Windows Analysis Report
CiscoSetup.exe

Overview

General Information

Sample name: CiscoSetup.exe
Analysis ID: 1546660
MD5: 446a85d94adb8e2e9157170b82592d6a
SHA1: 1ea726940904e568dbdc4a6ef50b61cae6bb55ea
SHA256: 65110470f6c6c96877e96a640adcf6178186b675e6d1bc24c19f977a12220294
Tags: exe, OMICAREJOINTSTOCKCOMPANY, user-SquiblydooBlog

Detection

NetSupport RAT, NetSupport Downloader
Score: 54
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Compliance

Score: 33
Range: 0 - 100

Signatures

Malicious sample detected (through community Yara rule)
Sigma detected: Powershell drops NetSupport RAT client
Suricata IDS alerts for network traffic
Yara detected NetSupport Downloader
Bypasses PowerShell execution policy
Contains functionality to detect sleep reduction / modifications
Contains functionality to change the wallpaper
Found suspicious powershell code related to unpacking or dynamic code loading
Loading BitLocker PowerShell Module
NDIS Filter Driver detected (likely used to intercept and sniff network traffic)
Powershell drops PE file
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Abnormal high CPU Usage
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops certificate files (DER)
EXE planting / hijacking vulnerabilities found
Enables debug privileges
Enables security privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evaded block containing many API calls
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara detected Keylogger Generic
Yara detected NetSupport remote tool
Yara signature match

Classification

Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 6_2_110AC820 GetModuleHandleA,GetProcAddress,GetProcAddress,GetLastError,wsprintfA,GetLastError,_memset,CryptGetProvParam,CryptGetProvParam,GetLastError,_memset,CryptGetProvParam,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,_free,GetLastError,CryptReleaseContext,SetLastError,FreeLibrary, 6_2_110AC820
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 9_2_110AC820 GetModuleHandleA,GetProcAddress,GetProcAddress,GetLastError,wsprintfA,GetLastError,_memset,CryptGetProvParam,CryptGetProvParam,GetLastError,_memset,CryptGetProvParam,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,_free,GetLastError,CryptReleaseContext,SetLastError,FreeLibrary, 9_2_110AC820
Source: is-2J155.tmp.2.dr Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_d49f9afc-4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe EXE: C:\Users\user\AppData\Roaming\Cisco\remcmdstub.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe EXE: C:\Users\user\AppData\Roaming\Cisco\client32.exe
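The two lines above are the evidence behind the "Powershell drops PE file" and "Sigma detected: Powershell drops NetSupport RAT client" signatures: powershell.exe writes client32.exe and remcmdstub.exe under %APPDATA%\Cisco and the client is then executed. The following is an added example of how to express that behaviour as a host-side correlation rule; it is not part of the Joe Sandbox report. The event records are constructed here in a Sysmon-like shape (EventID 11 FileCreate, EventID 1 ProcessCreate) and the field names `ts`, `id`, `image`, `target` and `parent` are this example's own assumptions, not a real log schema.

```python
"""Correlate 'script host writes a PE under AppData' with 'that PE is later
executed'.  Added example; event format is constructed, not taken from the
sandbox report."""
import ntpath

PE_EXT = (".exe", ".dll")
# Script hosts worth watching; the report only shows powershell.exe,
# the others are an assumption based on the same dropper pattern.
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe")


def _is_script_host(image: str) -> bool:
    return ntpath.basename(image).lower() in SCRIPT_HOSTS


def _under_appdata(path: str) -> bool:
    return "\\appdata\\" in path.lower()


def correlate(events: list[dict]) -> list[dict]:
    """Return one alert per PE that a script host dropped under AppData and
    that was subsequently started (by any parent).  Events are processed in
    timestamp order so a launch seen before the write does not match."""
    dropped = {}  # lowercased dropped path -> writer image
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["id"] == 11 and _is_script_host(ev["image"]):
            target = ev["target"]
            if target.lower().endswith(PE_EXT) and _under_appdata(target):
                dropped[target.lower()] = ev["image"]
        elif ev["id"] == 1:
            img = ev["image"].lower()
            if img in dropped:
                alerts.append({
                    "dropped_by": dropped[img],
                    "executed": ev["image"],
                    "parent": ev["parent"],
                    "ts": ev["ts"],
                })
    return alerts


# Constructed sample events modelled on the paths seen in this report.
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {"ts": 1, "id": 11, "image": PS, "target": r"C:\Users\user\AppData\Roaming\Cisco\client32.exe"},
    {"ts": 2, "id": 11, "image": PS, "target": r"C:\Users\user\AppData\Roaming\Cisco\remcmdstub.exe"},
    {"ts": 3, "id": 11, "image": PS, "target": r"C:\Users\user\AppData\Roaming\Cisco\notes.txt"},
    {"ts": 4, "id": 1, "image": r"C:\Users\user\AppData\Roaming\Cisco\client32.exe", "parent": PS},
    # Benign control: a non-script-host writes a PE and it runs; no alert.
    {"ts": 5, "id": 11, "image": r"C:\Program Files\Git\git.exe", "target": r"C:\Users\user\AppData\Local\tool.exe"},
    {"ts": 6, "id": 1, "image": r"C:\Users\user\AppData\Local\tool.exe", "parent": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

The rule only fires on the write-then-execute pair, which keeps ordinary PowerShell-based installers that never run what they write (remcmdstub.exe in this report) from producing an alert by themselves; the dropped-but-unexecuted file is still worth listing as an artefact when the rule does fire.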

Compliance

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe EXE: C:\Users\user\AppData\Roaming\Cisco\remcmdstub.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe EXE: C:\Users\user\AppData\Roaming\Cisco\client32.exe
Source: CiscoSetup.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: CiscoSetup.exe Static PE information: certificate valid
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Cisco\msvcr100.dll
Source: CiscoSetup.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Full\pcichek.pdb source: client32.exe, 00000006.00000002.4600795851.000000006DEC2000.00000002.00000001.01000000.0000000C.sdmp, client32.exe, 00000009.00000002.2498300418.000000006DEC2000.00000002.00000001.01000000.0000000C.sdmp, client32.exe, 0000000A.00000002.2580406925.000000006DEC2000.00000002.00000001.01000000.0000000C.sdmp, PCICHEK.DLL.4.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210f\client32\Release\PCICL32.pdb source: client32.exe, 00000006.00000002.4599013650.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 00000009.00000002.2497655081.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2579273114.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: C:\temp\build\thehoff\Quicksilver_MR50.560024709388\Quicksilver_MR5\vpn\ApiShim\Win32\Release\vpnapishim.pdb source: is-V8S0O.tmp.2.dr
Source: Binary string: C:\temp\build\thehoff\Quicksilver_MR50.560024709388\Quicksilver_MR5\vpn\WebHelper\Plugin\Win32\Release\acwebhelper.pdb&&&GCTL source: is-S9VDU.tmp.2.dr
Source: Binary string: ws\Mion.pdb source: powershell.exe, 00000004.00000002.2458265497.000000000756A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Full\pcichek.pdbN source: PCICHEK.DLL.4.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdbL source: powershell.exe, 00000004.00000002.2411285654.0000000005089000.00000004.00000800.00020000.00000000.sdmp, client32.exe, 00000006.00000002.4600206942.0000000068930000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.2457352280.00000000074C0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: client32.pdb\1141\1141\client32\Release\client32.pdb source: powershell.exe, 00000004.00000002.2411285654.0000000004F8A000.00000004.00000800.00020000.00000000.sdmp, client32.exe.4.dr
Source: Binary string: C:\temp\build\thehoff\Quicksilver_MR50.560024709388\Quicksilver_MR5\vpn\InstallHelper\Win32\Release\InstallHelper.pdb source: is-H5812.tmp.2.dr
Source: Binary string: C:\temp\build\thehoff\Quicksilver_MR50.560024709388\Quicksilver_MR5\vpn\ApiShim\Win32\Release\vpnapishim.pdb...GCTL source: is-V8S0O.tmp.2.dr
Source: Binary string: d:\a01\_work\11\s\\binaries\x86ret\bin\i386\vccorlib140.i386.pdb source: is-OJMRD.tmp.2.dr
Source: Binary string: C:\Users\build\p4files\ngc\Phoenix\third-party\libcurl\out.win.7.x86\curl-7.84.0\builds\libcurl-vc-x86-release-dll-ssl-dll-ipv6-sspi-obj-lib\accurl.pdb source: is-2J155.tmp.2.dr
Source: Binary string: E:\nsmsrc\nsm\1280\1280f\ctl32\release_unicode\tcctl32.pdbP` source: powershell.exe, 00000004.00000002.2411285654.0000000004F8A000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: \1141\1141\client32\Release\client32.pdb source: powershell.exe, 00000004.00000002.2411285654.0000000004F8A000.00000004.00000800.00020000.00000000.sdmp, client32.exe.4.dr
Source: Binary string: C:\temp\build\thehoff\Quicksilver_MR50.560024709388\Quicksilver_MR5\vpn\WebHelper\Plugin\Win32\Release\acwebhelper.pdb source: is-S9VDU.tmp.2.dr
Source: Binary string: C:\Users\build\p4files\ngc\Quicksilver\third-party\openssl\out.win.7.x86\ciscossl-1.1.1t.7.2.500\acciscossl.pdb source: is-VTDA9.tmp.2.dr
Source: Binary string: C:\temp\build\thehoff\Quicksilver_MR50.560024709388\Quicksilver_MR5\PhoneHome\Win32\Release\acfeedback.pdb source: is-2TJID.tmp.2.dr
Source: Binary string: C:\temp\build\thehoff\proj_Phoenix_VS20190.730599493905\proj_Phoenix_VS2019\vpn\VA\NDIS6\x64\Release\vpnva64-6.pdbGCTL source: is-EUMLH.tmp.2.dr
Source: Binary string: msvcr100.i386.pdb source: powershell.exe, 00000004.00000002.2411285654.0000000005089000.00000004.00000800.00020000.00000000.sdmp, client32.exe, client32.exe, 00000006.00000002.4600362190.0000000068B31000.00000020.00000001.01000000.0000000E.sdmp, client32.exe, 00000009.00000002.2498047838.0000000068B31000.00000020.00000001.01000000.0000000E.sdmp, client32.exe, 0000000A.00000002.2580034650.0000000068B31000.00000020.00000001.01000000.0000000E.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.2409667962.0000000003148000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\temp\build\thehoff\proj_Phoenix_VS20190.730599493905\proj_Phoenix_VS2019\vpn\VA\NDIS6\x64\Release\vpnva64-6.pdb source: is-EUMLH.tmp.2.dr
Source: Binary string: E:\nsmsrc\nsm\1280\1280f\ctl32\release_unicode\tcctl32.pdb source: powershell.exe, 00000004.00000002.2411285654.0000000004F8A000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\temp\build\thehoff\Quicksilver_MR50.560024709388\Quicksilver_MR5\vpn\InstallHelper\x64\Release\InstallHelper64.pdb source: is-KLEUG.tmp.2.dr
Source: Binary string: C:\temp\build\thehoff\Quicksilver_MR50.560024709388\Quicksilver_MR5\vpn\InstallHelper\x64\Release\InstallHelper64.pdb; source: is-KLEUG.tmp.2.dr
Source: Binary string: client32.pdb source: powershell.exe, 00000004.00000002.2411285654.0000000004F8A000.00000004.00000800.00020000.00000000.sdmp, client32.exe.4.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210\AudioCapture\Release\AudioCapture.pdb source: powershell.exe, 00000004.00000002.2411285654.0000000004F8A000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\build\p4files\ngc\Quicksilver\third-party\openssl\out.win.7.x86\ciscossl-1.1.1t.7.2.500\acciscossl.pdbAAA source: is-VTDA9.tmp.2.dr
Source: Binary string: C:\temp\build\thehoff\Quicksilver_MR50.560024709388\Quicksilver_MR5\PhoneHome\Win32\Release\acfeedback.pdbMM/GCTL source: is-2TJID.tmp.2.dr
Source: Binary string: d:\a01\_work\11\s\\binaries\x86ret\bin\i386\vccorlib140.i386.pdbGCTL source: is-OJMRD.tmp.2.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdb source: powershell.exe, 00000004.00000002.2411285654.0000000005089000.00000004.00000800.00020000.00000000.sdmp, client32.exe, 00000006.00000002.4600206942.0000000068930000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Release\pcicapi.pdb source: client32.exe, 00000006.00000002.4600671174.0000000068BF5000.00000002.00000001.01000000.0000000D.sdmp, client32.exe, 00000009.00000002.2498203499.0000000068BF5000.00000002.00000001.01000000.0000000D.sdmp, client32.exe, 0000000A.00000002.2580255021.0000000068BF5000.00000002.00000001.01000000.0000000D.sdmp
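The PDB strings above are the quickest way to tell the two code bases in this installer apart: everything under E:\nsmsrc\nsm\ is a NetSupport Manager build, while the C:\temp\build\thehoff\ and C:\Users\build\p4files\ngc\ trees belong to the Cisco VPN client components the dropper ships as cover. The block below is an added example, not part of the Joe Sandbox report, of extracting those paths from raw bytes by locating CodeView RSDS debug records (4-byte `RSDS` signature, 16-byte GUID, 4-byte little-endian age, NUL-terminated path) without a full PE parser, so it also works on memory dumps. The build-tree labels, the `BUILD_ROOTS` table and the synthetic input bytes are this example's assumptions.

```python
"""Extract CodeView RSDS PDB paths from raw bytes and attribute them to a
build tree.  Added example; the mapping of build roots to products is an
assumption drawn from the PDB strings in the report."""
import struct
import uuid
from dataclasses import dataclass

BUILD_ROOTS = {
    "e:\\nsmsrc\\nsm\\": "NetSupport Manager component",
    "c:\\temp\\build\\thehoff\\": "Cisco VPN client component",
    "c:\\users\\build\\p4files\\ngc\\": "Cisco third-party library build",
}


@dataclass
class CodeViewRecord:
    offset: int
    guid: uuid.UUID
    age: int
    pdb_path: str


def find_rsds_records(data: bytes) -> list[CodeViewRecord]:
    """Linear scan for RSDS records.  A record is only accepted if the
    20-byte header fits and the trailing string is ASCII ending in .pdb,
    which filters random 'RSDS' byte runs and truncated tails."""
    records = []
    pos = data.find(b"RSDS")
    while pos != -1:
        hdr = data[pos + 4 : pos + 24]
        if len(hdr) == 20:
            guid = uuid.UUID(bytes_le=hdr[:16])
            age = struct.unpack("<I", hdr[16:20])[0]
            end = data.find(b"\x00", pos + 24)
            raw = data[pos + 24 : end if end != -1 else len(data)]
            try:
                path = raw.decode("ascii")
            except UnicodeDecodeError:
                path = None
            if path and path.lower().endswith(".pdb"):
                records.append(CodeViewRecord(pos, guid, age, path))
        pos = data.find(b"RSDS", pos + 4)
    return records


def attribute(pdb_path: str) -> str:
    low = pdb_path.lower()
    for root, label in BUILD_ROOTS.items():
        if low.startswith(root):
            return label
    return "unknown build tree"


def triage(data: bytes) -> list[tuple[str, str]]:
    return [(r.pdb_path, attribute(r.pdb_path)) for r in find_rsds_records(data)]


# --- constructed sample: padding plus two synthetic RSDS records whose
# paths are copied from the report, followed by a truncated record ---
def _rsds(path: str, guid: uuid.UUID, age: int) -> bytes:
    return b"RSDS" + guid.bytes_le + struct.pack("<I", age) + path.encode("ascii") + b"\x00"


SAMPLE = (
    b"MZ" + b"\x90" * 60
    + _rsds("E:\\nsmsrc\\nsm\\1210\\1210\\ctl32\\Release\\pcicapi.pdb", uuid.UUID(int=1), 1)
    + b"\x00" * 16
    + _rsds(
        "C:\\temp\\build\\thehoff\\Quicksilver_MR50.560024709388\\Quicksilver_MR5"
        "\\vpn\\ApiShim\\Win32\\Release\\vpnapishim.pdb",
        uuid.UUID(int=2),
        3,
    )
    + b"RSDS"  # truncated record at end of buffer: must be ignored
)

if __name__ == "__main__":
    for path, label in triage(SAMPLE):
        print(f"{label:35s} {path}")
```

Because the scan is signature-based it will also pick up RSDS records from statically linked or embedded modules, which is exactly what makes it useful here: the NetSupport build paths show up inside the PowerShell process memory dumps listed above even though powershell.exe itself has no such debug record.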
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 6_2_11123570 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle, 6_2_11123570
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 6_2_11069690 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,GetLastError, 6_2_11069690
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 6_2_1110BB80 GetLocalTime,wsprintfA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,ExpandEnvironmentStringsA,CreateFileA,timeBeginPeriod,GetLocalTime,timeGetTime,_memset,WriteFile, 6_2_1110BB80
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 6_2_11107FE0 _memset,wsprintfA,wsprintfA,KillTimer,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose, 6_2_11107FE0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 6_2_110BC3D0 GetFileAttributesA,CreateDirectoryA,FindFirstFileA,CopyFileA,CopyFileA,FindNextFileA,FindClose,DrawMenuBar, 6_2_110BC3D0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 6_2_1102CE2D InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess, 6_2_1102CE2D
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 6_2_11064E30 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA, 6_2_11064E30
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 9_2_1102D059 PostThreadMessageA,PostThreadMessageA,CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess, 9_2_1102D059
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 9_2_1102CEB1 Sleep,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess, 9_2_1102CEB1
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 9_2_11123570 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle, 9_2_11123570
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 9_2_1110BB80 GetLocalTime,wsprintfA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,ExpandEnvironmentStringsA,CreateFileA,timeBeginPeriod,GetLocalTime,timeGetTime,_memset,WriteFile, 9_2_1110BB80
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 9_2_11107FE0 _memset,wsprintfA,wsprintfA,KillTimer,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose, 9_2_11107FE0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 9_2_110BC3D0 GetFileAttributesA,CreateDirectoryA,FindFirstFileA,CopyFileA,CopyFileA,FindNextFileA,FindClose,DrawMenuBar, 9_2_110BC3D0

Networking

Source: Network traffic Suricata IDS: 2827745 - Severity 1 - ETPRO MALWARE NetSupport RAT CnC Activity : 192.168.2.6:60703 -> 151.236.16.15:443
Source: Network traffic Suricata IDS: 2827745 - Severity 1 - ETPRO MALWARE NetSupport RAT CnC Activity : 192.168.2.6:60707 -> 199.188.200.195:443
Source: Yara match File source: amsi32_3412.amsi.csv, type: OTHER
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\is-S9GUG.tmp\cispn.ps1, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Cisco\unins000.dat, type: DROPPED
Source: is-O18K3.tmp.2.dr Static PE information: Found NDIS imports: FwpsCalloutRegister1, FwpsCalloutRegister0, FwpmFilterDeleteById0, FwpmBfeStateSubscribeChanges0, FwpsCalloutUnregisterById0, FwpmFilterAdd0, FwpsStreamInjectAsync0, FwpsQueryPacketInjectionState0, FwpsInjectTransportReceiveAsync0, FwpsInjectTransportSendAsync0, FwpsConstructIpHeaderForTransportPacket0, FwpsFreeCloneNetBufferList0, FwpsAllocateCloneNetBufferList0, FwpsFreeNetBufferList0, FwpsAllocateNetBufferAndNetBufferList0, FwpsInjectionHandleDestroy0, FwpsInjectionHandleCreate0, FwpsApplyModifiedLayerData0, FwpsAcquireWritableLayerDataPointer0, FwpsReleaseClassifyHandle0, FwpsAcquireClassifyHandle0, FwpmBfeStateUnsubscribeChanges0, FwpmuserOpen0, FwpmuserClose0, FwpmTransactionBegin0, FwpmTransactionCommit0, FwpmTransactionAbort0, FwpmProviderAdd0, FwpmProviderDeleteByKey0, FwpmSubLayerAdd0, FwpmSubLayerDeleteByKey0, FwpmCalloutAdd0, FwpmCalloutDeleteById0
Source: is-0CFDM.tmp.2.dr Static PE information: Found NDIS imports: FwpmuserClose0, FwpmFilterAdd0, FwpmTransactionAbort0, FwpmFilterDeleteById0, FwpmTransactionBegin0, FwpmGetAppIdFromFileName0, FwpmuserOpen0, FwpmSubLayerDeleteByKey0, FwpmSubLayerAdd0, FwpmTransactionCommit0, FwpmProviderAdd0, FwpmProviderDeleteByKey0
Source: global traffic HTTP traffic detected:
    GET /location/loca.asp HTTP/1.1
    Host: geo.netsupportsoftware.com
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: Joe Sandbox View IP Address: 104.26.1.231
Source: Joe Sandbox View ASN Name: HVC-ASUS
Source: Joe Sandbox View ASN Name: NAMECHEAP-NETUS
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.12.23.50:443 -> 192.168.2.6:49748
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.12.23.50:443 -> 192.168.2.6:60861
(Both hits are on inbound TLS traffic from port 443 of a 20.x.x.x address, which is Microsoft cloud address space; a content signature for a CAB parsing exploit firing on encrypted traffic of that kind is most likely a false positive and is not evidence that this sample carries a CVE-2016-2211 exploit. The NetSupport CnC alerts above are the relevant network findings.)
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1 (3 occurrences)
Source: global traffic HTTP traffic detected:
    GET /location/loca.asp HTTP/1.1
    Host: geo.netsupportsoftware.com
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic DNS traffic detected: DNS query: payiki.com
Source: global traffic DNS traffic detected: DNS query: anyhowdo.com
Source: global traffic DNS traffic detected: DNS query: geo.netsupportsoftware.com
Source: unknown HTTP traffic detected:
    POST http://151.236.16.15/fakeurl.htm HTTP/1.1
    User-Agent: NetSupport Manager/1.3
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 22
    Host: 151.236.16.15
    Connection: Keep-Alive

    CMD=POLL
    INFO=1
    ACK=1
Source: client32.exe, client32.exe, 00000006.00000002.4600206942.0000000068930000.00000002.00000001.01000000.0000000F.sdmp String found in binary or memory: http://%s/fakeurl.htm
Source: powershell.exe, 00000004.00000002.2411285654.0000000005089000.00000004.00000800.00020000.00000000.sdmp, client32.exe, client32.exe, 00000006.00000002.4600206942.0000000068930000.00000002.00000001.01000000.0000000F.sdmp String found in binary or memory: http://%s/testpage.htm
Source: powershell.exe, 00000004.00000002.2411285654.0000000005089000.00000004.00000800.00020000.00000000.sdmp, client32.exe, 00000006.00000002.4600206942.0000000068930000.00000002.00000001.01000000.0000000F.sdmp String found in binary or memory: http://%s/testpage.htmwininet.dll
Source: client32.exe, client32.exe, 00000009.00000002.2497655081.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2579273114.000000001118F000.00000002.00000001.01000000.0000000B.sdmp String found in binary or memory: http://127.0.0.1
Source: client32.exe, 00000006.00000002.4599013650.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 00000009.00000002.2497655081.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2579273114.000000001118F000.00000002.00000001.01000000.0000000B.sdmp String found in binary or memory: http://127.0.0.1RESUMEPRINTING
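The requests and strings above give a compact fingerprint of a NetSupport client talking through its HTTP gateway: a POST to /fakeurl.htm (or a probe of /testpage.htm) with a `NetSupport Manager/` User-Agent and a body beginning `CMD=POLL`, preceded by a User-Agent-less GET to geo.netsupportsoftware.com when the client starts. The block below is an added example, not part of the report, of checking raw HTTP requests against those indicators; it is what a Suricata rule such as the ETPRO one listed above does in content terms. The sample requests are constructed from the report's traffic; the line breaks inside the 22-byte POST body are assumed, since the report shows the body run together.

```python
"""Flag NetSupport Manager gateway traffic in raw HTTP requests.
Added example; indicator set taken from the requests and strings in the
report, sample requests constructed to match them."""
from dataclasses import dataclass, field


@dataclass
class HttpRequest:
    method: str
    target: str
    headers: dict[str, str] = field(default_factory=dict)
    body: bytes = b""


def parse_request(raw: bytes) -> HttpRequest:
    """Minimal HTTP/1.x request parser: request line, headers, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, target, headers, body)


def _path(target: str) -> str:
    """Handle both origin-form (/x) and absolute-form (http://h/x) targets;
    the beacon in this report uses the absolute form."""
    if "://" in target:
        target = target.split("://", 1)[1]
        target = target[target.find("/"):] if "/" in target else "/"
    return target.split("?", 1)[0]


NETSUPPORT_PATHS = ("/fakeurl.htm", "/testpage.htm")


def classify(req: HttpRequest) -> list[str]:
    """Return the indicators that fired; an empty list means no match."""
    hits = []
    ua = req.headers.get("user-agent", "")
    host = req.headers.get("host", "")
    path = _path(req.target)
    if ua.startswith("NetSupport Manager/"):
        hits.append("netsupport user-agent")
    if any(path.endswith(p) for p in NETSUPPORT_PATHS):
        hits.append("gateway probe/beacon path")
    if req.method == "POST" and req.body.startswith(b"CMD=POLL"):
        hits.append("CMD=POLL beacon body")
    if host == "geo.netsupportsoftware.com" and not ua:
        hits.append("geolocation lookup without user-agent")
    return hits


# Constructed samples modelled on the report's traffic.
BEACON = (
    b"POST http://151.236.16.15/fakeurl.htm HTTP/1.1\r\n"
    b"User-Agent: NetSupport Manager/1.3\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 22\r\n"
    b"Host: 151.236.16.15\r\n"
    b"Connection: Keep-Alive\r\n\r\n"
    b"CMD=POLL\nINFO=1\nACK=1\n"  # line breaks assumed
)
GEO = (
    b"GET /location/loca.asp HTTP/1.1\r\n"
    b"Host: geo.netsupportsoftware.com\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Cache-Control: no-cache\r\n\r\n"
)
BENIGN = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: Mozilla/5.0\r\n\r\n"
)

if __name__ == "__main__":
    for name, raw in (("beacon", BEACON), ("geo", GEO), ("benign", BENIGN)):
        print(name, classify(parse_request(raw)))
```

Matching on several independent indicators matters here because the operator controls the gateway host and path: the 151.236.16.15 and 199.188.200.195 addresses from the Suricata alerts will rotate, whereas the User-Agent string, the CMD=POLL body and the geolocation lookup are properties of the NetSupport client itself.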
Source: is-KLEUG.tmp.2.dr, is-2J155.tmp.2.dr, is-I704D.tmp.2.dr, is-VTDA9.tmp.2.dr, is-V8S0O.tmp.2.dr, is-S9VDU.tmp.2.dr, is-2TJID.tmp.2.dr, is-SINFC.tmp.2.dr, is-H5812.tmp.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: is-KLEUG.tmp.2.dr, is-2J155.tmp.2.dr, is-I704D.tmp.2.dr, is-VTDA9.tmp.2.dr, is-V8S0O.tmp.2.dr, is-S9VDU.tmp.2.dr, is-2TJID.tmp.2.dr, is-SINFC.tmp.2.dr, is-H5812.tmp.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: is-KLEUG.tmp.2.dr, is-2J155.tmp.2.dr, is-I704D.tmp.2.dr, is-VTDA9.tmp.2.dr, is-V8S0O.tmp.2.dr, is-S9VDU.tmp.2.dr, is-2TJID.tmp.2.dr, is-SINFC.tmp.2.dr, is-H5812.tmp.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: is-KLEUG.tmp.2.dr, is-2J155.tmp.2.dr, is-I704D.tmp.2.dr, is-VTDA9.tmp.2.dr, is-V8S0O.tmp.2.dr, is-S9VDU.tmp.2.dr, is-2TJID.tmp.2.dr, is-SINFC.tmp.2.dr, is-H5812.tmp.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: is-KLEUG.tmp.2.dr, is-2J155.tmp.2.dr, is-I704D.tmp.2.dr, is-VTDA9.tmp.2.dr, is-V8S0O.tmp.2.dr, is-S9VDU.tmp.2.dr, is-2TJID.tmp.2.dr, is-SINFC.tmp.2.dr, is-H5812.tmp.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: powershell.exe, 00000004.00000002.2411285654.0000000004EF0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2411285654.0000000004F8A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: CiscoSetup.exe String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: CiscoSetup.exe String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: CiscoSetup.exe String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0(
Source: CiscoSetup.exe String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: powershell.exe, 00000004.00000002.2458265497.000000000756A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.microsoft
Source: powershell.exe, 00000004.00000002.2411285654.0000000004F8A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: powershell.exe, 00000004.00000002.2411285654.0000000004F8A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: powershell.exe, 00000004.00000002.2411285654.0000000004EF0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: powershell.exe, 00000004.00000002.2411285654.0000000004EF0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2411285654.0000000004F8A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: powershell.exe, 00000004.00000002.2411285654.0000000004EF0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2411285654.0000000004EE6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2411285654.0000000004F8A000.00000004.00000800.00020000.00000000.sdmp, client32.exe.4.dr String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: is-KLEUG.tmp.2.dr, is-2J155.tmp.2.dr, is-I704D.tmp.2.dr, is-VTDA9.tmp.2.dr, is-V8S0O.tmp.2.dr, is-S9VDU.tmp.2.dr, is-2TJID.tmp.2.dr, is-SINFC.tmp.2.dr, is-H5812.tmp.2.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: is-KLEUG.tmp.2.dr, is-2J155.tmp.2.dr, is-I704D.tmp.2.dr, is-VTDA9.tmp.2.dr, is-V8S0O.tmp.2.dr, is-S9VDU.tmp.2.dr, is-2TJID.tmp.2.dr, is-SINFC.tmp.2.dr, is-H5812.tmp.2.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: is-KLEUG.tmp.2.dr, is-2J155.tmp.2.dr, is-I704D.tmp.2.dr, is-VTDA9.tmp.2.dr, is-V8S0O.tmp.2.dr, is-S9VDU.tmp.2.dr, is-2TJID.tmp.2.dr, is-SINFC.tmp.2.dr, is-H5812.tmp.2.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: is-KLEUG.tmp.2.dr, is-2J155.tmp.2.dr, is-I704D.tmp.2.dr, is-VTDA9.tmp.2.dr, is-V8S0O.tmp.2.dr, is-S9VDU.tmp.2.dr, is-2TJID.tmp.2.dr, is-SINFC.tmp.2.dr, is-H5812.tmp.2.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: is-KLEUG.tmp.2.dr, is-2J155.tmp.2.dr, is-I704D.tmp.2.dr, is-VTDA9.tmp.2.dr, is-V8S0O.tmp.2.dr, is-S9VDU.tmp.2.dr, is-2TJID.tmp.2.dr, is-SINFC.tmp.2.dr, is-H5812.tmp.2.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: is-KLEUG.tmp.2.dr, is-2J155.tmp.2.dr, is-I704D.tmp.2.dr, is-VTDA9.tmp.2.dr, is-V8S0O.tmp.2.dr, is-S9VDU.tmp.2.dr, is-2TJID.tmp.2.dr, is-SINFC.tmp.2.dr, is-H5812.tmp.2.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: is-KLEUG.tmp.2.dr, is-2J155.tmp.2.dr, is-I704D.tmp.2.dr, is-VTDA9.tmp.2.dr, is-V8S0O.tmp.2.dr, is-S9VDU.tmp.2.dr, is-2TJID.tmp.2.dr, is-SINFC.tmp.2.dr, is-H5812.tmp.2.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: powershell.exe, 00000004.00000002.2411285654.0000000004F8A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: powershell.exe, 00000004.00000002.2411285654.0000000004F8A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: powershell.exe, 00000004.00000002.2411285654.0000000004EF0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: powershell.exe, 00000004.00000002.2411285654.0000000004EF0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2411285654.0000000004F8A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: client32.exe, client32.exe, 00000009.00000002.2497655081.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2579273114.000000001118F000.00000002.00000001.01000000.0000000B.sdmp String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.asp
Source: client32.exe, 00000006.00000002.4599013650.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 00000009.00000002.2497655081.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2579273114.000000001118F000.00000002.00000001.01000000.0000000B.sdmp String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspSetChannel(%s)
Source: client32.exe, 00000006.00000002.4598217115.0000000005101000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000006.00000003.2705520820.00000000050FF000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000006.00000003.2415445587.0000000005101000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspT
Source: client32.exe, 00000006.00000003.2415445587.00000000050AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspn
Source: powershell.exe, 00000004.00000002.2425908561.00000000064A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000004.00000002.2411285654.0000000004EF0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2411285654.0000000004F8A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: is-KLEUG.tmp.2.dr, is-2J155.tmp.2.dr, is-I704D.tmp.2.dr, is-VTDA9.tmp.2.dr, is-V8S0O.tmp.2.dr, is-S9VDU.tmp.2.dr, is-2TJID.tmp.2.dr, is-SINFC.tmp.2.dr, is-H5812.tmp.2.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: is-KLEUG.tmp.2.dr, is-2J155.tmp.2.dr, is-I704D.tmp.2.dr, is-VTDA9.tmp.2.dr, is-V8S0O.tmp.2.dr, is-S9VDU.tmp.2.dr, is-2TJID.tmp.2.dr, is-SINFC.tmp.2.dr, is-H5812.tmp.2.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: is-KLEUG.tmp.2.dr, is-2J155.tmp.2.dr, is-I704D.tmp.2.dr, is-VTDA9.tmp.2.dr, is-V8S0O.tmp.2.dr, is-S9VDU.tmp.2.dr, is-2TJID.tmp.2.dr, is-SINFC.tmp.2.dr, is-H5812.tmp.2.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: is-KLEUG.tmp.2.dr, is-2J155.tmp.2.dr, is-I704D.tmp.2.dr, is-VTDA9.tmp.2.dr, is-V8S0O.tmp.2.dr, is-S9VDU.tmp.2.dr, is-2TJID.tmp.2.dr, is-SINFC.tmp.2.dr, is-H5812.tmp.2.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: CiscoSetup.exe String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: CiscoSetup.exe String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: CiscoSetup.exe String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: powershell.exe, 00000004.00000002.2411285654.0000000004EF0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2411285654.0000000004F8A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.sectigo.com0
Source: powershell.exe, 00000004.00000002.2411285654.0000000004EF0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2411285654.0000000004EE6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2411285654.0000000004F8A000.00000004.00000800.00020000.00000000.sdmp, client32.exe.4.dr String found in binary or memory: http://ocsp.thawte.com0
Source: CiscoSetup.exe String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: powershell.exe, 00000004.00000002.2411285654.0000000004B96000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: is-2TJID.tmp.2.dr String found in binary or memory: http://relaxng.org/ns/structure/1.0
Source: powershell.exe, 00000004.00000002.2411285654.0000000004F8A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2411285654.0000000005089000.00000004.00000800.00020000.00000000.sdmp, PCICHEK.DLL.4.dr String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: powershell.exe, 00000004.00000002.2411285654.0000000004F8A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2411285654.0000000005089000.00000004.00000800.00020000.00000000.sdmp, PCICHEK.DLL.4.dr String found in binary or memory: http://s2.symcb.com0
Source: powershell.exe, 00000004.00000002.2411285654.0000000004B96000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2411285654.00000000053B3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000004.00000002.2411285654.0000000004A41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000004.00000002.2411285654.0000000004B96000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2411285654.00000000053B3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: CiscoSetup.exe String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: CiscoSetup.exe String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: CiscoSetup.exe String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: powershell.exe, 00000004.00000002.2411285654.0000000004B96000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2411285654.0000000004EF0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://sf.symcb.com/sf.crl0f
Source: powershell.exe, 00000004.00000002.2411285654.0000000004B96000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2411285654.0000000004EF0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://sf.symcb.com/sf.crt0
Source: powershell.exe, 00000004.00000002.2411285654.0000000004B96000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2411285654.0000000004EF0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://sf.symcd.com0&
Source: powershell.exe, 00000004.00000002.2411285654.0000000004F8A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2411285654.0000000005089000.00000004.00000800.00020000.00000000.sdmp, PCICHEK.DLL.4.dr String found in binary or memory: http://sv.symcb.com/sv.crl0f
Source: powershell.exe, 00000004.00000002.2411285654.0000000004F8A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2411285654.0000000005089000.00000004.00000800.00020000.00000000.sdmp, PCICHEK.DLL.4.dr String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: powershell.exe, 00000004.00000002.2411285654.0000000004F8A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2411285654.0000000005089000.00000004.00000800.00020000.00000000.sdmp, PCICHEK.DLL.4.dr String found in binary or memory: http://sv.symcd.com0&
Source: powershell.exe, 00000004.00000002.2411285654.0000000004EF0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2411285654.0000000004EE6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2411285654.0000000004F8A000.00000004.00000800.00020000.00000000.sdmp, client32.exe.4.dr String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: powershell.exe, 00000004.00000002.2411285654.0000000004EF0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2411285654.0000000004EE6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2411285654.0000000004F8A000.00000004.00000800.00020000.00000000.sdmp, client32.exe.4.dr String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: powershell.exe, 00000004.00000002.2411285654.0000000004EF0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2411285654.0000000004EE6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2411285654.0000000004F8A000.00000004.00000800.00020000.00000000.sdmp, client32.exe.4.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: powershell.exe, 00000004.00000002.2411285654.0000000004B96000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: is-V7509.tmp.2.dr String found in binary or memory: http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect40/user/guide/b_Androi
Source: is-KLEUG.tmp.2.dr, is-2J155.tmp.2.dr, is-I704D.tmp.2.dr, is-VTDA9.tmp.2.dr, is-V8S0O.tmp.2.dr, is-S9VDU.tmp.2.dr, is-2TJID.tmp.2.dr, is-SINFC.tmp.2.dr, is-H5812.tmp.2.dr String found in binary or memory: http://www.cisco.com0
Source: is-KLEUG.tmp.2.dr, is-2J155.tmp.2.dr, is-I704D.tmp.2.dr, is-VTDA9.tmp.2.dr, is-V8S0O.tmp.2.dr, is-S9VDU.tmp.2.dr, is-2TJID.tmp.2.dr, is-SINFC.tmp.2.dr, is-H5812.tmp.2.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: powershell.exe, 00000004.00000002.2457352280.00000000074C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.microsoft.
Source: powershell.exe, 00000004.00000002.2463153795.00000000084F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.microsoft.co
Source: client32.exe, 00000006.00000002.4599072476.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 00000009.00000002.2497690917.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2579319799.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp String found in binary or memory: http://www.netsupportschool.com/tutor-assistant.asp
Source: client32.exe, 00000006.00000002.4599072476.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 00000009.00000002.2497690917.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2579319799.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp String found in binary or memory: http://www.netsupportschool.com/tutor-assistant.asp11(
Source: powershell.exe, 00000004.00000002.2411285654.0000000004B96000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2411285654.0000000004EF0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2411285654.0000000004F8A000.00000004.00000800.00020000.00000000.sdmp, client32.exe.4.dr String found in binary or memory: http://www.netsupportsoftware.com
Source: client32.exe, 00000006.00000002.4599072476.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 00000009.00000002.2497690917.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2579319799.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp String found in binary or memory: http://www.pci.co.uk/support
Source: client32.exe, 00000006.00000002.4599072476.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 00000009.00000002.2497690917.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2579319799.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp String found in binary or memory: http://www.pci.co.uk/supportsupport
Source: powershell.exe, 00000004.00000002.2411285654.0000000004F8A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2411285654.0000000005089000.00000004.00000800.00020000.00000000.sdmp, PCICHEK.DLL.4.dr String found in binary or memory: http://www.symauth.com/cps0(
Source: powershell.exe, 00000004.00000002.2411285654.0000000004F8A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2411285654.0000000005089000.00000004.00000800.00020000.00000000.sdmp, PCICHEK.DLL.4.dr String found in binary or memory: http://www.symauth.com/rpa00
Source: powershell.exe, 00000004.00000002.2411285654.0000000004A41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000004.00000002.2425908561.00000000064A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000004.00000002.2425908561.00000000064A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000004.00000002.2425908561.00000000064A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: is-2J155.tmp.2.dr String found in binary or memory: https://curl.se/V
Source: is-2J155.tmp.2.dr String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: is-2J155.tmp.2.dr String found in binary or memory: https://curl.se/docs/copyright.htmlD
Source: is-2J155.tmp.2.dr String found in binary or memory: https://curl.se/docs/hsts.html
Source: is-2J155.tmp.2.dr String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: powershell.exe, 00000004.00000002.2411285654.0000000004B96000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2411285654.0000000004EF0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2411285654.0000000004F8A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2411285654.0000000005089000.00000004.00000800.00020000.00000000.sdmp, PCICHEK.DLL.4.dr String found in binary or memory: https://d.symcb.com/cps0%
Source: powershell.exe, 00000004.00000002.2411285654.0000000004B96000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2411285654.0000000004EF0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2411285654.0000000004F8A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2411285654.0000000005089000.00000004.00000800.00020000.00000000.sdmp, PCICHEK.DLL.4.dr String found in binary or memory: https://d.symcb.com/rpa0
Source: powershell.exe, 00000004.00000002.2411285654.0000000004B96000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: CiscoSetup.exe String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: powershell.exe, 00000004.00000002.2425908561.00000000064A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000004.00000002.2411285654.0000000004EF0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2411285654.0000000004F8A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://sectigo.com/CPS0
Source: powershell.exe, 00000004.00000002.2411285654.0000000004EF0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2411285654.0000000004F8A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://sectigo.com/CPS0D
Source: CiscoSetup.exe, 00000000.00000003.2546263258.0000000003123000.00000004.00001000.00020000.00000000.sdmp, CiscoSetup.tmp, 00000002.00000003.2535098758.0000000002CAC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.cisco.com
Source: CiscoSetup.exe, 00000000.00000003.2546263258.0000000003131000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.cisco.com/support
Source: CiscoSetup.tmp, 00000002.00000003.2535098758.0000000002CC1000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.cisco.com/supportQy
Source: CiscoSetup.exe, 00000000.00000003.2546263258.0000000003131000.00000004.00001000.00020000.00000000.sdmp, CiscoSetup.tmp, 00000002.00000003.2535098758.0000000002CC1000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.cisco.com/update
Source: is-KLEUG.tmp.2.dr, is-2J155.tmp.2.dr, is-I704D.tmp.2.dr, is-VTDA9.tmp.2.dr, is-V8S0O.tmp.2.dr, is-S9VDU.tmp.2.dr, is-2TJID.tmp.2.dr, is-SINFC.tmp.2.dr, is-H5812.tmp.2.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: CiscoSetup.exe String found in binary or memory: https://www.globalsign.com/repository/0
Source: CiscoSetup.tmp, 00000002.00000003.2522959977.0000000005750000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.iminunet.com
Source: CiscoSetup.tmp, 00000002.00000003.2522959977.0000000005750000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.iminunet.comPara
Source: is-707KS.tmp.2.dr, is-V7509.tmp.2.dr String found in binary or memory: https://www.immunet.com
Source: CiscoSetup.tmp, 00000002.00000003.2522959977.0000000005750000.00000004.00001000.00020000.00000000.sdmp, is-KOKH0.tmp.2.dr, is-KCJJQ.tmp.2.dr String found in binary or memory: https://www.immunet.com.
Source: is-KOKH0.tmp.2.dr String found in binary or memory: https://www.immunet.com.Um
Source: CiscoSetup.tmp, 00000002.00000003.2522959977.0000000005750000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.immunet.comAby
Source: CiscoSetup.tmp, 00000002.00000003.2522959977.0000000005750000.00000004.00001000.00020000.00000000.sdmp, is-RVLAV.tmp.2.dr String found in binary or memory: https://www.immunet.comVoor
Source: CiscoSetup.exe, 00000000.00000003.2131548415.00000000035C0000.00000004.00001000.00020000.00000000.sdmp, CiscoSetup.exe, 00000000.00000003.2132065973.000000007F29B000.00000004.00001000.00020000.00000000.sdmp, CiscoSetup.tmp, 00000002.00000000.2133732042.0000000000C71000.00000020.00000001.01000000.00000004.sdmp String found in binary or memory: https://www.innosetup.com/
Source: is-VTDA9.tmp.2.dr String found in binary or memory: https://www.openssl.org/
Source: CiscoSetup.exe, 00000000.00000003.2131548415.00000000035C0000.00000004.00001000.00020000.00000000.sdmp, CiscoSetup.exe, 00000000.00000003.2132065973.000000007F29B000.00000004.00001000.00020000.00000000.sdmp, CiscoSetup.tmp, 00000002.00000000.2133732042.0000000000C71000.00000020.00000001.01000000.00000004.sdmp String found in binary or memory: https://www.remobjects.com/ps
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60707
Source: unknown Network traffic detected: HTTP traffic on port 60707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 60703 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60703
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 6_2_1101F360 OpenClipboard,GlobalAlloc,GlobalLock,_memmove,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,MessageBeep,CloseClipboard, 6_2_1101F360
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 6_2_11032930 GetClipboardFormatNameA,SetClipboardData, 6_2_11032930
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 9_2_1101F360 OpenClipboard,GlobalAlloc,GlobalLock,_memmove,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,MessageBeep,CloseClipboard, 9_2_1101F360
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 9_2_11032930 GetClipboardFormatNameA,SetClipboardData, 9_2_11032930
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 6_2_11031AC0 IsClipboardFormatAvailable,GetClipboardData,GlobalSize,GlobalLock,_memmove,GlobalUnlock, 6_2_11031AC0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 6_2_11007720 LoadCursorA,SetCursor,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,CreateDCA,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,SelectClipRgn,BitBlt,SelectClipRgn,DeleteObject,DeleteDC,BitBlt,ReleaseDC,CreatePen,CreateSolidBrush,GetSysColor,LoadBitmapA,_memset,_swscanf,CreateFontIndirectA,_memset,GetStockObject,GetObjectA,CreateFontIndirectA,GetWindowRect,SetWindowTextA,GetSystemMetrics,GetSystemMetrics,SetWindowPos,UpdateWindow,SetCursor, 6_2_11007720
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 6_2_11110810 PeekMessageA,GetKeyState,GetKeyState,GetKeyState,Sleep,GetKeyState, 6_2_11110810
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 9_2_11110810 PeekMessageA,GetKeyState,GetKeyState,GetKeyState,Sleep,GetKeyState, 9_2_11110810
Source: Yara match File source: 9.2.client32.exe.111b3308.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.client32.exe.111b3308.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.client32.exe.111b3308.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.4599013650.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2497655081.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2579273114.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: client32.exe PID: 4176, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: client32.exe PID: 1112, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: client32.exe PID: 6484, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\Cisco\PCICL32.DLL, type: DROPPED
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-HOMEN.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\acsock64.cat (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\vpnva-6.cat (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-BRMT9.tmp Jump to dropped file

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 6_2_11112840 SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA, 6_2_11112840
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 9_2_11112840 SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA, 9_2_11112840

System Summary

Source: amsi32_3412.amsi.csv, type: OTHER Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 3412, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Cisco\remcmdstub.exe Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Cisco\AudioCapture.dll Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Cisco\HTCTL32.DLL Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Cisco\msvcr100.dll Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Cisco\pcicapi.dll Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Cisco\PCICL32.DLL Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Cisco\client32.exe Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Cisco\PCICHEK.DLL Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Cisco\TCCTL32.DLL Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 6_2_110A9240: DeviceIoControl, 6_2_110A9240
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 6_2_1115A340 FindWindowA,_memset,CreateProcessAsUserA,GetLastError,WinExec,CloseHandle,CloseHandle,CloseHandle,WinExec, 6_2_1115A340
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 6_2_1102CE2D InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess, 6_2_1102CE2D
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 9_2_1102D059 PostThreadMessageA,PostThreadMessageA,CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess, 9_2_1102D059
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 9_2_1102CEB1 Sleep,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess, 9_2_1102CEB1
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Process token adjusted: Security Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: String function: 68919480 appears 61 times
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: String function: 68907C70 appears 36 times
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: String function: 11142A60 appears 1134 times
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: String function: 68907D00 appears 135 times
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: String function: 1116B7E0 appears 55 times
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: String function: 6891F3CB appears 33 times
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: String function: 688F6F50 appears 171 times
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: String function: 111434D0 appears 46 times
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: String function: 11160790 appears 65 times
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: String function: 688F30A0 appears 54 times
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: String function: 11080C50 appears 70 times
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: String function: 68907A90 appears 62 times
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: String function: 1115CBB3 appears 90 times
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: String function: 110290F0 appears 1982 times
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: String function: 1105D340 appears 559 times
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: String function: 1109CBD0 appears 32 times
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: String function: 1105D470 appears 55 times
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: String function: 11027550 appears 94 times
Source: CiscoSetup.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-VTFF8.tmp.2.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-96AL6.tmp.2.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: CiscoSetup.tmp.0.dr Static PE information: Number of sections : 11 > 10
Source: is-VTFF8.tmp.2.dr Static PE information: Number of sections : 11 > 10
Source: CiscoSetup.exe Static PE information: Number of sections : 11 > 10
Source: CiscoSetup.exe, 00000000.00000000.2126103041.0000000000F39000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFileName vs CiscoSetup.exe
Source: CiscoSetup.exe, 00000000.00000003.2132065973.000000007F58B000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFileName vs CiscoSetup.exe
Source: CiscoSetup.exe, 00000000.00000003.2131548415.00000000036CF000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFileName vs CiscoSetup.exe
Source: CiscoSetup.exe Binary or memory string: OriginalFileName vs CiscoSetup.exe
Source: CiscoSetup.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: amsi32_3412.amsi.csv, type: OTHER Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 3412, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: is-EUMLH.tmp.2.dr Binary string: \Device\VPNVA
Source: classification engine Classification label: mal54.rans.troj.evad.winEXE@10/537@3/3
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 6_2_11059270 GetLastError,FormatMessageA,LocalFree, 6_2_11059270
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 6_2_1109C750 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges, 6_2_1109C750
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 6_2_1109C7E0 AdjustTokenPrivileges,CloseHandle, 6_2_1109C7E0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 9_2_1109C750 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges, 9_2_1109C750
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 9_2_1109C7E0 AdjustTokenPrivileges,CloseHandle, 9_2_1109C7E0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 6_2_11095C90 GetTickCount,CoInitialize,CLSIDFromProgID,CoCreateInstance,CoUninitialize, 6_2_11095C90
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 6_2_11088290 FindResourceA,LoadResource,LockResource, 6_2_11088290
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Cisco
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2672:120:WilError_03
Source: C:\Users\user\Desktop\CiscoSetup.exe File created: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp
Source: C:\Users\user\Desktop\CiscoSetup.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\CiscoSetup.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File read: C:\Program Files (x86)\desktop.ini
Source: C:\Users\user\Desktop\CiscoSetup.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: CiscoSetup.exe String found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\CiscoSetup.exe File read: C:\Users\user\Desktop\CiscoSetup.exe
Source: unknown Process created: C:\Users\user\Desktop\CiscoSetup.exe "C:\Users\user\Desktop\CiscoSetup.exe"
Source: C:\Users\user\Desktop\CiscoSetup.exe Process created: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp "C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp" /SL5="$103C8,13456411,1058304,C:\Users\user\Desktop\CiscoSetup.exe"
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-S9GUG.tmp\cispn.ps1"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Roaming\Cisco\client32.exe "C:\Users\user\AppData\Roaming\Cisco\client32.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\Cisco\client32.exe "C:\Users\user\AppData\Roaming\Cisco\client32.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\Cisco\client32.exe "C:\Users\user\AppData\Roaming\Cisco\client32.exe"
Source: C:\Users\user\Desktop\CiscoSetup.exe Process created: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp "C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp" /SL5="$103C8,13456411,1058304,C:\Users\user\Desktop\CiscoSetup.exe"
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-S9GUG.tmp\cispn.ps1"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Roaming\Cisco\client32.exe "C:\Users\user\AppData\Roaming\Cisco\client32.exe"
Source: C:\Users\user\Desktop\CiscoSetup.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\CiscoSetup.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Section loaded: linkinfo.dll
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Section loaded: ntshrui.dll
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Section loaded: cscapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kdscli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: pcicl32.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: pcichek.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: pcicapi.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: samcli.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: dbgcore.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: nsmtrace.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: nslsp.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: devobj.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: pcihooks.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: winsta.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: riched32.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: riched20.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: usp10.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: msls31.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: pciinv.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: firewallapi.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: fwbase.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: fwpolicyiomgr.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: pcicl32.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: pcichek.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: pcicapi.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: samcli.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: nsmtrace.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: nslsp.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: devobj.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: pcicl32.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: pcichek.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: pcicapi.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: samcli.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: nsmtrace.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: nslsp.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: devobj.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Source: Cisco Secure Client for Windows.lnk.2.dr LNK file: ..\..\..\..\..\..\Program Files (x86)\Cisco\Cisco Secure Client\UI\csc_ui.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File written: C:\Users\user\AppData\Roaming\Cisco\nsm_vpro.ini
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Window found: window name: TSelectLanguageForm
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Automated click: Install
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Automated click: Next
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe File opened: C:\Windows\SysWOW64\riched32.dll
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: CiscoSetup.exe Static PE information: certificate valid
Source: CiscoSetup.exe Static file information: File size 16883280 > 1048576
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Cisco\msvcr100.dll
Source: CiscoSetup.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Full\pcichek.pdb source: client32.exe, 00000006.00000002.4600795851.000000006DEC2000.00000002.00000001.01000000.0000000C.sdmp, client32.exe, 00000009.00000002.2498300418.000000006DEC2000.00000002.00000001.01000000.0000000C.sdmp, client32.exe, 0000000A.00000002.2580406925.000000006DEC2000.00000002.00000001.01000000.0000000C.sdmp, PCICHEK.DLL.4.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210f\client32\Release\PCICL32.pdb source: client32.exe, 00000006.00000002.4599013650.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 00000009.00000002.2497655081.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2579273114.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: C:\temp\build\thehoff\Quicksilver_MR50.560024709388\Quicksilver_MR5\vpn\ApiShim\Win32\Release\vpnapishim.pdb source: is-V8S0O.tmp.2.dr
Source: Binary string: C:\temp\build\thehoff\Quicksilver_MR50.560024709388\Quicksilver_MR5\vpn\WebHelper\Plugin\Win32\Release\acwebhelper.pdb&&&GCTL source: is-S9VDU.tmp.2.dr
Source: Binary string: ws\Mion.pdb source: powershell.exe, 00000004.00000002.2458265497.000000000756A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Full\pcichek.pdbN source: PCICHEK.DLL.4.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdbL source: powershell.exe, 00000004.00000002.2411285654.0000000005089000.00000004.00000800.00020000.00000000.sdmp, client32.exe, 00000006.00000002.4600206942.0000000068930000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.2457352280.00000000074C0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: client32.pdb\1141\1141\client32\Release\client32.pdb source: powershell.exe, 00000004.00000002.2411285654.0000000004F8A000.00000004.00000800.00020000.00000000.sdmp, client32.exe.4.dr
Source: Binary string: C:\temp\build\thehoff\Quicksilver_MR50.560024709388\Quicksilver_MR5\vpn\InstallHelper\Win32\Release\InstallHelper.pdb source: is-H5812.tmp.2.dr
Source: Binary string: C:\temp\build\thehoff\Quicksilver_MR50.560024709388\Quicksilver_MR5\vpn\ApiShim\Win32\Release\vpnapishim.pdb...GCTL source: is-V8S0O.tmp.2.dr
Source: Binary string: d:\a01\_work\11\s\\binaries\x86ret\bin\i386\vccorlib140.i386.pdb source: is-OJMRD.tmp.2.dr
Source: Binary string: C:\Users\build\p4files\ngc\Phoenix\third-party\libcurl\out.win.7.x86\curl-7.84.0\builds\libcurl-vc-x86-release-dll-ssl-dll-ipv6-sspi-obj-lib\accurl.pdb source: is-2J155.tmp.2.dr
Source: Binary string: E:\nsmsrc\nsm\1280\1280f\ctl32\release_unicode\tcctl32.pdbP` source: powershell.exe, 00000004.00000002.2411285654.0000000004F8A000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: \1141\1141\client32\Release\client32.pdb source: powershell.exe, 00000004.00000002.2411285654.0000000004F8A000.00000004.00000800.00020000.00000000.sdmp, client32.exe.4.dr
Source: Binary string: C:\temp\build\thehoff\Quicksilver_MR50.560024709388\Quicksilver_MR5\vpn\WebHelper\Plugin\Win32\Release\acwebhelper.pdb source: is-S9VDU.tmp.2.dr
Source: Binary string: C:\Users\build\p4files\ngc\Quicksilver\third-party\openssl\out.win.7.x86\ciscossl-1.1.1t.7.2.500\acciscossl.pdb source: is-VTDA9.tmp.2.dr
Source: Binary string: C:\temp\build\thehoff\Quicksilver_MR50.560024709388\Quicksilver_MR5\PhoneHome\Win32\Release\acfeedback.pdb source: is-2TJID.tmp.2.dr
Source: Binary string: C:\temp\build\thehoff\proj_Phoenix_VS20190.730599493905\proj_Phoenix_VS2019\vpn\VA\NDIS6\x64\Release\vpnva64-6.pdbGCTL source: is-EUMLH.tmp.2.dr
Source: Binary string: msvcr100.i386.pdb source: powershell.exe, 00000004.00000002.2411285654.0000000005089000.00000004.00000800.00020000.00000000.sdmp, client32.exe, client32.exe, 00000006.00000002.4600362190.0000000068B31000.00000020.00000001.01000000.0000000E.sdmp, client32.exe, 00000009.00000002.2498047838.0000000068B31000.00000020.00000001.01000000.0000000E.sdmp, client32.exe, 0000000A.00000002.2580034650.0000000068B31000.00000020.00000001.01000000.0000000E.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.2409667962.0000000003148000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\temp\build\thehoff\proj_Phoenix_VS20190.730599493905\proj_Phoenix_VS2019\vpn\VA\NDIS6\x64\Release\vpnva64-6.pdb source: is-EUMLH.tmp.2.dr
Source: Binary string: E:\nsmsrc\nsm\1280\1280f\ctl32\release_unicode\tcctl32.pdb source: powershell.exe, 00000004.00000002.2411285654.0000000004F8A000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\temp\build\thehoff\Quicksilver_MR50.560024709388\Quicksilver_MR5\vpn\InstallHelper\x64\Release\InstallHelper64.pdb source: is-KLEUG.tmp.2.dr
Source: Binary string: C:\temp\build\thehoff\Quicksilver_MR50.560024709388\Quicksilver_MR5\vpn\InstallHelper\x64\Release\InstallHelper64.pdb; source: is-KLEUG.tmp.2.dr
Source: Binary string: client32.pdb source: powershell.exe, 00000004.00000002.2411285654.0000000004F8A000.00000004.00000800.00020000.00000000.sdmp, client32.exe.4.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210\AudioCapture\Release\AudioCapture.pdb source: powershell.exe, 00000004.00000002.2411285654.0000000004F8A000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\build\p4files\ngc\Quicksilver\third-party\openssl\out.win.7.x86\ciscossl-1.1.1t.7.2.500\acciscossl.pdbAAA source: is-VTDA9.tmp.2.dr
Source: Binary string: C:\temp\build\thehoff\Quicksilver_MR50.560024709388\Quicksilver_MR5\PhoneHome\Win32\Release\acfeedback.pdbMM/GCTL source: is-2TJID.tmp.2.dr
Source: Binary string: d:\a01\_work\11\s\\binaries\x86ret\bin\i386\vccorlib140.i386.pdbGCTL source: is-OJMRD.tmp.2.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdb source: powershell.exe, 00000004.00000002.2411285654.0000000005089000.00000004.00000800.00020000.00000000.sdmp, client32.exe, 00000006.00000002.4600206942.0000000068930000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Release\pcicapi.pdb source: client32.exe, 00000006.00000002.4600671174.0000000068BF5000.00000002.00000001.01000000.0000000D.sdmp, client32.exe, 00000009.00000002.2498203499.0000000068BF5000.00000002.00000001.01000000.0000000D.sdmp, client32.exe, 0000000A.00000002.2580255021.0000000068BF5000.00000002.00000001.01000000.0000000D.sdmp

Data Obfuscation

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($base64Content);[System.IO.File]::WriteAllBytes($zipFileName, $decodedBytes);New-Item -ItemType Directory -Path $destinationPath;Expand-Archive -Path $zipFileName -DestinationPath $de
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 6_2_11029230 GetTickCount,LoadLibraryA,GetProcAddress,SetLastError,GetProcAddress,GetLastError,_free,GetProcAddress,GetProcAddress,InternetOpenA,SetLastError,SetLastError,SetLastError,_free,GetProcAddress,SetLastError,GetProcAddress,InternetConnectA,GetProcAddress,SetLastError,SetLastError,GetProcAddress,SetLastError,GetProcAddress,SetLastError,GetLastError,GetProcAddress,SetLastError,GetLastError,GetDesktopWindow,GetProcAddress,SetLastError,GetProcAddress,SetLastError,GetProcAddress,SetLastError,FreeLibrary, 6_2_11029230
Source: CiscoSetup.exe Static PE information: section name: .didata
Source: CiscoSetup.tmp.0.dr Static PE information: section name: .didata
Source: is-VTFF8.tmp.2.dr Static PE information: section name: .didata
Source: is-3NCDE.tmp.2.dr Static PE information: section name: fipstx
Source: is-3NCDE.tmp.2.dr Static PE information: section name: fipsro
Source: is-3NCDE.tmp.2.dr Static PE information: section name: fipsda
Source: is-3NCDE.tmp.2.dr Static PE information: section name: fsig
Source: is-3NCDE.tmp.2.dr Static PE information: section name: fipsrd
Source: is-KLEUG.tmp.2.dr Static PE information: section name: _RDATA
Source: is-8761D.tmp.2.dr Static PE information: section name: _RDATA
Source: is-7ITNQ.tmp.2.dr Static PE information: section name: .orpc
Source: is-S996S.tmp.2.dr Static PE information: section name: .00cfg
Source: is-S996S.tmp.2.dr Static PE information: section name: .voltbl
Source: PCICL32.DLL.4.dr Static PE information: section name: .hhshare
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_04A1C492 pushad ; ret 4_2_04A1C493
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07689740 pushad ; ret 4_2_07689A25
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_076892D9 push FFFFFFE8h; iretd 4_2_076892DD
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_088268EE push FFFFFFE9h; ret 4_2_088268F0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_08820F82 push esp; ret 4_2_08820F83
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 6_2_1116B825 push ecx; ret 6_2_1116B838
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 6_2_11166719 push ecx; ret 6_2_1116672C
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 6_2_68926BBF push ecx; ret 6_2_68926BD2
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 6_2_68924DF5 push 689243F9h; retf 6_2_68924E1F
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 6_2_689194C5 push ecx; ret 6_2_689194D8
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 9_2_1116B825 push ecx; ret 9_2_1116B838
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 9_2_1104E56B push ecx; retf 0007h 9_2_1104E56C
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 9_2_11166719 push ecx; ret 9_2_1116672C
Source: is-53P9C.tmp.2.dr Static PE information: section name: .text entropy: 6.8383653762559575
Source: msvcr100.dll.4.dr Static PE information: section name: .text entropy: 6.909044922675825
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\ProxyCon.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\Setup\5.0.00923\csc_ui_toast.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-0CFDM.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\Plugins\is-96AL6.tmp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Cisco\pcicapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-I704D.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\Plugins\acdownloader.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\vpnipsec.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\msvcp140_2.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\Setup\csc_ui_setup.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\acwebhelper.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-N98KR.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-KHO2L.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-91CSN.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-98QQL.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-EUMLH.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-8761D.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\csc_ui_toast.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\vpnapishim.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-7ITNQ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\acsock64.sys (copy)
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-O18K3.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-970AL.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\boost_system.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\is-RN0PK.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-3JN2R.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\vpnmgmttun.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\msvcp140.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\Setup\5.0.00923\is-T4BIJ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\is-Q7F68.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\vpncli.exe (copy)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Cisco\PCICHEK.DLL
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-KLEUG.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\cfom.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\unins000.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\zlib1.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-P9NEN.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\InstallHelper.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-URJD8.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\is-VTFF8.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\InstallHelper64.exe (copy)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Cisco\AudioCapture.dll
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-Q7D23.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-D0HIO.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Users\user\AppData\Local\Temp\is-S9GUG.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\msvcp140_1.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\ac_sock_fltr_api.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\boost_thread.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-SINFC.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\is-1KC0P.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-5J2U6.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-OJMRD.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\acciscocrypto.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-1N4FB.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-2J155.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\acextwebhelper.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\vpnagentutilities.dll (copy)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Cisco\msvcr100.dll
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\VACon64.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\Uninstall.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\acfeedback.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-VTDA9.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\vpncommoncrypt.dll (copy)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Cisco\PCICL32.DLL
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\vpnapi.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-3NCDE.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\Setup\5.0.00923\is-8OL4N.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\concrt140.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\vpnagent.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-MMI8M.tmp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Cisco\remcmdstub.exe
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\Setup\is-T9GPQ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\boost_filesystem.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-RDO3H.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-50H6H.tmp
Source: C:\Users\user\Desktop\CiscoSetup.exe File created: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-H5812.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-2TJID.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\acwebhelper.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\acruntime.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-OTMTE.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\accurl.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-Q2D0Q.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpndownloader.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\vpnva64-6.sys (copy)
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-UM1NO.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\Setup\5.0.00923\csc_ui.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-3VFI6.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-V8S0O.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\boost_chrono.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-MGVA1.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-53P9C.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-S9VDU.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\acciscossl.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\vccorlib140.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\WebView2Loader.dll (copy)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Cisco\TCCTL32.DLL
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Cisco\HTCTL32.DLL
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-MKOUV.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\boost_date_time.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\csc_ui.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\vpndownloader.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\vcruntime140.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\vpncommon.dll (copy)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Cisco\client32.exe
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-S996S.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-D2T5K.tmp
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 6_2_68907030 ctl_open,LoadLibraryA,InitializeCriticalSection,CreateEventA,CreateEventA,CreateEventA,CreateEventA,WSAStartup,_malloc,_memset,_calloc,_malloc,_memset,_malloc,_memset,GetTickCount,CreateThread,SetThreadPriority,GetModuleFileNameA,GetPrivateProfileIntA,GetModuleHandleA,CreateMutexA,timeBeginPeriod, 6_2_68907030
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 6_2_688F50E0 CreateFileA,wsprintfA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,CreateFileA,GetFileSize,GetPrivateProfileIntA,SetFilePointer,FlushFileBuffers,CloseHandle,wsprintfA,CreateFileA,__itow,WritePrivateProfileStringA, 6_2_688F50E0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 6_2_688F5117 GetPrivateProfileIntA,wsprintfA,CreateFileA,GetFileSize,GetPrivateProfileIntA,SetFilePointer,FlushFileBuffers,CloseHandle,wsprintfA,CreateFileA,__itow,WritePrivateProfileStringA, 6_2_688F5117
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 6_2_688F5490 GetPrivateProfileIntA, 6_2_688F5490
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Cisco
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Cisco\Cisco Secure Client for Windows.lnk
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MyApp

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 6_2_110251B0 SetWindowPos,GetMenu,DrawMenuBar,GetMenu,DeleteMenu,UpdateWindow,IsIconic,SetTimer,KillTimer, 6_2_110251B0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 6_2_111575D0 IsIconic,ShowWindow,BringWindowToTop,IsWindow,IsIconic,ShowWindow,BringWindowToTop, 6_2_111575D0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 6_2_11025600 IsIconic,BringWindowToTop,GetCurrentThreadId, 6_2_11025600
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 6_2_1110F600 IsIconic,GetTickCount, 6_2_1110F600
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 6_2_111579D0 _memset,SendMessageA,SendMessageA,ShowWindow,SendMessageA,IsIconic,IsZoomed,ShowWindow,GetDesktopWindow,TileWindows, 6_2_111579D0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 6_2_1111F870 IsIconic,FreeLibrary,IsIconic,InvalidateRect,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA, 6_2_1111F870
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 6_2_110238D0 BringWindowToTop,SetWindowPos,SetWindowPos,SetWindowPos,GetWindowLongA,SetWindowLongA,GetDlgItem,EnableWindow,GetMenu,DeleteMenu,DrawMenuBar,SetWindowPos,IsIconic,UpdateWindow,SetTimer,KillTimer, 6_2_110238D0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 6_2_110BFDD0 IsIconic,ShowWindow,BringWindowToTop,GetCurrentThreadId, 6_2_110BFDD0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 6_2_11023FB0 _memset,_strncpy,_memset,_strncpy,IsWindow,IsIconic,BringWindowToTop,GetCurrentThreadId, 6_2_11023FB0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 6_2_110CA3C0 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos, 6_2_110CA3C0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 6_2_11110220 IsIconic,GetTickCount,CreateRectRgn,GetClientRect,SetStretchBltMode,CreateRectRgn,GetClipRgn,OffsetRgn,GetRgnBox,SelectClipRgn,StretchBlt,SelectClipRgn,DeleteObject,StretchBlt,StretchBlt,GetWindowOrgEx,StretchBlt,GetKeyState,CreatePen,CreatePen,SelectObject,Polyline,Sleep,SelectObject,Polyline,Sleep,SelectObject,DeleteObject,DeleteObject,BitBlt, 6_2_11110220
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 9_2_110251B0 SetWindowPos,GetMenu,DrawMenuBar,GetMenu,DeleteMenu,UpdateWindow,IsIconic,SetTimer,KillTimer, 9_2_110251B0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 9_2_111575D0 IsIconic,ShowWindow,BringWindowToTop,IsWindow,IsIconic,ShowWindow,BringWindowToTop, 9_2_111575D0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 9_2_11025600 IsIconic,BringWindowToTop,GetCurrentThreadId, 9_2_11025600
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 9_2_1110F600 IsIconic,GetTickCount, 9_2_1110F600
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 9_2_111579D0 _memset,SendMessageA,SendMessageA,ShowWindow,SendMessageA,IsIconic,IsZoomed,ShowWindow,GetDesktopWindow,TileWindows, 9_2_111579D0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 9_2_110238D0 BringWindowToTop,SetWindowPos,SetWindowPos,SetWindowPos,GetWindowLongA,SetWindowLongA,GetDlgItem,EnableWindow,GetMenu,DeleteMenu,DrawMenuBar,SetWindowPos,IsIconic,UpdateWindow,SetTimer,KillTimer, 9_2_110238D0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 9_2_110BFDD0 IsIconic,ShowWindow,BringWindowToTop,GetCurrentThreadId, 9_2_110BFDD0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 9_2_11023FB0 _memset,_strncpy,_memset,_strncpy,IsWindow,IsIconic,BringWindowToTop,GetCurrentThreadId, 9_2_11023FB0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 9_2_110CA3C0 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos, 9_2_110CA3C0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 6_2_11029230 GetTickCount,LoadLibraryA,GetProcAddress,SetLastError,GetProcAddress,GetLastError,_free,GetProcAddress,GetProcAddress,InternetOpenA,SetLastError,SetLastError,SetLastError,_free,GetProcAddress,SetLastError,GetProcAddress,InternetConnectA,GetProcAddress,SetLastError,SetLastError,GetProcAddress,SetLastError,GetProcAddress,SetLastError,GetLastError,GetProcAddress,SetLastError,GetLastError,GetDesktopWindow,GetProcAddress,SetLastError,GetProcAddress,SetLastError,GetProcAddress,SetLastError,FreeLibrary, 6_2_11029230
Source: C:\Users\user\Desktop\CiscoSetup.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 6_2_11069C00 6_2_11069C00
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 6_2_11069C99 6_2_11069C99
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 6_2_688F91F0 6_2_688F91F0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 6_2_68904F30 6_2_68904F30
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: OpenSCManagerA,EnumServicesStatusA,EnumServicesStatusA,LoadLibraryA,GetProcAddress,OpenServiceA,WideCharToMultiByte,CloseServiceHandle,_memset,_memset,FreeLibrary,CloseServiceHandle, 6_2_11127110
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7105
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2626
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Window / User API: threadDelayed 436
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Window / User API: threadDelayed 8000
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\ProxyCon.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\Setup\5.0.00923\csc_ui_toast.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-0CFDM.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\Plugins\is-96AL6.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-I704D.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\Plugins\acdownloader.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\vpnipsec.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\msvcp140_2.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\Setup\csc_ui_setup.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\acwebhelper.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-N98KR.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-KHO2L.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-91CSN.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-98QQL.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-EUMLH.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-8761D.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\csc_ui_toast.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\vpnapishim.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-7ITNQ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\acsock64.sys (copy)
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-O18K3.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-970AL.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\boost_system.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\is-RN0PK.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-3JN2R.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\msvcp140.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\Setup\5.0.00923\is-T4BIJ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\vpnmgmttun.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\vpncli.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\is-Q7F68.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-KLEUG.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\cfom.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\unins000.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\zlib1.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-P9NEN.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\InstallHelper.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\is-VTFF8.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-URJD8.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\InstallHelper64.exe (copy)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Cisco\AudioCapture.dll
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-D0HIO.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-Q7D23.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-S9GUG.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\msvcp140_1.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\ac_sock_fltr_api.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\boost_thread.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-SINFC.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\is-1KC0P.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-5J2U6.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-OJMRD.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\acciscocrypto.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-1N4FB.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\acextwebhelper.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-2J155.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\vpnagentutilities.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\VACon64.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\Uninstall.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\acfeedback.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-VTDA9.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\vpncommoncrypt.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\vpnapi.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\Setup\5.0.00923\is-8OL4N.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\concrt140.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-3NCDE.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\vpnagent.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-MMI8M.tmp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Cisco\remcmdstub.exe
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\Setup\is-T9GPQ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\boost_filesystem.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-RDO3H.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-50H6H.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-H5812.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-2TJID.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\acwebhelper.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\acruntime.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-OTMTE.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\accurl.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-Q2D0Q.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpndownloader.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\vpnva64-6.sys (copy)
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-UM1NO.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\Setup\5.0.00923\csc_ui.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-V8S0O.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-3VFI6.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\boost_chrono.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-MGVA1.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-53P9C.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-S9VDU.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\acciscossl.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\vccorlib140.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\WebView2Loader.dll (copy)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Cisco\TCCTL32.DLL
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Cisco\HTCTL32.DLL
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-MKOUV.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\boost_date_time.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\csc_ui.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\vpndownloader.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\vcruntime140.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\vpncommon.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-S996S.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-D2T5K.tmp Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Evaded block: after key decision
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe API coverage: 5.6 %
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe API coverage: 3.0 %
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 6_2_68904F30 6_2_68904F30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6528 Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe TID: 4856 Thread sleep time: -64000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe TID: 4948 Thread sleep time: -43600s >= -30000s
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe TID: 4856 Thread sleep time: -2000000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 6_2_68903130 GetSystemTime followed by cmp: cmp eax, 02h and CTI: je 68903226h 6_2_68903130
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 6_2_11123570 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle, 6_2_11123570
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 6_2_11069690 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,GetLastError, 6_2_11069690
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 6_2_1110BB80 GetLocalTime,wsprintfA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,ExpandEnvironmentStringsA,CreateFileA,timeBeginPeriod,GetLocalTime,timeGetTime,_memset,WriteFile, 6_2_1110BB80
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 6_2_11107FE0 _memset,wsprintfA,wsprintfA,KillTimer,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose, 6_2_11107FE0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 6_2_110BC3D0 GetFileAttributesA,CreateDirectoryA,FindFirstFileA,CopyFileA,CopyFileA,FindNextFileA,FindClose,DrawMenuBar, 6_2_110BC3D0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 6_2_1102CE2D InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess, 6_2_1102CE2D
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 6_2_11064E30 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA, 6_2_11064E30
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 9_2_1102D059 PostThreadMessageA,PostThreadMessageA,CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess, 9_2_1102D059
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 9_2_1102CEB1 Sleep,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess, 9_2_1102CEB1
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 9_2_11123570 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle, 9_2_11123570
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 9_2_1110BB80 GetLocalTime,wsprintfA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,ExpandEnvironmentStringsA,CreateFileA,timeBeginPeriod,GetLocalTime,timeGetTime,_memset,WriteFile, 9_2_1110BB80
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 9_2_11107FE0 _memset,wsprintfA,wsprintfA,KillTimer,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose, 9_2_11107FE0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 9_2_110BC3D0 GetFileAttributesA,CreateDirectoryA,FindFirstFileA,CopyFileA,CopyFileA,FindNextFileA,FindClose,DrawMenuBar, 9_2_110BC3D0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: client32.exe, 00000006.00000002.4600206942.0000000068930000.00000002.00000001.01000000.0000000F.sdmp Binary or memory string: VMware
Source: client32.exe, 00000006.00000002.4598399799.0000000005196000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW{
Source: client32.exe, 00000009.00000003.2496832834.0000000000540000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlln
Source: client32.exe, 00000006.00000002.4600206942.0000000068930000.00000002.00000001.01000000.0000000F.sdmp Binary or memory string: hbuf->datahttputil.c%5d000000000002004C4F4F50VirtualVMwareVIRTNETGetAdaptersInfoiphlpapi.dllcbMacAddress == MAX_ADAPTER_ADDRESS_LENGTHmacaddr.cpp,%02x%02x%02x%02x%02x%02x* Netbiosnetapi32.dll01234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZwhoa nelly, says Sherman, the Sharkhellooo nurse!kernel32.dllProcessIdToSessionId%s_L%d_%xNOT copied to diskcopied to %sAssert failed - Unhandled Exception (GPF) -
Source: client32.exe, 00000006.00000002.4600206942.0000000068930000.00000002.00000001.01000000.0000000F.sdmp Binary or memory string: plist<T> too longp.secondQueueQueueThreadEventidata->Q.size () == 0p < ep%dWSAIoctlclosesocketsocketWSACleanupWSAStartupws2_32.dllIPHLPAPI.DLLVMWarevirtGetAdaptersAddressesVMWarevirtntohlWinHttpCloseHandleWinHttpGetProxyForUrlNS247WinHttpOpenWinHttpGetIEProxyConfigForCurrentUserwinhttp.dllc != '\0'dstbufyenc.cla
Source: client32.exe, 00000006.00000002.4598399799.0000000005196000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: client32.exe, 00000006.00000002.4600206942.0000000068930000.00000002.00000001.01000000.0000000F.sdmp Binary or memory string: VMWare
Source: client32.exe, 00000006.00000002.4584818110.000000000048E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWH
Source: client32.exe, 0000000A.00000002.2578179566.00000000005E2000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 0000000A.00000003.2577187485.00000000005DF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllK
Source: CiscoSetup.tmp, 00000002.00000003.2541285182.00000000010C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}1
Source: powershell.exe, 00000004.00000002.2457352280.00000000074C0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}lP
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 6_2_1116A559 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_1116A559
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 6_2_110CFCF0 _memset,_strncpy,CreateMutexA,OpenMutexA,GetLastError,wsprintfA,OutputDebugStringA, 6_2_110CFCF0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 6_2_11029230 GetTickCount,LoadLibraryA,GetProcAddress,SetLastError,GetProcAddress,GetLastError,_free,GetProcAddress,GetProcAddress,InternetOpenA,SetLastError,SetLastError,SetLastError,_free,GetProcAddress,SetLastError,GetProcAddress,InternetConnectA,GetProcAddress,SetLastError,SetLastError,GetProcAddress,SetLastError,GetProcAddress,SetLastError,GetLastError,GetProcAddress,SetLastError,GetLastError,GetDesktopWindow,GetProcAddress,SetLastError,GetProcAddress,SetLastError,GetProcAddress,SetLastError,FreeLibrary, 6_2_11029230
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 6_2_11178A14 __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock, 6_2_11178A14
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 6_2_11030B10 SetUnhandledExceptionFilter, 6_2_11030B10
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 6_2_1116A559 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_1116A559
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 6_2_1115E4D1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_1115E4D1
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 6_2_689128E1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_689128E1
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 6_2_689187F5 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_689187F5
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 6_2_68B40807 __report_gsfailure,IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess, 6_2_68B40807
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 9_2_11030B10 SetUnhandledExceptionFilter, 9_2_11030B10
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 9_2_1116A559 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 9_2_1116A559
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 9_2_1115E4D1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 9_2_1115E4D1

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-S9GUG.tmp\cispn.ps1"
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 6_2_110F2280 GetTickCount,LogonUserA,GetTickCount,GetLastError, 6_2_110F2280
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 6_2_1110F410 GetKeyState,DeviceIoControl,keybd_event, 6_2_1110F410
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-S9GUG.tmp\cispn.ps1"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Roaming\Cisco\client32.exe "C:\Users\user\AppData\Roaming\Cisco\client32.exe"
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 6_2_1109D4A0 LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,GetVersionExA,GetSecurityDescriptorSacl,SetSecurityDescriptorSacl,FreeLibrary,CreateFileMappingA,GetLastError,LocalFree,LocalFree,LocalFree,GetLastError,MapViewOfFile,LocalFree,LocalFree,LocalFree,GetModuleFileNameA,GetModuleFileNameA,LocalFree,LocalFree,LocalFree,_memset,GetTickCount,GetCurrentProcessId,GetModuleFileNameA,CreateEventA,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,GetLastError,LocalFree,LocalFree,LocalFree,GetCurrentThreadId,CreateThread,ResetEvent,ResetEvent,ResetEvent,ResetEvent,SetEvent, 6_2_1109D4A0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 6_2_1109DC20 GetProcAddress,GetTokenInformation,GetTokenInformation,GetTokenInformation,AllocateAndInitializeSid,EqualSid, 6_2_1109DC20
Source: client32.exe, 00000006.00000002.4599013650.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 00000009.00000002.2497655081.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2579273114.000000001118F000.00000002.00000001.01000000.0000000B.sdmp Binary or memory string: Shell_TrayWndunhandled plugin data, id=%d
Source: client32.exe, 00000006.00000002.4599013650.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 00000009.00000002.2497655081.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2579273114.000000001118F000.00000002.00000001.01000000.0000000B.sdmp Binary or memory string: Shell_TrayWnd
Source: client32.exe, client32.exe, 00000009.00000002.2497655081.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2579273114.000000001118F000.00000002.00000001.01000000.0000000B.sdmp Binary or memory string: Progman
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage, 6_2_11170208
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s, 6_2_1117053C
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 6_2_11170499
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: GetLocaleInfoA, 6_2_11167B5E
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA, 6_2_11170106
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen, 6_2_111701AD
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 6_2_11170011
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, 6_2_111703D9
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 6_2_11170500
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW, 6_2_6891FAE1
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea, 6_2_6892DB7C
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: GetLocaleInfoA, 6_2_6892DC99
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 6_2_68921CC1
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 6_2_6892DC56
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA, 6_2_68921DB6
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage, 6_2_68921EB8
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen, 6_2_68921E5D
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free, 6_2_68920F39
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, 6_2_68922089
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 6_2_689221DC
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: EnumSystemLocalesA, 6_2_68922151
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 6_2_68922175
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 6_2_689202AD
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s, 6_2_68922218
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free, 6_2_68921257
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement, 6_2_68921680
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: GetLocaleInfoW,free,_calloc_crt,strncpy_s,GetLocaleInfoW,GetLocaleInfoW,_calloc_crt,GetLocaleInfoW,GetLastError,_calloc_crt,free,free,__invoke_watson, 6_2_68B4888A
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s, 9_2_1117053C
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: GetLocaleInfoA, 9_2_11167B5E
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 9_2_11170011
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 9_2_11170500
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 9_2_11170499
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 6_2_1101D180 __time64,SetRect,GetLocalTime, 6_2_1101D180
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 6_2_1103B220 _calloc,GetUserNameA,_free,_calloc,_free, 6_2_1103B220
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 6_2_1109D4A0 LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,GetVersionExA,GetSecurityDescriptorSacl,SetSecurityDescriptorSacl,FreeLibrary,CreateFileMappingA,GetLastError,LocalFree,LocalFree,LocalFree,GetLastError,MapViewOfFile,LocalFree,LocalFree,LocalFree,GetModuleFileNameA,GetModuleFileNameA,LocalFree,LocalFree,LocalFree,_memset,GetTickCount,GetCurrentProcessId,GetModuleFileNameA,CreateEventA,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,GetLastError,LocalFree,LocalFree,LocalFree,GetCurrentThreadId,CreateThread,ResetEvent,ResetEvent,ResetEvent,ResetEvent,SetEvent, 6_2_1109D4A0
Source: is-H5812.tmp.2.dr Binary or memory string: r?IsOs_WIN_VISTA@@YA_NXZ
Source: is-2TJID.tmp.2.dr Binary or memory string: ?GetOsVersion@@YA?AUMYOSVERSION@@XZ\?IsOs_MAC@@YA_NXZq?IsOs_WIN_8_Only@@YA_NXZ
Source: is-H5812.tmp.2.dr Binary or memory string: ?DeleteUser@CProcessApi@@SAJQA_W@Zr?IsOs_WIN_VISTA@@YA_NXZvpncommon.dllIPathFileExistsWSHLWAPI.dll
Source: is-2TJID.tmp.2.dr Binary or memory string: p?IsOs_WIN_8Point10_Only@@YA_NXZ
Source: is-2TJID.tmp.2.dr Binary or memory string: ?MakeSureDirectoryPathExists@@YA_NPB_W@Zl?IsOs_WIN_7_Only@@YA_NXZi
Source: is-2TJID.tmp.2.dr Binary or memory string: l?IsOs_WIN_7_Only@@YA_NXZ
Source: is-2TJID.tmp.2.dr Binary or memory string: GetCurrentTimeSecondss?IsOs_WIN_VISTA_Only@@YA_NXZR
Source: is-2TJID.tmp.2.dr Binary or memory string: ?CreateMultitonInstance@CExecutionContext@@SAJAAPAV1@W4INSTANCE_ID@1@@ZW?IsOs_LINUX@@YA_NXZp?IsOs_WIN_8Point10_Only@@YA_NXZ
Source: is-2TJID.tmp.2.dr Binary or memory string: q?IsOs_WIN_8_Only@@YA_NXZ
Source: is-2TJID.tmp.2.dr Binary or memory string: s?IsOs_WIN_VISTA_Only@@YA_NXZ
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 6_2_1106F210 CapiHangup,CapiClose,CapiOpen,CapiListen,GetTickCount,GetTickCount,GetTickCount,CapiHangup,Sleep,GetTickCount,Sleep, 6_2_1106F210
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 6_2_688FA980 EnterCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,WSAGetLastError,socket,WSAGetLastError,#21,#21,#21,bind,WSAGetLastError,closesocket,htons,WSASetBlockingHook,WSAGetLastError,WSAUnhookBlockingHook,closesocket,WSAGetLastError,WSAUnhookBlockingHook,closesocket,WSAUnhookBlockingHook,EnterCriticalSection,InitializeCriticalSection,getsockname,LeaveCriticalSection,GetTickCount,InterlockedExchange, 6_2_688FA980
Source: Yara match File source: 10.2.client32.exe.6dec0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.client32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.client32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.client32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.client32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.client32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.client32.exe.6dec0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.client32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.client32.exe.6dec0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.client32.exe.68bf0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.client32.exe.68bf0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.client32.exe.111b3308.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.client32.exe.68bf0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.client32.exe.111b3308.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.client32.exe.688f0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.client32.exe.111b3308.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000000.2495587028.0000000000404000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.2576329982.0000000000404000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2497690917.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.4600206942.0000000068930000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2577820279.0000000000404000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.4582994339.0000000000404000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.4599013650.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2497655081.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.4598217115.0000000005101000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2579319799.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.2403584821.0000000000404000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2496967852.0000000000404000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.4599072476.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2705520820.00000000050FF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2411285654.0000000005089000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2411285654.0000000004F8A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2579273114.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 3412, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: client32.exe PID: 4176, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: client32.exe PID: 1112, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: client32.exe PID: 6484, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\Cisco\PCICHEK.DLL, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\Cisco\client32.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\Cisco\AudioCapture.dll, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\Cisco\TCCTL32.DLL, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\Cisco\HTCTL32.DLL, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\Cisco\pcicapi.dll, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\Cisco\PCICL32.DLL, type: DROPPED