download:

/forticlient/win/vpnagent

Full analysis: https://app.any.run/tasks/869a3b6f-76a3-4000-83a0-ca5d6907b1b1
Verdict: Malicious activity
Analysis date: October 23, 2024, 09:19:34
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
arch-doc
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 11BFC265FC53AC4756E4EF2759CA10EB
SHA1: E3D2BF11618C39DFD036BB33EA96AA5F989FED25
SHA256: 2E520FAA2B71BA56643153B77C2908C0D6DA34A2F6F9ABAA7CBADAB9278DC99E
SSDEEP: 98304:Fvs0nKhLE+vtgITiwgX672SJGqa1sI8XOcup2xvHdXPSmU8mdLRhQCX:c/2nL0a

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Starts NET.EXE for service management

      • FortiSSLVPNdaemon.exe (PID: 5420)
      • net.exe (PID: 6940)
    • Registers / Runs the DLL via REGSVR32.EXE

      • scheduler.exe (PID: 7152)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • vpnagent.exe (PID: 6436)
    • Application launched itself

      • vpnagent.exe (PID: 6436)
      • VC_redist.x64.exe (PID: 6232)
      • VC_redist.x64.exe (PID: 6804)
      • VC_redist.x86.exe (PID: 1180)
      • VC_redist.x86.exe (PID: 4304)
      • FortiClient.exe (PID: 6940)
    • Creates/Modifies COM task schedule object

      • vpnagent.exe (PID: 3276)
    • Executable content was dropped or overwritten

      • FortiClientVPN.exe (PID: 1712)
      • drvinst.exe (PID: 4060)
      • drvinst.exe (PID: 4556)
      • drvinst.exe (PID: 6644)
      • drvinst.exe (PID: 4144)
      • VC_redist.x64.exe (PID: 3532)
      • drvinst.exe (PID: 5196)
      • VC_redist.x64.exe (PID: 1376)
      • VC_redist.x64.exe (PID: 4080)
      • VC_redist.x64.exe (PID: 6804)
      • VC_redist.x64.exe (PID: 6664)
      • VC_redist.x86.exe (PID: 4308)
      • VC_redist.x86.exe (PID: 7156)
      • VC_redist.x86.exe (PID: 1452)
      • VC_redist.x86.exe (PID: 4304)
      • VC_redist.x86.exe (PID: 5048)
      • update_task.exe (PID: 2632)
    • Drops a system driver (possible attempt to evade defenses)

      • drvinst.exe (PID: 4060)
      • msiexec.exe (PID: 4808)
      • drvinst.exe (PID: 4144)
      • drvinst.exe (PID: 5196)
    • Process drops legitimate windows executable

      • msiexec.exe (PID: 4808)
      • VC_redist.x64.exe (PID: 1376)
      • VC_redist.x64.exe (PID: 3532)
      • msiexec.exe (PID: 3432)
      • VC_redist.x64.exe (PID: 4080)
      • VC_redist.x64.exe (PID: 6664)
      • VC_redist.x86.exe (PID: 1452)
      • VC_redist.x86.exe (PID: 4308)
      • VC_redist.x86.exe (PID: 7156)
      • VC_redist.x86.exe (PID: 5048)
      • update_task.exe (PID: 2632)
    • The process drops C-runtime libraries

      • msiexec.exe (PID: 3432)
      • msiexec.exe (PID: 4808)
    • Starts a Microsoft application from unusual location

      • VC_redist.x64.exe (PID: 4080)
      • VC_redist.x64.exe (PID: 1376)
      • VC_redist.x86.exe (PID: 1452)
      • VC_redist.x86.exe (PID: 4308)
    • Starts itself from another location

      • VC_redist.x64.exe (PID: 1376)
      • VC_redist.x86.exe (PID: 4308)
    • Executes as Windows Service

      • VSSVC.exe (PID: 6976)
      • scheduler.exe (PID: 7152)
    • Starts CMD.EXE for commands execution

      • FortiClient.exe (PID: 6940)
  • INFO

    • Create files in a temporary directory

      • vpnagent.exe (PID: 6436)
      • vpnagent.exe (PID: 3276)
    • Checks supported languages

      • vpnagent.exe (PID: 6436)
      • vpnagent.exe (PID: 3276)
    • Process checks whether UAC notifications are on

      • vpnagent.exe (PID: 6436)
    • Reads the computer name

      • vpnagent.exe (PID: 6436)
      • vpnagent.exe (PID: 3276)
    • The process uses the downloaded file

      • vpnagent.exe (PID: 6436)
    • Process checks computer location settings

      • vpnagent.exe (PID: 6436)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 4808)
      • msiexec.exe (PID: 3432)
    • Application launched itself

      • msiexec.exe (PID: 4808)
    • Manages system restore points

      • SrTasks.exe (PID: 5584)
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:05:31 22:26:46+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.37
CodeSize: 1854464
InitializedDataSize: 951296
UninitializedDataSize: -
EntryPoint: 0x6fd60
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
Total processes: 193
Monitored processes: 53
Malicious processes: 4
Suspicious processes: 10

Behavior graph

start vpnagent.exe no specs vpnagent.exe forticlientvpn.exe msiexec.exe msiexec.exe no specs msiexec.exe no specs msiexec.exe drvinst.exe drvinst.exe drvinst.exe drvinst.exe drvinst.exe vc_redist.x64.exe vc_redist.x64.exe vc_redist.x64.exe SPPSurrogate no specs vssvc.exe no specs srtasks.exe no specs conhost.exe no specs vc_redist.x64.exe no specs vc_redist.x64.exe vc_redist.x64.exe scheduler.exe no specs vc_redist.x86.exe vc_redist.x86.exe vc_redist.x86.exe SPPSurrogate no specs vc_redist.x86.exe no specs vc_redist.x86.exe vc_redist.x86.exe fortiscand.exe no specs regsvr32.exe no specs fcdblog.exe no specs fccomint.exe no specs regsvr32.exe no specs fortitray.exe no specs fortisslvpndaemon.exe no specs fortisettings.exe no specs fortivpn.exe no specs net.exe no specs net1.exe no specs conhost.exe no specs update_task.exe forticlient.exe no specs forticlient.exe no specs forticlient.exe no specs fortielevate.exe no specs forticlient.exe no specs cmd.exe no specs conhost.exe no specs forticlient.exe no specs forticlient.exe no specs forticlient.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID: 1084
CMD: -s FC_{73EFB30F-1CAD-4a7a-AE2E-150282B6CE25}_000008
Path: C:\Program Files\Fortinet\FortiClient\FortiTray.exe
Parent process: scheduler.exe
User: admin
Company: Fortinet Inc.
Integrity Level: MEDIUM
Description: FortiClient System Tray Controller
Version: 7.4.0.1658

PID: 1180
CMD: "C:\ProgramData\Package Cache\{410c0ee1-00bb-41b6-9772-e12c2828b02f}\VC_redist.x86.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={46c3b171-c15c-4137-8e1d-67eeb2985b44} -burn.filehandle.self=920 -burn.embedded BurnPipe.{4F7A919D-DBC2-43BD-A318-3913C913ABA6} {2D17EB9C-CCCD-4862-BCF7-0C8FD431D419} 1452
Path: C:\ProgramData\Package Cache\{410c0ee1-00bb-41b6-9772-e12c2828b02f}\VC_redist.x86.exe
Parent process: VC_redist.x86.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532
Exit code: 0
Version: 14.36.32532.0

PID: 1376
CMD: "C:\WINDOWS\Temp\{2A89E50C-26C1-42A1-A5D0-6B0EDADBF266}\.cr\VC_redist.x64.exe" -burn.clean.room="C:\Program Files\Common Files\Fortinet\FortiClient\VC_redist.x64.exe" -burn.filehandle.attached=884 -burn.filehandle.self=888 /install /quiet /norestart
Path: C:\Windows\Temp\{2A89E50C-26C1-42A1-A5D0-6B0EDADBF266}\.cr\VC_redist.x64.exe
Parent process: VC_redist.x64.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.38.33135
Exit code: 3010
Version: 14.38.33135.0

PID: 1396
CMD: C:\WINDOWS\system32\cmd.exe /d /s /c "uname -v"
Path: C:\Windows\System32\cmd.exe
Parent process: FortiClient.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)

PID: 1452
CMD: "C:\WINDOWS\Temp\{798472C0-F604-4B36-BB6E-C21DC70E1245}\.be\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{33E24BB0-D113-4F5E-B229-67C478E78A8E} {7E567070-D269-4B66-A0E7-EFECBB0D88F3} 4308
Path: C:\Windows\Temp\{798472C0-F604-4B36-BB6E-C21DC70E1245}\.be\VC_redist.x86.exe
Parent process: VC_redist.x86.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.38.33135
Exit code: 0
Version: 14.38.33135.0

PID: 1712
CMD: C:\Users\admin\AppData\Local\Temp\FortiClientVPN.exe
Path: C:\Users\admin\AppData\Local\Temp\FortiClientVPN.exe
Parent process: vpnagent.exe
User: admin
Company: Fortinet Inc.
Integrity Level: HIGH
Description: FortiClient Installer
Exit code: 0
Version: 7.4.0.1658

PID: 1744
CMD: "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files\Fortinet\FortiClient\FortiCliSh.Dll"
Path: C:\Windows\System32\regsvr32.exe
Parent process: scheduler.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft(C) Register Server
Exit code: 3
Version: 10.0.19041.1 (WinBuild.160101.0800)

PID: 2632
CMD: update_task.exe -s FC_{73EFB30F-1CAD-4a7a-AE2E-150282B6CE25}_001000
Path: C:\Program Files\Fortinet\FortiClient\update_task.exe
Parent process: scheduler.exe
User: SYSTEM
Company: Fortinet Inc.
Integrity Level: SYSTEM
Description: update_task
Exit code: 0
Version: 7.4.0.1658

PID: 3028
CMD: C:\WINDOWS\system32\DllHost.exe /Processid:{F32D97DF-E3E5-4CB9-9E3E-0EB5B4E49801}
Path: C:\Windows\System32\dllhost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: COM Surrogate
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)

PID: 3276
CMD: "C:\Users\admin\AppData\Local\Temp\vpnagent.exe"
Path: C:\Users\admin\AppData\Local\Temp\vpnagent.exe
Parent process: vpnagent.exe
User: admin
Integrity Level: HIGH
Exit code: 0

Total events: 29 837
Read events: 28 898
Write events: 913
Delete events: 26

Modification events

(PID) Process: (3276) vpnagent.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8052F904-874D-4d28-9380-AA9BDBF13AFD}\InProcServer32
Operation: write
Name: ThreadingModel
Value: diskcopy.dll

(PID) Process: (3276) vpnagent.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8052F904-874D-4d28-9380-AA9BDBF13AFD}\InProcServer32
Operation: write
Name: AppID
Value: {F25B3DB8-063A-4118-BF42-F86D98D24986}

(PID) Process: (1712) FortiClientVPN.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{618736E0-3C3D-11CF-810C-00AA00389B71}\TypeLib
Operation: write
Name: Version
Value: 1.1

(PID) Process: (1712) FortiClientVPN.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{618736E0-3C3D-11CF-810C-00AA00389B71}\TypeLib
Operation: write
Name: Version
Value: 1.1

(PID) Process: (1712) FortiClientVPN.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Volatile\00\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{03022430-ABC4-11D0-BDE2-00AA001A1953}\TypeLib
Operation: write
Name: Version
Value: 1.1

(PID) Process: (1712) FortiClientVPN.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Volatile\00\MACHINE\SOFTWARE\Classes\Interface\{03022430-ABC4-11D0-BDE2-00AA001A1953}\TypeLib
Operation: write
Name: Version
Value: 1.1

(PID) Process: (4808) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
Operation: write
Name: C:\Config.Msi\
Value:

(PID) Process: (4808) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
Operation: write
Name: C:\Config.Msi\9dbfd.rbs
Value: 31139116

(PID) Process: (4808) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
Operation: write
Name: C:\Config.Msi\9dbfd.rbsLow
Value:

(PID) Process: (4808) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\D8CB2D1BB5E89594398CF30B3D667629
Operation: write
Name: 06715CD07BF43F1498763DED9C3D02BE
Value: C:\Program Files\Common Files\Fortinet\FortiClient\VC_redist.x64.exe

Executable files: 288
Suspicious files: 283
Text files: 159
Unknown types: 27

Dropped files

PID
Process
Filename
Type
PID: 3276
Process: vpnagent.exe
Filename: C:\Users\admin\AppData\Local\Temp\FortiClientVPN.exe
MD5:
SHA256:

PID: 1712
Process: FortiClientVPN.exe
Filename: C:\Users\admin\AppData\Local\Temp\FCT_{625BC4BA-AC3E-4E4B-9996-EEED9D4287C3}\{478238F5-7DC3-4287-8703-8A6CF188038D}\FortiClient.msi
MD5:
SHA256:

PID: 1712
Process: FortiClientVPN.exe
Filename: C:\ProgramData\Applications\Cache\{0DC51760-4FB7-41F3-8967-D3DEC9D320EB}\7.4.0.1658\FortiClient.msi
MD5:
SHA256:

PID: 4808
Process: msiexec.exe
Filename: C:\Windows\Installer\9dbfc.msi
MD5:
SHA256:

PID: 3276
Process: vpnagent.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Type: binary
MD5: 92CF419EFC962B25B29C5686EEE93864
SHA256: 2F157E7A6AEA4797558C70E5334C397A8A5DF9BFE960C3F79E8696D577F7F27D

PID: 3276
Process: vpnagent.exe
Filename: C:\Users\admin\AppData\Local\Temp\obj_1_a06368__unpacked
Type: text
MD5: 4041077399DE378FCB24391D28DBBD65
SHA256: CA8628A9BEE40D677CEBFF9CB7D0EE97E8E276481E4B77E2FF6015C05DC8C0A1

PID: 3276
Process: vpnagent.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Type: binary
MD5: 953B4935F4E0D527CE3DC4D2E722043F
SHA256: F1E0E5B8A22BE78EBA63B867D277A428FEBC8681DC43F43F351E88EC6248A298

PID: 1712
Process: FortiClientVPN.exe
Filename: C:\Users\admin\AppData\Local\Temp\MSIBCEB.tmp
Type: executable
MD5: 32EFBFFDA3376EE49D78BAFF6BCE3CC5
SHA256: F64E2CAD4CDCC53694CA3DBD78B941039064D31EA5892D4DED3A533F0FED627A

PID: 3276
Process: vpnagent.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
Type: binary
MD5: 28977B150221DC782227FA7288EF7415
SHA256: 1D2AE9F26491E68EF5BABA5BE29A30B1EAFA3B58243C1767BE53898604E5A1C3

PID: 3276
Process: vpnagent.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_052D619A1738623B01B6A412349193C8
Type: binary
MD5: 26E9CEF226395D49702578C6EFF0F198
SHA256: A642929FFF889A09CFEA099364EC5EC09034F87735378B436C5B23636DD4A4C8

HTTP(S) requests: 16
TCP/UDP connections: 92
DNS requests: 32
Threats: 0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3276
vpnagent.exe
POST
200
208.184.237.75:80
http://208.184.237.75/fdsupdate
unknown
unknown
3276
vpnagent.exe
POST
208.184.237.75:80
http://208.184.237.75/fdsupdate
unknown
unknown
6944
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
3276
vpnagent.exe
POST
200
208.184.237.75:80
http://208.184.237.75/fdsupdate
unknown
unknown
6944
svchost.exe
GET
200
23.53.40.178:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
692
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
2576
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
4360
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
2576
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
5508
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | | | | whitelisted
6944 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5700 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5488 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3276 | vpnagent.exe | 208.184.237.75:80 | forticlient.fortinet.net | FORTINET | US | whitelisted
6944 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6944 | svchost.exe | 23.53.40.178:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
6944 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4360 | SearchApp.exe | 104.126.37.162:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
4360 | SearchApp.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted

DNS requests


Threats

No threats detected
No debug info