File name: openconnect-gui-1.6.2-win64.exe

Full analysis: https://app.any.run/tasks/ffb88e97-b1dd-4b90-85fc-7a5e28a88439
Verdict: Malicious activity
Analysis date: August 25, 2024, 17:31:56
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
MD5: 9FCAB367F128AD37A28D58106AC2BDD8
SHA1: 08031905F19365786FBA625034BA29D36EDC6125
SHA256: DE08D8968E40E219932D01025521F879178EC99246802DB488C0FDAC9FCEF11A
SSDEEP: 98304:NpWUwWAaqKBUbN0dDYgbBYD53Jq4VQwjwvkwWNcJ1xImZSPLjiWA38UGhxupTwFW:NDbnoUne4DxUMJr9FB7TVg9NHhmz2S

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    No malicious indicators.
  • SUSPICIOUS
    • Drops the executable file immediately after the start
      • openconnect-gui-1.6.2-win64.exe (PID: 7020)
    • Executable content was dropped or overwritten
      • openconnect-gui-1.6.2-win64.exe (PID: 7020)
    • Creates a software uninstall entry
      • openconnect-gui-1.6.2-win64.exe (PID: 7020)
    • Malware-specific behavior (creating "System.dll" in Temp)
      • openconnect-gui-1.6.2-win64.exe (PID: 7020)
    • The process creates files with name similar to system file names
      • openconnect-gui-1.6.2-win64.exe (PID: 7020)
  • INFO
    • Checks supported languages
      • openconnect-gui-1.6.2-win64.exe (PID: 7020)
      • openconnect-gui.exe (PID: 6180)
    • Reads the computer name
      • openconnect-gui-1.6.2-win64.exe (PID: 7020)
      • openconnect-gui.exe (PID: 6180)
    • Creates files in a temporary directory
      • openconnect-gui-1.6.2-win64.exe (PID: 7020)
      • openconnect-gui.exe (PID: 6180)
    • Creates files in the program directory
      • openconnect-gui-1.6.2-win64.exe (PID: 7020)
    • Creates files or folders in the user directory
      • openconnect-gui.exe (PID: 6180)
    • Reads the time zone
      • openconnect-gui.exe (PID: 6180)
    • Reads the machine GUID from the registry
      • openconnect-gui.exe (PID: 6180)
    • Process checks computer location settings
      • openconnect-gui.exe (PID: 6180)
    • Checks proxy server information
      • openconnect-gui.exe (PID: 6180)
    • Reads the software policy settings
      • openconnect-gui.exe (PID: 6180)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:05:28 20:31:59+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Large address aware, No debug
PEType: PE32+
LinkerVersion: 2.42
CodeSize: 36352
InitializedDataSize: 73728
UninitializedDataSize: 402432
EntryPoint: 0x444d
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 5.2
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 126
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start: openconnect-gui-1.6.2-win64.exe, openconnect-gui.exe, openconnect-gui-1.6.2-win64.exe (no specs)

Process information

PID 6180
  CMD: "C:\Program Files\OpenConnect-GUI\.\openconnect-gui.exe"
  Path: C:\Program Files\OpenConnect-GUI\openconnect-gui.exe
  Parent process: openconnect-gui-1.6.2-win64.exe
  User: admin
  Company: OpenConnect-GUI Team
  Integrity Level: HIGH
  Description: OpenConnect VPN graphical client
  Version: 1.6.2
  Modules (images):
    c:\program files\openconnect-gui\openconnect-gui.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\apphelp.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\shell32.dll
    c:\windows\system32\msvcp_win.dll
    c:\windows\system32\ucrtbase.dll
    c:\windows\system32\user32.dll

PID 6812
  CMD: "C:\Users\admin\Desktop\openconnect-gui-1.6.2-win64.exe"
  Path: C:\Users\admin\Desktop\openconnect-gui-1.6.2-win64.exe
  Parent process: explorer.exe
  User: admin
  Integrity Level: MEDIUM
  Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
  Modules (images):
    c:\users\admin\desktop\openconnect-gui-1.6.2-win64.exe
    c:\windows\system32\ntdll.dll

PID 7020
  CMD: "C:\Users\admin\Desktop\openconnect-gui-1.6.2-win64.exe"
  Path: C:\Users\admin\Desktop\openconnect-gui-1.6.2-win64.exe
  Parent process: explorer.exe
  User: admin
  Integrity Level: HIGH
  Exit code: 0
  Modules (images):
    c:\users\admin\desktop\openconnect-gui-1.6.2-win64.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\apphelp.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\bcrypt.dll
Total events: 72 428
Read events: 72 408
Write events: 20
Delete events: 0

Modification events

(PID) Process: (7020) openconnect-gui-1.6.2-win64.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OpenConnect-GUI
Operation: write
  DisplayName = OpenConnect-GUI
  DisplayVersion = 1.6.2
  Publisher = OpenConnect-GUI Team
  UninstallString = "C:\Program Files\OpenConnect-GUI\Uninstall.exe"
  NoRepair = 1
  NoModify = 1
  DisplayIcon = C:\Program Files\OpenConnect-GUI\openconnect-gui.exe
  HelpLink = https://gitlab.com/openconnect/openconnect-gui/-/wikis/FAQ
  URLInfoAbout = https://gui.openconnect-vpn.net/
  StartMenu = OpenConnect-GUI
Executable files: 35
Suspicious files: 2
Text files: 10
Unknown types: 0

Dropped files

PID 7020, openconnect-gui-1.6.2-win64.exe
  C:\Users\admin\AppData\Local\Temp\nshF963.tmp\NSIS.InstallOptions.ini (ini)
    MD5: 3682A6B22CAAC2EEA12161104001E7E4
    SHA256: 6B4D0BDCF657AB34DC9ED2DE7BD0C4383DB3CF3E18DBC8413CF502BCCB1CA7C0
  C:\Users\admin\AppData\Local\Temp\nshF963.tmp\modern-wizard.bmp (image)
    MD5: 1E3687AA35BD68103F127BB4AC7CBA77
    SHA256: D8178D00256FB53BB56803D4041A02F3195732CB3A64724A7099C4E8C5D11A0C
  C:\Users\admin\AppData\Local\Temp\nshF963.tmp\InstallOptions.dll (executable)
    MD5: A7D3A18DDC6206B7D980A40700EA6619
    SHA256: C555C346CC1F80FF0CB9AEAAB8875A10C15EA4E5CF445A0F1597363FCF686924
  C:\Users\admin\AppData\Local\Temp\nshF963.tmp\UserInfo.dll (executable)
    MD5: 5DF25C042BDDA748D1F396B4FE070EDE
    SHA256: C9DD715D31C8CDF763F5EDC92B8228DF617BC528D7F558D6E531434C62A4B37B
  C:\Users\admin\AppData\Local\Temp\nshF963.tmp\ioSpecial.ini (ini)
    MD5: E2D5070BC28DB1AC745613689FF86067
    SHA256: D95AED234F932A1C48A2B1B0D98C60CA31F962310C03158E2884AB4DDD3EA1E0
  C:\Program Files\OpenConnect-GUI\Qt6StateMachine.dll (executable)
    MD5: 8F9A8262D779BF95ACE3742049505C09
    SHA256: 6FB7332A36D1FD242DBA056344627C15FCDAB8175D4124EFCD781FA57924B857
  C:\Program Files\OpenConnect-GUI\Qt6Widgets.dll (executable)
    MD5: 1A3C0B572EB942969146EDDE69F4AC05
    SHA256: BAA75F214DA88F468B6598CBC2F5FB277C4AF6A69CBFE17172C61DDF74395AC6
  C:\Program Files\OpenConnect-GUI\libhogweed-6.dll (executable)
    MD5: 9481A6330CC726555910AD247600DC5A
    SHA256: A4031E305B98A536713547CB3FC675951B88E7052F0D295C61D078C2FE8053C6
  C:\Program Files\OpenConnect-GUI\libffi-8.dll (executable)
    MD5: 65F6ABD875511657FD918ADD6C969BE5
    SHA256: F1ED51652B3746C1B4BCE497B7041E677E5D80C5AB8198EFEBB8FC6F75329AE8
  C:\Program Files\OpenConnect-GUI\Qt6Gui.dll (executable)
    MD5: 88CBB6E1C333DA43ACC2E3D285AE40FD
    SHA256: 0ADF6DC1181E1ADFE945B0E20FF4DDBC5C223CA8178838170B5714F9D29B361C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 1
TCP/UDP connections: 12
DNS requests: 5
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | GET | 302 | 172.64.144.122:443 | https://gitlab.com/api/v4/projects/12274423/releases/permalink/latest | unknown | text | 88 b | -

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3888 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
2120 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2120 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
3176 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6180 | openconnect-gui.exe | 172.65.251.78:443 | gitlab.com | CLOUDFLARENET | US | unknown

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.104.136.2, 40.127.240.158, 20.73.194.208 | whitelisted
google.com | 142.250.186.46 | whitelisted
gitlab.com | 172.65.251.78 | whitelisted

Threats

No threats detected
No debug info