File name:

openconnect-gui-1.6.2-win64.exe

Full analysis: https://app.any.run/tasks/ffb88e97-b1dd-4b90-85fc-7a5e28a88439
Verdict: Malicious activity
Analysis date: August 25, 2024, 17:31:56
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
MD5:

9FCAB367F128AD37A28D58106AC2BDD8

SHA1:

08031905F19365786FBA625034BA29D36EDC6125

SHA256:

DE08D8968E40E219932D01025521F879178EC99246802DB488C0FDAC9FCEF11A

SSDEEP:

98304:NpWUwWAaqKBUbN0dDYgbBYD53Jq4VQwjwvkwWNcJ1xImZSPLjiWA38UGhxupTwFW:NDbnoUne4DxUMJr9FB7TVg9NHhmz2S
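Before acting on a sandbox verdict, confirm that the file in hand is the one the report describes. The script below is an added example and not part of the ANY.RUN report; it takes the MD5, SHA1 and SHA256 values from the Indicators section above, hashes a local file in one streaming pass and reports per-algorithm agreement. The file path passed on the command line is the only thing it assumes; SSDEEP is left out because it needs a third-party library.

```python
"""Added example (not part of the ANY.RUN report): check that a local file
matches the MD5/SHA1/SHA256 this report lists, hashing it in one pass."""
import hashlib
import hmac

ALGORITHMS = ("md5", "sha1", "sha256")

# Hashes exactly as listed in the report's Indicators section.
REPORT_HASHES = {
    "md5": "9FCAB367F128AD37A28D58106AC2BDD8",
    "sha1": "08031905F19365786FBA625034BA29D36EDC6125",
    "sha256": "DE08D8968E40E219932D01025521F879178EC99246802DB488C0FDAC9FCEF11A",
}


def digest_stream(chunks):
    """Feed an iterable of byte chunks through all three hashes in a single pass."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    # Upper-case hex, matching the report's presentation.
    return {name: h.hexdigest().upper() for name, h in hashers.items()}


def digest_bytes(data):
    """Convenience wrapper for in-memory data."""
    return digest_stream([data])


def digest_file(path, chunk_size=1 << 20):
    """Hash a file without reading it into memory at once (installers can be large)."""
    with open(path, "rb") as fh:
        return digest_stream(iter(lambda: fh.read(chunk_size), b""))


def compare_with_report(actual, expected=REPORT_HASHES):
    """Per-algorithm match table. compare_digest avoids timing differences out of habit."""
    return {name: hmac.compare_digest(actual.get(name, ""), value)
            for name, value in expected.items()}


def matches_report(actual, expected=REPORT_HASHES):
    """True only when every algorithm the report lists agrees."""
    return all(compare_with_report(actual, expected).values())


if __name__ == "__main__":
    import sys
    found = digest_file(sys.argv[1])
    for name, ok in compare_with_report(found).items():
        print(f"{name:7} {found[name]}  {'match' if ok else 'MISMATCH'}")
    sys.exit(0 if matches_report(found) else 1)
```

Run it as `python verify_hashes.py openconnect-gui-1.6.2-win64.exe`. A match ties your file to this analysis and nothing more: it does not say whether this build is the one the project published, so also compare the SHA256 against whatever checksum the project provides for its release, starting from the HelpLink and URLInfoAbout values the installer itself writes to the registry (see Modification events below).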

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Drops the executable file immediately after the start

      • openconnect-gui-1.6.2-win64.exe (PID: 7020)
    • Executable content was dropped or overwritten

      • openconnect-gui-1.6.2-win64.exe (PID: 7020)
    • Creates a software uninstall entry

      • openconnect-gui-1.6.2-win64.exe (PID: 7020)
    • The process creates files with names similar to system file names

      • openconnect-gui-1.6.2-win64.exe (PID: 7020)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • openconnect-gui-1.6.2-win64.exe (PID: 7020)
  • INFO

    • Checks supported languages

      • openconnect-gui-1.6.2-win64.exe (PID: 7020)
      • openconnect-gui.exe (PID: 6180)
    • Creates files in the program directory

      • openconnect-gui-1.6.2-win64.exe (PID: 7020)
    • Reads the computer name

      • openconnect-gui-1.6.2-win64.exe (PID: 7020)
      • openconnect-gui.exe (PID: 6180)
    • Creates files in a temporary directory

      • openconnect-gui-1.6.2-win64.exe (PID: 7020)
      • openconnect-gui.exe (PID: 6180)
    • Creates files or folders in the user directory

      • openconnect-gui.exe (PID: 6180)
    • Reads the time zone

      • openconnect-gui.exe (PID: 6180)
    • Process checks computer location settings

      • openconnect-gui.exe (PID: 6180)
    • Checks proxy server information

      • openconnect-gui.exe (PID: 6180)
    • Reads the machine GUID from the registry

      • openconnect-gui.exe (PID: 6180)
    • Reads the software policy settings

      • openconnect-gui.exe (PID: 6180)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:05:28 20:31:59+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Large address aware, No debug
PEType: PE32+
LinkerVersion: 2.42
CodeSize: 36352
InitializedDataSize: 73728
UninitializedDataSize: 402432
EntryPoint: 0x444d
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 5.2
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes
126
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

Process chain shown in the graph: start → openconnect-gui-1.6.2-win64.exe → openconnect-gui.exe; a separate openconnect-gui-1.6.2-win64.exe instance carries no specific indicators ("no specs")

Process information

PID
CMD
Path
Indicators
Parent process
PID:
6180
CMD:
"C:\Program Files\OpenConnect-GUI\.\openconnect-gui.exe"
Path:
C:\Program Files\OpenConnect-GUI\openconnect-gui.exe
Parent process:
openconnect-gui-1.6.2-win64.exe
User:
admin
Company:
OpenConnect-GUI Team
Integrity Level:
HIGH
Description:
OpenConnect VPN graphical client
Version:
1.6.2
Modules
Images
c:\program files\openconnect-gui\openconnect-gui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
PID:
6812
CMD:
"C:\Users\admin\Desktop\openconnect-gui-1.6.2-win64.exe"
Path:
C:\Users\admin\Desktop\openconnect-gui-1.6.2-win64.exe
Parent process:
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: this medium-integrity launch could not proceed; the same executable then runs as PID 7020 at HIGH integrity)
Modules
Images
c:\users\admin\desktop\openconnect-gui-1.6.2-win64.exe
c:\windows\system32\ntdll.dll
PID:
7020
CMD:
"C:\Users\admin\Desktop\openconnect-gui-1.6.2-win64.exe"
Path:
C:\Users\admin\Desktop\openconnect-gui-1.6.2-win64.exe
Parent process:
explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\desktop\openconnect-gui-1.6.2-win64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
Total events
72 428
Read events
72 408
Write events
20
Delete events
0

Modification events

All ten events are registry writes by PID 7020 (openconnect-gui-1.6.2-win64.exe) under the key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OpenConnect-GUI

Name             Operation  Value
DisplayName      write      OpenConnect-GUI
DisplayVersion   write      1.6.2
Publisher        write      OpenConnect-GUI Team
UninstallString  write      "C:\Program Files\OpenConnect-GUI\Uninstall.exe"
NoRepair         write      1
NoModify         write      1
DisplayIcon      write      C:\Program Files\OpenConnect-GUI\openconnect-gui.exe
HelpLink         write      https://gitlab.com/openconnect/openconnect-gui/-/wikis/FAQ
URLInfoAbout     write      https://gui.openconnect-vpn.net/
StartMenu        write      OpenConnect-GUI
Executable files
35
Suspicious files
2
Text files
10
Unknown types
0

Dropped files

All ten files listed here were written by PID 7020 (openconnect-gui-1.6.2-win64.exe).

Filename: C:\Users\admin\AppData\Local\Temp\nshF963.tmp\modern-header.bmp
Type: image
MD5: DB915DB23FCDC4700989AD484A63BAF1
SHA256: D73084B2F73CB3E13708D2DEF8F09D6421D919229DB8087B6EF5812552AB1EDE

Filename: C:\Users\admin\AppData\Local\Temp\nshF963.tmp\StartMenu.dll
Type: executable
MD5: 65C301D9A85F4342CDEF7FEDEABAFD5D
SHA256: 48765294AA273EC2FD55CC5F9301E138B4D56A9F6D00FCF24473788E64B52BFD

Filename: C:\Users\admin\AppData\Local\Temp\nshF963.tmp\UserInfo.dll
Type: executable
MD5: 5DF25C042BDDA748D1F396B4FE070EDE
SHA256: C9DD715D31C8CDF763F5EDC92B8228DF617BC528D7F558D6E531434C62A4B37B

Filename: C:\Users\admin\AppData\Local\Temp\nshF963.tmp\InstallOptions.dll
Type: executable
MD5: A7D3A18DDC6206B7D980A40700EA6619
SHA256: C555C346CC1F80FF0CB9AEAAB8875A10C15EA4E5CF445A0F1597363FCF686924

Filename: C:\Users\admin\AppData\Local\Temp\nshF963.tmp\ioSpecial.ini
Type: ini
MD5: E2D5070BC28DB1AC745613689FF86067
SHA256: D95AED234F932A1C48A2B1B0D98C60CA31F962310C03158E2884AB4DDD3EA1E0

Filename: C:\Program Files\OpenConnect-GUI\Qt6Gui.dll
Type: executable
MD5: 88CBB6E1C333DA43ACC2E3D285AE40FD
SHA256: 0ADF6DC1181E1ADFE945B0E20FF4DDBC5C223CA8178838170B5714F9D29B361C

Filename: C:\Program Files\OpenConnect-GUI\Qt6Core.dll
Type: executable
MD5: 804232193FCBAF1F9E082CA49F0B56B5
SHA256: 1A1F91E89D1F0AD27E4CAEFC46980D3BC7E8B6952974343D89C7E1BD670D4131

Filename: C:\Program Files\OpenConnect-GUI\Qt6StateMachine.dll
Type: executable
MD5: 8F9A8262D779BF95ACE3742049505C09
SHA256: 6FB7332A36D1FD242DBA056344627C15FCDAB8175D4124EFCD781FA57924B857

Filename: C:\Program Files\OpenConnect-GUI\libffi-8.dll
Type: executable
MD5: 65F6ABD875511657FD918ADD6C969BE5
SHA256: F1ED51652B3746C1B4BCE497B7041E677E5D80C5AB8198EFEBB8FC6F75329AE8

Filename: C:\Program Files\OpenConnect-GUI\LICENSE.txt
Type: text
MD5: FDAFC691AA5FB7F8E2A9E9521FEF771B
SHA256: 19404E184CF45EC991B54E1E6F05F847AD8F13FEE2A51F3A2D9A960C8F7CB26B
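The five Temp files above are stock NSIS installer material: StartMenu.dll, UserInfo.dll and InstallOptions.dll are standard NSIS plugins, ioSpecial.ini and modern-header.bmp are NSIS Modern UI assets, and the "System.dll in Temp" indicator in the SUSPICIOUS section refers to the NSIS System plugin. Every NSIS-built installer unpacks these into a fresh %TEMP%\ns????.tmp directory, so on their own they do not separate this sample from a clean build; what matters is whether anything executable lands somewhere other than that staging directory or the install directory the uninstall entry names. The script below is an added example and not part of the ANY.RUN report or of the OpenConnect-GUI project: it applies exactly that split to the records transcribed from this report. Two assumptions are labelled in the code: the NSIS staging directory is named %TEMP%\ns<letter><4 hex digits>.tmp, and the install directory is the folder containing the uninstaller named in the UninstallString registry value.

```python
"""Added example (not from the ANY.RUN report or the OpenConnect-GUI project):
triage an installer report's "Dropped files" table by where each file landed.
Expected places for an NSIS-built installer are its Temp staging directory and
the install directory it registers; executables anywhere else get flagged."""
import ntpath
import re

# Records transcribed from the report's "Dropped files" table: (path, type, sha256).
# All of them were written by PID 7020 (openconnect-gui-1.6.2-win64.exe).
DROPPED_FILES = [
    (r"C:\Users\admin\AppData\Local\Temp\nshF963.tmp\modern-header.bmp", "image",
     "D73084B2F73CB3E13708D2DEF8F09D6421D919229DB8087B6EF5812552AB1EDE"),
    (r"C:\Users\admin\AppData\Local\Temp\nshF963.tmp\StartMenu.dll", "executable",
     "48765294AA273EC2FD55CC5F9301E138B4D56A9F6D00FCF24473788E64B52BFD"),
    (r"C:\Users\admin\AppData\Local\Temp\nshF963.tmp\UserInfo.dll", "executable",
     "C9DD715D31C8CDF763F5EDC92B8228DF617BC528D7F558D6E531434C62A4B37B"),
    (r"C:\Users\admin\AppData\Local\Temp\nshF963.tmp\InstallOptions.dll", "executable",
     "C555C346CC1F80FF0CB9AEAAB8875A10C15EA4E5CF445A0F1597363FCF686924"),
    (r"C:\Users\admin\AppData\Local\Temp\nshF963.tmp\ioSpecial.ini", "ini",
     "D95AED234F932A1C48A2B1B0D98C60CA31F962310C03158E2884AB4DDD3EA1E0"),
    (r"C:\Program Files\OpenConnect-GUI\Qt6Gui.dll", "executable",
     "0ADF6DC1181E1ADFE945B0E20FF4DDBC5C223CA8178838170B5714F9D29B361C"),
    (r"C:\Program Files\OpenConnect-GUI\Qt6Core.dll", "executable",
     "1A1F91E89D1F0AD27E4CAEFC46980D3BC7E8B6952974343D89C7E1BD670D4131"),
    (r"C:\Program Files\OpenConnect-GUI\Qt6StateMachine.dll", "executable",
     "6FB7332A36D1FD242DBA056344627C15FCDAB8175D4124EFCD781FA57924B857"),
    (r"C:\Program Files\OpenConnect-GUI\libffi-8.dll", "executable",
     "F1ED51652B3746C1B4BCE497B7041E677E5D80C5AB8198EFEBB8FC6F75329AE8"),
    (r"C:\Program Files\OpenConnect-GUI\LICENSE.txt", "text",
     "19404E184CF45EC991B54E1E6F05F847AD8F13FEE2A51F3A2D9A960C8F7CB26B"),
]

# The UninstallString value from the report's Modification events section.
UNINSTALL_STRING = r'"C:\Program Files\OpenConnect-GUI\Uninstall.exe"'

# Assumption: NSIS unpacks plugins and UI assets into %TEMP%\ns<letter><4 hex digits>.tmp\.
NSIS_STAGING_DIR = re.compile(r"\\Temp\\ns[a-z][0-9a-f]{4}\.tmp\\", re.IGNORECASE)


def install_dir_from_uninstall_string(uninstall_string):
    """Directory of the uninstaller named in an UninstallString (quoted or bare, args ignored)."""
    s = uninstall_string.strip()
    exe = s[1:].split('"', 1)[0] if s.startswith('"') else s.split(None, 1)[0]
    return ntpath.dirname(exe)


def is_under(path, directory):
    """Case-insensitive 'path lies inside directory' using Windows path rules."""
    root = ntpath.normcase(ntpath.join(directory, ""))  # guarantees a trailing backslash
    return ntpath.normcase(path).startswith(root)


def classify_location(path, install_dir):
    if NSIS_STAGING_DIR.search(path):
        return "nsis-staging"
    if is_under(path, install_dir):
        return "install-dir"
    return "unexpected"


def triage(records, uninstall_string):
    """Annotate each record; only executables outside the two expected places need review."""
    install_dir = install_dir_from_uninstall_string(uninstall_string)
    results = []
    for path, ftype, sha256 in records:
        where = classify_location(path, install_dir)
        results.append({"path": path, "type": ftype, "sha256": sha256, "where": where,
                        "review": ftype == "executable" and where == "unexpected"})
    return results


def location_counts(records, uninstall_string):
    counts = {}
    for r in triage(records, uninstall_string):
        counts[r["where"]] = counts.get(r["where"], 0) + 1
    return counts


if __name__ == "__main__":
    for r in triage(DROPPED_FILES, UNINSTALL_STRING):
        print(f"{'REVIEW' if r['review'] else 'ok':6} {r['where']:13} {r['path']}")
```

For this report every listed file falls into one of the two expected locations, which is consistent with the SUSPICIOUS indicators being generic installer behaviour. The listing above covers ten of the 35 executable files the summary counts, so the same check should be run over the complete dropped-file list in the full report, and the SHA256 of each file written to C:\Program Files\OpenConnect-GUI should be compared with the corresponding file from a release you trust.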
Download the PCAP, analyze network streams, HTTP content and a lot more in the full report
HTTP(S) requests
1
TCP/UDP connections
12
DNS requests
5
Threats
0

HTTP requests

PID / Process: not listed
Method: GET
HTTP code: 302
IP: 172.64.144.122:443
URL: https://gitlab.com/api/v4/projects/12274423/releases/permalink/latest
CN: unknown
Type: text
Size: 88 b
Reputation: unknown

Connections

(- = not listed in the report)

PID   Process              IP                    Domain                           ASN                          CN  Reputation
-     -                    192.168.100.255:138   -                                -                            -   whitelisted
-     -                    51.104.136.2:443      settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  IE  whitelisted
3888  svchost.exe          239.255.255.250:1900  -                                -                            -   whitelisted
2120  MoUsoCoreWorker.exe  51.104.136.2:443      settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  IE  whitelisted
2120  MoUsoCoreWorker.exe  40.127.240.158:443    settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  IE  unknown
3176  svchost.exe          20.73.194.208:443     settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  NL  whitelisted
6180  openconnect-gui.exe  172.65.251.78:443     gitlab.com                       CLOUDFLARENET                US  unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 40.127.240.158
  • 20.73.194.208
whitelisted
google.com
  • 142.250.186.46
whitelisted
gitlab.com
  • 172.65.251.78
whitelisted

Threats

No threats detected
No debug info