Malware analysis GoToMeeting Opener.exe Malicious activity

Add for printing

File name:	GoToMeeting Opener.exe
Full analysis:	https://app.any.run/tasks/e081d048-631c-4690-809b-55aa401c75f8
Verdict:	Malicious activity
Analysis date:	March 11, 2024, 10:28:09
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5:	12A88E33273F8E8137CB3CFD1737E3D3
SHA1:	D883C061CF75F67D7AD4FC05A883F714128A95E8
SHA256:	9E8B4728254A459B9E25EFCDA0EA25CA3E1388594984AC76E177E7C7E134FC6D
SSDEEP:	12288:oX3lnSgpZQ9sLx+sA1o+5bh60C7DrhDaMBVRhdBVqy1m8hSRR:oX3lRpusLx+sA1o6N60Cky1mB

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: off
Network:: on

Software preset

Internet Explorer 11.0.9600.19596 KB4534251
Adobe Acrobat Reader DC (20.013.20064)
Adobe Acrobat Reader DC (20.013.20064)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Refresh Manager (1.8.0)
Adobe Refresh Manager (1.8.0)
CCleaner (6.14)
CCleaner (6.14)
FileZilla 3.65.0 (3.65.0)
FileZilla 3.65.0 (3.65.0)
Google Chrome (109.0.5414.120)
Google Chrome (109.0.5414.120)
Google Update Helper (1.3.36.31)
Google Update Helper (1.3.36.31)
Java 8 Update 271 (8.0.2710.9)
Java 8 Update 271 (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Java Auto Updater (2.8.271.9)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft Edge (109.0.1518.115)
Microsoft Edge (109.0.1518.115)
Microsoft Edge Update (1.3.175.29)
Microsoft Edge Update (1.3.175.29)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x86 en-US) (115.0.2)
Mozilla Firefox (x86 en-US) (115.0.2)
Mozilla Maintenance Service (115.0.2)
Mozilla Maintenance Service (115.0.2)
Notepad++ (32-bit x86) (7.9.1)
Notepad++ (32-bit x86) (7.9.1)
PowerShell 7-x86 (7.2.11.0)
PowerShell 7-x86 (7.2.11.0)
Skype version 8.110 (8.110)
Skype version 8.110 (8.110)
Update for Microsoft .NET Framework 4.8 (KB4503575) (1)
Update for Microsoft .NET Framework 4.8 (KB4503575) (1)
VLC media player (3.0.11)
VLC media player (3.0.11)
WinRAR 5.91 (32-bit) (5.91.0)
WinRAR 5.91 (32-bit) (5.91.0)

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - GoToMeeting Opener.exe (PID: 3668)
  - G2MCoreInstExtractor.exe (PID: 3460)
  - G2MInstaller.exe (PID: 2340)
- Registers / Runs the DLL via REGSVR32.EXE
  - g2mlauncher.exe (PID: 3912)
- Changes the autorun value in the registry
  - g2mlauncher.exe (PID: 3912)
- Actions looks like stealing of personal data
  - g2mcomm.exe (PID: 2420)
- Steals credentials from Web Browsers
  - g2mcomm.exe (PID: 2420)
SUSPICIOUS
- Reads the Internet Settings
  - GoToMeeting Opener.exe (PID: 3668)
  - G2MCoreInstExtractor.exe (PID: 3460)
  - g2mlauncher.exe (PID: 3912)
  - g2mcomm.exe (PID: 2420)
- Reads security settings of Internet Explorer
  - GoToMeeting Opener.exe (PID: 3668)
  - G2MCoreInstExtractor.exe (PID: 3460)
- Executable content was dropped or overwritten
  - GoToMeeting Opener.exe (PID: 3668)
  - G2MCoreInstExtractor.exe (PID: 3460)
  - G2MInstaller.exe (PID: 2340)
- Checks Windows Trust Settings
  - GoToMeeting Opener.exe (PID: 3668)
- Reads settings of System Certificates
  - GoToMeeting Opener.exe (PID: 3668)
  - g2mcomm.exe (PID: 2420)
- Starts itself from another location
  - G2MInstaller.exe (PID: 2340)
- Uses RUNDLL32.EXE to load library
  - G2MInstaller.exe (PID: 2340)
- Creates a software uninstall entry
  - G2MInstaller.exe (PID: 2340)
- Changes Internet Explorer settings (feature browser emulation)
  - g2mlauncher.exe (PID: 3912)
- Executing commands from a ".bat" file
  - GoToMeeting Opener.exe (PID: 3668)
- Connects to unusual port
  - g2mcomm.exe (PID: 2420)
- Starts CMD.EXE for commands execution
  - GoToMeeting Opener.exe (PID: 3668)
INFO
- Create files in a temporary directory
  - GoToMeeting Opener.exe (PID: 3668)
  - G2MCoreInstExtractor.exe (PID: 3460)
  - G2MInstaller.exe (PID: 2340)
  - g2mlauncher.exe (PID: 3912)
  - g2mstart.exe (PID: 3092)
  - g2mcomm.exe (PID: 2420)
- Reads the computer name
  - GoToMeeting Opener.exe (PID: 3668)
  - wmpnscfg.exe (PID: 1040)
  - G2MCoreInstExtractor.exe (PID: 3460)
  - G2MInstaller.exe (PID: 2340)
  - G2MInstaller.exe (PID: 2580)
  - g2mstart.exe (PID: 3092)
  - g2mcomm.exe (PID: 2420)
  - g2mlauncher.exe (PID: 3912)
- Checks supported languages
  - GoToMeeting Opener.exe (PID: 3668)
  - G2MCoreInstExtractor.exe (PID: 3460)
  - wmpnscfg.exe (PID: 1040)
  - G2MInstaller.exe (PID: 2340)
  - G2MInstaller.exe (PID: 2580)
  - g2mstart.exe (PID: 3092)
  - g2mcomm.exe (PID: 2420)
  - g2mlauncher.exe (PID: 3912)
- Checks proxy server information
  - GoToMeeting Opener.exe (PID: 3668)
  - g2mlauncher.exe (PID: 3912)
  - g2mcomm.exe (PID: 2420)
- Process checks whether UAC notifications are on
  - GoToMeeting Opener.exe (PID: 3668)
  - G2MCoreInstExtractor.exe (PID: 3460)
  - G2MInstaller.exe (PID: 2340)
  - g2mstart.exe (PID: 3092)
  - g2mcomm.exe (PID: 2420)
  - g2mlauncher.exe (PID: 3912)
- Reads the software policy settings
  - GoToMeeting Opener.exe (PID: 3668)
  - g2mcomm.exe (PID: 2420)
- Reads the machine GUID from the registry
  - GoToMeeting Opener.exe (PID: 3668)
  - g2mcomm.exe (PID: 2420)
  - g2mlauncher.exe (PID: 3912)
- Creates files or folders in the user directory
  - GoToMeeting Opener.exe (PID: 3668)
  - G2MInstaller.exe (PID: 2340)
  - g2mlauncher.exe (PID: 3912)
- Manual execution by a user
  - wmpnscfg.exe (PID: 1040)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win64 Executable (generic) (30.7)
.exe	\|	UPX compressed Win32 Executable (30.1)
.exe	\|	Win32 EXE Yoda's Crypter (29.5)
.exe	\|	Win32 Executable (generic) (5)
.exe	\|	Generic Win/DOS Executable (2.2)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2021:04:21 15:35:25+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	12
CodeSize:	299008
InitializedDataSize:	73728
UninitializedDataSize:	823296
EntryPoint:	0x1118a0
OSVersion:	5.1
ImageVersion:	-
SubsystemVersion:	5.1
Subsystem:	Windows GUI
FileVersionNumber:	1.0.0.544
ProductVersionNumber:	1.0.0.544
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Dynamic link library
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Windows, Latin1
CompanyName:	LogMeIn, Inc.
LegalCopyright:	Copyright © 2012-2021 LogMeIn, Inc.
ProductName:	GoTo Opener
FileDescription:	GoTo Opener
InternalName:	GoToOpener
OriginalFileName:	GoToOpener.exe
FileVersion:	1.0.0.544
ProductVersion:	1.0.0.544

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

1040

"C:\Program Files\Windows Media Player\wmpnscfg.exe"

C:\Program Files\Windows Media Player\wmpnscfg.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Media Player Network Sharing Service Configuration Application

Exit code:

Version:

12.0.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

1404

C:\Windows\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\6315B81D-51F5-49D0-AA38-A6D01074A9D7.bat" "C:\Users\admin\AppData\Local\Temp\GoToMeeting Opener.exe""

