ID: Cookbook: urldownload.jbs Time: 20:31:48 Date: 13/04/2018 Version:



Table of Contents

Analysis Report
  Overview
    Information
    Detection
    Confidence
    Classification
    Analysis Advice
    Signature Overview
      Key, Mouse, Clipboard, Microphone and Screen Capturing
      Networking
      Stealing of Sensitive Information
      Persistence and Installation Behavior
      Spreading
      System Summary
      HIPS / PFW / Operating System Protection Evasion
      Anti Debugging
      Malware Analysis System Evasion
      Hooking and other Techniques for Hiding and Protection
      Language, Device and Operating System Detection
    Behavior Graph
  Simulations
    Behavior and APIs
  Antivirus Detection
    Initial Sample
    Dropped Files
    Unpacked PE Files
    Domains
  Yara Overview
    Initial Sample
    PCAP (Network Traffic)
    Dropped Files
    Memory Dumps
    Unpacked PEs
  Joe Sandbox View / Context
    IPs
    Domains
    ASN
    Dropped Files
  Screenshots
  Startup
  Created / dropped Files
  Contacted Domains/Contacted IPs
    Contacted Domains
    Contacted IPs
  Static File Info
    No static file info
  Network Behavior
    Network Port Distribution
    TCP Packets
    UDP Packets
    DNS Queries
    DNS Answers
    HTTP Request Dependency Graph
    HTTP Packets
  Code Manipulations
  Statistics
    Behavior
  System Behavior
    Analysis cmd.exe PID: 3644 Parent PID: 748
    Analysis wget.exe PID: 3692 Parent PID: 3644
    Analysis wmplayer.exe PID: 3808 Parent PID: 3320
      Registry Activities
    Analysis msdt.exe PID: 3984 Parent PID: 3808
      Registry Activities
    Analysis msdt.exe PID: 3992 Parent PID: 3808
      File Deleted
    Analysis msdt.exe PID: 4052 Parent PID: 3808
      File Deleted
    Analysis msdt.exe PID: 4068 Parent PID: 3808
      File Deleted
    Analysis sdiagnhost.exe PID: 4092 Parent PID: 548
      File Read
    Analysis msdt.exe PID: 2164 Parent PID: 3808
      File Deleted
    Analysis msdt.exe PID: 2300 Parent PID: 3808
      File Deleted
    Analysis msdt.exe PID: 2468 Parent PID: 3808
      File Deleted
    Analysis msdt.exe PID: 2288 Parent PID: 3808
      File Deleted
    Analysis msdt.exe PID: 2428 Parent PID: 3808
      File Deleted
    Analysis msdt.exe PID: 2420 Parent PID: 3808
      File Deleted
  Disassembly
    Code Analysis

Copyright Joe Security LLC 2018

Analysis Report

Overview

Information
  Joe Sandbox Version:
  Analysis ID:
  Start time: 20:31:48
  Start date: 13/04/2018
  Joe Sandbox Product: CloudBasic
  Overall analysis duration: 0h 5m 33s
  Hypervisor based Inspection enabled:
  Report type: light
  Cookbook file name: urldownload.jbs
  Sample URL: http://c5x8i7c7.ssl.hwcdn.net/vplayer-parallel/ _1740/ima_html5/minimal.mp4
  Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java )
  Number of analysed new started processes analysed: 18
  Number of new started drivers analysed: 0
  Number of existing processes analysed: 0
  Number of existing drivers analysed: 0
  Number of injected processes analysed: 0
  Technologies: HCA enabled, EGA enabled, HDC enabled
  Analysis stop reason: Timeout
  Detection: SUS
  Classification: sus29.win@25/36@1/2
  HCA Information: Successful, ratio: 100%; Number of executed functions: 0; Number of non-executed functions: 0
  EGA Information: Failed
  HDC Information: Failed
  Cookbook Comments:
    - Adjust boot time
    - Correcting counters for adjusted boot time
  Warnings:
    - Exclude process from analysis (whitelisted): conhost.exe, dllhost.exe
    - Report size exceeded maximum capacity and may have missing behavior information.
    - Report size getting too big, too many NtAllocateVirtualMemory calls found.
    - Report size getting too big, too many NtOpenFile calls found.
    - Report size getting too big, too many NtOpenKeyEx calls found.
    - Report size getting too big, too many NtQueryAttributesFile calls found.
    - Report size getting too big, too many NtQueryValueKey calls found.
    - Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: sdiagnhost.exe

Detection
  Strategy: Threshold
  Score:
  Range:
  Reporting: Report FP / FN
  Detection:

Confidence
  Strategy: Threshold
  Score:
  Range:
  Further Analysis Required?: true

Classification

  (radar chart; axes: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware; rings: malicious, suspicious, clean)

Analysis Advice
  - Sample is looking for USB drives. Launch the sample with the USB Fake Disk cookbook
  - Sample monitors Window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook
  - Sample searches for specific file, try point organization specific fake files to the analysis machine
  - Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Signature Overview

Key, Mouse, Clipboard, Microphone and Screen Capturing:
  - Creates a window with clipboard capturing capabilities

Networking:
  - Downloads files
  - Downloads files from webservers via HTTP
  - Found strings which match to known social media urls
  - Performs DNS lookups
  - Urls found in memory or binary data

Stealing of Sensitive Information:
  - Steals Internet Explorer cookies

Persistence and Installation Behavior:
  - Installs new ROOT certificates
  - Drops PE files
  - Drops PE files to the windows directory (C:\Windows)
  - May use bcdedit to modify the Windows boot settings

Spreading:
  - Checks for available system drives (often done to infect USB drives)
  - Enumerates the file system

System Summary:
  - Creates files inside the system directory
  - Creates mutexes
  - PE file contains strange resources
  - PE file does not import any functions
  - Reads the hosts file
  - Tries to load missing DLLs
  - PE file contains only one section
  - Classification label
  - Creates files inside the program directory
  - Creates files inside the user directory
  - Creates temporary files
  - Parts of this application are using the .net runtime (Probably coded in C#)
  - Reads ini files
  - Reads software policies
  - Spawns processes
  - Uses an in-process (OLE) Automation server
  - Found GUI installer (many successful clicks)
  - Uses Rich Edit Controls
  - Found graphical window changes (likely an installer)
  - Uses Microsoft Silverlight
  - Creates a directory in C:\Program Files
  - Uses new MSVCR Dlls
  - Binary contains paths to debug symbols

HIPS / PFW / Operating System Protection Evasion:
  - Very long cmdline option found, this is very uncommon (may be encrypted or packed)
  - May try to detect the Windows Explorer process (often used for injection)

Anti Debugging:
  - Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
  - Enables debug privileges
  - Creates guard pages, often used to prevent reverse engineering and debugging

Malware Analysis System Evasion:
  - Enumerates the file system
  - Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
  - May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
  - Queries a list of all running processes

Hooking and other Techniques for Hiding and Protection:
  - Disables application error messages (SetErrorMode)

Language, Device and Operating System Detection:
  - Queries the volume information (name, serial number etc) of a device
  - Queries the cryptographic machine GUID

