File name: g.exe

Full analysis: https://app.any.run/tasks/a23e6181-50d4-43d4-889f-83aeef130bf2
Verdict: Malicious activity
Analysis date: December 05, 2024, 17:25:52
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
gotohttp
hacktool
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5: 9C2AEB99843094262E5038FD152A7DB1
SHA1: 7596F6274F2AC19D4D1DF5A718A561ACFD730D3C
SHA256: B1A74465A8C446D1B86D5984DEFDC18C9C06AD6107B7EB147F37DF9B78CDA104
SSDEEP: 98304:FOhQz1oKxRDaDLSPpegYgVbEwhTs0+VyVK:gz

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • GOTOHTTP has been found

      • g.exe (PID: 6624)
      • g.exe (PID: 6648)
      • g.exe (PID: 6676)
    • GOTOHTTP mutex has been found

      • g.exe (PID: 6676)
      • g.exe (PID: 6648)
  • SUSPICIOUS

    • Executes as Windows Service

      • g.exe (PID: 6648)
    • Application launched itself

      • g.exe (PID: 6648)
  • INFO

    • Reads the computer name

      • g.exe (PID: 6624)
      • g.exe (PID: 6648)
      • g.exe (PID: 6676)
    • Checks supported languages

      • g.exe (PID: 6624)
      • g.exe (PID: 6648)
      • g.exe (PID: 6676)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:05:11 01:53:45+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 2151424
InitializedDataSize: 672768
UninitializedDataSize: -
EntryPoint: 0x1c5cff
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 10.2.0.1925
ProductVersionNumber: 10.2.0.1925
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Pingbo Inc
FileDescription: GotoHTTP
FileVersion: 10.2.0.1925
InternalName: GotoHTTP
LegalCopyright: Copyright 2018-2024 Pingbo Inc
OriginalFileName: GotoHTTP.exe
ProductName: GotoHTTP
ProductVersion: 10.2.0.1925
No data.
All screenshots are available in the full report
Total processes: 121
Monitored processes: 4
Malicious processes: 3
Suspicious processes: 0

Behavior graph

[Behavior graph (interactive view in the full report): start; g.exe #GOTOHTTP; g.exe #GOTOHTTP (no specs); g.exe #GOTOHTTP; g.exe (no specs)]

Process information

PID: 6492
CMD: "C:\Users\admin\Desktop\g.exe"
Path: C:\Users\admin\Desktop\g.exe
Parent process: explorer.exe
User: admin
Company: Pingbo Inc
Integrity Level: MEDIUM
Description: GotoHTTP
Exit code: 3221226540
Version: 10.2.0.1925
Modules (images):
  • c:\users\admin\desktop\g.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll

PID: 6624
CMD: "C:\Users\admin\Desktop\g.exe"
Path: C:\Users\admin\Desktop\g.exe
Parent process: explorer.exe
User: admin
Company: Pingbo Inc
Integrity Level: HIGH
Description: GotoHTTP
Exit code: 0
Version: 10.2.0.1925
Modules (images):
  • c:\users\admin\desktop\g.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\ws2_32.dll

PID: 6648
CMD: "C:\Users\admin\Desktop\g.exe" service
Path: C:\Users\admin\Desktop\g.exe
Parent process: services.exe
User: SYSTEM
Company: Pingbo Inc
Integrity Level: SYSTEM
Description: GotoHTTP
Version: 10.2.0.1925
Modules (images):
  • c:\users\admin\desktop\g.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\ws2_32.dll
  • c:\windows\syswow64\rpcrt4.dll

PID: 6676
CMD: "C:\Users\admin\Desktop\g.exe" Global\GotoHTTP_1
Path: C:\Users\admin\Desktop\g.exe
Parent process: g.exe
User: SYSTEM
Company: Pingbo Inc
Integrity Level: SYSTEM
Description: GotoHTTP
Version: 10.2.0.1925
Modules (images):
  • c:\users\admin\desktop\g.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\ws2_32.dll
  • c:\windows\syswow64\rpcrt4.dll
Total events: 290
Read events: 289
Write events: 1
Delete events: 0

Modification events

(PID) Process: (6624) g.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation: write
Name: SoftwareSASGeneration
Value: 1
Executable files: 0
Suspicious files: 0
Text files: 1
Unknown types: 0

Dropped files

PID: 6676
Process: g.exe
Filename: C:\Users\admin\Desktop\gotohttp.ini
Type: text
MD5: D35E52D791DA98679F8AE07FCD931729
SHA256: 8D67FD59B92399F7CC34CA04B42D05537BCEF371517761733ECFD8BDB850BD58
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 7
TCP/UDP connections: 56
DNS requests: 12
Threats: 0

HTTP requests

Columns: Method | HTTP Code | IP | URL | CN | Type | Size | Reputation (a "-" marks a cell left empty in the report)

PID 3568 (svchost.exe):
  • GET | 200 | 23.216.77.14:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
PID 4712 (MoUsoCoreWorker.exe):
  • GET | 200 | 23.216.77.14:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
  • GET | 200 | 23.37.237.227:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
PID 3568 (svchost.exe):
  • GET | 200 | 23.37.237.227:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
No PID / process listed in the report:
  • GET | 200 | 43.130.10.102:443 | https://usw.gotohttp.com/reg.12x?id=lYTrEkJRd1taBVVdZw&sn=lYTrXDQJNAQiZDA7ADcpJgwTVXZfKygEKCQBXDEaX34vWmFRVVNkUm18NydTV0IvWkQ&ver=GotoHTTP10.2 | unknown | binary | 10 b | -
  • GET | 200 | 43.130.10.102:443 | https://def.gotohttp.com/reg.12x?c=1&sn=r3AbXQcEHl8sPwsjMy4FcSgcXylbcihWcS9BEikBWCxgUSZUFFFoCTcnJSVBWVo2Ww8 | unknown | binary | 121 b | -
  • GET | 200 | 43.130.10.102:443 | https://usw.gotohttp.com/gotover.12x?ver=102&lang=en | unknown | binary | 352 b | -

Connections

Columns: IP | Domain | ASN | CN | Reputation (a "-" marks a cell left empty in the report)

PID 4 (System):
  • 192.168.100.255:138 | - | - | - | whitelisted
  • 192.168.100.255:137 | - | - | - | whitelisted
  • 2.16.204.160:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
PID 4712 (MoUsoCoreWorker.exe):
  • 40.127.240.158:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
PID 3568 (svchost.exe):
  • 40.127.240.158:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
  • 40.127.240.158:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
PID 6676 (g.exe):
  • 43.130.10.102:443 | def.gotohttp.com | Tencent Building, Kejizhongyi Avenue | US | suspicious
PID 3568 (svchost.exe):
  • 23.216.77.14:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
PID 4712 (MoUsoCoreWorker.exe):
  • 23.216.77.14:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
  • 23.37.237.227:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain | IP | Reputation
www.bing.com | 2.16.204.160, 2.16.204.155, 2.16.204.141, 2.16.204.138, 2.16.204.135, 2.16.204.158 | whitelisted
google.com | 172.217.23.110 | whitelisted
def.gotohttp.com | 43.130.10.102 | unknown
crl.microsoft.com | 23.216.77.14, 23.216.77.29, 23.216.77.18, 23.216.77.31, 23.216.77.21, 23.216.77.25, 23.216.77.27, 23.216.77.10, 23.216.77.32 | whitelisted
www.microsoft.com | 23.37.237.227 | whitelisted
usw.gotohttp.com | 43.130.10.102 | unknown
eu.gotohttp.com | 43.131.61.143 | unknown
tk.gotohttp.com | 103.143.72.251 | unknown
settings-win.data.microsoft.com | 4.231.128.59 | whitelisted
hk.gotohttp.com | 47.241.41.42 | unknown

Threats

No threats detected
No debug info