File name:

Launch.exe

Full analysis: https://app.any.run/tasks/15277490-6bfb-4347-adad-07cf610646e6
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: March 23, 2020, 12:28:02
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
stealer
poullight
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

912BF8FFFA55F914FAF6E91D91EA2906

SHA1:

7339F849AD085281D3C9CB02880B3D20095818E4

SHA256:

7EB413DAD7C8B001BBEAE51A20513D2DA210D5A6A2AABA16A4FDF428E24DFF0A

SSDEEP:

49152:iirG5H4WQ64kUyTpp/zartPeGbAgZD3KSmbPuVGF9pmlhLQKJOnkJD39:iiiJbQ9TyD/WrJpzXmbWVGPmnJO2DN

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • ezesp-18-03.exe (PID: 916)
      • build (1).exe (PID: 3740)

    • Poullight was detected

      • build (1).exe (PID: 3740)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • Launch.exe (PID: 3580)

    • Creates files in the user directory

      • Launch.exe (PID: 3580)

    • Starts CMD.EXE for commands execution

      • ezesp-18-03.exe (PID: 916)

    • Starts Internet Explorer

      • ezesp-18-03.exe (PID: 916)

    • Reads Environment values

      • build (1).exe (PID: 3740)

  • INFO

    • Reads internet explorer settings

      • iexplore.exe (PID: 1544)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 1524)
      • iexplore.exe (PID: 1544)

    • Changes internet zones settings

      • iexplore.exe (PID: 1524)

    • Creates files in the user directory

      • iexplore.exe (PID: 1544)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 1544)
      • iexplore.exe (PID: 1524)

    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 1524)

    • Changes settings of System certificates

      • iexplore.exe (PID: 1524)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.dll | Win32 Dynamic Link Library (generic) (43.5)
.exe | Win32 Executable (generic) (29.8)
.exe | Generic Win/DOS Executable (13.2)
.exe | DOS Executable Generic (13.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2020:03:23 12:58:32+01:00
PEType: PE32
LinkerVersion: 12
CodeSize: 581632
InitializedDataSize: 316928
UninitializedDataSize: -
EntryPoint: 0x468000
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 66.48.50.16
ProductVersionNumber: 66.48.50.16
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
FileVersion: 66.48.50.16
ProductVersion: 66.48.50.16
FileDescription: File Risk Estimation
CompanyName: OLE PropertySet Implementation
LegalCopyright: (C) cyL6y979MKagT8mVw7Bwq6SfG1rKiXRc6aMh Technology Co. Ltd., All rights reserved.
ProductName:
Comments: 7m7aEISEHOwm78QruT8bkdhcx7TEZ9U631aQKUZvbatZcUSKhCwd2zuNoGiEa3t46mnppcd1A
InternalName: grpconv.exe
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
44
Monitored processes
6
Malicious processes
2
Suspicious processes
1

Behavior graph

Click at the process to see the details
drop and start drop and start start launch.exe #POULLIGHT build (1).exe ezesp-18-03.exe no specs cmd.exe no specs iexplore.exe iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
916"C:\Users\admin\AppData\Roaming\GMsbdXV5TyL\ezesp-18-03.exe" C:\Users\admin\AppData\Roaming\GMsbdXV5TyL\ezesp-18-03.exeLaunch.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\roaming\gmsbdxv5tyl\ezesp-18-03.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\api-ms-win-crt-heap-l1-1-0.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\api-ms-win-core-timezone-l1-1-0.dll
c:\windows\system32\api-ms-win-core-file-l2-1-0.dll
c:\windows\system32\api-ms-win-core-localization-l1-2-0.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
1524"C:\Program Files\Internet Explorer\iexplore.exe" https://ezhack.ru/ezesp/hh.phpC:\Program Files\Internet Explorer\iexplore.exe
ezesp-18-03.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
1544"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1524 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
3304C:\Windows\system32\cmd.exe /c Color 2C:\Windows\system32\cmd.exeezesp-18-03.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
3580"C:\Users\admin\AppData\Local\Temp\Launch.exe" C:\Users\admin\AppData\Local\Temp\Launch.exe
explorer.exe
User:
admin
Company:
OLE PropertySet Implementation
Integrity Level:
MEDIUM
Description:
File Risk Estimation
Exit code:
0
Version:
66.48.50.16
Modules
Images
c:\users\admin\appdata\local\temp\launch.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
3740"C:\Users\admin\AppData\Roaming\GMsbdXV5TyL\build (1).exe" C:\Users\admin\AppData\Roaming\GMsbdXV5TyL\build (1).exe
Launch.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Video Player V
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\roaming\gmsbdxv5tyl\build (1).exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
Total events
6 492
Read events
1 033
Write events
3 681
Delete events
1 778

Modification events

(PID) Process:(3580) Launch.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(3580) Launch.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(916) ezesp-18-03.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
Operation:writeName:{17FE9752-0B5A-4665-84CD-569794602F5C} {7F9185B0-CB92-43C5-80A9-92277A4F7B54} 0xFFFF
Value:
010000000000000030F2528A0E01D601
(PID) Process:(1524) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation:writeName:NextCheckForUpdateLowDateTime
Value:
2622254260
(PID) Process:(1524) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation:writeName:NextCheckForUpdateHighDateTime
Value:
30802190
(PID) Process:(1524) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(1524) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(1524) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(1524) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation:writeName:CompatibilityFlags
Value:
0
(PID) Process:(1524) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
Executable files
2
Suspicious files
93
Text files
85
Unknown types
67

Dropped files

PID
Process
Filename
Type
3580Launch.exeC:\Users\admin\AppData\Local\Temp\aut6F4C.tmp
MD5:
SHA256:
3580Launch.exeC:\Users\admin\AppData\Local\Temp\aut70E4.tmp
MD5:
SHA256:
1544iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\Cab7B24.tmp
MD5:
SHA256:
1544iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\Tar7B25.tmp
MD5:
SHA256:
3580Launch.exeC:\Users\admin\AppData\Roaming\GMsbdXV5TyL\build (1).exeexecutable
MD5:
SHA256:
1544iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08der
MD5:
SHA256:
1544iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\xlogo.png.pagespeed.ic.gKHL6gnDOG[1].pngimage
MD5:
SHA256:
1544iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2CEFB5C8F1D3FA8C53AAC8971CACCA2Fder
MD5:
SHA256:
1544iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\A.style.css.pagespeed.cf.oFP_BOSep3[1].csstext
MD5:
SHA256:
1544iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\superfish.min.js+jquery.slicknav.min.js+modernizr.min.js+html5shiv.min.js+jquery.custom.js.pagespeed.jc.EVWLn_y0-F[1].jstext
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
52
TCP/UDP connections
104
DNS requests
38
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1544
iexplore.exe
GET
200
192.124.249.41:80
http://ocsp.godaddy.com//MEQwQjBAMD4wPDAJBgUrDgMCGgUABBTkIInKBAzXkF0Qh0pel3lfHJ9GPAQU0sSw0pHUTBFxs2HLPaH%2B3ahq1OMCAxvnFQ%3D%3D
US
der
1.66 Kb
whitelisted
1544
iexplore.exe
GET
200
192.124.249.41:80
http://ocsp.godaddy.com//MEQwQjBAMD4wPDAJBgUrDgMCGgUABBTkIInKBAzXkF0Qh0pel3lfHJ9GPAQU0sSw0pHUTBFxs2HLPaH%2B3ahq1OMCAxvnFQ%3D%3D
US
der
1.66 Kb
whitelisted
1544
iexplore.exe
GET
304
192.124.249.41:80
http://ocsp.godaddy.com//MEQwQjBAMD4wPDAJBgUrDgMCGgUABBTkIInKBAzXkF0Qh0pel3lfHJ9GPAQU0sSw0pHUTBFxs2HLPaH%2B3ahq1OMCAxvnFQ%3D%3D
US
der
1.66 Kb
whitelisted
1544
iexplore.exe
GET
304
192.124.249.41:80
http://ocsp.godaddy.com//MEQwQjBAMD4wPDAJBgUrDgMCGgUABBTkIInKBAzXkF0Qh0pel3lfHJ9GPAQU0sSw0pHUTBFxs2HLPaH%2B3ahq1OMCAxvnFQ%3D%3D
US
der
1.66 Kb
whitelisted
1544
iexplore.exe
GET
200
2.16.186.27:80
http://ocsp.int-x3.letsencrypt.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBR%2B5mrncpqz%2FPiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7%2FOo7KECEgPVojFmMyZ%2F0HwYZu0apogixw%3D%3D
unknown
der
527 b
whitelisted
1544
iexplore.exe
GET
200
192.124.249.41:80
http://ocsp.godaddy.com//MEIwQDA%2BMDwwOjAJBgUrDgMCGgUABBQdI2%2BOBkuXH93foRUj4a7lAr4rGwQUOpqFBxBnKLbv9r0FQW4gwZTaD94CAQc%3D
US
der
1.69 Kb
whitelisted
1544
iexplore.exe
GET
304
192.124.249.41:80
http://ocsp.godaddy.com//MEQwQjBAMD4wPDAJBgUrDgMCGgUABBTkIInKBAzXkF0Qh0pel3lfHJ9GPAQU0sSw0pHUTBFxs2HLPaH%2B3ahq1OMCAxvnFQ%3D%3D
US
der
1.66 Kb
whitelisted
1544
iexplore.exe
GET
200
192.124.249.41:80
http://ocsp.godaddy.com//MEQwQjBAMD4wPDAJBgUrDgMCGgUABBTkIInKBAzXkF0Qh0pel3lfHJ9GPAQU0sSw0pHUTBFxs2HLPaH%2B3ahq1OMCAxvnFQ%3D%3D
US
der
1.66 Kb
whitelisted
1544
iexplore.exe
GET
200
192.124.249.41:80
http://ocsp.godaddy.com//MEQwQjBAMD4wPDAJBgUrDgMCGgUABBTkIInKBAzXkF0Qh0pel3lfHJ9GPAQU0sSw0pHUTBFxs2HLPaH%2B3ahq1OMCAxvnFQ%3D%3D
US
der
1.66 Kb
whitelisted
1544
iexplore.exe
GET
200
151.139.128.14:80
http://ocsp.trust-provider.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCEHbYt4bR81JP7pU%2BcUA9mdU%3D
US
der
471 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1544
iexplore.exe
216.58.207.74:443
fonts.googleapis.com
Google Inc.
US
whitelisted
1544
iexplore.exe
192.0.77.2:443
i2.wp.com
Automattic, Inc
US
suspicious
1544
iexplore.exe
192.0.76.3:443
stats.wp.com
Automattic, Inc
US
suspicious
1544
iexplore.exe
87.240.190.67:443
vk.com
VKontakte Ltd
RU
suspicious
1544
iexplore.exe
192.124.249.41:80
ocsp.godaddy.com
Sucuri
US
suspicious
1544
iexplore.exe
5.23.50.102:443
ezhack.ru
TIMEWEB GmbH
RU
malicious
1544
iexplore.exe
172.217.21.227:443
fonts.gstatic.com
Google Inc.
US
whitelisted
1544
iexplore.exe
77.88.21.119:443
mc.yandex.ru
YANDEX LLC
RU
whitelisted
1544
iexplore.exe
88.212.201.210:443
counter.yadro.ru
United Network LLC
RU
suspicious
1544
iexplore.exe
217.69.133.145:443
top-fwz1.mail.ru
Limited liability company Mail.Ru
RU
suspicious

DNS requests

Domain
IP
Reputation
ezhack.ru
  • 5.23.50.102
unknown
isrg.trustid.ocsp.identrust.com
  • 2.16.186.35
  • 2.16.186.11
whitelisted
ocsp.int-x3.letsencrypt.org
  • 2.16.186.27
  • 2.16.186.11
whitelisted
c0.wp.com
  • 192.0.77.37
whitelisted
fonts.googleapis.com
  • 216.58.207.74
whitelisted
i2.wp.com
  • 192.0.77.2
whitelisted
i0.wp.com
  • 192.0.77.2
whitelisted
i1.wp.com
  • 192.0.77.2
whitelisted
vk.com
  • 87.240.190.67
  • 87.240.190.72
  • 87.240.190.78
  • 93.186.225.208
  • 87.240.139.194
  • 87.240.137.158
whitelisted
stats.wp.com
  • 192.0.76.3
whitelisted

Threats

Found threats are available for the paid subscriptions
1 ETPRO signatures available at the full report
Process
Message
Launch.exe
%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
build (1).exe
Program has been crashed
build (1).exe
Program has been crashed
build (1).exe
"
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Launch.exe