File name:

FortiClientMiniSetup-Windows-x64-Enterprise-7.1.7.exe

Full analysis: https://app.any.run/tasks/a3661d40-a932-49ee-8a9e-4ab8abb62e4c
Verdict: Malicious activity
Analysis date: June 01, 2025, 23:28:20
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
python
discord
pyinstaller
evasion
ims-api
generic
ip-check
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5:

66D09A3C4CB713D9F9FFC4743CEADCBC

SHA1:

B95C5C97B8CD229800A10AE87061EE333B16B350

SHA256:

0FAC84F7ED058060288C6250F0737719F824FF022C5E3C450134B37BF8FA6A49

SSDEEP:

786432:Wm6d0fbP5TcfdIqUWoyqB+spo7BhaDbxxJBYyMFlp3Uwz8:Wm6d0fb5cfd3UWYQz7B0DNxJnMFlFUK8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Starts NET.EXE for service management

      • net.exe (PID: 7636)
      • FortiSSLVPNdaemon.exe (PID: 7476)

    • Registers / Runs the DLL via REGSVR32.EXE

      • scheduler.exe (PID: 4920)

  • SUSPICIOUS

    • The process creates files with name similar to system file names

      • FortiClientMiniSetup-Windows-x64-Enterprise-7.1.7.exe (PID: 1600)
      • msiexec.exe (PID: 7548)

    • Executable content was dropped or overwritten

      • FortiClientMiniSetup-Windows-x64-Enterprise-7.1.7.exe (PID: 1600)
      • svchost.exe (PID: 6268)
      • FortiClientVPN.exe (PID: 6632)
      • drvinst.exe (PID: 7592)
      • drvinst.exe (PID: 7020)
      • drvinst.exe (PID: 7000)
      • drvinst.exe (PID: 6136)
      • drvinst.exe (PID: 5452)
      • VC_redist.x64.exe (PID: 8036)
      • VC_redist.x64.exe (PID: 3140)
      • VC_redist.x64.exe (PID: 856)
      • VC_redist.x86.exe (PID: 2028)
      • VC_redist.x86.exe (PID: 868)
      • VC_redist.x64.exe (PID: 8000)
      • VC_redist.x64.exe (PID: 7504)
      • VC_redist.x86.exe (PID: 5348)
      • VC_redist.x86.exe (PID: 4932)
      • VC_redist.x86.exe (PID: 7452)
      • update_task.exe (PID: 7556)

    • Malware-specific behavior (creating "System.dll" in Temp)

      • FortiClientMiniSetup-Windows-x64-Enterprise-7.1.7.exe (PID: 1600)

    • Creates/Modifies COM task schedule object

      • FortiClientMiniSetup-Windows-x64-Enterprise-7.4.2.exe (PID: 7888)
      • msiexec.exe (PID: 7548)

    • Process drops python dynamic module

      • svchost.exe (PID: 6268)

    • The process drops C-runtime libraries

      • svchost.exe (PID: 6268)
      • msiexec.exe (PID: 7548)

    • Process drops legitimate windows executable

      • svchost.exe (PID: 6268)
      • msiexec.exe (PID: 7548)
      • VC_redist.x64.exe (PID: 3140)
      • VC_redist.x64.exe (PID: 8036)
      • VC_redist.x86.exe (PID: 868)
      • VC_redist.x64.exe (PID: 7504)
      • VC_redist.x86.exe (PID: 2028)
      • VC_redist.x64.exe (PID: 8000)
      • VC_redist.x86.exe (PID: 7452)
      • update_task.exe (PID: 7556)
      • VC_redist.x86.exe (PID: 5348)

    • There is functionality for taking screenshot (YARA)

      • FortiClientMiniSetup-Windows-x64-Enterprise-7.1.7.exe (PID: 1600)
      • svchost.exe (PID: 6268)
      • svchost.exe (PID: 4728)

    • Connects to the server without a host name

      • FortiClientMiniSetup-Windows-x64-Enterprise-7.4.2.exe (PID: 7888)

    • Starts CMD.EXE for commands execution

      • svchost.exe (PID: 4728)

    • Loads Python modules

      • svchost.exe (PID: 4728)

    • Checks for external IP

      • svchost.exe (PID: 4728)
      • svchost.exe (PID: 2196)

    • Potential Corporate Privacy Violation

      • svchost.exe (PID: 4728)

    • Possible usage of Discord/Telegram API has been detected (YARA)

      • svchost.exe (PID: 4728)

    • Application launched itself

      • svchost.exe (PID: 6268)
      • msiexec.exe (PID: 7548)
      • VC_redist.x64.exe (PID: 7768)
      • VC_redist.x64.exe (PID: 856)
      • VC_redist.x86.exe (PID: 5976)
      • VC_redist.x86.exe (PID: 4932)

    • Reads security settings of Internet Explorer

      • FortiClientMiniSetup-Windows-x64-Enterprise-7.4.2.exe (PID: 7888)
      • FortiClientVPN.exe (PID: 6632)
      • VC_redist.x64.exe (PID: 8036)

    • Reads the Windows owner or organization settings

      • FortiClientVPN.exe (PID: 6632)
      • msiexec.exe (PID: 7548)

    • Creates files in the driver directory

      • msiexec.exe (PID: 7548)
      • msiexec.exe (PID: 4400)
      • drvinst.exe (PID: 7020)
      • drvinst.exe (PID: 7000)
      • drvinst.exe (PID: 6136)
      • drvinst.exe (PID: 5452)

    • Drops a system driver (possible attempt to evade defenses)

      • msiexec.exe (PID: 7548)
      • msiexec.exe (PID: 4400)
      • drvinst.exe (PID: 7000)
      • drvinst.exe (PID: 7020)
      • drvinst.exe (PID: 5452)

    • Creates or modifies Windows services

      • drvinst.exe (PID: 7592)
      • drvinst.exe (PID: 6136)

    • Executes as Windows Service

      • scheduler.exe (PID: 4920)
      • VSSVC.exe (PID: 6344)

    • Starts a Microsoft application from unusual location

      • VC_redist.x64.exe (PID: 8000)
      • VC_redist.x64.exe (PID: 8036)
      • VC_redist.x86.exe (PID: 868)
      • VC_redist.x86.exe (PID: 5348)

    • Starts itself from another location

      • VC_redist.x64.exe (PID: 8036)
      • VC_redist.x86.exe (PID: 868)

    • Searches for installed software

      • dllhost.exe (PID: 896)

    • There is functionality for capture public ip (YARA)

      • scheduler.exe (PID: 4920)

  • INFO

    • Checks supported languages

      • FortiClientMiniSetup-Windows-x64-Enterprise-7.1.7.exe (PID: 1600)
      • svchost.exe (PID: 6268)
      • FortiClientMiniSetup-Windows-x64-Enterprise-7.4.2.exe (PID: 7888)
      • svchost.exe (PID: 4728)
      • FortiClientVPN.exe (PID: 6632)
      • msiexec.exe (PID: 7548)
      • msiexec.exe (PID: 3332)
      • msiexec.exe (PID: 2104)
      • msiexec.exe (PID: 4400)
      • drvinst.exe (PID: 7000)
      • drvinst.exe (PID: 7592)
      • drvinst.exe (PID: 7020)
      • drvinst.exe (PID: 6136)
      • VC_redist.x64.exe (PID: 3140)
      • drvinst.exe (PID: 5452)
      • scheduler.exe (PID: 4920)
      • VC_redist.x64.exe (PID: 8036)
      • VC_redist.x64.exe (PID: 8000)

    • Create files in a temporary directory

      • FortiClientMiniSetup-Windows-x64-Enterprise-7.1.7.exe (PID: 1600)
      • FortiClientMiniSetup-Windows-x64-Enterprise-7.4.2.exe (PID: 7888)
      • svchost.exe (PID: 6268)
      • svchost.exe (PID: 4728)
      • FortiClientVPN.exe (PID: 6632)
      • msiexec.exe (PID: 4400)

    • The sample compiled with english language support

      • FortiClientMiniSetup-Windows-x64-Enterprise-7.1.7.exe (PID: 1600)
      • svchost.exe (PID: 6268)
      • FortiClientVPN.exe (PID: 6632)
      • msiexec.exe (PID: 7548)
      • VC_redist.x64.exe (PID: 3140)
      • VC_redist.x64.exe (PID: 8036)
      • VC_redist.x64.exe (PID: 8000)
      • VC_redist.x64.exe (PID: 856)
      • VC_redist.x86.exe (PID: 2028)
      • VC_redist.x64.exe (PID: 7504)
      • VC_redist.x86.exe (PID: 868)
      • VC_redist.x86.exe (PID: 4932)
      • VC_redist.x86.exe (PID: 7452)
      • update_task.exe (PID: 7556)
      • VC_redist.x86.exe (PID: 5348)

    • Reads the computer name

      • FortiClientMiniSetup-Windows-x64-Enterprise-7.4.2.exe (PID: 7888)
      • svchost.exe (PID: 6268)
      • svchost.exe (PID: 4728)
      • FortiClientVPN.exe (PID: 6632)
      • msiexec.exe (PID: 7548)
      • msiexec.exe (PID: 3332)
      • msiexec.exe (PID: 2104)
      • msiexec.exe (PID: 4400)
      • drvinst.exe (PID: 7592)
      • drvinst.exe (PID: 7000)
      • drvinst.exe (PID: 6136)
      • drvinst.exe (PID: 7020)
      • drvinst.exe (PID: 5452)
      • scheduler.exe (PID: 4920)
      • VC_redist.x64.exe (PID: 8036)
      • VC_redist.x64.exe (PID: 8000)

    • PyInstaller has been detected (YARA)

      • svchost.exe (PID: 6268)
      • svchost.exe (PID: 4728)

    • Checks operating system version

      • svchost.exe (PID: 4728)

    • Attempting to use instant messaging service

      • svchost.exe (PID: 4728)
      • svchost.exe (PID: 2196)

    • Checks proxy server information

      • svchost.exe (PID: 4728)
      • FortiClientMiniSetup-Windows-x64-Enterprise-7.4.2.exe (PID: 7888)
      • slui.exe (PID: 8164)

    • Reads the machine GUID from the registry

      • FortiClientMiniSetup-Windows-x64-Enterprise-7.4.2.exe (PID: 7888)
      • FortiClientVPN.exe (PID: 6632)
      • msiexec.exe (PID: 7548)
      • drvinst.exe (PID: 7000)
      • drvinst.exe (PID: 7020)
      • drvinst.exe (PID: 5452)
      • msiexec.exe (PID: 4400)
      • scheduler.exe (PID: 4920)

    • Reads the software policy settings

      • FortiClientMiniSetup-Windows-x64-Enterprise-7.4.2.exe (PID: 7888)
      • FortiClientVPN.exe (PID: 6632)
      • msiexec.exe (PID: 7548)
      • slui.exe (PID: 8164)
      • drvinst.exe (PID: 7000)
      • drvinst.exe (PID: 7020)
      • drvinst.exe (PID: 5452)
      • msiexec.exe (PID: 4400)
      • scheduler.exe (PID: 4920)

    • Creates files or folders in the user directory

      • FortiClientMiniSetup-Windows-x64-Enterprise-7.4.2.exe (PID: 7888)

    • Creates files in the program directory

      • FortiClientVPN.exe (PID: 6632)

    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 7548)
      • msiexec.exe (PID: 4400)

    • Reads Environment values

      • msiexec.exe (PID: 2104)
      • msiexec.exe (PID: 3332)
      • scheduler.exe (PID: 4920)

    • Creates a software uninstall entry

      • msiexec.exe (PID: 7548)

    • Manages system restore points

      • SrTasks.exe (PID: 7708)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:03:08 23:05:20+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 27136
InitializedDataSize: 184832
UninitializedDataSize: 2048
EntryPoint: 0x358d
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
185
Monitored processes
54
Malicious processes
11
Suspicious processes
11

