File name: RuLauncher.Updater.exe

Full analysis: https://app.any.run/tasks/eaf27f32-5bc0-4c41-9327-f170b06941c7
Verdict: Malicious activity
Threats: loader

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims' computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links, relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: September 16, 2024, 21:29:49
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: loader
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: 5354FF34E1EA50A7AD81A698A09BDF14
SHA1: 902F1516A3F615F1DAA1C68D1C58E09CF5CB7732
SHA256: 04C2F0CDC0DD90AEC5E0ABF092DA045C0F30BBF14DE1659F4FB63A9ED4E03B89
SSDEEP: 196608:ZTlVjK5VsImUn1hKI2+VPVC5VsIuYk2+VT:5eVsOn1hKZ+VEVs7Y1+V

ANY.RUN is an interactive service that provides full access to the guest system. Information in this report may have been distorted by user actions and is provided for the user's information as is. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • RuLauncher.Updater.exe (PID: 6944)
      • RuLauncher.exe (PID: 2524)
    • Potential Corporate Privacy Violation

      • RuLauncher.Updater.exe (PID: 6944)
      • RuLauncher.exe (PID: 2524)
    • Process requests binary or script from the Internet

      • RuLauncher.Updater.exe (PID: 6944)
      • RuLauncher.exe (PID: 2524)
    • Executable content was dropped or overwritten

      • RuLauncher.Updater.exe (PID: 6944)
    • Reads the date of Windows installation

      • RuLauncher.Updater.exe (PID: 6944)
    • Checks for Java to be installed

      • RuLauncher.exe (PID: 2524)
  • INFO

    • Checks supported languages

      • RuLauncher.Updater.exe (PID: 6944)
      • RuLauncher.exe (PID: 2524)
    • Reads the computer name

      • RuLauncher.Updater.exe (PID: 6944)
      • RuLauncher.exe (PID: 2524)
    • Disables trace logs

      • RuLauncher.Updater.exe (PID: 6944)
      • RuLauncher.exe (PID: 2524)
    • Reads Environment values

      • RuLauncher.Updater.exe (PID: 6944)
      • RuLauncher.exe (PID: 2524)
    • Reads the machine GUID from the registry

      • RuLauncher.Updater.exe (PID: 6944)
      • RuLauncher.exe (PID: 2524)
    • Checks proxy server information

      • RuLauncher.Updater.exe (PID: 6944)
      • RuLauncher.exe (PID: 2524)
    • Creates files or folders in the user directory

      • RuLauncher.Updater.exe (PID: 6944)
      • RuLauncher.exe (PID: 2524)
    • Reads the software policy settings

      • RuLauncher.Updater.exe (PID: 6944)
      • RuLauncher.exe (PID: 2524)
    • The process uses the downloaded file

      • RuLauncher.Updater.exe (PID: 6944)
      • RuLauncher.exe (PID: 2524)
    • Process checks computer location settings

      • RuLauncher.Updater.exe (PID: 6944)
    • Reads product name

      • RuLauncher.exe (PID: 2524)
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:01:14 21:49:43+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 48
CodeSize: 18831872
InitializedDataSize: 272896
UninitializedDataSize: -
EntryPoint: 0x11f78de
OSVersion: 4
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 24.1.14.479
ProductVersionNumber: 24.1.14.17
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: RuLauncher.com
FileDescription: RuLauncher.Updater
FileVersion: 24.1.14.479
InternalName: RuLauncher.Updater.exe
LegalCopyright: Copyright © 2018 RuLauncher.com and contributors
LegalTrademarks: -
OriginalFileName: RuLauncher.Updater.exe
ProductName: RuLauncher.Updater
ProductVersion: 24.1.14.17
AssemblyVersion: 24.1.14.479
No data.
All screenshots are available in the full report

Total processes: 118
Monitored processes: 2
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start -> rulauncher.updater.exe -> rulauncher.exe

Process information

PID  | CMD                                                           | Path                                                      | Parent process
2524 | "C:\Users\admin\AppData\Roaming\.rulauncher\RuLauncher.exe"   | C:\Users\admin\AppData\Roaming\.rulauncher\RuLauncher.exe | RuLauncher.Updater.exe
  User: admin
  Company: RuLauncher.com
  Integrity Level: MEDIUM
  Description: RuLauncher
  Version: 24.6.26.4765
  Modules (images):
    c:\users\admin\appdata\roaming\.rulauncher\rulauncher.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\mscoree.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\apphelp.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll

6944 | "C:\Users\admin\Desktop\RuLauncher.Updater.exe"               | C:\Users\admin\Desktop\RuLauncher.Updater.exe             | explorer.exe
  User: admin
  Company: RuLauncher.com
  Integrity Level: MEDIUM
  Description: RuLauncher.Updater
  Exit code: 0
  Version: 24.1.14.479
  Modules (images):
    c:\users\admin\desktop\rulauncher.updater.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\mscoree.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\apphelp.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
Total events: 14 943
Read events: 14 929
Write events: 14
Delete events: 0

Modification events

All events below were performed by PID 6944 (RuLauncher.Updater.exe); operation: write.

Key                                                               | Name                  | Value
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RuLauncher_RASAPI32 | EnableFileTracing     | 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RuLauncher_RASAPI32 | EnableAutoFileTracing | 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RuLauncher_RASAPI32 | EnableConsoleTracing  | 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RuLauncher_RASAPI32 | FileTracingMask       |
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RuLauncher_RASAPI32 | ConsoleTracingMask    |
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RuLauncher_RASAPI32 | MaxFileSize           | 1048576
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RuLauncher_RASAPI32 | FileDirectory         | %windir%\tracing
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RuLauncher_RASMANCS | EnableFileTracing     | 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RuLauncher_RASMANCS | EnableAutoFileTracing | 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RuLauncher_RASMANCS | EnableConsoleTracing  | 0

Executable files: 8
Suspicious files: 10
Text files: 22
Unknown types: 0

Dropped files

PID  | Process                | Filename                                                                                  | Type
6944 | RuLauncher.Updater.exe | C:\Users\admin\AppData\Roaming\.rulauncher\configs\launcher_appearance.json               | binary
       MD5: 59792912C4407858A34F8DB78AC2A68B
       SHA256: 782D6FA7D4DCA83D8A12FACC3991964A4C588BAFFC0E05E0972180481E500F90
2524 | RuLauncher.exe         | C:\Users\admin\AppData\Roaming\.rulauncher\configs\launcher_configuration.json            | binary
       MD5: F4446BE3CEB0E816E0E24E58C8E99240
       SHA256: A4CD32CFB640CE88539FF27424FCDEF8208871C35F0F1CA462EEB93096E8045F
2524 | RuLauncher.exe         | C:\Users\admin\AppData\Roaming\.rulauncher\utils\LibraryUnpacker\xz-1.8.jar                | java
       MD5: 5F982127E0DE85B785C4B2ABAD21AA2E
       SHA256: 8C7964B36FE3F0CBE644B04FCBFF84E491CE81917DB2F5BFA0CBA8E9548AFF5D
6944 | RuLauncher.Updater.exe | C:\Users\admin\AppData\Roaming\.rulauncher\RuLauncher.exe                                 | executable
       MD5: 267BB405D3C3EAEF6302D91CB515DC7D
       SHA256: C0D80B955F53C77FE91182EBE990251D63BED1120F52E29C904D22EBF9C2B08C
6944 | RuLauncher.Updater.exe | C:\Users\admin\AppData\Roaming\.rulauncher\plugins\RuLauncher.PluginSystem.IrisProvider.dll | executable
       MD5: 7AD8B2D5EC144853105C97F10BC50DAD
       SHA256: DF54EE447F26A2AC063E3456D67027DCDFBF28CFA21D006BA6A6BC7AB0DD1D3A
6944 | RuLauncher.Updater.exe | C:\Users\admin\AppData\Roaming\.rulauncher\plugins\RuLauncher.PluginSystem.ProviderChainer.dll | executable
       MD5: E3187115EA5D9D47798A635F8B149E68
       SHA256: D651B85DA7C3E61DFF82BE173E5E588E5855FD062B1A3FE7774CFF4570CE4A04
2524 | RuLauncher.exe         | C:\Users\admin\AppData\Local\IsolatedStorage\hqldvrps.svc\tfdwbtjf.kbp\Url.v2eevft10qyi5e0cqp1bdylpzopyv2s4\Url.v2eevft10qyi5e0cqp1bdylpzopyv2s4\identity.dat | binary
       MD5: 7CCBB2257EB06597914DB56275E46706
       SHA256: 338A1C9C744EF69DB55E6CB6A5B7CF1DA1552CEEE473F142327580CDF2D99F71
6944 | RuLauncher.Updater.exe | C:\Users\admin\AppData\Roaming\.rulauncher\plugins\RuLauncher.PluginSystem.OptifineProvider.dll | executable
       MD5: 8BF1AB75F4416506B4BFAE6E78DB61EF
       SHA256: E633698B562F8717FD68D0DD056F25F33C2B78AC2D7E8497C4F453AA7B0555EE
2524 | RuLauncher.exe         | C:\Users\admin\AppData\Roaming\.rulauncher\configs\client_environments.json               | binary
       MD5: 1F0AEE41DC24D9615E82F103FC44AD9C
       SHA256: B15103F7F8623DA5ED4C9A0213F6333EA1CA55B1D3367787D0C0F53707DB97CC
2524 | RuLauncher.exe         | C:\Users\admin\AppData\Roaming\.minecraft\launcher_profiles.json                          | binary
       MD5: 4E18965E853B43B24034871FA7016410
       SHA256: FCA2CB1E3EC78808FEEA0EE829A5BDCCCC4523C83AE4ADAD36E80200E3868B44
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 55
TCP/UDP connections: 28
DNS requests: 10
Threats: 30

HTTP requests

PID  | Process                | Method | HTTP Code | IP                 | URL                                                                                                                          | CN      | Type       | Size    | Reputation
-    | -                      | GET    | 200       | 88.221.169.152:80  | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl                                                           | DE      | binary     | 973 b   | whitelisted
7128 | svchost.exe            | GET    | 200       | 88.221.169.152:80  | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl                                                           | DE      | binary     | 973 b   | whitelisted
2120 | MoUsoCoreWorker.exe    | GET    | 200       | 88.221.169.152:80  | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl                                                           | DE      | binary     | 973 b   | whitelisted
6944 | RuLauncher.Updater.exe | HEAD   | 204       | 104.21.48.8:80     | http://rulauncher.com/generate_204                                                                                           | unknown | -          | -       | malicious
-    | -                      | HEAD   | 200       | 13.107.253.45:443  | https://launchermeta.mojang.com/mc/game/version_manifest.json                                                                | US      | -          | -       | unknown
6944 | RuLauncher.Updater.exe | HEAD   | 200       | 17.253.15.207:80   | http://captive.apple.com/generate_204                                                                                        | DE      | -          | -       | whitelisted
6944 | RuLauncher.Updater.exe | GET    | 200       | 104.21.48.8:80     | http://rulauncher.com/get/launcher/24.6.26.4765/RuLauncher.exe                                                               | unknown | executable | 10.9 Mb | malicious
6944 | RuLauncher.Updater.exe | GET    | 200       | 104.21.48.8:80     | http://rulauncher.com/meta/update_manifest.json                                                                              | unknown | binary     | 5.00 Kb | malicious
6944 | RuLauncher.Updater.exe | GET    | 200       | 104.21.48.8:80     | http://rulauncher.com/get/plugin/RuLauncher.PluginSystem.FabricProvider/21.12.15.25/RuLauncher.PluginSystem.FabricProvider.dll | unknown | executable | 19.5 Kb | malicious
6944 | RuLauncher.Updater.exe | GET    | 200       | 104.21.48.8:80     | http://rulauncher.com/get/plugin/RuLauncher.PluginSystem.ForgeProvider/23.12.10.166/RuLauncher.PluginSystem.ForgeProvider.dll  | unknown | executable | 31.5 Kb | malicious

Cells shown as "-" were not present in the report for that row.

Connections

PID  | Process                | IP                   | Domain                          | ASN                         | CN | Reputation
4    | System                 | 192.168.100.255:138  | -                               | -                           | -  | whitelisted
-    | -                      | 40.127.240.158:443   | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
-    | -                      | 88.221.169.152:80    | www.microsoft.com               | AKAMAI-AS                   | DE | whitelisted
7128 | svchost.exe            | 88.221.169.152:80    | www.microsoft.com               | AKAMAI-AS                   | DE | whitelisted
2120 | MoUsoCoreWorker.exe    | 88.221.169.152:80    | www.microsoft.com               | AKAMAI-AS                   | DE | whitelisted
3888 | svchost.exe            | 239.255.255.250:1900 | -                               | -                           | -  | whitelisted
4324 | svchost.exe            | 40.127.240.158:443   | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6944 | RuLauncher.Updater.exe | 104.21.48.8:80       | rulauncher.com                  | CLOUDFLARENET               | -  | suspicious
7128 | svchost.exe            | 40.127.240.158:443   | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6944 | RuLauncher.Updater.exe | 17.253.15.207:80     | captive.apple.com               | APPLE-AUSTIN                | DE | whitelisted

DNS requests

Domain                          | IP                            | Reputation
settings-win.data.microsoft.com | 40.127.240.158                | whitelisted
google.com                      | 142.250.185.174               | whitelisted
www.microsoft.com               | 88.221.169.152                | whitelisted
rulauncher.com                  | 104.21.48.8, 172.67.175.42    | unknown
captive.apple.com               | 17.253.15.207, 17.253.15.197  | whitelisted
launchermeta.mojang.com         | 13.107.253.42                 | whitelisted
startup.mobile.yandex.net       | 213.180.204.244               | whitelisted
report.appmetrica.yandex.net    | 213.180.193.226               | whitelisted
libraries.rulauncher.com        | 172.67.175.42, 104.21.48.8    | unknown

Threats

PID  | Process                | Class                                | Message
6944 | RuLauncher.Updater.exe | Potential Corporate Privacy Violation | ET POLICY User-Agent (Launcher)
6944 | RuLauncher.Updater.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
6944 | RuLauncher.Updater.exe | Potentially Bad Traffic              | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
2524 | RuLauncher.exe         | Potential Corporate Privacy Violation | ET POLICY User-Agent (Launcher)
2524 | RuLauncher.exe         | Potential Corporate Privacy Violation | ET POLICY User-Agent (Launcher)
2524 | RuLauncher.exe         | Potential Corporate Privacy Violation | ET POLICY User-Agent (Launcher)
2524 | RuLauncher.exe         | Potential Corporate Privacy Violation | ET POLICY User-Agent (Launcher)
2524 | RuLauncher.exe         | Potential Corporate Privacy Violation | ET POLICY User-Agent (Launcher)
2524 | RuLauncher.exe         | Potential Corporate Privacy Violation | ET POLICY User-Agent (Launcher)
2524 | RuLauncher.exe         | Potential Corporate Privacy Violation | ET POLICY User-Agent (Launcher)
3 ETPRO signatures available at the full report
No debug info