Behavior Graph

  Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious
  ID:
  URL:
  Startdate: 13/04/2018
  Architecture: WINDOWS
  Score: 29
  Graph content (as far as the rendered graph is recoverable):
    - cmd.exe started wget.exe (C, C++ or other language)
    - wget.exe: c5x8i7c7.ssl.hwcdn.net, ports 49170, 80, HIGHWINDS3-HighwindsNetworkGroupIncUS, United States
    - DNS: ports 52046, 53, GOOGLE-GoogleIncUS, United States
    - wmplayer.exe started msdt.exe, msdt.exe, msdt.exe and 7 other processes
    - msdt.exe dropped C:\Windows\Temp\...\DiagPackage.dll.mui (PE32) and C:\Windows\Temp\...\DiagPackage.dll (PE32)
    - sdiagnhost.exe
    - Signature on the graph: Installs new ROOT certificates

Simulations

Behavior and APIs
  No simulations

Antivirus Detection

Initial Sample
  Detection: 0%, Scanner: virustotal

Dropped Files
  C:\Windows\Temp\SDIAG_ ff-4dc fb236c5e83bf\DiagPackage.dll: 0% (virustotal)
  C:\Windows\Temp\SDIAG_ ff-4dc fb236c5e83bf\DiagPackage.dll: 0% (metadefender)
  C:\Windows\Temp\SDIAG_ ff-4dc fb236c5e83bf\en-US\DiagPackage.dll.mui: 0% (virustotal)

Unpacked PE Files
  No Antivirus matches

Domains
  c5x8i7c7.ssl.hwcdn.net: 0% (virustotal)

Yara Overview
  Initial Sample: No yara matches
  PCAP (Network Traffic): No yara matches
  Dropped Files: No yara matches
  Memory Dumps: No yara matches
  Unpacked PEs: No yara matches

Joe Sandbox View / Context
  IPs: No context
  Domains: No context
  ASN: No context
  Dropped Files: No context

Screenshots

Startup

System is w7
  cmd.exe (PID: 3644, cmdline: C:\Windows\system32\cmd.exe /c wget -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent=' Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' ' > cmdline.out 2>&1, MD5: AD7B9C14083B52BC532FBA B98)
    wget.exe (PID: 3692, cmdline: wget -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' ', MD5: 3DADB6E2ECE9C4B3E1E322E617658B60)
  wmplayer.exe (PID: 3808, cmdline: '' /prefetch:6 /Open 'C:\Users\user\Desktop\download\minimal.mp4.mov', MD5: C5CCC59506C897319FA05FE9D8DF79C3)
    msdt.exe (PID: 3984, cmdline: 'C:\Windows\System32\msdt.exe' -id WindowsMediaPlayerLibraryDiagnostic, MD5: F67A64C46DE AF682802F5BA6) cleanup
    msdt.exe (PID: 3992, cmdline: 'C:\Windows\System32\msdt.exe' -id WindowsMediaPlayerLibraryDiagnostic, MD5: F67A64C46DE AF682802F5BA6)
    msdt.exe (PID: 4052, cmdline: 'C:\Windows\System32\msdt.exe' -id WindowsMediaPlayerLibraryDiagnostic, MD5: F67A64C46DE AF682802F5BA6)
    msdt.exe (PID: 4068, cmdline: 'C:\Windows\System32\msdt.exe' -id WindowsMediaPlayerLibraryDiagnostic, MD5: F67A64C46DE AF682802F5BA6)
    msdt.exe (PID: 2164, cmdline: 'C:\Windows\System32\msdt.exe' -id WindowsMediaPlayerLibraryDiagnostic, MD5: F67A64C46DE AF682802F5BA6)
    msdt.exe (PID: 2300, cmdline: 'C:\Windows\System32\msdt.exe' -id WindowsMediaPlayerLibraryDiagnostic, MD5: F67A64C46DE AF682802F5BA6)
    msdt.exe (PID: 2468, cmdline: 'C:\Windows\System32\msdt.exe' -id WindowsMediaPlayerLibraryDiagnostic, MD5: F67A64C46DE AF682802F5BA6)
    msdt.exe (PID: 2288, cmdline: 'C:\Windows\System32\msdt.exe' -id WindowsMediaPlayerLibraryDiagnostic, MD5: F67A64C46DE AF682802F5BA6)
    msdt.exe (PID: 2428, cmdline: 'C:\Windows\System32\msdt.exe' -id WindowsMediaPlayerLibraryDiagnostic, MD5: F67A64C46DE AF682802F5BA6)
    msdt.exe (PID: 2420, cmdline: 'C:\Windows\System32\msdt.exe' -id WindowsMediaPlayerLibraryDiagnostic, MD5: F67A64C46DE AF682802F5BA6)
  sdiagnhost.exe (PID: 4092, cmdline: C:\Windows\System32\sdiagnhost.exe -Embedding, MD5: 15F07E AA93D3FB6E612D2F74)

Created / dropped Files

C:\Program Files\AutoIt3\cmdline.out
  Process: C:\Windows\System32\wget.exe
  File Type: ASCII text, with CRLF line terminators
  Size (bytes): 611

C:\Users\Public\Music\Sample Music\AlbumArtSmall.jpg
  File Type: JPEG image data, JFIF standard 1.01
  Size (bytes):

C:\Users\Public\Music\Sample Music\AlbumArt_{5FA05D35-A682-4AF6-96F7-0773E42D4D16}_Large.jpg
  File Type: JPEG image data, JFIF standard 1.01
  Size (bytes):

C:\Users\Public\Music\Sample Music\AlbumArt_{5FA05D35-A682-4AF6-96F7-0773E42D4D16}_Small.jpg
  File Type: JPEG image data, JFIF standard 1.01
  Size (bytes): 7329

C:\Users\Public\Music\Sample Music\Folder.jpg
  File Type: JPEG image data, JFIF standard 1.01
  Size (bytes):

C:\Users\user\AppData\Local\Microsoft\Media Player\Art Cache\LocalMLS\{D4C0C6D9-389A-4000-AC3D-71289B18ED89}.jpg
  File Type: JPEG image data, JFIF standard 1.01
  Size (bytes):

C:\Users\user\AppData\Local\Microsoft\Media Player\CurrentDatabase_372.wmdb
  File Type: data
  Size (bytes):

C:\Users\user\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\ E\01_Music_auto_rated_at_5_stars.wpl
  File Type: HTML document, ASCII text, with CRLF line terminators
  Size (bytes): 1272

C:\Users\user\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\ E\02_Music_added_in_the_last_month.wpl
  File Type: HTML document, ASCII text, with CRLF line terminators
  Size (bytes): 1279

C:\Users\user\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\ E\03_Music_rated_at_4_or_5_stars.wpl
  File Type: HTML document, ASCII text, with CRLF line terminators
  Size (bytes): 1267

C:\Users\user\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\ E\04_Music_played_in_the_last_month.wpl
  File Type: HTML document, ASCII text, with CRLF line terminators
  Size (bytes): 1284

