File name: FortiClientVPNOnlineInstaller.exe

Full analysis: https://app.any.run/tasks/cb5c0862-40fe-4e83-aa71-1c1c1cc5a30f
Verdict: Malicious activity
Analysis date: March 01, 2024, 15:03:32
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 9BFA08538F94A78395B116666E90606B
SHA1: 9C62F61ABDED758772DA22C16F825CDF40F00F92
SHA256: D4BA0B587CCCC005BC37AD17817FC4DBD123D357EB34DDF6B1DD63FA57343F2F
SSDEEP: 98304:rvs0mnezVX9ZVXtE8A8srb9DC1a5L5hEipkrOJpj0+sFeG6weI/d11be5053/mPl:tOA1Vtg3

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • FortiClientVPNOnlineInstaller.exe (PID: 3240)
  • SUSPICIOUS

    • Reads the Internet Settings

      • FortiClientVPNOnlineInstaller.exe (PID: 3240)
    • Reads security settings of Internet Explorer

      • FortiClientVPNOnlineInstaller.exe (PID: 3240)
    • Application launched itself

      • FortiClientVPNOnlineInstaller.exe (PID: 3240)
    • Creates/Modifies COM task schedule object

      • FortiClientVPNOnlineInstaller.exe (PID: 2852)
    • Connects to the server without a host name

      • FortiClientVPNOnlineInstaller.exe (PID: 2852)
  • INFO

    • Checks supported languages

      • FortiClientVPNOnlineInstaller.exe (PID: 3240)
      • FortiClientVPNOnlineInstaller.exe (PID: 2852)
    • Create files in a temporary directory

      • FortiClientVPNOnlineInstaller.exe (PID: 3240)
      • FortiClientVPNOnlineInstaller.exe (PID: 2852)
    • Reads the computer name

      • FortiClientVPNOnlineInstaller.exe (PID: 3240)
      • FortiClientVPNOnlineInstaller.exe (PID: 2852)
    • Process checks whether UAC notifications are on

      • FortiClientVPNOnlineInstaller.exe (PID: 3240)
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:10:04 15:30:59+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.36
CodeSize: 3064320
InitializedDataSize: 1102336
UninitializedDataSize: -
EntryPoint: 0xe36b0
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
Total processes: 40
Monitored processes: 2
Malicious processes: 2
Suspicious processes: 0


Process information

PID | CMD | Path | Parent process | User | Integrity Level | Exit code
2852 | "C:\Users\admin\AppData\Local\Temp\FortiClientVPNOnlineInstaller.exe" | C:\Users\admin\AppData\Local\Temp\FortiClientVPNOnlineInstaller.exe | FortiClientVPNOnlineInstaller.exe | admin | HIGH | 0
3240 | "C:\Users\admin\AppData\Local\Temp\FortiClientVPNOnlineInstaller.exe" | C:\Users\admin\AppData\Local\Temp\FortiClientVPNOnlineInstaller.exe | explorer.exe | admin | MEDIUM | 0

Modules (images) loaded by PID 2852:
c:\users\admin\appdata\local\temp\forticlientvpnonlineinstaller.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll

Modules (images) loaded by PID 3240:
c:\users\admin\appdata\local\temp\forticlientvpnonlineinstaller.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
Total events: 2 598
Read events: 2 588
Write events: 10
Delete events: 0

Modification events

(PID) Process: (3240) FortiClientVPNOnlineInstaller.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (3240) FortiClientVPNOnlineInstaller.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (3240) FortiClientVPNOnlineInstaller.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (3240) FortiClientVPNOnlineInstaller.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (2852) FortiClientVPNOnlineInstaller.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8052F904-874D-4d28-9380-AA9BDBF13AFD}\InProcServer32
Operation: write
Name: ThreadingModel
Value: diskcopy.dll

(PID) Process: (2852) FortiClientVPNOnlineInstaller.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8052F904-874D-4d28-9380-AA9BDBF13AFD}\InProcServer32
Operation: write
Name: AppID
Value: {2FD14BAB-08A5-49B0-9471-CF2EF2AD7570}
Executable files: 0
Suspicious files: 2
Text files: 2
Unknown types: 0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
2852 | FortiClientVPNOnlineInstaller.exe | C:\Users\admin\AppData\Local\Temp\obj_1_a03228 | binary | 6690A89813DE0893B3631F1580933461 | F16D54129B9E6177C10752D46B1DA62A2033CE58AFD54E7428D2323999ABEED8
2852 | FortiClientVPNOnlineInstaller.exe | C:\Users\admin\AppData\Local\Temp\obj_1_a03228__unpacked | text | 4041077399DE378FCB24391D28DBBD65 | CA8628A9BEE40D677CEBFF9CB7D0EE97E8E276481E4B77E2FF6015C05DC8C0A1
HTTP(S) requests: 3
TCP/UDP connections: 7
DNS requests: 1
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2852 | FortiClientVPNOnlineInstaller.exe | POST | 200 | 173.243.138.76:80 | http://173.243.138.76/fdsupdate | unknown | binary | 108 Kb | unknown
2852 | FortiClientVPNOnlineInstaller.exe | POST | 200 | 208.184.237.75:80 | http://208.184.237.75/fdsupdate | unknown | binary | 684 b | unknown
2852 | FortiClientVPNOnlineInstaller.exe | POST | - | 173.243.138.76:80 | http://173.243.138.76/fdsupdate | unknown | - | - | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
2852 | FortiClientVPNOnlineInstaller.exe | 208.184.237.75:80 | forticlient.fortinet.net | FORTINET | US | unknown
2852 | FortiClientVPNOnlineInstaller.exe | 173.243.138.76:80 | forticlient.fortinet.net | FORTINET | US | unknown

DNS requests

Domain | IP | Reputation
forticlient.fortinet.net | 208.184.237.75, 173.243.138.76 | unknown

Threats

No threats detected
No debug info