File name: ISL Light Client.exe

Full analysis: https://app.any.run/tasks/8b063878-9ff1-4a42-ae48-6a9dd1b2af4f
Verdict: Malicious activity
Analysis date: July 19, 2024, 12:50:30
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 0893DA1FC27BB54F8DF9113A46AE227C
SHA1: 153B41BA7348666B99DB72201D81DA8C7B86F99E
SHA256: EDF9E2ECC81F58E0B519985F7F9194E51BF6DBABC2E13BA14F93E738EC8FE7CE
SSDEEP: 24576:mGf5nU/0pwgNGr8EZ2Q3gRsTeIVVbk33t4gsf15mrJTAXqk2:mGf5U/0pwg0r8EZ2Q3esTeITbknt4gsC

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • ISL Light Client.exe (PID: 3400)
      • ISL_Light_Client_4_4_2332_44.exe (PID: 2248)
  • SUSPICIOUS

    • Reads the Internet Settings

      • ISL Light Client.exe (PID: 3400)
      • ISL_Light_Client_4_4_2332_44.exe (PID: 2248)
    • Executable content was dropped or overwritten

      • ISL Light Client.exe (PID: 3400)
      • ISL_Light_Client_4_4_2332_44.exe (PID: 2248)
    • Connects to unusual port

      • ISL Light Client.exe (PID: 3400)
      • ISL_Light_Client_4_4_2332_44.exe (PID: 2248)
    • Reads security settings of Internet Explorer

      • ISL_Light_Client_4_4_2332_44.exe (PID: 2248)
    • Reads settings of System Certificates

      • ISL_Light_Client_4_4_2332_44.exe (PID: 2248)
    • Checks Windows Trust Settings

      • ISL_Light_Client_4_4_2332_44.exe (PID: 2248)
    • There is functionality for taking screenshot (YARA)

      • ISL_Light_Client_4_4_2332_44.exe (PID: 2248)
  • INFO

    • Checks supported languages

      • ISL Light Client.exe (PID: 3400)
      • ISL_Light_Client_4_4_2332_44.exe (PID: 2248)
      • wmpnscfg.exe (PID: 2408)
    • Creates files or folders in the user directory

      • ISL Light Client.exe (PID: 3400)
      • ISL_Light_Client_4_4_2332_44.exe (PID: 2248)
    • Reads the machine GUID from the registry

      • ISL Light Client.exe (PID: 3400)
      • ISL_Light_Client_4_4_2332_44.exe (PID: 2248)
    • Reads the computer name

      • ISL Light Client.exe (PID: 3400)
      • ISL_Light_Client_4_4_2332_44.exe (PID: 2248)
      • wmpnscfg.exe (PID: 2408)
    • Checks proxy server information

      • ISL_Light_Client_4_4_2332_44.exe (PID: 2248)
    • Reads the software policy settings

      • ISL_Light_Client_4_4_2332_44.exe (PID: 2248)
    • Manual execution by a user

      • wmpnscfg.exe (PID: 2408)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:10:18 12:44:56+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14
CodeSize: 44032
InitializedDataSize: 32256
UninitializedDataSize: -
EntryPoint: 0x6730
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.1
ProductVersionNumber: 1.0.0.1
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Win32
ObjectFileType: Unknown
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
CompanyName: Xlab d.o.o.
FileDescription: launch
FileVersion: 1, 0, 0, 1
InternalName: launch
LegalCopyright: Copyright (C) 2010
OriginalFileName: launch.rc
ProductName: launch
ProductVersion: 1, 0, 0, 1
No data.
Total processes: 41
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 0

Behavior graph

(interactive graph, not reproduced) Nodes: isl light client.exe (start), isl_light_client_4_4_2332_44.exe (THREAT), wmpnscfg.exe (no specs)

Process information

PID: 2248
CMD: ISL_Light_Client_4_4_2332_44.exe
Path: C:\Users\admin\AppData\Local\ISL Online Cache\ISL Network Start\1\extract_1721393438_3400_3432_1476258529\ISL_Light_Client_4_4_2332_44.exe
Parent process: ISL Light Client.exe
User: admin
Company: ISL Online Ltd.
Integrity Level: MEDIUM
Description: ISL Light Client - Remote Desktop Support
Exit code: 0
Version: 4, 4, 2332, 44
Modules (images):
  • c:\users\admin\appdata\local\isl online cache\isl network start\1\extract_1721393438_3400_3432_1476258529\isl_light_client_4_4_2332_44.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\usp10.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\shell32.dll

