eddf8c0e68f85cb94e81f5572dfb5e9e08bedd0631e078abc755b7b0ad903380

Analysis

max time kernel
312s
max time network
319s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
16-10-2023 06:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eddf8c0e68f85cb94e81f5572dfb5e9e08bedd0631e078abc755b7b0ad903380_GoTo Webinar Opener.exe
Size

375KB
MD5

144f6ae304e73dd2d8142c83e0c60d98
SHA1

f75f084f6ebc75d271573c1a1a969529c5fd251d
SHA256

eddf8c0e68f85cb94e81f5572dfb5e9e08bedd0631e078abc755b7b0ad903380
SHA512

8c69eeeee5c567a2afe38b045a7da048d111478b56d37282f038a022f39472b74f39dd236a84e6197b63c9ea89cb77ceacca5b4f1296945d341c5e31b27d2095
SSDEEP

6144:4VvaoFGmgG0BCGxcKi7ZIhFn6ZlrctG9KaVs/BfUbGy/kZiy1aqTWunoSDw6BLyj:wvz+GKK7ZCFgctGzVhlUiCLThoSDwAej

Score

8^/10

discovery evasion persistence spyware stealer trojan upx

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	G2MCoreInstExtractor.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	g2mlauncher.exe

Executes dropped EXE 8 IoCs

pid	Process
828	G2MCoreInstExtractor.exe
3096	G2MInstaller.exe
2180	G2MInstaller.exe
2716	g2mstart.exe
3380	g2mcomm.exe
2928	g2mlauncher.exe
2136	g2mvideoconference.exe
800	g2mui.exe

Loads dropped DLL 11 IoCs

pid	Process
3096	G2MInstaller.exe
2180	G2MInstaller.exe
2716	g2mstart.exe
2040	rundll32.exe
3380	g2mcomm.exe
2928	g2mlauncher.exe
2928	g2mlauncher.exe
3468	regsvr32.exe
2624	regsvr32.exe
2136	g2mvideoconference.exe
800	g2mui.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\CLSID\{84B5A313-CD5D-4904-8BA2-AFDC81C1B309}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\CLSID\{84B5A313-CD5D-4904-8BA2-AFDC81C1B309}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\GoToMeeting\\19950\\G2MOutlookAddin64.dll"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\WOW6432Node\CLSID\{84B5A313-CD5D-4904-8BA2-AFDC81C1B309}\InprocServer32	g2mlauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\WOW6432Node\CLSID\{84B5A313-CD5D-4904-8BA2-AFDC81C1B309}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\GoToMeeting\\19950\\G2MOutlookAddin.dll"	g2mlauncher.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4028-0-0x0000000000BC0000-0x0000000000CE8000-memory.dmp	upx
behavioral2/memory/4028-1-0x0000000000BC0000-0x0000000000CE8000-memory.dmp	upx
behavioral2/memory/4028-28-0x0000000000BC0000-0x0000000000CE8000-memory.dmp	upx
behavioral2/files/0x0006000000023090-41.dat	upx
behavioral2/files/0x0006000000023090-50.dat	upx
behavioral2/files/0x0006000000023087-51.dat	upx
behavioral2/memory/828-105-0x0000000000400000-0x00000000049BC000-memory.dmp	upx
behavioral2/memory/4028-118-0x0000000000BC0000-0x0000000000CE8000-memory.dmp	upx
behavioral2/memory/4028-209-0x0000000000BC0000-0x0000000000CE8000-memory.dmp	upx

Blocklisted process makes network request 3 IoCs

flow	pid	Process
30	4176	msiexec.exe
32	4176	msiexec.exe
34	4176	msiexec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 8 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	G2MCoreInstExtractor.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	G2MInstaller.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	g2mstart.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	g2mcomm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	g2mlauncher.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	g2mui.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	g2mvideoconference.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	eddf8c0e68f85cb94e81f5572dfb5e9e08bedd0631e078abc755b7b0ad903380_GoTo Webinar Opener.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe

Checks system information in the registry 2 TTPs 1 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	g2mcomm.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e5887e8.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9B22.tmp	msiexec.exe
File created	C:\Windows\Tasks\G2MUploadTask-S-1-5-21-1574508946-349927670-1185736483-1000.job	G2MInstaller.exe
File created	C:\Windows\Tasks\G2MUpdateTask-S-1-5-21-1574508946-349927670-1185736483-1000.job	G2MInstaller.exe
File opened for modification	C:\Windows\Installer\e5887e8.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{7659273F-0EB6-4ECB-BC7D-5889F3FD3075}	msiexec.exe
File created	C:\Windows\Installer\e5887ec.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	g2mlauncher.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	g2mlauncher.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	g2mlauncher.exe

Modifies Internet Explorer settings 1 TTPs 27 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1FF9E85E-17DD-4f5e-8BBC-050D26E8B90F}	msiexec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5FF11BE2-76E0-40B0-A67C-B7533A8DC508}\Policy = "3"	G2MInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1FF9E85E-17DD-4f5e-8BBC-050D26E8B90F}\AppName = "GoTo Opener.exe"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5FF11BE2-76E0-40B0-A67C-B7533A8DC508}	G2MInstaller.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\gotomeeting\WarnOnOpen = "0"	G2MInstaller.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\gotomeeting19950	G2MInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5FF11BE2-76E0-40B0-A67C-B7533A8DC508}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\GoToMeeting\\19950"	G2MInstaller.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\gotoopener	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\citrixonline	msiexec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\g2mui.exe = "11001"	g2mui.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\citrixonline562\WarnOnOpen = "0"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\gotomeeting	G2MInstaller.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\gotomeeting19950\WarnOnOpen = "0"	G2MInstaller.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	g2mui.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\gotoopener562\WarnOnOpen = "0"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\citrixonline562	msiexec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\citrixonline\WarnOnOpen = "0"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1FF9E85E-17DD-4f5e-8BBC-050D26E8B90F}	msiexec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1FF9E85E-17DD-4f5e-8BBC-050D26E8B90F}\Policy = "3"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1FF9E85E-17DD-4f5e-8BBC-050D26E8B90F}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\GoTo Opener\\"	msiexec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\g2mlauncher.exe = "11001"	g2mlauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\gotoopener562	msiexec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\gotoopener\WarnOnOpen = "0"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5FF11BE2-76E0-40B0-A67C-B7533A8DC508}\AppName = "G2MInstaller.exe"	G2MInstaller.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	g2mlauncher.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\CLSID\{84B5A313-CD5D-4904-8BA2-AFDC81C1B309}\ProgID\ = "G2MAddin.OutlookAddin"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\WOW6432Node\CLSID\{84B5A313-CD5D-4904-8BA2-AFDC81C1B309}\ = "GoToMeeting Outlook COM Addin"	g2mlauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\citrixonline\ = "GoTo Opener"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\.gotoopener562\ContentType = "application/x-col-launch562"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\gotomeeting\URL Protocol	G2MInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\.gotomeeting\ = "LogMeInInc.Collab"	G2MInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\gotomeeting19950\Shell\Open\Command\ = "\"C:\\Users\\Admin\\AppData\\Local\\GoToMeeting\\19950\\G2MInstaller.exe\" \"/urlQsArgs %1\""	G2MInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\LogMeInInc.GoToOpener562\Shell\Open\Command\ = "\"C:\\Users\\Admin\\AppData\\Local\\GoTo Opener\\GoTo Opener.exe\" \"/docArgs %1\""	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\citrixonline562\URL Protocol	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\.gotoopener\ = "LogMeInInc.GoToOpener"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\CLSID\{84B5A313-CD5D-4904-8BA2-AFDC81C1B309}\ProgID	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\.gotomeeting	G2MInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\LogMeInInc.Collab\ = "GoToMeeting Action"	G2MInstaller.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\.g2m	G2MInstaller.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\WOW6432Node\CLSID\{84B5A313-CD5D-4904-8BA2-AFDC81C1B309}\ProgID	g2mlauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\gotoopener\Shell\Open	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\gotoopener\Shell\Open\Command\ = "\"C:\\Users\\Admin\\AppData\\Local\\GoTo Opener\\GoTo Opener.exe\" \"/urlQsArgs %1\""	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\.citrixonline\ = "LogMeInInc.GoToOpener"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\MIME\Database\Content Type	G2MInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\gotoopener562\ = "GoTo Opener"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\MIME\Database\Content Type\application/x-col-launch562\Extension = ".gotoopener562"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\.gotomeeting\ContentType = "application/x-gotomeeting"	G2MInstaller.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\gotomeeting19950\Shell	G2MInstaller.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\WOW6432Node\CLSID\{84B5A313-CD5D-4904-8BA2-AFDC81C1B309}\InprocServer32	g2mlauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\LogMeInInc.Collab	G2MInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\citrixonline\URL Protocol	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\citrixonline\Shell\Open\Command	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\.citrixonline562\ = "LogMeInInc.GoToOpener562"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\.citrixonline\ContentType = "application/x-col-launch"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\LogMeInInc.GoToOpener\Shell\Open	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\citrixonline\Shell\Open	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\LogMeInInc.Collab.G2M	G2MInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\CLSID\{84B5A313-CD5D-4904-8BA2-AFDC81C1B309}\ = "GoToMeeting Outlook COM Addin"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\G2MAddin.OutlookAddin\CLSID	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\citrixonline562\Shell	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\MIME\Database\Content Type\application/x-gotomeeting\Extension = ".gotomeeting"	G2MInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\citrixonline562\ = "GoTo Opener"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\LogMeInInc.Collab19950\ = "GoToMeeting Action"	G2MInstaller.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\CLSID\{84B5A313-CD5D-4904-8BA2-AFDC81C1B309}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\gotoopener\ = "GoTo Opener"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\LogMeInInc.GoToOpener\Shell\Open\Command	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\gotomeeting19950\URL Protocol	G2MInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\.g2m\ = "LogMeInInc.Collab.G2M"	G2MInstaller.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\gotoopener562\Shell\Open	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\.gotoopener\ContentType = "application/x-col-launch"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\MIME\Database\Content Type\application/x-gotomeeting	G2MInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\gotomeeting19950\ = "URL:GoToMeeting Protocol"	G2MInstaller.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\LogMeInInc.Collab19950\Shell\Open\Command	G2MInstaller.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\.gotoopener562	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\gotoopener562\Shell	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\WOW6432Node\CLSID\{84B5A313-CD5D-4904-8BA2-AFDC81C1B309}\ProgID\ = "G2MAddin.OutlookAddin"	g2mlauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\.citrixonline562	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\LogMeInInc.Collab19950\Shell\Open	G2MInstaller.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\LogMeInInc.Collab.G2M\Build = "19950"	G2MInstaller.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\LogMeInInc.Collab.G2M\Shell\Open\Command	G2MInstaller.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\CLSID\{84B5A313-CD5D-4904-8BA2-AFDC81C1B309}	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\WOW6432Node\CLSID\{84B5A313-CD5D-4904-8BA2-AFDC81C1B309}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\GoToMeeting\\19950\\G2MOutlookAddin.dll"	g2mlauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\G2MAddin.OutlookAddin\ = "GoToMeeting Outlook COM Addin"	g2mlauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\citrixonline562\Shell\Open	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\MIME\Database\Content Type\application/x-col-launch\Extension = ".gotoopener"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\gotomeeting19950\Shell\Open	G2MInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\.g2m\ContentType = "application/x-g2m"	G2MInstaller.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\G2MAddin.OutlookAddin	g2mlauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\gotoopener562\URL Protocol	msiexec.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	g2mcomm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d4624030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e76200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb65809000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e650190000000100000010000000fd960962ac6938e0d4b0769aa1a64e262000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	g2mcomm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 5c000000010000000400000000080000190000000100000010000000fd960962ac6938e0d4b0769aa1a64e260f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb658140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a040000000100000010000000324a4bbbc863699bbe749ac6dd1d46242000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	g2mcomm.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3096	G2MInstaller.exe
3096	G2MInstaller.exe
3380	g2mcomm.exe
3380	g2mcomm.exe
3380	g2mcomm.exe
3380	g2mcomm.exe
3380	g2mcomm.exe
3380	g2mcomm.exe
3380	g2mcomm.exe
3380	g2mcomm.exe
3380	g2mcomm.exe
3380	g2mcomm.exe
3380	g2mcomm.exe
3380	g2mcomm.exe
3380	g2mcomm.exe
3380	g2mcomm.exe
3380	g2mcomm.exe
3380	g2mcomm.exe
3380	g2mcomm.exe
3380	g2mcomm.exe
3380	g2mcomm.exe
3380	g2mcomm.exe
3380	g2mcomm.exe
3380	g2mcomm.exe
3380	g2mcomm.exe
3380	g2mcomm.exe
3380	g2mcomm.exe
3380	g2mcomm.exe
3380	g2mcomm.exe
3380	g2mcomm.exe
3380	g2mcomm.exe
3380	g2mcomm.exe
3380	g2mcomm.exe
3380	g2mcomm.exe
3380	g2mcomm.exe
3380	g2mcomm.exe
3380	g2mcomm.exe
3380	g2mcomm.exe
3380	g2mcomm.exe
3380	g2mcomm.exe
3380	g2mcomm.exe
3380	g2mcomm.exe
3380	g2mcomm.exe
3380	g2mcomm.exe
3380	g2mcomm.exe
3380	g2mcomm.exe
3380	g2mcomm.exe
3380	g2mcomm.exe
3380	g2mcomm.exe
3380	g2mcomm.exe
3380	g2mcomm.exe
3380	g2mcomm.exe
3380	g2mcomm.exe
3380	g2mcomm.exe
3380	g2mcomm.exe
3380	g2mcomm.exe
3380	g2mcomm.exe
3380	g2mcomm.exe
3380	g2mcomm.exe
3380	g2mcomm.exe
3380	g2mcomm.exe
3380	g2mcomm.exe
3380	g2mcomm.exe
3380	g2mcomm.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	884	msiexec.exe
Token: SeIncreaseQuotaPrivilege	884	msiexec.exe
Token: SeSecurityPrivilege	4176	msiexec.exe
Token: SeCreateTokenPrivilege	884	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	884	msiexec.exe
Token: SeLockMemoryPrivilege	884	msiexec.exe
Token: SeIncreaseQuotaPrivilege	884	msiexec.exe
Token: SeMachineAccountPrivilege	884	msiexec.exe
Token: SeTcbPrivilege	884	msiexec.exe
Token: SeSecurityPrivilege	884	msiexec.exe
Token: SeTakeOwnershipPrivilege	884	msiexec.exe
Token: SeLoadDriverPrivilege	884	msiexec.exe
Token: SeSystemProfilePrivilege	884	msiexec.exe
Token: SeSystemtimePrivilege	884	msiexec.exe
Token: SeProfSingleProcessPrivilege	884	msiexec.exe
Token: SeIncBasePriorityPrivilege	884	msiexec.exe
Token: SeCreatePagefilePrivilege	884	msiexec.exe
Token: SeCreatePermanentPrivilege	884	msiexec.exe
Token: SeBackupPrivilege	884	msiexec.exe
Token: SeRestorePrivilege	884	msiexec.exe
Token: SeShutdownPrivilege	884	msiexec.exe
Token: SeDebugPrivilege	884	msiexec.exe
Token: SeAuditPrivilege	884	msiexec.exe
Token: SeSystemEnvironmentPrivilege	884	msiexec.exe
Token: SeChangeNotifyPrivilege	884	msiexec.exe
Token: SeRemoteShutdownPrivilege	884	msiexec.exe
Token: SeUndockPrivilege	884	msiexec.exe
Token: SeSyncAgentPrivilege	884	msiexec.exe
Token: SeEnableDelegationPrivilege	884	msiexec.exe
Token: SeManageVolumePrivilege	884	msiexec.exe
Token: SeImpersonatePrivilege	884	msiexec.exe
Token: SeCreateGlobalPrivilege	884	msiexec.exe
Token: SeRestorePrivilege	4176	msiexec.exe
Token: SeTakeOwnershipPrivilege	4176	msiexec.exe
Token: SeRestorePrivilege	4176	msiexec.exe
Token: SeTakeOwnershipPrivilege	4176	msiexec.exe
Token: SeRestorePrivilege	4176	msiexec.exe
Token: SeTakeOwnershipPrivilege	4176	msiexec.exe
Token: SeRestorePrivilege	4176	msiexec.exe
Token: SeTakeOwnershipPrivilege	4176	msiexec.exe
Token: SeRestorePrivilege	4176	msiexec.exe
Token: SeTakeOwnershipPrivilege	4176	msiexec.exe
Token: SeRestorePrivilege	4176	msiexec.exe
Token: SeTakeOwnershipPrivilege	4176	msiexec.exe
Token: SeRestorePrivilege	4176	msiexec.exe
Token: SeTakeOwnershipPrivilege	4176	msiexec.exe
Token: SeRestorePrivilege	4176	msiexec.exe
Token: SeTakeOwnershipPrivilege	4176	msiexec.exe
Token: SeRestorePrivilege	4176	msiexec.exe
Token: SeTakeOwnershipPrivilege	4176	msiexec.exe
Token: SeRestorePrivilege	4176	msiexec.exe
Token: SeTakeOwnershipPrivilege	4176	msiexec.exe
Token: SeRestorePrivilege	4176	msiexec.exe
Token: SeTakeOwnershipPrivilege	4176	msiexec.exe
Token: SeRestorePrivilege	4176	msiexec.exe
Token: SeTakeOwnershipPrivilege	4176	msiexec.exe
Token: SeRestorePrivilege	4176	msiexec.exe
Token: SeTakeOwnershipPrivilege	4176	msiexec.exe
Token: SeRestorePrivilege	4176	msiexec.exe
Token: SeTakeOwnershipPrivilege	4176	msiexec.exe
Token: SeRestorePrivilege	4176	msiexec.exe
Token: SeTakeOwnershipPrivilege	4176	msiexec.exe
Token: SeRestorePrivilege	4176	msiexec.exe
Token: SeTakeOwnershipPrivilege	4176	msiexec.exe

Suspicious use of FindShellTrayWindow 16 IoCs

pid	Process
2928	g2mlauncher.exe
2928	g2mlauncher.exe
2928	g2mlauncher.exe
2928	g2mlauncher.exe
2928	g2mlauncher.exe
2928	g2mlauncher.exe
2928	g2mlauncher.exe
2928	g2mlauncher.exe
2928	g2mlauncher.exe
2928	g2mlauncher.exe
2928	g2mlauncher.exe
2928	g2mlauncher.exe
2928	g2mlauncher.exe
2928	g2mlauncher.exe
2928	g2mlauncher.exe
2928	g2mlauncher.exe