C:\Users\user\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\ E\05_Pictures_taken_in_the_last_month.wpl
  File Type: HTML document, ASCII text, with CRLF line terminators
  Size (bytes): 797

C:\Users\user\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\ E\06_Pictures_rated_4_or_5_stars.wpl
  File Type: HTML document, ASCII text, with CRLF line terminators
  Size (bytes): 785

C:\Users\user\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\ E\07_TV_recorded_in_the_last_week.wpl
  File Type: HTML document, ASCII text, with CRLF line terminators
  Size (bytes): 1040

C:\Users\user\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\ E\08_Video_rated_at_4_or_5_stars.wpl
  File Type: HTML document, ASCII text, with CRLF line terminators
  Size (bytes): 1020

C:\Users\user\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\ E\09_Music_played_the_most.wpl
  File Type: HTML document, ASCII text, with CRLF line terminators
  Size (bytes): 1025

C:\Users\user\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\ E\10_All_Music.wpl
  File Type: HTML document, ASCII text, with CRLF line terminators
  Size (bytes): 1063

C:\Users\user\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\ E\11_All_Pictures.wpl
  File Type: HTML document, ASCII text, with CRLF line terminators
  Size (bytes): 585

C:\Users\user\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\ E\12_All_Video.wpl
  File Type: HTML document, ASCII text, with CRLF line terminators
  Size (bytes): 1079

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9CMFZC4R\GetMDRCDPOSTURL[1].aspx
  File Type: ASCII text, with no line terminators
  Size (bytes): 171

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9CMFZC4R\getmdrcd[1].xml
  File Type: ASCII text, with very long lines, with no line terminators
  Size (bytes): 309

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E2PG59KZ\GetMDRCDPOSTURL[1].aspx
  File Type: ASCII text, with no line terminators
  Size (bytes): 171

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E2PG59KZ\GetMDRCD[1].xml
  File Type: ASCII text, with very long lines, with no line terminators
  Size (bytes): 7015

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ULEAKRVD\getmdrcd[1].xml
  File Type: ASCII text, with very long lines, with no line terminators
  Size (bytes): 309

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\OA1SV39O8TEW5WEQXVV4.temp
  File Type: data
  Size (bytes): 1809

C:\Users\user\Desktop\download\minimal.mp4
  Process: C:\Windows\System32\wget.exe
  File Type: ISO Media, MPEG v4 system, version 1
  Size (bytes): 843

C:\Windows\Temp\SDIAG_ ff-4dc fb236c5e83bf\DiagPackage.diagpkg
  Process: C:\Windows\System32\msdt.exe
  File Type: HTML document, ASCII text, with CRLF line terminators
  Size (bytes): 4681

C:\Windows\Temp\SDIAG_ ff-4dc fb236c5e83bf\DiagPackage.dll
  Process: C:\Windows\System32\msdt.exe
  File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
  Size (bytes):
  Antivirus: virustotal, Detection: 0%
  Antivirus: metadefender, Detection: 0%

C:\Windows\Temp\SDIAG_ ff-4dc fb236c5e83bf\RS_MediaLibCorrupted.ps1
  Process: C:\Windows\System32\msdt.exe
  File Type: ISO-8859 text, with CRLF line terminators
  Size (bytes): 592

C:\Windows\Temp\SDIAG_ ff-4dc fb236c5e83bf\TS_IsWMPUnavailable.ps1
  Process: C:\Windows\System32\msdt.exe
  File Type: ISO-8859 text, with CRLF line terminators
  Size (bytes): 645

C:\Windows\Temp\SDIAG_ ff-4dc fb236c5e83bf\TS_WindowsMediaPlayer.ps1
  Process: C:\Windows\System32\msdt.exe
  File Type: ISO-8859 text, with CRLF line terminators
  Size (bytes): 471

C:\Windows\Temp\SDIAG_ ff-4dc fb236c5e83bf\en-US\CL_LocalizationData.psd1
  Process: C:\Windows\System32\msdt.exe
  File Type: Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
  Size (bytes): 392

C:\Windows\Temp\SDIAG_ ff-4dc fb236c5e83bf\en-US\DiagPackage.dll.mui
  Process: C:\Windows\System32\msdt.exe
  File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
  Size (bytes): 4096
  Antivirus: virustotal, Detection: 0%

C:\Windows\Temp\SDIAG_ ff-4dc fb236c5e83bf\result\results.xsl
  Process: C:\Windows\System32\msdt.exe
  File Type: XML document text
  Size (bytes):

\Endpoint
  Process: C:\Windows\System32\wget.exe
  File Type: ASCII text, with CRLF line terminators
  Size (bytes): 250

\samr
  File Type: Hitachi SH big-endian COFF object, not stripped
  Size (bytes): 116

Contacted Domains/Contacted IPs

Contacted Domains
  Name: c5x8i7c7.ssl.hwcdn.net; IP: ; Active: true; Malicious: ; Antivirus Detection: 0%, virustotal; Reputation: high

Contacted IPs

  Columns: IP, Country, Flag, ASN, ASN Name, Malicious
  - Country: United States; ASN Name: HIGHWINDS3-HighwindsNetworkGroupIncUS
  - Country: United States; ASN Name: GOOGLE-GoogleIncUS

Static File Info
  No static file info

Network Behavior

Network Port Distribution
  Total Packets: (HTTP), 53 (DNS)

TCP Packets

  Columns: Timestamp, Port, Dest Port, IP, Dest IP
  17 packets, all Apr 13, 20:32 CEST

UDP Packets
  Columns: Timestamp, Port, Dest Port, IP, Dest IP
  8 packets, all Apr 13, 20:32 CEST

DNS Queries
  Timestamp: Apr 13, 20:32 CEST; Trans ID: 0x5ab5; OP Code: Standard query (0); Name: c5x8i7c7.ssl.hwcdn.net; Type: A (IP address); Class: IN (0x0001)

DNS Answers
  Timestamp: Apr 13, 20:32 CEST; Trans ID: 0x5ab5; Reply Code: No error (0); Name: c5x8i7c7.ssl.hwcdn.net; CName: ; Address: ; Type: A (IP address); Class: IN (0x0001)

HTTP Request Dependency Graph
  c5x8i7c7.ssl.hwcdn.net

HTTP Packets

Session: Process C:\Windows\System32\wget.exe
  Apr 13, 20:32 CEST, 0 kbytes transferred, OUT:
    GET /vplayer-parallel/ _1740/ima_html5/minimal.mp4 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko
    Accept: */*
    Accept-Encoding: identity
    Host: c5x8i7c7.ssl.hwcdn.net
    Connection: Keep-Alive
  Apr 13, 20:32 CEST, 1 kbytes transferred, IN:
    HTTP/ OK
    Date: Fri, 13 Apr :32:26 GMT
    Connection: Keep-Alive
    Accept-Ranges: bytes
    ETag:
    Cache-Control: max-age=34100
    Content-Length: 843
    Content-Type: video/mp4
    Last-Modified: Thu, 22 Mar :40:25 GMT
    X-HW: dop018.am4.t, cds053.am4.c
    Data Ascii: ftypisomisomiso2mp41freemdat`q=moovlmvhd*@iodso!trak\tkhd*@mdia mdhd-hdlrvidevideohandle rhminfvmhd$dinfdrefurl DCLavc sttsstscstszstco,`udtaXmeta!hdlrmdirappl+ilst#to odatalavf
  Apr 13, 20:32 CEST, 3 kbytes transferred, IN:
    HTTP/ OK response with the same headers and data as the previous one (Content-Length: 843, Content-Type: video/mp4)

Code Manipulations

Statistics

24 Behavior cmd.exe wget.exe wmplayer.exe msdt.exe msdt.exe msdt.exe msdt.exe sdiagnhost.exe msdt.exe msdt.exe msdt.exe msdt.exe msdt.exe msdt.exe Click to jump to process System Behavior Analysis cmd.exe PID: 3644 Parent PID: 748 Start time: 20:32:23 Start date: 13/04/2018 Path: Wow64 process (32bit): Commandline: Imagebase: File size: MD5 hash: Has administrator privileges: Programmed in: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wget -v -T 60 -P 'C:\Users\user\Desktop\download' --nocheck-certificate --content-disposition --user-agent='mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' ' _1740/ima_html5/minimal.mp4' > cmdline.out 2>&1 0x4aa bytes AD7B9C14083B52BC532FBA B98 true C, C++ or other language File Path Access Attributes Options Completion Count C:\Program Files\AutoIt3\cmdline.out read attributes and synchroniz e and generic write n on directory file Address Symbol success or wait 1 4AA83A79 CreateFileW File Path Offset Length Completion Count Analysis wget.exe PID: 3692 Parent PID: 3644 Start time: 20:32:24 Start date: 13/04/2018 Copyright Joe Security LLC 2018 Page 24 of 38

Path: C:\Windows\System32\wget.exe
Wow64 process (32bit):
Commandline: wget -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://c5x8i7c7.ssl.hwcdn.net/vplayer-parallel/ _1740/ima_html5/minimal.mp4'
Imagebase: 0x
File size: bytes
MD5 hash: 3DADB6E2ECE9C4B3E1E322E617658B60
Has administrator privileges: true
Programmed in: C, C++ or other language

File Path  Access  Attributes  Options  Completion  Count  Address  Symbol
C:\Users\user\Desktop\download\minimal.mp4  read attributes and and generic write  non directory file  success or wait  C  fopen

File Path  Offset  Length  Value  Ascii  Completion  Count
File Path  Offset  Length  Completion  Count

Analysis wmplayer.exe PID: 3808 Parent PID: 3320
Start time: 20:32:27
Start date: 13/04/2018
Path:
Wow64 process (32bit):
Commandline: '' /prefetch:6 /Open 'C:\Users\user\desktop\download\minimal.mp4.mov'
Imagebase: 0x
File size: bytes
MD5 hash: C5CCC59506C897319FA05FE9D8DF79C3
Has administrator privileges: true
Programmed in: C, C++ or other language

File Path  Access  Attributes  Options  Completion  Count
Old File Path  New File Path  Completion  Count
File Path  Offset  Length  Value  Ascii  Completion  Count
File Path  Offset  Length  Completion  Count

Registry Activities
Key Path  Completion  Count
Key Path  Name  Type  Data  Completion  Count

Key Path  Name  Type  Old Data  New Data  Completion  Count

Analysis msdt.exe PID: 3984 Parent PID: 3808
Start time: 20:32:34
Start date: 13/04/2018
Path: C:\Windows\System32\msdt.exe
Wow64 process (32bit):
Commandline: 'C:\Windows\System32\msdt.exe' -id WindowsMediaPlayerLibraryDiagnostic
Imagebase: 0xe
File size: bytes
MD5 hash: F67A64C46DE AF682802F5BA6
Has administrator privileges: true
Programmed in: C, C++ or other language

File Path  Access  Attributes  Options  Completion  Count  Address  Symbol
C:\Users
C:\Users\SAMTAR~1
C:\Users\SAMTAR~1\AppData
C:\Users\SAMTAR~1\AppData\Local
C:\Users\SAMTAR~1\AppData\Local\Temp
C:\Users\SAMTAR~1\AppData\Local\Temp\msdtadmin
C:\Users\SAMTAR~1\AppData\Local\Temp\msdtadmin\_1FD68DA9-3CFF-442A-8E88-F9E2B3B2146A_
C:\Users\SAMTAR~1\AppData\Local\Temp\msdtadmin\_1FD68DA9-3CFF-442A-8E88-F9E2B3B2146A_\inuse
read attributes and synchronize and generic read and generic write  readonly  directory file and  success or wait  1  10F615  CreateDirectoryW
directory file and  success or wait  1  10F615  CreateDirectoryW
non directory file  success or wait  CreateFileW

File Path  Offset  Length  Value  Ascii  Completion  Count
File Path  Offset  Length  Completion  Count

Registry Activities
Key Path  Name  Type  Old Data  New Data  Completion  Count

Analysis msdt.exe PID: 3992 Parent PID: 3808
Start time: 20:32:35
Start date: 13/04/2018
Path: C:\Windows\System32\msdt.exe
Wow64 process (32bit):
Commandline: 'C:\Windows\System32\msdt.exe' -id WindowsMediaPlayerLibraryDiagnostic
Imagebase: 0xe
File size: bytes
MD5 hash: F67A64C46DE AF682802F5BA6
Has administrator privileges: true
Programmed in: C, C++ or other language

File Path  Access  Attributes  Options  Completion  Count  Address  Symbol
C:\Users
C:\Users\SAMTAR~1
C:\Users\SAMTAR~1\AppData
C:\Users\SAMTAR~1\AppData\Local
C:\Users\SAMTAR~1\AppData\Local\Temp
C:\Users\SAMTAR~1\AppData\Local\Temp\msdtadmin

C:\Users\SAMTAR~1\AppData\Local\Temp\msdtadmin\_F F2A4-404A-A2F7-E6BC659F7D21_
C:\Users\SAMTAR~1\AppData\Local\Temp\msdtadmin\_F F2A4-404A-A2F7-E6BC659F7D21_\inuse
read attributes and synchronize and generic read and generic write  readonly  directory file and  success or wait  1  10F615  CreateDirectoryW
non directory file  success or wait  CreateFileW

File Deleted
File Path  Completion  Count  Address  Symbol
C:\Users\SAMTAR~1\AppData\Local\Temp\msdtadmin\_F F2A4-404A-A2F7-E6BC659F7D21_\inuse  success or wait  1  10F94A  DeleteFileW

File Path  Offset  Length  Completion  Count

Analysis msdt.exe PID: 4052 Parent PID: 3808
Start time: 20:32:36
Start date: 13/04/2018
Path: C:\Windows\System32\msdt.exe
Wow64 process (32bit):
Commandline: 'C:\Windows\System32\msdt.exe' -id WindowsMediaPlayerLibraryDiagnostic
Imagebase: 0xe
File size: bytes
MD5 hash: F67A64C46DE AF682802F5BA6
Has administrator privileges: true
Programmed in: C, C++ or other language

