Edit tour

Windows Analysis Report
CiscoSetup.exe

Overview

General Information

Sample name:	CiscoSetup.exe
Analysis ID:	1546659
MD5:	91f7229586df2c577a54ad0d1a5bdcb1
SHA1:	938b4ddf983e035130a7fcbf0458c4f9d5b69ca5
SHA256:	80f7768cbf016ae16f5758e31d9eb2d277c0566654f05bad152ecbde6eb616e5
Tags:	exeOMICAREJOINTSTOCKCOMPANYuser-SquiblydooBlog
Infos:

Detection

NetSupport RAT, NetSupport Downloader

Score:	54
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Compliance

Score:	33
Range:	0 - 100

Signatures

Malicious sample detected (through community Yara rule)

Sigma detected: Powershell drops NetSupport RAT client

Suricata IDS alerts for network traffic

Yara detected NetSupport Downloader

Bypasses PowerShell execution policy

Contains functionality to detect sleep reduction / modifications

Contains functionalty to change the wallpaper

Found suspicious powershell code related to unpacking or dynamic code loading

Loading BitLocker PowerShell Module

NDIS Filter Driver detected (likely used to intercept and sniff network traffic)

Powershell drops PE file

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspicious Script Execution From Temp Folder

Abnormal high CPU Usage

Contains functionality for read data from the clipboard

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to enumerate running services

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Drops certificate files (DER)

EXE planting / hijacking vulnerabilities found

Enables debug privileges

Enables security privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evaded block containing many API calls

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May check if the current machine is a sandbox (GetTickCount - Sleep)

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Uses the system / local time for branch decision (may execute only at specific dates)

Yara detected Keylogger Generic

Yara detected NetSupport remote tool

Yara signature match

Classification

Process Tree

System is w10x64

CiscoSetup.exe (PID: 6776 cmdline: "C:\Users\user\Desktop\CiscoSetup.exe" MD5: 91F7229586DF2C577A54AD0D1A5BDCB1)

CiscoSetup.tmp (PID: 6820 cmdline: "C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp" /SL5="$2041A,13456411,1058304,C:\Users\user\Desktop\CiscoSetup.exe" MD5: BFD84005E52425F9B8FE658B9663E1C4)

powershell.exe (PID: 6724 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-D93RQ.tmp\cispn.ps1" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 2336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

client32.exe (PID: 3052 cmdline: "C:\Users\user\AppData\Roaming\Cisco\client32.exe" MD5: 4F2D0F4A5BA798FA9E85379C7C4BD36E)

client32.exe (PID: 1516 cmdline: "C:\Users\user\AppData\Roaming\Cisco\client32.exe" MD5: 4F2D0F4A5BA798FA9E85379C7C4BD36E)

client32.exe (PID: 4124 cmdline: "C:\Users\user\AppData\Roaming\Cisco\client32.exe" MD5: 4F2D0F4A5BA798FA9E85379C7C4BD36E)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author
C:\Users\user\AppData\Roaming\Cisco\AudioCapture.dll	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\Users\user\AppData\Roaming\Cisco\TCCTL32.DLL	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\Users\user\AppData\Roaming\Cisco\client32.exe	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\Users\user\AppData\Roaming\Cisco\pcicapi.dll	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\Users\user\AppData\Local\Temp\is-D93RQ.tmp\cispn.ps1	JoeSecurity_NetSupportDownloader	Yara detected NetSupport Downloader	Joe Security
C:\Users\user\AppData\Roaming\Cisco\PCICHEK.DLL	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\Users\user\AppData\Roaming\Cisco\HTCTL32.DLL	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\Users\user\AppData\Roaming\Cisco\PCICL32.DLL	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
C:\Users\user\AppData\Roaming\Cisco\PCICL32.DLL	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\Program Files (x86)\Cisco\unins000.dat	JoeSecurity_NetSupportDownloader	Yara detected NetSupport Downloader	Joe Security
Click to see the 5 entries

Memory Dumps

Source	Rule	Description	Author	Strings
0000000A.00000002.2190553256.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000007.00000000.1983117246.0000000000404000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000007.00000002.4143550370.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
0000000A.00000002.2189669515.0000000000404000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
0000000A.00000000.2183700917.0000000000404000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000008.00000000.2102185097.0000000000404000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000007.00000003.2284925440.0000000005207000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000008.00000002.2109302873.000000001118F000.00000002.00000001.01000000.0000000B.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000008.00000002.2109302873.000000001118F000.00000002.00000001.01000000.0000000B.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000007.00000002.4142059175.0000000002648000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000005.00000002.2043735068.000000000883E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000008.00000002.2104099900.0000000000404000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000007.00000002.4143093821.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000007.00000002.4143045081.000000001118F000.00000002.00000001.01000000.0000000B.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000007.00000002.4143045081.000000001118F000.00000002.00000001.01000000.0000000B.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
0000000A.00000002.2190511917.000000001118F000.00000002.00000001.01000000.0000000B.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0000000A.00000002.2190511917.000000001118F000.00000002.00000001.01000000.0000000B.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000007.00000002.4141174786.0000000000404000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000008.00000002.2109384742.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000005.00000002.1991259471.0000000005259000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000007.00000003.2285282850.0000000005226000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000005.00000002.1991259471.0000000005357000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
Process Memory Space: powershell.exe PID: 6724	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
Process Memory Space: powershell.exe PID: 6724	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x5e1260:$b1: ::WriteAllBytes( 0x832960:$b1: ::WriteAllBytes( 0x5e122b:$b2: ::FromBase64String( 0x83292b:$b2: ::FromBase64String( 0x19bbbd:$s1: -join 0x1a8c92:$s1: -join 0x1ac064:$s1: -join 0x1ac716:$s1: -join 0x1ae207:$s1: -join 0x1b040d:$s1: -join 0x1b0c34:$s1: -join 0x1b14a4:$s1: -join 0x1b1bdf:$s1: -join 0x1b1c11:$s1: -join 0x1b1c59:$s1: -join 0x1b1c78:$s1: -join 0x1b24c8:$s1: -join 0x1b2644:$s1: -join 0x1b26bc:$s1: -join 0x1b274f:$s1: -join 0x1b29b5:$s1: -join
Process Memory Space: client32.exe PID: 3052	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: client32.exe PID: 3052	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
Process Memory Space: client32.exe PID: 1516	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: client32.exe PID: 1516	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
Process Memory Space: client32.exe PID: 4124	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: client32.exe PID: 4124	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
Click to see the 25 entries

Unpacked PEs

Source	Rule	Description	Author
8.2.client32.exe.688b0000.5.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
7.2.client32.exe.400000.0.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
10.2.client32.exe.688b0000.5.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
7.2.client32.exe.688b0000.6.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
8.0.client32.exe.400000.0.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
8.2.client32.exe.400000.0.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
7.0.client32.exe.400000.0.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
10.0.client32.exe.400000.0.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
10.2.client32.exe.400000.0.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
7.2.client32.exe.68890000.5.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
10.2.client32.exe.68890000.4.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
8.2.client32.exe.68890000.4.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
7.2.client32.exe.111b3308.2.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
7.2.client32.exe.111b3308.2.raw.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
8.2.client32.exe.111b3308.2.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
8.2.client32.exe.111b3308.2.raw.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
10.2.client32.exe.111b3308.2.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
10.2.client32.exe.111b3308.2.raw.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
7.2.client32.exe.68590000.3.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
8.2.client32.exe.11000000.1.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
8.2.client32.exe.11000000.1.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
10.2.client32.exe.11000000.1.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
10.2.client32.exe.11000000.1.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
7.2.client32.exe.11000000.1.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
7.2.client32.exe.11000000.1.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
Click to see the 20 entries

Other

Source	Rule	Description	Author	Strings
amsi32_6724.amsi.csv	JoeSecurity_NetSupportDownloader	Yara detected NetSupport Downloader	Joe Security
amsi32_6724.amsi.csv	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x2e4f74:$b1: ::WriteAllBytes( 0x2e4f3e:$b2: ::FromBase64String( 0x2f16a0:$s1: -join 0x2eae4c:$s4: += 0x2eaf0e:$s4: += 0x2ef135:$s4: += 0x2f1252:$s4: += 0x2f153c:$s4: += 0x2f1682:$s4: += 0x2f4e98:$s4: += 0x2f4f9c:$s4: += 0x2f83f8:$s4: += 0x2f8ad8:$s4: += 0x2f8f8e:$s4: += 0x2f8fe3:$s4: += 0x2f9257:$s4: += 0x2f9286:$s4: += 0x2f97ce:$s4: += 0x2f97fd:$s4: += 0x2f98dc:$s4: += 0x2fbb73:$s4: +=

Sigma Signatures

System Summary

Sigma detected: Script Interpreter Execution From Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-D93RQ.tmp\cispn.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-D93RQ.tmp\cispn.ps1", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp" /SL5="$2041A,13456411,1058304,C:\Users\user\Desktop\CiscoSetup.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp, ParentProcessId: 6820, ParentProcessName: CiscoSetup.tmp, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-D93RQ.tmp\cispn.ps1", ProcessId: 6724, ProcessName: powershell.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-D93RQ.tmp\cispn.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-D93RQ.tmp\cispn.ps1", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp" /SL5="$2041A,13456411,1058304,C:\Users\user\Desktop\CiscoSetup.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp, ParentProcessId: 6820, ParentProcessName: CiscoSetup.tmp, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-D93RQ.tmp\cispn.ps1", ProcessId: 6724, ProcessName: powershell.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-D93RQ.tmp\cispn.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-D93RQ.tmp\cispn.ps1", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp" /SL5="$2041A,13456411,1058304,C:\Users\user\Desktop\CiscoSetup.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp, ParentProcessId: 6820, ParentProcessName: CiscoSetup.tmp, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-D93RQ.tmp\cispn.ps1", ProcessId: 6724, ProcessName: powershell.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\Cisco\client32.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6724, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MyApp

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6724, TargetFilename: C:\Users\user\AppData\Roaming\Cisco\pcicapi.dll

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-D93RQ.tmp\cispn.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-D93RQ.tmp\cispn.ps1", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp" /SL5="$2041A,13456411,1058304,C:\Users\user\Desktop\CiscoSetup.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp, ParentProcessId: 6820, ParentProcessName: CiscoSetup.tmp, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-D93RQ.tmp\cispn.ps1", ProcessId: 6724, ProcessName: powershell.exe

Remote Access Functionality

Sigma detected: Powershell drops NetSupport RAT client

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6724, TargetFilename: C:\Users\user\AppData\Roaming\Cisco\NSM.LIC

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-01T12:11:21.347015+0100	2022930	1	A Network Trojan was detected	20.12.23.50	443	192.168.2.4	49733	TCP
2024-11-01T12:12:00.049379+0100	2022930	1	A Network Trojan was detected	20.12.23.50	443	192.168.2.4	49743	TCP

ETPRO MALWARE NetSupport RAT CnC Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-01T12:11:04.921590+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.4	49741	199.188.200.195	443	TCP
2024-11-01T12:11:04.921590+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.4	49739	151.236.16.15	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Cryptography

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 7_2_110AC820 GetModuleHandleA,GetProcAddress,GetProcAddress,GetLastError,wsprintfA,GetLastError,_memset,CryptGetProvParam,CryptGetProvParam,GetLastError,_memset,CryptGetProvParam,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,_free,GetLastError,CryptReleaseContext,SetLastError,FreeLibrary,		7_2_110AC820
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 8_2_110AC820 GetModuleHandleA,GetProcAddress,GetProcAddress,GetLastError,wsprintfA,GetLastError,_memset,CryptGetProvParam,CryptGetProvParam,GetLastError,_memset,CryptGetProvParam,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,_free,GetLastError,CryptReleaseContext,SetLastError,FreeLibrary,		8_2_110AC820

Privilege Escalation

EXE planting / hijacking vulnerabilities found

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	EXE: C:\Users\user\AppData\Roaming\Cisco\client32.exe			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	EXE: C:\Users\user\AppData\Roaming\Cisco\remcmdstub.exe			Jump to behavior

Compliance

EXE planting / hijacking vulnerabilities found

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	EXE: C:\Users\user\AppData\Roaming\Cisco\client32.exe			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	EXE: C:\Users\user\AppData\Roaming\Cisco\remcmdstub.exe			Jump to behavior

Uses 32bit PE files

Source: CiscoSetup.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

PE / OLE file has a valid certificate

Source: CiscoSetup.exe

Static PE information: certificate valid

Uses new MSVCR Dlls

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Users\user\AppData\Roaming\Cisco\msvcr100.dll

Jump to behavior

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: CiscoSetup.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Binary contains paths to debug symbols

Source:	Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Full\pcichek.pdb source: client32.exe, 00000007.00000002.4143990636.00000000688B2000.00000002.00000001.01000000.0000000C.sdmp, client32.exe, 00000008.00000002.2110324547.00000000688B2000.00000002.00000001.01000000.0000000C.sdmp, client32.exe, 0000000A.00000002.2191144837.00000000688B2000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\client32\Release\PCICL32.pdb source: client32.exe, 00000007.00000002.4143045081.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.2109302873.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2190511917.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: C:\Users\build\p4files\ngc\Quicksilver\third-party\openssl\out.win.7.x86\ciscossl-1.1.1t.7.2.500\engines\cfom\cfom.pdb source: is-N867I.tmp.1.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdbL source: powershell.exe, 00000005.00000002.1991259471.0000000005357000.00000004.00000800.00020000.00000000.sdmp, client32.exe, 00000007.00000002.4143550370.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: client32.pdb\1141\1141\client32\Release\client32.pdb source: powershell.exe, 00000005.00000002.1991259471.0000000005259000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\temp\build\thehoff\Quicksilver_MR50.560024709388\Quicksilver_MR5\vpn\ExternalBrowserHelper\Win32\Win32\Release\acextwebhelper.pdb666GCTL source: is-K9DFT.tmp.1.dr
Source:	Binary string: C:\temp\build\thehoff\Quicksilver_MR50.560024709388\Quicksilver_MR5\vpn\ProxyCon\Win32\Release\ProxyCon.pdb source: is-139DF.tmp.1.dr
Source:	Binary string: C:\temp\build\thehoff\Quicksilver_MR50.560024709388\Quicksilver_MR5\ACRuntime\Release\acruntime.pdb source: is-FRTV6.tmp.1.dr
Source:	Binary string: E:\nsmsrc\nsm\1280\1280f\ctl32\release_unicode\tcctl32.pdbP` source: powershell.exe, 00000005.00000002.1991259471.0000000005259000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr
Source:	Binary string: d:\a01\_work\11\s\\binaries\x86ret\bin\i386\\msvcp140_2.i386.pdb source: is-0IGCD.tmp.1.dr
Source:	Binary string: \1141\1141\client32\Release\client32.pdb source: powershell.exe, 00000005.00000002.1991259471.0000000005259000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\temp\build\thehoff\Quicksilver_MR50.560024709388\Quicksilver_MR5\vpn\IPsec\Win32\Release\vpnipsec.pdb source: is-M1NCB.tmp.1.dr
Source:	Binary string: C:\temp\build\thehoff\Quicksilver_MR50.560024709388\Quicksilver_MR5\vpn\CommonCrypt\Win32\Release\vpncommoncrypt.pdb]]]GCTL source: is-T3UDO.tmp.1.dr
Source:	Binary string: System.Management.Automation.pdb-2476756634-1002_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32AppData source: powershell.exe, 00000005.00000002.2043735068.0000000008824000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\temp\build\thehoff\Quicksilver_MR50.560024709388\Quicksilver_MR5\vpn\CLI\Win32\Release\vpncli.pdb+++GCTL source: is-7ARTU.tmp.1.dr
Source:	Binary string: C:\temp\build\thehoff\Quicksilver_MR50.560024709388\Quicksilver_MR5\PhoneHome\Win32\Release\acfeedback.pdb source: is-O6HT8.tmp.1.dr
Source:	Binary string: msvcr100.i386.pdb source: powershell.exe, 00000005.00000002.1991259471.0000000005357000.00000004.00000800.00020000.00000000.sdmp, client32.exe, client32.exe, 00000007.00000002.4143689896.00000000687D1000.00000020.00000001.01000000.0000000E.sdmp, client32.exe, 00000008.00000002.2109997806.00000000687D1000.00000020.00000001.01000000.0000000E.sdmp, client32.exe, 0000000A.00000002.2190902884.00000000687D1000.00000020.00000001.01000000.0000000E.sdmp
Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2038900255.000000000777A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\nsmsrc\nsm\1280\1280f\ctl32\release_unicode\tcctl32.pdb source: powershell.exe, 00000005.00000002.1991259471.0000000005259000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr
Source:	Binary string: C:\temp\build\thehoff\Quicksilver_MR50.560024709388\Quicksilver_MR5\vpn\InstallHelper\x64\Release\InstallHelper64.pdb source: is-BKQ26.tmp.1.dr
Source:	Binary string: C:\temp\build\thehoff\Quicksilver_MR50.560024709388\Quicksilver_MR5\vpn\InstallHelper\x64\Release\InstallHelper64.pdb; source: is-BKQ26.tmp.1.dr
Source:	Binary string: C:\temp\build\thehoff\Quicksilver_MR50.560024709388\Quicksilver_MR5\vpn\ProxyCon\Win32\Release\ProxyCon.pdb)))GCTL source: is-139DF.tmp.1.dr
Source:	Binary string: client32.pdb source: powershell.exe, 00000005.00000002.1991259471.0000000005259000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: E:\nsmsrc\nsm\1210\1210\AudioCapture\Release\AudioCapture.pdb source: powershell.exe, 00000005.00000002.1991259471.0000000005259000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\temp\build\thehoff\Quicksilver_MR50.560024709388\Quicksilver_MR5\PhoneHome\Win32\Release\acfeedback.pdbMM/GCTL source: is-O6HT8.tmp.1.dr
Source:	Binary string: C:\temp\build\thehoff\Quicksilver_MR50.560024709388\Quicksilver_MR5\ACRuntime\Release\acruntime.pdbjjKGCTL source: is-FRTV6.tmp.1.dr
Source:	Binary string: C:\temp\build\thehoff\Quicksilver_MR50.560024709388\Quicksilver_MR5\vpn\ExternalBrowserHelper\Win32\Win32\Release\acextwebhelper.pdb source: is-K9DFT.tmp.1.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdb source: powershell.exe, 00000005.00000002.1991259471.0000000005357000.00000004.00000800.00020000.00000000.sdmp, client32.exe, 00000007.00000002.4143550370.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Release\pcicapi.pdb source: client32.exe, 00000007.00000002.4143874760.0000000068895000.00000002.00000001.01000000.0000000D.sdmp, client32.exe, 00000008.00000002.2110207513.0000000068895000.00000002.00000001.01000000.0000000D.sdmp, client32.exe, 0000000A.00000002.2191058031.0000000068895000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: C:\temp\build\thehoff\Quicksilver_MR50.560024709388\Quicksilver_MR5\vpn\CLI\Win32\Release\vpncli.pdb source: is-7ARTU.tmp.1.dr
Source:	Binary string: C:\temp\build\thehoff\Quicksilver_MR50.560024709388\Quicksilver_MR5\vpn\CommonCrypt\Win32\Release\vpncommoncrypt.pdb source: is-T3UDO.tmp.1.dr

