Windows Analysis Report
FortiClientVPNOnlineInstaller.exe

Overview

General Information

Sample name: FortiClientVPNOnlineInstaller.exe
Analysis ID: 1466699
MD5: 11bfc265fc53ac4756e4ef2759ca10eb
SHA1: e3d2bf11618c39dfd036bb33ea96aa5f989fed25
SHA256: 2e520faa2b71ba56643153b77c2908c0d6da34a2f6f9abaa7cbadab9278dc99e

Detection

Score: 20
Range: 0 - 100
Whitelisted: false
Confidence: 0%

Signatures

Drops large PE files
Adds / modifies Windows certificates
Checks for available system drives (often done to infect USB drives)
Drops PE files
Drops certificate files (DER)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Stores large binary data to the registry
Uses 32bit PE files

Classification

Source: FortiClientVPNOnlineInstaller.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe File created: C:\Users\user\AppData\Local\Temp\FCTInstall.log
Source: FortiClientVPNOnlineInstaller.exe Static PE information: certificate valid
Source: FortiClientVPNOnlineInstaller.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: C:\jenkins\FCT0\GIT_CLONE_PARENT\FortiClientHS\Installation\WiX\FCT_Enterprise\FCSetupWx\x64\Release\FCSetupWx.pdb source: MSI88FD.tmp.5.dr
Source: Binary string: C:\jenkins\FCT0\GIT_CLONE_PARENT\FortiClientHS\Release\Bootstrapper_x64.pdb source: FortiClientVPN.exe, 00000005.00000000.3331110950.0000000000239000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: C:\jenkins\EMS0\GIT_CLONE_PARENT\FortiClientEMS\Release\SendFailureReport.pdb source: FortiClientVPNOnlineInstaller.exe, 00000000.00000003.3293930397.000000000701A000.00000004.00000020.00020000.00000000.sdmp, FortiClientVPNOnlineInstaller.exe, 00000000.00000003.3319615964.0000000007279000.00000004.00000020.00020000.00000000.sdmp, FortiClientVPNOnlineInstaller.exe, 00000000.00000003.3322463327.0000000007275000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\msiexec.exe File opened: z:
Source: C:\Windows\System32\msiexec.exe File opened: x:
Source: C:\Windows\System32\msiexec.exe File opened: v:
Source: C:\Windows\System32\msiexec.exe File opened: t:
Source: C:\Windows\System32\msiexec.exe File opened: r:
Source: C:\Windows\System32\msiexec.exe File opened: p:
Source: C:\Windows\System32\msiexec.exe File opened: n:
Source: C:\Windows\System32\msiexec.exe File opened: l:
Source: C:\Windows\System32\msiexec.exe File opened: j:
Source: C:\Windows\System32\msiexec.exe File opened: h:
Source: C:\Windows\System32\msiexec.exe File opened: f:
Source: C:\Windows\System32\msiexec.exe File opened: b:
Source: C:\Windows\System32\msiexec.exe File opened: y:
Source: C:\Windows\System32\msiexec.exe File opened: w:
Source: C:\Windows\System32\msiexec.exe File opened: u:
Source: C:\Windows\System32\msiexec.exe File opened: s:
Source: C:\Windows\System32\msiexec.exe File opened: q:
Source: C:\Windows\System32\msiexec.exe File opened: o:
Source: C:\Windows\System32\msiexec.exe File opened: m:
Source: C:\Windows\System32\msiexec.exe File opened: k:
Source: C:\Windows\System32\msiexec.exe File opened: i:
Source: C:\Windows\System32\msiexec.exe File opened: g:
Source: C:\Windows\System32\msiexec.exe File opened: e:
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe File opened: c:
Source: C:\Windows\System32\msiexec.exe File opened: a:
Source: Joe Sandbox View IP Address: 192.229.221.95
Source: MSI88FD.tmp.5.dr String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: FortiClientVPNOnlineInstaller.exe, 00000000.00000003.3305843564.0000000002C65000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/
Source: FortiClientVPNOnlineInstaller.exe, MSI88FD.tmp.5.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: FortiClientVPNOnlineInstaller.exe, MSI88FD.tmp.5.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: FortiClientVPNOnlineInstaller.exe, MSI88FD.tmp.5.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: FortiClientVPNOnlineInstaller.exe, 00000000.00000003.3305843564.0000000002C59000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
Source: FortiClientVPNOnlineInstaller.exe, MSI88FD.tmp.5.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: FortiClientVPNOnlineInstaller.exe, 00000000.00000003.3305843564.0000000002C65000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/l
Source: FortiClientVPNOnlineInstaller.exe, 00000000.00000002.3950911214.0000000002C00000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/llz
Source: FortiClientVPNOnlineInstaller.exe, MSI88FD.tmp.5.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: FortiClientVPNOnlineInstaller.exe, MSI88FD.tmp.5.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: FortiClientVPNOnlineInstaller.exe, MSI88FD.tmp.5.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: MSI88FD.tmp.5.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: FortiClientVPNOnlineInstaller.exe, MSI88FD.tmp.5.dr String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: FortiClientVPNOnlineInstaller.exe, 00000000.00000002.3950911214.0000000002BDD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: FortiClientVPNOnlineInstaller.exe, 00000000.00000002.3950911214.0000000002C00000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: FortiClientVPNOnlineInstaller.exe, MSI88FD.tmp.5.dr String found in binary or memory: http://ocsp.digicert.com0
Source: FortiClientVPNOnlineInstaller.exe, MSI88FD.tmp.5.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: FortiClientVPNOnlineInstaller.exe, MSI88FD.tmp.5.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: FortiClientVPNOnlineInstaller.exe, MSI88FD.tmp.5.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: FortiClientVPNOnlineInstaller.exe, MSI88FD.tmp.5.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: MSI88FD.tmp.5.dr String found in binary or memory: https://clients2.google.com/service/update2/crxupdate_urlUrlRatingWithFortiGuardmodify_hostsWebBrows
Source: MSI88FD.tmp.5.dr String found in binary or memory: https://repo.fortinet.com/repo/forticlient/extensions/pam/firefox/%7B9984e753-9122-4cbc-b198-dccd534
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1

System Summary

Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe File dump: FortiClientVPN.exe.0.dr 176739392
Source: FortiClientVPN.exe.0.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: FortiClientVPN.exe.0.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: FortiClientVPN.exe.0.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: FortiClientVPN.exe.0.dr Static PE information: Resource name: RT_HTML type: PE32 executable (console) Intel 80386, for MS Windows
Source: FortiClientVPNOnlineInstaller.exe, 00000000.00000003.3293930397.000000000701A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSendFailureReport.exe vs FortiClientVPNOnlineInstaller.exe
Source: FortiClientVPNOnlineInstaller.exe, 00000000.00000003.3319615964.0000000007279000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSendFailureReport.exe vs FortiClientVPNOnlineInstaller.exe
Source: FortiClientVPNOnlineInstaller.exe, 00000000.00000003.3322463327.0000000007275000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSendFailureReport.exe vs FortiClientVPNOnlineInstaller.exe
Source: FortiClientVPNOnlineInstaller.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: FortiClientVPNOnlineInstaller.exe Binary string: unknown errorXGetProcessImageFileNameWpsapi.dllGetVolumePathNamesForVolumeNameWKernel32.dllNtQueryInformationProcessNtSetInformationProcessNtQueryInformationThread\SystemRoot\SystemRootA:\Device\LanmanRedirectorSeDebugPrivilege
Source: classification engine Classification label: sus20.winEXE@6/19@0/2
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C56C4404C4DEF0DC88E5FCD9F09CB2F1
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\FC_{22CD96BF-E5B0-41d8-83ED-C73F9BBF9FA8}
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\FC_{4E84B682-0B1B-4826-AA4C-9241DE3920F7}
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe File created: C:\Users\user\AppData\Local\Temp\FCTInstall.log
Source: FortiClientVPNOnlineInstaller.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: MSI88FD.tmp.5.dr Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: MSI88FD.tmp.5.dr Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: FortiClientVPNOnlineInstaller.exe String found in binary or memory: id-cmc-addExtensions
Source: FortiClientVPNOnlineInstaller.exe String found in binary or memory: set-addPolicy
Source: unknown Process created: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe "C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe"
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe Process created: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\System32\msiexec.exe C:\Windows\System32\MsiExec.exe -Embedding 451EC6BB5F916B7CCFDA9FD6E2C98FE7 C
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe Section loaded: fltlib.dll Jump to behavior
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe Section loaded: msi.dll Jump to behavior
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe Section loaded: iconcodecservice.dll Jump to behavior
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe Section loaded: atlthunk.dll Jump to behavior
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe Section loaded: cryptnet.dll Jump to behavior
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe Section loaded: acgenral.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe Section loaded: msacm32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe Section loaded: winmmbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe Section loaded: winmmbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe Section loaded: fltlib.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe Section loaded: msi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe Section loaded: srpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe Section loaded: tsappcmp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe Section loaded: msihnd.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: fltlib.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wtsapi32.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cscapi.dll
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{56ad4c5d-b908-4f85-8ff1-7940c29b3bcf}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: FortiClientVPNOnlineInstaller.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: FortiClientVPNOnlineInstaller.exe Static file information: File size 2794560 > 1048576
Source: FortiClientVPNOnlineInstaller.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1c4c00
Source: FortiClientVPNOnlineInstaller.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: FortiClientVPNOnlineInstaller.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: FortiClientVPNOnlineInstaller.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: FortiClientVPNOnlineInstaller.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: FortiClientVPNOnlineInstaller.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: FortiClientVPNOnlineInstaller.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Binary string: C:\jenkins\EMS0\GIT_CLONE_PARENT\FortiClientEMS\Release\SendFailureReport.pdb source: FortiClientVPNOnlineInstaller.exe, 00000000.00000003.3293930397.000000000701A000.00000004.00000020.00020000.00000000.sdmp, FortiClientVPNOnlineInstaller.exe, 00000000.00000003.3319615964.0000000007279000.00000004.00000020.00020000.00000000.sdmp, FortiClientVPNOnlineInstaller.exe, 00000000.00000003.3322463327.0000000007275000.00000004.00000020.00020000.00000000.sdmp
Source: FortiClientVPNOnlineInstaller.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: FortiClientVPNOnlineInstaller.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: FortiClientVPNOnlineInstaller.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: FortiClientVPNOnlineInstaller.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: FortiClientVPNOnlineInstaller.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: FortiClientVPNOnlineInstaller.exe Static PE information: section name: .didat
Source: FortiClientInstaller.exe.5.dr Static PE information: section name: .didat
Source: MSI88FD.tmp.5.dr Static PE information: section name: _RDATA
Source: MSI8A46.tmp.5.dr Static PE information: section name: _RDATA
Source: MSI8B12.tmp.5.dr Static PE information: section name: _RDATA
Source: MSI8C1C.tmp.5.dr Static PE information: section name: _RDATA
Source: FortiClientVPNOnlineInstaller.exe Static PE information: section name: .text entropy: 6.849650084467638
Source: FortiClientInstaller.exe.5.dr Static PE information: section name: .text entropy: 6.8462744100412145
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe File created: C:\Users\user\AppData\Local\Temp\MSI8C1C.tmp
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe File created: C:\Users\user\AppData\Local\Temp\MSI88FD.tmp
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe File created: C:\Users\user\AppData\Local\Temp\MSI8B12.tmp
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe File created: C:\Users\user\AppData\Local\Temp\FCT_{625BC4BA-AC3E-4E4B-9996-EEED9D4287C3}\{37F86F81-CEE2-4981-BF24-D0AAFBE74BFB}\FortiClientInstaller.exe
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe File created: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe File created: C:\Users\user\AppData\Local\Temp\MSI8A46.tmp
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe File created: C:\Users\user\AppData\Local\Temp\FCTInstall.log
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C Blob
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI8C1C.tmp
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI88FD.tmp
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI8B12.tmp
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\FCT_{625BC4BA-AC3E-4E4B-9996-EEED9D4287C3}\{37F86F81-CEE2-4981-BF24-D0AAFBE74BFB}\FortiClientInstaller.exe
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI8A46.tmp
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe TID: 6096 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe File opened: PhysicalDrive0
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: FortiClientVPNOnlineInstaller.exe Binary or memory string: default%dbWTSQueryUserTokenWtsapi32.dll\system32\Netapi32.dllNetapi32.dllNetApiBufferFreeNetUserGetInfo\\.\pipe\FC_{F18F86FD-7503-4564-80CF-B6B199519837}Shell_TrayWndSystemDrive%010u%s%sfortisslGlobal\_UID_CHANGE_{0ACCF217-864C-451F-BF79-9C7042DBF423}\\.\PhysicalDrive0software\Fortinet\FortiClient\FA_UIswuid%010u%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02XIsWow64ProcessLCIDSetThreadUILanguageFortinet Technologies (Canada) ULCFortinet Technologies (Canada) Inc.Fortinet TechnologiesFortinet, Inc.Fortinet Inc.Microsoft WindowsMicrosoft Windows PublisherMicrosoft CorporationMicrosoft Windows XP PublisherMicrosoft Windows Component PublisherMicrosoft Windows 2000 PublisherMicrosoft Windows Hardware Compatibility PublisherMacromedia, Inc.Adobe Systems IncorporatedAdobe Systems, IncorporatedMozilla CorporationGoogle IncGoogle LLCSkype Technologies SATeamViewerAdvanced Micro Devices, Inc.Aladdin Knowledge Systems LTDSun Microsystems, Inc.Oracle CorporationDell IncApple Inc.VMware, Inc.Intel Corporation - Software and Firmware ProductsSkype Software SarlOracle America, Inc.wintrust.dllCryptCATAdminAcquireContextWinVerifyTrustWTHelperGetProvSignerFromChainWTHelperProvDataFromStateDataCryptCATAdminReleaseContextCryptCATAdminReleaseCatalogContextCryptCATCatalogInfoFromContextCryptCATAdminEnumCatalogFromHashCryptCATAdminCalcHashFromFileHandleIsCatalogFileWTHelperGetProvCertFromChainWTHelperCertFindIssuerCertificatecrypt32.dllCertGetNameStringWPIPEMSG: client pid=%d tid=%d connect=%ws ret=%d
Source: FortiClientVPNOnlineInstaller.exe, 00000000.00000002.3950911214.0000000002BDD000.00000004.00000020.00020000.00000000.sdmp, FortiClientVPNOnlineInstaller.exe, 00000000.00000002.3951080698.0000000002C7B000.00000004.00000020.00020000.00000000.sdmp, FortiClientVPNOnlineInstaller.exe, 00000000.00000003.3305843564.0000000002C7B000.00000004.00000020.00020000.00000000.sdmp, FortiClientVPNOnlineInstaller.exe, 00000000.00000003.3305843564.0000000002C65000.00000004.00000020.00020000.00000000.sdmp, FortiClientVPNOnlineInstaller.exe, 00000000.00000002.3951080698.0000000002C67000.00000004.00000020.00020000.00000000.sdmp, FortiClientVPNOnlineInstaller.exe, 00000000.00000003.3906369667.0000000002C65000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: MSI88FD.tmp.5.dr Binary or memory string: Fortinet Technologies (Canada) ULCFortinet Technologies (Canada) Inc.Fortinet TechnologiesFortinet, Inc.Fortinet Inc.Microsoft WindowsMicrosoft Windows PublisherMicrosoft CorporationMicrosoft Windows XP PublisherMicrosoft Windows Component PublisherMicrosoft Windows 2000 PublisherMicrosoft Windows Hardware Compatibility PublisherMacromedia, Inc.Adobe Systems IncorporatedAdobe Systems, IncorporatedMozilla CorporationGoogle IncGoogle LLCSkype Technologies SATeamViewerAdvanced Micro Devices, Inc.Aladdin Knowledge Systems LTDSun Microsystems, Inc.Oracle CorporationDell IncApple Inc.VMware, Inc.Intel Corporation - Software and Firmware ProductsSkype Software SarlOracle America, Inc.`
Source: FortiClientVPN.exe, 00000005.00000000.3331110950.0000000000239000.00000002.00000001.01000000.00000008.sdmp Binary or memory string: Memory allocation errorGetSystemTimePreciseAsFileTimeFortinet Technologies (Canada) ULCFortinet Technologies (Canada) Inc.Fortinet TechnologiesFortinet, Inc.Fortinet Inc.Microsoft WindowsMicrosoft Windows PublisherMicrosoft CorporationMicrosoft Windows XP PublisherMicrosoft Windows Component PublisherMicrosoft Windows 2000 PublisherMicrosoft Windows Hardware Compatibility PublisherMacromedia, Inc.Adobe Systems IncorporatedAdobe Systems, IncorporatedMozilla CorporationGoogle IncGoogle LLCSkype Technologies SATeamViewerAdvanced Micro Devices, Inc.Aladdin Knowledge Systems LTDSun Microsystems, Inc.Oracle CorporationDell IncApple Inc.VMware, Inc.Intel Corporation - Software and Firmware ProductsSkype Software SarlOracle America, Inc.wintrust.dllCryptCATAdminAcquireContextWinVerifyTrustWTHelperGetProvSignerFromChainWTHelperProvDataFromStateDataCryptCATAdminReleaseContextCryptCATAdminReleaseCatalogContextCryptCATCatalogInfoFromContextCryptCATAdminEnumCatalogFromHashCryptCATAdminCalcHashFromFileHandleIsCatalogFileWTHelperGetProvCertFromChainWTHelperCertFindIssuerCertificatecrypt32.dllCertGetNameStringW
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe Process information queried: ProcessInformation
Source: MSI88FD.tmp.5.dr Binary or memory string: {768FCDC7-A6E7-424a-BF92-93B5338C9D2F}{34D6AD5A-C03D-45ff-AA8A-8B306E01B96D}{78B904C1-D2FC-4345-81FD-5288D9DAAE7E}{938BAF3B-6B94-4C4E-AB74-0B199110AEE2}{C2FAE67B-9C91-4C88-91C6-37E4D5F50FE9}{7547D35D-57C9-40FD-AA15-FB810B9C945C}{A7384DDC-F7B3-460F-9DC2-E2AA8DC57011}{0DC51760-4FB7-41F3-8967-D3DEC9D320EB}{34CBFE93-A6CB-4063-A16C-B0F28CB3F934}{768FCDC7-A6E7-424A-BF92-93B5338C9D2F}{C93EEA4B-7FBB-4c81-B95E-01B83F34FFD8}{B94FC42D-37A5-4a75-8B14-B18FF20C3492}{5FED163B-78E6-4002-90DE-B4E080C1781C}{12EBD61A-4CE3-41FB-8D05-3115420E90BE}{3D4862D9-4DF7-4DE1-9B5C-D34C960ECDAD}VersionString{1894F2C4-6426-425B-B244-3E4701C803E2}{12ebd61a-4ce3-41fb-8d05-3115420e90be}Global\%s{E09B48B5-E141-427A-AB0C-D3605127224A}{689404D2-1C94-44B3-9203-BEC5594FDA7A}{EFB70B01-B1F3-4960-AB69-4A280084A60C}{C2736CA7-76E1-4D0C-B590-483A7FFD18DA}{FE7E950B-220A-4182-B5CA-19397244DCFD}{7E5C338B-E77E-4CB4-9C1D-FB67B56B3B19}{F07E35BF-8B03-4777-9B5E-AE90E4FF0932}{C5B59406-E985-4187-84E8-68E2D9F89A47}{D7CE240C-0F3B-4C40-9278-C0B90E533652}{A519AE9C-7C79-4C5B-9127-8F46D648D5A4}{4541DA32-2108-43E9-9915-C71B9DE77048}{A5C1C914-4EF7-40ED-9BCE-FCEB4BB0C19D}{9FCE5BBD-D85F-4905-8A0C-12A3A86C2434}{F4E46404-2578-4955-B748-547957F08AB1}{B7300824-E68F-45F1-BAC1-5F15636C346F}{CD59EA85-6CBF-4C08-BE59-6C628B3D8F54}SOFTWARE\Microsoft\MSSQLServer\MSSQLServer\CurrentVersionselect * from SqlServiceAdvancedProperty where SQLServiceType = 1root\Microsoft\SqlServer\ComputerManagementWTSQueryUserTokenWtsapi32.dll\system32\Netapi32.dllNetapi32.dllNetApiBufferFreeNetUserGetInfoShell_TrayWndWTSSendMessageW
Source: FortiClientVPN.exe, 00000005.00000000.3331110950.0000000000239000.00000002.00000001.01000000.00000008.sdmp Binary or memory string: GetProcessImageFileNameWpsapi.dllGetVolumePathNamesForVolumeNameWKernel32.dllNtQueryInformationProcessNtSetInformationProcessNtQueryInformationThread\SystemRoot\SystemRootA:\Device\LanmanRedirectorSeDebugPrivilegeFortipsFortiRdrFortiClient IPSec DriverFortiRdr2FortiClient Redirect DriverFortiClient Application DriverfortiapdFAFileMonfortimon2kFortiClient Realtime Monitor DriverFSFilter AntiVirus324920FltMgrfortimon3fortimon2FortiClient Application Firewall DriverFortiFWFSFilter Content ScreenerFortiFW2324900FortiShield mini-filter driverFortiStat2FortiStatFortiWFFortiClient NAC Filter DriverfortiloaderFortiClient Web Filter Driverfortiloader driverSystem Reservedfortisniff driverfortisniffFSFilter SandboxingFortiAptFilter324930FortiClient Sandboxing DriverFortiClient VPN Traffic ControlFortiTransCtrlav_task.exesoftware\Fortinet\FortiClient\FA_IKEupdate_task.exesoftware\Fortinet\FortiClient\FA_AVRipsec.exesoftware\Fortinet\FortiClient\FA_FMONavrepair.exesoftware\Fortinet\FortiClient\FA_SUBMITfmon.exermon.exeSubmitV.exesoftware\Fortinet\FortiClient\FA_FORTITRAYfortifws.exesoftware\Fortinet\FortiClient\FA_VPNSTARTERFortiTray.exesoftware\Fortinet\FortiClient\FA_WFFortiVPNSt.exeFCDBLog.exeFortiWF.exeFortiProxy.exeFCMgr.exeFortiWaDBd.exesoftware\Fortinet\FortiClient\FA_APPDBsoftware\Fortinet\FortiClient\FA_CONFIGDFortiWad.exeFortiSSLVPNdaemon.exesoftware\Fortinet\FortiClient\FA_SSLVPNFSSOMA.exeFCVbltScan.exefcaptmon.exesoftware\Fortinet\FortiClient\FA_SANDBOXfortiae.exesoftware\Fortinet\FortiClient\FA_AEFortiSSLVPNsys.exesoftware\Fortinet\FortiClient\FA_SETTINGSFortiUSBmon.exesoftware\Fortinet\FortiClient\FA_RMAfcmonitor.exesoftware\Fortinet\FortiClient\FA_FCMONITORFortiTcs.exesoftware\Fortinet\FortiClient\FA_ZTNAFCCryptd.exesoftware\Fortinet\FortiClient\FA_FCCRYPTDFortivrs.exesoftware\Fortinet\FortiClient\FA_PAMFortiVPN.exesoftware\Fortinet\FortiClient\FA_FORTIVPNFortiFS.exesoftware\Fortinet\FortiClient\FA_FS\\.\pipe\FC_{F18F86FD-7503-4564-80CF-B6B199519837}FC_{CFFA4B7C-C730-41af-935C-4DC89655ECB3}Global\FC_{CFFA4B7C-C730-41af-935C-4DC89655ECB3}WTSQueryUserTokenWtsapi32.dllShell_TrayWndGlobal\%ssoftware\Fortinet\FortiClient\FA_FIPSGlobal\_UID_CHANGE_{0ACCF217-864C-451F-BF79-9C7042DBF423}defaultSOFTWARE\Microsoft\Windows NT\CurrentVersion%SystemRoot%\system32\kernel32.dllCurrentMinorVersionNumberCurrentMajorVersionNumberGetProductInfoCurrentBuildNumberWindows 11 Microsoft 11Windows 10 Windows Server 2022 10Windows Server 2019 2022Windows Server 2016 2019Windows 8.1 20168.1Windows Server 2012 R2 Windows 8.0 2012 R28Windows Server 2012 Windows 7 20127Windows Server 2008 R2 Windows Vista 2008 R2VistaWindows Server 2008 Windows OS version %d.%d2008v%d.%dWindows Server OS version %d.%dHome Premium EditionUltimate EditionEnterprise EditionHome Basic EditionStarter EditionBusiness EditionDatacenter EditionCluster Server EditionEnterprise Edition (core installation)Datacenter Edition (core installation)Small Business ServerEnterprise Edition for Itanium-based
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 Blob