Malware analysis GoTo Webinar Opener.exe Malicious activity

Add for printing

File name:	GoTo Webinar Opener.exe
Full analysis:	https://app.any.run/tasks/5e72f88a-5aaa-4c95-89b1-b7aa09b94684
Verdict:	Malicious activity
Analysis date:	November 28, 2023, 12:50:54
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5:	5F4673F8F0429E70291B4358FDC8A7DF
SHA1:	2CA3247B0BE1AE0AE4F9511DD5E2415262F1F735
SHA256:	7F0E0CB674294C1A3CB532873D91B88F53DBB50A0F9A6431140E4F58B0EA5362
SSDEEP:	12288:cEG3KkIeZr+IJYTfS4bPFUmh/4fDvheqk02I17orhBaMBVDhdBVdy1t8hS0y:bG3NIeZr+IJYTfS4bPFUmCfjjk9I1eyD

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.19596 KB4534251
Adobe Acrobat Reader DC (20.013.20064)
Adobe Acrobat Reader DC (20.013.20064)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Refresh Manager (1.8.0)
Adobe Refresh Manager (1.8.0)
CCleaner (6.14)
CCleaner (6.14)
FileZilla 3.65.0 (3.65.0)
FileZilla 3.65.0 (3.65.0)
Google Chrome (109.0.5414.120)
Google Chrome (109.0.5414.120)
Google Update Helper (1.3.36.31)
Google Update Helper (1.3.36.31)
Java 8 Update 271 (8.0.2710.9)
Java 8 Update 271 (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Java Auto Updater (2.8.271.9)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft Edge (109.0.1518.115)
Microsoft Edge (109.0.1518.115)
Microsoft Edge Update (1.3.175.29)
Microsoft Edge Update (1.3.175.29)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x86 en-US) (115.0.2)
Mozilla Firefox (x86 en-US) (115.0.2)
Mozilla Maintenance Service (115.0.2)
Mozilla Maintenance Service (115.0.2)
Notepad++ (32-bit x86) (7.9.1)
Notepad++ (32-bit x86) (7.9.1)
PowerShell 7-x86 (7.2.11.0)
PowerShell 7-x86 (7.2.11.0)
Skype version 8.100 (8.100)
Skype version 8.100 (8.100)
Update for Microsoft .NET Framework 4.8 (KB4503575) (1)
Update for Microsoft .NET Framework 4.8 (KB4503575) (1)
VLC media player (3.0.11)
VLC media player (3.0.11)
WinRAR 5.91 (32-bit) (5.91.0)
WinRAR 5.91 (32-bit) (5.91.0)