Spreading

Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 7_2_11123570 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,	7_2_11123570
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 7_2_11069690 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,GetLastError,	7_2_11069690
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 7_2_1110BB80 GetLocalTime,wsprintfA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,ExpandEnvironmentStringsA,CreateFileA,timeBeginPeriod,GetLocalTime,timeGetTime,_memset,WriteFile,	7_2_1110BB80
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 7_2_11107FE0 _memset,wsprintfA,wsprintfA,KillTimer,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose,	7_2_11107FE0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 7_2_110BC3D0 GetFileAttributesA,CreateDirectoryA,FindFirstFileA,CopyFileA,CopyFileA,FindNextFileA,FindClose,DrawMenuBar,	7_2_110BC3D0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 7_2_1102CE2D InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,	7_2_1102CE2D
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 7_2_11064E30 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,	7_2_11064E30
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 8_2_1102CE2D InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,	8_2_1102CE2D
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 8_2_11123570 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,	8_2_11123570
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 8_2_1110BB80 GetLocalTime,wsprintfA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,ExpandEnvironmentStringsA,CreateFileA,timeBeginPeriod,GetLocalTime,timeGetTime,_memset,WriteFile,	8_2_1110BB80
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 8_2_11107FE0 _memset,wsprintfA,wsprintfA,KillTimer,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose,	8_2_11107FE0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 8_2_110BC3D0 GetFileAttributesA,CreateDirectoryA,FindFirstFileA,CopyFileA,CopyFileA,FindNextFileA,FindClose,DrawMenuBar,	8_2_110BC3D0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2827745 - Severity 1 - ETPRO MALWARE NetSupport RAT CnC Activity : 192.168.2.4:49741 -> 199.188.200.195:443
Source: Network traffic	Suricata IDS: 2827745 - Severity 1 - ETPRO MALWARE NetSupport RAT CnC Activity : 192.168.2.4:49739 -> 151.236.16.15:443

Yara detected NetSupport Downloader

Source: Yara match	File source: amsi32_6724.amsi.csv, type: OTHER
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\is-D93RQ.tmp\cispn.ps1, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Cisco\unins000.dat, type: DROPPED

NDIS Filter Driver detected (likely used to intercept and sniff network traffic)

Source: is-HI577.tmp.1.dr	Static PE information: Found NDIS imports: FwpsCalloutRegister1, FwpsCalloutRegister0, FwpmFilterDeleteById0, FwpmBfeStateSubscribeChanges0, FwpsCalloutUnregisterById0, FwpmFilterAdd0, FwpsStreamInjectAsync0, FwpsQueryPacketInjectionState0, FwpsInjectTransportReceiveAsync0, FwpsInjectTransportSendAsync0, FwpsConstructIpHeaderForTransportPacket0, FwpsFreeCloneNetBufferList0, FwpsAllocateCloneNetBufferList0, FwpsFreeNetBufferList0, FwpsAllocateNetBufferAndNetBufferList0, FwpsInjectionHandleDestroy0, FwpsInjectionHandleCreate0, FwpsApplyModifiedLayerData0, FwpsAcquireWritableLayerDataPointer0, FwpsReleaseClassifyHandle0, FwpsAcquireClassifyHandle0, FwpmBfeStateUnsubscribeChanges0, FwpmEngineOpen0, FwpmEngineClose0, FwpmTransactionBegin0, FwpmTransactionCommit0, FwpmTransactionAbort0, FwpmProviderAdd0, FwpmProviderDeleteByKey0, FwpmSubLayerAdd0, FwpmSubLayerDeleteByKey0, FwpmCalloutAdd0, FwpmCalloutDeleteById0
Source: is-2J33H.tmp.1.dr	Static PE information: Found NDIS imports: FwpmEngineClose0, FwpmFilterAdd0, FwpmTransactionAbort0, FwpmFilterDeleteById0, FwpmTransactionBegin0, FwpmGetAppIdFromFileName0, FwpmEngineOpen0, FwpmSubLayerDeleteByKey0, FwpmSubLayerAdd0, FwpmTransactionCommit0, FwpmProviderAdd0, FwpmProviderDeleteByKey0

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /location/loca.asp HTTP/1.1Host: geo.netsupportsoftware.comConnection: Keep-AliveCache-Control: no-cache

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 172.67.68.212 172.67.68.212

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: HVC-ASUS HVC-ASUS
Source: Joe Sandbox View	ASN Name: NAMECHEAP-NETUS NAMECHEAP-NETUS

Suricata IDS alerts with low severity for network traffic

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.12.23.50:443 -> 192.168.2.4:49733
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.12.23.50:443 -> 192.168.2.4:49743

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /location/loca.asp HTTP/1.1Host: geo.netsupportsoftware.comConnection: Keep-AliveCache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: payiki.com
Source: global traffic	DNS traffic detected: DNS query: geo.netsupportsoftware.com
Source: global traffic	DNS traffic detected: DNS query: anyhowdo.com

Source: unknown

HTTP traffic detected: POST http://151.236.16.15/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 22Host: 151.236.16.15Connection: Keep-AliveCMD=POLLINFO=1ACK=1Data Raw: Data Ascii:

Source: client32.exe, client32.exe, 00000007.00000002.4143550370.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp	String found in binary or memory: http://%s/fakeurl.htm
Source: powershell.exe, 00000005.00000002.1991259471.0000000005357000.00000004.00000800.00020000.00000000.sdmp, client32.exe, client32.exe, 00000007.00000002.4143550370.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp	String found in binary or memory: http://%s/testpage.htm
Source: powershell.exe, 00000005.00000002.1991259471.0000000005357000.00000004.00000800.00020000.00000000.sdmp, client32.exe, 00000007.00000002.4143550370.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp	String found in binary or memory: http://%s/testpage.htmwininet.dll
Source: client32.exe, client32.exe, 00000008.00000002.2109302873.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2190511917.000000001118F000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://127.0.0.1
Source: client32.exe, 00000007.00000002.4143045081.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.2109302873.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2190511917.000000001118F000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://127.0.0.1RESUMEPRINTING
Source: is-M1NCB.tmp.1.dr, is-C9M46.tmp.1.dr, is-139DF.tmp.1.dr, is-7ARTU.tmp.1.dr, is-BKQ26.tmp.1.dr, is-6FEVR.tmp.1.dr, is-9JGUE.tmp.1.dr, is-T3UDO.tmp.1.dr, is-N867I.tmp.1.dr, is-O6HT8.tmp.1.dr, is-K9DFT.tmp.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: is-M1NCB.tmp.1.dr, is-C9M46.tmp.1.dr, is-139DF.tmp.1.dr, is-7ARTU.tmp.1.dr, is-BKQ26.tmp.1.dr, is-6FEVR.tmp.1.dr, is-9JGUE.tmp.1.dr, is-T3UDO.tmp.1.dr, is-N867I.tmp.1.dr, is-O6HT8.tmp.1.dr, is-K9DFT.tmp.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: is-M1NCB.tmp.1.dr, is-C9M46.tmp.1.dr, is-139DF.tmp.1.dr, is-7ARTU.tmp.1.dr, is-BKQ26.tmp.1.dr, is-6FEVR.tmp.1.dr, is-9JGUE.tmp.1.dr, is-T3UDO.tmp.1.dr, is-N867I.tmp.1.dr, is-O6HT8.tmp.1.dr, is-K9DFT.tmp.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: is-M1NCB.tmp.1.dr, is-C9M46.tmp.1.dr, is-139DF.tmp.1.dr, is-7ARTU.tmp.1.dr, is-BKQ26.tmp.1.dr, is-6FEVR.tmp.1.dr, is-9JGUE.tmp.1.dr, is-T3UDO.tmp.1.dr, is-N867I.tmp.1.dr, is-O6HT8.tmp.1.dr, is-K9DFT.tmp.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: is-M1NCB.tmp.1.dr, is-C9M46.tmp.1.dr, is-139DF.tmp.1.dr, is-7ARTU.tmp.1.dr, is-BKQ26.tmp.1.dr, is-6FEVR.tmp.1.dr, is-9JGUE.tmp.1.dr, is-T3UDO.tmp.1.dr, is-N867I.tmp.1.dr, is-O6HT8.tmp.1.dr, is-K9DFT.tmp.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: powershell.exe, 00000005.00000002.1991259471.00000000051D0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1991259471.0000000005259000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: powershell.exe, 00000005.00000002.2043622253.00000000087D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: powershell.exe, 00000005.00000002.1991259471.0000000005259000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: powershell.exe, 00000005.00000002.1991259471.0000000005259000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: powershell.exe, 00000005.00000002.1991259471.00000000051D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: powershell.exe, 00000005.00000002.1991259471.00000000051D0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1991259471.0000000005259000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: powershell.exe, 00000005.00000002.1991259471.00000000051B4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1991259471.00000000051BE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1991259471.0000000005259000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: is-M1NCB.tmp.1.dr, is-C9M46.tmp.1.dr, is-139DF.tmp.1.dr, is-7ARTU.tmp.1.dr, is-BKQ26.tmp.1.dr, is-6FEVR.tmp.1.dr, is-9JGUE.tmp.1.dr, is-T3UDO.tmp.1.dr, is-N867I.tmp.1.dr, is-O6HT8.tmp.1.dr, is-K9DFT.tmp.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: is-M1NCB.tmp.1.dr, is-C9M46.tmp.1.dr, is-139DF.tmp.1.dr, is-7ARTU.tmp.1.dr, is-BKQ26.tmp.1.dr, is-6FEVR.tmp.1.dr, is-9JGUE.tmp.1.dr, is-T3UDO.tmp.1.dr, is-N867I.tmp.1.dr, is-O6HT8.tmp.1.dr, is-K9DFT.tmp.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: is-M1NCB.tmp.1.dr, is-C9M46.tmp.1.dr, is-139DF.tmp.1.dr, is-7ARTU.tmp.1.dr, is-BKQ26.tmp.1.dr, is-6FEVR.tmp.1.dr, is-9JGUE.tmp.1.dr, is-T3UDO.tmp.1.dr, is-N867I.tmp.1.dr, is-O6HT8.tmp.1.dr, is-K9DFT.tmp.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: is-M1NCB.tmp.1.dr, is-C9M46.tmp.1.dr, is-139DF.tmp.1.dr, is-7ARTU.tmp.1.dr, is-BKQ26.tmp.1.dr, is-6FEVR.tmp.1.dr, is-9JGUE.tmp.1.dr, is-T3UDO.tmp.1.dr, is-N867I.tmp.1.dr, is-O6HT8.tmp.1.dr, is-K9DFT.tmp.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: is-M1NCB.tmp.1.dr, is-C9M46.tmp.1.dr, is-139DF.tmp.1.dr, is-7ARTU.tmp.1.dr, is-BKQ26.tmp.1.dr, is-6FEVR.tmp.1.dr, is-9JGUE.tmp.1.dr, is-T3UDO.tmp.1.dr, is-N867I.tmp.1.dr, is-O6HT8.tmp.1.dr, is-K9DFT.tmp.1.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: is-M1NCB.tmp.1.dr, is-C9M46.tmp.1.dr, is-139DF.tmp.1.dr, is-7ARTU.tmp.1.dr, is-BKQ26.tmp.1.dr, is-6FEVR.tmp.1.dr, is-9JGUE.tmp.1.dr, is-T3UDO.tmp.1.dr, is-N867I.tmp.1.dr, is-O6HT8.tmp.1.dr, is-K9DFT.tmp.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: is-M1NCB.tmp.1.dr, is-C9M46.tmp.1.dr, is-139DF.tmp.1.dr, is-7ARTU.tmp.1.dr, is-BKQ26.tmp.1.dr, is-6FEVR.tmp.1.dr, is-9JGUE.tmp.1.dr, is-T3UDO.tmp.1.dr, is-N867I.tmp.1.dr, is-O6HT8.tmp.1.dr, is-K9DFT.tmp.1.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: powershell.exe, 00000005.00000002.1991259471.0000000005259000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: powershell.exe, 00000005.00000002.1991259471.0000000005259000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: powershell.exe, 00000005.00000002.1991259471.00000000051D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: powershell.exe, 00000005.00000002.1991259471.00000000051D0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1991259471.0000000005259000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: client32.exe, client32.exe, 00000008.00000002.2109302873.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2190511917.000000001118F000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.asp
Source: client32.exe, 00000007.00000003.1987647210.000000000051A000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000007.00000002.4141461447.000000000053D000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000007.00000003.1989580496.000000000051E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspA5
Source: client32.exe, 00000007.00000003.1987647210.000000000051A000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000007.00000002.4141461447.000000000053D000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000007.00000003.1989580496.000000000051E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspPi
Source: client32.exe, 00000007.00000002.4143045081.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.2109302873.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2190511917.000000001118F000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspSetChannel(%s)
Source: powershell.exe, 00000005.00000002.2009549925.0000000006786000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000005.00000002.1991259471.00000000051D0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1991259471.0000000005259000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: is-M1NCB.tmp.1.dr, is-C9M46.tmp.1.dr, is-139DF.tmp.1.dr, is-7ARTU.tmp.1.dr, is-BKQ26.tmp.1.dr, is-6FEVR.tmp.1.dr, is-9JGUE.tmp.1.dr, is-T3UDO.tmp.1.dr, is-N867I.tmp.1.dr, is-O6HT8.tmp.1.dr, is-K9DFT.tmp.1.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: is-M1NCB.tmp.1.dr, is-C9M46.tmp.1.dr, is-139DF.tmp.1.dr, is-7ARTU.tmp.1.dr, is-BKQ26.tmp.1.dr, is-6FEVR.tmp.1.dr, is-9JGUE.tmp.1.dr, is-T3UDO.tmp.1.dr, is-N867I.tmp.1.dr, is-O6HT8.tmp.1.dr, is-K9DFT.tmp.1.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: is-M1NCB.tmp.1.dr, is-C9M46.tmp.1.dr, is-139DF.tmp.1.dr, is-7ARTU.tmp.1.dr, is-BKQ26.tmp.1.dr, is-6FEVR.tmp.1.dr, is-9JGUE.tmp.1.dr, is-T3UDO.tmp.1.dr, is-N867I.tmp.1.dr, is-O6HT8.tmp.1.dr, is-K9DFT.tmp.1.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: is-M1NCB.tmp.1.dr, is-C9M46.tmp.1.dr, is-139DF.tmp.1.dr, is-7ARTU.tmp.1.dr, is-BKQ26.tmp.1.dr, is-6FEVR.tmp.1.dr, is-9JGUE.tmp.1.dr, is-T3UDO.tmp.1.dr, is-N867I.tmp.1.dr, is-O6HT8.tmp.1.dr, is-K9DFT.tmp.1.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: powershell.exe, 00000005.00000002.1991259471.00000000051D0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1991259471.0000000005259000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: powershell.exe, 00000005.00000002.1991259471.00000000051B4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1991259471.00000000051BE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1991259471.0000000005259000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.thawte.com0
Source: powershell.exe, 00000005.00000002.1991259471.0000000004E73000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: is-O6HT8.tmp.1.dr, is-FRTV6.tmp.1.dr	String found in binary or memory: http://relaxng.org/ns/structure/1.0
Source: powershell.exe, 00000005.00000002.1991259471.0000000005357000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1991259471.0000000005259000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: powershell.exe, 00000005.00000002.1991259471.0000000005357000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1991259471.0000000005259000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://s2.symcb.com0
Source: powershell.exe, 00000005.00000002.1991259471.0000000005677000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1991259471.0000000004E73000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000005.00000002.1991259471.0000000004D21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000005.00000002.1991259471.0000000005677000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1991259471.0000000004E73000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000005.00000002.1991259471.0000000004E73000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1991259471.00000000051BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sf.symcb.com/sf.crl0f
Source: powershell.exe, 00000005.00000002.1991259471.0000000004E73000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1991259471.00000000051BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sf.symcb.com/sf.crt0
Source: powershell.exe, 00000005.00000002.1991259471.0000000004E73000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1991259471.00000000051BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sf.symcd.com0&
Source: powershell.exe, 00000005.00000002.1991259471.0000000005357000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1991259471.0000000005259000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crl0f
Source: powershell.exe, 00000005.00000002.1991259471.0000000005357000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1991259471.0000000005259000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: powershell.exe, 00000005.00000002.1991259471.0000000005357000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1991259471.0000000005259000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcd.com0&
Source: powershell.exe, 00000005.00000002.1991259471.00000000051B4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1991259471.00000000051BE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1991259471.0000000005259000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: powershell.exe, 00000005.00000002.1991259471.00000000051B4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1991259471.00000000051BE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1991259471.0000000005259000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: powershell.exe, 00000005.00000002.1991259471.00000000051B4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1991259471.00000000051BE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1991259471.0000000005259000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: powershell.exe, 00000005.00000002.1991259471.0000000004E73000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: is-C1171.tmp.1.dr	String found in binary or memory: http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect40/user/guide/b_Androi
Source: is-M1NCB.tmp.1.dr, is-C9M46.tmp.1.dr, is-139DF.tmp.1.dr, is-7ARTU.tmp.1.dr, is-BKQ26.tmp.1.dr, is-6FEVR.tmp.1.dr, is-9JGUE.tmp.1.dr, is-T3UDO.tmp.1.dr, is-N867I.tmp.1.dr, is-O6HT8.tmp.1.dr, is-K9DFT.tmp.1.dr	String found in binary or memory: http://www.cisco.com0
Source: is-M1NCB.tmp.1.dr, is-C9M46.tmp.1.dr, is-139DF.tmp.1.dr, is-7ARTU.tmp.1.dr, is-BKQ26.tmp.1.dr, is-6FEVR.tmp.1.dr, is-9JGUE.tmp.1.dr, is-T3UDO.tmp.1.dr, is-N867I.tmp.1.dr, is-O6HT8.tmp.1.dr, is-K9DFT.tmp.1.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: client32.exe, 00000007.00000002.4143093821.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.2109384742.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2190553256.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://www.netsupportschool.com/tutor-assistant.asp
Source: client32.exe, 00000007.00000002.4143093821.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.2109384742.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2190553256.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://www.netsupportschool.com/tutor-assistant.asp11(
Source: powershell.exe, 00000005.00000002.1991259471.0000000004E73000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1991259471.00000000051BE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1991259471.0000000005259000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.netsupportsoftware.com
Source: client32.exe, 00000007.00000002.4143093821.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.2109384742.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2190553256.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://www.pci.co.uk/support
Source: client32.exe, 00000007.00000002.4143093821.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.2109384742.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2190553256.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://www.pci.co.uk/supportsupport
Source: powershell.exe, 00000005.00000002.1991259471.0000000005357000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1991259471.0000000005259000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/cps0(
Source: powershell.exe, 00000005.00000002.1991259471.0000000005357000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1991259471.0000000005259000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/rpa00
Source: powershell.exe, 00000005.00000002.1991259471.0000000004D21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000005.00000002.2009549925.0000000006786000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000005.00000002.2009549925.0000000006786000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000005.00000002.2009549925.0000000006786000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000005.00000002.1991259471.0000000005357000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1991259471.0000000004E73000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1991259471.00000000051BE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1991259471.0000000005259000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/cps0%
Source: powershell.exe, 00000005.00000002.1991259471.0000000005357000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1991259471.0000000004E73000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1991259471.00000000051BE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1991259471.0000000005259000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0
Source: powershell.exe, 00000005.00000002.1991259471.0000000004E73000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: CiscoSetup.exe	String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: powershell.exe, 00000005.00000002.2009549925.0000000006786000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000005.00000002.1991259471.00000000051D0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1991259471.0000000005259000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr	String found in binary or memory: https://sectigo.com/CPS0
Source: powershell.exe, 00000005.00000002.1991259471.00000000051D0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1991259471.0000000005259000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr	String found in binary or memory: https://sectigo.com/CPS0D
Source: CiscoSetup.exe, 00000000.00000003.2094322756.0000000000ED3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.cisco.com
Source: CiscoSetup.exe, 00000000.00000003.2094322756.0000000000EE1000.00000004.00001000.00020000.00000000.sdmp, CiscoSetup.tmp, 00000001.00000003.2087307462.00000000029D1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.cisco.com/support
Source: CiscoSetup.exe, 00000000.00000003.2094322756.0000000000EE1000.00000004.00001000.00020000.00000000.sdmp, CiscoSetup.tmp, 00000001.00000003.2087307462.00000000029D1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.cisco.com/update
Source: CiscoSetup.tmp, 00000001.00000003.2087307462.00000000029BC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.cisco.comQ9
Source: is-M1NCB.tmp.1.dr, is-C9M46.tmp.1.dr, is-139DF.tmp.1.dr, is-7ARTU.tmp.1.dr, is-BKQ26.tmp.1.dr, is-6FEVR.tmp.1.dr, is-9JGUE.tmp.1.dr, is-T3UDO.tmp.1.dr, is-N867I.tmp.1.dr, is-O6HT8.tmp.1.dr, is-K9DFT.tmp.1.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: CiscoSetup.tmp, 00000001.00000003.2076122927.0000000005660000.00000004.00001000.00020000.00000000.sdmp, is-1V30U.tmp.1.dr	String found in binary or memory: https://www.iminunet.com
Source: CiscoSetup.tmp, 00000001.00000003.2076122927.0000000005660000.00000004.00001000.00020000.00000000.sdmp, is-1V30U.tmp.1.dr	String found in binary or memory: https://www.iminunet.comPara
Source: is-C1171.tmp.1.dr	String found in binary or memory: https://www.immunet.com
Source: CiscoSetup.tmp, 00000001.00000003.2076122927.0000000005660000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.immunet.com.
Source: CiscoSetup.tmp, 00000001.00000003.2076122927.0000000005660000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.immunet.comAby
Source: CiscoSetup.tmp, 00000001.00000003.2076122927.0000000005660000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.immunet.comVoor
Source: CiscoSetup.exe, 00000000.00000003.1688495970.000000007EF3B000.00000004.00001000.00020000.00000000.sdmp, CiscoSetup.exe, 00000000.00000003.1688004235.0000000002B60000.00000004.00001000.00020000.00000000.sdmp, CiscoSetup.tmp, 00000001.00000000.1690462646.0000000000481000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: https://www.innosetup.com/
Source: CiscoSetup.exe, 00000000.00000003.1688495970.000000007EF3B000.00000004.00001000.00020000.00000000.sdmp, CiscoSetup.exe, 00000000.00000003.1688004235.0000000002B60000.00000004.00001000.00020000.00000000.sdmp, CiscoSetup.tmp, 00000001.00000000.1690462646.0000000000481000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: https://www.remobjects.com/ps

