File name:

GoTo Opener.exe

Full analysis: https://app.any.run/tasks/3f451ee8-9ca8-472d-8cb6-ff742d92b9a2
Verdict: Malicious activity
Analysis date: December 13, 2024, 22:13:59
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, 3 sections
MD5:

D28494052AC3206DDB3E6A1D0AE4C186

SHA1:

9F9BD33617DC683904EE6FD428CEFEA134E00BE1

SHA256:

1946F1AF5A374CC1F1935DEFF5EB9AB611921A4F64FCEEAA1430E929E1015EB4

SSDEEP:

12288:qDr4xkGkHncbsvljTu8ebbFFomBmxgxK79rhBaMBV7h4BV9y1d8hSr:qDrSkGUncgvljTu8OFomBzKKy1d7

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • GoTo Opener.exe (PID: 4624)

    • Searches for installed software

      • explorer.exe (PID: 7020)

  • INFO

    • Sends debugging messages

      • GoTo Opener.exe (PID: 4624)

    • Process checks whether UAC notifications are on

      • GoTo Opener.exe (PID: 4624)

    • Reads the computer name

      • GoTo Opener.exe (PID: 4624)

    • UPX packer has been detected

      • GoTo Opener.exe (PID: 4624)

    • Checks proxy server information

      • GoTo Opener.exe (PID: 4624)

    • The sample compiled with english language support

      • GoTo Opener.exe (PID: 4624)

    • Checks supported languages

      • GoTo Opener.exe (PID: 4624)

    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 7020)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (30.7)
.exe | UPX compressed Win32 Executable (30.1)
.exe | Win32 EXE Yoda's Crypter (29.5)
.exe | Win32 Executable (generic) (5)
.exe | Generic Win/DOS Executable (2.2)

EXIF

EXE

ProductVersion: 1.0.0.568
FileVersion: 1.0.0.568
OriginalFileName: GoToOpener.exe
InternalName: GoToOpener
FileDescription: GoTo Opener
ProductName: GoTo Opener
LegalCopyright: Copyright © 2012-2024 LogMeIn, Inc.
CompanyName: LogMeIn, Inc.
CharacterSet: Windows, Latin1
LanguageCode: English (U.S.)
FileSubtype: -
ObjectFileType: Dynamic link library
FileOS: Windows NT 32-bit
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 1.0.0.568
FileVersionNumber: 1.0.0.568
Subsystem: Windows GUI
SubsystemVersion: 5.1
ImageVersion: -
OSVersion: 5.1
EntryPoint: 0x116040
UninitializedDataSize: 839680
InitializedDataSize: 73728
CodeSize: 299008
LinkerVersion: 12
PEType: PE32
ImageFileCharacteristics: Executable, 32-bit
TimeStamp: 2024:07:23 13:44:36+00:00
MachineType: Intel 386 or later, and compatibles
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
134
Monitored processes
4
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start goto opener.exe explorer.exe no specs COpenControlPanel no specs COpenControlPanel no specs

Process information

PID
CMD
Path
Indicators
Parent process
4624"C:\Users\admin\AppData\Local\Temp\GoTo Opener.exe" C:\Users\admin\AppData\Local\Temp\GoTo Opener.exe
explorer.exe
User:
admin
Company:
LogMeIn, Inc.
Integrity Level:
MEDIUM
Description:
GoTo Opener
Exit code:
0
Version:
1.0.0.568
Modules
Images
c:\users\admin\appdata\local\temp\goto opener.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\urlmon.dll
7020C:\WINDOWS\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -EmbeddingC:\Windows\explorer.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shcore.dll
628C:\WINDOWS\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}C:\Windows\SysWOW64\dllhost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
COM Surrogate
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ucrtbase.dll
c:\windows\syswow64\combase.dll
6476C:\WINDOWS\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}C:\Windows\SysWOW64\dllhost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
COM Surrogate
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ucrtbase.dll
c:\windows\syswow64\combase.dll
Total events
18 688
Read events
18 583
Write events
99
Delete events
6