PID: 2408
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player Network Sharing Service Configuration Application
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  • c:\program files\windows media player\wmpnscfg.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll

PID: 3400
CMD: "C:\Users\admin\AppData\Local\Temp\ISL Light Client.exe"
Path: C:\Users\admin\AppData\Local\Temp\ISL Light Client.exe
Parent process: explorer.exe
User: admin
Company: Xlab d.o.o.
Integrity Level: MEDIUM
Description: launch
Exit code: 0
Version: 1, 0, 0, 1
Modules (images):
  • c:\users\admin\appdata\local\temp\isl light client.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\usp10.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\shell32.dll
Total events: 9 456
Read events: 9 399
Write events: 51
Delete events: 6

Modification events

(PID) Process: (3400) ISL Light Client.exe
Key: HKEY_CURRENT_USER\Software\ISL Online\Grid\ISL Online Network
Operation: write
Name: grid_id
Value:
3434306363633135373935333138636532613261633138316235666534396537356535303562313666623730323665643566306433366530646161663962353865646165626361386532313230366337616164346438333931363638323537353563363135313365623032393331646639363961303663346433376633323833

(PID) Process: (3400) ISL Light Client.exe
Key: HKEY_CURRENT_USER\Software\ISL Online\Grid\ISL Online Network
Operation: write
Name: cp_protocol
Value: 1-35

(PID) Process: (3400) ISL Light Client.exe
Key: HKEY_CURRENT_USER\Software\ISL Online\Grid\ISL Online Network
Operation: write
Name: key_cs
Value (hex-encoded PEM certificate, "-----BEGIN CERTIFICATE-----" through "-----END CERTIFICATE-----"):
2D2D2D2D2D424547494E2043455254494649434154452D2D2D2D2D0D0A4D4949426A6A43422B41494A414E69776A53754A76764A6A4D413047435371475349623344514542425155414D417778436A414942674E5642414D54415445770D0A4868634E4D446B774D54497A4D4467304F5451315768634E4D7A59774E6A41354D4467304F545131576A414D4D516F774341594456515144457745784D4947660D0A4D413047435371475349623344514542415155414134474E4144434269514B426751444B65584F506D2F302F70553733676C3567796F6E2B7A4F4376555475500D0A4B72595455393447314D7A4235536C56556A77614B46486643626566672B4A6B6543666F384E4C742B7372694F314C417070434B6D4C684C656366304B4E514E0D0A6F3378727A3148456A614361716B63586167774A656871374B4551496D3733713842676E71486E4E79415543705767324A6F76454D4163584451592B4F45646E0D0A475A463149774D35544552316C774944415141424D413047435371475349623344514542425155414134474241426677466764736E6933556F6F795536535A340D0A30434A685764753365412F68433858597549476152646B314E4A6C6E49754B6D333345706D7A306E452B36345753742B777A31444B3839504B515758556552550D0A75537A4B3552516D48714E3766417A7A584A68584F482F4F4448565A737154542F447079706A48656F554561443245336A4772716148364D38434F74627672430D0A4632544D4E4C6162434663502F546E66715043385838626B0D0A2D2D2D2D2D454E442043455254494649434154452D2D2D2D2D0D0A

(PID) Process: (3400) ISL Light Client.exe
Key: HKEY_CURRENT_USER\Software\ISL Online\Grid\ISL Online Network
Operation: write
Name: key_cs_latest
Value: (not preserved in this copy of the report)

(PID) Process: (3400) ISL Light Client.exe
Key: HKEY_CURRENT_USER\Software\ISL Online\AutoTransport\Last public IP
Operation: write
Name: .islonline.net
Value: 84.17.49.16

(PID) Process: (3400) ISL Light Client.exe
Key: HKEY_CURRENT_USER\Software\ISL Online\Grid\ISL Online Network
Operation: write
Name: key_hash
Value: BC09B8E4DE3C61B23032D21AB088A197

(PID) Process: (3400) ISL Light Client.exe
Key: HKEY_CURRENT_USER\Software\ISL Online\Grid\ISL Online Network
Operation: write
Name: key_ss
Value:
0080BA188EC4ADE844100EB238BB05B42E29F255C09E894E6317A608CC167476BE23A5C0FF9BBAF636C82D7DC078E412797A5027837DDD25230C5EF53D5DBB1918BC47B9C1CB678F5FA2E06DDE523D0CFC5B334F52E6677C0EF7222088F96455ED2772BAEA8E55550C37364EB31BA9F28AC9F71ABC3C255773B75C4190735522594B0003010001