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality for read data from the clipboard

Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe

Code function: 7_2_1101F360 OpenClipboard,GlobalAlloc,GlobalLock,_memmove,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,MessageBeep,CloseClipboard,

7_2_1101F360

Contains functionality to modify clipboard data

Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 7_2_1101F360 OpenClipboard,GlobalAlloc,GlobalLock,_memmove,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,MessageBeep,CloseClipboard,	7_2_1101F360
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 7_2_11032930 GetClipboardFormatNameA,SetClipboardData,	7_2_11032930
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 8_2_1101F360 OpenClipboard,GlobalAlloc,GlobalLock,_memmove,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,MessageBeep,CloseClipboard,	8_2_1101F360
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 8_2_11032930 GetClipboardFormatNameA,SetClipboardData,	8_2_11032930

Contains functionality to read the clipboard data

Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe

Code function: 7_2_11031AC0 IsClipboardFormatAvailable,GetClipboardData,GlobalSize,GlobalLock,_memmove,GlobalUnlock,

7_2_11031AC0

Contains functionality to record screenshots

Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe

Code function: 7_2_11007720 LoadCursorA,SetCursor,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,CreateDCA,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,SelectClipRgn,BitBlt,SelectClipRgn,DeleteObject,DeleteDC,BitBlt,ReleaseDC,CreatePen,CreateSolidBrush,GetSysColor,LoadBitmapA,_memset,_swscanf,CreateFontIndirectA,_memset,GetStockObject,GetObjectA,CreateFontIndirectA,GetWindowRect,SetWindowTextA,GetSystemMetrics,GetSystemMetrics,SetWindowPos,UpdateWindow,SetCursor,

7_2_11007720

Yara detected Keylogger Generic

Source: Yara match	File source: 7.2.client32.exe.111b3308.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.client32.exe.111b3308.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.client32.exe.111b3308.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2109302873.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4143045081.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2190511917.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: client32.exe PID: 3052, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: client32.exe PID: 1516, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: client32.exe PID: 4124, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Cisco\PCICL32.DLL, type: DROPPED

E-Banking Fraud

Drops certificate files (DER)

Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-40G52.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-DN046.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\acsock64.cat (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\vpnva-6.cat (copy)	Jump to dropped file

Spam, unwanted Advertisements and Ransom Demands

Contains functionalty to change the wallpaper

Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 7_2_11112840 SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA,		7_2_11112840
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 8_2_11112840 SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA,		8_2_11112840

System Summary

Malicious sample detected (through community Yara rule)

Source: amsi32_6724.amsi.csv, type: OTHER	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 6724, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Cisco\pcicapi.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Cisco\remcmdstub.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Cisco\HTCTL32.DLL	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Cisco\PCICHEK.DLL	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Cisco\PCICL32.DLL	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Cisco\TCCTL32.DLL	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Cisco\msvcr100.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Cisco\AudioCapture.dll	Jump to dropped file

Abnormal high CPU Usage

Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe

Process Stats: CPU usage > 49%

Contains functionality to communicate with device drivers

Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe

Code function: 7_2_110A9240: DeviceIoControl,

7_2_110A9240

Contains functionality to launch a process as a different user

Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe

Code function: 7_2_1115A340 FindWindowA,_memset,CreateProcessAsUserA,GetLastError,WinExec,CloseHandle,CloseHandle,CloseHandle,WinExec,

7_2_1115A340

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 7_2_1102CE2D InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,		7_2_1102CE2D
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 8_2_1102CE2D InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,		8_2_1102CE2D

Detected potential crypto function

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_089C3730	5_2_089C3730
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 7_2_11029230	7_2_11029230
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 7_2_11072460	7_2_11072460
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 7_2_1115B180	7_2_1115B180
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 7_2_1107F520	7_2_1107F520
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 7_2_1101B980	7_2_1101B980
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 7_2_1115F9F0	7_2_1115F9F0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 7_2_1101BDC0	7_2_1101BDC0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 7_2_11163C55	7_2_11163C55
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 7_2_11050430	7_2_11050430
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 7_2_110088DB	7_2_110088DB
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 7_2_1101CBE0	7_2_1101CBE0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 7_2_11032A60	7_2_11032A60
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 7_2_11086DA0	7_2_11086DA0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 7_2_11044C60	7_2_11044C60
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 7_2_6859A980	7_2_6859A980
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 7_2_685C4910	7_2_685C4910
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 7_2_685C3923	7_2_685C3923
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 7_2_6859DBA0	7_2_6859DBA0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 7_2_685C3DB8	7_2_685C3DB8
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 7_2_685CA063	7_2_685CA063
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 7_2_685C4156	7_2_685C4156
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 7_2_68591310	7_2_68591310
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 8_2_1115B180	8_2_1115B180
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 8_2_11029230	8_2_11029230
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 8_2_1107F520	8_2_1107F520
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 8_2_1101B980	8_2_1101B980
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 8_2_1115F9F0	8_2_1115F9F0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 8_2_1101BDC0	8_2_1101BDC0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 8_2_11163C55	8_2_11163C55
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 8_2_11050430	8_2_11050430
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 8_2_11072460	8_2_11072460
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 8_2_110088DB	8_2_110088DB
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 8_2_1101CBE0	8_2_1101CBE0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 8_2_11032A60	8_2_11032A60
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 8_2_11086DA0	8_2_11086DA0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 8_2_11044C60	8_2_11044C60

Enables security privileges

Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe

Process token adjusted: Security

Jump to behavior

Found potential string decryption / allocating functions

Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: String function: 685A7D00 appears 106 times
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: String function: 685A7A90 appears 50 times
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: String function: 685930A0 appears 42 times
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: String function: 11142A60 appears 1040 times
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: String function: 685B9480 appears 36 times
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: String function: 68596F50 appears 143 times
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: String function: 11080C50 appears 63 times
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: String function: 1116B7E0 appears 54 times
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: String function: 1115CBB3 appears 92 times
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: String function: 110290F0 appears 1872 times
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: String function: 1105D340 appears 484 times
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: String function: 1109CBD0 appears 32 times
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: String function: 111434D0 appears 42 times
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: String function: 1105D470 appears 40 times
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: String function: 11027550 appears 94 times
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: String function: 11160790 appears 64 times

PE file contains executable resources (Code or Archives)

Source: CiscoSetup.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-BOBU7.tmp.1.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-LMS1D.tmp.1.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS

PE file contains more sections than normal

Source: CiscoSetup.tmp.0.dr	Static PE information: Number of sections : 11 > 10
Source: is-BOBU7.tmp.1.dr	Static PE information: Number of sections : 11 > 10
Source: CiscoSetup.exe	Static PE information: Number of sections : 11 > 10

Sample file is different than original file name gathered from version info

Source: CiscoSetup.exe, 00000000.00000003.1688495970.000000007F22B000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs CiscoSetup.exe
Source: CiscoSetup.exe, 00000000.00000000.1682587708.0000000000779000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileName vs CiscoSetup.exe
Source: CiscoSetup.exe, 00000000.00000003.1688004235.0000000002C6F000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs CiscoSetup.exe
Source: CiscoSetup.exe	Binary or memory string: OriginalFileName vs CiscoSetup.exe

Uses 32bit PE files

Source: CiscoSetup.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: amsi32_6724.amsi.csv, type: OTHER	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 6724, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: classification engine

Classification label: mal54.rans.troj.evad.winEXE@10/537@3/3

Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe

Code function: 7_2_11059270 GetLastError,FormatMessageA,LocalFree,

7_2_11059270

Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 7_2_1109C750 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,	7_2_1109C750
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 7_2_1109C7E0 AdjustTokenPrivileges,CloseHandle,	7_2_1109C7E0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 8_2_1109C750 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,	8_2_1109C750
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 8_2_1109C7E0 AdjustTokenPrivileges,CloseHandle,	8_2_1109C7E0

Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe

Code function: 7_2_11095C90 GetTickCount,CoInitialize,CLSIDFromProgID,CoCreateInstance,CoUninitialize,

7_2_11095C90

Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe

Code function: 7_2_11088290 FindResourceA,LoadResource,LockResource,

7_2_11088290

Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp

File created: C:\Program Files (x86)\Cisco

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Cisco

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2336:120:WilError_03

Source: C:\Users\user\Desktop\CiscoSetup.exe

File created: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp

Jump to behavior

Source: C:\Users\user\Desktop\CiscoSetup.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\CiscoSetup.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp

File read: C:\Program Files (x86)\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\CiscoSetup.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Jump to behavior

Source: CiscoSetup.exe

String found in binary or memory: /LOADINF="filename"

Source: C:\Users\user\Desktop\CiscoSetup.exe

File read: C:\Users\user\Desktop\CiscoSetup.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\CiscoSetup.exe "C:\Users\user\Desktop\CiscoSetup.exe"
Source: C:\Users\user\Desktop\CiscoSetup.exe	Process created: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp "C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp" /SL5="$2041A,13456411,1058304,C:\Users\user\Desktop\CiscoSetup.exe"
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-D93RQ.tmp\cispn.ps1"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\Cisco\client32.exe "C:\Users\user\AppData\Roaming\Cisco\client32.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Cisco\client32.exe "C:\Users\user\AppData\Roaming\Cisco\client32.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Cisco\client32.exe "C:\Users\user\AppData\Roaming\Cisco\client32.exe"
Source: C:\Users\user\Desktop\CiscoSetup.exe	Process created: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp "C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp" /SL5="$2041A,13456411,1058304,C:\Users\user\Desktop\CiscoSetup.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-D93RQ.tmp\cispn.ps1"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\Cisco\client32.exe "C:\Users\user\AppData\Roaming\Cisco\client32.exe"	Jump to behavior

