File name: openvpn-connect-3.7.3.4351_signed.msi

Full analysis: https://app.any.run/tasks/2fdbcf04-6191-4f03-8226-357f49b95e1b
Verdict: Malicious activity (automated, signature-based; see the caveat below)
Threats: Stealer

Stealers are a group of malicious programs intended to gain unauthorized access to users' information and transfer it to the attacker. The category covers programs that target a particular kind of data, such as files, passwords, or cryptocurrency wallets; many also spy on their targets by recording keystrokes and taking screenshots. Stealers are primarily distributed through phishing campaigns.

Caveat on the verdict: the "stealer" classification rests on the generic behavioural signature "Actions looks like stealing of personal data", which in this run fired on msiexec.exe, on csrss.exe (a core Windows process), and on the installed OpenVPN Connect binaries themselves (tapinstall.exe, agent_ovpnconnect.exe, ovpnhelper_service.exe, OpenVPNConnect.exe), plus "Changes the autorun value in the registry" for OpenVPNConnect.exe. Installing TAP/DCO drivers, registering services and adding an autorun entry are what a VPN client installer is expected to do; no malware configuration was extracted; every network destination recorded below is whitelisted PKI (crl.microsoft.com, ocsp.digicert.com), Microsoft telemetry/activation, OpenVPN update or connectivity-check infrastructure; and the IDS alerts are browser-side (six informational analytics/CDN hits from msedge.exe and four unattributed web-content heuristics). Treat the verdict as a candidate false positive until checked: verify the MSI's Authenticode signature (the package metadata names OpenVPN Inc. as author, and msiexec's three OCSP queries to ocsp.digicert.com below show a DigiCert chain being validated) and compare the SHA256 with a copy obtained directly from the vendor. A missing or invalid signature, or a hash mismatch, would be the evidence of tampering that this behavioural report alone does not provide.

Analysis date: July 25, 2025, 00:46:52
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: generated-doc, stealer, auto-reg, phishing
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: OpenVPN Connect, Author: OpenVPN Inc., Keywords: Installer, Comments: Windows Installer Package, Template: x64;1033, Revision Number: {73668B4E-338B-4605-8B4F-7EF56A5EF52E}, Create Time/Date: Thu Jul 10 08:47:12 2025, Last Saved Time/Date: Thu Jul 10 08:47:12 2025, Number of Pages: 500, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.14.1.8722), Security: 2
MD5: 9C40A8A0F941A2A237572F522BCAB5D6
SHA1: 682BBDE65F31C0C3D764CB290D30EAF988A63878
SHA256: 239EA016DE7BD6BBCBB06727C9B0DF5929F26D566EC53C09991C32D59EBADFC8
SSDEEP: 1572864:7lYmxALMGffjMo/pIFyFoZVKw61bQ7FWUzA7Ef0cGz8zjq:zxeffQoSM+DKw61bQ7FWUU7Ef0cGo

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Actions looks like stealing of personal data

      • msiexec.exe (PID: 1324)
      • msiexec.exe (PID: 5904)
      • tapinstall.exe (PID: 1044)
      • tapinstall.exe (PID: 1948)
      • tapinstall.exe (PID: 6364)
      • agent_ovpnconnect.exe (PID: 5928)
      • csrss.exe (PID: 608)
      • ovpnhelper_service.exe (PID: 1580)
      • ovpnhelper_service.exe (PID: 4676)
      • agent_ovpnconnect.exe (PID: 984)
      • OpenVPNConnect.exe (PID: 3556)
      • OpenVPNConnect.exe (PID: 4164)
      • OpenVPNConnect.exe (PID: 7076)
      • OpenVPNConnect.exe (PID: 4384)
      • OpenVPNConnect.exe (PID: 1244)
      • OpenVPNConnect.exe (PID: 5684)
      • OpenVPNConnect.exe (PID: 7256)
      • OpenVPNConnect.exe (PID: 7468)
      • OpenVPNConnect.exe (PID: 7616)
      • OpenVPNConnect.exe (PID: 7624)
    • Changes the autorun value in the registry

      • OpenVPNConnect.exe (PID: 4384)
  • SUSPICIOUS

    • Executes as Windows Service

      • VSSVC.exe (PID: 5084)
      • agent_ovpnconnect.exe (PID: 984)
      • ovpnhelper_service.exe (PID: 1580)
    • Application launched itself

      • msiexec.exe (PID: 5904)
      • OpenVPNConnect.exe (PID: 3556)
      • OpenVPNConnect.exe (PID: 4384)
      • OpenVPNConnect.exe (PID: 7468)
    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 5904)
    • Drops a system driver (possible attempt to evade defenses)

      • msiexec.exe (PID: 5904)
      • drvinst.exe (PID: 3460)
      • drvinst.exe (PID: 4708)
      • drvinst.exe (PID: 1660)
    • Process drops legitimate windows executable

      • msiexec.exe (PID: 5904)
    • Creates files in the driver directory

      • drvinst.exe (PID: 3460)
      • tapinstall.exe (PID: 6364)
      • drvinst.exe (PID: 4708)
      • drvinst.exe (PID: 1660)
      • msiexec.exe (PID: 5724)
    • Executable content was dropped or overwritten

      • drvinst.exe (PID: 3460)
      • drvinst.exe (PID: 4708)
      • drvinst.exe (PID: 1660)
    • Creates or modifies Windows services

      • drvinst.exe (PID: 1660)
      • drvinst.exe (PID: 1560)
    • Suspicious use of NETSH.EXE

      • msiexec.exe (PID: 5724)
    • Reads security settings of Internet Explorer

      • OpenVPNConnect.exe (PID: 4384)
  • INFO

    • Creates files or folders in the user directory

      • msiexec.exe (PID: 1324)
      • OpenVPNConnect.exe (PID: 3556)
      • OpenVPNConnect.exe (PID: 4384)
      • OpenVPNConnect.exe (PID: 1244)
    • Checks supported languages

      • msiexec.exe (PID: 6940)
      • msiexec.exe (PID: 5904)
      • msiexec.exe (PID: 5496)
      • msiexec.exe (PID: 5724)
      • drvinst.exe (PID: 3460)
      • tapinstall.exe (PID: 1948)
      • tapinstall.exe (PID: 1044)
      • tapinstall.exe (PID: 6364)
      • drvinst.exe (PID: 4708)
      • drvinst.exe (PID: 1660)
      • drvinst.exe (PID: 1560)
      • agent_ovpnconnect.exe (PID: 5928)
      • agent_ovpnconnect.exe (PID: 984)
      • ovpnhelper_service.exe (PID: 4676)
      • ovpnhelper_service.exe (PID: 1580)
      • OpenVPNConnect.exe (PID: 3556)
      • OpenVPNConnect.exe (PID: 4384)
      • OpenVPNConnect.exe (PID: 4164)
      • OpenVPNConnect.exe (PID: 7076)
      • OpenVPNConnect.exe (PID: 1244)
      • OpenVPNConnect.exe (PID: 7256)
      • OpenVPNConnect.exe (PID: 5684)
      • OpenVPNConnect.exe (PID: 7616)
      • OpenVPNConnect.exe (PID: 7468)
      • OpenVPNConnect.exe (PID: 7624)
      • identity_helper.exe (PID: 5652)
    • Reads the software policy settings

      • msiexec.exe (PID: 1324)
      • msiexec.exe (PID: 5904)
      • drvinst.exe (PID: 3460)
      • tapinstall.exe (PID: 6364)
      • drvinst.exe (PID: 4708)
      • slui.exe (PID: 2848)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 1324)
      • msiexec.exe (PID: 5904)
    • Reads the computer name

      • msiexec.exe (PID: 5904)
      • msiexec.exe (PID: 6940)
      • msiexec.exe (PID: 5496)
      • drvinst.exe (PID: 3460)
      • msiexec.exe (PID: 5724)
      • tapinstall.exe (PID: 6364)
      • drvinst.exe (PID: 4708)
      • drvinst.exe (PID: 1660)
      • drvinst.exe (PID: 1560)
      • agent_ovpnconnect.exe (PID: 984)
      • agent_ovpnconnect.exe (PID: 5928)
      • ovpnhelper_service.exe (PID: 4676)
      • ovpnhelper_service.exe (PID: 1580)
      • OpenVPNConnect.exe (PID: 3556)
      • OpenVPNConnect.exe (PID: 4164)
      • OpenVPNConnect.exe (PID: 7076)
      • OpenVPNConnect.exe (PID: 4384)
      • OpenVPNConnect.exe (PID: 5684)
      • OpenVPNConnect.exe (PID: 1244)
      • OpenVPNConnect.exe (PID: 7468)
      • OpenVPNConnect.exe (PID: 7616)
      • OpenVPNConnect.exe (PID: 7624)
      • identity_helper.exe (PID: 5652)
    • An automatically generated document

      • msiexec.exe (PID: 1324)
    • Reads security settings of Internet Explorer

      • msiexec.exe (PID: 1324)
    • Checks proxy server information

      • msiexec.exe (PID: 1324)
      • OpenVPNConnect.exe (PID: 3556)
      • OpenVPNConnect.exe (PID: 4384)
      • OpenVPNConnect.exe (PID: 7468)
      • slui.exe (PID: 2848)
    • Reads the machine GUID from the registry

      • msiexec.exe (PID: 5904)
      • drvinst.exe (PID: 3460)
      • tapinstall.exe (PID: 6364)
      • drvinst.exe (PID: 4708)
      • OpenVPNConnect.exe (PID: 3556)
      • OpenVPNConnect.exe (PID: 4384)
      • OpenVPNConnect.exe (PID: 7468)
    • Manages system restore points

      • SrTasks.exe (PID: 6808)
    • The sample compiled with english language support

      • msiexec.exe (PID: 5904)
      • drvinst.exe (PID: 3460)
      • drvinst.exe (PID: 4708)
      • drvinst.exe (PID: 1660)
    • Disables trace logs

      • netsh.exe (PID: 2588)
    • Creates files in the program directory

      • agent_ovpnconnect.exe (PID: 984)
      • ovpnhelper_service.exe (PID: 1580)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 5904)
    • Create files in a temporary directory

      • OpenVPNConnect.exe (PID: 3556)
      • OpenVPNConnect.exe (PID: 4384)
    • Reads product name

      • OpenVPNConnect.exe (PID: 3556)
      • OpenVPNConnect.exe (PID: 4384)
      • OpenVPNConnect.exe (PID: 7468)
      • OpenVPNConnect.exe (PID: 7256)
    • Reads Environment values

      • OpenVPNConnect.exe (PID: 3556)
      • OpenVPNConnect.exe (PID: 4384)
      • OpenVPNConnect.exe (PID: 7256)
      • OpenVPNConnect.exe (PID: 7468)
      • identity_helper.exe (PID: 5652)
    • Process checks computer location settings

      • OpenVPNConnect.exe (PID: 4384)
      • OpenVPNConnect.exe (PID: 7256)
    • Manual execution by a user

      • OpenVPNConnect.exe (PID: 7468)
    • Application launched itself

      • msedge.exe (PID: 7828)
    • Launching a file from a Registry key

      • OpenVPNConnect.exe (PID: 4384)
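The signature tree above is organised by signature, so a single generic heuristic that fires on twenty PIDs of the same product reads as twenty findings. Rolling it up per process shows what actually drives the verdict. The following parser is an added example (not ANY.RUN code); its input is an excerpt of the tree above in the same layout, and the function names (profile_processes, triage_order, distinct_malicious_signatures) are this example's own.

```python
import re
from collections import defaultdict

# Excerpt of the signature tree above, same layout, fewer lines; used as sample input.
SAMPLE_TREE = """\
  • MALICIOUS

    • Actions looks like stealing of personal data

      • msiexec.exe (PID: 5904)
      • agent_ovpnconnect.exe (PID: 984)
      • OpenVPNConnect.exe (PID: 4384)
    • Changes the autorun value in the registry

      • OpenVPNConnect.exe (PID: 4384)
  • SUSPICIOUS

    • Executes as Windows Service

      • VSSVC.exe (PID: 5084)
      • agent_ovpnconnect.exe (PID: 984)
    • Drops a system driver (possible attempt to evade defenses)

      • msiexec.exe (PID: 5904)
      • drvinst.exe (PID: 3460)
  • INFO

    • Creates a software uninstall entry

      • msiexec.exe (PID: 5904)
    • Launching a file from a Registry key

      • OpenVPNConnect.exe (PID: 4384)
"""

SEVERITIES = ("MALICIOUS", "SUSPICIOUS", "INFO")
_BULLET = re.compile(r"^\s*[•\-*]\s*(.*\S)\s*$")
_PROCESS = re.compile(r"^(?P<name>.+?) \(PID: (?P<pid>\d+)\)$")


def profile_processes(tree_text):
    """Roll the signature tree up per PID.

    Returns {pid: {"name": str, "MALICIOUS": [...], "SUSPICIOUS": [...], "INFO": [...]}}.
    Lines are classified by content rather than indentation, so a reflowed copy still parses:
    a bare severity word opens a severity block, 'name (PID: n)' is a process hit, and any
    other bullet is a signature title that applies to the process lines that follow it.
    """
    profiles = defaultdict(lambda: {"name": None, "MALICIOUS": [], "SUSPICIOUS": [], "INFO": []})
    severity = signature = None
    for line in tree_text.splitlines():
        m = _BULLET.match(line)
        if not m:
            continue  # blank line or non-bullet text
        text = m.group(1)
        if text in SEVERITIES:
            severity, signature = text, None
        elif (pm := _PROCESS.match(text)) and severity and signature:
            rec = profiles[int(pm.group("pid"))]
            rec["name"] = pm.group("name")
            if signature not in rec[severity]:
                rec[severity].append(signature)
        else:
            signature = text
    return dict(profiles)


def triage_order(profiles):
    """Processes ordered by how much of the verdict they carry: most MALICIOUS hits first,
    then SUSPICIOUS hits, then PID for a stable order. Items: (pid, name, n_malicious, n_suspicious)."""
    rows = [(pid, r["name"], len(r["MALICIOUS"]), len(r["SUSPICIOUS"])) for pid, r in profiles.items()]
    return sorted(rows, key=lambda r: (-r[2], -r[3], r[0]))


def distinct_malicious_signatures(profiles):
    """Titles behind every MALICIOUS hit. A short list spread over many PIDs means the verdict
    rests on a few generic heuristics, not on many independent findings."""
    return sorted({s for r in profiles.values() for s in r["MALICIOUS"]})


if __name__ == "__main__":
    profiles = profile_processes(SAMPLE_TREE)
    for pid, name, n_mal, n_susp in triage_order(profiles):
        print(f"{pid:>5} {name:<24} malicious={n_mal} suspicious={n_susp}")
    print("distinct MALICIOUS signatures:", distinct_malicious_signatures(profiles))
```

Run against the full tree, the same rollup puts OpenVPNConnect.exe (PID 4384) first with two MALICIOUS hits, and only two distinct MALICIOUS signature titles account for all 25 "malicious processes" counted in the report.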
Signature artifacts and the mapping to the MITRE ATT&CK matrix are in the full report.
Malware configuration: none extracted.

TRiD

.msi | Microsoft Windows Installer (98.5)
.msi | Microsoft Installer (100)

EXIF

FlashPix

CodePage: Windows Latin 1 (Western European)
Title: Installation Database
Subject: OpenVPN Connect
Author: OpenVPN Inc.
Keywords: Installer
Comments: Windows Installer Package
Template: x64;1033
RevisionNumber: {73668B4E-338B-4605-8B4F-7EF56A5EF52E}
CreateDate: 2025:07:10 08:47:12
ModifyDate: 2025:07:10 08:47:12
Pages: 500
Words: 2
Software: Windows Installer XML Toolset (3.14.1.8722)
Security: Read-only recommended
Total processes: 191; monitored: 64; malicious: 25; suspicious: 0

Behavior graph (interactive in the full report; "no specs" nodes have no per-process detail captured). Monitored processes in launch order: msiexec.exe ×5, VSSVC.exe, SrTasks.exe, conhost.exe ×7, drvinst.exe ×4, tapinstall.exe ×3, slui.exe, netsh.exe, agent_ovpnconnect.exe ×2, ovpnhelper_service.exe ×2, OpenVPNConnect.exe ×10, msedge.exe ×24, identity_helper.exe ×2, csrss.exe (64 in total).

Process information

Each entry lists PID, command line (CMD), image path and parent process, followed by user, company, integrity level, description, exit code, version and the first loaded modules (Images).
PID: 608
CMD: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
Path: C:\Windows\System32\csrss.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Client Server Runtime Process
Version:
10.0.19041.1 (WinBuild.160101.0800)
PID: 984
CMD: "C:\Program Files\OpenVPN Connect\agent_ovpnconnect.exe"
Path: C:\Program Files\OpenVPN Connect\agent_ovpnconnect.exe
Parent process: services.exe
User:
SYSTEM
Integrity Level:
SYSTEM
Modules
Images
c:\program files\openvpn connect\agent_ovpnconnect.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
PID: 1044
CMD: "C:\Program Files\OpenVPN Connect\drivers\tap\amd64\win10\tapinstall.exe" remove "C:\Program Files\OpenVPN Connect\drivers\tap\amd64\win10\OemVista.inf" tap_ovpnconnect
Path: C:\Program Files\OpenVPN Connect\drivers\tap\amd64\win10\tapinstall.exe
Parent process: msiexec.exe
User:
SYSTEM
Company:
Windows (R) Win 7 DDK provider
Integrity Level:
SYSTEM
Description:
Windows Setup API
Exit code:
0
Version:
10.0.10011.16384
Modules
Images
c:\program files\openvpn connect\drivers\tap\amd64\win10\tapinstall.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 1068
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: tapinstall.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1244
CMD: "C:\Program Files\OpenVPN Connect\OpenVPNConnect.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\admin\AppData\Roaming\OpenVPN Connect" --mojo-platform-channel-handle=2128 --field-trial-handle=2036,i,3291313351304564241,18018050836429874733,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:8
Path: C:\Program Files\OpenVPN Connect\OpenVPNConnect.exe
Parent process: OpenVPNConnect.exe
User:
admin
Company:
OpenVPN
Integrity Level:
MEDIUM
Description:
OpenVPN Connect
Version:
4351
Modules
Images
c:\program files\openvpn connect\openvpnconnect.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ws2_32.dll
PID: 1324
CMD: "C:\Windows\System32\msiexec.exe" /i C:\Users\admin\Desktop\openvpn-connect-3.7.3.4351_signed.msi
Path: C:\Windows\System32\msiexec.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Version:
5.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 1468
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --always-read-main-dll --field-trial-handle=5936,i,6683982507329739753,17285178649599650699,262144 --variations-seed-version --mojo-platform-channel-handle=5992 /prefetch:1
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1560
CMD: DrvInst.exe "2" "11" "ROOT\NET\0001" "C:\WINDOWS\INF\oem1.inf" "oem1.inf:c695c3de07ba2b5d:ovpn-dco_Device:1.3.1.0:ovpn-dco," "433338203" "0000000000000198"
Path: C:\Windows\System32\drvinst.exe
Parent process: svchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Driver Installation Module
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\drvinst.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\drvstore.dll
PID: 1580
CMD: "C:\Program Files\OpenVPN Connect\ovpnhelper_service.exe"
Path: C:\Program Files\OpenVPN Connect\ovpnhelper_service.exe
Parent process: services.exe
User:
SYSTEM
Integrity Level:
SYSTEM
Modules
Images
c:\program files\openvpn connect\ovpnhelper_service.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
PID: 1660
CMD: DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\WINDOWS\INF\oem6.inf" "oem6.inf:3beb73aff103cc24:tap_ovpnconnect.ndi:9.27.0.0:tap_ovpnconnect," "4ecbb43a3" "0000000000000198"
Path: C:\Windows\System32\drvinst.exe
Parent process: svchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Driver Installation Module
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\drvinst.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\drvstore.dll
Total events: 33 333 (read 32 798, write 485, delete 50)

Modification events (10 of the 485 write events are shown)

Process: msiexec.exe (PID 5904)
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write | Name: SppEnumGroups (Leave)
Value: 4800000000000000775900BBFDFCDB0110170000D0050000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000

Process: msiexec.exe (PID 5904)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
Operation: write | Name: LastIndex
Value: 11

Process: VSSVC.exe (PID 5084)
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
Operation: write | Name: IDENTIFY (Leave)
Value: 4800000000000000AFDE47BBFDFCDB01DC1300000C1A0000E80300000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000

Process: VSSVC.exe (PID 5084)
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
Operation: write | Name: IDENTIFY (Leave)
Value: 4800000000000000AFDE47BBFDFCDB01DC130000D4040000E80300000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000

Process: msiexec.exe (PID 5904)
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation: write | Name: SrCreateRp (Enter)
Value: 4800000000000000E84AE1BAFDFCDB0110170000D0050000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Process: msiexec.exe (PID 5904)
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write | Name: SppGetSnapshots (Enter)
Value: 4800000000000000E84AE1BAFDFCDB0110170000D0050000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Process: msiexec.exe (PID 5904)
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write | Name: SppGetSnapshots (Leave)
Value: 480000000000000054F5FDBAFDFCDB0110170000D0050000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Process: msiexec.exe (PID 5904)
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write | Name: SppEnumGroups (Enter)
Value: 480000000000000054F5FDBAFDFCDB0110170000D0050000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Process: msiexec.exe (PID 5904)
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write | Name: SppCreate (Enter)
Value: 4800000000000000940C05BBFDFCDB0110170000D0050000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Process: msiexec.exe (PID 5904)
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write | Name: SppGatherWriterMetadata (Enter)
Value: 48000000000000005F2537BBFDFCDB0110170000D0050000D30700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

The ten write events shown are all Volume Shadow Copy diagnostic entries under Services\VSS\Diag, written while the installer requests a system restore point (SrCreateRp, then SppCreate and SppGatherWriterMetadata, with the VSS writers identifying themselves), plus the updated restore-point index LastIndex. None of the events shown touches a Run key or a service configuration; the autorun and service changes flagged in the signature list are not among the events reproduced here and must be read from the full report.
Files by type: executable 45, suspicious 372, text 87, unknown 133

Dropped files (entries as shown in the report; "-" = not recorded)

PID | Process | Filename | Type | MD5 | SHA256
5904 | msiexec.exe | C:\System Volume Information\SPP\metadata-2 | - | - | -
5904 | msiexec.exe | C:\Windows\Installer\1978a1.msi | - | - | -
5904 | msiexec.exe | C:\Windows\Installer\MSI7FE8.tmp | - | - | -
5904 | msiexec.exe | C:\System Volume Information\SPP\OnlineMetadataCache\{d4b070c2-d610-4da9-b0fa-c7a1fcf9c674}_OnDiskSnapshotProp | binary | B69A968415A537AB6DF519350E355E77 | AA7978BE74F8D2A24D43550CE546AC70BF134079F90834F5043706AE66E3AD48
1324 | msiexec.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB | binary | E17C9FCA193962197B4D36919CB7DE8D | D4FC876D97292138135B2B9ACCBB491E393FD0D73D36CC881B43DE23F292461B
5904 | msiexec.exe | C:\Program Files\OpenVPN Connect\resources\app.asar | - | - | -
1324 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\MSIFEAE.tmp | executable | D63A50CB1A7429C3CD3AE4BB22AFC556 | E11E5209D54372105FD817C47ABB2D777DD5F8992DAC4BFF1514400DB0BB0E22
1324 | msiexec.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 | binary | 2D57F3CD807689195C8A7E20C488AB2E | EC4940E943A2B0FF033FA12C65262E713736276A037C4B2CB775264A3F9D6973
1324 | msiexec.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_044BA647821AEE9FD4F7166B232CBD9C | binary | 6CBC56826F53D5F31FA8A3379C7513F8 | D94342EECA43810B2DBD03FB9470C666593BCAD68B6E7F93EB77FE26FC9F2BD5
5904 | msiexec.exe | C:\System Volume Information\SPP\snapshot-2 | binary | B69A968415A537AB6DF519350E355E77 | AA7978BE74F8D2A24D43550CE546AC70BF134079F90834F5043706AE66E3AD48

Reading the list: the CryptnetUrlCache entries under the user profile (PID 1324) are CryptoAPI's cache of the CRL and OCSP responses fetched during the signature check; the System Volume Information\SPP files are restore-point metadata written while the restore point was created; C:\Windows\Installer\1978a1.msi is Windows Installer's cached copy of the package; resources\app.asar is the Electron application archive (consistent with the Chromium-style command lines of OpenVPNConnect.exe). MSIFEAE.tmp is the one executable extracted to %TEMP% by the user-context msiexec, so its SHA256 is the dropped-file hash worth pivoting on.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 211; TCP/UDP connections: 141; DNS requests: 104; threats: 10

HTTP requests ("-" = not recorded in the report)

PID | Process | Method | HTTP code | IP | URL | CN | Type | Size | Reputation
1268 | svchost.exe | GET | 200 | 23.53.40.176:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
1324 | msiexec.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D | unknown | - | - | whitelisted
1324 | msiexec.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D | unknown | - | - | whitelisted
1324 | msiexec.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAtnOGhnbheoz9jFmc28BMA%3D | unknown | - | - | whitelisted
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted
- | - | GET | 404 | 104.19.191.106:443 | https://packages.openvpn.net/connect/v3/updates/3.7.3/MSI.txt | unknown | html | 329 b | whitelisted
1244 | OpenVPNConnect.exe | GET | 204 | 142.250.184.227:80 | http://connectivitycheck.gstatic.com/generate_204 | unknown | - | - | whitelisted

Two rows carry no PID: the POST to activation-v2.sls.microsoft.com (Windows activation, answered 500) is attributed to slui.exe (PID 6208) in the connections table below, and the 404 from packages.openvpn.net/connect/v3/updates/3.7.3/MSI.txt is the installed client's update check for its own version. The three msiexec.exe requests to ocsp.digicert.com are revocation checks made while validating the package's Authenticode signature chain.
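An OCSP GET request carries the whole DER-encoded OCSPRequest, base64- and URL-encoded, in the path, so the three ocsp.digicert.com URLs above can be decoded offline to learn exactly which certificates msiexec.exe asked about. The decoder below is an added example, not part of the report or of any ANY.RUN tooling; it uses only the standard library, takes the three URLs copied from the table above as input, and the function names (parse_ocsp_get_url, issuers_queried) are this example's own. The decoded serial numbers can then be matched against the signing certificate and DigiCert's published intermediates.

```python
import base64
from urllib.parse import unquote, urlsplit

# The three OCSP GET requests msiexec.exe (PID 1324) sent to ocsp.digicert.com, copied from the
# HTTP requests table above. Per RFC 6960 A.1 the path is URL-encoded base64 of a DER OCSPRequest.
OCSP_GET_URLS = [
    "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D",
    "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D",
    "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAtnOGhnbheoz9jFmc28BMA%3D",
]

HASH_OIDS = {"1.3.14.3.2.26": "sha1", "2.16.840.1.101.3.4.2.1": "sha256"}
SEQUENCE, OCTET_STRING, INTEGER, OID = 0x30, 0x04, 0x02, 0x06


def _read_tlv(buf, pos):
    """Read one DER tag-length-value starting at pos; return (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length


def _children(buf):
    """Yield (tag, value) for each TLV directly inside a constructed value."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = _read_tlv(buf, pos)
        yield tag, value


def _first(buf, wanted):
    for tag, value in _children(buf):
        if tag == wanted:
            return value
    raise ValueError(f"no element with tag {wanted:#x}")


def _decode_oid(raw):
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_ocsp_get_url(url):
    """Return the CertID inside an OCSP GET URL: hash algorithm, issuerNameHash, issuerKeyHash
    and the serial number of the certificate whose revocation status is being asked."""
    der = base64.b64decode(unquote(urlsplit(url).path.lstrip("/")))
    # OCSPRequest > tbsRequest > requestList > Request > reqCert (CertID): five nested SEQUENCEs.
    # Optional [0] version and [1] requestorName are skipped because _first picks the SEQUENCE.
    cert_id = der
    for _ in range(5):
        cert_id = _first(cert_id, SEQUENCE)
    fields = list(_children(cert_id))
    if [t for t, _ in fields[:4]] != [SEQUENCE, OCTET_STRING, OCTET_STRING, INTEGER]:
        raise ValueError("unexpected CertID layout")
    alg, name_hash, key_hash, serial = (v for _, v in fields[:4])
    oid = _decode_oid(_first(alg, OID))
    if len(serial) > 1 and serial[0] == 0 and serial[1] & 0x80:
        serial = serial[1:]                 # drop DER's sign byte so the hex matches certificate viewers
    return {
        "hash_algorithm": HASH_OIDS.get(oid, oid),
        "issuer_name_hash": name_hash.hex(),
        "issuer_key_hash": key_hash.hex(),
        "serial": serial.hex(),
    }


def issuers_queried(urls):
    """Group the checked serials by issuerKeyHash (one hash per issuing CA key). Three distinct
    keys for three requests means certificates from three different issuers were checked, the
    shape of a leaf plus two intermediates being validated."""
    by_issuer = {}
    for url in urls:
        rec = parse_ocsp_get_url(url)
        by_issuer.setdefault(rec["issuer_key_hash"], []).append(rec["serial"])
    return by_issuer


if __name__ == "__main__":
    for url in OCSP_GET_URLS:
        rec = parse_ocsp_get_url(url)
        print(f'{rec["hash_algorithm"]}  issuerKeyHash={rec["issuer_key_hash"]}  serial={rec["serial"]}')
    print(f"{len(issuers_queried(OCSP_GET_URLS))} distinct issuing CA keys queried")
```

For these three URLs the hash algorithm is SHA-1 (the CertID hash, not the signature algorithm) and every request names a different issuer key, so a full three-level chain was revocation-checked. That confirms a signature was present and validated by Windows Installer; whether the leaf certificate belongs to the vendor still has to be read from the certificate itself.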

Connections ("-" = not recorded in the report)

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1268 | svchost.exe | 23.53.40.176:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
- | - | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
- | - | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1324 | msiexec.exe | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
6208 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.104.136.2
whitelisted
google.com
  • 216.58.206.78
whitelisted
crl.microsoft.com
  • 23.53.40.176
  • 23.53.40.178
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
self.events.data.microsoft.com
  • 20.189.173.6
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
packages.openvpn.net
  • 104.19.191.106
  • 104.19.190.106
whitelisted
connectivitycheck.gstatic.com
  • 142.250.184.227
whitelisted
x1.c.lencr.org
  • 104.76.201.34
whitelisted

Threats ("-" = not recorded in the report)

PID | Process | Class | Message
8064 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
8064 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
8064 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Requests to a free CDN for open source projects (jsdelivr .net)
8064 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Requests to a free CDN for open source projects (jsdelivr .net)
8064 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
8064 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
- | - | Possible Social Engineering Attempted | PHISHING [ANY.RUN] Suspicious message detected (saved from)
- | - | Possible Social Engineering Attempted | PHISHING [ANY.RUN] Suspicious message detected (saved from)
- | - | Potentially Bad Traffic | ET INFO Possible Chrome Plugin install
- | - | Potentially Bad Traffic | ET INFO Possible Chrome Plugin install

Every alert with a recorded PID belongs to msedge.exe, the browser that was running during the session, not to msiexec.exe or to any OpenVPN process. The four remaining alerts are web-content heuristics (an HTML "saved from" marker and a possible browser extension install) with no PID recorded, so they cannot be attributed from this page; none of the ten is a C2 or exfiltration signature.
Debug info: none.