C:\Windows\System32\cmd.exe

—

GoToMeeting Opener.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

2340

"C:\Users\admin\AppData\Local\Temp\CD643EC8-1A72-49F7-AD2A-90EACE9F00BF\G2MInstaller.exe" "/Action Host" "/Defaults 831" "/DidInstall True" "/EGWAddress 216.115.208.230" "/EGWDNS egwglobal.gotomeeting.com" "/EGWPort 80,443,8200" "/MeetingEnabled true" "/Mode normal" "/Product g2m" "/colClientUiReadyEvent Global\CA62CB33-4924-44E2-B403-0C5FC180E799" -delself "/env live" "/sessionTrackingId clsInstall-332b7dc5-0f24-4761-82dc-e8302b0724c0"

C:\Users\admin\AppData\Local\Temp\CD643EC8-1A72-49F7-AD2A-90EACE9F00BF\G2MInstaller.exe

G2MCoreInstExtractor.exe

User:

admin

Company:

LogMeIn, Inc.

Integrity Level:

MEDIUM

Description:

GoToMeeting

Exit code:

Version:

10.15.0 Build 19228

Modules

Images
c:\users\admin\appdata\local\temp\cd643ec8-1a72-49f7-ad2a-90eace9f00bf\g2minstaller.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\users\admin\appdata\local\temp\cd643ec8-1a72-49f7-ad2a-90eace9f00bf\g2m.dll

2420

"C:\Users\admin\AppData\Local\GoToMeeting\19228\g2mcomm.exe" "Action=Host&colClientUiReadyEvent=Global\CA62CB33-4924-44E2-B403-0C5FC180E799&Defaults=831&DidInstall=True&Digest=e04ce44cea574792757aca25765dc1d9&Dir=C:\Users\admin\AppData\Local\GoToMeeting\19228\&EGWAddress=216.115.208.230&EGWDNS=egwglobal.gotomeeting.com&EGWPort=80,443,8200&env=live&LoaderPath=C:\Users\admin\AppData\Local\GoToMeeting\19228\g2mstart.exe&LogName=c:\users\admin\appdata\local\temp\logmeinlogs\gotomeeting\19228\2024-03-11_10.28.37.794\GoToMeeting.log&MeetingEnabled=true&Mode=normal&Path=g2mlauncher.exe&Plugin=G2MLauncher&Product=g2m&sessionTrackingId=clsInstall-332b7dc5-0f24-4761-82dc-e8302b0724c0&UniqueId=c14"

C:\Users\admin\AppData\Local\GoToMeeting\19228\g2mcomm.exe

g2mstart.exe

User:

admin

Company:

LogMeIn, Inc.

Integrity Level:

MEDIUM

Description:

GoToMeeting

Exit code:

Version:

10.15.0 Build 19228

Modules

Images
c:\users\admin\appdata\local\gotomeeting\19228\g2mcomm.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\users\admin\appdata\local\gotomeeting\19228\g2m.dll

2572

rundll32.exe "C:\Users\admin\AppData\Local\Temp\CD643EC8-1A72-49F7-AD2A-90EACE9F00BF\uninshlp.dll",DeleteExeAndDeleteSelf 4a11cabe-b9a2-4fd5-b17e-9a9fdbc8056e

C:\Windows\System32\rundll32.exe

—

G2MInstaller.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows host process (Rundll32)

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll

2580

"C:\Users\admin\AppData\Local\GoToMeeting\19228\G2MInstaller.exe" -noop

C:\Users\admin\AppData\Local\GoToMeeting\19228\G2MInstaller.exe

—

G2MInstaller.exe

User:

admin

Company:

LogMeIn, Inc.

Integrity Level:

MEDIUM

Description:

GoToMeeting

Exit code:

Version:

10.15.0 Build 19228

Modules

Images
c:\users\admin\appdata\local\gotomeeting\19228\g2minstaller.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\users\admin\appdata\local\gotomeeting\19228\g2m.dll

3092

"C:\Users\admin\AppData\Local\GoToMeeting\19228\g2mstart.exe" "/Action Host" "/Defaults 831" "/DidInstall True" "/EGWAddress 216.115.208.230" "/EGWDNS egwglobal.gotomeeting.com" "/EGWPort 80,443,8200" "/MeetingEnabled true" "/Mode normal" "/Product g2m" "/colClientUiReadyEvent Global\CA62CB33-4924-44E2-B403-0C5FC180E799" "/env live" "/sessionTrackingId clsInstall-332b7dc5-0f24-4761-82dc-e8302b0724c0"

C:\Users\admin\AppData\Local\GoToMeeting\19228\g2mstart.exe

—

G2MInstaller.exe

User:

admin

Company:

LogMeIn, Inc.

Integrity Level:

MEDIUM

Description:

GoToMeeting

Exit code:

Version:

10.15.0 Build 19228

Modules

Images
c:\users\admin\appdata\local\gotomeeting\19228\g2mstart.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\users\admin\appdata\local\gotomeeting\19228\g2m.dll

3460

"C:\Users\admin\AppData\Local\Temp\CD643EC8-1A72-49F7-AD2A-90EACE9F00BF\G2MCoreInstExtractor.exe" "/Action Host" "/Defaults 831" "/EGWAddress 216.115.208.230" "/EGWDNS egwglobal.gotomeeting.com" "/EGWPort 80,443,8200" "/MeetingEnabled true" "/Mode normal" "/Product g2m" "/colClientUiReadyEvent Global\CA62CB33-4924-44E2-B403-0C5FC180E799" "/env live" "/sessionTrackingId clsInstall-332b7dc5-0f24-4761-82dc-e8302b0724c0"

C:\Users\admin\AppData\Local\Temp\CD643EC8-1A72-49F7-AD2A-90EACE9F00BF\G2MCoreInstExtractor.exe

GoToMeeting Opener.exe

User:

admin

Company:

LogMeIn, Inc.

Integrity Level:

MEDIUM

Description:

GoToMeeting Installer Extractor

Exit code:

Version:

10.15.0 Build 19228

Modules

Images
c:\users\admin\appdata\local\temp\cd643ec8-1a72-49f7-ad2a-90eace9f00bf\g2mcoreinstextractor.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll

3668

"C:\Users\admin\AppData\Local\Temp\GoToMeeting Opener.exe"

C:\Users\admin\AppData\Local\Temp\GoToMeeting Opener.exe

explorer.exe

User:

admin

Company:

LogMeIn, Inc.

Integrity Level:

MEDIUM

Description:

GoTo Opener

Exit code:

Version:

1.0.0.544

Modules

Images
c:\users\admin\appdata\local\temp\gotomeeting opener.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

3912

"C:\Users\admin\AppData\Local\GoToMeeting\19228\g2mlauncher.exe" "StartID={F3580263-C43F-463F-AFE3-6EFBAD76BEE2}&Debug=Off&Stat=On&StatDb=On&Index=0"

C:\Users\admin\AppData\Local\GoToMeeting\19228\g2mlauncher.exe

g2mcomm.exe

User:

admin

Company:

LogMeIn, Inc.

Integrity Level:

MEDIUM

Description:

GoToMeeting

Exit code:

Version:

10.15.0 Build 19228

Modules

Images
c:\users\admin\appdata\local\gotomeeting\19228\g2mlauncher.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\users\admin\appdata\local\gotomeeting\19228\g2m.dll

