File name: LAUNCH MINECRAFT.exe

Full analysis: https://app.any.run/tasks/cac59ca3-8de3-4132-a693-7fe7fa0fc8e3
Verdict: Malicious activity
Analysis date: October 30, 2018, 21:02:17
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: F1B96A4769CF4F589242C69EFB2BD979
SHA1: BFAF51284B51BEF67CB35FBE62AEC8CC261D9978
SHA256: B4557C1217823F7A865755D9330FDF2C98B91A46389E6B38FA360F036DDB12F7
SSDEEP: 24576:WVSU2HAiy+vz3hUqBcBVChBtI1eg6Th1DKAhM:uSU29vzlCBYW/4FKA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • LAUNCH MINECRAFT.exe (PID: 2768)
    • Application was dropped or rewritten from another process

      • TLauncher-MCL.exe (PID: 1184)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • LAUNCH MINECRAFT.exe (PID: 2768)
    • Starts Internet Explorer

      • java.exe (PID: 2208)
    • Executes JAVA applets

      • javaw.exe (PID: 776)
      • TLauncher-MCL.exe (PID: 1184)
    • Creates files in the user directory

      • java.exe (PID: 2208)
  • INFO

    • Changes internet zones settings

      • iexplore.exe (PID: 2040)
    • Application launched itself

      • iexplore.exe (PID: 2040)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3648)
    • Creates files in the user directory

      • iexplore.exe (PID: 3648)
    • Reads internet explorer settings

      • iexplore.exe (PID: 3648)
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (56.7)
.exe | Win64 Executable (generic) (21.3)
.scr | Windows screen saver (10.1)
.dll | Win32 Dynamic Link Library (generic) (5)
.exe | Win32 Executable (generic) (3.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2018:10:30 22:01:19+01:00
PEType: PE32
LinkerVersion: 8
CodeSize: 1161728
InitializedDataSize: 13312
UninitializedDataSize: -
EntryPoint: 0x11d91e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
FileDescription: doner
FileVersion: 1.0.0.0
InternalName: doner.exe
LegalCopyright: Copyright © 2014
OriginalFileName: doner.exe
ProductName: doner
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 30-Oct-2018 21:01:19
FileDescription: doner
FileVersion: 1.0.0.0
InternalName: doner.exe
LegalCopyright: Copyright © 2014
OriginalFilename: doner.exe
ProductName: doner
ProductVersion: 1.0.0.0
Assembly Version: 1.0.0.0

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000080

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 3
Time date stamp: 30-Oct-2018 21:01:19
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 0x00002000 | 0x0011B924 | 0x0011BA00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 7.88836
.rsrc | 0x0011E000 | 0x00003200 | 0x00003200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 3.58671
.reloc | 0x00122000 | 0x0000000C | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.10191

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 5.00112 | 490 | UNKNOWN | UNKNOWN | RT_MANIFEST
2 | 1.71396 | 744 | UNKNOWN | UNKNOWN | RT_ICON
3 | 2.0843 | 296 | UNKNOWN | UNKNOWN | RT_ICON
4 | 1.72071 | 2216 | UNKNOWN | UNKNOWN | RT_ICON
5 | 1.04772 | 1384 | UNKNOWN | UNKNOWN | RT_ICON
6 | 4.04524 | 851 | UNKNOWN | UNKNOWN | RT_ICON
7 | 2.72257 | 4264 | UNKNOWN | UNKNOWN | RT_ICON
8 | 2.76148 | 1128 | UNKNOWN | UNKNOWN | RT_ICON
32512 | 2.68921 | 104 | UNKNOWN | UNKNOWN | RT_GROUP_ICON

Imports

mscoree.dll
No data.
Total processes: 37
Monitored processes: 6
Malicious processes: 1
Suspicious processes: 3

Behavior graph

[Behavior graph: launch minecraft.exe (drop and start) -> tlauncher-mcl.exe (no specs) -> javaw.exe (no specs) -> java.exe -> iexplore.exe -> iexplore.exe]

Process information

PID: 776
CMD: "C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Local\Temp\TLauncher-MCL.exe"
Path: C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe
Parent process: TLauncher-MCL.exe
User: admin
Company: Oracle Corporation
Integrity Level: MEDIUM
Description: Java(TM) Platform SE binary
Exit code: 0
Version: 8.0.920.14
Modules:
c:\program files\java\jre1.8.0_92\bin\javaw.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

PID: 1184
CMD: "C:\Users\admin\AppData\Local\Temp\TLauncher-MCL.exe"
Path: C:\Users\admin\AppData\Local\Temp\TLauncher-MCL.exe
Parent process: LAUNCH MINECRAFT.exe
User: admin
Integrity Level: MEDIUM
Description: Free Minecraft launcher
Exit code: 0
Version: 1.5.13+master
Modules:
c:\users\admin\appdata\local\temp\tlauncher-mcl.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll

PID: 2040
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" -nohome
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: java.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Exit code: 1
Version: 8.00.7600.16385 (win7_rtm.090713-1255)
Modules:
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

PID: 2208
CMD: "C:\Program Files\Java\jre1.8.0_92\bin\java.exe" -Xmx128m -Dfile.encoding=UTF-8 -classpath C:\Users\admin\AppData\Local\Temp\TLauncher-MCL.exe ru.turikhay.tlauncher.bootstrap.Bootstrap
Path: C:\Program Files\Java\jre1.8.0_92\bin\java.exe
Parent process: javaw.exe
User: admin
Company: Oracle Corporation
Integrity Level: MEDIUM
Description: Java(TM) Platform SE binary
Exit code: 0
Version: 8.0.920.14
Modules:
c:\program files\java\jre1.8.0_92\bin\java.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

PID: 2768
CMD: "C:\Users\admin\AppData\Local\Temp\LAUNCH MINECRAFT.exe"
Path: C:\Users\admin\AppData\Local\Temp\LAUNCH MINECRAFT.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: doner
Exit code: 0
Version: 1.0.0.0
Modules:
c:\users\admin\appdata\local\temp\launch minecraft.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll

PID: 3648
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2040 CREDAT:71937
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Exit code: 0
Version: 8.00.7600.16385 (win7_rtm.090713-1255)
Modules:
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events: 1 153
Read events: 1 094
Write events: 58
Delete events: 1

Modification events

Process: (2768) LAUNCH MINECRAFT.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 0

Process: (2768) LAUNCH MINECRAFT.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 1

Process: (2768) LAUNCH MINECRAFT.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: Win Update
Value: C:\Users\admin\AppData\Local\Temp\Win Update\Win Update.exe

Process: (2768) LAUNCH MINECRAFT.exe
Key: HKEY_CURRENT_USER
Operation: write
Name: di
Value: !

Process: (2208) java.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication
Operation: write
Name: Name
Value: java.exe

Process: (2208) java.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

Process: (2040) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation: write
Name: CompatibilityFlags
Value: 0

Process: (2040) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 0

Process: (2040) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 1

Process: (2040) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
Operation: write
Name: SecuritySafe
Value: 1
Executable files: 18
Suspicious files: 22
Text files: 25
Unknown types: 5

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
776 | javaw.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | text | - | -
2768 | LAUNCH MINECRAFT.exe | C:\Users\admin\AppData\Local\Temp\Win Update\Win Update.exe | executable | - | -
2208 | java.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | text | - | -
2208 | java.exe | C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\83aa4cc77f591dfc2374580bbd95f6ba_90059c37-1320-41a4-b58d-2b75a9850d2f | dbf | C8366AE350E7019AEFC9D1E6E6A498C6 | 11E6ACA8E682C046C83B721EEB5C72C5EF03CB5936C60DF6F4993511DDC61238
2208 | java.exe | C:\Users\admin\AppData\Local\Temp\tlauncher3153249994155929820.tmp | java | - | -
2208 | java.exe | C:\Users\admin\AppData\Roaming\.tlauncher\bin\mcl.jar | java | - | -
2208 | java.exe | C:\Users\admin\AppData\Roaming\.tlauncher\bin\lib\com\github\zafarkhaja\java-semver\0.9.0\java-semver-0.9.0.jar | compressed | 9417096FF6A9DB74DB273ABBDA0F334E | 2218C73B40F9AF98B570D084420C1B4A81332297BD7FC27DDD552E903BE8E93C
2208 | java.exe | C:\Users\admin\AppData\Roaming\.tlauncher\bin\lib\org\tukaani\xz\1.5\xz-1.5.jar | java | 51050E595B308C4AEC8AC314F66E18BC | 86F30FA8775FA3A62CDB39D1ED78A6019164C1058864048D42CBEE244E26E840
2208 | java.exe | C:\Users\admin\AppData\Local\Temp\tlauncher4757618722085188099.tmp | compressed | E2D74794FBA570EC2115FB9D5B05DC9B | A10418348D234968600CCB1D988EFCBBD08716E1D96936CCC1880E7D22513474
2768 | LAUNCH MINECRAFT.exe | C:\Users\admin\AppData\Local\Temp\TLauncher-MCL.exe | executable | A8A3A5A77FA7A0FDA9D0E9833B812CB3 | 796E104FC91175E0592C11B07098856E86CEAA5D33EFAB1BF46420B8B5047250
HTTP(S) requests: 25
TCP/UDP connections: 42
DNS requests: 17
Threats: 20

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2208 | java.exe | GET | 200 | 213.186.33.186:80 | http://tlauncherrepo.com/mcl/launcher/8f4c44a6af3ef2ce1d537c1cad5b35f3046c38826f7d3a2c6218d661ea22de7e.jar | FR | java | 2.52 Mb | suspicious
2208 | java.exe | GET | 200 | 188.40.26.206:80 | http://u.tlauncher.ru/repo/libraries/com/getsentry/raven/raven/7.8.1/raven-7.8.1.jar | DE | compressed | 120 Kb | suspicious
2208 | java.exe | GET | 200 | 188.40.26.206:80 | http://u.tlauncher.ru/stats/?client=bf8ae24d-80d3-4cfa-b5be-387b5afd7d4f&version=1.98.13%2Bmaster&brand=for%20Mc-launcher.com&os=windows&locale=en_US&action=beacon | DE | - | - | suspicious
2208 | java.exe | GET | 200 | 50.7.91.64:80 | http://cdn.turikhay.ru/tlauncher/mcl/bootstrap.json | DE | text | 1.84 Kb | suspicious
2208 | java.exe | GET | 200 | 188.40.26.206:80 | http://u.tlauncher.ru/repo/libraries/org/apache/commons/commons-compress/1.10/commons-compress-1.10.jar | DE | compressed | 399 Kb | suspicious
2208 | java.exe | GET | 200 | 188.40.26.206:80 | http://u.tlauncher.ru/repo/libraries/org/jdom/jdom/2.0.2/jdom-2.0.2.jar | DE | java | 288 Kb | suspicious
2208 | java.exe | GET | 200 | 188.40.26.206:80 | http://u.tlauncher.ru/repo/libraries/org/tukaani/xz/1.5/xz-1.5.jar | DE | java | 97.2 Kb | suspicious
2208 | java.exe | GET | 200 | 188.40.26.206:80 | http://u.tlauncher.ru/repo/libraries/org/apache/commons/commons-lang3/3.4/commons-lang3-3.4.jar | DE | compressed | 424 Kb | suspicious
2208 | java.exe | GET | 200 | 188.40.26.206:80 | http://u.tlauncher.ru/repo/libraries/commons-io/commons-io/2.5/commons-io-2.5.jar | DE | compressed | 203 Kb | suspicious
2208 | java.exe | GET | 200 | 188.40.26.206:80 | http://u.tlauncher.ru/repo/libraries/net/sf/jopt-simple/jopt-simple/4.9/jopt-simple-4.9.jar | DE | java | 64.9 Kb | suspicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3648 | iexplore.exe | 216.58.205.99:443 | www.gstatic.com | Google Inc. | US | whitelisted
3648 | iexplore.exe | 216.58.205.129:443 | lh6.googleusercontent.com | Google Inc. | US | unknown
2208 | java.exe | 50.7.91.64:80 | cdn.turikhay.ru | Cogent Communications | DE | unknown
2208 | java.exe | 213.186.33.186:80 | tlauncherrepo.com | OVH SAS | FR | suspicious
2208 | java.exe | 188.40.26.206:80 | u.tlauncher.ru | Hetzner Online GmbH | DE | suspicious
2208 | java.exe | 52.222.172.59:443 | launchermeta.mojang.com | Amazon.com, Inc. | US | unknown
2208 | java.exe | 87.236.16.53:80 | turikhay.ru | Beget Ltd | RU | malicious
2208 | java.exe | 163.172.152.183:443 | account.ely.by | Online S.a.s. | FR | unknown
2208 | java.exe | 188.40.26.206:443 | u.tlauncher.ru | Hetzner Online GmbH | DE | suspicious
2208 | java.exe | 136.243.88.97:443 | sentry.ely.by | Hetzner Online GmbH | DE | unknown

DNS requests

Domain | IP | Reputation
cdn.turikhay.ru | 50.7.91.64 | suspicious
tlauncherrepo.com | 213.186.33.186 | unknown
u.tlauncher.ru | 188.40.26.206 | suspicious
turikhay.ru | 87.236.16.53 | malicious
launchermeta.mojang.com | 52.222.172.59 | whitelisted
s3.amazonaws.com | 54.231.72.114 | shared
account.ely.by | 163.172.152.183 | unknown
tlauncher.ru | 188.40.26.206 | suspicious
sentry.ely.by | 136.243.88.97 | unknown
www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted

Threats

PID | Process | Class | Message
2208 | java.exe | A Network Trojan was detected | ET INFO JAVA - Java Archive Download
2208 | java.exe | A Network Trojan was detected | ET INFO JAVA - Java Archive Download
2208 | java.exe | A Network Trojan was detected | ET INFO JAVA - Java Archive Download
2208 | java.exe | A Network Trojan was detected | ET INFO JAVA - Java Archive Download
2208 | java.exe | A Network Trojan was detected | ET INFO JAVA - Java Archive Download
2208 | java.exe | A Network Trojan was detected | ET INFO JAVA - Java Archive Download
2208 | java.exe | A Network Trojan was detected | ET INFO JAVA - Java Archive Download
2208 | java.exe | A Network Trojan was detected | ET INFO JAVA - Java Archive Download
2208 | java.exe | A Network Trojan was detected | ET INFO JAVA - Java Archive Download
2208 | java.exe | A Network Trojan was detected | ET INFO JAVA - Java Archive Download
No debug info