Malware analysis snapshot64.exe Malicious activity | ANY.RUN

Add for printing

File name:	snapshot64.exe
Full analysis:	https://app.any.run/tasks/56c08215-f96f-4af0-accc-d2f917f63163
Verdict:	Malicious activity
Analysis date:	July 18, 2024, 19:43:38
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	upx
Indicators:
MIME:	application/x-dosexec
File info:	PE32+ executable (console) x86-64, for MS Windows
MD5:	9061C9227887E9CD12BBD35DB49848D7
SHA1:	88EE20E8881E353C1828F3670BFE21E60D5FF421
SHA256:	AD605D0BD010BE65340D5BCDF7BB372C5305ADED6588B4FCE53EB29ED6B070EF
SSDEEP:	49152:X1gY7EsRrIo829CXOIh+xj9pZSVRo8duto0yAEltqtZDnFc0LZp3mhSDNynWCSXP:l8wrIo1A+Q29pZGRo8dc7ynqtZDnFc03

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 180 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 120 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - snapshot64.exe (PID: 5608)
- Creates a writable file in the system directory
  - OfficeClickToRun.exe (PID: 5464)
- The DLL Hijacking
  - OfficeClickToRun.exe (PID: 5464)
- Scans artifacts that could help determine the target
  - OfficeClickToRun.exe (PID: 5464)
SUSPICIOUS
- Executes as Windows Service
  - OfficeClickToRun.exe (PID: 5464)
- Checks Windows Trust Settings
  - OfficeClickToRun.exe (PID: 5464)
INFO
- UPX packer has been detected
  - snapshot64.exe (PID: 5608)
  - snapshot64.exe (PID: 2828)
  - snapshot64.exe (PID: 3328)
  - snapshot64.exe (PID: 7480)
- Reads the machine GUID from the registry
  - snapshot64.exe (PID: 5608)
  - snapshot64.exe (PID: 2828)
  - snapshot64.exe (PID: 3328)
  - OfficeClickToRun.exe (PID: 5464)
  - snapshot64.exe (PID: 7480)
- Reads the computer name
  - snapshot64.exe (PID: 5608)
  - snapshot64.exe (PID: 2828)
  - snapshot64.exe (PID: 3328)
  - OfficeClickToRun.exe (PID: 5464)
  - snapshot64.exe (PID: 7480)
- Checks supported languages
  - snapshot64.exe (PID: 5608)
  - snapshot64.exe (PID: 2828)
  - snapshot64.exe (PID: 3328)
  - snapshot64.exe (PID: 7480)
  - OfficeClickToRun.exe (PID: 5464)
- Manual execution by a user
  - snapshot64.exe (PID: 2828)
  - snapshot64.exe (PID: 6800)
  - snapshot64.exe (PID: 3328)
  - mspaint.exe (PID: 6980)
  - WINWORD.EXE (PID: 7028)
  - snapshot64.exe (PID: 7416)
  - snapshot64.exe (PID: 7480)
- Reads Microsoft Office registry keys
  - OfficeClickToRun.exe (PID: 5464)
- Process checks computer location settings
  - OfficeClickToRun.exe (PID: 5464)
- Checks proxy server information
  - OfficeClickToRun.exe (PID: 5464)
- Reads the software policy settings
  - OfficeClickToRun.exe (PID: 5464)
- Reads CPU info
  - OfficeClickToRun.exe (PID: 5464)
- Reads Environment values
  - OfficeClickToRun.exe (PID: 5464)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	UPX compressed Win32 Executable (87.1)
.exe	\|	Generic Win/DOS Executable (6.4)
.exe	\|	DOS Executable Generic (6.4)

EXIF

EXE

MachineType:	AMD AMD64
TimeStamp:	2024:06:10 07:26:51+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.16
CodeSize:	1380352
InitializedDataSize:	16384
UninitializedDataSize:	3289088
EntryPoint:	0x4735d0
OSVersion:	5.2
ImageVersion:	-
SubsystemVersion:	5.2
Subsystem:	Windows command line
FileVersionNumber:	1.50.0.1436
ProductVersionNumber:	1.50.0.1436
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Windows, Latin1
CompanyName:	Tom Ehlert Software
FileDescription:	Drive Snapshot - Diskimaging for WindowsNT
FileVersion:	1.501436
InternalName:	Snapshot
LegalCopyright:	Copyright © 2001-2024 by tom ehlert
LegalTrademarks:	Drive Snapshot is a trademark of Tom Ehlert
OriginalFileName:	snapshot.exe
ProductName:	Drive Snapshot for WindowsNT
ProductVersion:	1.501436

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

148

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

2080

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

snapshot64.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2356

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

snapshot64.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2828

"C:\Users\admin\Desktop\snapshot64.exe"

C:\Users\admin\Desktop\snapshot64.exe

explorer.exe

User:

admin

Company:

Tom Ehlert Software

Integrity Level:

HIGH

Description:

Drive Snapshot - Diskimaging for WindowsNT

Exit code:

3221225786

Version:

1.501436

Modules

Images
c:\users\admin\desktop\snapshot64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

3328

"C:\Users\admin\Desktop\snapshot64.exe"

C:\Users\admin\Desktop\snapshot64.exe

explorer.exe

User:

admin

Company:

Tom Ehlert Software

Integrity Level:

HIGH

Description:

Drive Snapshot - Diskimaging for WindowsNT

Exit code:

3221225786

Version:

1.501436

Modules

Images
c:\users\admin\desktop\snapshot64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

3672

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

snapshot64.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

5016

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

snapshot64.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

5464

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe

services.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Microsoft Office Click-to-Run (SxS)

Version:

16.0.16026.20140

Modules

Images
c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\gdi32.dll

5608

"C:\Users\admin\Desktop\snapshot64.exe"

C:\Users\admin\Desktop\snapshot64.exe

explorer.exe

User:

admin

Company:

Tom Ehlert Software

Integrity Level:

HIGH

Description:

Drive Snapshot - Diskimaging for WindowsNT

Exit code:

3221225786

Version:

1.501436

Modules

Images
c:\users\admin\desktop\snapshot64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

6136

"C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe" "A7B8366D-5710-4DBA-8BB3-FFB4363129FE" "1C3C7FF5-2D1D-47EA-AAED-0C65BDFB631A" "7028"

C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe

—

WINWORD.EXE

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Artificial Intelligence (AI) Host for the Microsoft® Windows® Operating System and Platform x64.

Exit code:

Version:

0.12.2.0

Modules

Images
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\ai.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files\common files\microsoft shared\clicktorun\appvisvsubsystems64.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

6800

"C:\Users\admin\Desktop\snapshot64.exe"

C:\Users\admin\Desktop\snapshot64.exe

—

explorer.exe

User:

admin

Company:

Tom Ehlert Software

Integrity Level:

MEDIUM

Description:

Drive Snapshot - Diskimaging for WindowsNT

Exit code:

3221226540

Version:

1.501436

Modules

Images
c:\users\admin\desktop\snapshot64.exe
c:\windows\system32\ntdll.dll

Add for printing

Total events

20 680

Read events

20 151

Write events

494

Delete events

Modification events


(PID) Process:	(6980) mspaint.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Paint\View
Operation:	write	Name:	WindowPlacement
Value: 2C00000000000000010000000000000000000000FFFFFFFFFFFFFFFF7F000000470000007F04000087020000
(PID) Process:	(6980) mspaint.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Paint\View
Operation:	write	Name:	ShowThumbnail
Value: 0
(PID) Process:	(6980) mspaint.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Paint\View
Operation:	write	Name:	BMPWidth
Value: 0
(PID) Process:	(6980) mspaint.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Paint\View
Operation:	write	Name:	BMPHeight
Value: 0
(PID) Process:	(6980) mspaint.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Paint\View
Operation:	write	Name:	ThumbXPos
Value: 0
(PID) Process:	(6980) mspaint.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Paint\View
Operation:	write	Name:	ThumbYPos
Value: 0
(PID) Process:	(6980) mspaint.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Paint\View
Operation:	write	Name:	ThumbWidth
Value: 0
(PID) Process:	(6980) mspaint.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Paint\View
Operation:	write	Name:	ThumbHeight
Value: 0
(PID) Process:	(6980) mspaint.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Paint\View
Operation:	write	Name:	UnitSetting
Value: 0
(PID) Process:	(6980) mspaint.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Paint\View
Operation:	write	Name:	ShowRulers
Value: 0

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
7028	WINWORD.EXE	C:\Users\admin\Desktop\~$thmailing.rtf		binary
		MD5:274896FCA325EC396CB2A476F4FE10A6	SHA256:64CB58666911497224BA3E8201B71A6002F76A49C8F32170D1FF38090984E9C0
7028	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres		binary
		MD5:E6CC0340368AC4852BD4087A4EFABFF6	SHA256:EDB43BDC208B5EC6A48454CBE33123266EC66B8D79C4E6D2AFAD3CA9728D19C2
7028	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\1803E618-5061-4081-A4E5-09CB582F86AF		xml
		MD5:7F070818EC259F253EDEFDF5E7B12B15	SHA256:FAC9E09682510FEB645C4812F05F934888240C01CC989FA901AAD5E123F5B15C
7028	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\56a61aeb75d8f5be186c26607f4bb213abe7c5ec.tbres		binary
		MD5:1264AC1307996EB3ACBECE433E37D272	SHA256:428C83B7207DBB0A8184B1A52E22776408DC2BD3B65F278203FFAE3D6432D84A
7028	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\5475cb191e478c39370a215b2da98a37e9dc813d.tbres		binary
		MD5:093DAA34FD98E3D9EDD3668976583D12	SHA256:E51BA33A9379351805F5BB4BE1508B8FC19F9FDD8C266F3B2318AE55223124F1
7028	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Office\16.0\Personalization\Governance\Anonymous\floodgatecampaigns.json.tmp		binary
		MD5:52D405A38E67AB710C278D22F64E6333	SHA256:3D3E9A8E479FEFF5CC5275C3EDCBA410E446AE828F70E4AF8DDD468542474797
7028	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{32177479-59FD-4C10-91FD-94FBBC303B4A}.tmp		binary
		MD5:830FBF83999E052538EAF156AB6ECB17	SHA256:D5098A2CEAE815DB29CD53C76F85240C95DC4D2E3FEDDD71D628617064C29869
5464	OfficeClickToRun.exe	C:\WINDOWS\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187		der
		MD5:8925188261F81A3D7E78678C7042D282	SHA256:AF3203DDDE5EA800D4BD98F895BC0E5B33FBBDB23B6ED93B1A93192EB752C1E4
7028	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Office\16.0\Personalization\Governance\Anonymous\floodgatecampaigns.json		binary
		MD5:52D405A38E67AB710C278D22F64E6333	SHA256:3D3E9A8E479FEFF5CC5275C3EDCBA410E446AE828F70E4AF8DDD468542474797
7028	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Office\16.0\UsageMetricsStore\FileActivityStoreV3\Word\ASkwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDBfTnVsbAA.S		binary
		MD5:7EFDC2D6307AA992B96F576B53A4FD2A	SHA256:2D28432C6BA936CB641D4B023A61287BCAC6C96B69FDA53338FADC1C0F2DDA3F

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
7028	WINWORD.EXE	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA77flR%2B3w%2FxBpruV2lte6A%3D	unknown	—	—	whitelisted
5464	OfficeClickToRun.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D	unknown	—	—	whitelisted
7028	WINWORD.EXE	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
3616	backgroundTaskHost.exe	20.223.35.26:443	arc.msn.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
4716	svchost.exe	40.126.32.134:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
7856	svchost.exe	4.209.32.67:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
4	System	192.168.100.255:138	—	—	—	whitelisted
4032	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
3616	backgroundTaskHost.exe	20.223.36.55:443	fd.api.iris.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
2760	svchost.exe	40.113.110.67:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
3404	slui.exe	40.91.76.224:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4716	svchost.exe	20.190.160.14:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	unknown

DNS requests

Domain	IP	Reputation
arc.msn.com	20.223.35.26	whitelisted
login.live.com	40.126.32.134 20.190.160.14 40.126.32.138 20.190.160.17 40.126.32.136 20.190.160.22 40.126.32.76 40.126.32.68	whitelisted
google.com	142.250.185.142	whitelisted
fd.api.iris.microsoft.com	20.223.36.55	whitelisted
activation-v2.sls.microsoft.com	40.91.76.224	whitelisted
www.bing.com	2.23.209.135 2.23.209.189 2.23.209.187 2.23.209.149 2.23.209.141 2.23.209.130 2.23.209.185 2.23.209.144 2.23.209.133	whitelisted
officeclient.microsoft.com	52.109.32.97	whitelisted
ecs.office.com	52.113.194.132	whitelisted
roaming.officeapps.live.com	52.109.68.129	whitelisted
omex.cdn.office.net	23.48.23.185 23.48.23.145 23.48.23.153 23.48.23.172 23.48.23.194 23.48.23.188 23.48.23.189 23.48.23.139 23.48.23.195	whitelisted

Threats

No threats detected

Add for printing

No debug info

General Info

snapshot64.exe

9061C9227887E9CD12BBD35DB49848D7

88EE20E8881E353C1828F3670BFE21E60D5FF421

AD605D0BD010BE65340D5BCDF7BB372C5305ADED6588B4FCE53EB29ED6B070EF

49152:X1gY7EsRrIo829CXOIh+xj9pZSVRo8duto0yAEltqtZDnFc0LZp3mhSDNynWCSXP:l8wrIo1A+Q29pZGRo8dc7ynqtZDnFc03

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Creates a writable file in the system directory

The DLL Hijacking

Scans artifacts that could help determine the target

SUSPICIOUS

Executes as Windows Service

Checks Windows Trust Settings

INFO

UPX packer has been detected

Reads the machine GUID from the registry

Reads the computer name

Checks supported languages

Manual execution by a user

Reads Microsoft Office registry keys

Process checks computer location settings

Checks proxy server information

Reads the software policy settings

Reads CPU info

Reads Environment values

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings