Windows Analysis Report
CiscoSetup.exe

Overview

General Information

Sample name: CiscoSetup.exe
Analysis ID: 1546659
MD5: 91f7229586df2c577a54ad0d1a5bdcb1
SHA1: 938b4ddf983e035130a7fcbf0458c4f9d5b69ca5
SHA256: 80f7768cbf016ae16f5758e31d9eb2d277c0566654f05bad152ecbde6eb616e5
Tags: exe, OMICAREJOINTSTOCKCOMPANY, user-SquiblydooBlog

Detection

NetSupport RAT, NetSupport Downloader
Score: 54
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Compliance

Score: 33
Range: 0 - 100

Signatures

Malicious sample detected (through community Yara rule)
Sigma detected: Powershell drops NetSupport RAT client
Suricata IDS alerts for network traffic
Yara detected NetSupport Downloader
Bypasses PowerShell execution policy
Contains functionality to detect sleep reduction / modifications
Contains functionality to change the wallpaper
Found suspicious powershell code related to unpacking or dynamic code loading
Loading BitLocker PowerShell Module
NDIS Filter Driver detected (likely used to intercept and sniff network traffic)
Powershell drops PE file
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Abnormal high CPU Usage
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops certificate files (DER)
EXE planting / hijacking vulnerabilities found
Enables debug privileges
Enables security privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evaded block containing many API calls
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara detected Keylogger Generic
Yara detected NetSupport remote tool
Yara signature match

Classification

Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_110AC820 GetModuleHandleA,GetProcAddress,GetProcAddress,GetLastError,wsprintfA,GetLastError,_memset,CryptGetProvParam,CryptGetProvParam,GetLastError,_memset,CryptGetProvParam,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,_free,GetLastError,CryptReleaseContext,SetLastError,FreeLibrary, 7_2_110AC820
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 8_2_110AC820 GetModuleHandleA,GetProcAddress,GetProcAddress,GetLastError,wsprintfA,GetLastError,_memset,CryptGetProvParam,CryptGetProvParam,GetLastError,_memset,CryptGetProvParam,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,_free,GetLastError,CryptReleaseContext,SetLastError,FreeLibrary, 8_2_110AC820
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe EXE: C:\Users\user\AppData\Roaming\Cisco\client32.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe EXE: C:\Users\user\AppData\Roaming\Cisco\remcmdstub.exe

Compliance

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe EXE: C:\Users\user\AppData\Roaming\Cisco\client32.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe EXE: C:\Users\user\AppData\Roaming\Cisco\remcmdstub.exe
Source: CiscoSetup.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: CiscoSetup.exe Static PE information: certificate valid
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Cisco\msvcr100.dll
Source: CiscoSetup.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Full\pcichek.pdb source: client32.exe, 00000007.00000002.4143990636.00000000688B2000.00000002.00000001.01000000.0000000C.sdmp, client32.exe, 00000008.00000002.2110324547.00000000688B2000.00000002.00000001.01000000.0000000C.sdmp, client32.exe, 0000000A.00000002.2191144837.00000000688B2000.00000002.00000001.01000000.0000000C.sdmp
Source: Binary string: E:\nsmsrc\nsm\1210\1210f\client32\Release\PCICL32.pdb source: client32.exe, 00000007.00000002.4143045081.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.2109302873.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2190511917.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: C:\Users\build\p4files\ngc\Quicksilver\third-party\openssl\out.win.7.x86\ciscossl-1.1.1t.7.2.500\engines\cfom\cfom.pdb source: is-N867I.tmp.1.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdbL source: powershell.exe, 00000005.00000002.1991259471.0000000005357000.00000004.00000800.00020000.00000000.sdmp, client32.exe, 00000007.00000002.4143550370.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: client32.pdb\1141\1141\client32\Release\client32.pdb source: powershell.exe, 00000005.00000002.1991259471.0000000005259000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\temp\build\thehoff\Quicksilver_MR50.560024709388\Quicksilver_MR5\vpn\ExternalBrowserHelper\Win32\Win32\Release\acextwebhelper.pdb666GCTL source: is-K9DFT.tmp.1.dr
Source: Binary string: C:\temp\build\thehoff\Quicksilver_MR50.560024709388\Quicksilver_MR5\vpn\ProxyCon\Win32\Release\ProxyCon.pdb source: is-139DF.tmp.1.dr
Source: Binary string: C:\temp\build\thehoff\Quicksilver_MR50.560024709388\Quicksilver_MR5\ACRuntime\Release\acruntime.pdb source: is-FRTV6.tmp.1.dr
Source: Binary string: E:\nsmsrc\nsm\1280\1280f\ctl32\release_unicode\tcctl32.pdbP` source: powershell.exe, 00000005.00000002.1991259471.0000000005259000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr
Source: Binary string: d:\a01\_work\11\s\\binaries\x86ret\bin\i386\\msvcp140_2.i386.pdb source: is-0IGCD.tmp.1.dr
Source: Binary string: \1141\1141\client32\Release\client32.pdb source: powershell.exe, 00000005.00000002.1991259471.0000000005259000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\temp\build\thehoff\Quicksilver_MR50.560024709388\Quicksilver_MR5\vpn\IPsec\Win32\Release\vpnipsec.pdb source: is-M1NCB.tmp.1.dr
Source: Binary string: C:\temp\build\thehoff\Quicksilver_MR50.560024709388\Quicksilver_MR5\vpn\CommonCrypt\Win32\Release\vpncommoncrypt.pdb]]]GCTL source: is-T3UDO.tmp.1.dr
Source: Binary string: System.Management.Automation.pdb-2476756634-1002_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32AppData source: powershell.exe, 00000005.00000002.2043735068.0000000008824000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\temp\build\thehoff\Quicksilver_MR50.560024709388\Quicksilver_MR5\vpn\CLI\Win32\Release\vpncli.pdb+++GCTL source: is-7ARTU.tmp.1.dr
Source: Binary string: C:\temp\build\thehoff\Quicksilver_MR50.560024709388\Quicksilver_MR5\PhoneHome\Win32\Release\acfeedback.pdb source: is-O6HT8.tmp.1.dr
Source: Binary string: msvcr100.i386.pdb source: powershell.exe, 00000005.00000002.1991259471.0000000005357000.00000004.00000800.00020000.00000000.sdmp, client32.exe, client32.exe, 00000007.00000002.4143689896.00000000687D1000.00000020.00000001.01000000.0000000E.sdmp, client32.exe, 00000008.00000002.2109997806.00000000687D1000.00000020.00000001.01000000.0000000E.sdmp, client32.exe, 0000000A.00000002.2190902884.00000000687D1000.00000020.00000001.01000000.0000000E.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2038900255.000000000777A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: E:\nsmsrc\nsm\1280\1280f\ctl32\release_unicode\tcctl32.pdb source: powershell.exe, 00000005.00000002.1991259471.0000000005259000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr
Source: Binary string: C:\temp\build\thehoff\Quicksilver_MR50.560024709388\Quicksilver_MR5\vpn\InstallHelper\x64\Release\InstallHelper64.pdb source: is-BKQ26.tmp.1.dr
Source: Binary string: C:\temp\build\thehoff\Quicksilver_MR50.560024709388\Quicksilver_MR5\vpn\InstallHelper\x64\Release\InstallHelper64.pdb; source: is-BKQ26.tmp.1.dr
Source: Binary string: C:\temp\build\thehoff\Quicksilver_MR50.560024709388\Quicksilver_MR5\vpn\ProxyCon\Win32\Release\ProxyCon.pdb)))GCTL source: is-139DF.tmp.1.dr
Source: Binary string: client32.pdb source: powershell.exe, 00000005.00000002.1991259471.0000000005259000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: E:\nsmsrc\nsm\1210\1210\AudioCapture\Release\AudioCapture.pdb source: powershell.exe, 00000005.00000002.1991259471.0000000005259000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\temp\build\thehoff\Quicksilver_MR50.560024709388\Quicksilver_MR5\PhoneHome\Win32\Release\acfeedback.pdbMM/GCTL source: is-O6HT8.tmp.1.dr
Source: Binary string: C:\temp\build\thehoff\Quicksilver_MR50.560024709388\Quicksilver_MR5\ACRuntime\Release\acruntime.pdbjjKGCTL source: is-FRTV6.tmp.1.dr
Source: Binary string: C:\temp\build\thehoff\Quicksilver_MR50.560024709388\Quicksilver_MR5\vpn\ExternalBrowserHelper\Win32\Win32\Release\acextwebhelper.pdb source: is-K9DFT.tmp.1.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdb source: powershell.exe, 00000005.00000002.1991259471.0000000005357000.00000004.00000800.00020000.00000000.sdmp, client32.exe, 00000007.00000002.4143550370.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Release\pcicapi.pdb source: client32.exe, 00000007.00000002.4143874760.0000000068895000.00000002.00000001.01000000.0000000D.sdmp, client32.exe, 00000008.00000002.2110207513.0000000068895000.00000002.00000001.01000000.0000000D.sdmp, client32.exe, 0000000A.00000002.2191058031.0000000068895000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: C:\temp\build\thehoff\Quicksilver_MR50.560024709388\Quicksilver_MR5\vpn\CLI\Win32\Release\vpncli.pdb source: is-7ARTU.tmp.1.dr
Source: Binary string: C:\temp\build\thehoff\Quicksilver_MR50.560024709388\Quicksilver_MR5\vpn\CommonCrypt\Win32\Release\vpncommoncrypt.pdb source: is-T3UDO.tmp.1.dr
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_11123570 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle, 7_2_11123570
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_11069690 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,GetLastError, 7_2_11069690
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_1110BB80 GetLocalTime,wsprintfA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,ExpandEnvironmentStringsA,CreateFileA,timeBeginPeriod,GetLocalTime,timeGetTime,_memset,WriteFile, 7_2_1110BB80
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_11107FE0 _memset,wsprintfA,wsprintfA,KillTimer,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose, 7_2_11107FE0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_110BC3D0 GetFileAttributesA,CreateDirectoryA,FindFirstFileA,CopyFileA,CopyFileA,FindNextFileA,FindClose,DrawMenuBar, 7_2_110BC3D0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_1102CE2D InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess, 7_2_1102CE2D
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_11064E30 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA, 7_2_11064E30
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 8_2_1102CE2D InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess, 8_2_1102CE2D
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 8_2_11123570 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle, 8_2_11123570
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 8_2_1110BB80 GetLocalTime,wsprintfA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,ExpandEnvironmentStringsA,CreateFileA,timeBeginPeriod,GetLocalTime,timeGetTime,_memset,WriteFile, 8_2_1110BB80
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 8_2_11107FE0 _memset,wsprintfA,wsprintfA,KillTimer,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose, 8_2_11107FE0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 8_2_110BC3D0 GetFileAttributesA,CreateDirectoryA,FindFirstFileA,CopyFileA,CopyFileA,FindNextFileA,FindClose,DrawMenuBar, 8_2_110BC3D0

Networking

Source: Network traffic Suricata IDS: 2827745 - Severity 1 - ETPRO MALWARE NetSupport RAT CnC Activity : 192.168.2.4:49741 -> 199.188.200.195:443
Source: Network traffic Suricata IDS: 2827745 - Severity 1 - ETPRO MALWARE NetSupport RAT CnC Activity : 192.168.2.4:49739 -> 151.236.16.15:443
Source: Yara match File source: amsi32_6724.amsi.csv, type: OTHER
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\is-D93RQ.tmp\cispn.ps1, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Cisco\unins000.dat, type: DROPPED
Source: is-HI577.tmp.1.dr Static PE information: Found NDIS imports: FwpsCalloutRegister1, FwpsCalloutRegister0, FwpmFilterDeleteById0, FwpmBfeStateSubscribeChanges0, FwpsCalloutUnregisterById0, FwpmFilterAdd0, FwpsStreamInjectAsync0, FwpsQueryPacketInjectionState0, FwpsInjectTransportReceiveAsync0, FwpsInjectTransportSendAsync0, FwpsConstructIpHeaderForTransportPacket0, FwpsFreeCloneNetBufferList0, FwpsAllocateCloneNetBufferList0, FwpsFreeNetBufferList0, FwpsAllocateNetBufferAndNetBufferList0, FwpsInjectionHandleDestroy0, FwpsInjectionHandleCreate0, FwpsApplyModifiedLayerData0, FwpsAcquireWritableLayerDataPointer0, FwpsReleaseClassifyHandle0, FwpsAcquireClassifyHandle0, FwpmBfeStateUnsubscribeChanges0, FwpmEngineOpen0, FwpmEngineClose0, FwpmTransactionBegin0, FwpmTransactionCommit0, FwpmTransactionAbort0, FwpmProviderAdd0, FwpmProviderDeleteByKey0, FwpmSubLayerAdd0, FwpmSubLayerDeleteByKey0, FwpmCalloutAdd0, FwpmCalloutDeleteById0
Source: is-2J33H.tmp.1.dr Static PE information: Found NDIS imports: FwpmEngineClose0, FwpmFilterAdd0, FwpmTransactionAbort0, FwpmFilterDeleteById0, FwpmTransactionBegin0, FwpmGetAppIdFromFileName0, FwpmEngineOpen0, FwpmSubLayerDeleteByKey0, FwpmSubLayerAdd0, FwpmTransactionCommit0, FwpmProviderAdd0, FwpmProviderDeleteByKey0
Source: global traffic HTTP traffic detected:
  GET /location/loca.asp HTTP/1.1
  Host: geo.netsupportsoftware.com
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: Joe Sandbox View IP Address: 172.67.68.212
Source: Joe Sandbox View ASN Name: HVC-ASUS
Source: Joe Sandbox View ASN Name: NAMECHEAP-NETUS
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.12.23.50:443 -> 192.168.2.4:49733
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.12.23.50:443 -> 192.168.2.4:49743
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected:
  GET /location/loca.asp HTTP/1.1
  Host: geo.netsupportsoftware.com
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: global traffic DNS traffic detected: DNS query: payiki.com
Source: global traffic DNS traffic detected: DNS query: geo.netsupportsoftware.com
Source: global traffic DNS traffic detected: DNS query: anyhowdo.com
Source: unknown HTTP traffic detected:
  POST http://151.236.16.15/fakeurl.htm HTTP/1.1
  User-Agent: NetSupport Manager/1.3
  Content-Type: application/x-www-form-urlencoded
  Content-Length: 22
  Host: 151.236.16.15
  Connection: Keep-Alive
  Body: CMD=POLL INFO=1 ACK=1
Source: client32.exe, client32.exe, 00000007.00000002.4143550370.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp String found in binary or memory: http://%s/fakeurl.htm
Source: powershell.exe, 00000005.00000002.1991259471.0000000005357000.00000004.00000800.00020000.00000000.sdmp, client32.exe, client32.exe, 00000007.00000002.4143550370.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp String found in binary or memory: http://%s/testpage.htm
Source: powershell.exe, 00000005.00000002.1991259471.0000000005357000.00000004.00000800.00020000.00000000.sdmp, client32.exe, 00000007.00000002.4143550370.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp String found in binary or memory: http://%s/testpage.htmwininet.dll
Source: client32.exe, client32.exe, 00000008.00000002.2109302873.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2190511917.000000001118F000.00000002.00000001.01000000.0000000B.sdmp String found in binary or memory: http://127.0.0.1
Source: client32.exe, 00000007.00000002.4143045081.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.2109302873.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2190511917.000000001118F000.00000002.00000001.01000000.0000000B.sdmp String found in binary or memory: http://127.0.0.1RESUMEPRINTING
Source: is-M1NCB.tmp.1.dr, is-C9M46.tmp.1.dr, is-139DF.tmp.1.dr, is-7ARTU.tmp.1.dr, is-BKQ26.tmp.1.dr, is-6FEVR.tmp.1.dr, is-9JGUE.tmp.1.dr, is-T3UDO.tmp.1.dr, is-N867I.tmp.1.dr, is-O6HT8.tmp.1.dr, is-K9DFT.tmp.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: is-M1NCB.tmp.1.dr, is-C9M46.tmp.1.dr, is-139DF.tmp.1.dr, is-7ARTU.tmp.1.dr, is-BKQ26.tmp.1.dr, is-6FEVR.tmp.1.dr, is-9JGUE.tmp.1.dr, is-T3UDO.tmp.1.dr, is-N867I.tmp.1.dr, is-O6HT8.tmp.1.dr, is-K9DFT.tmp.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: is-M1NCB.tmp.1.dr, is-C9M46.tmp.1.dr, is-139DF.tmp.1.dr, is-7ARTU.tmp.1.dr, is-BKQ26.tmp.1.dr, is-6FEVR.tmp.1.dr, is-9JGUE.tmp.1.dr, is-T3UDO.tmp.1.dr, is-N867I.tmp.1.dr, is-O6HT8.tmp.1.dr, is-K9DFT.tmp.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: is-M1NCB.tmp.1.dr, is-C9M46.tmp.1.dr, is-139DF.tmp.1.dr, is-7ARTU.tmp.1.dr, is-BKQ26.tmp.1.dr, is-6FEVR.tmp.1.dr, is-9JGUE.tmp.1.dr, is-T3UDO.tmp.1.dr, is-N867I.tmp.1.dr, is-O6HT8.tmp.1.dr, is-K9DFT.tmp.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: is-M1NCB.tmp.1.dr, is-C9M46.tmp.1.dr, is-139DF.tmp.1.dr, is-7ARTU.tmp.1.dr, is-BKQ26.tmp.1.dr, is-6FEVR.tmp.1.dr, is-9JGUE.tmp.1.dr, is-T3UDO.tmp.1.dr, is-N867I.tmp.1.dr, is-O6HT8.tmp.1.dr, is-K9DFT.tmp.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: powershell.exe, 00000005.00000002.1991259471.00000000051D0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1991259471.0000000005259000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: powershell.exe, 00000005.00000002.2043622253.00000000087D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.microsoft
Source: powershell.exe, 00000005.00000002.1991259471.0000000005259000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: powershell.exe, 00000005.00000002.1991259471.0000000005259000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: powershell.exe, 00000005.00000002.1991259471.00000000051D0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: powershell.exe, 00000005.00000002.1991259471.00000000051D0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1991259471.0000000005259000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: powershell.exe, 00000005.00000002.1991259471.00000000051B4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1991259471.00000000051BE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1991259471.0000000005259000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: is-M1NCB.tmp.1.dr, is-C9M46.tmp.1.dr, is-139DF.tmp.1.dr, is-7ARTU.tmp.1.dr, is-BKQ26.tmp.1.dr, is-6FEVR.tmp.1.dr, is-9JGUE.tmp.1.dr, is-T3UDO.tmp.1.dr, is-N867I.tmp.1.dr, is-O6HT8.tmp.1.dr, is-K9DFT.tmp.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: is-M1NCB.tmp.1.dr, is-C9M46.tmp.1.dr, is-139DF.tmp.1.dr, is-7ARTU.tmp.1.dr, is-BKQ26.tmp.1.dr, is-6FEVR.tmp.1.dr, is-9JGUE.tmp.1.dr, is-T3UDO.tmp.1.dr, is-N867I.tmp.1.dr, is-O6HT8.tmp.1.dr, is-K9DFT.tmp.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: is-M1NCB.tmp.1.dr, is-C9M46.tmp.1.dr, is-139DF.tmp.1.dr, is-7ARTU.tmp.1.dr, is-BKQ26.tmp.1.dr, is-6FEVR.tmp.1.dr, is-9JGUE.tmp.1.dr, is-T3UDO.tmp.1.dr, is-N867I.tmp.1.dr, is-O6HT8.tmp.1.dr, is-K9DFT.tmp.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: is-M1NCB.tmp.1.dr, is-C9M46.tmp.1.dr, is-139DF.tmp.1.dr, is-7ARTU.tmp.1.dr, is-BKQ26.tmp.1.dr, is-6FEVR.tmp.1.dr, is-9JGUE.tmp.1.dr, is-T3UDO.tmp.1.dr, is-N867I.tmp.1.dr, is-O6HT8.tmp.1.dr, is-K9DFT.tmp.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: is-M1NCB.tmp.1.dr, is-C9M46.tmp.1.dr, is-139DF.tmp.1.dr, is-7ARTU.tmp.1.dr, is-BKQ26.tmp.1.dr, is-6FEVR.tmp.1.dr, is-9JGUE.tmp.1.dr, is-T3UDO.tmp.1.dr, is-N867I.tmp.1.dr, is-O6HT8.tmp.1.dr, is-K9DFT.tmp.1.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: is-M1NCB.tmp.1.dr, is-C9M46.tmp.1.dr, is-139DF.tmp.1.dr, is-7ARTU.tmp.1.dr, is-BKQ26.tmp.1.dr, is-6FEVR.tmp.1.dr, is-9JGUE.tmp.1.dr, is-T3UDO.tmp.1.dr, is-N867I.tmp.1.dr, is-O6HT8.tmp.1.dr, is-K9DFT.tmp.1.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: is-M1NCB.tmp.1.dr, is-C9M46.tmp.1.dr, is-139DF.tmp.1.dr, is-7ARTU.tmp.1.dr, is-BKQ26.tmp.1.dr, is-6FEVR.tmp.1.dr, is-9JGUE.tmp.1.dr, is-T3UDO.tmp.1.dr, is-N867I.tmp.1.dr, is-O6HT8.tmp.1.dr, is-K9DFT.tmp.1.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: powershell.exe, 00000005.00000002.1991259471.0000000005259000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: powershell.exe, 00000005.00000002.1991259471.0000000005259000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: powershell.exe, 00000005.00000002.1991259471.00000000051D0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: powershell.exe, 00000005.00000002.1991259471.00000000051D0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1991259471.0000000005259000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: client32.exe, client32.exe, 00000008.00000002.2109302873.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2190511917.000000001118F000.00000002.00000001.01000000.0000000B.sdmp String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.asp
Source: client32.exe, 00000007.00000003.1987647210.000000000051A000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000007.00000002.4141461447.000000000053D000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000007.00000003.1989580496.000000000051E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspA5
Source: client32.exe, 00000007.00000003.1987647210.000000000051A000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000007.00000002.4141461447.000000000053D000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000007.00000003.1989580496.000000000051E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspPi
Source: client32.exe, 00000007.00000002.4143045081.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.2109302873.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2190511917.000000001118F000.00000002.00000001.01000000.0000000B.sdmp String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspSetChannel(%s)
Source: powershell.exe, 00000005.00000002.2009549925.0000000006786000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000005.00000002.1991259471.00000000051D0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1991259471.0000000005259000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr String found in binary or memory: http://ocsp.comodoca.com0
Source: is-M1NCB.tmp.1.dr, is-C9M46.tmp.1.dr, is-139DF.tmp.1.dr, is-7ARTU.tmp.1.dr, is-BKQ26.tmp.1.dr, is-6FEVR.tmp.1.dr, is-9JGUE.tmp.1.dr, is-T3UDO.tmp.1.dr, is-N867I.tmp.1.dr, is-O6HT8.tmp.1.dr, is-K9DFT.tmp.1.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: is-M1NCB.tmp.1.dr, is-C9M46.tmp.1.dr, is-139DF.tmp.1.dr, is-7ARTU.tmp.1.dr, is-BKQ26.tmp.1.dr, is-6FEVR.tmp.1.dr, is-9JGUE.tmp.1.dr, is-T3UDO.tmp.1.dr, is-N867I.tmp.1.dr, is-O6HT8.tmp.1.dr, is-K9DFT.tmp.1.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: is-M1NCB.tmp.1.dr, is-C9M46.tmp.1.dr, is-139DF.tmp.1.dr, is-7ARTU.tmp.1.dr, is-BKQ26.tmp.1.dr, is-6FEVR.tmp.1.dr, is-9JGUE.tmp.1.dr, is-T3UDO.tmp.1.dr, is-N867I.tmp.1.dr, is-O6HT8.tmp.1.dr, is-K9DFT.tmp.1.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: is-M1NCB.tmp.1.dr, is-C9M46.tmp.1.dr, is-139DF.tmp.1.dr, is-7ARTU.tmp.1.dr, is-BKQ26.tmp.1.dr, is-6FEVR.tmp.1.dr, is-9JGUE.tmp.1.dr, is-T3UDO.tmp.1.dr, is-N867I.tmp.1.dr, is-O6HT8.tmp.1.dr, is-K9DFT.tmp.1.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: powershell.exe, 00000005.00000002.1991259471.00000000051D0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1991259471.0000000005259000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr String found in binary or memory: http://ocsp.sectigo.com0
Source: powershell.exe, 00000005.00000002.1991259471.00000000051B4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1991259471.00000000051BE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1991259471.0000000005259000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.thawte.com0
Source: powershell.exe, 00000005.00000002.1991259471.0000000004E73000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: is-O6HT8.tmp.1.dr, is-FRTV6.tmp.1.dr String found in binary or memory: http://relaxng.org/ns/structure/1.0
Source: powershell.exe, 00000005.00000002.1991259471.0000000005357000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1991259471.0000000005259000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: powershell.exe, 00000005.00000002.1991259471.0000000005357000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1991259471.0000000005259000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://s2.symcb.com0
Source: powershell.exe, 00000005.00000002.1991259471.0000000005677000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1991259471.0000000004E73000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000005.00000002.1991259471.0000000004D21000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000005.00000002.1991259471.0000000005677000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1991259471.0000000004E73000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000005.00000002.1991259471.0000000004E73000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1991259471.00000000051BE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://sf.symcb.com/sf.crl0f
Source: powershell.exe, 00000005.00000002.1991259471.0000000004E73000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1991259471.00000000051BE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://sf.symcb.com/sf.crt0
Source: powershell.exe, 00000005.00000002.1991259471.0000000004E73000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1991259471.00000000051BE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://sf.symcd.com0&
Source: powershell.exe, 00000005.00000002.1991259471.0000000005357000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1991259471.0000000005259000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://sv.symcb.com/sv.crl0f
Source: powershell.exe, 00000005.00000002.1991259471.0000000005357000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1991259471.0000000005259000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: powershell.exe, 00000005.00000002.1991259471.0000000005357000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1991259471.0000000005259000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://sv.symcd.com0&
Source: powershell.exe, 00000005.00000002.1991259471.00000000051B4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1991259471.00000000051BE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1991259471.0000000005259000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: powershell.exe, 00000005.00000002.1991259471.00000000051B4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1991259471.00000000051BE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1991259471.0000000005259000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: powershell.exe, 00000005.00000002.1991259471.00000000051B4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1991259471.00000000051BE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1991259471.0000000005259000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: powershell.exe, 00000005.00000002.1991259471.0000000004E73000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: is-C1171.tmp.1.dr String found in binary or memory: http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect40/user/guide/b_Androi
Source: is-M1NCB.tmp.1.dr, is-C9M46.tmp.1.dr, is-139DF.tmp.1.dr, is-7ARTU.tmp.1.dr, is-BKQ26.tmp.1.dr, is-6FEVR.tmp.1.dr, is-9JGUE.tmp.1.dr, is-T3UDO.tmp.1.dr, is-N867I.tmp.1.dr, is-O6HT8.tmp.1.dr, is-K9DFT.tmp.1.dr String found in binary or memory: http://www.cisco.com0
Source: is-M1NCB.tmp.1.dr, is-C9M46.tmp.1.dr, is-139DF.tmp.1.dr, is-7ARTU.tmp.1.dr, is-BKQ26.tmp.1.dr, is-6FEVR.tmp.1.dr, is-9JGUE.tmp.1.dr, is-T3UDO.tmp.1.dr, is-N867I.tmp.1.dr, is-O6HT8.tmp.1.dr, is-K9DFT.tmp.1.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: client32.exe, 00000007.00000002.4143093821.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.2109384742.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2190553256.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp String found in binary or memory: http://www.netsupportschool.com/tutor-assistant.asp
Source: client32.exe, 00000007.00000002.4143093821.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.2109384742.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2190553256.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp String found in binary or memory: http://www.netsupportschool.com/tutor-assistant.asp11(
Source: powershell.exe, 00000005.00000002.1991259471.0000000004E73000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1991259471.00000000051BE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1991259471.0000000005259000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.netsupportsoftware.com
Source: client32.exe, 00000007.00000002.4143093821.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.2109384742.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2190553256.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp String found in binary or memory: http://www.pci.co.uk/support
Source: client32.exe, 00000007.00000002.4143093821.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.2109384742.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2190553256.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp String found in binary or memory: http://www.pci.co.uk/supportsupport
Source: powershell.exe, 00000005.00000002.1991259471.0000000005357000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1991259471.0000000005259000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.symauth.com/cps0(
Source: powershell.exe, 00000005.00000002.1991259471.0000000005357000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1991259471.0000000005259000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.symauth.com/rpa00
Source: powershell.exe, 00000005.00000002.1991259471.0000000004D21000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000005.00000002.2009549925.0000000006786000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000005.00000002.2009549925.0000000006786000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000005.00000002.2009549925.0000000006786000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000005.00000002.1991259471.0000000005357000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1991259471.0000000004E73000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1991259471.00000000051BE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1991259471.0000000005259000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://d.symcb.com/cps0%
Source: powershell.exe, 00000005.00000002.1991259471.0000000005357000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1991259471.0000000004E73000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1991259471.00000000051BE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1991259471.0000000005259000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://d.symcb.com/rpa0
Source: powershell.exe, 00000005.00000002.1991259471.0000000004E73000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: CiscoSetup.exe String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: powershell.exe, 00000005.00000002.2009549925.0000000006786000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000005.00000002.1991259471.00000000051D0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1991259471.0000000005259000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr String found in binary or memory: https://sectigo.com/CPS0
Source: powershell.exe, 00000005.00000002.1991259471.00000000051D0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1991259471.0000000005259000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr String found in binary or memory: https://sectigo.com/CPS0D
Source: CiscoSetup.exe, 00000000.00000003.2094322756.0000000000ED3000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.cisco.com
Source: CiscoSetup.exe, 00000000.00000003.2094322756.0000000000EE1000.00000004.00001000.00020000.00000000.sdmp, CiscoSetup.tmp, 00000001.00000003.2087307462.00000000029D1000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.cisco.com/support
Source: CiscoSetup.exe, 00000000.00000003.2094322756.0000000000EE1000.00000004.00001000.00020000.00000000.sdmp, CiscoSetup.tmp, 00000001.00000003.2087307462.00000000029D1000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.cisco.com/update
Source: CiscoSetup.tmp, 00000001.00000003.2087307462.00000000029BC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.cisco.comQ9
Source: is-M1NCB.tmp.1.dr, is-C9M46.tmp.1.dr, is-139DF.tmp.1.dr, is-7ARTU.tmp.1.dr, is-BKQ26.tmp.1.dr, is-6FEVR.tmp.1.dr, is-9JGUE.tmp.1.dr, is-T3UDO.tmp.1.dr, is-N867I.tmp.1.dr, is-O6HT8.tmp.1.dr, is-K9DFT.tmp.1.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: CiscoSetup.tmp, 00000001.00000003.2076122927.0000000005660000.00000004.00001000.00020000.00000000.sdmp, is-1V30U.tmp.1.dr String found in binary or memory: https://www.iminunet.com
Source: CiscoSetup.tmp, 00000001.00000003.2076122927.0000000005660000.00000004.00001000.00020000.00000000.sdmp, is-1V30U.tmp.1.dr String found in binary or memory: https://www.iminunet.comPara
Source: is-C1171.tmp.1.dr String found in binary or memory: https://www.immunet.com
Source: CiscoSetup.tmp, 00000001.00000003.2076122927.0000000005660000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.immunet.com.
Source: CiscoSetup.tmp, 00000001.00000003.2076122927.0000000005660000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.immunet.comAby
Source: CiscoSetup.tmp, 00000001.00000003.2076122927.0000000005660000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.immunet.comVoor
Source: CiscoSetup.exe, 00000000.00000003.1688495970.000000007EF3B000.00000004.00001000.00020000.00000000.sdmp, CiscoSetup.exe, 00000000.00000003.1688004235.0000000002B60000.00000004.00001000.00020000.00000000.sdmp, CiscoSetup.tmp, 00000001.00000000.1690462646.0000000000481000.00000020.00000001.01000000.00000004.sdmp String found in binary or memory: https://www.innosetup.com/
Source: CiscoSetup.exe, 00000000.00000003.1688495970.000000007EF3B000.00000004.00001000.00020000.00000000.sdmp, CiscoSetup.exe, 00000000.00000003.1688004235.0000000002B60000.00000004.00001000.00020000.00000000.sdmp, CiscoSetup.tmp, 00000001.00000000.1690462646.0000000000481000.00000020.00000001.01000000.00000004.sdmp String found in binary or memory: https://www.remobjects.com/ps
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
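The URL strings above are the output of static string extraction, so most of the OCSP, CRL and CPS entries are certificate fields of the signed Cisco and NetSupport binaries rather than contacts the sample makes, and the trailing characters (0C, 0N, 0f, Para, Q9) are adjacent bytes of the surrounding certificate or string-table data, not part of the URL. The following Python is an added example (not part of the Joe Sandbox report) that normalizes such strings and separates certificate-infrastructure and tooling noise from the entries an analyst still has to review. SAMPLE_STRINGS is a constructed subset of the list above; the TOOLING_HOSTS allowlist and the trimming heuristics are this example's own assumptions.

```python
"""Triage 'String found in binary or memory' URLs from a sandbox report.

Added example, not part of the Joe Sandbox report. SAMPLE_STRINGS is a
constructed subset of the URL strings listed in the report.
"""
import re
from urllib.parse import urlsplit, urlunsplit

SAMPLE_STRINGS = [
    "http://ocsp.digicert.com0C",
    "http://ocsp.digicert.com0N",
    "http://ocsp.sectigo.com0",
    "http://sf.symcb.com/sf.crl0f",
    "http://www.symauth.com/rpa00",
    "http://relaxng.org/ns/structure/1.0",
    "http://pesterbdd.com/images/Pester.png",
    "https://contoso.com/License",
    "http://www.netsupportschool.com/tutor-assistant.asp11(",
    "http://www.netsupportsoftware.com",
    "https://www.iminunet.comPara",
    "https://www.immunet.com",
    "https://www.cisco.comQ9",
]

# URLs that X.509 certificates embed (OCSP responders, CRL/AIA distribution
# points, CPS/RPA policy links). Every Authenticode-signed PE carries some.
CERT_HOST_RE = re.compile(
    r"^(ocsp\.|.*\.symcb\.com$|.*\.symcd\.com$|ts-(?:aia|crl|ocsp)\.ws\.symantec\.com$|www\.symauth\.com$)"
)
CERT_PATH_RE = re.compile(r"(\.crl|\.crt|\.cer|/cps|/rpa)$", re.I)

# Assumed allowlist: hosts that appear in PowerShell or installer process
# memory because of loaded modules/tooling, not because the sample uses them.
TOOLING_HOSTS = {
    "pesterbdd.com", "github.com", "contoso.com", "aka.ms", "nuget.org",
    "schemas.xmlsoap.org", "relaxng.org", "www.apache.org",
    "www.innosetup.com", "www.remobjects.com", "jrsoftware.org",
}

# Heuristics for extraction residue:
# - strings carved from DER-encoded certificate fields have the next TLV bytes
#   glued on ("...com0C", "...crl0f", "...rpa00"): drop a trailing "0" plus at
#   most one byte, but only when it directly follows a letter, so that a real
#   path such as ".../1.0" is left alone;
DER_TAIL_RE = re.compile(r"(?<=[A-Za-z])0[A-Za-z0-9&%(]?$")
# - a TLD followed by letters ("comPara", "comQ9") is a string-table run-on;
HOST_TAIL_RE = re.compile(r"^(.*?\.(?:com|net|org|uk|ms|io))[^./]*$", re.I)
# - same for a path that continues past a known file extension (".asp11(").
PATH_TAIL_RE = re.compile(r"^(.*\.(?:aspx?|php|html?|crl|crt|cer|png|exe))[^/]*$", re.I)


def normalize(raw: str) -> str:
    """Strip extraction residue and return a canonical URL."""
    s = DER_TAIL_RE.sub("", raw.strip())
    parts = urlsplit(s)
    host = parts.netloc.lower()
    m = HOST_TAIL_RE.match(host)
    if m:
        host = m.group(1)
    path = parts.path
    m = PATH_TAIL_RE.match(path)
    if m:
        path = m.group(1)
    return urlunsplit((parts.scheme.lower(), host, path, parts.query, ""))


def classify(url: str) -> str:
    """cert_infra: certificate plumbing; tooling: allowlisted hosts; review: the rest."""
    parts = urlsplit(url)
    if CERT_HOST_RE.match(parts.netloc) or CERT_PATH_RE.search(parts.path):
        return "cert_infra"
    if parts.netloc in TOOLING_HOSTS:
        return "tooling"
    return "review"


def triage(strings):
    """Return {category: [unique normalized URLs]} in first-seen order."""
    out = {"cert_infra": [], "tooling": [], "review": []}
    seen = set()
    for raw in strings:
        url = normalize(raw)
        if url in seen:
            continue
        seen.add(url)
        out[classify(url)].append(url)
    return out


if __name__ == "__main__":
    for category, urls in triage(SAMPLE_STRINGS).items():
        print(f"[{category}]")
        for url in urls:
            print("  ", url)
```

Everything that lands in the review bucket (the netsupportschool.com and netsupportsoftware.com strings, the Cisco and Immunet look-alike hosts) is what an analyst compares against the actual network traffic of the run; the cert_infra bucket is only worth a second look if the signing chain itself is in question.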
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_1101F360 OpenClipboard,GlobalAlloc,GlobalLock,_memmove,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,MessageBeep,CloseClipboard, 7_2_1101F360
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_11032930 GetClipboardFormatNameA,SetClipboardData, 7_2_11032930
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 8_2_1101F360 OpenClipboard,GlobalAlloc,GlobalLock,_memmove,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,MessageBeep,CloseClipboard, 8_2_1101F360
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 8_2_11032930 GetClipboardFormatNameA,SetClipboardData, 8_2_11032930
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_11031AC0 IsClipboardFormatAvailable,GetClipboardData,GlobalSize,GlobalLock,_memmove,GlobalUnlock, 7_2_11031AC0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_11007720 LoadCursorA,SetCursor,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,CreateDCA,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,SelectClipRgn,BitBlt,SelectClipRgn,DeleteObject,DeleteDC,BitBlt,ReleaseDC,CreatePen,CreateSolidBrush,GetSysColor,LoadBitmapA,_memset,_swscanf,CreateFontIndirectA,_memset,GetStockObject,GetObjectA,CreateFontIndirectA,GetWindowRect,SetWindowTextA,GetSystemMetrics,GetSystemMetrics,SetWindowPos,UpdateWindow,SetCursor, 7_2_11007720
Source: Yara match File source: 7.2.client32.exe.111b3308.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.client32.exe.111b3308.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.client32.exe.111b3308.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.2109302873.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.4143045081.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2190511917.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: client32.exe PID: 3052, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: client32.exe PID: 1516, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: client32.exe PID: 4124, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\Cisco\PCICL32.DLL, type: DROPPED
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-40G52.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-DN046.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\acsock64.cat (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\vpnva-6.cat (copy) Jump to dropped file

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_11112840 SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA, 7_2_11112840
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 8_2_11112840 SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA, 8_2_11112840

System Summary

Source: amsi32_6724.amsi.csv, type: OTHER Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 6724, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Cisco\client32.exe Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Cisco\pcicapi.dll Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Cisco\remcmdstub.exe Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Cisco\HTCTL32.DLL Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Cisco\PCICHEK.DLL Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Cisco\PCICL32.DLL Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Cisco\TCCTL32.DLL Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Cisco\msvcr100.dll Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Cisco\AudioCapture.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_110A9240: DeviceIoControl, 7_2_110A9240
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_1115A340 FindWindowA,_memset,CreateProcessAsUserA,GetLastError,WinExec,CloseHandle,CloseHandle,CloseHandle,WinExec, 7_2_1115A340
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_1102CE2D InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess, 7_2_1102CE2D
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 8_2_1102CE2D InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess, 8_2_1102CE2D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_089C3730 5_2_089C3730
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_11029230 7_2_11029230
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_11072460 7_2_11072460
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_1115B180 7_2_1115B180
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_1107F520 7_2_1107F520
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_1101B980 7_2_1101B980
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_1115F9F0 7_2_1115F9F0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_1101BDC0 7_2_1101BDC0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_11163C55 7_2_11163C55
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_11050430 7_2_11050430
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_110088DB 7_2_110088DB
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_1101CBE0 7_2_1101CBE0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_11032A60 7_2_11032A60
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_11086DA0 7_2_11086DA0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_11044C60 7_2_11044C60
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_6859A980 7_2_6859A980
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_685C4910 7_2_685C4910
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_685C3923 7_2_685C3923
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_6859DBA0 7_2_6859DBA0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_685C3DB8 7_2_685C3DB8
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_685CA063 7_2_685CA063
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_685C4156 7_2_685C4156
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_68591310 7_2_68591310
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 8_2_1115B180 8_2_1115B180
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 8_2_11029230 8_2_11029230
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 8_2_1107F520 8_2_1107F520
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 8_2_1101B980 8_2_1101B980
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 8_2_1115F9F0 8_2_1115F9F0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 8_2_1101BDC0 8_2_1101BDC0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 8_2_11163C55 8_2_11163C55
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 8_2_11050430 8_2_11050430
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 8_2_11072460 8_2_11072460
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 8_2_110088DB 8_2_110088DB
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 8_2_1101CBE0 8_2_1101CBE0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 8_2_11032A60 8_2_11032A60
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 8_2_11086DA0 8_2_11086DA0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 8_2_11044C60 8_2_11044C60
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Process token adjusted: Security Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: String function: 685A7D00 appears 106 times
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: String function: 685A7A90 appears 50 times
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: String function: 685930A0 appears 42 times
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: String function: 11142A60 appears 1040 times
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: String function: 685B9480 appears 36 times
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: String function: 68596F50 appears 143 times
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: String function: 11080C50 appears 63 times
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: String function: 1116B7E0 appears 54 times
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: String function: 1115CBB3 appears 92 times
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: String function: 110290F0 appears 1872 times
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: String function: 1105D340 appears 484 times
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: String function: 1109CBD0 appears 32 times
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: String function: 111434D0 appears 42 times
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: String function: 1105D470 appears 40 times
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: String function: 11027550 appears 94 times
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: String function: 11160790 appears 64 times
Source: CiscoSetup.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-BOBU7.tmp.1.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-LMS1D.tmp.1.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: CiscoSetup.tmp.0.dr Static PE information: Number of sections : 11 > 10
Source: is-BOBU7.tmp.1.dr Static PE information: Number of sections : 11 > 10
Source: CiscoSetup.exe Static PE information: Number of sections : 11 > 10
Source: CiscoSetup.exe, 00000000.00000003.1688495970.000000007F22B000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFileName vs CiscoSetup.exe
Source: CiscoSetup.exe, 00000000.00000000.1682587708.0000000000779000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFileName vs CiscoSetup.exe
Source: CiscoSetup.exe, 00000000.00000003.1688004235.0000000002C6F000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFileName vs CiscoSetup.exe
Source: CiscoSetup.exe Binary or memory string: OriginalFileName vs CiscoSetup.exe
Source: CiscoSetup.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: amsi32_6724.amsi.csv, type: OTHER Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 6724, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engine Classification label: mal54.rans.troj.evad.winEXE@10/537@3/3
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_11059270 GetLastError,FormatMessageA,LocalFree, 7_2_11059270
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_1109C750 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges, 7_2_1109C750
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_1109C7E0 AdjustTokenPrivileges,CloseHandle, 7_2_1109C7E0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 8_2_1109C750 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges, 8_2_1109C750
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 8_2_1109C7E0 AdjustTokenPrivileges,CloseHandle, 8_2_1109C7E0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_11095C90 GetTickCount,CoInitialize,CLSIDFromProgID,CoCreateInstance,CoUninitialize, 7_2_11095C90
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_11088290 FindResourceA,LoadResource,LockResource, 7_2_11088290
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Cisco Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2336:120:WilError_03
Source: C:\Users\user\Desktop\CiscoSetup.exe File created: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp Jump to behavior
Source: C:\Users\user\Desktop\CiscoSetup.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\Desktop\CiscoSetup.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File read: C:\Program Files (x86)\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\CiscoSetup.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization Jump to behavior
Source: CiscoSetup.exe String found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\CiscoSetup.exe File read: C:\Users\user\Desktop\CiscoSetup.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\CiscoSetup.exe "C:\Users\user\Desktop\CiscoSetup.exe"
Source: C:\Users\user\Desktop\CiscoSetup.exe Process created: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp "C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp" /SL5="$2041A,13456411,1058304,C:\Users\user\Desktop\CiscoSetup.exe"
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-D93RQ.tmp\cispn.ps1"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Roaming\Cisco\client32.exe "C:\Users\user\AppData\Roaming\Cisco\client32.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\Cisco\client32.exe "C:\Users\user\AppData\Roaming\Cisco\client32.exe"
Source: C:\Users\user\Desktop\CiscoSetup.exe Process created: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp "C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp" /SL5="$2041A,13456411,1058304,C:\Users\user\Desktop\CiscoSetup.exe"
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-D93RQ.tmp\cispn.ps1"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Roaming\Cisco\client32.exe "C:\Users\user\AppData\Roaming\Cisco\client32.exe"
Source: C:\Users\user\Desktop\CiscoSetup.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\CiscoSetup.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Section loaded: linkinfo.dll
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Section loaded: ntshrui.dll
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Section loaded: cscapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kdscli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: pcicl32.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: pcichek.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: pcicapi.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: samcli.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: dbgcore.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: nsmtrace.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: nslsp.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: devobj.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: pcihooks.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: winsta.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: riched32.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: riched20.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: usp10.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: msls31.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: pciinv.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: firewallapi.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: fwbase.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: fwpolicyiomgr.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Source: Cisco Secure Client for Windows.lnk.1.dr LNK file: ..\..\..\..\..\..\Program Files (x86)\Cisco\Cisco Secure Client\UI\csc_ui.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File written: C:\Users\user\AppData\Roaming\Cisco\nsm_vpro.ini
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Window found: window name: TSelectLanguageForm
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Automated click: Install
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Automated click: Next
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe File opened: C:\Windows\SysWOW64\riched32.dll
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: CiscoSetup.exe Static PE information: certificate valid
Source: CiscoSetup.exe Static file information: File size 16877888 > 1048576
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Cisco\msvcr100.dll
Source: CiscoSetup.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Full\pcichek.pdb source: client32.exe, 00000007.00000002.4143990636.00000000688B2000.00000002.00000001.01000000.0000000C.sdmp, client32.exe, 00000008.00000002.2110324547.00000000688B2000.00000002.00000001.01000000.0000000C.sdmp, client32.exe, 0000000A.00000002.2191144837.00000000688B2000.00000002.00000001.01000000.0000000C.sdmp
Source: Binary string: E:\nsmsrc\nsm\1210\1210f\client32\Release\PCICL32.pdb source: client32.exe, 00000007.00000002.4143045081.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.2109302873.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2190511917.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: C:\Users\build\p4files\ngc\Quicksilver\third-party\openssl\out.win.7.x86\ciscossl-1.1.1t.7.2.500\engines\cfom\cfom.pdb source: is-N867I.tmp.1.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdbL source: powershell.exe, 00000005.00000002.1991259471.0000000005357000.00000004.00000800.00020000.00000000.sdmp, client32.exe, 00000007.00000002.4143550370.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: client32.pdb\1141\1141\client32\Release\client32.pdb source: powershell.exe, 00000005.00000002.1991259471.0000000005259000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\temp\build\thehoff\Quicksilver_MR50.560024709388\Quicksilver_MR5\vpn\ExternalBrowserHelper\Win32\Win32\Release\acextwebhelper.pdb666GCTL source: is-K9DFT.tmp.1.dr
Source: Binary string: C:\temp\build\thehoff\Quicksilver_MR50.560024709388\Quicksilver_MR5\vpn\ProxyCon\Win32\Release\ProxyCon.pdb source: is-139DF.tmp.1.dr
Source: Binary string: C:\temp\build\thehoff\Quicksilver_MR50.560024709388\Quicksilver_MR5\ACRuntime\Release\acruntime.pdb source: is-FRTV6.tmp.1.dr
Source: Binary string: E:\nsmsrc\nsm\1280\1280f\ctl32\release_unicode\tcctl32.pdbP` source: powershell.exe, 00000005.00000002.1991259471.0000000005259000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr
Source: Binary string: d:\a01\_work\11\s\\binaries\x86ret\bin\i386\\msvcp140_2.i386.pdb source: is-0IGCD.tmp.1.dr
Source: Binary string: \1141\1141\client32\Release\client32.pdb source: powershell.exe, 00000005.00000002.1991259471.0000000005259000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\temp\build\thehoff\Quicksilver_MR50.560024709388\Quicksilver_MR5\vpn\IPsec\Win32\Release\vpnipsec.pdb source: is-M1NCB.tmp.1.dr
Source: Binary string: C:\temp\build\thehoff\Quicksilver_MR50.560024709388\Quicksilver_MR5\vpn\CommonCrypt\Win32\Release\vpncommoncrypt.pdb]]]GCTL source: is-T3UDO.tmp.1.dr
Source: Binary string: System.Management.Automation.pdb-2476756634-1002_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32AppData source: powershell.exe, 00000005.00000002.2043735068.0000000008824000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\temp\build\thehoff\Quicksilver_MR50.560024709388\Quicksilver_MR5\vpn\CLI\Win32\Release\vpncli.pdb+++GCTL source: is-7ARTU.tmp.1.dr
Source: Binary string: C:\temp\build\thehoff\Quicksilver_MR50.560024709388\Quicksilver_MR5\PhoneHome\Win32\Release\acfeedback.pdb source: is-O6HT8.tmp.1.dr
Source: Binary string: msvcr100.i386.pdb source: powershell.exe, 00000005.00000002.1991259471.0000000005357000.00000004.00000800.00020000.00000000.sdmp, client32.exe, client32.exe, 00000007.00000002.4143689896.00000000687D1000.00000020.00000001.01000000.0000000E.sdmp, client32.exe, 00000008.00000002.2109997806.00000000687D1000.00000020.00000001.01000000.0000000E.sdmp, client32.exe, 0000000A.00000002.2190902884.00000000687D1000.00000020.00000001.01000000.0000000E.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2038900255.000000000777A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: E:\nsmsrc\nsm\1280\1280f\ctl32\release_unicode\tcctl32.pdb source: powershell.exe, 00000005.00000002.1991259471.0000000005259000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr
Source: Binary string: C:\temp\build\thehoff\Quicksilver_MR50.560024709388\Quicksilver_MR5\vpn\InstallHelper\x64\Release\InstallHelper64.pdb source: is-BKQ26.tmp.1.dr
Source: Binary string: C:\temp\build\thehoff\Quicksilver_MR50.560024709388\Quicksilver_MR5\vpn\InstallHelper\x64\Release\InstallHelper64.pdb; source: is-BKQ26.tmp.1.dr
Source: Binary string: C:\temp\build\thehoff\Quicksilver_MR50.560024709388\Quicksilver_MR5\vpn\ProxyCon\Win32\Release\ProxyCon.pdb)))GCTL source: is-139DF.tmp.1.dr
Source: Binary string: client32.pdb source: powershell.exe, 00000005.00000002.1991259471.0000000005259000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: E:\nsmsrc\nsm\1210\1210\AudioCapture\Release\AudioCapture.pdb source: powershell.exe, 00000005.00000002.1991259471.0000000005259000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\temp\build\thehoff\Quicksilver_MR50.560024709388\Quicksilver_MR5\PhoneHome\Win32\Release\acfeedback.pdbMM/GCTL source: is-O6HT8.tmp.1.dr
Source: Binary string: C:\temp\build\thehoff\Quicksilver_MR50.560024709388\Quicksilver_MR5\ACRuntime\Release\acruntime.pdbjjKGCTL source: is-FRTV6.tmp.1.dr
Source: Binary string: C:\temp\build\thehoff\Quicksilver_MR50.560024709388\Quicksilver_MR5\vpn\ExternalBrowserHelper\Win32\Win32\Release\acextwebhelper.pdb source: is-K9DFT.tmp.1.dr
Source: Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdb source: powershell.exe, 00000005.00000002.1991259471.0000000005357000.00000004.00000800.00020000.00000000.sdmp, client32.exe, 00000007.00000002.4143550370.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Release\pcicapi.pdb source: client32.exe, 00000007.00000002.4143874760.0000000068895000.00000002.00000001.01000000.0000000D.sdmp, client32.exe, 00000008.00000002.2110207513.0000000068895000.00000002.00000001.01000000.0000000D.sdmp, client32.exe, 0000000A.00000002.2191058031.0000000068895000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: C:\temp\build\thehoff\Quicksilver_MR50.560024709388\Quicksilver_MR5\vpn\CLI\Win32\Release\vpncli.pdb source: is-7ARTU.tmp.1.dr
Source: Binary string: C:\temp\build\thehoff\Quicksilver_MR50.560024709388\Quicksilver_MR5\vpn\CommonCrypt\Win32\Release\vpncommoncrypt.pdb source: is-T3UDO.tmp.1.dr

Data Obfuscation

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($base64Content);[System.IO.File]::WriteAllBytes($zipFileName, $decodedBytes);New-Item -ItemType Directory -Path $destinationPath;Expand-Archive -Path $zipFileName -DestinationPath $de
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_11029230 GetTickCount,LoadLibraryA,GetProcAddress,SetLastError,GetProcAddress,GetLastError,_free,GetProcAddress,GetProcAddress,InternetOpenA,SetLastError,SetLastError,SetLastError,_free,GetProcAddress,SetLastError,GetProcAddress,InternetConnectA,GetProcAddress,SetLastError,SetLastError,GetProcAddress,SetLastError,GetProcAddress,SetLastError,GetLastError,GetProcAddress,SetLastError,GetLastError,GetDesktopWindow,GetProcAddress,SetLastError,GetProcAddress,SetLastError,GetProcAddress,SetLastError,FreeLibrary, 7_2_11029230
Source: CiscoSetup.exe Static PE information: section name: .didata
Source: CiscoSetup.tmp.0.dr Static PE information: section name: .didata
Source: is-BOBU7.tmp.1.dr Static PE information: section name: .didata
Source: is-N867I.tmp.1.dr Static PE information: section name: fipstx
Source: is-N867I.tmp.1.dr Static PE information: section name: fipsro
Source: is-N867I.tmp.1.dr Static PE information: section name: fipsda
Source: is-N867I.tmp.1.dr Static PE information: section name: fsig
Source: is-N867I.tmp.1.dr Static PE information: section name: fipsrd
Source: is-BKQ26.tmp.1.dr Static PE information: section name: _RDATA
Source: is-HL1L8.tmp.1.dr Static PE information: section name: _RDATA
Source: is-42UFL.tmp.1.dr Static PE information: section name: .orpc
Source: is-DSLII.tmp.1.dr Static PE information: section name: .00cfg
Source: is-DSLII.tmp.1.dr Static PE information: section name: .voltbl
Source: PCICL32.DLL.5.dr Static PE information: section name: .hhshare
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_0345C492 pushad ; ret 5_2_0345C493
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_034531FA pushfd ; ret 5_2_03453209
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_07AF7712 push dword ptr [ebp+ebx-75h]; iretd 5_2_07AF7716
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_07AF75D8 push FFFFFFE8h; retf 5_2_07AF75E1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_07AF1377 push FFFFFFE8h; ret 5_2_07AF1379
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_07AF0003 push FFFFFFC3h; ret 5_2_07AF007E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_07AF0F6F push FFFFFFE8h; retf 5_2_07AF0F71
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_07AF9CE5 push FFFFFFE8h; ret 5_2_07AF9CE9
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_1116B825 push ecx; ret 7_2_1116B838
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_11166719 push ecx; ret 7_2_1116672C
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_11040641 push 3BFFFFFEh; ret 7_2_11040646
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_685C6BBF push ecx; ret 7_2_685C6BD2
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_685C4DF5 push 685C43F9h; retf 7_2_685C4E1F
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_685B8377 push 3BFFFFFFh; retf 7_2_685B837C
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_685BE36C push edi; ret 7_2_685BE37B
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 8_2_1116B825 push ecx; ret 8_2_1116B838
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 8_2_1104E56B push ecx; retf 0007h 8_2_1104E56C
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 8_2_11166719 push ecx; ret 8_2_1116672C
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 8_2_11040641 push 3BFFFFFEh; ret 8_2_11040646
Source: is-Q67GI.tmp.1.dr Static PE information: section name: .text entropy: 6.8383653762559575
Source: msvcr100.dll.5.dr Static PE information: section name: .text entropy: 6.909044922675825
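The two static checks listed above (unusual section names and the per-section entropy figures) are cheap to reproduce without a full PE library. The following is an added example, not part of the Joe Sandbox report and not code from Cisco or NetSupport: a minimal pure-Python walker over the PE section table that reports each section's name and Shannon entropy and flags the ones worth a second look. The allow-list of common section names and the 7.0 entropy threshold are assumptions of this example, and `build_sample_pe()` constructs a toy two-section image for demonstration; it is not one of the report's dropped files. Note that several names in the report are legitimate toolchain output rather than packing indicators: `.didata` is Delphi/Inno Setup delay-import data, `fipstx`/`fipsro`/`fipsda`/`fipsrd` belong to the OpenSSL FIPS module, and `.00cfg`/`.voltbl` are MSVC control-flow-guard and volatile metadata.

```python
"""Walk a PE section table and report per-section name and Shannon entropy.

Added example, not part of the sandbox report. build_sample_pe() constructs
a toy PE32 image; it is not any of the report's dropped files.
"""
import math
import struct

# Names a stock linker usually emits (assumed allow-list). Anything else is
# worth a look but is not proof of packing; see the lead-in for benign cases.
COMMON_SECTIONS = {".text", ".rdata", ".data", ".idata", ".edata", ".pdata",
                   ".rsrc", ".reloc", ".bss", ".tls", ".CRT"}
HIGH_ENTROPY = 7.0  # assumed threshold; compressed/encrypted code tends to sit above it


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for a uniform one."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    ent = 0.0
    for c in counts:
        if c:
            p = c / n
            ent -= p * math.log2(p)
    return ent


def parse_sections(image: bytes) -> list:
    """Return [(name, raw_offset, raw_size, entropy)] for every section header."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                    # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    size_opt = struct.unpack_from("<H", image, coff + 16)[0]
    pos = coff + 20 + size_opt                             # first IMAGE_SECTION_HEADER
    out = []
    for _ in range(num_sections):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, pos)
        body = image[raw_ptr:raw_ptr + raw_size]
        out.append((name.rstrip(b"\0").decode("ascii", "replace"),
                    raw_ptr, raw_size, shannon_entropy(body)))
        pos += 40                                          # sizeof(IMAGE_SECTION_HEADER)
    return out


def flag_sections(sections: list) -> dict:
    """Map section name -> list of reasons it deserves a closer look."""
    flags = {}
    for name, _off, _size, ent in sections:
        reasons = []
        if name not in COMMON_SECTIONS:
            reasons.append("non-standard name")
        if ent > HIGH_ENTROPY:
            reasons.append(f"high entropy {ent:.2f}")
        if reasons:
            flags[name] = reasons
    return flags


def build_sample_pe() -> bytes:
    """Constructed PE32 image: a low-entropy .text and a uniform '.packed'
    section, laid out as a linker would (DOS header, PE signature, COFF
    header, 0xE0-byte optional header, section table, 512-byte file alignment)."""
    sections = [(b".text", b"\x90" * 256), (b".packed", bytes(range(256)))]
    opt_size = 0xE0
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    table, data = b"", b""
    for i, (name, body) in enumerate(sections):
        raw_ptr = 512 + len(data)                          # file-aligned raw offset
        table += struct.pack("<8sIIIIIIHHI", name, len(body), 0x1000 * (i + 1),
                             len(body), raw_ptr, 0, 0, 0, 0, 0x60000020)
        data += body.ljust(512, b"\0")
    header = (bytes(dos) + b"PE\0\0" + coff + b"\0" * opt_size + table).ljust(512, b"\0")
    return header + data


if __name__ == "__main__":
    secs = parse_sections(build_sample_pe())
    for name, off, size, ent in secs:
        print(f"{name:<8} off=0x{off:04x} size=0x{size:04x} entropy={ent:.3f}")
    print(flag_sections(secs))
```

Run it against a real dropped file by reading the file into `image` and calling `parse_sections`; the report's `.text entropy: 6.9` figures fall below the assumed 7.0 threshold, which is consistent with ordinary compiled code rather than a packed payload, so the section names rather than the entropy carry most of the signal here.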
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\ProxyCon.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\Setup\5.0.00923\csc_ui_toast.dll (copy) Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Cisco\remcmdstub.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-0E14V.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-MJ3RA.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-Q67GI.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\Plugins\acdownloader.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\vpnipsec.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-HL1L8.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-24FVM.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-7A47V.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-T3UDO.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\msvcp140_2.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\Setup\csc_ui_setup.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\acwebhelper.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-N867I.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-9JGUE.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-LO7QV.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-13C42.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-O6HT8.tmp Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Cisco\TCCTL32.DLL Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\csc_ui_toast.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\vpnapishim.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\acsock64.sys (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-2J33H.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\Plugins\is-LMS1D.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\boost_system.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Users\user\AppData\Local\Temp\is-D93RQ.tmp\_isetup\_setup64.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-K9DFT.tmp Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Cisco\client32.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\vpnmgmttun.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\msvcp140.dll (copy) Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Cisco\PCICHEK.DLL Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Cisco\msvcr100.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-C8R9M.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\vpncli.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\Setup\5.0.00923\is-FCDNQ.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-6FEVR.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-FRTV6.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\cfom.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\unins000.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\zlib1.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-0IGCD.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-UP6H5.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\InstallHelper.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\InstallHelper64.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\is-BSCSU.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-3H81M.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-139DF.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\msvcp140_1.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\ac_sock_fltr_api.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\boost_thread.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\acciscocrypto.dll (copy) Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Cisco\AudioCapture.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\acextwebhelper.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-KC1BF.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\vpnagentutilities.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-ULT5V.tmp Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Cisco\pcicapi.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-M1NCB.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\VACon64.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\Uninstall.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\acfeedback.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\vpncommoncrypt.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-LU7CG.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\vpnapi.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-T40JR.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\concrt140.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\vpnagent.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-PS1DU.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-C9M46.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\is-AB2VI.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-GKS0T.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\boost_filesystem.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-RJSOM.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-O7USL.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-QC4EE.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-K8IRC.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-O8UOD.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\acwebhelper.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\acruntime.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\accurl.dll (copy) Jump to dropped file
Source: C:\Users\user\Desktop\CiscoSetup.exe File created: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpndownloader.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\is-8QMTQ.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\vpnva64-6.sys (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\Setup\5.0.00923\csc_ui.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-7ARTU.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\boost_chrono.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-3MUNV.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\Setup\is-V7O6A.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\acciscossl.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\vccorlib140.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\WebView2Loader.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\Setup\5.0.00923\is-0667M.tmp Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Cisco\HTCTL32.DLL Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-HI577.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\boost_date_time.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\csc_ui.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-42UFL.tmp Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Cisco\PCICL32.DLL Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\vpndownloader.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\vcruntime140.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-BKQ26.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\vpncommon.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\is-BOBU7.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-DSLII.tmp Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_685A7030 ctl_open,LoadLibraryA,InitializeCriticalSection,CreateEventA,CreateEventA,CreateEventA,CreateEventA,WSAStartup,_malloc,_memset,_calloc,_malloc,_memset,_malloc,_memset,GetTickCount,CreateThread,SetThreadPriority,GetModuleFileNameA,GetPrivateProfileIntA,GetModuleHandleA,CreateMutexA,timeBeginPeriod, 7_2_685A7030
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_685950E0 CreateFileA,wsprintfA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,CreateFileA,GetFileSize,GetPrivateProfileIntA,SetFilePointer,FlushFileBuffers,CloseHandle,wsprintfA,CreateFileA,__itow,WritePrivateProfileStringA, 7_2_685950E0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_68595117 GetPrivateProfileIntA,wsprintfA,CreateFileA,GetFileSize,GetPrivateProfileIntA,SetFilePointer,FlushFileBuffers,CloseHandle,wsprintfA,CreateFileA,__itow,WritePrivateProfileStringA, 7_2_68595117
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Cisco Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Cisco\Cisco Secure Client for Windows.lnk Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MyApp Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MyApp Jump to behavior
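The dropped-file and registry lines above mix two very different writers: the Inno Setup installer (`CiscoSetup.tmp`) populating `C:\Program Files (x86)\Cisco\...` with a real-looking Cisco Secure Client, and `powershell.exe` writing the NetSupport Manager client set (`client32.exe`, `PCICL32.DLL`, `HTCTL32.DLL`, `TCCTL32.DLL`, `PCICHEK.DLL`, `pcicapi.dll`, `remcmdstub.exe`, `AudioCapture.dll`, `msvcr100.dll`) into `%APPDATA%\Cisco` and then registering a `MyApp` value under `HKCU\...\CurrentVersion\Run`. The following is an added example, not part of the report and not Joe Sandbox, Cisco or NetSupport code: a small triage parser over lines in the report's own format that separates the two writers and surfaces the staging and persistence pattern. `EVIDENCE` is a constructed subset of the lines listed above; the `SCRIPT_HOSTS` list, the `NETSUPPORT_COMPONENTS` set (simply the NetSupport file names the report shows PowerShell writing) and the "three or more components in one directory" rule are assumptions of this example.

```python
"""Triage sandbox 'File created' / 'Registry value' lines for RAT staging.

Added example, not part of the report. EVIDENCE is a constructed subset of
the report's lines; the indicator sets below are assumptions.
"""
import ntpath
import re
from collections import defaultdict
from pprint import pprint

FILE_RE = re.compile(r"^Source: (?P<src>.+?) File created: (?P<path>.+?)(?: \(copy\))? Jump to")
REG_RE = re.compile(r"^Source: (?P<src>.+?) Registry value created or modified: "
                    r"(?P<key>\S+) (?P<name>\S+) Jump to")
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)

# Assumed: interpreters that have no business writing PE files under a user profile.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Assumed: NetSupport Manager client components, taken from the file names in the report.
NETSUPPORT_COMPONENTS = {"client32.exe", "pcicl32.dll", "htctl32.dll", "tcctl32.dll",
                         "pcichek.dll", "pcicapi.dll", "remcmdstub.exe"}

# Constructed subset of the report's evidence lines (same format as the page).
EVIDENCE = r"""
Source: C:\Users\user\Desktop\CiscoSetup.exe File created: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp File created: C:\Program Files (x86)\Cisco\Cisco Secure Client\vpnagent.exe (copy) Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Cisco\client32.exe Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Cisco\PCICL32.DLL Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Cisco\HTCTL32.DLL Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Cisco\TCCTL32.DLL Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Cisco\PCICHEK.DLL Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Cisco\msvcr100.dll Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MyApp Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MyApp Jump to behavior
"""


def triage(evidence: str) -> dict:
    """Return script-host PE drops, per-directory NetSupport staging and Run-key persistence."""
    findings = {"script_host_pe_drops": [], "netsupport_staging": {}, "run_key_persistence": []}
    components_by_dir = defaultdict(set)
    for line in evidence.splitlines():
        m = FILE_RE.match(line)
        if m:
            writer = ntpath.basename(m["src"]).lower()
            path = m["path"]
            base = ntpath.basename(path).lower()
            # Script interpreter writing a PE under the user profile: the
            # "Powershell drops PE file" condition from the report's signature list.
            if writer in SCRIPT_HOSTS and "\\appdata\\" in path.lower() \
                    and base.endswith((".exe", ".dll")):
                findings["script_host_pe_drops"].append(path)
            if base in NETSUPPORT_COMPONENTS:
                components_by_dir[ntpath.dirname(path)].add(base)
            continue
        m = REG_RE.match(line)
        if m and RUN_KEY_RE.search(m["key"]):
            entry = (ntpath.basename(m["src"]).lower(), m["key"], m["name"])
            if entry not in findings["run_key_persistence"]:   # report repeats the event
                findings["run_key_persistence"].append(entry)
    # Assumed rule: three or more NetSupport client components landing in one
    # directory is the staging pattern the report shows under %APPDATA%\Cisco.
    for directory, comps in components_by_dir.items():
        if len(comps) >= 3:
            findings["netsupport_staging"][directory] = sorted(comps)
    return findings


if __name__ == "__main__":
    pprint(triage(EVIDENCE))
```

The installer's drops into `Program Files (x86)` are deliberately left alone: the decoy Cisco Secure Client is what makes the sample look legitimate, and the actionable indicators are the user-writable staging directory, the interpreter that populated it, and the `Run` value that relaunches `client32.exe` at logon. On a live host the same checks map to a directory listing of `%APPDATA%` for the component set and a query of `HKCU\Software\Microsoft\Windows\CurrentVersion\Run`.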

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_110251B0 SetWindowPos,GetMenu,DrawMenuBar,GetMenu,DeleteMenu,UpdateWindow,IsIconic,SetTimer,KillTimer, 7_2_110251B0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_111575D0 IsIconic,ShowWindow,BringWindowToTop,IsWindow,IsIconic,ShowWindow,BringWindowToTop, 7_2_111575D0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_111575D0 IsIconic,ShowWindow,BringWindowToTop,IsWindow,IsIconic,ShowWindow,BringWindowToTop, 7_2_111575D0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_11025600 IsIconic,BringWindowToTop,GetCurrentThreadId, 7_2_11025600
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_111579D0 _memset,SendMessageA,SendMessageA,ShowWindow,SendMessageA,IsIconic,IsZoomed,ShowWindow,GetDesktopWindow,TileWindows, 7_2_111579D0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_110238D0 BringWindowToTop,SetWindowPos,SetWindowPos,SetWindowPos,GetWindowLongA,SetWindowLongA,GetDlgItem,EnableWindow,GetMenu,DeleteMenu,DrawMenuBar,SetWindowPos,IsIconic,UpdateWindow,SetTimer,KillTimer, 7_2_110238D0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_110BFDD0 IsIconic,ShowWindow,BringWindowToTop,GetCurrentThreadId, 7_2_110BFDD0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_11023FB0 _memset,_strncpy,_memset,_strncpy,IsWindow,IsIconic,BringWindowToTop,GetCurrentThreadId, 7_2_11023FB0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_110CA3C0 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos, 7_2_110CA3C0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_110CA3C0 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos, 7_2_110CA3C0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_11110220 IsIconic,GetTickCount,CreateRectRgn,GetClientRect,SetStretchBltMode,CreateRectRgn,GetClipRgn,OffsetRgn,GetRgnBox,SelectClipRgn,StretchBlt,SelectClipRgn,DeleteObject,StretchBlt,StretchBlt,GetWindowOrgEx,StretchBlt,GetKeyState,CreatePen,CreatePen,SelectObject,Polyline,Sleep,SelectObject,Polyline,Sleep,SelectObject,DeleteObject,DeleteObject,BitBlt, 7_2_11110220
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 8_2_110251B0 SetWindowPos,GetMenu,DrawMenuBar,GetMenu,DeleteMenu,UpdateWindow,IsIconic,SetTimer,KillTimer, 8_2_110251B0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 8_2_111575D0 IsIconic,ShowWindow,BringWindowToTop,IsWindow,IsIconic,ShowWindow,BringWindowToTop, 8_2_111575D0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 8_2_111575D0 IsIconic,ShowWindow,BringWindowToTop,IsWindow,IsIconic,ShowWindow,BringWindowToTop, 8_2_111575D0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 8_2_11025600 IsIconic,BringWindowToTop,GetCurrentThreadId, 8_2_11025600
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 8_2_111579D0 _memset,SendMessageA,SendMessageA,ShowWindow,SendMessageA,IsIconic,IsZoomed,ShowWindow,GetDesktopWindow,TileWindows, 8_2_111579D0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 8_2_110238D0 BringWindowToTop,SetWindowPos,SetWindowPos,SetWindowPos,GetWindowLongA,SetWindowLongA,GetDlgItem,EnableWindow,GetMenu,DeleteMenu,DrawMenuBar,SetWindowPos,IsIconic,UpdateWindow,SetTimer,KillTimer, 8_2_110238D0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 8_2_110BFDD0 IsIconic,ShowWindow,BringWindowToTop,GetCurrentThreadId, 8_2_110BFDD0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 8_2_11023FB0 _memset,_strncpy,_memset,_strncpy,IsWindow,IsIconic,BringWindowToTop,GetCurrentThreadId, 8_2_11023FB0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 8_2_110CA3C0 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos, 8_2_110CA3C0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 8_2_110CA3C0 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos, 8_2_110CA3C0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 8_2_11110220 IsIconic,GetTickCount,CreateRectRgn,GetClientRect,SetStretchBltMode,CreateRectRgn,GetClipRgn,OffsetRgn,GetRgnBox,SelectClipRgn,StretchBlt,SelectClipRgn,DeleteObject,StretchBlt,StretchBlt,GetWindowOrgEx,StretchBlt,GetKeyState,CreatePen,CreatePen,SelectObject,Polyline,Sleep,SelectObject,Polyline,Sleep,SelectObject,DeleteObject,DeleteObject,BitBlt, 8_2_11110220
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_11029230 GetTickCount,LoadLibraryA,GetProcAddress,SetLastError,GetProcAddress,GetLastError,_free,GetProcAddress,GetProcAddress,InternetOpenA,SetLastError,SetLastError,SetLastError,_free,GetProcAddress,SetLastError,GetProcAddress,InternetConnectA,GetProcAddress,SetLastError,SetLastError,GetProcAddress,SetLastError,GetProcAddress,SetLastError,GetLastError,GetProcAddress,SetLastError,GetLastError,GetDesktopWindow,GetProcAddress,SetLastError,GetProcAddress,SetLastError,GetProcAddress,SetLastError,FreeLibrary, 7_2_11029230
Source: C:\Users\user\Desktop\CiscoSetup.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_685991F0 7_2_685991F0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_685A4F30 7_2_685A4F30
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: OpenSCManagerA,EnumServicesStatusA,EnumServicesStatusA,LoadLibraryA,GetProcAddress,OpenServiceA,WideCharToMultiByte,CloseServiceHandle,_memset,_memset,FreeLibrary,CloseServiceHandle, 7_2_11127110
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6962
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2767
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Window / User API: threadDelayed 450
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Window / User API: threadDelayed 7993
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\ProxyCon.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\Setup\5.0.00923\csc_ui_toast.dll (copy)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Cisco\remcmdstub.exe
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-0E14V.tmp
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-MJ3RA.tmp
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-Q67GI.tmp
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\Plugins\acdownloader.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\vpnipsec.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-HL1L8.tmp
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-24FVM.tmp
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-7A47V.tmp
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-T3UDO.tmp
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\msvcp140_2.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\Setup\csc_ui_setup.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\acwebhelper.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-N867I.tmp
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-9JGUE.tmp
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-LO7QV.tmp
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-13C42.tmp
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-O6HT8.tmp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Cisco\TCCTL32.DLL
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\csc_ui_toast.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\vpnapishim.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\acsock64.sys (copy)
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-2J33H.tmp
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\Plugins\is-LMS1D.tmp
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\boost_system.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-K9DFT.tmp
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-D93RQ.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\msvcp140.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\vpnmgmttun.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-C8R9M.tmp
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\vpncli.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\Setup\5.0.00923\is-FCDNQ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-6FEVR.tmp
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-FRTV6.tmp
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\cfom.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\unins000.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\zlib1.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-UP6H5.tmp
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-0IGCD.tmp
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\InstallHelper.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\InstallHelper64.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\is-BSCSU.tmp
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-3H81M.tmp
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-139DF.tmp
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\msvcp140_1.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\ac_sock_fltr_api.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\boost_thread.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\acciscocrypto.dll (copy)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Cisco\AudioCapture.dll
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\acextwebhelper.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-KC1BF.tmp
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\vpnagentutilities.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-ULT5V.tmp
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-M1NCB.tmp
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\VACon64.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\Uninstall.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\acfeedback.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\vpncommoncrypt.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\vpnapi.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-LU7CG.tmp
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-T40JR.tmp
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\concrt140.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\vpnagent.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-PS1DU.tmp
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-C9M46.tmp
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\is-AB2VI.tmp
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-GKS0T.tmp
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\boost_filesystem.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-RJSOM.tmp
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-O7USL.tmp
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-QC4EE.tmp
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-K8IRC.tmp
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-O8UOD.tmp
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\acwebhelper.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\acruntime.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\accurl.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpndownloader.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\is-8QMTQ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\vpnva64-6.sys (copy)
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\Setup\5.0.00923\csc_ui.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-7ARTU.tmp
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\boost_chrono.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-3MUNV.tmp
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\Setup\is-V7O6A.tmp
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\acciscossl.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\vccorlib140.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\WebView2Loader.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\Setup\5.0.00923\is-0667M.tmp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Cisco\HTCTL32.DLL
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-HI577.tmp
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\boost_date_time.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\csc_ui.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-42UFL.tmp
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\vpndownloader.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\vcruntime140.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-BKQ26.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\vpncommon.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\is-BOBU7.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-DSLII.tmp Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Evaded block: after key decision (14 identical entries)
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe API coverage: 6.1 %
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe API coverage: 2.9 %
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_685A4F30 7_2_685A4F30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1800 Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe TID: 2020 Thread sleep time: -52250s >= -30000s
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe TID: 5440 Thread sleep time: -45000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe TID: 2020 Thread sleep time: -1998250s >= -30000s
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_685A3130 GetSystemTime followed by cmp: cmp eax, 02h and CTI: je 685A3226h 7_2_685A3130
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_11123570 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle, 7_2_11123570
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_11069690 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,GetLastError, 7_2_11069690
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_1110BB80 GetLocalTime,wsprintfA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,ExpandEnvironmentStringsA,CreateFileA,timeBeginPeriod,GetLocalTime,timeGetTime,_memset,WriteFile, 7_2_1110BB80
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_11107FE0 _memset,wsprintfA,wsprintfA,KillTimer,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose, 7_2_11107FE0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_110BC3D0 GetFileAttributesA,CreateDirectoryA,FindFirstFileA,CopyFileA,CopyFileA,FindNextFileA,FindClose,DrawMenuBar, 7_2_110BC3D0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_1102CE2D InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess, 7_2_1102CE2D
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_11064E30 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA, 7_2_11064E30
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 8_2_1102CE2D InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess, 8_2_1102CE2D
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 8_2_11123570 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle, 8_2_11123570
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 8_2_1110BB80 GetLocalTime,wsprintfA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,ExpandEnvironmentStringsA,CreateFileA,timeBeginPeriod,GetLocalTime,timeGetTime,_memset,WriteFile, 8_2_1110BB80
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 8_2_11107FE0 _memset,wsprintfA,wsprintfA,KillTimer,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose, 8_2_11107FE0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 8_2_110BC3D0 GetFileAttributesA,CreateDirectoryA,FindFirstFileA,CopyFileA,CopyFileA,FindNextFileA,FindClose,DrawMenuBar, 8_2_110BC3D0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: client32.exe, 00000007.00000002.4143550370.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp Binary or memory string: VMware
Source: client32.exe, 00000007.00000002.4143550370.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp Binary or memory string: plist<T> too longp.secondQueueQueueThreadEventidata->Q.size () == 0p < ep%dWSAIoctlclosesocketsocketWSACleanupWSAStartupws2_32.dllIPHLPAPI.DLLVMWarevirtGetAdaptersAddressesVMWarevirtntohlWinHttpCloseHandleWinHttpGetProxyForUrlNS247WinHttpOpenWinHttpGetIEProxyConfigForCurrentUserwinhttp.dllc != '\0'dstbufyenc.cla]h*
Source: client32.exe, 00000007.00000002.4141243158.000000000045E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW`q%
Source: is-FRTV6.tmp.1.dr Binary or memory string: %d.%d.%dUnknownWin9xWinNTgetWindowsEdition(): Could not get OS Edition lengthC:\temp\build\thehoff\Quicksilver_MR50.560024709388\Quicksilver_MR5\ACRuntime\library\OSVersionAPI.cppGetOsVersionGetOsVersion(): Could not get OS EditionGetVersionEx call failed with error: %dgetWindowsEditionWindows VistaWindows Server 2008Windows 7Windows Server 2008 R2Windows 8Windows Server 2012Windows 8.1Windows Server 2012 R2Windows 11Windows 10Windows Server 2016Windows Server 2019Windows Server 2022Windows ServerGetProductInfo%s UnknownUltimateUltimate EUltimate NProfessionalProfessional EProfessional NProfessional with Media CenterHome BasicHome Basic EHome Basic NHome PremiumHome Premium EHome Premium NEnterpriseBusinessStarterStarter EStarter NEnterprise EHomeHome ChinaHome NHome Single LanguageEnterprise EvaluationEnterprise NEnterprise N EvaluationEnterprise 2015 LTSBEnterprise 2015 LTSB EvaluationEnterprise 2015 LTSB NEnterprise 2015 LTSB N EvaluationMobileMobile EnterpriseUnlicensedDatacenter (evaluation installation)Datacenter (full installation)Datacenter (core installation)Datacenter without Hyper-V (core installation)Datacenter without Hyper-V (full installation)Enterprise (full installation)Enterprise (core installation)Enterprise without Hyper-V (core installation)Enterprise for Itanium-based SystemsEnterprise without Hyper-V (full installation)Essential Server Solution AdditionalEssential Server Solution Additional SVCEssential Server Solution ManagementEssential Server Solution Management SVCHome Server 2011Storage Server 2008 R2 EssentialsMicrosoft Hyper-V ServerEssential Business Server Management ServerEssential Business Server Messaging ServerEssential Business Server Security ServerMultiPoint Server Premium (full installation)MultiPoint Server Standard (full installation)Small Business Server 2011 EssentialsFor SB Solutions EMFor SB SolutionsFor Essential Server SolutionsWithout Hyper-V for Windows Essential Server SolutionsFoundationSmall Business ServerSmall Business Server PremiumSmall Business Server Premium (core installation)MultiPoint ServerStandardStandard (core installation)Standard without Hyper-V (core installation)Standard without Hyper-VStandard Solutions PremiumStandard Solutions Premium (core installation)Storage Server EnterpriseStorage Server Enterprise (core installation)Storage Server ExpressStorage Server Express (core installation)Storage Server Standard (evaluation installation)Storage Server StandardStorage Server Standard (core installation)Storage Server Workgroup (evaluation installation)Storage Server WorkgroupStorage Server Workgroup (core installation)HPC EditionServer Hyper Core VWeb Server (full installation)Web Server (core installation)%s %s$
Source: client32.exe, 00000007.00000002.4143550370.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp Binary or memory string: hbuf->datahttputil.c%5d000000000002004C4F4F50VirtualVMwareVIRTNETGetAdaptersInfoiphlpapi.dllcbMacAddress == MAX_ADAPTER_ADDRESS_LENGTHmacaddr.cpp,%02x%02x%02x%02x%02x%02x* Netbiosnetapi32.dll01234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZwhoa nelly, says Sherman, the Sharkhellooo nurse!kernel32.dllProcessIdToSessionId%s_L%d_%xNOT copied to diskcopied to %sAssert failed - Unhandled Exception (GPF) -
Source: powershell.exe, 00000005.00000002.1991259471.0000000005357000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: plist<T> too longp.secondQueueQueueThreadEventidata->Q.size () == 0p < ep%dWSAIoctlclosesocketsocketWSACleanupWSAStartupws2_32.dllIPHLPAPI.DLLVMWarevirtGetAdaptersAddressesVMWarevirtntohlWinHttpCloseHandleWinHttpGetProxyForUrlNS247WinHttpOpenWinHttpGetIEProxyConfigForCurrentUserwinhttp.dllc != '\0'dstbufyenc.cla
Source: client32.exe, 00000007.00000003.1989645822.000000000525C000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000007.00000003.2285282850.000000000527B000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000007.00000002.4142691665.000000000527B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: TCCTL32.DLL.5.dr Binary or memory string: VMWare
Source: client32.exe, 00000007.00000003.2284925440.0000000005207000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000007.00000002.4142691665.0000000005226000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000007.00000003.1989702492.0000000005255000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000007.00000003.2285282850.0000000005226000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.ZuneVideo/resources/IDS_MANIFEST_VIDEO_APP_DESCRIPTION}LMEM
Source: TCCTL32.DLL.5.dr Binary or memory string: >localhost:%d%dWSAIoctlclosesocketsocketWSACleanupWSAStartupws2_32.dllGetAdaptersInfoIPHLPAPI.DLLVMWarevirtGetAdaptersAddressesvirtualVMWarevirt0000000000%02X%02X%02X%02X%02X%02XBluetoothpfntcctlex.cppRtlIpv6AddressToStringWntdll.dllntohlTCREMOTETCBRIDGE%s=%s
Source: client32.exe, 00000008.00000002.2104328100.00000000005C2000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000008.00000003.2103752720.00000000005BF000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 0000000A.00000003.2189007519.000000000068F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe API call chain: ExitProcess graph end node (2 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_1116A559 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_1116A559
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_110CFCF0 _memset,_strncpy,CreateMutexA,OpenMutexA,GetLastError,wsprintfA,OutputDebugStringA, 7_2_110CFCF0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_11029230 GetTickCount,LoadLibraryA,GetProcAddress,SetLastError,GetProcAddress,GetLastError,_free,GetProcAddress,GetProcAddress,InternetOpenA,SetLastError,SetLastError,SetLastError,_free,GetProcAddress,SetLastError,GetProcAddress,InternetConnectA,GetProcAddress,SetLastError,SetLastError,GetProcAddress,SetLastError,GetProcAddress,SetLastError,GetLastError,GetProcAddress,SetLastError,GetLastError,GetDesktopWindow,GetProcAddress,SetLastError,GetProcAddress,SetLastError,GetProcAddress,SetLastError,FreeLibrary, 7_2_11029230
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_11178A14 __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock, 7_2_11178A14
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_11030B10 SetUnhandledExceptionFilter, 7_2_11030B10
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_1116A559 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_1116A559
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_1115E4D1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 7_2_1115E4D1
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_685B28E1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 7_2_685B28E1
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 8_2_11030B10 SetUnhandledExceptionFilter, 8_2_11030B10
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 8_2_1116A559 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_1116A559
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 8_2_1115E4D1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 8_2_1115E4D1

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-D93RQ.tmp\cispn.ps1"
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_110F2280 GetTickCount,LogonUserA,GetTickCount,GetLastError, 7_2_110F2280
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_11027BE0 keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event, 7_2_11027BE0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Roaming\Cisco\client32.exe "C:\Users\user\AppData\Roaming\Cisco\client32.exe"
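The process chain recorded in this section is a detection opportunity on its own: the Inno Setup temporary installer (Temp\is-5I04T.tmp\CiscoSetup.tmp) starts powershell.exe with -ExecutionPolicy Bypass on a .ps1 in another is-*.tmp folder under the user's Temp, and that PowerShell instance then starts client32.exe from AppData\Roaming\Cisco, where the NetSupport client components (client32.exe, HTCTL32.DLL, TCCTL32.DLL) were dropped. The Python below is an added example written for this page; it is not code from the Joe Sandbox report, from Cisco or from NetSupport. It evaluates constructed, Sysmon-style process-creation records against that chain: the two suspicious records reuse the image paths and command line shown above, while the pids, parent links, the benign admin script and the "legitimate" NetSupport path under Program Files are invented for the example.

```python
"""Detection of the installer -> PowerShell -> client32.exe chain.

Input records are constructed for this example in a Sysmon-like shape
(pid, parent pid, image path, command line).  The two suspicious
records reuse the paths and command line from the report; the benign
records, pids and parent links are invented.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Windows paths and PowerShell switches are case-insensitive.
INNO_TMP = re.compile(r"\\AppData\\Local\\Temp\\is-[A-Z0-9]{5}\.tmp\\", re.I)
PS_IMAGE = re.compile(r"\\(?:powershell|pwsh)\.exe$", re.I)
# -ExecutionPolicy accepts any unambiguous prefix (-ep, -ex, -exec, ...).
EP_BYPASS = re.compile(r"-e(?:p|x[a-z]*)\s+(?:bypass|unrestricted)", re.I)
PS1_IN_TEMP = re.compile(r'-file\s+"?[^"]*\\AppData\\Local\\Temp\\[^"]*\.ps1', re.I)
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(?:Roaming|Local)\\", re.I)
# NetSupport Manager client components listed as dropped files in the report.
NETSUPPORT_FILES = {"client32.exe", "htctl32.dll", "tcctl32.dll"}


def detect(events):
    """Return [{'pid', 'image', 'reasons'}] for records matching the chain."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        reasons = []
        if PS_IMAGE.search(e.image):
            if EP_BYPASS.search(e.cmdline):
                reasons.append("execution policy bypass on the command line")
            if PS1_IN_TEMP.search(e.cmdline):
                reasons.append("script executed from the user's Temp folder")
            if parent and INNO_TMP.search(parent.image):
                reasons.append("parent is an Inno Setup extracted installer")
            # One weak signal alone (e.g. -ep bypass in an admin script) is
            # too noisy on its own; require at least two of the three.
            if len(reasons) < 2:
                reasons = []
        else:
            name = e.image.rsplit("\\", 1)[-1].lower()
            if name in NETSUPPORT_FILES and USER_WRITABLE.search(e.image):
                reasons.append("NetSupport client component under a user-writable profile path")
                if parent and PS_IMAGE.search(parent.image):
                    reasons.append("spawned by PowerShell")
        if reasons:
            findings.append({"pid": e.pid, "image": e.image, "reasons": reasons})
    return findings


SAMPLE_EVENTS = [
    # Inno Setup unpacked installer (path from the report; pids invented).
    ProcEvent(100, 50, r"C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp",
              r'"C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp"'),
    # PowerShell launched by the installer (command line as in the report).
    ProcEvent(200, 100, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass '
              r'-File "C:\Users\user\AppData\Local\Temp\is-D93RQ.tmp\cispn.ps1"'),
    # NetSupport client started by that PowerShell (path as in the report).
    ProcEvent(300, 200, r"C:\Users\user\AppData\Roaming\Cisco\client32.exe",
              r'"C:\Users\user\AppData\Roaming\Cisco\client32.exe"'),
    # Constructed benign records: an admin script without a policy bypass,
    # and a NetSupport client under Program Files (assumed legitimate install).
    ProcEvent(400, 1, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -File C:\Scripts\inventory.ps1"),
    ProcEvent(500, 1, r"C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe",
              r'"C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe"'),
]


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f["pid"], f["image"])
        for r in f["reasons"]:
            print("   -", r)
```

The two-signal threshold for the PowerShell record is a tuning choice: in an estate where installers routinely run PowerShell from Temp, raise it or key an allow-list on the installer's signer rather than on its path. The client32.exe rule fires on location, not on the file name alone, because NetSupport Manager is a commercial product that is legitimately present under Program Files on some hosts.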
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_1109D4A0 LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,GetVersionExA,GetSecurityDescriptorSacl,SetSecurityDescriptorSacl,FreeLibrary,CreateFileMappingA,GetLastError,LocalFree,LocalFree,LocalFree,GetLastError,MapViewOfFile,LocalFree,LocalFree,LocalFree,GetModuleFileNameA,GetModuleFileNameA,LocalFree,LocalFree,LocalFree,_memset,GetTickCount,GetCurrentProcessId,GetModuleFileNameA,CreateEventA,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,GetLastError,LocalFree,LocalFree,LocalFree,GetCurrentThreadId,CreateThread,ResetEvent,ResetEvent,ResetEvent,ResetEvent,SetEvent, 7_2_1109D4A0
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_1109DC20 GetProcAddress,GetTokenInformation,GetTokenInformation,GetTokenInformation,AllocateAndInitializeSid,EqualSid, 7_2_1109DC20
Source: client32.exe, 00000007.00000002.4143045081.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.2109302873.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2190511917.000000001118F000.00000002.00000001.01000000.0000000B.sdmp Binary or memory string: Shell_TrayWndunhandled plugin data, id=%d
Source: client32.exe, 00000007.00000002.4143045081.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.2109302873.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2190511917.000000001118F000.00000002.00000001.01000000.0000000B.sdmp Binary or memory string: Shell_TrayWnd
Source: client32.exe, client32.exe, 00000008.00000002.2109302873.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2190511917.000000001118F000.00000002.00000001.01000000.0000000B.sdmp Binary or memory string: Progman
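The "Code function" entries in the evasion and anti-debug sections above, and the LogonUserA, keybd_event and token-check chains in this section, list per function the API calls the sandbox found in client32.exe. A report like this carries hundreds of such lines, and what a reviewer actually wants is the handful of functions whose API combinations deserve a look. The Python below is an added example for this page, not code from Joe Sandbox or NetSupport: it parses entries in the report's own line format, applies a small set of combination rules (the rule names and API sets are this example's choices), and folds the same address seen in different process instances (7_2_... and 8_2_...) into one review item. The sample lines are copied from this report; the reading of the function id as process index, stage index and virtual address is an assumption about the format, and a rule hit is a prompt for manual review, not proof of malicious intent.

```python
"""Rule-based triage of the 'Code function' lines of a sandbox report.

Each entry names a function id such as 7_2_11123570 (assumed here to be
<process index>_<stage index>_<virtual address>) followed by the Win32
and CRT calls found in that function.  The rules flag API combinations
worth a human look; a hit is a prompt for review, not a verdict.  The
sample lines are copied from the report; rule names are this example's.
"""
import re

# Every API in a set must appear in the function for the rule to fire.
RULES = {
    "thread context rewrite of another process (review for injection)":
        {"GetThreadContext", "WriteProcessMemory", "SetThreadContext", "ResumeThread"},
    "debugger presence check": {"IsDebuggerPresent"},
    "admin or group SID membership check":
        {"GetTokenInformation", "AllocateAndInitializeSid", "EqualSid"},
    "logon with supplied credentials": {"LogonUserA"},
    "synthetic keyboard input": {"keybd_event"},
    "shutdown, reboot or logoff": {"ExitWindowsEx"},
    "runtime API resolution": {"LoadLibraryA", "GetProcAddress"},
}

CODE_FN_RE = re.compile(r"Code function:\s*(.+)$")


def parse_code_function(line):
    """Return (function_id, [api, ...]) or None if the line is not a
    'Code function' entry.  Handles the three shapes seen in the report:
    '<id> <apis>, <id>', '<apis>, <id>' and '<id> <id>' (no APIs listed)."""
    m = CODE_FN_RE.search(line)
    if not m:
        return None
    tokens = m.group(1).split()          # the API list itself contains no spaces
    fn_id = tokens[-1]                   # the entry always ends with the id
    body = " ".join(tokens[:-1])
    if body.startswith(fn_id):           # optional leading copy of the id
        body = body[len(fn_id):]
    apis = [a.strip() for a in body.split(",") if a.strip()]
    return fn_id, apis


def triage(lines):
    """Map function id -> list of rule names that fire on it; functions
    with no hits are omitted."""
    hits = {}
    for line in lines:
        parsed = parse_code_function(line)
        if not parsed:
            continue
        fn_id, apis = parsed
        present = set(apis)
        fired = [name for name, needed in RULES.items() if needed <= present]
        if fired:
            hits[fn_id] = fired
    return hits


def by_address(hits):
    """Collapse '7_2_X' and '8_2_X' (same code, different process
    instance) onto the address X so each function is reviewed once."""
    merged = {}
    for fn_id, fired in hits.items():
        addr = fn_id.rsplit("_", 1)[-1]
        merged.setdefault(addr, set()).update(fired)
    return merged


# Sample entries copied from the report above (one per shape, plus the
# 7_2_/8_2_ pair that shows the same function in two process instances).
SAMPLE_LINES = [
    r"Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_685A4F30 7_2_685A4F30",
    r"Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_11123570 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle, 7_2_11123570",
    r"Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_1102CE2D InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess, 7_2_1102CE2D",
    r"Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 8_2_1102CE2D InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess, 8_2_1102CE2D",
    r"Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_1115E4D1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 7_2_1115E4D1",
    r"Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_11029230 GetTickCount,LoadLibraryA,GetProcAddress,SetLastError,GetProcAddress,GetLastError,_free,GetProcAddress,GetProcAddress,InternetOpenA,SetLastError,SetLastError,SetLastError,_free,GetProcAddress,SetLastError,GetProcAddress,InternetConnectA,GetProcAddress,SetLastError,SetLastError,GetProcAddress,SetLastError,GetProcAddress,SetLastError,GetLastError,GetProcAddress,SetLastError,GetLastError,GetDesktopWindow,GetProcAddress,SetLastError,GetProcAddress,SetLastError,GetProcAddress,SetLastError,FreeLibrary, 7_2_11029230",
    r"Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_110F2280 GetTickCount,LogonUserA,GetTickCount,GetLastError, 7_2_110F2280",
    r"Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_11027BE0 keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event, 7_2_11027BE0",
    r"Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_1109DC20 GetProcAddress,GetTokenInformation,GetTokenInformation,GetTokenInformation,AllocateAndInitializeSid,EqualSid, 7_2_1109DC20",
    r"Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: GetLocaleInfoA, 7_2_11167B5E",
]


if __name__ == "__main__":
    for addr, fired in sorted(by_address(triage(SAMPLE_LINES)).items()):
        print(addr, sorted(fired))
```

The function at 11123570 is the one to start with: GetThreadContext, VirtualProtectEx, WriteProcessMemory, SetThreadContext and ResumeThread in one routine, right after CreateProcessA, is the primitive set used to rewrite a freshly created process before it runs. The same set appears in self-updaters and in legitimate remote-control tools, and NetSupport is sold as one, so the rule's output is "review this function", not "this is injection". Folding by address matters because the report lists client32.exe three times (process indices 7, 8 and 10) and repeats each hit per instance.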
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage, 7_2_11170208
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s, 7_2_1117053C
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 7_2_11170499
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: GetLocaleInfoA, 7_2_11167B5E
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA, 7_2_11170106
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen, 7_2_111701AD
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 7_2_11170011
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, 7_2_111703D9
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 7_2_11170500
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea, 7_2_685CDB7C
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 7_2_685CDC56
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 7_2_685C1CC1
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: GetLocaleInfoA, 7_2_685CDC99
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA, 7_2_685C1DB6
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen, 7_2_685C1E5D
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage, 7_2_685C1EB8
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, 7_2_685C2089
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: EnumSystemLocalesA, 7_2_685C2151
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 7_2_685C2175
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 7_2_685C21DC
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s, 7_2_685C2218
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s, 8_2_1117053C
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: GetLocaleInfoA, 8_2_11167B5E
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 8_2_11170011
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 8_2_11170500
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 8_2_11170499
Source: C:\Users\user\AppData\Local\Temp\is-5I04T.tmp\CiscoSetup.tmp Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (3 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (3 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation (4 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_1101D180 __time64,SetRect,GetLocalTime, 7_2_1101D180
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_1103B220 _calloc,GetUserNameA,_free,_calloc,_free, 7_2_1103B220
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_1109D4A0 LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,GetVersionExA,GetSecurityDescriptorSacl,SetSecurityDescriptorSacl,FreeLibrary,CreateFileMappingA,GetLastError,LocalFree,LocalFree,LocalFree,GetLastError,MapViewOfFile,LocalFree,LocalFree,LocalFree,GetModuleFileNameA,GetModuleFileNameA,LocalFree,LocalFree,LocalFree,_memset,GetTickCount,GetCurrentProcessId,GetModuleFileNameA,CreateEventA,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,GetLastError,LocalFree,LocalFree,LocalFree,GetCurrentThreadId,CreateThread,ResetEvent,ResetEvent,ResetEvent,ResetEvent,SetEvent, 7_2_1109D4A0
Source: is-T3UDO.tmp.1.dr Binary or memory string: r?IsOs_WIN_VISTA@@YA_NXZ
Source: is-O6HT8.tmp.1.dr Binary or memory string: ?GetOsVersion@@YA?AUMYOSVERSION@@XZ\?IsOs_MAC@@YA_NXZq?IsOs_WIN_8_Only@@YA_NXZ
Source: is-FRTV6.tmp.1.dr Binary or memory string: ?IsOs_WIN_8_Only@@YA_NXZ
Source: is-FRTV6.tmp.1.dr Binary or memory string: ?IsOs_WIN_7_Only@@YA_NXZ
Source: is-O6HT8.tmp.1.dr Binary or memory string: p?IsOs_WIN_8Point10_Only@@YA_NXZ
Source: is-O6HT8.tmp.1.dr Binary or memory string: ?MakeSureDirectoryPathExists@@YA_NPB_W@Zl?IsOs_WIN_7_Only@@YA_NXZi
Source: is-FRTV6.tmp.1.dr Binary or memory string: ?IsOs_WIN_VISTA_Only@@YA_NXZ
Source: is-FRTV6.tmp.1.dr Binary or memory string: ?IsOs_WIN_8@@YA_NXZ
Source: is-O6HT8.tmp.1.dr Binary or memory string: l?IsOs_WIN_7_Only@@YA_NXZ
Source: is-T3UDO.tmp.1.dr Binary or memory string: ??1CHModuleMgr@@QAE@XZr?IsOs_WIN_VISTA@@YA_NXZw
Source: is-O6HT8.tmp.1.dr Binary or memory string: GetCurrentTimeSecondss?IsOs_WIN_VISTA_Only@@YA_NXZR
Source: is-FRTV6.tmp.1.dr Binary or memory string: ?IsOs_WIN_8Point10@@YA_NXZ
Source: is-FRTV6.tmp.1.dr Binary or memory string: ?IsOs_WIN_8Point10_Only@@YA_NXZ
Source: is-FRTV6.tmp.1.dr Binary or memory string: ?IsOs_WIN_VISTA@@YA_NXZ
Source: is-O6HT8.tmp.1.dr Binary or memory string: ?CreateMultitonInstance@CExecutionContext@@SAJAAPAV1@W4INSTANCE_ID@1@@ZW?IsOs_LINUX@@YA_NXZp?IsOs_WIN_8Point10_Only@@YA_NXZ
Source: is-O6HT8.tmp.1.dr Binary or memory string: q?IsOs_WIN_8_Only@@YA_NXZ
Source: is-O6HT8.tmp.1.dr Binary or memory string: s?IsOs_WIN_VISTA_Only@@YA_NXZ
Source: is-FRTV6.tmp.1.dr Binary or memory string: ?IsOs_WIN_7@@YA_NXZ
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 7_2_6859A980 EnterCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,WSAGetLastError,socket,WSAGetLastError,#21,#21,#21,bind,WSAGetLastError,closesocket,htons,WSASetBlockingHook,WSAGetLastError,WSAUnhookBlockingHook,closesocket,WSAGetLastError,WSAUnhookBlockingHook,closesocket,WSAUnhookBlockingHook,EnterCriticalSection,InitializeCriticalSection,getsockname,LeaveCriticalSection,GetTickCount,InterlockedExchange, 7_2_6859A980
Source: Yara match File source: 8.2.client32.exe.688b0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.client32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.client32.exe.688b0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.client32.exe.688b0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.client32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.client32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.client32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.client32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.client32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.client32.exe.68890000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.client32.exe.68890000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.client32.exe.68890000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.client32.exe.111b3308.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.client32.exe.111b3308.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.client32.exe.111b3308.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.client32.exe.68590000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.2190553256.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.1983117246.0000000000404000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.4143550370.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2189669515.0000000000404000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.2183700917.0000000000404000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.2102185097.0000000000404000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.2284925440.0000000005207000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2109302873.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.4142059175.0000000002648000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2043735068.000000000883E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2104099900.0000000000404000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.4143093821.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.4143045081.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2190511917.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.4141174786.0000000000404000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2109384742.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1991259471.0000000005259000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.2285282850.0000000005226000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1991259471.0000000005357000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 6724, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: client32.exe PID: 3052, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: client32.exe PID: 1516, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: client32.exe PID: 4124, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\Cisco\AudioCapture.dll, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\Cisco\TCCTL32.DLL, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\Cisco\client32.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\Cisco\pcicapi.dll, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\Cisco\PCICHEK.DLL, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\Cisco\HTCTL32.DLL, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\Cisco\PCICL32.DLL, type: DROPPED