Source: C:\Users\user\Desktop\CiscoSetup.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\CiscoSetup.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: pcicl32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: pcichek.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: pcicapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: dbgcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: nsmtrace.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: nslsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: pcihooks.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: riched32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: pciinv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: pcicl32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: pcichek.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: pcicapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: nsmtrace.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: nslsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: pcicl32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: pcichek.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: pcicapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: nsmtrace.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: nslsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Section loaded: msasn1.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: Cisco Secure Client for Windows.lnk.1.dr

LNK file: ..\..\..\..\..\..\Program Files (x86)\Cisco\Cisco Secure Client\UI\csc_ui.exe

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File written: C:\Users\user\AppData\Roaming\Cisco\nsm_vpro.ini

Jump to behavior

Reads the Windows registered owner settings

Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Jump to behavior

Executable creates window controls seldom found in malware

Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp

Window found: window name: TSelectLanguageForm

Jump to behavior

Found GUI installer (many successful clicks)

Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Automated click: Install
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Automated click: Next

Uses Rich Edit Controls

Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe

File opened: C:\Windows\SysWOW64\riched32.dll

Jump to behavior

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Uses Microsoft Silverlight

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

PE / OLE file has a valid certificate

Source: CiscoSetup.exe

Static PE information: certificate valid

Submission file is bigger than most known malware samples

Source: CiscoSetup.exe

Static file information: File size 16877888 > 1048576

Uses new MSVCR Dlls

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Users\user\AppData\Roaming\Cisco\msvcr100.dll

Jump to behavior

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: CiscoSetup.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Binary contains paths to debug symbols

Source:	Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Full\pcichek.pdb source: client32.exe, 00000007.00000002.4143990636.00000000688B2000.00000002.00000001.01000000.0000000C.sdmp, client32.exe, 00000008.00000002.2110324547.00000000688B2000.00000002.00000001.01000000.0000000C.sdmp, client32.exe, 0000000A.00000002.2191144837.00000000688B2000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\client32\Release\PCICL32.pdb source: client32.exe, 00000007.00000002.4143045081.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.2109302873.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2190511917.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: C:\Users\build\p4files\ngc\Quicksilver\third-party\openssl\out.win.7.x86\ciscossl-1.1.1t.7.2.500\engines\cfom\cfom.pdb source: is-N867I.tmp.1.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdbL source: powershell.exe, 00000005.00000002.1991259471.0000000005357000.00000004.00000800.00020000.00000000.sdmp, client32.exe, 00000007.00000002.4143550370.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: client32.pdb\1141\1141\client32\Release\client32.pdb source: powershell.exe, 00000005.00000002.1991259471.0000000005259000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\temp\build\thehoff\Quicksilver_MR50.560024709388\Quicksilver_MR5\vpn\ExternalBrowserHelper\Win32\Win32\Release\acextwebhelper.pdb666GCTL source: is-K9DFT.tmp.1.dr
Source:	Binary string: C:\temp\build\thehoff\Quicksilver_MR50.560024709388\Quicksilver_MR5\vpn\ProxyCon\Win32\Release\ProxyCon.pdb source: is-139DF.tmp.1.dr
Source:	Binary string: C:\temp\build\thehoff\Quicksilver_MR50.560024709388\Quicksilver_MR5\ACRuntime\Release\acruntime.pdb source: is-FRTV6.tmp.1.dr
Source:	Binary string: E:\nsmsrc\nsm\1280\1280f\ctl32\release_unicode\tcctl32.pdbP` source: powershell.exe, 00000005.00000002.1991259471.0000000005259000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr
Source:	Binary string: d:\a01\_work\11\s\\binaries\x86ret\bin\i386\\msvcp140_2.i386.pdb source: is-0IGCD.tmp.1.dr
Source:	Binary string: \1141\1141\client32\Release\client32.pdb source: powershell.exe, 00000005.00000002.1991259471.0000000005259000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\temp\build\thehoff\Quicksilver_MR50.560024709388\Quicksilver_MR5\vpn\IPsec\Win32\Release\vpnipsec.pdb source: is-M1NCB.tmp.1.dr
Source:	Binary string: C:\temp\build\thehoff\Quicksilver_MR50.560024709388\Quicksilver_MR5\vpn\CommonCrypt\Win32\Release\vpncommoncrypt.pdb]]]GCTL source: is-T3UDO.tmp.1.dr
Source:	Binary string: System.Management.Automation.pdb-2476756634-1002_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32AppData source: powershell.exe, 00000005.00000002.2043735068.0000000008824000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\temp\build\thehoff\Quicksilver_MR50.560024709388\Quicksilver_MR5\vpn\CLI\Win32\Release\vpncli.pdb+++GCTL source: is-7ARTU.tmp.1.dr
Source:	Binary string: C:\temp\build\thehoff\Quicksilver_MR50.560024709388\Quicksilver_MR5\PhoneHome\Win32\Release\acfeedback.pdb source: is-O6HT8.tmp.1.dr
Source:	Binary string: msvcr100.i386.pdb source: powershell.exe, 00000005.00000002.1991259471.0000000005357000.00000004.00000800.00020000.00000000.sdmp, client32.exe, client32.exe, 00000007.00000002.4143689896.00000000687D1000.00000020.00000001.01000000.0000000E.sdmp, client32.exe, 00000008.00000002.2109997806.00000000687D1000.00000020.00000001.01000000.0000000E.sdmp, client32.exe, 0000000A.00000002.2190902884.00000000687D1000.00000020.00000001.01000000.0000000E.sdmp
Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2038900255.000000000777A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\nsmsrc\nsm\1280\1280f\ctl32\release_unicode\tcctl32.pdb source: powershell.exe, 00000005.00000002.1991259471.0000000005259000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr
Source:	Binary string: C:\temp\build\thehoff\Quicksilver_MR50.560024709388\Quicksilver_MR5\vpn\InstallHelper\x64\Release\InstallHelper64.pdb source: is-BKQ26.tmp.1.dr
Source:	Binary string: C:\temp\build\thehoff\Quicksilver_MR50.560024709388\Quicksilver_MR5\vpn\InstallHelper\x64\Release\InstallHelper64.pdb; source: is-BKQ26.tmp.1.dr
Source:	Binary string: C:\temp\build\thehoff\Quicksilver_MR50.560024709388\Quicksilver_MR5\vpn\ProxyCon\Win32\Release\ProxyCon.pdb)))GCTL source: is-139DF.tmp.1.dr
Source:	Binary string: client32.pdb source: powershell.exe, 00000005.00000002.1991259471.0000000005259000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: E:\nsmsrc\nsm\1210\1210\AudioCapture\Release\AudioCapture.pdb source: powershell.exe, 00000005.00000002.1991259471.0000000005259000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\temp\build\thehoff\Quicksilver_MR50.560024709388\Quicksilver_MR5\PhoneHome\Win32\Release\acfeedback.pdbMM/GCTL source: is-O6HT8.tmp.1.dr
Source:	Binary string: C:\temp\build\thehoff\Quicksilver_MR50.560024709388\Quicksilver_MR5\ACRuntime\Release\acruntime.pdbjjKGCTL source: is-FRTV6.tmp.1.dr
Source:	Binary string: C:\temp\build\thehoff\Quicksilver_MR50.560024709388\Quicksilver_MR5\vpn\ExternalBrowserHelper\Win32\Win32\Release\acextwebhelper.pdb source: is-K9DFT.tmp.1.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdb source: powershell.exe, 00000005.00000002.1991259471.0000000005357000.00000004.00000800.00020000.00000000.sdmp, client32.exe, 00000007.00000002.4143550370.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Release\pcicapi.pdb source: client32.exe, 00000007.00000002.4143874760.0000000068895000.00000002.00000001.01000000.0000000D.sdmp, client32.exe, 00000008.00000002.2110207513.0000000068895000.00000002.00000001.01000000.0000000D.sdmp, client32.exe, 0000000A.00000002.2191058031.0000000068895000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: C:\temp\build\thehoff\Quicksilver_MR50.560024709388\Quicksilver_MR5\vpn\CLI\Win32\Release\vpncli.pdb source: is-7ARTU.tmp.1.dr
Source:	Binary string: C:\temp\build\thehoff\Quicksilver_MR50.560024709388\Quicksilver_MR5\vpn\CommonCrypt\Win32\Release\vpncommoncrypt.pdb source: is-T3UDO.tmp.1.dr

Data Obfuscation

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Anti Malware Scan Interface: FromBase64String($base64Content);[System.IO.File]::WriteAllBytes($zipFileName, $decodedBytes);New-Item -ItemType Directory -Path $destinationPath;Expand-Archive -Path $zipFileName -DestinationPath $de

Contains functionality to dynamically determine API calls

Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe

Code function: 7_2_11029230 GetTickCount,LoadLibraryA,GetProcAddress,SetLastError,GetProcAddress,GetLastError,_free,GetProcAddress,GetProcAddress,InternetOpenA,SetLastError,SetLastError,SetLastError,_free,GetProcAddress,SetLastError,GetProcAddress,InternetConnectA,GetProcAddress,SetLastError,SetLastError,GetProcAddress,SetLastError,GetProcAddress,SetLastError,GetLastError,GetProcAddress,SetLastError,GetLastError,GetDesktopWindow,GetProcAddress,SetLastError,GetProcAddress,SetLastError,GetProcAddress,SetLastError,FreeLibrary,

7_2_11029230

PE file contains sections with non-standard names

Source: CiscoSetup.exe	Static PE information: section name: .didata
Source: CiscoSetup.tmp.0.dr	Static PE information: section name: .didata
Source: is-BOBU7.tmp.1.dr	Static PE information: section name: .didata
Source: is-N867I.tmp.1.dr	Static PE information: section name: fipstx
Source: is-N867I.tmp.1.dr	Static PE information: section name: fipsro
Source: is-N867I.tmp.1.dr	Static PE information: section name: fipsda
Source: is-N867I.tmp.1.dr	Static PE information: section name: fsig
Source: is-N867I.tmp.1.dr	Static PE information: section name: fipsrd
Source: is-BKQ26.tmp.1.dr	Static PE information: section name: _RDATA
Source: is-HL1L8.tmp.1.dr	Static PE information: section name: _RDATA
Source: is-42UFL.tmp.1.dr	Static PE information: section name: .orpc
Source: is-DSLII.tmp.1.dr	Static PE information: section name: .00cfg
Source: is-DSLII.tmp.1.dr	Static PE information: section name: .voltbl
Source: PCICL32.DLL.5.dr	Static PE information: section name: .hhshare

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_0345C492 pushad ; ret	5_2_0345C493
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_034531FA pushfd ; ret	5_2_03453209
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_07AF7712 push dword ptr [ebp+ebx-75h]; iretd	5_2_07AF7716
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_07AF75D8 push FFFFFFE8h; retf	5_2_07AF75E1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_07AF1377 push FFFFFFE8h; ret	5_2_07AF1379
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_07AF0003 push FFFFFFC3h; ret	5_2_07AF007E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_07AF0F6F push FFFFFFE8h; retf	5_2_07AF0F71
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_07AF9CE5 push FFFFFFE8h; ret	5_2_07AF9CE9
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 7_2_1116B825 push ecx; ret	7_2_1116B838
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 7_2_11166719 push ecx; ret	7_2_1116672C
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 7_2_11040641 push 3BFFFFFEh; ret	7_2_11040646
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 7_2_685C6BBF push ecx; ret	7_2_685C6BD2
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 7_2_685C4DF5 push 685C43F9h; retf	7_2_685C4E1F
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 7_2_685B8377 push 3BFFFFFFh; retf	7_2_685B837C
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 7_2_685BE36C push edi; ret	7_2_685BE37B
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 8_2_1116B825 push ecx; ret	8_2_1116B838
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 8_2_1104E56B push ecx; retf 0007h	8_2_1104E56C
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 8_2_11166719 push ecx; ret	8_2_1116672C
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 8_2_11040641 push 3BFFFFFEh; ret	8_2_11040646

Source: is-Q67GI.tmp.1.dr	Static PE information: section name: .text entropy: 6.8383653762559575
Source: msvcr100.dll.5.dr	Static PE information: section name: .text entropy: 6.909044922675825

Persistence and Installation Behavior

Drops PE files

Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\ProxyCon.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\Setup\5.0.00923\csc_ui_toast.dll (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Cisco\remcmdstub.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-0E14V.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-MJ3RA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-Q67GI.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\Plugins\acdownloader.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\vpnipsec.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-HL1L8.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-24FVM.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-7A47V.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-T3UDO.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\msvcp140_2.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\Setup\csc_ui_setup.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\acwebhelper.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-N867I.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-9JGUE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-LO7QV.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-13C42.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-O6HT8.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Cisco\TCCTL32.DLL	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\csc_ui_toast.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\vpnapishim.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\acsock64.sys (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-2J33H.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\Plugins\is-LMS1D.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\boost_system.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Users\user\AppData\Local\Temp\is-D93RQ.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-K9DFT.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\vpnmgmttun.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\msvcp140.dll (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Cisco\PCICHEK.DLL	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Cisco\msvcr100.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-C8R9M.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\vpncli.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\Setup\5.0.00923\is-FCDNQ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-6FEVR.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-FRTV6.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\cfom.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\zlib1.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-0IGCD.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-UP6H5.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\InstallHelper.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\InstallHelper64.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\is-BSCSU.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-3H81M.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-139DF.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\msvcp140_1.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\ac_sock_fltr_api.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\boost_thread.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\acciscocrypto.dll (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Cisco\AudioCapture.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\acextwebhelper.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-KC1BF.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\vpnagentutilities.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-ULT5V.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Cisco\pcicapi.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-M1NCB.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\VACon64.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\Uninstall.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\acfeedback.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\vpncommoncrypt.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-LU7CG.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\vpnapi.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-T40JR.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\concrt140.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\vpnagent.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-PS1DU.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-C9M46.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\is-AB2VI.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-GKS0T.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\boost_filesystem.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-RJSOM.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-O7USL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-QC4EE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-K8IRC.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-O8UOD.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\acwebhelper.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\acruntime.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\accurl.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\CiscoSetup.exe	File created: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpndownloader.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\is-8QMTQ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\vpnva64-6.sys (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\Setup\5.0.00923\csc_ui.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-7ARTU.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\boost_chrono.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-3MUNV.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\Setup\is-V7O6A.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\acciscossl.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\vccorlib140.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\WebView2Loader.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\Setup\5.0.00923\is-0667M.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Cisco\HTCTL32.DLL	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-HI577.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\boost_date_time.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\csc_ui.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-42UFL.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Cisco\PCICL32.DLL	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\vpndownloader.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\vcruntime140.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-BKQ26.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\vpncommon.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\is-BOBU7.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-DSLII.tmp	Jump to dropped file

Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 7_2_685A7030 ctl_open,LoadLibraryA,InitializeCriticalSection,CreateEventA,CreateEventA,CreateEventA,CreateEventA,WSAStartup,_malloc,_memset,_calloc,_malloc,_memset,_malloc,_memset,GetTickCount,CreateThread,SetThreadPriority,GetModuleFileNameA,GetPrivateProfileIntA,GetModuleHandleA,CreateMutexA,timeBeginPeriod,	7_2_685A7030
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 7_2_685950E0 CreateFileA,wsprintfA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,CreateFileA,GetFileSize,GetPrivateProfileIntA,SetFilePointer,FlushFileBuffers,CloseHandle,wsprintfA,CreateFileA,__itow,WritePrivateProfileStringA,	7_2_685950E0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 7_2_68595117 GetPrivateProfileIntA,wsprintfA,CreateFileA,GetFileSize,GetPrivateProfileIntA,SetFilePointer,FlushFileBuffers,CloseHandle,wsprintfA,CreateFileA,__itow,WritePrivateProfileStringA,	7_2_68595117