File Path  Access  Attributes  Options  Completion  Count  Address  Symbol
C:\Users
C:\Users\SAMTAR~1
C:\Users\SAMTAR~1\AppData
C:\Users\SAMTAR~1\AppData\Local

C:\Users\SAMTAR~1\AppData\Local\Temp
C:\Users\SAMTAR~1\AppData\Local\Temp\msdtadmin
C:\Users\SAMTAR~1\AppData\Local\Temp\msdtadmin\_259B786A B D5C48474BA_
C:\Users\SAMTAR~1\AppData\Local\Temp\msdtadmin\_259B786A B D5C48474BA_\inuse
read attributes and synchronize and generic read and generic write  readonly  directory file and  success or wait  1  10F615  CreateDirectoryW
non directory file  success or wait  CreateFileW

File Deleted
File Path  Completion  Count  Address  Symbol
C:\Users\SAMTAR~1\AppData\Local\Temp\msdtadmin\_259B786A B D5C48474BA_\inuse  success or wait  1  10F94A  DeleteFileW

File Path  Offset  Length  Completion  Count

Analysis msdt.exe PID: 4068 Parent PID: 3808
Start time: 20:32:37
Start date: 13/04/2018
Path: C:\Windows\System32\msdt.exe
Wow64 process (32bit):
Commandline: 'C:\Windows\System32\msdt.exe' -id WindowsMediaPlayerLibraryDiagnostic
Imagebase: 0xe
File size: bytes
MD5 hash: F67A64C46DE AF682802F5BA6
Has administrator privileges: true
Programmed in: C, C++ or other language

File Path  Access  Attributes  Options  Completion  Count  Address  Symbol
C:\Users
C:\Users\SAMTAR~1

C:\Users\SAMTAR~1\AppData
C:\Users\SAMTAR~1\AppData\Local
C:\Users\SAMTAR~1\AppData\Local\Temp
C:\Users\SAMTAR~1\AppData\Local\Temp\msdtadmin
C:\Users\SAMTAR~1\AppData\Local\Temp\msdtadmin\_952D2107-6FAC-46DF-AB39-42EC4BB8BA3B_
C:\Users\SAMTAR~1\AppData\Local\Temp\msdtadmin\_952D2107-6FAC-46DF-AB39-42EC4BB8BA3B_\inuse
read attributes and synchronize and generic read and generic write  readonly  directory file and  success or wait  1  10F615  CreateDirectoryW
non directory file  success or wait  CreateFileW

File Deleted
File Path  Completion  Count  Address  Symbol
C:\Users\SAMTAR~1\AppData\Local\Temp\msdtadmin\_952D2107-6FAC-46DF-AB39-42EC4BB8BA3B_\inuse  success or wait  1  10F94A  DeleteFileW

File Path  Offset  Length  Completion  Count

Analysis sdiagnhost.exe PID: 4092 Parent PID: 548
Start time: 20:32:38
Start date: 13/04/2018
Path: C:\Windows\System32\sdiagnhost.exe
Wow64 process (32bit):
Commandline: C:\Windows\System32\sdiagnhost.exe -Embedding
Imagebase: 0xab
File size: bytes
MD5 hash: 15F07E AA93D3FB6E612D2F74
Has administrator privileges: true
Programmed in: .NET C# or VB.NET

File Path  Access  Attributes  Options  Completion  Count

File Read
File Path  Offset  Length  Completion  Count  Address  Symbol

C:\Windows\Microsoft.NET\Framework\v \CONFIG\machine.config  unknown  4095  success or wait  1  6AD5C01C  unknown
C:\Windows\Microsoft.NET\Framework\v \CONFIG\machine.config  unknown  6304  success or wait  3  6AD5C01C  unknown
C:\Windows\Microsoft.NET\Framework\v \CONFIG\machine.config  unknown  4106  success or wait  1  6AD5C01C  unknown
C:\Windows\Microsoft.NET\Framework\v \CONFIG\machine.config  unknown  4095  success or wait  1  6AD5F210  ReadFile
C:\Windows\Microsoft.NET\Framework\v \CONFIG\machine.config  unknown  6304  success or wait  3  6AD5F210  ReadFile
C:\Windows\Microsoft.NET\Framework\v \CONFIG\machine.config  unknown  4106  success or wait  1  6AD5F210  ReadFile
C:\Windows\System32\WindowsPowerShell\v1.0\getevent.types.ps1xml  unknown  4096  success or wait  4  2ABB77  ReadFile
C:\Windows\System32\WindowsPowerShell\v1.0\getevent.types.ps1xml  unknown  781  end of file  1  2ABB77  ReadFile
C:\Windows\System32\WindowsPowerShell\v1.0\getevent.types.ps1xml  unknown  4096  end of file  1  2ABB77  ReadFile
C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml  unknown  4096  success or wait  42  2ABB77  ReadFile
C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml  unknown  4096  end of file  1  2ABB77  ReadFile
C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml  unknown  4096  success or wait  7  2ABB77  ReadFile
C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml  unknown  542  end of file  1  2ABB77  ReadFile
C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml  unknown  4096  end of file  1  2ABB77  ReadFile
C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.Format.ps1xml  unknown  4096  success or wait  6  2ABB77  ReadFile
C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.Format.ps1xml  unknown  78  end of file  1  2ABB77  ReadFile
C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.Format.ps1xml  unknown  4096  end of file  1  2ABB77  ReadFile
C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml  unknown  4096  success or wait  7  2ABB77  ReadFile
C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml  unknown  310  end of file  1  2ABB77  ReadFile
C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml  unknown  4096  end of file  1  2ABB77  ReadFile
C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml  unknown  4096  success or wait  18  2ABB77  ReadFile
C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml  unknown  50  end of file  1  2ABB77  ReadFile
C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml  unknown  4096  end of file  1  2ABB77  ReadFile
C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml  unknown  4096  success or wait  7  2ABB77  ReadFile
C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml  unknown  4096  end of file  1  2ABB77  ReadFile
C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml  unknown  4096  success or wait  63  2ABB77  ReadFile
C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml  unknown  201  end of file  1  2ABB77  ReadFile
C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml  unknown  4096  end of file  1  2ABB77  ReadFile
C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml  unknown  4096  success or wait  22  2ABB77  ReadFile
C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml  unknown  409  end of file  1  2ABB77  ReadFile
C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml  unknown  4096  end of file  1  2ABB77  ReadFile
C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml  unknown  4096  success or wait  5  2ABB77  ReadFile
C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml  unknown  844  end of file  1  2ABB77  ReadFile
C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml  unknown  4096  end of file  1  2ABB77  ReadFile
C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml  unknown  4096  success or wait  5  2ABB77  ReadFile
C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml  unknown  360  end of file  1  2ABB77  ReadFile
C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml  unknown  4096  end of file  1  2ABB77  ReadFile
C:\Windows\Temp\SDIAG_ ff-4dc fb236c5e83bf\TS_WindowsMediaPlayer.ps1  unknown  4096  success or wait  1  2ABB77  ReadFile
C:\Windows\Temp\SDIAG_ ff-4dc fb236c5e83bf\TS_WindowsMediaPlayer.ps1  unknown  4096  end of file  1  2ABB77  ReadFile
C:\Windows\Temp\SDIAG_ ff-4dc fb236c5e83bf\en-US\CL_LocalizationData.psd1  unknown  4096  success or wait  1  2ABB77  ReadFile
C:\Windows\Temp\SDIAG_ ff-4dc fb236c5e83bf\en-US\CL_LocalizationData.psd1  unknown  4096  end of file  1  2ABB77  ReadFile
C:\Windows\Temp\SDIAG_ ff-4dc fb236c5e83bf\TS_IsWMPUnavailable.ps1  unknown  4096  success or wait  1  2ABB77  ReadFile
C:\Windows\Temp\SDIAG_ ff-4dc fb236c5e83bf\TS_IsWMPUnavailable.ps1  unknown  4096  end of file  1  2ABB77  ReadFile