Modification events

(PID) Process:(4624) GoTo Opener.exeKey:HKEY_CURRENT_USER\SOFTWARE\LogMeInInc\GoTo Opener
Operation:writeName:UUID
Value:
{3CC647AD-0C57-4B57-B174-FBABC2E7B89A}
(PID) Process:(7020) explorer.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation:writeName:NodeSlots
Value:
02020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202
(PID) Process:(7020) explorer.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation:writeName:MRUListEx
Value:
00000000040000000E00000003000000100000000F0000000C0000000D0000000B000000050000000A000000090000000800000001000000070000000600000002000000FFFFFFFF
(PID) Process:(7020) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar
Operation:writeName:Locked
Value:
1
(PID) Process:(7020) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel
Operation:writeName:AllItemsIconView
Value:
0
(PID) Process:(7020) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel
Operation:writeName:StartupPage
Value:
0
(PID) Process:(7020) explorer.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{0C3794F3-B545-43AA-A329-C37430C58D2A}
Operation:writeName:Rev
Value:
0
(PID) Process:(7020) explorer.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{0C3794F3-B545-43AA-A329-C37430C58D2A}
Operation:writeName:FFlags
Value:
18874369
(PID) Process:(7020) explorer.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{0C3794F3-B545-43AA-A329-C37430C58D2A}
Operation:writeName:Vid
Value:
{137E7700-3573-11CF-AE69-08002B2E1262}
(PID) Process:(7020) explorer.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{0C3794F3-B545-43AA-A329-C37430C58D2A}
Operation:writeName:Mode
Value:
4
Executable files
0
Suspicious files
0
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
4624GoTo Opener.exeC:\Users\admin\AppData\Local\Temp\LogMeInLogs\GoToOpener.logtext
MD5:7E60B01B6F2E37CE71087331715A0638
SHA256:DBB9F2E81563A869547B7D864E3725A6159FBF8456C47976CCD8333A71D14463
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
41
DNS requests
21
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
23.48.23.143:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1176
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA77flR%2B3w%2FxBpruV2lte6A%3D
unknown
whitelisted
3608
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
3608
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
5064
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
6012
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
6012
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4712
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
524
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
23.48.23.143:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
5064
SearchApp.exe
104.126.37.130:443
www.bing.com
Akamai International B.V.
DE
whitelisted
5064
SearchApp.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
4
System
192.168.100.255:138
whitelisted
1176
svchost.exe
20.190.159.73:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 20.73.194.208
whitelisted
google.com
  • 142.250.186.174
whitelisted
crl.microsoft.com
  • 23.48.23.143
  • 23.48.23.166
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
www.bing.com
  • 104.126.37.130
  • 104.126.37.170
  • 104.126.37.171
  • 104.126.37.129
  • 104.126.37.185
  • 104.126.37.154
  • 104.126.37.162
  • 104.126.37.128
  • 104.126.37.163
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 20.190.159.73
  • 20.190.159.23
  • 40.126.31.71
  • 20.190.159.68
  • 20.190.159.64
  • 20.190.159.2
  • 20.190.159.4
  • 20.190.159.0
whitelisted
go.microsoft.com
  • 23.35.238.131
whitelisted
r.bing.com
  • 104.126.37.146
  • 104.126.37.161
  • 104.126.37.145
  • 104.126.37.160
  • 104.126.37.152
  • 104.126.37.154
  • 104.126.37.130
  • 104.126.37.153
  • 104.126.37.139
whitelisted
fp.msedge.net
  • 204.79.197.222
whitelisted

Threats

No threats detected
Process
Message
GoTo Opener.exe
GoTo Opener.exe
C:\WINDOWS\system32\SSPICLI.DLL
GoTo Opener.exe
preLoadDllsFromSystem()
GoTo Opener.exe
C:\WINDOWS\system32\CRYPTBASE.DLL
GoTo Opener.exe
GoTo Opener.exe
setSafeDllSearchPath()
GoTo Opener.exe
GoTo Opener.exe
C:\WINDOWS\system32\MSVCRT.DLL
GoTo Opener.exe
C:\WINDOWS\system32\SECUR32.DLL
GoTo Opener.exe
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
GoTo Opener.exe