/2) 59.98% MacBinary 2 header (1003/3) 20.01% Adobe PhotoShop Brush (1003/3) 20.01%
File name:	IMG_3552.mp4
File size:	3'119'675 bytes
MD5:	9717a09d40bc1178aaf2841d68fb03a8
SHA1:	e0ad4a4582e00f335cd02ae62efd3267ebcb4d0f
SHA256:	03f0d2cc8723bdadbcd41c081fa77018351cb12402b362ce4d7a93cd6049a909
SHA512:	026534b31e0d9a2037be505963e7d6e730b1b0a7299c61cefb239c51cac4c1693eed05ca9e9dff5bcaeec58fc5099049ba9606a84751bff9adef8cf612c254c6
SSDEEP:	49152:HK2aCtHl8VbK/d111YYZfKJdayQF8hEhNfKLd3Dq1s+14fs3YrdiHkhmCDHkhPsw:BaCM6jRZyJdaPKGQdTIs+yjrEHq7DHkv
TLSH:	91E533642F02D805F858EDBD31C634038407A7E916FF5BADB50D72822F8ED54AAA771E
File Content Preview:	...$ftypheic....mif1MiHEmiafMiHBheic....meta.......!hdlr........pict................$dinf....dref............url ........pitm.....1....iinf.....A....infe........hvc1.....infe........hvc1.....infe........hvc1.....infe........hvc1.....infe........hvc1.....i

File Icon


Icon Hash:	74f0dcc4c4c4e0e4

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 25, 2024 00:12:25.909024954 CEST	49800	443	192.168.2.9	13.107.246.45
Oct 25, 2024 00:12:25.909050941 CEST	443	49800	13.107.246.45	192.168.2.9
Oct 25, 2024 00:12:25.909147024 CEST	49800	443	192.168.2.9	13.107.246.45
Oct 25, 2024 00:12:25.938637972 CEST	49800	443	192.168.2.9	13.107.246.45
Oct 25, 2024 00:12:25.938654900 CEST	443	49800	13.107.246.45	192.168.2.9
Oct 25, 2024 00:12:26.682276011 CEST	443	49800	13.107.246.45	192.168.2.9
Oct 25, 2024 00:12:26.682347059 CEST	49800	443	192.168.2.9	13.107.246.45
Oct 25, 2024 00:12:26.684577942 CEST	49800	443	192.168.2.9	13.107.246.45
Oct 25, 2024 00:12:26.684587955 CEST	443	49800	13.107.246.45	192.168.2.9
Oct 25, 2024 00:12:26.684848070 CEST	443	49800	13.107.246.45	192.168.2.9
Oct 25, 2024 00:12:26.685992002 CEST	49800	443	192.168.2.9	13.107.246.45
Oct 25, 2024 00:12:26.727341890 CEST	443	49800	13.107.246.45	192.168.2.9
Oct 25, 2024 00:12:26.945960045 CEST	443	49800	13.107.246.45	192.168.2.9
Oct 25, 2024 00:12:26.945987940 CEST	443	49800	13.107.246.45	192.168.2.9
Oct 25, 2024 00:12:26.946048021 CEST	443	49800	13.107.246.45	192.168.2.9
Oct 25, 2024 00:12:26.946108103 CEST	49800	443	192.168.2.9	13.107.246.45
Oct 25, 2024 00:12:26.946185112 CEST	49800	443	192.168.2.9	13.107.246.45
Oct 25, 2024 00:12:26.987937927 CEST	49800	443	192.168.2.9	13.107.246.45
Oct 25, 2024 00:12:26.987961054 CEST	443	49800	13.107.246.45	192.168.2.9
Oct 25, 2024 00:12:26.987973928 CEST	49800	443	192.168.2.9	13.107.246.45
Oct 25, 2024 00:12:26.987982035 CEST	443	49800	13.107.246.45	192.168.2.9
Oct 25, 2024 00:12:27.246014118 CEST	49810	443	192.168.2.9	13.107.246.45
Oct 25, 2024 00:12:27.246062040 CEST	443	49810	13.107.246.45	192.168.2.9
Oct 25, 2024 00:12:27.246148109 CEST	49810	443	192.168.2.9	13.107.246.45
Oct 25, 2024 00:12:27.255070925 CEST	49810	443	192.168.2.9	13.107.246.45
Oct 25, 2024 00:12:27.255098104 CEST	443	49810	13.107.246.45	192.168.2.9
Oct 25, 2024 00:12:28.065828085 CEST	443	49810	13.107.246.45	192.168.2.9
Oct 25, 2024 00:12:28.065916061 CEST	49810	443	192.168.2.9	13.107.246.45
Oct 25, 2024 00:12:28.068723917 CEST	49810	443	192.168.2.9	13.107.246.45
Oct 25, 2024 00:12:28.068737984 CEST	443	49810	13.107.246.45	192.168.2.9
Oct 25, 2024 00:12:28.068958044 CEST	443	49810	13.107.246.45	192.168.2.9
Oct 25, 2024 00:12:28.070617914 CEST	49810	443	192.168.2.9	13.107.246.45
Oct 25, 2024 00:12:28.070674896 CEST	49810	443	192.168.2.9	13.107.246.45
Oct 25, 2024 00:12:28.070684910 CEST	443	49810	13.107.246.45	192.168.2.9
Oct 25, 2024 00:12:28.355932951 CEST	443	49810	13.107.246.45	192.168.2.9
Oct 25, 2024 00:12:28.355962992 CEST	443	49810	13.107.246.45	192.168.2.9
Oct 25, 2024 00:12:28.355998993 CEST	443	49810	13.107.246.45	192.168.2.9
Oct 25, 2024 00:12:28.356014013 CEST	49810	443	192.168.2.9	13.107.246.45
Oct 25, 2024 00:12:28.356025934 CEST	443	49810	13.107.246.45	192.168.2.9
Oct 25, 2024 00:12:28.356040001 CEST	443	49810	13.107.246.45	192.168.2.9
Oct 25, 2024 00:12:28.356054068 CEST	49810	443	192.168.2.9	13.107.246.45
Oct 25, 2024 00:12:28.356076002 CEST	49810	443	192.168.2.9	13.107.246.45
Oct 25, 2024 00:12:28.394475937 CEST	49810	443	192.168.2.9	13.107.246.45
Oct 25, 2024 00:12:28.394501925 CEST	443	49810	13.107.246.45	192.168.2.9
Oct 25, 2024 00:12:28.394515038 CEST	49810	443	192.168.2.9	13.107.246.45
Oct 25, 2024 00:12:28.394521952 CEST	443	49810	13.107.246.45	192.168.2.9

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 25, 2024 00:12:24.864255905 CEST	64677	53	192.168.2.9	1.1.1.1
Oct 25, 2024 00:12:43.491719007 CEST	53	59584	162.159.36.2	192.168.2.9
Oct 25, 2024 00:12:44.114720106 CEST	59557	53	192.168.2.9	1.1.1.1
Oct 25, 2024 00:12:44.122520924 CEST	53	59557	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 25, 2024 00:12:24.864255905 CEST	192.168.2.9	1.1.1.1	0x3b2b	Standard query (0)	settings-ssl.xboxlive.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 00:12:44.114720106 CEST	192.168.2.9	1.1.1.1	0x9182	Standard query (0)	18.31.95.13.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 25, 2024 00:12:08.315341949 CEST	1.1.1.1	192.168.2.9	0x7e43	No error (0)	shed.dual-low.s-part-0036.t-0009.t-msedge.net	s-part-0036.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 00:12:08.315341949 CEST	1.1.1.1	192.168.2.9	0x7e43	No error (0)	s-part-0036.t-0009.t-msedge.net		13.107.246.64	A (IP address)	IN (0x0001)	false
Oct 25, 2024 00:12:24.875300884 CEST	1.1.1.1	192.168.2.9	0x3b2b	No error (0)	settings-ssl.xboxlive.com	settings-ssl.xboxlive.com.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 00:12:25.908014059 CEST	1.1.1.1	192.168.2.9	0x777b	No error (0)	ep-afd-activation-cubaf8a6apchfsg5.z01.azurefd.net	star-azurefd-prod.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 00:12:25.908014059 CEST	1.1.1.1	192.168.2.9	0x777b	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 00:12:25.908014059 CEST	1.1.1.1	192.168.2.9	0x777b	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false
Oct 25, 2024 00:12:44.122520924 CEST	1.1.1.1	192.168.2.9	0x9182	Name error (3)	18.31.95.13.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

HTTP Request Dependency Graph

activation2.playready.microsoft.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49800	13.107.246.45	443	1516	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-24 22:12:26 UTC	200	OUT	GET /PlayReady/ACT/Activation.asmx?WSDL&Client=Win10&LinkId=613387 HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Microsoft-PlayReady-DRM/1.0 Host: activation2.playready.microsoft.com
2024-10-24 22:12:26 UTC	350	IN	HTTP/1.1 200 OK Date: Thu, 24 Oct 2024 22:12:26 GMT Content-Type: text/xml; charset=utf-8 Content-Length: 6250 Connection: close Cache-Control: private, max-age=0 X-AspNet-Version: 4.0.30319 X-Powered-By: ASP.NET x-azure-ref: 20241024T221226Z-15b8d89586ff5l62aha9080wv000000000x0000000006tmu X-Cache: CONFIG_NOCACHE Accept-Ranges: bytes
2024-10-24 22:12:26 UTC	6250	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 77 73 64 6c 3a 64 65 66 69 6e 69 74 69 6f 6e 73 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 31 32 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 77 73 64 6c 2f 73 6f 61 70 31 32 2f 22 20 78 6d 6c 6e 73 3a 68 74 74 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 77 73 64 6c 2f 68 74 74 70 2f 22 20 78 6d 6c 6e 73 3a 6d 69 6d 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 77 73 64 6c 2f 6d 69 6d 65 Data Ascii: <?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:s="http://www.w3.org/2001/XMLSchema" xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/" xmlns:http="http://schemas.xmlsoap.org/wsdl/http/" xmlns:mime="http://schemas.xmlsoap.org/wsdl/mime

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.9	49810	13.107.246.45	443	1516	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-24 22:12:28 UTC	595	OUT	POST /PlayReady/ACT/Activation.asmx HTTP/1.1 Connection: Keep-Alive Content-Type: text/xml; charset=utf-8 Accept: / User-Agent: Microsoft-PlayReady-DRM/1.0 x-playready-info: OSVersion=10.0; ClientDllVersion=Windows.Media.Protection.PlayReady.dll/10.0.19041.2006 (WinBuild.160101.0800); Session=bd658ae49cf14753f24fddb21ec89b52; StoreAppID=Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo; X-XblCorrelationId: 4984944002049569559 SOAPAction: "http://schemas.microsoft.com/PlayReady/ActivationService/v1/Activate" Content-Length: 3580 Host: activation2.playready.microsoft.com
2024-10-24 22:12:28 UTC	3580	OUT	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 63 74 69 76 61 74 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><Activate xmlns="http://schemas.micro
2024-10-24 22:12:28 UTC	350	IN	HTTP/1.1 200 OK Date: Thu, 24 Oct 2024 22:12:28 GMT Content-Type: text/xml; charset=utf-8 Content-Length: 7264 Connection: close Cache-Control: private, max-age=0 X-AspNet-Version: 4.0.30319 X-Powered-By: ASP.NET x-azure-ref: 20241024T221228Z-r197bdfb6b4gx6v9pg74w9f47s00000001cg00000000dhe0 X-Cache: CONFIG_NOCACHE Accept-Ranges: bytes
2024-10-24 22:12:28 UTC	7264	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 63 74 69 76 61 74 65 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body><ActivateResponse xmlns="http://schem

Target ID:	2
Start time:	18:12:12
Start date:	24/10/2024
Path:	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe" -ServerName:Microsoft.ZuneVideo.AppX758ya5sqdjd98rx6z7g95nw6jy7bqx9y.mca
Imagebase:	0x7ff797770000
File size:	25'966'080 bytes
MD5 hash:	FE340ECB1D09B5BAA66DFE25AF11654F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Function 00000199BF9A35D3 Relevance: 6.5, Strings: 3, Instructions: 2754COMMON

Download Yara Rule

Strings

, xrefs: 00000199BF9A4181
, xrefs: 00000199BF9A3DBD
, xrefs: 00000199BF9A3740

Memory Dump Source

Source File: 00000002.00000002.2624125770.00000199BF9A0000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000199BF9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_199bf9a0000_Video.jbxd

Similarity

API ID:
String ID: $ $
API String ID: 0-3665324030
Opcode ID: ce92b16094f7286cd3b2e6b1c5a8d1b1838ca636ac348445c190fd0dfaed07e6
Instruction ID: e312952d966713b2f138c203098716c3539835c3617aae7dff7ee2f194c2d2dc
Opcode Fuzzy Hash: ce92b16094f7286cd3b2e6b1c5a8d1b1838ca636ac348445c190fd0dfaed07e6
Instruction Fuzzy Hash: 03138036614D1D8BDB66EB5CEC55BEA73E5FB64311F14012AC80BC31A4EF39E9468B80

Function 00000199BF9AA352 Relevance: .8, Instructions: 801COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2624125770.00000199BF9A0000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000199BF9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_199bf9a0000_Video.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be10e2c7524794fd1697c740bc645ac0397085899cb199c3a89f5ddf5bd1040c
Instruction ID: 7b2cb232981309f0458ed355119ab3a0d27aa9041ddffd5d68f977461daa8b6c
Opcode Fuzzy Hash: be10e2c7524794fd1697c740bc645ac0397085899cb199c3a89f5ddf5bd1040c
Instruction Fuzzy Hash: 2C42CF34218A4C8FDBAAEF1CD894BE977E1FB59311F14416ED84FCB291DA39D9058B40

Function 00000199C2154889 Relevance: .6, Instructions: 564COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2625622400.00000199C2150000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000199C2150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_199c2150000_Video.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb8faa067775f6e86767575ff679b5c457500833d5ce7a61697e8c9454539664
Instruction ID: 3f0213c1e3995859747d71c53e5ab59cadc2f3c0f2e24da6b8a99c7e94bbba88
Opcode Fuzzy Hash: bb8faa067775f6e86767575ff679b5c457500833d5ce7a61697e8c9454539664
Instruction Fuzzy Hash: 1BF19031618E0C8FDF69EF1CDC95AE973E5EB65310F0402AAD80AD7295DE34E9468BC1

Function 00000199BF9A2041 Relevance: .3, Instructions: 342COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2624125770.00000199BF9A0000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000199BF9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_199bf9a0000_Video.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe7fef7a75a044fe95ad06d229b801c63ae55c36ff6289ce6f28fabb1129bc91
Instruction ID: 5108040ea5c1797f252ece477d6dce1d7b0427c33670e32bda6420c73297d579
Opcode Fuzzy Hash: fe7fef7a75a044fe95ad06d229b801c63ae55c36ff6289ce6f28fabb1129bc91
Instruction Fuzzy Hash: 43B1AF31618E1C8FDB5AEF5CD891BE973E1FB65311B04026AD80AC7295DF39E9098BC1

Function 00000199C21565FC Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2625622400.00000199C2150000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000199C2150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_199c2150000_Video.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c41ab8a5acefa49825db216e35f7bd342f8df75155c04ab4ba191c80a2d9d65
Instruction ID: a96b0cfacb3a5600ccf9552e917e425989e9d0e63b12a07beb819939e45211e5
Opcode Fuzzy Hash: 4c41ab8a5acefa49825db216e35f7bd342f8df75155c04ab4ba191c80a2d9d65
Instruction Fuzzy Hash: 5B51A43161CA4C8FDF1ADF18D891BE973E1EB59310F0002AAD90AD7295EF34E94587C1

Function 00000199C21532F3 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2625622400.00000199C2150000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000199C2150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_199c2150000_Video.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2f8a8309cc72a766178a7db8a4844e4644fa5cf97c6444eddc88af2da4115f5
Instruction ID: 96f2266b270b1fbc18926ae4754db8127440daaca7e6dbffdf353271f653554d
Opcode Fuzzy Hash: c2f8a8309cc72a766178a7db8a4844e4644fa5cf97c6444eddc88af2da4115f5
Instruction Fuzzy Hash: C031183130CF4C8FDF99EF2DD89066A73E2FBA9310B0509AED58AC7255DA34E8458B41

Function 00000199C21544AA Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2625622400.00000199C2150000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000199C2150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_199c2150000_Video.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8847730a5ce9b84ebf3439c39bb8d7ebd404a5a170024e21c1c6fd5dcc648e8b
Instruction ID: c69ba2174c3723eb6a6ff44e7657f34062f59ef0a29fa3c8e2856ce5ec21dfb5
Opcode Fuzzy Hash: 8847730a5ce9b84ebf3439c39bb8d7ebd404a5a170024e21c1c6fd5dcc648e8b
Instruction Fuzzy Hash: 3821AF3120CB488FEB59DF18D8916AAB7E1FBA4310F1445BEE88AC7295EB74D5428B41

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report IMG_3552.mp4

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\AC\INetCache\7FA32KII\configuration[1].xml

C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalCache\PlayReady\Cache\msprcore.bla

C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalCache\PlayReady\mspr.hds

C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalState\Database\anonymous\EntClientDb.edb

C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalState\Database\anonymous\EntClientDb.jfm

C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalState\Database\anonymous\edb.chk

C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalState\Database\anonymous\edb.log

C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalState\Database\anonymous\edbres00001.jrs

C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalState\Database\anonymous\edbres00002.jrs

C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalState\Database\anonymous\edbtmp.log

C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalState\Database\anonymous\tmp.edb

C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalState\SRPData.xml (copy)

C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalState\SRPData.xml.~tmp

C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\Settings\settings.dat

C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\Settings\settings.dat.LOG1

Static File Info

General

File Icon

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Windows Analysis Report
IMG_3552.mp4