File name: FortiVPN.exe

Full analysis: https://app.any.run/tasks/7fcddc58-f16f-4c75-aa7c-402de2f65812
Verdict: Malicious activity
Analysis date: June 29, 2024, 09:00:37
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 23C396A00A981929C7F2031F085C40D8
SHA1: EB1D9F3448C7F7C2FF9A4D4001F4BE9B7D25263B
SHA256: 53280D0C3CA871EFBFF5EBF8F160F9E9889411F36FD125B8C0B95B0CBC95A8C8
SSDEEP: 24576:95FgrrMRwj+6NHPLPM2Pfhd3ieaIZjv79u3Ha/d6ff:9TgrrMRwj+6NHPrM2Pfhd3ieaijv79qn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops the executable file immediately after the start
      • FortiVPN.exe (PID: 3344)
    • Actions look like stealing of personal data
      • FortiVPN.exe (PID: 3344)
  • SUSPICIOUS
    • Reads security settings of Internet Explorer
      • FortiVPN.exe (PID: 3344)
    • Reads the Internet Settings
      • FortiVPN.exe (PID: 3344)
      • FortiVPN.exe (PID: 3332)
    • Executable content was dropped or overwritten
      • FortiVPN.exe (PID: 3344)
    • Mutex name with non-standard characters
      • FortiVPN.exe (PID: 3344)
  • INFO
    • Checks supported languages
      • FortiVPN.exe (PID: 3344)
      • FortiVPN.exe (PID: 3332)
    • Reads the computer name
      • FortiVPN.exe (PID: 3344)
      • FortiVPN.exe (PID: 3332)
    • Creates files in a temporary directory
      • FortiVPN.exe (PID: 3344)
    • Reads the machine GUID from the registry
      • FortiVPN.exe (PID: 3332)
    • Reads Environment values
      • FortiVPN.exe (PID: 3332)
    • Disables trace logs
      • FortiVPN.exe (PID: 3332)
No Malware configuration.

TRiD

.exe | Win32 Executable Borland Delphi 6 (93.8)
.dll | Win32 Dynamic Link Library (generic) (2.3)
.exe | Win32 Executable (generic) (1.6)
.exe | Win16/32 Executable Delphi generic (0.7)
.exe | Generic Win/DOS Executable (0.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 29696
InitializedDataSize: 10752
UninitializedDataSize: -
EntryPoint: 0x80e4
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
Total processes: 39
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0


Process information

PID: 3332
CMD: "C:\Users\admin\AppData\Local\Temp\3582-490\FortiVPN.exe"
Path: C:\Users\admin\AppData\Local\Temp\3582-490\FortiVPN.exe
Parent process: FortiVPN.exe
User: admin
Company: Fortinet Inc.
Integrity Level: MEDIUM
Description: FortiClient VPN Online Installation
Version: 7.0.5.0238
Modules (Images):
  c:\users\admin\appdata\local\temp\3582-490\fortivpn.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\mscoree.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

PID: 3344
CMD: "C:\Users\admin\AppData\Local\Temp\FortiVPN.exe"
Path: C:\Users\admin\AppData\Local\Temp\FortiVPN.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (Images):
  c:\users\admin\appdata\local\temp\fortivpn.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\advapi32.dll
Total events: 3 258
Read events: 3 238
Write events: 20
Delete events: 0

Modification events

(PID) Process: (3344) FortiVPN.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write, Name: ProxyBypass, Value: 1

(PID) Process: (3344) FortiVPN.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write, Name: IntranetName, Value: 1

(PID) Process: (3344) FortiVPN.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write, Name: UNCAsIntranet, Value: 1

(PID) Process: (3344) FortiVPN.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write, Name: AutoDetect, Value: 0

(PID) Process: (3332) FortiVPN.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FortiVPN_RASAPI32
Operation: write, Name: EnableFileTracing, Value: 0

(PID) Process: (3332) FortiVPN.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FortiVPN_RASAPI32
Operation: write, Name: EnableConsoleTracing, Value: 0

(PID) Process: (3332) FortiVPN.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FortiVPN_RASAPI32
Operation: write, Name: FileTracingMask, Value:

(PID) Process: (3332) FortiVPN.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FortiVPN_RASAPI32
Operation: write, Name: ConsoleTracingMask, Value:

(PID) Process: (3332) FortiVPN.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FortiVPN_RASAPI32
Operation: write, Name: MaxFileSize, Value: 1048576

(PID) Process: (3332) FortiVPN.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FortiVPN_RASAPI32
Operation: write, Name: FileDirectory, Value: %windir%\tracing
Executable files: 43
Suspicious files: 0
Text files: 1
Unknown types: 0

Dropped files

PID 3344, FortiVPN.exe, Type: executable
Filename: C:\MSOCache\All Users\{90140000-003D-0000-0000-0000000FF1CE}-C\setup.exe
MD5: 566ED4F62FDC96F175AFEDD811FA0370
SHA256: E17CD94C08FC0E001A49F43A0801CEA4625FB9AEE211B6DFEBEBEC446C21F460

