File name: ATLauncher-setup-1.2.0.0.exe

Full analysis: https://app.any.run/tasks/9b054eb8-930b-49d1-9bf6-2ae8aae64572
Verdict: Malicious activity
Threats: loader

A loader is malicious software that infiltrates devices to deliver malicious payloads. It can infect a victim's computer, collect system information, and install other threats such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links, relying on social engineering to trick users into downloading and running the executable. Loaders employ evasion and persistence techniques to avoid detection.

Analysis date: May 31, 2024, 13:12:08
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: loader
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 9515A0D3A9DFA2C861BAEE86EE447419
SHA1: 6FA7B3341F3FA7D9BD38A194C80AE8077E842524
SHA256: D051B434836408A72C8B8D9BE423C30BF51CEF3DF2F954B5B099740954845CCD
SSDEEP: 98304:D+cD4dn2yWzeZD/ydyQhIVhSWvmwZ4yc773U3lDn5cTTWLElAllTdfo7BZGP8lIP:yj6UT1P

ANY.RUN is an interactive service that gives the analyst full access to the guest system. Information in this report may therefore be distorted by analyst actions and is provided as is. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • ATLauncher-setup-1.2.0.0.exe (PID: 6344)
      • ATLauncher-setup-1.2.0.0.tmp (PID: 6364)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • ATLauncher-setup-1.2.0.0.exe (PID: 6344)
      • ATLauncher-setup-1.2.0.0.tmp (PID: 6364)
    • Reads the Windows owner or organization settings

      • ATLauncher-setup-1.2.0.0.tmp (PID: 6364)
  • INFO

    • Create files in a temporary directory

      • ATLauncher-setup-1.2.0.0.exe (PID: 6344)
      • ATLauncher-setup-1.2.0.0.tmp (PID: 6364)
    • Checks supported languages

      • ATLauncher-setup-1.2.0.0.exe (PID: 6344)
      • ATLauncher-setup-1.2.0.0.tmp (PID: 6364)
    • Reads the computer name

      • ATLauncher-setup-1.2.0.0.tmp (PID: 6364)
    • Reads the software policy settings

      • ATLauncher-setup-1.2.0.0.tmp (PID: 6364)
    • Checks proxy server information

      • ATLauncher-setup-1.2.0.0.tmp (PID: 6364)
    • Reads the machine GUID from the registry

      • ATLauncher-setup-1.2.0.0.tmp (PID: 6364)
No malware configuration was extracted.

Note on the indicators above: the two "drops executable" indicators describe what every Inno Setup installer does. The outer .exe is the Inno Setup loader stub (SetupLdr); it always extracts the real setup program to %TEMP%\is-XXXXX.tmp\<installer name>.tmp and runs it with a /SL5= argument that points back at the original file, exactly as PIDs 6344 and 6364 show below. The computer-name, language, software-policy, proxy and machine-GUID reads are routine for an installer that downloads components. On their own these heuristics do not separate this sample from a legitimate ATLauncher build; the decisive checks are the Authenticode signature (not recorded in this report) and whether the hashes of the installer and of the downloaded ATLauncher.exe match those published by the vendor.

TRiD

.exe | Inno Setup installer (53.5)
.exe | InstallShield setup (21)
.exe | Win32 EXE PECompact compressed (generic) (20.2)
.exe | Win32 Executable (generic) (2.1)
.exe | Win16/32 Executable Delphi generic (1)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:02:15 14:54:16+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 741888
InitializedDataSize: 459776
UninitializedDataSize: -
EntryPoint: 0xb5eec
OSVersion: 6.1
ImageVersion: 6
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 1.2.0.0
ProductVersionNumber: 1.2.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: ATLauncher
FileDescription: ATLauncher Setup
FileVersion: 1.2.0.0
LegalCopyright:
OriginalFileName:
ProductName: ATLauncher
ProductVersion: 1.2.0.0
All screenshots are available in the full report
Total processes: 116
Monitored processes: 2
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start -> atlauncher-setup-1.2.0.0.exe -> atlauncher-setup-1.2.0.0.tmp

Process information

PID: 6344
CMD: "C:\Users\admin\Desktop\ATLauncher-setup-1.2.0.0.exe"
Path: C:\Users\admin\Desktop\ATLauncher-setup-1.2.0.0.exe
Parent process: explorer.exe
User: admin
Company: ATLauncher
Integrity Level: MEDIUM
Description: ATLauncher Setup
Version: 1.2.0.0
Modules (images):
  c:\users\admin\desktop\atlauncher-setup-1.2.0.0.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\aclayers.dll

PID: 6364
CMD: "C:\Users\admin\AppData\Local\Temp\is-K0RTH.tmp\ATLauncher-setup-1.2.0.0.tmp" /SL5="$401DE,1526961,1202688,C:\Users\admin\Desktop\ATLauncher-setup-1.2.0.0.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-K0RTH.tmp\ATLauncher-setup-1.2.0.0.tmp
Parent process: ATLauncher-setup-1.2.0.0.exe
User: admin
Company: ATLauncher
Integrity Level: MEDIUM
Description: Setup/Uninstall
Version: 51.1052.0.0
Modules (images):
  c:\users\admin\appdata\local\temp\is-k0rth.tmp\atlauncher-setup-1.2.0.0.tmp
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\aclayers.dll

Both processes load wow64*.dll, i.e. they are 32-bit images running under WOW64 on the 64-bit guest, consistent with the PE32 file type. The "Setup/Uninstall" description and 51.1052.0.0 version on PID 6364 belong to the Inno Setup runtime's own version resource, not to ATLauncher. Both run at MEDIUM integrity: no elevation was requested.
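The /SL5 argument on PID 6364 is the hand-off from the Inno Setup loader stub to the extracted setup program, and it is the quickest structural check that a suspicious .tmp in %TEMP%\is-XXXXX.tmp really is the second stage of the installer that spawned it. The Python below is an added example, not ANY.RUN's or ATLauncher's code: it parses the argument from the command line shown above and checks it against the parent's image path. The meaning given to the fields (window handle of the loader stub, two offsets into the installer image, path of the original installer) is taken from memory of the Inno Setup SetupLdr source and is an assumption; the spoofed command line is constructed for the negative case.

```python
import re
from pathlib import PureWindowsPath

# Command line of PID 6364 and the image path of its parent, PID 6344, copied from the report.
CMDLINE_6364 = (
    r'"C:\Users\admin\AppData\Local\Temp\is-K0RTH.tmp\ATLauncher-setup-1.2.0.0.tmp" '
    r'/SL5="$401DE,1526961,1202688,C:\Users\admin\Desktop\ATLauncher-setup-1.2.0.0.exe"'
)
PARENT_6344 = r"C:\Users\admin\Desktop\ATLauncher-setup-1.2.0.0.exe"

# Constructed counter-example (not from the report): a second stage whose /SL5 path
# names a different installer than the process that actually spawned it.
CMDLINE_SPOOFED = (
    r'"C:\Users\admin\AppData\Local\Temp\is-ABCDE.tmp\update.tmp" '
    r'/SL5="$1234,100,200,C:\Users\admin\Downloads\update.exe"'
)
PARENT_SPOOFED = r"C:\Users\admin\Desktop\notes.exe"

# /SL5="$<hwnd in hex>,<number>,<number>,<path of the original installer>"
SL5_RE = re.compile(r'/SL5="\$([0-9A-Fa-f]+),(\d+),(\d+),([^"]+)"')
# First (quoted) token of the command line: <dir>\is-XXXXX.tmp\<name>.tmp
STAGE_RE = re.compile(
    r'^"?(?P<path>[^"]*?\\is-[A-Za-z0-9]{5}\.tmp\\(?P<name>[^"\\]+?)\.tmp)"?', re.I
)


def parse_sl5(cmdline):
    """Return the fields of an Inno Setup /SL5 argument, or None if there is none."""
    m = SL5_RE.search(cmdline)
    if not m:
        return None
    return {
        "setupldr_hwnd": int(m.group(1), 16),  # loader stub window handle (assumption)
        "offset0": int(m.group(2)),            # offsets into the installer image (assumption)
        "offset1": int(m.group(3)),
        "original_installer": m.group(4),
    }


def triage_second_stage(cmdline, parent_path):
    """Does cmdline look like the Inno Setup second stage of parent_path, and do the two agree?"""
    sl5 = parse_sl5(cmdline)
    stage = STAGE_RE.match(cmdline)
    result = {"inno_pattern": bool(sl5) and bool(stage), "consistent": False, "notes": []}
    if not result["inno_pattern"]:
        result["notes"].append("no is-XXXXX.tmp stage or /SL5 argument: not the Inno Setup pattern")
        return result
    same_origin = sl5["original_installer"].lower() == parent_path.lower()
    same_name = stage.group("name").lower() == PureWindowsPath(parent_path).stem.lower()
    in_temp = "\\appdata\\local\\temp\\" in stage.group("path").lower()
    if not same_origin:
        result["notes"].append("/SL5 names a different installer than the parent process")
    if not same_name:
        result["notes"].append("stage .tmp base name differs from the parent's")
    if not in_temp:
        result["notes"].append("stage extracted outside %LOCALAPPDATA%\\Temp")
    result["consistent"] = same_origin and same_name and in_temp
    return result


if __name__ == "__main__":
    print(parse_sl5(CMDLINE_6364))
    print(triage_second_stage(CMDLINE_6364, PARENT_6344))
    print(triage_second_stage(CMDLINE_SPOOFED, PARENT_SPOOFED))
```

A consistent result says only that the process tree is the normal Inno Setup shape; it does not vouch for the installer's contents, which is why the hash and signature checks above still apply.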
Total events: 3 682
Read events: 3 679
Write events: 3
Delete events: 0

Modification events

PID 6364 (ATLauncher-setup-1.2.0.0.tmp), key HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000:
  write Owner = DC1800007DA7492D5CB3DA01
  write SessionHash = 1AF427E0D501E8A2EE9CB41A7F71C63E9A09F597C63A60D83CACE74F60FDDAA7
  write Sequence = 1

These three writes are the session record that Windows Restart Manager creates when an installer calls RmStartSession to find files in use; Inno Setup does this before replacing files. They are the only registry writes in the run and are not a persistence mechanism.
Executable files: 4
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID   Process                       Filename                                                                      Type
6364  ATLauncher-setup-1.2.0.0.tmp  C:\Users\admin\AppData\Local\Temp\is-5084Q.tmp\is-ADOAJ.tmp                   (type and hashes not recorded)
6344  ATLauncher-setup-1.2.0.0.exe  C:\Users\admin\AppData\Local\Temp\is-K0RTH.tmp\ATLauncher-setup-1.2.0.0.tmp   executable
      MD5: FDDFC2FD95D94FCC4F4C3D3ABC482DD7
      SHA256: 5B15C5D2B573D06A78B1774A6B5ED549FEF9EACE60B1B137F5186A3DAC25AB68
6364  ATLauncher-setup-1.2.0.0.tmp  C:\Users\admin\AppData\Local\Temp\is-5084Q.tmp\is-3LIC7.tmp                   executable
      MD5: 3B1D83FF2FCB3813E7C57D8019517C7C
      SHA256: 17C28BF319B89C5CA375CCA15128523D5734138DA0AF69D6B761ABAE7C533F96
6364  ATLauncher-setup-1.2.0.0.tmp  C:\Users\admin\AppData\Local\Temp\is-5084Q.tmp\ATLauncher.exe                 executable
      MD5: 3B1D83FF2FCB3813E7C57D8019517C7C
      SHA256: 17C28BF319B89C5CA375CCA15128523D5734138DA0AF69D6B761ABAE7C533F96
6364  ATLauncher-setup-1.2.0.0.tmp  C:\Users\admin\AppData\Local\Temp\is-5084Q.tmp\_isetup\_setup64.tmp           executable
      MD5: E4211D6D009757C078A9FAC7FF4F03D4
      SHA256: 388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95

The file dropped by PID 6344 is the Inno Setup second stage that runs as PID 6364. is-3LIC7.tmp and ATLauncher.exe carry identical hashes: Inno Setup writes each file under a temporary is-XXXXX.tmp name and then renames it, so those two rows record one file. _isetup\_setup64.tmp is the helper Inno Setup extracts on 64-bit Windows. The hash of the dropped ATLauncher.exe (17C28BF3...) is the value to compare against the vendor's published release, since the 25.1 Mb download from download.nodecdn.net in the HTTP table is the same file name.
HTTP(S) requests: 3
TCP/UDP connections: 19
DNS requests: 7
Threats: 0

HTTP requests

Method  Code  IP:port             URL                                                                                                                       Type        Size     Reputation
GET     302   140.82.121.3:443    https://github.com/adoptium/temurin17-binaries/releases/download/jdk-17.0.3%2B7/OpenJDK17U-jre_x64_windows_hotspot_17.0.3_7.zip   -           -        unknown
GET     200   104.22.69.118:443   https://download.nodecdn.net/containers/atl/ATLauncher.exe                                                                executable  25.1 Mb  unknown
POST    200   20.189.173.18:443   https://self.events.data.microsoft.com/OneCollector/1.0/                                                                  binary      9 b      unknown

The report records no PID for HTTP rows. Matched by host against the connections table, github.com and download.nodecdn.net belong to PID 6364 (the setup second stage), while self.events.data.microsoft.com belongs to OfficeClickToRun.exe (PID 2908): the telemetry POST is sandbox background, not sample traffic. The 302 from GitHub is its usual redirect for release assets; the redirected fetch that would actually deliver the Temurin JRE zip is not among the recorded requests. ATLauncher.exe was served from 104.22.69.118, one of the three A records returned for download.nodecdn.net, whereas the connection row for the same host shows 172.67.11.201.

Connections

PID   Process                       IP:port               Domain                           ASN                          CN  Reputation
-     -                             239.255.255.250:1900  -                                -                            -   unknown
5504  svchost.exe                   40.127.240.158:443    settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  IE  unknown
4264  RUXIMICS.exe                  40.127.240.158:443    settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  IE  unknown
5140  MoUsoCoreWorker.exe           40.127.240.158:443    settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  IE  unknown
4     System                        192.168.100.255:138   -                                -                            -   whitelisted
4     System                        192.168.100.255:137   -                                -                            -   whitelisted
6364  ATLauncher-setup-1.2.0.0.tmp  172.67.11.201:443     download.nodecdn.net             CLOUDFLARENET                US  unknown
5456  svchost.exe                   40.127.240.158:443    settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  IE  unknown
6364  ATLauncher-setup-1.2.0.0.tmp  140.82.121.4:443      github.com                       GITHUB                       US  unknown
2908  OfficeClickToRun.exe          20.189.173.18:443     self.events.data.microsoft.com   MICROSOFT-CORP-MSN-AS-BLOCK  US  unknown

Only the two rows for PID 6364 (download.nodecdn.net and github.com) are the sample's own traffic. The rest is guest background: Windows and Office telemetry to *.data.microsoft.com, NetBIOS broadcasts from the System process to 192.168.100.255:137/138, and an SSDP multicast to 239.255.255.250:1900.

DNS requests

Domain                           Answer(s)                                      Reputation
settings-win.data.microsoft.com  40.127.240.158                                 whitelisted
download.nodecdn.net             172.67.11.201, 104.22.68.118, 104.22.69.118    unknown
github.com                       140.82.121.4                                   shared
self.events.data.microsoft.com   20.189.173.18                                  whitelisted
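Sandbox network tables mix the sample's traffic with guest background, omit the PID on HTTP rows, and can show a different server IP for the same host in the HTTP and connection tables (github.com above: 140.82.121.3 versus 140.82.121.4), so correlating by IP alone misattributes requests. The Python below is an added triage example, not ANY.RUN's tooling; the three tables are transcribed from this report. It separates the monitored PIDs' connections from background, attributes each HTTP request to a PID by the URL's host rather than by IP, and flags HTTP rows whose server IP is not among the DNS answers the sandbox recorded.

```python
from urllib.parse import urlsplit

# Connections table from the report: (pid, process, ip:port, domain); None where the report shows nothing.
CONNECTIONS = [
    (None, None, "239.255.255.250:1900", None),
    (5504, "svchost.exe", "40.127.240.158:443", "settings-win.data.microsoft.com"),
    (4264, "RUXIMICS.exe", "40.127.240.158:443", "settings-win.data.microsoft.com"),
    (5140, "MoUsoCoreWorker.exe", "40.127.240.158:443", "settings-win.data.microsoft.com"),
    (4, "System", "192.168.100.255:138", None),
    (4, "System", "192.168.100.255:137", None),
    (6364, "ATLauncher-setup-1.2.0.0.tmp", "172.67.11.201:443", "download.nodecdn.net"),
    (5456, "svchost.exe", "40.127.240.158:443", "settings-win.data.microsoft.com"),
    (6364, "ATLauncher-setup-1.2.0.0.tmp", "140.82.121.4:443", "github.com"),
    (2908, "OfficeClickToRun.exe", "20.189.173.18:443", "self.events.data.microsoft.com"),
]

# HTTP requests table from the report: (method, status, ip:port, url). No PID is recorded.
HTTP_REQUESTS = [
    ("GET", 302, "140.82.121.3:443",
     "https://github.com/adoptium/temurin17-binaries/releases/download/jdk-17.0.3%2B7/OpenJDK17U-jre_x64_windows_hotspot_17.0.3_7.zip"),
    ("GET", 200, "104.22.69.118:443", "https://download.nodecdn.net/containers/atl/ATLauncher.exe"),
    ("POST", 200, "20.189.173.18:443", "https://self.events.data.microsoft.com/OneCollector/1.0/"),
]

# DNS table from the report: domain -> A records returned in the sandbox.
DNS = {
    "settings-win.data.microsoft.com": ["40.127.240.158"],
    "download.nodecdn.net": ["172.67.11.201", "104.22.68.118", "104.22.69.118"],
    "github.com": ["140.82.121.4"],
    "self.events.data.microsoft.com": ["20.189.173.18"],
}

SAMPLE_PIDS = {6344, 6364}  # the two monitored processes in this run


def split_connections(rows, sample_pids):
    """Separate the sample's own connections from guest background noise."""
    sample = [r for r in rows if r[0] in sample_pids]
    background = [r for r in rows if r[0] not in sample_pids]
    return sample, background


def sample_domains(rows, sample_pids):
    """Domains contacted by the monitored PIDs, deduplicated and sorted."""
    sample, _ = split_connections(rows, sample_pids)
    return sorted({r[3] for r in sample if r[3]})


def attribute_http(http_rows, conn_rows):
    """Map each HTTP request to the (pid, process) pairs that connected to the URL's host.
    Matching on the host instead of the IP avoids losing the GitHub request, which was
    served from an address that does not appear in the connections table."""
    by_host = {}
    for pid, proc, _ip, domain in conn_rows:
        if domain:
            by_host.setdefault(domain, set()).add((pid, proc))
    return [(method, urlsplit(url).hostname, sorted(by_host.get(urlsplit(url).hostname, set())))
            for method, _status, _ip, url in http_rows]


def ip_not_in_dns(http_rows, dns):
    """HTTP rows whose server IP is not among the DNS answers the sandbox recorded for that host."""
    mismatches = []
    for _method, _status, ipport, url in http_rows:
        host = urlsplit(url).hostname
        ip = ipport.rsplit(":", 1)[0]
        if ip not in dns.get(host, []):
            mismatches.append((host, ip))
    return mismatches


if __name__ == "__main__":
    print(sample_domains(CONNECTIONS, SAMPLE_PIDS))
    for row in attribute_http(HTTP_REQUESTS, CONNECTIONS):
        print(row)
    print(ip_not_in_dns(HTTP_REQUESTS, DNS))
```

An IP/DNS mismatch such as the GitHub one is usually a CDN or anycast front answering from a sibling address, but it is worth listing because a request to an IP that no recorded DNS answer explains is also what a hard-coded C2 address looks like.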

Threats

No threats detected
No debug info