File name: Plain Craft Launcher 2.exe

Full analysis: https://app.any.run/tasks/3c6e6a1e-3edc-4049-8097-03ccb17efd8a
Verdict: Malicious activity
Analysis date: July 16, 2024, 06:15:18
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
netreactor
github
dyndns
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 4B91CF43DBC23ED17A5FB42FF8B72A30
SHA1: 75E9EF4572F1A711B47C76148E6CB56E3318EB26
SHA256: 54A57DB260FF16D3C13DCDDF380DDC3ADADDE1FFD270FB7CE8FDCA56791FEE16
SSDEEP: 98304:qr7ayGJ6kHOSmda1sTaWGXLuXbZPZJrjaeGeV3M0lrvg72ZH96QFSZQ0N31I2yK9:zT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • Plain Craft Launcher 2.exe (PID: 3520)
      • ._cache_Plain Craft Launcher 2.exe (PID: 3172)
      • Plain Craft Launcher 2.exe (PID: 1616)
    • Changes the autorun value in the registry

      • Plain Craft Launcher 2.exe (PID: 3520)
    • Connects to the CnC server

      • Synaptics.exe (PID: 2900)
  • SUSPICIOUS

    • Reads the Internet Settings

      • Plain Craft Launcher 2.exe (PID: 3520)
      • ._cache_Plain Craft Launcher 2.exe (PID: 3172)
      • Synaptics.exe (PID: 2900)
    • Reads security settings of Internet Explorer

      • Plain Craft Launcher 2.exe (PID: 3520)
      • Synaptics.exe (PID: 2900)
      • ._cache_Plain Craft Launcher 2.exe (PID: 3172)
    • Executable content was dropped or overwritten

      • Plain Craft Launcher 2.exe (PID: 3520)
      • ._cache_Plain Craft Launcher 2.exe (PID: 3172)
      • Plain Craft Launcher 2.exe (PID: 1616)
    • Reads the date of Windows installation

      • Plain Craft Launcher 2.exe (PID: 3520)
    • Reads settings of System Certificates

      • ._cache_Plain Craft Launcher 2.exe (PID: 3172)
    • Contacting a server suspected of hosting a CnC

      • Synaptics.exe (PID: 2900)
    • There is functionality for communication over UDP network (YARA)

      • Synaptics.exe (PID: 2900)
    • There is functionality for taking screenshot (YARA)

      • Synaptics.exe (PID: 2900)
    • There is functionality for communication over a dyndns network (YARA)

      • Synaptics.exe (PID: 2900)
  • INFO

    • Checks supported languages

      • Plain Craft Launcher 2.exe (PID: 3520)
      • wmpnscfg.exe (PID: 3224)
      • ._cache_Plain Craft Launcher 2.exe (PID: 3172)
      • Synaptics.exe (PID: 2900)
      • java.exe (PID: 932)
      • Plain Craft Launcher 2.exe (PID: 1616)
    • Creates files in the program directory

      • Plain Craft Launcher 2.exe (PID: 3520)
      • Synaptics.exe (PID: 2900)
      • java.exe (PID: 932)
    • Reads the computer name

      • wmpnscfg.exe (PID: 3224)
      • Plain Craft Launcher 2.exe (PID: 3520)
      • ._cache_Plain Craft Launcher 2.exe (PID: 3172)
      • Synaptics.exe (PID: 2900)
      • Plain Craft Launcher 2.exe (PID: 1616)
    • Manual execution by a user

      • wmpnscfg.exe (PID: 3224)
    • Creates files in a temporary directory

      • Plain Craft Launcher 2.exe (PID: 3520)
      • ._cache_Plain Craft Launcher 2.exe (PID: 3172)
      • java.exe (PID: 932)
      • Plain Craft Launcher 2.exe (PID: 1616)
    • Reads the machine GUID from the registry

      • ._cache_Plain Craft Launcher 2.exe (PID: 3172)
      • Plain Craft Launcher 2.exe (PID: 3520)
      • Synaptics.exe (PID: 2900)
      • Plain Craft Launcher 2.exe (PID: 1616)
    • Checks proxy server information

      • Synaptics.exe (PID: 2900)
    • Reads Environment values

      • ._cache_Plain Craft Launcher 2.exe (PID: 3172)
    • .NET Reactor protector has been detected

      • ._cache_Plain Craft Launcher 2.exe (PID: 3172)
    • Reads the software policy settings

      • ._cache_Plain Craft Launcher 2.exe (PID: 3172)
    • Disables trace logs

      • ._cache_Plain Craft Launcher 2.exe (PID: 3172)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable Borland Delphi 7 (90.9)
.exe | Win32 EXE PECompact compressed (generic) (5.6)
.exe | Win32 Executable Delphi generic (1.9)
.exe | Win32 Executable (generic) (0.6)
.exe | Win16/32 Executable Delphi generic (0.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 629760
InitializedDataSize: 3364864
UninitializedDataSize: -
EntryPoint: 0x9ab80
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.4
ProductVersionNumber: 1.0.0.4
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Turkish
CharacterSet: Windows, Turkish
CompanyName: Synaptics
FileDescription: Synaptics Pointing Device Driver
FileVersion: 1.0.0.4
InternalName: -
LegalCopyright: -
LegalTrademarks: -
OriginalFileName: -
ProductName: Synaptics Pointing Device Driver
ProductVersion: 1.0.0.0
Comments: -
No data.
All screenshots are available in the full report
Total processes
50
Monitored processes
7
Malicious processes
2
Suspicious processes
1

Behavior graph

Processes shown in the graph (in report order; THREAT marks the processes flagged as malicious, "no specs" marks processes without their own indicators):

  • plain craft launcher 2.exe (THREAT)
  • ._cache_plain craft launcher 2.exe
  • wmpnscfg.exe (no specs)
  • synaptics.exe (THREAT)
  • java.exe (no specs)
  • icacls.exe (no specs)
  • plain craft launcher 2.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID:
932
CMD:
"C:\Program Files\Java\jre1.8.0_271\bin\java.exe" -version
Path:
C:\Program Files\Java\jre1.8.0_271\bin\java.exe
Parent process:
._cache_Plain Craft Launcher 2.exe
User:
admin
Company:
Oracle Corporation
Integrity Level:
MEDIUM
Description:
Java(TM) Platform SE binary
Exit code:
0
Version:
8.0.2710.9
Modules
Images
c:\program files\java\jre1.8.0_271\bin\java.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID:
1596
CMD:
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Path:
C:\Windows\System32\icacls.exe
Parent process:
java.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\icacls.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ntmarta.dll
PID:
1616
CMD:
"C:\Users\admin\AppData\Local\Temp\PCL\Plain Craft Launcher 2.exe" --update 3172 "._cache_Plain Craft Launcher 2.exe" "._cache_Plain Craft Launcher 2.exe" False
Path:
C:\Users\admin\AppData\Local\Temp\PCL\Plain Craft Launcher 2.exe
Parent process:
._cache_Plain Craft Launcher 2.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Plain Craft Launcher 启动器
Exit code:
4
Version:
2.8.3.0
Modules
Images
c:\users\admin\appdata\local\temp\pcl\plain craft launcher 2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
PID:
2900
CMD:
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
Path:
C:\ProgramData\Synaptics\Synaptics.exe
Parent process:
Plain Craft Launcher 2.exe
User:
admin
Company:
Synaptics
Integrity Level:
HIGH
Description:
Synaptics Pointing Device Driver
Version:
1.0.0.4
Modules
Images
c:\programdata\synaptics\synaptics.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
PID:
3172
CMD:
"C:\Users\admin\AppData\Local\Temp\._cache_Plain Craft Launcher 2.exe"
Path:
C:\Users\admin\AppData\Local\Temp\._cache_Plain Craft Launcher 2.exe
Parent process:
Plain Craft Launcher 2.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Plain Craft Launcher 启动器
Exit code:
4294967295
Version:
2.7.4.0
Modules
Images
c:\users\admin\appdata\local\temp\._cache_plain craft launcher 2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
PID:
3224
CMD:
"C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path:
C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process:
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Network Sharing Service Configuration Application
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID:
3520
CMD:
"C:\Users\admin\AppData\Local\Temp\Plain Craft Launcher 2.exe"
Path:
C:\Users\admin\AppData\Local\Temp\Plain Craft Launcher 2.exe
Parent process:
explorer.exe
User:
admin
Company:
Synaptics
Integrity Level:
MEDIUM
Description:
Synaptics Pointing Device Driver
Exit code:
0
Version:
1.0.0.4
Modules
Images
c:\users\admin\appdata\local\temp\plain craft launcher 2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
Total events
16 014
Read events
15 859
Write events
149
Delete events
6

Modification events

Process: (3520) Plain Craft Launcher 2.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

Process: (3520) Plain Craft Launcher 2.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

Process: (3520) Plain Craft Launcher 2.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

Process: (3520) Plain Craft Launcher 2.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

Process: (3520) Plain Craft Launcher 2.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: Synaptics Pointing Device Driver
Value: C:\ProgramData\Synaptics\Synaptics.exe

Process: (3520) Plain Craft Launcher 2.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

Process: (3172) ._cache_Plain Craft Launcher 2.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

Process: (3172) ._cache_Plain Craft Launcher 2.exe
Key: HKEY_CURRENT_USER\Software\PCL
Operation: write
Name: Identify
Value: 21478064012559000576

Process: (3172) ._cache_Plain Craft Launcher 2.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication
Operation: write
Name: Name
Value: ._cache_Plain Craft Launcher 2.exe

Process: (3172) ._cache_Plain Craft Launcher 2.exe
Key: HKEY_CURRENT_USER\Software\PCL
Operation: write
Name: SystemLastVersionReg
Value: Q85pxYuad20=
Executable files
7
Suspicious files
3
Text files
7
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 3172
Process: ._cache_Plain Craft Launcher 2.exe
Filename: C:\Users\admin\AppData\Local\Temp\PCL\Cache\Code\771128284_120ini
MD5: 56FAF34D7412EA057C5B1FED47DCF564
SHA256: BF0665FBC297169108CFB9A7429FC6F1778E2E6E93F36928A26C5B9DE93C511D

PID: 3520
Process: Plain Craft Launcher 2.exe
Filename: C:\ProgramData\Synaptics\RCXE348.tmp
Type: executable
MD5: 6E13DC2F067A73423D471377B7FB4CA6
SHA256: 819ADFCB9F383205241F30C7676BF2176E1F5B3CD5C299ADB23A6C43FCC82EA3

PID: 3172
Process: ._cache_Plain Craft Launcher 2.exe
Filename: C:\Users\admin\AppData\Local\Temp\PCL\Setup.ini
Type: text
MD5: AEA596AC69560ED233554038B63443DB
SHA256: 7AF950949F60579B27727191F9E4D61B71596AC3D68AEBD046A1A3BC3FBEF8EE

PID: 3520
Process: Plain Craft Launcher 2.exe
Filename: C:\ProgramData\Synaptics\Synaptics.exe
Type: executable
MD5: 4B91CF43DBC23ED17A5FB42FF8B72A30
SHA256: 54A57DB260FF16D3C13DCDDF380DDC3ADADDE1FFD270FB7CE8FDCA56791FEE16

PID: 3172
Process: ._cache_Plain Craft Launcher 2.exe
Filename: C:\Users\admin\AppData\Local\Temp\PCL\Cache\Notice.cfg
Type: text
MD5: E5B120888CE13F6EBAF470B2625FAC72
SHA256: DF52EFE89EEC79C08184D2837934C7549DFF7AEFD40A17C7C5333443AAE27C66

PID: 932
Process: java.exe
Filename: C:\ProgramData\Oracle\Java\.oracle_jre_usage\17dfc292991c8061.timestamp
Type: text
MD5: D10CAC8A4ADC25C92D9DAFE9A7292A8D
SHA256: 294130997A66AF933C37BEE93CBEFA41A5F04051AE298C117CC0B60C61C93610

PID: 3172
Process: ._cache_Plain Craft Launcher 2.exe
Filename: C:\Users\admin\AppData\Local\Temp\PCL\Download\125_130_14607.tmp
Type: compressed
MD5: 9534ED354C6E9A98751721E2CC98F5F2
SHA256: FC0CE6F43BABBBA1CC69BCB615CA0AC3BB3A3061A6921AAF355F010F1AB03AE0

PID: 3172
Process: ._cache_Plain Craft Launcher 2.exe
Filename: C:\Users\admin\AppData\Local\Temp\PCL\Update.zip
Type: compressed
MD5: 9534ED354C6E9A98751721E2CC98F5F2
SHA256: FC0CE6F43BABBBA1CC69BCB615CA0AC3BB3A3061A6921AAF355F010F1AB03AE0

PID: 3172
Process: ._cache_Plain Craft Launcher 2.exe
Filename: C:\Users\admin\AppData\Local\Temp\.minecraft\launcher_profiles.json
Type: binary
MD5: 45510FD9537E0E1E0BC704B3647DB7CD
SHA256: D10FF647D0240A1131EDE69AB93E8F3AEC700377138D8528ECCDE81BE8159179

PID: 3172
Process: ._cache_Plain Craft Launcher 2.exe
Filename: C:\Users\admin\AppData\Local\Temp\.minecraft\PCL.ini
Type: text
MD5: F377ECFFB461C621B82C3CBC3300AB89
SHA256: F837D5B030C7D1F8A93995BCC47E043D2B460DF773AFB9FC5F84A6C4BFC71846
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
19
DNS requests
12
Threats
7

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1372
svchost.exe
GET
304
23.32.238.216:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?33775f6043c93e33
unknown
whitelisted
2900
Synaptics.exe
GET
200
69.42.215.252:80
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
unknown
whitelisted
1060
svchost.exe
GET
304
93.184.221.240:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?32e8c3cdb69e6bfa
unknown
whitelisted
1372
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1372
svchost.exe
GET
200
23.53.40.176:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
224.0.0.252:5355
whitelisted
4
System
192.168.100.255:137
whitelisted
1372
svchost.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1060
svchost.exe
224.0.0.252:5355
whitelisted
2564
svchost.exe
239.255.255.250:3702
whitelisted
4
System
192.168.100.255:138
whitelisted
2900
Synaptics.exe
69.42.215.252:80
freedns.afraid.org
AWKNET
US
unknown
3172
._cache_Plain Craft Launcher 2.exe
13.107.246.60:443
launchermeta.mojang.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown
3172
._cache_Plain Craft Launcher 2.exe
112.84.131.219:443
pcl2-server-1253424809.file.myqcloud.com
CHINA UNICOM China169 Backbone
CN
unknown
1372
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.186.142
whitelisted
xred.mooo.com
whitelisted
freedns.afraid.org
  • 69.42.215.252
whitelisted
launchermeta.mojang.com
  • 13.107.246.60
whitelisted
pcl2-server-1253424809.file.myqcloud.com
  • 112.84.131.219
  • 119.176.27.237
  • 116.153.46.40
  • 42.177.83.214
  • 153.0.228.201
  • 42.177.83.87
  • 116.153.68.72
  • 42.177.83.225
  • 61.240.220.235
  • 60.221.17.183
  • 42.177.83.134
  • 60.221.17.244
  • 14.205.93.60
whitelisted
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
ctldl.windowsupdate.com
  • 23.32.238.216
  • 23.32.238.225
  • 23.32.238.218
  • 23.32.238.219
  • 23.32.238.202
  • 23.32.238.210
  • 23.32.238.203
  • 23.32.238.208
  • 23.32.238.217
  • 93.184.221.240
whitelisted
crl.microsoft.com
  • 23.53.40.176
  • 23.53.40.178
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
github.com
  • 140.82.121.3
shared

Threats

PID
Process
Class
Message
Misc activity
ET INFO DYNAMIC_DNS Query to Abused Domain *.mooo.com
Misc activity
ET INFO Tencent Cloud Storage Domain in DNS Lookup (myqcloud .com)
Misc activity
ET INFO Observed Tencent Cloud Storage Domain (myqcloud .com in TLS SNI)
Not Suspicious Traffic
INFO [ANY.RUN] Attempting to access raw user content on GitHub
3 ETPRO signatures available at the full report
No debug info