Analysis msdt.exe PID: 2164 Parent PID: 3808
Start time: 20:32:38
Start date: 13/04/2018
Path: C:\Windows\System32\msdt.exe
Wow64 process (32bit):
Commandline: 'C:\Windows\System32\msdt.exe' -id WindowsMediaPlayerLibraryDiagnostic
Imagebase: 0xe
File size: bytes
MD5 hash: F67A64C46DE AF682802F5BA6
Has administrator privileges: true
Programmed in: C, C++ or other language


ID: Sample Name: E DA5e8a0c01b.txt Cookbook: default.jbs Time: 15:35:01 Date: 18/04/2018 Version: ID: 55401 Sample Name: E203182DA5e8a0c01b.txt Cookbook: default.jbs Time: 15:35:01 Date: 18/04/2018 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection

More information

ID: Sample Name: Dxd1yOZMU1.bin Cookbook: defaultwindowsofficecookbook.jbs Time: 09:43:59 Date: 21/10/2017 Version:

ID: Sample Name: Dxd1yOZMU1.bin Cookbook: defaultwindowsofficecookbook.jbs Time: 09:43:59 Date: 21/10/2017 Version: ID: 34788 Sample Name: Dxd1yOZMU1.bin Cookbook: defaultwindowsofficecookbook.jbs Time: 0:43:5 Date: 21/10/2017 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information

More information

ID: Cookbook: browseurl.jbs Time: 00:12:30 Date: 24/03/2018 Version:

ID: Cookbook: browseurl.jbs Time: 00:12:30 Date: 24/03/2018 Version: ID: 51630 Cookbook: browseurl.jbs Time: 00:12:30 Date: 24/03/2018 Version: 22.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

More information

ID: Sample Name: MSM- 24_Supply_List RU_518.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 17:15:48 Date: 19/06/2018 Version: 22.0.

ID: Sample Name: MSM- 24_Supply_List RU_518.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 17:15:48 Date: 19/06/2018 Version: 22.0. ID: 64635 Sample Name: MSM- 24_Supply_List RU_518.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 17::48 Date: 1/06/2018 Version: 22.0.0 Table of Contents Analysis Report Overview Information Detection

More information

ID: Cookbook: browseurl.jbs Time: 15:26:33 Date: 16/03/2018 Version:

ID: Cookbook: browseurl.jbs Time: 15:26:33 Date: 16/03/2018 Version: ID: 50608 Cookbook: browseurl.jbs Time: 15:26:33 Date: 16/03/2018 Version: 22.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

More information

ID: Cookbook: browseurl.jbs Time: 22:12:09 Date: 17/11/2017 Version:

ID: Cookbook: browseurl.jbs Time: 22:12:09 Date: 17/11/2017 Version: ID: 37366 Cookbook: browseurl.jbs Time: 22:12:09 Date: 17/11/2017 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

More information

ID: Sample Name: TO_HM_CROWN PR#U0130NCE MOHAMMED B#U0130N SALMAN - Dear Prime Minister.doc Cookbook: defaultwindowsofficecookbook.

ID: Sample Name: TO_HM_CROWN PR#U0130NCE MOHAMMED B#U0130N SALMAN - Dear Prime Minister.doc Cookbook: defaultwindowsofficecookbook. ID: 63341 Sample Name: TO_HM_CROWN PR#U0130NCE MOHAMMED B#U0130N SALMAN - Dear Prime Minister.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 08:43:14 Date: 10/06/2018 Version: 22.0.0 Table of Contents

More information

ID: Sample Name: Swift details.xls Cookbook: defaultwindowsofficecookbook.jbs Time: 17:14:48 Date: 21/06/2018 Version: 22.0.

ID: Sample Name: Swift details.xls Cookbook: defaultwindowsofficecookbook.jbs Time: 17:14:48 Date: 21/06/2018 Version: 22.0. ID: 64992 Sample Name: Swift details.xls Cookbook: defaultwindowsofficecookbook.jbs Time: 17::48 Date: 21/06/2018 Version: 22.0.0 Table of Contents Analysis Report Overview Information Detection Confidence

More information

ID: Cookbook: browseurl.jbs Time: 18:10:52 Date: 18/05/2018 Version:

ID: Cookbook: browseurl.jbs Time: 18:10:52 Date: 18/05/2018 Version: ID: 60306 Cookbook: browseurl.jbs Time: 18:10:52 Date: 18/05/2018 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

More information

ID: Cookbook: browseurl.jbs Time: 20:04:11 Date: 14/06/2018 Version:

ID: Cookbook: browseurl.jbs Time: 20:04:11 Date: 14/06/2018 Version: ID: 64085 Cookbook: browseurl.jbs Time: 20:04:11 Date: 14/06/2018 Version: 22.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

More information

ID: Sample Name: MobaXterm_installer_10.5.msi Cookbook: defaultwindowsmsicookbook.jbs Time: 18:29:36 Date: 25/05/2018 Version: 22.0.

ID: Sample Name: MobaXterm_installer_10.5.msi Cookbook: defaultwindowsmsicookbook.jbs Time: 18:29:36 Date: 25/05/2018 Version: 22.0. ID: 61258 Sample Name: MobaXterm_installer_10.5.msi Cookbook: defaultwindowsmsicookbook.jbs Time: 18:29:36 Date: 25/05/2018 Version: 22.0.0 Table of Contents Analysis Report Overview Information Detection

More information

ID: Sample Name: oq5wdjgk2r.exe Cookbook: default.jbs Time: 20:25:47 Date: 22/11/2017 Version:

ID: Sample Name: oq5wdjgk2r.exe Cookbook: default.jbs Time: 20:25:47 Date: 22/11/2017 Version: ID: 388 Sample Name: oq5wdjgk2r.exe Cookbook: default.jbs Time: 20:25:4 Date: 22/11/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Cookbook: browseurl.jbs Time: 19:37:50 Date: 11/05/2018 Version:

ID: Cookbook: browseurl.jbs Time: 19:37:50 Date: 11/05/2018 Version: ID: 59176 Cookbook: browseurl.jbs Time: 19:37:50 Date: 11/05/2018 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

More information

ID: Sample Name: Liste_az.docx Cookbook: defaultwindowsofficecookbook.jbs Time: 00:17:54 Date: 30/12/2017 Version:

ID: Sample Name: Liste_az.docx Cookbook: defaultwindowsofficecookbook.jbs Time: 00:17:54 Date: 30/12/2017 Version: ID: 41280 Sample Name: Liste_az.docx Cookbook: defaultwindowsofficecookbook.jbs Time: 00:17:54 Date: 30/12/2017 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview Information

More information

ID: Sample Name: ff2c8cadaa0fd8da6138cce6fce37e001f53a5d9ceccd67945b15ae273f4d751.evaljs.js Cookbook: default.jbs Time: 16:44:00 Date:

ID: Sample Name: ff2c8cadaa0fd8da6138cce6fce37e001f53a5d9ceccd67945b15ae273f4d751.evaljs.js Cookbook: default.jbs Time: 16:44:00 Date: ID: 33355 Sample Name: ff2c8cadaa0fd8da138ccefce3e001f53a5dceccd45b15ae23f4d51.evaljs.js Cookbook: default.jbs Time: 1:44:00 Date: 04//201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report

More information

ID: Cookbook: browseurl.jbs Time: 23:36:16 Date: 10/04/2018 Version:

ID: Cookbook: browseurl.jbs Time: 23:36:16 Date: 10/04/2018 Version: ID: 54075 Cookbook: browseurl.jbs Time: 23:36:16 Date: 10/04/2018 Version: 22.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

More information

ID: Cookbook: browseurl.jbs Time: 18:45:10 Date: 08/10/2018 Version: Fire Opal

ID: Cookbook: browseurl.jbs Time: 18:45:10 Date: 08/10/2018 Version: Fire Opal ID: 82913 Cookbook: browseurl.jbs Time: 18:45:10 Date: 08/10/2018 Version: 24.0.0 Fire Opal Table of Contents Table of Contents Analysis Report http://www.learningtoolkit.club Overview General Information

More information

ID: Sample Name: test Cookbook: default.jbs Time: 09:46:13 Date: 21/05/2018 Version:

ID: Sample Name: test Cookbook: default.jbs Time: 09:46:13 Date: 21/05/2018 Version: ID: 042 Sample Name: test Cookbook: default.jbs Time: 09:4:1 Date: 21/0/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification

More information

ID: Sample Name: Commercial Card Services CTO Quality Control Checklist v9.docm Cookbook: defaultwindowsofficecookbook.jbs Time: 15:55:50 Date:

ID: Sample Name: Commercial Card Services CTO Quality Control Checklist v9.docm Cookbook: defaultwindowsofficecookbook.jbs Time: 15:55:50 Date: ID: 244 Sample Name: Commercial Card Services CTO Quality Control Checklist v9.docm Cookbook: defaultwindowsofficecookbook.jbs Time: 15:55:50 Date: 05/10/201 Version: 24.0.0 Fire Opal Table of Contents

More information

ID: Sample Name: lt.pak Cookbook: default.jbs Time: 12:40:34 Date: 26/07/2018 Version:

ID: Sample Name: lt.pak Cookbook: default.jbs Time: 12:40:34 Date: 26/07/2018 Version: ID: 90 Sample Name: lt.pak Cookbook: default.jbs Time: 12:40:4 Date: 2/0/201 Version: 2.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification

More information

ID: Cookbook: browseurl.jbs Time: 00:46:14 Date: 03/07/2018 Version:

ID: Cookbook: browseurl.jbs Time: 00:46:14 Date: 03/07/2018 Version: ID: 66523 Cookbook: browseurl.jbs Time: 00:46:14 Date: 03/07/2018 Version: 23.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

More information

ID: Sample Name: Commercial Card Services CTO Quality Control Checklist v9.docm Cookbook: defaultwindowsofficecookbook.jbs Time: 15:52:31 Date:

ID: Sample Name: Commercial Card Services CTO Quality Control Checklist v9.docm Cookbook: defaultwindowsofficecookbook.jbs Time: 15:52:31 Date: ID: 244 Sample Name: Commercial Card Services CTO Quality Control Checklist v9.docm Cookbook: defaultwindowsofficecookbook.jbs Time: 15:52:31 Date: 05/10/201 Version: 24.0.0 Fire Opal Table of Contents

More information

ID: Sample Name: MacKeeper.dmg Cookbook: default.jbs Time: 11:09:32 Date: 02/06/2018 Version:

ID: Sample Name: MacKeeper.dmg Cookbook: default.jbs Time: 11:09:32 Date: 02/06/2018 Version: ID: 22 Sample Name: MacKeeper.dmg Cookbook: default.jbs Time: 11:0:2 Date: 02/0/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Cookbook: browseurl.jbs Time: 20:07:43 Date: 27/09/2018 Version:

ID: Cookbook: browseurl.jbs Time: 20:07:43 Date: 27/09/2018 Version: ID: 80599 Cookbook: browseurl.jbs Time: 20:07:43 Date: 27/09/2018 Version: 23.0.0 Table of Contents Table of Contents Analysis Report http://www.qbproadvisorshelp.com Overview General Information Detection

More information

ID: Sample Name: dronefly.apk Cookbook: default.jbs Time: 10:24:54 Date: 07/06/2018 Version:

ID: Sample Name: dronefly.apk Cookbook: default.jbs Time: 10:24:54 Date: 07/06/2018 Version: ID: 001 Sample Name: dronefly.apk Cookbook: default.jbs Time: 10:24:4 Date: 0/0/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Cookbook: browseurl.jbs Time: 14:05:23 Date: 30/07/2018 Version:

ID: Cookbook: browseurl.jbs Time: 14:05:23 Date: 30/07/2018 Version: ID: 70096 Cookbook: browseurl.jbs Time: 14:05:23 Date: 30/07/2018 Version: 23.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

More information

ID: Sample Name: paint.net install.exe Cookbook: default.jbs Time: 00:46:01 Date: 01/12/2017 Version:

ID: Sample Name: paint.net install.exe Cookbook: default.jbs Time: 00:46:01 Date: 01/12/2017 Version: ID: 38812 Sample Name: paint.net.4.0.19.install.exe Cookbook: default.jbs Time: 00:46:01 Date: 01/12/2017 Version: 20.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Sample Name: PO xls Cookbook: defaultwindowsofficecookbook.jbs Time: 03:13:36 Date: 08/01/2018 Version:

ID: Sample Name: PO xls Cookbook: defaultwindowsofficecookbook.jbs Time: 03:13:36 Date: 08/01/2018 Version: ID: 41861 Sample Name: PO65445465.xls Cookbook: defaultwindowsofficecookbook.jbs Time: 03::36 Date: 08/01/2018 Version: 20.0.0 Table of Contents Analysis Report Overview Information Detection Confidence

More information

ID: Cookbook: urldownload.jbs Time: 10:02:12 Date: 14/06/2018 Version:

ID: Cookbook: urldownload.jbs Time: 10:02:12 Date: 14/06/2018 Version: ID: 63987 Cookbook: urldownload.jbs Time: 10:02:12 Date: 14/06/2018 Version: 22.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

More information

ID: Cookbook: browseurl.jbs Time: 13:47:53 Date: 16/02/2018 Version:

ID: Cookbook: browseurl.jbs Time: 13:47:53 Date: 16/02/2018 Version: ID: 46703 Cookbook: browseurl.jbs Time: 13:47:53 Date: 16/02/2018 Version: 21.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

More information

ID: Sample Name: INDUSTRIAL.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 02:35:30 Date: 25/04/2018 Version: 22.0.

ID: Sample Name: INDUSTRIAL.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 02:35:30 Date: 25/04/2018 Version: 22.0. ID: 56519 Sample Name: 20180542 INDUSTRIAL.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 02:35:30 Date: 25/04/2018 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview Information

More information

ID: Sample Name: gpg4win exe.sig Cookbook: default.jbs Time: 21:44:31 Date: 02/02/2018 Version:

ID: Sample Name: gpg4win exe.sig Cookbook: default.jbs Time: 21:44:31 Date: 02/02/2018 Version: ID: Sample Name: gpgwin-.0..exe.sig Cookbook: default.jbs Time: 21::1 Date: 02/02/2018 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Sample Name: vlaue.exe Cookbook: default.jbs Time: 18:54:49 Date: 26/01/2018 Version:

ID: Sample Name: vlaue.exe Cookbook: default.jbs Time: 18:54:49 Date: 26/01/2018 Version: ID: 44024 Sample Name: vlaue.exe Cookbook: default.jbs Time: 18:4:49 Date: 2/01/2018 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Sample Name: 5GeZNwROcB.bin Cookbook: default.jbs Time: 15:22:54 Date: 30/11/2017 Version:

ID: Sample Name: 5GeZNwROcB.bin Cookbook: default.jbs Time: 15:22:54 Date: 30/11/2017 Version: ID: 82 Sample Name: GeZNwROcB.bin Cookbook: default.jbs Time: 1:22:4 Date: 0/11/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Sample Name: DOCS.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 16:07:38 Date: 06/02/2018 Version:

ID: Sample Name: DOCS.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 16:07:38 Date: 06/02/2018 Version: ID: 45263 Sample Name: DOCS.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 16:07:38 Date: 06/02/2018 Version: 20.0.0 Table of Contents Analysis Report Overview Information Detection Confidence Classification

More information

ID: Sample Name: scan00.html Cookbook: default.jbs Time: 22:21:27 Date: 16/12/2017 Version:

ID: Sample Name: scan00.html Cookbook: default.jbs Time: 22:21:27 Date: 16/12/2017 Version: ID: 40269 Sample Name: scan00.html Cookbook: default.jbs Time: 22:21:27 Date: 16/12/2017 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Sample Name: dialog.nvp Cookbook: default.jbs Time: 00:09:12 Date: 10/05/2018 Version:

ID: Sample Name: dialog.nvp Cookbook: default.jbs Time: 00:09:12 Date: 10/05/2018 Version: ID: 09 Sample Name: dialog.nvp Cookbook: default.jbs Time: 00:09:12 Date: 10/0/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Sample Name: Liste1.jar Cookbook: default.jbs Time: 23:20:23 Date: 02/11/2017 Version:

ID: Sample Name: Liste1.jar Cookbook: default.jbs Time: 23:20:23 Date: 02/11/2017 Version: ID: 35936 Sample Name: Liste1.jar Cookbook: default.jbs Time: 23:20:23 Date: 02/11/2017 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Sample Name: Unconfirmed crdownload Cookbook: default.jbs Time: 22:58:07 Date: 08/11/2017 Version:

ID: Sample Name: Unconfirmed crdownload Cookbook: default.jbs Time: 22:58:07 Date: 08/11/2017 Version: ID: 80 Sample Name: Unconfirmed.crdownload Cookbook: default.jbs Time: 22:8:0 Date: 08/11/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection

More information

ID: Sample Name: New invoice doc Cookbook: defaultwindowsofficecookbook.jbs Time: 21:49:06 Date: 07/11/2017 Version: 20.0.

ID: Sample Name: New invoice doc Cookbook: defaultwindowsofficecookbook.jbs Time: 21:49:06 Date: 07/11/2017 Version: 20.0. ID: 36381 Sample Name: New invoice 1385371761.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 21:4:06 Date: 07/11/2017 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview

More information

ID: Sample Name: faktury_pdf.rar Cookbook: default.jbs Time: 12:24:33 Date: 15/12/2017 Version:

ID: Sample Name: faktury_pdf.rar Cookbook: default.jbs Time: 12:24:33 Date: 15/12/2017 Version: ID: 4019 Sample Name: faktury_pdf.rar Cookbook: default.jbs Time: 12:24: Date: 1/12/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Cookbook: browseurl.jbs Time: 19:21:50 Date: 15/10/2017 Version:

ID: Cookbook: browseurl.jbs Time: 19:21:50 Date: 15/10/2017 Version: ID: 34266 Cookbook: browseurl.jbs Time: 19:21:50 Date: 15/10/2017 Version: 20.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

More information

ID: Sample Name:._k.php Cookbook: default.jbs Time: 05:41:18 Date: 25/04/2018 Version:

ID: Sample Name:._k.php Cookbook: default.jbs Time: 05:41:18 Date: 25/04/2018 Version: ID: 2 Sample Name:._k.php Cookbook: default.jbs Time: 0:41:1 Date: 2/04/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification

More information

ID: Sample Name: SSB SBV Daily Report - Logistics Template DEC '17 (8).xlsm Cookbook: defaultwindowsofficecookbook.jbs Time: 06:35:29 Date:

ID: Sample Name: SSB SBV Daily Report - Logistics Template DEC '17 (8).xlsm Cookbook: defaultwindowsofficecookbook.jbs Time: 06:35:29 Date: ID: 41310 Sample Name: SSB SBV Daily Report - Logistics Template DEC '17 (8).xlsm Cookbook: defaultwindowsofficecookbook.jbs Time: 06:35:29 Date: 31/12/2017 Version: 20.0.0 Table of Contents Analysis Report

More information

ID: Sample Name: FORMP16T.docx Cookbook: defaultwindowsofficecookbook.jbs Time: 09:39:29 Date: 28/05/2018 Version:

ID: Sample Name: FORMP16T.docx Cookbook: defaultwindowsofficecookbook.jbs Time: 09:39:29 Date: 28/05/2018 Version: ID: 61383 Sample Name: FORMP16T.docx Cookbook: defaultwindowsofficecookbook.jbs Time: 09:39:29 Date: 28/05/2018 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information

More information