Boot Survival

Stores files to the Windows start menu directory

Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Cisco			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Cisco\Cisco Secure Client for Windows.lnk			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MyApp			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MyApp			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 7_2_110251B0 SetWindowPos,GetMenu,DrawMenuBar,GetMenu,DeleteMenu,UpdateWindow,IsIconic,SetTimer,KillTimer,	7_2_110251B0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 7_2_111575D0 IsIconic,ShowWindow,BringWindowToTop,IsWindow,IsIconic,ShowWindow,BringWindowToTop,	7_2_111575D0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 7_2_111575D0 IsIconic,ShowWindow,BringWindowToTop,IsWindow,IsIconic,ShowWindow,BringWindowToTop,	7_2_111575D0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 7_2_11025600 IsIconic,BringWindowToTop,GetCurrentThreadId,	7_2_11025600
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 7_2_111579D0 _memset,SendMessageA,SendMessageA,ShowWindow,SendMessageA,IsIconic,IsZoomed,ShowWindow,GetDesktopWindow,TileWindows,	7_2_111579D0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 7_2_110238D0 BringWindowToTop,SetWindowPos,SetWindowPos,SetWindowPos,GetWindowLongA,SetWindowLongA,GetDlgItem,EnableWindow,GetMenu,DeleteMenu,DrawMenuBar,SetWindowPos,IsIconic,UpdateWindow,SetTimer,KillTimer,	7_2_110238D0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 7_2_110BFDD0 IsIconic,ShowWindow,BringWindowToTop,GetCurrentThreadId,	7_2_110BFDD0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 7_2_11023FB0 _memset,_strncpy,_memset,_strncpy,IsWindow,IsIconic,BringWindowToTop,GetCurrentThreadId,	7_2_11023FB0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 7_2_110CA3C0 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos,	7_2_110CA3C0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 7_2_110CA3C0 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos,	7_2_110CA3C0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 7_2_11110220 IsIconic,GetTickCount,CreateRectRgn,GetClientRect,SetStretchBltMode,CreateRectRgn,GetClipRgn,OffsetRgn,GetRgnBox,SelectClipRgn,StretchBlt,SelectClipRgn,DeleteObject,StretchBlt,StretchBlt,GetWindowOrgEx,StretchBlt,GetKeyState,CreatePen,CreatePen,SelectObject,Polyline,Sleep,SelectObject,Polyline,Sleep,SelectObject,DeleteObject,DeleteObject,BitBlt,	7_2_11110220
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 8_2_110251B0 SetWindowPos,GetMenu,DrawMenuBar,GetMenu,DeleteMenu,UpdateWindow,IsIconic,SetTimer,KillTimer,	8_2_110251B0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 8_2_111575D0 IsIconic,ShowWindow,BringWindowToTop,IsWindow,IsIconic,ShowWindow,BringWindowToTop,	8_2_111575D0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 8_2_111575D0 IsIconic,ShowWindow,BringWindowToTop,IsWindow,IsIconic,ShowWindow,BringWindowToTop,	8_2_111575D0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 8_2_11025600 IsIconic,BringWindowToTop,GetCurrentThreadId,	8_2_11025600
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 8_2_111579D0 _memset,SendMessageA,SendMessageA,ShowWindow,SendMessageA,IsIconic,IsZoomed,ShowWindow,GetDesktopWindow,TileWindows,	8_2_111579D0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 8_2_110238D0 BringWindowToTop,SetWindowPos,SetWindowPos,SetWindowPos,GetWindowLongA,SetWindowLongA,GetDlgItem,EnableWindow,GetMenu,DeleteMenu,DrawMenuBar,SetWindowPos,IsIconic,UpdateWindow,SetTimer,KillTimer,	8_2_110238D0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 8_2_110BFDD0 IsIconic,ShowWindow,BringWindowToTop,GetCurrentThreadId,	8_2_110BFDD0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 8_2_11023FB0 _memset,_strncpy,_memset,_strncpy,IsWindow,IsIconic,BringWindowToTop,GetCurrentThreadId,	8_2_11023FB0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 8_2_110CA3C0 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos,	8_2_110CA3C0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 8_2_110CA3C0 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos,	8_2_110CA3C0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 8_2_11110220 IsIconic,GetTickCount,CreateRectRgn,GetClientRect,SetStretchBltMode,CreateRectRgn,GetClipRgn,OffsetRgn,GetRgnBox,SelectClipRgn,StretchBlt,SelectClipRgn,DeleteObject,StretchBlt,StretchBlt,GetWindowOrgEx,StretchBlt,GetKeyState,CreatePen,CreatePen,SelectObject,Polyline,Sleep,SelectObject,Polyline,Sleep,SelectObject,DeleteObject,DeleteObject,BitBlt,	8_2_11110220

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe

7_2_11029230

Source: C:\Users\user\Desktop\CiscoSetup.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Contains functionality to detect sleep reduction / modifications

Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 7_2_685991F0		7_2_685991F0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 7_2_685A4F30		7_2_685A4F30

Contains functionality to enumerate running services

Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe

Code function: OpenSCManagerA,EnumServicesStatusA,EnumServicesStatusA,LoadLibraryA,GetProcAddress,OpenServiceA,WideCharToMultiByte,CloseServiceHandle,_memset,_memset,FreeLibrary,CloseServiceHandle,

7_2_11127110

Contains long sleeps (>= 3 min)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6962	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2767	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Window / User API: threadDelayed 450	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Window / User API: threadDelayed 7993	Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\ProxyCon.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\Setup\5.0.00923\csc_ui_toast.dll (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Cisco\remcmdstub.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-0E14V.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-MJ3RA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-Q67GI.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\Plugins\acdownloader.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\vpnipsec.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-HL1L8.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-24FVM.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-7A47V.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-T3UDO.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\msvcp140_2.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\Setup\csc_ui_setup.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\acwebhelper.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-N867I.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-9JGUE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-LO7QV.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-13C42.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-O6HT8.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Cisco\TCCTL32.DLL	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\csc_ui_toast.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\vpnapishim.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\acsock64.sys (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-2J33H.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\Plugins\is-LMS1D.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\boost_system.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-K9DFT.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-D93RQ.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\msvcp140.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\vpnmgmttun.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-C8R9M.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\vpncli.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\Setup\5.0.00923\is-FCDNQ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-6FEVR.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-FRTV6.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\cfom.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\zlib1.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-UP6H5.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-0IGCD.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\InstallHelper.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\InstallHelper64.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\is-BSCSU.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-3H81M.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-139DF.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\msvcp140_1.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\ac_sock_fltr_api.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\boost_thread.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\acciscocrypto.dll (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Cisco\AudioCapture.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\acextwebhelper.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-KC1BF.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\vpnagentutilities.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-ULT5V.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-M1NCB.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\VACon64.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\Uninstall.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\acfeedback.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\vpncommoncrypt.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\vpnapi.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-LU7CG.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-T40JR.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\concrt140.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\vpnagent.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-PS1DU.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-C9M46.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\is-AB2VI.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-GKS0T.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\boost_filesystem.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-RJSOM.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-O7USL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-QC4EE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-K8IRC.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-O8UOD.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\acwebhelper.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\acruntime.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\accurl.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpndownloader.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\is-8QMTQ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\vpnva64-6.sys (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\Setup\5.0.00923\csc_ui.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-7ARTU.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\boost_chrono.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-3MUNV.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\Setup\is-V7O6A.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\acciscossl.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\vccorlib140.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\WebView2Loader.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\Setup\5.0.00923\is-0667M.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Cisco\HTCTL32.DLL	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-HI577.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\boost_date_time.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\csc_ui.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-42UFL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\vpndownloader.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\vcruntime140.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-BKQ26.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\vpncommon.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\is-BOBU7.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-DSLII.tmp	Jump to dropped file

Found evaded block containing many API calls

Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Evaded block: after key decision	graph_7-83036
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Evaded block: after key decision	graph_7-85940
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Evaded block: after key decision	graph_7-86032
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Evaded block: after key decision	graph_7-86220
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Evaded block: after key decision	graph_7-86254
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Evaded block: after key decision
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Evaded block: after key decision
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Evaded block: after key decision
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Evaded block: after key decision
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Evaded block: after key decision
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Evaded block: after key decision
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Evaded block: after key decision
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Evaded block: after key decision
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Evaded block: after key decision

Found evasive API chain checking for process token information

Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_7-82538

Found large amount of non-executed APIs

Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	API coverage: 6.1 %
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	API coverage: 2.9 %

May check if the current machine is a sandbox (GetTickCount - Sleep)

Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe

Code function: 7_2_685A4F30

7_2_685A4F30

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1800	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe TID: 2020	Thread sleep time: -52250s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe TID: 5440	Thread sleep time: -45000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe TID: 2020	Thread sleep time: -1998250s >= -30000s	Jump to behavior

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe

Last function: Thread delayed

Uses the system / local time for branch decision (may execute only at specific dates)

Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe

Code function: 7_2_685A3130 GetSystemTime followed by cmp: cmp eax, 02h and CTI: je 685A3226h

7_2_685A3130

Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 7_2_11123570 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,	7_2_11123570
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 7_2_11069690 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,GetLastError,	7_2_11069690
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 7_2_1110BB80 GetLocalTime,wsprintfA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,ExpandEnvironmentStringsA,CreateFileA,timeBeginPeriod,GetLocalTime,timeGetTime,_memset,WriteFile,	7_2_1110BB80
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 7_2_11107FE0 _memset,wsprintfA,wsprintfA,KillTimer,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose,	7_2_11107FE0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 7_2_110BC3D0 GetFileAttributesA,CreateDirectoryA,FindFirstFileA,CopyFileA,CopyFileA,FindNextFileA,FindClose,DrawMenuBar,	7_2_110BC3D0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 7_2_1102CE2D InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,	7_2_1102CE2D
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 7_2_11064E30 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,	7_2_11064E30
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 8_2_1102CE2D InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,	8_2_1102CE2D
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 8_2_11123570 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,	8_2_11123570
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 8_2_1110BB80 GetLocalTime,wsprintfA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,ExpandEnvironmentStringsA,CreateFileA,timeBeginPeriod,GetLocalTime,timeGetTime,_memset,WriteFile,	8_2_1110BB80
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 8_2_11107FE0 _memset,wsprintfA,wsprintfA,KillTimer,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose,	8_2_11107FE0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 8_2_110BC3D0 GetFileAttributesA,CreateDirectoryA,FindFirstFileA,CopyFileA,CopyFileA,FindNextFileA,FindClose,DrawMenuBar,	8_2_110BC3D0

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: client32.exe, 00000007.00000002.4143550370.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp	Binary or memory string: VMware
Source: client32.exe, 00000007.00000002.4143550370.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp	Binary or memory string: plist<T> too longp.secondQueueQueueThreadEventidata->Q.size () == 0p < ep%dWSAIoctlclosesocketsocketWSACleanupWSAStartupws2_32.dllIPHLPAPI.DLLVMWarevirtGetAdaptersAddressesVMWarevirtntohlWinHttpCloseHandleWinHttpGetProxyForUrlNS247WinHttpOpenWinHttpGetIEProxyConfigForCurrentUserwinhttp.dllc != '\0'dstbufyenc.cla]h*
Source: client32.exe, 00000007.00000002.4141243158.000000000045E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`q%
Source: is-FRTV6.tmp.1.dr	Binary or memory string: %d.%d.%dUnknownWin9xWinNTgetWindowsEdition(): Could not get OS Edition lengthC:\temp\build\thehoff\Quicksilver_MR50.560024709388\Quicksilver_MR5\ACRuntime\library\OSVersionAPI.cppGetOsVersionGetOsVersion(): Could not get OS EditionGetVersionEx call failed with error: %dgetWindowsEditionWindows VistaWindows Server 2008Windows 7Windows Server 2008 R2Windows 8Windows Server 2012Windows 8.1Windows Server 2012 R2Windows 11Windows 10Windows Server 2016Windows Server 2019Windows Server 2022Windows ServerGetProductInfo%s UnknownUltimateUltimate EUltimate NProfessionalProfessional EProfessional NProfessional with Media CenterHome BasicHome Basic EHome Basic NHome PremiumHome Premium EHome Premium NEnterpriseBusinessStarterStarter EStarter NEnterprise EHomeHome ChinaHome NHome Single LanguageEnterprise EvaluationEnterprise NEnterprise N EvaluationEnterprise 2015 LTSBEnterprise 2015 LTSB EvaluationEnterprise 2015 LTSB NEnterprise 2015 LTSB N EvaluationMobileMobile EnterpriseUnlicensedDatacenter (evaluation installation)Datacenter (full installation)Datacenter (core installation)Datacenter without Hyper-V (core installation)Datacenter without Hyper-V (full installation)Enterprise (full installation)Enterprise (core installation)Enterprise without Hyper-V (core installation)Enterprise for Itanium-based SystemsEnterprise without Hyper-V (full installation)Essential Server Solution AdditionalEssential Server Solution Additional SVCEssential Server Solution ManagementEssential Server Solution Management SVCHome Server 2011Storage Server 2008 R2 EssentialsMicrosoft Hyper-V ServerEssential Business Server Management ServerEssential Business Server Messaging ServerEssential Business Server Security ServerMultiPoint Server Premium (full installation)MultiPoint Server Standard (full installation)Small Business Server 2011 EssentialsFor SB Solutions EMFor SB SolutionsFor Essential Server SolutionsWithout Hyper-V for Windows Essential Server SolutionsFoundationSmall Business ServerSmall Business Server PremiumSmall Business Server Premium (core installation)MultiPoint ServerStandardStandard (core installation)Standard without Hyper-V (core installation)Standard without Hyper-VStandard Solutions PremiumStandard Solutions Premium (core installation)Storage Server EnterpriseStorage Server Enterprise (core installation)Storage Server ExpressStorage Server Express (core installation)Storage Server Standard (evaluation installation)Storage Server StandardStorage Server Standard (core installation)Storage Server Workgroup (evaluation installation)Storage Server WorkgroupStorage Server Workgroup (core installation)HPC EditionServer Hyper Core VWeb Server (full installation)Web Server (core installation)%s %s$
Source: client32.exe, 00000007.00000002.4143550370.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp	Binary or memory string: hbuf->datahttputil.c%5d000000000002004C4F4F50VirtualVMwareVIRTNETGetAdaptersInfoiphlpapi.dllcbMacAddress == MAX_ADAPTER_ADDRESS_LENGTHmacaddr.cpp,%02x%02x%02x%02x%02x%02x* Netbiosnetapi32.dll01234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZwhoa nelly, says Sherman, the Sharkhellooo nurse!kernel32.dllProcessIdToSessionId%s_L%d_%xNOT copied to diskcopied to %sAssert failed - Unhandled Exception (GPF) -
Source: powershell.exe, 00000005.00000002.1991259471.0000000005357000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: plist<T> too longp.secondQueueQueueThreadEventidata->Q.size () == 0p < ep%dWSAIoctlclosesocketsocketWSACleanupWSAStartupws2_32.dllIPHLPAPI.DLLVMWarevirtGetAdaptersAddressesVMWarevirtntohlWinHttpCloseHandleWinHttpGetProxyForUrlNS247WinHttpOpenWinHttpGetIEProxyConfigForCurrentUserwinhttp.dllc != '\0'dstbufyenc.cla
Source: client32.exe, 00000007.00000003.1989645822.000000000525C000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000007.00000003.2285282850.000000000527B000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000007.00000002.4142691665.000000000527B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: TCCTL32.DLL.5.dr	Binary or memory string: VMWare
Source: client32.exe, 00000007.00000003.2284925440.0000000005207000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000007.00000002.4142691665.0000000005226000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000007.00000003.1989702492.0000000005255000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000007.00000003.2285282850.0000000005226000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.ZuneVideo/resources/IDS_MANIFEST_VIDEO_APP_DESCRIPTION}LMEM
Source: TCCTL32.DLL.5.dr	Binary or memory string: >localhost:%d%dWSAIoctlclosesocketsocketWSACleanupWSAStartupws2_32.dllGetAdaptersInfoIPHLPAPI.DLLVMWarevirtGetAdaptersAddressesvirtualVMWarevirt0000000000%02X%02X%02X%02X%02X%02XBluetoothpfntcctlex.cppRtlIpv6AddressToStringWntdll.dllntohlTCREMOTETCBRIDGE%s=%s
Source: client32.exe, 00000008.00000002.2104328100.00000000005C2000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000008.00000003.2103752720.00000000005BF000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 0000000A.00000003.2189007519.000000000068F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	API call chain: ExitProcess graph end node			graph_7-85829
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	API call chain: ExitProcess graph end node

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe

Code function: 7_2_1116A559 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

7_2_1116A559

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe

Code function: 7_2_110CFCF0 _memset,_strncpy,CreateMutexA,OpenMutexA,GetLastError,wsprintfA,OutputDebugStringA,

7_2_110CFCF0

Contains functionality to dynamically determine API calls

Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe

7_2_11029230

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe

Code function: 7_2_11178A14 __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,

7_2_11178A14

Enables debug privileges

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 7_2_11030B10 SetUnhandledExceptionFilter,	7_2_11030B10
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 7_2_1116A559 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_1116A559
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 7_2_1115E4D1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_1115E4D1
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 7_2_685B28E1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_685B28E1
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 8_2_11030B10 SetUnhandledExceptionFilter,	8_2_11030B10
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 8_2_1116A559 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_1116A559
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: 8_2_1115E4D1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_1115E4D1

HIPS / PFW / Operating System Protection Evasion

Bypasses PowerShell execution policy

Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp

Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-D93RQ.tmp\cispn.ps1"

Contains functionality to execute programs as a different user

Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe

Code function: 7_2_110F2280 GetTickCount,LogonUserA,GetTickCount,GetLastError,

7_2_110F2280

Contains functionality to simulate keystroke presses

Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe

Code function: 7_2_11027BE0 keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,

7_2_11027BE0

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-D93RQ.tmp\cispn.ps1"			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\Cisco\client32.exe "C:\Users\user\AppData\Roaming\Cisco\client32.exe"			Jump to behavior

Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe

Code function: 7_2_1109D4A0 LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,GetVersionExA,GetSecurityDescriptorSacl,SetSecurityDescriptorSacl,FreeLibrary,CreateFileMappingA,GetLastError,LocalFree,LocalFree,LocalFree,GetLastError,MapViewOfFile,LocalFree,LocalFree,LocalFree,GetModuleFileNameA,GetModuleFileNameA,LocalFree,LocalFree,LocalFree,_memset,GetTickCount,GetCurrentProcessId,GetModuleFileNameA,CreateEventA,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,GetLastError,LocalFree,LocalFree,LocalFree,GetCurrentThreadId,CreateThread,ResetEvent,ResetEvent,ResetEvent,ResetEvent,SetEvent,