(PID) Process: (3400) ISL Light Client.exe
Key: HKEY_CURRENT_USER\Software\ISL Online\AutoTransport\Boost transport type
Operation: write
Name: v1
Value (hex; begins with the ASCII strings ".islonline.net" and "direct"):
2E69736C6F6E6C696E652E6E65740E0164697265637406018E30514104DAD9DA0104

(PID) Process: (3400) ISL Light Client.exe
Key: HKEY_CURRENT_USER\Software\ISL Online\AutoTransport\HTTP proxy PAC
Operation: write
Name: v1
Value: 46468E30514104DAD9DA0104

(PID) Process: (2248) ISL_Light_Client_4_4_2332_44.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: write
Name: ProxyEnable
Value: 0
Executable files: 2
Suspicious files: 22
Text files: 3
Unknown types: 0

Dropped files

PID 3400, ISL Light Client.exe
Filename: C:\Users\admin\AppData\Local\ISL Online Cache\ISL Network Start\cache\file_cache_v3_eb38563e4f0113617f07f975db14888ed69b641a0e3c152d63766044595e149c
Type: binary
MD5: 63CB567D875500D18301DE3D8DFABFB9
SHA256: EB38563E4F0113617F07F975DB14888ED69B641A0E3C152D63766044595E149C

PID 3400, ISL Light Client.exe
Filename: C:\Users\admin\AppData\Local\ISL Online Cache\ISL Network Start\cache\file_cache_v3_043065b2e452ce2cf70257bf9425894cba1c5de87ed10248a2b672c5c399c723
Type: binary
MD5: 99903597D3BCC5A4ABA672CADC1651A0
SHA256: 043065B2E452CE2CF70257BF9425894CBA1C5DE87ED10248A2B672C5C399C723

PID 2248, ISL_Light_Client_4_4_2332_44.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
Type: binary
MD5: 822467B728B7A66B081C91795373789A
SHA256: AF2343382B88335EEA72251AD84949E244FF54B6995063E24459A7216E9576B9

PID 2248, ISL_Light_Client_4_4_2332_44.exe
Filename: C:\Users\admin\AppData\Local\ISL Online Cache\ISL Light Client\1\ISLClient.out
Type: text
MD5: 50E7685CCB95946B105E521EE5301176
SHA256: 62DB42102646EBB03CDD03DCAF97097BEE10E5589EE8107324B67B6D5DA7A199

PID 3400, ISL Light Client.exe
Filename: C:\Users\admin\AppData\Local\ISL Online Cache\ISL Network Start\1\extract_1721393438_3400_3432_1476258529\ISL_Light_Client_4_4_2332_44.exe
Type: executable
MD5: 9D1D729147C3719490E8F477E182BA0D
SHA256: 64C32FC6CF4A146E9CDA5E37DECA1EDAA9AA9D8010C34DC4BE29E5FD07858840

PID 2248, ISL_Light_Client_4_4_2332_44.exe
Filename: C:\Users\admin\AppData\Local\ISL Online Cache\ISL Light Client\1\isllight.exe
Type: executable
MD5: 9D1D729147C3719490E8F477E182BA0D
SHA256: 64C32FC6CF4A146E9CDA5E37DECA1EDAA9AA9D8010C34DC4BE29E5FD07858840

PID 3400, ISL Light Client.exe
Filename: C:\Users\admin\AppData\Local\ISL Online Cache\ISL Network Start\cache\file_cache_v3_3ed70ed34cf00c10cc154e384abd36a689ae85d7c5b9bae1ab71608ebbb9fb8c
Type: binary
MD5: 172C9E83F1C28D9795A9639CD70CE895
SHA256: 3ED70ED34CF00C10CC154E384ABD36A689AE85D7C5B9BAE1AB71608EBBB9FB8C

PID 2248, ISL_Light_Client_4_4_2332_44.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0C4DCF3D07DAF46BB8B285B6CCE6723
Type: binary
MD5: 64B25A7088EEC2CB7BEFC576535B2C97
SHA256: ED9745742A00EB3887FC4E8853E255EC2A08C0A98F340C06F0B1DCE24803395C

PID 2248, ISL_Light_Client_4_4_2332_44.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
Type: binary
MD5: 35B7E045B793831E611B35745430C615
SHA256: 5ADFB8240738C6EE93F41926FF008D3978B57109CDF8E35E20F6AD9DEC3F6778

