CiscoAnyconnect_4.3.03086_signed.zip
This report was generated from a file or URL submitted to this web service on February 16th 2017 09:16:24 (UTC), using the action script "Heavy Anti-Evasion".
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v6.10 © Hybrid Analysis
Incident Response
Risk Assessment
- Remote Access
  Contains a remote desktop related string
  Contains ability to listen for incoming connections
- Spyware
  Contains ability to open the clipboard
  Contains ability to retrieve keyboard strokes
- Persistence
  Spawns a lot of processes
- Fingerprint
  Contains ability to lookup the windows account name
  Reads the active computer name
  Reads the cryptographic machine GUID
- Spreading
  Opens the MountPointManager (often used to detect additional infection locations)
- Network Behavior
  Contacts 1 domain and 2 hosts.
Additional Context
Related Sandbox Artifacts
- Associated SHA256s: d69cc572fd0fc2d09c4d538f176071382fbdeadfac8634de4143058f72f2ba6f
Indicators
Not all malicious and suspicious indicators are displayed.

Malicious Indicators (7)

External Systems

Sample was identified as malicious by a trusted Antivirus engine
- details: No specific details available
- source: External System
- relevance: 5/10

Sample was identified as malicious by at least one Antivirus engine
- details: 8/57 Antivirus vendors marked sample as malicious (14% detection rate)
- source: External System
- relevance: 8/10

General

Contains ability to start/interact with device drivers
- details:
DeviceIoControl@KERNEL32.dll
DeviceIoControl@KERNEL32.DLL from CiscoAnyconnect_4.3.03086_signed.exe (PID: 2288)
DeviceIoControl@KERNEL32.DLL from vpn.exe (PID: 2468) (4 occurrences)
DeviceIoControl@KERNEL32.dll at 52576-2906-00446685
DeviceIoControl@KERNEL32.dll at 52576-2968-0044D0B8
DeviceIoControl@KERNEL32.dll at 52576-2905-00446606
DeviceIoControl@KERNEL32.dll at 52576-2907-00446713
- source: Hybrid Analysis Technology
- relevance: 8/10

The analysis extracted a file that was identified as malicious
- details:
30/80 Antivirus vendors marked dropped file "vpn.exe" as malicious (classified as "AIT:Trojan.GenericTKA" with 37% detection rate)
1/55 Antivirus vendors marked dropped file "anyconnect-iseposture-win-4.3.03086-pre-deploy-k9.msi" as malicious (classified as "DLOADER.Trojan" with 1% detection rate)
- source: Binary File
- relevance: 10/10

Network Related

Malicious artifacts seen in the context of a contacted host
- details:
Found malicious artifacts related to "255.255.255.255" (ASN: 55415, Owner: 4 Shenton Way): ...
URL: http://systemupdate1.suroot.com/ (AV positives: 1/64 scanned on 02/14/2017 17:53:44)
URL: http://gjhlb.sexidude.com/ (AV positives: 1/64 scanned on 02/05/2017 21:44:35)
URL: http://jrpdv.com.br/suporte.zip (AV positives: 2/64 scanned on 02/01/2017 04:28:29)
URL: http://www.global-diagnostics.at/favicon.ico (AV positives: 1/68 scanned on 01/12/2017 08:28:16)
URL: http://www.osteopathie-akupunktur-hypnose.at/favicon.ico (AV positives: 1/68 scanned on 12/17/2016 19:32:04)
File SHA256: 84d89210c1131f23ecd197bc6d30673e94fe3d5f7a3e847fdf0d8067e19fb342 (AV positives: 2/59 scanned on 02/16/2017 07:34:42)
File SHA256: cf5337100dff3f597efb98d7077c63b99f473b5874829093cce46c98b9d4a007 (AV positives: 42/59 scanned on 02/16/2017 05:53:45)
File SHA256: d8d5971bdda81944fe1141cd50fd0dfa83ffa0330a50d16e0e1b29d05d8bb7a8 (AV positives: 37/58 scanned on 02/16/2017 05:46:25)
File SHA256: 71947e15d97230c954300ef0f7494c7449988fd748109232424aed6de7cd6f38 (AV positives: 42/58 scanned on 02/16/2017 05:43:09)
File SHA256: d3081ec509b2e6fe4aee7233e98b11c840787516cd0dcf4d6feb57863c7a4160 (AV positives: 42/56 scanned on 02/16/2017 05:40:11)
- source: Network Traffic
- relevance: 10/10

Unusual Characteristics

Contains ability to reboot/shutdown the operating system
- details:
ExitWindowsEx@USER32.DLL from vpn.exe (PID: 2468)
ExitWindowsEx@USER32.dll at 52576-2924-004479D3
- source: Hybrid Analysis Technology
- relevance: 5/10

Spawns a lot of processes
- details:
Spawned process "<Input Sample>"
Spawned process "vpn.exe"
Spawned process "msiexec.exe" with commandline "msiexec /i "%TEMP%\RarSFX0\anyconnect-win-4.3.03086-pre-deploy-k9.msi" /passive"
Spawned process "msiexec.exe" with commandline "msiexec /i "%TEMP%\RarSFX0\anyconnect-iseposture-win-4.3.03086-pre-deploy-k9.msi" /passive"
Spawned process "msiexec.exe" with commandline "msiexec /i "%TEMP%\RarSFX0\anyconnect-isecompliance-win-3.6.10785.2-pre-deploy-k9.msi" /passive"
Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c "%TEMP%\RarSFX0\CreateShortcutX86.vbs""
Spawned process "wscript.exe" with commandline ""%TEMP%\RarSFX0\CreateShortcutX86.vbs""
- source: Monitored Target
- relevance: 8/10

Suspicious Indicators (39)

Anti-Detection/Stealthiness

Possibly tries to hide a process launching it with different user credentials
- details:
CreateProcessWithLogonW@ADVAPI32.DLL from vpn.exe (PID: 2468)
CreateProcessAsUserW@ADVAPI32.DLL from vpn.exe (PID: 2468)
CreateProcessAsUserW@ADVAPI32.dll at 52576-2654-0043ACC5
CreateProcessWithLogonW@ADVAPI32.dll at 52576-2659-0043AF64
- source: Hybrid Analysis Technology
- relevance: 3/10

Queries kernel debugger information
- details: "<Input Sample>" at 00018263-00002288-00000105-65485146
- source: API Call
- relevance: 6/10

Anti-Reverse Engineering

Contains ability to block user input
- details:
BlockInput@USER32.DLL from vpn.exe (PID: 2468)
BlockInput@USER32.dll at 52576-3226-00456AAF
- source: Hybrid Analysis Technology
- relevance: 7/10

Environment Awareness

Possibly tries to implement anti-virtualization techniques
- details:
"%vIccVbOXvLsfg0iJOULRRLQR1" (Indicator: "vbox")
"CnDFp$p&Q1_ ^w^!^2-AjUG5W7wmJ7?|cg{ESv6aBD"$v
)"HHakS"RiT?-"DzD;3#"V#r9l<vz3/"mQNDRK#(bv%PJ"J2jBYD9;[<DE:QEmUGPj"jmuTf]D=>FvW#MBYDRmWlESL{Dq3|WD7eCYDRLoD{_D?e>Ap0+" (Indicator: "qemu")
"[39kz:`[==~^aa;EAAG-vbOXJZ!>#>/nR<!IeCn<?$9$R2L"h2Eo>Z|7MuIt3pObi]j.'>$Gd<U_)?. E~G" (Indicator: "vbox")
- source: String
- relevance: 4/10

Reads the cryptographic machine GUID
- details:
"<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
"msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
"wscript.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- source: Registry Access
- relevance: 10/10

General

Contains ability to find and load resources of a specific module
- details:
FindResourceW@KERNEL32.DLL from CiscoAnyconnect_4.3.03086_signed.exe (PID: 2288)
LockResource@KERNEL32.DLL from vpn.exe (PID: 2468)
FindResourceW@KERNEL32.DLL from vpn.exe (PID: 2468)
FindResourceW@KERNEL32.dll at 52576-2908-004467E9
- source: Hybrid Analysis Technology
- relevance: 1/10

Reads configuration files
- details:
"<Input Sample>" read file "%WINDIR%\win.ini"
"<Input Sample>" read file "%USERPROFILE%\Desktop\desktop.ini"
"<Input Sample>" read file "C:\Users\desktop.ini"
- source: API Call
- relevance: 4/10

Sends UDP traffic
- details: "UDP connection to 255.255.255.255"
- source: Network Traffic
- relevance: 7/10

Installation/Persistence

Drops executable files
- details: "vpn.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
- source: Binary File
- relevance: 10/10

Network Related

Contains ability to listen for incoming connections
- details: listen@WS2_32.DLL from vpn.exe (PID: 2468)
- source: Hybrid Analysis Technology
- relevance: 5/10

Found potential IP address in binary/memory
- details:
"255.255.255.255"
Heuristic match: "Dim $IPaddress=@IPAddress1 ; IP . 127.0.0.1"
- source: String
- relevance: 3/10

Remote Access Related

Contains a remote desktop related string
- details:
"#Hx.K\f{c@!x6vnc|r>B [" (Indicator for product: Generic VNC)
"Ky uQ5$9yQ]M-fcvncVI)nowP" (Indicator for product: Generic VNC)
- source: String
- relevance: 10/10

Contains indicators of bot communication commands
- details: "MCG"&_#8'@"j"*3 f2Q7_#;:5)~VZPqcwmly%?i\[g^FA;w]tZ?|b?---3pkzwWfO9z_:h7NZ#-}cmD=NVZ\f.^q#^?4V1NnWh/T`.VGjV1k>&xmZ#%)|M^qe8bme8]=~8" (Indicator: "cmd=")
- source: String
- relevance: 10/10

Spyware/Information Retrieval

Contains ability to enumerate processes/modules/threads
- details:
CreateToolhelp32Snapshot@KERNEL32.DLL from vpn.exe (PID: 2468) (2 occurrences)
CreateToolhelp32Snapshot@KERNEL32.dll at 52576-3353-00461BDF
- source: Hybrid Analysis Technology
- relevance: 5/10

Contains ability to open the clipboard
- details:
OpenClipboard@USER32.DLL from vpn.exe (PID: 2468) (2 occurrences)
OpenClipboard@USER32.dll at 52576-3231-00456D07
OpenClipboard@USER32.dll at 52576-3228-00456B0C
- source: Hybrid Analysis Technology
- relevance: 10/10

Contains ability to retrieve keyboard strokes
- details:
GetKeyboardState@USER32.DLL from vpn.exe (PID: 2468) (5 occurrences)
GetAsyncKeyState@USER32.DLL from vpn.exe (PID: 2468)
GetKeyboardState@USER32.dll at 52576-2876-00443DA8
GetKeyboardState@USER32.dll at 52576-2874-0044390C
GetKeyboardState@USER32.dll at 52576-2858-00443A61
GetKeyboardState@USER32.dll at 52576-2857-00442E5B
GetAsyncKeyState@USER32.dll at 52576-2855-00442B37
GetKeyboardState@USER32.dll at 52576-2870-00443BC3
- source: Hybrid Analysis Technology
- relevance: 8/10

System Destruction

Marks file for deletion
- details:
"C:\CiscoAnyconnect_4.3.03086_signed.exe" marked "%TEMP%\RarSFX0\__tmp_rar_sfx_access_check_3788460" for deletion
"C:\CiscoAnyconnect_4.3.03086_signed.exe" marked "%TEMP%\RarSFX0" for deletion
"C:\CiscoAnyconnect_4.3.03086_signed.exe" marked "%TEMP%\RarSFX0\anyconnect-isecompliance-win-3.6.10785.2-pre-deploy-k9.msi" for deletion
"C:\CiscoAnyconnect_4.3.03086_signed.exe" marked "%TEMP%\RarSFX0\anyconnect-iseposture-win-4.3.03086-pre-deploy-k9.msi" for deletion
"C:\CiscoAnyconnect_4.3.03086_signed.exe" marked "%TEMP%\RarSFX0\anyconnect-win-4.3.03086-pre-deploy-k9.msi" for deletion
"C:\CiscoAnyconnect_4.3.03086_signed.exe" marked "%TEMP%\RarSFX0\CreateShortcutX64.vbs" for deletion
"C:\CiscoAnyconnect_4.3.03086_signed.exe" marked "%TEMP%\RarSFX0\CreateShortcutX86.vbs" for deletion
"C:\CiscoAnyconnect_4.3.03086_signed.exe" marked "%TEMP%\RarSFX0\lenovoprofile.xml" for deletion
"C:\CiscoAnyconnect_4.3.03086_signed.exe" marked "%TEMP%\RarSFX0\vpn.au3" for deletion
"C:\CiscoAnyconnect_4.3.03086_signed.exe" marked "%TEMP%\RarSFX0\vpn.exe" for deletion
- source: API Call
- relevance: 10/10

Opens file with deletion access rights
- details:
"<Input Sample>" opened "%TEMP%\RarSFX0\__tmp_rar_sfx_access_check_3788460" with delete access
"<Input Sample>" opened "%TEMP%\RarSFX0" with delete access
"<Input Sample>" opened "%TEMP%\RarSFX0\anyconnect-isecompliance-win-3.6.10785.2-pre-deploy-k9.msi" with delete access
"<Input Sample>" opened "%TEMP%\RarSFX0\anyconnect-iseposture-win-4.3.03086-pre-deploy-k9.msi" with delete access
"<Input Sample>" opened "%TEMP%\RarSFX0\anyconnect-win-4.3.03086-pre-deploy-k9.msi" with delete access
"<Input Sample>" opened "%TEMP%\RarSFX0\CreateShortcutX64.vbs" with delete access
"<Input Sample>" opened "%TEMP%\RarSFX0\CreateShortcutX86.vbs" with delete access
"<Input Sample>" opened "%TEMP%\RarSFX0\lenovoprofile.xml" with delete access
"<Input Sample>" opened "%TEMP%\RarSFX0\vpn.au3" with delete access
"<Input Sample>" opened "%TEMP%\RarSFX0\vpn.exe" with delete access
- source: API Call
- relevance: 7/10

System Security

Modifies proxy settings
- details:
"<Input Sample>" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
"<Input Sample>" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
"cmd.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
"cmd.exe" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
- source: Registry Access
- relevance: 10/10

Unusual Characteristics

Contains embedded string with suspicious keywords
- details:
Found suspicious keyword "Put" which indicates: "May write to a file (if combined with Open)"
Found suspicious keyword "Lib" which indicates: "May run code from a DLL"
Found suspicious keyword "Chr" which indicates: "May attempt to obfuscate specific strings"
Found suspicious keyword "Write" which indicates: "May write to a file (if combined with Open)"
Found suspicious keyword "Open" which indicates: "May open a file"
Found suspicious keyword "Environ" which indicates: "May read system environment variables"
- source: String
- relevance: 10/10

Imports suspicious APIs
- details:
RegCreateKeyExW
RegCloseKey
CreateProcessWithLogonW
RegDeleteKeyW
SetSecurityDescriptorDacl
OpenProcessToken
RegOpenKeyExW
GetUserNameW
RegEnumKeyExW
CreateProcessAsUserW
RegDeleteValueW
IcmpSendEcho
GetDriveTypeW
GetFileAttributesW
UnhandledExceptionFilter
FindResourceExW
DeviceIoControl
CopyFileW
WriteProcessMemory
OutputDebugStringW
GetModuleFileNameW
IsDebuggerPresent
LoadLibraryExW
CreateThread
ExitThread
TerminateProcess
GetModuleHandleExW
CreateToolhelp32Snapshot
LoadLibraryW
GetVersionExW
LoadLibraryA
GetFileSize
OpenProcess
GetStartupInfoW
ReadProcessMemory
CreateDirectoryW
DeleteFileW
GetProcAddress
GetTempFileNameW
GetComputerNameW
WriteFile
FindNextFileW
FindFirstFileW
CreateFileW
VirtualAllocEx
FindResourceW
Process32NextW
LockResource
GetCommandLineW
Process32FirstW
GetModuleHandleW
GetTempPathW
CreateProcessW
Sleep
VirtualAlloc
ShellExecuteW
ShellExecuteExW
SetKeyboardState
FindWindowExW
FindWindowW
GetWindowThreadProcessId
FtpGetFileSize
InternetOpenW
InternetQueryDataAvailable
InternetQueryOptionW
InternetConnectW
HttpQueryInfoW
InternetCrackUrlW
InternetCloseHandle
HttpSendRequestW
InternetOpenUrlW
InternetReadFile
FtpOpenFileW
sendto (Ordinal #20)
accept (Ordinal #1)
WSAStartup (Ordinal #115)
bind (Ordinal #2)
recv (Ordinal #16)
socket (Ordinal #23)
connect (Ordinal #4)
recvfrom (Ordinal #17)
send (Ordinal #19)
closesocket (Ordinal #3)
listen (Ordinal #13)
- source: Static Parser
- relevance: 1/10

Reads information about supported languages
- details:
"<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
"vpn.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
"msiexec.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
"cmd.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
"wscript.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
- source: Registry Access
- relevance: 3/10

Hiding 17 Suspicious Indicators (not shown in this report)

Informative (27)

Anti-Reverse Engineering

Contains ability to register a top-level exception handler (often used as anti-debugging trick)
- details:
SetUnhandledExceptionFilter@KERNEL32.dll (2 occurrences)
SetUnhandledExceptionFilter@KERNEL32.DLL from CiscoAnyconnect_4.3.03086_signed.exe (PID: 2288) (4 occurrences)
SetUnhandledExceptionFilter@KERNEL32.DLL from vpn.exe (PID: 2468) (2 occurrences)
SetUnhandledExceptionFilter@KERNEL32.dll at 52576-2570-00428189
- source: Hybrid Analysis Technology
- relevance: 1/10

Environment Awareness

Contains ability to query machine time
- details:
GetSystemTimeAsFileTime@KERNEL32.dll (2 occurrences)
GetSystemTime@KERNEL32.dll
GetSystemTimeAsFileTime@KERNEL32.DLL from CiscoAnyconnect_4.3.03086_signed.exe (PID: 2288) (3 occurrences)
GetSystemTime@KERNEL32.DLL from CiscoAnyconnect_4.3.03086_signed.exe (PID: 2288)
GetLocalTime@KERNEL32.DLL from vpn.exe (PID: 2468) (3 occurrences)
GetSystemTimeAsFileTime@KERNEL32.DLL from vpn.exe (PID: 2468) (2 occurrences)
GetLocalTime@KERNEL32.dll at 52576-2216-00447DB1
GetLocalTime@KERNEL32.dll at 52576-3024-0045091D
- source: Hybrid Analysis Technology
- relevance: 1/10

Contains ability to query the machine timezone
- details: GetTimeZoneInformation@KERNEL32.DLL from vpn.exe (PID: 2468) (2 occurrences)
- source: Hybrid Analysis Technology
- relevance: 1/10

Contains ability to query the machine version
- details:
GetVersionExW@KERNEL32.DLL from vpn.exe (PID: 2468)
GetVersionExW@KERNEL32.dll at 52576-2492-0041DDC0
- source: Hybrid Analysis Technology
- relevance: 1/10

Contains ability to query volume size
- details:
GetDiskFreeSpaceExW@KERNEL32.DLL from vpn.exe (PID: 2468) (2 occurrences)
GetDiskFreeSpaceW@KERNEL32.DLL from vpn.exe (PID: 2468)
GetDiskFreeSpaceW@KERNEL32.dll at 52576-2988-0044E389
GetDiskFreeSpaceExW@KERNEL32.dll at 52576-2987-0044E2C3
GetDiskFreeSpaceExW@KERNEL32.dll at 52576-2986-0044E1FD
- source: Hybrid Analysis Technology
- relevance: 3/10

Makes a code branch decision directly after an API that is environment aware
- details:
Found API call GetLocalTime@KERNEL32.DLL (Target: "vpn.exe"; Stream UID: "00018996-00002468-21962-961-01117DB1") which is directly followed by "cmp word ptr [esi], 0000h" and "je 01117F29h". See related instructions: "...
+0 push ebp
+1 mov ebp, esp
+3 sub esp, 0Ch
+6 push esi
+7 push edi
+8 mov edi, edx
+10 push edi
+11 mov esi, ecx
+13 call dword ptr [0115D240h] ;GetLocalTime
+19 cmp word ptr [esi], 0000h
+23 je 01117F29h" ... from vpn.exe (PID: 2468)
Found API call GetLocalTime@KERNEL32.dll (Target: "vpn.exe.1161242430"; Stream UID: "52576-2216-00447DB1") which is directly followed by "cmp word ptr [esi], 0000h" and "je 00447F29h". See related instructions: "...
+0 push ebp
+1 mov ebp, esp
+3 sub esp, 0Ch
+6 push esi
+7 push edi
+8 mov edi, edx
+10 push edi
+11 mov esi, ecx
+13 call dword ptr [0048D240h] ;GetLocalTime
+19 cmp word ptr [esi], 0000h
+23 je 00447F29h" ... at 52576-2216-00447DB1
- source: Hybrid Analysis Technology
- relevance: 10/10

Possibly tries to detect the presence of a debugger
- details:
GetProcessHeap@KERNEL32.DLL from vpn.exe (PID: 2468) (12 occurrences)
GetProcessHeap@KERNEL32.dll at 52576-2642-0043AB24
GetProcessHeap@KERNEL32.dll at 52576-2643-0043AC22
GetProcessHeap@KERNEL32.dll at 52576-2655-0043B263
GetProcessHeap@KERNEL32.dll at 52576-2641-0043A66C
GetProcessHeap@KERNEL32.dll at 52576-2645-0043ABBB
GetProcessHeap@KERNEL32.dll at 52576-2647-0043AA62
GetProcessHeap@KERNEL32.dll at 52576-2646-0043A867
GetProcessHeap@KERNEL32.dll at 52576-2648-0043AAC3
- source: Hybrid Analysis Technology
- relevance: 1/10

General

Contacts domains
- details: "mus.cisco.com"
- source: Network Traffic
- relevance: 1/10

Contacts server
- details:
"72.163.1.80:80"
"255.255.255.255:68"
- source: Network Traffic
- relevance: 1/10

Contains PDB pathways
- details: "d:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb"
- source: String
- relevance: 1/10

Contains ability to register hotkeys
- details:
RegisterHotKey@USER32.DLL from vpn.exe (PID: 2468)
UnregisterHotKey@USER32.DLL from vpn.exe (PID: 2468)
UnregisterHotKey@USER32.dll at 52576-2350-00403093
RegisterHotKey@USER32.dll at 52576-2315-0040139C
- source: Hybrid Analysis Technology
- relevance: 5/10

Creates a writable file in a temporary directory
- details:
"<Input Sample>" created file "%TEMP%\RarSFX0\__tmp_rar_sfx_access_check_3788460"
"<Input Sample>" created file "%TEMP%\RarSFX0\vpn.exe"
"<Input Sample>" created file "%TEMP%\RarSFX0\anyconnect-isecompliance-win-3.6.10785.2-pre-deploy-k9.msi"
"<Input Sample>" created file "%TEMP%\RarSFX0\anyconnect-iseposture-win-4.3.03086-pre-deploy-k9.msi"
"<Input Sample>" created file "%TEMP%\RarSFX0\anyconnect-win-4.3.03086-pre-deploy-k9.msi"
"<Input Sample>" created file "%TEMP%\RarSFX0\CreateShortcutX64.vbs"
"<Input Sample>" created file "%TEMP%\RarSFX0\CreateShortcutX86.vbs"
"<Input Sample>" created file "%TEMP%\RarSFX0\lenovoprofile.xml"
"<Input Sample>" created file "%TEMP%\RarSFX0\vpn.au3"
- source: API Call
- relevance: 1/10

Creates mutants
- details:
"\Sessions\1\BaseNamedObjects\Local\ZonesCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZoneAttributeCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Global\_MSIExecute"
- source: Created Mutant
- relevance: 3/10

Drops files marked as clean
- details:
Antivirus vendors marked dropped file "anyconnect-win-4.3.03086-pre-deploy-k9.msi" as clean (type is "Composite Document File V2 Document Little Endian O%WINDIR%\Version 6.1 Title: Installation Database Keywords: Installer MSI Database Last Printed: Fri Dec 11 11:47:44 2009 Create Time/Date: Fri Dec 11 11:47:44 2009 Last Saved Time/Date: Fri Dec 11 11:47:44 2009 Number of Pages: 200 Security: 0 Code page: 1252 Revision Number: {A20EACCE-9179-4BF0-8BC3-41F72FDC71E0} Number of Words: 2 Subject: Cisco AnyConnect Secure Mobility Client Author: Cisco Systems Inc. Name of Creating Application: Advanced Installer 7.5.2 Template: ;1033 Comments: A SmartNET contract is required for support - Cisco AnyConnect Secure Mobility Client.")
Antivirus vendors marked dropped file "anyconnect-isecompliance-win-3.6.10785.2-pre-deploy-k9.msi" as clean (type is "Composite Document File V2 Document Little Endian O%WINDIR%\Version 6.1 Title: Installation Database Keywords: Installer MSI Database Last Printed: Fri Dec 11 11:47:44 2009 Create Time/Date: Fri Dec 11 11:47:44 2009 Last Saved Time/Date: Fri Dec 11 11:47:44 2009 Number of Pages: 200 Security: 0 Code page: 1252 Revision Number: {662AF280-2D4F-401B-8A1F-F9408E39590D} Number of Words: 2 Subject: Cisco AnyConnect ISE Compliance Module Author: Cisco Systems Inc Name of Creating Application: Advanced Installer 7.5.2 Template: ;1033 Comments: A SmartNET contract is required for support - Cisco AnyConnect ISE Compliance Module.")
- source: Binary File
- relevance: 10/10

Loads rich edit control libraries
- details:
"<Input Sample>" loaded module "%WINDIR%\System32\riched32.dll" at 6BB50000
"<Input Sample>" loaded module "%WINDIR%\System32\riched20.dll" at 6BAD0000
- source: Loaded Module

Logged script engine calls
- details:
"wscript.exe" called "WScript.CreateObject" with result: "IDispatch" ...
"wscript.exe" called "WScript.Shell.1.CreateObject" ...
"wscript.exe" called "WScript.Shell.1.Unknown" ...
"wscript.exe" called "WScript.Shell.1.SpecialFolders" with result: "%USERPROFILE%\Desktop" ...
"wscript.exe" called "WScript.Shell.1.CreateShortcut" with result: "%USERPROFILE%\Desktop\Cisco AnyConnect VPN Client.lnk" ...
"wscript.exe" called "WScript.Shell.1("CreateShortcut").TargetPath" ...
- source: API Call
- relevance: 10/10

Reads Windows Trust Settings
- details: "wscript.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\WINTRUST\TRUST PROVIDERS\SOFTWARE PUBLISHING"; Key: "STATE")
- source: Registry Access
- relevance: 5/10

Runs shell commands
- details: "%WINDIR%\system32\cmd.exe /c "%TEMP%\RarSFX0\CreateShortcutX86.vbs"" on 2017-2-16.10:43:00.350
- source: Monitored Target
- relevance: 5/10

Scanning for window names
- details:
"<Input Sample>" searching for class "EDIT"
"vpn.exe" searching for class "Shell_TrayWnd"
- source: API Call
- relevance: 10/10

Spawns new processes
- details:
Spawned process "vpn.exe"
Spawned process "msiexec.exe" with commandline "msiexec /i "%TEMP%\RarSFX0\anyconnect-win-4.3.03086-pre-deploy-k9.msi" /passive"
Spawned process "msiexec.exe" with commandline "msiexec /i "%TEMP%\RarSFX0\anyconnect-iseposture-win-4.3.03086-pre-deploy-k9.msi" /passive"
Spawned process "msiexec.exe" with commandline "msiexec /i "%TEMP%\RarSFX0\anyconnect-isecompliance-win-3.6.10785.2-pre-deploy-k9.msi" /passive"
Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c "%TEMP%\RarSFX0\CreateShortcutX86.vbs""
Spawned process "wscript.exe" with commandline ""%TEMP%\RarSFX0\CreateShortcutX86.vbs""
- source: Monitored Target
- relevance: 3/10

Installation/Persistence

Connects to LPC ports
- details:
"<Input Sample>" connecting to "\ThemeApiPort"
"vpn.exe" connecting to "\ThemeApiPort"
- source: API Call
- relevance: 1/10

Contains ability to lookup the windows account name
- details: GetUserNameW@ADVAPI32.DLL from vpn.exe (PID: 2468)
- source: Hybrid Analysis Technology
- relevance: 5/10

Dropped files
- details:
"lenovoprofile.xml" has type "XML document text"
"vpn.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
"vpn.au3" has type "C source ISO-8859 text with CRLF line terminators"
"CreateShortcutX86.vbs" has type "ASCII text with CRLF line terminators"
"anyconnect-iseposture-win-4.3.03086-pre-deploy-k9.msi" has type "Composite Document File V2 Document Little Endian O%WINDIR%\Version 6.1 Title: Installation Database Keywords: Installer MSI Database Last Printed: Fri Dec 11 11:47:44 2009 Create Time/Date: Fri Dec 11 11:47:44 2009 Last Saved Time/Date: Fri Dec 11 11:47:44 2009 Number of Pages: 200 Security: 0 Code page: 1252 Revision Number: {28BE30BE-D3DB-4133-B3C9-714C98F61B5E} Number of Words: 2 Subject: Cisco AnyConnect ISE Posture Module Author: Cisco Systems Inc. Name of Creating Application: Advanced Installer 7.5.2 Template: ;1033 Comments: A SmartNET contract is required for support - Cisco AnyConnect ISE Posture Module."
"anyconnect-win-4.3.03086-pre-deploy-k9.msi" has type "Composite Document File V2 Document Little Endian O%WINDIR%\Version 6.1 Title: Installation Database Keywords: Installer MSI Database Last Printed: Fri Dec 11 11:47:44 2009 Create Time/Date: Fri Dec 11 11:47:44 2009 Last Saved Time/Date: Fri Dec 11 11:47:44 2009 Number of Pages: 200 Security: 0 Code page: 1252 Revision Number: {A20EACCE-9179-4BF0-8BC3-41F72FDC71E0} Number of Words: 2 Subject: Cisco AnyConnect Secure Mobility Client Author: Cisco Systems Inc. Name of Creating Application: Advanced Installer 7.5.2 Template: ;1033 Comments: A SmartNET contract is required for support - Cisco AnyConnect Secure Mobility Client."
"Cisco AnyConnect VPN Client.lnk" has type "MS Windows shortcut Item id list present Points to a file or directory Has Relative path Archive ctime=Thu Oct 6 21:36:04 2016 mtime=Thu Feb 16 18:02:00 2017 atime=Thu Oct 6 21:36:04 2016 length=1207808 window=hide"
"CreateShortcutX64.vbs" has type "ASCII text with CRLF line terminators"
"anyconnect-isecompliance-win-3.6.10785.2-pre-deploy-k9.msi" has type "Composite Document File V2 Document Little Endian O%WINDIR%\Version 6.1 Title: Installation Database Keywords: Installer MSI Database Last Printed: Fri Dec 11 11:47:44 2009 Create Time/Date: Fri Dec 11 11:47:44 2009 Last Saved Time/Date: Fri Dec 11 11:47:44 2009 Number of Pages: 200 Security: 0 Code page: 1252 Revision Number: {662AF280-2D4F-401B-8A1F-F9408E39590D} Number of Words: 2 Subject: Cisco AnyConnect ISE Compliance Module Author: Cisco Systems Inc Name of Creating Application: Advanced Installer 7.5.2 Template: ;1033 Comments: A SmartNET contract is required for support - Cisco AnyConnect ISE Compliance Module."
- source: Binary File
- relevance: 3/10

Touches files in the Windows directory
- details:
"<Input Sample>" touched file "%WINDIR%\AppPatch\AcLayers.DLL"
"<Input Sample>" touched file "%WINDIR%\Globalization\Sorting\sortdefault.nls"
"<Input Sample>" touched file "%WINDIR%\Fonts\staticcache.dat"
"<Input Sample>" touched file "%WINDIR%\system32\en-US\MSCTF.dll.mui"
"<Input Sample>" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
"<Input Sample>" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\cversions.1.db"
"<Input Sample>" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000007.db"
"<Input Sample>" touched file "%WINDIR%\AppPatch\pcamain.sdb"
"<Input Sample>" touched file "%WINDIR%\system32\ntshrui.dll"
"<Input Sample>" touched file "%WINDIR%\system32\en-US\ntshrui.dll.mui"
"<Input Sample>" touched file "%WINDIR%\system32\rsaenh.dll"
"vpn.exe" touched file "%WINDIR%\AppPatch\AcLayers.DLL"
"vpn.exe" touched file "%WINDIR%\Globalization\Sorting\sortdefault.nls"
"vpn.exe" touched file "%WINDIR%\system32\tzres.dll"
- source: API Call
- relevance: 7/10
-
Connects to LPC ports
-
Network Related
-
Found potential URL in binary/memory
- details
-
Pattern match: "http://ocsp.thawte.com0"
Pattern match: "http://crl.thawte.com/ThawteTimestampingCA.crl0"
Pattern match: "http://ts-ocsp.ws.symantec.com07"
Pattern match: "http://ts-aia.ws.symantec.com/tss-ca-g2.cer0"
Pattern match: "http://ts-crl.ws.symantec.com/tss-ca-g2.crl0"
Pattern match: "http://crl.verisign.com/pca3.crl0"
Pattern match: "https://www.verisign.com/cps0"
Pattern match: "http://logo.verisign.com/vslogo.gif04"
Pattern match: "http://ocsp.verisign.com0"
Pattern match: "http://sv.symcb.com/sv.crl0f"
Pattern match: "https://d.symcb.com/cps0%"
Pattern match: "https://d.symcb.com/rpa0"
Pattern match: "http://sv.symcd.com0&"
Pattern match: "http://sv.symcb.com/sv.crt0"
Pattern match: "http://s2.symcb.com0"
Pattern match: "http://www.symauth.com/cps0"
Pattern match: "http://www.symauth.com/rpa00"
Pattern match: "http://s1.symcb.com/pca3-g5.crl0"
Pattern match: "http://schemas.xmlsoap.org/encoding/"
Pattern match: "www.autoitscript.com/autoit3/"
Pattern match: "http://www.cisco.com/web/siteassets/legal/privacy_f\hich\af31506\dbch\af31505\loch\f31506"
Pattern match: "http://www.cisco.com/web/siteassets/legal/privacy_full.html}}}\sectd"
Pattern match: "http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html"
Pattern match: "www.cisco.comARPURLINFOABOUTchangesCtrlEvtchangesWindows"
Pattern match: "http://sv.symcb.com/sv.crl0aU"
Pattern match: "sv.symcb.com/sv.crt0U#0;Sy3}.+rf0Uv_$Yj"
Pattern match: "http://www.symauth.com/cps0(+0http://www.symauth.com/rpa00U)0'0%#!http://s1.symcb.com/pca3-g5.crl0U%0++0U0"
Pattern match: "www.cisco.com0"
Pattern match: "http://ts-crl.ws.symantec.com/tss-ca-g2.crl0U%0"
Pattern match: "http://ts-aia.ws.symantec.com/tss-ca-g2.cer0U#0_n\t}?L.0"
Pattern match: "http://crl.thawte.com/ThawteTimestampingCA.crl0U%0"
Pattern match: "http://www.cisco.com/TAC/HelpLinkNew_Value_2[AI_SETUPEXEPATH]Software\Caphyon\Advanced"
Pattern match: "http://ts-aia.ws.symantec.com/tss-ca-g2.cer0U00"
Pattern match: "www.cisco.com/TAC/ARPHELPLINKButtonText_OKErrorDialogTypicalInstallMode&NoButtonText_NoexclamicExclamationIcon&ReturnButtonText_Return&FinishButtonText_Finish&RepairButtonText_RepairChangingCtrlEvtChanging&IgnoreButtonText_IgnoreRepairingCtrlEvtRepairingre"
The remaining roughly 275 entries of this indicator (for example "hQ&PZ`P.LR", "FfRSnr.Nr", "7q.zcKx/]Z", "a.plz/4y!AH" and "v#s.mc") are heuristic hits on high-entropy data that merely have the host.tld/path shape; they come from the compressed RAR SFX payload and contain no URL, so the 10/10 relevance rests on the entries listed above. Of those, the thawte, symantec, verisign, symcb, symcd and symauth URLs with trailing "0", "0%" or "0U" bytes are CRL, OCSP and AIA distribution points from the embedded Authenticode certificate chain (the trailing bytes are DER residue from the next ASN.1 element), the cisco.com entries are MSI UI properties (ARPURLINFOABOUT, ARPHELPLINK) and RTF license text (\hich, \dbch, \loch are RTF control words), and www.autoitscript.com/autoit3/ is the marker of the AutoIt v3 runtime (compare vpn.au3 under Extracted Files).
- source
- String
- relevance
- 10/10
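The indicator above carries a 10/10 relevance although most of its hits are not URLs at all. The following Python is an added example, not part of the Hybrid Analysis report or of Cisco's software: it separates real URLs and hostnames from the high-entropy false positives and strips the DER residue that certificate-extension URLs carry. The sample lines are a constructed subset of the entries above; the hostname regex, the small TLD allow-list and the residue rule are my own heuristics.

```python
import re
from urllib.parse import urlsplit

# Constructed subset of the "Found potential URL in binary/memory" hits above
# (real entries from the report plus the shape of the noise entries). This is
# not the report's full output.
SAMPLE_HITS = [
    'Pattern match: "http://ocsp.thawte.com0"',
    'Pattern match: "http://crl.thawte.com/ThawteTimestampingCA.crl0"',
    'Pattern match: "http://ts-ocsp.ws.symantec.com07"',
    'Pattern match: "https://d.symcb.com/cps0%"',
    'Pattern match: "http://sv.symcb.com/sv.crl0aU"',
    'Pattern match: "http://logo.verisign.com/vslogo.gif04"',
    'Pattern match: "www.autoitscript.com/autoit3/"',
    'Pattern match: "www.cisco.com0"',
    'Pattern match: "http://www.cisco.com/web/siteassets/legal/privacy_full.html}}}\\sectd"',
    'Heuristic match: "hQ&PZ`P.LR"',
    'Heuristic match: "FfRSnr.Nr"',
    'Pattern match: "7q.zcKx/]Z"',
    'Pattern match: "B2GiKt.n.BO/&s@Yz:7"',
]

HIT_RE = re.compile(r'^(?:Heuristic|Pattern) match: "(.*)"$')
# Leading run of characters that can appear in a URL; the candidate ends at the
# first byte outside this set (e.g. "}" or "`" from surrounding binary data).
URLCHARS_RE = re.compile(r"[A-Za-z0-9:/._\-?=&%#~+]+")
# Dot-separated hostname labels ending in an alphabetic TLD (heuristic).
HOST_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,24}$")
# Certificate extensions store URLs as DER IA5Strings; the bytes that follow
# (a 0x30 SEQUENCE tag, shown as "0", plus a length byte) are what the report
# prints as "...com0", "...crl0aU", "...gif04". This strips that residue.
DER_RESIDUE_RE = re.compile(r"(?<=[a-z/])0[^/]{0,3}$", re.I)
# Allow-list used only for scheme-less candidates (assumption: any other TLD
# on a scheme-less hit is treated as noise for this triage).
COMMON_TLDS = {"com", "net", "org", "edu", "gov", "mil", "int", "info", "biz",
               "io", "co", "uk", "de", "fr", "jp", "cn", "ru", "us", "eu"}


def classify(hit):
    """Return (category, value) for one report line.

    category: "url" (scheme + valid host), "hostlike" (valid host on a common
    TLD, no scheme), "noise" (host.tld/path shape but not a hostname) or
    "unparsed" (line is not a match entry). value is the cleaned URL/host for
    the first two categories and the raw string otherwise.
    """
    m = HIT_RE.match(hit)
    if not m:
        return "unparsed", hit
    raw = m.group(1)
    c = URLCHARS_RE.match(raw)
    cand = c.group(0) if c else ""
    has_scheme = cand.lower().startswith(("http://", "https://", "ftp://"))
    if has_scheme:
        parts = urlsplit(cand)
        hostpart, path = parts.hostname or "", parts.path
    else:
        hostpart, _, rest = cand.partition("/")
        path = ("/" + rest) if (rest or cand.endswith("/")) else ""
        path = path.split("#")[0].split("?")[0]
    # Trailing non-letters on the host are DER residue ("...com0", "...com07").
    host = re.sub(r"[^a-z]+$", "", hostpart, flags=re.I).lower()
    if not HOST_RE.match(host):
        return "noise", raw
    tld = host.rsplit(".", 1)[-1]
    if not has_scheme and tld not in COMMON_TLDS:
        return "noise", raw
    clean_path = DER_RESIDUE_RE.sub("", path)
    if has_scheme:
        return "url", f"{parts.scheme.lower()}://{host}{clean_path}"
    return "hostlike", host + clean_path


def triage(hits):
    """Group report lines by category, cleaned and de-duplicated."""
    out = {"url": [], "hostlike": [], "noise": [], "unparsed": []}
    for h in hits:
        cat, val = classify(h)
        if val not in out[cat]:
            out[cat].append(val)
    return out


if __name__ == "__main__":
    for cat, vals in triage(SAMPLE_HITS).items():
        print(f"{cat} ({len(vals)}):")
        for v in vals:
            print("   ", v)
```

Run against the full indicator, the "url" and "hostlike" buckets reproduce the certificate, Cisco and AutoIt entries and everything else lands in "noise"; the ratio between the buckets is the number worth reporting, not the raw hit count the sandbox scores.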
-
-
System Security
-
Opens the Kernel Security Device Driver (KsecDD) of Windows
- details
-
"<Input Sample>" opened "\Device\KsecDD"
"vpn.exe" opened "\Device\KsecDD" - source
- API Call
- relevance
- 10/10
-
-
Unusual Characteristics
-
Matched Compiler/Packer signature
- details
- "vpn.exe" was detected as "Microsoft Visual C++ 8"
- source
- Static Parser
- relevance
- 10/10
-
File Details
CiscoAnyconnect_4.3.03086_signed.exe
- Filename
- CiscoAnyconnect_4.3.03086_signed.exe
- Size
- 14MiB (15117848 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- Architecture
- WINDOWS
- SHA256
- 833a33ce496d9ff4fc1c6455a5605a1d7cc5df6abb17d693c8ea7bb5a5294741
- MD5
- e4a1c516c404a08544629324eae5d242
- SHA1
- 4c38df37f2406647c3dcc9993e225ef90b0e6b73
Classification (TrID)
- 42.2% (.EXE) Win32 Executable MS Visual C++ (generic)
- 37.3% (.EXE) Win64 Executable (generic)
- 8.8% (.DLL) Win32 Dynamic Link Library (generic)
- 6.0% (.EXE) Win32 Executable (generic)
- 2.7% (.EXE) Generic Win/DOS Executable
Hybrid Analysis
Analysed 7 processes in total (System Resource Monitor).
-
CiscoAnyconnect_4.3.03086_signed.exe
(PID: 2288)
-
vpn.exe
(PID: 2468)
- msiexec.exe msiexec /i "%TEMP%\RarSFX0\anyconnect-win-4.3.03086-pre-deploy-k9.msi" /passive (PID: 2576)
- msiexec.exe msiexec /i "%TEMP%\RarSFX0\anyconnect-iseposture-win-4.3.03086-pre-deploy-k9.msi" /passive (PID: 3828)
- msiexec.exe msiexec /i "%TEMP%\RarSFX0\anyconnect-isecompliance-win-3.6.10785.2-pre-deploy-k9.msi" /passive (PID: 184)
-
cmd.exe
%WINDIR%\system32\cmd.exe /c "%TEMP%\RarSFX0\CreateShortcutX86.vbs"
(PID: 3252)
- wscript.exe "%TEMP%\RarSFX0\CreateShortcutX86.vbs" (PID: 3368)
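The process list above is the behaviour a detection engineer would match on: a self-extracting archive unpacking into %TEMP%\RarSFX0, a wrapper executable (vpn.exe) running from there, msiexec installing MSIs from that directory, and cmd.exe plus wscript.exe running a .vbs from it. The following Python is an added example, not part of the report; the process-creation events are constructed to mirror the tree above (parent PIDs and full paths are assumed, since the report shows nesting but not ParentProcessId), a benign control event is added, and the rule names are my own.

```python
import ntpath
import re

# Constructed process-creation events (Sysmon Event ID 1 style) mirroring the
# report's process tree. Parent PIDs and paths are assumptions; the report gives
# PIDs and command lines only. The last event is a benign control that must not fire.
TEMP = r"C:\Users\user\AppData\Local\Temp"
EVENTS = [
    {"pid": 2288, "ppid": 1100,
     "image": r"C:\Users\user\Downloads\CiscoAnyconnect_4.3.03086_signed.exe",
     "cmd": r'"C:\Users\user\Downloads\CiscoAnyconnect_4.3.03086_signed.exe"'},
    {"pid": 2468, "ppid": 2288,
     "image": TEMP + r"\RarSFX0\vpn.exe",
     "cmd": '"' + TEMP + r'\RarSFX0\vpn.exe"'},
    {"pid": 2576, "ppid": 2468,
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmd": 'msiexec /i "' + TEMP + r'\RarSFX0\anyconnect-win-4.3.03086-pre-deploy-k9.msi" /passive'},
    {"pid": 3252, "ppid": 2468,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'C:\Windows\system32\cmd.exe /c "' + TEMP + r'\RarSFX0\CreateShortcutX86.vbs"'},
    {"pid": 3368, "ppid": 3252,
     "image": r"C:\Windows\System32\wscript.exe",
     "cmd": 'wscript.exe "' + TEMP + r'\RarSFX0\CreateShortcutX86.vbs"'},
    {"pid": 4100, "ppid": 900,
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmd": r'msiexec /i "C:\Users\user\Downloads\tool.msi"'},
]

# Default extraction directories of WinRAR (RarSFX<n>) and 7-Zip (7ZipSfx.<nnn>)
# self-extracting archives under %TEMP%.
SFX_DIR_RE = re.compile(r"\\Temp\\(?:RarSFX\d+|7ZipSfx\.\d+)\\", re.I)
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
SCRIPT_RE = re.compile(r"\.(?:vbs|vbe|js|jse|wsf|ps1|bat|cmd)\b", re.I)
# Path argument of "msiexec /i <package>", quoted or not.
MSI_ARG_RE = re.compile(r'/i\s+"?([^"]+?\.msi)"?', re.I)


def ancestry(by_pid, pid):
    """Image names from pid up to the last ancestor we have an event for."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(ntpath.basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def detect(events):
    """Apply the three rules and return one finding per matching event."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name, cmd = ntpath.basename(e["image"]).lower(), e["cmd"]
        rule = None
        if name == "msiexec.exe":
            m = MSI_ARG_RE.search(cmd)
            if m and SFX_DIR_RE.search(m.group(1)):
                rule = "msi_installed_from_sfx_temp"
        elif name in ("wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe"):
            if TEMP_RE.search(cmd) and SCRIPT_RE.search(cmd):
                rule = "script_run_from_temp"
        elif SFX_DIR_RE.search(e["image"]):
            rule = "exe_run_from_sfx_temp"
        if rule:
            findings.append({"rule": rule, "pid": e["pid"],
                             "chain": ancestry(by_pid, e["pid"])})
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"{f['rule']:28} pid={f['pid']:<5} {' <- '.join(f['chain'])}")
```

On the constructed events the rules fire for vpn.exe, the msiexec run from RarSFX0, and both cmd.exe and wscript.exe, each with its chain back to the signed wrapper, while the interactive msiexec run from Downloads stays silent. In production the same chain is what separates a vendor installer repackaged in an SFX (this sample) from an arbitrary SFX dropper: the MSI packages themselves are Cisco-authored and 0/54 here, so the alert should surface the ancestry and the unsigned wrapper rather than the msiexec child alone.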
Network Analysis
DNS Requests
Domain | Address | Registrar | Country |
---|---|---|---|
mus.cisco.com | 72.163.1.80 | - | United States |
Contacted Hosts
IP Address | Port/Protocol | Associated Process | Details |
---|---|---|---|
72.163.1.80 | 80/TCP | vpnagent.exe (PID: 3604) | United States, ASN: 109 (Cisco Systems, Inc.) |
255.255.255.255 | 68/UDP | svchost.exe (PID: 788) | Reserved, ASN: 55415 (4 Shenton Way) |
Only the first row is attributable to the sample: vpnagent.exe is the AnyConnect agent service installed by anyconnect-win-4.3.03086-pre-deploy-k9.msi (it does not appear in the analysed-process list above), and mus.cisco.com resolves into Cisco's own ASN. The second row is the guest's DHCP traffic (255.255.255.255 is the limited-broadcast address, UDP port 68 is the DHCP client port, and svchost.exe hosts the Windows DHCP client service); the ASN shown for a reserved address is a geolocation-lookup artifact.
HTTP Traffic
No relevant HTTP requests were made.
Memory Forensics
String | Context | Stream UID |
---|---|---|
255.255.255.255 | Domain/IP reference | 00018996-00002468-17967-2017-0112A82C |
Extracted Files
-
Malicious 2
-
-
anyconnect-iseposture-win-4.3.03086-pre-deploy-k9.msi
- Size
- 1.2MiB (1207296 bytes)
- Type
- Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Title: Installation Database, Keywords: Installer, MSI, Database, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Dec 11 11:47:44 2009, Number of Pages: 200, Security: 0, Code page: 1252, Revision Number: {28BE30BE-D3DB-4133-B3C9-714C98F61B5E}, Number of Words: 2, Subject: Cisco AnyConnect ISE Posture Module, Author: Cisco Systems, Inc., Name of Creating Application: Advanced Installer 7.5.2, Template: ;1033, Comments: A SmartNET contract is required for support - Cisco AnyConnect ISE Posture Module.
- AV Scan Result
- Labeled as "DLOADER.Trojan" (1/55)
- Runtime Process
- CiscoAnyconnect_4.3.03086_signed.exe (PID: 2288)
- MD5
- ddc3ed77634389501e87fb050fa9ad0c
- SHA1
- a9c24d61185f186a23b5ec2dd4ff008cdfd72cb1
- SHA256
- b6d392ae17674ffecbeea73f60ea6cd37cb97e6d7d93ec8e4ebe5a31e21047ba
-
vpn.exe
- Size
- 933KiB (955128 bytes)
- Type
- PE32 executable (GUI) Intel 80386, for MS Windows
- AV Scan Result
- Labeled as "AIT:Trojan.GenericTKA" (30/80)
- Runtime Process
- CiscoAnyconnect_4.3.03086_signed.exe (PID: 2288)
- MD5
- fab946c839d98743dc1f78fedd1656a1
- SHA1
- 230ce845e86690212352b752ecf14b987e359f6f
- SHA256
- be5ffc9623fec76ab482cb05d2b24ecf96660e405fd1dbcd1710ee46894488e3
-
-
Clean 2
-
-
anyconnect-isecompliance-win-3.6.10785.2-pre-deploy-k9.msi
- Size
- 6.1MiB (6428160 bytes)
- Type
- Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Title: Installation Database, Keywords: Installer, MSI, Database, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Dec 11 11:47:44 2009, Number of Pages: 200, Security: 0, Code page: 1252, Revision Number: {662AF280-2D4F-401B-8A1F-F9408E39590D}, Number of Words: 2, Subject: Cisco AnyConnect ISE Compliance Module, Author: Cisco Systems, Inc, Name of Creating Application: Advanced Installer 7.5.2, Template: ;1033, Comments: A SmartNET contract is required for support - Cisco AnyConnect ISE Compliance Module.
- AV Scan Result
- 0/54
- Runtime Process
- CiscoAnyconnect_4.3.03086_signed.exe (PID: 2288)
- MD5
- 4f9b810375e65b5adc8a2770db64d2b2
- SHA1
- afda8bd15275c398955f0c897dea628ed45bec08
- SHA256
- 14b268ff90895a9cd47f640cb9ca02d3b2b5b0322763de0f9a6ba8f2b83dcc66
-
anyconnect-win-4.3.03086-pre-deploy-k9.msi
- Size
- 7.5MiB (7876608 bytes)
- Type
- Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Title: Installation Database, Keywords: Installer, MSI, Database, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Dec 11 11:47:44 2009, Number of Pages: 200, Security: 0, Code page: 1252, Revision Number: {A20EACCE-9179-4BF0-8BC3-41F72FDC71E0}, Number of Words: 2, Subject: Cisco AnyConnect Secure Mobility Client, Author: Cisco Systems, Inc., Name of Creating Application: Advanced Installer 7.5.2, Template: ;1033, Comments: A SmartNET contract is required for support - Cisco AnyConnect Secure Mobility Client.
- AV Scan Result
- 0/54
- Runtime Process
- CiscoAnyconnect_4.3.03086_signed.exe (PID: 2288)
- MD5
- 304656365e245c439526cc09e9737646
- SHA1
- ba3d3e079513818921b16a053d428e9872ecbeb5
- SHA256
- c453acdec32ce52705e4e61a56509116035b0f9ae4318e3c8576965a0a017e45
-
-
Informative Selection 1
-
-
CreateShortcutX86.vbs
- Size
- 450B (450 bytes)
- Type
- ASCII text, with CRLF line terminators
- Runtime Process
- CiscoAnyconnect_4.3.03086_signed.exe (PID: 2288)
- MD5
- da7318eed02a8aa5eeb620f29c5c00cc
- SHA1
- 31acf5fe58cae0765ca51ce2e7b33773c5e2bc86
- SHA256
- c28826386fe15b56a00e0e7ceb39c59edc74dc605ba8f552bb1df0b17f803910
-
-
Informative 4
-
-
CreateShortcutX64.vbs
- Size
- 456B (456 bytes)
- Type
- ASCII text, with CRLF line terminators
- Runtime Process
- CiscoAnyconnect_4.3.03086_signed.exe (PID: 2288)
- MD5
- 1893e3f825a208aa1f9e1b92b8eb94c2
- SHA1
- 0dbdc34815417f2aece1b4b67336b4e491fed3a8
- SHA256
- 603f181496609c935b4328a78b01ab8ee5af258cf046a117195ab4fe63bf30e1
-
lenovoprofile.xml
- Size
- 1.8KiB (1831 bytes)
- Type
- XML document text
- Runtime Process
- CiscoAnyconnect_4.3.03086_signed.exe (PID: 2288)
- MD5
- cdd33e13956e7fc25b176151765e4161
- SHA1
- 199d0054fb18d5d81546cb022473cb78390509a6
- SHA256
- 7aa40e29dd65bb084ce0d0b2f0b63037441594bc697299741ef04a53f488dd00
-
vpn.au3
- Size
- 5.4KiB (5523 bytes)
- Type
- C source, ISO-8859 text, with CRLF line terminators (libmagic guess; the .au3 extension and the www.autoitscript.com/autoit3/ string found in the sample indicate an AutoIt v3 script, presumably the source of the compiled vpn.exe)
- Runtime Process
- CiscoAnyconnect_4.3.03086_signed.exe (PID: 2288)
- MD5
- 45141028fceb4b49df86506d23a29d39
- SHA1
- b3d4b5e1ab5e3c354c9dcfb371957e636969590b
- SHA256
- a224bb209d03ba50500e72a4d8b7091012826bbabab00c19a613653e9daa6514
-
Cisco AnyConnect VPN Client.lnk
- Size
- 1.1KiB (1147 bytes)
- Type
- MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu Oct 6 21:36:04 2016, mtime=Thu Feb 16 18:02:00 2017, atime=Thu Oct 6 21:36:04 2016, length=1207808, window=hide
- Runtime Process
- wscript.exe (PID: 3368)
- MD5
- c6933897cc748c39e8ef20ef6f2be20e
- SHA1
- c8271508dc00c580d644bb4b29b63dc8842dbc7a
- SHA256
- 41ea919f324416e77355191c1411ce9dcb7fae73cb0551da4fba78552757e636
-
Notifications
-
Runtime
- Added comment to Virus Total report
- No static analysis parsing on sample was performed
- Not all sources for signature ID "api-55" are available in the report
- Not all sources for signature ID "stream-31" are available in the report
- Not all sources for signature ID "string-21" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)