File name:	HopToDesk.exe
Full analysis:	https://app.any.run/tasks/b2efca46-1c5c-443d-a2a9-9c44e0fb2bcc
Verdict:	Malicious activity
Analysis date:	September 22, 2024 at 20:13:14
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	upx websocket
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5:	243F169D0AD5DF663A03E7E4C0F5D0A6
SHA1:	4DFE9EEC714216ED6A3EF8538F78B1A5C0185C76
SHA256:	A76BA1D5BEEEF80F32C00F56096EC1FD5BD1F769E5B0D40CF26632FAA424C825
SSDEEP:	98304:XVZQMjDFInxY1oPBbn9Lix8kQYP/T1XZzcndWOeNpr/6V47sJ/V/qi1T+o3CQZKt:ilE53covHu8B5i6pbwrF8b

.exe	\|	UPX compressed Win32 Executable (76)
.exe	\|	Win32 Executable (generic) (12.6)
.exe	\|	Generic Win/DOS Executable (5.6)
.exe	\|	DOS Executable Generic (5.6)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2024:09:02 15:50:56+00:00
ImageFileCharacteristics:	Executable, Large address aware, 32-bit
PEType:	PE32
LinkerVersion:	14.36
CodeSize:	7114752
InitializedDataSize:	24576
UninitializedDataSize:	10522624
EntryPoint:	0x10d24f0
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	1.42.4.0
ProductVersionNumber:	1.42.4.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	Begonia Holdings
ProductVersion:	1.42.4
LegalCopyright:	Copyright © 2024 Begonia Holdings. Copyright © 2024 Purslane Ltd.
FileVersion:	1.42.4
ProductName:	HopToDesk
FileDescription:	HopToDesk


(PID) Process:	(5512) HopToDesk.exe	Key:	HKEY_CLASSES_ROOT\HopToDesk
Operation:	write	Name:	URL Protocol
Value:
(PID) Process:	(4772) HopToDesk.exe	Key:	HKEY_CLASSES_ROOT\HopToDesk
Operation:	write	Name:	URL Protocol
Value:

PID	Process	Filename		Type
5512	HopToDesk.exe	C:\Users\admin\AppData\Roaming\HopToDesk\config\HopToDesk2.toml		text
		MD5:72A1676591A9B4C89CD3EAB7DC32C87F	SHA256:765574D3E8B6C0215BFC8AD81F1929C3A9D3AF1B5D0E030B92E7B15BF9D0C662
5512	HopToDesk.exe	C:\Users\admin\AppData\Roaming\HopToDesk\config\HopToDesk2.5512_ThreadId(1)_1727036012344140000		text
		MD5:72A1676591A9B4C89CD3EAB7DC32C87F	SHA256:765574D3E8B6C0215BFC8AD81F1929C3A9D3AF1B5D0E030B92E7B15BF9D0C662
5512	HopToDesk.exe	C:\Users\admin\AppData\Local\Temp\sciter.dll		executable
		MD5:FC2311CA280C197F5ED16DEF6D464B6B	SHA256:285F3E6A051A7C61845CD7E4D2120781B6BDF411239F70A85C65B38A52D38F28
5512	HopToDesk.exe	C:\Users\admin\AppData\Roaming\HopToDesk\config\HopToDesk.5512_ThreadId(17)_1727036012607726600		text
		MD5:A92E72ED1892EE948682244C6FC9E691	SHA256:1511423187001C29F74860F2D43951FB46970494F30BF64A30387CEF516EA064
5512	HopToDesk.exe	C:\Users\admin\AppData\Roaming\HopToDesk\config\HopToDesk.toml		text
		MD5:A92E72ED1892EE948682244C6FC9E691	SHA256:1511423187001C29F74860F2D43951FB46970494F30BF64A30387CEF516EA064
5512	HopToDesk.exe	C:\Users\admin\AppData\Roaming\HopToDesk\config\HopToDesk2.5512_ThreadId(15)_1727036021256559000		text
		MD5:39F8274E85048852165A0EBAEA3C42D5	SHA256:52532E0088DF73D9E0A8E772D13140B7E8EA952AC0762A59A8A88EDBBE64600E
5512	HopToDesk.exe	C:\Users\admin\AppData\Roaming\HopToDesk\config\HopToDesk.5512_ThreadId(15)_1727036021262140400		text
		MD5:9CCDD5252EC4E17EB4295A3EE6CAE744	SHA256:FC088B2214E2A7095477C94968AAD0452ED7E58E85EFE7181E222EDA18D1F6F7
5512	HopToDesk.exe	C:\Users\admin\AppData\Roaming\HopToDesk\config\HopToDesk.5512_ThreadId(15)_1727036021259934800		text
		MD5:4DEAD07539BF8180BBCE10F020753509	SHA256:07534FDA1791B99D024475AD395B7A8B0EF91EEF5C8E12613A65240B011EE4B4
5512	HopToDesk.exe	C:\Users\admin\AppData\Roaming\HopToDesk\config\HopToDesk.5512_ThreadId(18)_1727036021617247000		text
		MD5:41E5A8B747FC06ED084F2C5AA6779A8C	SHA256:BD18678D719939E5B8ECA9DD221570826C8A6E147ACBD653ACA2E0CC6B130F94

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5512	HopToDesk.exe	GET	101	45.77.249.125:80	http://signal.hoptodesk.com:80/?user=302627370	unknown	—	—	—
5512	HopToDesk.exe	GET	101	45.77.249.125:80	http://signal.hoptodesk.com:80/?user=302627370	unknown	—	—	—
5512	HopToDesk.exe	GET	101	45.77.249.125:80	http://signal.hoptodesk.com:80/?user=302627370	unknown	—	—	—
5512	HopToDesk.exe	GET	101	45.77.249.125:80	http://signal.hoptodesk.com:80/?user=302627370	unknown	—	—	—
5512	HopToDesk.exe	GET	101	45.77.249.125:80	http://signal.hoptodesk.com:80/?user=302627370	unknown	—	—	—
2120	MoUsoCoreWorker.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
1084	RUXIMICS.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	188.114.97.3:443	https://api.hoptodesk.com/	unknown	binary	845 b	—

PID	Process	IP	Domain	ASN	CN	Reputation
6900	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
3888	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
—	—	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
2120	MoUsoCoreWorker.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
1084	RUXIMICS.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
2120	MoUsoCoreWorker.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
5512	HopToDesk.exe	188.114.96.3:443	api.hoptodesk.com	CLOUDFLARENET	NL	unknown
4324	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208	whitelisted
google.com	142.250.74.206	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
api.hoptodesk.com	188.114.96.3 188.114.97.3	unknown
turn.hoptodesk.com	45.76.236.44	unknown
signal.hoptodesk.com	45.77.249.125	unknown

PID	Process	Class	Message
—	—	Not Suspicious Traffic	INFO [ANY.RUN] Websocket Upgrade Request
—	—	Not Suspicious Traffic	INFO [ANY.RUN] Websocket Upgrade Request
—	—	Not Suspicious Traffic	INFO [ANY.RUN] Websocket Upgrade Request
—	—	Not Suspicious Traffic	INFO [ANY.RUN] Websocket Upgrade Request
—	—	Not Suspicious Traffic	INFO [ANY.RUN] Websocket Upgrade Request

General Info

HopToDesk.exe

243F169D0AD5DF663A03E7E4C0F5D0A6

4DFE9EEC714216ED6A3EF8538F78B1A5C0185C76

A76BA1D5BEEEF80F32C00F56096EC1FD5BD1F769E5B0D40CF26632FAA424C825

98304:XVZQMjDFInxY1oPBbn9Lix8kQYP/T1XZzcndWOeNpr/6V47sJ/V/qi1T+o3CQZKt:ilE53covHu8B5i6pbwrF8b

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

Reads security settings of Internet Explorer

Suspicious use of NETSH.EXE

Application launched itself

Uses NETSH.EXE to add a firewall rule or allowed programs

Executable content was dropped or overwritten

Connects to unusual port

The process checks if it is being run in the virtual environment

INFO

Checks supported languages

Process checks computer location settings

The process uses the downloaded file

Reads the computer name

Create files in a temporary directory

Creates files or folders in the user directory

Reads the software policy settings

Reads the machine GUID from the registry

UPX packer has been detected

Attempting to connect via WebSocket

Checks proxy server information

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings