File name: ISL Light Client.exe
Full analysis: https://app.any.run/tasks/8b063878-9ff1-4a42-ae48-6a9dd1b2af4f
Verdict: Malicious activity
Analysis date: July 19, 2024, 12:50:30
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 0893DA1FC27BB54F8DF9113A46AE227C
SHA1: 153B41BA7348666B99DB72201D81DA8C7B86F99E
SHA256: EDF9E2ECC81F58E0B519985F7F9194E51BF6DBABC2E13BA14F93E738EC8FE7CE
SSDEEP: 24576:mGf5nU/0pwgNGr8EZ2Q3gRsTeIVVbk33t4gsf15mrJTAXqk2:mGf5U/0pwg0r8EZ2Q3esTeITbknt4gsC

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops the executable file immediately after the start
      • ISL Light Client.exe (PID: 3400)
      • ISL_Light_Client_4_4_2332_44.exe (PID: 2248)
  • SUSPICIOUS
    • Reads the Internet Settings
      • ISL Light Client.exe (PID: 3400)
      • ISL_Light_Client_4_4_2332_44.exe (PID: 2248)
    • Executable content was dropped or overwritten
      • ISL Light Client.exe (PID: 3400)
      • ISL_Light_Client_4_4_2332_44.exe (PID: 2248)
    • Connects to unusual port
      • ISL Light Client.exe (PID: 3400)
      • ISL_Light_Client_4_4_2332_44.exe (PID: 2248)
    • Checks Windows Trust Settings
      • ISL_Light_Client_4_4_2332_44.exe (PID: 2248)
    • Reads settings of System Certificates
      • ISL_Light_Client_4_4_2332_44.exe (PID: 2248)
    • There is functionality for taking screenshot (YARA)
      • ISL_Light_Client_4_4_2332_44.exe (PID: 2248)
    • Reads security settings of Internet Explorer
      • ISL_Light_Client_4_4_2332_44.exe (PID: 2248)
  • INFO
    • Creates files or folders in the user directory
      • ISL_Light_Client_4_4_2332_44.exe (PID: 2248)
      • ISL Light Client.exe (PID: 3400)
    • Checks supported languages
      • ISL_Light_Client_4_4_2332_44.exe (PID: 2248)
      • ISL Light Client.exe (PID: 3400)
      • wmpnscfg.exe (PID: 2408)
    • Reads the computer name
      • ISL_Light_Client_4_4_2332_44.exe (PID: 2248)
      • wmpnscfg.exe (PID: 2408)
      • ISL Light Client.exe (PID: 3400)
    • Reads the machine GUID from the registry
      • ISL Light Client.exe (PID: 3400)
      • ISL_Light_Client_4_4_2332_44.exe (PID: 2248)
    • Checks proxy server information
      • ISL_Light_Client_4_4_2332_44.exe (PID: 2248)
    • Manual execution by a user
      • wmpnscfg.exe (PID: 2408)
    • Reads the software policy settings
      • ISL_Light_Client_4_4_2332_44.exe (PID: 2248)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
Note that every signature fired here is generic behaviour (a launcher extracting and running a second executable; reads of proxy, certificate and Internet Explorer settings; a binary with screenshot code) rather than a family match, and no malware configuration was extracted. The version resources (Xlab d.o.o., ISL Online Ltd., "ISL Light Client - Remote Desktop Support") and the islonline.net hosts contacted are consistent with an ISL Online remote-support client, a legitimate tool that is also abused for unauthorised remote access, so the verdict above should be weighed against the disclaimer and against whether the support session was authorised.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:10:18 12:44:56+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14
CodeSize: 44032
InitializedDataSize: 32256
UninitializedDataSize: -
EntryPoint: 0x6730
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.1
ProductVersionNumber: 1.0.0.1
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Win32
ObjectFileType: Unknown
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
CompanyName: Xlab d.o.o.
FileDescription: launch
FileVersion: 1, 0, 0, 1
InternalName: launch
LegalCopyright: Copyright (C) 2010
OriginalFileName: launch.rc
ProductName: launch
ProductVersion: 1, 0, 0, 1
All screenshots are available in the full report
Total processes: 41
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 0

Behavior graph (interactive in the full report): ISL Light Client.exe [start] → ISL_Light_Client_4_4_2332_44.exe [THREAT]; wmpnscfg.exe [no specs, started separately from explorer.exe]

Process information

PID: 2248
CMD: ISL_Light_Client_4_4_2332_44.exe
Path: C:\Users\admin\AppData\Local\ISL Online Cache\ISL Network Start\1\extract_1721393438_3400_3432_1476258529\ISL_Light_Client_4_4_2332_44.exe
Parent process: ISL Light Client.exe (PID 3400)
User: admin
Company: ISL Online Ltd.
Integrity Level: MEDIUM
Description: ISL Light Client - Remote Desktop Support
Exit code: 0
Version: 4, 4, 2332, 44
Modules (images loaded):
  c:\users\admin\appdata\local\isl online cache\isl network start\1\extract_1721393438_3400_3432_1476258529\isl_light_client_4_4_2332_44.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\shell32.dll
(The extract_ directory name embeds the Unix time 1721393438, which is 2024-07-19 12:50:38 UTC and matches the analysis date, followed by the launcher's PID 3400; the same 3400_3432 pair appears in the tmp_3400_3432 cache file under Dropped files.)

PID: 2408
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player Network Sharing Service Configuration Application
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules (images loaded):
  c:\program files\windows media player\wmpnscfg.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
(Unrelated to the sample: started from explorer.exe by the sandbox user, flagged only as "Manual execution by a user", no indicators.)

PID: 3400
CMD: "C:\Users\admin\AppData\Local\Temp\ISL Light Client.exe"
Path: C:\Users\admin\AppData\Local\Temp\ISL Light Client.exe
Parent process: explorer.exe
User: admin
Company: Xlab d.o.o.
Integrity Level: MEDIUM
Description: launch
Exit code: 0
Version: 1, 0, 0, 1
Modules (images loaded):
  c:\users\admin\appdata\local\temp\isl light client.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\shell32.dll
Total events: 9 456
Read events: 9 399
Write events: 51
Delete events: 6

Modification events

PID 3400 (ISL Light Client.exe) wrote HKEY_CURRENT_USER\Software\ISL Online\Grid\ISL Online Network:
  grid_id = 3434306363633135373935333138636532613261633138316235666534396537356535303562313666623730323665643566306433366530646161663962353865646165626361386532313230366337616164346438333931363638323537353563363135313365623032393331646639363961303663346433376633323833
  cp_protocol = 1-35
  key_cs = 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
  key_cs_latest = 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
PID 3400 (ISL Light Client.exe) wrote HKEY_CURRENT_USER\Software\ISL Online\AutoTransport\Last public IP:
  .islonline.net = 84.17.49.16   (by the key name, the sandbox's own public IP as observed by .islonline.net, not a contacted host)
PID 3400 (ISL Light Client.exe) wrote HKEY_CURRENT_USER\Software\ISL Online\Grid\ISL Online Network:
  key_hash = BC09B8E4DE3C61B23032D21AB088A197
  key_ss = 0080BA188EC4ADE844100EB238BB05B42E29F255C09E894E6317A608CC167476BE23A5C0FF9BBAF636C82D7DC078E412797A5027837DDD25230C5EF53D5DBB1918BC47B9C1CB678F5FA2E06DDE523D0CFC5B334F52E6677C0EF7222088F96455ED2772BAEA8E55550C37364EB31BA9F28AC9F71ABC3C255773B75C4190735522594B0003010001
PID 3400 (ISL Light Client.exe) wrote HKEY_CURRENT_USER\Software\ISL Online\AutoTransport\Boost transport type:
  v1 = 2E69736C6F6E6C696E652E6E65740E0164697265637406018E30514104DAD9DA0104
PID 3400 (ISL Light Client.exe) wrote HKEY_CURRENT_USER\Software\ISL Online\AutoTransport\HTTP proxy PAC:
  v1 = 46468E30514104DAD9DA0104
PID 2248 (ISL_Light_Client_4_4_2332_44.exe) wrote HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings:
  ProxyEnable = 0

grid_id and the two v1 values are hex-encoded byte strings (the v1 blobs contain the ASCII text ".islonline.net" and "direct"). key_ss is 135 bytes and ends in 00 03 01 00 01, a length-prefixed 65537, the usual RSA public exponent, so it reads as a 1024-bit RSA public key; key_hash is a 32-hex-digit (MD5-sized) value whose input the report does not show.
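The hex-encoded registry values above can be decoded offline. The following Python is an added example written for this page, not ANY.RUN's or ISL Online's code; the constants are copied verbatim from the Modification events table. Reading key_ss as two big-endian 16-bit-length-prefixed integers (modulus, then exponent) is this example's assumption about the byte layout, and the key_hash check only tries the obvious MD5 inputs and reports None when none of them matches.

```python
"""Decode the hex-encoded values ISL Light Client.exe (PID 3400) wrote under
HKCU\\Software\\ISL Online, as listed in the Modification events above.

Added example for this page; not ANY.RUN's or ISL Online's code. The values
are copied from the report. Interpreting key_ss as [u16 len][modulus][u16 len]
[exponent] is this example's assumption about the byte layout.
"""
from __future__ import annotations

import hashlib
import re
from typing import Optional

# grid_id from HKCU\Software\ISL Online\Grid\ISL Online Network (copied from the report).
GRID_ID_HEX = (
    "34343063636331353739353331386365326132616331383162"
    "35666534396537356535303562313666623730323665643566"
    "30643336653064616166396235386564616562636138653231"
    "32303663376161643464383339313636383235373535633631"
    "35313365623032393331646639363961303663346433376633"
    "323833"
)
# key_ss and key_hash from the same key (copied from the report).
KEY_SS_HEX = (
    "0080BA188EC4ADE844100EB238BB05B42E29F255C09E894E63"
    "17A608CC167476BE23A5C0FF9BBAF636C82D7DC078E412797A"
    "5027837DDD25230C5EF53D5DBB1918BC47B9C1CB678F5FA2E0"
    "6DDE523D0CFC5B334F52E6677C0EF7222088F96455ED2772BA"
    "EA8E55550C37364EB31BA9F28AC9F71ABC3C255773B75C4190"
    "735522594B0003010001"
)
KEY_HASH = "BC09B8E4DE3C61B23032D21AB088A197"
# The two AutoTransport "v1" values (copied from the report).
BOOST_TRANSPORT_V1_HEX = "2E69736C6F6E6C696E652E6E65740E0164697265637406018E30514104DAD9DA0104"
HTTP_PROXY_PAC_V1_HEX = "46468E30514104DAD9DA0104"


def decode_grid_id(hex_value: str) -> str:
    """grid_id is hex-of-hex: the registry bytes are the ASCII text of a second
    128-character hex string. Return that inner string."""
    inner = bytes.fromhex(hex_value).decode("ascii")
    if not re.fullmatch(r"[0-9a-fA-F]+", inner):
        raise ValueError("grid_id did not decode to a hex string")
    return inner


def parse_key_ss(hex_value: str) -> dict:
    """Split key_ss into big-endian 16-bit-length-prefixed fields (assumed layout)
    and report the two integers. With the report's value this gives a 128-byte
    (1024-bit) modulus and the exponent 0x010001 = 65537, the usual RSA pair."""
    raw = bytes.fromhex(hex_value)
    fields, pos = [], 0
    while pos + 2 <= len(raw):
        n = int.from_bytes(raw[pos:pos + 2], "big")
        fields.append(raw[pos + 2:pos + 2 + n])
        pos += 2 + n
    if len(fields) != 2 or pos != len(raw):
        raise ValueError("key_ss does not split cleanly into two length-prefixed fields")
    modulus, exponent = (int.from_bytes(f, "big") for f in fields)
    return {"modulus_bytes": len(fields[0]), "modulus_bits": modulus.bit_length(), "exponent": exponent}


def key_hash_source(key_ss_hex: str, key_hash: str) -> Optional[str]:
    """Guess how key_hash was derived: MD5 over the raw key bytes or over the hex
    text. Returns the matching candidate's label, or None if none matches (the
    hash is then over something this example does not reconstruct)."""
    candidates = {
        "raw": bytes.fromhex(key_ss_hex),
        "hex-upper": key_ss_hex.upper().encode("ascii"),
        "hex-lower": key_ss_hex.lower().encode("ascii"),
    }
    for label, data in candidates.items():
        if hashlib.md5(data).hexdigest().upper() == key_hash.upper():
            return label
    return None


def ascii_strings(data: bytes, min_len: int = 4) -> list[str]:
    """`strings`-style scan: printable-ASCII runs of at least min_len bytes."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def common_trailer(a: bytes, b: bytes) -> bytes:
    """Longest common suffix of two byte strings."""
    n = 0
    while n < min(len(a), len(b)) and a[-1 - n] == b[-1 - n]:
        n += 1
    return a[len(a) - n:] if n else b""


def summarize() -> dict:
    """Decode everything and return the findings (also what the stand-alone run prints).
    Observation on the Boost blob: each string is followed by a byte equal to its own
    length and then 0x01 (0x0E after ".islonline.net", 0x06 after "direct")."""
    boost = bytes.fromhex(BOOST_TRANSPORT_V1_HEX)
    pac = bytes.fromhex(HTTP_PROXY_PAC_V1_HEX)
    return {
        "grid_id": decode_grid_id(GRID_ID_HEX),
        "key_ss": parse_key_ss(KEY_SS_HEX),
        "key_hash_source": key_hash_source(KEY_SS_HEX, KEY_HASH),
        "boost_strings": ascii_strings(boost),  # [".islonline.net", "direct"]
        "pac_strings": ascii_strings(pac),      # [] ("FF" is shorter than min_len)
        "shared_trailer": common_trailer(boost, pac).hex().upper(),  # 10 bytes both blobs end with
    }


if __name__ == "__main__":
    for name, value in summarize().items():
        print(f"{name}: {value}")
```

Run it as-is to see the decoded grid_id, the RSA parameters, and the 10-byte trailer 8E30514104DAD9DA0104 that both AutoTransport values share; a None from key_hash_source means key_hash is not a plain MD5 of key_ss in any of the three encodings tried.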
Executable files: 2
Suspicious files: 22
Text files: 3
Unknown types: 0

Dropped files

PID 3400 (ISL Light Client.exe): C:\Users\admin\AppData\Local\ISL Online Cache\ISL Network Start\cache\tmp_3400_3432  [binary]
  MD5: 63CB567D875500D18301DE3D8DFABFB9
  SHA256: EB38563E4F0113617F07F975DB14888ED69B641A0E3C152D63766044595E149C
PID 3400 (ISL Light Client.exe): C:\Users\admin\AppData\Local\ISL Online Cache\ISL Network Start\1\isl_network_start.log  [text]
  MD5: C9F0092BB270F9892F2073A4E4AA4C55
  SHA256: F76B435A92B98C503D9288DAC5B82970120BF36075AB377AA7E4D12400A665C4
PID 3400 (ISL Light Client.exe): C:\Users\admin\AppData\Local\ISL Online Cache\ISL Network Start\cache\file_cache_v3_17a6693bf313329081247f816bc088e8552a042e75197cfb58ea453a84849b6c  [binary]
  MD5: 19F23F8002776E35470507860AC4F4D2
  SHA256: 17A6693BF313329081247F816BC088E8552A042E75197CFB58EA453A84849B6C
PID 2248 (ISL_Light_Client_4_4_2332_44.exe): C:\Users\admin\AppData\Roaming\Microsoft\Windows\SendTo\ISL Light Client.lnk  [binary]
  MD5: 4CF0707CF7598136719F9EC18BA36C47
  SHA256: D0C6E4881F102B1AF8C33DF4D4D1E16F11E67AD979E74CEEC62A46629D423591
PID 3400 (ISL Light Client.exe): C:\Users\admin\AppData\Local\ISL Online Cache\ISL Network Start\cache\file_cache_v3_3ed70ed34cf00c10cc154e384abd36a689ae85d7c5b9bae1ab71608ebbb9fb8c  [binary]
  MD5: 172C9E83F1C28D9795A9639CD70CE895
  SHA256: 3ED70ED34CF00C10CC154E384ABD36A689AE85D7C5B9BAE1AB71608EBBB9FB8C
PID 3400 (ISL Light Client.exe): C:\Users\admin\AppData\Local\ISL Online Cache\ISL Network Start\cache\file_cache_v3_043065b2e452ce2cf70257bf9425894cba1c5de87ed10248a2b672c5c399c723  [binary]
  MD5: 99903597D3BCC5A4ABA672CADC1651A0
  SHA256: 043065B2E452CE2CF70257BF9425894CBA1C5DE87ED10248A2B672C5C399C723
PID 3400 (ISL Light Client.exe): C:\Users\admin\AppData\Local\ISL Online Cache\ISL Network Start\cache\file_cache_v3_eb38563e4f0113617f07f975db14888ed69b641a0e3c152d63766044595e149c  [binary]
  MD5: 63CB567D875500D18301DE3D8DFABFB9
  SHA256: EB38563E4F0113617F07F975DB14888ED69B641A0E3C152D63766044595E149C
PID 3400 (ISL Light Client.exe): C:\Users\admin\AppData\Local\ISL Online Cache\ISL Network Start\cache\file_cache_v3_ec06f5a65519c937c97b0c078611123b92042574499c1b685bebec539a4eaad8  [binary]
  MD5: 2A668F81B7A827B6CCB31F3CB9F1C14F
  SHA256: EC06F5A65519C937C97B0C078611123B92042574499C1B685BEBEC539A4EAAD8
PID 2248 (ISL_Light_Client_4_4_2332_44.exe): C:\Users\admin\AppData\Local\ISL Online Cache\ISL Light Client\1\isllight.exe  [executable]
  MD5: 9D1D729147C3719490E8F477E182BA0D
  SHA256: 64C32FC6CF4A146E9CDA5E37DECA1EDAA9AA9D8010C34DC4BE29E5FD07858840
PID 3400 (ISL Light Client.exe): C:\Users\admin\AppData\Local\ISL Online Cache\ISL Network Start\1\extract_1721393438_3400_3432_1476258529\ISL_Light_Client_4_4_2332_44.exe  [executable]
  MD5: 9D1D729147C3719490E8F477E182BA0D
  SHA256: 64C32FC6CF4A146E9CDA5E37DECA1EDAA9AA9D8010C34DC4BE29E5FD07858840

Three things to read off this list: the file_cache_v3_ entries are named by the SHA256 of their content (each name matches the hash below it), and tmp_3400_3432 has the same hashes as file_cache_v3_eb38563e..., so it is that cache entry before renaming; the two executables are one file (identical MD5/SHA256), extracted by the launcher and then copied by the client to ISL Light Client\1\isllight.exe, so that hash (64C32FC6...) is the one to track alongside the submitted launcher's; and the .lnk placed in the user's SendTo folder is shell integration that outlives the session.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 9
TCP/UDP connections: 23
DNS requests: 13
Threats: 3

HTTP requests

PID | Process | Method | HTTP code | IP | URL | CN | Reputation
2248 | ISL_Light_Client_4_4_2332_44.exe | GET | 304 | 199.232.214.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?00b9afb8713868d7 | unknown | whitelisted
2248 | ISL_Light_Client_4_4_2332_44.exe | GET | 301 | 185.110.66.2:80 | http://www.iniciarcontrol.com/imagenes/logo.bmp | unknown | unknown
2248 | ISL_Light_Client_4_4_2332_44.exe | GET | 304 | 199.232.214.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?eaf41894c7aecf44 | unknown | whitelisted
2248 | ISL_Light_Client_4_4_2332_44.exe | GET | 301 | 185.110.66.2:80 | http://www.iniciarcontrol.com/imagenes/logo.bmp | unknown | unknown
2248 | ISL_Light_Client_4_4_2332_44.exe | GET | 200 | 23.192.153.142:80 | http://x1.c.lencr.org/ | unknown | whitelisted
2248 | ISL_Light_Client_4_4_2332_44.exe | GET | 200 | 23.32.238.27:80 | http://r11.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQaUrm0WeTDM5ghfoZtS72KO9ZnzgQUCLkRO6XQhRi06g%2BgrZ%2BGHo78OCcCEgN%2BctoahUJ%2BU%2BE3zMVEuJwdQw%3D%3D | unknown | whitelisted
1060 | svchost.exe | GET | 304 | 199.232.214.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?2b2cfb908ae71288 | unknown | whitelisted
1372 | svchost.exe | GET | 200 | 23.32.238.219:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
1372 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted

(The Type and Size columns are empty in every row of this extract and are omitted.)

The only non-infrastructure HTTP target is http://www.iniciarcontrol.com/imagenes/logo.bmp, a branding image fetched twice by the dropped client and answered with 301 each time; the connection to the same host on 443 listed under Connections is consistent with that redirect being followed over HTTPS. x1.c.lencr.org (ISRG Root X1 CA-issuer download) and r11.o.lencr.org (OCSP for Let's Encrypt's R11 intermediate; the path is a base64 GET OCSP request) together with the ctldl.windowsupdate.com disallowed-CTL fetches are Windows certificate-chain validation, which is what the "Checks Windows Trust Settings" and "Reads settings of System Certificates" signatures pick up. The svchost.exe CRL fetches are the OS's own.

Connections

PID | Process | IP:port | Domain | ASN | CN | Reputation
- | - | 224.0.0.252:5355 | - | - | - | whitelisted (LLMNR multicast)
4 | System | 192.168.100.255:137 | - | - | - | whitelisted (NetBIOS name service broadcast)
1372 | svchost.exe | 51.104.136.2:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1060 | svchost.exe | 224.0.0.252:5355 | - | - | - | whitelisted (LLMNR multicast)
3400 | ISL Light Client.exe | 195.201.56.244:7615 | networkstart-qdqtvhm.islonline.net | Hetzner Online GmbH | DE | unknown
4 | System | 192.168.100.255:138 | - | - | - | whitelisted (NetBIOS datagram broadcast)
2564 | svchost.exe | 239.255.255.250:3702 | - | - | - | whitelisted (WS-Discovery multicast)
2248 | ISL_Light_Client_4_4_2332_44.exe | 185.110.66.2:80 | www.iniciarcontrol.com | Register S.p.A. | ES | unknown
2248 | ISL_Light_Client_4_4_2332_44.exe | 185.110.66.2:443 | www.iniciarcontrol.com | Register S.p.A. | ES | unknown
2248 | ISL_Light_Client_4_4_2332_44.exe | 78.46.69.236:7615 | isllight-myipfebbdbbangsc.islonline.net | Hetzner Online GmbH | DE | unknown

The sample's own traffic is the two TCP 7615 connections (the launcher to networkstart-qdqtvhm.islonline.net, the client to isllight-myipfebbdbbangsc.islonline.net, both Hetzner-hosted names under the vendor's islonline.net domain) plus the branding fetch from www.iniciarcontrol.com; port 7615 is what the "Connects to unusual port" signature refers to. The remaining rows are Windows background traffic from System and svchost.exe.

DNS requests

Domain | IP(s) | Reputation
google.com | 172.217.23.110 | whitelisted
networkstart-qdqtvhm.islonline.net | 195.201.56.244 | unknown
networkstart-myipfebbdbbaztqp.islonline.net | 195.201.56.244 | unknown
www.iniciarcontrol.com | 185.110.66.2 | unknown
isllight-myipfebbdbbangsc.islonline.net | 78.46.69.236 | unknown
ctldl.windowsupdate.com | 199.232.214.172, 199.232.210.172 | whitelisted
x1.c.lencr.org | 23.192.153.142 | whitelisted
r11.o.lencr.org | 23.32.238.27, 23.32.238.49, 23.32.238.64, 2.19.198.202, 23.32.238.82 | whitelisted
settings-win.data.microsoft.com | 20.73.194.208 | whitelisted
crl.microsoft.com | 23.32.238.219, 23.32.238.171 | whitelisted

Both networkstart-*.islonline.net names resolve to the same host, 195.201.56.244; only networkstart-qdqtvhm.islonline.net appears in the Connections table.

Threats

PID | Process | Class | Message
3400 | ISL Light Client.exe | Generic Protocol Command Decode | SURICATA HTTP METHOD terminated by non-compliant character
2248 | ISL_Light_Client_4_4_2332_44.exe | Generic Protocol Command Decode | SURICATA HTTP invalid request field folding
2248 | ISL_Light_Client_4_4_2332_44.exe | Generic Protocol Command Decode | SURICATA HTTP METHOD terminated by non-compliant character

All three are Suricata protocol-decode anomalies (the Generic Protocol Command Decode class), raised when a stream handled by the HTTP parser is not well-formed HTTP; they are not signature matches for known malicious traffic and on their own say nothing about the content of the 7615 sessions.
No debug info