Suspicious use of SendNotifyMessage 16 IoCs

pid	Process
2928	g2mlauncher.exe
2928	g2mlauncher.exe
2928	g2mlauncher.exe
2928	g2mlauncher.exe
2928	g2mlauncher.exe
2928	g2mlauncher.exe
2928	g2mlauncher.exe
2928	g2mlauncher.exe
2928	g2mlauncher.exe
2928	g2mlauncher.exe
2928	g2mlauncher.exe
2928	g2mlauncher.exe
2928	g2mlauncher.exe
2928	g2mlauncher.exe
2928	g2mlauncher.exe
2928	g2mlauncher.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2928	g2mlauncher.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 4028 wrote to memory of 884	4028	eddf8c0e68f85cb94e81f5572dfb5e9e08bedd0631e078abc755b7b0ad903380_GoTo Webinar Opener.exe	84
PID 4028 wrote to memory of 884	4028	eddf8c0e68f85cb94e81f5572dfb5e9e08bedd0631e078abc755b7b0ad903380_GoTo Webinar Opener.exe	84
PID 4028 wrote to memory of 884	4028	eddf8c0e68f85cb94e81f5572dfb5e9e08bedd0631e078abc755b7b0ad903380_GoTo Webinar Opener.exe	84
PID 4028 wrote to memory of 828	4028	eddf8c0e68f85cb94e81f5572dfb5e9e08bedd0631e078abc755b7b0ad903380_GoTo Webinar Opener.exe	88
PID 4028 wrote to memory of 828	4028	eddf8c0e68f85cb94e81f5572dfb5e9e08bedd0631e078abc755b7b0ad903380_GoTo Webinar Opener.exe	88
PID 4028 wrote to memory of 828	4028	eddf8c0e68f85cb94e81f5572dfb5e9e08bedd0631e078abc755b7b0ad903380_GoTo Webinar Opener.exe	88
PID 828 wrote to memory of 3096	828	G2MCoreInstExtractor.exe	92
PID 828 wrote to memory of 3096	828	G2MCoreInstExtractor.exe	92
PID 828 wrote to memory of 3096	828	G2MCoreInstExtractor.exe	92
PID 3096 wrote to memory of 2180	3096	G2MInstaller.exe	94
PID 3096 wrote to memory of 2180	3096	G2MInstaller.exe	94
PID 3096 wrote to memory of 2180	3096	G2MInstaller.exe	94
PID 3096 wrote to memory of 2716	3096	G2MInstaller.exe	95
PID 3096 wrote to memory of 2716	3096	G2MInstaller.exe	95
PID 3096 wrote to memory of 2716	3096	G2MInstaller.exe	95
PID 3096 wrote to memory of 2040	3096	G2MInstaller.exe	97
PID 3096 wrote to memory of 2040	3096	G2MInstaller.exe	97
PID 3096 wrote to memory of 2040	3096	G2MInstaller.exe	97
PID 2716 wrote to memory of 3380	2716	g2mstart.exe	98
PID 2716 wrote to memory of 3380	2716	g2mstart.exe	98
PID 2716 wrote to memory of 3380	2716	g2mstart.exe	98
PID 3380 wrote to memory of 2928	3380	g2mcomm.exe	99
PID 3380 wrote to memory of 2928	3380	g2mcomm.exe	99
PID 3380 wrote to memory of 2928	3380	g2mcomm.exe	99
PID 2928 wrote to memory of 3468	2928	g2mlauncher.exe	103
PID 2928 wrote to memory of 3468	2928	g2mlauncher.exe	103
PID 2928 wrote to memory of 3468	2928	g2mlauncher.exe	103
PID 3468 wrote to memory of 2624	3468	regsvr32.exe	104
PID 3468 wrote to memory of 2624	3468	regsvr32.exe	104
PID 3380 wrote to memory of 2136	3380	g2mcomm.exe	109
PID 3380 wrote to memory of 2136	3380	g2mcomm.exe	109
PID 3380 wrote to memory of 2136	3380	g2mcomm.exe	109
PID 3380 wrote to memory of 800	3380	g2mcomm.exe	106
PID 3380 wrote to memory of 800	3380	g2mcomm.exe	106
PID 3380 wrote to memory of 800	3380	g2mcomm.exe	106
PID 4028 wrote to memory of 4992	4028	eddf8c0e68f85cb94e81f5572dfb5e9e08bedd0631e078abc755b7b0ad903380_GoTo Webinar Opener.exe	107
PID 4028 wrote to memory of 4992	4028	eddf8c0e68f85cb94e81f5572dfb5e9e08bedd0631e078abc755b7b0ad903380_GoTo Webinar Opener.exe	107
PID 4028 wrote to memory of 4992	4028	eddf8c0e68f85cb94e81f5572dfb5e9e08bedd0631e078abc755b7b0ad903380_GoTo Webinar Opener.exe	107

C:\Users\Admin\AppData\Local\Temp\eddf8c0e68f85cb94e81f5572dfb5e9e08bedd0631e078abc755b7b0ad903380_GoTo Webinar Opener.exe
"C:\Users\Admin\AppData\Local\Temp\eddf8c0e68f85cb94e81f5572dfb5e9e08bedd0631e078abc755b7b0ad903380_GoTo Webinar Opener.exe"
1⤵
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
PID:4028
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\4A1FFD19-7206-4278-88D0-8B56FB0C0EEB\GoToOpener.msi" /q /lvx "C:\Users\Admin\AppData\Local\Temp\LogMeInLogs\GoToOpenerMsi\036D102F-0C3B-4FC9-A888-E980E86B1B55.log"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:884
- C:\Users\Admin\AppData\Local\Temp\0AB81826-0CD6-49C4-9B0C-017B4AE8C6BE\G2MCoreInstExtractor.exe
  "C:\Users\Admin\AppData\Local\Temp\0AB81826-0CD6-49C4-9B0C-017B4AE8C6BE\G2MCoreInstExtractor.exe" "/Action Join" "/BrokerServiceSuffix @ISL1" "/EGWAddress 23.239.230.255" "/EGWDNS egwglobal.gotomeeting.com" "/EGWPort 8200,80,443" "/MeetingID 591754251" "/Mode terse" "/UserID 5794118849445831771" "/UserRole attendee" "/betaEnabled true" "/buildNumber 19950" "/colClientUiReadyEvent Global\69A94EA2-CED8-448E-9766-55AE2408D29C" "/locale en_US" "/productName g2m" "/sessionTrackingId e0-E-i0UpYpfltXR_5kYgkQXx8x2pbPn" "/theme g2w"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of WriteProcessMemory
  PID:828
- - C:\Users\Admin\AppData\Local\Temp\0AB81826-0CD6-49C4-9B0C-017B4AE8C6BE\G2MInstaller.exe
    "C:\Users\Admin\AppData\Local\Temp\0AB81826-0CD6-49C4-9B0C-017B4AE8C6BE\G2MInstaller.exe" "/Action Join" "/BrokerServiceSuffix @ISL1" "/DidInstall True" "/EGWAddress 23.239.230.255" "/EGWDNS egwglobal.gotomeeting.com" "/EGWPort 8200,80,443" "/MeetingID 591754251" "/Mode terse" "/UserID 5794118849445831771" "/UserRole attendee" "/betaEnabled true" "/buildNumber 19950" "/colClientUiReadyEvent Global\69A94EA2-CED8-448E-9766-55AE2408D29C" -delself "/locale en_US" "/productName g2m" "/sessionTrackingId e0-E-i0UpYpfltXR_5kYgkQXx8x2pbPn" "/theme g2w"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3096
  - - C:\Users\Admin\AppData\Local\GoToMeeting\19950\G2MInstaller.exe
      "C:\Users\Admin\AppData\Local\GoToMeeting\19950\G2MInstaller.exe" -noop
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2180
  - - C:\Users\Admin\AppData\Local\GoToMeeting\19950\g2mstart.exe
      "C:\Users\Admin\AppData\Local\GoToMeeting\19950\g2mstart.exe" "/Action Join" "/BrokerServiceSuffix @ISL1" "/DidInstall True" "/EGWAddress 23.239.230.255" "/EGWDNS egwglobal.gotomeeting.com" "/EGWPort 8200,80,443" "/MeetingID 591754251" "/Mode terse" "/UserID 5794118849445831771" "/UserRole attendee" "/betaEnabled true" "/buildNumber 19950" "/colClientUiReadyEvent Global\69A94EA2-CED8-448E-9766-55AE2408D29C" "/locale en_US" "/productName g2m" "/sessionTrackingId e0-E-i0UpYpfltXR_5kYgkQXx8x2pbPn" "/theme g2w"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Checks whether UAC is enabled
      Suspicious use of WriteProcessMemory
      PID:2716
    - - C:\Users\Admin\AppData\Local\GoToMeeting\19950\g2mcomm.exe
        
        "C:\Users\Admin\AppData\Local\GoToMeeting\19950\g2mcomm.exe" "Action=Join&betaEnabled=true&BrokerServiceSuffix=@ISL1&buildNumber=19950&colClientUiReadyEvent=Global\69A94EA2-CED8-448E-9766-55AE2408D29C&DidInstall=True&Digest=40c43a9f50f4bebb9aadcc38ca75ba06&Dir=C:\Users\Admin\AppData\Local\GoToMeeting\19950\&EGWAddress=23.239.230.255&EGWDNS=egwglobal.gotomeeting.com&EGWPort=8200,80,443&LoaderPath=C:\Users\Admin\AppData\Local\GoToMeeting\19950\g2mstart.exe&locale=en_US&LogName=c:\users\admin\appdata\local\temp\logmeinlogs\gotomeeting\19950\2023-10-16_06.25.09.623\GoToMeeting.log&MeetingID=591754251&Mode=terse&Path=g2mlauncher.exe&Plugin=G2MLauncher&productName=g2m&sessionTrackingId=e0-E-i0UpYpfltXR_5kYgkQXx8x2pbPn&theme=g2w&UniqueId=a9c&UserID=5794118849445831771&UserRole=attendee"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks whether UAC is enabled
        Checks system information in the registry
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3380
      - C:\Users\Admin\AppData\Local\GoToMeeting\19950\g2mlauncher.exe
        
