| Field | Value |
|---|---|
| File name | AltSnap1.64-x64-inst.exe |
| Full analysis | https://app.any.run/tasks/e8ea46d6-a337-43cc-9f3e-f94fdf07bced |
| Verdict | Malicious activity |
| Analysis date | December 09, 2024, 16:17:12 |
| OS | Windows 10 Professional (build: 19045, 64 bit) |
| Indicators | — |
| MIME | application/vnd.microsoft.portable-executable |
| File info | PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections |
| MD5 | E4B60B51969AB9D3A5CD702FCF31881E |
| SHA1 | DEB492F32420DCF284301A3869793609A88195CF |
| SHA256 | 09A43A314D0E2322EC5143103DEC92806903072B3B2624A7A193A000A9EFAA8F |
| SSDEEP | 6144:rRHG/l/jLOpl7BaAZefPsYk+yrESO7vV0vy:rWApl7pZefPsbQSON06 |
| Extension | Detected file type (match %) |
|---|---|
| .exe | NSIS - Nullsoft Scriptable Install System (94.8) |
| .exe | Win32 Executable MS Visual C++ (generic) (3.4) |
| .dll | Win32 Dynamic Link Library (generic) (0.7) |
| .exe | Win32 Executable (generic) (0.5) |
| .exe | Generic Win/DOS Executable (0.2) |
| PE property | Value |
|---|---|
| MachineType | Intel 386 or later, and compatibles |
| TimeStamp | 2006:09:09 14:44:18+00:00 |
| ImageFileCharacteristics | No relocs, Executable, No line numbers, No symbols, 32-bit |
| PEType | PE32 |
| LinkerVersion | 6 |
| CodeSize | 23552 |
| InitializedDataSize | 122368 |
| UninitializedDataSize | 1024 |
| EntryPoint | 0x32d9 |
| OSVersion | 4 |
| ImageVersion | - |
| SubsystemVersion | 4 |
| Subsystem | Windows GUI |
| PID | CMD | Path | Indicators | Parent process | Process details |
|---|---|---|---|---|---|
| 2072 | "C:\Users\admin\Desktop\AltSnap1.64-x64-inst.exe" | C:\Users\admin\Desktop\AltSnap1.64-x64-inst.exe | — | explorer.exe | User: admin; Integrity level: MEDIUM; Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED) |
| 3128 | "C:\Users\admin\Desktop\AltSnap1.64-x64-inst.exe" | C:\Users\admin\Desktop\AltSnap1.64-x64-inst.exe | — | explorer.exe | User: admin; Integrity level: HIGH; Exit code: 0 |
| 5472 | C:\Users\admin\AppData\Roaming\AltSnap\AltSnap.exe | C:\Users\admin\AppData\Roaming\AltSnap\AltSnap.exe | — | AltSnap1.64-x64-inst.exe | User: admin; Company: Gillibert Software; Integrity level: HIGH; Description: AltSnap; Version: 1.64 |
| PID | Process | Operation | Key | Name | Value |
|---|---|---|---|---|---|
| 3128 | AltSnap1.64-x64-inst.exe | write | HKEY_CURRENT_USER\SOFTWARE\AltSnap | Install_Dir | C:\Users\admin\AppData\Roaming\AltSnap |
| 3128 | AltSnap1.64-x64-inst.exe | write | HKEY_CURRENT_USER\SOFTWARE\AltSnap | Version | 1.64 |
| 3128 | AltSnap1.64-x64-inst.exe | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AltSnap | EstimatedSize | 400 |
| 3128 | AltSnap1.64-x64-inst.exe | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AltSnap | UninstallString | "C:\Users\admin\AppData\Roaming\AltSnap\Uninstall.exe" |
| 3128 | AltSnap1.64-x64-inst.exe | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AltSnap | QuietUninstallString | "C:\Users\admin\AppData\Roaming\AltSnap\Uninstall.exe" /S |
| 3128 | AltSnap1.64-x64-inst.exe | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AltSnap | DisplayName | AltSnap |
| 3128 | AltSnap1.64-x64-inst.exe | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AltSnap | DisplayIcon | "C:\Users\admin\AppData\Roaming\AltSnap\AltSnap.exe" |
| 3128 | AltSnap1.64-x64-inst.exe | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AltSnap | DisplayVersion | 1.64 |
| 3128 | AltSnap1.64-x64-inst.exe | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AltSnap | HelpLink | https://github.com/RamonUnch/AltSnap/wiki |
| 3128 | AltSnap1.64-x64-inst.exe | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AltSnap | Publisher | Raymond Gillibert |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3128 | AltSnap1.64-x64-inst.exe | C:\Users\admin\AppData\Roaming\AltSnap\AltSnap.dni | text | 77BD55F505D522D88569237444D13CDC | B6FCE910BA5D1608EF3A77BAB80D5384AEEDC49EDF1795EEBE5410E35E30532E |
| 3128 | AltSnap1.64-x64-inst.exe | C:\Users\admin\AppData\Roaming\AltSnap\hooks.dll | executable | 95399217AC7EF4DD772C6DB9A147F88C | 2AF30CFE48FDF0A18B82A782D4706652ECC69987E2F9E487FD13F3BB7984D293 |
| 3128 | AltSnap1.64-x64-inst.exe | C:\Users\admin\AppData\Roaming\AltSnap\sch_On.bat | text | 8BFD05C2818CABC027D130754DF188B4 | B5AE86273228DE5C4BF75F6DF02079DB544FB18CF8699CE7DAEA416889A667DE |
| 3128 | AltSnap1.64-x64-inst.exe | C:\Users\admin\AppData\Roaming\AltSnap\Lang\de_DE.ini | text | BB9ABCCBE34E552AF8E2AE09AB10F24D | 3C44AB42C3FE978A84988FD32B196D13A8FDDE9A15CB9728986C14C5ADEA17B1 |
| 3128 | AltSnap1.64-x64-inst.exe | C:\Users\admin\AppData\Roaming\AltSnap\sch_Off.bat | text | 2D9AB5D2968A2F17AD8B6B650B6CC0A5 | 3C2F09951D08FEEDFF51264AB95683C11019222C12BD31422B0030B63AC64652 |
| 3128 | AltSnap1.64-x64-inst.exe | C:\Users\admin\AppData\Roaming\AltSnap\Lang\_en_US baseline.txt | text | 2E851F6C12C4E1594B41FB781C3102BA | BDA9D0DDB10F81F7D62D257F078B9A1E7E63CB821891A8C4A07777DECB884EF3 |
| 3128 | AltSnap1.64-x64-inst.exe | C:\Users\admin\AppData\Roaming\AltSnap\Lang\ja_JP.ini | text | 1E2AD73B2AEAD94AB9C4ACA422A5FDB1 | BC615B7DF50DE2436F3E5316BDB40AE0C9BB9FC4199C548C107FA8AAD9B69D39 |
| 3128 | AltSnap1.64-x64-inst.exe | C:\Users\admin\AppData\Roaming\AltSnap\Lang\gl_ES.ini | html | 0B488F47282449D4AB832A6D75C6ED6A | 9667B6E53F4919CB73DCC30035ED24AE33B95F3B44911F63FA240AB590F65F2E |
| 3128 | AltSnap1.64-x64-inst.exe | C:\Users\admin\AppData\Roaming\AltSnap\Lang\ko_KR.ini | text | 4DC3BE3EC40C1DC2926EC9B687702E9D | A43BD2966D0DE398FAB87028390BD5E69B9C7DC9C9C8FAA5DA6B965058EFE07C |
| 3128 | AltSnap1.64-x64-inst.exe | C:\Users\admin\AppData\Roaming\AltSnap\Lang\fr_FR.ini | text | 6A4C4BBC82656BFDB476D959CCE47432 | 2A5BA258E9C737A4134850CEEA1051E153DD57B68A200214F2EE3C05D1B8CD18 |
| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 2736 | svchost.exe | GET | 200 | 184.24.77.35:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
| 4712 | MoUsoCoreWorker.exe | GET | 200 | 184.24.77.35:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
| 2736 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
| — | — | POST | 204 | 104.126.37.153:443 | https://www.bing.com/threshold/xls.aspx | unknown | — | — | whitelisted |
| 4712 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
| 4712 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
| 2736 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
| — | — | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
| 4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
| 2736 | svchost.exe | 184.24.77.35:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
| 4712 | MoUsoCoreWorker.exe | 184.24.77.35:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
| 2736 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
| 4712 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
| 4712 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
| Domain | IP | Reputation |
|---|---|---|
| settings-win.data.microsoft.com | — | whitelisted |
| google.com | — | whitelisted |
| crl.microsoft.com | — | whitelisted |
| www.microsoft.com | — | whitelisted |
| www.bing.com | — | whitelisted |
| self.events.data.microsoft.com | — | whitelisted |