Edit tour

Windows Analysis Report
InstallDriver.exe

Overview

General Information

Sample name:	InstallDriver.exe
Analysis ID:	1428974
MD5:	f25a0a82ad1eefd4becd6f034c078dbc
SHA1:	75c1063c318bd528b90e8a29bfc419beb1d35654
SHA256:	2f6cef951a937f898ff24bc6adcdffb321b55fd3d21769ca9580e0233bbeed5a
Infos:

Detection

Score:	2
Range:	0 - 100
Whitelisted:	false
Confidence:	60%

Signatures

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

May sleep (evasive loops) to hinder dynamic analysis

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Uses 32bit PE files

Classification

Analysis Advice

Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Process Tree

System is w10x64_ra

InstallDriver.exe (PID: 7016 cmdline: "C:\Users\user\Desktop\InstallDriver.exe" MD5: F25A0A82AD1EEFD4BECD6F034C078DBC)

Music.UI.exe (PID: 2196 cmdline: "C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe" -ServerName:Microsoft.ZuneMusic.AppX48dcrcgzqqdshm3kf61t0cm5e9pyd6h6.mca MD5: F963F75C0AD152437E10D656A00793A3)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: InstallDriver.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source:	Binary string: e:\My Documents\Visual Studio 2005\Projects\inpout32_source_and_bins\Inpout32_dll_source\Win32\Release\InstallDriver.pdb source: InstallDriver.exe
Source:	Binary string: e:\My Documents\Visual Studio 2005\Projects\inpout32_source_and_bins\Inpout32_dll_source\Win32\Release\InstallDriver.pdb),TXi source: InstallDriver.exe

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown

DNS traffic detected: queries for: settings-ssl.xboxlive.com

Source: Music.UI.exe, 00000011.00000002.2382048622.0000018F37413000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ns.a.0
Source: Music.UI.exe, 00000011.00000002.2382048622.0000018F37413000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ns.adobe.ho
Source: Music.UI.exe, 00000011.00000002.2398245124.0000018F38579000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp82hN
Source: Music.UI.exe, 00000011.00000002.2399528212.0000018F38600000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: Music.UI.exe, 00000011.00000002.2399528212.0000018F38600000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOShttps://android.notify.windows.com/iOS
Source: Music.UI.exe, 00000011.00000002.2403976447.0000018F38824000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: Music.UI.exe, 00000011.00000002.2403976447.0000018F38824000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/
Source: Music.UI.exe, 00000011.00000002.2398059478.0000018F38568000.00000004.00000020.00020000.00000000.sdmp, Music.UI.exe, 00000011.00000002.2393104911.0000018F37D86000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.local
Source: Music.UI.exe, 00000011.00000002.2393104911.0000018F37D86000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.local/
Source: Music.UI.exe, 00000011.00000002.2401689816.0000018F386CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.net
Source: Music.UI.exe, 00000011.00000002.2401689816.0000018F386CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.net/n
Source: Music.UI.exe, 00000011.00000002.2401689816.0000018F386CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.net8AHSM
Source: Music.UI.exe, 00000011.00000002.2389150141.0000018F37C00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://musicart.xboxlive.com/9/5c6a4700-0000-0000-0000-000000000002/504/image.jpg
Source: Music.UI.exe, 00000011.00000002.2389150141.0000018F37C00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://musicart.xboxlive.com/9/e74d4600-0000-0000-0000-000000000002/504/image.jpg
Source: Music.UI.exe, 00000011.00000003.1913149954.0000018F3775F000.00000004.00000020.00020000.00000000.sdmp, Music.UI.exe, 00000011.00000002.2387013615.0000018F3776E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://musicimage.xboxlive.comtXBLWinClient/v10_music/configuration.xml
Source: Music.UI.exe, 00000011.00000002.2379989061.0000018F36F38000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://settings-ssl.xboxlive.com
Source: Music.UI.exe, 00000011.00000003.1913149954.0000018F3775F000.00000004.00000020.00020000.00000000.sdmp, Music.UI.exe, 00000011.00000002.2387013615.0000018F37780000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://settings-ssl.xboxlive.com/
Source: Music.UI.exe, 00000011.00000003.1913149954.0000018F3775F000.00000004.00000020.00020000.00000000.sdmp, Music.UI.exe, 00000011.00000002.2387013615.0000018F3776E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://settings-ssl.xboxlive.com/XBLWinClient/v10_music/configuration.xml
Source: Music.UI.exe, 00000011.00000003.1913149954.0000018F3775F000.00000004.00000020.00020000.00000000.sdmp, Music.UI.exe, 00000011.00000002.2387013615.0000018F3776E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://settings-ssl.xboxlive.com/XBLWinClient/v10_music/configuration.xmlAC
Source: Music.UI.exe, 00000011.00000002.2386766345.0000018F37700000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/
Source: Music.UI.exe, 00000011.00000002.2401689816.0000018F386CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://xsts.auth.xboxlive.com
Source: Music.UI.exe, 00000011.00000002.2401689816.0000018F386CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://xsts.auth.xboxlive.com/
Source: Music.UI.exe, 00000011.00000002.2389150141.0000018F37C00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://xsts.auth.xboxlive.comngpng(

