Windows Analysis Report
FortiClientVPNOnlineInstaller.exe

Overview

General Information

Sample name: FortiClientVPNOnlineInstaller.exe
Analysis ID: 1466699
MD5: 11bfc265fc53ac4756e4ef2759ca10eb
SHA1: e3d2bf11618c39dfd036bb33ea96aa5f989fed25
SHA256: 2e520faa2b71ba56643153b77c2908c0d6da34a2f6f9abaa7cbadab9278dc99e

Detection

Score: 20
Range: 0 - 100
Whitelisted: false
Confidence: 0%

Signatures

Drops large PE files
Adds / modifies Windows certificates
Checks for available system drives (often done to infect USB drives)
Drops PE files
Drops certificate files (DER)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Stores large binary data to the registry
Uses 32bit PE files

Classification

  • System is w10x64
  • FortiClientVPNOnlineInstaller.exe (PID: 6036 cmdline: "C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe" MD5: 11BFC265FC53AC4756E4EF2759CA10EB)
    • FortiClientVPN.exe (PID: 5352 cmdline: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe MD5: 43866BF1847EFD3BEF65E4D9EF603CA7)
  • msiexec.exe (PID: 1576 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 6136 cmdline: C:\Windows\System32\MsiExec.exe -Embedding 451EC6BB5F916B7CCFDA9FD6E2C98FE7 C MD5: E5DA170027542E25EDE42FC54C929077)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

Source: FortiClientVPNOnlineInstaller.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe | File created: C:\Users\user\AppData\Local\Temp\FCTInstall.log
Source: FortiClientVPNOnlineInstaller.exe | Static PE information: certificate valid
Source: FortiClientVPNOnlineInstaller.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: C:\jenkins\FCT0\GIT_CLONE_PARENT\FortiClientHS\Installation\WiX\FCT_Enterprise\FCSetupWx\x64\Release\FCSetupWx.pdb source: MSI88FD.tmp.5.dr
Source: Binary string: C:\jenkins\FCT0\GIT_CLONE_PARENT\FortiClientHS\Release\Bootstrapper_x64.pdb source: FortiClientVPN.exe, 00000005.00000000.3331110950.0000000000239000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: C:\jenkins\EMS0\GIT_CLONE_PARENT\FortiClientEMS\Release\SendFailureReport.pdb source: FortiClientVPNOnlineInstaller.exe, 00000000.00000003.3293930397.000000000701A000.00000004.00000020.00020000.00000000.sdmp, FortiClientVPNOnlineInstaller.exe, 00000000.00000003.3319615964.0000000007279000.00000004.00000020.00020000.00000000.sdmp, FortiClientVPNOnlineInstaller.exe, 00000000.00000003.3322463327.0000000007275000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\msiexec.exe | File opened: z:
Source: C:\Windows\System32\msiexec.exe | File opened: x:
Source: C:\Windows\System32\msiexec.exe | File opened: v:
Source: C:\Windows\System32\msiexec.exe | File opened: t:
Source: C:\Windows\System32\msiexec.exe | File opened: r:
Source: C:\Windows\System32\msiexec.exe | File opened: p:
Source: C:\Windows\System32\msiexec.exe | File opened: n:
Source: C:\Windows\System32\msiexec.exe | File opened: l:
Source: C:\Windows\System32\msiexec.exe | File opened: j:
Source: C:\Windows\System32\msiexec.exe | File opened: h:
Source: C:\Windows\System32\msiexec.exe | File opened: f:
Source: C:\Windows\System32\msiexec.exe | File opened: b:
Source: C:\Windows\System32\msiexec.exe | File opened: y:
Source: C:\Windows\System32\msiexec.exe | File opened: w:
Source: C:\Windows\System32\msiexec.exe | File opened: u:
Source: C:\Windows\System32\msiexec.exe | File opened: s:
Source: C:\Windows\System32\msiexec.exe | File opened: q:
Source: C:\Windows\System32\msiexec.exe | File opened: o:
Source: C:\Windows\System32\msiexec.exe | File opened: m:
Source: C:\Windows\System32\msiexec.exe | File opened: k:
Source: C:\Windows\System32\msiexec.exe | File opened: i:
Source: C:\Windows\System32\msiexec.exe | File opened: g:
Source: C:\Windows\System32\msiexec.exe | File opened: e:
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe | File opened: c:
Source: C:\Windows\System32\msiexec.exe | File opened: a:
Source: Joe Sandbox View | IP Address: 192.229.221.95
Source: MSI88FD.tmp.5.dr | String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: FortiClientVPNOnlineInstaller.exe, 00000000.00000003.3305843564.0000000002C65000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/
Source: FortiClientVPNOnlineInstaller.exe, MSI88FD.tmp.5.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: FortiClientVPNOnlineInstaller.exe, MSI88FD.tmp.5.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: FortiClientVPNOnlineInstaller.exe, MSI88FD.tmp.5.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: FortiClientVPNOnlineInstaller.exe, 00000000.00000003.3305843564.0000000002C59000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
Source: FortiClientVPNOnlineInstaller.exe, MSI88FD.tmp.5.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: FortiClientVPNOnlineInstaller.exe, 00000000.00000003.3305843564.0000000002C65000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/l
Source: FortiClientVPNOnlineInstaller.exe, 00000000.00000002.3950911214.0000000002C00000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/llz
Source: FortiClientVPNOnlineInstaller.exe, MSI88FD.tmp.5.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: FortiClientVPNOnlineInstaller.exe, MSI88FD.tmp.5.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: FortiClientVPNOnlineInstaller.exe, MSI88FD.tmp.5.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: MSI88FD.tmp.5.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: FortiClientVPNOnlineInstaller.exe, MSI88FD.tmp.5.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: FortiClientVPNOnlineInstaller.exe, 00000000.00000002.3950911214.0000000002BDD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: FortiClientVPNOnlineInstaller.exe, 00000000.00000002.3950911214.0000000002C00000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: FortiClientVPNOnlineInstaller.exe, MSI88FD.tmp.5.dr | String found in binary or memory: http://ocsp.digicert.com0
Source: FortiClientVPNOnlineInstaller.exe, MSI88FD.tmp.5.dr | String found in binary or memory: http://ocsp.digicert.com0A
Source: FortiClientVPNOnlineInstaller.exe, MSI88FD.tmp.5.dr | String found in binary or memory: http://ocsp.digicert.com0C
Source: FortiClientVPNOnlineInstaller.exe, MSI88FD.tmp.5.dr | String found in binary or memory: http://ocsp.digicert.com0X
Source: FortiClientVPNOnlineInstaller.exe, MSI88FD.tmp.5.dr | String found in binary or memory: http://www.digicert.com/CPS0
Source: MSI88FD.tmp.5.dr | String found in binary or memory: https://clients2.google.com/service/update2/crxupdate_urlUrlRatingWithFortiGuardmodify_hostsWebBrows
Source: MSI88FD.tmp.5.dr | String found in binary or memory: https://repo.fortinet.com/repo/forticlient/extensions/pam/firefox/%7B9984e753-9122-4cbc-b198-dccd534
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe | File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe | File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1

System Summary

Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe | File dump: FortiClientVPN.exe.0.dr 176739392
Source: FortiClientVPN.exe.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: FortiClientVPN.exe.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: FortiClientVPN.exe.0.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: FortiClientVPN.exe.0.dr | Static PE information: Resource name: RT_HTML type: PE32 executable (console) Intel 80386, for MS Windows
Source: FortiClientVPNOnlineInstaller.exe, 00000000.00000003.3293930397.000000000701A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSendFailureReport.exe vs FortiClientVPNOnlineInstaller.exe
Source: FortiClientVPNOnlineInstaller.exe, 00000000.00000003.3319615964.0000000007279000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSendFailureReport.exe vs FortiClientVPNOnlineInstaller.exe
Source: FortiClientVPNOnlineInstaller.exe, 00000000.00000003.3322463327.0000000007275000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSendFailureReport.exe vs FortiClientVPNOnlineInstaller.exe
Source: FortiClientVPNOnlineInstaller.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: FortiClientVPNOnlineInstaller.exe | Binary string: unknown errorXGetProcessImageFileNameWpsapi.dllGetVolumePathNamesForVolumeNameWKernel32.dllNtQueryInformationProcessNtSetInformationProcessNtQueryInformationThread\SystemRoot\SystemRootA:\Device\LanmanRedirectorSeDebugPrivilege
Source: MSI88FD.tmp.5.dr | Binary string: SELECT `Property`.`Value` FROM `Property` WHERE `Property`.`Property`='ProductCode'SELECT `Property`.`Value` FROM `Property` WHERE `Property`.`Property`='ProductVersion'PackageName%s.%s.%s.%04s%s\Applications\Cachemsi_cache_get_folder_and_file, ret=%d, szCacheBasePath=%s szCacheSubFolder=%s szCacheFile=%sCache file already exists.%S%s\Applications\Cache\%s\%s\%SystemRoot%\system32\kernel32.dllSOFTWARE\Microsoft\Windows NT\CurrentVersionCurrentMajorVersionNumberCurrentMinorVersionNumberCurrentBuildNumberGetProductInfoMicrosoft Windows 11 Windows 10 1110Windows Server 2022 2022Windows Server 2019 2019Windows Server 2016 2016Windows 8.1 Windows Server 2012 R2 8.12012 R2Windows 8.0 Windows Server 2012 82012Windows 7 Windows Server 2008 R2 72008 R2Windows Vista Windows Server 2008 Vista2008Windows OS version %d.%dWindows Server OS version %d.%dv%d.%dUltimate EditionHome Premium EditionHome Basic EditionEnterprise EditionBusiness EditionStarter EditionCluster Server EditionDatacenter EditionDatacenter Edition (core installation)Enterprise Edition (core installation)Enterprise Edition for Itanium-based SystemsSmall Business ServerSmall Business Server Premium EditionStandard EditionStandard Edition (core installation)Web Server EditionProfessional Edition, 64-bit, 32-bitWindows Server 2003 R2, Windows Storage Server 2003Windows Home ServerWindows XP Professional x64 EditionWindows Server 2003, Datacenter Edition for Itanium-based SystemsDatacenter x64 EditionEnterprise x64 EditionStandard x64 EditionCompute Cluster EditionWeb EditionWindows XP Home EditionProfessionalWindows 2000 Datacenter ServerAdvanced ServerServer (build %d)Windows %d.%d (build %d)GetProcessImageFileNameWpsapi.dllGetVolumePathNamesForVolumeNameWKernel32.dllNtQueryInformationProcessNtSetInformationProcessNtQueryInformationThread\SystemRoot\A:\Device\LanmanRedirector\Device\SeDebugPrivilegeS-%lu-%02hx%02hx%02hx%02hx%02hx%02hx%lu-%luVolatile EnvironmentUSERDNSDOMAIN
Source: classification engine | Classification label: sus20.winEXE@6/19@0/2
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe | File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C56C4404C4DEF0DC88E5FCD9F09CB2F1
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\FC_{22CD96BF-E5B0-41d8-83ED-C73F9BBF9FA8}
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\FC_{4E84B682-0B1B-4826-AA4C-9241DE3920F7}
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe | File created: C:\Users\user\AppData\Local\Temp\FCTInstall.log
Source: FortiClientVPNOnlineInstaller.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: MSI88FD.tmp.5.dr | Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: MSI88FD.tmp.5.dr | Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: FortiClientVPNOnlineInstaller.exe | String found in binary or memory: id-cmc-addExtensions
Source: FortiClientVPNOnlineInstaller.exe | String found in binary or memory: set-addPolicy
Source: unknown | Process created: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe "C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe"
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe | Process created: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe
Source: unknown | Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\System32\msiexec.exe C:\Windows\System32\MsiExec.exe -Embedding 451EC6BB5F916B7CCFDA9FD6E2C98FE7 C
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe | Section loaded: fltlib.dll
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe | Section loaded: msi.dll
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe | Section loaded: iconcodecservice.dll
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe | Section loaded: atlthunk.dll
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe | Section loaded: napinsp.dll
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe | Section loaded: pnrpnsp.dll
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe | Section loaded: wshbth.dll
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe | Section loaded: nlaapi.dll
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe | Section loaded: winrnr.dll
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe | Section loaded: cryptnet.dll
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe | Section loaded: webio.dll
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe | Section loaded: acgenral.dll
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe | Section loaded: samcli.dll
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe | Section loaded: msacm32.dll
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe | Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe | Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe | Section loaded: aclayers.dll
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe | Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe | Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe | Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe | Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe | Section loaded: fltlib.dll
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe | Section loaded: msisip.dll
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe | Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe | Section loaded: srpapi.dll
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe | Section loaded: tsappcmp.dll
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe | Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe | Section loaded: wkscli.dll
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe | Section loaded: msihnd.dll
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe | Section loaded: pcacli.dll
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe | Section loaded: oleacc.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wtsapi32.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: fltlib.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wtsapi32.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: cscapi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wtsapi32.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wtsapi32.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{56ad4c5d-b908-4f85-8ff1-7940c29b3bcf}\InProcServer32
Source: Window Recorder  Window detected: More than 3 window changes detected
Source: FortiClientVPNOnlineInstaller.exe  Static PE information: certificate valid
Source: FortiClientVPNOnlineInstaller.exe  Static PE information: Virtual size of .text is bigger than: 0x100000
Source: FortiClientVPNOnlineInstaller.exe  Static file information: File size 2794560 > 1048576
Source: FortiClientVPNOnlineInstaller.exe  Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1c4c00
Source: FortiClientVPNOnlineInstaller.exe  Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: FortiClientVPNOnlineInstaller.exe  Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: FortiClientVPNOnlineInstaller.exe  Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: FortiClientVPNOnlineInstaller.exe  Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: FortiClientVPNOnlineInstaller.exe  Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: FortiClientVPNOnlineInstaller.exe  Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: FortiClientVPNOnlineInstaller.exe  Static PE information: DllCharacteristics: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: C:\jenkins\FCT0\GIT_CLONE_PARENT\FortiClientHS\Installation\WiX\FCT_Enterprise\FCSetupWx\x64\Release\FCSetupWx.pdb  source: MSI88FD.tmp.5.dr
Source: Binary string: C:\jenkins\FCT0\GIT_CLONE_PARENT\FortiClientHS\Release\Bootstrapper_x64.pdb  source: FortiClientVPN.exe, 00000005.00000000.3331110950.0000000000239000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: C:\jenkins\EMS0\GIT_CLONE_PARENT\FortiClientEMS\Release\SendFailureReport.pdb  source: FortiClientVPNOnlineInstaller.exe, 00000000.00000003.3293930397.000000000701A000.00000004.00000020.00020000.00000000.sdmp, FortiClientVPNOnlineInstaller.exe, 00000000.00000003.3319615964.0000000007279000.00000004.00000020.00020000.00000000.sdmp, FortiClientVPNOnlineInstaller.exe, 00000000.00000003.3322463327.0000000007275000.00000004.00000020.00020000.00000000.sdmp
Source: FortiClientVPNOnlineInstaller.exe  Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: FortiClientVPNOnlineInstaller.exe  Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: FortiClientVPNOnlineInstaller.exe  Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: FortiClientVPNOnlineInstaller.exe  Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: FortiClientVPNOnlineInstaller.exe  Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: FortiClientVPNOnlineInstaller.exe  Static PE information: section name: .didat
Source: FortiClientInstaller.exe.5.dr  Static PE information: section name: .didat
Source: MSI88FD.tmp.5.dr  Static PE information: section name: _RDATA
Source: MSI8A46.tmp.5.dr  Static PE information: section name: _RDATA
Source: MSI8B12.tmp.5.dr  Static PE information: section name: _RDATA
Source: MSI8C1C.tmp.5.dr  Static PE information: section name: _RDATA
Source: FortiClientVPNOnlineInstaller.exe  Static PE information: section name: .text entropy: 6.849650084467638
Source: FortiClientInstaller.exe.5.dr  Static PE information: section name: .text entropy: 6.8462744100412145
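The static observations above (DllCharacteristics flags, non-standard section names such as .didat and _RDATA, per-section entropy, the 1 MiB size threshold on .text, and which section each data directory lands in) can be reproduced without a third-party PE library. The script below is an added example written for this page, not Joe Sandbox or Fortinet code: it walks the PE headers directly and, so that it runs offline, exercises itself against a constructed PE32 image assembled in memory (three sections, import table and IAT placed in .rdata). That image is not the sample from this report. Pass a real file on the command line to get the same fields for it; the section list, flag names and threshold constant are the only assumptions and match winnt.h and the report's wording.

```python
import math
import struct
from collections import Counter

# IMAGE_DLLCHARACTERISTICS_* bits and IMAGE_DIRECTORY_ENTRY_* indices as defined in winnt.h.
DLL_CHARACTERISTICS = {0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
                       0x0100: "NX_COMPAT", 0x0400: "NO_SEH", 0x1000: "APPCONTAINER",
                       0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE"}
DIRECTORY_NAMES = ["EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC", "DEBUG",
                   "ARCHITECTURE", "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT", "IAT",
                   "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED"]
# Names a Microsoft linker normally emits; anything else is flagged, as the report does for .didat and _RDATA.
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".pdata", ".idata", ".edata", ".tls", ".bss"}
LARGE_SECTION = 0x100000  # the 1 MiB threshold the report applies to .text


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 is uniform random, plain compiled x86 code usually sits around 6.0-6.9."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(data: bytes) -> dict:
    """Walk the PE headers and reproduce the report's static checks."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]      # same offset in PE32 and PE32+
    ndirs_off = opt + (108 if pe32plus else 92)                  # NumberOfRvaAndSizes
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
    dirs = [struct.unpack_from("<II", data, ndirs_off + 4 + 8 * i) for i in range(min(ndirs, 16))]

    sections = []
    for i in range(nsect):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        sections.append({"name": name, "virtual_size": vsize, "virtual_address": vaddr, "raw_size": rawsize,
                         "entropy": shannon_entropy(data[rawptr:rawptr + rawsize]),
                         "standard_name": name in STANDARD_SECTIONS,
                         "large": vsize > LARGE_SECTION or rawsize > LARGE_SECTION})

    def section_for(rva):
        for s in sections:
            if s["virtual_address"] <= rva < s["virtual_address"] + max(s["virtual_size"], s["raw_size"]):
                return s["name"]
        return None  # SECURITY holds a file offset, not an RVA, so it never maps to a section

    return {"pe32plus": pe32plus, "machine": machine,
            "dll_characteristics": [n for bit, n in sorted(DLL_CHARACTERISTICS.items()) if dll_chars & bit],
            "data_directories": {DIRECTORY_NAMES[i]: section_for(rva) for i, (rva, size) in enumerate(dirs) if size},
            "sections": sections}


def build_sample_pe(dll_chars: int = 0xC140) -> bytes:
    """Constructed PE32 image for the demo (not the sample from the report and not a runnable program).
    Default DllCharacteristics 0xC140 = DYNAMIC_BASE | NX_COMPAT | GUARD_CF | TERMINAL_SERVER_AWARE."""
    file_align, sect_align = 0x200, 0x1000
    bodies = [(b".text", bytes(range(256)) * 4),             # every byte value 4 times: entropy exactly 8.0
              (b".rdata", b"\0" * 0x100 + b"RDATA" * 8),
              (b".didat", b"\x01\x02\x03\x04" * 32)]         # non-standard name, as in the report
    opt_size = 96 + 8 * 16
    hdr_len = 0x40 + 4 + 20 + opt_size + 40 * len(bodies)
    size_of_headers = -(-hdr_len // file_align) * file_align
    sect_hdrs, raw, rva, raw_ptr, rvas = b"", b"", sect_align, size_of_headers, {}
    for name, body in bodies:
        raw_size = -(-len(body) // file_align) * file_align
        sect_hdrs += struct.pack("<8sIIIIIIHHI", name, len(body), rva, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        raw += body.ljust(raw_size, b"\0")
        rvas[name] = rva
        raw_ptr, rva = raw_ptr + raw_size, rva + sect_align
    dirs = [(0, 0)] * 16
    dirs[1] = (rvas[b".rdata"] + 0x10, 0x28)    # IMPORT table placed inside .rdata
    dirs[12] = (rvas[b".rdata"] + 0x80, 0x10)   # IAT placed inside .rdata
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    struct.pack_into("<II", opt, 32, sect_align, file_align)
    struct.pack_into("<II", opt, 56, rva, size_of_headers)        # SizeOfImage, SizeOfHeaders
    struct.pack_into("<HH", opt, 68, 2, dll_chars)                # Subsystem (GUI), DllCharacteristics
    struct.pack_into("<I", opt, 92, 16)                           # NumberOfRvaAndSizes
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    headers = bytes(dos) + b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(bodies), 0, 0, 0, opt_size, 0x0102)
    headers += bytes(opt) + b"".join(struct.pack("<II", *d) for d in dirs) + sect_hdrs
    return headers.ljust(size_of_headers, b"\0") + raw


if __name__ == "__main__":
    import sys
    report = triage(open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe())
    print("DllCharacteristics:", ", ".join(report["dll_characteristics"]))
    for s in report["sections"]:
        flags = ("" if s["standard_name"] else " non-standard name") + (" >1MiB" if s["large"] else "")
        print(f"{s['name']:<8} vsize={s['virtual_size']:#x} raw={s['raw_size']:#x} entropy={s['entropy']:.3f}{flags}")
    for d, sec in report["data_directories"].items():
        print(f"directory {d} is in {sec}")
```

A .text entropy of 6.85 as reported for this installer is ordinary compiled code; packed or encrypted sections push towards 7.8 and above, which is the case the "Software Packing" cell in the ATT&CK mapping is meant to catch. The mitigation flags are worth reading together: DYNAMIC_BASE and NX_COMPAT are expected for any current build, and the absence of GUARD_CF or FORCE_INTEGRITY on a vendor-signed installer would be more interesting than their presence here.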
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe  File created (dropped PE): C:\Users\user\AppData\Local\Temp\MSI8C1C.tmp
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe  File created (dropped PE): C:\Users\user\AppData\Local\Temp\MSI88FD.tmp
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe  File created (dropped PE): C:\Users\user\AppData\Local\Temp\MSI8B12.tmp
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe  File created (dropped PE): C:\Users\user\AppData\Local\Temp\FCT_{625BC4BA-AC3E-4E4B-9996-EEED9D4287C3}\{37F86F81-CEE2-4981-BF24-D0AAFBE74BFB}\FortiClientInstaller.exe
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe  File created (dropped PE): C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe  File created (dropped PE): C:\Users\user\AppData\Local\Temp\MSI8A46.tmp
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe  File created: C:\Users\user\AppData\Local\Temp\FCTInstall.log
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe  Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe  Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C Blob
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe  Process information set: NOOPENFILEERRORBOX (48 occurrences)
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe  Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI8C1C.tmp
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe  Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI88FD.tmp
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe  Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI8B12.tmp
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe  Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\FCT_{625BC4BA-AC3E-4E4B-9996-EEED9D4287C3}\{37F86F81-CEE2-4981-BF24-D0AAFBE74BFB}\FortiClientInstaller.exe
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe  Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI8A46.tmp
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe TID: 6096  Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe  File opened: PhysicalDrive0
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe  File Volume queried: C:\ FullSizeInformation (4 occurrences)
Source: C:\Windows\System32\msiexec.exe  File Volume queried: C:\ FullSizeInformation
The string blocks below are a signer allow-list (Fortinet, Microsoft, Adobe, Mozilla, Google, VMware and other publishers) followed by wintrust.dll and crypt32.dll import names (WinVerifyTrust, the CryptCATAdmin* catalog functions, CertGetNameStringW), i.e. the names an Authenticode and catalog signature check needs; the last block lists FortiClient driver, service, registry and named-pipe names. They are quoted once each here; the installer string was recorded twice in the original.
Source: FortiClientVPNOnlineInstaller.exe  Binary or memory string: default%dbWTSQueryUserTokenWtsapi32.dll\system32\Netapi32.dllNetapi32.dllNetApiBufferFreeNetUserGetInfo\\.\pipe\FC_{F18F86FD-7503-4564-80CF-B6B199519837}Shell_TrayWndSystemDrive%010u%s%sfortisslGlobal\_UID_CHANGE_{0ACCF217-864C-451F-BF79-9C7042DBF423}\\.\PhysicalDrive0software\Fortinet\FortiClient\FA_UIswuid%010u%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02XIsWow64ProcessLCIDSetThreadUILanguageFortinet Technologies (Canada) ULCFortinet Technologies (Canada) Inc.Fortinet TechnologiesFortinet, Inc.Fortinet Inc.Microsoft WindowsMicrosoft Windows PublisherMicrosoft CorporationMicrosoft Windows XP PublisherMicrosoft Windows Component PublisherMicrosoft Windows 2000 PublisherMicrosoft Windows Hardware Compatibility PublisherMacromedia, Inc.Adobe Systems IncorporatedAdobe Systems, IncorporatedMozilla CorporationGoogle IncGoogle LLCSkype Technologies SATeamViewerAdvanced Micro Devices, Inc.Aladdin Knowledge Systems LTDSun Microsystems, Inc.Oracle CorporationDell IncApple Inc.VMware, Inc.Intel Corporation - Software and Firmware ProductsSkype Software SarlOracle America, Inc.wintrust.dllCryptCATAdminAcquireContextWinVerifyTrustWTHelperGetProvSignerFromChainWTHelperProvDataFromStateDataCryptCATAdminReleaseContextCryptCATAdminReleaseCatalogContextCryptCATCatalogInfoFromContextCryptCATAdminEnumCatalogFromHashCryptCATAdminCalcHashFromFileHandleIsCatalogFileWTHelperGetProvCertFromChainWTHelperCertFindIssuerCertificatecrypt32.dllCertGetNameStringWPIPEMSG: client pid=%d tid=%d connect=%ws ret=%d
Source: FortiClientVPNOnlineInstaller.exe, 00000000.00000002.3950911214.0000000002BDD000.00000004.00000020.00020000.00000000.sdmp, FortiClientVPNOnlineInstaller.exe, 00000000.00000002.3951080698.0000000002C7B000.00000004.00000020.00020000.00000000.sdmp, FortiClientVPNOnlineInstaller.exe, 00000000.00000003.3305843564.0000000002C7B000.00000004.00000020.00020000.00000000.sdmp, FortiClientVPNOnlineInstaller.exe, 00000000.00000003.3305843564.0000000002C65000.00000004.00000020.00020000.00000000.sdmp, FortiClientVPNOnlineInstaller.exe, 00000000.00000002.3951080698.0000000002C67000.00000004.00000020.00020000.00000000.sdmp, FortiClientVPNOnlineInstaller.exe, 00000000.00000003.3906369667.0000000002C65000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Hyper-V RAW
Source: MSI88FD.tmp.5.dr  Binary or memory string: Fortinet Technologies (Canada) ULCFortinet Technologies (Canada) Inc.Fortinet TechnologiesFortinet, Inc.Fortinet Inc.Microsoft WindowsMicrosoft Windows PublisherMicrosoft CorporationMicrosoft Windows XP PublisherMicrosoft Windows Component PublisherMicrosoft Windows 2000 PublisherMicrosoft Windows Hardware Compatibility PublisherMacromedia, Inc.Adobe Systems IncorporatedAdobe Systems, IncorporatedMozilla CorporationGoogle IncGoogle LLCSkype Technologies SATeamViewerAdvanced Micro Devices, Inc.Aladdin Knowledge Systems LTDSun Microsystems, Inc.Oracle CorporationDell IncApple Inc.VMware, Inc.Intel Corporation - Software and Firmware ProductsSkype Software SarlOracle America, Inc.`
Source: FortiClientVPN.exe, 00000005.00000000.3331110950.0000000000239000.00000002.00000001.01000000.00000008.sdmp  Binary or memory string: Memory allocation errorGetSystemTimePreciseAsFileTimeFortinet Technologies (Canada) ULCFortinet Technologies (Canada) Inc.Fortinet TechnologiesFortinet, Inc.Fortinet Inc.Microsoft WindowsMicrosoft Windows PublisherMicrosoft CorporationMicrosoft Windows XP PublisherMicrosoft Windows Component PublisherMicrosoft Windows 2000 PublisherMicrosoft Windows Hardware Compatibility PublisherMacromedia, Inc.Adobe Systems IncorporatedAdobe Systems, IncorporatedMozilla CorporationGoogle IncGoogle LLCSkype Technologies SATeamViewerAdvanced Micro Devices, Inc.Aladdin Knowledge Systems LTDSun Microsystems, Inc.Oracle CorporationDell IncApple Inc.VMware, Inc.Intel Corporation - Software and Firmware ProductsSkype Software SarlOracle America, Inc.wintrust.dllCryptCATAdminAcquireContextWinVerifyTrustWTHelperGetProvSignerFromChainWTHelperProvDataFromStateDataCryptCATAdminReleaseContextCryptCATAdminReleaseCatalogContextCryptCATCatalogInfoFromContextCryptCATAdminEnumCatalogFromHashCryptCATAdminCalcHashFromFileHandleIsCatalogFileWTHelperGetProvCertFromChainWTHelperCertFindIssuerCertificatecrypt32.dllCertGetNameStringW
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe  Process information queried: ProcessInformation
Source: MSI88FD.tmp.5.dr  Binary or memory string: {768FCDC7-A6E7-424a-BF92-93B5338C9D2F}{34D6AD5A-C03D-45ff-AA8A-8B306E01B96D}{78B904C1-D2FC-4345-81FD-5288D9DAAE7E}{938BAF3B-6B94-4C4E-AB74-0B199110AEE2}{C2FAE67B-9C91-4C88-91C6-37E4D5F50FE9}{7547D35D-57C9-40FD-AA15-FB810B9C945C}{A7384DDC-F7B3-460F-9DC2-E2AA8DC57011}{0DC51760-4FB7-41F3-8967-D3DEC9D320EB}{34CBFE93-A6CB-4063-A16C-B0F28CB3F934}{768FCDC7-A6E7-424A-BF92-93B5338C9D2F}{C93EEA4B-7FBB-4c81-B95E-01B83F34FFD8}{B94FC42D-37A5-4a75-8B14-B18FF20C3492}{5FED163B-78E6-4002-90DE-B4E080C1781C}{12EBD61A-4CE3-41FB-8D05-3115420E90BE}{3D4862D9-4DF7-4DE1-9B5C-D34C960ECDAD}VersionString{1894F2C4-6426-425B-B244-3E4701C803E2}{12ebd61a-4ce3-41fb-8d05-3115420e90be}Global\%s{E09B48B5-E141-427A-AB0C-D3605127224A}{689404D2-1C94-44B3-9203-BEC5594FDA7A}{EFB70B01-B1F3-4960-AB69-4A280084A60C}{C2736CA7-76E1-4D0C-B590-483A7FFD18DA}{FE7E950B-220A-4182-B5CA-19397244DCFD}{7E5C338B-E77E-4CB4-9C1D-FB67B56B3B19}{F07E35BF-8B03-4777-9B5E-AE90E4FF0932}{C5B59406-E985-4187-84E8-68E2D9F89A47}{D7CE240C-0F3B-4C40-9278-C0B90E533652}{A519AE9C-7C79-4C5B-9127-8F46D648D5A4}{4541DA32-2108-43E9-9915-C71B9DE77048}{A5C1C914-4EF7-40ED-9BCE-FCEB4BB0C19D}{9FCE5BBD-D85F-4905-8A0C-12A3A86C2434}{F4E46404-2578-4955-B748-547957F08AB1}{B7300824-E68F-45F1-BAC1-5F15636C346F}{CD59EA85-6CBF-4C08-BE59-6C628B3D8F54}SOFTWARE\Microsoft\MSSQLServer\MSSQLServer\CurrentVersionselect * from SqlServiceAdvancedProperty where SQLServiceType = 1root\Microsoft\SqlServer\ComputerManagementWTSQueryUserTokenWtsapi32.dll\system32\Netapi32.dllNetapi32.dllNetApiBufferFreeNetUserGetInfoShell_TrayWndWTSSendMessageW
Source: FortiClientVPN.exe, 00000005.00000000.3331110950.0000000000239000.00000002.00000001.01000000.00000008.sdmp  Binary or memory string: GetProcessImageFileNameWpsapi.dllGetVolumePathNamesForVolumeNameWKernel32.dllNtQueryInformationProcessNtSetInformationProcessNtQueryInformationThread\SystemRoot\SystemRootA:\Device\LanmanRedirectorSeDebugPrivilegeFortipsFortiRdrFortiClient IPSec DriverFortiRdr2FortiClient Redirect DriverFortiClient Application DriverfortiapdFAFileMonfortimon2kFortiClient Realtime Monitor DriverFSFilter AntiVirus324920FltMgrfortimon3fortimon2FortiClient Application Firewall DriverFortiFWFSFilter Content ScreenerFortiFW2324900FortiShield mini-filter driverFortiStat2FortiStatFortiWFFortiClient NAC Filter DriverfortiloaderFortiClient Web Filter Driverfortiloader driverSystem Reservedfortisniff driverfortisniffFSFilter SandboxingFortiAptFilter324930FortiClient Sandboxing DriverFortiClient VPN Traffic ControlFortiTransCtrlav_task.exesoftware\Fortinet\FortiClient\FA_IKEupdate_task.exesoftware\Fortinet\FortiClient\FA_AVRipsec.exesoftware\Fortinet\FortiClient\FA_FMONavrepair.exesoftware\Fortinet\FortiClient\FA_SUBMITfmon.exermon.exeSubmitV.exesoftware\Fortinet\FortiClient\FA_FORTITRAYfortifws.exesoftware\Fortinet\FortiClient\FA_VPNSTARTERFortiTray.exesoftware\Fortinet\FortiClient\FA_WFFortiVPNSt.exeFCDBLog.exeFortiWF.exeFortiProxy.exeFCMgr.exeFortiWaDBd.exesoftware\Fortinet\FortiClient\FA_APPDBsoftware\Fortinet\FortiClient\FA_CONFIGDFortiWad.exeFortiSSLVPNdaemon.exesoftware\Fortinet\FortiClient\FA_SSLVPNFSSOMA.exeFCVbltScan.exefcaptmon.exesoftware\Fortinet\FortiClient\FA_SANDBOXfortiae.exesoftware\Fortinet\FortiClient\FA_AEFortiSSLVPNsys.exesoftware\Fortinet\FortiClient\FA_SETTINGSFortiUSBmon.exesoftware\Fortinet\FortiClient\FA_RMAfcmonitor.exesoftware\Fortinet\FortiClient\FA_FCMONITORFortiTcs.exesoftware\Fortinet\FortiClient\FA_ZTNAFCCryptd.exesoftware\Fortinet\FortiClient\FA_FCCRYPTDFortivrs.exesoftware\Fortinet\FortiClient\FA_PAMFortiVPN.exesoftware\Fortinet\FortiClient\FA_FORTIVPNFortiFS.exesoftware\Fortinet\FortiClient\FA_FS\\.\pipe\FC_{F18F86FD-7503-4564-80CF-B6B199519837}FC_{CFFA4B7C-C730-41af-935C-4DC89655ECB3}Global\FC_{CFFA4B7C-C730-41af-935C-4DC89655ECB3}WTSQueryUserTokenWtsapi32.dllShell_TrayWndGlobal\%ssoftware\Fortinet\FortiClient\FA_FIPSGlobal\_UID_CHANGE_{0ACCF217-864C-451F-BF79-9C7042DBF423}defaultSOFTWARE\Microsoft\Windows NT\CurrentVersion%SystemRoot%\system32\kernel32.dllCurrentMinorVersionNumberCurrentMajorVersionNumberGetProductInfoCurrentBuildNumberWindows 11 Microsoft 11Windows 10 Windows Server 2022 10Windows Server 2019 2022Windows Server 2016 2019Windows 8.1 20168.1Windows Server 2012 R2 Windows 8.0 2012 R28Windows Server 2012 Windows 7 20127Windows Server 2008 R2 Windows Vista 2008 R2VistaWindows Server 2008 Windows OS version %d.%d2008v%d.%dWindows Server OS version %d.%dHome Premium EditionUltimate EditionEnterprise EditionHome Basic EditionStarter EditionBusiness EditionDatacenter EditionCluster Server EditionEnterprise Edition (core installation)Datacenter Edition (core installation)Small Business ServerEnterprise Edition for Itanium-based
Source: C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe  Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe  Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe  Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 Blob
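Two of the registry writes in this report touch certificate stores: a Blob under HKEY_LOCAL_MACHINE\...\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 (AuthRoot is the machine store that Windows' automatic root-certificate update populates) and one under HKEY_CURRENT_USER\...\SystemCertificates\CA\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C (the per-user intermediate CA store), alongside a change notification registered on AuthRoot. In these stores the key name is the SHA-1 thumbprint and the Blob value is CryptoAPI's serialised property list wrapped around the DER certificate, a sequence of [DWORD property id][DWORD reserved][DWORD length][value]. The parser below is an added example written for this page, not Joe Sandbox, Fortinet or Microsoft code: it splits a Blob into its properties, pulls the DER out of CERT_CERT_PROP_ID (32), and checks that its SHA-1 matches both the key name and the stored CERT_SHA1_HASH_PROP_ID (3), which is how you confirm exactly which certificate an installer planted before comparing it with the vendor's published roots. It runs offline against a constructed Blob wrapped around a stand-in DER SEQUENCE that is not a real certificate and not either of the certificates named above; read_blob_from_registry() is the only Windows-specific piece and is an assumption about where a live value would be fetched from.

```python
import hashlib
import struct

# Certificate property IDs from wincrypt.h. A registry Blob is a concatenation of
# [DWORD propid][DWORD reserved][DWORD cb][cb bytes of value]; the reserved field is observed as 1.
PROP_NAMES = {2: "KEY_PROV_INFO", 3: "SHA1_HASH", 4: "MD5_HASH", 9: "ENHKEY_USAGE",
              11: "FRIENDLY_NAME", 20: "KEY_IDENTIFIER", 32: "CERT"}
CERT_SHA1_HASH_PROP_ID, CERT_FRIENDLY_NAME_PROP_ID, CERT_CERT_PROP_ID = 3, 11, 32


def parse_blob(blob: bytes) -> dict:
    """Split a SystemCertificates\\...\\Certificates\\<thumbprint>\\Blob value into {propid: value}."""
    props, off = {}, 0
    while off < len(blob):
        if off + 12 > len(blob):
            raise ValueError(f"truncated property header at offset {off}")
        propid, _reserved, cb = struct.unpack_from("<III", blob, off)
        if off + 12 + cb > len(blob):
            raise ValueError(f"property {propid} at offset {off} runs past the end of the blob")
        props[propid] = blob[off + 12: off + 12 + cb]
        off += 12 + cb
    return props


def der_total_length(buf: bytes) -> int:
    """Length of the first DER TLV in buf (tag + length field + content). Only a SEQUENCE is accepted,
    which is what the outer Certificate structure of X.509 is."""
    if not buf or buf[0] != 0x30:
        raise ValueError("value does not start with a DER SEQUENCE")
    first = buf[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    if n == 0 or n > 4 or len(buf) < 2 + n:
        raise ValueError("bad DER length encoding")
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")


def check_store_entry(key_name: str, blob: bytes) -> dict:
    """Tie a registry key name (the SHA-1 thumbprint) back to the DER certificate inside its Blob."""
    props = parse_blob(blob)
    der = props.get(CERT_CERT_PROP_ID)
    if der is None:
        raise ValueError("Blob carries no CERT_CERT_PROP_ID (32) entry")
    sha1 = hashlib.sha1(der).hexdigest().upper()
    friendly = props.get(CERT_FRIENDLY_NAME_PROP_ID, b"").decode("utf-16-le").rstrip("\0")
    return {
        "properties": [PROP_NAMES.get(p, str(p)) for p in props],
        "thumbprint": sha1,
        "key_matches_thumbprint": sha1 == key_name.upper(),
        "hash_prop_matches": props.get(CERT_SHA1_HASH_PROP_ID) == bytes.fromhex(sha1),
        "der_well_formed": der_total_length(der) == len(der),
        "friendly_name": friendly,
    }


def build_sample_blob(der: bytes, friendly: str = "Constructed test root") -> bytes:
    """Assemble a Blob the way CryptoAPI lays it out. Demo helper only; CryptoAPI writes the real ones."""
    def prop(pid, value):
        return struct.pack("<III", pid, 1, len(value)) + value
    return (prop(CERT_SHA1_HASH_PROP_ID, hashlib.sha1(der).digest())
            + prop(CERT_FRIENDLY_NAME_PROP_ID, (friendly + "\0").encode("utf-16-le"))
            + prop(CERT_CERT_PROP_ID, der))


# Constructed stand-in for a DER certificate: a well-formed outer SEQUENCE (long-form length 0x0100)
# around dummy content. It is not an X.509 certificate and not any certificate from this report.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))


def read_blob_from_registry(hive: str, subkey: str) -> bytes:
    r"""Windows only (assumed fetch path): read the Blob value of an entry such as
    read_blob_from_registry("HKLM", r"SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\<thumbprint>")."""
    import winreg  # imported here so the parser itself stays usable on any OS
    root = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}[hive]
    with winreg.OpenKey(root, subkey) as key:
        value, _ = winreg.QueryValueEx(key, "Blob")
    return value


if __name__ == "__main__":
    thumb = hashlib.sha1(SAMPLE_DER).hexdigest().upper()
    print(check_store_entry(thumb, build_sample_blob(SAMPLE_DER)))
```

Once the DER is extracted, `openssl x509 -inform DER -noout -subject -issuer -fingerprint -sha1` names the certificate; the two thumbprints in this report are not decoded here because the certificates themselves are not part of the page. A Blob that carries a hash property but no CERT_CERT_PROP_ID is a hash-only entry (the Disallowed store works that way), and the function above reports it as an error rather than guessing.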
MITRE ATT&CK mapping (techniques matched by the signatures above; the figure in parentheses is the count shown in the original matrix cell; the remaining cells of the original grid were unmatched placeholders and are omitted):

Initial Access: Replication Through Removable Media (1)
Execution: Command and Scripting Interpreter (2)
Persistence: DLL Side-Loading (1)
Privilege Escalation: Process Injection (2), DLL Side-Loading (1)
Defense Evasion: Masquerading (1), Modify Registry (1), Virtualization/Sandbox Evasion (2), Disable or Modify Tools (1), Process Injection (2), Obfuscated Files or Information (1), Software Packing (1), DLL Side-Loading (1)
Discovery: Query Registry (1), Security Software Discovery (11), Virtualization/Sandbox Evasion (2), Process Discovery (2), Peripheral Device Discovery (11), System Information Discovery (23)
Reconnaissance, Resource Development, Credential Access, Lateral Movement, Collection, Command and Control, Exfiltration, Impact: no technique matched
Antivirus results for the sample:
Source                              Detection  Scanner
FortiClientVPNOnlineInstaller.exe   0%         ReversingLabs
FortiClientVPNOnlineInstaller.exe   0%         Virustotal

Antivirus results for dropped files:
Source                                                                                                                          Detection  Scanner
C:\Users\user\AppData\Local\Temp\FCT_{625BC4BA-AC3E-4E4B-9996-EEED9D4287C3}\{37F86F81-CEE2-4981-BF24-D0AAFBE74BFB}\FortiClientInstaller.exe   3%   ReversingLabs
C:\Users\user\AppData\Local\Temp\FCT_{625BC4BA-AC3E-4E4B-9996-EEED9D4287C3}\{37F86F81-CEE2-4981-BF24-D0AAFBE74BFB}\FortiClientInstaller.exe   5%   Virustotal
C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe   0%   Virustotal
C:\Users\user\AppData\Local\Temp\MSI88FD.tmp          0%   ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI88FD.tmp          0%   Virustotal
C:\Users\user\AppData\Local\Temp\MSI8A46.tmp          0%   ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI8A46.tmp          0%   Virustotal
C:\Users\user\AppData\Local\Temp\MSI8B12.tmp          0%   ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI8B12.tmp          0%   Virustotal
C:\Users\user\AppData\Local\Temp\MSI8C1C.tmp          0%   ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI8C1C.tmp          0%   Virustotal
No Antivirus matches
Antivirus results for URLs:
Source                                                                                                      Detection  Scanner
https://repo.fortinet.com/repo/forticlient/extensions/pam/firefox/%7B9984e753-9122-4cbc-b198-dccd5340%   safe       Avira URL Cloud
https://repo.fortinet.com/repo/forticlient/extensions/pam/firefox/%7B9984e753-9122-4cbc-b198-dccd5340%   0%         Virustotal
No contacted domains info

URLs found in memory or binary data:
Name                                                                                                    Source             Malicious  Antivirus detection                       Reputation
https://repo.fortinet.com/repo/forticlient/extensions/pam/firefox/%7B9984e753-9122-4cbc-b198-dccd534   MSI88FD.tmp.5.dr   false      0% Virustotal; Avira URL Cloud: safe    unknown
Contacted IPs:
IP               Domain    Country         ASN    ASN Name     Malicious
173.243.138.76   unknown   United States   40934  FORTINETUS   false
192.229.221.95   unknown   United States   15133  EDGECASTUS   false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1466699
Start date and time: 2024-07-03 10:05:31 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 0s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of analysed new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: FortiClientVPNOnlineInstaller.exe
Detection: SUS
Classification: sus20.winEXE@6/19@0/2
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtEnumerateKey calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtSetInformationFile calls found.
  • Skipping network analysis since amount of network traffic is too extensive
No simulations
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
173.243.138.76 | https://filestore.fortinet.com/forticlient/FortiClientVPNOnlineInstaller.exe | Get hash | malicious | Unknown | Browse
  • 173.243.138.76/fdsupdate
192.229.221.95 | http://wavebrowser.co | Get hash | malicious | Unknown | Browse
192.229.221.95 | AnyDesk_new_Soft.exe | Get hash | malicious | EICAR | Browse
192.229.221.95 | https://echange.netapi.fr/f.php?h=0ocaYd0R&d=1 | Get hash | malicious | Unknown | Browse
192.229.221.95 | smartsscreen.exe | Get hash | malicious | Xmrig | Browse
192.229.221.95 | SecuriteInfo.com.Program.Unwanted.5510.19662.8210.exe | Get hash | malicious | Unknown | Browse
192.229.221.95 | http://www.torproject.org | Get hash | malicious | Unknown | Browse
192.229.221.95 | SecuriteInfo.com.Win32.PWSX-gen.28315.7841.exe | Get hash | malicious | Amadey, Fabookie, Mystic Stealer, RedLine, SmokeLoader, Xmrig | Browse
192.229.221.95 | SecuriteInfo.com.Trojan.Inject4.61510.5025.30434.exe | Get hash | malicious | Amadey, Fabookie, Healer AV Disabler, Mystic Stealer, RedLine, SmokeLoader, Xmrig | Browse
192.229.221.95 | SecuriteInfo.com.Win32.DropperX-gen.26839.16803.exe | Get hash | malicious | Amadey, Glupteba, Mystic Stealer, RedLine, SmokeLoader, Xmrig | Browse
192.229.221.95 | D8dw2h4OaE.exe | Get hash | malicious | FormBook, NSISDropper | Browse
No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
FORTINETUS | https://caterwauling-nine-menu.glitch.me/#ZXF1aXRhYmxlcy5yZWdpb24uaWxlZGVmcmFuY2VAaWxlZGVmcmFuY2UuZnI= | Get hash | malicious | HTMLPhisher | Browse
  • 208.91.114.103
FORTINETUS | https://0ma1l.cc/os44u09/erds6io.html#elsa.cohen@iledefrance.fr | Get hash | malicious | HTMLPhisher | Browse
  • 208.91.114.103
FORTINETUS | https://arrow-amenable-gardenia.glitch.me/#ZWxzYS5jb2hlbkBpbGVkZWZyYW5jZS5mcg== | Get hash | malicious | HTMLPhisher | Browse
  • 208.91.114.103
FORTINETUS | https://silk-proximal-fortnight.glitch.me#a2V2aW4ucm9sbGVyQHNhaWMuY29t | Get hash | malicious | HTMLPhisher | Browse
  • 208.91.114.103
FORTINETUS | http://bafybeibzkqukq26eelwvcna2gnl2nhxhlbrizj6s7rupo7bqimxp7chice.ipfs.dweb.link/ | Get hash | malicious | Unknown | Browse
  • 208.91.114.103
FORTINETUS | https://cloudflare-ipfs.com/ipfs/QmWhG4PY6RXe5T7UakJVFDfTnjN6pte6LhpzoEmpDK7232#drusso@he-equipment.com | Get hash | malicious | Unknown | Browse
  • 208.91.114.103
FORTINETUS | https://filestore.fortinet.com/forticlient/FortiClientVPNOnlineInstaller.exe | Get hash | malicious | Unknown | Browse
  • 173.243.138.76
FORTINETUS | https://clt1655579.benchurl.com/c/l?u=10B4123B&e=1794C08&c=19431B&t=1&l=E898EDFF&email=%2F9eKHwQD1yGPbZtwsY9UUTdy4FBCAQYZF2MDYoOuwyzrxzdkiCva1w%3D%3D&seq=1#aW5rZW4ubGFzYXJAZGlnaXRhbDE0LmNvbQ== | Get hash | malicious | HTMLPhisher | Browse
  • 208.91.114.103
FORTINETUS | https://cloudflare-ipfs.com/ipfs/bafybeigh33xrahgcasatwjitlon4jt2edh57zvscbmnhlgwtg3vxtsdbqy/GM.html#rentals@steinborn.com | Get hash | malicious | HTMLPhisher | Browse
  • 208.91.114.103
FORTINETUS | 9e4ca156.html | Get hash | malicious | Unknown | Browse
  • 208.91.114.120
EDGECASTUS | https://www.itanhangasaude.com.br/www/1475312998d8aKqdmPdPNJZi4JNq7WIowwvYGOvuIT___714820ufgtMx5cBwKyVuzlJn3VAYy1QdJUF0IuhCb1EFSueBwxxR9n7T4VNMSyrZd9kcF9rD67v2lJn3VufgtMP8xfiVl9n3IuhCbR9n7Tx5cBw4VNMSx5cBwi3vtsVl9n3MryfS1EFSuufgtMi3vts7O1AR408519___47741237d8aKqdmPdPNJZi4JNq7WIowwvYGOvuIT | Get hash | malicious | HTMLPhisher | Browse
  • 152.199.21.175
EDGECASTUS | http://url2530.tvsmotor.com/ls/click?upn=u001.smInq0-2BkNc5oRshkzMLE7U6zcio2-2F9zwu1ZIXUanV0NJI-2BOrcqj0f4SCu-2B-2BWZYRJ5WulbQ5i5mBsK1zXEak-2FiMRG64aR-2FUGiDgoHteplEfqii9y-2FZm8OviJTU1sjmz7jpaYlxIO-2FZqsCEMZLobIAuBKqKOl6jqYqSAHVwBkUZuGRzhvuesvLIb-2BOJaFEug0CnemcJJ-2FkU8Glr1M3HQvGDXPIOyf8nkQbVJt7YovOZkAEhuJOuEH4Ph5MiX9jsYgicGN-2FPvxMb8qP3PNxydat9K4xALqN5Q554s0jqmG18yyE0AoEP3aqsetKiEetfLRlyIoY9Go3GDyKCGByc1bkwA-3D-3D_hiB_k8wtFa9etD1KMa1MmHXW-2FwYg06wo9cWiDvHqiPmYOGRytNUZst79UpJomtryxKKrh0AV18bTw1Uxa1j3-2B-2BWgpNF6-2FluKqUVQIq65eqgwBcBWQ5CQR9M5cCIHc1cOAH-2BE24H4P7fEAYeqsitSa9ibB8GYFVo8FSHDcQGWJdcDhc6qRVYNNoOHnXmlwvjC9umLA7lBgfKuIFPk0wTmv1npRA3-2BeNSYEECh53hnx2Ya-2Bv8-3D | Get hash | malicious | HTMLPhisher | Browse
  • 93.184.221.165
EDGECASTUS | https://maknastudio.com/pkyos | Get hash | malicious | HTMLPhisher | Browse
  • 152.199.21.175
EDGECASTUS | https://www.getaround.co.il/wp-logs/?r=mag372@norauto.es | Get hash | malicious | HTMLPhisher | Browse
  • 192.229.233.55
EDGECASTUS | https://swans-muffin-1id4964-7304421.netlify.app/form | Get hash | malicious | Unknown | Browse
  • 93.184.221.165
EDGECASTUS | https://reg1a-g4ad23-269fe50-lqng5s.netlify.app/dev.html/ | Get hash | malicious | Unknown | Browse
  • 93.184.221.165
EDGECASTUS | https://hr.economictimes.indiatimes.com/etl.php?url=https://hr.economictimes.indiatimes.com/etl.php?url=//dolar2go.com/new/auth//klqsxqvkkosgj/%2F/ZG9uYWxkLmRvbm92YW5AbWJ1LmVkdQ== | Get hash | malicious | HTMLPhisher | Browse
  • 152.199.21.175
EDGECASTUS | https://hr.economictimes.indiatimes.com/etl.php?url=https://hr.economictimes.indiatimes.com/etl.php?url=//littlelassies.com/ejk/xlpd//j40gstqcualqm/%2F/ZG9uYWxkLmRvbm92YW5AbWJ1LmVkdQ== | Get hash | malicious | HTMLPhisher | Browse
  • 152.199.21.175
EDGECASTUS | https://azotictechnologies953-my.sharepoint.com/:o:/g/personal/marilyn_hall_azotictechnologies_com/Eg8tk_4KvvpMk4ZCAagCmggBx_QeawKvcBXzwvKltGQxKw?e=5%3adBgRX2&at=9 | Get hash | malicious | HTMLPhisher | Browse
  • 152.199.21.175
EDGECASTUS | The Siedenburg Group #24-051-553861 Project.pdf | Get hash | malicious | Unknown | Browse
  • 93.184.221.240
No context
No context
Process:C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe
File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: FortiClient VPN, Author: Fortinet Technologies Inc, Keywords: Installer, Comments: This installer database contains the logic and data required to install FortiClient VPN., Template: x64;1033, Revision Number: {F999948D-39F6-4A38-BD43-BD7510C19B77}, Create Time/Date: Tue Apr 30 23:57:30 2024, Last Saved Time/Date: Tue Apr 30 23:57:30 2024, Number of Pages: 500, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.8.1128.0), Security: 2
Category:dropped
Size (bytes):163995648
Entropy (8bit):7.916524132801799
Encrypted:false
SSDEEP:3145728:rNBEkmvtfi4bJ0t+0xwc1AM5+ENJeQ7Ph3fVjYl4PIWW:rNSkmvs4bJ0Uk9AMQWeSh3pjQWW
MD5:FA9B2F29C47B8C78E8802BCBB429AD8D
SHA1:927ACE51A73B3BB726CB74153887764B60FC3905
SHA-256:7A5B2F8095310BF9E393FB46D47A6A37F475794CE195FBB7D0F2EC4B301D76E9
SHA-512:6DF21A03201487D6B1A46D97645E52E92E0AE540D654D6B3073BD0554B67F138D2C6A04C055A9F4E2C94691AE05C09BC0EBB398F9D4C07C1E66ACC5CC57EF40D
Malicious:false
Reputation:low
Process:C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe
File Type:Certificate, Version=3
Category:dropped
Size (bytes):1716
Entropy (8bit):7.596259519827648
Encrypted:false
SSDEEP:48:GL3d+gG48zmf8grQcPJ27AcYG7i47V28Tl4JZG0FWk8ZHJ:GTd0PmfrrQG28cYG28CEJ
MD5:D91299E84355CD8D5A86795A0118B6E9
SHA1:7B0F360B775F76C94A12CA48445AA2D2A875701C
SHA-256:46011EDE1C147EB2BC731A539B7C047B7EE93E48B9D3C3BA710CE132BBDFAC6B
SHA-512:6D11D03F2DF2D931FAC9F47CEDA70D81D51A9116C1EF362D67B7874F91BF20915006F7AF8ECEBAEA59D2DC144536B25EA091CC33C04C9A3808EEFDC69C90E816
Malicious:false
Reputation:moderate, very likely benign file
Process:C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe
File Type:Certificate, Version=3
Category:dropped
Size (bytes):1428
Entropy (8bit):7.688784034406474
Encrypted:false
SSDEEP:24:nIGWnSIGWnSGc9VIyy0KuiUQ+7n0TCDZJCCAyuIqwmCFUZnPQ1LSdT:nIL7LJSRQ+QgAyuxwfynPQmR
MD5:78F2FCAA601F2FB4EBC937BA532E7549
SHA1:DDFB16CD4931C973A2037D3FC83A4D7D775D05E4
SHA-256:552F7BDCF1A7AF9E6CE672017F4F12ABF77240C78E761AC203D1D9D20AC89988
SHA-512:BCAD73A7A5AFB7120549DD54BA1F15C551AE24C7181F008392065D1ED006E6FA4FA5A60538D52461B15A12F5292049E929CFFDE15CC400DEC9CDFCA0B36A68DD
Malicious:false
Reputation:moderate, very likely benign file
Process:C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe
File Type:data
Category:dropped
Size (bytes):308
Entropy (8bit):3.184395242784626
Encrypted:false
SSDEEP:3:kkFklQcfllXlE/YXlzX/RDvcalXl+RAIdA31y+NW0y1YboOai2WelVJUTMVDXlVn:kKqzNcalgRAOAUSW0P3PeXJUwh8lmi3Y
MD5:D2885E991D3984185AEDF3C539B6C335
SHA1:BEA8843A120C6102295A385AE95581E3A351970E
SHA-256:C3389E72794625767508CFF592B06DD634433910E2F63F8D2C55DFC55B63AFE1
SHA-512:17426ACA0C7B6871C3C4BDDFCC4E63F77F610B9808E079CC8EB9EFCA3858C323453D96BE57077B6D9BC40DA77F0C98AA43F5F8D7A02E5FA9B87C52D865EEADCE
Malicious:false
Reputation:low
Preview:p...... ........g.G/ ...(....................................................... ........}.-@@......................h.t.t.p.:././.c.a.c.e.r.t.s...d.i.g.i.c.e.r.t...c.o.m./.D.i.g.i.C.e.r.t.T.r.u.s.t.e.d.G.4.C.o.d.e.S.i.g.n.i.n.g.R.S.A.4.0.9.6.S.H.A.3.8.4.2.0.2.1.C.A.1...c.r.t...".6.0.9.0.3.0.2.2.-.6.b.4."...
Process:C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe
File Type:data
Category:dropped
Size (bytes):254
Entropy (8bit):3.0371508354751655
Encrypted:false
SSDEEP:6:kK+c5LDcJgjcalgRAOAUSW0PTKDXMOXISKlUp:5LYS4tWOxSW0PAMsZp
MD5:716856F9CB2BDB927ED69CBD54928E59
SHA1:6CAE788917A5BCB85AC34D2755954E113C1CCB16
SHA-256:EE4EEB5E5D7AA9A31D0C59AD5A02F7FAFAF7A0089F9E8F8E543E54330943B076
SHA-512:488067910FA9956B85D253F5A21D92C87D58851BA49F57AD9779320A9A527E4D7E4207AE3F0321CBA477CDC1CF8ECBD9BEDF25A590F1AC3F2D5D110B19FBAF70
Malicious:false
Reputation:low
Preview:p...... ....l.....f/ ...(....................................................... ............n......................h.t.t.p.:././.c.a.c.e.r.t.s...d.i.g.i.c.e.r.t...c.o.m./.D.i.g.i.C.e.r.t.T.r.u.s.t.e.d.R.o.o.t.G.4...c.r.t...".5.a.2.8.6.4.1.7.-.5.9.4."...
Process:C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):857
Entropy (8bit):4.948897482770105
Encrypted:false
SSDEEP:24:/LVYLmLmNLMLOLtudKATrX8uqbSEnPWaKPY:TCLmLmNLMLOLIdKATzVqbSEPWaUY
MD5:8181CF0001ADC2FA1358CC984B76D2BA
SHA1:8E299073E95E37802C8A7163AAB95BE859629A0D
SHA-256:1A77E0AD4A825403C1BF8BAC24E7EA50D813F37592C1004D4C22E72F86487A47
SHA-512:E3112384629C93157D57FBDF3E7243F9E660AC4E625060DA3AAFCD2BCF73FFC2BCDAA0CDBCF9BB7F6D4690E4B2EB404141578C957FE507FDFCC93637266EA801
Malicious:false
Reputation:low
Preview:Wed Jul 3 05:18:53 2024 - Server list:..Wed Jul 3 05:18:53 2024 - .173.243.138.76 TZ3..Wed Jul 3 05:18:53 2024 - .208.184.237.75 TZ3..Wed Jul 3 05:18:53 2024 - begin download...Wed Jul 3 05:18:53 2024 - downloading server list...Wed Jul 3 05:18:53 2024 - downloading image table, server 173.243.138.76..Wed Jul 3 05:18:54 2024 - Highest available image found: 07004000FIMG03028-00004.00000...Wed Jul 3 05:18:54 2024 - This image is version: 7.4.0...Wed Jul 3 05:18:54 2024 - downloading image 07004000FIMG03028-00004.00000..Wed Jul 3 05:18:54 2024 - downloading image from server: 173.243.138.76..Wed Jul 3 05:20:42 2024 - unpacking downloaded image...Wed Jul 3 05:20:49 2024 - end download...Wed Jul 3 05:20:52 2024 - Installer filename is: FortiClientVPN.exe..Wed Jul 3 05:20:52 2024 - C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe..
Process:C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):2812928
Entropy (8bit):6.809998338407615
Encrypted:false
SSDEEP:49152:urA7P9lj6QcwvwMd9DHyfYzF6PoDLzC3b6KwYpclyfZu:urAr9wQqYFDk
MD5:7FE438A216894635F875753EC12D40D6
SHA1:F0330D0920A8B2534832F56F49A188E08615FAAE
SHA-256:CFF7751167B939EE4EEACB4C101ACBC8E67BF3C6D998DC5FB74A15BE033466D0
SHA-512:66759294766E3A7CD7EFE35CEA221AF3A15034526EED86C3189F84C03BFDF2D66740B67A23B28D25ECBD54A7568C2904CBCE20D507433F2421A94658D10B1C11
Malicious:false
Antivirus:
  • Antivirus: ReversingLabs, Detection: 3%
  • Antivirus: Virustotal, Detection: 5%, Browse
Process:C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):98
Entropy (8bit):4.714178217320593
Encrypted:false
SSDEEP:3:vFWWMNHU8LdgC4vXMlGDDQIMOokMlGDDQIMOn:TMVBdYUCDQIzMCDQIT
MD5:EA8A176DBAAA5CC38807513FC8E82F7C
SHA1:9C07B57CA363CE9CBCEA94DE7FF997B0F1C31C36
SHA-256:0B9D879350811936414F744CD253F967AF3F64D1636730BB9DAEBBF28238E36C
SHA-512:EAA2D0C8349FBF8EE27605E66E88D4754FA9A690F75667A17AA6DB6BCC691D794073E13C3FC4F53BE24CF02297C0C3E1675140D8A1D6B5B82E50388E717F05B0
Malicious:false
Preview:<?xml version="1.0" encoding="UTF-8" ?>..<forticlient_configuration>..</forticlient_configuration>
Process:C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe
File Type:JSON data
Category:dropped
Size (bytes):725
Entropy (8bit):4.986555138528995
Encrypted:false
SSDEEP:12:YcJp85WLoKjGA4fxT1FtNXlzTX4UjPuKmfufLLD9QVw+XLFWg1/jPY575LuLFTXA:YLEjx4d3TBHjPuKOuf3D9Q1XLFWg1/jC
MD5:C5C17A08C93BC0F19F012DEECDDEE005
SHA1:9D21AA24672BE8950EFF4761BC70858069724C7C
SHA-256:84F94B3F08FB26A3F164C9613357C4B40EE49DACEE4E9BB4CE1E144B8C6C9383
SHA-512:D19AEDC252E6748B60FE5429A2EA23770576E7AA526BF254FCF02EA220A03F1FD19CAFF9BC5DD40A7A3A56492353E9A9F46C3D85DE1931664FEB17F2D3491B87
Malicious:false
Preview:{"ems_settings":{"LogPath":"","StartTime":"","ScheduledInstall":false,"Unsupervised":false,"UsersControlReboot":false,"RebootWhenNeeded":true,"AutoReboot0Users":true,"Uninstall":false,"EMSServer":"emserver.fortinet.net","SchId":"","DeviceId":"","EMSFCTConfig":"configuration.xml","vdom":"default","installer_guid":"0"},"FCTMSI":{"Features":[],"LogFile":"FortiClient00000.log","DesktopShortcut":true,"StartMenuShortcut":true,"ProductName":"FortiClient VPN","ProductCode":"{0DC51760-4FB7-41F3-8967-D3DEC9D320EB}","Version":"7.4.0.1658","Filename":"FortiClient.msi"},"KeepCleanroom":false,"FCTConfig":"","FORTIMONITORMSI":{"integrated":true,"ProductName":"","ProductCode":"","Version":"","Filename":"FortiMonitorInstaller.msi"}}
Process:C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe
File Type:Unicode text, UTF-16, little-endian text, with very long lines (500), with CRLF, LF line terminators
Category:dropped
Size (bytes):95816
Entropy (8bit):3.793641374311521
Encrypted:false
SSDEEP:1536:wG5yrBfeG4HEYyfECoVWtbVzob+omXl5+oasewO5GUWgWMWgWYuasewO5GUWgWMe:fSSslkzwX
MD5:24F9BF4DBA753DF8AD025275FF86DFCC
SHA1:02F5904066037BDC8A55B90DD3F24AE3866EC923
SHA-256:7CF9BC238DB2F5169D55492FFF2C0838641D5972F0F2C3681AEEB5FACA6425CF
SHA-512:8CA577D8025AE698AD4013109F0E1B1C5563F9D865AB2BD497F0A9A7CB362F5E583BF9547E40415DEBAF4797156C389E25D31DC9D32E14A4FB6DEDC5EE41AE7C
Malicious:false
Preview:..[.S.E.T.U.P.E.X.E. .5.3.5.2.]. . .2.0.2.4.-.0.7.-.0.3. .0.5.:.2.0.:.5.6. . .s.e.t.u.p.e.x.e.:.:.m.s.i._.l.o.g.g.i.n.g.:.:.I.n.i.t.i.a.l.i.s.e.(.).,. .m.y. .v.e.r.s.i.o.n. .i.s. .7...4...0...1.6.5.8.....[.S.E.T.U.P.E.X.E. .5.3.5.2.]. . .2.0.2.4.-.0.7.-.0.3. .0.5.:.2.0.:.5.6. . .s.e.t.u.p.e.x.e.:.:.C.l.e.a.n.r.o.o.m.:.:.C.l.e.a.n.r.o.o.m.....[.S.E.T.U.P.E.X.E. .5.3.5.2.]. . .2.0.2.4.-.0.7.-.0.3. .0.5.:.2.0.:.5.6. . .s.e.t.u.p.e.x.e.:.:.u.t.i.l.s.:.:.G.e.n.e.r.a.t.e.G.u.i.d.....[.S.E.T.U.P.E.X.E. .5.3.5.2.]. . .2.0.2.4.-.0.7.-.0.3. .0.5.:.2.0.:.5.6. . .s.e.t.u.p.e.x.e.:.:.C.l.e.a.n.r.o.o.m.:.:.C.l.e.a.n.r.o.o.m. .=. .C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.F.C.T._.{.6.2.5.B.C.4.B.A.-.A.C.3.E.-.4.E.4.B.-.9.9.9.6.-.E.E.E.D.9.D.4.2.8.7.C.3.}.\.{.3.7.F.8.6.F.8.1.-.C.E.E.2.-.4.9.8.1.-.B.F.2.4.-.D.0.A.A.F.B.E.7.4.B.F.B.}.....[.S.E.T.U.P.E.X.E. .5.3.5.2.]. . .2.0.2.4.-.0.7.-.0.3. .0.5.:.2.0.:.5.6. . .s.e.t.u.p.e.x.e.:.:.C.l.e.a.n.r.o.o.m.:.:.D.e.l.e.t.e.C.l.e.a.n.
Process:C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):176739392
Entropy (8bit):7.873996762320648
Encrypted:false
SSDEEP:3145728:gNBEkmvtfi4bJ0t+0xwc1AM5+ENJeQ7Ph3fVjYl4PIWW/:gNSkmvs4bJ0Uk9AMQWeSh3pjQWW/
MD5:43866BF1847EFD3BEF65E4D9EF603CA7
SHA1:0FFD188F983424DF23639FE3F6F824F64241E180
SHA-256:C38A00AE39F38ADE3B665F947EA38EBA69B761DE9FFAA130B9F6177F164C5658
SHA-512:9468A30ED40ECC506A8577DCDAFA92BA01C65129893FCDAC6F2DE85C162918A82A24165AEA349492A97F241FCF71BC1D095BF31BD5566AD1C0A3A3C0F7FDE38E
Malicious:false
Antivirus:
  • Antivirus: Virustotal, Detection: 0%, Browse
Process:C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):8071256
Entropy (8bit):6.6396644310554604
Encrypted:false
SSDEEP:196608:id7MMQBIPmLghZHTzPA+Y2UNGz2LwVI6mb:ideBIPmLqZHTzPA+Y2/2LwV1mb
MD5:32EFBFFDA3376EE49D78BAFF6BCE3CC5
SHA1:FB1195E34A9034309D8BF4608B65E205CAC0B930
SHA-256:F64E2CAD4CDCC53694CA3DBD78B941039064D31EA5892D4DED3A533F0FED627A
SHA-512:AF22120BB60D0E2394C83059B5D2E68AFB40C0FD02E613515257BC80DD3CF55C6792DF5325CB87AD2046724B24303E6C9E1A3C9EB2219BD776826E03BC738920
Malicious:false
Antivirus:
  • Antivirus: ReversingLabs, Detection: 0%
  • Antivirus: Virustotal, Detection: 0%, Browse
                      Process:C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe
                      File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                      Category:dropped
                      Size (bytes):8071256
                      Entropy (8bit):6.6396644310554604
                      Encrypted:false
                      SSDEEP:196608:id7MMQBIPmLghZHTzPA+Y2UNGz2LwVI6mb:ideBIPmLqZHTzPA+Y2/2LwV1mb
                      MD5:32EFBFFDA3376EE49D78BAFF6BCE3CC5
                      SHA1:FB1195E34A9034309D8BF4608B65E205CAC0B930
                      SHA-256:F64E2CAD4CDCC53694CA3DBD78B941039064D31EA5892D4DED3A533F0FED627A
                      SHA-512:AF22120BB60D0E2394C83059B5D2E68AFB40C0FD02E613515257BC80DD3CF55C6792DF5325CB87AD2046724B24303E6C9E1A3C9EB2219BD776826E03BC738920
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      • Antivirus: Virustotal, Detection: 0%, Browse
                      Preview:MZ......................@...................................@...........!..L.!This program cannot be run in DOS mode....$.........?"..Qq..Qq..Qq...q..Qq...q|.Qq...q..Qq..q..Qq..Tp.Qq..Up..Qq..Rp..Qq..Xp..Qqbo.q..Qqbo.q..Qq..UpA.Qq..Qq..Qqbo.q..Qq..Pq..Qq..Up..Qq..Tp..Qq..Qp..Qq...q..Qq...q..Qq..Sp..QqRich..Qq........PE..d...3LZf.........." ...%..[..........IP.......................................{.......|...`A........................................ .t.P...p.t.......z......0v.Hn....{.@(....z.....p.m.T.....................m.(...0.m.@.............[.h............................text.....[.......[................. ..`.rdata........[.......[.............@..@.data....^....t.......t.............@....pdata..Hn...0v..p....u.............@..@_RDATA..\.....z......&z.............@..@.rsrc.........z......(z.............@..@.reloc........z......:z.............@..B........................................................................................................................................
                      Process:C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe
                      File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                      Category:dropped
                      Size (bytes):8071256
                      Entropy (8bit):6.6396644310554604
                      Encrypted:false
                      SSDEEP:196608:id7MMQBIPmLghZHTzPA+Y2UNGz2LwVI6mb:ideBIPmLqZHTzPA+Y2/2LwV1mb
                      MD5:32EFBFFDA3376EE49D78BAFF6BCE3CC5
                      SHA1:FB1195E34A9034309D8BF4608B65E205CAC0B930
                      SHA-256:F64E2CAD4CDCC53694CA3DBD78B941039064D31EA5892D4DED3A533F0FED627A
                      SHA-512:AF22120BB60D0E2394C83059B5D2E68AFB40C0FD02E613515257BC80DD3CF55C6792DF5325CB87AD2046724B24303E6C9E1A3C9EB2219BD776826E03BC738920
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      • Antivirus: Virustotal, Detection: 0%
                      Preview:MZ......................@...................................@...........!..L.!This program cannot be run in DOS mode....$.........?"..Qq..Qq..Qq...q..Qq...q|.Qq...q..Qq..q..Qq..Tp.Qq..Up..Qq..Rp..Qq..Xp..Qqbo.q..Qqbo.q..Qq..UpA.Qq..Qq..Qqbo.q..Qq..Pq..Qq..Up..Qq..Tp..Qq..Qp..Qq...q..Qq...q..Qq..Sp..QqRich..Qq........PE..d...3LZf.........." ...%..[..........IP.......................................{.......|...`A........................................ .t.P...p.t.......z......0v.Hn....{.@(....z.....p.m.T.....................m.(...0.m.@.............[.h............................text.....[.......[................. ..`.rdata........[.......[.............@..@.data....^....t.......t.............@....pdata..Hn...0v..p....u.............@..@_RDATA..\.....z......&z.............@..@.rsrc.........z......(z.............@..@.reloc........z......:z.............@..B........................................................................................................................................
                      Process:C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe
                      File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                      Category:dropped
                      Size (bytes):8071256
                      Entropy (8bit):6.6396644310554604
                      Encrypted:false
                      SSDEEP:196608:id7MMQBIPmLghZHTzPA+Y2UNGz2LwVI6mb:ideBIPmLqZHTzPA+Y2/2LwV1mb
                      MD5:32EFBFFDA3376EE49D78BAFF6BCE3CC5
                      SHA1:FB1195E34A9034309D8BF4608B65E205CAC0B930
                      SHA-256:F64E2CAD4CDCC53694CA3DBD78B941039064D31EA5892D4DED3A533F0FED627A
                      SHA-512:AF22120BB60D0E2394C83059B5D2E68AFB40C0FD02E613515257BC80DD3CF55C6792DF5325CB87AD2046724B24303E6C9E1A3C9EB2219BD776826E03BC738920
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      • Antivirus: Virustotal, Detection: 0%
                      Preview:MZ......................@...................................@...........!..L.!This program cannot be run in DOS mode....$.........?"..Qq..Qq..Qq...q..Qq...q|.Qq...q..Qq..q..Qq..Tp.Qq..Up..Qq..Rp..Qq..Xp..Qqbo.q..Qqbo.q..Qq..UpA.Qq..Qq..Qqbo.q..Qq..Pq..Qq..Up..Qq..Tp..Qq..Qp..Qq...q..Qq...q..Qq..Sp..QqRich..Qq........PE..d...3LZf.........." ...%..[..........IP.......................................{.......|...`A........................................ .t.P...p.t.......z......0v.Hn....{.@(....z.....p.m.T.....................m.(...0.m.@.............[.h............................text.....[.......[................. ..`.rdata........[.......[.............@..@.data....^....t.......t.............@....pdata..Hn...0v..p....u.............@..@_RDATA..\.....z......&z.............@..@.rsrc.........z......(z.............@..@.reloc........z......:z.............@..B........................................................................................................................................
                      Process:C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):154724440
                      Entropy (8bit):7.999998823657705
                      Encrypted:true
                      SSDEEP:3145728:VoCOI/FGuBFom7xkUneQ59ZBJnfD/H47MlANntBP9BRcYEs4x6Nx:jYuBFomFteQ5rfzYm+lf2YEv0z
                      MD5:C0DC5687957AC1CB3BCC1A9414940980
                      SHA1:6565EEF783C58A59E884DF1232A5CEA6AF49194E
                      SHA-256:A3BCCC962218951B007E5B3742D289FFDBC4BB069BFAC2C2EC3CB04C89C82E26
                      SHA-512:A1929BBEBC7AEC4C9DE966CD0E2A0650A65A3C254FDC9873303A2D1E9233B7030ABFF0D40AE5387B1BBF0F48D9CE902B7F945C9ABEC5FCF8F1F2606506B436B5
                      Malicious:false
                      Preview:FIMGFirmware Image......04000240603215728030......8.....0700400000000.......MR4-GA-P0....................................7.h.3.b.@..j....$Re..Q..R...x.Jq.....x[..}......c..C.....]...2I"..V..Qv..Em..'..o.~...S1?|QUG/T2%+.auh0..C...W_.....S....%..^mC......ALC.]..E..=..Y....L.9...1j..D..t4.+..uN3../^p..C...$.zW..F...5...Un.V...o6..._.Pk9@ ....%...{...L........=Y...|$vN{.........V=,...4.|p.:.i....i..U..z..|iv|cR.Zo)K..c...aD.}..w....&...!7o.....X4.9..y.x..VP.....;.o...\9p<.....0.i.yS.uq.G.....X..iB...3.M.>.(..,...Q...k..+T._.ys..x...[H. ./.J3...7%.KA.._.A..Fu.r......Gs....iK)...{.?9...*.?...1./.}5kY.N.7..$D.....5.......3....r....#...XF^4.<.K..G...]....uc...tQL.(..................;....Q..)..^ .M%;5.u...q.,.....r..,7{.%...H....0..S9|,...i?..Z...<.Yu..>..$..+..?..:).U...{....IXr;.e?q[=F U.^"K..BJ.-.....mQ.:.I......t.........v.G...#.s.. .B.....eM.0Oud...[~..~@.J.#...L......+.;..{...W...7I......8p.1....,..e.Z.r.q..N.7l...:.9)y....|...A.....-..(......*..s.....
                      Process:C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe
                      File Type:ASCII text
                      Category:dropped
                      Size (bytes):1101522
                      Entropy (8bit):4.030758515495095
                      Encrypted:false
                      SSDEEP:3072:rMcwaCPQFBxJ08FUOAB6kHq+bmnhmliVK7Ce0ZmL7KES/AtWz0ZspYfMp+jI9382:7AZbyDO9MdK2
                      MD5:2B0BDB593E9900A4F5EE728283F63D7D
                      SHA1:7412E34976283D086B247846E756AD2388CF9DDA
                      SHA-256:FF2498CD2C9AC62774A6B33EFB0354D6B7A2D1F7FD6CB7AB8ACC6A6771B44744
                      SHA-512:8FBE78FC2D78D9075D7D864167142220DABA0A1585246373DA4F23A5B2B8D5B9223427BDC907A1E7B68069F11208AA8D4EBB2A9C4154C19738EAAC9D5A4509D5
                      Malicious:false
                      Preview:L FAP F432FR FIMG 7.2.3 07002000FIMG05075-00002.00003 MR2-GA-P3.L FAP F432FR FIMG 7.2.4 07002000FIMG05075-00002.00004 MR2-GA-P4.L FAP F432FR FIMG 7.2.5 07002000FIMG05075-00002.00005 MR2-GA-P5.L FAP F432FR FIMG 7.4.1 07004000FIMG05075-00004.00001 MR4-GA-P1.L FAP F432FR FIMG 7.4.2 07004000FIMG05075-00004.00002 MR4-GA-P2.L FAP F432FR FIMG 7.4.3 07004000FIMG05075-00004.00003 MR4-GA-P3.L FAP FAP11C FIMG 5.0.7 05000000FIMG05005-00000.00007 MR0-GA-P07.L FAP FAP11C FIMG 5.0.8 05000000FIMG05005-00000.00008 MR0-GA-P08.L FAP FAP11C FIMG 5.0.9 05000000FIMG05005-00000.00009 MR0-GA-P09.L FAP FAP11C FIMG 5.0.10 05000000FIMG05005-00000.00010 MR0-GA-P10.L FAP FAP11C FIMG 5.2.0 05002000FIMG05005-00002.00000 MR0-GA-P00.L FAP FAP11C FIMG 5.2.2 05002000FIMG05005-00002.00002 MR0-GA-P02.L FAP FAP11C FIMG 5.2.3 05002000FIMG05005-00002.00003 MR0-GA-P03.L FAP FAP11C FIMG 5.2.4 05002000FIMG05005-00002.00004 MR0-GA-P04.L FAP FAP11C FIMG 5.2.6 05002000FIMG05005-00002.00006 MR0-GA-P06.L FAP FAP11C FIMG 5.2.7 050020
                      Process:C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):512
                      Entropy (8bit):0.0
                      Encrypted:false
                      SSDEEP:3::
                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                      Malicious:false
                      Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                      Entropy (8bit):6.819635852567028
                      TrID:
                      • Win32 Executable (generic) a (10002005/4) 99.96%
                      • Generic Win/DOS Executable (2004/3) 0.02%
                      • DOS Executable Generic (2002/1) 0.02%
                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                      File name:FortiClientVPNOnlineInstaller.exe
                      File size:2'794'560 bytes
                      MD5:11bfc265fc53ac4756e4ef2759ca10eb
                      SHA1:e3d2bf11618c39dfd036bb33ea96aa5f989fed25
                      SHA256:2e520faa2b71ba56643153b77c2908c0d6da34a2f6f9abaa7cbadab9278dc99e
                      SHA512:6b1e802f82002c5f8162a48440e09631da12fbfa283fc03bbf405938406955581764cda3ae57021d9e1b821a128b227e77b38dd6994a655f438ac5081f5ae689
                      SSDEEP:49152:nZ2d2wu+8ewJobcRgEekPZ99ztx5IX0hL5m6bgy:nZ2dnu+AMW9x2O
                      TLSH:84D5BF12FFC68162E4F3467822FA537B4D39BC249B38C9C7979105AD88315C1A63F7A9
                      File Content Preview:MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$....... %..dD.@dD.@dD.@..T@tD.@..V@.D.@..W@xD.@q;X@nD.@q;.AwD.@q;.A~D.@..n@cD.@dD.@sD.@p;.A.F.@R..ASD.@q;.A.D.@..k@`D.@dD.@.E.@R..A`D.
                      Icon Hash:785231641392b747
                      Entrypoint:0x46fd60
                      Entrypoint Section:.text
                      Digitally signed:true
                      Imagebase:0x400000
                      Subsystem:windows gui
                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                      Time Stamp:0x665A4EA6 [Fri May 31 22:26:46 2024 UTC]
                      TLS Callbacks:
                      CLR (.Net) Version:
                      OS Version Major:6
                      OS Version Minor:0
                      File Version Major:6
                      File Version Minor:0
                      Subsystem Version Major:6
                      Subsystem Version Minor:0
                      Import Hash:8546df8fe77bb35f303e775ee2f6749d
                      Signature Valid:true
                      Signature Issuer:CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
                      Signature Validation Error:The operation completed successfully
                      Error Number:0
                      Not Before: 07/06/2021 02:00:00
                      Not After: 10/07/2024 01:59:59
                      Subject Chain
                      • CN=Fortinet Technologies (Canada) ULC, O=Fortinet Technologies (Canada) ULC, L=Burnaby, S=British Columbia, C=CA
                      Version:3
                      Thumbprint MD5:0FC41099213427CBB151F9BCEB0999A3
                      Thumbprint SHA-1:0F38EA0AA959EA336C743AE18DC9E60A4FD58665
                      Thumbprint SHA-256:2946B2BB26811170F8E10F1643DDC020888162D9F53073100FE5A408872285EE
                      Serial:0862DFFEC6E9332BFA93B2F187863642
                      Instruction
                      call 00007F212CF66610h
                      jmp 00007F212CF65FBDh
                      push ebp
                      mov ebp, esp
                      pop ebp
                      jmp 00007F212CF65895h
                      and dword ptr [ecx+04h], 00000000h
                      mov eax, ecx
                      and dword ptr [ecx+08h], 00000000h
                      mov dword ptr [ecx+04h], 005CDA80h
                      mov dword ptr [ecx], 005CA2A4h
                      ret
                      push ebp
                      mov ebp, esp
                      sub esp, 0Ch
                      lea ecx, dword ptr [ebp-0Ch]
                      call 00007F212CF6611Fh
                      push 00658354h
                      lea eax, dword ptr [ebp-0Ch]
                      push eax
                      call 00007F212CF6A2F3h
                      int3
                      push ebp
                      mov ebp, esp
                      and dword ptr [00661C0Ch], 00000000h
                      sub esp, 24h
                      or dword ptr [0065C104h], 01h
                      push 0000000Ah
                      call dword ptr [005C61E4h]
                      test eax, eax
                      je 00007F212CF662F2h
                      and dword ptr [ebp-10h], 00000000h
                      xor eax, eax
                      push ebx
                      push esi
                      push edi
                      xor ecx, ecx
                      lea edi, dword ptr [ebp-24h]
                      push ebx
                      cpuid
                      mov esi, ebx
                      pop ebx
                      nop
                      mov dword ptr [edi], eax
                      mov dword ptr [edi+04h], esi
                      mov dword ptr [edi+08h], ecx
                      xor ecx, ecx
                      mov dword ptr [edi+0Ch], edx
                      mov eax, dword ptr [ebp-24h]
                      mov edi, dword ptr [ebp-20h]
                      mov dword ptr [ebp-0Ch], eax
                      xor edi, 756E6547h
                      mov eax, dword ptr [ebp-18h]
                      xor eax, 49656E69h
                      mov dword ptr [ebp-04h], eax
                      mov eax, dword ptr [ebp-1Ch]
                      xor eax, 6C65746Eh
                      mov dword ptr [ebp-08h], eax
                      xor eax, eax
                      inc eax
                      push ebx
                      cpuid
                      mov esi, ebx
                      pop ebx
                      nop
                      lea ebx, dword ptr [ebp-24h]
                      mov dword ptr [ebx], eax
                      mov eax, dword ptr [ebp-04h]
                      or eax, dword ptr [ebp-08h]
                      Name | Virtual Address | Virtual Size | Is in Section
                      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x25a3b0 | 0x624 | .rdata
                      IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25a9d4 | 0x3c | .rdata
                      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x266000 | 0x322b8 | .rsrc
                      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x2a7c00 | 0x2840 | .reloc
                      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x299000 | 0x16f00 | .reloc
                      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x255b70 | 0x1c | .rdata
                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_TLS | 0x255bc0 | 0x18 | .rdata
                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x1cd9c0 | 0x40 | .rdata
                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_IAT | 0x1c6000 | 0x2e4 | .rdata
                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x259078 | 0x200 | .rdata
                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                      Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                      .text | 0x1000 | 0x1c4b3d | 0x1c4c00 | 85e33bccdac310f838264e52d28b68e9 | False | 0.5347609875414135 | data | 6.849650084467638 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      .rdata | 0x1c6000 | 0x95b26 | 0x95c00 | ab4b7255f1c23c04cd3d63f0e29f609e | False | 0.4219418431761269 | data | 5.71713508827871 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .data | 0x25c000 | 0x8ed4 | 0x3800 | 7bc30ec1eaef94b2203f91cfaab74ea1 | False | 0.44949776785714285 | data | 5.349235142741649 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      .didat | 0x265000 | 0x324 | 0x400 | 2d2ef5bd2488de55716af6f9fa7a53c6 | False | 0.435546875 | data | 4.0906763099531975 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      .rsrc | 0x266000 | 0x322b8 | 0x32400 | ae51569bf38c41b033d3a2014f16b88f | False | 0.6108714241293532 | data | 6.523864682017585 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .reloc | 0x299000 | 0x16f00 | 0x17000 | 9f972e86388fc3b833d2048a1a3d850c | False | 0.5941745923913043 | data | 6.6361861676436185 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                      Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                      REGISTRY | 0x26bbc8 | 0xc3 | ASCII text, with CRLF line terminators | | | 0.6512820512820513
                      RT_ICON | 0x26c178 | 0x3d9 | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | | | 1.0111675126903554
                      RT_ICON | 0x26c558 | 0x725 | PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced | | | 1.0060142154182614
                      RT_ICON | 0x26cc80 | 0xb07 | PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced | | | 1.003896563939072
                      RT_ICON | 0x26d788 | 0x14e3 | PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced | | | 1.002057228352347
                      RT_ICON | 0x26ec70 | 0x1fac | PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced | | | 1.0013566847557966
                      RT_ICON | 0x270c20 | 0x3877 | PNG image data, 96 x 96, 8-bit/color RGBA, non-interlaced | | | 1.0007609823590453
                      RT_ICON | 0x274498 | 0x554b | PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced | | | 1.0007327684909548
                      RT_ICON | 0x2799e8 | 0xac4d | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9978915867510032
                      RT_ICON | 0x2846b0 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | | | 0.2647849462365591
                      RT_MENU | 0x2679f8 | 0x22 | Matlab v4 mat-file (little endian) \326S\210m\337\216\324\232GS\032}, numeric, rows 7143568, columns 6881377, imaginary | Chinese | Taiwan | 1.1764705882352942
                      RT_MENU | 0x269030 | 0x52 | Matlab v4 mat-file (little endian) S, numeric, rows 7143568, columns 6881377, imaginary | Czech | Czech Republic | 0.8658536585365854
                      RT_MENU | 0x26b3a0 | 0x4c | Matlab v4 mat-file (little endian) A, numeric, rows 7143568, columns 6881377, imaginary | Danish | Denmark | 0.881578947368421
                      RT_MENU | 0x2687d8 | 0x48 | Matlab v4 mat-file (little endian) S, numeric, rows 7143568, columns 6881377, imaginary | German | Germany | 0.8888888888888888
                      RT_MENU | 0x2674a8 | 0x42 | Matlab v4 mat-file (little endian) C, numeric, rows 7143568, columns 6881377, imaginary | English | United States | 0.9090909090909091
                      RT_MENU | 0x26afc8 | 0x4a | Matlab v4 mat-file (little endian) P, numeric, rows 7143568, columns 6881377, imaginary | Finnish | Finland | 0.8918918918918919
                      RT_MENU | 0x268398 | 0x5a | Matlab v4 mat-file (little endian) A, numeric, rows 7143568, columns 6881377, imaginary | French | France | 0.8111111111111111
                      RT_MENU | 0x26a010 | 0x52 | Matlab v4 mat-file (little endian) S, numeric, rows 7143568, columns 6881377, imaginary | Hungarian | Hungary | 0.8902439024390244
                      RT_MENU | 0x267fa8 | 0x30 | Matlab v4 mat-file (little endian) \2750\3250\3100\2460\2470\2420\364f\260e\2550\3430\3630\2730\3530, numeric, rows 7143568, columns 6881377, imaginary | Japanese | Japan | 1.1458333333333333
                      RT_MENU | 0x267ce0 | 0x30 | Matlab v4 mat-file (little endian) \214\301\004\325\270\322\350\306\264\305 , numeric, rows 7143568, columns 6881377, imaginary | Korean | North Korea | 1.1458333333333333
                      RT_MENU | 0x267ce0 | 0x30 | Matlab v4 mat-file (little endian) \214\301\004\325\270\322\350\306\264\305 , numeric, rows 7143568, columns 6881377, imaginary | Korean | South Korea | 1.1458333333333333
                      RT_MENU | 0x26b758 | 0x50 | Matlab v4 mat-file (little endian) A, numeric, rows 7143568, columns 6881377, imaginary | Norwegian | Norway | 0.8625
                      RT_MENU | 0x269860 | 0x5a | Matlab v4 mat-file (little endian) C, numeric, rows 7143568, columns 6881377, imaginary | Portuguese | Brazil | 0.8222222222222222
                      RT_MENU | 0x269c80 | 0x42 | data | Russian | Russia | 0.9393939393939394
                      RT_MENU | 0x269448 | 0x54 | Matlab v4 mat-file (little endian) S, numeric, rows 7143568, columns 6881377, imaginary | Slovak | Slovakia | 0.9047619047619048
                      RT_MENU | 0x26a3e8 | 0x4e | Matlab v4 mat-file (little endian) K, numeric, rows 7143568, columns 6881377, imaginary | Estonian | Estonia | 0.8076923076923077
                      RT_MENU | 0x26a7c0 | 0x60 | Matlab v4 mat-file (little endian) A, numeric, rows 7143568, columns 6881377, imaginary | Latvian | Latvia | 0.8020833333333334
                      RT_MENU | 0x26abd8 | 0x66 | Matlab v4 mat-file (little endian) A, numeric, rows 7143568, columns 6881377, imaginary | Lithuanian | Lithuania | 0.7941176470588235
                      RT_MENU | 0x267760 | 0x22 | Matlab v4 mat-file (little endian) \326S\210mo\217\366NGS\247~, numeric, rows 7143568, columns 6881377, imaginary | Chinese | China | 1.1470588235294117
                      RT_MENU | 0x268c08 | 0x5a | Matlab v4 mat-file (little endian) C, numeric, rows 7143568, columns 6881377, imaginary | | | 0.8444444444444444
                      RT_MENU | 0x26bb68 | 0x5a | Matlab v4 mat-file (little endian) A, numeric, rows 7143568, columns 6881377, imaginary | French | Canada | 0.8111111111111111
                      RT_DIALOG | 0x267788 | 0x100 | data | Chinese | Taiwan | 0.7109375
                      RT_DIALOG | 0x268c68 | 0x11c | data | Czech | Czech Republic | 0.6936619718309859
                      RT_DIALOG | 0x26b018 | 0x128 | data | Danish | Denmark | 0.6587837837837838
                      RT_DIALOG | 0x2683f8 | 0x12e | data | German | Germany | 0.6423841059602649
                      RT_DIALOG | 0x267110 | 0x110 | data | English | United States | 0.6617647058823529
                      RT_DIALOG | 0x26ac40 | 0x11e | data | Finnish | Finland | 0.6783216783216783
                      RT_DIALOG | 0x267fd8 | 0x112 | data | French | France | 0.6788321167883211
                      RT_DIALOG | 0x269cc8 | 0x10e | data | Hungarian | Hungary | 0.7111111111111111
                      RT_DIALOG | 0x267d10 | 0xf8 | data | Japanese | Japan | 0.7620967741935484
                      RT_DIALOG | 0x267a20 | 0xf4 | data | Korean | North Korea | 0.7622950819672131
                      RT_DIALOG | 0x267a20 | 0xf4 | data | Korean | South Korea | 0.7622950819672131
                      RT_DIALOG | 0x26b3f0 | 0x128 | data | Norwegian | Norway | 0.6351351351351351
                      RT_DIALOG | 0x2694a0 | 0x11a | data | Portuguese | Brazil | 0.6595744680851063
                      RT_DIALOG | 0x2698c0 | 0x114 | data | Russian | Russia | 0.6884057971014492
                      RT_DIALOG | 0x269088 | 0x11e | data | Slovak | Slovakia | 0.6888111888111889
                      RT_DIALOG | 0x26a068 | 0x114 | data | Estonian | Estonia | 0.6666666666666666
                      RT_DIALOG | 0x26a438 | 0x114 | data | Latvian | Latvia | 0.6702898550724637
                      RT_DIALOG | 0x26a820 | 0x126 | data | Lithuanian | Lithuania | 0.6462585034013606
                      RT_DIALOG | 0x2674f0 | 0x100 | data | Chinese | China | 0.71484375
                      RT_DIALOG | 0x268820 | 0x122 | data | | | 0.6620689655172414
                      RT_DIALOG | 0x26b7a8 | 0x112 | data | French | Canada | 0.6788321167883211
                      RT_DIALOG | 0x267888 | 0x16c | data | Chinese | Taiwan | 0.6868131868131868
                      RT_DIALOG | 0x268d88 | 0x2a2 | data | Czech | Czech Republic | 0.5341246290801187
                      RT_DIALOG | 0x26b140 | 0x25e | data | Danish | Denmark | 0.504950495049505
                      RT_DIALOG | 0x268528 | 0x2b0 | data | German | Germany | 0.48691860465116277
                      RT_DIALOG | 0x267220 | 0x282 | data | English | United States | 0.48442367601246106
                      RT_DIALOG | 0x26ad60 | 0x264 | data | Finnish | Finland | 0.5179738562091504
                      RT_DIALOG | 0x2680f0 | 0x2a6 | data | French | France | 0.48672566371681414
                      RT_DIALOG | 0x269dd8 | 0x238 | data | Hungarian | Hungary | 0.5264084507042254
                      RT_DIALOG | 0x267e08 | 0x19c | data | Japanese | Japan | 0.6601941747572816
                      RT_DIALOG | 0x267b18 | 0x1c2 | data | Korean | North Korea | 0.6711111111111111
                      RT_DIALOG | 0x267b18 | 0x1c2 | data | Korean | South Korea | 0.6711111111111111
                      RT_DIALOG | 0x26b518 | 0x240 | data | Norwegian | Norway | 0.5260416666666666
                      RT_DIALOG | 0x2695c0 | 0x29e | data | Portuguese | Brazil | 0.48059701492537316
                      RT_DIALOG | 0x2699d8 | 0x2a6 | data | Russian | Russia | 0.4911504424778761
                      RT_DIALOG | 0x2691a8 | 0x2a0 | data | Slovak | Slovakia | 0.5267857142857143
                      RT_DIALOG | 0x26a180 | 0x268 | data | Estonian | Estonia | 0.5081168831168831
                      RT_DIALOG | 0x26a550 | 0x26e | data | Latvian | Latvia | 0.5016077170418006
                      RT_DIALOG | 0x26a948 | 0x28e | data | Lithuanian | Lithuania | 0.48623853211009177
                      RT_DIALOG | 0x2675f0 | 0x170 | data | Chinese | China | 0.6766304347826086
                      RT_DIALOG | 0x268948 | 0x2ba | data | | | 0.4584527220630373
                      RT_DIALOG | 0x26b8c0 | 0x2a6 | data | French | Canada | 0.48672566371681414
                      RT_STRING | 0x286110 | 0x10c | data | Chinese | Taiwan | 0.7873134328358209
                      RT_STRING | 0x28b420 | 0x262 | data | Czech | Czech Republic | 0.4967213114754098
                      RT_STRING | 0x294d28 | 0x2b0 | data | Danish | Denmark | 0.4055232558139535
                      RT_STRING | 0x288ef8 | 0x30c | data | German | Germany | 0.4153846153846154
                      RT_STRING | 0x2849b0 | 0x26a | data | English | United States | 0.42718446601941745
                      RT_STRING | 0x293ba0 | 0x2b6 | data | Finnish | Finland | 0.4438040345821326
                      RT_STRING | 0x287c88 | 0x2f0 | data | French | France | 0.4162234042553192
                      RT_STRING | 0x28f700 | 0x2ac | data | Hungarian | Hungary | 0.4853801169590643
                      RT_STRING | 0x287238 | 0x196 | data | Japanese | Japan | 0.6059113300492611
                      RT_STRING | 0x286850 | 0x172 | data | Korean | North Korea | 0.7216216216216216
                      RT_STRING | 0x286850 | 0x172 | data | Korean | South Korea | 0.7216216216216216
                      RT_STRING | 0x295eb8 | 0x288 | data | Norwegian | Norway | 0.43364197530864196
                      RT_STRING | 0x28d4f8 | 0x2ce | data | Portuguese | Brazil | 0.41225626740947074
                      RT_STRING | 0x28e6a0 | 0x25e | data | Russian | Russia | 0.5181518151815182
                      RT_STRING | 0x28c420 | 0x28e | data | Slovak | Slovakia | 0.4847094801223242
                      RT_STRING | 0x290810 | 0x2a2 | data | Estonian | Estonia | 0.4406528189910979
                      RT_STRING | 0x291920 | 0x26a | data | Latvian | Latvia | 0.45307443365695793
                      RT_STRING | 0x292a28 | 0x26e | data | Lithuanian | Lithuania | 0.4533762057877814
                      RT_STRING | 0x2859e8 | 0x108 | data | Chinese | China | 0.7727272727272727
                      RT_STRING | 0x28a1d8 | 0x2e4 | data | | | 0.40945945945945944
                      RT_STRING | 0x297048 | 0x2f0 | data | French | Canada | 0.4162234042553192
                      RT_STRING | 0x286410 | 0x14a | data | Chinese | Taiwan | 0.696969696969697
                      RT_STRING | 0x28b958 | 0x34c | data | Czech | Czech Republic | 0.40639810426540285
                      RT_STRING | 0x295318 | 0x3ac | data | Danish | Denmark | 0.3553191489361702
                      RT_STRING | 0x289578 | 0x3c6 | data | German | Germany | 0.3944099378881988
                      RT_STRING | 0x284ef0 | 0x354 | data | English | United States | 0.3673708920187793
                      RT_STRING | 0x294168 | 0x35a | data | Finnish | Finland | 0.38578088578088576
                      RT_STRING | 0x2882d0 | 0x3d6 | data | French | France | 0.36761710794297353
                      RT_STRING | 0x28fca8 | 0x3b2 | data | Hungarian | Hungary | 0.4143763213530655
                      RT_STRING | 0x287570 | 0x228 | data | Japanese | Japan | 0.5507246376811594
                      RT_STRING | 0x286bc0 | 0x1bc | data | Korean | North Korea | 0.6036036036036037
                      RT_STRING | 0x286bc0 | 0x1bc | data | Korean | South Korea | 0.6036036036036037
                      RT_STRING | 0x296490 | 0x362 | data | Norwegian | Norway | 0.3891454965357968
                      RT_STRING | 0x28dae8 | 0x3a8 | data | Portuguese | Brazil | 0.3888888888888889
                      RT_STRING | 0x28ebf8 | 0x362 | data | Russian | Russia | 0.4214780600461894
                      RT_STRING | 0x28c9b8 | 0x356 | data | Slovak | Slovakia | 0.4203747072599532
                      RT_STRING | 0x290d88 | 0x3c2 | data | Estonian | Estonia | 0.35550935550935553
                      RT_STRING | 0x291e98 | 0x366 | data | Latvian | Latvia | 0.4057471264367816
                      RT_STRING | 0x292f90 | 0x36a | data | Lithuanian | Lithuania | 0.41533180778032036
                      RT_STRING | 0x285ce0 | 0x14c | data | Chinese | China | 0.6897590361445783
                      RT_STRING | 0x28a7d0 | 0x39a | data | | | 0.36984815618221256
                      RT_STRING | 0x297690 | 0x3d6 | data | French | Canada | 0.36761710794297353
                      RT_STRING | 0x286560 | 0x2ea | data | Chinese | Taiwan | 0.5294906166219839
                      RT_STRING | 0x28bca8 | 0x776 | data | Czech | Czech Republic | 0.3261780104712042
                      RT_STRING | 0x2956c8 | 0x7f0 | data | Danish | Denmark | 0.2780511811023622
                      RT_STRING | 0x289940 | 0x896 | data | German | Germany | 0.26524112829845314
                      RT_STRING | 0x285248 | 0x79c | data | English | United States | 0.27618069815195073
                      RT_STRING | 0x2944c8 | 0x85e | data | Finnish | Finland | 0.2913165266106443
                      RT_STRING | 0x2886a8 | 0x84a | data | French | France | 0.2822808671065033
                      RT_STRING | 0x290060 | 0x7ae | data | Hungarian | Hungary | 0.31841302136317395
                      RT_STRING | 0x287798 | 0x4ea | data | Japanese | Japan | 0.41971383147853736
                      RT_STRING | 0x286d80 | 0x4b4 | data | Korean | North Korea | 0.48588039867109634
                      RT_STRING | 0x286d80 | 0x4b4 | data | Korean | South Korea | 0.48588039867109634
                      RT_STRING | 0x2967f8 | 0x850 | data | Norwegian | Norway | 0.25798872180451127
                      RT_STRING | 0x28de90 | 0x810 | data | Portuguese | Brazil | 0.2916666666666667
                      RT_STRING | 0x28ef60 | 0x79c | data | Russian | Russia | 0.3203285420944558
                      RT_STRING | 0x28cd10 | 0x7e2 | data | Slovak | Slovakia | 0.313181367690783
                      RT_STRING | 0x291150 | 0x7d0 | data | Estonian | Estonia | 0.2765
                      RT_STRING | 0x292200 | 0x824 | data | Latvian | Latvia | 0.30038387715930903
                      RT_STRING | 0x293300 | 0x8a0 | data | Lithuanian | Lithuania | 0.291213768115942
                      RT_STRING | 0x285e30 | 0x2e0 | data | Chinese | China | 0.529891304347826
                      RT_STRING | 0x28ab70 | 0x8aa | data | | | 0.2799819657348963
                      RT_STRING | 0x297a68 | 0x850 | data | French | Canada | 0.28289473684210525
                      RT_STRING | 0x286220 | 0x1f0 | data | Chinese | Taiwan | 0.6290322580645161
                      RT_STRING | 0x28b688 | 0x2cc | data | Czech | Czech Republic | 0.46787709497206703
                      RT_STRING | 0x294fd8 | 0x340 | data | Danish | Denmark | 0.390625
                      RT_STRING | 0x289208 | 0x36a | data | German | Germany | 0.40274599542334094
                      RT_STRING | 0x284c20 | 0x2cc | data | English | United States | 0.41480446927374304
                      RT_STRING | 0x293e58 | 0x30c | data | Finnish | Finland | 0.42948717948717946
                      RT_STRING | 0x287f78 | 0x354 | data | French | France | 0.41431924882629106
                      RT_STRING | 0x28f9b0 | 0x2f8 | data | Hungarian | Hungary | 0.4644736842105263
                      RT_STRING | 0x2873d0 | 0x19a | data | Japanese | Japan | 0.6292682926829268
                      RT_STRING | 0x2869c8 | 0x1f4 | data | Korean | North Korea | 0.702
                      RT_STRING | 0x2869c8 | 0x1f4 | data | Korean | South Korea | 0.702
                      RT_STRING | 0x296140 | 0x34a | data | Norwegian | Norway | 0.3919239904988123
                      RT_STRING | 0x28d7c8 | 0x31c | data | Portuguese | Brazil | 0.42085427135678394
                      RT_STRING | 0x28e900 | 0x2f6 | data | Russian | Russia | 0.45910290237467016
                      RT_STRING | 0x28c6b0 | 0x306 | data | Slovak | Slovakia | 0.4483204134366925
                      RT_STRING | 0x290ab8 | 0x2d0 | data | Estonian | Estonia | 0.42777777777777776
                      RT_STRING | 0x291b90 | 0x306 | data | Latvian | Latvia | 0.4160206718346253
                      RT_STRING | 0x292c98 | 0x2f2 | data | Lithuanian | Lithuania | 0.4403183023872679
                      RT_STRING | 0x285af0 | 0x1ea | data | Chinese | China | 0.6224489795918368
                      RT_STRING | 0x28a4c0 | 0x30e | data | | | 0.40281329923273657
                      RT_STRING | 0x297338 | 0x354 | data | French | Canada | 0.41431924882629106
                      RT_GROUP_ICON | 0x284638 | 0x76 | data | | | 0.7372881355932204
                      RT_GROUP_ICON | 0x284998 | 0x14 | data | | | 1.25
                      RT_MANIFEST | 0x26bc90 | 0x4e3 | XML 1.0 document, ASCII text, with CRLF line terminators | | | 0.4580335731414868
                      DLL | Import
                      KERNEL32.dll | HeapAlloc, SetConsoleMode, VerSetConditionMask, GetCommandLineW, DecodePointer, CloseHandle, RaiseException, GetLastError, SetLastError, InitializeCriticalSectionEx, DeleteCriticalSection, CreateMutexW, OpenMutexW, GetCurrentProcess, GetCurrentProcessId, OpenProcess, GetSystemDirectoryW, FreeLibrary, GetModuleFileNameW, GetModuleHandleW, GetProcAddress, LoadLibraryExW, LoadResource, SizeofResource, SetDefaultDllDirectories, LocalFree, lstrcmpiW, LoadLibraryW, FindResourceW, SetSearchPathMode, VerifyVersionInfoW, MultiByteToWideChar, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, DeleteFileW, FindClose, FindFirstFileW, FindNextFileW, GetFileAttributesW, SetFileAttributesW, SetEvent, WaitForSingleObject, CreateEventW, TerminateThread, ProcessIdToSessionId, Sleep, CreateThread, GetTickCount, WaitForMultipleObjects, GetTimeZoneInformation, WideCharToMultiByte, GetLocaleInfoW, ExpandEnvironmentStringsW, SetCurrentDirectoryW, GetFullPathNameW, GetTempPathW, CancelIo, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, SetWaitableTimer, CancelWaitableTimer, GetExitCodeProcess, GetCurrentThreadId, CreateProcessW, CreateWaitableTimerW, GetUserDefaultLCID, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, GetEnvironmentVariableW, CreateFileW, GetCurrentDirectoryW, QueryPerformanceCounter, ReadFile, FileTimeToSystemTime, DeviceIoControl, GetVersionExW, ReleaseMutex, OutputDebugStringW, ResetEvent, GetOverlappedResult, FlushFileBuffers, GetLongPathNameW, K32EnumProcesses, GetWindowsDirectoryW, GetVolumeInformationW, SetThreadLocale, GetUserDefaultUILanguage, GetACP, SetNamedPipeHandleState, WriteFile, WaitNamedPipeW, TlsSetValue, GetFileAttributesExW, TlsAlloc, TlsGetValue, GetDriveTypeW, QueryDosDeviceW, GetLogicalDrives, FindFirstVolumeMountPointW, FindFirstVolumeW, HeapFree, FindVolumeMountPointClose, TerminateProcess, K32GetModuleFileNameExW, GetVolumePathNameW, HeapSize, GetVolumeNameForVolumeMountPointW, FindNextVolumeMountPointW, HeapReAlloc, ReadConsoleA, FindVolumeClose, GetProcessHeap, FindNextVolumeW, GetSystemDirectoryA, GetLocalTime, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsProcessorFeaturePresent, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, IsDebuggerPresent, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, EncodePointer, InterlockedPopEntrySList, InterlockedPushEntrySList, FlushInstructionCache, VirtualAlloc, VirtualFree, GetSystemTime, SystemTimeToFileTime, GlobalMemoryStatus, FormatMessageA, GetStringTypeW, CreateDirectoryW, FindFirstFileExW, SetFileInformationByHandle, AreFileApisANSI, MoveFileExW, GetFileInformationByHandleEx, GetLocaleInfoEx, LCMapStringEx, InitializeSRWLock, GetCPInfo, RtlUnwind, InitializeCriticalSectionAndSpinCount, TlsFree, GetFileType, PeekNamedPipe, SystemTimeToTzSpecificLocalTime, ExitProcess, GetModuleHandleExW, GetStdHandle, SetFilePointerEx, GetConsoleMode, ReadConsoleW, GetConsoleCP, GetDateFormatW, GetTimeFormatW, CompareStringW, LCMapStringW, IsValidLocale, EnumSystemLocalesW, SetStdHandle, SetEndOfFile, IsValidCodePage, GetOEMCP, GetCommandLineA, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetConsoleCtrlHandler, WaitForSingleObjectEx, WriteConsoleW, ReleaseSRWLockShared, AcquireSRWLockShared, LoadLibraryA
                      ncrypt.dll | BCryptGenRandom
Name | Ordinal | Address
BeginHttpRequest | 1 | 0x467270
BeginHttpResponse | 2 | 0x467300
FCP_add_param | 3 | 0x4643e0
FCP_append_objdata_ff | 4 | 0x464430
FCP_break_obj_header | 5 | 0x464780
FCP_breakup_data_item | 6 | 0x464880
FCP_calculate_obj_head_chksum | 7 | 0x466720
FCP_chk_partial_obj_files | 8 | 0x464900
FCP_cleanup | 9 | 0x464b90
FCP_clear_object_storage | 10 | 0x464ba0
FCP_clear_package | 11 | 0x464c20
FCP_clear_params | 12 | 0x464c90
FCP_clear_request | 13 | 0x464cd0
FCP_clear_response | 14 | 0x464d30
FCP_combine_params | 15 | 0x464da0
FCP_create_package_hdr | 16 | 0x466750
FCP_del_param | 17 | 0x464ef0
FCP_delete_file | 18 | 0x464f30
FCP_get_file_size | 19 | 0x464f60
FCP_get_obj_resume_info | 20 | 0x464fb0
FCP_get_object_desc | 21 | 0x465160
FCP_get_param | 22 | 0x4651a0
FCP_init_object_storage | 23 | 0x4651e0
FCP_init_package | 24 | 0x465210
FCP_init_params | 25 | 0x465250
FCP_init_request | 26 | 0x465280
FCP_init_request_for_sending | 27 | 0x4652b0
FCP_init_response | 28 | 0x465340
FCP_init_response_for_sending | 29 | 0x465360
FCP_initialize | 30 | 0x4653f0
FCP_load_object | 31 | 0x465400
FCP_load_package | 32 | 0x4654f0
FCP_pack_obj | 33 | 0x466820
FCP_parse_params | 34 | 0x465ad0
FCP_recv_request | 35 | 0x465bf0
FCP_recv_response | 36 | 0x465d90
FCP_send_n_recv | 37 | 0x465f30
FCP_send_object | 38 | 0x465f70
FCP_send_request | 39 | 0x4660a0
FCP_send_response | 40 | 0x4660d0
FCP_set_param | 41 | 0x466100
FCP_unpack_obj | 42 | 0x466a50
FCP_unpack_obj_ff | 43 | 0x466cd0
FCP_unpack_obj_fnfn | 44 | 0x466f60
FCP_verify_object_hdr | 45 | 0x467010
FCP_verify_package_hdr | 46 | 0x467050
FR_cleanup | 47 | 0x4673e0
FR_close | 48 | 0x467400
FR_connect | 49 | 0x467420
FR_connected | 50 | 0x467430
FR_get_local_addr | 51 | 0x467450
FR_initialize | 52 | 0x4674a0
FR_read | 53 | 0x467500
FR_write | 54 | 0x467520
Language of compilation system | Country where language is spoken
Chinese | Taiwan
Czech | Czech Republic
Danish | Denmark
German | Germany
English | United States
Finnish | Finland
French | France
Hungarian | Hungary
Japanese | Japan
Korean | North Korea
Korean | South Korea
Norwegian | Norway
Portuguese | Brazil
Russian | Russia
Slovak | Slovakia
Estonian | Estonia
Latvian | Latvia
Lithuanian | Lithuania
Chinese | China
French | Canada
                      Skipped network analysis since the amount of network traffic is too extensive. Please download the PCAP and check manually.

                      Target ID:0
                      Start time:04:06:27
                      Start date:03/07/2024
                      Path:C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Users\user\Desktop\FortiClientVPNOnlineInstaller.exe"
                      Imagebase:0x3a0000
                      File size:2'794'560 bytes
                      MD5 hash:11BFC265FC53AC4756E4EF2759CA10EB
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:low
                      Has exited:false

                      Target ID:5
                      Start time:04:08:30
                      Start date:03/07/2024
                      Path:C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Users\user\AppData\Local\Temp\FortiClientVPN.exe
                      Imagebase:0x30000
                      File size:176'739'392 bytes
                      MD5 hash:43866BF1847EFD3BEF65E4D9EF603CA7
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Antivirus matches:
                      • Detection: 0%, Virustotal, Browse
                      Reputation:low
                      Has exited:false

                      Target ID:6
                      Start time:04:08:40
                      Start date:03/07/2024
                      Path:C:\Windows\System32\msiexec.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\msiexec.exe /V
                      Imagebase:0x7ff66f7e0000
                      File size:69'632 bytes
                      MD5 hash:E5DA170027542E25EDE42FC54C929077
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:false

                      Target ID:7
                      Start time:04:08:41
                      Start date:03/07/2024
                      Path:C:\Windows\System32\msiexec.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\System32\MsiExec.exe -Embedding 451EC6BB5F916B7CCFDA9FD6E2C98FE7 C
                      Imagebase:0x7ff66f7e0000
                      File size:69'632 bytes
                      MD5 hash:E5DA170027542E25EDE42FC54C929077
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:false

                      No disassembly