7_2_1109D4A0

Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe

Code function: 7_2_1109DC20 GetProcAddress,GetTokenInformation,GetTokenInformation,GetTokenInformation,AllocateAndInitializeSid,EqualSid,

7_2_1109DC20

Source: client32.exe, 00000007.00000002.4143045081.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.2109302873.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2190511917.000000001118F000.00000002.00000001.01000000.0000000B.sdmp	Binary or memory string: Shell_TrayWndunhandled plugin data, id=%d
Source: client32.exe, 00000007.00000002.4143045081.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.2109302873.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2190511917.000000001118F000.00000002.00000001.01000000.0000000B.sdmp	Binary or memory string: Shell_TrayWnd
Source: client32.exe, client32.exe, 00000008.00000002.2109302873.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2190511917.000000001118F000.00000002.00000001.01000000.0000000B.sdmp	Binary or memory string: Progman

Language, Device and Operating System Detection

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	7_2_11170208
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,	7_2_1117053C
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	7_2_11170499
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: GetLocaleInfoA,	7_2_11167B5E
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	7_2_11170106
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,	7_2_111701AD
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	7_2_11170011
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	7_2_111703D9
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	7_2_11170500
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,	7_2_685CDB7C
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	7_2_685CDC56
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	7_2_685C1CC1
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: GetLocaleInfoA,	7_2_685CDC99
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	7_2_685C1DB6
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,	7_2_685C1E5D
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	7_2_685C1EB8
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	7_2_685C2089
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: EnumSystemLocalesA,	7_2_685C2151
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	7_2_685C2175
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	7_2_685C21DC
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,	7_2_685C2218
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,	8_2_1117053C
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: GetLocaleInfoA,	8_2_11167B5E
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	8_2_11170011
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	8_2_11170500
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	8_2_11170499

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe

Code function: 7_2_1101D180 __time64,SetRect,GetLocalTime,

7_2_1101D180

Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe

Code function: 7_2_1103B220 _calloc,GetUserNameA,_free,_calloc,_free,

7_2_1103B220

Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe

7_2_1109D4A0

Stealing of Sensitive Information

OS version to string mapping found (often used in BOTs)

Source: is-T3UDO.tmp.1.dr	Binary or memory string: r?IsOs_WIN_VISTA@@YA_NXZ
Source: is-O6HT8.tmp.1.dr	Binary or memory string: ?GetOsVersion@@YA?AUMYOSVERSION@@XZ\?IsOs_MAC@@YA_NXZq?IsOs_WIN_8_Only@@YA_NXZ
Source: is-FRTV6.tmp.1.dr	Binary or memory string: ?IsOs_WIN_8_Only@@YA_NXZ
Source: is-FRTV6.tmp.1.dr	Binary or memory string: ?IsOs_WIN_7_Only@@YA_NXZ
Source: is-O6HT8.tmp.1.dr	Binary or memory string: p?IsOs_WIN_8Point10_Only@@YA_NXZ
Source: is-O6HT8.tmp.1.dr	Binary or memory string: ?MakeSureDirectoryPathExists@@YA_NPB_W@Zl?IsOs_WIN_7_Only@@YA_NXZi
Source: is-FRTV6.tmp.1.dr	Binary or memory string: ?IsOs_WIN_VISTA_Only@@YA_NXZ
Source: is-FRTV6.tmp.1.dr	Binary or memory string: ?IsOs_WIN_8@@YA_NXZ
Source: is-O6HT8.tmp.1.dr	Binary or memory string: l?IsOs_WIN_7_Only@@YA_NXZ
Source: is-T3UDO.tmp.1.dr	Binary or memory string: ??1CHModuleMgr@@QAE@XZr?IsOs_WIN_VISTA@@YA_NXZw
Source: is-O6HT8.tmp.1.dr	Binary or memory string: GetCurrentTimeSecondss?IsOs_WIN_VISTA_Only@@YA_NXZR
Source: is-FRTV6.tmp.1.dr	Binary or memory string: ?IsOs_WIN_8Point10@@YA_NXZ
Source: is-FRTV6.tmp.1.dr	Binary or memory string: ?IsOs_WIN_8Point10_Only@@YA_NXZ
Source: is-FRTV6.tmp.1.dr	Binary or memory string: ?IsOs_WIN_VISTA@@YA_NXZ
Source: is-O6HT8.tmp.1.dr	Binary or memory string: ?CreateMultitonInstance@CExecutionContext@@SAJAAPAV1@W4INSTANCE_ID@1@@ZW?IsOs_LINUX@@YA_NXZp?IsOs_WIN_8Point10_Only@@YA_NXZ
Source: is-O6HT8.tmp.1.dr	Binary or memory string: q?IsOs_WIN_8_Only@@YA_NXZ
Source: is-O6HT8.tmp.1.dr	Binary or memory string: s?IsOs_WIN_VISTA_Only@@YA_NXZ
Source: is-FRTV6.tmp.1.dr	Binary or memory string: ?IsOs_WIN_7@@YA_NXZ

Remote Access Functionality

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe

Code function: 7_2_6859A980 EnterCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,WSAGetLastError,socket,WSAGetLastError,#21,#21,#21,bind,WSAGetLastError,closesocket,htons,WSASetBlockingHook,WSAGetLastError,WSAUnhookBlockingHook,closesocket,WSAGetLastError,WSAUnhookBlockingHook,closesocket,WSAUnhookBlockingHook,EnterCriticalSection,InitializeCriticalSection,getsockname,LeaveCriticalSection,GetTickCount,InterlockedExchange,

7_2_6859A980

Yara detected NetSupport remote tool

Source: Yara match	File source: 8.2.client32.exe.688b0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.client32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.client32.exe.688b0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.client32.exe.688b0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.client32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.client32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.client32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.client32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.client32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.client32.exe.68890000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.client32.exe.68890000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.client32.exe.68890000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.client32.exe.111b3308.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.client32.exe.111b3308.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.client32.exe.111b3308.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.client32.exe.68590000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.2190553256.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.1983117246.0000000000404000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4143550370.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2189669515.0000000000404000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.2183700917.0000000000404000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.2102185097.0000000000404000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.2284925440.0000000005207000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2109302873.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4142059175.0000000002648000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2043735068.000000000883E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2104099900.0000000000404000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4143093821.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4143045081.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2190511917.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4141174786.0000000000404000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2109384742.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1991259471.0000000005259000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.2285282850.0000000005226000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1991259471.0000000005357000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6724, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: client32.exe PID: 3052, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: client32.exe PID: 1516, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: client32.exe PID: 4124, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Cisco\AudioCapture.dll, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Cisco\TCCTL32.DLL, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Cisco\client32.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Cisco\pcicapi.dll, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Cisco\PCICHEK.DLL, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Cisco\HTCTL32.DLL, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Cisco\PCICL32.DLL, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	1 Network Sniffing	11 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	3 Native API	1 DLL Search Order Hijacking	1 DLL Search Order Hijacking	3 Obfuscated Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	1 Screen Capture	22 Encrypted Channel	Exfiltration Over Bluetooth	1 Defacement
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	2 Valid Accounts	2 Valid Accounts	11 Software Packing	Security Account Manager	1 System Service Discovery	SMB/Windows Admin Shares	3 Clipboard Data	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	2 PowerShell	11 Registry Run Keys / Startup Folder	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	3 File and Directory Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	12 Process Injection	1 DLL Search Order Hijacking	LSA Secrets	1 Network Sniffing	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	11 Registry Run Keys / Startup Folder	2 Masquerading	Cached Domain Credentials	33 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	151 Security Software Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	31 Virtualization/Sandbox Evasion	Proc Filesystem	2 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	31 Virtualization/Sandbox Evasion	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	12 Process Injection	Network Sniffing	11 Application Window Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	Stripped Payloads	Input Capture	3 System Owner/User Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
CiscoSetup.exe	0%	ReversingLabs

Dropped Files

Source	Detection	Scanner
C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\is-AB2VI.tmp	0%	ReversingLabs
C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpndownloader.exe (copy)	0%	ReversingLabs
C:\Program Files (x86)\Cisco\Cisco Secure Client\InstallHelper.exe (copy)	0%	ReversingLabs
C:\Program Files (x86)\Cisco\Cisco Secure Client\InstallHelper64.exe (copy)	0%	ReversingLabs
C:\Program Files (x86)\Cisco\Cisco Secure Client\Plugins\acdownloader.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Cisco\Cisco Secure Client\Plugins\is-LMS1D.tmp	0%	ReversingLabs
C:\Program Files (x86)\Cisco\Cisco Secure Client\ProxyCon.exe (copy)	0%	ReversingLabs
C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\Setup\5.0.00923\csc_ui.exe (copy)	0%	ReversingLabs
C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\Setup\5.0.00923\csc_ui_toast.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\Setup\5.0.00923\is-0667M.tmp	0%	ReversingLabs
C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\Setup\5.0.00923\is-FCDNQ.tmp	0%	ReversingLabs
C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\Setup\csc_ui_setup.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\Setup\is-V7O6A.tmp	0%	ReversingLabs
C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\csc_ui.exe (copy)	0%	ReversingLabs
C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\csc_ui_toast.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\is-8QMTQ.tmp	0%	ReversingLabs
C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\is-BSCSU.tmp	0%	ReversingLabs
C:\Program Files (x86)\Cisco\Cisco Secure Client\Uninstall.exe (copy)	0%	ReversingLabs
C:\Program Files (x86)\Cisco\Cisco Secure Client\VACon64.exe (copy)	0%	ReversingLabs
C:\Program Files (x86)\Cisco\Cisco Secure Client\WebView2Loader.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Cisco\Cisco Secure Client\ac_sock_fltr_api.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Cisco\Cisco Secure Client\acciscocrypto.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Cisco\Cisco Secure Client\acciscossl.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Cisco\Cisco Secure Client\accurl.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Cisco\Cisco Secure Client\acextwebhelper.exe (copy)	0%	ReversingLabs
C:\Program Files (x86)\Cisco\Cisco Secure Client\acfeedback.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Cisco\Cisco Secure Client\acruntime.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Cisco\Cisco Secure Client\acsock64.sys (copy)	0%	ReversingLabs
C:\Program Files (x86)\Cisco\Cisco Secure Client\acwebhelper.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Cisco\Cisco Secure Client\acwebhelper.exe (copy)	0%	ReversingLabs
C:\Program Files (x86)\Cisco\Cisco Secure Client\boost_chrono.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Cisco\Cisco Secure Client\boost_date_time.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Cisco\Cisco Secure Client\boost_filesystem.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Cisco\Cisco Secure Client\boost_system.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Cisco\Cisco Secure Client\boost_thread.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Cisco\Cisco Secure Client\cfom.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Cisco\Cisco Secure Client\concrt140.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Cisco\Cisco Secure Client\is-0E14V.tmp	0%	ReversingLabs
C:\Program Files (x86)\Cisco\Cisco Secure Client\is-0IGCD.tmp	0%	ReversingLabs
C:\Program Files (x86)\Cisco\Cisco Secure Client\is-139DF.tmp	0%	ReversingLabs
C:\Program Files (x86)\Cisco\Cisco Secure Client\is-13C42.tmp	0%	ReversingLabs
C:\Program Files (x86)\Cisco\Cisco Secure Client\is-24FVM.tmp	0%	ReversingLabs
C:\Program Files (x86)\Cisco\Cisco Secure Client\is-2J33H.tmp	0%	ReversingLabs
C:\Program Files (x86)\Cisco\Cisco Secure Client\is-3H81M.tmp	0%	ReversingLabs
C:\Program Files (x86)\Cisco\Cisco Secure Client\is-3MUNV.tmp	0%	ReversingLabs
C:\Program Files (x86)\Cisco\Cisco Secure Client\is-42UFL.tmp	0%	ReversingLabs
C:\Program Files (x86)\Cisco\Cisco Secure Client\is-6FEVR.tmp	0%	ReversingLabs
C:\Program Files (x86)\Cisco\Cisco Secure Client\is-7A47V.tmp	0%	ReversingLabs
C:\Program Files (x86)\Cisco\Cisco Secure Client\is-7ARTU.tmp	0%	ReversingLabs
C:\Program Files (x86)\Cisco\Cisco Secure Client\is-9JGUE.tmp	0%	ReversingLabs
C:\Program Files (x86)\Cisco\Cisco Secure Client\is-BKQ26.tmp	0%	ReversingLabs
C:\Program Files (x86)\Cisco\Cisco Secure Client\is-C8R9M.tmp	0%	ReversingLabs
C:\Program Files (x86)\Cisco\Cisco Secure Client\is-C9M46.tmp	0%	ReversingLabs
C:\Program Files (x86)\Cisco\Cisco Secure Client\is-DSLII.tmp	0%	ReversingLabs
C:\Program Files (x86)\Cisco\Cisco Secure Client\is-FRTV6.tmp	0%	ReversingLabs
C:\Program Files (x86)\Cisco\Cisco Secure Client\is-GKS0T.tmp	0%	ReversingLabs
C:\Program Files (x86)\Cisco\Cisco Secure Client\is-HI577.tmp	0%	ReversingLabs
C:\Program Files (x86)\Cisco\Cisco Secure Client\is-HL1L8.tmp	0%	ReversingLabs
C:\Program Files (x86)\Cisco\Cisco Secure Client\is-K8IRC.tmp	0%	ReversingLabs
C:\Program Files (x86)\Cisco\Cisco Secure Client\is-K9DFT.tmp	0%	ReversingLabs
C:\Program Files (x86)\Cisco\Cisco Secure Client\is-KC1BF.tmp	0%	ReversingLabs
C:\Program Files (x86)\Cisco\Cisco Secure Client\is-LO7QV.tmp	0%	ReversingLabs
C:\Program Files (x86)\Cisco\Cisco Secure Client\is-LU7CG.tmp	0%	ReversingLabs
C:\Program Files (x86)\Cisco\Cisco Secure Client\is-M1NCB.tmp	0%	ReversingLabs
C:\Program Files (x86)\Cisco\Cisco Secure Client\is-MJ3RA.tmp	0%	ReversingLabs
C:\Program Files (x86)\Cisco\Cisco Secure Client\is-N867I.tmp	0%	ReversingLabs
C:\Program Files (x86)\Cisco\Cisco Secure Client\is-O6HT8.tmp	0%	ReversingLabs
C:\Program Files (x86)\Cisco\Cisco Secure Client\is-O7USL.tmp	0%	ReversingLabs
C:\Program Files (x86)\Cisco\Cisco Secure Client\is-O8UOD.tmp	0%	ReversingLabs
C:\Program Files (x86)\Cisco\Cisco Secure Client\is-PS1DU.tmp	0%	ReversingLabs
C:\Program Files (x86)\Cisco\Cisco Secure Client\is-Q67GI.tmp	0%	ReversingLabs
C:\Program Files (x86)\Cisco\Cisco Secure Client\is-QC4EE.tmp	0%	ReversingLabs
C:\Program Files (x86)\Cisco\Cisco Secure Client\is-RJSOM.tmp	0%	ReversingLabs
C:\Program Files (x86)\Cisco\Cisco Secure Client\is-T3UDO.tmp	0%	ReversingLabs
C:\Program Files (x86)\Cisco\Cisco Secure Client\is-T40JR.tmp	0%	ReversingLabs
C:\Program Files (x86)\Cisco\Cisco Secure Client\is-ULT5V.tmp	0%	ReversingLabs
C:\Program Files (x86)\Cisco\Cisco Secure Client\is-UP6H5.tmp	0%	ReversingLabs
C:\Program Files (x86)\Cisco\Cisco Secure Client\msvcp140.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Cisco\Cisco Secure Client\msvcp140_1.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Cisco\Cisco Secure Client\msvcp140_2.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Cisco\Cisco Secure Client\vccorlib140.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Cisco\Cisco Secure Client\vcruntime140.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Cisco\Cisco Secure Client\vpnagent.exe (copy)	0%	ReversingLabs
C:\Program Files (x86)\Cisco\Cisco Secure Client\vpnagentutilities.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Cisco\Cisco Secure Client\vpnapi.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Cisco\Cisco Secure Client\vpnapishim.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Cisco\Cisco Secure Client\vpncli.exe (copy)	0%	ReversingLabs
C:\Program Files (x86)\Cisco\Cisco Secure Client\vpncommon.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Cisco\Cisco Secure Client\vpncommoncrypt.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Cisco\Cisco Secure Client\vpndownloader.exe (copy)	0%	ReversingLabs
C:\Program Files (x86)\Cisco\Cisco Secure Client\vpnipsec.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Cisco\Cisco Secure Client\vpnmgmttun.exe (copy)	0%	ReversingLabs
C:\Program Files (x86)\Cisco\Cisco Secure Client\vpnva64-6.sys (copy)	0%	ReversingLabs
C:\Program Files (x86)\Cisco\Cisco Secure Client\zlib1.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Cisco\is-BOBU7.tmp	0%	ReversingLabs
C:\Program Files (x86)\Cisco\unins000.exe (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-D93RQ.tmp\_isetup\_setup64.tmp	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Cisco\AudioCapture.dll	3%	ReversingLabs
C:\Users\user\AppData\Roaming\Cisco\HTCTL32.DLL	3%	ReversingLabs

Source	Detection	Scanner	Label
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://crl.microsoft	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	0%	URL Reputation	safe
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
https://aka.ms/pscore6lB	0%	URL Reputation	safe
https://www.remobjects.com/ps	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
https://www.innosetup.com/	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://schemas.xmlsoap.org/soap/encoding/	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	0%	URL Reputation	safe
http://www.symauth.com/cps0(	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y	0%	URL Reputation	safe
http://www.symauth.com/rpa00	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
http://schemas.xmlsoap.org/wsdl/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
payiki.com	151.236.16.15	true	true	unknown
geo.netsupportsoftware.com	172.67.68.212	true	false	unknown
anyhowdo.com	199.188.200.195	true	true	unknown

Contacted URLs

Name	Malicious	Reputation
http://151.236.16.15/fakeurl.htm	true	unknown
http://geo.netsupportsoftware.com/location/loca.asp	false	unknown
http://199.188.200.195/fakeurl.htm	true	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.netsupportsoftware.com	powershell.exe, 00000005.00000002.1991259471.0000000004E73000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1991259471.00000000051BE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1991259471.0000000005259000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU	CiscoSetup.exe	false		unknown
http://%s/testpage.htmwininet.dll	powershell.exe, 00000005.00000002.1991259471.0000000005357000.00000004.00000800.00020000.00000000.sdmp, client32.exe, 00000007.00000002.4143550370.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp	false		unknown
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	powershell.exe, 00000005.00000002.1991259471.0000000005259000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr	false	URL Reputation: safe	unknown
http://geo.netsupportsoftware.com/location/loca.aspSetChannel(%s)	client32.exe, 00000007.00000002.4143045081.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.2109302873.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2190511917.000000001118F000.00000002.00000001.01000000.0000000B.sdmp	false		unknown
http://ocsp.sectigo.com0	powershell.exe, 00000005.00000002.1991259471.00000000051D0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1991259471.0000000005259000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr	false	URL Reputation: safe	unknown
http://www.pci.co.uk/supportsupport	client32.exe, 00000007.00000002.4143093821.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.2109384742.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2190553256.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp	false		unknown
http://crl.microsoft	powershell.exe, 00000005.00000002.2043622253.00000000087D0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/License	powershell.exe, 00000005.00000002.2009549925.0000000006786000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://127.0.0.1RESUMEPRINTING	client32.exe, 00000007.00000002.4143045081.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.2109302873.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2190511917.000000001118F000.00000002.00000001.01000000.0000000B.sdmp	false		unknown
http://%s/testpage.htm	powershell.exe, 00000005.00000002.1991259471.0000000005357000.00000004.00000800.00020000.00000000.sdmp, client32.exe, client32.exe, 00000007.00000002.4143550370.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp	false		unknown
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	powershell.exe, 00000005.00000002.1991259471.0000000005259000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr	false	URL Reputation: safe	unknown
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	powershell.exe, 00000005.00000002.1991259471.00000000051D0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.immunet.comVoor	CiscoSetup.tmp, 00000001.00000003.2076122927.0000000005660000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://%s/fakeurl.htm	client32.exe, client32.exe, 00000007.00000002.4143550370.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp	false		unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	powershell.exe, 00000005.00000002.1991259471.00000000051B4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1991259471.00000000051BE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1991259471.0000000005259000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://aka.ms/pscore6lB	powershell.exe, 00000005.00000002.1991259471.0000000004D21000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.remobjects.com/ps	CiscoSetup.exe, 00000000.00000003.1688495970.000000007EF3B000.00000004.00001000.00020000.00000000.sdmp, CiscoSetup.exe, 00000000.00000003.1688004235.0000000002B60000.00000004.00001000.00020000.00000000.sdmp, CiscoSetup.tmp, 00000001.00000000.1690462646.0000000000481000.00000020.00000001.01000000.00000004.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/	powershell.exe, 00000005.00000002.2009549925.0000000006786000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000005.00000002.2009549925.0000000006786000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.innosetup.com/	CiscoSetup.exe, 00000000.00000003.1688495970.000000007EF3B000.00000004.00001000.00020000.00000000.sdmp, CiscoSetup.exe, 00000000.00000003.1688004235.0000000002B60000.00000004.00001000.00020000.00000000.sdmp, CiscoSetup.tmp, 00000001.00000000.1690462646.0000000000481000.00000020.00000001.01000000.00000004.sdmp	false	URL Reputation: safe	unknown
https://sectigo.com/CPS0D	powershell.exe, 00000005.00000002.1991259471.00000000051D0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1991259471.0000000005259000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr	false		unknown
http://www.netsupportschool.com/tutor-assistant.asp11(	client32.exe, 00000007.00000002.4143093821.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.2109384742.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2190553256.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp	false		unknown
https://www.iminunet.comPara	CiscoSetup.tmp, 00000001.00000003.2076122927.0000000005660000.00000004.00001000.00020000.00000000.sdmp, is-1V30U.tmp.1.dr	false		unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000005.00000002.1991259471.0000000004D21000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.netsupportschool.com/tutor-assistant.asp	client32.exe, 00000007.00000002.4143093821.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.2109384742.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2190553256.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp	false		unknown
https://www.cisco.com	CiscoSetup.exe, 00000000.00000003.2094322756.0000000000ED3000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://www.cisco.comQ9	CiscoSetup.tmp, 00000001.00000003.2087307462.00000000029BC000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000005.00000002.2009549925.0000000006786000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect40/user/guide/b_Androi	is-C1171.tmp.1.dr	false		unknown
http://www.pci.co.uk/support	client32.exe, 00000007.00000002.4143093821.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.2109384742.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2190553256.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp	false		unknown
https://sectigo.com/CPS0	powershell.exe, 00000005.00000002.1991259471.00000000051D0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1991259471.0000000005259000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr	false	URL Reputation: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000005.00000002.1991259471.0000000004E73000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000005.00000002.1991259471.0000000005677000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1991259471.0000000004E73000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000005.00000002.1991259471.0000000004E73000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://geo.netsupportsoftware.com/location/loca.aspPi	client32.exe, 00000007.00000003.1987647210.000000000051A000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000007.00000002.4141461447.000000000053D000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000007.00000003.1989580496.000000000051E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://ocsp.thawte.com0	powershell.exe, 00000005.00000002.1991259471.00000000051B4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1991259471.00000000051BE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1991259471.0000000005259000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.immunet.com.	CiscoSetup.tmp, 00000001.00000003.2076122927.0000000005660000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://contoso.com/Icon	powershell.exe, 00000005.00000002.2009549925.0000000006786000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#	powershell.exe, 00000005.00000002.1991259471.0000000005259000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr	false	URL Reputation: safe	unknown
https://www.cisco.com/update	CiscoSetup.exe, 00000000.00000003.2094322756.0000000000EE1000.00000004.00001000.00020000.00000000.sdmp, CiscoSetup.tmp, 00000001.00000003.2087307462.00000000029D1000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	powershell.exe, 00000005.00000002.1991259471.00000000051D0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://127.0.0.1	client32.exe, client32.exe, 00000008.00000002.2109302873.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2190511917.000000001118F000.00000002.00000001.01000000.0000000B.sdmp	false		unknown
http://geo.netsupportsoftware.com/location/loca.aspA5	client32.exe, 00000007.00000003.1987647210.000000000051A000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000007.00000002.4141461447.000000000053D000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000007.00000003.1989580496.000000000051E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.immunet.comAby	CiscoSetup.tmp, 00000001.00000003.2076122927.0000000005660000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://www.symauth.com/cps0(	powershell.exe, 00000005.00000002.1991259471.0000000005357000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1991259471.0000000005259000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000005.00000002.1991259471.0000000004E73000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	powershell.exe, 00000005.00000002.1991259471.00000000051D0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1991259471.0000000005259000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr	false	URL Reputation: safe	unknown
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y	powershell.exe, 00000005.00000002.1991259471.0000000005259000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr	false	URL Reputation: safe	unknown
http://www.symauth.com/rpa00	powershell.exe, 00000005.00000002.1991259471.0000000005357000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1991259471.0000000005259000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.iminunet.com	CiscoSetup.tmp, 00000001.00000003.2076122927.0000000005660000.00000004.00001000.00020000.00000000.sdmp, is-1V30U.tmp.1.dr	false		unknown
https://www.immunet.com	is-C1171.tmp.1.dr	false		unknown
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	powershell.exe, 00000005.00000002.1991259471.00000000051D0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1991259471.0000000005259000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000005.00000002.1991259471.0000000005677000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1991259471.0000000004E73000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.cisco.com0	is-M1NCB.tmp.1.dr, is-C9M46.tmp.1.dr, is-139DF.tmp.1.dr, is-7ARTU.tmp.1.dr, is-BKQ26.tmp.1.dr, is-6FEVR.tmp.1.dr, is-9JGUE.tmp.1.dr, is-T3UDO.tmp.1.dr, is-N867I.tmp.1.dr, is-O6HT8.tmp.1.dr, is-K9DFT.tmp.1.dr	false		unknown
http://relaxng.org/ns/structure/1.0	is-O6HT8.tmp.1.dr, is-FRTV6.tmp.1.dr	false		unknown
https://www.cisco.com/support	CiscoSetup.exe, 00000000.00000003.2094322756.0000000000EE1000.00000004.00001000.00020000.00000000.sdmp, CiscoSetup.tmp, 00000001.00000003.2087307462.00000000029D1000.00000004.00001000.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
172.67.68.212	geo.netsupportsoftware.com	United States	13335	CLOUDFLARENETUS	false
151.236.16.15	payiki.com	European Union	29802	HVC-ASUS	true
199.188.200.195	anyhowdo.com	United States	22612	NAMECHEAP-NETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1546659
Start date and time:	2024-11-01 12:10:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 12m 6s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	CiscoSetup.exe
Detection:	MAL
Classification:	mal54.rans.troj.evad.winEXE@10/537@3/3
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 69% Number of executed functions: 182 Number of non-executed functions: 196
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 6724 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: CiscoSetup.exe

Simulations

Behavior and APIs

Time	Type	Description
07:11:29	API Interceptor	23x Sleep call for process: powershell.exe modified
07:12:04	API Interceptor	14473663x Sleep call for process: client32.exe modified
11:11:35	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run MyApp C:\Users\user\AppData\Roaming\Cisco\client32.exe
11:11:43	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run MyApp C:\Users\user\AppData\Roaming\Cisco\client32.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
172.67.68.212	https://asknetsupertech.com/wp-content/plugins/elementor/app/modules/site-editor/CiscoSetup.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	geo.netsupportsoftware.com/location/loca.asp
	file.exe	Get hash	malicious	NetSupport RAT	Browse	geo.netsupportsoftware.com/location/loca.asp
	https://inspyrehomedesign.com/Ray-verify.html	Get hash	malicious	NetSupport RAT	Browse	geo.netsupportsoftware.com/location/loca.asp
	file.exe	Get hash	malicious	NetSupport RAT	Browse	geo.netsupportsoftware.com/location/loca.asp
	SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe	Get hash	malicious	NetSupport RAT	Browse	geo.netsupportsoftware.com/location/loca.asp
	SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe	Get hash	malicious	NetSupport RAT	Browse	geo.netsupportsoftware.com/location/loca.asp
	SecuriteInfo.com.Win32.PWSX-gen.10211.1601.exe	Get hash	malicious	NetSupport RAT	Browse	geo.netsupportsoftware.com/location/loca.asp
	8hN4C25a0O.exe	Get hash	malicious	NetSupport RAT	Browse	geo.netsupportsoftware.com/location/loca.asp
	FakturaPDF.exe	Get hash	malicious	NetSupport RAT	Browse	geo.netsupportsoftware.com/location/loca.asp
	JbZaDxFXF3.exe	Get hash	malicious	NetSupport RAT	Browse	geo.netsupportsoftware.com/location/loca.asp
151.236.16.15	Advanced_IP_Scanner_2.5.4594.12.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	http://151.236.16.15/fakeurl.htm
	Advanced_IP_Scanner_2.5.4594.12.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	http://151.236.16.15/fakeurl.htm
	https://asknetsupertech.com/wp-content/plugins/elementor/app/modules/site-editor/CiscoSetup.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	http://151.236.16.15/fakeurl.htm
199.188.200.195	Advanced_IP_Scanner_2.5.4594.12.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	http://199.188.200.195/fakeurl.htm
	Advanced_IP_Scanner_2.5.4594.12.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	http://199.188.200.195/fakeurl.htm
	https://asknetsupertech.com/wp-content/plugins/elementor/app/modules/site-editor/CiscoSetup.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	http://199.188.200.195/fakeurl.htm

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
payiki.com	Advanced_IP_Scanner_2.5.4594.12.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	151.236.16.15
	Advanced_IP_Scanner_2.5.4594.12.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	151.236.16.15
	https://asknetsupertech.com/wp-content/plugins/elementor/app/modules/site-editor/CiscoSetup.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	151.236.16.15
geo.netsupportsoftware.com	Advanced_IP_Scanner_2.5.4594.12.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	104.26.1.231
	Advanced_IP_Scanner_2.5.4594.12.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	104.26.1.231
	https://asknetsupertech.com/wp-content/plugins/elementor/app/modules/site-editor/CiscoSetup.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	172.67.68.212
	file.exe	Get hash	malicious	NetSupport RAT	Browse	172.67.68.212
	file.exe	Get hash	malicious	NetSupport RAT	Browse	104.26.1.231
	https://webdemo.biz/	Get hash	malicious	NetSupport RAT, CAPTCHA Scam	Browse	104.26.0.231
	https://inspyrehomedesign.com	Get hash	malicious	NetSupport RAT	Browse	172.67.68.212
	https://inspyrehomedesign.com/Ray-verify.html	Get hash	malicious	NetSupport RAT	Browse	172.67.68.212
	file.exe	Get hash	malicious	NetSupport RAT	Browse	172.67.68.212
	file.exe	Get hash	malicious	NetSupport RAT	Browse	104.26.0.231
anyhowdo.com	Advanced_IP_Scanner_2.5.4594.12.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	199.188.200.195
	Advanced_IP_Scanner_2.5.4594.12.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	199.188.200.195
	https://asknetsupertech.com/wp-content/plugins/elementor/app/modules/site-editor/CiscoSetup.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	199.188.200.195

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
NAMECHEAP-NETUS	NF_Payment_Ref_FAN930276.exe	Get hash	malicious	FormBook	Browse	162.0.231.203
	FW CMA SHZ Freight invoice CHN1080769.exe	Get hash	malicious	FormBook	Browse	199.192.21.169
	Advanced_IP_Scanner_2.5.4594.12.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	199.188.200.195
	Advanced_IP_Scanner_2.5.4594.12.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	199.188.200.195
	https://asknetsupertech.com/wp-content/plugins/elementor/app/modules/site-editor/CiscoSetup.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	199.188.200.195
	https://saniest.com/PO/PO%20-%20OCT.'24673937.rar	Get hash	malicious	Unknown	Browse	162.0.232.202
	#U2749Factura_#U2749_#U2462#U2465#U2460#U2463#U2463#U2460#U2462#U2461.hta	Get hash	malicious	Unknown	Browse	68.65.122.45
	#U2749Factura_#U2749_#U2466#U2461#U2466#U2462#U2467#U2465#U2465#U2465.hta	Get hash	malicious	Unknown	Browse	68.65.122.45
	672365339196e.vbs	Get hash	malicious	Unknown	Browse	68.65.122.45
	18in SPA-198-2024.exe	Get hash	malicious	FormBook	Browse	162.0.231.203
HVC-ASUS	Advanced_IP_Scanner_2.5.4594.12.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	151.236.16.15
	Advanced_IP_Scanner_2.5.4594.12.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	151.236.16.15
	https://asknetsupertech.com/wp-content/plugins/elementor/app/modules/site-editor/CiscoSetup.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	151.236.16.15
	PO-33463334788.exe	Get hash	malicious	Remcos, GuLoader	Browse	23.227.202.197
	IGNM2810202400017701_270620240801_546001.vbs	Get hash	malicious	GuLoader	Browse	66.206.22.19
	https://www-suasconsult-com-br.translate.goog/?_x_tr_sl=pt&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=sc	Get hash	malicious	Unknown	Browse	69.46.1.10
	nklarm7.elf	Get hash	malicious	Unknown	Browse	23.227.187.69
	splmips.elf	Get hash	malicious	Unknown	Browse	172.110.9.223
	jklppc.elf	Get hash	malicious	Unknown	Browse	149.255.39.213
	kkkmips.elf	Get hash	malicious	Unknown	Browse	104.156.53.55
CLOUDFLARENETUS	Alvise Maria CV 1.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	188.114.97.3
	Action Desk Support 01 Nov.msg	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://www.cognitoforms.com/f/wAh1CzXrnEmEifrmJ4OEgg/1	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	104.17.24.14
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC	Browse	104.21.85.194
	kill.exe	Get hash	malicious	Unknown	Browse	104.26.13.205
	http://edgeupgrade.com	Get hash	malicious	Unknown	Browse	104.22.48.74
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	188.114.96.3
	https://pcapp.store/pixel.gif	Get hash	malicious	Unknown	Browse	172.67.15.14
	draft contract for order #782334.exe	Get hash	malicious	FormBook	Browse	172.67.131.32

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\is-AB2VI.tmp	https://asknetsupertech.com/wp-content/plugins/elementor/app/modules/site-editor/CiscoSetup.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse
	SecureClientInstaller.exe	Get hash	malicious	NetSupport RAT	Browse
	SecureClientInstaller.exe	Get hash	malicious	NetSupport RAT	Browse
C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpndownloader.exe (copy)	https://asknetsupertech.com/wp-content/plugins/elementor/app/modules/site-editor/CiscoSetup.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse
	SecureClientInstaller.exe	Get hash	malicious	NetSupport RAT	Browse
	SecureClientInstaller.exe	Get hash	malicious	NetSupport RAT	Browse

Process:	C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4467816
Entropy (8bit):	6.598146073323608
Encrypted:	false
SSDEEP:	98304:+QCnFew3oMj8NiqvOE41lDJO2Gi3VjGClUjtbnaC:+TeOLECDJrpVSZbL
MD5:	03615EEF106C5E54C5279B05A9686B9A
SHA1:	621C9AB49367298751EAAB0E0A29575327041729
SHA-256:	7B6826DD31DB6E559BBF873DE756292B22B910F319C6C4B09D7A62A5312A4AC3
SHA-512:	BFB2ADE2B66B7CCD3E1CB9FCFAD2AF8D35BD12E063ECC1D388958C5A66776CC865CDD25B72B3786011C388C9A3FF730DAF5F97D58923829DA9DBC76AD393FCE8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: , Detection: malicious, Browse Filename: SecureClientInstaller.exe, Detection: malicious, Browse Filename: SecureClientInstaller.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........d..............n.......n..q....jf......p.......p.......p.......n.......l...............p..Q....n..........p...\|p..s...\|pd.............\|p......Rich....................PE..L......d..................)...................)...@..........................`D......YD...@...................................8.T.....:.X.............C.hH... B..6..0.6.T.....................6.......6.@.............)..............................text.....).......)................. ..`.rdata..fd....)..f....).............@..@.data.........9.......8.............@....rsrc...X.....:.. ....9.............@..@.reloc...6... B..8....A.............@..B................................................................................................................................................................................................................................................................