PID 3344, FortiVPN.exe, Type: executable
Filename: C:\MSOCache\All Users\{90140000-006E-0407-0000-0000000FF1CE}-C\DW20.EXE
MD5: 02EE6A3424782531461FB2F10713D3C1
SHA256: EAD58C483CB20BCD57464F8A4929079539D634F469B213054BF737D227C026DC

PID 3344, FortiVPN.exe, Type: executable
Filename: C:\MSOCache\All Users\{90140000-006E-0410-0000-0000000FF1CE}-C\DW20.EXE
MD5: 02EE6A3424782531461FB2F10713D3C1
SHA256: EAD58C483CB20BCD57464F8A4929079539D634F469B213054BF737D227C026DC

PID 3344, FortiVPN.exe, Type: executable
Filename: C:\MSOCache\All Users\{90140000-003D-0000-0000-0000000FF1CE}-C\ose.exe
MD5: 58B58875A50A0D8B5E7BE7D6AC685164
SHA256: 2A0AA0763FDEF9C38C5DD4D50703F0C7E27F4903C139804EC75E55F8388139AE

PID 3344, FortiVPN.exe, Type: executable
Filename: C:\MSOCache\All Users\{90140000-006E-0407-0000-0000000FF1CE}-C\dwtrig20.exe
MD5: CF6C595D3E5E9667667AF096762FD9C4
SHA256: 593E60CC30AE0789448547195AF77F550387F6648D45847EA244DD0DD7ABF03D

PID 3344, FortiVPN.exe, Type: executable
Filename: C:\MSOCache\All Users\{90140000-006E-040C-0000-0000000FF1CE}-C\DW20.EXE
MD5: 02EE6A3424782531461FB2F10713D3C1
SHA256: EAD58C483CB20BCD57464F8A4929079539D634F469B213054BF737D227C026DC

PID 3344, FortiVPN.exe, Type: executable
Filename: C:\MSOCache\All Users\{90140000-006E-0412-0000-0000000FF1CE}-C\dwtrig20.exe
MD5: CF6C595D3E5E9667667AF096762FD9C4
SHA256: 593E60CC30AE0789448547195AF77F550387F6648D45847EA244DD0DD7ABF03D

PID 3344, FortiVPN.exe, Type: executable
Filename: C:\MSOCache\All Users\{90140000-006E-040C-0000-0000000FF1CE}-C\dwtrig20.exe
MD5: CF6C595D3E5E9667667AF096762FD9C4
SHA256: 593E60CC30AE0789448547195AF77F550387F6648D45847EA244DD0DD7ABF03D

PID 3344, FortiVPN.exe, Type: executable
Filename: C:\MSOCache\All Users\{90140000-006E-0416-0000-0000000FF1CE}-C\DW20.EXE
MD5: 02EE6A3424782531461FB2F10713D3C1
SHA256: EAD58C483CB20BCD57464F8A4929079539D634F469B213054BF737D227C026DC

PID 3344, FortiVPN.exe, Type: executable
Filename: C:\MSOCache\All Users\{90140000-006E-0410-0000-0000000FF1CE}-C\dwtrig20.exe
MD5: CF6C595D3E5E9667667AF096762FD9C4
SHA256: 593E60CC30AE0789448547195AF77F550387F6648D45847EA244DD0DD7ABF03D
HTTP(S) requests: 6
TCP/UDP connections: 14
DNS requests: 7
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3332 | FortiVPN.exe | HEAD | 302 | 216.58.212.174:80 | http://google.com/ | unknown | unknown
3332 | FortiVPN.exe | HEAD | 405 | 142.250.184.228:80 | http://www.google.com/sorry/index?continue=http://google.com/&q=EgRX-YSlGLua_7MGIjDo4AeS6SnfUh-mQku9SQpYzenLhADZ7yWT3eA7cm-U2UWiToIl8hexWrFZwfZzAN4yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM | unknown | unknown
1372 | svchost.exe | GET | 304 | 199.232.210.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?33775f6043c93e33 | unknown | unknown
1060 | svchost.exe | GET | 304 | 199.232.210.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?8f69642324cc87bd | unknown | unknown
1372 | svchost.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | unknown
1372 | svchost.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2564 | svchost.exe | 239.255.255.250:3702 | | | | whitelisted
1060 | svchost.exe | 224.0.0.252:5355 | | | | unknown
1372 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
3332 | FortiVPN.exe | 216.58.212.174:80 | google.com | GOOGLE | US | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
3332 | FortiVPN.exe | 142.250.184.228:80 | www.google.com | GOOGLE | US | whitelisted
1372 | svchost.exe | 199.232.210.172:80 | ctldl.windowsupdate.com | FASTLY | US | unknown
1372 | svchost.exe | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown
1372 | svchost.exe | 23.52.120.96:80 | www.microsoft.com | AKAMAI-AS | DE | unknown

DNS requests

Domain | IP | Reputation
google.com | 216.58.212.174 | whitelisted
www.google.com | 142.250.184.228 | whitelisted
settings-win.data.microsoft.com | 51.124.78.146 | whitelisted
ctldl.windowsupdate.com | 199.232.210.172, 199.232.214.172 | whitelisted
crl.microsoft.com | 23.48.23.143, 23.48.23.156 | whitelisted
www.microsoft.com | 23.52.120.96 | whitelisted

Threats

No threats detected
No debug info