        "C:\Users\Admin\AppData\Local\GoToMeeting\19950\g2mlauncher.exe" "StartID={C4406348-D0F9-4987-856E-B5C4AAA3BB1B}&Debug=Off&Stat=On&StatDb=On&Index=0"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Registers COM server for autorun
        Checks whether UAC is enabled
        Checks processor information in registry
        Modifies Internet Explorer settings
        Modifies registry class
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        C:\Windows\system32\regsvr32.exe -s "C:\Users\Admin\AppData\Local\GoToMeeting\19950\G2MOutlookAddin64.dll"
        7⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:3468
        
        C:\Windows\system32\regsvr32.exe
        
        -s "C:\Users\Admin\AppData\Local\GoToMeeting\19950\G2MOutlookAddin64.dll"
        8⤵
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:2624
      - C:\Users\Admin\AppData\Local\GoToMeeting\19950\g2mui.exe
        
        "C:\Users\Admin\AppData\Local\GoToMeeting\19950\g2mui.exe" "StartID={C3594F6E-CC93-4F07-8C6C-6F02E08553DF}&Debug=Off&Stat=On&StatDb=On&Index=0"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks whether UAC is enabled
        Modifies Internet Explorer settings
        
        PID:800
      - C:\Users\Admin\AppData\Local\GoToMeeting\19950\g2mvideoconference.exe
        
        "C:\Users\Admin\AppData\Local\GoToMeeting\19950\g2mvideoconference.exe" "StartID={E42A6329-4E67-4F4A-8129-1BF3C4F15DD1}&Debug=Off&Stat=On&StatDb=On&Index=0"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks whether UAC is enabled
        
        PID:2136
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe "C:\Users\Admin\AppData\Local\Temp\0AB81826-0CD6-49C4-9B0C-017B4AE8C6BE\uninshlp.dll",DeleteExeAndDeleteSelf b7adab8c-afc4-4bed-b6bc-02d324f79e9d
      4⤵
      Loads dropped DLL
      PID:2040
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\427224DE-7B93-4F4D-A96F-59FF190745B0.bat" "C:\Users\Admin\AppData\Local\Temp\eddf8c0e68f85cb94e81f5572dfb5e9e08bedd0631e078abc755b7b0ad903380_GoTo Webinar Opener.exe""
  2⤵
  PID:4992

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e5887eb.rbs

Filesize
14KB

MD5
f4a46736fcc6e3632f931b731846f3f9

SHA1
b34f06cebe8c2cb1a0fb9d50dd16387dd475b00a

SHA256
48969bd757e90be42f87f881f75106f3e7f9dfae6795e1001c3a231c4cf4bff6

SHA512
9c48b7ddc4cc8a49e6d5d1fe8c5095f6bf6da7b32711f0448fdd69548dda03ac71b9b199c347feda97bfc61627a3d2127b0b9880ca27ba7cbf90c593070b933a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_325DC716E4289E0AE281439314ED4BFA

Filesize
727B

MD5
e0dbabd8685b970c0ef0545f7cd348c9

SHA1
28c10fd6027ce89468e71730cf14c90471cd24a9

SHA256
7d78c57a80058855afd5a4bf327ab441e1dfa419642fa872a95759909a8f8061

SHA512
4a58c7f3a6d38bef835bfd0b8b3a80d564af2a6eccf3de0cf69479f51b174cfae17d7892c14711964242a0de5b78fdd1db4fc279f35e24d53cf87ad45634e1f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_325DC716E4289E0AE281439314ED4BFA

Filesize
408B

MD5
d98fe6dcf2ae642a3f6259210a9055eb

SHA1
9dd514e6f23fd9f03768ddfe2922fe1cdeb72718

SHA256
3b0cd81a46454dae79fecaae6211589ff53a9b76bdb6254adb17917ed28949ca

SHA512
2a6715993898800b598b5e7337cf014ead349caa90110462ab48d5c44c2a30700b82da9566a3174b50f2cbc5c3a03503b95242c17a2fdd4f1e37a06b342022f0

Download Submit
C:\Users\Admin\AppData\Local\GoToMeeting\19950\G2M.dll

Filesize
46.4MB

MD5
bdb01e73091a8752ff82234d414a50bf

SHA1
19d52a72db26ba09596133f4640971f289d1c138

SHA256
649ede91f00d784ed1e397ece6e5f13dbe6cd9d86c06b424834c443c32727bae

SHA512
b54e8c6172d5aaff2ff5ee789cd8933cbddf5d965116dcedea0ff85483b4758b4d3ee733bf2682c7ecdeb1f2f66d348b06936c835f96ec930ace7cda7b450b0f

Download Submit
C:\Users\Admin\AppData\Local\GoToMeeting\19950\G2M.dll

Filesize
46.4MB

MD5
bdb01e73091a8752ff82234d414a50bf

SHA1
19d52a72db26ba09596133f4640971f289d1c138

SHA256
649ede91f00d784ed1e397ece6e5f13dbe6cd9d86c06b424834c443c32727bae

SHA512
b54e8c6172d5aaff2ff5ee789cd8933cbddf5d965116dcedea0ff85483b4758b4d3ee733bf2682c7ecdeb1f2f66d348b06936c835f96ec930ace7cda7b450b0f

Download Submit
C:\Users\Admin\AppData\Local\GoToMeeting\19950\G2M.dll

Filesize
46.4MB

MD5
bdb01e73091a8752ff82234d414a50bf

SHA1
19d52a72db26ba09596133f4640971f289d1c138

SHA256
649ede91f00d784ed1e397ece6e5f13dbe6cd9d86c06b424834c443c32727bae

SHA512
b54e8c6172d5aaff2ff5ee789cd8933cbddf5d965116dcedea0ff85483b4758b4d3ee733bf2682c7ecdeb1f2f66d348b06936c835f96ec930ace7cda7b450b0f

Download Submit
C:\Users\Admin\AppData\Local\GoToMeeting\19950\G2M.dll

Filesize
46.4MB

MD5
bdb01e73091a8752ff82234d414a50bf

SHA1
19d52a72db26ba09596133f4640971f289d1c138

SHA256
649ede91f00d784ed1e397ece6e5f13dbe6cd9d86c06b424834c443c32727bae

SHA512
b54e8c6172d5aaff2ff5ee789cd8933cbddf5d965116dcedea0ff85483b4758b4d3ee733bf2682c7ecdeb1f2f66d348b06936c835f96ec930ace7cda7b450b0f

Download Submit
C:\Users\Admin\AppData\Local\GoToMeeting\19950\G2M.dll

Filesize
46.4MB

MD5
bdb01e73091a8752ff82234d414a50bf

SHA1
19d52a72db26ba09596133f4640971f289d1c138

SHA256
649ede91f00d784ed1e397ece6e5f13dbe6cd9d86c06b424834c443c32727bae

SHA512
b54e8c6172d5aaff2ff5ee789cd8933cbddf5d965116dcedea0ff85483b4758b4d3ee733bf2682c7ecdeb1f2f66d348b06936c835f96ec930ace7cda7b450b0f

Download Submit
C:\Users\Admin\AppData\Local\GoToMeeting\19950\G2M.dll

Filesize
46.4MB

MD5
bdb01e73091a8752ff82234d414a50bf

SHA1
19d52a72db26ba09596133f4640971f289d1c138

SHA256
649ede91f00d784ed1e397ece6e5f13dbe6cd9d86c06b424834c443c32727bae

SHA512
b54e8c6172d5aaff2ff5ee789cd8933cbddf5d965116dcedea0ff85483b4758b4d3ee733bf2682c7ecdeb1f2f66d348b06936c835f96ec930ace7cda7b450b0f

Download Submit
C:\Users\Admin\AppData\Local\GoToMeeting\19950\G2MCommonResources.dll

Filesize
8.9MB

MD5
e162a6f2b63c6a3873f2a2fea170fa2a

SHA1
0cdd50f7fff1813a2c8075f57a2dcd247b11ea6f

SHA256
51403f83457ece8850a61cffe5308ffa130e3db4dcc0b560678e0bfd65c20b37

SHA512
f0b1c6e4e4a86e29017fff678dcc5f4e0ab99e4b0553e659f26006211e4a456f0d4d087b669bbdf3ee654d6f3e2f2f24fa901d5a7e6ed70459ccbc3cf414991c

Download Submit
C:\Users\Admin\AppData\Local\GoToMeeting\19950\G2MInstaller.exe

Filesize
32KB

MD5
40c43a9f50f4bebb9aadcc38ca75ba06

SHA1
277f7874b986ca0f17c55da1d50abecea77ad46e

SHA256
1ddb4e75b45852989ba34368a90d12463f85b378cbd860dfe543faad10e17d5f

SHA512
40018db207dd540309cdf70603ce8477ab9aad00f3ccf8d2c30848492c54ce7fae50490f2684e8c0929e6e3f0ba09d43ce7b10c91ccb0908ece3daf636e74e96

Download Submit
C:\Users\Admin\AppData\Local\GoToMeeting\19950\G2MInstaller.exe

Filesize
32KB

MD5
40c43a9f50f4bebb9aadcc38ca75ba06

SHA1
277f7874b986ca0f17c55da1d50abecea77ad46e

SHA256
1ddb4e75b45852989ba34368a90d12463f85b378cbd860dfe543faad10e17d5f

SHA512
40018db207dd540309cdf70603ce8477ab9aad00f3ccf8d2c30848492c54ce7fae50490f2684e8c0929e6e3f0ba09d43ce7b10c91ccb0908ece3daf636e74e96

Download Submit
C:\Users\Admin\AppData\Local\GoToMeeting\19950\G2MOutlookAddin.dll

Filesize
209KB

MD5
1847bc4e9df58e08a97481dc46f0311d

SHA1
120cf9834e4d88c858ba63d98d6e56c82c988635

SHA256
8842551370e7fdf947826341ffa3f7c7b54577c1a8356003b5fab3994816f077

SHA512
c37274da8f4bd92b01195d71221f4d89d86a3d552b16416efb5dc58ff74d7b135086f1bede13426975b2a9cd18becd0b4db941da2add288db63b6b32ca4b57a0

Download Submit
C:\Users\Admin\AppData\Local\GoToMeeting\19950\G2MOutlookAddin.dll

Filesize
209KB

MD5
1847bc4e9df58e08a97481dc46f0311d

SHA1
120cf9834e4d88c858ba63d98d6e56c82c988635

SHA256
8842551370e7fdf947826341ffa3f7c7b54577c1a8356003b5fab3994816f077

SHA512
c37274da8f4bd92b01195d71221f4d89d86a3d552b16416efb5dc58ff74d7b135086f1bede13426975b2a9cd18becd0b4db941da2add288db63b6b32ca4b57a0

Download Submit
C:\Users\Admin\AppData\Local\GoToMeeting\19950\G2MOutlookAddin64.dll

Filesize
245KB

MD5
61b2aa9c3a26569e7b8bcdde5a676d44

SHA1
b72185a71969ea033804a42a8d5aa18db0449e35

SHA256
070ad9cee9917cb83ad4c8f33deea1a6c7c38d92e70bec42e8396c2d563563a7

SHA512
e50a3b2fa8b36f00f04a3cf3e8db8cb92788c6d85217d9b26404e381a1e50d763785fa2ddf99e9bb2cb36d3217dd75f750217fdeda5801a1729f85919cf07118

Download Submit
C:\Users\Admin\AppData\Local\GoToMeeting\19950\G2MOutlookAddin64.dll

Filesize
245KB

MD5
61b2aa9c3a26569e7b8bcdde5a676d44

SHA1
b72185a71969ea033804a42a8d5aa18db0449e35

SHA256
070ad9cee9917cb83ad4c8f33deea1a6c7c38d92e70bec42e8396c2d563563a7

SHA512
e50a3b2fa8b36f00f04a3cf3e8db8cb92788c6d85217d9b26404e381a1e50d763785fa2ddf99e9bb2cb36d3217dd75f750217fdeda5801a1729f85919cf07118

Download Submit
C:\Users\Admin\AppData\Local\GoToMeeting\19950\G2MOutlookAddin64.dll

Filesize
245KB

MD5
61b2aa9c3a26569e7b8bcdde5a676d44

SHA1
b72185a71969ea033804a42a8d5aa18db0449e35

SHA256
070ad9cee9917cb83ad4c8f33deea1a6c7c38d92e70bec42e8396c2d563563a7

SHA512
e50a3b2fa8b36f00f04a3cf3e8db8cb92788c6d85217d9b26404e381a1e50d763785fa2ddf99e9bb2cb36d3217dd75f750217fdeda5801a1729f85919cf07118

Download Submit
C:\Users\Admin\AppData\Local\GoToMeeting\19950\G2MResource_de.dll

Filesize
1.2MB

MD5
6afdadc10ab20b8cc8cfd7f2dbb05f7e

SHA1
675c9c061e161d32d12aaa562b5d3bca3e35ce44

SHA256
8bcecbdaa66bf85c99bb5cc892470e5774490050017e2ba2600ab3c0674318ef

SHA512
f2136da7fb0545e3e26e4ec969b54d5a5c6f7e9355550c73701d42fed41a571c9a834de7127541083076a6ee43b041c90c4b52020c92c96f85ef65d86f91539c

Download Submit
C:\Users\Admin\AppData\Local\GoToMeeting\19950\G2MResource_en.dll

Filesize
1.2MB

MD5
7594b538937b64751df9f553ddbb921c

SHA1
c029d68f782a97e5429fc033ebeaa5e4d6eadb83

SHA256
c1180b30da54fd296523eea9d483a54314aa9a8252f97d4068fd0c74766703ee

SHA512
3aaf0d1e52d204ebf348505e94c168741eaef6759e57750af1285e4a11a70a08513bda399e974171baf19dd912ba8c4f8b1aeabf15b8411b33e926c12b1b38d7

Download Submit
C:\Users\Admin\AppData\Local\GoToMeeting\19950\G2MResource_es.dll

Filesize
1.2MB

MD5
63a51e9223a9e653ad9e6688fc8a309f

SHA1
ec8511dc4ade624bfe8ebf98c73e891902164c04

SHA256
5a9a0ad212f67d67566234ad990868a45dbac75f07297bc8670f38ddbc8e17d3

SHA512
b5267860089ce09d722f22294d5c504ed4f85e0f9f98c94a5655da35a0612ad7032cf9de7c4083762514fcf6821c13053b013920f0fc6e5db950c5bb86cb094e

Download Submit
C:\Users\Admin\AppData\Local\GoToMeeting\19950\G2MResource_fr.dll

Filesize
1.2MB

MD5
b82dc5176b2599e4cf47c864bc1cb2ed

SHA1
8bf06b3f9c7aa4e6b91e6d842bd2d32c8a435d78

SHA256
81f00efe740b5b386c3d3e6b694b30dae55c7b2cdfecbdfab0cf3779bf0ee585

SHA512
cf638b9d615e723fc15a1e5e48c5eef360c67a8b62b13a27d1040f1fe43f59611a8506ea9676be26d07a7e4df4e28290344fcf7e2dd914b1af8223ef5f739f02

Download Submit
C:\Users\Admin\AppData\Local\GoToMeeting\19950\G2MResource_it.dll

Filesize
1.2MB

MD5
3929662b57ce4e430b265d2c8014375c

SHA1
a321346ca3cf1de72921c5864a1d87cb485da071

SHA256
76e9258496317fb42aef47375e2eb8b9f90cb8f2707f6f5857e11704bf1af21b

SHA512
7fcce69100ba8ef447f2c0068df59dd2567eb7949039002b76eb3622c9671769b2f2d965344db36c524efc5466c55f1be2eb5388565995ed4b6881bfe3e5647d

Download Submit
C:\Users\Admin\AppData\Local\GoToMeeting\19950\G2MResource_ja.dll

Filesize
1.1MB

MD5
ae9184a8c8b69a86a74dbfae826ae8d1

SHA1
0ec72b6b82aa2e8659fbcd19e3ca6fa022374815

SHA256
f9eef76a18d1ac5fcaba5580530c6da35a4649abbbef2077531663168908b6be

SHA512
1e1fe3e9901f1a53f0b3787d72015e278e9061f84142517a0123bd76721b79af6a274b9607f0378707753eff2037e5e350370b7441fc16b744900b3b0c75c037

Download Submit
C:\Users\Admin\AppData\Local\GoToMeeting\19950\G2MResource_ko.dll

Filesize
1.0MB

MD5
f5f2fc818559f099d44d4700ed1b9716

SHA1
7276cfe3fb05e1fc140f255dcfae587505531cfd

SHA256
e24f980b4e0d456e5d92c785cdf54b64343b65d5718a062ed9c41e5ef0f042c7

SHA512
28188cd57014bb1cf0365b157f10c53adc7d9b1e8d737f4e5a05e3b067dc254fd7ed863ab36aef278865ae660711d121649c9188c44e8f4f460ab40af623631b

Download Submit
C:\Users\Admin\AppData\Local\GoToMeeting\19950\G2MResource_pt-BR.dll

Filesize
1.2MB

MD5
d97d36e25a80b25433666060c37e6337

SHA1
95eb75c14357be03e5093e129f26e41c2fdea153

SHA256
31d3ff8145bc6ac57c6dc9010ca9298ababaa0bdbee1aa161fdbf52658d820e5

SHA512
8312ab4819ca900ebb31747a86c9a843bafb15933287888440f3f99efe8102fde7b30fa724b2f3bf780dd7b07526e0aab3d05d00e25b96cc73009ca0663b6cad

Download Submit
C:\Users\Admin\AppData\Local\GoToMeeting\19950\G2MResource_zh.dll

Filesize
1017KB

MD5
37f2518ed6262b842e08fdf1db19619f

SHA1
7318856f9f70e5b49a02ab2b9b58324489b8b29d

SHA256
91c1163a31bc86a035c3909f1bcf0ee4c9a3d220f3de1e1762d9071c82f1795b

SHA512
42e68bd9d0d3a829c9f20f0e79c0f2d33758f390e3e276bef208637fecbf1f6341a90266ce0465b2c620c9f2e47e258fc891d5b909f1a4f72901d35277a26bd1

Download Submit
C:\Users\Admin\AppData\Local\GoToMeeting\19950\g2m.dll

Filesize
46.4MB

MD5
bdb01e73091a8752ff82234d414a50bf

SHA1
19d52a72db26ba09596133f4640971f289d1c138

SHA256
649ede91f00d784ed1e397ece6e5f13dbe6cd9d86c06b424834c443c32727bae

SHA512
b54e8c6172d5aaff2ff5ee789cd8933cbddf5d965116dcedea0ff85483b4758b4d3ee733bf2682c7ecdeb1f2f66d348b06936c835f96ec930ace7cda7b450b0f