Add for printing

Total events

26 214

Read events

25 948

Write events

243

Delete events

Modification events


(PID) Process:	(3668) GoToMeeting Opener.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:	write	Name:	ProxyEnable
Value: 0
(PID) Process:	(3668) GoToMeeting Opener.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:	delete value	Name:	ProxyServer
Value:
(PID) Process:	(3668) GoToMeeting Opener.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:	delete value	Name:	ProxyOverride
Value:
(PID) Process:	(3668) GoToMeeting Opener.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:	delete value	Name:	AutoConfigURL
Value:
(PID) Process:	(3668) GoToMeeting Opener.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:	delete value	Name:	AutoDetect
Value:
(PID) Process:	(3668) GoToMeeting Opener.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:	write	Name:	SavedLegacySettings
Value: 460000005C010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A8016B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(3668) GoToMeeting Opener.exe	Key:	HKEY_CURRENT_USER\Software\LogMeInInc\GoTo Opener
Operation:	write	Name:	UUID
Value: {138C6CA6-0E5B-4696-9AF3-A51C854FDB86}
(PID) Process:	(3668) GoToMeeting Opener.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(3668) GoToMeeting Opener.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(3668) GoToMeeting Opener.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
3668	GoToMeeting Opener.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157		binary
		MD5:87FD3FB7961B3FF5A38184F77F98C426	SHA256:A7CAF4190800558B7E1F110C4B2CD190D98360933FFFFF271958614BE3E83C1F
3668	GoToMeeting Opener.exe	C:\Users\admin\AppData\Local\Temp\BBA65B53-8B82-4460-BBC6-A812A81F0EB7\GoTo Opener.exe		executable
		MD5:E2620CC8D8834F867D4805FBE10D29E6	SHA256:F0E58AB2FCDFAD3E757653EF684109EE525BDFBC817E845DD8925CED4CF393BD
3668	GoToMeeting Opener.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62		der
		MD5:220BC8F796C5AA021F85AA60FA47A9E5	SHA256:74EB3F2B46733EA2246AFE1941C3DB831E4EA9C59D5A22BF15E4142DE52DE87A
3460	G2MCoreInstExtractor.exe	C:\Users\admin\AppData\Local\Temp\CD643EC8-1A72-49F7-AD2A-90EACE9F00BF\G2M.Dll		—
		MD5:—	SHA256:—
3668	GoToMeeting Opener.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894		binary
		MD5:0C8439923F749C3DF10BBC4333E9B521	SHA256:E21B4BE922282AB191263FF18D4F0202888A331A07038D6B40D4EECEE0572CAA
3668	GoToMeeting Opener.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\75CA58072B9926F763A91F0CC2798706_056B48C93C4964C2E64C0A8958238656		der
		MD5:F35066A32F2181D0AE2D5090FBE83586	SHA256:91930D635093CE347E13477EEADDCDF1595F1E2AEE4A7FBD5F87A0B1C0BB4357
3668	GoToMeeting Opener.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\75CA58072B9926F763A91F0CC2798706_056B48C93C4964C2E64C0A8958238656		binary
		MD5:36BBD0BEFBA1BE5ABC1631E6D5DC4A23	SHA256:746D7288A5CEA2B82CBC4A6DACC6D004F1C9EA05CF9A7190BD57AC2441E91EE7
3668	GoToMeeting Opener.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419		der
		MD5:36A07379AD0F0D48A715ABF3FA602187	SHA256:1F6F1058ED39F9876ECA43731DDC3780422D032ADE3F9ADAFDAF10C361442EA2
3668	GoToMeeting Opener.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\59D76868C250B3240414CE3EFBB12518_473C73009D25D3B712169065C1512FDA		binary
		MD5:D837D6B560117C6748710516E311C9FE	SHA256:24E84AF22614A5CDB9F23B3EC145F855F26FEEB5452ADE1357F301E225A25ABA
3668	GoToMeeting Opener.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62		binary
		MD5:D6AA5869CD10151D32251690A8644E59	SHA256:033B85C630911387C814B0C7DF936FFBF54FAF31528ED1658EF38277B2630C70

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3668	GoToMeeting Opener.exe	GET	304	23.223.28.54:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?c41d92d6b09abc02	unknown	—	—	unknown
3668	GoToMeeting Opener.exe	GET	304	23.223.28.54:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?54637f8936655088	unknown	—	—	unknown
3668	GoToMeeting Opener.exe	GET	200	108.138.2.107:80	http://o.ss2.us//MEowSDBGMEQwQjAJBgUrDgMCGgUABBSLwZ6EW5gdYc9UaSEaaLjjETNtkAQUv1%2B30c7dH4b0W1Ws3NcQwg6piOcCCQCnDkpMNIK3fw%3D%3D	unknown	binary	2.02 Kb	unknown
3668	GoToMeeting Opener.exe	GET	200	18.245.39.64:80	http://ocsp.rootg2.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBSIfaREXmfqfJR3TkMYnD7O5MhzEgQUnF8A36oB1zArOIiiuG1KnPIRkYMCEwZ%2FlEoqJ83z%2BsKuKwH5CO65xMY%3D	unknown	binary	1.49 Kb	unknown
3668	GoToMeeting Opener.exe	GET	200	18.245.39.64:80	http://ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwdzEkpLy9ROx7U76vGUhC06D6E%3D	unknown	binary	1.37 Kb	unknown
3668	GoToMeeting Opener.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAz1vQYrVgL0erhQLCPM8GY%3D	unknown	binary	471 b	unknown
3668	GoToMeeting Opener.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnxLiz3Fu1WB6n1%2FE6xWn1b0jXiQQUdIWAwGbH3zfez70pN6oDHb7tzRcCEAPSB3NzcJpWVuHKKfDXs2w%3D	unknown	binary	471 b	unknown
1080	svchost.exe	GET	304	23.223.28.54:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?624d1ab720bef5f8	unknown	compressed	67.5 Kb	unknown
1080	svchost.exe	GET	200	23.223.28.54:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?0754c686571bd23f	unknown	compressed	67.5 Kb	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	224.0.0.252:5355	—	—	—	unknown
4	System	192.168.100.255:138	—	—	—	whitelisted
3668	GoToMeeting Opener.exe	23.239.230.239:443	launch.getgo.com	ORACLE-BMC-31898	US	unknown
3668	GoToMeeting Opener.exe	18.173.187.104:443	builds.cdn.getgo.com	—	US	unknown
3668	GoToMeeting Opener.exe	23.223.28.54:80	ctldl.windowsupdate.com	Akamai International B.V.	US	unknown
3668	GoToMeeting Opener.exe	108.138.2.107:80	o.ss2.us	AMAZON-02	US	whitelisted
3668	GoToMeeting Opener.exe	18.245.39.64:80	ocsp.rootg2.amazontrust.com	—	US	unknown
3668	GoToMeeting Opener.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
1080	svchost.exe	224.0.0.252:5355	—	—	—	unknown

DNS requests

Domain	IP	Reputation
launch.getgo.com	23.239.230.239	whitelisted
join.servers.getgo.com	—	unknown
builds.cdn.getgo.com	18.173.187.104 18.173.187.110 18.173.187.127 18.173.187.102	shared
ctldl.windowsupdate.com	23.223.28.54 23.223.28.48	whitelisted
o.ss2.us	108.138.2.107 108.138.2.10 108.138.2.195 108.138.2.173	whitelisted
ocsp.rootg2.amazontrust.com	18.245.39.64	whitelisted
ocsp.rootca1.amazontrust.com	18.245.39.64	shared
ocsp.digicert.com	192.229.221.95	whitelisted
egwglobal.gotomeeting.com	173.199.10.247	whitelisted

Threats

No threats detected

Add for printing

Process	Message
GoToMeeting Opener.exe	setSafeDllSearchPath()
GoToMeeting Opener.exe	preLoadDllsFromSystem()
GoToMeeting Opener.exe	C:\Windows\system32\MSVCRT.DLL
GoToMeeting Opener.exe
GoToMeeting Opener.exe	C:\Windows\system32\BCRYPTPRIMITIVES.DLL
GoToMeeting Opener.exe
GoToMeeting Opener.exe	C:\Windows\system32\CRYPTBASE.DLL
GoToMeeting Opener.exe
GoToMeeting Opener.exe	C:\Windows\system32\SECUR32.DLL
GoToMeeting Opener.exe

General Info

GoToMeeting Opener.exe

12A88E33273F8E8137CB3CFD1737E3D3

D883C061CF75F67D7AD4FC05A883F714128A95E8

9E8B4728254A459B9E25EFCDA0EA25CA3E1388594984AC76E177E7C7E134FC6D

12288:oX3lnSgpZQ9sLx+sA1o+5bh60C7DrhDaMBVRhdBVqy1m8hSRR:oX3lRpusLx+sA1o6N60Cky1mB

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Registers / Runs the DLL via REGSVR32.EXE

Changes the autorun value in the registry

Actions looks like stealing of personal data

Steals credentials from Web Browsers

SUSPICIOUS

Reads the Internet Settings

Reads security settings of Internet Explorer

Executable content was dropped or overwritten

Checks Windows Trust Settings

Reads settings of System Certificates

Starts itself from another location

Uses RUNDLL32.EXE to load library

Creates a software uninstall entry

Changes Internet Explorer settings (feature browser emulation)

Executing commands from a ".bat" file

Connects to unusual port

Starts CMD.EXE for commands execution

INFO

Create files in a temporary directory

Reads the computer name

Checks supported languages

Checks proxy server information

Process checks whether UAC notifications are on

Reads the software policy settings

Reads the machine GUID from the registry

Creates files or folders in the user directory

Manual execution by a user

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings