General Info

File name

SWIFT-REIMBURSEMENT.zip

Full analysis
https://app.any.run/tasks/8a247992-1a40-4721-93d2-c6164f1aa251
Verdict
Malicious activity
Analysis date
5/15/2019, 16:16:08
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

trojan

dunihi

Indicators:

MIME:
application/zip
File info:
Zip archive data, at least v2.0 to extract
MD5

bf8e0597643b91be402b0af0fd829075

SHA1

675d9ad6f962d541a940926681b36018bd7d6b10

SHA256

8ff5f1c914adba93c92b52149f48dc47a73e5946b53b2f139a3ae53d4c3a25e2

SSDEEP

192:88aiZSTVJhEzVbM0AvOhLvDV+PdXC/7k18NAIkP:AdJhQM0xhU80P

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
240 seconds
Additional time used
180 seconds
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (73.0.3683.75)
  • Google Update Helper (1.3.33.23)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 65.0.2 (x86 en-US) (65.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

DUNIHI was detected
  • wscript.exe (PID: 664)
Writes to a start menu file
  • wscript.exe (PID: 664)
  • WScript.exe (PID: 3708)
Changes the autorun value in the registry
  • WScript.exe (PID: 3708)
  • wscript.exe (PID: 664)
Connects to CnC server
  • wscript.exe (PID: 664)
Creates files in the user directory
  • notepad++.exe (PID: 3692)
  • WScript.exe (PID: 3708)
Executes scripts
  • WScript.exe (PID: 3708)
Executable content was dropped or overwritten
  • gup.exe (PID: 2772)
Application launched itself
  • WScript.exe (PID: 3708)

No info indicators.

Static information

TRiD
.zip: ZIP compressed archive (100%)
EXIF
ZIP
ZipRequiredVersion:
20
ZipBitFlag:
null
ZipCompression:
Deflated
ZipModifyDate:
2019:05:13 13:52:29
ZipCRC:
0x153d2866
ZipCompressedSize:
8692
ZipUncompressedSize:
44119
ZipFileName:
SWIFT-REIMBURSEMENT.vbs

Processes

Total processes
39
Monitored processes
5
Malicious processes
2
Suspicious processes
0

Behavior graph

start winrar.exe no specs wscript.exe #DUNIHI wscript.exe notepad++.exe gup.exe

Process information

PID
2944
CMD
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\SWIFT-REIMBURSEMENT.zip"
Path
C:\Program Files\WinRAR\WinRAR.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Alexander Roshal
Description
WinRAR archiver
Version
5.60.0
Modules
Image
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\uxtheme.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\riched20.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll
c:\windows\system32\mpr.dll
c:\windows\system32\drprov.dll
c:\windows\system32\winsta.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\netutils.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\winmm.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\audiodev.dll
c:\windows\system32\wmvcore.dll
c:\windows\system32\wmasf.dll
c:\windows\system32\ehstorapi.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\profapi.dll
c:\windows\system32\wshext.dll
c:\windows\system32\wscript.exe
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll

PID
3708
CMD
"C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\SWIFT-REIMBURSEMENT.vbs"
Path
C:\Windows\System32\WScript.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft ® Windows Based Script Host
Version
5.8.7600.16385
Modules
Image
c:\windows\system32\wscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\vbscript.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\msisip.dll
c:\windows\system32\wshext.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\scrobj.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\rpcrtremote.dll
c:\program files\common files\system\ado\msado15.dll
c:\windows\system32\msdart.dll
c:\windows\system32\mlang.dll
c:\windows\system32\wshom.ocx
c:\windows\system32\mpr.dll
c:\windows\system32\scrrun.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\sspicli.dll

PID
664
CMD
"C:\Windows\System32\wscript.exe" //B "C:\Users\admin\AppData\Local\Temp\SWIFT-REIMBURSEMENT.vbs"
Path
C:\Windows\System32\wscript.exe
Indicators
Parent process
WScript.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Microsoft ® Windows Based Script Host
Version
5.8.7600.16385
Modules
Image
c:\windows\system32\wscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\vbscript.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\msisip.dll
c:\windows\system32\wshext.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\scrobj.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\rpcrtremote.dll
c:\program files\common files\system\ado\msado15.dll
c:\windows\system32\msdart.dll
c:\windows\system32\mlang.dll
c:\windows\system32\wshom.ocx
c:\windows\system32\mpr.dll
c:\windows\system32\scrrun.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\wininet.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\wbem\wbemdisp.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\normaliz.dll

PID
3692
CMD
"C:\Program Files\Notepad++\notepad++.exe" "C:\Users\admin\Desktop\SWIFT-REIMBURSEMENT.vbs"
Path
C:\Program Files\Notepad++\notepad++.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Don HO [email protected]
Description
Notepad++ : a free (GNU) source code editor
Version
7.51
Modules
Image
c:\program files\notepad++\notepad++.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ole32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\program files\notepad++\scilexer.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\profapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\apphelp.dll
c:\program files\notepad++\updater\gup.exe
c:\windows\system32\windowscodecs.dll
c:\program files\notepad++\plugins\mimetools.dll
c:\program files\notepad++\plugins\nppconverter.dll
c:\program files\notepad++\plugins\nppexport.dll

PID
2772
CMD
"C:\Program Files\Notepad++\updater\gup.exe" -v7.51
Path
C:\Program Files\Notepad++\updater\gup.exe
Indicators
Parent process
notepad++.exe
User
admin
Integrity Level
MEDIUM
Exit code
4294967295
Version:
Company
Don HO [email protected]
Description
GUP : a free (LGPL) Generic Updater
Version
4.1
Modules
Image
c:\program files\notepad++\updater\gup.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\notepad++\updater\libcurl.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\normaliz.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wship6.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\credssp.dll
c:\windows\system32\schannel.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\ole32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\oleaut32.dll

Registry activity

Total events
828
Read events
717
Write events
111
Delete events
0

Modification events

PID | Process | Operation | Key | Name | Value
2944 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtBMP |
2944 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtIcon |
2944 | WinRAR.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | LanguageList | en-US
2944 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 0 | C:\Users\admin\AppData\Local\Temp\SWIFT-REIMBURSEMENT.zip
2944 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | name | 120
2944 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | size | 80
2944 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | type | 120
2944 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | mtime | 100
2944 | WinRAR.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @C:\Windows\System32\wshext.dll,-4802 | VBScript Script File
2944 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\DialogEditHistory\ExtrPath | 0 | C:\Users\admin\Desktop
3708 | WScript.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\SWIFT-REIMBURSEMENT | false - 5/15/2019 |
3708 | WScript.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | SWIFT-REIMBURSEMENT | wscript.exe //B "C:\Users\admin\AppData\Local\Temp\SWIFT-REIMBURSEMENT.vbs"
3708 | WScript.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | SWIFT-REIMBURSEMENT | wscript.exe //B "C:\Users\admin\AppData\Local\Temp\SWIFT-REIMBURSEMENT.vbs"
3708 | WScript.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0
3708 | WScript.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1
664 | wscript.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | SWIFT-REIMBURSEMENT | wscript.exe //B "C:\Users\admin\AppData\Local\Temp\SWIFT-REIMBURSEMENT.vbs"
664 | wscript.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | SWIFT-REIMBURSEMENT | wscript.exe //B "C:\Users\admin\AppData\Local\Temp\SWIFT-REIMBURSEMENT.vbs"
664 | wscript.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wscript_RASAPI32 | EnableFileTracing | 0
664 | wscript.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wscript_RASAPI32 | EnableConsoleTracing | 0
664 | wscript.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wscript_RASAPI32 | FileTracingMask | 4294901760
664 | wscript.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wscript_RASAPI32 | ConsoleTracingMask | 4294901760
664 | wscript.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wscript_RASAPI32 | MaxFileSize | 1048576
664 | wscript.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wscript_RASAPI32 | FileDirectory | %windir%\tracing
664 | wscript.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wscript_RASMANCS | EnableFileTracing | 0
664 | wscript.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wscript_RASMANCS | EnableConsoleTracing | 0
664 | wscript.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wscript_RASMANCS | FileTracingMask | 4294901760
664 | wscript.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wscript_RASMANCS | ConsoleTracingMask | 4294901760
664 | wscript.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wscript_RASMANCS | MaxFileSize | 1048576
664 | wscript.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wscript_RASMANCS | FileDirectory | %windir%\tracing
664 | wscript.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable | 0
664 | wscript.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | SavedLegacySettings | 460000006E000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
664 | wscript.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0
664 | wscript.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1
3692 | notepad++.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | LanguageList | en-US
3692 | notepad++.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0
3692 | notepad++.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1

Files activity

Executable files
1
Suspicious files
0
Text files
11
Unknown types
0

Dropped files

PID | Process | Filename | Type
2772 | gup.exe | C:\Users\admin\AppData\Local\Temp\npp.7.6.6.Installer.exe | executable
    MD5: cde816b7333cb047c991a85cecc410dc  SHA256: 7520561f13b97dc1b8df64626f46c3a1b8ac7d2cbb725165cc9823c03ea69cff
2944 | WinRAR.exe | C:\Users\admin\Desktop\SWIFT-REIMBURSEMENT.vbs | text
    MD5: 029d32fa882f018f7beff16b4df497ec  SHA256: 658694505b659cc94819bdfe753748cb5c99ed7fac8c7e6d6c012f8754ae014c
3692 | notepad++.exe | C:\Users\admin\AppData\Roaming\Notepad++\config.xml | xml
    MD5: 18dcaf9edcef5ed84750cfbbc634581d  SHA256: f3c4ee9271dfd9e565ce74fc1006df00768da53c0d6c227f9c0014f81e03f15f
3692 | notepad++.exe | C:\Users\admin\AppData\Roaming\Notepad++\plugins\Config\converter.ini | text
    MD5: f70f579156c93b097e656caba577a5c9  SHA256: b926498a19ca95dc28964b7336e5847107dd3c0f52c85195c135d9dd6ca402d4
3692 | notepad++.exe | C:\Users\admin\AppData\Roaming\Notepad++\shortcuts.xml | text
    MD5: ad21a64014891793dd9b21d835278f36  SHA256: c24699c9d00abdd510140fe1b2ace97bfc70d8b21bf3462ded85afc4f73fe52f
3692 | notepad++.exe | C:\Users\admin\AppData\Roaming\Notepad++\stylers.xml | xml
    MD5: 44982e1d48434c0ab3e8277e322dd1e4  SHA256: 3e661d3f1ff3977b022a0acc26b840b5e57d600bc03dcfc6befdb408c665904c
3692 | notepad++.exe | C:\Users\admin\AppData\Roaming\Notepad++\langs.xml | xml
    MD5: e792264bec29005b9044a435fba185ab  SHA256: 5298fd2f119c43d04f6cf831f379ec25b4156192278e40e458ec356f9b49d624
664 | wscript.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SWIFT-REIMBURSEMENT.vbs | text
    MD5: 029d32fa882f018f7beff16b4df497ec  SHA256: 658694505b659cc94819bdfe753748cb5c99ed7fac8c7e6d6c012f8754ae014c
3708 | WScript.exe | C:\Users\admin\AppData\Local\Temp\SWIFT-REIMBURSEMENT.vbs | text
    MD5: 029d32fa882f018f7beff16b4df497ec  SHA256: 658694505b659cc94819bdfe753748cb5c99ed7fac8c7e6d6c012f8754ae014c
3708 | WScript.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SWIFT-REIMBURSEMENT.vbs | text
    MD5: 029d32fa882f018f7beff16b4df497ec  SHA256: 658694505b659cc94819bdfe753748cb5c99ed7fac8c7e6d6c012f8754ae014c
3692 | notepad++.exe | C:\Users\admin\AppData\Roaming\Notepad++\session.xml | text
    MD5: 47e2ac4b7b928cdd77353c6d231c63a3  SHA256: d327f4e44d1a60a4b721fddc294b75636f1678ae6b86b74072e670093edc807f

Network activity

HTTP(S) requests
31
TCP/UDP connections
32
DNS requests
2
Threats
90

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
664 wscript.exe POST 200 178.239.21.184:3578 http://178.239.21.184:3578/is-ready BA text malicious
664 wscript.exe POST 200 178.239.21.184:3578 http://178.239.21.184:3578/is-ready BA text malicious
664 wscript.exe POST 200 178.239.21.184:3578 http://178.239.21.184:3578/is-ready BA text malicious
664 wscript.exe POST 200 178.239.21.184:3578 http://178.239.21.184:3578/is-ready BA text malicious
664 wscript.exe POST 200 178.239.21.184:3578 http://178.239.21.184:3578/is-ready BA text malicious
664 wscript.exe POST 200 178.239.21.184:3578 http://178.239.21.184:3578/is-ready BA text malicious
664 wscript.exe POST 200 178.239.21.184:3578 http://178.239.21.184:3578/is-ready BA text malicious
664 wscript.exe POST 200 178.239.21.184:3578 http://178.239.21.184:3578/is-ready BA text malicious
664 wscript.exe POST 200 178.239.21.184:3578 http://178.239.21.184:3578/is-ready BA text malicious
664 wscript.exe POST 200 178.239.21.184:3578 http://178.239.21.184:3578/is-ready BA text malicious
664 wscript.exe POST 200 178.239.21.184:3578 http://178.239.21.184:3578/is-ready BA text malicious
664 wscript.exe POST 200 178.239.21.184:3578 http://178.239.21.184:3578/is-ready BA text malicious
664 wscript.exe POST 200 178.239.21.184:3578 http://178.239.21.184:3578/is-ready BA text malicious
664 wscript.exe POST 200 178.239.21.184:3578 http://178.239.21.184:3578/is-ready BA text malicious
664 wscript.exe POST 200 178.239.21.184:3578 http://178.239.21.184:3578/is-ready BA text malicious
664 wscript.exe POST 200 178.239.21.184:3578 http://178.239.21.184:3578/is-ready BA text malicious
664 wscript.exe POST 200 178.239.21.184:3578 http://178.239.21.184:3578/is-ready BA text malicious
664 wscript.exe POST 200 178.239.21.184:3578 http://178.239.21.184:3578/is-ready BA text malicious
–– –– GET 200 72.247.178.16:80 http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D NL der whitelisted
664 wscript.exe POST 200 178.239.21.184:3578 http://178.239.21.184:3578/is-ready BA text malicious
664 wscript.exe POST 200 178.239.21.184:3578 http://178.239.21.184:3578/is-ready BA text malicious
664 wscript.exe POST 200 178.239.21.184:3578 http://178.239.21.184:3578/is-ready BA text malicious
664 wscript.exe POST 200 178.239.21.184:3578 http://178.239.21.184:3578/is-ready BA text malicious
664 wscript.exe POST 200 178.239.21.184:3578 http://178.239.21.184:3578/is-ready BA text malicious
664 wscript.exe POST 200 178.239.21.184:3578 http://178.239.21.184:3578/is-ready BA text malicious
664 wscript.exe POST 200 178.239.21.184:3578 http://178.239.21.184:3578/is-ready BA text malicious
664 wscript.exe POST 200 178.239.21.184:3578 http://178.239.21.184:3578/is-ready BA text malicious
664 wscript.exe POST 200 178.239.21.184:3578 http://178.239.21.184:3578/is-ready BA text malicious
664 wscript.exe POST 200 178.239.21.184:3578 http://178.239.21.184:3578/is-ready BA text malicious
664 wscript.exe POST 200 178.239.21.184:3578 http://178.239.21.184:3578/is-ready BA text malicious
–– –– POST –– 178.239.21.184:3578 http://178.239.21.184:3578/is-ready BA –– –– malicious

Connections

PID Process IP ASN CN Reputation
664 wscript.exe 178.239.21.184:3578 Telekomunikacije Republike Srpske akcionarsko drustvo Banja Luka BA malicious
2772 gup.exe 37.59.28.236:443 OVH SAS FR whitelisted
–– –– 72.247.178.16:80 Akamai International B.V. NL whitelisted

DNS requests

Domain IP Reputation
notepad-plus-plus.org 37.59.28.236 whitelisted
isrg.trustid.ocsp.identrust.com 72.247.178.16, 72.247.178.41 whitelisted

Threats

PID Process Class Message
664 wscript.exe A Network Trojan was detected ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
664 wscript.exe A Network Trojan was detected ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin UA
664 wscript.exe A Network Trojan was detected MALWARE [PTsecurity] Dunihi VBS.Downloader.Trojan
664 wscript.exe A Network Trojan was detected ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
664 wscript.exe A Network Trojan was detected ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin UA
664 wscript.exe A Network Trojan was detected MALWARE [PTsecurity] Dunihi VBS.Downloader.Trojan
664 wscript.exe A Network Trojan was detected ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
664 wscript.exe A Network Trojan was detected ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin UA
–– –– A Network Trojan was detected ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
–– –– A Network Trojan was detected ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin UA
–– –– A Network Trojan was detected MALWARE [PTsecurity] Dunihi VBS.Downloader.Trojan

Debug output strings

Process Message
notepad++.exe 42C4C5846BB675C74E2B2C90C69AB44366401093