d4ba0b587cccc005bc37ad17817fc4dbd123d357eb34ddf6b1dd63fa57343f2f

Analysis

max time kernel
119s
max time network
151s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
29-02-2024 11:09

Target

FortiClientVPNOnlineInstaller.exe
Size

4.0MB
MD5

9bfa08538f94a78395b116666e90606b
SHA1

9c62f61abded758772da22c16f825cdf40f00f92
SHA256

d4ba0b587cccc005bc37ad17817fc4dbd123d357eb34ddf6b1dd63fa57343f2f
SHA512

cfb1d911786c0e4b55e5d45bf392ed30a5f4c6843ce4d6ddfa3af3f219ce341e76ea376db2ea0cbf3421364c49920241d85075b062585a127d144942dc5e40c2
SSDEEP

49152:g9enMTO4Hht2GrgsTeu8T1a0ymq0O493Ej4LA6aKIpmb4RV/TVXUrPhTHlzuw2t3:g9ensr3a4hms4F+7XVXgTHYJOE/

Score

1^/10

Modifies registry class 7 IoCs

Processes:

FortiClientVPNOnlineInstaller.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8052F904-874D-4d28-9380-AA9BDBF13AFD}\InProcServer32	FortiClientVPNOnlineInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	FortiClientVPNOnlineInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	FortiClientVPNOnlineInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8052F904-874D-4d28-9380-AA9BDBF13AFD}	FortiClientVPNOnlineInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8052F904-874D-4d28-9380-AA9BDBF13AFD}\InProcServer32\ = "diskcopy.dll"	FortiClientVPNOnlineInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8052F904-874D-4d28-9380-AA9BDBF13AFD}\InProcServer32\ThreadingModel = "diskcopy.dll"	FortiClientVPNOnlineInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8052F904-874D-4d28-9380-AA9BDBF13AFD}\InProcServer32\AppID = "{329B5ECB-4CEE-44F2-81C5-9821C57FB3B7}"	FortiClientVPNOnlineInstaller.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

FortiClientVPNOnlineInstaller.exe

pid process

2928 FortiClientVPNOnlineInstaller.exe

pid	process
2928	FortiClientVPNOnlineInstaller.exe

memory/2928-0-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download