Source: InstallDriver.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: clean2.winEXE@2/14@1/0

Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe

File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\Database\

Jump to behavior

Source: InstallDriver.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\InstallDriver.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\InstallDriver.exe "C:\Users\user\Desktop\InstallDriver.exe"
Source: unknown	Process created: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe "C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe" -ServerName:Microsoft.ZuneMusic.AppX48dcrcgzqqdshm3kf61t0cm5e9pyd6h6.mca

Source: C:\Users\user\Desktop\InstallDriver.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\InstallDriver.exe	Section loaded: inpout32.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: sharedui.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: vccorlib140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: msvcp140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: concrt140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: vcruntime140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: vcruntime140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: msvcp140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: vcruntime140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: windows.ui.xaml.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: windows.staterepositorycore.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: rometadata.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: windows.applicationmodel.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: windows.storage.applicationdata.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: mrmcorer.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: windows.staterepositoryclient.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: bcp47mrm.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: windows.ui.xaml.controls.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: windows.shell.servicehostbuilder.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: uiamanager.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: windows.ui.core.textinput.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: windows.ui.immersive.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: threadpoolwinrt.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: windows.globalization.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: windows.system.profile.retailinfo.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: windows.media.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: windows.applicationmodel.lockscreen.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: wincorlib.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: lockappbroker.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: windows.graphics.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: windows.ui.xaml.phone.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: twinapi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: windows.networking.connectivity.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: windows.media.playback.mediaplayer.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: mfplat.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: rtworkq.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: windows.media.mediacontrol.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: mmdevapi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: mfmediaengine.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: audioses.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: windows.media.devices.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: windows.media.playback.proxystub.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: comppkgsup.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: windows.devices.enumeration.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: devdispitemprovider.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: ddores.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: defaultdevicemanager.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: directmanipulation.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: msftedit.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: globinputhost.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: windows.web.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: wpnapps.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: photometadatahandler.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: wuceffects.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: windows.networking.backgroundtransfer.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: systemeventsbrokerclient.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: profext.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: biwinrt.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: windows.security.authentication.web.core.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: microsoftaccountwamextension.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: mfsrcsnk.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: appcontracts.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: usermgrproxy.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: cdprt.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: cdp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: mfps.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: mfmp4srcsnk.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: msamrnbsource.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: mfasfsrcsnk.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: mfds.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: gnsdk_fp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: msflacdecoder.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: avrt.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: mfmpeg2srcsnk.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: mfmkvsrcsnk.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: mfnetsrc.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: mfnetcore.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: dwmapi.dll	Jump to behavior

Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe

File opened: C:\Windows\SYSTEM32\msftedit.dll

Jump to behavior

Source: InstallDriver.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: e:\My Documents\Visual Studio 2005\Projects\inpout32_source_and_bins\Inpout32_dll_source\Win32\Release\InstallDriver.pdb source: InstallDriver.exe
Source:	Binary string: e:\My Documents\Visual Studio 2005\Projects\inpout32_source_and_bins\Inpout32_dll_source\Win32\Release\InstallDriver.pdb),TXi source: InstallDriver.exe

Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe

Window / User API: threadDelayed 381

Jump to behavior

Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe TID: 3640	Thread sleep count: 381 > 30	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe TID: 3640	Thread sleep time: -32918400000s >= -30000s	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe TID: 3640	Thread sleep time: -86400000s >= -30000s	Jump to behavior

Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe

File opened: PhysicalDrive0

Jump to behavior

Source: Music.UI.exe, 00000011.00000002.2389688641.0000018F37C57000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\Database\anonymous\edbtmp.log VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\Database\anonymous\edbtmp.log VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\Database\anonymous\edbres00001.jrs VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\Database\anonymous\edb.log VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\Database\anonymous\edb.log VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\Database\anonymous\edb.log VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\Database\anonymous\edb.chk VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\Database\anonymous\EntClientDb.jfm VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\Database\anonymous\EntClientDb.edb VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\Database\anonymous\EntClientDb.edb VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\Database\anonymous\tmp.edb VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\Database\anonymous\edb.chk VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Resources\Fonts\SegMVR2.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Resources\Fonts\SegMVR2.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Resources\Fonts\SegMVR2.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Resources\Fonts\SegMVR2.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Resources\Fonts\SegMVR2.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Queries volume information: C:\Windows\Fonts\segoeuisl.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\SRPData.xml VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\DiagOutputDir VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\DiagOutputDir\CriticalError_playbackTrace_1715897156.txt VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Queries volume information: C:\Windows\Fonts\segoeuil.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Queries volume information: C:\Windows\Fonts\segmdl2.ttf VolumeInformation	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Masquerading	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Non-Application Layer Protocol	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	2 Virtualization/Sandbox Evasion	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	21 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
InstallDriver.exe	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
https://login.windows.local	0%	URL Reputation	safe
https://login.windows.local/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
settings-ssl.xboxlive.com	unknown	unknown	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://login.windows.local	Music.UI.exe, 00000011.00000002.2398059478.0000018F38568000.00000004.00000020.00020000.00000000.sdmp, Music.UI.exe, 00000011.00000002.2393104911.0000018F37D86000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://login.windows.net	Music.UI.exe, 00000011.00000002.2401689816.0000018F386CD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://settings-ssl.xboxlive.com/XBLWinClient/v10_music/configuration.xml	Music.UI.exe, 00000011.00000003.1913149954.0000018F3775F000.00000004.00000020.00020000.00000000.sdmp, Music.UI.exe, 00000011.00000002.2387013615.0000018F3776E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://settings-ssl.xboxlive.com	Music.UI.exe, 00000011.00000002.2379989061.0000018F36F38000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.windows.net8AHSM	Music.UI.exe, 00000011.00000002.2401689816.0000018F386CD000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://musicimage.xboxlive.comtXBLWinClient/v10_music/configuration.xml	Music.UI.exe, 00000011.00000003.1913149954.0000018F3775F000.00000004.00000020.00020000.00000000.sdmp, Music.UI.exe, 00000011.00000002.2387013615.0000018F3776E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://android.notify.windows.com/iOS	Music.UI.exe, 00000011.00000002.2399528212.0000018F38600000.00000004.00000020.00020000.00000000.sdmp	false		high
https://xsts.auth.xboxlive.com	Music.UI.exe, 00000011.00000002.2401689816.0000018F386CD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://android.notify.windows.com/iOShttps://android.notify.windows.com/iOS	Music.UI.exe, 00000011.00000002.2399528212.0000018F38600000.00000004.00000020.00020000.00000000.sdmp	false		high
https://musicart.xboxlive.com/9/e74d4600-0000-0000-0000-000000000002/504/image.jpg	Music.UI.exe, 00000011.00000002.2389150141.0000018F37C00000.00000004.00000020.00020000.00000000.sdmp	false		high
https://xsts.auth.xboxlive.comngpng(	Music.UI.exe, 00000011.00000002.2389150141.0000018F37C00000.00000004.00000020.00020000.00000000.sdmp	false		low
https://settings-ssl.xboxlive.com/	Music.UI.exe, 00000011.00000003.1913149954.0000018F3775F000.00000004.00000020.00020000.00000000.sdmp, Music.UI.exe, 00000011.00000002.2387013615.0000018F37780000.00000004.00000020.00020000.00000000.sdmp	false		high
https://musicart.xboxlive.com/9/5c6a4700-0000-0000-0000-000000000002/504/image.jpg	Music.UI.exe, 00000011.00000002.2389150141.0000018F37C00000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ns.a.0	Music.UI.exe, 00000011.00000002.2382048622.0000018F37413000.00000004.00000020.00020000.00000000.sdmp	false		low
https://wns.windows.com/	Music.UI.exe, 00000011.00000002.2386766345.0000018F37700000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ns.adobe.ho	Music.UI.exe, 00000011.00000002.2382048622.0000018F37413000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp82hN	Music.UI.exe, 00000011.00000002.2398245124.0000018F38579000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.windows.net/n	Music.UI.exe, 00000011.00000002.2401689816.0000018F386CD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.windows.local/	Music.UI.exe, 00000011.00000002.2393104911.0000018F37D86000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://settings-ssl.xboxlive.com/XBLWinClient/v10_music/configuration.xmlAC	Music.UI.exe, 00000011.00000003.1913149954.0000018F3775F000.00000004.00000020.00020000.00000000.sdmp, Music.UI.exe, 00000011.00000002.2387013615.0000018F3776E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://xsts.auth.xboxlive.com/	Music.UI.exe, 00000011.00000002.2401689816.0000018F386CD000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1428974
Start date and time:	2024-04-20 00:04:13 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 19s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	25
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	InstallDriver.exe
Detection:	CLEAN
Classification:	clean2.winEXE@2/14@1/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, SIHClient.exe, Microsoft.Photos.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.63.156.44
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, login.live.com, ctldl.windowsupdate.com, settings-ssl.xboxlive.com.edgekey.net, e87.dspb.akamaiedge.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: InstallDriver.exe

Simulations

Behavior and APIs

Time	Type	Description
00:05:56	API Interceptor	451x Sleep call for process: Music.UI.exe modified

Process:	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2659
Entropy (8bit):	4.926959150875136
Encrypted:	false
SSDEEP:	48:cK88z2Dxfo++T4Vu5Hj2oJ//QBfM9ifr9jf2dBfUyrAf0dPfUytCfN4wc/+:n88z2DxueBQipjQB8BWP8pc+
MD5:	69415BBB2113097CE28402C78AAB8A1D
SHA1:	3CC52AA27D635F22434CFEAD93C27D3B5287BF2E
SHA-256:	95458051B4940AA84E142A19F4F775901CBFADC6BDEC409FC7C9DAC854FC8910
SHA-512:	03C62FF862F73046C45D6495D6E5E821ACBD228A230E6761DEE9E8A4E48F157CE3566E6E06FE8CACA73D4736B6AC78A4914855CDE4037574D8DBF86B2B2A0B54
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	<?xml version="1.0" encoding="utf-8"?>..<clientConfiguration xmlns="http://schemas.microsoft.com/XblWinClient/2012/03" version="1">.. <targetedClient>XblWinClient</targetedClient > .. <rights>Copyright (c) Microsoft Corporation. All rights reserved.</rights> .... <configuration name="Features">.. <property name="EditorialPlaylistsEnabled" type="string" value="AU,CA,DE,FR,GB,MX,NZ,US" />.. <property name="ExploreWithGenreDetailsEnabled" type="string" value="AU,CA,DE,FR,GB,MX,NZ,US" />.. <property name="GenreRadioEnabled" type="string" value="AU,CA,DE,FR,GB,MX,NZ,US" />.. <property name="MusicPassUpsell" type="string" value="" />.. <property name="MusicPassUpsellForCollectionPDP" type="string" value="" />.. <property name="MusicPassUpsellInMixtapes" type="string" value="" />.. <property name="MusicPassInAppPurchase" type="string" value="" />.. <property name="MusicSubscription" type="stri

C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\Database\anonymous\EntClientDb.edb

Download File

Process:	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0xde9a0322, page size 8192, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	3670016
Entropy (8bit):	0.2950584082208883
Encrypted:	false
SSDEEP:	1536:BdSh2d9KY8k/fnbfgTC0/k63bBu7fhWxM/46USh29KY8k2xyDFqfaLgTC0/k63bm:P6wLFNA6U6SLEQR6
MD5:	A0B429093F220DEF05533F67BAB23331
SHA1:	6EFBBF43068F56AE977B8D944A3098722960FCEF
SHA-256:	DD6518682C19E13A2CEB6BB686135F73B76D571D6940CCD4D048E1D3F4718A2E
SHA-512:	E7B1ED025F12227469EA4DF8F2C3B01EA36D9DFD86A505D449B819233D398149A6DA9C85E20E9DC983A737B251BC72E30094CD95701674AD4740895E61728AE6
Malicious:	false
Reputation:	low
Preview:	.."... .......-........e..8....\|m.....................................8....\|..h.............................\8....\|?.........................................................................................................eJ........... ...................................................................................................... .......8....\|?.................................................8....\|......................................................................................................................................8....\|....................................\|58....\|E.....................8....\|..........................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\Database\anonymous\EntClientDb.jfm

Download File

Process:	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.08390289220277451
Encrypted:	false
SSDEEP:	3:GJXYtvgQ2Xlll1lVgzSH3qiQR4izSHall7WWtXnl2n+9s9k/q/Qs9aclQ1Hl/l:yXYtvgXl/1+wniHSF/Icy
MD5:	48369515BB495C6A07619ACB1AC3C831
SHA1:	1B6E17215BA5BFF29C53826955F96C61BBB61534
SHA-256:	708B0718373D1AD0190773A2BF743B26F5465820E275161A78FAEEFB79A34FCC
SHA-512:	4FE7153809212230ED16E2A35ED1DFE85B9E877B979863BA9F9243B9F054D051A10C6544620D49DECF759F2677313BFBB85B8CC7FD9D280B143BBD44B1298C90
Malicious:	false
Reputation:	low
Preview:	../5....................................8....\|m.8....\|m.................8....\|...........'.z8....\|......................8....\|..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\Database\anonymous\edb.chk

Download File

Process:	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.6123381902501969
Encrypted:	false
SSDEEP:	12:Ku1wUIPxJ1qwUIPxJ1GQelR2u1wUIPxJ1qwUIPxJ1GQelR:71wUCx/qwUCx/Gd1wUCx/qwUCx/G
MD5:	EB9670F79E9DF79C958FF3A7DBB52DB0
SHA1:	78ABE1EB6018F116129315251C2E65CE76C3ED99
SHA-256:	6DBFD3AE36DBD30B5D22079795CDECB844C470472A28C9D745F6B1E9CDDDC2F3
SHA-512:	DEE6057903806EA864CD13547E2D515F6D1571BC4B2F57A2F1D9E228022414E41B37F8BE5B5EB6EC7CB76D424406B87739A28ED25E552DD4CD55A20918D7D4FC
Malicious:	false
Reputation:	low
Preview:	.bE...................\8....\|?.................C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\Database\anonymous\................................................................................................................................................................C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\Database\anonymous\.................................................................................................................................................................0u..,.....................5w.................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\Database\anonymous\edb.log

Download File

Process:	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe
File Type:	data
Category:	dropped
Size (bytes):	2097152
Entropy (8bit):	0.7400993880126588
Encrypted:	false
SSDEEP:	1536:TLf6R1dtEBmHltDulBuuia+ciy+zW8baf4lBiNO8WfO4odiFY1Z38AZ5yeh0G32l:TLf6R7DhXOhz9hCQlsNqKs3v
MD5:	A2319084E6965D19091DA9A82C86823A
SHA1:	78A796FD9766F96508838FBCC7709D6FBBC4C468
SHA-256:	E331D6D729497C3F5089745B454B931FFE4792FF4C222AF4279B90D125EF3B21
SHA-512:	C49B52CC59F244F22D43E1D57A1BF6C20C6E2155B9C9D8CB2BAF4CEB4FFED32A0E9D99907695F67E5793AA0CE54CC45E768C3174DA1CA40E70F16E26BD1C3C5C
Malicious:	false
Reputation:	low
Preview:	3.^............ 8....\|?.......................\8....\|?.................C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\Database\anonymous\................................................................................................................................................................C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\Database\anonymous\.................................................................................................................................................................0u..,.....................5w.......................................#.................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\Database\anonymous\edbres00001.jrs

Download File

Process:	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe
File Type:	data
Category:	dropped
Size (bytes):	2097152
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	B2D1236C286A3C0704224FE4105ECA49
SHA1:	7D76D48D64D7AC5411D714A4BB83F37E3E5B8DF6
SHA-256:	5647F05EC18958947D32874EEB788FA396A05D0BAB7C1B71F112CEB7E9B31EEE
SHA-512:	731859029215873FDAC1C9F2F8BD25A334ABF0F3A9E1B057CF2CACC2826D86B0C26A3FA920A936421401C0471F38857CB53BA905489EA46B185209FDFF65B3B6
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\Database\anonymous\edbres00002.jrs

Download File

Process:	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe
File Type:	data
Category:	dropped
Size (bytes):	2097152
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	B2D1236C286A3C0704224FE4105ECA49
SHA1:	7D76D48D64D7AC5411D714A4BB83F37E3E5B8DF6
SHA-256:	5647F05EC18958947D32874EEB788FA396A05D0BAB7C1B71F112CEB7E9B31EEE
SHA-512:	731859029215873FDAC1C9F2F8BD25A334ABF0F3A9E1B057CF2CACC2826D86B0C26A3FA920A936421401C0471F38857CB53BA905489EA46B185209FDFF65B3B6
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\Database\anonymous\edbtmp.log

Download File

Process:	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe
File Type:	data
Category:	dropped
Size (bytes):	2097152
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	B2D1236C286A3C0704224FE4105ECA49
SHA1:	7D76D48D64D7AC5411D714A4BB83F37E3E5B8DF6
SHA-256:	5647F05EC18958947D32874EEB788FA396A05D0BAB7C1B71F112CEB7E9B31EEE
SHA-512:	731859029215873FDAC1C9F2F8BD25A334ABF0F3A9E1B057CF2CACC2826D86B0C26A3FA920A936421401C0471F38857CB53BA905489EA46B185209FDFF65B3B6
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\Database\anonymous\tmp.edb

Download File

Process:	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0xf2644874, page size 8192, JustCreated, Windows version 0.0
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.14192384005184558
Encrypted:	false
SSDEEP:	768:E2gAhY+VxEyVjqaytqxUSYQHDmit8UPcim:bhY+VxEyVjqaytqxUSYQHDmit8UPcim
MD5:	2EF4BC0B2AF8FF7F5F43BA44CF90858C
SHA1:	0D74ECD75C321FC9C2F53F61B2C18EAA5F30649D
SHA-256:	E2AC2E2855FACFBA1967DE727ADFECF64F03A51C9CC3F1B2405D2EC6B46F7A60
SHA-512:	F82363F47B36D0CC2B9F56E34F4E7EC815354A34EEC6FC93EC707480490D2BE1C10132B7F482308B41B6767BB2CBCB06EFE20F12723FB203DFF66380AD185033
Malicious:	false
Reputation:	low
Preview:	.dHt... .......@...........8....\|........................................................................................................................................................................................................... ...................................................................................................... ...................................................................................................................................................................................................................................................$...8....\|.9....................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\DiagOutputDir\CriticalError_playbackTrace_1715897156.txt (copy)

Download File

Process:	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	40866
Entropy (8bit):	5.3162149368399225
Encrypted:	false
SSDEEP:	768:mBBBRX5y7OJEDws21uP+cYWblAyLsrpppSGrVsWsXOFOogPgqg6gOOGsWgitDGne:mBBdZs21uP+cYWblAyLsrpppSGraTeMh
MD5:	64D891F22EE6F5AB2B1E2C1A7D4A0295
SHA1:	E8E48872A4C4F3DEF76134E322F2C71225593833
SHA-256:	2D65BFAE05385E4DB00F0FF9C8C94ECFC49178CB1E9C1F23267E6BC67C75D8A5
SHA-512:	0EBCD485EC0BC980E33A002E952360B1CF26557762C424389153C29E2AEA10774E7AAF53909817908D5365BF14C9C49D97C93085BF3274F62713C11927037B3E
Malicious:	false
Reputation:	low
Preview:	1.04/22/24 01:57:50.2228.MS::Entertainment::Music::Playback::PlaybackProperties::AppActivationKind::set - value = File.2.04/26/24 01:57:50.4372.MS::Entertainment::Core::Services::MemoryLimitsInformationService::OnAppMemoryUsageLimitChanging - Memory Usage Limit Changed to 18446744073709551615 from 18446744073709551615, our current usage is 19480576.3.04/26/24 01:57:50.2228.MS::Entertainment::Music::Playback::PlaylistPlaybackService::PlaylistPlaybackService.4.04/26/24 01:57:50.4636.MS::Entertainment::Core::Services::MemoryLimitsInformationService::OnAppMemoryUsageIncreased - App memory usage level increased to Low, Total commit is 19480576 .5.04/26/24 01:57:50.2228.MS::Entertainment::Music::Playback::PlaylistPlaybackService::PlaylistPlaybackService - userCid = .6.04/28/24 01:57:50.2228.MS::Entertainment::Music::Playback::MetadataProviderEventWrapper::MetadataProviderEventWrapper.7.04/28/24 01:57:50.2228.MS::Entertainment::Music::Playback::SharedEvent::GetHandle - Event EnterpriseDataPro

C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\DiagOutputDir\CriticalError_playbackTrace_1715897156.txt.~tmp

Download File

Process:	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	40866
Entropy (8bit):	5.3162149368399225
Encrypted:	false
SSDEEP:	768:mBBBRX5y7OJEDws21uP+cYWblAyLsrpppSGrVsWsXOFOogPgqg6gOOGsWgitDGne:mBBdZs21uP+cYWblAyLsrpppSGraTeMh
MD5:	64D891F22EE6F5AB2B1E2C1A7D4A0295
SHA1:	E8E48872A4C4F3DEF76134E322F2C71225593833
SHA-256:	2D65BFAE05385E4DB00F0FF9C8C94ECFC49178CB1E9C1F23267E6BC67C75D8A5
SHA-512:	0EBCD485EC0BC980E33A002E952360B1CF26557762C424389153C29E2AEA10774E7AAF53909817908D5365BF14C9C49D97C93085BF3274F62713C11927037B3E
Malicious:	false
Reputation:	low
Preview:	1.04/22/24 01:57:50.2228.MS::Entertainment::Music::Playback::PlaybackProperties::AppActivationKind::set - value = File.2.04/26/24 01:57:50.4372.MS::Entertainment::Core::Services::MemoryLimitsInformationService::OnAppMemoryUsageLimitChanging - Memory Usage Limit Changed to 18446744073709551615 from 18446744073709551615, our current usage is 19480576.3.04/26/24 01:57:50.2228.MS::Entertainment::Music::Playback::PlaylistPlaybackService::PlaylistPlaybackService.4.04/26/24 01:57:50.4636.MS::Entertainment::Core::Services::MemoryLimitsInformationService::OnAppMemoryUsageIncreased - App memory usage level increased to Low, Total commit is 19480576 .5.04/26/24 01:57:50.2228.MS::Entertainment::Music::Playback::PlaylistPlaybackService::PlaylistPlaybackService - userCid = .6.04/28/24 01:57:50.2228.MS::Entertainment::Music::Playback::MetadataProviderEventWrapper::MetadataProviderEventWrapper.7.04/28/24 01:57:50.2228.MS::Entertainment::Music::Playback::SharedEvent::GetHandle - Event EnterpriseDataPro

C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\SRPData.xml (copy)

Download File

Process:	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	215
Entropy (8bit):	4.840898391480387
Encrypted:	false
SSDEEP:	3:uncHUTIqUHek8KIfFhKP4SfHUyLGewqcV3otRslUERrRD+EGmNrOVgNnb:e28IqUHeksNhy5mOw1SEGmNrDnb
MD5:	8E932FED9060096F7A1C355B1DD37B20
SHA1:	9EC80804A023F801409B30E196101EA1BBC5FCA8
SHA-256:	9AA87AC87F0B234F977AE2EF4D4F853065182E7E4BC47D9B1901FB2C28A0324F
SHA-512:	BCF405DAE69F73B4F8961E7DB6BBDA4679D8714813A27181CBB803A408C24A2C0DC9569D1897277CDE635904DF83DD2C80C660E5E2FD03D2720F9F778A98C146
Malicious:	false
Preview:	<SRPData version="1" sessionId="1"><Outcomes></Outcomes><Threshold launches="1" daysLaunched="1" dayOfLastLaunch="22" monthOfLastLaunch="5" yearOfLastLaunch="2024" userHasAccepted="false" timesPolled="0"/></SRPData>

C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\SRPData.xml.~tmp

Download File

Process:	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	215
Entropy (8bit):	4.840898391480387
Encrypted:	false
SSDEEP:	3:uncHUTIqUHek8KIfFhKP4SfHUyLGewqcV3otRslUERrRD+EGmNrOVgNnb:e28IqUHeksNhy5mOw1SEGmNrDnb
MD5:	8E932FED9060096F7A1C355B1DD37B20
SHA1:	9EC80804A023F801409B30E196101EA1BBC5FCA8
SHA-256:	9AA87AC87F0B234F977AE2EF4D4F853065182E7E4BC47D9B1901FB2C28A0324F
SHA-512:	BCF405DAE69F73B4F8961E7DB6BBDA4679D8714813A27181CBB803A408C24A2C0DC9569D1897277CDE635904DF83DD2C80C660E5E2FD03D2720F9F778A98C146
Malicious:	false
Preview:	<SRPData version="1" sessionId="1"><Outcomes></Outcomes><Threshold launches="1" daysLaunched="1" dayOfLastLaunch="22" monthOfLastLaunch="5" yearOfLastLaunch="2024" userHasAccepted="false" timesPolled="0"/></SRPData>

C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\Settings\settings.dat

Download File

Process:	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.3734170645836998
Encrypted:	false
SSDEEP:	24:6E1+/r4WlVnQlDuUbwB7d82/+wB7svTnl/wZPo:TMJlVM87d37J
MD5:	4899D54A8778500AE2788774C9894643
SHA1:	158459B3FBC6498098411A075761B94E08D54A2F
SHA-256:	5DE7EA3AD3F174FB5CABC4D78C5CDA8F3B285709D8FE8D5E342739F9E1B38FF2
SHA-512:	4599DEA9A709C9FAC96A4749D9E039B8960C76C25C34FBD838754AF8FDAE0EE91125D011C3299008EEB26CF5F429A7651BF5321AEC088450A465474CCE16AA17
Malicious:	false
Preview:	regf........b.Q.7.................. ...........:.\.W.i.n.d.o.w.s.\.S.y.s.t.e.m.3.2.\.s.e.t.t.i.n.g.s...d.a.t...y..j.....J.....y..j.....J.........z..j.....J.....rmtmr.P.7..............................................................................................................................................................................................................................................................................................................................................@Q.G........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.657316217386607
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	InstallDriver.exe
File size:	49'152 bytes
MD5:	f25a0a82ad1eefd4becd6f034c078dbc
SHA1:	75c1063c318bd528b90e8a29bfc419beb1d35654
SHA256:	2f6cef951a937f898ff24bc6adcdffb321b55fd3d21769ca9580e0233bbeed5a
SHA512:	5d16a06664a22d95b4a9c553608456e1e9499c72db3fa76e429e3e3da83c9af589fa76f0b66c867976d71b26c4c6d5cc67afb1d0861af3751852368e5d7c7e3b
SSDEEP:	768:zsfqbtPnPlt0RBNxamrr1A081ZadarUq3XEOgbtwg:FbFP/0D3DriT18w1etwg
TLSH:	3523180A3893C033E41649B586E58AC15FFF7C133AF3A06FEF84454E1AA129899797F5
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........cK.............np......nc......n`.......P......nv..............n.......nq......nu.....Rich............................PE..L..

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4012cb
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x4D2F5F91 [Thu Jan 13 20:24:49 2011 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	87cea554f9cb4b282bb296a63949bda0

Entrypoint Preview

Instruction
call 00007F5CAC9BBC3Bh
jmp 00007F5CAC9BA28Ch
push ebp
mov ebp, esp
sub esp, 00000328h
mov dword ptr [0040ADD8h], eax
mov dword ptr [0040ADD4h], ecx
mov dword ptr [0040ADD0h], edx
mov dword ptr [0040ADCCh], ebx
mov dword ptr [0040ADC8h], esi
mov dword ptr [0040ADC4h], edi
mov word ptr [0040ADF0h], ss
mov word ptr [0040ADE4h], cs
mov word ptr [0040ADC0h], ds
mov word ptr [0040ADBCh], es
mov word ptr [0040ADB8h], fs
mov word ptr [0040ADB4h], gs
pushfd
pop dword ptr [0040ADE8h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [0040ADDCh], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [0040ADE0h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [0040ADECh], eax
mov eax, dword ptr [ebp-00000320h]
mov dword ptr [0040AD28h], 00010001h
mov eax, dword ptr [0040ADE0h]
mov dword ptr [0040ACDCh], eax
mov dword ptr [0040ACD0h], C0000409h
mov dword ptr [0040ACD4h], 00000001h
mov eax, dword ptr [0040A004h]
mov dword ptr [ebp-00000328h], eax
mov eax, dword ptr [0040A008h]
mov dword ptr [ebp-00000324h], eax
call dword ptr [00408024h]

Rich Headers

Programming Language:

[ASM] VS2005 build 50727
[C++] VS2005 build 50727
[ C ] VS2005 build 50727
[IMP] VS2005 build 50727
[RES] VS2005 build 50727
[LNK] VS2005 build 50727

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x98cc	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc000	0x608	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x8150	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x9540	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x114	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x63e4	0x7000	5eda842b76912c93face23b0e6da1c81	False	0.5626743861607143	MPEG-4 LOAS	6.227527587523542	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1ee4	0x2000	9f22aadfb5847aa841f5a12f656e6eca	False	0.335693359375	data	5.293548469075136	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x199c	0x1000	afbe25c12caab7ca2f123e94e0f0eba0	False	0.20361328125	firmware 1200 v0 (revision 1350909952) N\346@\273\261\031\277D\ \224\206@ V2, version 8704.0.55425 (region 318767104), 209993728 bytes or less, UNKNOWN1 0x13000000, UNKNOWN2 0xc4844000, UNKNOWN3 0x1c000000, at 0x1f000000 2827173888 bytes , at 0x20000000 1887649792 bytes , at 0x21000000 2021801984 bytes	2.120795269175888	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc000	0x608	0x1000	8366c09c7f65b861036e291728a92229	False	0.1689453125	data	4.095901447806458	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_STRING	0xc0e8	0x3a	data	English	Great Britain	0.6551724137931034
RT_VERSION	0xc124	0x39c	data	English	Great Britain	0.4296536796536797
RT_MANIFEST	0xc4c0	0x147	ASCII text, with CRLF line terminators	English	United States	0.5749235474006116

Imports

DLL	Import
inpout32.dll
USER32.dll	MessageBoxW
KERNEL32.dll	HeapFree, GetVersionExA, HeapAlloc, GetProcessHeap, GetStartupInfoW, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetProcAddress, GetModuleHandleA, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, GetModuleFileNameW, FreeEnvironmentStringsA, MultiByteToWideChar, GetEnvironmentStrings, FreeEnvironmentStringsW, GetLastError, GetEnvironmentStringsW, GetCommandLineA, GetCommandLineW, SetHandleCount, GetFileType, GetStartupInfoA, DeleteCriticalSection, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, InterlockedDecrement, HeapDestroy, HeapCreate, VirtualFree, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, LeaveCriticalSection, EnterCriticalSection, LoadLibraryA, InitializeCriticalSection, Sleep, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, VirtualAlloc, HeapReAlloc, RtlUnwind, HeapSize, GetLocaleInfoA, WideCharToMultiByte, GetStringTypeA, GetStringTypeW, LCMapStringA, LCMapStringW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 20, 2024 00:05:59.566011906 CEST	59761	53	192.168.2.16	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 20, 2024 00:05:59.566011906 CEST	192.168.2.16	1.1.1.1	0x75a9	Standard query (0)	settings-ssl.xboxlive.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 20, 2024 00:05:59.673691988 CEST	1.1.1.1	192.168.2.16	0x75a9	No error (0)	settings-ssl.xboxlive.com	settings-ssl.xboxlive.com.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false

Target ID:	0
Start time:	00:04:37
Start date:	20/04/2024
Path:	C:\Users\user\Desktop\InstallDriver.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\InstallDriver.exe"
Imagebase:	0x400000
File size:	49'152 bytes
MD5 hash:	F25A0A82AD1EEFD4BECD6F034C078DBC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	00:05:56
Start date:	20/04/2024
Path:	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe" -ServerName:Microsoft.ZuneMusic.AppX48dcrcgzqqdshm3kf61t0cm5e9pyd6h6.mca
Imagebase:	0x7ff77a460000
File size:	23'140'864 bytes
MD5 hash:	F963F75C0AD152437E10D656A00793A3
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report InstallDriver.exe

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\AC\INetCache\DDXMMW15\configuration[1].xml

C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\Database\anonymous\EntClientDb.edb

C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\Database\anonymous\EntClientDb.jfm

C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\Database\anonymous\edb.chk

C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\Database\anonymous\edb.log

C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\Database\anonymous\edbres00001.jrs

C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\Database\anonymous\edbres00002.jrs

C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\Database\anonymous\edbtmp.log

C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\Database\anonymous\tmp.edb

C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\DiagOutputDir\CriticalError_playbackTrace_1715897156.txt (copy)

C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\DiagOutputDir\CriticalError_playbackTrace_1715897156.txt.~tmp

C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\SRPData.xml (copy)

C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\SRPData.xml.~tmp

C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\Settings\settings.dat

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

UDP Packets

Windows Analysis Report
InstallDriver.exe