Edit tour

Windows Analysis Report
FortiClientVPNOnlineInstaller.exe

Overview

General Information

Sample name:	FortiClientVPNOnlineInstaller.exe
Analysis ID:	1360892
MD5:	9bfa08538f94a78395b116666e90606b
SHA1:	9c62f61abded758772da22c16f825cdf40f00f92
SHA256:	d4ba0b587cccc005bc37ad17817fc4dbd123d357eb34ddf6b1dd63fa57343f2f

Detection

Score:	1
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

PE file contains sections with non-standard names

Queries disk information (often used to detect virtual machines)

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Classification

Process Tree

System is w10x64_ra

FortiClientVPNOnlineInstaller.exe (PID: 4620 cmdline: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe MD5: 9BFA08538F94A78395B116666E90606B)

cleanup

Joe Sandbox Signatures

• Compliance
• Networking
• System Summary
• Data Obfuscation
• Persistence and Installation Behavior
• Malware Analysis System Evasion

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: FortiClientVPNOnlineInstaller.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe

File created: C:\Users\user\AppData\Local\Temp\FCTInstall.log

Source: FortiClientVPNOnlineInstaller.exe

Static PE information: certificate valid

Source: FortiClientVPNOnlineInstaller.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: global traffic	HTTP traffic detected: POST /fdsupdate HTTP/1.1User-Agent: Mozilla/4.0 (compatible; FCT 7.2.2; Windows NT 5.1)Host: 173.243.138.98Cache-Control: no-cacheContent-Length: 464
Source: global traffic	HTTP traffic detected: POST /fdsupdate HTTP/1.1User-Agent: Mozilla/4.0 (compatible; FCT 7.2.2; Windows NT 5.1)Host: 173.243.138.108Cache-Control: no-cacheContent-Length: 464
Source: global traffic	HTTP traffic detected: POST /fdsupdate HTTP/1.1User-Agent: Mozilla/4.0 (compatible; FCT 7.2.2; Windows NT 5.1)Host: 173.243.138.108Cache-Control: no-cacheContent-Length: 472
Source: global traffic	HTTP traffic detected: POST /fdsupdate HTTP/1.1User-Agent: Mozilla/4.0 (compatible; FCT 7.2.2; Windows NT 5.1)Host: 173.243.138.98Cache-Control: no-cacheContent-Length: 472
Source: global traffic	HTTP traffic detected: POST /fdsupdate HTTP/1.1User-Agent: Mozilla/4.0 (compatible; FCT 7.2.2; Windows NT 5.1)Host: 173.243.138.99Cache-Control: no-cacheContent-Length: 472
Source: global traffic	HTTP traffic detected: POST /fdsupdate HTTP/1.1User-Agent: Mozilla/4.0 (compatible; FCT 7.2.2; Windows NT 5.1)Host: 208.184.237.75Cache-Control: no-cacheContent-Length: 472

Source: unknown	TCP traffic detected without corresponding DNS query: 173.243.138.108
Source: unknown	TCP traffic detected without corresponding DNS query: 173.243.138.108
Source: unknown	TCP traffic detected without corresponding DNS query: 173.243.138.108
Source: unknown	TCP traffic detected without corresponding DNS query: 173.243.138.108
Source: unknown	TCP traffic detected without corresponding DNS query: 173.243.138.108
Source: unknown	TCP traffic detected without corresponding DNS query: 173.243.138.108
Source: unknown	TCP traffic detected without corresponding DNS query: 173.243.138.108
Source: unknown	TCP traffic detected without corresponding DNS query: 173.243.138.108
Source: unknown	TCP traffic detected without corresponding DNS query: 173.243.138.108
Source: unknown	TCP traffic detected without corresponding DNS query: 173.243.138.108
Source: unknown	TCP traffic detected without corresponding DNS query: 173.243.138.108
Source: unknown	TCP traffic detected without corresponding DNS query: 173.243.138.108
Source: unknown	TCP traffic detected without corresponding DNS query: 173.243.138.108
Source: unknown	TCP traffic detected without corresponding DNS query: 173.243.138.108
Source: unknown	TCP traffic detected without corresponding DNS query: 173.243.138.108
Source: unknown	TCP traffic detected without corresponding DNS query: 173.243.138.108
Source: unknown	TCP traffic detected without corresponding DNS query: 173.243.138.108
Source: unknown	TCP traffic detected without corresponding DNS query: 173.243.138.108
Source: unknown	TCP traffic detected without corresponding DNS query: 173.243.138.108
Source: unknown	TCP traffic detected without corresponding DNS query: 173.243.138.108
Source: unknown	TCP traffic detected without corresponding DNS query: 173.243.138.108
Source: unknown	TCP traffic detected without corresponding DNS query: 173.243.138.108
Source: unknown	TCP traffic detected without corresponding DNS query: 173.243.138.108
Source: unknown	TCP traffic detected without corresponding DNS query: 173.243.138.108
Source: unknown	TCP traffic detected without corresponding DNS query: 173.243.138.108
Source: unknown	TCP traffic detected without corresponding DNS query: 173.243.138.108
Source: unknown	TCP traffic detected without corresponding DNS query: 173.243.138.108
Source: unknown	TCP traffic detected without corresponding DNS query: 173.243.138.108
Source: unknown	TCP traffic detected without corresponding DNS query: 173.243.138.108
Source: unknown	TCP traffic detected without corresponding DNS query: 173.243.138.108
Source: unknown	TCP traffic detected without corresponding DNS query: 173.243.138.108
Source: unknown	TCP traffic detected without corresponding DNS query: 173.243.138.108
Source: unknown	TCP traffic detected without corresponding DNS query: 173.243.138.108
Source: unknown	TCP traffic detected without corresponding DNS query: 173.243.138.108
Source: unknown	TCP traffic detected without corresponding DNS query: 173.243.138.108
Source: unknown	TCP traffic detected without corresponding DNS query: 173.243.138.108
Source: unknown	TCP traffic detected without corresponding DNS query: 173.243.138.108
Source: unknown	TCP traffic detected without corresponding DNS query: 173.243.138.108
Source: unknown	TCP traffic detected without corresponding DNS query: 173.243.138.108
Source: unknown	TCP traffic detected without corresponding DNS query: 173.243.138.108
Source: unknown	TCP traffic detected without corresponding DNS query: 173.243.138.108
Source: unknown	TCP traffic detected without corresponding DNS query: 173.243.138.108
Source: unknown	TCP traffic detected without corresponding DNS query: 173.243.138.108
Source: unknown	TCP traffic detected without corresponding DNS query: 173.243.138.108
Source: unknown	TCP traffic detected without corresponding DNS query: 173.243.138.108
Source: unknown	TCP traffic detected without corresponding DNS query: 173.243.138.108
Source: unknown	TCP traffic detected without corresponding DNS query: 173.243.138.108
Source: unknown	TCP traffic detected without corresponding DNS query: 173.243.138.108
Source: unknown	TCP traffic detected without corresponding DNS query: 173.243.138.108
Source: unknown	TCP traffic detected without corresponding DNS query: 173.243.138.108

