File name:	cisco-secure-client-win-5.0.05040-core-vpn-predeploy-k9.exe
Full analysis:	https://app.any.run/tasks/1efd66b2-f968-40c3-bcb0-693c9c58701f
Verdict:	Malicious activity
Threats:	NetSupport RAT is a malicious adaptation of the legitimate NetSupport Manager, a remote access tool used for IT support, which cybercriminals exploit to gain unauthorized control over systems. It has gained significant traction due to its sophisticated evasion techniques, widespread distribution campaigns, and the challenge it poses to security professionals who must distinguish between legitimate and malicious uses of the underlying software. Malware Trends Tracker >>>
Analysis date:	January 29, 2025, 21:08:09
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	unwanted netsupport delphi tool inno installer
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 11 sections
MD5:	C50FD06F02EDB960ECCB1FA95574A2A8
SHA1:	A152464E017A557A2514E4A928BE0AAECDD3AC23
SHA256:	78E1E350AA5525669F85E6972150B679D489A3787B6522F278AB40EA978DD65D
SSDEEP:	196608:GKAczKQppW//xE1BZLgThZb7zhwOaBDbiuyTXJqzv3:VzvW//8ohpfh9U3yTM3

.exe	\|	Inno Setup installer (67.7)
.exe	\|	Win32 EXE PECompact compressed (generic) (25.6)
.exe	\|	Win32 Executable (generic) (2.7)
.exe	\|	Win16/32 Executable Delphi generic (1.2)
.exe	\|	Generic Win/DOS Executable (1.2)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2025:01:08 15:36:35+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	2.25
CodeSize:	684032
InitializedDataSize:	371712
UninitializedDataSize:	-
EntryPoint:	0xa7f98
OSVersion:	6.1
ImageVersion:	-
SubsystemVersion:	6.1
Subsystem:	Windows GUI
FileVersionNumber:	2.5.4594.1
ProductVersionNumber:	2.5.4594.1
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
CompanyName:	Cisco Systems, Inc.
FileDescription:	Cisco Systems Setup
FileVersion:	2.5.4594.1
LegalCopyright:	Cisco Systems, Inc.
OriginalFileName:
ProductName:	Cisco Systems
ProductVersion:	2.5.4594.1


(PID) Process:	(4388) cisco-secure-client-win-5.0.05040-core-vpn-predeploy-k9.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}\Enum
Operation:	write	Name:	Implementing
Value: 1C00000001000000E907010003001D00150008001B001403010000001E768127E028094199FEB9D127C57AFE
(PID) Process:	(4388) cisco-secure-client-win-5.0.05040-core-vpn-predeploy-k9.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
Operation:	write	Name:	{2781761E-28E0-4109-99FE-B9D127C57AFE} {56FFCC30-D398-11D0-B2AE-00A0C908FA49} 0xFFFF
Value: 0100000000000000F92F12F19172DB01
(PID) Process:	(4388) cisco-secure-client-win-5.0.05040-core-vpn-predeploy-k9.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	CiscoClientAdmin
Value: "C:\ProgramData\CiscoMedia\client32.exe"
(PID) Process:	(1596) client32.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(1596) client32.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(1596) client32.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(3364) msiexec.exe	Key:	HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0001
Operation:	write	Name:	Owner
Value: 240D0000BED5ECF29172DB01
(PID) Process:	(3364) msiexec.exe	Key:	HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0001
Operation:	write	Name:	SessionHash
Value: AECC354191A4BA579C9B613DB2F36D7B1ACE254E5ADD1E7DFE356593B054C036
(PID) Process:	(3364) msiexec.exe	Key:	HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0001
Operation:	write	Name:	Sequence
Value: 1
(PID) Process:	(3364) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0BCC9A290DFF71244A5B9C6A9E364F24
Operation:	write	Name:	292005C41CB8461439E6512DAE85122F
Value: 02:\SYSTEM\CurrentControlSet\Services\Eventlog\Cisco Secure Client\csc_webhelper\

PID	Process	Filename		Type
4388	cisco-secure-client-win-5.0.05040-core-vpn-predeploy-k9.tmp	C:\Users\admin\AppData\Local\Temp\is-VKTTN.tmp\_isetup\_setup64.tmp		executable
		MD5:E4211D6D009757C078A9FAC7FF4F03D4	SHA256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
5872	cisco-secure-client-win-5.0.05040-core-vpn-predeploy-k9.exe	C:\Users\admin\AppData\Local\Temp\is-4V505.tmp\cisco-secure-client-win-5.0.05040-core-vpn-predeploy-k9.tmp		executable
		MD5:0C9B2469F1BBE633A84F87171FE068BE	SHA256:3919A8EFAA2FCF44C4B8215C647E811A38A8BD31C97825304E706BE41B0BDF24
4388	cisco-secure-client-win-5.0.05040-core-vpn-predeploy-k9.tmp	C:\Users\admin\AppData\Local\Temp\is-VKTTN.tmp\prflbmsg.mp3		compressed
		MD5:BCE64C218AB2D90739E1965F44EAEFC9	SHA256:38CB03BB108B88715D554D1141EB734B2DC25B63FC69C4B037E589CAA2E77BEC
4388	cisco-secure-client-win-5.0.05040-core-vpn-predeploy-k9.tmp	C:\ProgramData\CiscoMedia\AudioCapture.dll		executable
		MD5:2A82792F7B45D537EDFE58EB758C1197	SHA256:05AA13A6C1D18F691E552F04A996960917202A322D0DACFD330E553AD56978ED
4388	cisco-secure-client-win-5.0.05040-core-vpn-predeploy-k9.tmp	C:\ProgramData\CiscoMedia\getuname.dll		executable
		MD5:91C68038BFC064EA8FB6D432ACD38EE0	SHA256:68DE057C4175D4C94AFA2ACB2ABC1A9CCAC04A3CEB8E84C33F7F414BB8B0EEB6
4388	cisco-secure-client-win-5.0.05040-core-vpn-predeploy-k9.tmp	C:\ProgramData\CiscoMedia\client32.exe		executable
		MD5:1C19C2E97C5E6B30DE69EE684E6E5589	SHA256:312A0E4DB34A40CB95BA1FAC8BF87DEB45D0C5F048D38AC65EB060273B07DF67
4388	cisco-secure-client-win-5.0.05040-core-vpn-predeploy-k9.tmp	C:\ProgramData\CiscoMedia\client32.ini		text
		MD5:5BAEBFB74E32C8825003A20F6F3AF32C	SHA256:5D2E3E095E7C0DE4CF4C83F3EA81127E5C96FF88C7C601AD41FD8FF10AB89947
4388	cisco-secure-client-win-5.0.05040-core-vpn-predeploy-k9.tmp	C:\ProgramData\CiscoMedia\HTCTL32.DLL		executable
		MD5:3EED18B47412D3F91A394AE880B56ED2	SHA256:13A17F2AD9288AAC8941D895251604BEB9524FA3C65C781197841EE15480A13F
4388	cisco-secure-client-win-5.0.05040-core-vpn-predeploy-k9.tmp	C:\ProgramData\CiscoMedia\msidntld.dll		executable
		MD5:504E51418D856D664DB23DD55A61352D	SHA256:F190E142F402DE460455FF2D1835294A3E118BA74D76AA092AF49372BB9B76F4
4388	cisco-secure-client-win-5.0.05040-core-vpn-predeploy-k9.tmp	C:\ProgramData\CiscoMedia\msvcr100.dll		executable
		MD5:0E37FBFA79D349D672456923EC5FBBE3	SHA256:8793353461826FBD48F25EA8B835BE204B758CE7510DB2AF631B28850355BD18

