Malware analysis snapshot64.exe Malicious activity | ANY.RUN

Add for printing

File name:	snapshot64.exe
Full analysis:	https://app.any.run/tasks/56c08215-f96f-4af0-accc-d2f917f63163
Verdict:	Malicious activity
Analysis date:	July 18, 2024, 19:43:38
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	upx
Indicators:
MIME:	application/x-dosexec
File info:	PE32+ executable (console) x86-64, for MS Windows
MD5:	9061C9227887E9CD12BBD35DB49848D7
SHA1:	88EE20E8881E353C1828F3670BFE21E60D5FF421
SHA256:	AD605D0BD010BE65340D5BCDF7BB372C5305ADED6588B4FCE53EB29ED6B070EF
SSDEEP:	49152:X1gY7EsRrIo829CXOIh+xj9pZSVRo8duto0yAEltqtZDnFc0LZp3mhSDNynWCSXP:l8wrIo1A+Q29pZGRo8dc7ynqtZDnFc03

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 180 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 120 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - snapshot64.exe (PID: 5608)
- The DLL Hijacking
  - OfficeClickToRun.exe (PID: 5464)
- Creates a writable file in the system directory
  - OfficeClickToRun.exe (PID: 5464)
- Scans artifacts that could help determine the target
  - OfficeClickToRun.exe (PID: 5464)
SUSPICIOUS
- Executes as Windows Service
  - OfficeClickToRun.exe (PID: 5464)
- Checks Windows Trust Settings
  - OfficeClickToRun.exe (PID: 5464)
INFO
- Checks supported languages
  - snapshot64.exe (PID: 5608)
  - snapshot64.exe (PID: 2828)
  - snapshot64.exe (PID: 3328)
  - OfficeClickToRun.exe (PID: 5464)
  - snapshot64.exe (PID: 7480)
- Reads the computer name
  - snapshot64.exe (PID: 5608)
  - snapshot64.exe (PID: 2828)
  - snapshot64.exe (PID: 3328)
  - OfficeClickToRun.exe (PID: 5464)
  - snapshot64.exe (PID: 7480)
- Reads the machine GUID from the registry
  - snapshot64.exe (PID: 5608)
  - snapshot64.exe (PID: 2828)
  - snapshot64.exe (PID: 3328)
  - OfficeClickToRun.exe (PID: 5464)
  - snapshot64.exe (PID: 7480)
- UPX packer has been detected
  - snapshot64.exe (PID: 5608)
  - snapshot64.exe (PID: 2828)
  - snapshot64.exe (PID: 3328)
  - snapshot64.exe (PID: 7480)
- Manual execution by a user
  - snapshot64.exe (PID: 2828)
  - snapshot64.exe (PID: 6800)
  - snapshot64.exe (PID: 3328)
  - mspaint.exe (PID: 6980)
  - snapshot64.exe (PID: 7416)
  - WINWORD.EXE (PID: 7028)
  - snapshot64.exe (PID: 7480)
- Reads Microsoft Office registry keys
  - OfficeClickToRun.exe (PID: 5464)
- Checks proxy server information
  - OfficeClickToRun.exe (PID: 5464)
- Process checks computer location settings
  - OfficeClickToRun.exe (PID: 5464)
- Reads the software policy settings
  - OfficeClickToRun.exe (PID: 5464)
- Reads Environment values
  - OfficeClickToRun.exe (PID: 5464)
- Reads CPU info
  - OfficeClickToRun.exe (PID: 5464)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	UPX compressed Win32 Executable (87.1)
.exe	\|	Generic Win/DOS Executable (6.4)
.exe	\|	DOS Executable Generic (6.4)

EXIF

EXE

MachineType:	AMD AMD64
TimeStamp:	2024:06:10 07:26:51+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.16
CodeSize:	1380352
InitializedDataSize:	16384
UninitializedDataSize:	3289088
EntryPoint:	0x4735d0
OSVersion:	5.2
ImageVersion:	-
SubsystemVersion:	5.2
Subsystem:	Windows command line
FileVersionNumber:	1.50.0.1436
ProductVersionNumber:	1.50.0.1436
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Windows, Latin1
CompanyName:	Tom Ehlert Software
FileDescription:	Drive Snapshot - Diskimaging for WindowsNT
FileVersion:	1.501436
InternalName:	Snapshot
LegalCopyright:	Copyright © 2001-2024 by tom ehlert
LegalTrademarks:	Drive Snapshot is a trademark of Tom Ehlert
OriginalFileName:	snapshot.exe
ProductName:	Drive Snapshot for WindowsNT
ProductVersion:	1.501436

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

148

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

2080

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

snapshot64.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2356

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

snapshot64.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2828

"C:\Users\admin\Desktop\snapshot64.exe"

C:\Users\admin\Desktop\snapshot64.exe

explorer.exe

User:

admin

Company:

Tom Ehlert Software

Integrity Level:

HIGH

Description:

Drive Snapshot - Diskimaging for WindowsNT

Exit code:

3221225786

Version:

1.501436

Modules

Images
c:\users\admin\desktop\snapshot64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

3328

"C:\Users\admin\Desktop\snapshot64.exe"

C:\Users\admin\Desktop\snapshot64.exe

explorer.exe

User:

admin

Company:

Tom Ehlert Software

Integrity Level:

HIGH

Description:

Drive Snapshot - Diskimaging for WindowsNT

Exit code:

3221225786

Version:

1.501436

Modules

Images
c:\users\admin\desktop\snapshot64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

3672

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

snapshot64.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

5016

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

snapshot64.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

5464

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe

services.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Microsoft Office Click-to-Run (SxS)

Version:

16.0.16026.20140

Modules

Images
c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\gdi32.dll

5608

"C:\Users\admin\Desktop\snapshot64.exe"

C:\Users\admin\Desktop\snapshot64.exe

explorer.exe

User:

admin

Company:

Tom Ehlert Software

Integrity Level:

HIGH

Description:

Drive Snapshot - Diskimaging for WindowsNT

Exit code:

3221225786

Version:

1.501436

Modules

Images
c:\users\admin\desktop\snapshot64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

6136

"C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe" "A7B8366D-5710-4DBA-8BB3-FFB4363129FE" "1C3C7FF5-2D1D-47EA-AAED-0C65BDFB631A" "7028"

C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe

—

WINWORD.EXE

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Artificial Intelligence (AI) Host for the Microsoft® Windows® Operating System and Platform x64.

Exit code:

Version:

0.12.2.0

Modules

Images
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\ai.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files\common files\microsoft shared\clicktorun\appvisvsubsystems64.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

6800

"C:\Users\admin\Desktop\snapshot64.exe"

C:\Users\admin\Desktop\snapshot64.exe

—

explorer.exe

User:

admin

Company:

Tom Ehlert Software

Integrity Level:

MEDIUM

Description:

Drive Snapshot - Diskimaging for WindowsNT

Exit code:

3221226540

Version:

1.501436

Modules

Images
c:\users\admin\desktop\snapshot64.exe
c:\windows\system32\ntdll.dll

Add for printing

Total events

20 680

Read events

20 151

Write events

494

Delete events

Modification events


(PID) Process:	(6980) mspaint.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Paint\View
Operation:	write	Name:	WindowPlacement
Value: 2C00000000000000010000000000000000000000FFFFFFFFFFFFFFFF7F000000470000007F04000087020000
(PID) Process:	(6980) mspaint.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Paint\View
Operation:	write	Name:	ShowThumbnail
Value: 0
(PID) Process:	(6980) mspaint.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Paint\View
Operation:	write	Name:	BMPWidth
Value: 0
(PID) Process:	(6980) mspaint.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Paint\View
Operation:	write	Name:	BMPHeight
Value: 0
(PID) Process:	(6980) mspaint.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Paint\View
Operation:	write	Name:	ThumbXPos
Value: 0
(PID) Process:	(6980) mspaint.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Paint\View
Operation:	write	Name:	ThumbYPos
Value: 0
(PID) Process:	(6980) mspaint.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Paint\View
Operation:	write	Name:	ThumbWidth
Value: 0
(PID) Process:	(6980) mspaint.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Paint\View
Operation:	write	Name:	ThumbHeight
Value: 0
(PID) Process:	(6980) mspaint.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Paint\View
Operation:	write	Name:	UnitSetting
Value: 0
(PID) Process:	(6980) mspaint.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Paint\View
Operation:	write	Name:	ShowRulers
Value: 0

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
5464	OfficeClickToRun.exe	C:\WINDOWS\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\C67A7508-B8B9-4F7F-A716-77A221AB8997		xml
		MD5:CFACF55C7B128C36223D0681F90F0239	SHA256:090F72274CC1B76942D935E1268DF5F4E20752FBD15C2704EAB69566CB7A648A
7028	WINWORD.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\pathmailing.rtf.LNK		lnk
		MD5:8954CDCAD92C115ABDD37C35E733D50F	SHA256:D492487AA2ABBB1429AF30B495796048BD73B1BFE0A1335F679A8B32D2A110E7
7028	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntitiesUpdated.bin		text
		MD5:982996C59AD2443FC0C8C5EC685477B6	SHA256:61B6AA78041E2BBEAE03A246292328807D01F243DE4E9C436A5BBBE6371326D1
7028	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\1803E618-5061-4081-A4E5-09CB582F86AF		xml
		MD5:7F070818EC259F253EDEFDF5E7B12B15	SHA256:FAC9E09682510FEB645C4812F05F934888240C01CC989FA901AAD5E123F5B15C
7028	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres		binary
		MD5:E6CC0340368AC4852BD4087A4EFABFF6	SHA256:EDB43BDC208B5EC6A48454CBE33123266EC66B8D79C4E6D2AFAD3CA9728D19C2
7028	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\5475cb191e478c39370a215b2da98a37e9dc813d.tbres		binary
		MD5:093DAA34FD98E3D9EDD3668976583D12	SHA256:E51BA33A9379351805F5BB4BE1508B8FC19F9FDD8C266F3B2318AE55223124F1
7028	WINWORD.EXE	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9		binary
		MD5:5A26F75F014290D1B720B5CCD4FE9249	SHA256:0282961A16376A3885C3927C3B99460AA45187B0F2EF48ABF405F40E6FE66207
7028	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntities.bin		text
		MD5:CC90D669144261B198DEAD45AA266572	SHA256:89C701EEFF939A44F28921FD85365ECD87041935DCD0FE0BAF04957DA12C9899
7028	WINWORD.EXE	C:\Users\admin\Desktop\~$thmailing.rtf		binary
		MD5:274896FCA325EC396CB2A476F4FE10A6	SHA256:64CB58666911497224BA3E8201B71A6002F76A49C8F32170D1FF38090984E9C0
7028	WINWORD.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat		ini
		MD5:24B6A856CADE1A105C0F697D158E75C5	SHA256:3BECACB4FBF1F9A820EA015DEC6A620561957A9BF2E388860CA9AF68C5EA8DCD

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
7028	WINWORD.EXE	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA77flR%2B3w%2FxBpruV2lte6A%3D	unknown	—	—	whitelisted
5464	OfficeClickToRun.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D	unknown	—	—	whitelisted
7028	WINWORD.EXE	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
3616	backgroundTaskHost.exe	20.223.35.26:443	arc.msn.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
4716	svchost.exe	40.126.32.134:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
7856	svchost.exe	4.209.32.67:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
4	System	192.168.100.255:138	—	—	—	whitelisted
4032	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
3616	backgroundTaskHost.exe	20.223.36.55:443	fd.api.iris.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
2760	svchost.exe	40.113.110.67:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
3404	slui.exe	40.91.76.224:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4716	svchost.exe	20.190.160.14:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	unknown

DNS requests

Domain	IP	Reputation
arc.msn.com	20.223.35.26	whitelisted
login.live.com	40.126.32.134 20.190.160.14 40.126.32.138 20.190.160.17 40.126.32.136 20.190.160.22 40.126.32.76 40.126.32.68	whitelisted
google.com	142.250.185.142	whitelisted
fd.api.iris.microsoft.com	20.223.36.55	whitelisted
activation-v2.sls.microsoft.com	40.91.76.224	whitelisted
www.bing.com	2.23.209.135 2.23.209.189 2.23.209.187 2.23.209.149 2.23.209.141 2.23.209.130 2.23.209.185 2.23.209.144 2.23.209.133	whitelisted
officeclient.microsoft.com	52.109.32.97	whitelisted
ecs.office.com	52.113.194.132	whitelisted
roaming.officeapps.live.com	52.109.68.129	whitelisted
omex.cdn.office.net	23.48.23.185 23.48.23.145 23.48.23.153 23.48.23.172 23.48.23.194 23.48.23.188 23.48.23.189 23.48.23.139 23.48.23.195	whitelisted

Threats

No threats detected

Add for printing

No debug info

General Info

snapshot64.exe

9061C9227887E9CD12BBD35DB49848D7

88EE20E8881E353C1828F3670BFE21E60D5FF421

AD605D0BD010BE65340D5BCDF7BB372C5305ADED6588B4FCE53EB29ED6B070EF

49152:X1gY7EsRrIo829CXOIh+xj9pZSVRo8duto0yAEltqtZDnFc0LZp3mhSDNynWCSXP:l8wrIo1A+Q29pZGRo8dc7ynqtZDnFc03

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

The DLL Hijacking

Creates a writable file in the system directory

Scans artifacts that could help determine the target

SUSPICIOUS

Executes as Windows Service

Checks Windows Trust Settings

INFO

Checks supported languages

Reads the computer name

Reads the machine GUID from the registry

UPX packer has been detected

Manual execution by a user

Reads Microsoft Office registry keys

Checks proxy server information

Process checks computer location settings

Reads the software policy settings

Reads Environment values

Reads CPU info

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings