Analysis
max time kernel: 300s
max time network: 277s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-10-2024 06:05

Static task: static1

Behavioral task: behavioral1
Sample: FortiClientVPNOnlineInstaller.exe
Resource: win7-20240704-en

Behavioral task: behavioral2
Sample: FortiClientVPNOnlineInstaller.exe
Resource: win10v2004-20240802-en

General
Target: FortiClientVPNOnlineInstaller.exe
Size: 2.7MB
MD5: 11bfc265fc53ac4756e4ef2759ca10eb
SHA1: e3d2bf11618c39dfd036bb33ea96aa5f989fed25
SHA256: 2e520faa2b71ba56643153b77c2908c0d6da34a2f6f9abaa7cbadab9278dc99e
SHA512: 6b1e802f82002c5f8162a48440e09631da12fbfa283fc03bbf405938406955581764cda3ae57021d9e1b821a128b227e77b38dd6994a655f438ac5081f5ae689
SSDEEP: 49152:nZ2d2wu+8ewJobcRgEekPZ99ztx5IX0hL5m6bgy:nZ2dnu+AMW9x2O
Malware Config
Signatures
Drops file in Drivers directory 10 IoCs
description | ioc | Process
File created | C:\Windows\System32\drivers\SET3431.tmp | DrvInst.exe
File opened for modification | C:\Windows\System32\drivers\ftsvnic.sys | DrvInst.exe
File opened for modification | C:\Windows\system32\drivers\etc\hosts | FCDBLog.exe
File created | C:\Windows\system32\Drivers\FortiFilter.sys | msiexec.exe
File created | C:\Windows\system32\Drivers\fortitransctrl_74.sys | msiexec.exe
File created | C:\Windows\system32\Drivers\ftvnic.sys | msiexec.exe
File opened for modification | C:\Windows\System32\drivers\SET3431.tmp | DrvInst.exe
File created | C:\Windows\system32\Drivers\fortips_74.sys | msiexec.exe
File created | C:\Windows\system32\Drivers\ftsvnic.sys | msiexec.exe
File opened for modification | C:\Windows\System32\drivers\ftvnic.sys | DrvInst.exe
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{c649ede4-f16a-4486-a117-dcc2f2a35165} = "\"C:\\ProgramData\\Package Cache\\{c649ede4-f16a-4486-a117-dcc2f2a35165}\\VC_redist.x64.exe\" /burn.runonce" | VC_redist.x64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{46c3b171-c15c-4137-8e1d-67eeb2985b44} = "\"C:\\ProgramData\\Package Cache\\{46c3b171-c15c-4137-8e1d-67eeb2985b44}\\VC_redist.x86.exe\" /burn.runonce" | VC_redist.x86.exe
Checks for any installed AV software in registry 1 TTPs 2 IoCs
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Fortinet\FortiClient\installed | msiexec.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Fortinet\FortiClient\installed = "1" | msiexec.exe
Drops desktop.ini file(s) 1 IoCs
description | ioc | Process
File opened for modification | C:\$RECYCLE.BIN\S-1-5-18\desktop.ini | MsiExec.exe
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\K: | FortiClientVPN.exe
File opened (read-only) | \??\N: | FortiClientVPN.exe
File opened (read-only) | \??\O: | FortiClientVPN.exe
File opened (read-only) | \??\Z: | FortiClientVPN.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\I: | FortiClientVPN.exe
File opened (read-only) | \??\M: | FortiClientVPN.exe
File opened (read-only) | \??\W: | FortiClientVPN.exe
File opened (read-only) | \??\Y: | FortiClientVPN.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\V: | FortiClientVPN.exe
File opened (read-only) | \??\X: | FortiClientVPN.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\A: | FortiClientVPN.exe
File opened (read-only) | \??\E: | FortiClientVPN.exe
File opened (read-only) | \??\H: | FortiClientVPN.exe
File opened (read-only) | \??\J: | FortiClientVPN.exe
File opened (read-only) | \??\L: | FortiClientVPN.exe
File opened (read-only) | \??\R: | FortiClientVPN.exe
File opened (read-only) | \??\S: | FortiClientVPN.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\G: | FortiClientVPN.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\T: | FortiClientVPN.exe
File opened (read-only) | \??\U: | FortiClientVPN.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\B: | FortiClientVPN.exe
File opened (read-only) | \??\Q: | FortiClientVPN.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\P: | FortiClientVPN.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | VC_redist.x64.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | update_task.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | FortiClient.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | FortiClient.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | FortiElevate.exe
Drops file in System32 directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Windows\system32\msvcp140.dll | msiexec.exe
File created | C:\Windows\system32\concrt140.dll | msiexec.exe
File opened for modification | C:\Windows\system32\mfc140ita.dll | msiexec.exe
File created | C:\Windows\SysWOW64\mfc140esn.dll | msiexec.exe
File created | C:\Windows\System32\DriverStore\FileRepository\netrass.inf_amd64_7f701cb29b5389d3\netrass.PNF | MsiExec.exe
File created | C:\Windows\System32\DriverStore\FileRepository\wfpcapture.inf_amd64_54cf91ab0e4c9ac2\wfpcapture.PNF | MsiExec.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\fortifilter.inf_amd64_283aeda6f10114be\FortiFilter.sys | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\fortifilter.inf_amd64_283aeda6f10114be\fortifilter.cat | DrvInst.exe
File created | C:\Windows\system32\mfc140fra.dll | msiexec.exe
File opened for modification | C:\Windows\SysWOW64\msvcp140_codecvt_ids.dll | msiexec.exe
File opened for modification | C:\Windows\SysWOW64\concrt140.dll | msiexec.exe
File created | C:\Windows\SysWOW64\mfc140rus.dll | msiexec.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\ft_vnic.inf_amd64_e26f6c9d821ce5a4\ftvnic.cat | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{23ec53ed-6204-4146-bec5-4982804b6260}\SET34BD.tmp | DrvInst.exe
File created | C:\Windows\system32\vcamp140.dll | msiexec.exe
File created | C:\Windows\system32\mfc140u.dll | msiexec.exe
File opened for modification | C:\Windows\SysWOW64\vccorlib140.dll | msiexec.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\ft_vnic.inf_amd64_e26f6c9d821ce5a4\ft_vnic.inf | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{f3c50fdd-8cd0-be4b-a84f-a17aa9980ec4} | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{f3c50fdd-8cd0-be4b-a84f-a17aa9980ec4}\SET2B47.tmp | DrvInst.exe
File created | C:\Windows\system32\vcruntime140.dll | msiexec.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{f7569c3b-310b-a64b-a47e-e96e53ec156a} | DrvInst.exe
File opened for modification | C:\Windows\system32\mfc140rus.dll | msiexec.exe
File created | C:\Windows\SysWOW64\msvcp140.dll | msiexec.exe
File created | C:\Windows\System32\DriverStore\FileRepository\netnb.inf_amd64_0dc913ad00b14824\netnb.PNF | MsiExec.exe
File opened for modification | C:\Windows\system32\msvcp140_atomic_wait.dll | msiexec.exe
File opened for modification | C:\Windows\SysWOW64\mfc140jpn.dll | msiexec.exe
File opened for modification | C:\Windows\SysWOW64\mfc140kor.dll | msiexec.exe
File created | C:\Windows\System32\DriverStore\Temp\{f7569c3b-310b-a64b-a47e-e96e53ec156a}\SET20AA.tmp | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{23ec53ed-6204-4146-bec5-4982804b6260} | DrvInst.exe
File created | C:\Windows\system32\mfcm140u.dll | msiexec.exe
File created | C:\Windows\System32\DriverStore\FileRepository\fortifilter.inf_amd64_283aeda6f10114be\fortifilter.PNF | MsiExec.exe
File created | C:\Windows\system32\vccorlib140.dll | msiexec.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{f7569c3b-310b-a64b-a47e-e96e53ec156a}\SET20A9.tmp | DrvInst.exe
File opened for modification | C:\Windows\System32\CatRoot2\dberr.txt | DrvInst.exe
File created | C:\Windows\system32\vcruntime140_threads.dll | msiexec.exe
File opened for modification | C:\Windows\system32\mfc140enu.dll | msiexec.exe
File created | C:\Windows\system32\mfc140jpn.dll | msiexec.exe
File created | C:\Windows\SysWOW64\vcruntime140.dll | msiexec.exe
File opened for modification | C:\Windows\SysWOW64\mfc140chs.dll | msiexec.exe
File opened for modification | C:\Windows\SysWOW64\mfc140fra.dll | msiexec.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{f7569c3b-310b-a64b-a47e-e96e53ec156a}\SET20AA.tmp | DrvInst.exe
File opened for modification | C:\Windows\system32\msvcp140_1.dll | msiexec.exe
File created | C:\Windows\SysWOW64\mfc140enu.dll | msiexec.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\ftsvnic.inf_amd64_71e12dfeb77d4d0d\ftsvnic.inf | DrvInst.exe
File opened for modification | C:\Windows\System32\CatRoot2\dberr.txt | DrvInst.exe
File opened for modification | C:\Windows\SysWOW64\mfc140deu.dll | msiexec.exe
File created | C:\Windows\SysWOW64\mfc140deu.dll | msiexec.exe
File created | C:\Windows\SysWOW64\mfcm140.dll | msiexec.exe
File opened for modification | C:\Windows\System32\CatRoot2\dberr.txt | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\ftsvnic.inf_amd64_71e12dfeb77d4d0d\ftsvnic.sys | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{f3c50fdd-8cd0-be4b-a84f-a17aa9980ec4}\SET2B58.tmp | DrvInst.exe
File created | C:\Windows\System32\DriverStore\Temp\{23ec53ed-6204-4146-bec5-4982804b6260}\SET34CF.tmp | DrvInst.exe
File created | C:\Windows\System32\DriverStore\FileRepository\netnwifi.inf_amd64_a2bfd066656fe297\netnwifi.PNF | MsiExec.exe
File opened for modification | C:\Windows\SysWOW64\vcamp140.dll | msiexec.exe
File created | C:\Windows\SysWOW64\mfc140chs.dll | msiexec.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{f7569c3b-310b-a64b-a47e-e96e53ec156a}\ftvnic.sys | DrvInst.exe
File opened for modification | C:\Windows\System32\CatRoot2\dberr.txt | MsiExec.exe
File opened for modification | C:\Windows\system32\mfc140.dll | msiexec.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F9C57C8B55E84B295CBBD8CF3D95BF44 | scheduler.exe
File created | C:\Windows\SysWOW64\vcomp140.dll | msiexec.exe
File created | C:\Windows\System32\DriverStore\FileRepository\c_netservice.inf_amd64_9ab9cf10857f7349\c_netservice.PNF | MsiExec.exe
File opened for modification | C:\Windows\system32\msvcp140_codecvt_ids.dll | msiexec.exe
File opened for modification | C:\Windows\SysWOW64\vcruntime140.dll | msiexec.exe
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File created | C:\Program Files\Fortinet\FortiClient\SoftwareInventory\971438336.ico | update_task.exe
File created | C:\Program Files\Fortinet\FortiClient\Microsoft.Identity.Client.dll | msiexec.exe
File created | C:\Program Files\Fortinet\FortiClient\FortiAuth.dll | msiexec.exe
File created | C:\Program Files\Fortinet\FortiClient\SoftwareInventory\2523462375.ico.tmp | update_task.exe
File opened for modification | C:\Program Files\Fortinet\FortiClient\logs\trace\sslvpndaemon_1_error.log | FortiSSLVPNdaemon.exe
File created | C:\Program Files\Fortinet\FortiClient\utilsdll.dll | msiexec.exe
File created | C:\Program Files\Fortinet\FortiClient\FortiTrayResc.dll | msiexec.exe
File created | C:\Program Files\Fortinet\FortiClient\locales\fa.pak | msiexec.exe
File created | C:\Program Files\Fortinet\FortiClient\locales\it.pak | msiexec.exe
File created | C:\Program Files\Fortinet\FortiClient\Microsoft.Web.WebView2.WinForms.dll | msiexec.exe
File created | C:\Program Files\Fortinet\FortiClient\locales\pt-BR.pak | msiexec.exe
File created | C:\Program Files\Fortinet\FortiClient\locales\am.pak | msiexec.exe
File created | C:\Program Files\Fortinet\FortiClient\FortiElevate.exe | msiexec.exe
File created | C:\Program Files\Fortinet\FortiClient\x86\libssl-3.dll | msiexec.exe
File created | C:\Program Files\Fortinet\FortiClient\SoftwareInventory\3089594422.ico.tmp | update_task.exe
File created | C:\Program Files\Fortinet\FortiClient\SoftwareInventory\163696679.ico | update_task.exe
File opened for modification | C:\Program Files\Fortinet\FortiClient\obj_4_a04904__unpacked | update_task.exe
File created | C:\Program Files\Fortinet\FortiClient\locales\ml.pak | msiexec.exe
File created | C:\Program Files\Fortinet\FortiClient\locales\ro.pak | msiexec.exe
File created | C:\Program Files\Fortinet\FortiClient\SoftwareInventory\35416844.ico | update_task.exe
File created | C:\Program Files\Fortinet\FortiClient\SoftwareInventory\1854324107.ico | update_task.exe
File created | C:\Program Files\Fortinet\FortiClient\update_task_tls.dll | msiexec.exe
File opened for modification | C:\Program Files\Fortinet\FortiClient\SoftwareInventory\2746888853.ico | update_task.exe
File opened for modification | C:\Program Files\Fortinet\FortiClient\SoftwareInventory\3811984533.ico | update_task.exe
File opened for modification | C:\Program Files\Fortinet\FortiClient\SoftwareInventory\962282671.ico | update_task.exe
File created | C:\Program Files\Fortinet\FortiClient\FCDBLog.exe | msiexec.exe
File created | C:\Program Files\Fortinet\FortiClient\vir_sig\isdb_map.dat | msiexec.exe
File created | C:\Program Files\Fortinet\FortiClient\xmlvpn.dll | msiexec.exe
File created | C:\Program Files\Fortinet\FortiClient\AzureToken.exe | msiexec.exe
File created | C:\Program Files\Fortinet\FortiClient\Microsoft.Identity.Client.Desktop.dll | msiexec.exe
File created | C:\Program Files\Fortinet\FortiClient\locales\ta.pak | msiexec.exe
File created | C:\Program Files\Fortinet\FortiClient\locales\uk.pak | msiexec.exe
File opened for modification | C:\Program Files\Fortinet\FortiClient\SoftwareInventory\2803914108.ico | update_task.exe
File created | C:\Program Files\Fortinet\FortiClient\vir_sig\isdb_app.txt.downloaded | update_task.exe
File created | C:\Program Files\Fortinet\FortiClient\FortiSettings.exe | msiexec.exe
File created | C:\Program Files\Fortinet\FortiClient\locales\th.pak | msiexec.exe
File created | C:\Program Files\Fortinet\FortiClient\locales\tr.pak | msiexec.exe
File opened for modification | C:\Program Files\Fortinet\FortiClient\logs\fips\CryptdMsg.txt.bak | scheduler.exe
File opened for modification | C:\Program Files\Fortinet\FortiClient\SoftwareInventory\2686110105.ico | update_task.exe
File opened for modification | C:\Program Files\Fortinet\FortiClient\SoftwareInventory\3557243014.ico | update_task.exe
File created | C:\Program Files\Fortinet\FortiClient\SoftwareInventory\1828860536.ico | update_task.exe
File created | C:\Program Files\Fortinet\FortiClient\SoftwareInventory\1828860536.ico.tmp | update_task.exe
File created | C:\Program Files\Fortinet\FortiClient\resources\app.asar | msiexec.exe
File created | C:\Program Files\Fortinet\FortiClient\chrome_200_percent.pak | msiexec.exe
File created | C:\Program Files\Fortinet\FortiClient\FortiScand.exe | msiexec.exe
File created | C:\Program Files\Fortinet\FortiClient\x86\libcrypto-3.dll | msiexec.exe
File created | C:\Program Files\Fortinet\FortiClient\locales\de.pak | msiexec.exe
File created | C:\Program Files\Fortinet\FortiClient\ffmpeg.dll | msiexec.exe
File created | C:\Program Files\Fortinet\FortiClient\locales\sv.pak | msiexec.exe
File created | C:\Program Files\Fortinet\FortiClient\locales\kn.pak | msiexec.exe
File opened for modification | C:\Program Files\Fortinet\FortiClient\SoftwareInventory\608264189.ico | update_task.exe
File created | C:\Program Files\Fortinet\FortiClient\FCCOMIntDLL.dll | msiexec.exe
File created | C:\Program Files\Fortinet\FortiClient\SoftwareInventory\1684460462.ico | update_task.exe
File opened for modification | C:\Program Files\Fortinet\FortiClient\SoftwareInventory\3804267959.ico | update_task.exe
File opened for modification | C:\Program Files\Fortinet\FortiClient\SoftwareInventory\3115611230.ico | update_task.exe
File opened for modification | C:\Program Files\Fortinet\FortiClient\SoftwareInventory\163696679.ico | update_task.exe
File created | C:\Program Files\Fortinet\FortiClient\locales\sk.pak | msiexec.exe
File created | C:\Program Files\Fortinet\FortiClient\SoftwareInventory\3916932946.ico | update_task.exe
File opened for modification | C:\Program Files\Fortinet\FortiClient\SoftwareInventory\3561524922.ico | update_task.exe
File created | C:\Program Files\Fortinet\FortiClient\SoftwareInventory\1258256135.ico.tmp | update_task.exe
File created | C:\Program Files\Fortinet\FortiClient\locales\en-US.pak | msiexec.exe
File created | C:\Program Files\Fortinet\FortiClient\locales\lv.pak | msiexec.exe
File created | C:\Program Files\Fortinet\FortiClient\SoftwareInventory\608264189.ico | update_task.exe
File created | C:\Program Files\Fortinet\FortiClient\SoftwareInventory\1308412437.ico | update_task.exe
Drops file in Windows directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Installer\MSICD54.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIFB9C.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI7556.tmp | msiexec.exe
File created | C:\Windows\Installer\e59b40a.msi | msiexec.exe
File created | C:\Windows\Installer\e59b432.msi | msiexec.exe
File created | C:\Windows\rescache\_merged\1045417640\2443210638.pri | FCDBLog.exe
File opened for modification | C:\Windows\Installer\MSIBFD3.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\e59b432.msi | msiexec.exe
File created | C:\Windows\Installer\e59b431.msi | msiexec.exe
File created | C:\Windows\Installer\e59b447.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIF968.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI14C.tmp | msiexec.exe
File created | C:\Windows\inf\oem4.inf | DrvInst.exe
File opened for modification | C:\Windows\Installer\{0DC51760-4FB7-41F3-8967-D3DEC9D320EB}\Icon_FCTLogo | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI3E53.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\e59b420.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI3F41.tmp | msiexec.exe
File created | C:\Windows\rescache\_merged\2530935351\164399416.pri | FCDBLog.exe
File opened for modification | C:\Windows\Installer\e59b3f4.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIB928.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIF792.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIB9D.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI3D76.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI3DF4.tmp | msiexec.exe
File created | C:\Windows\rescache\_merged\2263554406\3408210693.pri | FCDBLog.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File opened for modification | C:\Windows\Installer\MSICD7.tmp | msiexec.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | MsiExec.exe
File opened for modification | C:\Windows\Installer\MSI37C2.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI3E93.tmp | msiexec.exe
File created | C:\Windows\Installer\SourceHash{19AFE054-CA83-45D5-A9DB-4108EF4BD391} | msiexec.exe
File created | C:\Windows\Installer\e59b3f4.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI1D53.tmp | msiexec.exe
File created | C:\Windows\inf\oem3.inf | DrvInst.exe
File opened for modification | C:\Windows\Installer\MSI37D3.tmp | msiexec.exe
File created | C:\Windows\Installer\e59b3f6.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI3F12.tmp | msiexec.exe
File created | C:\Windows\rescache\_merged\92721896\3666685450.pri | FCDBLog.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIC92B.tmp | msiexec.exe
File opened for modification | C:\Windows\inf\oem5.inf | DrvInst.exe
File opened for modification | C:\Windows\Installer\MSI3B7D.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI3BDC.tmp | msiexec.exe
File created | C:\Windows\Installer\e59b41f.msi | msiexec.exe
File created | C:\Windows\rescache\_merged\1712550052\1418135664.pri | FCDBLog.exe
File opened for modification | C:\Windows\Installer\MSIB9E6.tmp | msiexec.exe
File created | C:\Windows\Installer\SourceHash{0DC51760-4FB7-41F3-8967-D3DEC9D320EB} | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI1F19.tmp | msiexec.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
File opened for modification | C:\Windows\Installer\MSI7C5D.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIC022.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIF540.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIFC1A.tmp | msiexec.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | svchost.exe
File created | C:\Windows\rescache\_merged\3479232320\1927648278.pri | FCDBLog.exe
File opened for modification | C:\Windows\Installer\MSICB40.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIFC78.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI3BFC.tmp | msiexec.exe
File created | C:\Windows\Installer\SourceHash{AA0C8AB5-7297-4D46-A0D9-08096FE59E46} | msiexec.exe
File created | C:\Windows\Installer\SourceHash{286DC39B-5FB7-4AFF-9DD4-22DB47664CD7} | msiexec.exe
File created | C:\Windows\rescache\_merged\482193516\952251187.pri | FCDBLog.exe
File created | C:\Windows\rescache\_merged\4245263321\345104667.pri | FCDBLog.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
Executes dropped EXE 24 IoCs
pid | Process
3380 | FortiClientVPN.exe
2700 | VC_redist.x64.exe
1180 | VC_redist.x64.exe
3868 | VC_redist.x64.exe
1588 | scheduler.exe
4540 | VC_redist.x86.exe
1796 | VC_redist.x86.exe
3204 | VC_redist.x86.exe
3160 | FortiScand.exe
2364 | fccomint.exe
2340 | FCDBLog.exe
2708 | FortiTray.exe
532 | FortiSSLVPNdaemon.exe
4600 | FortiSettings.exe
1628 | FortiVPN.exe
4396 | update_task.exe
2700 | FortiClient.exe
1832 | FortiClient.exe
3188 | FortiClient.exe
1924 | FortiElevate.exe
4064 | FortiClient.exe
5216 | FortiClient.exe
4012 | FortiElevate.exe
5912 | FortiClientSecurity.exe
Loads dropped DLL 64 IoCs
pid Process 4916 MsiExec.exe 4916 MsiExec.exe 4916 MsiExec.exe 4916 MsiExec.exe 3564 MsiExec.exe 3564 MsiExec.exe 3564 MsiExec.exe 3564 MsiExec.exe 3564 MsiExec.exe 3564 MsiExec.exe 3564 MsiExec.exe 3564 MsiExec.exe 3564 MsiExec.exe 2916 MsiExec.exe 2916 MsiExec.exe 3564 MsiExec.exe 2916 MsiExec.exe 2916 MsiExec.exe 2916 MsiExec.exe 2916 MsiExec.exe 2916 MsiExec.exe 2916 MsiExec.exe 2916 MsiExec.exe 2916 MsiExec.exe 2916 MsiExec.exe 2916 MsiExec.exe 2916 MsiExec.exe 2916 MsiExec.exe 2916 MsiExec.exe 2916 MsiExec.exe 2916 MsiExec.exe 2916 MsiExec.exe 2916 MsiExec.exe 2916 MsiExec.exe 2916 MsiExec.exe 2916 MsiExec.exe 2916 MsiExec.exe 3564 MsiExec.exe 3564 MsiExec.exe 3564 MsiExec.exe 1180 VC_redist.x64.exe 992 VC_redist.x64.exe 1796 VC_redist.x86.exe 4580 VC_redist.x86.exe 3160 FortiScand.exe 3160 FortiScand.exe 3160 FortiScand.exe 3160 FortiScand.exe 3160 FortiScand.exe 3160 FortiScand.exe 3160 FortiScand.exe 3160 FortiScand.exe 3160 FortiScand.exe 2376 regsvr32.exe 2376 regsvr32.exe 2376 regsvr32.exe 2364 fccomint.exe 2364 fccomint.exe 2364 fccomint.exe 2364 fccomint.exe 2364 fccomint.exe 2364 fccomint.exe 2364 fccomint.exe 2364 fccomint.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 14 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | FortiClientVPNOnlineInstaller.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | VC_redist.x64.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | VC_redist.x86.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | VC_redist.x86.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | FortiClientVPN.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | VC_redist.x64.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | VC_redist.x64.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | VC_redist.x64.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | VC_redist.x86.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | VC_redist.x64.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | VC_redist.x64.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | VC_redist.x86.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | VC_redist.x86.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | VC_redist.x86.exe
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom | MsiExec.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\ | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | DrvInst.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID | DrvInst.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs | MsiExec.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom | DrvInst.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom | DrvInst.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom | DrvInst.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | DrvInst.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\ | MsiExec.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom | DrvInst.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs | DrvInst.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom | DrvInst.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs | DrvInst.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Driver | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | DrvInst.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs | DrvInst.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs | DrvInst.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 | DrvInst.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | MsiExec.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom | DrvInst.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID | DrvInst.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom | DrvInst.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | DrvInst.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | DrvInst.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | MsiExec.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\ | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom | DrvInst.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 | MsiExec.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID | DrvInst.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID | DrvInst.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom | DrvInst.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | DrvInst.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | MsiExec.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom | DrvInst.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 | DrvInst.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | MsiExec.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags | MsiExec.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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 | vssvc.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs | DrvInst.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs | DrvInst.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 | DrvInst.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom | DrvInst.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID | DrvInst.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | DrvInst.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | MsiExec.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID | DrvInst.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Driver | MsiExec.exe
Modifies data under HKEY_USERS 64 IoCs
description ioc Process
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2d msiexec.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.PeopleExperienceHost_cw5n1h2txyewy%5Cresources.pri FCDBLog.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.AppRep.ChxApp_cw5n1h2txyewy%5Cresources.pri\1d5acddee1afafc\a01460c8\@{Microsoft.Windows.Apprep.ChxApp_1000.19041.1023.0_neutral_neutral_cw5n1h2t = "Windows Defender SmartScreen" FCDBLog.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates scheduler.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing scheduler.exe
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0001\SessionHash = e55483c4647f7fd646165864aeb5cae09a11e3a698296c25d7fb3f0668249d5e msiexec.exe
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0001\SessionHash = c814221e5334df0e145e68a819624f747b4012c5e1a0807acb28c6746698d3e1 msiexec.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs scheduler.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs scheduler.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2f msiexec.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" VC_redist.x86.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.PeopleExperienceHost_cw5n1h2txyewy%5Cresources.pri\1d7e53672e17460\a01460c8 FCDBLog.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.Search_c5n1h2txyewy%5Cresources.pri FCDBLog.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Fortinet\FortiClient FortiVPN.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs scheduler.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople scheduler.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844 = "BitLocker Data Recovery Agent" scheduler.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.AccountsControl_cw5n1h2txyewy%5Cresources.pri\1d7e5366768b0fd\a01460c8 FCDBLog.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5Cmicrosoft.windows.narratorquickstart_8wekyb3d8bbwe%5Cresources.pri FCDBLog.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.AAD.BrokerPlugin_cw5n1h2txyewy%5Cresources.pri\1d5acdde7226641\a01460c8 FCDBLog.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs MsiExec.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy%5Cresources.pri\1d5acddea4e2414\a01460c8\@{Microsoft.Windows.StartMenuExperienceHost_10.0.19041.1023_neutra = "Start" FCDBLog.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed MsiExec.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume MsiExec.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2f\52C64B7E\@%SystemRoot%\system32\firewallapi.dll,-37302 = "mDNS" FCDBLog.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2f\52C64B7E\@%SystemRoot%\system32\icsvc.dll,-700 = "Virtual Machine Monitoring" FCDBLog.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust MsiExec.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b\52C64B7E\@%SystemRoot%\system32\NgcRecovery.dll,-100 = "Windows Hello Recovery Key Encryption" scheduler.exe
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2D msiexec.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates MsiExec.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" VC_redist.x86.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" VC_redist.x86.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates DrvInst.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b\52C64B7E\@%SystemRoot%\System32\ci.dll,-100 = "Isolated User Mode (IUM)" scheduler.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs scheduler.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.ContentDeliveryManager_cw5n1h2txyewy%5Cresources.pri\1d5acddd82645c0\a01460c8 FCDBLog.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.Search_cw5n1h2txyewy%5Cresources.pri\1d7e5369da0bc36\a01460c8 FCDBLog.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs MsiExec.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root MsiExec.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs MsiExec.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\29 msiexec.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2c msiexec.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2f\52C64B7E\@wifidisplay.dll,-100 = "Wireless Display" FCDBLog.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA MsiExec.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs MsiExec.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust MsiExec.exe
-
Modifies registry class 64 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.38,bundle\Dependents VC_redist.x86.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v14\Version = "14.38.33135" msiexec.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\679E80FBE29B63345BF612177149674C\SourceList\Media msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{33DC5028-890D-4B61-9A6E-1082DB291402}\LocalServer32 FortiScand.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CF332B68-61D0-41EA-B035-52036A9EC368}\TypeLib\Version = "1.0" FortiScand.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9741A9AF-82AF-4E23-9C22-6B5BA4B5D3A9}\TypeLib fccomint.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ FortiClient.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\450EFA9138AC5D549ABD1480FEB43D19\Version = "237404527" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B93CD6827BF5FFA4D94D22BD7466C47D\SourceList\Media\1 = ";" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5709C804-E55B-495C-A658-11FD6C6503FE}\ProgID\ = "FortiScand.Utility.1" FortiScand.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\FortiScand.FCILPScan\CurVer FortiScand.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F8A4D3F5-76E7-4B16-BD00-53925CE9B993}\ = "IVPN" regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{65C92DD3-C1F6-4FB5-8B33-CA762B295461}\LocalServer32\ = "\"C:\\Program Files\\Fortinet\\FortiClient\\FortiScand.exe\"" FortiScand.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4D6D09E4-4E94-4E86-B1DD-0490AD948900}\ProxyStubClsid32 fccomint.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{248DA346-4BA5-4997-A534-B469C50326DA}\ProgID\ = "FortiClient.VPN.1" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\06715CD07BF43F1498763DED9C3D02BE\SourceList\Media\6 = ";" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\88AAB0B9F51EF1A3CA0C2B609EDD7FC1\450EFA9138AC5D549ABD1480FEB43D19 msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5709C804-E55B-495C-A658-11FD6C6503FE}\LocalServer32\ = "\"C:\\Program Files\\Fortinet\\FortiClient\\FortiScand.exe\"" FortiScand.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CF332B68-61D0-41EA-B035-52036A9EC368}\TypeLib\Version = "1.0" FortiScand.exe
Set value (data) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff FortiClient.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AFE4D906-E9DA-4431-9000-F58CFD115F76}\TypeLib\Version = "1.0" msiexec.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A567BD6FA501A947AD1F646E53EEC14 msiexec.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.30,bundle VC_redist.x86.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{33DC5028-890D-4B61-9A6E-1082DB291402}\VersionIndependentProgID\ = "FortiScand.FCVirusScan" FortiScand.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\FortiScand.Utility2.1 FortiScand.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\FCCOMInt.EXE\AppID = "{8D7ECB73-3926-4D7A-A16E-71AC047522EB}" fccomint.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\FCCOMInt.XVPN\CurVer\ = "FCCOMInt.XVPN.1" fccomint.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9741A9AF-82AF-4E23-9C22-6B5BA4B5D3A9} fccomint.exe
Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings FortiClient.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1363D583-F150-478E-B40F-C69E3DA8ACEB}\1.0\0 msiexec.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\450EFA9138AC5D549ABD1480FEB43D19\Clients = 3a0000000000 msiexec.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\679E80FBE29B63345BF612177149674C\SourceList msiexec.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\06715CD07BF43F1498763DED9C3D02BE\AdvertiseFlags = "388" msiexec.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\450EFA9138AC5D549ABD1480FEB43D19\Assignment = "1" msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\450EFA9138AC5D549ABD1480FEB43D19\SourceList msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{65C92DD3-C1F6-4FB5-8B33-CA762B295461}\VersionIndependentProgID\ = "FortiScand.FCILPScan" FortiScand.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CCCCD687-1625-4985-8F5A-E9609906EBEB}\ = "IUtility" FortiScand.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E25A138-6990-434F-A6F1-76028B0CE908}\AppID = "{8D7ECB73-3926-4D7A-A16E-71AC047522EB}" fccomint.exe
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{248DA346-4BA5-4997-A534-B469C50326DA}\Version msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\450EFA9138AC5D549ABD1480FEB43D19\Provider msiexec.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\450EFA9138AC5D549ABD1480FEB43D19\AuthorizedLUAApp = "0" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\450EFA9138AC5D549ABD1480FEB43D19\SourceList\Media\1 = ";" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\15E8B87C56C0E773581D82F286F95E50\301C91C91BD71D440A93C270A636A383 msiexec.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B93CD6827BF5FFA4D94D22BD7466C47D\AuthorizedLUAApp = "0" msiexec.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\15E8B87C56C0E773581D82F286F95E50 msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{33DC5028-890D-4B61-9A6E-1082DB291402}\TypeLib FortiScand.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4D6D09E4-4E94-4E86-B1DD-0490AD948900}\TypeLib\ = "{BFE493FE-215A-4DB8-B340-9C5FC82611C5}" fccomint.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\forticlient\URL Protocol FortiClient.exe
Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 FortiClient.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\fabricagent\shell msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\09A86F63C932FD435BC8463B1035EC53 msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CCCCD687-1625-4985-8F5A-E9609906EBEB}\TypeLib\Version = "1.0" FortiScand.exe
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{248DA346-4BA5-4997-A534-B469C50326DA}\ProgID msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\06715CD07BF43F1498763DED9C3D02BE\SourceList\Net msiexec.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\450EFA9138AC5D549ABD1480FEB43D19\InstanceType = "0" msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B93CD6827BF5FFA4D94D22BD7466C47D\SourceList\Net msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_x86,v14\Version = "14.38.33135" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\FortiScand.EXE\AppID = "{B8B581FB-6D16-4E37-AD57-F00C857E86BB}" FortiScand.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\FortiScand.Utility2.1\ = "Utility2 Class" FortiScand.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{56DBD9A9-A79B-48DF-B65B-2639354AC072}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" FortiScand.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E21B3BC-6928-4081-BB7F-FD5E88736333}\ = "IUtility2" FortiScand.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1363D583-F150-478E-B40F-C69E3DA8ACEB}\1.0\ = "FCCOMIntDLL 1.0 Type Library" msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\06715CD07BF43F1498763DED9C3D02BE\SourceList\Media msiexec.exe
-
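The registry tables above are capped at 64 rows each and mix a few rows that change what the machine trusts or executes (a CLSID whose LocalServer32 points at FortiScand.exe, a forticlient: URL Protocol handler, certificate-store keys) with installer bookkeeping, MUI/MRT caches and SCSI enumeration. The Python below is an added example, not part of the Triage report or of FortiClient: it parses rows in the report's "action ioc Process" form into hive-normalised records, decodes the C-style quoting the report uses for string values, and sorts each row into a category so the rows that matter can be read apart from the noise. The sample rows are copied from the tables on this page (the last one from the certificate-store table further down); the category names and the classification rules are the example's own and are not how the sandbox labels rows.

```python
"""Triage the flattened 'description ioc Process' registry rows of a sandbox report (added example)."""
import ast
import re
from dataclasses import dataclass
from typing import Optional

# Row prefixes this report format uses for registry events.
ACTIONS = ("Key value queried", "Key created", "Key deleted", "Key opened", "Key queried",
           "Set value (str)", "Set value (int)", "Set value (data)")
HIVES = ((r"\REGISTRY\MACHINE", "HKLM"), (r"\REGISTRY\USER", "HKU"))
# A store key named after a SHA-1 thumbprint, optionally the Blob value beneath it.
_THUMBPRINT_KEY = re.compile(r"\\Certificates\\[0-9A-F]{40}(\\Blob)?$", re.I)


@dataclass
class RegRow:
    action: str
    path: str             # hive-normalised key path; for Set value rows the value name is the last component
    value: Optional[str]  # decoded value text, None when the report prints none
    process: str


def parse_row(row: str) -> RegRow:
    action = next(a for a in ACTIONS if row.startswith(a))
    rest, _, process = row[len(action):].strip().rpartition(" ")  # process name is always the last token
    if " = " in rest:
        path, value = rest.split(" = ", 1)
        # String values are printed as C-style quoted literals (\" and \\ escaped); data values are raw hex.
        value = ast.literal_eval(value) if value.startswith('"') else value
    else:
        path, value = rest, None
    for prefix, hive in HIVES:
        if path.startswith(prefix):
            path = hive + path[len(prefix):]
            break
    return RegRow(action, path, value, process)


def classify(r: RegRow) -> str:
    """Category names are this example's own, chosen by what the row changes."""
    p = r.path
    if "\\SystemCertificates\\" in p:
        # Only a key named after a thumbprint (or its Blob) is a certificate landing in a store;
        # creating the empty Certificates/CRLs/CTLs containers is what CryptoAPI does on first use.
        return "trust_store_certificate" if _THUMBPRINT_KEY.search(p) else "trust_store_container"
    if p.endswith("\\URL Protocol"):
        return "uri_scheme_handler"       # registers a custom scheme (here forticlient:) with the shell
    if "\\LocalServer32" in p or "\\InprocServer32" in p:
        return "com_server"               # the binary that runs when the CLSID is instantiated
    if "\\CLSID\\" in p or "\\AppID" in p or "\\Interface\\" in p or "\\TypeLib" in p:
        return "com_registration"
    if "\\Installer\\" in p:
        return "msi_bookkeeping"
    if "\\MuiCache" in p or "\\MrtCache" in p:
        return "ui_cache"
    if "\\Enum\\SCSI\\" in p:
        return "device_enumeration"       # vendor strings (QEMU, Msft Virtual DVD-ROM) give away the VM
    return "other"


def com_server_binary(r: RegRow) -> Optional[str]:
    """Executable a LocalServer32 default value points at, without the report's quoting."""
    return r.value.strip('"') if r.value and "\\LocalServer32" in r.path else None


def triage(rows) -> dict:
    """Group raw rows as {category: [(process, path), ...]}."""
    summary = {}
    for raw in rows:
        r = parse_row(raw)
        summary.setdefault(classify(r), []).append((r.process, r.path))
    return summary


# Rows copied from this report's tables (the last one from the certificate-store table further down).
SAMPLE_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{65C92DD3-C1F6-4FB5-8B33-CA762B295461}\LocalServer32\ = "\"C:\\Program Files\\Fortinet\\FortiClient\\FortiScand.exe\"" FortiScand.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\FCCOMInt.EXE\AppID = "{8D7ECB73-3926-4D7A-A16E-71AC047522EB}" fccomint.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\forticlient\URL Protocol FortiClient.exe',
    r'Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates DrvInst.exe',
    r'Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2d msiexec.exe',
    r'Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A567BD6FA501A947AD1F646E53EEC14 msiexec.exe',
    r'Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom DrvInst.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\16B7611982622CB83C14D706377A150E7D553A99 FortiClientVPN.exe',
]

if __name__ == "__main__":
    for category, hits in sorted(triage(SAMPLE_ROWS).items()):
        print(category)
        for process, path in hits:
            print(f"    {process:<24} {path}")
```

The distinction the classifier draws for SystemCertificates is the one worth keeping in mind when reading the HKEY_USERS table: DrvInst.exe, MsiExec.exe and scheduler.exe creating ...\SystemCertificates\Root, \CA\CRLs, \TrustedPeople\Certificates and similar under .DEFAULT is CryptoAPI initialising empty per-user store containers, not a certificate being installed; a certificate arrives as a key named after its SHA-1 thumbprint with a Blob value, as in the table further down.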
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\F252E794FE438E35ACE6E53762C0A234A2C52135 FortiClientVPN.exe Set value (data) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\F252E794FE438E35ACE6E53762C0A234A2C52135\Blob = 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 FortiClientVPN.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 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 FortiClientVPNOnlineInstaller.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e19962000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f
74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14
d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e FortiClientVPNOnlineInstaller.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 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 FortiClientVPNOnlineInstaller.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\16B7611982622CB83C14D706377A150E7D553A99 FortiClientVPN.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\16B7611982622CB83C14D706377A150E7D553A99\Blob = 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 FortiClientVPN.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 FortiClientVPNOnlineInstaller.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 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 FortiClientVPNOnlineInstaller.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\16B7611982622CB83C14D706377A150E7D553A99\Blob = 
140000000100000014000000f2052f9f9fd5a5933c9c6d7192cc457a16d3b7b603000000010000001400000016b7611982622cb83c14d706377a150e7d553a990f00000001000000200000005702b6918ef882d88ed5f83baf8545f8f8f0e9eddf55899e2021316105acde022000000001000000d9030000308203d5308202bda003020102020900daf636b443d4a58b300d06092a864886f70d01010b05003081a0310b3009060355040613025553311330110603550408130a43616c69666f726e6961311230100603550407130953756e6e7976616c653111300f060355040a1308466f7274696e6574311e301c060355040b1315436572746966696361746520417574686f726974793110300e06035504031307737570706f72743123302106092a864886f70d0109011614737570706f727440666f7274696e65742e636f6d301e170d3135303731363232333433395a170d3338303131393232333433395a3081a0310b3009060355040613025553311330110603550408130a43616c69666f726e6961311230100603550407130953756e6e7976616c653111300f060355040a1308466f7274696e6574311e301c060355040b1315436572746966696361746520417574686f726974793110300e06035504031307737570706f72743123302106092a864886f70d0109011614737570706f727440666f7274696e65742e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100d43b5173d0351212c8c34e594148d13bc1b0a6d50f8321298b78bfebc3449dc666829aee041fa09fabe0cd78c56cd334ddba36b26d52eb58494983997fe6e6b6e8db8263b46771d45cca2fafb770328750357cc19088d034192da9a181b349edfbf455eae0b2e257c69f2eaf3149036e696eac47f57eaed653ace0da8233a0931ef569f88aa6646b9c5661504cc87d7e21342f6d08158d0ae7073f0b75cfd4f6b40b35cbbbab268edaf4a6bc178ac192893931834f874d23b6e2dbf4ab90013e07f33962a95fd6fa81a32dd7baf78528b91a128495b08318bb4c6dd29c95d6e8c4d0506799f13d13454b6e8b75ee5db81f23a1ce91c1d82ff5db31492d7b1d630203010001a310300e300c0603551d13040530030101ff300d06092a864886f70d01010b050003820101008717fb8dec674ab4cdb21a695e988c9a52b90bd1f1b90419413fddab416498dffb729eabb60977e9651f054f7989ad2af462676b16d25a95cee23ab8c13e6f94608811a89a8c92c9c7504546eedd314667926a3222f293f3ddd850694065e18c13f5975416801ec8f8c0885820e32f526ed5077c142bd4a366d9f4a86133f8e8f19968e7276f9c93aee965b44b97c80eb9107a3a414888
da7cb253b4f20e255c862ab87225b42ed109a74d40fcf7a9f62f5b89e9216e3dd38247e02500b73bdb45d0ece0c0afb332ae3ce202be6ea99ea8a7d4022a27ee1c3303eb555c8137936c221a210148d210bb65589475a90ec74f943db552c2affa8e9c41c4928cb887 FortiClientVPN.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\16B7611982622CB83C14D706377A150E7D553A99\Blob = 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 FortiClientVPN.exe -
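The two Blob values printed in full above are serialized CryptoAPI certificate contexts: a sequence of records, each a DWORD property id, a DWORD reserved field equal to 1, a DWORD length and that many bytes, with property 0x20 (CERT_CERT_PROP_ID) carrying the DER certificate and property 0x03 the SHA-1 thumbprint that the registry key is named after. The Python below is an added example, not part of the Triage report or of FortiClient. It parses that record format, walks the DER far enough to read issuer, subject and validity without any third-party library, and checks that the key name, the cached hash property and the SHA-1 of the actual certificate agree. The blob and key name are the ROOT store write by FortiClientVPN.exe copied from the table above; the property-id constants are the values from wincrypt.h. The same function applies unchanged to the AuthRoot blob written by FortiClientVPNOnlineInstaller.exe further up.

```python
"""Decode a CryptoAPI certificate Blob registry value and check the store key it was written under."""
import hashlib
import struct

# Property ids (wincrypt.h) that occur in this blob.
CERT_SHA1_HASH_PROP_ID, CERT_SIGNATURE_HASH_PROP_ID = 0x03, 0x0F
CERT_KEY_IDENTIFIER_PROP_ID, CERT_CERT_PROP_ID = 0x14, 0x20

# Key the report shows the Blob written under: HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\<this>
ROOT_KEY_THUMBPRINT = "16B7611982622CB83C14D706377A150E7D553A99"

# X.501 Name that is both issuer and subject of the certificate in the blob (copied from the report):
# C=US, ST=California, L=Sunnyvale, O=Fortinet, OU=Certificate Authority, CN=support, E=support@fortinet.com
_FORTINET_NAME = (
    "3081a0310b3009060355040613025553311330110603550408130a43616c69666f726e6961"
    "311230100603550407130953756e6e7976616c653111300f060355040a1308466f7274696e6574"
    "311e301c060355040b1315436572746966696361746520417574686f726974793110300e06035504031307737570706f7274"
    "3123302106092a864886f70d0109011614737570706f727440666f7274696e65742e636f6d"
)

# The Blob value exactly as the report prints it, split at property-record and DER field boundaries.
ROOT_BLOB_HEX = (
    "14000000" "01000000" "14000000" "f2052f9f9fd5a5933c9c6d7192cc457a16d3b7b6"                          # key identifier
    "03000000" "01000000" "14000000" "16b7611982622cb83c14d706377a150e7d553a99"                          # SHA-1 thumbprint
    "0f000000" "01000000" "20000000" "5702b6918ef882d88ed5f83baf8545f8f8f0e9eddf55899e2021316105acde02"  # signature hash
    "20000000" "01000000" "d9030000"                                                                    # DER cert, 0x3d9 bytes
    "308203d5" "308202bd" "a003020102" "020900daf636b443d4a58b" "300d06092a864886f70d01010b0500"
    + _FORTINET_NAME +                                                                                  # issuer
    "301e170d3135303731363232333433395a170d3338303131393232333433395a"                                  # validity
    + _FORTINET_NAME +                                                                                  # subject
    "30820122300d06092a864886f70d01010105000382010f003082010a0282010100"                                # RSA-2048 SPKI
    "d43b5173d0351212c8c34e594148d13bc1b0a6d50f8321298b78bfebc3449dc6" "66829aee041fa09fabe0cd78c56cd334ddba36b26d52eb58494983997fe6e6b6"
    "e8db8263b46771d45cca2fafb770328750357cc19088d034192da9a181b349ed" "fbf455eae0b2e257c69f2eaf3149036e696eac47f57eaed653ace0da8233a093"
    "1ef569f88aa6646b9c5661504cc87d7e21342f6d08158d0ae7073f0b75cfd4f6" "b40b35cbbbab268edaf4a6bc178ac192893931834f874d23b6e2dbf4ab90013e"
    "07f33962a95fd6fa81a32dd7baf78528b91a128495b08318bb4c6dd29c95d6e8" "c4d0506799f13d13454b6e8b75ee5db81f23a1ce91c1d82ff5db31492d7b1d63"
    "0203010001"
    "a310300e300c0603551d13040530030101ff"                                                              # basicConstraints CA=TRUE
    "300d06092a864886f70d01010b0500" "0382010100"                                                       # sha256WithRSA signature
    "8717fb8dec674ab4cdb21a695e988c9a52b90bd1f1b90419413fddab416498df" "fb729eabb60977e9651f054f7989ad2af462676b16d25a95cee23ab8c13e6f94"
    "608811a89a8c92c9c7504546eedd314667926a3222f293f3ddd850694065e18c" "13f5975416801ec8f8c0885820e32f526ed5077c142bd4a366d9f4a86133f8e8"
    "f19968e7276f9c93aee965b44b97c80eb9107a3a414888da7cb253b4f20e255c" "862ab87225b42ed109a74d40fcf7a9f62f5b89e9216e3dd38247e02500b73bdb"
    "45d0ece0c0afb332ae3ce202be6ea99ea8a7d4022a27ee1c3303eb555c813793" "6c221a210148d210bb65589475a90ec74f943db552c2affa8e9c41c4928cb887"
)


def parse_cert_blob(blob: bytes) -> dict:
    """Split a serialized certificate context into {property_id: data}.
    Each record is DWORD propid, DWORD reserved (always 1), DWORD length, then length bytes."""
    props, off = {}, 0
    while off < len(blob):
        if len(blob) - off < 12:
            raise ValueError(f"truncated property header at offset {off}")
        prop_id, reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1 or off + length > len(blob):
            raise ValueError(f"malformed property 0x{prop_id:02x} at offset {off - 12}")
        props[prop_id] = blob[off:off + length]
        off += length
    return props


def _tlv(buf: bytes, off: int):
    """Read one DER tag-length-value at off; returns (tag, value, offset after it)."""
    tag, first, off = buf[off], buf[off + 1], off + 2
    length = first
    if first & 0x80:                        # long form: low 7 bits give the length-of-length
        n = first & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length


def _children(body: bytes) -> list:
    out, off = [], 0
    while off < len(body):
        tag, val, off = _tlv(body, off)
        out.append((tag, val))
    return out


def _oid(raw: bytes) -> str:
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                       # base-128, high bit set on all but the last byte of an arc
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


_ATTR = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST",
         "2.5.4.10": "O", "2.5.4.11": "OU", "1.2.840.113549.1.9.1": "emailAddress"}


def _name(body: bytes) -> dict:
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue; the string values here are ASCII."""
    out = {}
    for _, rdn in _children(body):
        for _, atv in _children(rdn):
            (_, oid), (_, value) = _children(atv)
            out[_ATTR.get(_oid(oid), _oid(oid))] = value.decode("utf-8")
    return out


def describe_certificate(cert: bytes) -> dict:
    _, body, _ = _tlv(cert, 0)              # Certificate ::= SEQUENCE { tbsCertificate, sigAlg, signature }
    fields = _children(_children(body)[0][1])
    i = 1 if fields[0][0] == 0xA0 else 0    # skip the optional [0] EXPLICIT version
    issuer, validity, subject = fields[i + 2][1], fields[i + 3][1], fields[i + 4][1]
    not_before, not_after = (v.decode() for _, v in _children(validity))
    return {"issuer": _name(issuer), "subject": _name(subject), "self_signed": issuer == subject,
            "not_before": not_before, "not_after": not_after}


def inspect_store_write(key_thumbprint: str, blob_hex: str) -> dict:
    """Decode a Blob and report whether key name, cached hash and the DER itself agree on the thumbprint."""
    props = parse_cert_blob(bytes.fromhex(blob_hex))
    cert = props[CERT_CERT_PROP_ID]
    info = describe_certificate(cert)
    info["properties"] = sorted(props)
    info["computed_sha1"] = hashlib.sha1(cert).hexdigest()
    info["cached_sha1"] = props.get(CERT_SHA1_HASH_PROP_ID, b"").hex()
    # A store entry is only what its key name claims if all three agree; a blob written directly to the
    # registry under a familiar thumbprint, with a different certificate inside, fails here.
    info["thumbprint_consistent"] = info["computed_sha1"] == info["cached_sha1"] == key_thumbprint.lower()
    return info
```

For this blob the decode yields a self-signed CA certificate (basicConstraints CA=TRUE) for CN=support, O=Fortinet, valid from 2015-07-16 to 2038-01-19, and all three thumbprints agree, which is what a legitimately installed root looks like. When triaging a ROOT or AuthRoot write the check to run is this one plus a policy question: a root added to the machine store by an installer lets every certificate it signs pass Windows chain validation for every user of the box, so the subject and the process that wrote it belong in the findings even when the blob is well-formed.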
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2508 FortiClientVPNOnlineInstaller.exe 2508 FortiClientVPNOnlineInstaller.exe 3564 MsiExec.exe 3564 MsiExec.exe 2916 MsiExec.exe 2916 MsiExec.exe 2916 MsiExec.exe 2916 MsiExec.exe 2916 MsiExec.exe 2916 MsiExec.exe 2916 MsiExec.exe 2916 MsiExec.exe 2916 MsiExec.exe 2916 MsiExec.exe 3564 MsiExec.exe 3564 MsiExec.exe 3468 msiexec.exe 3468 msiexec.exe 3468 msiexec.exe 3468 msiexec.exe 3468 msiexec.exe 3468 msiexec.exe 3468 msiexec.exe 3468 msiexec.exe 3468 msiexec.exe 3468 msiexec.exe 3468 msiexec.exe 3468 msiexec.exe 3468 msiexec.exe 3468 msiexec.exe 3468 msiexec.exe 3468 msiexec.exe 1588 scheduler.exe 1588 scheduler.exe 1588 scheduler.exe 1588 scheduler.exe 1588 scheduler.exe 1588 scheduler.exe 1588 scheduler.exe 1588 scheduler.exe 1588 scheduler.exe 1588 scheduler.exe 1588 scheduler.exe 1588 scheduler.exe 1588 scheduler.exe 1588 scheduler.exe 1588 scheduler.exe 1588 scheduler.exe 1588 scheduler.exe 1588 scheduler.exe 1588 scheduler.exe 1588 scheduler.exe 1588 scheduler.exe 1588 scheduler.exe 1588 scheduler.exe 1588 scheduler.exe 1588 scheduler.exe 1588 scheduler.exe 1588 scheduler.exe 1588 scheduler.exe 1588 scheduler.exe 1588 scheduler.exe 1588 scheduler.exe 1588 scheduler.exe -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 664 Process not Found -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process
Token: SeShutdownPrivilege 3380 FortiClientVPN.exe
Token: SeIncreaseQuotaPrivilege 3380 FortiClientVPN.exe
Token: SeSecurityPrivilege 3468 msiexec.exe
Token: SeCreateTokenPrivilege 3380 FortiClientVPN.exe
Token: SeAssignPrimaryTokenPrivilege 3380 FortiClientVPN.exe
Token: SeLockMemoryPrivilege 3380 FortiClientVPN.exe
Token: SeIncreaseQuotaPrivilege 3380 FortiClientVPN.exe
Token: SeMachineAccountPrivilege 3380 FortiClientVPN.exe
Token: SeTcbPrivilege 3380 FortiClientVPN.exe
Token: SeSecurityPrivilege 3380 FortiClientVPN.exe
Token: SeTakeOwnershipPrivilege 3380 FortiClientVPN.exe
Token: SeLoadDriverPrivilege 3380 FortiClientVPN.exe
Token: SeSystemProfilePrivilege 3380 FortiClientVPN.exe
Token: SeSystemtimePrivilege 3380 FortiClientVPN.exe
Token: SeProfSingleProcessPrivilege 3380 FortiClientVPN.exe
Token: SeIncBasePriorityPrivilege 3380 FortiClientVPN.exe
Token: SeCreatePagefilePrivilege 3380 FortiClientVPN.exe
Token: SeCreatePermanentPrivilege 3380 FortiClientVPN.exe
Token: SeBackupPrivilege 3380 FortiClientVPN.exe
Token: SeRestorePrivilege 3380 FortiClientVPN.exe
Token: SeShutdownPrivilege 3380 FortiClientVPN.exe
Token: SeDebugPrivilege 3380 FortiClientVPN.exe
Token: SeAuditPrivilege 3380 FortiClientVPN.exe
Token: SeSystemEnvironmentPrivilege 3380 FortiClientVPN.exe
Token: SeChangeNotifyPrivilege 3380 FortiClientVPN.exe
Token: SeRemoteShutdownPrivilege 3380 FortiClientVPN.exe
Token: SeUndockPrivilege 3380 FortiClientVPN.exe
Token: SeSyncAgentPrivilege 3380 FortiClientVPN.exe
Token: SeEnableDelegationPrivilege 3380 FortiClientVPN.exe
Token: SeManageVolumePrivilege 3380 FortiClientVPN.exe
Token: SeImpersonatePrivilege 3380 FortiClientVPN.exe
Token: SeCreateGlobalPrivilege 3380 FortiClientVPN.exe
Token: SeCreateTokenPrivilege 3380 FortiClientVPN.exe
Token: SeAssignPrimaryTokenPrivilege 3380 FortiClientVPN.exe
Token: SeLockMemoryPrivilege 3380 FortiClientVPN.exe
Token: SeIncreaseQuotaPrivilege 3380 FortiClientVPN.exe
Token: SeMachineAccountPrivilege 3380 FortiClientVPN.exe
Token: SeTcbPrivilege 3380 FortiClientVPN.exe
Token: SeSecurityPrivilege 3380 FortiClientVPN.exe
Token: SeTakeOwnershipPrivilege 3380 FortiClientVPN.exe
Token: SeLoadDriverPrivilege 3380 FortiClientVPN.exe
Token: SeSystemProfilePrivilege 3380 FortiClientVPN.exe
Token: SeSystemtimePrivilege 3380 FortiClientVPN.exe
Token: SeProfSingleProcessPrivilege 3380 FortiClientVPN.exe
Token: SeIncBasePriorityPrivilege 3380 FortiClientVPN.exe
Token: SeCreatePagefilePrivilege 3380 FortiClientVPN.exe
Token: SeCreatePermanentPrivilege 3380 FortiClientVPN.exe
Token: SeBackupPrivilege 3380 FortiClientVPN.exe
Token: SeRestorePrivilege 3380 FortiClientVPN.exe
Token: SeShutdownPrivilege 3380 FortiClientVPN.exe
Token: SeDebugPrivilege 3380 FortiClientVPN.exe
Token: SeAuditPrivilege 3380 FortiClientVPN.exe
Token: SeSystemEnvironmentPrivilege 3380 FortiClientVPN.exe
Token: SeChangeNotifyPrivilege 3380 FortiClientVPN.exe
Token: SeRemoteShutdownPrivilege 3380 FortiClientVPN.exe
Token: SeUndockPrivilege 3380 FortiClientVPN.exe
Token: SeSyncAgentPrivilege 3380 FortiClientVPN.exe
Token: SeEnableDelegationPrivilege 3380 FortiClientVPN.exe
Token: SeManageVolumePrivilege 3380 FortiClientVPN.exe
Token: SeImpersonatePrivilege 3380 FortiClientVPN.exe
Token: SeCreateGlobalPrivilege 3380 FortiClientVPN.exe
Token: SeCreateTokenPrivilege 3380 FortiClientVPN.exe
Token: SeAssignPrimaryTokenPrivilege 3380 FortiClientVPN.exe
Token: SeLockMemoryPrivilege 3380 FortiClientVPN.exe
-
Suspicious use of FindShellTrayWindow 64 IoCs
Suspicious use of SendNotifyMessage 64 IoCs
Suspicious use of SetWindowsHookEx 54 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2508 wrote to memory of 3380 | 2508 | FortiClientVPNOnlineInstaller.exe | 92
PID 2508 wrote to memory of 3380 | 2508 | FortiClientVPNOnlineInstaller.exe | 92
PID 2508 wrote to memory of 3380 | 2508 | FortiClientVPNOnlineInstaller.exe | 92
PID 3468 wrote to memory of 4916 | 3468 | msiexec.exe | 95
PID 3468 wrote to memory of 4916 | 3468 | msiexec.exe | 95
PID 3468 wrote to memory of 3564 | 3468 | msiexec.exe | 96
PID 3468 wrote to memory of 3564 | 3468 | msiexec.exe | 96
PID 3468 wrote to memory of 2916 | 3468 | msiexec.exe | 97
PID 3468 wrote to memory of 2916 | 3468 | msiexec.exe | 97
PID 3224 wrote to memory of 3156 | 3224 | svchost.exe | 100
PID 3224 wrote to memory of 3156 | 3224 | svchost.exe | 100
PID 3224 wrote to memory of 832 | 3224 | svchost.exe | 101
PID 3224 wrote to memory of 832 | 3224 | svchost.exe | 101
PID 3224 wrote to memory of 3492 | 3224 | svchost.exe | 104
PID 3224 wrote to memory of 3492 | 3224 | svchost.exe | 104
PID 3224 wrote to memory of 2312 | 3224 | svchost.exe | 105
PID 3224 wrote to memory of 2312 | 3224 | svchost.exe | 105
PID 3224 wrote to memory of 4512 | 3224 | svchost.exe | 106
PID 3224 wrote to memory of 4512 | 3224 | svchost.exe | 106
PID 3380 wrote to memory of 2700 | 3380 | FortiClientVPN.exe | 108
PID 3380 wrote to memory of 2700 | 3380 | FortiClientVPN.exe | 108
PID 3380 wrote to memory of 2700 | 3380 | FortiClientVPN.exe | 108
PID 2700 wrote to memory of 1180 | 2700 | VC_redist.x64.exe | 109
PID 2700 wrote to memory of 1180 | 2700 | VC_redist.x64.exe | 109
PID 2700 wrote to memory of 1180 | 2700 | VC_redist.x64.exe | 109
PID 1180 wrote to memory of 3868 | 1180 | VC_redist.x64.exe | 110
PID 1180 wrote to memory of 3868 | 1180 | VC_redist.x64.exe | 110
PID 1180 wrote to memory of 3868 | 1180 | VC_redist.x64.exe | 110
PID 3868 wrote to memory of 4404 | 3868 | VC_redist.x64.exe | 116
PID 3868 wrote to memory of 4404 | 3868 | VC_redist.x64.exe | 116
PID 3868 wrote to memory of 4404 | 3868 | VC_redist.x64.exe | 116
PID 4404 wrote to memory of 992 | 4404 | VC_redist.x64.exe | 117
PID 4404 wrote to memory of 992 | 4404 | VC_redist.x64.exe | 117
PID 4404 wrote to memory of 992 | 4404 | VC_redist.x64.exe | 117
PID 992 wrote to memory of 4320 | 992 | VC_redist.x64.exe | 118
PID 992 wrote to memory of 4320 | 992 | VC_redist.x64.exe | 118
PID 992 wrote to memory of 4320 | 992 | VC_redist.x64.exe | 118
PID 1588 wrote to memory of 4540 | 1588 | scheduler.exe | 120
PID 1588 wrote to memory of 4540 | 1588 | scheduler.exe | 120
PID 1588 wrote to memory of 4540 | 1588 | scheduler.exe | 120
PID 4540 wrote to memory of 1796 | 4540 | VC_redist.x86.exe | 121
PID 4540 wrote to memory of 1796 | 4540 | VC_redist.x86.exe | 121
PID 4540 wrote to memory of 1796 | 4540 | VC_redist.x86.exe | 121
PID 1796 wrote to memory of 3204 | 1796 | VC_redist.x86.exe | 122
PID 1796 wrote to memory of 3204 | 1796 | VC_redist.x86.exe | 122
PID 1796 wrote to memory of 3204 | 1796 | VC_redist.x86.exe | 122
PID 3204 wrote to memory of 1164 | 3204 | VC_redist.x86.exe | 124
PID 3204 wrote to memory of 1164 | 3204 | VC_redist.x86.exe | 124
PID 3204 wrote to memory of 1164 | 3204 | VC_redist.x86.exe | 124
PID 1164 wrote to memory of 4580 | 1164 | VC_redist.x86.exe | 125
PID 1164 wrote to memory of 4580 | 1164 | VC_redist.x86.exe | 125
PID 1164 wrote to memory of 4580 | 1164 | VC_redist.x86.exe | 125
PID 4580 wrote to memory of 2132 | 4580 | VC_redist.x86.exe | 126
PID 4580 wrote to memory of 2132 | 4580 | VC_redist.x86.exe | 126
PID 4580 wrote to memory of 2132 | 4580 | VC_redist.x86.exe | 126
PID 1588 wrote to memory of 3160 | 1588 | scheduler.exe | 127
PID 1588 wrote to memory of 3160 | 1588 | scheduler.exe | 127
PID 1588 wrote to memory of 2376 | 1588 | scheduler.exe | 128
PID 1588 wrote to memory of 2376 | 1588 | scheduler.exe | 128
PID 1588 wrote to memory of 2364 | 1588 | scheduler.exe | 130
PID 1588 wrote to memory of 2364 | 1588 | scheduler.exe | 130
PID 1588 wrote to memory of 4700 | 1588 | scheduler.exe | 131
PID 1588 wrote to memory of 4700 | 1588 | scheduler.exe | 131
PID 1588 wrote to memory of 2340 | 1588 | scheduler.exe | 132
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
[Level 1] C:\Users\Admin\AppData\Local\Temp\FortiClientVPNOnlineInstaller.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\FortiClientVPNOnlineInstaller.exe"
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2508
[Level 2] C:\Users\Admin\AppData\Local\Temp\FortiClientVPN.exe
Command line: C:\Users\Admin\AppData\Local\Temp\FortiClientVPN.exe
- Enumerates connected drives
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID: 3380
[Level 3] C:\Program Files\Common Files\Fortinet\FortiClient\VC_redist.x64.exe
Command line: "C:\Program Files\Common Files\Fortinet\FortiClient\VC_redist.x64.exe" /install /quiet /norestart
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2700
[Level 4] C:\Windows\Temp\{465022D1-A9B1-4F13-86D1-F3C93A9CC557}\.cr\VC_redist.x64.exe
Command line: "C:\Windows\Temp\{465022D1-A9B1-4F13-86D1-F3C93A9CC557}\.cr\VC_redist.x64.exe" -burn.clean.room="C:\Program Files\Common Files\Fortinet\FortiClient\VC_redist.x64.exe" -burn.filehandle.attached=536 -burn.filehandle.self=188 /install /quiet /norestart
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 1180
[Level 5] C:\Windows\Temp\{9EC73601-D193-4EBF-A44D-E932F4AA55AD}\.be\VC_redist.x64.exe
Command line: "C:\Windows\Temp\{9EC73601-D193-4EBF-A44D-E932F4AA55AD}\.be\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{E415E60F-309F-4616-9B1D-2E1548EB819B} {D7EDE633-1973-4195-AAF1-769187A4353F} 1180
- Adds Run key to start application
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 3868
[Level 6] C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
Command line: "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={c649ede4-f16a-4486-a117-dcc2f2a35165} -burn.filehandle.self=988 -burn.embedded BurnPipe.{79DA5A9E-3E4B-4940-937B-DC3F6A58A0B9} {4D690BC8-2430-4149-9A86-4DC6EA98CA6D} 3868
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 4404
[Level 7] C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
Command line: "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.filehandle.attached=516 -burn.filehandle.self=536 -uninstall -quiet -burn.related.upgrade -burn.ancestors={c649ede4-f16a-4486-a117-dcc2f2a35165} -burn.filehandle.self=988 -burn.embedded BurnPipe.{79DA5A9E-3E4B-4940-937B-DC3F6A58A0B9} {4D690BC8-2430-4149-9A86-4DC6EA98CA6D} 3868
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 992
[Level 8] C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
Command line: "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{97F810B9-7970-4015-9A34-4534E8A1709D} {01BDAC55-63C7-4AD9-BA45-73FC11D587D5} 992
- System Location Discovery: System Language Discovery
PID: 4320
[Level 1] C:\Windows\system32\msiexec.exe
Command line: C:\Windows\system32\msiexec.exe /V
- Drops file in Drivers directory
- Checks for any installed AV software in registry
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 3468
[Level 2] C:\Windows\System32\MsiExec.exe
Command line: C:\Windows\System32\MsiExec.exe -Embedding E78E1383EFD186431C2B7F1C74426FB7 C
- Loads dropped DLL
PID: 4916
[Level 2] C:\Windows\System32\MsiExec.exe
Command line: C:\Windows\System32\MsiExec.exe -Embedding 665DF069438C38D1AD525CF37174E4B2
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID: 3564
[Level 2] C:\Windows\System32\MsiExec.exe
Command line: C:\Windows\System32\MsiExec.exe -Embedding E91435065266CCF2FEEDCE9E9C9B2661 E Global\MSI0000
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Windows directory
- Loads dropped DLL
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID: 2916
[Level 1] C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of WriteProcessMemory
PID: 3224
[Level 2] C:\Windows\system32\DrvInst.exe
Command line: DrvInst.exe "4" "1" "C:\Program Files\Common Files\Fortinet\FortiClient\7.4.0.1658\ftvnic\ft_vnic.inf" "9" "4877b642b" "000000000000014C" "WinSta0\Default" "000000000000015C" "208" "C:\Program Files\Common Files\Fortinet\FortiClient\7.4.0.1658\ftvnic"
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID: 3156
[Level 2] C:\Windows\system32\DrvInst.exe
Command line: DrvInst.exe "2" "201" "ROOT\NET\0000" "C:\Windows\INF\oem3.inf" "oem3.inf:3205552c47487a89:FTNT.ndi:2020.4.9.0:root\ftvnic_a," "41304937f" "0000000000000180"
- Drops file in Drivers directory
- Drops file in Windows directory
PID: 832
[Level 2] C:\Windows\system32\DrvInst.exe
Command line: DrvInst.exe "4" "1" "C:\Program Files\Common Files\Fortinet\FortiClient\7.4.0.1658\ftsvnic\ftsvnic.inf" "9" "40c6594a3" "0000000000000188" "WinSta0\Default" "0000000000000100" "208" "C:\Program Files\Common Files\Fortinet\FortiClient\7.4.0.1658\ftsvnic"
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID: 3492
[Level 2] C:\Windows\system32\DrvInst.exe
Command line: DrvInst.exe "2" "211" "ROOT\NET\0001" "C:\Windows\INF\oem4.inf" "oem4.inf:3205552cbf00c145:ftsvnic.ndi:17.47.11.597:root\ftsvnic," "4219b83e7" "0000000000000188"
- Drops file in Drivers directory
- Drops file in Windows directory
PID: 2312
[Level 2] C:\Windows\system32\DrvInst.exe
Command line: DrvInst.exe "4" "1" "C:\Program Files\Common Files\Fortinet\FortiClient\7.4.0.1658\FortiFilter\FortiFilter.inf" "9" "4a03a154b" "0000000000000188" "WinSta0\Default" "0000000000000180" "208" "C:\Program Files\Common Files\Fortinet\FortiClient\7.4.0.1658\FortiFilter"
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID: 4512
[Level 1] C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Checks SCSI registry key(s)
PID: 972
[Level 1] C:\Windows\system32\srtasks.exe
Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
PID: 3336
[Level 1] C:\Program Files\Fortinet\FortiClient\scheduler.exe
Command line: "C:\Program Files\Fortinet\FortiClient\scheduler.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 1588
[Level 2] C:\Program Files\Common Files\Fortinet\FortiClient\VC_redist.x86.exe
Command line: "C:\Program Files\Common Files\Fortinet\FortiClient\VC_redist.x86.exe" /install /quiet /norestart
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 4540
[Level 3] C:\Windows\Temp\{D8E77DB0-CA8D-4EC9-888B-3B78AE275037}\.cr\VC_redist.x86.exe
Command line: "C:\Windows\Temp\{D8E77DB0-CA8D-4EC9-888B-3B78AE275037}\.cr\VC_redist.x86.exe" -burn.clean.room="C:\Program Files\Common Files\Fortinet\FortiClient\VC_redist.x86.exe" -burn.filehandle.attached=540 -burn.filehandle.self=548 /install /quiet /norestart
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID: 1796
[Level 4] C:\Windows\Temp\{7D1DE30C-F62D-4FFD-B49D-CE2CBDFFECFF}\.be\VC_redist.x86.exe
Command line: "C:\Windows\Temp\{7D1DE30C-F62D-4FFD-B49D-CE2CBDFFECFF}\.be\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{BAAF3CC5-C544-44ED-A719-0E93787CE9BF} {FA22DD08-8E38-42E8-93F4-9708EC2970CE} 1796
- Adds Run key to start application
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 3204
[Level 5] C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
Command line: "C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={46c3b171-c15c-4137-8e1d-67eeb2985b44} -burn.filehandle.self=872 -burn.embedded BurnPipe.{97BA46D5-DC69-48CE-A602-76F0C90085F2} {B8296D34-7BCF-4760-9D09-29F65B7CFBF6} 3204
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 1164
[Level 6] C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
Command line: "C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -burn.clean.room="C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -burn.filehandle.attached=516 -burn.filehandle.self=536 -uninstall -quiet -burn.related.upgrade -burn.ancestors={46c3b171-c15c-4137-8e1d-67eeb2985b44} -burn.filehandle.self=872 -burn.embedded BurnPipe.{97BA46D5-DC69-48CE-A602-76F0C90085F2} {B8296D34-7BCF-4760-9D09-29F65B7CFBF6} 3204
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID: 4580
[Level 7] C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
Command line: "C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{5E6C4897-4BAD-4F19-90FB-8153B768277C} {D8E0F719-1DA3-48D0-BFC8-D12713D017E1} 4580
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 2132
[Level 2] C:\Program Files\Fortinet\FortiClient\FortiScand.exe
Command line: "C:\Program Files\Fortinet\FortiClient\FortiScand.exe" /regserver
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID: 3160
[Level 2] C:\Windows\System32\regsvr32.exe
Command line: "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files\Fortinet\FortiClient\fccomintdll.dll"
- Loads dropped DLL
- Modifies registry class
PID: 2376
[Level 2] C:\Program Files\Fortinet\FortiClient\fccomint.exe
Command line: "C:\Program Files\Fortinet\FortiClient\fccomint.exe" /regserver
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID: 2364
[Level 2] C:\Windows\System32\regsvr32.exe
Command line: "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files\Fortinet\FortiClient\FortiCliSh.Dll"
PID: 4700
[Level 2] C:\Program Files\Fortinet\FortiClient\FCDBLog.exe
Command line: FCDBLog.exe -s FC_{73EFB30F-1CAD-4a7a-AE2E-150282B6CE25}_000011
- Drops file in Drivers directory
- Drops file in Windows directory
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID: 2340
[Level 2] C:\Program Files\Fortinet\FortiClient\FortiTray.exe
Command line: -s FC_{73EFB30F-1CAD-4a7a-AE2E-150282B6CE25}_000008
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID: 2708
[Level 3] C:\Program Files\Fortinet\FortiClient\FortiClient.exe
Command line: "C:\Program Files\Fortinet\FortiClient\FortiClient.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID: 2700
[Level 4] C:\Program Files\Fortinet\FortiClient\FortiClient.exe
Command line: "C:\Program Files\Fortinet\FortiClient\FortiClient.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\FortiClient /prefetch:7 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\FortiClient\logs\trace --annotation=_productName=FortiClient --annotation=_version=7.0.0 --annotation=plat=Win64 --annotation=prod=Electron --annotation=ver=24.8.3 --initial-client-data=0x574,0x57c,0x580,0x578,0x584,0x7ff68d44dcb0,0x7ff68d44dcc0,0x7ff68d44dcd0
- Executes dropped EXE
PID: 1832
[Level 4] C:\Program Files\Fortinet\FortiClient\FortiClient.exe
Command line: "C:\Program Files\Fortinet\FortiClient\FortiClient.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Local\FortiClient" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1976 --field-trial-handle=1980,i,15813759548233160514,8913559000283413265,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
- Executes dropped EXE
PID: 3188
[Level 4] C:\Program Files\Fortinet\FortiClient\FortiElevate.exe
Command line: ./FortiElevate.exe
- Executes dropped EXE
PID: 1924
[Level 4] C:\Program Files\Fortinet\FortiClient\FortiClient.exe
Command line: "C:\Program Files\Fortinet\FortiClient\FortiClient.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\FortiClient" --mojo-platform-channel-handle=2164 --field-trial-handle=1980,i,15813759548233160514,8913559000283413265,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
- Executes dropped EXE
PID: 4064
[Level 4] C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /d /s /c "uname -v"
PID: 3900
[Level 4] C:\Program Files\Fortinet\FortiClient\FortiClient.exe
Command line: "C:\Program Files\Fortinet\FortiClient\FortiClient.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\FortiClient" --app-user-model-id=FortiClient --app-path="C:\Program Files\Fortinet\FortiClient\resources\app.asar" --no-sandbox --no-zygote --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2976 --field-trial-handle=1980,i,15813759548233160514,8913559000283413265,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
- Checks computer location settings
- Executes dropped EXE
PID: 5216
[Level 4] C:\Program Files\Fortinet\FortiClient\FortiElevate.exe
Command line: ./FortiElevate.exe -noschedulercheck
- Checks computer location settings
- Executes dropped EXE
PID: 4012
[Level 5] C:\Program Files\Fortinet\FortiClient\FortiClientSecurity.exe
Command line: "C:\Program Files\Fortinet\FortiClient\FortiClientSecurity.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID: 5912
[Level 2] C:\Program Files\Fortinet\FortiClient\FortiSSLVPNdaemon.exe
Command line: FortiSSLVPNdaemon.exe -s FC_{73EFB30F-1CAD-4a7a-AE2E-150282B6CE25}_000019
- Drops file in Program Files directory
- Executes dropped EXE
PID: 532
[Level 3] C:\Windows\System32\net.exe
Command line: "C:\Windows\System32\net.exe" start dnscache
PID: 180
[Level 4] C:\Windows\system32\net1.exe
Command line: C:\Windows\system32\net1 start dnscache
PID: 1796
[Level 2] C:\Program Files\Fortinet\FortiClient\FortiSettings.exe
Command line: FortiSettings.exe -s FC_{73EFB30F-1CAD-4a7a-AE2E-150282B6CE25}_000024
- Executes dropped EXE
PID: 4600
[Level 2] C:\Program Files\Fortinet\FortiClient\FortiVPN.exe
Command line: FortiVPN.exe -s FC_{73EFB30F-1CAD-4a7a-AE2E-150282B6CE25}_000031
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID: 1628
[Level 2] C:\Program Files\Fortinet\FortiClient\update_task.exe
Command line: update_task.exe -s FC_{73EFB30F-1CAD-4a7a-AE2E-150282B6CE25}_001000
- Checks computer location settings
- Drops file in Program Files directory
- Executes dropped EXE
PID: 4396
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution (1)
Registry Run Keys / Startup Folder (1)
Event Triggered Execution (1)
Component Object Model Hijacking (1)
Privilege Escalation
Boot or Logon Autostart Execution (1)
Registry Run Keys / Startup Folder (1)
Event Triggered Execution (1)
Component Object Model Hijacking (1)
Defense Evasion
Modify Registry (2)
Subvert Trust Controls (1)
Install Root Certificate (1)
Downloads
-
Filesize
161B
MD5d5692ef7fee7c1f543c8a3020591c9ba
SHA178559605b5eab69927324412265b502626f31968
SHA2569c1aa003ca789f6932a1a4efd6608efcd4dc29d0de97fb5e5ab9b7aa17496265
SHA5124c7a197492dd9d771147797bfdabc33bae84695bf8f0b11ff0cabbd215d299b423370a18245787cf92f2865b0da80bc206541408dddf7199091fdc43585211c8
-
Filesize
300B
MD5f54c180f622cb97b661237b8bdfd8f04
SHA149b49eb96b2dffa9feca86583eda91844a717ed2
SHA256142e50bbb254bf3dbe82d1e9f3fc3995298dae8d2265428d6733c5ed775d0a76
SHA512646f576f2554d8cc14058208862e1dfd95de92689fafbd6cac6cee6d8b5dabb527935d0c2c0c4a2e43e48a8245812c676fc4850316bdd26785a4207ad1e19076
-
Filesize
59B
MD52800881c775077e1c4b6e06bf4676de4
SHA12873631068c8b3b9495638c865915be822442c8b
SHA256226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974
SHA512e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b
-
Filesize
86B
MD5d11dedf80b85d8d9be3fec6bb292f64b
SHA1aab8783454819cd66ddf7871e887abdba138aef3
SHA2568029940de92ae596278912bbbd6387d65f4e849d3c136287a1233f525d189c67
SHA5126b7ec1ca5189124e0d136f561ca7f12a4653633e2d9452d290e658dfe545acf6600cc9496794757a43f95c91705e9549ef681d4cc9e035738b03a18bdc2e25f0
-
Filesize
931B
MD5e4722c39e345ded88c703067e948c880
SHA1de9739ed9f686e91063e94e21ad0536529e9d45a
SHA256adc9d294c390cce700750eaab7c838378ddeebd78169252095a383d03d238201
SHA5123137ab90642a2699fd41e2d0eefcd3868b85d853487ebf8c4285fa8360a17685144338997d93486b9fde8ee7d8eebcb3fe54c686b119ba8a550f7cfb3871747d
-
Filesize
1KB
MD58aadb0e3b10757ccc11743082419b2db
SHA159633f1a7db3c86f4bd489c6debb7b9f79e47b02
SHA256f2fb8d51da6f68a255db374bbd6c81cafa6697ac5afec05f1c358626383d8860
SHA51294f025ff830dbaa45ec0fec706f4f59b415b96866717207b095dc17cd4eec712bb2b5d270424314b3356f1b6f0982ca026c86c78621f24c1c4894a6b79e3a32f
-
Filesize
1KB
MD5c8524c2afcceabcce5d8a3110f39d4ef
SHA10f196a3063077bf3f7330d6c0a1621d276649d17
SHA256ff3cdc27c4423baf0e02ae247f7e2c9ec74e60cbb76dc7c3258ba33cf856cf02
SHA5122a216f2a6fa25b53694dbb0c6585008e85cd3e4bb130607ebc74c5f2a4ec295852be64380a9d7656e4785367c7fda0f961f8119cbc301bd92bd86e6095d1c144
-
Filesize
1KB
MD5391295189c665a8b55a65e16d3068f91
SHA1cfd26133d65700845a407ac676a842c4e06dee83
SHA2560ede44f84c973b14d669e239ffc1c46db6640ce0680ae0f6d07f54bca6b42699
SHA5122c096b49426dd567fa3a1b2ac02e79e0dd3d6871c9847bcd483ab6a176de1217f2f1bc5d41f5ec7b4cbcb56a5960a5e09d3bd7024f471a9825ea4838bc0299dd
-
Filesize
1KB
MD500031fc68ac8325fe8ad90e43f84dc5d
SHA15aeae92d7c60ff7e68459b4d4e268a5b6e9cac8e
SHA25627999d78c53c7f77a00eebdef48671a7b324a2d57408bc360c59218fdd5cfb97
SHA512f3f9fc27b476cea2ca93f590773d3f208bf22cd38a77057a4e871d8e340e62c9930c34019acb9e858f13afed6260ef6f6387c0192b38454ec3e748a581abe923
-
Filesize
2KB
MD5dcb4999673e37f0b300571182855ada4
SHA130319d24f1da43a284ae462547a5ec101dc18a91
SHA25684d167112229b1db812593f76bf5197245ec3d37cb2e6cde2833d28848da002d
SHA512bb0148990f7b05c388f41f7de3b84f2dbcbad497e32e8d6d81922134e4f217b574cc83a8cd7a7507034c73ef44656163af366f11795ecea0c8701dd8e3c681a1
-
Filesize
2KB
MD53c5aa38d1ec2907a44575c70481557a3
SHA163694976b688c2499875a955e6f0a53608a455f3
SHA256b2fc2d641900d4425b72a5205692d3b85f52f9437c214da3f117119c89f8f202
SHA5125237b74c7c39377ee6ae8c9b66d2b5af25c74a001131d7f2951f95a27c88a2891834b052b82972ab010917c5a035ae778f412e16de284347f16b262850dc7ee4
-
Filesize
2KB
MD5758a2faf4c57e1ef9d99ef5528563daa
SHA1e0b09a511243931d7bfbd78874faaa20d6551071
SHA2568b5285f79e9fde7be2360076312584ebfc83828005ac0b072f6d6b4a50d5e89a
SHA5120540bd9cbb92220e5e582398487076c5ac079c544758fcd25b3800c9761bca477228fe5adb3f1bbe992a08baa624c41c071229972c07b6e75d043d11f2d22aee
-
Filesize
2KB
MD5e94cd2f3ff87a03681b80d5706ed4c4d
SHA1f62ce8f9775e156045500952478cf043f7e53300
SHA256c007f0e14fdfd48cfd7f50207d545b73386e9359efc488a9a7f8bd32034c3ee8
SHA512a08bc18ce3ca0e87235eb513a76cd9dddaf759f52c820b0e2b4ff8c2e4fa2bc36a202388e4c187d37da64f237829fb16dc8be6c9c4fc3bc7121c14f344c8266e
-
Filesize
2KB
MD5aabcd6953eca92a4c2016bcedc2e8377
SHA17b3174b16f524fd958ca7aed84c5c1e09b6861bb
SHA256e2776a91595f8ccd2898f8a5a28fbb08f7d8c3f30d4e8a7c483830ca883bebe6
SHA512b5ae5c11ed162fbed9e82f69285ea8628b7c1a02bee018edb6d5babb0c9ed0b37c4cc06ff8a790f2ebf8ae0f59a0434872e6b6b3ec725aac7c97daff0d3f692f
-
Filesize
3KB
MD588c5196d72e905b3adc0802c778ae882
SHA191ba7aab028ede3e460e6977b647470a68839a8f
SHA256725585d559302ab5659c5d32a623efbb00ede9062eb0897f922523bb5f7070e4
SHA512390bd8372c5eeef8ec658c2750c34c1b179c32e9ce79a409013e34cc5d9c8bb26aeef6bd90af9e775d7e31ccd7c20d1f19a7528ce2c5025200cb08164cac7838
-
Filesize
3KB
MD57273ab477030e706564f836f66f38ebe
SHA1a222ade18e9080e9eba5bba0250d90a0b78b98f0
SHA25663ad61a6ff777362440f41890c8ddd7096ec2b423ba2e78610a5ed327e35ad7e
SHA512e62b21396d25b66ba7fa9ff1412364e318ac518af0666d1fc5dc7fef34fab6ea2cee2ba20979339139da7bd528a4afc0a54c8659759abe6d0b6fa795259ef74f
-
Filesize
3KB
MD5d89180e362ce3992af61dd165cf002e6
SHA15dcc5c30de662a5af384ce0633678870896b125b
SHA256a5b9dc41c9aac92783cec29d45a2e4c389a1804a0fdd534b07b195900bf27cf3
SHA512eeaec139fe96dd36132f8ee51422e73c505055ba181f6167bd4da2480918851395fdd76ddac6eba5f4ab9ce898373700aac4e2cf0229a85bff2965549bd23ead
-
Filesize
4KB
MD576dd1974dda31c2b4456be98f457b05d
SHA14a1ad8cb46be227e9a988168e0d9a6ceda895dbd
SHA25660799ae06d370c688db7d2acb06fe928c33934f2eff87f60ec665f7c9dc38a9f
SHA5125e581722f7d14e0a2272cbeb87f40a8bec25b489276d1227f8b52d0c95dc55b71f3ce79074f7d7288467521020f14d86ae28643858449bfa65ad7e6e1a09958a
-
Filesize
99KB
MD5a419e4b73e2a2b332bfd785450f73beb
SHA181fcab42c0c9435c65dffb3c22745962e945f3d6
SHA256879cb95cd4228f0f8c4e0db169cd8310c3fd269b0785e97d679c5c9070d4109f
SHA512fa873d8aaf21453dc7f0e1b7e371bc90e4d96a4a7541822cb9a2337a1b4bef8d30242f781634e0fa4d08e15fa2d96aab636df31c6c6b2caa55c2ec6a3b3dc132
-
Filesize
858B
MD55c71123f8298af18c9ba7402144250cb
SHA1f411f30349eb78d2e574e10e52d12b1ca3a104f1
SHA256445a680d42ce62c083bddfcfd06ce478e5330a76db115bd2ac8ad5824fef6dfc
SHA5128275cdea281ba6711a114232913dfe23c8c0646a785a0039e6daa57c60514e31b0de67b8b09924611ae8a86586ea11f9b6f36a63bb326c65790ff5b48e118c98
-
Filesize
1KB
MD5f20f0d5e4835a9f7ae3c3d333475e00c
SHA122f13fd36829ab39e97aba27520e9c0df050d87b
SHA256e3efc64a02281421573f4b0747018bd3f749ee30c684d98332e905fb3c6d84f2
SHA512d8148a6ed6443b6a7df150db5ca371816c2cf940a140bcfd4ea218a3a83a84a679baefa8035e83f63c8e6cb3e1628a644ea641e80d8fe8cdbd76a15252b0a481
-
Filesize
4KB
MD593266ab1c134245b8c5e4902ebfccbd8
SHA146d664724bf5ec73245425abdd599f6c65e5e10b
SHA25683eba83a09641033927edecbe5acd41e9ee608718c9c6a3bf64f78ba5a097a1a
SHA512da32c0d6549f50964b1dadfd8e5eea48b2810fb3ca542eefeb1508f51cea53f6a8a1d8e886efa85a0323c560ae5b0d33054d07d653f077804cd8c3889068e7ed
-
Filesize
7.7MB
MD532efbffda3376ee49d78baff6bce3cc5
SHA1fb1195e34a9034309d8bf4608b65e205cac0b930
SHA256f64e2cad4cdcc53694ca3dbd78b941039064d31ea5892d4ded3a533f0fed627a
SHA512af22120bb60d0e2394c83059b5d2e68afb40c0fd02e613515257bc80dd3cf55c6792df5325cb87ad2046724b24303e6c9e1a3c9eb2219bd776826e03bc738920
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
Filesize
194KB
MD5b537f8be77054e0d7f4ee4e0e84efba3
SHA18e4bdc51e1786b51b3ca33ad3da9b5607d974a04
SHA256f8c84d0bc07b625c4749617d70af9e8f371a84e77944284f4b555c88edff2f5f
SHA51238dcd3810c250381ae3ce33e6e5df048024c63f953c7478e4470bf53d884bc9d2034cb356df517dad14a48d2fa98f56dea52c327f9bf7da11b92440f77553884
-
Filesize
188KB
MD5e312d6be7dee2b8f3737e0a1bc92e3aa
SHA172487572a3f8b8eff93489997c8a5041ea7a6867
SHA256d48c8e848a219bceb638b2505132756cb908703fe75dee78bdf475435420dc49
SHA512b39a0c18aa242887e3f9ae3d49bc9d6765ce15097718964cccd86b824d13481cbd53175105db29d17e3a08f74fe4d20dfb3f9989eca5276c3f5fbb255b80f8ae
-
Filesize
2KB
MD5e584cf96d29072269f06f647e43642de
SHA126fd25b27b3663334ca4d3dd1d5be99abda629b0
SHA25641533b1919e8f746d7a6af79354cc879e212493536c9a0d348924362a14d906f
SHA5121b6439f5d67bfaf6a2e55ebb923255b80343f1eebfc9fbe021ae5cf945a3971c59d62760656edbb9875241b244cd8dc6aed9d3b9784e4a9e642a3e6c1bee18df
-
Filesize
34KB
MD540aee08dee292af27e5745f34d725987
SHA106e03b5a11af53f70ec4100256d79fed85414050
SHA256e59576ee6038c0ccedf558aee5b34026ea51d22b633cf28509504da58d0e970b
SHA512e929bbdedaa47d34b0a58e0b33b1a242badd7d6f55df6d201f96f3c707f4859c21c719fd7fa5b3de077d36ce8a9932ce77dfd22a1014b709b3f699f9ccdc20a0
-
Filesize
9KB
MD5e0441351e09812bbbe2b3983d576b5cc
SHA11872004e5e519245be2bf36204139b431015afce
SHA25620a578f3f08cdc8010a0555847fc4eaabd31967ec98d6faf2ebc95a396f8dff7
SHA512a82e53107a936c70d08d45862b8756d026d6b0b32da9b358da00e608c9594fe84c920d6754de42ca7fcd1aa7b85c5e0be62db141a587aee01a3bf6b763c6f88c
-
Filesize
10KB
MD5a2ed1b4f7127e0f187da8a87b7d0d8d0
SHA1c0f98772368cefff745a76fee603e4fb85a694c1
SHA256ab6b2f1c8a86f678ce8c50ad0c632688ba4893e6b649a64982b29775de65418d
SHA512117a070b1b268af24ebdf8add2acea9af9b8b5f0574c42a02e534dec0c0609660b54d473a6d6aa3aeabdf0ad0a59527e6ebd1a991af30eb662a5c394b6d4539d
-
Filesize
1KB
MD5db82a0ee5b7132673c09364e75949de6
SHA12c64d5ede718617a85c7a17586628700e2c0cb5d
SHA256e379ca032e51e0e89839d1185edcf4ebff74b7038023a22de2187fedd22ef59b
SHA51276b580032ad518db42da9c5eda90fae654901f970fdfc8dd8e9027487a87d3e3c5398d809d03ec96f779cc179f8affb23780b5f47542e631287d1eb1512c9129
-
Filesize
82KB
MD5c059171f62f95827c40d5e843c941b32
SHA1c2c12b7b11fa35ce34969cffa45cbd22248c74d7
SHA2561e77d0f6119f6fa3e9d96f95e1b7f4daf82a11f200dbbd5c1327590629ebea75
SHA512f462e2d923cb679f6486a839048f16f03b7edae474402f0d08fac60fdad711304306beae4f5f712c01dcafd66dd4c1ad2ebeae47df67e524d0368e3cfba634ff
-
Filesize
12KB
MD5aa00403322652fe26ef34572d2ea186d
SHA1dc0ae42798444f02c70c34f12eeca250132ef8a4
SHA256621ddfb13ffd5a5a5feeda7e908254deb4fcc103d40b46cbab241235f426c63b
SHA512dd99212f70e0f39c19accdc919e1a50b4f85d7938edffe507bcf6189564c9715c31d3088e9162c5f076afcb7a4b5abfc528064a59f72f1f6531c461325ba9a63
-
Filesize
10KB
MD5a6191a0e5a044e30002d5d74ca602adb
SHA15d507cdeee986d87103a0fd925cadaafe7b656c8
SHA256f15da3512d52b22426156325072a0319926e36c2dbe116bd8cb73ba47ff9cd03
SHA5126374aa45457522a1e6994aebb0be2c36b08c671bd6de4678b8d3cc2cac58d82212f0b30f16d2c7c108f6d2110a95538ec58e8ef4fc7d48f8c2927113135082aa
-
Filesize
68KB
MD55a34b28f7615607bff85a909f6b19a01
SHA1f2fba45f0944ad5f9687b04e442608c0d0055a37
SHA256c3ee9bdd89c8993f3e7f8f64abda1b1a68bb0501a56f06d1c4b339bf6a5fc039
SHA5122b86f3513f5fcc52efb4f389c774fdd7d4355d0d8f9d0c10f0d8eaae6d913124d3cab2eaa3000cdbaf3d116b4cc86f8bbc5245a7b04e59c482006348f9dff3e5
-
Filesize
19KB
MD55a5f11296aeb01756d9787db6c547d63
SHA1317be4f63d5ab3a3f37daf8abafe6bd459610a00
SHA2563a380f89c50e52be430c82c652b712beadf142fdf0757cb8440309056c98ec5f
SHA5123c6e42acf043a0158e7b7e4b16dd5ba3915e2c863194a205eaa196549d4dac24583a26d26467038b35bfb4275fa3fb0b8453a138a679270e5b02361e2d6d1088
-
Filesize
191KB
MD5eab9caf4277829abdf6223ec1efa0edd
SHA174862ecf349a9bedd32699f2a7a4e00b4727543d
SHA256a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041
SHA51245b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2
-
Filesize
9KB
MD504b33f0a9081c10e85d0e495a1294f83
SHA11efe2fb2d014a731b752672745f9ffecdd716412
SHA2568099dc3cf9502c335da829e5c755948a12e3e6de490eb492a99deb673d883d8b
SHA512d1dbed00df921169dd61501e2a3e95e6d7807348b188be9dd8fc63423501e4d848ece19ac466c3cacfccc6084e0eb2f457dc957990f6f511df10fd426e432685
-
Filesize
2KB
MD5fbfcbc4dacc566a3c426f43ce10907b6
SHA163c45f9a771161740e100faf710f30eed017d723
SHA25670400f181d00e1769774ff36bcd8b1ab5fbc431418067d31b876d18cc04ef4ce
SHA512063fb6685ee8d2fa57863a74d66a83c819fe848ba3072b6e7d1b4fe397a9b24a1037183bb2fda776033c0936be83888a6456aae947e240521e2ab75d984ee35e
-
Filesize
8KB
MD5f62729c6d2540015e072514226c121c7
SHA1c1e189d693f41ac2eafcc363f7890fc0fea6979c
SHA256f13bae0ec08c91b4a315bb2d86ee48fade597e7a5440dce6f751f98a3a4d6916
SHA512cbbfbfa7e013a2b85b78d71d32fdf65323534816978e7544ca6cea5286a0f6e8e7e5ffc4c538200211f11b94373d5658732d5d8aa1d01f9ccfdbf20f154f1471
-
Filesize
634KB
MD57bd0b2d204d75012d3a9a9ce107c379e
SHA141edd6321965d48e11ecded3852eb32e3c13848d
SHA256d4c6f5c74bbb45c4f33d9cb7ddce47226ea0a5ab90b8ff3f420b63a55c3f6dd2
SHA512d85ac030ebb3ba4412e69b5693406fe87e46696ca2a926ef75b6f6438e16b0c7ed1342363098530cdceb4db8e50614f33f972f7995e4222313fcef036887d0f0
-
Filesize
1KB
MD5d6bd210f227442b3362493d046cea233
SHA1ff286ac8370fc655aea0ef35e9cf0bfcb6d698de
SHA256335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef
SHA512464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b
-
Filesize
635KB
MD5b73be38096eddc4d427fbbfdd8cf15bd
SHA1534f605fd43cc7089e448e5fa1b1a2d56de14779
SHA256ab1164dcaf6c7d7d4905881f332a7b6f854be46e36b860c44d9eedc96ab6607a
SHA5125af779926d344bc7c4140725f90cddad5eb778f5ca4856d5a31a6084424964d205638815eab4454e0ea34ea56fafca19fadd1eb2779dc6b7f277e4e4ce4b1603