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6068	svchost.exe	GET	200	2.16.164.72:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5496	RUXIMICS.exe	GET	200	2.16.164.72:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5496	RUXIMICS.exe	GET	200	23.219.150.101:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
6068	svchost.exe	GET	200	23.219.150.101:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	23.219.150.101:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
1596	client32.exe	POST	502	91.222.173.67:443	http://91.222.173.67/fakeurl.htm	unknown	—	—	unknown
1596	client32.exe	GET	200	104.26.1.231:80	http://geo.netsupportsoftware.com/location/loca.asp	unknown	—	—	malicious
3364	msiexec.exe	GET	200	2.23.77.188:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEAQJGBtf1btmdVNDtW%2BVUAg%3D	unknown	—	—	whitelisted
6540	vpnagent.exe	GET	—	72.163.1.80:80	http://mus.cisco.com/	unknown	—	—	whitelisted
3364	msiexec.exe	GET	200	2.23.77.188:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt%2BlGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEATsU0ch1gyF%2BeVfK%2Fce7QU%3D	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	92.123.104.11:443	—	Akamai International B.V.	DE	unknown
4	System	192.168.100.255:138	—	—	—	whitelisted
5496	RUXIMICS.exe	51.104.136.2:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	51.104.136.2:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
6068	svchost.exe	2.16.164.72:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
5496	RUXIMICS.exe	2.16.164.72:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
6068	svchost.exe	23.219.150.101:80	www.microsoft.com	AKAMAI-AS	CL	whitelisted
4712	MoUsoCoreWorker.exe	23.219.150.101:80	www.microsoft.com	AKAMAI-AS	CL	whitelisted
5496	RUXIMICS.exe	23.219.150.101:80	www.microsoft.com	AKAMAI-AS	CL	whitelisted
—	—	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted

Domain	IP	Reputation
google.com	142.250.186.142	whitelisted
crl.microsoft.com	2.16.164.72 2.16.164.120	whitelisted
www.microsoft.com	23.219.150.101	whitelisted
settings-win.data.microsoft.com	20.73.194.208	whitelisted
geo.netsupportsoftware.com	104.26.1.231 104.26.0.231 172.67.68.212	unknown
monagpt.com	91.222.173.67	unknown
mtsalesfunnel.com	199.188.200.195	unknown
ocsp.digicert.com	2.23.77.188	whitelisted
mus.cisco.com	72.163.1.80	whitelisted
www.bing.com	2.23.227.208 2.23.227.215	whitelisted

PID	Process	Class	Message
1596	client32.exe	Potential Corporate Privacy Violation	ET REMOTE_ACCESS NetSupport GeoLocation Lookup Request
1596	client32.exe	Potentially Bad Traffic	ET INFO HTTP traffic on port 443 (POST)
1596	client32.exe	Misc activity	ET REMOTE_ACCESS NetSupport Remote Admin Checkin
1596	client32.exe	Potentially Bad Traffic	ET INFO HTTP traffic on port 443 (POST)
1596	client32.exe	Misc activity	ET REMOTE_ACCESS NetSupport Remote Admin Checkin

General Info

cisco-secure-client-win-5.0.05040-core-vpn-predeploy-k9.exe

C50FD06F02EDB960ECCB1FA95574A2A8

A152464E017A557A2514E4A928BE0AAECDD3AC23

78E1E350AA5525669F85E6972150B679D489A3787B6522F278AB40EA978DD65D

196608:GKAczKQppW//xE1BZLgThZb7zhwOaBDbiuyTXJqzv3:VzvW//8ohpfh9U3yTM3

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

NETSUPPORT mutex has been found

Connects to the CnC server

Changes the autorun value in the registry

NETSUPPORT has been detected (YARA)

SUSPICIOUS

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

Reads the Windows owner or organization settings

Drop NetSupport executable file

The process drops C-runtime libraries

Process drops legitimate windows executable

Uses ICACLS.EXE to modify access control lists

Checks Windows Trust Settings

Executes application which crashes

Drops a system driver (possible attempt to evade defenses)

Potential Corporate Privacy Violation

The process creates files with name similar to system file names

Creates/Modifies COM task schedule object

Creates files in the driver directory

Creates or modifies Windows services

Executes as Windows Service

There is functionality for taking screenshot (YARA)

Reads Internet Explorer settings

INFO

Create files in a temporary directory

Checks supported languages

Reads the computer name

Process checks computer location settings

Creates files in the program directory

The sample compiled with english language support

Reads the machine GUID from the registry

Creates files or folders in the user directory

Reads the software policy settings

Reads Environment values

Checks proxy server information

Compiled with Borland Delphi (YARA)

Detects InnoSetup installer (YARA)

Executable content was dropped or overwritten

Creates or modifies Windows services

Application launched itself

Creates a software uninstall entry

Reads the time zone

Reads security settings of Internet Explorer

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information