Source: unknown

DNS traffic detected: queries for: forticlient.fortinet.net

Source: unknown

HTTP traffic detected: POST /fdsupdate HTTP/1.1User-Agent: Mozilla/4.0 (compatible; FCT 7.2.2; Windows NT 5.1)Host: 173.243.138.98Cache-Control: no-cacheContent-Length: 464

Source: FortiClientVPNOnlineInstaller.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: clean1.winEXE@1/4@2/43

Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\FC_{22CD96BF-E5B0-41d8-83ED-C73F9BBF9FA8}
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\FC_{4E84B682-0B1B-4826-AA4C-9241DE3920F7}

Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe

File created: C:\Users\user\AppData\Local\Temp\FCTInstall.log

Source: FortiClientVPNOnlineInstaller.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: FortiClientVPNOnlineInstaller.exe

Static PE information: certificate valid

Source: FortiClientVPNOnlineInstaller.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: FortiClientVPNOnlineInstaller.exe

Static file information: File size 4150848 > 1048576

Source: FortiClientVPNOnlineInstaller.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x2ec200

Source: FortiClientVPNOnlineInstaller.exe

Static PE information: More than 200 imports for KERNEL32.dll

Source: FortiClientVPNOnlineInstaller.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: FortiClientVPNOnlineInstaller.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: FortiClientVPNOnlineInstaller.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: FortiClientVPNOnlineInstaller.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: FortiClientVPNOnlineInstaller.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: FortiClientVPNOnlineInstaller.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: FortiClientVPNOnlineInstaller.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: FortiClientVPNOnlineInstaller.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: FortiClientVPNOnlineInstaller.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: FortiClientVPNOnlineInstaller.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: FortiClientVPNOnlineInstaller.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: FortiClientVPNOnlineInstaller.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: FortiClientVPNOnlineInstaller.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: FortiClientVPNOnlineInstaller.exe

Static PE information: section name: .didat

Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe

File created: C:\Users\user\AppData\Local\Temp\FCTInstall.log

Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe

File opened: PhysicalDrive0

Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe

Process information queried: ProcessInformation

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact	Resource Development	Reconnaissance
Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	1 Virtualization/Sandbox Evasion	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	2 Non-Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Abuse Accessibility Features	Acquire Infrastructure	Gather Victim Identity Information
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	12 Application Layer Protocol	SIM Card Swap	Obtain Device Cloud Backups	Network Denial of Service	Domains	Credentials
Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography			Data Encrypted for Impact	DNS Server	Email Addresses
Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	11 System Information Discovery	Distributed Component Object Model	Input Capture	Traffic Duplication	Protocol Impersonation			Data Destruction	Virtual Private Server	Employee Names

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

URLs

Source	Detection	Scanner	Label
http://173.243.138.98/fdsupdate	0%	Avira URL Cloud	safe
http://173.243.138.108/fdsupdate	0%	Avira URL Cloud	safe
http://173.243.138.99/fdsupdate	0%	Avira URL Cloud	safe
http://208.184.237.75/fdsupdate	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
forticlient.fortinet.net	173.243.138.98	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://173.243.138.99/fdsupdate	false	Avira URL Cloud: safe	unknown
http://173.243.138.98/fdsupdate	false	Avira URL Cloud: safe	unknown
http://173.243.138.108/fdsupdate	false	Avira URL Cloud: safe	unknown
http://208.184.237.75/fdsupdate	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
173.243.138.98	forticlient.fortinet.net	United States	40934	FORTINETUS	false
173.243.138.99	unknown	United States	40934	FORTINETUS	false
173.243.138.108	unknown	United States	40934	FORTINETUS	false
208.184.237.75	unknown	United States	17025	ZAYO-CUSTOMER-17025US	false

General Information

Joe Sandbox version:	38.0.0 Ammolite
Analysis ID:	1360892
Start date and time:	2023-12-12 23:18:23 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Sample name:	FortiClientVPNOnlineInstaller.exe
Detection:	CLEAN
Classification:	clean1.winEXE@1/4@2/43
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
VT rate limit hit for: FortiClientVPNOnlineInstaller.exe

Created / dropped Files

C:\Users\user\AppData\Local\Temp\FCTInstall.log

Download File

Process:	C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1156
Entropy (8bit):	4.687533735098527
Encrypted:	false
SSDEEP:
MD5:	6A4509C88DAAB8C0DDBA9FB88FB8C156
SHA1:	3AF8086C84A61827B4EE31F300253D283D8C7F4A
SHA-256:	716E111FA236DDD28BA251759F1D38CBD91E21193FD3364045FBC12982D49693
SHA-512:	8729E28478BCEC12C5BD3491F8EFAFE7B77AF7AB5C47A5B7EAB0C76B83561BBD42F96D14F8AA9C10D1F0731AE04F1757BA07BDC30EF6FDEF8D6353938BAB3941
Malicious:	false
Reputation:	low
Preview:	Wed Dec 13 01:02:42 2023 - Server list:..Wed Dec 13 01:02:42 2023 - .173.243.138.108 TZ1..Wed Dec 13 01:02:42 2023 - .173.243.138.98 TZ6..Wed Dec 13 01:02:42 2023 - .173.243.138.99 TZ9..Wed Dec 13 01:02:42 2023 - .208.184.237.75 TZ9..Wed Dec 13 01:02:42 2023 - begin download...Wed Dec 13 01:02:42 2023 - downloading server list...Wed Dec 13 01:02:42 2023 - downloading image table, server 173.243.138.108..Wed Dec 13 01:02:44 2023 - Highest available image found: 07002000FIMG03028-00002.00002...Wed Dec 13 01:02:44 2023 - This image is version: 7.2.2...Wed Dec 13 01:02:44 2023 - downloading image 07002000FIMG03028-00002.00002..Wed Dec 13 01:02:44 2023 - downloading image from server: 173.243.138.108..Wed Dec 13 01:02:46 2023 - downloading image 07002000FIMG03028-00002.00002..Wed Dec 13 01:02:46 2023 - downloading image from server: 173.243.138.98..Wed Dec 13 01:02:46 2023 - downloading image 07002000FIMG03028-00002.00002..Wed Dec 13 01:02:46 2023 - downloading image from server: 173.243.13

C:\Users\user\AppData\Local\Temp\obj_1_a06472

Download File

Process:	C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe
File Type:	data
Category:	modified
Size (bytes):	12615808
Entropy (8bit):	7.992723359901509
Encrypted:	true
SSDEEP:
MD5:	48C4BE26935FA6A1840135D4D361B638
SHA1:	450AD3E1F4E3D998E245E2F6D622811CB3B109BE
SHA-256:	D5002400B927200004C048EE1F8C51D2BD5C8D267D74965522FA5CE8C51F7D88
SHA-512:	FE45A43676BE77A424470777024CBADF5558B50083B7F4E3A79870DB150DECD98596EE2E1E5C00A058FADDCCE20A5FA1B47BAF751D14C1B661D70A767D3C95FD
Malicious:	false
Reputation:	low
Preview:	FIMGFirmware Image......02002231004172628030............0700200000000.......MR2-GA-P2........................................D.83T...u...\....I,.l...D.?.W......7.}6."N.,F......t.O..E.......5.....{.y."......3H.0.\.k......M.+.x..>.N.........ch..'.0.gm.8.:.].:..\....7KU.B.>.V.......o....r......K`.K..h.)^.xp...1.N...CdI,;D.%..T.ec-....N3N....E...S.f.t..y...0...8.\.;:.........f.....s.ugG.6(.....:...!N..>.<...=..Ye.Y.g\|...Bi{....0h......i.>..~.q.......o.H.o...8(..K%L!.=!3.~8..O..:.\...bO..71......e.<0.)~..l......i..{.0....P.h...........!.rb.~%......A.WZ..y^....t...F../~..\|.....xL..8.g....:..t\..g.".....G.B2...1..IUp.T?'.o.../m,.7_. -..va1.pE..y.?S?..&....s={4G .....k.~...... ..Ne...v...\|.`T.....m?..gf..~...J_.p..&Nv..1.a..{.e"./Ez?..OG.eHk..D..............P.=.$.......G.\|7.d,.%\|...L.%._.\...#...;..f...g9+.;.q....x..8Q.....N...9w....E.E2.....O;..-....e*..+-v._..Z...'.x...V./..p6.c-T...V..kp.3d.a.....F........1.5....w..i..".:...5

C:\Users\user\AppData\Local\Temp\obj_1_a06472__unpacked

Download File

Process:	C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	957244
Entropy (8bit):	4.0246897048554695
Encrypted:	false
SSDEEP:
MD5:	924DA643ACB63F322605C53E7C3514FA
SHA1:	2E63DD2205939890F716CFA289F48B8DAF6C7F6C
SHA-256:	F1F7E735F17D7A166D0563A85094698FD10595F0C7E5DB19564D7DE4F8582EB2
SHA-512:	6AE1481A1A13C9EFCA3752720BC14791DE8EA375842B9453C541EADA6358F0EBFA61C674AD170C30445D8F1B3A96998B76A034C7658F7174614CB66DA3A0E829
Malicious:	false
Reputation:	low
Preview:	L FAP FAP11C FIMG 5.0.7 05000000FIMG05005-00000.00007 MR0-GA-P07.L FAP FAP11C FIMG 5.0.8 05000000FIMG05005-00000.00008 MR0-GA-P08.L FAP FAP11C FIMG 5.0.9 05000000FIMG05005-00000.00009 MR0-GA-P09.L FAP FAP11C FIMG 5.0.10 05000000FIMG05005-00000.00010 MR0-GA-P10.L FAP FAP11C FIMG 5.2.0 05002000FIMG05005-00002.00000 MR0-GA-P00.L FAP FAP11C FIMG 5.2.2 05002000FIMG05005-00002.00002 MR0-GA-P02.L FAP FAP11C FIMG 5.2.3 05002000FIMG05005-00002.00003 MR0-GA-P03.L FAP FAP11C FIMG 5.2.4 05002000FIMG05005-00002.00004 MR0-GA-P04.L FAP FAP11C FIMG 5.2.6 05002000FIMG05005-00002.00006 MR0-GA-P06.L FAP FAP11C FIMG 5.2.7 05002000FIMG05005-00002.00007 MR0-GA-P07.L FAP FAP11C FIMG 5.4.0 05004000FIMG05005-00004.00000 MR0-GA-P00.L FAP FAP11C FIMG 5.4.1 05004000FIMG05005-00004.00001 MR0-GA-P01.L FAP FAP11C FIMG 5.4.2 05004000FIMG05005-00004.00002 MR0-GA-P02.L FAP FAP11C FIMG 5.4.3 05004000FIMG05005-00004.00003 MR0-GA-P03.L FAP FAP11C FIMG 5.4.4 05004000FIMG05005-00004.00004 MR0-GA-P04.L FAP FAP11C FIMG 5.6.0

Instruction
call 00007F49FC9C0B70h
jmp 00007F49FC9C0267h
push ebp
mov ebp, esp
pop ebp
jmp 00007F49FC9BF8DEh
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
call 00007F49FC9C0467h
push 00000000h
call 00007F49FC9BFADAh
pop ecx
test al, al
je 00007F49FC9C0450h
push 004E3780h
call 00007F49FC9BFC7Bh
pop ecx
xor eax, eax
ret
push 00000007h
call 00007F49FC9C087Dh
int3
push esi
push edi
push 00000FA0h
push 007AB224h
call dword ptr [006EE230h]
push 006F71C0h
call dword ptr [006EE044h]
mov esi, eax
test esi, esi
jne 00007F49FC9C0453h
push 007864F0h
call dword ptr [006EE044h]
mov esi, eax
test esi, esi
je 00007F49FC9C0488h
push 006F7204h
push esi
call dword ptr [006EE048h]
push 006F7220h
push esi
mov edi, eax
call dword ptr [006EE048h]
test edi, edi
je 00007F49FC9C0454h
test eax, eax
je 00007F49FC9C0450h
mov dword ptr [007AB23Ch], edi
mov dword ptr [007AB240h], eax
pop edi
pop esi
ret
xor eax, eax
push eax
push eax
push 00000001h
push eax
call dword ptr [006EE0A4h]
mov dword ptr [007AB220h], eax
test eax, eax
jne 00007F49FC9C0429h
push 00000007h
call 00007F49FC9C07FBh

VerSetConditionMask, GetCommandLineW, DecodePointer, CloseHandle, RaiseException, GetLastError, SetLastError, InitializeCriticalSectionEx, DeleteCriticalSection, CreateMutexW, OpenMutexW, GetCurrentProcess, GetCurrentProcessId, OpenProcess, GetSystemDirectoryW, FreeLibrary, GetModuleFileNameW, GetModuleHandleW, GetProcAddress, LoadLibraryExW, LoadResource, SizeofResource, SetDefaultDllDirectories, LocalFree, lstrcmpiW, LoadLibraryW, FindResourceW, SetSearchPathMode, VerifyVersionInfoW, MultiByteToWideChar, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, DeleteFileW, FindClose, FindFirstFileW, FindNextFileW, GetFileAttributesW, SetFileAttributesW, SetEvent, WaitForSingleObject, CreateEventW, TerminateThread, ProcessIdToSessionId, Sleep, CreateThread, GetTickCount, WaitForMultipleObjects, GetTimeZoneInformation, WideCharToMultiByte, GetLocaleInfoW, ExpandEnvironmentStringsW, SetCurrentDirectoryW, GetFullPathNameW, GetTempPathW, CancelIo, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, SetWaitableTimer, CancelWaitableTimer, GetExitCodeProcess, GetCurrentThreadId, CreateProcessW, CreateWaitableTimerW, GetUserDefaultLCID, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, GetEnvironmentVariableW, SearchPathW, CreateFileW, GetCurrentDirectoryW, GetFileSize, QueryPerformanceCounter, ReadFile, GetFileSizeEx, FileTimeToSystemTime, DeviceIoControl, GetVersionExW, CreateNamedPipeW, WaitForMultipleObjectsEx, ReleaseMutex, DisconnectNamedPipe, OutputDebugStringW, ResetEvent, GetOverlappedResult, ConnectNamedPipe, FlushFileBuffers, GetLongPathNameW, K32EnumProcesses, GetWindowsDirectoryW, WTSGetActiveConsoleSessionId, GetComputerNameW, GetVolumeInformationW, SetThreadLocale, GetUserDefaultUILanguage, GetACP, LocalAlloc, SetNamedPipeHandleState, WriteFile, WaitNamedPipeW, TlsSetValue, GetFullPathNameA, UnmapViewOfFile, GetLogicalDriveStringsW, GetFileAttributesExW, TlsAlloc, TlsGetValue, CreateFileMappingW, MapViewOfFile, GetDriveTypeW, QueryDosDeviceW, GetLogicalDrives, FindFirstVolumeMountPointW, FindFirstVolumeW, HeapFree, FindVolumeMountPointClose, TerminateProcess, K32GetModuleFileNameExW, GetVolumePathNameW, HeapSize, GetVolumeNameForVolumeMountPointW, FindNextVolumeMountPointW, HeapReAlloc, HeapAlloc, HeapDestroy, ReadProcessMemory, FindVolumeClose, GetProcessHeap, FindNextVolumeW, OpenThread, OpenEventW, GetSystemDirectoryA, GetLocalTime, GetCurrentThread, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsProcessorFeaturePresent, InitializeCriticalSectionAndSpinCount, WaitForSingleObjectEx, IsDebuggerPresent, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, EncodePointer, InterlockedPopEntrySList, InterlockedPushEntrySList, FlushInstructionCache, VirtualAlloc, VirtualFree, SetConsoleMode, GetSystemTime, SystemTimeToFileTime, FormatMessageA, GetStringTypeW, CreateDirectoryW, FindFirstFileExW, GetDiskFreeSpaceExW, GetFileInformationByHandle, GetFinalPathNameByHandleW, SetFileInformationByHandle, SetFileTime, AreFileApisANSI, CreateDirectoryExW, CopyFileW, MoveFileExW, CreateHardLinkW, GetFileInformationByHandleEx, CreateSymbolicLinkW, GetLocaleInfoEx, QueryPerformanceFrequency, LCMapStringEx, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, InitializeSRWLock, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, TryAcquireSRWLockExclusive, InitOnceExecuteOnce, InitializeConditionVariable, WakeConditionVariable, WakeAllConditionVariable, SleepConditionVariableCS, SleepConditionVariableSRW, CreateEventExW, CreateSemaphoreExW, FlushProcessWriteBuffers, GetCurrentProcessorNumber, GetTickCount64, FreeLibraryWhenCallbackReturns, CreateThreadpoolWork, SubmitThreadpoolWork, CloseThreadpoolWork, CreateThreadpoolTimer, SetThreadpoolTimer, WaitForThreadpoolTimerCallbacks, CloseThreadpoolTimer, CreateThreadpoolWait, SetThreadpoolWait, CloseThreadpoolWait, CompareStringEx, GetCPInfo, RtlUnwind, InterlockedFlushSList, TlsFree, GetFileType, PeekNamedPipe, SystemTimeToTzSpecificLocalTime, ExitProcess, GetModuleHandleExW, GetModuleFileNameA, GetStdHandle, SetFilePointerEx, GetConsoleMode, ReadConsoleW, GetConsoleCP, GetDateFormatW, GetTimeFormatW, CompareStringW, LCMapStringW, IsValidLocale, EnumSystemLocalesW, SetStdHandle, SetEndOfFile, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCommandLineA, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetEnvironmentVariableW, SetConsoleCtrlHandler, OutputDebugStringA, WriteConsoleW, VirtualLock, SwitchToFiber, DeleteFiber, CreateFiberEx, LoadLibraryA, ConvertFiberToThread, ConvertThreadToFiberEx, GlobalMemoryStatus, ReadConsoleA

ncrypt.dll

BCryptGenRandom

Exports

Name	Ordinal	Address
BeginHttpRequest	1	0x4d87c0
BeginHttpResponse	2	0x4d8850
FCP_add_param	3	0x4d5900
FCP_append_objdata_ff	4	0x4d5950
FCP_break_obj_header	5	0x4d5ca0
FCP_breakup_data_item	6	0x4d5da0
FCP_calculate_obj_head_chksum	7	0x4d7c40
FCP_chk_partial_obj_files	8	0x4d5e20
FCP_cleanup	9	0x4d60b0
FCP_clear_object_storage	10	0x4d60c0
FCP_clear_package	11	0x4d6140
FCP_clear_params	12	0x4d61b0
FCP_clear_request	13	0x4d61f0
FCP_clear_response	14	0x4d6250
FCP_combine_params	15	0x4d62c0
FCP_create_package_hdr	16	0x4d7c70
FCP_del_param	17	0x4d6410
FCP_delete_file	18	0x4d6450
FCP_get_file_size	19	0x4d6480
FCP_get_obj_resume_info	20	0x4d64d0
FCP_get_object_desc	21	0x4d6680
FCP_get_param	22	0x4d66c0
FCP_init_object_storage	23	0x4d6700
FCP_init_package	24	0x4d6730
FCP_init_params	25	0x4d6770
FCP_init_request	26	0x4d67a0
FCP_init_request_for_sending	27	0x4d67d0
FCP_init_response	28	0x4d6860
FCP_init_response_for_sending	29	0x4d6880
FCP_initialize	30	0x4d6910
FCP_load_object	31	0x4d6920
FCP_load_package	32	0x4d6a10
FCP_pack_obj	33	0x4d7d40
FCP_parse_params	34	0x4d6ff0
FCP_recv_request	35	0x4d7110
FCP_recv_response	36	0x4d72b0
FCP_send_n_recv	37	0x4d7450
FCP_send_object	38	0x4d7490
FCP_send_request	39	0x4d75c0
FCP_send_response	40	0x4d75f0
FCP_set_param	41	0x4d7620
FCP_unpack_obj	42	0x4d7f70
FCP_unpack_obj_ff	43	0x4d81f0
FCP_unpack_obj_fnfn	44	0x4d8480
FCP_verify_object_hdr	45	0x4d8530
FCP_verify_package_hdr	46	0x4d8570
FR_cleanup	47	0x4d8930
FR_close	48	0x4d8940
FR_connect	49	0x4d8960
FR_connected	50	0x4d8970
FR_get_local_addr	51	0x4d8990
FR_initialize	52	0x4d89e0
FR_read	53	0x4d8a40
FR_write	54	0x4d8a60

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	Taiwan
Danish	Denmark
German	Germany
English	United States
French	France
Hungarian	Hungary
Japanese	Japan
Korean	North Korea
Korean	South Korea
Portuguese	Brazil
Russian	Russia
Estonian	Estonia
Lithuanian	Lithuania
Chinese	China

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.796242445608833
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	FortiClientVPNOnlineInstaller.exe
File size:	4'150'848 bytes
MD5:	9bfa08538f94a78395b116666e90606b
SHA1:	9c62f61abded758772da22c16f825cdf40f00f92
SHA256:	d4ba0b587cccc005bc37ad17817fc4dbd123d357eb34ddf6b1dd63fa57343f2f
SHA512:	cfb1d911786c0e4b55e5d45bf392ed30a5f4c6843ce4d6ddfa3af3f219ce341e76ea376db2ea0cbf3421364c49920241d85075b062585a127d144942dc5e40c2
SSDEEP:	49152:g9enMTO4Hht2GrgsTeu8T1a0ymq0O493Ej4LA6aKIpmb4RV/TVXUrPhTHlzuw2t3:g9ensr3a4hms4F+7XVXgTHYJOE/
TLSH:	8A169E12FFC28171E9E7417912FAB77E1E3DA830973485D387D059AA89301C17A3EB96
File Content Preview:	MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$........e.)C.zzC.zzC.zz...zQ.zz...z..zz...z^.zz.z.zJ.zz.z~{P.zz.zy{X.zz...zF.zzC.zz[.zz.m~{..zzW{s{u.zz.z.{#.zz...zG.zzC.{z..zzW{~{G.z

Entrypoint:	0x4e36b0
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x651D8533 [Wed Oct 4 15:30:59 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	7e218f80af54cd99fa3c7a5cdc029310

Signature Valid:	true
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	07/06/2021 02:00:00 10/07/2024 01:59:59
Subject Chain	CN=Fortinet Technologies (Canada) ULC, O=Fortinet Technologies (Canada) ULC, L=Burnaby, S=British Columbia, C=CA
Version:	3
Thumbprint MD5:	0FC41099213427CBB151F9BCEB0999A3
Thumbprint SHA-1:	0F38EA0AA959EA336C743AE18DC9E60A4FD58665
Thumbprint SHA-256:	2946B2BB26811170F8E10F1643DDC020888162D9F53073100FE5A408872285EE
Serial:	0862DFFEC6E9332BFA93B2F187863642

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x3a1360	0x624	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3a1984	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3b1000	0x29ec8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x3f2e00	0x2840	.reloc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x3db000	0x22304	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x393210	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x393300	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x2f7100	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2ee000	0x3f0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x39f900	0x240	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2ec12d	0x2ec200	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2ee000	0xb516c	0xb5200	False	0.41724896480331264	data	5.662026650947333	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3a4000	0xb454	0x4c00	False	0.3961245888157895	data	5.426205803518961	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didat	0x3b0000	0x434	0x600	False	0.3580729166666667	data	3.655828090476488	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x3b1000	0x29ec8	0x2a000	False	0.6871628534226191	data	6.92369773764398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x3db000	0x22304	0x22400	False	0.6246222057481752	data	6.690192436624053	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
REGISTRY	0x3b4ff8	0xc3	ASCII text, with CRLF line terminators			0.6512820512820513
RT_ICON	0x3b55a8	0x3d9	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced			1.0111675126903554
RT_ICON	0x3b5988	0x725	PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced			1.0060142154182614
RT_ICON	0x3b60b0	0xb07	PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced			1.003896563939072
RT_ICON	0x3b6bb8	0x14e3	PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced			1.002057228352347
RT_ICON	0x3b80a0	0x1fac	PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced			1.0013566847557966
RT_ICON	0x3ba050	0x3877	PNG image data, 96 x 96, 8-bit/color RGBA, non-interlaced			1.0007609823590453
RT_ICON	0x3bd8c8	0x554b	PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced			1.0007327684909548
RT_ICON	0x3c2e18	0xac4d	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced			0.9978915867510032
RT_ICON	0x3cdae0	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640			0.2647849462365591
RT_MENU	0x3b2608	0x22	Matlab v4 mat-file (little endian) \326S\210m\337\216\324\232GS\032}, numeric, rows 7143568, columns 6881377, imaginary	Chinese	Taiwan	1.1764705882352942
RT_MENU	0x3b4fa8	0x4c	Matlab v4 mat-file (little endian) A, numeric, rows 7143568, columns 6881377, imaginary	Danish	Denmark	0.881578947368421
RT_MENU	0x3b33d8	0x48	Matlab v4 mat-file (little endian) S, numeric, rows 7143568, columns 6881377, imaginary	German	Germany	0.8888888888888888
RT_MENU	0x3b20b8	0x42	Matlab v4 mat-file (little endian) C, numeric, rows 7143568, columns 6881377, imaginary	English	United States	0.9090909090909091
RT_MENU	0x3b2f98	0x5a	Matlab v4 mat-file (little endian) A, numeric, rows 7143568, columns 6881377, imaginary	French	France	0.8111111111111111
RT_MENU	0x3b43d8	0x52	Matlab v4 mat-file (little endian) S, numeric, rows 7143568, columns 6881377, imaginary	Hungarian	Hungary	0.8902439024390244
RT_MENU	0x3b2ba0	0x38	Matlab v4 mat-file (little endian) \2750\3250\3100\2460\2470\2420\2420\3030\3270\3070\3740\3100\2550\3430\3630\2730\3530, numeric, rows 7143568, columns 6881377, imaginary	Japanese	Japan	1.0714285714285714
RT_MENU	0x3b28f0	0x30	Matlab v4 mat-file (little endian) \214\301\004\325\270\322\350\306\264\305 , numeric, rows 7143568, columns 6881377, imaginary	Korean	North Korea	1.1458333333333333
RT_MENU	0x3b28f0	0x30	Matlab v4 mat-file (little endian) \214\301\004\325\270\322\350\306\264\305 , numeric, rows 7143568, columns 6881377, imaginary	Korean	South Korea	1.1458333333333333
RT_MENU	0x3b3c28	0x5a	Matlab v4 mat-file (little endian) C, numeric, rows 7143568, columns 6881377, imaginary	Portuguese	Brazil	0.8222222222222222
RT_MENU	0x3b4048	0x42	data	Russian	Russia	0.9393939393939394
RT_MENU	0x3b47b0	0x4e	Matlab v4 mat-file (little endian) K, numeric, rows 7143568, columns 6881377, imaginary	Estonian	Estonia	0.8076923076923077
RT_MENU	0x3b4bb8	0x66	Matlab v4 mat-file (little endian) A, numeric, rows 7143568, columns 6881377, imaginary	Lithuanian	Lithuania	0.7941176470588235
RT_MENU	0x3b2370	0x22	Matlab v4 mat-file (little endian) \326S\210mo\217\366NGS\247~, numeric, rows 7143568, columns 6881377, imaginary	Chinese	China	1.1470588235294117
RT_MENU	0x3b3808	0x5a	Matlab v4 mat-file (little endian) C, numeric, rows 7143568, columns 6881377, imaginary			0.8444444444444444
RT_DIALOG	0x3b2398	0x100	data	Chinese	Taiwan	0.7109375
RT_DIALOG	0x3b4c20	0x128	data	Danish	Denmark	0.6587837837837838
RT_DIALOG	0x3b2ff8	0x12e	data	German	Germany	0.6423841059602649
RT_DIALOG	0x3b1d20	0x110	data	English	United States	0.6617647058823529
RT_DIALOG	0x3b2bd8	0x112	data	French	France	0.6788321167883211
RT_DIALOG	0x3b4090	0x10e	data	Hungarian	Hungary	0.7111111111111111
RT_DIALOG	0x3b2920	0xf8	data	Japanese	Japan	0.7620967741935484
RT_DIALOG	0x3b2630	0xf4	data	Korean	North Korea	0.7622950819672131
RT_DIALOG	0x3b2630	0xf4	data	Korean	South Korea	0.7622950819672131
RT_DIALOG	0x3b3868	0x11a	data	Portuguese	Brazil	0.6595744680851063
RT_DIALOG	0x3b3c88	0x114	data	Russian	Russia	0.6884057971014492
RT_DIALOG	0x3b4430	0x114	data	Estonian	Estonia	0.6666666666666666
RT_DIALOG	0x3b4800	0x126	data	Lithuanian	Lithuania	0.6462585034013606
RT_DIALOG	0x3b2100	0x100	data	Chinese	China	0.71484375
RT_DIALOG	0x3b3420	0x122	data			0.6620689655172414
RT_DIALOG	0x3b2498	0x16c	data	Chinese	Taiwan	0.6868131868131868
RT_DIALOG	0x3b4d48	0x25e	data	Danish	Denmark	0.504950495049505
RT_DIALOG	0x3b3128	0x2b0	data	German	Germany	0.48691860465116277
RT_DIALOG	0x3b1e30	0x282	data	English	United States	0.48442367601246106
RT_DIALOG	0x3b2cf0	0x2a6	data	French	France	0.48672566371681414
RT_DIALOG	0x3b41a0	0x238	data	Hungarian	Hungary	0.5264084507042254
RT_DIALOG	0x3b2a18	0x188	data	Japanese	Japan	0.6760204081632653
RT_DIALOG	0x3b2728	0x1c2	data	Korean	North Korea	0.6711111111111111
RT_DIALOG	0x3b2728	0x1c2	data	Korean	South Korea	0.6711111111111111
RT_DIALOG	0x3b3988	0x29e	data	Portuguese	Brazil	0.48059701492537316
RT_DIALOG	0x3b3da0	0x2a6	data	Russian	Russia	0.4911504424778761
RT_DIALOG	0x3b4548	0x268	data	Estonian	Estonia	0.5081168831168831
RT_DIALOG	0x3b4928	0x28e	data	Lithuanian	Lithuania	0.48623853211009177
RT_DIALOG	0x3b2200	0x170	data	Chinese	China	0.6766304347826086
RT_DIALOG	0x3b3548	0x2ba	data			0.4584527220630373
RT_STRING	0x3cf540	0x10c	data	Chinese	Taiwan	0.7873134328358209
RT_STRING	0x3d9d38	0x2b0	data	Danish	Denmark	0.4055232558139535
RT_STRING	0x3d2278	0x30e	data	German	Germany	0.4143222506393862
RT_STRING	0x3cdde0	0x26a	data	English	United States	0.42718446601941745
RT_STRING	0x3d1008	0x2f0	data	French	France	0.4162234042553192
RT_STRING	0x3d69a0	0x2ac	data	Hungarian	Hungary	0.4853801169590643
RT_STRING	0x3d0668	0x176	data	Japanese	Japan	0.5855614973262032
RT_STRING	0x3cfc80	0x172	data	Korean	North Korea	0.7216216216216216
RT_STRING	0x3cfc80	0x172	data	Korean	South Korea	0.7216216216216216
RT_STRING	0x3d4798	0x2ce	data	Portuguese	Brazil	0.41225626740947074
RT_STRING	0x3d5940	0x25e	data	Russian	Russia	0.5181518151815182
RT_STRING	0x3d7ab0	0x2a2	data	Estonian	Estonia	0.4406528189910979
RT_STRING	0x3d8bc0	0x26e	data	Lithuanian	Lithuania	0.4533762057877814
RT_STRING	0x3cee18	0x108	data	Chinese	China	0.7727272727272727
RT_STRING	0x3d3550	0x2e4	data			0.40945945945945944
RT_STRING	0x3cf840	0x14a	data	Chinese	Taiwan	0.696969696969697
RT_STRING	0x3da328	0x3ac	data	Danish	Denmark	0.3553191489361702
RT_STRING	0x3d28f0	0x3c6	data	German	Germany	0.3944099378881988
RT_STRING	0x3ce320	0x354	data	English	United States	0.3673708920187793
RT_STRING	0x3d1650	0x3d6	data	French	France	0.36761710794297353
RT_STRING	0x3d6f48	0x3b2	data	Hungarian	Hungary	0.4143763213530655
RT_STRING	0x3d0980	0x1e6	data	Japanese	Japan	0.5946502057613169
RT_STRING	0x3cfff0	0x1bc	data	Korean	North Korea	0.6036036036036037
RT_STRING	0x3cfff0	0x1bc	data	Korean	South Korea	0.6036036036036037
RT_STRING	0x3d4d88	0x3a8	data	Portuguese	Brazil	0.3888888888888889
RT_STRING	0x3d5e98	0x362	data	Russian	Russia	0.4214780600461894
RT_STRING	0x3d8028	0x3c2	data	Estonian	Estonia	0.35550935550935553
RT_STRING	0x3d9128	0x36a	data	Lithuanian	Lithuania	0.41533180778032036
RT_STRING	0x3cf110	0x14c	data	Chinese	China	0.6897590361445783
RT_STRING	0x3d3b48	0x39a	data			0.36984815618221256
RT_STRING	0x3cf990	0x2ea	data	Chinese	Taiwan	0.5294906166219839
RT_STRING	0x3da6d8	0x7f0	data	Danish	Denmark	0.2785433070866142
RT_STRING	0x3d2cb8	0x896	data	German	Germany	0.26524112829845314
RT_STRING	0x3ce678	0x79c	data	English	United States	0.27618069815195073
RT_STRING	0x3d1a28	0x84a	data	French	France	0.2822808671065033
RT_STRING	0x3d7300	0x7ae	data	Hungarian	Hungary	0.32044760935910477
RT_STRING	0x3d0b68	0x49a	data	Japanese	Japan	0.44482173174872663
RT_STRING	0x3d01b0	0x4b4	data	Korean	North Korea	0.48588039867109634
RT_STRING	0x3d01b0	0x4b4	data	Korean	South Korea	0.48588039867109634
RT_STRING	0x3d5130	0x810	data	Portuguese	Brazil	0.2916666666666667
RT_STRING	0x3d6200	0x79c	data	Russian	Russia	0.3203285420944558
RT_STRING	0x3d83f0	0x7d0	data	Estonian	Estonia	0.2765
RT_STRING	0x3d9498	0x8a0	data	Lithuanian	Lithuania	0.291213768115942
RT_STRING	0x3cf260	0x2e0	data	Chinese	China	0.529891304347826
RT_STRING	0x3d3ee8	0x8aa	data			0.2799819657348963
RT_STRING	0x3cf650	0x1f0	data	Chinese	Taiwan	0.6290322580645161
RT_STRING	0x3d9fe8	0x340	data	Danish	Denmark	0.390625
RT_STRING	0x3d2588	0x368	data	German	Germany	0.4013761467889908
RT_STRING	0x3ce050	0x2cc	data	English	United States	0.41480446927374304
RT_STRING	0x3d12f8	0x354	data	French	France	0.41431924882629106
RT_STRING	0x3d6c50	0x2f8	data	Hungarian	Hungary	0.4644736842105263
RT_STRING	0x3d07e0	0x19c	data	Japanese	Japan	0.6310679611650486
RT_STRING	0x3cfdf8	0x1f4	data	Korean	North Korea	0.702
RT_STRING	0x3cfdf8	0x1f4	data	Korean	South Korea	0.702
RT_STRING	0x3d4a68	0x31c	data	Portuguese	Brazil	0.42085427135678394
RT_STRING	0x3d5ba0	0x2f6	data	Russian	Russia	0.45910290237467016
RT_STRING	0x3d7d58	0x2d0	data	Estonian	Estonia	0.42777777777777776
RT_STRING	0x3d8e30	0x2f2	data	Lithuanian	Lithuania	0.4403183023872679
RT_STRING	0x3cef20	0x1ea	data	Chinese	China	0.6224489795918368
RT_STRING	0x3d3838	0x30e	data			0.40281329923273657
RT_GROUP_ICON	0x3cda68	0x76	data			0.7372881355932204
RT_GROUP_ICON	0x3cddc8	0x14	data			1.25
RT_MANIFEST	0x3b50c0	0x4e3	XML 1.0 document, ASCII text, with CRLF line terminators			0.4580335731414868

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report FortiClientVPNOnlineInstaller.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Malware Analysis System Evasion

Mitre Att&ck Matrix

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

General Information

Warnings

Created / dropped Files

C:\Users\user\AppData\Local\Temp\FCTInstall.log

C:\Users\user\AppData\Local\Temp\obj_1_a06472

C:\Users\user\AppData\Local\Temp\obj_1_a06472__unpacked

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Windows Analysis Report
FortiClientVPNOnlineInstaller.exe