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - GoTo Webinar Opener.exe (PID: 4048)
  - msiexec.exe (PID: 3136)
  - G2MCoreInstExtractor.exe (PID: 3924)
  - G2MInstaller.exe (PID: 1936)
- Registers / Runs the DLL via REGSVR32.EXE
  - g2mlauncher.exe (PID: 3632)
- Actions looks like stealing of personal data
  - g2mcomm.exe (PID: 2364)
- Steals credentials from Web Browsers
  - g2mcomm.exe (PID: 2364)
SUSPICIOUS
- Reads the Internet Settings
  - GoTo Webinar Opener.exe (PID: 4048)
  - G2MCoreInstExtractor.exe (PID: 3924)
  - g2mlauncher.exe (PID: 3632)
  - g2mcomm.exe (PID: 2364)
  - g2mui.exe (PID: 2904)
- Reads security settings of Internet Explorer
  - GoTo Webinar Opener.exe (PID: 4048)
- Checks Windows Trust Settings
  - GoTo Webinar Opener.exe (PID: 4048)
  - msiexec.exe (PID: 3136)
- Reads settings of System Certificates
  - GoTo Webinar Opener.exe (PID: 4048)
- Reads the Windows owner or organization settings
  - msiexec.exe (PID: 3136)
- Starts itself from another location
  - G2MInstaller.exe (PID: 1936)
- Uses RUNDLL32.EXE to load library
  - G2MInstaller.exe (PID: 1936)
- Connects to unusual port
  - g2mcomm.exe (PID: 2364)
- Executing commands from a ".bat" file
  - GoTo Webinar Opener.exe (PID: 4048)
- Starts CMD.EXE for commands execution
  - GoTo Webinar Opener.exe (PID: 4048)
INFO
- Checks proxy server information
  - GoTo Webinar Opener.exe (PID: 4048)
  - g2mlauncher.exe (PID: 3632)
  - g2mui.exe (PID: 2904)
  - g2mcomm.exe (PID: 2364)
- Checks supported languages
  - GoTo Webinar Opener.exe (PID: 4048)
  - msiexec.exe (PID: 3136)
  - G2MCoreInstExtractor.exe (PID: 3924)
  - G2MInstaller.exe (PID: 1936)
  - G2MInstaller.exe (PID: 2316)
  - wmpnscfg.exe (PID: 3160)
  - g2mstart.exe (PID: 3112)
  - g2mcomm.exe (PID: 2364)
  - g2mlauncher.exe (PID: 3632)
  - g2mui.exe (PID: 2904)
  - g2mvideoconference.exe (PID: 3544)
- Reads the machine GUID from the registry
  - GoTo Webinar Opener.exe (PID: 4048)
  - msiexec.exe (PID: 3136)
  - wmpnscfg.exe (PID: 3160)
  - g2mcomm.exe (PID: 2364)
  - g2mlauncher.exe (PID: 3632)
  - g2mvideoconference.exe (PID: 3544)
  - g2mui.exe (PID: 2904)
- Reads the computer name
  - GoTo Webinar Opener.exe (PID: 4048)
  - msiexec.exe (PID: 3136)
  - wmpnscfg.exe (PID: 3160)
  - G2MCoreInstExtractor.exe (PID: 3924)
  - G2MInstaller.exe (PID: 1936)
  - G2MInstaller.exe (PID: 2316)
  - g2mstart.exe (PID: 3112)
  - g2mcomm.exe (PID: 2364)
  - g2mlauncher.exe (PID: 3632)
  - g2mui.exe (PID: 2904)
  - g2mvideoconference.exe (PID: 3544)
- Create files in a temporary directory
  - GoTo Webinar Opener.exe (PID: 4048)
  - msiexec.exe (PID: 1128)
  - msiexec.exe (PID: 3136)
  - G2MCoreInstExtractor.exe (PID: 3924)
  - G2MInstaller.exe (PID: 1936)
  - g2mstart.exe (PID: 3112)
  - g2mcomm.exe (PID: 2364)
  - g2mlauncher.exe (PID: 3632)
- Process checks are UAC notifies on
  - GoTo Webinar Opener.exe (PID: 4048)
  - G2MCoreInstExtractor.exe (PID: 3924)
  - G2MInstaller.exe (PID: 1936)
  - g2mstart.exe (PID: 3112)
  - g2mcomm.exe (PID: 2364)
  - g2mlauncher.exe (PID: 3632)
  - g2mvideoconference.exe (PID: 3544)
  - g2mui.exe (PID: 2904)
- Creates files or folders in the user directory
  - GoTo Webinar Opener.exe (PID: 4048)
  - msiexec.exe (PID: 3136)
  - G2MInstaller.exe (PID: 1936)
- Manual execution by a user
  - wmpnscfg.exe (PID: 3160)
- Reads CPU info
  - g2mlauncher.exe (PID: 3632)
- Process checks computer location settings
  - g2mlauncher.exe (PID: 3632)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win64 Executable (generic) (28.6)
.exe	\|	UPX compressed Win32 Executable (28)
.exe	\|	Win32 EXE Yoda's Crypter (27.5)
.dll	\|	Win32 Dynamic Link Library (generic) (6.8)
.exe	\|	Win32 Executable (generic) (4.6)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2022:04:06 17:34:04+02:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	12
CodeSize:	299008
InitializedDataSize:	73728
UninitializedDataSize:	835584
EntryPoint:	0x115030
OSVersion:	5.1
ImageVersion:	-
SubsystemVersion:	5.1
Subsystem:	Windows GUI
FileVersionNumber:	1.0.0.562
ProductVersionNumber:	1.0.0.562
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Dynamic link library
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Windows, Latin1
CompanyName:	LogMeIn, Inc.
LegalCopyright:	Copyright © 2012-2022 LogMeIn, Inc.
ProductName:	GoTo Opener
FileDescription:	GoTo Opener
InternalName:	GoToOpener
OriginalFileName:	GoToOpener.exe
FileVersion:	1.0.0.562
ProductVersion:	1.0.0.562

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

1128

"C:\Windows\system32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\ACBB3E5C-40B9-4D4E-AC12-54FEFA0766BA\GoToOpener.msi" /q /lvx "C:\Users\admin\AppData\Local\Temp\LogMeInLogs\GoToOpenerMsi\ED127462-7011-43F6-ABA2-3866B9E4CF00.log"

C:\Windows\System32\msiexec.exe

—

GoTo Webinar Opener.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows® installer

Exit code:

Version:

5.0.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

1936

"C:\Users\admin\AppData\Local\Temp\0877E893-5F50-4C51-B71C-3CD046CE10C2\G2MInstaller.exe" "/Action Join" "/BrokerServiceSuffix @ISL1" "/DidInstall True" "/EGWAddress 23.239.230.255" "/EGWDNS egwglobal.gotomeeting.com" "/EGWPort 8200,80,443" "/MeetingID 191454259" "/Mode terse" "/UserID 8174141510497133917" "/UserRole attendee" "/betaEnabled true" "/buildNumber 19950" "/colClientUiReadyEvent Global\A93D52E3-B5B7-45FE-996A-7BE301F4384C" -delself "/locale en_US" "/productName g2m" "/sessionTrackingId e0-8l-gnksPlhxfqmW6oeA3rhBckPr-n" "/theme g2w"

C:\Users\admin\AppData\Local\Temp\0877E893-5F50-4C51-B71C-3CD046CE10C2\G2MInstaller.exe

—

G2MCoreInstExtractor.exe

User:

admin

Company:

LogMeIn, Inc.

Integrity Level:

MEDIUM

Description:

GoToMeeting

Exit code:

Version:

10.19.0 Build 19950

Modules

Images
c:\users\admin\appdata\local\temp\0877e893-5f50-4c51-b71c-3cd046ce10c2\g2minstaller.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\users\admin\appdata\local\temp\0877e893-5f50-4c51-b71c-3cd046ce10c2\g2m.dll

2316

"C:\Users\admin\AppData\Local\GoToMeeting\19950\G2MInstaller.exe" -noop

C:\Users\admin\AppData\Local\GoToMeeting\19950\G2MInstaller.exe

—

G2MInstaller.exe

User:

admin

Company:

LogMeIn, Inc.

Integrity Level:

MEDIUM

Description:

GoToMeeting

Exit code:

Version:

10.19.0 Build 19950

Modules

Images
c:\users\admin\appdata\local\gotomeeting\19950\g2minstaller.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\users\admin\appdata\local\gotomeeting\19950\g2m.dll

2364

"C:\Users\admin\AppData\Local\GoToMeeting\19950\g2mcomm.exe" "Action=Join&betaEnabled=true&BrokerServiceSuffix=@ISL1&buildNumber=19950&colClientUiReadyEvent=Global\A93D52E3-B5B7-45FE-996A-7BE301F4384C&DidInstall=True&Digest=40c43a9f50f4bebb9aadcc38ca75ba06&Dir=C:\Users\admin\AppData\Local\GoToMeeting\19950\&EGWAddress=23.239.230.255&EGWDNS=egwglobal.gotomeeting.com&EGWPort=8200,80,443&LoaderPath=C:\Users\admin\AppData\Local\GoToMeeting\19950\g2mstart.exe&locale=en_US&LogName=c:\users\admin\appdata\local\temp\logmeinlogs\gotomeeting\19950\2023-11-28_12.51.34.640\GoToMeeting.log&MeetingID=191454259&Mode=terse&Path=g2mlauncher.exe&Plugin=G2MLauncher&productName=g2m&sessionTrackingId=e0-8l-gnksPlhxfqmW6oeA3rhBckPr-n&theme=g2w&UniqueId=c28&UserID=8174141510497133917&UserRole=attendee"

C:\Users\admin\AppData\Local\GoToMeeting\19950\g2mcomm.exe

g2mstart.exe

User:

admin

Company:

LogMeIn, Inc.

Integrity Level:

MEDIUM

Description:

GoToMeeting

Exit code:

Version:

10.19.0 Build 19950

Modules

Images
c:\users\admin\appdata\local\gotomeeting\19950\g2mcomm.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\users\admin\appdata\local\gotomeeting\19950\g2m.dll

2448

C:\Windows\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\C4E7AEE6-B17E-47E3-A954-5C5479B46AEC.bat" "C:\Users\admin\Downloads\GoTo Webinar Opener.exe""

C:\Windows\System32\cmd.exe

—

GoTo Webinar Opener.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

2904

"C:\Users\admin\AppData\Local\GoToMeeting\19950\g2mui.exe" "StartID={1D78AF2D-FF74-4113-BF6B-CDA5F8F49C04}&Debug=Off&Stat=On&StatDb=On&Index=0"

C:\Users\admin\AppData\Local\GoToMeeting\19950\g2mui.exe

—

g2mcomm.exe

User:

admin

Company:

LogMeIn, Inc.

Integrity Level:

MEDIUM

Description:

GoToMeeting

Exit code:

Version:

10.19.0 Build 19950

Modules

Images
c:\users\admin\appdata\local\gotomeeting\19950\g2mui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\users\admin\appdata\local\gotomeeting\19950\g2m.dll

2996

rundll32.exe "C:\Users\admin\AppData\Local\Temp\0877E893-5F50-4C51-B71C-3CD046CE10C2\uninshlp.dll",DeleteExeAndDeleteSelf 8c9c1668-05f4-4236-bd74-99e81eeb561c

C:\Windows\System32\rundll32.exe

—

G2MInstaller.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows host process (Rundll32)

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll

3112

"C:\Users\admin\AppData\Local\GoToMeeting\19950\g2mstart.exe" "/Action Join" "/BrokerServiceSuffix @ISL1" "/DidInstall True" "/EGWAddress 23.239.230.255" "/EGWDNS egwglobal.gotomeeting.com" "/EGWPort 8200,80,443" "/MeetingID 191454259" "/Mode terse" "/UserID 8174141510497133917" "/UserRole attendee" "/betaEnabled true" "/buildNumber 19950" "/colClientUiReadyEvent Global\A93D52E3-B5B7-45FE-996A-7BE301F4384C" "/locale en_US" "/productName g2m" "/sessionTrackingId e0-8l-gnksPlhxfqmW6oeA3rhBckPr-n" "/theme g2w"

C:\Users\admin\AppData\Local\GoToMeeting\19950\g2mstart.exe

—

G2MInstaller.exe

User:

admin

Company:

LogMeIn, Inc.

Integrity Level:

MEDIUM

Description:

GoToMeeting

Exit code:

Version:

10.19.0 Build 19950

Modules

Images
c:\users\admin\appdata\local\gotomeeting\19950\g2mstart.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\users\admin\appdata\local\gotomeeting\19950\g2m.dll

3136

C:\Windows\system32\msiexec.exe /V

C:\Windows\System32\msiexec.exe

—

services.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Windows® installer

Exit code:

Version:

5.0.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

3160

"C:\Program Files\Windows Media Player\wmpnscfg.exe"

C:\Program Files\Windows Media Player\wmpnscfg.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Media Player Network Sharing Service Configuration Application

Exit code:

Version:

12.0.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ole32.dll

Add for printing

Total events

24 503

Read events

24 416

Write events

Delete events

Modification events


(PID) Process:	(4048) GoTo Webinar Opener.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:	write	Name:	ProxyEnable
Value: 0
(PID) Process:	(4048) GoTo Webinar Opener.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:	write	Name:	SavedLegacySettings
Value: 4600000059010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A8016B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(4048) GoTo Webinar Opener.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(4048) GoTo Webinar Opener.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(4048) GoTo Webinar Opener.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(4048) GoTo Webinar Opener.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(4048) GoTo Webinar Opener.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(4048) GoTo Webinar Opener.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(4048) GoTo Webinar Opener.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\17F\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US
(PID) Process:	(3136) msiexec.exe	Key:	HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000_CLASSES\Local Settings\MuiCache\17F\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
4048	GoTo Webinar Opener.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157		compressed
		MD5:1BFE591A4FE3D91B03CDF26EAACD8F89	SHA256:9CF94355051BF0F4A45724CA20D1CC02F76371B963AB7D1E38BD8997737B13D8
4048	GoTo Webinar Opener.exe	C:\Users\admin\AppData\Local\Temp\ACBB3E5C-40B9-4D4E-AC12-54FEFA0766BA\GoTo Opener.exe		executable
		MD5:FEA2B3E91246B031F5427E82084FD667	SHA256:AEB35E3BE12CA0292DEE4E87D477BDEA5D9F41BCC853C10D51207D0AC9E316C1
4048	GoTo Webinar Opener.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157		binary
		MD5:6366959C5BC36EDEEC8368FD1D88FA09	SHA256:59EEC42F3098274564DDD3623384437E042E669ABB8345CB2DB4D59A0AA2B204
4048	GoTo Webinar Opener.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\59D76868C250B3240414CE3EFBB12518_473C73009D25D3B712169065C1512FDA		binary
		MD5:611CA29126E13EAE0607D3976A9CA737	SHA256:D28475BFF7D2091E4392965E7A32F332834F483A5A0AF89D79A75ECE5BB02702
4048	GoTo Webinar Opener.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\GoToOpener[1].msi		executable
		MD5:F492835B151CDDD0F36AF61ABF1434D1	SHA256:B4124EEAA75ED0AEA5FA1E7D349687996D4F9962555DF7F19EAD759E01C3464A
4048	GoTo Webinar Opener.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62		binary
		MD5:678975C44DF40D42A520DA2B19252008	SHA256:C815A3410CA12F14EF7E48DCDEECC2C5CD3A7B41B5D07A5AD26609290AAD9665
4048	GoTo Webinar Opener.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62		binary
		MD5:D9C0567998BD307643C652A4A163DE44	SHA256:C5B6FCBD3A68B37F8C67B958AC47E0EA62FB8A84C3F568633CC799933764F69D
4048	GoTo Webinar Opener.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\59D76868C250B3240414CE3EFBB12518_473C73009D25D3B712169065C1512FDA		binary
		MD5:D6327AB60842FE5603947F4D5950C086	SHA256:9E987B3FC9454883AA17BC1E9D5D8694C54F1A42B2A6FA7C44733AD82DBEECF9
4048	GoTo Webinar Opener.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419		binary
		MD5:902A12B2767F21F22D690A93907F2D66	SHA256:A5EFDBAFA05FB26B8B92A206042894ADB4C38767F003B22C1D2F9E9CBF64F880
4048	GoTo Webinar Opener.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419		binary
		MD5:22D1A20CA9DC3AED3245A1C59F71DEE8	SHA256:CE837046B02AA2126F08ED4D68B1EA6DD7046693D71A674126B08A3F0A727FE1

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4048	GoTo Webinar Opener.exe	GET	200	184.24.77.194:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?c751d9d787a5b804	unknown	compressed	4.66 Kb	unknown
4048	GoTo Webinar Opener.exe	GET	200	184.24.77.194:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?e9ea7b4e18a95c43	unknown	compressed	4.66 Kb	unknown
4048	GoTo Webinar Opener.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAz1vQYrVgL0erhQLCPM8GY%3D	unknown	binary	471 b	unknown
1080	svchost.exe	GET	304	184.24.77.194:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?60b2f43ad8cf70d9	unknown	—	—	unknown
4048	GoTo Webinar Opener.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnxLiz3Fu1WB6n1%2FE6xWn1b0jXiQQUdIWAwGbH3zfez70pN6oDHb7tzRcCEAPSB3NzcJpWVuHKKfDXs2w%3D	unknown	binary	471 b	unknown
4048	GoTo Webinar Opener.exe	GET	200	108.138.2.107:80	http://o.ss2.us//MEowSDBGMEQwQjAJBgUrDgMCGgUABBSLwZ6EW5gdYc9UaSEaaLjjETNtkAQUv1%2B30c7dH4b0W1Ws3NcQwg6piOcCCQCnDkpMNIK3fw%3D%3D	unknown	binary	2.02 Kb	unknown
4048	GoTo Webinar Opener.exe	GET	200	18.66.142.79:80	http://ocsp.rootg2.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBSIfaREXmfqfJR3TkMYnD7O5MhzEgQUnF8A36oB1zArOIiiuG1KnPIRkYMCEwZ%2FlEoqJ83z%2BsKuKwH5CO65xMY%3D	unknown	binary	1.51 Kb	unknown
4048	GoTo Webinar Opener.exe	GET	200	18.66.142.79:80	http://ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwdzEjgLnWaIozse2b%2BczaaODg8%3D	unknown	binary	1.39 Kb	unknown
1080	svchost.exe	GET	200	184.24.77.194:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?20da42ca9bb40799	unknown	compressed	61.6 Kb	unknown
484	lsass.exe	GET	200	18.66.142.79:80	http://ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwdzEkpLy9ROx7U76vGUhC06D6E%3D	unknown	binary	1.39 Kb	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
868	svchost.exe	95.101.148.135:80	—	Akamai International B.V.	NL	unknown
4048	GoTo Webinar Opener.exe	23.239.230.239:443	launch.getgo.com	ORACLE-BMC-31898	US	unknown
4048	GoTo Webinar Opener.exe	184.24.77.194:80	ctldl.windowsupdate.com	Akamai International B.V.	DE	unknown
4048	GoTo Webinar Opener.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
1080	svchost.exe	184.24.77.194:80	ctldl.windowsupdate.com	Akamai International B.V.	DE	unknown
4048	GoTo Webinar Opener.exe	143.204.98.77:443	builds.cdn.getgo.com	AMAZON-02	US	unknown
4048	GoTo Webinar Opener.exe	108.138.2.107:80	o.ss2.us	AMAZON-02	US	whitelisted
4048	GoTo Webinar Opener.exe	18.66.142.79:80	ocsp.rootg2.amazontrust.com	AMAZON-02	US	unknown
4	System	192.168.100.255:138	—	—	—	whitelisted
868	svchost.exe	184.30.20.134:80	armmf.adobe.com	AKAMAI-AS	DE	unknown

DNS requests

Domain	IP	Reputation
launch.getgo.com	23.239.230.239	whitelisted
ctldl.windowsupdate.com	184.24.77.194 184.24.77.202	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
builds.cdn.getgo.com	143.204.98.77 143.204.98.123 143.204.98.120 143.204.98.95	shared
o.ss2.us	108.138.2.107 108.138.2.195 108.138.2.10 108.138.2.173	whitelisted
ocsp.rootg2.amazontrust.com	18.66.142.79	whitelisted
ocsp.rootca1.amazontrust.com	18.66.142.79	shared
armmf.adobe.com	184.30.20.134	whitelisted
egwglobal.gotomeeting.com	23.239.230.255	whitelisted
clientstream.launchdarkly.com	3.33.235.18 15.197.213.252	whitelisted

Threats

No threats detected

Add for printing

Process	Message
GoTo Webinar Opener.exe
GoTo Webinar Opener.exe	C:\Windows\system32\MSVCRT.DLL
GoTo Webinar Opener.exe	preLoadDllsFromSystem()
GoTo Webinar Opener.exe	setSafeDllSearchPath()
GoTo Webinar Opener.exe	C:\Windows\system32\BCRYPTPRIMITIVES.DLL
GoTo Webinar Opener.exe
GoTo Webinar Opener.exe
GoTo Webinar Opener.exe
GoTo Webinar Opener.exe	C:\Windows\system32\CRYPTBASE.DLL
GoTo Webinar Opener.exe	C:\Windows\system32\SECUR32.DLL

General Info

GoTo Webinar Opener.exe

5F4673F8F0429E70291B4358FDC8A7DF

2CA3247B0BE1AE0AE4F9511DD5E2415262F1F735

7F0E0CB674294C1A3CB532873D91B88F53DBB50A0F9A6431140E4F58B0EA5362

12288:cEG3KkIeZr+IJYTfS4bPFUmh/4fDvheqk02I17orhBaMBVDhdBVdy1t8hS0y:bG3NIeZr+IJYTfS4bPFUmCfjjk9I1eyD

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Registers / Runs the DLL via REGSVR32.EXE

Actions looks like stealing of personal data

Steals credentials from Web Browsers

SUSPICIOUS

Reads the Internet Settings

Reads security settings of Internet Explorer

Checks Windows Trust Settings

Reads settings of System Certificates

Reads the Windows owner or organization settings

Starts itself from another location

Uses RUNDLL32.EXE to load library

Connects to unusual port

Executing commands from a ".bat" file

Starts CMD.EXE for commands execution

INFO

Checks proxy server information

Checks supported languages

Reads the machine GUID from the registry

Reads the computer name

Create files in a temporary directory

Process checks are UAC notifies on

Creates files or folders in the user directory

Manual execution by a user

Reads CPU info

Process checks computer location settings

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings