Create Interactive Tour

Analysis Report Alvin2.xml

Overview

General Information

Sample Name:	Alvin2.xml
Analysis ID:	389598
MD5:	e2c3cd38d9fa9173bad4d0379180d8a1
SHA1:	9c57c956c67cfb157fab95e01ffa92b437518388
SHA256:	cddce16cabc65fa294b2ec6cf6277651f2db77d319942e53c58505532e80531a
Infos:
Most interesting Screenshot:

Detection

Score:	1
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Contains capabilities to detect virtual machines

Creates a process in suspended mode (likely to inject code)

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Classification

Startup

System is w10x64

MSOXMLED.EXE (PID: 6440 cmdline: 'C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\MSOXMLED.EXE' /verb open 'C:\Users\user\Desktop\Alvin2.xml' MD5: 77F586C2DB0175DD4AA085531A82C88A)

iexplore.exe (PID: 6480 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' C:\Users\user\Desktop\Alvin2.xml MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 6536 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6480 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

• Compliance
• Networking
• System Summary
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• HIPS / PFW / Operating System Protection Evasion

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Source: msapplication.xml0.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x6f15ad8a,0x01d7332b</date><accdate>0x6f15ad8a,0x01d7332b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x6f15ad8a,0x01d7332b</date><accdate>0x6f15ad8a,0x01d7332b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x6f1a723d,0x01d7332b</date><accdate>0x6f1a723d,0x01d7332b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x6f1a723d,0x01d7332b</date><accdate>0x6f1a723d,0x01d7332b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x6f1a723d,0x01d7332b</date><accdate>0x6f1a723d,0x01d7332b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x6f1a723d,0x01d7332b</date><accdate>0x6f1a723d,0x01d7332b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)

Source: msapplication.xml.1.dr	String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.1.dr	String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.1.dr	String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.1.dr	String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.1.dr	String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.1.dr	String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.1.dr	String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.1.dr	String found in binary or memory: http://www.youtube.com/

Source: classification engine

Classification label: clean1.winXML@5/14@0/0

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{9978A460-9F1E-11EB-90E5-ECF4BB570DC9}.dat

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DFC45588D931CEC673.TMP

Jump to behavior

Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: unknown	Process created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE 'C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\MSOXMLED.EXE' /verb open 'C:\Users\user\Desktop\Alvin2.xml'
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' C:\Users\user\Desktop\Alvin2.xml
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6480 CREDAT:17410 /prefetch:2
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' C:\Users\user\Desktop\Alvin2.xml	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6480 CREDAT:17410 /prefetch:2	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE

Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' C:\Users\user\Desktop\Alvin2.xml

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection11	Masquerading1	OS Credential Dumping	Query Registry1	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Virtualization/Sandbox Evasion1	LSASS Memory	Security Software Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection11	Security Account Manager	Virtualization/Sandbox Evasion1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	File and Directory Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Alvin2.xml	0%	Virustotal		Browse

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.wikipedia.com/	0%	URL Reputation	safe
http://www.wikipedia.com/	0%	URL Reputation	safe
http://www.wikipedia.com/	0%	URL Reputation	safe
http://www.wikipedia.com/	0%	URL Reputation	safe

Domains and IPs Download Network PCAP: filtered – full

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.wikipedia.com/	msapplication.xml6.1.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.amazon.com/	msapplication.xml.1.dr	false		high
http://www.nytimes.com/	msapplication.xml3.1.dr	false		high
http://www.live.com/	msapplication.xml2.1.dr	false		high
http://www.reddit.com/	msapplication.xml4.1.dr	false		high
http://www.twitter.com/	msapplication.xml5.1.dr	false		high
http://www.youtube.com/	msapplication.xml7.1.dr	false		high

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	389598
Start date:	16.04.2021
Start time:	18:44:45
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 4m 31s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Alvin2.xml
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	31
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean1.winXML@5/14@0/0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xml
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 20.82.210.154, 104.42.151.234, 93.184.220.29, 104.43.193.48, 13.88.21.125, 168.61.161.212, 92.122.145.220, 52.255.188.83, 88.221.62.148, 23.57.80.111, 152.199.19.161, 92.122.213.194, 92.122.213.247, 205.185.216.42, 205.185.216.10, 20.82.209.183, 52.155.217.156, 20.54.26.129 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, cs9.wac.phicdn.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, go.microsoft.com, ocsp.digicert.com, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, fs.microsoft.com, dual-a-0001.a-msedge.net, ie9comview.vo.msecnd.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, go.microsoft.com.edgekey.net, skypedataprdcolwus16.cloudapp.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, cs9.wpc.v0cdn.net

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{9978A460-9F1E-11EB-90E5-ECF4BB570DC9}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	24152
Entropy (8bit):	1.7594808966882751
Encrypted:	false
SSDEEP:	48:IwJ7GcproGwpLUyG/ap8Y5GIpc28GvnZpv2MTGvHZp922oGo1iqpv2DGo4h8Kpck:rLZwZp2KW4tsfxA7tPh8KW206
MD5:	5C195AF8E05FFB8269DFCB08B39E5BF6
SHA1:	8D5A99142E49659F48DD80EA66F2D5C28B4D4CEE
SHA-256:	DB264077FFF1B702466C1BBD58FD5D9D6053F826CDFC332374AB6A44B7AE9387
SHA-512:	DAF0A54804A99036D01E2E5FECF3F48586E6B58F0B4D5253CCF10B6124A7CFD035D42C9F7B6EF62760638636FFDA57D9BC5281C9E2BEAEF31E8097280E3BA63E
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{9978A462-9F1E-11EB-90E5-ECF4BB570DC9}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	23640
Entropy (8bit):	1.7062198350914597
Encrypted:	false
SSDEEP:	48:IwcGcprJGwpaBG4pglJ3G7HprilJRTGApxlJjGspPlJIGeXpdlJALGR4pNlJKuFY:rAZjQTqLWxiL/zLJtLCfLALPLLZL7umg
MD5:	CBB17C597CB6AC29073C1743B5A99D98
SHA1:	1FAF6C3F758AE5BAAFC61F9115BFF869A7B0598E
SHA-256:	EB85046FF228EA138AAEF807D548901CB55E288F79CFEF38ED0B246A7BD67267
SHA-512:	C51CEE00D08B91ECB1E04A54A9AADF05665D087030BB8AA9A2A872F36EE48A0E8DAD179FF0B180ABEBBC806472BC84FFE8806B1C1A30B0E387EA27D3AB4C5DD2
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	657
Entropy (8bit):	5.081698339429366
Encrypted:	false
SSDEEP:	12:TMHdNMNxOE8EGEg4nWimI002EtM3MHdNMNxOE8EGEg4nWimI00ONVbkEtMb:2d6NxO+R5SZHKd6NxO+R5SZ7Qb
MD5:	40DC2DAEA810016A2FEDF6EE0E7480CE
SHA1:	3C53B4879367ECBA64119863C382067ACE035635
SHA-256:	9906A3ADD2F4577ABA64C1C229CE2D9DA15350A4AF5CC11AC192EE84CA5633CF
SHA-512:	D28156E251E08698C328075DD43AEEE25339898DD1E6C506AB8D5C81A518147C9F4205416F991923814D04518816E8E877035E331616E9782437359FF4F93914
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x6f1a723d,0x01d7332b</date><accdate>0x6f1a723d,0x01d7332b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x6f1a723d,0x01d7332b</date><accdate>0x6f1a723d,0x01d7332b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	654
Entropy (8bit):	5.129427137361252
Encrypted:	false
SSDEEP:	12:TMHdNMNxe2k24/414nWimI002EtM3MHdNMNxe2k24/414nWimI00ONkak6EtMb:2d6NxrzMBSZHKd6NxrzMBSZ72a7b
MD5:	58ED65F3788FA4A9D7B42BB6338A9588
SHA1:	D25B1DCB448E85FDF9234165048C57F7AF7FDEED
SHA-256:	D144FEC44CE2B6DA5C8DE840EBADA61EDB8F8E44C8F4E44108B443547C8ACADA
SHA-512:	1C5A82CB54D4FC415AED9CC329A75D3B90C4AA415B05AC865EBDA8489C699E547B64EC9AA988D082851F6543FA2EA91E0A3F549D5FA0E96151DB1D2CE7C6D4A7
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0x6f134b2a,0x01d7332b</date><accdate>0x6f134b2a,0x01d7332b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0x6f134b2a,0x01d7332b</date><accdate>0x6f134b2a,0x01d7332b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Amazon.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	663
Entropy (8bit):	5.099681739464678
Encrypted:	false
SSDEEP:	12:TMHdNMNxvL8EGEg4nWimI002EtM3MHdNMNxvL8EGEg4nWimI00ONmZEtMb:2d6Nxv7R5SZHKd6Nxv7R5SZ7Ub
MD5:	E5D978C874770642EFA19E39215B380B
SHA1:	A14A52403629D00FDCD61BE82D211682557F4737
SHA-256:	6CD620605925D51C65799EDC3467A5533A6DC65B296412D453039FAE2157BBD8
SHA-512:	303E6D2FE78D46A48A15C0957CFD9E22D65F0980D0D1CAD47BEE087898B5DB1221FB296AB43B02548DDDC6D2F3CC9F70007FE5A90356829820EB6E5F8CCFA3B2
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0x6f1a723d,0x01d7332b</date><accdate>0x6f1a723d,0x01d7332b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0x6f1a723d,0x01d7332b</date><accdate>0x6f1a723d,0x01d7332b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Wikipedia.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	648
Entropy (8bit):	5.09361039426407
Encrypted:	false
SSDEEP:	12:TMHdNMNxiW4nWimI002EtM3MHdNMNxiW4nWimI00ONd5EtMb:2d6Nx0SZHKd6Nx0SZ7njb
MD5:	D1D41306738D8FBFE83D7A6CF97FB9C1
SHA1:	37262C47333253EE7616EFDF7B00BB111FFA0F17
SHA-256:	0E42E03EB260C9274AA0B2A073900CFF3EA6E7A3A7476FBAA4222DF3633D264A
SHA-512:	AC4ECCC6E7B92E5C152214634592D1F82DB8F6687D3958C225A5CBC326AB11472239A0BE49B3B18EC6B3222CF03BED125709082E7B39AD388EB07C79AF9B17CF
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0x6f180feb,0x01d7332b</date><accdate>0x6f180feb,0x01d7332b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0x6f180feb,0x01d7332b</date><accdate>0x6f180feb,0x01d7332b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Live.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	657
Entropy (8bit):	5.112291170365664
Encrypted:	false
SSDEEP:	12:TMHdNMNxhGw8EGEg4nWimI002EtM3MHdNMNxhGw8EGEg4nWimI00ON8K075EtMb:2d6NxQqR5SZHKd6NxQqR5SZ7uKajb
MD5:	0850E21BD49C3030DB0CC7AB7A602E74
SHA1:	B8B95E3965385D37B26B468B22C849E0879947A6
SHA-256:	FCCF4F970C31CC878782025EBE944A9E4D86FC777EABFFB809E04073E0FD437C
SHA-512:	322C59AF8FD0CA45EF8B0FE1A4A997C81F45A230ECE95A5E06BE5BA77AC4CF322546E37788FA877F99CE57F276ED86430A4F01A70A24D71F751ACA109595968C
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x6f1a723d,0x01d7332b</date><accdate>0x6f1a723d,0x01d7332b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x6f1a723d,0x01d7332b</date><accdate>0x6f1a723d,0x01d7332b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	654
Entropy (8bit):	5.082332389767289
Encrypted:	false
SSDEEP:	12:TMHdNMNx0nW4nWimI002EtM3MHdNMNx0nW4nWimI00ONxEtMb:2d6Nx0zSZHKd6Nx0zSZ7Vb
MD5:	EC5CDFA47290C86B0363DDC06FD06477
SHA1:	CF4409FD811EE7EDF04F266B53637E3CBFA5A869
SHA-256:	E7B256AA490BF17B503F4DF7819327CC9CA205F3EA6AFE6AAC9C89CA8EA3FB13
SHA-512:	2B7F00E19F04DD00BFFFCB26098189C5BA19FBBEFFFB3354430BEA72429D5273D0502DFA2CA45BEB55DD17CDF108BAA7C3A23469AF9364D3A36B6FA4FD5CEF08
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0x6f180feb,0x01d7332b</date><accdate>0x6f180feb,0x01d7332b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0x6f180feb,0x01d7332b</date><accdate>0x6f180feb,0x01d7332b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Reddit.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	657
Entropy (8bit):	5.118231030921768
Encrypted:	false
SSDEEP:	12:TMHdNMNxxW4nWimI002EtM3MHdNMNxxW4nWimI00ON6Kq5EtMb:2d6NxlSZHKd6NxlSZ7ub
MD5:	8705AF54FBFCF5BB28B8D53E86F6CA09
SHA1:	47E0800F73659A6CABA32274B1F934B4A80F4291
SHA-256:	9B5C4BC006FEA9E5A092DB2008285A5DC34BAE340272A9E8C0CB262B6E541BEF
SHA-512:	204D39670C73BCF8AD6DD25EFDECE03C73401BBD0F81B3A35332002E0D281E2BB5CD645413336DFC4FEEE6A6236F6BE782C549BD3E119A5F0E890078420AD57F
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0x6f180feb,0x01d7332b</date><accdate>0x6f180feb,0x01d7332b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0x6f180feb,0x01d7332b</date><accdate>0x6f180feb,0x01d7332b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\NYTimes.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	660
Entropy (8bit):	5.101728356064849
Encrypted:	false
SSDEEP:	12:TMHdNMNxcW4nWimI002EtM3MHdNMNxcW4nWimI00ONVEtMb:2d6NxOSZHKd6NxOSZ71b
MD5:	DB1B382B2662B6A06635DA2C31ACF5C0
SHA1:	E46DE5C7AE0688C90B25273236DDC604504C1AE3
SHA-256:	463F1ED9F05BF586A836DE80C8755932C321DDADAB9D5289695EDE470340219B
SHA-512:	EF3668CF88B45AAC775B7F5A370F3F14AA22699BDA8754C4C22BD752B50FA020C29CE30BA62255C00FA123E3AE2530BFA57D09441497EF1CFDD777B58CC24F91
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x6f15ad8a,0x01d7332b</date><accdate>0x6f15ad8a,0x01d7332b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x6f15ad8a,0x01d7332b</date><accdate>0x6f15ad8a,0x01d7332b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	654
Entropy (8bit):	5.087914031049422
Encrypted:	false
SSDEEP:	12:TMHdNMNxfnW4nWimI002EtM3MHdNMNxfnW4nWimI00ONe5EtMb:2d6NxbSZHKd6NxbSZ7Ejb
MD5:	2ABF8DDC1C67C5587CB7EE23383F46C0
SHA1:	70AB83FFC6FFF348D15CAE90E66AB6ABBFE3364A
SHA-256:	6B1DC856F28CA70DFA10972DB7CF81A4F8AFAD7F1C73BE55347C6A0F01338FA9
SHA-512:	E550A7FB5A65C2E1BB40898C2B16AC61158D6DFACC5ADAE2E578C7F0699962C8BCD4A1B378AD71470522C6F267042A3BA5B3769B7E227512374E40BB7DAF3FAF
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0x6f15ad8a,0x01d7332b</date><accdate>0x6f15ad8a,0x01d7332b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0x6f15ad8a,0x01d7332b</date><accdate>0x6f15ad8a,0x01d7332b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Google.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\xmltreeview[1] Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with CRLF line terminators
Category:	downloaded
Size (bytes):	17524
Entropy (8bit):	4.340063035506032
Encrypted:	false
SSDEEP:	192:wiuFhk5un5EpDdblzKaz+OJGbiIBJofNbr5/dn82/jqmo3qAi:rq25unWZd9dvJGiIBJoh387oAi
MD5:	03710426AB25AD1280E197F61249F9DE
SHA1:	F5E7A6FD42503AE4758BC36C8DD78D98EFB35047
SHA-256:	21E63F7C77896ED2B5F115957F2448E0A9E2DD738D7D487E471217421F6A93E1
SHA-512:	213CB55B8573335D1384AE704FF4267F224376056F71548660F9B2FDAA1203D8ABDDB787900AAF5D1E0AC6E5BE261F713BDBEFB67643D08E8D3672512A1AF588
Malicious:	false
Reputation:	moderate, very likely benign file
IE Cache URL:	res://mshtml.dll/xmltreeview.js
Preview:	(function()..{.. var XHTML = "http://www.w3.org/1999/xhtml";.. .. // Time slicing constants.. var LIMIT = 10; // Maximum number of nodes to process before checking time.. var DURATION = 200; // Maximum amount of time (ms) to process before unblocking UI.. var DELAY = 15; // Amount of time (ms) to unblock UI.... // Tree building state.. var iterator;.. var nextNode;.. var root;.. var rootFirstChild;.. var time;.. .. // Template References.. var attrTemplate, attrName, attrValue;.. var elmStartTemplate, elmStartName;.. var elmEndTemplate, elmEndName;.. var cdataTemplate, cdataValue;.. var commentTemplate, commentValue;.. var style; .. .. // Only invoke this script if it was injected by our parser. Test for a condition that is.. // impossible for a markup to create - two direct children of the document... var secondRootElement = document.documentElement.nextElementSibling;.. if (secondRootElement == null

C:\Users\user\AppData\Local\Temp\~DFC45588D931CEC673.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	12965
Entropy (8bit):	0.4206675811013856
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9log9low9lW4CaVogf3:kBqoIb9WVPv
MD5:	860B26E2A95CFEBF34203FF5C82A9BD2
SHA1:	EF2CEA6A6A667630B6D8F6F7EE8B05900166BA0C
SHA-256:	A5F79B030FA7149680340C861E2CD8552594F94D40739A58268B24894347F867
SHA-512:	B70870A17AEED0663F755EC4E4615408A0095A1A5DD3280CF106A38542690E96B58688204834D9B827492C2F6987C4BB679F173565C933DADED7CBEAB5DF0DEB
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFFBACEAD0A58BD79A.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	34629
Entropy (8bit):	0.42936611486861104
Encrypted:	false
SSDEEP:	48:kBqoxKwlJBlJ4ilJ7ilJBlJ7lJFlJXlJOlJKYlJKMvzcScm:kBqoxKwLBL4iL7iLBL7LFLXLOLVLh7um
MD5:	697DBE9CBC38F363DC7777022588AA82
SHA1:	61A84D5C7A61F66B56AB2E0B9605663A57013611
SHA-256:	EF246FAEC465B0120A3DCC3CEA7016F24CAEF5201D2EDA4D2442F1EE81E23A24
SHA-512:	99F9DE1EA87B9BA582D12C7E5971D5738207A2C61497EC327CF0F5B1D4E3DB89045541328E11C66F18B6B19006BF7173119A3FCC4D9BC46142A4BF7E9064231E
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	XML 1.0 document text
Entropy (8bit):	5.249063309229664
TrID:	Generic XML (ASCII) (5005/1) 100.00%
File name:	Alvin2.xml
File size:	381
MD5:	e2c3cd38d9fa9173bad4d0379180d8a1
SHA1:	9c57c956c67cfb157fab95e01ffa92b437518388
SHA256:	cddce16cabc65fa294b2ec6cf6277651f2db77d319942e53c58505532e80531a
SHA512:	285cb8c294585c7b42868e1d367f5414b99d56008c86a20455a46b3ebb2ba6418de096d226ac92fb1ac8b4706519299d585489c5e6ca2b22fdcc2f4c67f59496
SSDEEP:	6:TM3iWT1jopL6LDYrqXQ3bYBq2NYnHPT33YaRtiYhyVqp4XkY8bH62yYXihqiO2Kq:TM3ii1JPAw5qHPTzRt9pKXepGoiL1
File Content Preview:	<?xml version='1.0' encoding='utf-8' standalone='yes' ?>.<map>.<long name="S" value="2579698657" />.<string name="EI">352402098459201</string>.<string name="UTDID">XfdZvh5OLg4DAN1FgSs6tosj</string>.<string name="SI">505023407162404</string>.<long name="t2

File Icon


Icon Hash:	e4ccd4ccccd6d4d8

Network Behavior

Download Network PCAP: filtered – full

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 16, 2021 18:45:27.003997087 CEST	54302	53	192.168.2.5	8.8.8.8
Apr 16, 2021 18:45:27.084110975 CEST	53	54302	8.8.8.8	192.168.2.5
Apr 16, 2021 18:45:27.123907089 CEST	53784	53	192.168.2.5	8.8.8.8
Apr 16, 2021 18:45:27.193443060 CEST	53	53784	8.8.8.8	192.168.2.5
Apr 16, 2021 18:45:27.296859026 CEST	65307	53	192.168.2.5	8.8.8.8
Apr 16, 2021 18:45:27.314275980 CEST	64344	53	192.168.2.5	8.8.8.8
Apr 16, 2021 18:45:27.345521927 CEST	53	65307	8.8.8.8	192.168.2.5
Apr 16, 2021 18:45:27.372853994 CEST	53	64344	8.8.8.8	192.168.2.5
Apr 16, 2021 18:45:28.364448071 CEST	62060	53	192.168.2.5	8.8.8.8
Apr 16, 2021 18:45:28.423305035 CEST	53	62060	8.8.8.8	192.168.2.5
Apr 16, 2021 18:45:29.319371939 CEST	61805	53	192.168.2.5	8.8.8.8
Apr 16, 2021 18:45:29.370882988 CEST	53	61805	8.8.8.8	192.168.2.5
Apr 16, 2021 18:45:30.528007030 CEST	54795	53	192.168.2.5	8.8.8.8
Apr 16, 2021 18:45:30.576828957 CEST	53	54795	8.8.8.8	192.168.2.5
Apr 16, 2021 18:45:30.878120899 CEST	49557	53	192.168.2.5	8.8.8.8
Apr 16, 2021 18:45:30.937136889 CEST	53	49557	8.8.8.8	192.168.2.5
Apr 16, 2021 18:45:31.937319994 CEST	61733	53	192.168.2.5	8.8.8.8
Apr 16, 2021 18:45:31.988883018 CEST	53	61733	8.8.8.8	192.168.2.5
Apr 16, 2021 18:45:33.288614035 CEST	65447	53	192.168.2.5	8.8.8.8
Apr 16, 2021 18:45:33.340142012 CEST	53	65447	8.8.8.8	192.168.2.5
Apr 16, 2021 18:45:34.394736052 CEST	52441	53	192.168.2.5	8.8.8.8
Apr 16, 2021 18:45:34.455893993 CEST	53	52441	8.8.8.8	192.168.2.5
Apr 16, 2021 18:45:35.208201885 CEST	62176	53	192.168.2.5	8.8.8.8
Apr 16, 2021 18:45:35.270422935 CEST	53	62176	8.8.8.8	192.168.2.5
Apr 16, 2021 18:45:37.349318027 CEST	59596	53	192.168.2.5	8.8.8.8
Apr 16, 2021 18:45:37.398360014 CEST	53	59596	8.8.8.8	192.168.2.5
Apr 16, 2021 18:45:38.300128937 CEST	65296	53	192.168.2.5	8.8.8.8
Apr 16, 2021 18:45:38.351805925 CEST	53	65296	8.8.8.8	192.168.2.5
Apr 16, 2021 18:45:46.397495985 CEST	63183	53	192.168.2.5	8.8.8.8
Apr 16, 2021 18:45:46.447633028 CEST	53	63183	8.8.8.8	192.168.2.5
Apr 16, 2021 18:45:47.518301964 CEST	60151	53	192.168.2.5	8.8.8.8
Apr 16, 2021 18:45:47.567161083 CEST	53	60151	8.8.8.8	192.168.2.5
Apr 16, 2021 18:45:53.567276955 CEST	56969	53	192.168.2.5	8.8.8.8
Apr 16, 2021 18:45:53.631599903 CEST	53	56969	8.8.8.8	192.168.2.5
Apr 16, 2021 18:45:54.924175024 CEST	55161	53	192.168.2.5	8.8.8.8
Apr 16, 2021 18:45:54.983314991 CEST	53	55161	8.8.8.8	192.168.2.5
Apr 16, 2021 18:46:05.190788031 CEST	54757	53	192.168.2.5	8.8.8.8
Apr 16, 2021 18:46:05.242422104 CEST	53	54757	8.8.8.8	192.168.2.5
Apr 16, 2021 18:46:06.198542118 CEST	54757	53	192.168.2.5	8.8.8.8
Apr 16, 2021 18:46:06.250128984 CEST	53	54757	8.8.8.8	192.168.2.5
Apr 16, 2021 18:46:06.260516882 CEST	49992	53	192.168.2.5	8.8.8.8
Apr 16, 2021 18:46:06.319612980 CEST	53	49992	8.8.8.8	192.168.2.5
Apr 16, 2021 18:46:06.805007935 CEST	60075	53	192.168.2.5	8.8.8.8
Apr 16, 2021 18:46:06.864937067 CEST	53	60075	8.8.8.8	192.168.2.5
Apr 16, 2021 18:46:07.257224083 CEST	54757	53	192.168.2.5	8.8.8.8
Apr 16, 2021 18:46:07.277537107 CEST	49992	53	192.168.2.5	8.8.8.8
Apr 16, 2021 18:46:07.310343027 CEST	53	54757	8.8.8.8	192.168.2.5
Apr 16, 2021 18:46:07.327632904 CEST	53	49992	8.8.8.8	192.168.2.5
Apr 16, 2021 18:46:08.290887117 CEST	49992	53	192.168.2.5	8.8.8.8
Apr 16, 2021 18:46:08.339560032 CEST	53	49992	8.8.8.8	192.168.2.5
Apr 16, 2021 18:46:09.259527922 CEST	54757	53	192.168.2.5	8.8.8.8
Apr 16, 2021 18:46:09.311391115 CEST	53	54757	8.8.8.8	192.168.2.5
Apr 16, 2021 18:46:10.290791035 CEST	49992	53	192.168.2.5	8.8.8.8
Apr 16, 2021 18:46:10.339519978 CEST	53	49992	8.8.8.8	192.168.2.5
Apr 16, 2021 18:46:13.275501966 CEST	54757	53	192.168.2.5	8.8.8.8
Apr 16, 2021 18:46:13.327306032 CEST	53	54757	8.8.8.8	192.168.2.5
Apr 16, 2021 18:46:14.306689978 CEST	49992	53	192.168.2.5	8.8.8.8
Apr 16, 2021 18:46:14.365835905 CEST	53	49992	8.8.8.8	192.168.2.5
Apr 16, 2021 18:46:14.953933954 CEST	55016	53	192.168.2.5	8.8.8.8
Apr 16, 2021 18:46:15.014249086 CEST	53	55016	8.8.8.8	192.168.2.5
Apr 16, 2021 18:46:21.811578035 CEST	64345	53	192.168.2.5	8.8.8.8
Apr 16, 2021 18:46:21.870476007 CEST	53	64345	8.8.8.8	192.168.2.5
Apr 16, 2021 18:46:46.503160000 CEST	57128	53	192.168.2.5	8.8.8.8
Apr 16, 2021 18:46:46.553739071 CEST	53	57128	8.8.8.8	192.168.2.5
Apr 16, 2021 18:46:49.483150005 CEST	54791	53	192.168.2.5	8.8.8.8
Apr 16, 2021 18:46:49.540337086 CEST	53	54791	8.8.8.8	192.168.2.5
Apr 16, 2021 18:47:09.055783033 CEST	50463	53	192.168.2.5	8.8.8.8
Apr 16, 2021 18:47:09.117686033 CEST	53	50463	8.8.8.8	192.168.2.5
Apr 16, 2021 18:47:09.952390909 CEST	50394	53	192.168.2.5	8.8.8.8
Apr 16, 2021 18:47:10.009460926 CEST	53	50394	8.8.8.8	192.168.2.5
Apr 16, 2021 18:47:10.268024921 CEST	58530	53	192.168.2.5	8.8.8.8
Apr 16, 2021 18:47:10.332945108 CEST	53	58530	8.8.8.8	192.168.2.5
Apr 16, 2021 18:47:10.586636066 CEST	53813	53	192.168.2.5	8.8.8.8
Apr 16, 2021 18:47:10.886852026 CEST	53	53813	8.8.8.8	192.168.2.5
Apr 16, 2021 18:47:11.344201088 CEST	63732	53	192.168.2.5	8.8.8.8
Apr 16, 2021 18:47:11.403708935 CEST	53	63732	8.8.8.8	192.168.2.5
Apr 16, 2021 18:47:11.930423021 CEST	57344	53	192.168.2.5	8.8.8.8
Apr 16, 2021 18:47:11.984051943 CEST	53	57344	8.8.8.8	192.168.2.5
Apr 16, 2021 18:47:12.602488995 CEST	54450	53	192.168.2.5	8.8.8.8
Apr 16, 2021 18:47:12.651155949 CEST	53	54450	8.8.8.8	192.168.2.5
Apr 16, 2021 18:47:13.246529102 CEST	59261	53	192.168.2.5	8.8.8.8
Apr 16, 2021 18:47:13.298137903 CEST	53	59261	8.8.8.8	192.168.2.5
Apr 16, 2021 18:47:14.089862108 CEST	57151	53	192.168.2.5	8.8.8.8
Apr 16, 2021 18:47:14.148979902 CEST	53	57151	8.8.8.8	192.168.2.5
Apr 16, 2021 18:47:15.102264881 CEST	59413	53	192.168.2.5	8.8.8.8
Apr 16, 2021 18:47:15.159820080 CEST	53	59413	8.8.8.8	192.168.2.5
Apr 16, 2021 18:47:15.697483063 CEST	60516	53	192.168.2.5	8.8.8.8
Apr 16, 2021 18:47:15.754612923 CEST	53	60516	8.8.8.8	192.168.2.5
Apr 16, 2021 18:47:25.722743988 CEST	51649	53	192.168.2.5	8.8.8.8
Apr 16, 2021 18:47:25.771487951 CEST	53	51649	8.8.8.8	192.168.2.5
Apr 16, 2021 18:47:27.206918955 CEST	65086	53	192.168.2.5	8.8.8.8
Apr 16, 2021 18:47:27.267535925 CEST	53	65086	8.8.8.8	192.168.2.5

Code Manipulations

Statistics

CPU Usage

• MSOXMLED.EXE
• iexplore.exe
• iexplore.exe

Click to jump to process

Memory Usage

• MSOXMLED.EXE
• iexplore.exe
• iexplore.exe

Click to jump to process

Behavior

• MSOXMLED.EXE
• iexplore.exe
• iexplore.exe

Click to jump to process

System Behavior

Analysis Process: MSOXMLED.EXE PID: 6440 Parent PID: 5664

Function Logs

General

Start time:	18:45:33
Start date:	16/04/2021
Path:	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\MSOXMLED.EXE' /verb open 'C:\Users\user\Desktop\Alvin2.xml'
Imagebase:	0x13c0000
File size:	220872 bytes
MD5 hash:	77F586C2DB0175DD4AA085531A82C88A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

File Activities

File Opened

File Read

Show Windows behavior

Section Activities

Sections loaded by Windows

Process Activities

Process Terminated

Show Windows behavior

Thread Activities

Thread Information Set

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

Show Windows behavior

Timing Activities

Show Windows behavior

Windows UI Activities

Show Windows behavior

LPC Port Activities

Chronological Activities

Analysis Process: iexplore.exe PID: 6480 Parent PID: 6440

Function Logs

General

Start time:	18:45:34
Start date:	16/04/2021
Path:	C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' C:\Users\user\Desktop\Alvin2.xml
Imagebase:	0x7ff7942f0000
File size:	823560 bytes
MD5 hash:	6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

File Activities

Show Windows behavior

Section Activities

Sections loaded by Windows

Show Windows behavior

Registry Activities

Show Windows behavior

Mutex Activities

Show Windows behavior

Process Activities

Process Information Set

Show Windows behavior

Thread Activities

Thread Information Set

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

Language or Locale ID Queried

Show Windows behavior

Timing Activities

Show Windows behavior

Windows UI Activities

Window UI Enumerated

Show Windows behavior

Network Activities

Show Windows behavior

Object Security Activities

Show Windows behavior

LPC Port Activities

Chronological Activities

Analysis Process: iexplore.exe PID: 6536 Parent PID: 6480

Function Logs

General

Start time:	18:45:35
Start date:	16/04/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6480 CREDAT:17410 /prefetch:2
Imagebase:	0xd70000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

File Activities

Show Windows behavior

Section Activities

Sections loaded by Windows

Show Windows behavior

Registry Activities

Show Windows behavior

Mutex Activities

Show Windows behavior

Process Activities

Process Information Set

Show Windows behavior

Thread Activities

Thread Information Set

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

Show Windows behavior

Timing Activities

Show Windows behavior

Windows UI Activities

Show Windows behavior

Network Activities

Show Windows behavior

Object Security Activities

Show Windows behavior

LPC Port Activities

Chronological Activities

Disassembly

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Alvin2.xml

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Sigma Overview

Signature Overview

Compliance:

Networking:

System Summary:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

HIPS / PFW / Operating System Protection Evasion:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Network Behavior

UDP Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: MSOXMLED.EXE PID: 6440 Parent PID: 5664

General

File Activities

File Opened

File Created

File Read

File Attributes Queried

Directory Queried

Other File Operations

Volume Information Queried

Section Activities

Sections loaded by Windows

Sections loaded by Program

Registry Activities

Key Opened

Key Value Created

Key Monitored

Mutex Activities

Mutex Created

Process Activities

Process Created