Download Submit
C:\Users\Admin\AppData\Local\GoToMeeting\19950\g2mcomm.exe

Filesize
32KB

MD5
149067e8ecb5a2f309e6ca4117d93469

SHA1
c6e4bb0af2bab4034f9efcb813313f094b9850c2

SHA256
89f14fefec929d3d4aa4d7247ebe53f8192684fa96857a920dba14fcc1e908cc

SHA512
de933f00a935a4bfe911bbb28ca73538678b8c6db164e96a3b86535e79bca6c69548d6504e0e3bdd4b808cd8ef9b716adbebccb8b28bf42a73db75b27840f036

Download Submit
C:\Users\Admin\AppData\Local\GoToMeeting\19950\g2mcomm.exe

Filesize
32KB

MD5
149067e8ecb5a2f309e6ca4117d93469

SHA1
c6e4bb0af2bab4034f9efcb813313f094b9850c2

SHA256
89f14fefec929d3d4aa4d7247ebe53f8192684fa96857a920dba14fcc1e908cc

SHA512
de933f00a935a4bfe911bbb28ca73538678b8c6db164e96a3b86535e79bca6c69548d6504e0e3bdd4b808cd8ef9b716adbebccb8b28bf42a73db75b27840f036

Download Submit
C:\Users\Admin\AppData\Local\GoToMeeting\19950\g2mlauncher.exe

Filesize
32KB

MD5
6beeda918b1fe5276d6b9396cfeee0aa

SHA1
39fd8ce32a6fb2b1c5495e71e830bd499423810a

SHA256
eab84294918b6a2f61b6340127370f07253a762183243b9a9d3135b91bda79bd

SHA512
28fa1213a179f4b51f79b47fd1e521f689bea89bbf22b180ee6424c3652e94c1b56a99c76e01b8a92cf00ef971dd8ab4651e58b2fc027c2711e8351dc30d903c

Download Submit
C:\Users\Admin\AppData\Local\GoToMeeting\19950\g2mlauncher.exe

Filesize
32KB

MD5
6beeda918b1fe5276d6b9396cfeee0aa

SHA1
39fd8ce32a6fb2b1c5495e71e830bd499423810a

SHA256
eab84294918b6a2f61b6340127370f07253a762183243b9a9d3135b91bda79bd

SHA512
28fa1213a179f4b51f79b47fd1e521f689bea89bbf22b180ee6424c3652e94c1b56a99c76e01b8a92cf00ef971dd8ab4651e58b2fc027c2711e8351dc30d903c

Download Submit
C:\Users\Admin\AppData\Local\GoToMeeting\19950\g2mstart.exe

Filesize
32KB

MD5
40c43a9f50f4bebb9aadcc38ca75ba06

SHA1
277f7874b986ca0f17c55da1d50abecea77ad46e

SHA256
1ddb4e75b45852989ba34368a90d12463f85b378cbd860dfe543faad10e17d5f

SHA512
40018db207dd540309cdf70603ce8477ab9aad00f3ccf8d2c30848492c54ce7fae50490f2684e8c0929e6e3f0ba09d43ce7b10c91ccb0908ece3daf636e74e96

Download Submit
C:\Users\Admin\AppData\Local\GoToMeeting\19950\g2mstart.exe

Filesize
32KB

MD5
40c43a9f50f4bebb9aadcc38ca75ba06

SHA1
277f7874b986ca0f17c55da1d50abecea77ad46e

SHA256
1ddb4e75b45852989ba34368a90d12463f85b378cbd860dfe543faad10e17d5f

SHA512
40018db207dd540309cdf70603ce8477ab9aad00f3ccf8d2c30848492c54ce7fae50490f2684e8c0929e6e3f0ba09d43ce7b10c91ccb0908ece3daf636e74e96

Download Submit
C:\Users\Admin\AppData\Local\GoToMeeting\19950\g2mui.exe

Filesize
32KB

MD5
e26ec1310450c7a4b4e6114f87bb1332

SHA1
3dd09cc50d5c80359c1b0c96f376093656d0edd6

SHA256
96727dfb08d4252e3e790066be1f487b6c4fc1604102b565d2d5c8d3ddfd478d

SHA512
0449edc6dd3e3648fe4bc198a1e568a452ed23cc5f7bb066b4db9dd379f282dc9379516f5e6783c0d3bacecb40e34bd0a0568f6071fce9fce549f44d2fe0f277

Download Submit
C:\Users\Admin\AppData\Local\GoToMeeting\19950\g2mvideoconference.exe

Filesize
32KB

MD5
40c43a9f50f4bebb9aadcc38ca75ba06

SHA1
277f7874b986ca0f17c55da1d50abecea77ad46e

SHA256
1ddb4e75b45852989ba34368a90d12463f85b378cbd860dfe543faad10e17d5f

SHA512
40018db207dd540309cdf70603ce8477ab9aad00f3ccf8d2c30848492c54ce7fae50490f2684e8c0929e6e3f0ba09d43ce7b10c91ccb0908ece3daf636e74e96

Download Submit
C:\Users\Admin\AppData\Local\Temp\0AB81826-0CD6-49C4-9B0C-017B4AE8C6BE\G2M.Dll

Filesize
46.4MB

MD5
bdb01e73091a8752ff82234d414a50bf

SHA1
19d52a72db26ba09596133f4640971f289d1c138

SHA256
649ede91f00d784ed1e397ece6e5f13dbe6cd9d86c06b424834c443c32727bae

SHA512
b54e8c6172d5aaff2ff5ee789cd8933cbddf5d965116dcedea0ff85483b4758b4d3ee733bf2682c7ecdeb1f2f66d348b06936c835f96ec930ace7cda7b450b0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\0AB81826-0CD6-49C4-9B0C-017B4AE8C6BE\G2MCommonResources.dll

Filesize
8.9MB

MD5
e162a6f2b63c6a3873f2a2fea170fa2a

SHA1
0cdd50f7fff1813a2c8075f57a2dcd247b11ea6f

SHA256
51403f83457ece8850a61cffe5308ffa130e3db4dcc0b560678e0bfd65c20b37

SHA512
f0b1c6e4e4a86e29017fff678dcc5f4e0ab99e4b0553e659f26006211e4a456f0d4d087b669bbdf3ee654d6f3e2f2f24fa901d5a7e6ed70459ccbc3cf414991c

Download Submit
C:\Users\Admin\AppData\Local\Temp\0AB81826-0CD6-49C4-9B0C-017B4AE8C6BE\G2MCoreInstExtractor.exe

Filesize
20.0MB

MD5
952acad8151610da5371f5f042d2990b

SHA1
2c453b89c9e96bdfe0c80e74f45ed9a844d19801

SHA256
c5092fe9afe423efa9212028c8a793742e5cc1edf86fd8197655b96eb5681caf

SHA512
a9bad03fbc342f82d984a5069aa8c4a2f42265d9a2458ae9d7138206417d12fc7846fabb9e44f891bd8ee0f9f66307b77dc0610d658a62940766d648e14f99da

Download Submit
C:\Users\Admin\AppData\Local\Temp\0AB81826-0CD6-49C4-9B0C-017B4AE8C6BE\G2MCoreInstExtractor.exe

Filesize
20.0MB

MD5
952acad8151610da5371f5f042d2990b

SHA1
2c453b89c9e96bdfe0c80e74f45ed9a844d19801

SHA256
c5092fe9afe423efa9212028c8a793742e5cc1edf86fd8197655b96eb5681caf

SHA512
a9bad03fbc342f82d984a5069aa8c4a2f42265d9a2458ae9d7138206417d12fc7846fabb9e44f891bd8ee0f9f66307b77dc0610d658a62940766d648e14f99da

Download Submit
C:\Users\Admin\AppData\Local\Temp\0AB81826-0CD6-49C4-9B0C-017B4AE8C6BE\G2MInstHigh.exe

Filesize
32KB

MD5
e3c3c37bb2d04271ed3baaba0deac123

SHA1
fe193f6d43cacb42a1cc417aed4572f39482b3e6

SHA256
46dc65ed9610c8301e2cc019d8f9e765ef26b14c10d4ca63683bebfc6b37272e

SHA512
2205cb6dcace1a4f926fc82b540982e13f573fbdba3d5ffce4fa892ca58842e99f1b9133417b3333877400c57b5974065b2f5f66b7bbccbf9d4c8f0192a76895

Download Submit
C:\Users\Admin\AppData\Local\Temp\0AB81826-0CD6-49C4-9B0C-017B4AE8C6BE\G2MInstaller.exe

Filesize
32KB

MD5
40c43a9f50f4bebb9aadcc38ca75ba06

SHA1
277f7874b986ca0f17c55da1d50abecea77ad46e

SHA256
1ddb4e75b45852989ba34368a90d12463f85b378cbd860dfe543faad10e17d5f

SHA512
40018db207dd540309cdf70603ce8477ab9aad00f3ccf8d2c30848492c54ce7fae50490f2684e8c0929e6e3f0ba09d43ce7b10c91ccb0908ece3daf636e74e96

Download Submit
C:\Users\Admin\AppData\Local\Temp\0AB81826-0CD6-49C4-9B0C-017B4AE8C6BE\G2MInstaller.exe

Filesize
32KB

MD5
40c43a9f50f4bebb9aadcc38ca75ba06

SHA1
277f7874b986ca0f17c55da1d50abecea77ad46e

SHA256
1ddb4e75b45852989ba34368a90d12463f85b378cbd860dfe543faad10e17d5f

SHA512
40018db207dd540309cdf70603ce8477ab9aad00f3ccf8d2c30848492c54ce7fae50490f2684e8c0929e6e3f0ba09d43ce7b10c91ccb0908ece3daf636e74e96

Download Submit
C:\Users\Admin\AppData\Local\Temp\0AB81826-0CD6-49C4-9B0C-017B4AE8C6BE\G2MInstaller.exe

Filesize
32KB

MD5
40c43a9f50f4bebb9aadcc38ca75ba06

SHA1
277f7874b986ca0f17c55da1d50abecea77ad46e

SHA256
1ddb4e75b45852989ba34368a90d12463f85b378cbd860dfe543faad10e17d5f

SHA512
40018db207dd540309cdf70603ce8477ab9aad00f3ccf8d2c30848492c54ce7fae50490f2684e8c0929e6e3f0ba09d43ce7b10c91ccb0908ece3daf636e74e96

Download Submit
C:\Users\Admin\AppData\Local\Temp\0AB81826-0CD6-49C4-9B0C-017B4AE8C6BE\G2MOutlookAddin.dll

Filesize
209KB

MD5
1847bc4e9df58e08a97481dc46f0311d

SHA1
120cf9834e4d88c858ba63d98d6e56c82c988635

SHA256
8842551370e7fdf947826341ffa3f7c7b54577c1a8356003b5fab3994816f077

SHA512
c37274da8f4bd92b01195d71221f4d89d86a3d552b16416efb5dc58ff74d7b135086f1bede13426975b2a9cd18becd0b4db941da2add288db63b6b32ca4b57a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\0AB81826-0CD6-49C4-9B0C-017B4AE8C6BE\G2MOutlookAddin64.dll

Filesize
245KB

MD5
61b2aa9c3a26569e7b8bcdde5a676d44

SHA1
b72185a71969ea033804a42a8d5aa18db0449e35

SHA256
070ad9cee9917cb83ad4c8f33deea1a6c7c38d92e70bec42e8396c2d563563a7

SHA512
e50a3b2fa8b36f00f04a3cf3e8db8cb92788c6d85217d9b26404e381a1e50d763785fa2ddf99e9bb2cb36d3217dd75f750217fdeda5801a1729f85919cf07118

Download Submit
C:\Users\Admin\AppData\Local\Temp\0AB81826-0CD6-49C4-9B0C-017B4AE8C6BE\G2MResource_de.dll

Filesize
1.2MB

MD5
6afdadc10ab20b8cc8cfd7f2dbb05f7e

SHA1
675c9c061e161d32d12aaa562b5d3bca3e35ce44

SHA256
8bcecbdaa66bf85c99bb5cc892470e5774490050017e2ba2600ab3c0674318ef

SHA512
f2136da7fb0545e3e26e4ec969b54d5a5c6f7e9355550c73701d42fed41a571c9a834de7127541083076a6ee43b041c90c4b52020c92c96f85ef65d86f91539c

Download Submit
C:\Users\Admin\AppData\Local\Temp\0AB81826-0CD6-49C4-9B0C-017B4AE8C6BE\G2MResource_en.dll

Filesize
1.2MB

MD5
7594b538937b64751df9f553ddbb921c

SHA1
c029d68f782a97e5429fc033ebeaa5e4d6eadb83

SHA256
c1180b30da54fd296523eea9d483a54314aa9a8252f97d4068fd0c74766703ee

SHA512
3aaf0d1e52d204ebf348505e94c168741eaef6759e57750af1285e4a11a70a08513bda399e974171baf19dd912ba8c4f8b1aeabf15b8411b33e926c12b1b38d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\0AB81826-0CD6-49C4-9B0C-017B4AE8C6BE\G2MResource_es.dll

Filesize
1.2MB

MD5
63a51e9223a9e653ad9e6688fc8a309f

SHA1
ec8511dc4ade624bfe8ebf98c73e891902164c04

SHA256
5a9a0ad212f67d67566234ad990868a45dbac75f07297bc8670f38ddbc8e17d3

SHA512
b5267860089ce09d722f22294d5c504ed4f85e0f9f98c94a5655da35a0612ad7032cf9de7c4083762514fcf6821c13053b013920f0fc6e5db950c5bb86cb094e

Download Submit
C:\Users\Admin\AppData\Local\Temp\0AB81826-0CD6-49C4-9B0C-017B4AE8C6BE\G2MResource_fr.dll

Filesize
1.2MB

MD5
b82dc5176b2599e4cf47c864bc1cb2ed

SHA1
8bf06b3f9c7aa4e6b91e6d842bd2d32c8a435d78

SHA256
81f00efe740b5b386c3d3e6b694b30dae55c7b2cdfecbdfab0cf3779bf0ee585

SHA512
cf638b9d615e723fc15a1e5e48c5eef360c67a8b62b13a27d1040f1fe43f59611a8506ea9676be26d07a7e4df4e28290344fcf7e2dd914b1af8223ef5f739f02

Download Submit
C:\Users\Admin\AppData\Local\Temp\0AB81826-0CD6-49C4-9B0C-017B4AE8C6BE\G2MResource_it.dll

Filesize
1.2MB

MD5
3929662b57ce4e430b265d2c8014375c

SHA1
a321346ca3cf1de72921c5864a1d87cb485da071

SHA256
76e9258496317fb42aef47375e2eb8b9f90cb8f2707f6f5857e11704bf1af21b

SHA512
7fcce69100ba8ef447f2c0068df59dd2567eb7949039002b76eb3622c9671769b2f2d965344db36c524efc5466c55f1be2eb5388565995ed4b6881bfe3e5647d

Download Submit
C:\Users\Admin\AppData\Local\Temp\0AB81826-0CD6-49C4-9B0C-017B4AE8C6BE\G2MResource_ja.dll

Filesize
1.1MB

MD5
ae9184a8c8b69a86a74dbfae826ae8d1

SHA1
0ec72b6b82aa2e8659fbcd19e3ca6fa022374815

SHA256
f9eef76a18d1ac5fcaba5580530c6da35a4649abbbef2077531663168908b6be

SHA512
1e1fe3e9901f1a53f0b3787d72015e278e9061f84142517a0123bd76721b79af6a274b9607f0378707753eff2037e5e350370b7441fc16b744900b3b0c75c037

Download Submit
C:\Users\Admin\AppData\Local\Temp\0AB81826-0CD6-49C4-9B0C-017B4AE8C6BE\G2MResource_ko.dll

Filesize
1.0MB

MD5
f5f2fc818559f099d44d4700ed1b9716

SHA1
7276cfe3fb05e1fc140f255dcfae587505531cfd

SHA256
e24f980b4e0d456e5d92c785cdf54b64343b65d5718a062ed9c41e5ef0f042c7

SHA512
28188cd57014bb1cf0365b157f10c53adc7d9b1e8d737f4e5a05e3b067dc254fd7ed863ab36aef278865ae660711d121649c9188c44e8f4f460ab40af623631b

Download Submit
C:\Users\Admin\AppData\Local\Temp\0AB81826-0CD6-49C4-9B0C-017B4AE8C6BE\G2MResource_pt-BR.dll

Filesize
1.2MB

MD5
d97d36e25a80b25433666060c37e6337

SHA1
95eb75c14357be03e5093e129f26e41c2fdea153

SHA256
31d3ff8145bc6ac57c6dc9010ca9298ababaa0bdbee1aa161fdbf52658d820e5

SHA512
8312ab4819ca900ebb31747a86c9a843bafb15933287888440f3f99efe8102fde7b30fa724b2f3bf780dd7b07526e0aab3d05d00e25b96cc73009ca0663b6cad

Download Submit
C:\Users\Admin\AppData\Local\Temp\0AB81826-0CD6-49C4-9B0C-017B4AE8C6BE\G2MResource_zh.dll

Filesize
1017KB

MD5
37f2518ed6262b842e08fdf1db19619f

SHA1
7318856f9f70e5b49a02ab2b9b58324489b8b29d

SHA256
91c1163a31bc86a035c3909f1bcf0ee4c9a3d220f3de1e1762d9071c82f1795b

SHA512
42e68bd9d0d3a829c9f20f0e79c0f2d33758f390e3e276bef208637fecbf1f6341a90266ce0465b2c620c9f2e47e258fc891d5b909f1a4f72901d35277a26bd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\0AB81826-0CD6-49C4-9B0C-017B4AE8C6BE\G2MScrUtil32.exe

Filesize
1.3MB

MD5
77be39e79b3e03392c104701dddd51cb

SHA1
f6eed68d63b51af5c5aed9288231ba6ef457147a

SHA256
e60fda6528d16e3626519715501501c7d41c50a732d708572d39dd480920427c

SHA512
da09478a22ccd54b1da5fbd5082de294f6f55e9a3b5f151b7d82c9bce819673f361416abab9d3c67c2ce176c7f5a0456c41747ca5bcc23060974611b4ba4783b

Download Submit
C:\Users\Admin\AppData\Local\Temp\0AB81826-0CD6-49C4-9B0C-017B4AE8C6BE\G2MScrUtil64.exe

Filesize
1.7MB

MD5
3c57f1023487dbebd3e182cdbc161ab8

SHA1
01af3ecb45cff14f4a0c4bee9cf1d6e9593a9dd8

SHA256
2cafdcd77bd9e0168ab529b7d34d311f46d4e1088f84f0976ba608f182c3ed9e

SHA512
29ae472a6ddf9e8837835a48e0a8823d70a20c087bf3feac8478a333441f5176f20925639323b06ee09e84cbfe791a3253d36de8e6e6d78517a35a1a31cd5de1

Download Submit
C:\Users\Admin\AppData\Local\Temp\0AB81826-0CD6-49C4-9B0C-017B4AE8C6BE\G2MTestSound.wav

Filesize
357KB

MD5
2b3258a4b4abb702e380ddd87b2859f9

SHA1
9f1d50348fb02fc659747a363a364c2ea643515b

SHA256
dece1a08bafdcc95860c15c2e142c1b7be3c4325deaeec4ae443a8cf929ab561

SHA512
54446cf84841092bd3159d07b28b0ac2f4d0ab4af4e16caeb421eb6879c3340e855a04698807c739ac1eed63301b6db599038912721d8d57ee8cac965ebf215f

Download Submit
C:\Users\Admin\AppData\Local\Temp\0AB81826-0CD6-49C4-9B0C-017B4AE8C6BE\g2m.dll

Filesize
46.4MB

MD5
bdb01e73091a8752ff82234d414a50bf

SHA1
19d52a72db26ba09596133f4640971f289d1c138

SHA256
649ede91f00d784ed1e397ece6e5f13dbe6cd9d86c06b424834c443c32727bae

SHA512
b54e8c6172d5aaff2ff5ee789cd8933cbddf5d965116dcedea0ff85483b4758b4d3ee733bf2682c7ecdeb1f2f66d348b06936c835f96ec930ace7cda7b450b0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\0AB81826-0CD6-49C4-9B0C-017B4AE8C6BE\g2mcomm.exe

Filesize
32KB

MD5
149067e8ecb5a2f309e6ca4117d93469

SHA1
c6e4bb0af2bab4034f9efcb813313f094b9850c2

SHA256
89f14fefec929d3d4aa4d7247ebe53f8192684fa96857a920dba14fcc1e908cc

SHA512
de933f00a935a4bfe911bbb28ca73538678b8c6db164e96a3b86535e79bca6c69548d6504e0e3bdd4b808cd8ef9b716adbebccb8b28bf42a73db75b27840f036

Download Submit
C:\Users\Admin\AppData\Local\Temp\0AB81826-0CD6-49C4-9B0C-017B4AE8C6BE\g2mlauncher.exe

Filesize
32KB

MD5
6beeda918b1fe5276d6b9396cfeee0aa

SHA1
39fd8ce32a6fb2b1c5495e71e830bd499423810a

SHA256
eab84294918b6a2f61b6340127370f07253a762183243b9a9d3135b91bda79bd

SHA512
28fa1213a179f4b51f79b47fd1e521f689bea89bbf22b180ee6424c3652e94c1b56a99c76e01b8a92cf00ef971dd8ab4651e58b2fc027c2711e8351dc30d903c

Download Submit
C:\Users\Admin\AppData\Local\Temp\0AB81826-0CD6-49C4-9B0C-017B4AE8C6BE\g2mtranscoder.exe

Filesize
32KB

MD5
37d127aba2b7fab308eae589a8d6b77c

SHA1
64d7b5834eadb5c554ada375ca033c7e5bb3275f

SHA256
3682baf533aea5e075ad4cff794294a0f494c652e8ea778fc46b9707efb359b1

SHA512
a4237387dd64cc05c08cf169b4723eca2e5987b91dc3ecd6927727e4a36de1dbdd65c249c808ca800981ca5dd2b430ed38de0970f16c38da26b98346fd8bdd2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\0AB81826-0CD6-49C4-9B0C-017B4AE8C6BE\g2mui.exe

Filesize
32KB

MD5
e26ec1310450c7a4b4e6114f87bb1332

SHA1
3dd09cc50d5c80359c1b0c96f376093656d0edd6

SHA256
96727dfb08d4252e3e790066be1f487b6c4fc1604102b565d2d5c8d3ddfd478d

SHA512
0449edc6dd3e3648fe4bc198a1e568a452ed23cc5f7bb066b4db9dd379f282dc9379516f5e6783c0d3bacecb40e34bd0a0568f6071fce9fce549f44d2fe0f277

Download Submit
C:\Users\Admin\AppData\Local\Temp\0AB81826-0CD6-49C4-9B0C-017B4AE8C6BE\uninshlp.dll

Filesize
16KB

MD5
3a6533897b5a5defae75e6ed9defaf4c

SHA1
dd460396724ab79e1de08316945701d89e95dd1a

SHA256
2972d37845e2fbd36a28f243de04c6565d9919198f00b578ce619fa688b6202a

SHA512
a3015c27226eb14bb6b47036f7e07b37b7b377dccbb8b7e14b8ab447b4305cb59bff3793af780387bf637b0a43a7e72113991b36393c5444e41eb4368ea53d02

Download Submit
C:\Users\Admin\AppData\Local\Temp\0AB81826-0CD6-49C4-9B0C-017B4AE8C6BE\uninshlp.dll

Filesize
16KB

MD5
3a6533897b5a5defae75e6ed9defaf4c

SHA1
dd460396724ab79e1de08316945701d89e95dd1a

SHA256
2972d37845e2fbd36a28f243de04c6565d9919198f00b578ce619fa688b6202a

SHA512
a3015c27226eb14bb6b47036f7e07b37b7b377dccbb8b7e14b8ab447b4305cb59bff3793af780387bf637b0a43a7e72113991b36393c5444e41eb4368ea53d02

Download Submit
C:\Users\Admin\AppData\Local\Temp\427224DE-7B93-4F4D-A96F-59FF190745B0.bat

Filesize
203B

MD5
f376ab9e069e0e7a7cd48d705b3abe18

SHA1
62a7368f11514561ccb300ac6bc52fa80b536e41

SHA256
b055d75940cf9e219e5f5414947082909f8acb54753a703a00d51799f4027e4d

SHA512
7c55f6bcc509a06f81b485eec48e76385d1fc0563ebfa055220383a3274a15bd2ef9f7950872fa6a37d87d3bc2ba6b24e3b97f2269923bacda3a15998eca543b

Download Submit
C:\Users\Admin\AppData\Local\Temp\4A1FFD19-7206-4278-88D0-8B56FB0C0EEB\GoTo Opener.exe

Filesize
375KB

MD5
fea2b3e91246b031f5427e82084fd667

SHA1
85020cf90e03e062cc2524f6a63d4a28ffdf64cb

SHA256
aeb35e3be12ca0292dee4e87d477bdea5d9f41bcc853c10d51207d0ac9e316c1

SHA512
2d1a1f0f937ed247f7cdfc0027792acab003c100549eee8ff028e89737273ec5e2bea537dc58fad2944f34edd2ebe2a717ec9d221e03bbe2ce8ca7354007d86d

Download Submit
C:\Users\Admin\AppData\Local\Temp\4A1FFD19-7206-4278-88D0-8B56FB0C0EEB\GoToOpener.msi

Filesize
116KB

MD5
f492835b151cddd0f36af61abf1434d1

SHA1
4cc81119ff893a5e57899bc9f13f2b9d71da930e

SHA256
b4124eeaa75ed0aea5fa1e7d349687996d4f9962555df7f19ead759e01c3464a

SHA512
4b92b692c44026c05734939cad32f7200dc39361fc5d871e04b8b8292c76a6c46ef5dfb14e74c44493d2935744092ac752c599487f7dc2776aad92b77477f24d

Download Submit
C:\Users\Admin\AppData\Local\Temp\LogMeInLogs\GoToOpenerMsi\036D102F-0C3B-4FC9-A888-E980E86B1B55.log

Filesize
1KB

MD5
0df032dfea1e7d768079568212a71017

SHA1
0d7f642f5456f15cab107e189e396a05ebcd7a7c

SHA256
452901873f7913b3e410d2591ded6ae6a959fbd827c43d8023635580e85492ff

SHA512
be5b7b084d131a7fbd1610870066f846063cb595d38d49e9a80ff299461ce3001d78bdb39357628a872fa13c4cd074e2e4f37c7e2d9fd6a8438c6fe58226a7d8

Download Submit
C:\Windows\Installer\e5887ec.msi

Filesize
116KB

MD5
f492835b151cddd0f36af61abf1434d1

SHA1
4cc81119ff893a5e57899bc9f13f2b9d71da930e

SHA256
b4124eeaa75ed0aea5fa1e7d349687996d4f9962555df7f19ead759e01c3464a

SHA512
4b92b692c44026c05734939cad32f7200dc39361fc5d871e04b8b8292c76a6c46ef5dfb14e74c44493d2935744092ac752c599487f7dc2776aad92b77477f24d

Download Submit
memory/828-105-0x0000000000400000-0x00000000049BC000-memory.dmp

Filesize
69.7MB

Download
memory/2040-180-0x00000000006E0000-0x00000000006E1000-memory.dmp

Filesize
4KB

Download
memory/2136-210-0x0000000075890000-0x00000000758C9000-memory.dmp

Filesize
228KB

Download
memory/2136-217-0x0000000075890000-0x00000000758C9000-memory.dmp

Filesize
228KB

Download
memory/4028-0-0x0000000000BC0000-0x0000000000CE8000-memory.dmp

Filesize
1.2MB

Download
memory/4028-28-0x0000000000BC0000-0x0000000000CE8000-memory.dmp

Filesize
1.2MB

Download
memory/4028-118-0x0000000000BC0000-0x0000000000CE8000-memory.dmp

Filesize
1.2MB

Download
memory/4028-209-0x0000000000BC0000-0x0000000000CE8000-memory.dmp

Filesize
1.2MB

Download
memory/4028-1-0x0000000000BC0000-0x0000000000CE8000-memory.dmp

Filesize
1.2MB

Download