File name: AtomicDMA-Launcher.exe
Full analysis: https://app.any.run/tasks/959e87fc-8337-453c-845d-a30e4e492af8
Verdict: Malicious activity
Analysis date: July 02, 2024, 12:46:47
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: themida
Indicators:
MIME: application/x-dosexec
File info: PE32+ executable (console) x86-64, for MS Windows
MD5: DF2087336B35AB61C81AD047983EF44A
SHA1: 6312D326226A8B184ED4C70AF4AC4914FF24F066
SHA256: 1E161B2DC46F258345910A972542817E5BF00C8755439B165D0CFF4A9A19AA3D
SSDEEP: 98304:Grtss5S2qNRzXYzm0kiyF3XhdyqshOzTfgaS5BKEQA3FSsHfZ/kDgF6NBEhQNKjb:x3gXT+Q86

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops the executable file immediately after the start
      • AtomicDMA-Launcher.exe (PID: 2448)
  • SUSPICIOUS
    • Reads the BIOS version
      • AtomicDMA-Launcher.exe (PID: 2448)
    • Connects to unusual port
      • AtomicDMA-Launcher.exe (PID: 2448)
  • INFO
    • Checks supported languages
      • AtomicDMA-Launcher.exe (PID: 2448)
    • Reads the software policy settings
      • AtomicDMA-Launcher.exe (PID: 2448)
    • Reads the computer name
      • AtomicDMA-Launcher.exe (PID: 2448)
    • Creates files or folders in the user directory
      • AtomicDMA-Launcher.exe (PID: 2448)
    • Themida protector has been detected
      • AtomicDMA-Launcher.exe (PID: 2448)
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF (EXE)

MachineType: AMD AMD64
TimeStamp: 2024:06:02 01:12:38+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14
CodeSize: 770560
InitializedDataSize: 311808
UninitializedDataSize: -
EntryPoint: 0x9d2058
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows command line
No data.
Total processes: 133
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start → atomicdma-launcher.exe (THREAT) → conhost.exe (no specs)

Process information

PID | CMD | Path | Parent process

2268 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | AtomicDMA-Launcher.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2448 | "C:\Users\admin\AppData\Local\Temp\AtomicDMA-Launcher.exe" | C:\Users\admin\AppData\Local\Temp\AtomicDMA-Launcher.exe | explorer.exe
User: admin
Integrity Level: MEDIUM
Modules (images):
c:\users\admin\appdata\local\temp\atomicdma-launcher.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
Total events: 608
Read events: 608
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 4
Text files: 8
Unknown types: 0

Dropped files

PID | Process | Filename | Type

2448 | AtomicDMA-Launcher.exe | C:\Users\admin\AppData\Roaming\AtomicDMA\shared\all_fonts.json | -
MD5: - | SHA256: -
2448 | AtomicDMA-Launcher.exe | C:\Users\admin\AppData\Roaming\AtomicDMA\shared\fonts\MiSans\MiSans-Demibold.ttf | -
MD5: - | SHA256: -
2448 | AtomicDMA-Launcher.exe | C:\Users\admin\AppData\Roaming\AtomicDMA\shared\fonts\HarmonyOS\HarmonyOS_Sans_SC_Medium.ttf | -
MD5: - | SHA256: -
2448 | AtomicDMA-Launcher.exe | C:\Users\admin\AppData\Roaming\AtomicDMA\shared\fonts\HarmonyOS\HarmonyOS_Sans_SC_Regular.ttf | -
MD5: - | SHA256: -
2448 | AtomicDMA-Launcher.exe | C:\Users\admin\AppData\Roaming\AtomicDMA\shared\fonts\HarmonyOS\HarmonyOS_Sans_SC_Bold.ttf | -
MD5: - | SHA256: -
2448 | AtomicDMA-Launcher.exe | C:\Users\admin\AppData\Roaming\AtomicDMA\launcher\images\background.atomictext | -
MD5: 69788D9300DEDAEDEE781AE45E4C7451 | SHA256: 30E7F6398AD90563C9888EF3D07F4926E057332A8B3C9E6EA134437CD90BE28D
2448 | AtomicDMA-Launcher.exe | C:\Users\admin\AppData\Roaming\AtomicDMA\launcher\images\t_tile.atomictext | -
MD5: 044B679B2D3B319FC064036E01780296 | SHA256: 1C55BBB66FF23160A8168DA19FDF0C4BBE070AAA8A32EAEA2F252FB91FCD88B4
2448 | AtomicDMA-Launcher.exe | C:\Users\admin\AppData\Roaming\AtomicDMA\launcher\images\bb_tile.atomictext | -
MD5: 4E9B73F3030982E20283D6106E037912 | SHA256: F3326EA72CD1F6EB0140DD7EA51B05B0CA1F1DF66BDDBE49D957ECE7F131AA23
2448 | AtomicDMA-Launcher.exe | C:\Users\admin\AppData\Roaming\AtomicDMA\shared\fonts\teko\Teko-SemiBold.ttf | binary
MD5: 22C16DEFCBFB5992927ADF6C94CD414F | SHA256: 9C58EFE60A27A660F5203293BB08E5C3A7DDCDCF74C4555AEB9B72D81619A250
2448 | AtomicDMA-Launcher.exe | C:\Users\admin\AppData\Roaming\AtomicDMA\launcher\images\a_tile.atomictext | -
MD5: F07CD71902634812A44539D649B9A6C3 | SHA256: F3C3256F55486B3592A0A409BF94A1CE5FE783DB592036EF7F98FA19B18F1050
HTTP(S) requests: 9
TCP/UDP connections: 69
DNS requests: 20
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation

2468 | svchost.exe | GET | 200 | 2.16.241.12:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | unknown
4656 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | unknown
3040 | OfficeClickToRun.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | unknown
2468 | svchost.exe | GET | 200 | 88.221.125.143:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | unknown
4684 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | unknown
4120 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | unknown
256 | SIHClient.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | unknown
1544 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | unknown
256 | SIHClient.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation

4032 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
2336 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
2448 | AtomicDMA-Launcher.exe | 188.114.96.3:2096 | atomicdma.com | CLOUDFLARENET | NL | unknown
2468 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4632 | RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2468 | svchost.exe | 2.16.241.12:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown
2468 | svchost.exe | 88.221.125.143:80 | www.microsoft.com | AKAMAI-AS | DE | unknown
3040 | OfficeClickToRun.exe | 20.189.173.5:443 | self.events.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
3040 | OfficeClickToRun.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted

DNS requests

Domain | IP | Reputation

atomicdma.com | 188.114.96.3, 188.114.97.3 | unknown
settings-win.data.microsoft.com | 20.73.194.208, 4.231.128.59 | whitelisted
crl.microsoft.com | 2.16.241.12, 2.16.241.19 | whitelisted
www.microsoft.com | 88.221.125.143, 88.221.169.152 | whitelisted
self.events.data.microsoft.com | 20.189.173.5 | whitelisted
ocsp.digicert.com | 192.229.221.95 | whitelisted
www.bing.com | 92.123.104.4, 92.123.104.12, 92.123.104.13, 92.123.104.5, 92.123.104.11, 92.123.104.9, 92.123.104.10, 92.123.104.14, 92.123.104.8 | whitelisted
r.bing.com | 92.123.104.10, 92.123.104.12, 92.123.104.14, 92.123.104.4, 92.123.104.13, 92.123.104.5, 92.123.104.9, 92.123.104.8, 92.123.104.11 | whitelisted
login.live.com | 20.190.159.68, 40.126.31.73, 20.190.159.2, 20.190.159.4, 20.190.159.0, 20.190.159.71, 20.190.159.73, 40.126.31.67 | whitelisted
go.microsoft.com | 184.28.89.167 | whitelisted

Threats

No threats detected
No debug info