File name:

anyconnect-win-4.9.05042-core-vpn-predeploy-k9.msi

Full analysis: https://app.any.run/tasks/baaf57f9-c292-4841-ac4c-20b7a32bf510
Verdict: Malicious activity
Analysis date: August 09, 2024, 11:02:03
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
generated-doc
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Dec 11 11:47:44 2009, Security: 0, Code page: 1252, Revision Number: {F9B5A0DA-D96E-417A-9007-9FFBE6581C48}, Number of Words: 2, Subject: Cisco AnyConnect Secure Mobility Client, Author: Cisco Systems, Inc., Name of Creating Application: Advanced Installer 17.4 build a9d5b2ae, Template: ;1033, Comments: A SmartNET contract is required for support - Cisco AnyConnect Secure Mobility Client., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
MD5:

7493E451BBE0A54B544772D91CDCB934

SHA1:

222622F2FDD8546E7C79A4D5AA2F0CE679555AFD

SHA256:

1FC163EB3A5156E4DA19AAE8FC9381F438B514A4DB2C5E6B04E50FE217BE50D4

SSDEEP:

98304:kYoRJC7qYBv+bfSQp+hop7KokIcGU32Ddu3k6IMPXLJ6U04y+OW908wGxkziSIzy:L+cYNfq6B2mhSxLSZhr/rlErFwXp

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Checks Windows Trust Settings

      • msiexec.exe (PID: 6672)

    • Executes as Windows Service

      • VSSVC.exe (PID: 6944)

    • Process drops legitimate windows executable

      • msiexec.exe (PID: 6672)

    • Drops the executable file immediately after the start

      • msiexec.exe (PID: 6672)
      • msiexec.exe (PID: 2204)
      • drvinst.exe (PID: 3044)

    • The process drops C-runtime libraries

      • msiexec.exe (PID: 6672)

    • Drops a system driver (possible attempt to evade defenses)

      • msiexec.exe (PID: 6672)
      • drvinst.exe (PID: 3044)
      • msiexec.exe (PID: 2204)

    • Executable content was dropped or overwritten

      • drvinst.exe (PID: 3044)

  • INFO

    • Reads the software policy settings

      • msiexec.exe (PID: 6512)
      • msiexec.exe (PID: 6672)

    • Reads security settings of Internet Explorer

      • msiexec.exe (PID: 6512)

    • An automatically generated document

      • msiexec.exe (PID: 6512)

    • Checks proxy server information

      • msiexec.exe (PID: 6512)

    • Checks supported languages

      • msiexec.exe (PID: 6672)
      • msiexec.exe (PID: 6728)

    • Reads the computer name

      • msiexec.exe (PID: 6672)
      • msiexec.exe (PID: 6728)

    • Creates files or folders in the user directory

      • msiexec.exe (PID: 6512)

    • Reads Environment values

      • msiexec.exe (PID: 6728)

    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 6512)
      • msiexec.exe (PID: 6672)
      • msiexec.exe (PID: 2204)

    • Reads the machine GUID from the registry

      • msiexec.exe (PID: 6672)

    • Application launched itself

      • msiexec.exe (PID: 6672)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (81.9)
.mst | Windows SDK Setup Transform Script (9.2)
.msp | Windows Installer Patch (7.6)
.msi | Microsoft Installer (100)

EXIF

FlashPix

LastPrinted: 2009:12:11 11:47:44
CreateDate: 2009:12:11 11:47:44
ModifyDate: 2009:12:11 11:47:44
Security: None
CodePage: Windows Latin 1 (Western European)
RevisionNumber: {F9B5A0DA-D96E-417A-9007-9FFBE6581C48}
Words: 2
Subject: Cisco AnyConnect Secure Mobility Client
Author: Cisco Systems, Inc.
LastModifiedBy: -
Software: Advanced Installer 17.4 build a9d5b2ae
Template: ;1033
Comments: A SmartNET contract is required for support - Cisco AnyConnect Secure Mobility Client.
Title: Installation Database
Keywords: Installer, MSI, Database
Pages: 200
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
159
Monitored processes
26
Malicious processes
1
Suspicious processes
1

Behavior graph

Click at the process to see the details
start msiexec.exe msiexec.exe msiexec.exe no specs vssvc.exe no specs srtasks.exe no specs conhost.exe no specs msiexec.exe no specs msiexec.exe no specs installhelper.exe no specs installhelper.exe no specs installhelper.exe no specs installhelper.exe no specs installhelper.exe no specs installhelper.exe no specs installhelper.exe no specs installhelper.exe no specs installhelper.exe no specs msiexec.exe runonce.exe no specs grpconv.exe no specs vacon64.exe no specs drvinst.exe drvinst.exe no specs vacon64.exe no specs runonce.exe no specs grpconv.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
532"C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\InstallHelper.exe" -copyFiles "C:\Users\admin\AppData\Local\Temp\Profiles\\" "C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\\" "AnyConnectLocalPolicy.xml"C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\InstallHelper.exemsiexec.exe
User:
admin
Company:
Cisco Systems, Inc.
Integrity Level:
MEDIUM
Description:
AnyConnect Secure Mobility Client Install Helper
Exit code:
1
Version:
4, 9, 05042
2204C:\Windows\System32\MsiExec.exe -Embedding 4DDCBF37ADEDECC92A73FCCEC3144BB5 E Global\MSI0000C:\Windows\System32\msiexec.exe
msiexec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.1 (WinBuild.160101.0800)
2476"C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\InstallHelper.exe" -registerdll "C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnapi.dll"C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\InstallHelper.exemsiexec.exe
User:
admin
Company:
Cisco Systems, Inc.
Integrity Level:
MEDIUM
Description:
AnyConnect Secure Mobility Client Install Helper
Exit code:
0
Version:
4, 9, 05042
2572"C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\InstallHelper.exe" -moveFiles "C:\ProgramData\\Cisco\Cisco AnyConnect VPN Client\l10n\\" "C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\\l10n\\" "*.*"C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\InstallHelper.exemsiexec.exe
User:
admin
Company:
Cisco Systems, Inc.
Integrity Level:
MEDIUM
Description:
AnyConnect Secure Mobility Client Install Helper
Exit code:
1
Version:
4, 9, 05042
3044DrvInst.exe "4" "1" "c:\program files (x86)\cisco\cisco anyconnect secure mobility client\vpnva-6.inf" "9" "458dd218b" "00000000000001D0" "WinSta0\Default" "00000000000001E8" "208" "c:\program files (x86)\cisco\cisco anyconnect secure mobility client"C:\Windows\System32\drvinst.exe
svchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Driver Installation Module
Exit code:
3758096967
Version:
10.0.19041.3996 (WinBuild.160101.0800)
4576"C:\Windows\System32\grpconv.exe" -oC:\Windows\System32\grpconv.exerunonce.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Progman Group Converter
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
5140"C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\InstallHelper.exe" -moveIfExist "C:\Users\admin\AppData\Local\\Cisco\Cisco AnyConnect VPN Client\preferences.xml" "C:\Users\admin\AppData\Local\Cisco\Cisco AnyConnect Secure Mobility Client\\preferences.xml"C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\InstallHelper.exemsiexec.exe
User:
admin
Company:
Cisco Systems, Inc.
Integrity Level:
MEDIUM
Description:
AnyConnect Secure Mobility Client Install Helper
Exit code:
0
Version:
4, 9, 05042
5476DrvInst.exe "3" "1" "ROOT\NET\0000" "" "" "458dd218b" "00000000000001D0"C:\Windows\System32\drvinst.exesvchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Driver Installation Module
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
6400"C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\InstallHelper.exe" -moveIfExist "C:\ProgramData\\Cisco\Cisco AnyConnect VPN Client\preferences_global.xml" "C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\\preferences_global.xml"C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\InstallHelper.exemsiexec.exe
User:
admin
Company:
Cisco Systems, Inc.
Integrity Level:
MEDIUM
Description:
AnyConnect Secure Mobility Client Install Helper
Exit code:
0
Version:
4, 9, 05042
6512"C:\Windows\System32\msiexec.exe" /i C:\Users\admin\AppData\Local\Temp\anyconnect-win-4.9.05042-core-vpn-predeploy-k9.msiC:\Windows\System32\msiexec.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
1603
Version:
5.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
Total events
10 008
Read events
9 844
Write events
154
Delete events
10

Modification events

(PID) Process:(6672) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation:writeName:SrCreateRp (Enter)
Value:
48000000000000005AC0FB9D4BEADA01101A0000101B0000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(6672) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppGetSnapshots (Enter)
Value:
48000000000000009C22FE9D4BEADA01101A0000101B0000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(6672) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppGetSnapshots (Leave)
Value:
4800000000000000BF243C9E4BEADA01101A0000101B0000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(6672) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppEnumGroups (Enter)
Value:
4800000000000000BF243C9E4BEADA01101A0000101B0000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(6672) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppEnumGroups (Leave)
Value:
48000000000000009D883E9E4BEADA01101A0000101B0000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(6672) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppCreate (Enter)
Value:
4800000000000000793D439E4BEADA01101A0000101B0000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(6672) msiexec.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
Operation:writeName:LastIndex
Value:
11
(PID) Process:(6672) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppGatherWriterMetadata (Enter)
Value:
48000000000000005A7CBA9E4BEADA01101A0000101B0000D30700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(6672) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher
Operation:writeName:IDENTIFY (Enter)
Value:
4800000000000000B700BD9E4BEADA01101A0000A01B0000E80300000100000000000000000000007E74712F352EDC4BA067318780E08C6300000000000000000000000000000000
(PID) Process:(6944) VSSVC.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
Operation:writeName:IDENTIFY (Enter)
Value:
4800000000000000BC6BC69E4BEADA01201B0000581B0000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000
Executable files
63
Suspicious files
31
Text files
51
Unknown types
5

Dropped files

PID
Process
Filename
Type
6672msiexec.exeC:\System Volume Information\SPP\metadata-2
MD5:
SHA256:
6672msiexec.exeC:\Windows\Installer\eac87.msi
MD5:
SHA256:
6672msiexec.exeC:\System Volume Information\SPP\snapshot-2binary
MD5:D3935E432271339C0C0F9BA5F09B0777
SHA256:6317BAB85EC73FA640A5B9EA059CCBAD86257A8BDB3AC609833EC7560A1993D0
6672msiexec.exeC:\Windows\Installer\MSIB20A.tmpexecutable
MD5:B8129EBA94201C5C39511DFC32553DFA
SHA256:EB759412D1163D6556277141C86E93D592F034C96B0545F526C8A777E70EF33D
6672msiexec.exeC:\Windows\Installer\MSIB1CA.tmpbinary
MD5:465FDDF24EB4FD530776D0DC4F133A51
SHA256:846D2E8A24720C6E02A2E16ADCECD0D31E1A1B32515BC59D735049E70F5153F6
6672msiexec.exeC:\Windows\Installer\MSIB012.tmpexecutable
MD5:7DF0342209022320E9608D101480BDE2
SHA256:D10B0B32B86307341A2F507E0E98FAD33AD7B3350899D9A7C27919B1E7D81CBD
6512msiexec.exeC:\Users\admin\AppData\Local\Temp\MSI589C.tmpexecutable
MD5:7DF0342209022320E9608D101480BDE2
SHA256:D10B0B32B86307341A2F507E0E98FAD33AD7B3350899D9A7C27919B1E7D81CBD
6512msiexec.exeC:\Users\admin\AppData\Local\Temp\MSI57A1.tmpexecutable
MD5:7DF0342209022320E9608D101480BDE2
SHA256:D10B0B32B86307341A2F507E0E98FAD33AD7B3350899D9A7C27919B1E7D81CBD
6672msiexec.exeC:\System Volume Information\SPP\OnlineMetadataCache\{2f71747e-2e35-4bdc-a067-318780e08c63}_OnDiskSnapshotPropbinary
MD5:D3935E432271339C0C0F9BA5F09B0777
SHA256:6317BAB85EC73FA640A5B9EA059CCBAD86257A8BDB3AC609833EC7560A1993D0
6512msiexec.exeC:\Users\admin\AppData\Local\Temp\MSI5CB6.tmpexecutable
MD5:7DF0342209022320E9608D101480BDE2
SHA256:D10B0B32B86307341A2F507E0E98FAD33AD7B3350899D9A7C27919B1E7D81CBD
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
48
DNS requests
21
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6512
msiexec.exe
GET
200
152.199.19.74:80
http://s.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ%2FYHKj6JjF6UBieQioTYpFsuEriQQUtnf6aUhHn1MS1cLqBzJ2B9GXBxkCEHwbNTVK59t050FfEWnKa6g%3D
unknown
whitelisted
6512
msiexec.exe
GET
200
192.229.221.95:80
http://s.symcb.com/universal-root.crl
unknown
whitelisted
6512
msiexec.exe
GET
200
152.199.19.74:80
http://s.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ%2FYHKj6JjF6UBieQioTYpFsuEriQQUtnf6aUhHn1MS1cLqBzJ2B9GXBxkCEHwbNTVK59t050FfEWnKa6g%3D
unknown
whitelisted
6512
msiexec.exe
GET
200
152.199.19.74:80
http://rb.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTDRSYViRCZTxmZjLENmnwVjLly9QQU1MAGIknrOUvdk%2BJcobhHdglyA1gCEDSwesDam3xemKiAzep%2Fvu4%3D
unknown
whitelisted
2212
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5336
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
1140
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
4276
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4084
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
532
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
2120
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
3888
svchost.exe
239.255.255.250:1900
whitelisted
4
System
192.168.100.255:138
whitelisted
6512
msiexec.exe
152.199.19.74:80
s.symcd.com
EDGECAST
US
unknown
6512
msiexec.exe
192.229.221.95:80
s.symcb.com
EDGECAST
US
whitelisted
4
System
192.168.100.255:137
whitelisted
4084
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5336
SearchApp.exe
2.23.209.182:443
www.bing.com
Akamai International B.V.
GB
unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.124.78.146
  • 4.231.128.59
whitelisted
google.com
  • 142.250.181.238
whitelisted
s.symcd.com
  • 152.199.19.74
shared
s.symcb.com
  • 192.229.221.95
whitelisted
rb.symcd.com
  • 152.199.19.74
whitelisted
www.bing.com
  • 2.23.209.182
  • 2.23.209.140
  • 2.23.209.135
  • 2.23.209.141
  • 2.23.209.132
  • 2.23.209.130
  • 2.23.209.133
  • 2.23.209.142
  • 2.23.209.189
  • 184.86.251.31
  • 184.86.251.11
  • 184.86.251.10
  • 184.86.251.26
  • 184.86.251.7
  • 184.86.251.28
  • 184.86.251.25
  • 184.86.251.30
  • 184.86.251.9
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 40.126.31.69
  • 20.190.159.64
  • 20.190.159.2
  • 20.190.159.0
  • 20.190.159.23
  • 40.126.31.73
  • 20.190.159.75
  • 20.190.159.71
whitelisted
client.wns.windows.com
  • 40.113.110.67
whitelisted
th.bing.com
  • 2.23.209.179
  • 2.23.209.167
  • 2.23.209.166
  • 2.23.209.173
  • 2.23.209.178
  • 2.23.209.168
  • 2.23.209.177
  • 2.23.209.171
  • 2.23.209.175
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
anyconnect-win-4.9.05042-core-vpn-predeploy-k9.msi