General Info

File name: a1565cb5e3a92dede041005fa0600cb844f17041bcd596ab10cee62148b7aeb8.pif
Verdict: Malicious activity
Analysis date: 12/6/2018, 16:11:43
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: trojan, zbot
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: ea71dbe6410ad29740839f1892d65256
SHA1: e2bc6d6d7907a834839aa96f3c6175f314687af2
SHA256: a1565cb5e3a92dede041005fa0600cb844f17041bcd596ab10cee62148b7aeb8
SSDEEP: 12288:gGD4yVDBfzoR33+3861WscDYjHa3Vr4kDVCWN+lqavY/ZGZ0fbJlNuMoKmn4hSM/:2OWrz3RT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is, for the user's information. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration: 300 seconds
Additional time used: 240 seconds
Fakenet option: off
Heavy Evasion option: off
MITM proxy: off
Route via Tor: on
Network geolocation: off
Privacy: Public submission
Autoconfirmation of UAC: off

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (68.0.3440.106)
  • Google Update Helper (1.3.33.17)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 61.0.2 (x86 en-US) (61.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Application was injected by another process
  • windanr.exe (PID: 2156)
  • explorer.exe (PID: 236)
  • dwm.exe (PID: 2004)
Connects to CnC server
  • explorer.exe (PID: 236)
Runs injected code in another process
  • dwm.exe (PID: 2004)
  • accy.exe (PID: 3732)
Actions look like stealing of personal data
  • dwm.exe (PID: 2004)
Modifies the Internet Explorer registry keys for privacy or tracking
  • dwm.exe (PID: 2004)
Changes internet zones settings
  • dwm.exe (PID: 2004)
Changes the autorun value in the registry
  • dwm.exe (PID: 2004)
Executable content was dropped or overwritten
  • WinMail.exe (PID: 1524)
  • a1565cb5e3a92dede041005fa0600cb844f17041bcd596ab10cee62148b7aeb8.pif.exe (PID: 2076)
Connects to server without host name
  • explorer.exe (PID: 236)
Creates files in the user directory
  • explorer.exe (PID: 236)
  • a1565cb5e3a92dede041005fa0600cb844f17041bcd596ab10cee62148b7aeb8.pif.exe (PID: 2076)
Application launched itself
  • a1565cb5e3a92dede041005fa0600cb844f17041bcd596ab10cee62148b7aeb8.pif.exe (PID: 3640)
  • accy.exe (PID: 3884)
Reads Internet Cache Settings
  • explorer.exe (PID: 236)
  • WinMail.exe (PID: 1524)
Reads internet explorer settings
  • WinMail.exe (PID: 1524)
Drops self deleting batch file
  • a1565cb5e3a92dede041005fa0600cb844f17041bcd596ab10cee62148b7aeb8.pif.exe (PID: 2076)
Starts itself from another location
  • a1565cb5e3a92dede041005fa0600cb844f17041bcd596ab10cee62148b7aeb8.pif.exe (PID: 2076)
Starts CMD.EXE for commands execution
  • a1565cb5e3a92dede041005fa0600cb844f17041bcd596ab10cee62148b7aeb8.pif.exe (PID: 2076)
Reads settings of System Certificates
  • explorer.exe (PID: 236)


Static information

TRiD
.exe | Win32 Executable Microsoft Visual Basic 6 (90.6%)
.exe | Win32 Executable (generic) (4.9%)
.exe | Generic Win/DOS Executable (2.2%)
.exe | DOS Executable Generic (2.2%)
EXIF
EXE
MachineType:
Intel 386 or later, and compatibles
TimeStamp:
2005:12:17 04:18:49+01:00
PEType:
PE32
LinkerVersion:
6
CodeSize:
585728
InitializedDataSize:
28672
UninitializedDataSize:
null
EntryPoint:
0x171c
OSVersion:
4
ImageVersion:
6.9
SubsystemVersion:
4
Subsystem:
Windows GUI
FileVersionNumber:
6.9.0.1
ProductVersionNumber:
6.9.0.1
FileFlagsMask:
0x0000
FileFlags:
(none)
FileOS:
Win32
ObjectFileType:
Executable application
FileSubtype:
null
LanguageCode:
English (U.S.)
CharacterSet:
Unicode
Comments:
MEDICINELAKE6
CompanyName:
HOLOCRINE2
FileDescription:
Kunggari
ProductName:
Dannye2
FileVersion:
6.09.0001
ProductVersion:
6.09.0001
InternalName:
Sparke
OriginalFileName:
Sparke.exe
Summary
Architecture:
IMAGE_FILE_MACHINE_I386
Subsystem:
IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:
17-Dec-2005 03:18:49
Detected languages
English - United States
Comments:
MEDICINELAKE6
CompanyName:
HOLOCRINE2
FileDescription:
Kunggari
ProductName:
Dannye2
FileVersion:
6.09.0001
ProductVersion:
6.09.0001
InternalName:
Sparke
OriginalFilename:
Sparke.exe
DOS Header
Magic number:
MZ
Bytes on last page of file:
0x0090
Pages in file:
0x0003
Relocations:
0x0000
Size of header:
0x0004
Min extra paragraphs:
0x0000
Max extra paragraphs:
0xFFFF
Initial SS value:
0x0000
Initial SP value:
0x00B8
Checksum:
0x0000
Initial IP value:
0x0000
Initial CS value:
0x0000
Overlay number:
0x0000
OEM identifier:
0x0000
OEM information:
0x0000
Address of NE header:
0x000000B8
PE Headers
Signature:
PE
Machine:
IMAGE_FILE_MACHINE_I386
Number of sections:
3
Time date stamp:
17-Dec-2005 03:18:49
Pointer to Symbol Table:
0x00000000
Number of symbols:
0
Size of Optional Header:
0x00E0
Characteristics
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_RELOCS_STRIPPED
Sections
Name Virtual Address Virtual Size Raw Size Characteristics Entropy
.text 0x00001000 0x0008E8F8 0x0008F000 IMAGE_SCN_CNT_CODE,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ 6.91899
.data 0x00090000 0x00000B48 0x00001000 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 0
.rsrc 0x00091000 0x00005C5A 0x00006000 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 4.41153
Resources
1, 30001, 30002, 30003, 30004, 30005, 30006, 30007, 30008, 30009, 30010, 30011, 30012, 30013, 30014
Imports
    MSVBVM60.DLL

Exports

    No exports.

Screenshots

Processes

Total processes
37
Monitored processes
9
Malicious processes
6
Suspicious processes
0

Behavior graph

(Interactive graph not reproduced; node and edge labels as extracted: start, inject, inject, inject, a1565cb5e3a92dede041005fa0600cb844f17041bcd596ab10cee62148b7aeb8.pif.exe (no specs), a1565cb5e3a92dede041005fa0600cb844f17041bcd596ab10cee62148b7aeb8.pif.exe, accy.exe (no specs), accy.exe (no specs), cmd.exe (no specs), dwm.exe, winmail.exe, explorer.exe, windanr.exe)
Specs description
Program did not start
Integrity level elevation
Task contains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has suspicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information


PID
2004
CMD
"C:\Windows\system32\Dwm.exe"
Path
C:\Windows\System32\dwm.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Desktop Window Manager
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\dwm.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\dwmredir.dll
c:\windows\system32\dwmcore.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\ole32.dll
c:\windows\system32\d3d10_1.dll
c:\windows\system32\d3d10_1core.dll
c:\windows\system32\dxgi.dll
c:\windows\system32\version.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\psapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\msxml3.dll
c:\program files\common files\system\wab32.dll
c:\windows\system32\cryptdlg.dll
c:\windows\system32\cryptui.dll
c:\windows\system32\msoert2.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\msimg32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\msftedit.dll
c:\windows\system32\propsys.dll
c:\windows\system32\msxml6.dll
c:\windows\system32\rpcrtremote.dll
c:\program files\windows mail\msoe.dll
c:\windows\system32\atl.dll
c:\windows\system32\msoeacct.dll
c:\windows\system32\inetcomm.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\esent.dll
c:\windows\system32\msidcrl30.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\inetres.dll
c:\windows\system32\acctres.dll
c:\program files\windows mail\msoeres.dll

PID
236
CMD
C:\Windows\Explorer.EXE
Path
C:\Windows\explorer.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Windows Explorer
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\winanr.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\slc.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\propsys.dll
c:\windows\system32\cryptbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\profapi.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\iconcodecservice.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\sndvolsso.dll
c:\windows\system32\hid.dll
c:\windows\system32\mmdevapi.dll
c:\windows\system32\timedate.cpl
c:\windows\system32\atl.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\actxprxy.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\userenv.dll
c:\windows\system32\shacct.dll
c:\windows\system32\samlib.dll
c:\windows\system32\samcli.dll
c:\windows\system32\netutils.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\msftedit.dll
c:\windows\system32\msls31.dll
c:\windows\system32\gameux.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\wer.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\authui.dll
c:\windows\system32\cryptui.dll
c:\windows\system32\msiltcfg.dll
c:\windows\system32\version.dll
c:\windows\system32\msi.dll
c:\windows\system32\winsta.dll
c:\windows\system32\psapi.dll
c:\windows\system32\networkexplorer.dll
c:\windows\system32\winmm.dll
c:\windows\system32\wdmaud.drv
c:\windows\system32\ksuser.dll
c:\windows\system32\avrt.dll
c:\windows\system32\audioses.dll
c:\windows\system32\msacm32.drv
c:\windows\system32\msacm32.dll
c:\windows\system32\midimap.dll
c:\windows\system32\stobject.dll
c:\windows\system32\batmeter.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\es.dll
c:\windows\system32\prnfldr.dll
c:\windows\system32\winspool.drv
c:\windows\system32\dxp.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\syncreg.dll
c:\windows\ehome\ehsso.dll
c:\windows\system32\netshell.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\alttab.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
c:\program files\filezilla ftp client\fzshellext.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\taskschd.dll
c:\windows\system32\pnidui.dll
c:\windows\system32\qutil.dll
c:\windows\system32\wevtapi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\mssprxy.dll
c:\windows\system32\npmproxy.dll
c:\windows\system32\wlanapi.dll
c:\windows\system32\wlanutil.dll
c:\windows\system32\wwanapi.dll
c:\windows\system32\wwapi.dll
c:\windows\system32\qagent.dll
c:\windows\system32\srchadmin.dll
c:\windows\system32\sxs.dll
c:\windows\system32\bthprops.cpl
c:\windows\system32\ieframe.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\synccenter.dll
c:\windows\system32\actioncenter.dll
c:\windows\system32\imapi2.dll
c:\windows\system32\hgcpl.dll
c:\windows\system32\provsvc.dll
c:\windows\system32\netprofm.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\fxsst.dll
c:\windows\system32\fxsapi.dll
c:\windows\system32\fxsresm.dll
c:\windows\system32\wscinterop.dll
c:\windows\system32\wscapi.dll
c:\windows\system32\wscui.cpl
c:\windows\system32\werconcpl.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\wercplsupport.dll
c:\windows\system32\msxml6.dll
c:\windows\system32\hcproviders.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\mpr.dll
c:\windows\system32\drprov.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\thumbcache.dll
c:\users\admin\desktop\a1565cb5e3a92dede041005fa0600cb844f17041bcd596ab10cee62148b7aeb8.pif.exe
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\devrtl.dll
c:\program files\windows sidebar\sbdrop.dll
c:\program files\common files\system\wab32res.dll
c:\windows\system32\display.dll
c:\program files\windows sidebar\sidebar.exe
c:\windows\system32\themecpl.dll
c:\program files\windows journal\journal.exe
c:\windows\system32\netapi32.dll
c:\windows\system32\wship6.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\schannel.dll
c:\windows\system32\credssp.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\gpapi.dll

PID
2156
CMD
"windanr.exe"
Path
C:\Windows\system32\windanr.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Description
Version
Modules
Image
c:\windows\system32\windanr.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winanr.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\winsanr.dll
c:\windows\system32\psapi.dll
c:\windows\system32\version.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\secur32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\samcli.dll

PID
3640
CMD
"C:\Users\admin\Desktop\a1565cb5e3a92dede041005fa0600cb844f17041bcd596ab10cee62148b7aeb8.pif.exe"
Path
C:\Users\admin\Desktop\a1565cb5e3a92dede041005fa0600cb844f17041bcd596ab10cee62148b7aeb8.pif.exe
Indicators
No indicators
Parent process
explorer.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
HOLOCRINE2
Description
Kunggari
Version
6.09.0001
Modules
Image
c:\users\admin\desktop\a1565cb5e3a92dede041005fa0600cb844f17041bcd596ab10cee62148b7aeb8.pif.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll

PID
2076
CMD
C:\Users\admin\Desktop\a1565cb5e3a92dede041005fa0600cb844f17041bcd596ab10cee62148b7aeb8.pif.exe"
Path
C:\Users\admin\Desktop\a1565cb5e3a92dede041005fa0600cb844f17041bcd596ab10cee62148b7aeb8.pif.exe
Indicators
Parent process
a1565cb5e3a92dede041005fa0600cb844f17041bcd596ab10cee62148b7aeb8.pif.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
HOLOCRINE2
Description
Kunggari
Version
6.09.0001
Modules
Image
c:\users\admin\desktop\a1565cb5e3a92dede041005fa0600cb844f17041bcd596ab10cee62148b7aeb8.pif.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\apphelp.dll
c:\users\admin\appdata\roaming\omis\accy.exe

PID
3884
CMD
"C:\Users\admin\AppData\Roaming\Omis\accy.exe"
Path
C:\Users\admin\AppData\Roaming\Omis\accy.exe
Indicators
No indicators
Parent process
a1565cb5e3a92dede041005fa0600cb844f17041bcd596ab10cee62148b7aeb8.pif.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
HOLOCRINE2
Description
Kunggari
Version
6.09.0001
Modules
Image
c:\users\admin\appdata\roaming\omis\accy.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll

PID
3732
CMD
C:\Users\admin\AppData\Roaming\Omis\accy.exe"
Path
C:\Users\admin\AppData\Roaming\Omis\accy.exe
Indicators
No indicators
Parent process
accy.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
HOLOCRINE2
Description
Kunggari
Version
6.09.0001
Modules
Image
c:\users\admin\appdata\roaming\omis\accy.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\samcli.dll

PID
1840
CMD
"C:\Windows\system32\cmd.exe" /c "C:\Users\admin\AppData\Local\Temp\tmp4128d286.bat"
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
a1565cb5e3a92dede041005fa0600cb844f17041bcd596ab10cee62148b7aeb8.pif.exe
User
admin
Integrity Level
MEDIUM
Exit code
1
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

PID
1524
CMD
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
Path
C:\Program Files\Windows Mail\WinMail.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Mail
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\program files\windows mail\winmail.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msoert2.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\program files\windows mail\msoe.dll
c:\windows\system32\atl.dll
c:\windows\system32\msoeacct.dll
c:\windows\system32\inetcomm.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\esent.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\msidcrl30.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\inetres.dll
c:\windows\system32\acctres.dll
c:\windows\system32\psapi.dll
c:\program files\windows mail\msoeres.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\mlang.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\msident.dll
c:\windows\system32\pstorec.dll
c:\program files\common files\system\wab32.dll
c:\windows\system32\cryptdlg.dll
c:\windows\system32\cryptui.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\msftedit.dll
c:\program files\common files\system\wab32res.dll
c:\windows\system32\profapi.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\version.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\userenv.dll
c:\windows\system32\gpapi.dll
c:\programdata\microsoft\identitycrl\ppcrlconfig.dll
c:\programdata\microsoft\identitycrl\ppcrlui.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\program files\filezilla ftp client\fzshellext.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\windows\system32\netutils.dll
c:\windows\system32\mssprxy.dll

Registry activity

Total events
2891
Read events
1961
Write events
930
Delete events
0

Modification events

PID | Process | Operation | Key | Name | Value
2004 | dwm.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Privacy | CleanCookies | 0
2004 | dwm.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 | 1406 | 0
2004 | dwm.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 | 1609 | 0
2004 | dwm.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | 1406 | 0
2004 | dwm.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | 1609 | 0
2004 | dwm.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | {CA6A9F13-8623-94BE-79D9-5E19FF04467F} | C:\Users\admin\AppData\Roaming\Omis\accy.exe
2004 | dwm.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Odcu | Kuviucz | 48C808DEEDBBE0452745BEE142E1AEAFC0C0F7430F93B84BD8070BD73368295E4D85458286342FBC1131BD8CFE47214D74FF42F5DF55A184F4403B1D5C573910469034353FA0ACF315E7A5B621017327174B9540F8E9C83F472765FCE9342ED872BE1847FF3D7095A9C3E150B757EED023C7672F
236 | explorer.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | LanguageList | en-US
236 | explorer.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @C:\Program Files\Common Files\System\wab32res.dll,-4602 | Contact file
236 | explorer.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @C:\Windows\System32\display.dll,-4 | S&creen resolution
236 | explorer.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @C:\Program Files\Windows Sidebar\sidebar.exe,-11100 | &Gadgets
236 | explorer.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @"C:\Program Files\Windows Journal\Journal.exe",-3072 | Journal Document
236 | explorer.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @C:\Windows\system32\themecpl.dll,-10 | Pe&rsonalize
236 | explorer.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\ShellNew | Classes | .accdb
236 | explorer.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\ShellNew | ~reserved~ | 0800000000000600
236 | explorer.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable | 0
236 | explorer.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | SavedLegacySettings | (value not preserved in this copy)
236 | explorer.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Odcu | Kuviucz | 48C808DEEDBBE0452745BEE142E1AEAFC0C0F7430F93B84BD8070BD73368295E4D85458286342FBC1131BD8CFE47214D74FF42F5DF55A184F4403B1D5C573910469034353FA0ACF315E7A5B621017327174B9540F8E9C83F472765FCE9342ED872BE1847FF3D7095A9C3E150B757EED023C7672F
236 | explorer.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Odcu | Kuviucz | 48C808DEEDBBE0452745BEE142E1AEAFC0C0F7430F93B84BD8070BD73368295E4D85458286342FBC1131BD8CFE47214D74FF3CDEDF55A184F4403B1D5C573910469034353FA0ACF315E7A5B621017327174B9540F8E9C83F472765FCE9342ED872BE1847FF3D7095A9C3E150B757EED023C7672F
2156 | windanr.exe | write | HKEY_CURRENT_USER\Control Panel\Cursors | APPSTARTING | %SystemRoot%\cursors\clearcur.cur
2156 | windanr.exe | write | HKEY_CURRENT_USER\Control Panel\Cursors | ARROW | %SystemRoot%\cursors\clearcur.cur
2156 | windanr.exe | write | HKEY_CURRENT_USER\Control Panel\Cursors | CROSS | %SystemRoot%\cursors\clearcur.cur
2156 | windanr.exe | write | HKEY_CURRENT_USER\Control Panel\Cursors | HAND | %SystemRoot%\cursors\clearcur.cur
2156 | windanr.exe | write | HKEY_CURRENT_USER\Control Panel\Cursors | HELP | %SystemRoot%\cursors\clearcur.cur
2156 | windanr.exe | write | HKEY_CURRENT_USER\Control Panel\Cursors | IBEAM | %SystemRoot%\cursors\clearcur.cur
2156 | windanr.exe | write | HKEY_CURRENT_USER\Control Panel\Cursors | NO | %SystemRoot%\cursors\clearcur.cur
2156 | windanr.exe | write | HKEY_CURRENT_USER\Control Panel\Cursors | SIZEALL | %SystemRoot%\cursors\clearcur.cur
2156 | windanr.exe | write | HKEY_CURRENT_USER\Control Panel\Cursors | SIZENESW | %SystemRoot%\cursors\clearcur.cur
2156 | windanr.exe | write | HKEY_CURRENT_USER\Control Panel\Cursors | SIZENS | %SystemRoot%\cursors\clearcur.cur
2156 | windanr.exe | write
HKEY_CURRENT_USER\Control Panel\Cursors
SIZENWSE
%SystemRoot%\cursors\clearcur.cur
2156
windanr.exe
write
HKEY_CURRENT_USER\Control Panel\Cursors
SIZEWE
%SystemRoot%\cursors\clearcur.cur
2156
windanr.exe
write
HKEY_CURRENT_USER\Control Panel\Cursors
UPARROW
%SystemRoot%\cursors\clearcur.cur
2156
windanr.exe
write
HKEY_CURRENT_USER\Control Panel\Cursors
WAIT
%SystemRoot%\cursors\clearcur.cur
2156
windanr.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Odcu
Kuviucz
48C808DEEDBBE0452745BEE142E1AEAFC0C0F7430F93B84BD8070BD73368295E4D85458286342FBC1131BD8CFE47214D74FF3CDEDF55A184F4403B1D5C573910469034353FA0ACF315E7A5B621017327174B9540F8E9C83F472765FCE9342ED872BE1847FF3D7095A9C3E150B757EED023C7672F
3732
accy.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Odcu
Kuviucz
48C808DEEDBBE0452745BEE142E1AEAFC0C0F7430F93B84BD8070BD73368295E4D85458286342FBC1131BD8CFE47214D74FF3CDEDF55A184F4403B1D5C573910469034353FA0ACF315E7A5B621017327174B9540F8E9C83F472765FCE9342ED872BE1847FF3D7095A9C3E150B757EED023C7672F
1524
WinMail.exe
write
HKEY_CURRENT_USER\Software\Microsoft\IAM\Accounts
ConnectionSettingsMigrated
1
1524
WinMail.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows Mail\Trident\Main
Move System Caret
no
1524
WinMail.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows Mail
StoreMigratedV5
1
1524
WinMail.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows Mail
Settings Upgraded
10
1524
WinMail.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows Mail\Mail
Safe Attachments
1
1524
WinMail.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows Mail\Mail
Secure Safe Attachments
1
1524
WinMail.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows Mail
Running
1
1524
WinMail.exe
write
HKEY_CURRENT_USER\Software\Microsoft\IAM
Server ID
2
1524
WinMail.exe
write
HKEY_CURRENT_USER\Identities
Identity Ordinal
2
1524
WinMail.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows Mail
LastBackup
E2070C00040006000F000E000B002003
1524
WinMail.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows Mail
V7StoreMigDone
01000000
1524
WinMail.exe
write
HKEY_CURRENT_USER\Software\Microsoft\IAM
Default News Account
account{30CE7C98-AA27-4327-91CA-78FA20FFA850}.oeaccount
1524
WinMail.exe
write
HKEY_CURRENT_USER\Software\Microsoft\WAB
NamedProps
0420060000000000C00000000000004604000000000000800E0000000100330032003800350034000000000001800E0000000100330032003800350035000000000002800E0000000100330032003800350036000000000003800E0000000100330032003800350037000000
1524
WinMail.exe
write
HKEY_CURRENT_USER\Software\Microsoft\WAB
NamedPropCount
1
1524
WinMail.exe
write
HKEY_CURRENT_USER\Software\Microsoft\WAB
NamedProps
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
1524
WinMail.exe
write
HKEY_CURRENT_USER\Software\Microsoft\WAB
NamedPropCount
2
1524
WinMail.exe
write
HKEY_CURRENT_USER\Software\Microsoft\WAB
NamedProps
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
1524
WinMail.exe
write
HKEY_CURRENT_USER\Software\Microsoft\WAB
NamedProps
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
1524
WinMail.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
1524
WinMail.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
1524
WinMail.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows Mail\Mail
Welcome Message
0
1524
WinMail.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows Mail\Junk Mail\Safe Senders List
Version
327680
1524
WinMail.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows Mail\Junk Mail\Block Senders List
Version
327680
1524
WinMail.exe
write
HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt
Value
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
1524
WinMail.exe
write
HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt
Size
330
1524
WinMail.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
LanguageList
en-US
1524
WinMail.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows Mail
SpoolerDlgPos
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF64010000790000009C03000038010000
1524
WinMail.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows Mail
SpoolerTack
0
1524
WinMail.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows Mail\Mail
Default_CodePage
28591
1524
WinMail.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows Mail
Compact Check Count
2
1524
WinMail.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows Mail
LastRun
6CFF725B768DD401
1524
WinMail.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows Mail
Running
0

Files activity

Executable files
2
Suspicious files
16
Text files
20
Unknown types
6

Dropped files

PID Process Filename Type
1524 WinMail.exe C:\Users\admin\AppData\Local\Temp\ppcrlui_1524_2 executable
2076 a1565cb5e3a92dede041005fa0600cb844f17041bcd596ab10cee62148b7aeb8.pif.exe C:\Users\admin\AppData\Roaming\Omis\accy.exe executable
1524 WinMail.exe C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\48BD0A63-00000001.eml:OECustomProperty pc1
236 explorer.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@google[2].txt text
236 explorer.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@google[1].txt text
236 explorer.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@google[2].txt text
236 explorer.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@google[1].txt text
236 explorer.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@google[2].txt text
236 explorer.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@google[1].txt text
236 explorer.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@google[2].txt text
236 explorer.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@google[1].txt text
236 explorer.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@google[2].txt text
236 explorer.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@google[1].txt text
236 explorer.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@google[2].txt text
236 explorer.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@google[1].txt text
236 explorer.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@google[2].txt text
236 explorer.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@google[1].txt text
236 explorer.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@google[1].txt text
236 explorer.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@google[2].txt text
236 explorer.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\config[1].bin ––
1524 WinMail.exe C:\Users\admin\AppData\Local\Microsoft\Windows Mail\edb.chk binary
1524 WinMail.exe C:\Users\admin\AppData\Local\Microsoft\Windows Mail\edb.log binary
1524 WinMail.exe C:\Users\admin\AppData\Local\Microsoft\Windows Mail\WindowsMail.MSMessageStore edb
1524 WinMail.exe C:\Users\admin\AppData\Local\Microsoft\Windows Mail\tmp.edb ––
236 explorer.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\webhp[1].txt ––
3640 a1565cb5e3a92dede041005fa0600cb844f17041bcd596ab10cee62148b7aeb8.pif.exe C:\Users\admin\AppData\Local\Temp\~DF9C531F164F1365E8.TMP binary
1524 WinMail.exe C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\48BD0A63-00000001.eml eml
1524 WinMail.exe C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Microsoft Communities\account{30CE7C98-AA27-4327-91CA-78FA20FFA850}.oeaccount xml
1524 WinMail.exe C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Drafts\winmail.fol binary
1524 WinMail.exe C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Junk E-mail\winmail.fol binary
1524 WinMail.exe C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Deleted Items\winmail.fol binary
1524 WinMail.exe C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\winmail.fol binary
1524 WinMail.exe C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Outbox\winmail.fol binary
1524 WinMail.exe C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Sent Items\winmail.fol binary
236 explorer.exe C:\Users\admin\AppData\Roaming\Lyarun\iqub.tmp binary
1524 WinMail.exe C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Backup\new ––
1524 WinMail.exe C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Backup\temp\WindowsMail.pat ––
1524 WinMail.exe C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Backup\temp\edb00002.log ––
1524 WinMail.exe C:\Users\admin\AppData\Local\Microsoft\Windows Mail\WindowsMail.pat dbf
1524 WinMail.exe C:\Users\admin\AppData\Local\Microsoft\Windows Mail\edbtmp.log ––
1524 WinMail.exe C:\Users\admin\AppData\Local\Microsoft\Windows Mail\edb00002.log binary
1524 WinMail.exe C:\Users\admin\AppData\Local\Microsoft\Windows Mail\edb.chk binary
1524 WinMail.exe C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Backup\temp\WindowsMail.MSMessageStore edb
1524 WinMail.exe C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Backup\old\ ––
2004 dwm.exe C:\Users\admin\AppData\Roaming\Lyarun\iqub.law binary
2004 dwm.exe C:\Users\admin\AppData\Roaming\Lyarun\iqub.law binary
2076 a1565cb5e3a92dede041005fa0600cb844f17041bcd596ab10cee62148b7aeb8.pif.exe C:\Users\admin\AppData\Local\Temp\tmp4128d286.bat text
3884 accy.exe C:\Users\admin\AppData\Local\Temp\~DFB52B1D1A2F5488C5.TMP binary
236 explorer.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@google[1].txt text
236 explorer.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@google[2].txt text


Network activity

HTTP(S) requests
31
TCP/UDP connections
41
DNS requests
1
Threats
110

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
236 explorer.exe GET 200 31.220.2.120:80 http://31.220.2.120/~chuxtr/abj/server/config.bin BZ binary malicious
236 explorer.exe POST 200 31.220.2.120:80 http://31.220.2.120/~chuxtr/abj/server/gate.php BZ binary –– –– malicious
236 explorer.exe GET 302 216.58.213.196:80 http://www.google.com/webhp US html whitelisted
236 explorer.exe POST 200 31.220.2.120:80 http://31.220.2.120/~chuxtr/abj/server/gate.php BZ binary –– –– malicious
236 explorer.exe POST 200 31.220.2.120:80 http://31.220.2.120/~chuxtr/abj/server/gate.php BZ binary –– –– malicious
236 explorer.exe GET 302 216.58.213.196:80 http://www.google.com/webhp US html whitelisted
236 explorer.exe POST 200 31.220.2.120:80 http://31.220.2.120/~chuxtr/abj/server/gate.php BZ binary –– –– malicious
236 explorer.exe POST 200 31.220.2.120:80 http://31.220.2.120/~chuxtr/abj/server/gate.php BZ binary –– –– malicious
236 explorer.exe GET 302 216.58.213.196:80 http://www.google.com/webhp US html whitelisted
236 explorer.exe POST 200 31.220.2.120:80 http://31.220.2.120/~chuxtr/abj/server/gate.php BZ binary –– –– malicious
236 explorer.exe POST 200 31.220.2.120:80 http://31.220.2.120/~chuxtr/abj/server/gate.php BZ binary –– –– malicious
236 explorer.exe GET 302 216.58.213.196:80 http://www.google.com/webhp US html whitelisted
236 explorer.exe POST 200 31.220.2.120:80 http://31.220.2.120/~chuxtr/abj/server/gate.php BZ binary –– –– malicious
236 explorer.exe POST 200 31.220.2.120:80 http://31.220.2.120/~chuxtr/abj/server/gate.php BZ binary –– –– malicious
236 explorer.exe GET 302 216.58.213.196:80 http://www.google.com/webhp US html whitelisted
236 explorer.exe POST 200 31.220.2.120:80 http://31.220.2.120/~chuxtr/abj/server/gate.php BZ binary –– –– malicious
236 explorer.exe POST 200 31.220.2.120:80 http://31.220.2.120/~chuxtr/abj/server/gate.php BZ binary –– –– malicious
236 explorer.exe GET 302 216.58.213.196:80 http://www.google.com/webhp US html whitelisted
236 explorer.exe POST 200 31.220.2.120:80 http://31.220.2.120/~chuxtr/abj/server/gate.php BZ binary –– –– malicious
236 explorer.exe POST 200 31.220.2.120:80 http://31.220.2.120/~chuxtr/abj/server/gate.php BZ binary –– –– malicious
236 explorer.exe POST 200 31.220.2.120:80 http://31.220.2.120/~chuxtr/abj/server/gate.php BZ binary –– –– malicious
236 explorer.exe GET 302 216.58.213.196:80 http://www.google.com/webhp US html whitelisted
236 explorer.exe POST 200 31.220.2.120:80 http://31.220.2.120/~chuxtr/abj/server/gate.php BZ binary –– –– malicious
236 explorer.exe POST 200 31.220.2.120:80 http://31.220.2.120/~chuxtr/abj/server/gate.php BZ binary –– –– malicious
236 explorer.exe GET 302 216.58.213.196:80 http://www.google.com/webhp US html whitelisted
236 explorer.exe POST 200 31.220.2.120:80 http://31.220.2.120/~chuxtr/abj/server/gate.php BZ binary –– –– malicious
236 explorer.exe POST 200 31.220.2.120:80 http://31.220.2.120/~chuxtr/abj/server/gate.php BZ binary –– –– malicious
236 explorer.exe GET 302 216.58.213.196:80 http://www.google.com/webhp US html whitelisted
236 explorer.exe POST 200 31.220.2.120:80 http://31.220.2.120/~chuxtr/abj/server/gate.php BZ binary –– –– malicious
236 explorer.exe GET 302 216.58.213.196:80 http://www.google.com/webhp US html whitelisted
236 explorer.exe POST 200 31.220.2.120:80 http://31.220.2.120/~chuxtr/abj/server/gate.php BZ binary –– –– malicious


Connections

PID Process IP ASN CN Reputation
236 explorer.exe 31.220.2.120:80 Amarutu Technology Ltd BZ malicious
236 explorer.exe 216.58.213.196:80 Google Inc. US whitelisted
236 explorer.exe 216.58.213.196:443 Google Inc. US whitelisted

DNS requests

Domain IP Reputation
www.google.com 216.58.213.196 whitelisted

Threats

PID Process Class Message
236 explorer.exe A Network Trojan was detected ET TROJAN Possible Zbot Activity Common Download Struct
236 explorer.exe A Network Trojan was detected ET CURRENT_EVENTS Zbot Generic URI/Header Struct .bin
236 explorer.exe A Network Trojan was detected ET TROJAN Generic .bin download from Dotted Quad
236 explorer.exe A Network Trojan was detected ET TROJAN Trojan Generic - POST To gate.php with no referer
236 explorer.exe A Network Trojan was detected ET TROJAN Zbot POST Request to C2
236 explorer.exe A Network Trojan was detected ET TROJAN Likely Zbot Generic Post to gate.php Dotted-Quad
236 explorer.exe Potentially Bad Traffic ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
236 explorer.exe A Network Trojan was detected ET TROJAN Zeus Bot GET to Google checking Internet connectivity
236 explorer.exe A Network Trojan was detected ET TROJAN Trojan Generic - POST To gate.php with no referer
236 explorer.exe A Network Trojan was detected ET TROJAN Zbot POST Request to C2
236 explorer.exe A Network Trojan was detected ET TROJAN Likely Zbot Generic Post to gate.php Dotted-Quad
236 explorer.exe Potentially Bad Traffic ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
236 explorer.exe A Network Trojan was detected ET TROJAN Generic - POST To .php w/Extended ASCII Characters (Likely Zeus Derivative)
236 explorer.exe A Network Trojan was detected ET TROJAN Trojan Generic - POST To gate.php with no referer
236 explorer.exe A Network Trojan was detected ET TROJAN Zbot POST Request to C2
236 explorer.exe A Network Trojan was detected ET TROJAN Likely Zbot Generic Post to gate.php Dotted-Quad
236 explorer.exe Potentially Bad Traffic ET TROJAN Generic -POST To gate.php w/Extended ASCII Characters (Likely Zeus Derivative)
236 explorer.exe Potentially Bad Traffic ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
236 explorer.exe A Network Trojan was detected ET TROJAN Zeus Bot GET to Google checking Internet connectivity
236 explorer.exe A Network Trojan was detected ET TROJAN Trojan Generic - POST To gate.php with no referer
236 explorer.exe A Network Trojan was detected ET TROJAN Zbot POST Request to C2
236 explorer.exe A Network Trojan was detected ET TROJAN Likely Zbot Generic Post to gate.php Dotted-Quad
236 explorer.exe Potentially Bad Traffic ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
236 explorer.exe A Network Trojan was detected ET TROJAN Generic - POST To .php w/Extended ASCII Characters (Likely Zeus Derivative)
236 explorer.exe A Network Trojan was detected ET TROJAN Trojan Generic - POST To gate.php with no referer
236 explorer.exe A Network Trojan was detected ET TROJAN Zbot POST Request to C2
236 explorer.exe A Network Trojan was detected ET TROJAN Likely Zbot Generic Post to gate.php Dotted-Quad
236 explorer.exe Potentially Bad Traffic ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
236 explorer.exe A Network Trojan was detected ET TROJAN Zeus Bot GET to Google checking Internet connectivity
236 explorer.exe A Network Trojan was detected ET TROJAN Trojan Generic - POST To gate.php with no referer
236 explorer.exe A Network Trojan was detected ET TROJAN Zbot POST Request to C2
236 explorer.exe A Network Trojan was detected ET TROJAN Likely Zbot Generic Post to gate.php Dotted-Quad
236 explorer.exe Potentially Bad Traffic ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
236 explorer.exe A Network Trojan was detected ET TROJAN Generic - POST To .php w/Extended ASCII Characters (Likely Zeus Derivative)
236 explorer.exe A Network Trojan was detected ET TROJAN Trojan Generic - POST To gate.php with no referer
236 explorer.exe A Network Trojan was detected ET TROJAN Zbot POST Request to C2
236 explorer.exe A Network Trojan was detected ET TROJAN Likely Zbot Generic Post to gate.php Dotted-Quad
236 explorer.exe Potentially Bad Traffic ET TROJAN Generic -POST To gate.php w/Extended ASCII Characters (Likely Zeus Derivative)
236 explorer.exe Potentially Bad Traffic ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
236 explorer.exe A Network Trojan was detected ET TROJAN Zeus Bot GET to Google checking Internet connectivity
236 explorer.exe A Network Trojan was detected ET TROJAN Generic - POST To .php w/Extended ASCII Characters (Likely Zeus Derivative)
236 explorer.exe A Network Trojan was detected ET TROJAN Trojan Generic - POST To gate.php with no referer
236 explorer.exe A Network Trojan was detected ET TROJAN Zbot POST Request to C2
236 explorer.exe A Network Trojan was detected ET TROJAN Likely Zbot Generic Post to gate.php Dotted-Quad
236 explorer.exe Potentially Bad Traffic ET TROJAN Generic -POST To gate.php w/Extended ASCII Characters (Likely Zeus Derivative)
236 explorer.exe Potentially Bad Traffic ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
236 explorer.exe A Network Trojan was detected ET TROJAN Trojan Generic - POST To gate.php with no referer
236 explorer.exe A Network Trojan was detected ET TROJAN Zbot POST Request to C2
236 explorer.exe A Network Trojan was detected ET TROJAN Likely Zbot Generic Post to gate.php Dotted-Quad
236 explorer.exe Potentially Bad Traffic ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
236 explorer.exe A Network Trojan was detected ET TROJAN Zeus Bot GET to Google checking Internet connectivity
236 explorer.exe A Network Trojan was detected ET TROJAN Trojan Generic - POST To gate.php with no referer
236 explorer.exe A Network Trojan was detected ET TROJAN Zbot POST Request to C2
236 explorer.exe A Network Trojan was detected ET TROJAN Likely Zbot Generic Post to gate.php Dotted-Quad
236 explorer.exe Potentially Bad Traffic ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
236 explorer.exe A Network Trojan was detected ET TROJAN Generic - POST To .php w/Extended ASCII Characters (Likely Zeus Derivative)
236 explorer.exe A Network Trojan was detected ET TROJAN Trojan Generic - POST To gate.php with no referer
236 explorer.exe A Network Trojan was detected ET TROJAN Zbot POST Request to C2
236 explorer.exe A Network Trojan was detected ET TROJAN Likely Zbot Generic Post to gate.php Dotted-Quad
236 explorer.exe Potentially Bad Traffic ET TROJAN Generic -POST To gate.php w/Extended ASCII Characters (Likely Zeus Derivative)
236 explorer.exe Potentially Bad Traffic ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
236 explorer.exe A Network Trojan was detected ET TROJAN Zeus Bot GET to Google checking Internet connectivity
236 explorer.exe A Network Trojan was detected ET TROJAN Trojan Generic - POST To gate.php with no referer
236 explorer.exe A Network Trojan was detected ET TROJAN Zbot POST Request to C2
236 explorer.exe A Network Trojan was detected ET TROJAN Likely Zbot Generic Post to gate.php Dotted-Quad
236 explorer.exe Potentially Bad Traffic ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
236 explorer.exe A Network Trojan was detected ET TROJAN Generic - POST To .php w/Extended ASCII Characters (Likely Zeus Derivative)
236 explorer.exe A Network Trojan was detected ET TROJAN Trojan Generic - POST To gate.php with no referer
236 explorer.exe A Network Trojan was detected ET TROJAN Zbot POST Request to C2
236 explorer.exe A Network Trojan was detected ET TROJAN Likely Zbot Generic Post to gate.php Dotted-Quad
236 explorer.exe Potentially Bad Traffic ET TROJAN Generic -POST To gate.php w/Extended ASCII Characters (Likely Zeus Derivative)
236 explorer.exe Potentially Bad Traffic ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
236 explorer.exe A Network Trojan was detected ET TROJAN Generic - POST To .php w/Extended ASCII Characters (Likely Zeus Derivative)
236 explorer.exe A Network Trojan was detected ET TROJAN Trojan Generic - POST To gate.php with no referer
236 explorer.exe A Network Trojan was detected ET TROJAN Zbot POST Request to C2
236 explorer.exe A Network Trojan was detected ET TROJAN Likely Zbot Generic Post to gate.php Dotted-Quad
236 explorer.exe Potentially Bad Traffic ET TROJAN Generic -POST To gate.php w/Extended ASCII Characters (Likely Zeus Derivative)
236 explorer.exe Potentially Bad Traffic ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
236 explorer.exe A Network Trojan was detected ET TROJAN Zeus Bot GET to Google checking Internet connectivity
236 explorer.exe A Network Trojan was detected ET TROJAN Trojan Generic - POST To gate.php with no referer
236 explorer.exe A Network Trojan was detected ET TROJAN Zbot POST Request to C2
236 explorer.exe A Network Trojan was detected ET TROJAN Likely Zbot Generic Post to gate.php Dotted-Quad
236 explorer.exe Potentially Bad Traffic ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
236 explorer.exe A Network Trojan was detected ET TROJAN Generic - POST To .php w/Extended ASCII Characters (Likely Zeus Derivative)
236 explorer.exe A Network Trojan was detected ET TROJAN Trojan Generic - POST To gate.php with no referer
236 explorer.exe A Network Trojan was detected ET TROJAN Zbot POST Request to C2
236 explorer.exe A Network Trojan was detected ET TROJAN Likely Zbot Generic Post to gate.php Dotted-Quad
236 explorer.exe Potentially Bad Traffic ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
236 explorer.exe A Network Trojan was detected ET TROJAN Zeus Bot GET to Google checking Internet connectivity
236 explorer.exe A Network Trojan was detected ET TROJAN Trojan Generic - POST To gate.php with no referer
236 explorer.exe A Network Trojan was detected ET TROJAN Zbot POST Request to C2
236 explorer.exe A Network Trojan was detected ET TROJAN Likely Zbot Generic Post to gate.php Dotted-Quad
236 explorer.exe Potentially Bad Traffic ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
236 explorer.exe A Network Trojan was detected ET TROJAN Generic - POST To .php w/Extended ASCII Characters (Likely Zeus Derivative)
236 explorer.exe A Network Trojan was detected ET TROJAN Trojan Generic - POST To gate.php with no referer
236 explorer.exe A Network Trojan was detected ET TROJAN Zbot POST Request to C2
236 explorer.exe A Network Trojan was detected ET TROJAN Likely Zbot Generic Post to gate.php Dotted-Quad
236 explorer.exe Potentially Bad Traffic ET TROJAN Generic -POST To gate.php w/Extended ASCII Characters (Likely Zeus Derivative)
236 explorer.exe Potentially Bad Traffic ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
236 explorer.exe A Network Trojan was detected ET TROJAN Zeus Bot GET to Google checking Internet connectivity
236 explorer.exe A Network Trojan was detected ET TROJAN Generic - POST To .php w/Extended ASCII Characters (Likely Zeus Derivative)
236 explorer.exe A Network Trojan was detected ET TROJAN Trojan Generic - POST To gate.php with no referer
236 explorer.exe A Network Trojan was detected ET TROJAN Zbot POST Request to C2
236 explorer.exe A Network Trojan was detected ET TROJAN Likely Zbot Generic Post to gate.php Dotted-Quad
236 explorer.exe Potentially Bad Traffic ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
236 explorer.exe A Network Trojan was detected ET TROJAN Zeus Bot GET to Google checking Internet connectivity
236 explorer.exe A Network Trojan was detected ET TROJAN Trojan Generic - POST To gate.php with no referer
236 explorer.exe A Network Trojan was detected ET TROJAN Zbot POST Request to C2
236 explorer.exe A Network Trojan was detected ET TROJAN Likely Zbot Generic Post to gate.php Dotted-Quad
236 explorer.exe Potentially Bad Traffic ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1

Debug output strings

No debug info.