Behavior graph

Click at the process to see the details
start forticlientminisetup-windows-x64-enterprise-7.1.7.exe forticlientminisetup-windows-x64-enterprise-7.4.2.exe svchost.exe svchost.exe cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs slui.exe svchost.exe cmd.exe no specs conhost.exe no specs forticlientvpn.exe msiexec.exe msiexec.exe no specs msiexec.exe no specs msiexec.exe drvinst.exe drvinst.exe drvinst.exe drvinst.exe drvinst.exe scheduler.exe vc_redist.x64.exe vc_redist.x64.exe vc_redist.x64.exe SPPSurrogate no specs vssvc.exe no specs srtasks.exe no specs conhost.exe no specs vc_redist.x64.exe no specs vc_redist.x64.exe vc_redist.x64.exe vc_redist.x86.exe vc_redist.x86.exe vc_redist.x86.exe SPPSurrogate no specs vc_redist.x86.exe no specs vc_redist.x86.exe vc_redist.x86.exe fortiscand.exe no specs regsvr32.exe no specs fccomint.exe no specs fcdblog.exe no specs regsvr32.exe no specs fortitray.exe no specs fortisslvpndaemon.exe no specs fortisettings.exe no specs fortivpn.exe no specs net.exe no specs net1.exe no specs conhost.exe no specs update_task.exe forticlientminisetup-windows-x64-enterprise-7.1.7.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
856"C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe" -burn.filehandle.attached=520 -burn.filehandle.self=548 -uninstall -quiet -burn.related.upgrade -burn.ancestors={5af95fd8-a22e-458f-acee-c61bd787178e} -burn.filehandle.self=864 -burn.embedded BurnPipe.{A8F0C6BC-67B7-4DB4-B0D6-9727C7DE070C} {27DE1BDF-0675-4BE1-9181-C4ED57A058B1} 8000C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe
VC_redist.x64.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532
Exit code:
0
Version:
14.36.32532.0
Modules
Images
c:\programdata\package cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\vc_redist.x64.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
868"C:\WINDOWS\Temp\{2F9DD4D8-FF73-43A4-A565-92A33A836020}\.cr\VC_redist.x86.exe" -burn.clean.room="C:\Program Files\Common Files\Fortinet\FortiClient\VC_redist.x86.exe" -burn.filehandle.attached=552 -burn.filehandle.self=668 /install /quiet /norestartC:\Windows\Temp\{2F9DD4D8-FF73-43A4-A565-92A33A836020}\.cr\VC_redist.x86.exe
VC_redist.x86.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.40.33810
Exit code:
0
Version:
14.40.33810.0
Modules
Images
c:\windows\temp\{2f9dd4d8-ff73-43a4-a565-92a33a836020}\.cr\vc_redist.x86.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
896C:\WINDOWS\system32\DllHost.exe /Processid:{F32D97DF-E3E5-4CB9-9E3E-0EB5B4E49801}C:\Windows\System32\dllhost.exesvchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
COM Surrogate
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
920"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files\Fortinet\FortiClient\fccomintdll.dll"C:\Windows\System32\regsvr32.exescheduler.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft(C) Register Server
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
1012"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files\Fortinet\FortiClient\FortiCliSh.Dll"C:\Windows\System32\regsvr32.exescheduler.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft(C) Register Server
Exit code:
3
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
1056FCDBLog.exe -s FC_{73EFB30F-1CAD-4a7a-AE2E-150282B6CE25}_000011 C:\Program Files\Fortinet\FortiClient\FCDBLog.exescheduler.exe
User:
SYSTEM
Company:
Fortinet Inc.
Integrity Level:
SYSTEM
Description:
FortiClient Logging daemon
Version:
7.4.3.1790
Modules
Images
c:\program files\fortinet\forticlient\fcdblog.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
1600"C:\Users\admin\AppData\Local\Temp\FortiClientMiniSetup-Windows-x64-Enterprise-7.1.7.exe" C:\Users\admin\AppData\Local\Temp\FortiClientMiniSetup-Windows-x64-Enterprise-7.1.7.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\users\admin\appdata\local\temp\forticlientminisetup-windows-x64-enterprise-7.1.7.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
2028"C:\Program Files\Common Files\Fortinet\FortiClient\VC_redist.x86.exe" /install /quiet /norestartC:\Program Files\Common Files\Fortinet\FortiClient\VC_redist.x86.exe
scheduler.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.40.33810
Exit code:
0
Version:
14.40.33810.0
Modules
Images
c:\program files\common files\fortinet\forticlient\vc_redist.x86.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
2088\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2104C:\Windows\System32\MsiExec.exe -Embedding E1FE66E3A0464DBCBC2B4C1EEDE8EC30C:\Windows\System32\msiexec.exemsiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
Total events
59 435
Read events
56 572
Write events
2 186
Delete events
677

Modification events

(PID) Process:(7888) FortiClientMiniSetup-Windows-x64-Enterprise-7.4.2.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8052F904-874D-4d28-9380-AA9BDBF13AFD}\InProcServer32
Operation:writeName:ThreadingModel
Value:
diskcopy.dll
(PID) Process:(7888) FortiClientMiniSetup-Windows-x64-Enterprise-7.4.2.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8052F904-874D-4d28-9380-AA9BDBF13AFD}\InProcServer32
Operation:writeName:AppID
Value:
{AB421857-C377-4C9B-B890-BCA620B8CF64}
(PID) Process:(7548) msiexec.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
Operation:writeName:C:\Config.Msi\
Value:
(PID) Process:(7548) msiexec.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
Operation:writeName:C:\Config.Msi\1484c0.rbs
Value:
31183693
(PID) Process:(7548) msiexec.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
Operation:writeName:C:\Config.Msi\1484c0.rbsLow
Value:
(PID) Process:(7548) msiexec.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\D8CB2D1BB5E89594398CF30B3D667629
Operation:writeName:163B7C512B0A97E4390E68B80500ABF3
Value:
C:\Program Files\Common Files\Fortinet\FortiClient\VC_redist.x64.exe
(PID) Process:(7548) msiexec.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0853336E0ACA9F7459F6A63C4693343C
Operation:writeName:163B7C512B0A97E4390E68B80500ABF3
Value:
C:\Program Files\Common Files\Fortinet\FortiClient\VC_redist.x86.exe
(PID) Process:(7548) msiexec.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\54E05C2EB36152F4CA01265EF0DB30D7
Operation:writeName:163B7C512B0A97E4390E68B80500ABF3
Value:
C:\Program Files\Fortinet\FortiClient\
(PID) Process:(7548) msiexec.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\BAE2BC2062E17A349A4992D1428C964C
Operation:writeName:163B7C512B0A97E4390E68B80500ABF3
Value:
C:\Program Files\Fortinet\FortiClient\
(PID) Process:(7548) msiexec.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\2D32B215BCF6E554BB28AB2F4D4C0723
Operation:writeName:163B7C512B0A97E4390E68B80500ABF3
Value:
C:\Program Files\Fortinet\FortiClient\
Executable files
435
Suspicious files
287
Text files
1 095
Unknown types
0

Dropped files

PID
Process
Filename
Type
1600FortiClientMiniSetup-Windows-x64-Enterprise-7.1.7.exeC:\Users\admin\AppData\Local\Temp\chrome-url-1132883-A\svchost.exe
MD5:
SHA256:
1600FortiClientMiniSetup-Windows-x64-Enterprise-7.1.7.exeC:\Users\admin\AppData\Local\Temp\chrome-url-1132883-A\FortiClientMiniSetup-Windows-x64-Enterprise-7.4.2.exeexecutable
MD5:25FDA98A5133B151172C9D02F82D585F
SHA256:FC4850DAE02AC217B9D511EE836339A9E4DD492641E9E6FA9BE324D8D77A06FF
6268svchost.exeC:\Users\admin\AppData\Local\Temp\_MEI62682\Cryptodome\Cipher\_Salsa20.pydexecutable
MD5:73D2494C8BCD6738B2767FE7819DF72A
SHA256:93ECBA417C3E6E0C44DFD0D86D2A04474E0DDDCA5C7835E4802E6139C0A732D4
1600FortiClientMiniSetup-Windows-x64-Enterprise-7.1.7.exeC:\Users\admin\AppData\Local\Temp\nss13DF.tmp\nsExec.dllexecutable
MD5:8FE362FFDFA66269B8A64E3A87F68E52
SHA256:B121689861B506DBC9C3797B49BC8A90D555CB7DB58CB959165CC758391C00BB
6268svchost.exeC:\Users\admin\AppData\Local\Temp\_MEI62682\Cryptodome\Cipher\_chacha20.pydexecutable
MD5:AE0D9CBAF7463843E438DBCCEF1B27FE
SHA256:F044DF62C4F14E5E7608463D34EC3B5F4229F6F8F3E7EB29F8A1A235079F4296
6268svchost.exeC:\Users\admin\AppData\Local\Temp\_MEI62682\Cryptodome\Cipher\_raw_aesni.pydexecutable
MD5:0B2596C23BD2792FA5CDB304417DD36D
SHA256:2369F44274DC7F03B5F37D77F39BA77EC9146CF53170CB4E9EFC2001197C698F
6268svchost.exeC:\Users\admin\AppData\Local\Temp\_MEI62682\Cryptodome\Cipher\_raw_aes.pydexecutable
MD5:4C869A3047220F0B344536CA22B2987E
SHA256:78B51FCB81E97CD3B0EFB48237DA9EBF57D796D8E5DCBFC5E213A8E23EFAB054
6268svchost.exeC:\Users\admin\AppData\Local\Temp\_MEI62682\Cryptodome\Cipher\_ARC4.pydexecutable
MD5:41851AA1DD56679C1F5EC9853B9CC616
SHA256:0E17085905FA32E6C16DC6E40F1D8348BFCFAC838B879E6D54D8640B40B39445
7888FortiClientMiniSetup-Windows-x64-Enterprise-7.4.2.exeC:\Users\admin\AppData\Local\Temp\obj_1_a03872__unpackedtext
MD5:9FED4B819A13B224A1C1196BC7D83708
SHA256:CC993B664E63710DFEA302B18F496465B6BC39E8BB18E78688D1776C5614D7DD
1600FortiClientMiniSetup-Windows-x64-Enterprise-7.1.7.exeC:\Users\admin\AppData\Local\Temp\nss13DF.tmp\System.dllexecutable
MD5:9B38A1B07A0EBC5C7E59E63346ECC2DB
SHA256:C881253DAFCF1322A771139B1A429EC1E78C507CA81A218A20DC1A4B25ABBFE7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
17
TCP/UDP connections
47
DNS requests
28
Threats
12

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5496
MoUsoCoreWorker.exe
GET
200
2.16.168.124:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
7552
svchost.exe
GET
200
2.16.168.124:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
7552
svchost.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
7888
FortiClientMiniSetup-Windows-x64-Enterprise-7.4.2.exe
POST
200
209.40.106.66:80
http://209.40.106.66/fdsupdate
unknown
unknown
7888
FortiClientMiniSetup-Windows-x64-Enterprise-7.4.2.exe
POST
200
209.40.106.66:80
http://209.40.106.66/fdsupdate
unknown
unknown
7888
FortiClientMiniSetup-Windows-x64-Enterprise-7.4.2.exe
POST
209.40.106.66:80
http://209.40.106.66/fdsupdate
unknown
unknown
6544
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
1812
SIHClient.exe
GET
200
23.219.150.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
1812
SIHClient.exe
GET
200
23.219.150.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
7348
RUXIMICS.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5496
MoUsoCoreWorker.exe
2.16.168.124:80
crl.microsoft.com
Akamai International B.V.
RU
whitelisted
7552
svchost.exe
2.16.168.124:80
crl.microsoft.com
Akamai International B.V.
RU
whitelisted
5496
MoUsoCoreWorker.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
7552
svchost.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
7888
FortiClientMiniSetup-Windows-x64-Enterprise-7.4.2.exe
209.40.106.66:80
forticlient.fortinet.net
CMCS
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 4.231.128.59
whitelisted
google.com
  • 142.250.186.78
whitelisted
crl.microsoft.com
  • 2.16.168.124
  • 2.16.168.114
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 23.219.150.101
  • 184.30.21.171
whitelisted
forticlient.fortinet.net
  • 209.40.106.66
  • 173.243.138.76
whitelisted
login.live.com
  • 20.190.160.131
  • 40.126.32.74
  • 20.190.160.20
  • 40.126.32.72
  • 20.190.160.14
  • 40.126.32.133
  • 20.190.160.132
  • 40.126.32.136
whitelisted
ocsp.digicert.com
  • 2.17.190.73
  • 2.23.77.188
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
Misc activity
ET INFO Observed Discord Domain in DNS Lookup (discord .com)
2196
svchost.exe
Misc activity
ET INFO Discord Chat Service Domain in DNS Lookup (discord .com)
4728
svchost.exe
Misc activity
ET INFO Observed Discord Domain (discord .com in TLS SNI)
4728
svchost.exe
Misc activity
ET INFO Observed Discord Service Domain (discord .com) in TLS SNI
2196
svchost.exe
Misc activity
ET INFO Discord Chat Service Domain in DNS Lookup (gateway .discord .gg)
4728
svchost.exe
Misc activity
ET INFO Observed Discord Service Domain (gateway .discord .gg) in TLS SNI
2196
svchost.exe
Misc activity
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
4728
svchost.exe
Misc activity
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
2196
svchost.exe
Device Retrieving External IP Address Detected
INFO [ANY.RUN] External IP Check (ip-api .com)
2196
svchost.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
Process
Message
msiexec.exe
Failed to release Service
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
FortiClientMiniSetup-Windows-x64-Enterprise-7.1.7.exe