egregor | 39e246d194e4a5ade27a08d4a925dbff009fa8b66963c05f18712c1472e24a81

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16-05-2024 15:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3858_invoice.exe
Size

25.8MB
MD5

9b28351713f6b95a04996fee315aa7fd
SHA1

edac4aa27925404263fafdaad6dd375732861ad1
SHA256

39e246d194e4a5ade27a08d4a925dbff009fa8b66963c05f18712c1472e24a81
SHA512

7971eacbb3e56be9803abcd11f9fd3246ba763b16de5d3331e984b040c2c9730a9ba085ed1a7d0ae0d24bd28ed108938284111c8f65d011ee0e62c6c2c4fc624
SSDEEP

393216:M+Jsv6tWKFdu9CRXu3AzmqTL6zemNMg56LLnToMjmmV5BBWCJP0/3uj7XlC4t6no:RfmqG3Q3TTyanWCJM/e9Ch6dv

Score

10^/10

egregor discovery persistence ransomware

Malware Config

Signatures

Detected Egregor ransomware 1 IoCs

Processes:

resource	yara_rule
C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\FileManager.dll	family_egregor

Egregor Ransomware
Variant of the Sekhmet ransomware first seen in September 2020.
ransomware egregor

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

GoToResolveQuickView.exeGoToResolveUnattended.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	GoToResolveQuickView.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	GoToResolveUnattended.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

GoToResolveUnattended.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	GoToResolveUnattended.exe

Executes dropped EXE 21 IoCs

Processes:

GoToResolveUnattended.exeGoToResolveTools64.exeGoToResolveProcessChecker.exeGoToResolveProcessChecker.exeGoToResolveUnattended.exeGoToResolveLoggerProcess.exeGoToResolveCrashHandler.exeGoToResolveCrashHandler.exeGoToResolveFileManager.exeGoToResolveQuickView.exeGoToResolveTerminal.exeGoToResolveCrashHandler.exeGoToResolveCrashHandler.exeGoTo.Resolve.DeviceData.App.exeGoTo.Resolve.Alerts.Monitor.App.exeGoTo.Resolve.PatchManagement.Client.exeRemoteExecution.Runner.exeGoTo.Resolve.Alerts.Monitor.App.exeGoTo.Resolve.Antivirus.App.exeGoTo.Resolve.Antivirus.App.exeGoTo.Resolve.Alerts.Monitor.App.exe

pid	process
1512	GoToResolveUnattended.exe
3164	GoToResolveTools64.exe
4312	GoToResolveProcessChecker.exe
2576	GoToResolveProcessChecker.exe
552	GoToResolveUnattended.exe
5072	GoToResolveLoggerProcess.exe
3488	GoToResolveCrashHandler.exe
3500	GoToResolveCrashHandler.exe
1008	GoToResolveFileManager.exe
4420	GoToResolveQuickView.exe
3940	GoToResolveTerminal.exe
2764	GoToResolveCrashHandler.exe
1500	GoToResolveCrashHandler.exe
5644	GoTo.Resolve.DeviceData.App.exe
6080	GoTo.Resolve.Alerts.Monitor.App.exe
6116	GoTo.Resolve.PatchManagement.Client.exe
6020	RemoteExecution.Runner.exe
5256	GoTo.Resolve.Alerts.Monitor.App.exe
5500	GoTo.Resolve.Antivirus.App.exe
4288	GoTo.Resolve.Antivirus.App.exe
3864	GoTo.Resolve.Alerts.Monitor.App.exe

Loads dropped DLL 64 IoCs

Processes:

GoToResolveUnattended.exeGoToResolveProcessChecker.exeGoToResolveProcessChecker.exeGoToResolveUnattended.exeGoToResolveLoggerProcess.exeGoToResolveFileManager.exeGoToResolveQuickView.exeGoToResolveTerminal.exeRemoteExecution.Runner.exe

pid	process
1512	GoToResolveUnattended.exe
1512	GoToResolveUnattended.exe
1512	GoToResolveUnattended.exe
1512	GoToResolveUnattended.exe
1512	GoToResolveUnattended.exe
1512	GoToResolveUnattended.exe
4312	GoToResolveProcessChecker.exe
4312	GoToResolveProcessChecker.exe
4312	GoToResolveProcessChecker.exe
4312	GoToResolveProcessChecker.exe
4312	GoToResolveProcessChecker.exe
4312	GoToResolveProcessChecker.exe
2576	GoToResolveProcessChecker.exe
2576	GoToResolveProcessChecker.exe
2576	GoToResolveProcessChecker.exe
2576	GoToResolveProcessChecker.exe
2576	GoToResolveProcessChecker.exe
2576	GoToResolveProcessChecker.exe
552	GoToResolveUnattended.exe
552	GoToResolveUnattended.exe
552	GoToResolveUnattended.exe
552	GoToResolveUnattended.exe
552	GoToResolveUnattended.exe
552	GoToResolveUnattended.exe
5072	GoToResolveLoggerProcess.exe
5072	GoToResolveLoggerProcess.exe
5072	GoToResolveLoggerProcess.exe
5072	GoToResolveLoggerProcess.exe
5072	GoToResolveLoggerProcess.exe
5072	GoToResolveLoggerProcess.exe
1008	GoToResolveFileManager.exe
1008	GoToResolveFileManager.exe
1008	GoToResolveFileManager.exe
1008	GoToResolveFileManager.exe
1008	GoToResolveFileManager.exe
1008	GoToResolveFileManager.exe
4420	GoToResolveQuickView.exe
4420	GoToResolveQuickView.exe
4420	GoToResolveQuickView.exe
4420	GoToResolveQuickView.exe
4420	GoToResolveQuickView.exe
4420	GoToResolveQuickView.exe
3940	GoToResolveTerminal.exe
3940	GoToResolveTerminal.exe
3940	GoToResolveTerminal.exe
3940	GoToResolveTerminal.exe
3940	GoToResolveTerminal.exe
3940	GoToResolveTerminal.exe
6020	RemoteExecution.Runner.exe
6020	RemoteExecution.Runner.exe
6020	RemoteExecution.Runner.exe
6020	RemoteExecution.Runner.exe
6020	RemoteExecution.Runner.exe
6020	RemoteExecution.Runner.exe
6020	RemoteExecution.Runner.exe
6020	RemoteExecution.Runner.exe
6020	RemoteExecution.Runner.exe
6020	RemoteExecution.Runner.exe
6020	RemoteExecution.Runner.exe
6020	RemoteExecution.Runner.exe
6020	RemoteExecution.Runner.exe
6020	RemoteExecution.Runner.exe
6020	RemoteExecution.Runner.exe
6020	RemoteExecution.Runner.exe

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Processes:

GoToResolveUnattended.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5de81d42-ce2b-4a7e-b1b7-1312fa11c82b}\InprocServer32	GoToResolveUnattended.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5de81d42-ce2b-4a7e-b1b7-1312fa11c82b}\InprocServer32\ = "GoToResolveUnlock64.dll"	GoToResolveUnattended.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5de81d42-ce2b-4a7e-b1b7-1312fa11c82b}\InprocServer32\ThreadingModel = "Apartment"	GoToResolveUnattended.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks system information in the registry 2 TTPs 8 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

GoToResolveQuickView.exeGoToResolveTools64.exeGoToResolveUnattended.exeGoToResolveUnattended.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	GoToResolveQuickView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	GoToResolveQuickView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	GoToResolveTools64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	GoToResolveTools64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	GoToResolveUnattended.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	GoToResolveUnattended.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	GoToResolveUnattended.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	GoToResolveUnattended.exe

Drops file in System32 directory 52 IoCs

Processes:

GoTo.Resolve.Alerts.Monitor.App.exeGoToResolveTools64.exeDrvInst.exeGoTo.Resolve.Alerts.Monitor.App.exeGoToResolveUnattended.exeGoTo.Resolve.Antivirus.App.exeRemoteExecution.Runner.exeGoTo.Resolve.Antivirus.App.exeGoTo.Resolve.DeviceData.App.exeGoTo.Resolve.Alerts.Monitor.App.exeGoTo.Resolve.PatchManagement.Client.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\ApplicationInsights\49a79555446a342df02477815a2e44309b6db288b6f82a7fb9c8c03c3af6f5d9\qr3nvity.hcg	GoTo.Resolve.Alerts.Monitor.App.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wvmbusvideo.inf_amd64_c531b5e68fd6f6bf\wvmbusvideo.PNF	GoToResolveTools64.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{37b1c5ab-2384-4943-879b-15c2105567a5}\g2rvdd.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\ApplicationInsights\49a79555446a342df02477815a2e44309b6db288b6f82a7fb9c8c03c3af6f5d9\wd0c5cue.tr2	GoTo.Resolve.Alerts.Monitor.App.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{37b1c5ab-2384-4943-879b-15c2105567a5}\SETF5AB.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3E3E9689537B6B136ECF210088069D55_EF6C9357BB54DDB629FD2D79F1594F95	GoToResolveUnattended.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\ApplicationInsights\1350c50c6bf567bd2fd3f5d957b09d880c559776016217cd6c343fbdbcb588e4\pgcxg2ob.b00	GoTo.Resolve.Antivirus.App.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\ApplicationInsights\bf35fe7d15f2a58d930da8c8f390b78245b9136f9bb24b2713ab881c60fe52f1\vlk3i5ma.w1r	RemoteExecution.Runner.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\ApplicationInsights\1350c50c6bf567bd2fd3f5d957b09d880c559776016217cd6c343fbdbcb588e4\quguq3mm.bla	GoTo.Resolve.Antivirus.App.exe
File created	C:\Windows\System32\DriverStore\Temp\{37b1c5ab-2384-4943-879b-15c2105567a5}\SETF5AB.tmp	DrvInst.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	GoToResolveUnattended.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1	GoToResolveUnattended.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416	GoTo.Resolve.DeviceData.App.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\ApplicationInsights\49a79555446a342df02477815a2e44309b6db288b6f82a7fb9c8c03c3af6f5d9\3cleih2x.fzx	GoTo.Resolve.Alerts.Monitor.App.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\g2rvdd.inf_amd64_5e96164a846f7842\g2rvdd.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\g2rvdd.inf_amd64_5e96164a846f7842\g2rvdd.cat	DrvInst.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys	GoToResolveUnattended.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	GoToResolveUnattended.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\ApplicationInsights\49a79555446a342df02477815a2e44309b6db288b6f82a7fb9c8c03c3af6f5d9\qt2p4olw.ttp	GoTo.Resolve.Alerts.Monitor.App.exe
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	GoToResolveTools64.exe
File created	C:\Windows\System32\DriverStore\Temp\{37b1c5ab-2384-4943-879b-15c2105567a5}\SETF59B.tmp	DrvInst.exe
File created	C:\Windows\system32\GoToResolveUnlock64.dll	GoToResolveUnattended.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_325DC716E4289E0AE281439314ED4BFA	GoToResolveUnattended.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3E3E9689537B6B136ECF210088069D55_EF6C9357BB54DDB629FD2D79F1594F95	GoToResolveUnattended.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\ApplicationInsights\11624532ce422ae1e7fc411f7cf2679a7518cefe9461376d910905ef4633e2c0\p2b340j3.go5	GoTo.Resolve.PatchManagement.Client.exe
File created	C:\Windows\System32\DriverStore\FileRepository\vrd.inf_amd64_81fbd405ff2470fc\vrd.PNF	GoToResolveTools64.exe
File created	C:\Windows\System32\DriverStore\FileRepository\c_display.inf_amd64_c7457a37d16eaadf\c_display.PNF	GoToResolveTools64.exe
File created	C:\Windows\System32\DriverStore\FileRepository\rdpidd.inf_amd64_ce12c614d182f4f9\rdpidd.PNF	GoToResolveTools64.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{37b1c5ab-2384-4943-879b-15c2105567a5}\g2rvdd.cat	DrvInst.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	GoToResolveUnattended.exe
File created	C:\Windows\System32\DriverStore\FileRepository\rdvgwddmdx11.inf_amd64_e8336336d081cc11\rdvgwddmdx11.PNF	GoToResolveTools64.exe
File created	C:\Windows\System32\DriverStore\Temp\{37b1c5ab-2384-4943-879b-15c2105567a5}\SETF5AC.tmp	DrvInst.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\D8476E458BED34C156326F937B6F60897844FB3C	GoToResolveUnattended.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{37b1c5ab-2384-4943-879b-15c2105567a5}\g2rvdd.inf	DrvInst.exe
File opened for modification	C:\Windows\system32\GoToResolveUnlock64.dll	GoToResolveUnattended.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	GoToResolveUnattended.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C56C4404C4DEF0DC88E5FCD9F09CB2F1	GoToResolveUnattended.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\ApplicationInsights\49a79555446a342df02477815a2e44309b6db288b6f82a7fb9c8c03c3af6f5d9\51hsuuny.bef	GoTo.Resolve.Alerts.Monitor.App.exe
File created	C:\Windows\System32\DriverStore\FileRepository\virtualdisplayadapter.inf_amd64_bcc7550a6e285f92\virtualdisplayadapter.PNF	GoToResolveTools64.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{37b1c5ab-2384-4943-879b-15c2105567a5}\SETF59B.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{37b1c5ab-2384-4943-879b-15c2105567a5}\SETF5AC.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\g2rvdd.inf_amd64_5e96164a846f7842\g2rvdd.inf	DrvInst.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_325DC716E4289E0AE281439314ED4BFA	GoToResolveUnattended.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\ApplicationInsights\49a79555446a342df02477815a2e44309b6db288b6f82a7fb9c8c03c3af6f5d9\be2gwtpr.hx3	GoTo.Resolve.Alerts.Monitor.App.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{37b1c5ab-2384-4943-879b-15c2105567a5}	DrvInst.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\ApplicationInsights\49a79555446a342df02477815a2e44309b6db288b6f82a7fb9c8c03c3af6f5d9\ej1c3mcj.ly2	GoTo.Resolve.Alerts.Monitor.App.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\ApplicationInsights\49a79555446a342df02477815a2e44309b6db288b6f82a7fb9c8c03c3af6f5d9\gfbva1jb.gxb	GoTo.Resolve.Alerts.Monitor.App.exe
File created	C:\Windows\System32\DriverStore\FileRepository\displayoverride.inf_amd64_c7a5777273c98ebf\displayoverride.PNF	GoToResolveTools64.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\ApplicationInsights\49a79555446a342df02477815a2e44309b6db288b6f82a7fb9c8c03c3af6f5d9\pyp3s3l1.mdr	GoTo.Resolve.Alerts.Monitor.App.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416	GoTo.Resolve.DeviceData.App.exe

Drops file in Program Files directory 64 IoCs

Processes:

GoToResolveUnattended.exeGoToResolveCrashHandler.exe3858_invoice.exe

description	ioc	process
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\RemoteExecutionModule\1.2024.0506.1\System.Xml.Serialization.dll	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\RemoteExecutionModule\1.2024.0506.1\System.Runtime.Loader.dll	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\AntivirusModule\1.2024.0411.2\System.Security.dll	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\AntivirusModule\1.2024.0411.2\System.ServiceModel.Web.dll	GoToResolveUnattended.exe
File opened for modification	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\appdata\LoggerProcessCrashReportDB\metadata	GoToResolveCrashHandler.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\ZtnaModule\1.19.0\squid\bin\cygtasn1-6.dll	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\AntivirusModule\1.2024.0411.2\System.Security.Cryptography.Cng.dll	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\ZtnaModule\1.19.0\squid\usr\share\squid\man\man8\log_db_daemon.8	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\RemoteExecutionModule\1.2024.0506.1\System.Reflection.Primitives.dll	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\ZtnaModule\1.19.0\squid\usr\share\squid\errors\templates\ERR_CONFLICT_HOST	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\AntivirusModule\1.2024.0411.2\GoTo.Resolve.Policies.Client.Shared.dll	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\AntivirusModule\1.2024.0411.2\Microsoft.Extensions.Logging.Configuration.dll	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\ZtnaModule\1.19.0\squid\lib\squid\basic_smb_auth.sh	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\ZtnaModule\1.19.0\squid\usr\share\squid\man\man8\digest_file_auth.8	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\ZtnaModule\1.19.0\squid\lib\squid\basic_sasl_auth.exe	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\RemoteExecutionModule\1.2024.0506.1\RemoteExecution.Runner.exe	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\ZtnaModule\1.19.0\squid\bin\cygdb_cxx-5.3.dll	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\ZtnaModule\1.19.0\squid\bin\cygkdb5-8.dll	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\PatchManagementModule\1.2024.0507.5\GoTo.Resolve.PatchManagement.Client.exe	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\AntivirusModule\1.2024.0411.2\Microsoft.Extensions.DependencyInjection.dll	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\AntivirusModule\1.2024.0411.2\System.Security.Cryptography.dll	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\LMIFilterHook32.dll	3858_invoice.exe
File opened for modification	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\.sentry-native\be9fcdd7-7c84-4d24-7dd8-b9f854e24b19.run.lock	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\ZtnaModule\1.19.0\squid\bin\cygunistring-5.dll	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\ZtnaModule\1.19.0\squid\bin\cyggomp-1.dll	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\ZtnaModule\1.19.0\squid\bin\cyghogweed-4.dll	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\RemoteExecutionModule\1.2024.0506.1\System.Globalization.Extensions.dll	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\RemoteExecutionModule\1.2024.0506.1\System.Reflection.Emit.Lightweight.dll	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\AntivirusModule\1.2024.0411.2\System.Reflection.Primitives.dll	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\ZtnaModule\1.19.0\squid\bin\cygman-2-11-2.dll	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\RemoteExecutionModule\1.2024.0506.1\System.Diagnostics.FileVersionInfo.dll	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\RemoteExecutionModule\1.2024.0506.1\System.Resources.Reader.dll	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\AntivirusModule\1.2024.0411.2\System.Diagnostics.FileVersionInfo.dll	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\AntivirusModule\1.2024.0411.2\System.Net.Http.dll	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\AntivirusModule\1.2024.0411.2\System.ObjectModel.dll	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\ZtnaModule\1.19.0\squid\bin\cygblkid-1.dll	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\ZtnaModule\1.19.0\squid\bin\cygkadm5clnt_mit-11.dll	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\ZtnaModule\1.19.0\squid\lib\squid\storeid_file_rewrite	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\AntivirusModule\1.2024.0411.2\System.IO.UnmanagedMemoryStream.dll	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\PatchManagementModule\1.2024.0507.5\appsettings.json	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\RemoteExecutionModule\1.2024.0506.1\System.Core.dll	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\ZtnaModule\1.19.0\squid\usr\share\squid\icons\SN.png	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\ZtnaModule\1.19.0\squid\usr\share\squid\icons\silk\image.png	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\ZtnaModule\1.19.0\squid\lib\squid\basic_smb_auth.exe	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\ZtnaModule\1.19.0\squid\bin\cygbrotlicommon-1.dll	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\ZtnaModule\1.19.0\squid\bin\cygmpfr-6.dll	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\RemoteExecutionModule\1.2024.0506.1\System.Resources.Writer.dll	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\GoToResolveUi.exe	3858_invoice.exe
File opened for modification	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\Logs\FileManager-2024-05-16T15-59-33-481Z.log	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\RemoteExecutionModule\1.2024.0506.1\System.Security.Cryptography.ProtectedData.dll	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\ZtnaModule\1.19.0\squid\bin\cyggnutls-dane-0.dll	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\ZtnaModule\1.19.0\squid\etc\squid\errorpage.css	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\RemoteExecutionModule\1.2024.0506.1\System.Threading.Tasks.dll	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\AntivirusModule\1.2024.0411.2\System.Runtime.Loader.dll	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\LMIInputHook64.dll	3858_invoice.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\RemoteExecutionModule\1.2024.0506.1\Microsoft.Extensions.Logging.Abstractions.dll	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\AntivirusModule\1.2024.0411.2\Microsoft.Extensions.Configuration.FileExtensions.dll	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\AntivirusModule\1.2024.0411.2\System.Security.Cryptography.OpenSsl.dll	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\AntivirusModule\1.2024.0411.2\System.ComponentModel.TypeConverter.dll	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\AntivirusModule\1.2024.0411.2\System.dll	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\AntivirusModule\1.2024.0411.2\System.Runtime.InteropServices.dll	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\ZtnaModule\1.19.0\squid\bin\cygunbound-2.dll	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\RemoteExecutionModule\1.2024.0506.1\System.Net.Primitives.dll	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\ZtnaModule\1.19.0\squid\lib\squid\digest_ldap_auth.exe	GoToResolveUnattended.exe

Drops file in Windows directory 5 IoCs

Processes:

DrvInst.exeGoToResolveTools64.exesvchost.exe

description	ioc	process
File created	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	GoToResolveTools64.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

5216 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
5216	sc.exe

Checks SCSI registry key(s) 3 TTPs 42 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

GoToResolveTools64.exesvchost.exeDrvInst.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	GoToResolveTools64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	GoToResolveTools64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	GoToResolveTools64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	GoToResolveTools64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	GoToResolveTools64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	GoToResolveTools64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	GoToResolveTools64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	GoToResolveTools64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	GoToResolveTools64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	GoToResolveTools64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	GoToResolveTools64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	GoToResolveTools64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	GoToResolveTools64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	GoToResolveTools64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	GoToResolveTools64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	GoToResolveTools64.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

GoToResolveUnattended.exeGoToResolveUnattended.exeGoToResolveQuickView.exeGoToResolveTools64.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	GoToResolveUnattended.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	GoToResolveUnattended.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	GoToResolveUnattended.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	GoToResolveQuickView.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	GoToResolveQuickView.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	GoToResolveTools64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	GoToResolveUnattended.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	GoToResolveUnattended.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	GoToResolveUnattended.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	GoToResolveQuickView.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	GoToResolveTools64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	GoToResolveTools64.exe

Delays execution with timeout.exe 3 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exe

pid process

4028 timeout.exe
2088 timeout.exe
1124 timeout.exe

pid	process
4028	timeout.exe
2088	timeout.exe
1124	timeout.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

GoTo.Resolve.DeviceData.App.exeDrvInst.exeGoToResolveUnattended.exeRemoteExecution.Runner.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time"	GoTo.Resolve.DeviceData.App.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time"	GoTo.Resolve.DeviceData.App.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	GoTo.Resolve.DeviceData.App.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time"	GoTo.Resolve.DeviceData.App.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time"	GoTo.Resolve.DeviceData.App.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2871 = "Magallanes Daylight Time"	GoTo.Resolve.DeviceData.App.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time"	GoTo.Resolve.DeviceData.App.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time"	GoTo.Resolve.DeviceData.App.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time"	GoTo.Resolve.DeviceData.App.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	GoToResolveUnattended.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	GoToResolveUnattended.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	RemoteExecution.Runner.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	GoToResolveUnattended.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time"	GoTo.Resolve.DeviceData.App.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time"	GoTo.Resolve.DeviceData.App.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time"	GoTo.Resolve.DeviceData.App.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	GoToResolveUnattended.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time"	GoTo.Resolve.DeviceData.App.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	GoTo.Resolve.DeviceData.App.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time"	GoTo.Resolve.DeviceData.App.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time"	GoTo.Resolve.DeviceData.App.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	GoToResolveUnattended.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time"	GoTo.Resolve.DeviceData.App.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time"	GoTo.Resolve.DeviceData.App.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time"	GoTo.Resolve.DeviceData.App.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time"	GoTo.Resolve.DeviceData.App.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time"	GoTo.Resolve.DeviceData.App.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates	GoToResolveUnattended.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time"	GoTo.Resolve.DeviceData.App.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	GoToResolveUnattended.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher	GoToResolveUnattended.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time"	GoTo.Resolve.DeviceData.App.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time"	GoTo.Resolve.DeviceData.App.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	GoTo.Resolve.DeviceData.App.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	GoTo.Resolve.DeviceData.App.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	GoToResolveUnattended.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)"	GoTo.Resolve.DeviceData.App.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time"	GoTo.Resolve.DeviceData.App.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time"	GoTo.Resolve.DeviceData.App.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	GoTo.Resolve.DeviceData.App.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time"	GoTo.Resolve.DeviceData.App.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2872 = "Magallanes Standard Time"	GoTo.Resolve.DeviceData.App.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time"	GoTo.Resolve.DeviceData.App.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	GoToResolveUnattended.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time"	GoTo.Resolve.DeviceData.App.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time"	GoTo.Resolve.DeviceData.App.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time"	GoTo.Resolve.DeviceData.App.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates	GoToResolveUnattended.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time"	GoTo.Resolve.DeviceData.App.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time"	GoTo.Resolve.DeviceData.App.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time"	GoTo.Resolve.DeviceData.App.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	GoToResolveUnattended.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C\Blob = 0300000001000000140000007b0f360b775f76c94a12ca48445aa2d2a875701c1400000001000000140000006837e0ebb63bf85f1186fbfe617b088865f44e42040000000100000010000000d91299e84355cd8d5a86795a0118b6e90f000000010000003000000065b1d4076a89ae273f57e6eeedecb3eae129b4168f76fa7671914cdf461d542255c59d9b85b916ae0ca6fc0fcf7a8e64190000000100000010000000a344f71a7a52a76ee49b74b1d8816b155c000000010000000400000000100000180000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000b4060000308206b030820498a003020102021008ad40b260d29c4c9f5ecda9bd93aed9300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3231303432393030303030305a170d3336303432383233353935395a3069310b300906035504061302555331173015060355040a130e44696769436572742c20496e632e3141303f060355040313384469676943657274205472757374656420473420436f6465205369676e696e6720525341343039362053484133383420323032312043413130820222300d06092a864886f70d01010105000382020f003082020a0282020100d5b42f42d028ad78b75dd539591bb18842f5338ceb3d819770c5bbc48526309fa48e68d85cf5eb342407e14b4fd37843f417d71edaf9d2d5671a524f0ea157fc8899c191cc81033e4d702464b38de2087d347d4c8057126b439a99f2c53b1ff2efcb475a13a64cb3012025f310d38bb2fb08f08ae09d09c065a7fa98804935873d5119e8902178452ea19f2ce118c21accc5ee93497042328ffbc6ea1cf3656891a24d4c8211485268de10bd14575de8181365c57fb24f852c48a4568435d6f92e9caa0015d137fe1a0694c27cc8ea1b32e6cac2f4a7a3030e74a5af39b6ab6012e3e8d6b9f731e1dcade418a0d8c1234747b3a10f6ea3ab6d9806831bb76a672dd2bd441a9210818fb03b09d7c79b325ac2ff6a60548b49c193ede1b45ce06feb26f98cd5b2f93810e6eace91f5bed3fb6f9361345cbc93452883362a66285fb073ce8b262506b283d45cf615194ced62e05e33f2e8e8ec0aa7b0032b91b23679bef7ad081e75a665ccbbe34850f377911afedb50a246c8615898f57c02163c8328ad3986ecd4b70d53d0f847e675308dec30937614a65b4b5d74614d3f129176debf58cb72102941f0d5c56d267668114113589adc262b01f4894d59db78cf814a3e40475fc98150738510232159608a6454c1cc211ae838197c661ccd78384530994fff634f4cbbaa0d0853417c583d47b3fab6ec8c320902cc6c3c0c56110203010001a38201593082015530120603551d130101ff040830060101ff020100301d0603551d0e041604146837e0ebb63bf85f1186fbfe617b088865f44e42301f0603551d23041830168014ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300e0603551d0f0101ff04040302018630130603551d25040c300a06082b06010505070303307706082b06010505070101046b3069302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304106082b060105050730028635687474703a2f2f636163657274732e64696769636572742e636f6d2f446967694365727454727573746564526f6f7447342e63727430430603551d1f043c303a3038a036a0348632687474703a2f2f63726c332e64696769636572742e636f6d2f446967694365727454727573746564526f6f7447342e63726c301c0603551d20041530133007060567810c01033008060667810c010401300d06092a864886f70d01010c050003820201003a23443d8d0876ee8fbc3a99d356e0021aa5f84834f32cb6e67466f79472b100caaf6c302713129e90449f4bfd9ea37c26d537bc3a5d486d95d53f49f427bb16814550fd9cbdb685e0767e3771cb22f75aaa90cff5936ae3eb20d1d55079889a8a8ac1b6bda148187edcd8801a111918cd61998156f6c9e376e7c4e41b5f43f83e94ff76393d9ed499cf4add28eb5f26a1955848d51afed7273ffd90d17686dd1cb0605cf30da8eee089a1bd39e1384eda6ebb369dfbe521535ac3cae96af1a23edb43b833c84f38149299f5ddce546dd95d02141f40337c03e295b2c221757352cb46d8c4341ca2a54b8dcd6f76372c853f1ace26e918be9007b0437f9588208270f0cccaeffd29355c1f893855f7378a8b09a1cb0be9311aff2e195c3971e1be9ca70a06d62667b792e64e5fde7aac49cf2ea47492addb3ca49c861fe3c1561b2b23ff8fb5ea887b706be6a0bafd3a3f45a6c4e81691528b41c048844b964dab4440e38df01528ceedf11856072a2f10c40c08643c338fae288c3ccb8f880b0dbf3bf4ce1e7b8eefb5ebcbb7f07713e6e7283fac12aea52f226c41f9825c1566cc6c0ecac586c3f626330c074ba0d307026a6a4030484b34a85120bbad1b8508e2590d6dca05502bea4a1c9ea5fda0a71f0674e7f2d65290fdaf854821f9573bb49c03ed8645f4b4616ebf68e2266086eac8afa9fe941de7631b3a8656784e	GoToResolveUnattended.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	GoTo.Resolve.DeviceData.App.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time"	GoTo.Resolve.DeviceData.App.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time"	GoTo.Resolve.DeviceData.App.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe

Modifies registry class 5 IoCs

Processes:

GoToResolveUnattended.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5de81d42-ce2b-4a7e-b1b7-1312fa11c82b}	GoToResolveUnattended.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5de81d42-ce2b-4a7e-b1b7-1312fa11c82b}\ = "RescueAssistCredProv"	GoToResolveUnattended.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5de81d42-ce2b-4a7e-b1b7-1312fa11c82b}\InprocServer32	GoToResolveUnattended.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5de81d42-ce2b-4a7e-b1b7-1312fa11c82b}\InprocServer32\ = "GoToResolveUnlock64.dll"	GoToResolveUnattended.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5de81d42-ce2b-4a7e-b1b7-1312fa11c82b}\InprocServer32\ThreadingModel = "Apartment"	GoToResolveUnattended.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

GoToResolveUnattended.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\MY\Certificates\4265DB37ADDDA86C019C0B298CB5955548D845BC\Blob = 0300000001000000140000004265db37addda86c019c0b298cb5955548d845bc0b000000010000007000000047006f0054006f005200650073006f006c007600650055006e0061007400740065006e0064006500640043006f006e006e0065006300740069006f006e0043006500720074005f00310039003300370039003100380032003700300033003200320037003300370035003700320000000200000001000000ec0000001c0000008c000000010000000000000000000000000000000100000047006f0054006f005200650073006f006c007600650055006e0061007400740065006e0064006500640043006f006e006e0065006300740069006f006e0043006500720074005f00310039003300370039003100380032003700300033003200320037003300370035003700320000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e0030000000000020000000010000005e0300003082035a30820242a003020102021500c5ae9f3eecf869dc316e230d224d08d3a14aa833300d06092a864886f70d01010b0500304d314b3049060355040b0c42416d617a6f6e20576562205365727669636573204f3d416d617a6f6e2e636f6d20496e632e204c3d53656174746c652053543d57617368696e67746f6e20433d5553301e170d3234303531363135353734375a170d3439313233313233353935395a301e311c301a06035504030c1341575320496f5420436572746966696361746530820122300d06092a864886f70d01010105000382010f003082010a0282010100b5da2f7d1c8a6c8a21461b71a61e69a608eea778c21f5b08ecb3c9dacf7ee9c670b9057140046caef7d32e308a708c432f504d7bc4083b3454e4031ac7d7739a9626e2c6ebbd486ae65da9ff0213c90609b310c5a255ad59813baffff8442caae2c355a254f4ac594124e235a54884b232192f62528e91fcdac714ec91ae7d8d142188d377106ef4b61b46e31902022e90430407bee479d514b55050b685b7c13f428bf7d9ae11b890322fb566430513a37326fb3c31a961f3852546f03934a62ba81774747ddf7a868ac8b9a48f95cd4160280f57dc4002a62b8454ccb83333f7e5c84b91d3818dad0e766f0cd1bafcba51a457d9099b17ffa2fb9d700f83bb0203010001a360305e301f0603551d23041830168014eb382baef37a5267e39e53e240564fc28f5aa71b301d0603551d0e04160414d8476e458bed34c156326f937b6f60897844fb3c300c0603551d130101ff04023000300e0603551d0f0101ff040403020780300d06092a864886f70d01010b05000382010100c512dc926758aafd1d3b483ac1c50d64ca8e37e1642e19088c45b386aef9c2ed9f15ee424d8445e95b9f51289fcf32c99fa64890055c8b0578920dcaa31813e5e13c970af8354a423a17384fd24702887d5cf429ef0ab155826da83b2259cbb9c64ad5316b584c0471c85d928d63dee8fb4977249e0e4a0c1a89e49f2e3fd5a329c86af2f02303d3af35ddcd96d16199f436ce56640f214bc8194b416ef4f5b4ace425e69b431982d5beecbf53f566edfc475b1e07281818383455778505ee5ec1d1637ee16ff52f300524793b5867726afdc52627e8b0ac10abc9c4d94cdb844b17e69f69dd3c993436a46f6fe8cfa60c6d4ea229b8c4ef099b862d785dc8c1	GoToResolveUnattended.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\MY\Certificates\4265DB37ADDDA86C019C0B298CB5955548D845BC\Blob = 140000000100000014000000d8476e458bed34c156326f937b6f60897844fb3c0200000001000000ec0000001c0000008c000000010000000000000000000000000000000100000047006f0054006f005200650073006f006c007600650055006e0061007400740065006e0064006500640043006f006e006e0065006300740069006f006e0043006500720074005f00310039003300370039003100380032003700300033003200320037003300370035003700320000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e003000000000000b000000010000007000000047006f0054006f005200650073006f006c007600650055006e0061007400740065006e0064006500640043006f006e006e0065006300740069006f006e0043006500720074005f00310039003300370039003100380032003700300033003200320037003300370035003700320000000300000001000000140000004265db37addda86c019c0b298cb5955548d845bc20000000010000005e0300003082035a30820242a003020102021500c5ae9f3eecf869dc316e230d224d08d3a14aa833300d06092a864886f70d01010b0500304d314b3049060355040b0c42416d617a6f6e20576562205365727669636573204f3d416d617a6f6e2e636f6d20496e632e204c3d53656174746c652053543d57617368696e67746f6e20433d5553301e170d3234303531363135353734375a170d3439313233313233353935395a301e311c301a06035504030c1341575320496f5420436572746966696361746530820122300d06092a864886f70d01010105000382010f003082010a0282010100b5da2f7d1c8a6c8a21461b71a61e69a608eea778c21f5b08ecb3c9dacf7ee9c670b9057140046caef7d32e308a708c432f504d7bc4083b3454e4031ac7d7739a9626e2c6ebbd486ae65da9ff0213c90609b310c5a255ad59813baffff8442caae2c355a254f4ac594124e235a54884b232192f62528e91fcdac714ec91ae7d8d142188d377106ef4b61b46e31902022e90430407bee479d514b55050b685b7c13f428bf7d9ae11b890322fb566430513a37326fb3c31a961f3852546f03934a62ba81774747ddf7a868ac8b9a48f95cd4160280f57dc4002a62b8454ccb83333f7e5c84b91d3818dad0e766f0cd1bafcba51a457d9099b17ffa2fb9d700f83bb0203010001a360305e301f0603551d23041830168014eb382baef37a5267e39e53e240564fc28f5aa71b301d0603551d0e04160414d8476e458bed34c156326f937b6f60897844fb3c300c0603551d130101ff04023000300e0603551d0f0101ff040403020780300d06092a864886f70d01010b05000382010100c512dc926758aafd1d3b483ac1c50d64ca8e37e1642e19088c45b386aef9c2ed9f15ee424d8445e95b9f51289fcf32c99fa64890055c8b0578920dcaa31813e5e13c970af8354a423a17384fd24702887d5cf429ef0ab155826da83b2259cbb9c64ad5316b584c0471c85d928d63dee8fb4977249e0e4a0c1a89e49f2e3fd5a329c86af2f02303d3af35ddcd96d16199f436ce56640f214bc8194b416ef4f5b4ace425e69b431982d5beecbf53f566edfc475b1e07281818383455778505ee5ec1d1637ee16ff52f300524793b5867726afdc52627e8b0ac10abc9c4d94cdb844b17e69f69dd3c993436a46f6fe8cfa60c6d4ea229b8c4ef099b862d785dc8c1	GoToResolveUnattended.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\MY\Certificates\4265DB37ADDDA86C019C0B298CB5955548D845BC	GoToResolveUnattended.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

GoToResolveProcessChecker.exeGoToResolveUnattended.exeGoToResolveQuickView.exe

pid	process
2576	GoToResolveProcessChecker.exe
2576	GoToResolveProcessChecker.exe
2576	GoToResolveProcessChecker.exe
2576	GoToResolveProcessChecker.exe
2576	GoToResolveProcessChecker.exe
2576	GoToResolveProcessChecker.exe
552	GoToResolveUnattended.exe
552	GoToResolveUnattended.exe
552	GoToResolveUnattended.exe
552	GoToResolveUnattended.exe
552	GoToResolveUnattended.exe
552	GoToResolveUnattended.exe
552	GoToResolveUnattended.exe
552	GoToResolveUnattended.exe
552	GoToResolveUnattended.exe
552	GoToResolveUnattended.exe
552	GoToResolveUnattended.exe
552	GoToResolveUnattended.exe
552	GoToResolveUnattended.exe
552	GoToResolveUnattended.exe
552	GoToResolveUnattended.exe
552	GoToResolveUnattended.exe
552	GoToResolveUnattended.exe
552	GoToResolveUnattended.exe
552	GoToResolveUnattended.exe
552	GoToResolveUnattended.exe
552	GoToResolveUnattended.exe
552	GoToResolveUnattended.exe
552	GoToResolveUnattended.exe
552	GoToResolveUnattended.exe
2576	GoToResolveProcessChecker.exe
2576	GoToResolveProcessChecker.exe
4420	GoToResolveQuickView.exe
4420	GoToResolveQuickView.exe
4420	GoToResolveQuickView.exe
4420	GoToResolveQuickView.exe
4420	GoToResolveQuickView.exe
4420	GoToResolveQuickView.exe
4420	GoToResolveQuickView.exe
4420	GoToResolveQuickView.exe
2576	GoToResolveProcessChecker.exe
2576	GoToResolveProcessChecker.exe
552	GoToResolveUnattended.exe
552	GoToResolveUnattended.exe
552	GoToResolveUnattended.exe
552	GoToResolveUnattended.exe
552	GoToResolveUnattended.exe
552	GoToResolveUnattended.exe
552	GoToResolveUnattended.exe
552	GoToResolveUnattended.exe
2576	GoToResolveProcessChecker.exe
2576	GoToResolveProcessChecker.exe
2576	GoToResolveProcessChecker.exe
2576	GoToResolveProcessChecker.exe
2576	GoToResolveProcessChecker.exe
2576	GoToResolveProcessChecker.exe
2576	GoToResolveProcessChecker.exe
2576	GoToResolveProcessChecker.exe
552	GoToResolveUnattended.exe
552	GoToResolveUnattended.exe
552	GoToResolveUnattended.exe
552	GoToResolveUnattended.exe
552	GoToResolveUnattended.exe
552	GoToResolveUnattended.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

Processes:

GoToResolveUnattended.exesvchost.exeGoToResolveProcessChecker.exeGoToResolveProcessChecker.exeGoToResolveUnattended.exeGoToResolveFileManager.exeGoToResolveQuickView.exeGoToResolveTerminal.exeGoTo.Resolve.DeviceData.App.exeGoTo.Resolve.Alerts.Monitor.App.exeGoTo.Resolve.PatchManagement.Client.exeRemoteExecution.Runner.exeGoTo.Resolve.Alerts.Monitor.App.exeGoTo.Resolve.Antivirus.App.exeGoTo.Resolve.Antivirus.App.exeGoTo.Resolve.Alerts.Monitor.App.exe

description	pid	process
Token: SeShutdownPrivilege	1512	GoToResolveUnattended.exe
Token: SeCreatePagefilePrivilege	1512	GoToResolveUnattended.exe
Token: SeAuditPrivilege	3184	svchost.exe
Token: SeSecurityPrivilege	3184	svchost.exe
Token: SeShutdownPrivilege	4312	GoToResolveProcessChecker.exe
Token: SeCreatePagefilePrivilege	4312	GoToResolveProcessChecker.exe
Token: SeShutdownPrivilege	2576	GoToResolveProcessChecker.exe
Token: SeCreatePagefilePrivilege	2576	GoToResolveProcessChecker.exe
Token: SeShutdownPrivilege	2576	GoToResolveProcessChecker.exe
Token: SeCreatePagefilePrivilege	2576	GoToResolveProcessChecker.exe
Token: SeShutdownPrivilege	552	GoToResolveUnattended.exe
Token: SeCreatePagefilePrivilege	552	GoToResolveUnattended.exe
Token: SeShutdownPrivilege	1008	GoToResolveFileManager.exe
Token: SeCreatePagefilePrivilege	1008	GoToResolveFileManager.exe
Token: SeShutdownPrivilege	4420	GoToResolveQuickView.exe
Token: SeCreatePagefilePrivilege	4420	GoToResolveQuickView.exe
Token: SeShutdownPrivilege	3940	GoToResolveTerminal.exe
Token: SeCreatePagefilePrivilege	3940	GoToResolveTerminal.exe
Token: SeDebugPrivilege	5644	GoTo.Resolve.DeviceData.App.exe
Token: SeDebugPrivilege	6080	GoTo.Resolve.Alerts.Monitor.App.exe
Token: SeDebugPrivilege	6116	GoTo.Resolve.PatchManagement.Client.exe
Token: SeDebugPrivilege	6020	RemoteExecution.Runner.exe
Token: SeDebugPrivilege	5256	GoTo.Resolve.Alerts.Monitor.App.exe
Token: SeDebugPrivilege	5500	GoTo.Resolve.Antivirus.App.exe
Token: SeDebugPrivilege	4288	GoTo.Resolve.Antivirus.App.exe
Token: SeDebugPrivilege	3864	GoTo.Resolve.Alerts.Monitor.App.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3858_invoice.execmd.exeGoToResolveUnattended.exesvchost.exeGoToResolveProcessChecker.exeGoToResolveUnattended.exeGoToResolveLoggerProcess.exeGoToResolveFileManager.exeGoToResolveTerminal.exeGoTo.Resolve.PatchManagement.Client.exe

description	pid	process	target process
PID 2036 wrote to memory of 1512	2036	3858_invoice.exe	GoToResolveUnattended.exe
PID 2036 wrote to memory of 1512	2036	3858_invoice.exe	GoToResolveUnattended.exe
PID 2036 wrote to memory of 1512	2036	3858_invoice.exe	GoToResolveUnattended.exe
PID 2036 wrote to memory of 3164	2036	3858_invoice.exe	GoToResolveTools64.exe
PID 2036 wrote to memory of 3164	2036	3858_invoice.exe	GoToResolveTools64.exe
PID 2036 wrote to memory of 3280	2036	3858_invoice.exe	cmd.exe
PID 2036 wrote to memory of 3280	2036	3858_invoice.exe	cmd.exe
PID 2036 wrote to memory of 3280	2036	3858_invoice.exe	cmd.exe
PID 3280 wrote to memory of 1124	3280	cmd.exe	timeout.exe
PID 3280 wrote to memory of 1124	3280	cmd.exe	timeout.exe
PID 3280 wrote to memory of 1124	3280	cmd.exe	timeout.exe
PID 1512 wrote to memory of 4312	1512	GoToResolveUnattended.exe	GoToResolveProcessChecker.exe
PID 1512 wrote to memory of 4312	1512	GoToResolveUnattended.exe	GoToResolveProcessChecker.exe
PID 1512 wrote to memory of 4312	1512	GoToResolveUnattended.exe	GoToResolveProcessChecker.exe
PID 3184 wrote to memory of 4304	3184	svchost.exe	DrvInst.exe
PID 3184 wrote to memory of 4304	3184	svchost.exe	DrvInst.exe
PID 2576 wrote to memory of 552	2576	GoToResolveProcessChecker.exe	GoToResolveUnattended.exe
PID 2576 wrote to memory of 552	2576	GoToResolveProcessChecker.exe	GoToResolveUnattended.exe
PID 2576 wrote to memory of 552	2576	GoToResolveProcessChecker.exe	GoToResolveUnattended.exe
PID 552 wrote to memory of 5072	552	GoToResolveUnattended.exe	GoToResolveLoggerProcess.exe
PID 552 wrote to memory of 5072	552	GoToResolveUnattended.exe	GoToResolveLoggerProcess.exe
PID 552 wrote to memory of 5072	552	GoToResolveUnattended.exe	GoToResolveLoggerProcess.exe
PID 552 wrote to memory of 3488	552	GoToResolveUnattended.exe	GoToResolveCrashHandler.exe
PID 552 wrote to memory of 3488	552	GoToResolveUnattended.exe	GoToResolveCrashHandler.exe
PID 552 wrote to memory of 3488	552	GoToResolveUnattended.exe	GoToResolveCrashHandler.exe
PID 5072 wrote to memory of 3500	5072	GoToResolveLoggerProcess.exe	GoToResolveCrashHandler.exe
PID 5072 wrote to memory of 3500	5072	GoToResolveLoggerProcess.exe	GoToResolveCrashHandler.exe
PID 5072 wrote to memory of 3500	5072	GoToResolveLoggerProcess.exe	GoToResolveCrashHandler.exe
PID 552 wrote to memory of 1008	552	GoToResolveUnattended.exe	GoToResolveFileManager.exe
PID 552 wrote to memory of 1008	552	GoToResolveUnattended.exe	GoToResolveFileManager.exe
PID 552 wrote to memory of 1008	552	GoToResolveUnattended.exe	GoToResolveFileManager.exe
PID 552 wrote to memory of 4420	552	GoToResolveUnattended.exe	GoToResolveQuickView.exe
PID 552 wrote to memory of 4420	552	GoToResolveUnattended.exe	GoToResolveQuickView.exe
PID 552 wrote to memory of 4420	552	GoToResolveUnattended.exe	GoToResolveQuickView.exe
PID 552 wrote to memory of 3940	552	GoToResolveUnattended.exe	GoToResolveTerminal.exe
PID 552 wrote to memory of 3940	552	GoToResolveUnattended.exe	GoToResolveTerminal.exe
PID 552 wrote to memory of 3940	552	GoToResolveUnattended.exe	GoToResolveTerminal.exe
PID 1008 wrote to memory of 2764	1008	GoToResolveFileManager.exe	GoToResolveCrashHandler.exe
PID 1008 wrote to memory of 2764	1008	GoToResolveFileManager.exe	GoToResolveCrashHandler.exe
PID 1008 wrote to memory of 2764	1008	GoToResolveFileManager.exe	GoToResolveCrashHandler.exe
PID 3940 wrote to memory of 1500	3940	GoToResolveTerminal.exe	GoToResolveCrashHandler.exe
PID 3940 wrote to memory of 1500	3940	GoToResolveTerminal.exe	GoToResolveCrashHandler.exe
PID 3940 wrote to memory of 1500	3940	GoToResolveTerminal.exe	GoToResolveCrashHandler.exe
PID 3280 wrote to memory of 4028	3280	cmd.exe	timeout.exe
PID 3280 wrote to memory of 4028	3280	cmd.exe	timeout.exe
PID 3280 wrote to memory of 4028	3280	cmd.exe	timeout.exe
PID 3280 wrote to memory of 2088	3280	cmd.exe	timeout.exe
PID 3280 wrote to memory of 2088	3280	cmd.exe	timeout.exe
PID 3280 wrote to memory of 2088	3280	cmd.exe	timeout.exe
PID 552 wrote to memory of 5644	552	GoToResolveUnattended.exe	GoTo.Resolve.DeviceData.App.exe
PID 552 wrote to memory of 5644	552	GoToResolveUnattended.exe	GoTo.Resolve.DeviceData.App.exe
PID 552 wrote to memory of 6080	552	GoToResolveUnattended.exe	GoTo.Resolve.Alerts.Monitor.App.exe
PID 552 wrote to memory of 6080	552	GoToResolveUnattended.exe	GoTo.Resolve.Alerts.Monitor.App.exe
PID 552 wrote to memory of 6116	552	GoToResolveUnattended.exe	GoTo.Resolve.PatchManagement.Client.exe
PID 552 wrote to memory of 6116	552	GoToResolveUnattended.exe	GoTo.Resolve.PatchManagement.Client.exe
PID 552 wrote to memory of 6020	552	GoToResolveUnattended.exe	RemoteExecution.Runner.exe
PID 552 wrote to memory of 6020	552	GoToResolveUnattended.exe	RemoteExecution.Runner.exe
PID 6116 wrote to memory of 776	6116	GoTo.Resolve.PatchManagement.Client.exe	where.exe
PID 6116 wrote to memory of 776	6116	GoTo.Resolve.PatchManagement.Client.exe	where.exe
PID 552 wrote to memory of 5256	552	GoToResolveUnattended.exe	GoTo.Resolve.Alerts.Monitor.App.exe
PID 552 wrote to memory of 5256	552	GoToResolveUnattended.exe	GoTo.Resolve.Alerts.Monitor.App.exe
PID 6116 wrote to memory of 5348	6116	GoTo.Resolve.PatchManagement.Client.exe	where.exe
PID 6116 wrote to memory of 5348	6116	GoTo.Resolve.PatchManagement.Client.exe	where.exe
PID 552 wrote to memory of 5500	552	GoToResolveUnattended.exe	GoTo.Resolve.Antivirus.App.exe

C:\Users\Admin\AppData\Local\Temp\3858_invoice.exe
"C:\Users\Admin\AppData\Local\Temp\3858_invoice.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\GoToResolveUnattended.exe
  "C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\GoToResolveUnattended.exe" -regsvc
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks system information in the registry
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1512
- - C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\GoToResolveProcessChecker.exe
    "C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\GoToResolveProcessChecker.exe" -regsvc -expectadmin -starterpid 1512 -WorkFolder "C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572" -ApplicationType 4
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:4312
- C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\GoToResolveTools64.exe
  "C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\GoToResolveTools64.exe" -InstallVDD
  2⤵
  - Executes dropped EXE
  - Checks system information in the registry
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  PID:3164
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /S /C ""C:\Users\Admin\AppData\Local\Temp\3858_invoice.exe.cmd" "C:\Users\Admin\AppData\Local\Temp\3858_invoice.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3280
- - C:\Windows\SysWOW64\timeout.exe
    timeout /T 3
    3⤵
    - Delays execution with timeout.exe
    PID:1124
- - C:\Windows\SysWOW64\timeout.exe
    timeout /T 3
    3⤵
    - Delays execution with timeout.exe
    PID:4028
- - C:\Windows\SysWOW64\timeout.exe
    timeout /T 3
    3⤵
    - Delays execution with timeout.exe
    PID:2088

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3184
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{bfc2a775-842c-fb43-badb-3670e0543e8e}\g2rvdd.inf" "9" "415529917" "0000000000000148" "WinSta0\Default" "0000000000000158" "208" "C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\x64"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:4304

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3240,i,16488180140590516186,11762960689811837350,262144 --variations-seed-version --mojo-platform-channel-handle=4220 /prefetch:8
1⤵
PID:2328

C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\GoToResolveProcessChecker.exe
"C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\GoToResolveProcessChecker.exe" -Service -WorkFolder "C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572" -ApplicationType "4"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2576
- C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\GoToResolveUnattended.exe
  "C:/Program Files (x86)/GoTo Resolve Unattended/1937918270322737572/GoToResolveUnattended.exe" "-RegisteredProcess" "1" "-ParentProcessId" "2576" "-WtsStartingUsername" "-ServiceName" "GoToResolve_1937918270322737572" "-Service"
  2⤵
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Registers COM server for autorun
  - Checks system information in the registry
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:552
- - C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\GoToResolveLoggerProcess.exe
    GoToResolveLoggerProcess.exe -ParentProcessId 552 -CompanyId 1937918270322737572 -InstallationId 0pMLemIe8f -MonitoringUrl https://dumpster.console.gotoresolve.com -HostId 9cdfa031c1992a13820809d8cd095cb8 -LogLevel 2 -MonitoringApiKey cnl6269ktie1dcpmz8y2ddxhjhhgi0nebxwpr4a3c71lbfwnubk2w7l7c6evabi3 -SessionType Unattended
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:5072
  - - C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\GoToResolveCrashHandler.exe
      "C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\GoToResolveCrashHandler.exe" "--attachment=attachment_GoToResolveLoggerProcess.log=C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\appdata\GoToResolveLoggerProcess.log" "--attachment=attachment_logger.json=C:/Program Files (x86)/GoTo Resolve Unattended/1937918270322737572\logger.json" "--database=C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\appdata\LoggerProcessCrashReportDB" "--metrics-dir=C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\appdata\LoggerProcessCrashReportDB" --url=https://dumpster.console.gotoresolve.com/api/dump --annotation=format=minidump --annotation=hostname=Gylqwjcn --annotation=installationid=0pMLemIe8f --annotation=version=1.15.2.3338 --initial-client-data=0x4d0,0x4d4,0x4d8,0x4a4,0x4dc,0x7451e09c,0x7451e0ac,0x7451e0bc
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      PID:3500
- - C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\GoToResolveCrashHandler.exe
    "C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\GoToResolveCrashHandler.exe" "--attachment=attachment_GoToResolveUnattended.log=C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\appdata\GoToResolveUnattended.log" "--attachment=attachment_unattended.json=C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\unattended.json" "--database=C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\appdata\UnattendedCrashReportDB" "--metrics-dir=C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\appdata\UnattendedCrashReportDB" --url=https://dumpster.console.gotoresolve.com/api/dump --annotation=format=minidump --annotation=hostname=Gylqwjcn --annotation=installationid=0pMLemIe8f --annotation=version=1.15.2.3338 --initial-client-data=0x55c,0x558,0x58c,0x52c,0x588,0x7451e09c,0x7451e0ac,0x7451e0bc
    3⤵
    - Executes dropped EXE
    PID:3488
- - C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\GoToResolveFileManager.exe
    GoToResolveFileManager.exe -CompanyId 1937918270322737572 -InstallationId 0pMLemIe8f -LogLevel 2 -MonitoringUrl https://dumpster.console.gotoresolve.com
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1008
  - - C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\GoToResolveCrashHandler.exe
      "C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\GoToResolveCrashHandler.exe" "--database=C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\appdata\FileManagerCrashReportDB" "--metrics-dir=C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\appdata\FileManagerCrashReportDB" --url=https://dumpster.console.gotoresolve.com/api/dump --annotation=format=minidump --annotation=hostname=Gylqwjcn --annotation=installationid=0pMLemIe8f --annotation=version=1.15.2.3338 --initial-client-data=0x5f0,0x5f4,0x5f8,0x5c4,0x5fc,0x7451e09c,0x7451e0ac,0x7451e0bc
      4⤵
      Executes dropped EXE
      PID:2764
- - C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\GoToResolveQuickView.exe
    GoToResolveQuickView.exe -InstallationId 0pMLemIe8f -LogLevel 2
    3⤵
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks system information in the registry
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4420
- - C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\GoToResolveTerminal.exe
    GoToResolveTerminal.exe -CompanyId 1937918270322737572 -InstallationId 0pMLemIe8f -LogLevel 2 -MonitoringUrl https://dumpster.console.gotoresolve.com
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3940
  - - C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\GoToResolveCrashHandler.exe
      "C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\GoToResolveCrashHandler.exe" "--database=C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\appdata\TerminalCrashReportDB" "--metrics-dir=C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\appdata\TerminalCrashReportDB" --url=https://dumpster.console.gotoresolve.com/api/dump --annotation=format=minidump --annotation=hostname=Gylqwjcn --annotation=installationid=0pMLemIe8f --annotation=version=1.15.2.3338 --initial-client-data=0x5f8,0x5fc,0x600,0x5d4,0x604,0x7451e09c,0x7451e0ac,0x7451e0bc
      4⤵
      Executes dropped EXE
      PID:1500
- - C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\DeviceDataModule\1.71.0\GoTo.Resolve.DeviceData.App.exe
    "C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\DeviceDataModule\1.71.0\GoTo.Resolve.DeviceData.App.exe" --Credentials:CompanyId 1937918270322737572 --Credentials:HostId syn-prd-ava-unattended-c0ccaa6c-8077-4af5-b0c4-59fb1daf18db --Communication:IpcFolderPath "C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\DeviceDataModule\IPC" --Authentication:TokenFilePath "C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\token.txt" --ZeroTrust:ReferencePublicKeyHash 79297ed57ba94f2dde0d121e431d4ed4d8f143a35e3f89ed9b9c2fc1c3015ae8 --Native:Version 1.15.2.3338
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
    PID:5644
- - C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\AlertsModule\1.2024.0430.2\GoTo.Resolve.Alerts.Monitor.App.exe
    "C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\AlertsModule\1.2024.0430.2\GoTo.Resolve.Alerts.Monitor.App.exe" --Credentials:CompanyId 1937918270322737572 --Credentials:HostId syn-prd-ava-unattended-c0ccaa6c-8077-4af5-b0c4-59fb1daf18db --Communication:IpcFolderPath "C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\AlertsModule\IPC" --Authentication:TokenFilePath "C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\token.txt" --ZeroTrust:ReferencePublicKeyHash 79297ed57ba94f2dde0d121e431d4ed4d8f143a35e3f89ed9b9c2fc1c3015ae8 --Native:Version 1.15.2.3338
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    PID:6080
- - C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\PatchManagementModule\1.2024.0507.5\GoTo.Resolve.PatchManagement.Client.exe
    "C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\PatchManagementModule\1.2024.0507.5\GoTo.Resolve.PatchManagement.Client.exe" --Credentials:CompanyId 1937918270322737572 --Credentials:HostId syn-prd-ava-unattended-c0ccaa6c-8077-4af5-b0c4-59fb1daf18db --Communication:IpcFolderPath "C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\PatchManagementModule\IPC" --Authentication:TokenFilePath "C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\token.txt" --ZeroTrust:ReferencePublicKeyHash 79297ed57ba94f2dde0d121e431d4ed4d8f143a35e3f89ed9b9c2fc1c3015ae8 --Native:Version 1.15.2.3338
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:6116
  - - C:\Windows\SYSTEM32\where.exe
      "where" -r "C:\Program Files\WindowsApps" Winget.exe
      4⤵
      PID:776
  - - C:\Windows\SYSTEM32\where.exe
      "where" -r "C:\Program Files\WindowsApps" AppInstallerCLI.exe
      4⤵
      PID:5348
- - C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\RemoteExecutionModule\1.2024.0506.1\RemoteExecution.Runner.exe
    "C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\RemoteExecutionModule\1.2024.0506.1\RemoteExecution.Runner.exe" --Credentials:CompanyId 1937918270322737572 --Credentials:HostId syn-prd-ava-unattended-c0ccaa6c-8077-4af5-b0c4-59fb1daf18db --Communication:IpcFolderPath "C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\RemoteExecutionModule\IPC" --Authentication:TokenFilePath "C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\token.txt" --ZeroTrust:ReferencePublicKeyHash 79297ed57ba94f2dde0d121e431d4ed4d8f143a35e3f89ed9b9c2fc1c3015ae8 --Native:Version 1.15.2.3338
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
    PID:6020
- - C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\AlertsModule\1.2024.0430.2\GoTo.Resolve.Alerts.Monitor.App.exe
    "C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\AlertsModule\1.2024.0430.2\GoTo.Resolve.Alerts.Monitor.App.exe" --Credentials:CompanyId 1937918270322737572 --Credentials:HostId syn-prd-ava-unattended-c0ccaa6c-8077-4af5-b0c4-59fb1daf18db --Communication:IpcFolderPath "C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\AlertsModule\IPC" --Authentication:TokenFilePath "C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\token.txt" --ZeroTrust:ReferencePublicKeyHash 79297ed57ba94f2dde0d121e431d4ed4d8f143a35e3f89ed9b9c2fc1c3015ae8 --Native:Version 1.15.2.3338
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    PID:5256
- - C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\AntivirusModule\1.2024.0411.2\GoTo.Resolve.Antivirus.App.exe
    "C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\AntivirusModule\1.2024.0411.2\GoTo.Resolve.Antivirus.App.exe" --Credentials:CompanyId 1937918270322737572 --Credentials:HostId syn-prd-ava-unattended-c0ccaa6c-8077-4af5-b0c4-59fb1daf18db --Communication:IpcFolderPath "C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\AntivirusModule\IPC" --Authentication:TokenFilePath "C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\token.txt" --ZeroTrust:ReferencePublicKeyHash 79297ed57ba94f2dde0d121e431d4ed4d8f143a35e3f89ed9b9c2fc1c3015ae8 --Native:Version 1.15.2.3338
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    PID:5500
- - C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\AntivirusModule\1.2024.0411.2\GoTo.Resolve.Antivirus.App.exe
    "C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\AntivirusModule\1.2024.0411.2\GoTo.Resolve.Antivirus.App.exe" --Credentials:CompanyId 1937918270322737572 --Credentials:HostId syn-prd-ava-unattended-c0ccaa6c-8077-4af5-b0c4-59fb1daf18db --Communication:IpcFolderPath "C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\AntivirusModule\IPC" --Authentication:TokenFilePath "C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\token.txt" --ZeroTrust:ReferencePublicKeyHash 79297ed57ba94f2dde0d121e431d4ed4d8f143a35e3f89ed9b9c2fc1c3015ae8 --Native:Version 1.15.2.3338
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    PID:4288
- - C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\AlertsModule\1.2024.0430.2\GoTo.Resolve.Alerts.Monitor.App.exe
    "C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\AlertsModule\1.2024.0430.2\GoTo.Resolve.Alerts.Monitor.App.exe" --Credentials:CompanyId 1937918270322737572 --Credentials:HostId syn-prd-ava-unattended-c0ccaa6c-8077-4af5-b0c4-59fb1daf18db --Communication:IpcFolderPath "C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\AlertsModule\IPC" --Authentication:TokenFilePath "C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\token.txt" --ZeroTrust:ReferencePublicKeyHash 79297ed57ba94f2dde0d121e431d4ed4d8f143a35e3f89ed9b9c2fc1c3015ae8 --Native:Version 1.15.2.3338
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    PID:3864

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start GoToResolve_1937918270322737572
1⤵
- Launches sc.exe
PID:5216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\GOTORE~1\193791~1\x64\g2rvdd.cat

Filesize
10KB

MD5
8d2c58325f63af51d37693e7ffbdbc4d

SHA1
ea0507cdf4528faa174eb5883eb20b90363ed512

SHA256
6fe045e8a6ff18e27c6aceeeb7dbea3e5f3f25c3796d42f0d844b1b48f38c0be

SHA512
71ee9b93d70ace69344d9aeb582ab8110eeb5364cd0d593ecd95b2d57000114aac18f2496c160d2b761b0117c5e26d261d757b424fa6e57b91b98b75ac72dd62

Download Submit
C:\PROGRA~2\GOTORE~1\193791~1\x64\g2rvdd.dll

Filesize
141KB

MD5
e00f914a13981678cc130f7c65807f03

SHA1
0a00739f6f2b1c57946fc09f084deb5bd3d9e342

SHA256
484300ed3462124e23f42433678f8110aaebeec2da6b82e97fcd10ba2e60a0b8

SHA512
ec278c9d1dc3c066a2a1abd16a4d0f92142941916e0259d0787b7b3146979fba99e273bbbb2fc01fbab79f273d15892434e2685bc2badf4bbb48928d7e89f53c

Download Submit
C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\FileManager.dll

Filesize
16.1MB

MD5
d3fa69a91fe17f9c4523d8fad2992f78

SHA1
d2a353b94ba3d718a489af7fe72cc858b74fe87e

SHA256
94df392a600acb29ff711f164073c1c80bbcf270dcc5a4cd8cba8e762b1ae40f

SHA512
cf2b0898bbf783e49112c61a7373c896856c5e5777d229b791804b29ab288f7613c5a67f4ebf38389d9b9c2100b88e93489a8d8aae68b090d9c7d6283d647e86

Download Submit
C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\GoToResolveCrashHandler.exe

Filesize
1.1MB

MD5
c6e96dd2f500e4b3cedf7e627015e032

SHA1
35ea9753ca13c92971eff137c1cee613c0e93cab

SHA256
2b4556e9c709e1da52cab89aa754fab86c7bb5265e63850dc133dc4ca387fc70

SHA512
06e557d87fed5a1ff9d5d6a520429f6dc6d97e3f2952524ce30af5c25b017d39c15ce189092d0a9234c827510a07020cd31b9d172d60a8fdae6ad3f430b6339d

Download Submit
C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\GoToResolveFileManager.exe

Filesize
109KB

MD5
62912afba6014da200e40c49f685f084

SHA1
38e4bd808305bf4b41c10da91daea49587743e32

SHA256
b2fc90c66d76aa33da449039e6ea5f66b43880b3ef86e7ae263e1e113f7c3296

SHA512
351938c08a92b663727ffb3b2f4a3377104013b3680f7ccd60394463c3b8992ea0e6115ebe847e0cfd9dba942c219af51de334204b2afdcc663a15901a81603f

Download Submit
C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\GoToResolveLoggerProcess.exe

Filesize
109KB

MD5
d319e53da0d6ea80140611a19dd6c468

SHA1
e47768dbad5bc1bf81bd9f135c9d7a4f62de4573

SHA256
dc21f66e9dd2ca56504c3dcc02862117f2da94f212b289d3b09349bc59f57a25

SHA512
092617eb831cde6da475a759f9962c94ca70b78905f892a3a798a21cfe8d1e8e50d72dd0d2cdc89949a5f81e6a5d85b1597712112934a3ffab271b750089e32b

Download Submit
C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\GoToResolveProcessChecker.exe

Filesize
107KB

MD5
5145ef194fdd47be876847e9b9534cdc

SHA1
34711371a01494b7432528821c75bd5fcfe851a4

SHA256
34e6f7d1fd0aa8b20cb8cac184b8ecd90c157ccc62e38568699efa10c411c7ea

SHA512
7e5fdaea1bb2501bc52801c11f36bbd6d165282eb920cddaba59a5c5999be57032a5e9f2b5196f54b300c51ae99381e7e1c831fa73422e0065174385a3ef6757

Download Submit
C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\GoToResolveTools64.exe

Filesize
1.3MB

MD5
c3d3d6a881753584b29d60f4c5b6a965

SHA1
0952c70ea06b932a6c20cf8af10d3aa281880b7c

SHA256
f36b1c32a5fa8969422d99042287685634bb8d85c9643100032e9df5744dd39e

SHA512
5d1ebc3603690d1534d0624ffb73f947d1afe48f407540e07810df89ab737b47a1728a1829f9207be26bf03c2da3e7097ab8aedf31b212fc25ffe2ed632edcbf

Download Submit
C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\GoToResolveUnattended.exe

Filesize
109KB

MD5
0e688254065af78d95a3fdf159ab8d86

SHA1
e1178f76ea31e1009f631ca0f0b948807392faa9

SHA256
1b6fc8321728fccd3a9a0f88f51ab115f0c6d227d644b948d9d0b58d1123c923

SHA512
71efb2e36026fd859522c593662ac7f607ad639027c0fa6cc2f4fc9e0c0bc9156ca4e90448f3e2795d693bad0d337b28147bea33747687524da70e598ddb430c

Download Submit
C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\LibGoToResolve.dll

Filesize
19.7MB

MD5
c2b7eec9b082f83609d40a977c980c09

SHA1
e68345a8387c9644e1cc695ea1f8273e2911c63b

SHA256
1f13a2911d6cad19314f330bab9a57d81c8323575fdc7182e1c2eb6f844ba89b

SHA512
e0032b2acd49f20def25e799c39c7d9648e55250fb851c64b7a52b29aecfb5a3f8a83ded6963e221d16259b0e064504f92f1991a53c1e6a1a01044136e53de4e

Download Submit
C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\MediaClientLib.dll

Filesize
13.9MB

MD5
12c3b59bbafa6ea8d0d3209e70ad39c2

SHA1
7f699dd519c20ecf8bf24947d03868c580913b39

SHA256
c132232018896ba3f84ff37a1ece4a7a58eef08afecf495fc31176b276b000bb

SHA512
55ebe552343ef28939d427f32e5ed98d11d734a65e050917e918efdf400806bbf809d8fc77beb48b6d2f4f5c7961f0c2c8a728691c4f217427578476bf64b10f

Download Submit
C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\PasswordPrivacyDll.dll

Filesize
1.1MB

MD5
7a5ddf82d45f1060ac2386bf4ba89dd3

SHA1
ca26ead1e092c6612d7393873854ba0a257ae832

SHA256
95743c6c9d2f626fa66c3b95e2b3c003313089f653681c82c1e9c214ddd2778d

SHA512
5ad98d4985d36d6259027374c600913a5729635c71453c6191510ac1c4f3b9b732c6436eb49b9c0ddb2af753b08c699c1ca6c26c151cf52fce9cdb2b5a77bd5d

Download Submit
C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\appdata\GoToResolveProcessChecker.log

Filesize
4KB

MD5
7a3f94335c9fc40294c5b21f507c9d07

SHA1
4a583ad4d58b81daa435b7fb89a513c301530a4e

SHA256
8e2700f7518be5bbab36bc75713cab37ce2a0bb25450ba80815d36452c059ae8

SHA512
c526d250c30c77eda62399f41dd3202efe4951c79fe31365c28d411b6fefc153a9e795bdf183ac79a1be76c9dda6f58b3fc6b212df72c28963e427c082bf70f7

Download Submit
C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\appdata\GoToResolveUnattended.log

Filesize
18KB

MD5
5122a9f5eccf450074b2d3037a9d62dc

SHA1
ed7a9733b758350d7af1c584cebc75c17867d635

SHA256
08da0a4a8a2cdc1179ee176a566444519f51d0471e7449568c87dfbf95eea54a

SHA512
ad87419eb42e05a67d247aab9a0e63df7f84a11dc006e0cc72fed6bbf3b011cec04a3df1358862d9f410e7a216987d37f2998d895a593d00e4daeed7840e46e1

Download Submit
C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\AlertsModule\1.2024.0430.2\logs\2024-05-16.log

Filesize
4KB

MD5
c74e9d8becc7adb32d080483fd874767

SHA1
3dc68b3c000627d3fe057ce525e26587ba950582

SHA256
104700bdc5f14cdeedddcafaae0128699f1679777c7932dbc41fec3a7a791d8d

SHA512
7521d4daadf29420602ae89530838e9069614e1bb8618ab52ee0746dd54062b5d0df18e476755e782fb15386dd9927c9348311eedfb4c43b285cecf3923de919

Download Submit
C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\AlertsModule\1.2024.0430.2\logs\2024-05-16.log

Filesize
1KB

MD5
8af60c8842ca20903f06cdcfb630c2d3

SHA1
dfc60d57e5aa79c16eea0590403aec2b54abe2f3

SHA256
dbb291e6bfbf2fe586ca06eeb46e5629f626e418627a4aa8708e68db3562946d

SHA512
f8c017224fcd39d8d962fff10acbec3f59e44d906f330f4389fb091727320d6ddcf4316c101f9daede73c355809d22095d2e9d734471fb27e6812395f16fb09e

Download Submit
C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\AntivirusModule\1.2024.0411.2\GoTo.Resolve.Antivirus.App.exe

Filesize
161KB

MD5
0ee709e29bad3bf3677eb380ae9fe100

SHA1
655d7ae9fbce8f5ec9fb1ebbf1edd34a7fcb0501

SHA256
7680070e0ba04e4219943cf513cdb004cd20aa5fcccf9644b8caa1cdf9a3f4fc

SHA512
5e0fabb74c25864f5fc6f2fd44aa0ed1337745c66246ae3e48d6ec0c1a1d18b718fc9e2d3d34cae974434a8f8625de9ff6615e6d4c8a55b0132ffbf6b0f469d7

Download Submit
C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\DeviceDataModule\1.71.0\GoTo.Resolve.DeviceData.App.exe

Filesize
11.5MB

MD5
5c76b75ea22c81a9224456f77ab1175f

SHA1
b681216752e17148d341390d1c778e4c5ba33364

SHA256
0bc404e30bdad9be1d7ed633adc054800f2e7e757e6414795136c0a896b0bb87

SHA512
a18172f9ba6f6ee62c64cd4f506791c9592436a7cd9f06710794e86a26748bd6d51406420cfc89474fe0c1375e56f3ce1ccc834cd1799a5cc7decadcf63eef0a

Download Submit
C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\RemoteExecutionModule\1.2024.0506.1\RemoteExecution.Runner.exe

Filesize
164KB

MD5
840ed278c7882f3b877df906937aa3c5

SHA1
0262be6cd5f1596e5b54ecc910efd6e277920c03

SHA256
8f70badc067ff6e828d6afccaead174a7623a8ef89c1c81a614f5fa8648f1019

SHA512
2e2ae3b5ba9b9394f386c2243da93ad3f7f35102f50be2206bf06cd48401bb8de5e1fb4ab18b29fa53ad8530474fdef3490df98aca7bc3ba2295485b911630c2

Download Submit
C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\libcrypto-3.dll

Filesize
4.2MB

MD5
dc2bd7e6e6a3b528424410af077ba2a7

SHA1
aa891f61820e7c6d0ed35989a595af77f4b7203b

SHA256
e852018ec59efbe2dc2e32c064f35ee68171417d8c5bc5ba319609555dde2bc6

SHA512
a96f57f5d0272f8ba4ccb1b184289f0caeace54d001f641622fe38892fa9d0f6781808cf5a585d77fc75c356bb90c03a062b2fb17b09a29e20b0264b12c8358f

Download Submit
C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\libssl-3.dll

Filesize
1.1MB

MD5
4f19c36b09b820d9371d8b6510497475

SHA1
03b8ee682eeac39e120aac474a54344c2b391150

SHA256
11598140036154dcd8ccd5619ac059aea4012cf9a4535ffa7c9b2f0ae405906d

SHA512
8ed2ee897c54abf13beae299902018861c4bc30a1ce5d14a64129af3856a3d2e5829eb060a99f7ea7bb894966e21a2d5eec473323883c865c0caed9de832d1b6

Download Submit
C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\logger.json.tmp

Filesize
374B

MD5
7f7e7cfc56525eb1fc5d9fbe3c1f1e62

SHA1
f8d2fba1420479b32750f0584dd5269a8378a882

SHA256
b7c01c84dec661cddc8efebdfc5048532d794edc1d41822e583ba4b4d7f74f61

SHA512
337c6f81b300589145c7763df531ac681de376beae2e8f2051fea5aad6a1cdc11a34dc280a6efa3be52ec67e596a00ee977bec7cff7353d64ce388aa477a9a4f

Download Submit
C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\mandatory.json

Filesize
74B

MD5
f50767df127a399996304f5a1259653a

SHA1
0a03f644be27865e0031b235ca6a21353e265ed7

SHA256
afc6a427fd31151d995e93e66edd9138df27dc88580b03b12d8a8012c481f3bd

SHA512
29898528d9047d2689de8be7938662c0e80c5161c20fcb9fa9135378b2c2193c6185cd560148f3fd7100824f7f43265434d9982c1b85933f3d00490804c7853e

Download Submit
C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\mandatory.json.tmp

Filesize
1KB

MD5
c0b2d3a1d0aed89f170276a442fece1b

SHA1
9d80a1f2bac4724bdcc6da4459c1a3d73f662c83

SHA256
2864ba7550db49bc7bbf5695b89884cc00accb519110d7bfaafce0aae8be657c

SHA512
e7b80826a6a567d0f7ac780b49f0f7f5376b89f10dee431ef2a2277cc8bb2fca94691821f8d48f088fd87da4008fb7400b093219ff0d1c2d890689be5c54da43

Download Submit
C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\unattended.json

Filesize
582B

MD5
c5b571903e37d2b955cd21f584471ed3

SHA1
267332217a876f04c16e8b92141fa8321dd6fc74

SHA256
f967768b99cebe2225ef1c41d9ee31c21f9014f87f29cf30c487b448aa074dfa

SHA512
e849d1bfceaa9450505c27119ec407d19b017a3748d907c73fcb915b46fbf7b1bb75c85be066d8898cdbda0d942389c965f2102522cd049211269f4ba4cdac3a

Download Submit
C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\unattended.json.tmp

Filesize
703B

MD5
49271953cc7e7b5b920c292bd93026c1

SHA1
bddb772d4c859a56bea173c61023f973600d4bd8

SHA256
19eb67cc4ed0b294ba19f7ff2ab3c3f616cb05f27b9d6b87071fa52b9754b8ef

SHA512
d8e74aaf6eb247b64f2881711cd15d490a21373a197142aa9edb6593fed1d39b44e38c7783621b47b56b78861920dba720d311ad601150905f2365544acbf224

Download Submit
C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\unattended.json.tmp

Filesize
1KB

MD5
b7113cb874b2f8642f4627e8f070c37e

SHA1
b1c50de8801aca63bf17acad562e340b888884ee

SHA256
71c7275a2fab14b04888d94d2c5af1389b48b5e330427e5d32ad1e2283323e85

SHA512
3cc1536b5bf86d8db690cda85f6389845972b977db475214bafd1a9da9199a64deac9a830f9ec748ec2259b6fc3b946d057d259cdbd9ca8aadd08d111c51966f

Download Submit
C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\unattended.json.tmp

Filesize
1KB

MD5
70dfff020b12d56d5607284a91cf2e3b

SHA1
c73cfc5c2293ad38c361fd5d90226f9eef9a0837

SHA256
88d841af1e757a2264bd0b30cca2b385de84de1672073ca23ffc5155889838b2

SHA512
263242344d60ea20d392f1587f75b1f07e1c470de431452e2182e33607cf4cb6e046d0b5dbc1f90a461cea090a4f5098449c0716d0d79255a838dabc3494d104

Download Submit
C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\unattended.json.tmp

Filesize
1KB

MD5
1fc328391705fd73db50d6c1064b7a25

SHA1
4f2de52ab9da8767c66c1c29d76d35a20ca83582

SHA256
8bd3e912ca3639405e98903a0d2be6665f13af2fc1a837064621d375131791d2

SHA512
4ee070e5ea9cdd644d1d031e13f6731bcb31cec45ebbb8abdffd1bfe068137e759c13633e8c5adbf4d54f9bae0c1de40ed1dcd1dd66527c746dcbbf20c73c664

Download Submit
C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\unattended.json.tmp

Filesize
1KB

MD5
baa2cf3f49491954b931d27269f07e15

SHA1
e673ae65634dd64f2332f0d95103894df8933b8f

SHA256
479c33838f1420181be974b548ed253c6d4bf9684117740dc5d578e95bf8ba37

SHA512
3c1b8e51cae527a406ebcfbed064c8b74b3f39b986d9ba7dcb54d6bcf63f099e4ff0be6f4c8c8dcbdec39b1fae924272ba327ca1bb9af877bca2bb2c28a2315c

Download Submit
C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\x64\g2rvdd.inf

Filesize
3KB

MD5
79c299099a8f43e1a94047355ebdf1cc

SHA1
55ede099780c9e2dcc8cb3dd9006fbf098c8997b

SHA256
0a70026b5ac03d6c3c930c245fb992ad9c02192be607e62d27691909f331fe8d

SHA512
270c8600ed3c00aa6625bbd2c5777a19949773f8c58ddd560bf2d39fac2e9f5868ed633d60728e8d4a106d97a62d43056d818e1fea565198446c487a83342a7d

Download Submit
C:\Users\Admin\AppData\Local\GoTo Resolve Installer\GoTo0001.tmp\UnattendedUpdater.csv

Filesize
3KB

MD5
838ca896ea193a6baf562c295871addd

SHA1
c240fc0d4993dd6ea39fcc2c93a6709ce2da0235

SHA256
e34644372681bcb14460b43a98875bf8ab7e8fd966141c8401f0882518b1f0b6

SHA512
d597800ced83381ef60a461e34fe154d91b9e18c9dd707af266510b6e1fd84897129c09c57d2098dd5dd10ebf54bd772f445074c430ca1b86400e6819a79e8f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\3858_invoice.exe.cmd

Filesize
537B

MD5
2d1ec5c3d0d2fd67e0aa148f4e523d93

SHA1
24a6528837fe7c825f44be9e0c2bd942203bb9b0

SHA256
5653c22a6d0f410d2a1207c131206c1f990be9a3fcd2c8e5a5dfa77b01d73c1b

SHA512
7fdeeb8471cc5916131011186ea9da7c9ccea6b9755bbdec2ecce4f564079c05b566ff147b700b3535fe608e48a69c5d2922d74be5003995a77a19a03bf06f25

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\ApplicationInsights\bf35fe7d15f2a58d930da8c8f390b78245b9136f9bb24b2713ab881c60fe52f1\vlk3i5ma.w1r

Filesize
1B

MD5
93b885adfe0da089cdf634904fd59f71

SHA1
5ba93c9db0cff93f52b521d7420e43f6eda2784f

SHA256
6e340b9cffb37a989ca544e6bb780a2c78901d3fb33738768511a30617afa01d

SHA512
b8244d028981d693af7b456af8efa4cad63d282e19ff14942c246e50d9351d22704a802a71c3580b6370de4ceb293c324a8423342557d4e5c38438f0e36910ee

Download Submit