PID 2248, ISL_Light_Client_4_4_2332_44.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0C4DCF3D07DAF46BB8B285B6CCE6723
Type: binary
MD5: 49B7D7F8F1F5FEB921051DEB76E458C5
SHA256: 00847F78BBFBF3E5D428CC4473861C0A5C635BA55780A0BD6A4C2368AE67E47E
HTTP(S) requests: 9
TCP/UDP connections: 23
DNS requests: 13
Threats: 3

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2248 | ISL_Light_Client_4_4_2332_44.exe | GET | 301 | 185.110.66.2:80 | http://www.iniciarcontrol.com/imagenes/logo.bmp | ES | html | 706 b | unknown
2248 | ISL_Light_Client_4_4_2332_44.exe | GET | 301 | 185.110.66.2:80 | http://www.iniciarcontrol.com/imagenes/logo.bmp | ES | html | 706 b | unknown
2248 | ISL_Light_Client_4_4_2332_44.exe | GET | 304 | 199.232.214.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?00b9afb8713868d7 | US | - | - | whitelisted
2248 | ISL_Light_Client_4_4_2332_44.exe | GET | 304 | 199.232.214.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?eaf41894c7aecf44 | US | - | - | whitelisted
2248 | ISL_Light_Client_4_4_2332_44.exe | GET | 200 | 23.192.153.142:80 | http://x1.c.lencr.org/ | GB | binary | 717 b | whitelisted
2248 | ISL_Light_Client_4_4_2332_44.exe | GET | 200 | 23.32.238.27:80 | http://r11.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQaUrm0WeTDM5ghfoZtS72KO9ZnzgQUCLkRO6XQhRi06g%2BgrZ%2BGHo78OCcCEgN%2BctoahUJ%2BU%2BE3zMVEuJwdQw%3D%3D | DE | binary | 504 b | whitelisted
1060 | svchost.exe | GET | 304 | 199.232.214.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?2b2cfb908ae71288 | US | - | - | whitelisted
1372 | svchost.exe | GET | 200 | 23.32.238.219:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | DE | binary | 1.01 Kb | whitelisted
1372 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | DE | binary | 973 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 224.0.0.252:5355 | - | - | - | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1372 | svchost.exe | 51.104.136.2:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1060 | svchost.exe | 224.0.0.252:5355 | - | - | - | whitelisted
3400 | ISL Light Client.exe | 195.201.56.244:7615 | networkstart-qdqtvhm.islonline.net | Hetzner Online GmbH | DE | unknown
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
2564 | svchost.exe | 239.255.255.250:3702 | - | - | - | whitelisted
2248 | ISL_Light_Client_4_4_2332_44.exe | 185.110.66.2:80 | www.iniciarcontrol.com | Register S.p.A. | ES | unknown
2248 | ISL_Light_Client_4_4_2332_44.exe | 185.110.66.2:443 | www.iniciarcontrol.com | Register S.p.A. | ES | unknown
2248 | ISL_Light_Client_4_4_2332_44.exe | 78.46.69.236:7615 | isllight-myipfebbdbbangsc.islonline.net | Hetzner Online GmbH | DE | unknown

DNS requests

Domain | IP | Reputation
google.com | 172.217.23.110 | whitelisted
networkstart-qdqtvhm.islonline.net | 195.201.56.244 | unknown
networkstart-myipfebbdbbaztqp.islonline.net | 195.201.56.244 | unknown
www.iniciarcontrol.com | 185.110.66.2 | unknown
isllight-myipfebbdbbangsc.islonline.net | 78.46.69.236 | unknown
ctldl.windowsupdate.com | 199.232.214.172, 199.232.210.172 | whitelisted
x1.c.lencr.org | 23.192.153.142 | whitelisted
r11.o.lencr.org | 23.32.238.27, 23.32.238.49, 23.32.238.64, 2.19.198.202, 23.32.238.82 | whitelisted
settings-win.data.microsoft.com | 20.73.194.208 | whitelisted
crl.microsoft.com | 23.32.238.219, 23.32.238.171 | whitelisted

Threats

PID | Process | Class | Message
3400 | ISL Light Client.exe | Generic Protocol Command Decode | SURICATA HTTP METHOD terminated by non-compliant character
2248 | ISL_Light_Client_4_4_2332_44.exe | Generic Protocol Command Decode | SURICATA HTTP invalid request field folding
2248 | ISL_Light_Client_4_4_2332_44.exe | Generic Protocol Command Decode | SURICATA HTTP METHOD terminated by non-compliant character
No debug info