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1772
Entropy (8bit):	5.467764531932053
Encrypted:	false
SSDEEP:	48:QN1WSU4xympx4RfoUP7mZ9tlNWR831NTx99001dqZ0:QPLHxv/IwBZXW8n7S01YZ0
MD5:	8A22891FE710EAC74DE50BBEA21B2C13
SHA1:	FDD95DE1545BE9AE35B14D78A77FADB35151A8BC
SHA-256:	798FB3C47E7006ACDEAB0C355240FA2A9218D0E865A2AACF07ABCBB40EFCE2A0
SHA-512:	EAE44AEEE14333776C6B93D53F5C15211038F9CB159A29601C418083189D68AD6414FBCF591EA7A58A15C378D3EF3C0964A2DADB2355DC7AAC0DA491A759D6A3
Malicious:	false
Preview:	@...e...........S....................................@..........P................1]...E.....'.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.D....................+.H..!...e........System.Configuration.Ins

Process:	C:\Users\user\Desktop\CiscoSetup.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3548672
Entropy (8bit):	6.54053651576307
Encrypted:	false
SSDEEP:	98304:6JYVM+LtVt3P/KuG2ONG9iqLRQf333f5vC:LVL/tnHGYiqlz
MD5:	BFD84005E52425F9B8FE658B9663E1C4
SHA1:	49C54A003678DC14A19AC5D07C9BF053B8CD0683
SHA-256:	2EA785B8A4CF5C5FC457350A4C636DAC40137269A1A93D24C1083F1F77324D5D
SHA-512:	3E4E2A32F50C6BB200AF8A37C8653EF55E6D8FF47042266181546FD1CCF125A4FD5D2B7D8801D9179BF5E899C4992092895EE6F0D3F4E11AC8D5A1F40E5F82BF
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f....................`..................@...........................7...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text............................. ..`.itext..$.......0................. ..`.data................*.............@....bss.....\|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................

Entrypoint:	0x4a83bc
Entrypoint Section:	.itext
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6690DABD [Fri Jul 12 07:26:53 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	40ab50289f7ef5fae60801f88d4541fc

Signature Valid:	true
Signature Issuer:	CN=GlobalSign GCC R45 EV CodeSigning CA 2020, O=GlobalSign nv-sa, C=BE
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	26/09/2024 07:47:26 27/09/2025 07:47:26
Subject Chain	E=makedasalzbergneu79@gmail.com, CN=OMICARE JOINT STOCK COMPANY, O=OMICARE JOINT STOCK COMPANY, L=Ha Noi, S=Ha Noi, C=VN, OID.1.3.6.1.4.1.311.60.2.1.2=Ha Noi, OID.1.3.6.1.4.1.311.60.2.1.3=VN, SERIALNUMBER=0108523661, OID.2.5.4.15=Private Organization
Version:	3
Thumbprint MD5:	92142F58BB541C3BD5CD828C76AE0FC4
Thumbprint SHA-1:	56FC98490B4845072947536B9E0AC121A37744E6
Thumbprint SHA-256:	CF7A5967658B1BDB4A50A13D22EF734C707876B01D8D4B1F94FA493C5D4F3F57
Serial:	7F07AA1BB8A3B0183893B1AA

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0xb7000	0x71	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb5000	0xfec	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xcb000	0x44d7c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x1016000	0x2940
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xba000	0x10fa8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xb9000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xb52d4	0x25c	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0xb6000	0x1a4	.didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xa568c	0xa5800	b889d302f6fc48a904de33d8d947ae80	False	0.3620185045317221	data	6.377190161826806	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext	0xa7000	0x1b64	0x1c00	588dd0a8ab499300d3701cbd11b017d9	False	0.548828125	data	6.109264411030635	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0xa9000	0x3838	0x3a00	5c0c76e77aef52ebc6702430837ccb6e	False	0.35338092672413796	data	4.95916338709992	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0xad000	0x7258	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xb5000	0xfec	0x1000	627340dff539ef99048969aa4824fb2d	False	0.380615234375	data	5.020404933181373	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata	0xb6000	0x1a4	0x200	fd11c1109737963cc6cb7258063abfd6	False	0.34765625	data	2.729290535217263	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0xb7000	0x71	0x200	7de8ca0c7a61668a728fd3a88dc0942d	False	0.1796875	data	1.305578535725827	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0xb8000	0x18	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0xb9000	0x5d	0x200	d84006640084dc9f74a07c2ff9c7d656	False	0.189453125	data	1.3892750148744617	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xba000	0x10fa8	0x11000	a85fda2741bd9417695daa5fc5a9d7a5	False	0.5789579503676471	data	6.709466460182023	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0xcb000	0x44d7c	0x44e00	32e5332dbe3e261662e315c2c1237cb1	False	0.19719118647912887	data	5.165226138525442	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xcb438	0x41828	Device independent bitmap graphic, 254 x 512 x 32, image size 260096	English	United States	0.19084478697713247
RT_STRING	0x10cc60	0x3f8	data			0.3198818897637795
RT_STRING	0x10d058	0x2dc	data			0.36475409836065575
RT_STRING	0x10d334	0x430	data			0.40578358208955223
RT_STRING	0x10d764	0x44c	data			0.38636363636363635
RT_STRING	0x10dbb0	0x2d4	data			0.39226519337016574
RT_STRING	0x10de84	0xb8	data			0.6467391304347826
RT_STRING	0x10df3c	0x9c	data			0.6410256410256411
RT_STRING	0x10dfd8	0x374	data			0.4230769230769231
RT_STRING	0x10e34c	0x398	data			0.3358695652173913
RT_STRING	0x10e6e4	0x368	data			0.3795871559633027
RT_STRING	0x10ea4c	0x2a4	data			0.4275147928994083
RT_RCDATA	0x10ecf0	0x10	data			1.5
RT_RCDATA	0x10ed00	0x310	data			0.6173469387755102
RT_RCDATA	0x10f010	0x2c	data			1.1818181818181819
RT_GROUP_ICON	0x10f03c	0x14	data	English	United States	1.25
RT_VERSION	0x10f050	0x584	data	English	United States	0.2747875354107649
RT_MANIFEST	0x10f5d4	0x7a8	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.3377551020408163

DLL	Import
kernel32.dll	GetACP, GetExitCodeProcess, CloseHandle, LocalFree, SizeofResource, VirtualProtect, QueryPerformanceFrequency, VirtualFree, GetFullPathNameW, GetProcessHeap, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVolumeInformationW, GetVersion, GetDriveTypeW, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, LCMapStringW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
comctl32.dll	InitCommonControls
user32.dll	CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
oleaut32.dll	SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
advapi32.dll	ConvertStringSecurityDescriptorToSecurityDescriptorW, OpenThreadToken, AdjustTokenPrivileges, LookupPrivilegeValueW, RegOpenKeyExW, OpenProcessToken, FreeSid, AllocateAndInitializeSid, EqualSid, RegQueryValueExW, GetTokenInformation, ConvertSidToStringSidW, RegCloseKey

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 1, 2024 12:11:33.228985071 CET	49739	443	192.168.2.4	151.236.16.15
Nov 1, 2024 12:11:33.229021072 CET	443	49739	151.236.16.15	192.168.2.4
Nov 1, 2024 12:11:33.229110003 CET	49739	443	192.168.2.4	151.236.16.15
Nov 1, 2024 12:11:33.264504910 CET	49740	80	192.168.2.4	172.67.68.212
Nov 1, 2024 12:11:33.269339085 CET	80	49740	172.67.68.212	192.168.2.4
Nov 1, 2024 12:11:33.269810915 CET	49740	80	192.168.2.4	172.67.68.212
Nov 1, 2024 12:11:33.287374973 CET	49740	80	192.168.2.4	172.67.68.212
Nov 1, 2024 12:11:33.292212009 CET	80	49740	172.67.68.212	192.168.2.4
Nov 1, 2024 12:11:33.312225103 CET	49739	443	192.168.2.4	151.236.16.15
Nov 1, 2024 12:11:33.312258005 CET	443	49739	151.236.16.15	192.168.2.4
Nov 1, 2024 12:11:33.312313080 CET	443	49739	151.236.16.15	192.168.2.4
Nov 1, 2024 12:11:33.327492952 CET	49741	443	192.168.2.4	199.188.200.195
Nov 1, 2024 12:11:33.327538013 CET	443	49741	199.188.200.195	192.168.2.4
Nov 1, 2024 12:11:33.327609062 CET	49741	443	192.168.2.4	199.188.200.195
Nov 1, 2024 12:11:33.393940926 CET	49741	443	192.168.2.4	199.188.200.195
Nov 1, 2024 12:11:33.393978119 CET	443	49741	199.188.200.195	192.168.2.4
Nov 1, 2024 12:11:33.394054890 CET	443	49741	199.188.200.195	192.168.2.4
Nov 1, 2024 12:11:34.059222937 CET	80	49740	172.67.68.212	192.168.2.4
Nov 1, 2024 12:11:34.060316086 CET	49740	80	192.168.2.4	172.67.68.212
Nov 1, 2024 12:13:23.067640066 CET	49740	80	192.168.2.4	172.67.68.212
Nov 1, 2024 12:13:23.073836088 CET	80	49740	172.67.68.212	192.168.2.4
Nov 1, 2024 12:13:23.073887110 CET	49740	80	192.168.2.4	172.67.68.212

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 1, 2024 12:11:32.885265112 CET	49988	53	192.168.2.4	1.1.1.1
Nov 1, 2024 12:11:33.110045910 CET	63722	53	192.168.2.4	1.1.1.1
Nov 1, 2024 12:11:33.119891882 CET	53	63722	1.1.1.1	192.168.2.4
Nov 1, 2024 12:11:33.166495085 CET	53	49988	1.1.1.1	192.168.2.4
Nov 1, 2024 12:11:33.313072920 CET	53099	53	192.168.2.4	1.1.1.1
Nov 1, 2024 12:11:33.325557947 CET	53	53099	1.1.1.1	192.168.2.4

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 12:11:33.287374973 CET	118	OUT	GET /location/loca.asp HTTP/1.1 Host: geo.netsupportsoftware.com Connection: Keep-Alive Cache-Control: no-cache
Nov 1, 2024 12:11:34.059222937 CET	798	IN	HTTP/1.1 200 OK Date: Fri, 01 Nov 2024 11:11:33 GMT Content-Type: text/html; Charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive CF-Ray: 8dbb71dc48134763-DFW CF-Cache-Status: DYNAMIC Access-Control-Allow-Origin: * Cache-Control: private Set-Cookie: ASPSESSIONIDACBSDDAB=PDPLDFECPAOBJDLAMCMHAFIP; path=/ cf-apo-via: origin,host X-Frame-Options: SAMEORIGIN X-Powered-By: ASP.NET Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=17fL%2BlK%2B83gtAbD1HNwxMOC%2FN78P5c0O0alFgSK3EXL%2B5O%2B1xS%2FWN5R8mX%2FX4ZiX%2F4rlgkCU%2F0JxZbyU135Vg6jarv%2FiXMiJ05wcuJOfvF62sT2hCvHGYWVFCONasNjllTKFT483TqAWYskk"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare Data Raw: 66 0d 0a 33 32 2e 37 37 36 37 2c 2d 39 36 2e 37 39 37 0d 0a 30 0d 0a 0d 0a Data Ascii: f32.7767,-96.7970

Target ID:	0
Start time:	07:11:01
Start date:	01/11/2024
Path:	C:\Users\user\Desktop\CiscoSetup.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\CiscoSetup.exe"
Imagebase:	0x6c0000
File size:	16'877'888 bytes
MD5 hash:	91F7229586DF2C577A54AD0D1A5BDCB1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Target ID:	1
Start time:	07:11:02
Start date:	01/11/2024
Path:	C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp" /SL5="$2041A,13456411,1058304,C:\Users\user\Desktop\CiscoSetup.exe"
Imagebase:	0x480000
File size:	3'548'672 bytes
MD5 hash:	BFD84005E52425F9B8FE658B9663E1C4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	true

Target ID:	5
Start time:	07:11:28
Start date:	01/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-D93RQ.tmp\cispn.ps1"
Imagebase:	0x600000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000005.00000002.2043735068.000000000883E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000005.00000002.1991259471.0000000005259000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000005.00000002.1991259471.0000000005357000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Target ID:	7
Start time:	07:11:31
Start date:	01/11/2024
Path:	C:\Users\user\AppData\Roaming\Cisco\client32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Cisco\client32.exe"
Imagebase:	0x400000
File size:	121'304 bytes
MD5 hash:	4F2D0F4A5BA798FA9E85379C7C4BD36E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000007.00000000.1983117246.0000000000404000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000007.00000002.4143550370.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000007.00000003.2284925440.0000000005207000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000007.00000002.4142059175.0000000002648000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000007.00000002.4143093821.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000007.00000002.4143045081.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000007.00000002.4143045081.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000007.00000002.4141174786.0000000000404000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000007.00000003.2285282850.0000000005226000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe, Author: Joe Security
Reputation:	low
Has exited:	false

Target ID:	8
Start time:	07:11:43
Start date:	01/11/2024
Path:	C:\Users\user\AppData\Roaming\Cisco\client32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Cisco\client32.exe"
Imagebase:	0x400000
File size:	121'304 bytes
MD5 hash:	4F2D0F4A5BA798FA9E85379C7C4BD36E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000008.00000000.2102185097.0000000000404000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000008.00000002.2109302873.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000008.00000002.2109302873.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000008.00000002.2104099900.0000000000404000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000008.00000002.2109384742.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Target ID:	10
Start time:	07:11:52
Start date:	01/11/2024
Path:	C:\Users\user\AppData\Roaming\Cisco\client32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Cisco\client32.exe"
Imagebase:	0x400000
File size:	121'304 bytes
MD5 hash:	4F2D0F4A5BA798FA9E85379C7C4BD36E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000A.00000002.2190553256.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000A.00000002.2189669515.0000000000404000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000A.00000000.2183700917.0000000000404000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000A.00000002.2190511917.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000A.00000002.2190511917.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Execution Coverage:	5.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	7.5%
Total number of Nodes:	2000
Total number of Limit Nodes:	103

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report CiscoSetup.exe

Overview

General Information

Detection

Compliance

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Other

Sigma Signatures

System Summary

Remote Access Functionality

Suricata Signatures

Joe Sandbox Signatures

Cryptography

Privilege Escalation

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\is-AB2VI.tmp

C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpndownloader.exe (copy)

C:\Program Files (x86)\Cisco\Cisco Secure Client\InstallHelper.exe (copy)

C:\Program Files (x86)\Cisco\Cisco Secure Client\InstallHelper64.exe (copy)

C:\Program Files (x86)\Cisco\Cisco Secure Client\Install\Component\acsock64.json (copy)

C:\Program Files (x86)\Cisco\Cisco Secure Client\Install\Component\is-I38LK.tmp

C:\Program Files (x86)\Cisco\Cisco Secure Client\Install\Dependency\is-4FJ8H.tmp

C:\Program Files (x86)\Cisco\Cisco Secure Client\Install\Dependency\vpn_manifest.json (copy)

Windows Analysis Report
CiscoSetup.exe

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre