egregor | 39e246d194e4a5ade27a08d4a925dbff009fa8b66963c05f18712c1472e24a81

Analysis

max time kernel
150s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16-05-2024 16:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

39e246d194e4a5ade27a08d4a925dbff009fa8b66963c05f18712c1472e24a81.exe
Size

25.8MB
MD5

9b28351713f6b95a04996fee315aa7fd
SHA1

edac4aa27925404263fafdaad6dd375732861ad1
SHA256

39e246d194e4a5ade27a08d4a925dbff009fa8b66963c05f18712c1472e24a81
SHA512

7971eacbb3e56be9803abcd11f9fd3246ba763b16de5d3331e984b040c2c9730a9ba085ed1a7d0ae0d24bd28ed108938284111c8f65d011ee0e62c6c2c4fc624
SSDEEP

393216:M+Jsv6tWKFdu9CRXu3AzmqTL6zemNMg56LLnToMjmmV5BBWCJP0/3uj7XlC4t6no:RfmqG3Q3TTyanWCJM/e9Ch6dv

Score

10^/10

egregor discovery persistence ransomware

Malware Config

Signatures

Detected Egregor ransomware 1 IoCs

resource	yara_rule
behavioral2/files/0x000700000002341d-57.dat	family_egregor

Egregor Ransomware
Variant of the Sekhmet ransomware first seen in September 2020.
ransomware egregor

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	GoToResolveQuickView.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	GoToResolveUnattended.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	GoToResolveUnattended.exe

Executes dropped EXE 20 IoCs

pid	Process
1504	GoToResolveUnattended.exe
4932	GoToResolveTools64.exe
1488	GoToResolveProcessChecker.exe
3532	GoToResolveProcessChecker.exe
4896	GoToResolveUnattended.exe
4600	GoToResolveLoggerProcess.exe
1088	GoToResolveCrashHandler.exe
1584	GoToResolveCrashHandler.exe
396	GoToResolveFileManager.exe
4892	GoToResolveQuickView.exe
4956	GoToResolveTerminal.exe
3704	GoToResolveCrashHandler.exe
4964	GoToResolveCrashHandler.exe
2548	GoTo.Resolve.DeviceData.App.exe
2828	GoTo.Resolve.Alerts.Monitor.App.exe
4312	RemoteExecution.Runner.exe
804	GoTo.Resolve.PatchManagement.Client.exe
1756	GoTo.Resolve.Alerts.Monitor.App.exe
768	GoTo.Resolve.Antivirus.App.exe
1664	GoTo.Resolve.Antivirus.App.exe

Loads dropped DLL 64 IoCs

pid	Process
1504	GoToResolveUnattended.exe
1504	GoToResolveUnattended.exe
1504	GoToResolveUnattended.exe
1504	GoToResolveUnattended.exe
1504	GoToResolveUnattended.exe
1504	GoToResolveUnattended.exe
1488	GoToResolveProcessChecker.exe
1488	GoToResolveProcessChecker.exe
1488	GoToResolveProcessChecker.exe
1488	GoToResolveProcessChecker.exe
1488	GoToResolveProcessChecker.exe
1488	GoToResolveProcessChecker.exe
3532	GoToResolveProcessChecker.exe
3532	GoToResolveProcessChecker.exe
3532	GoToResolveProcessChecker.exe
3532	GoToResolveProcessChecker.exe
3532	GoToResolveProcessChecker.exe
3532	GoToResolveProcessChecker.exe
4896	GoToResolveUnattended.exe
4896	GoToResolveUnattended.exe
4896	GoToResolveUnattended.exe
4896	GoToResolveUnattended.exe
4896	GoToResolveUnattended.exe
4896	GoToResolveUnattended.exe
4600	GoToResolveLoggerProcess.exe
4600	GoToResolveLoggerProcess.exe
4600	GoToResolveLoggerProcess.exe
4600	GoToResolveLoggerProcess.exe
4600	GoToResolveLoggerProcess.exe
4600	GoToResolveLoggerProcess.exe
396	GoToResolveFileManager.exe
396	GoToResolveFileManager.exe
396	GoToResolveFileManager.exe
396	GoToResolveFileManager.exe
396	GoToResolveFileManager.exe
396	GoToResolveFileManager.exe
4892	GoToResolveQuickView.exe
4956	GoToResolveTerminal.exe
4956	GoToResolveTerminal.exe
4956	GoToResolveTerminal.exe
4956	GoToResolveTerminal.exe
4956	GoToResolveTerminal.exe
4956	GoToResolveTerminal.exe
4892	GoToResolveQuickView.exe
4892	GoToResolveQuickView.exe
4892	GoToResolveQuickView.exe
4892	GoToResolveQuickView.exe
4892	GoToResolveQuickView.exe
4312	RemoteExecution.Runner.exe
4312	RemoteExecution.Runner.exe
4312	RemoteExecution.Runner.exe
4312	RemoteExecution.Runner.exe
4312	RemoteExecution.Runner.exe
4312	RemoteExecution.Runner.exe
4312	RemoteExecution.Runner.exe
4312	RemoteExecution.Runner.exe
4312	RemoteExecution.Runner.exe
4312	RemoteExecution.Runner.exe
4312	RemoteExecution.Runner.exe
4312	RemoteExecution.Runner.exe
4312	RemoteExecution.Runner.exe
4312	RemoteExecution.Runner.exe
4312	RemoteExecution.Runner.exe
4312	RemoteExecution.Runner.exe

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5de81d42-ce2b-4a7e-b1b7-1312fa11c82b}\InprocServer32\ThreadingModel = "Apartment"	GoToResolveUnattended.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5de81d42-ce2b-4a7e-b1b7-1312fa11c82b}\InprocServer32	GoToResolveUnattended.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5de81d42-ce2b-4a7e-b1b7-1312fa11c82b}\InprocServer32\ = "GoToResolveUnlock64.dll"	GoToResolveUnattended.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks system information in the registry 2 TTPs 8 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	GoToResolveTools64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	GoToResolveUnattended.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	GoToResolveUnattended.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	GoToResolveUnattended.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	GoToResolveUnattended.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	GoToResolveQuickView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	GoToResolveQuickView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	GoToResolveTools64.exe

Drops file in System32 directory 49 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\Temp\{7df457cc-a637-f14a-8c8a-1ec7eeb0a973}\SET68DC.tmp	DrvInst.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\ApplicationInsights\49a79555446a342df02477815a2e44309b6db288b6f82a7fb9c8c03c3af6f5d9\zwfoo5fp.hwk	GoTo.Resolve.Alerts.Monitor.App.exe
File created	C:\Windows\System32\DriverStore\FileRepository\rdvgwddmdx11.inf_amd64_e8336336d081cc11\rdvgwddmdx11.PNF	GoToResolveTools64.exe
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	GoToResolveTools64.exe
File created	C:\Windows\System32\DriverStore\Temp\{7df457cc-a637-f14a-8c8a-1ec7eeb0a973}\SET68ED.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\g2rvdd.inf_amd64_5e96164a846f7842\g2rvdd.cat	DrvInst.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\ApplicationInsights\49a79555446a342df02477815a2e44309b6db288b6f82a7fb9c8c03c3af6f5d9\tu2jjz12.1e4	GoTo.Resolve.Alerts.Monitor.App.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\ApplicationInsights\1350c50c6bf567bd2fd3f5d957b09d880c559776016217cd6c343fbdbcb588e4\v1ymfewo.ijk	GoTo.Resolve.Antivirus.App.exe
File created	C:\Windows\System32\DriverStore\FileRepository\virtualdisplayadapter.inf_amd64_bcc7550a6e285f92\virtualdisplayadapter.PNF	GoToResolveTools64.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7df457cc-a637-f14a-8c8a-1ec7eeb0a973}\g2rvdd.dll	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\ApplicationInsights\49a79555446a342df02477815a2e44309b6db288b6f82a7fb9c8c03c3af6f5d9\ut1b2j5g.kjo	GoTo.Resolve.Alerts.Monitor.App.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7df457cc-a637-f14a-8c8a-1ec7eeb0a973}\g2rvdd.cat	DrvInst.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\ApplicationInsights\49a79555446a342df02477815a2e44309b6db288b6f82a7fb9c8c03c3af6f5d9\g1jsafc5.2yv	GoTo.Resolve.Alerts.Monitor.App.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416	GoTo.Resolve.DeviceData.App.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wvmbusvideo.inf_amd64_c531b5e68fd6f6bf\wvmbusvideo.PNF	GoToResolveTools64.exe
File created	C:\Windows\System32\DriverStore\FileRepository\rdpidd.inf_amd64_ce12c614d182f4f9\rdpidd.PNF	GoToResolveTools64.exe
File opened for modification	C:\Windows\system32\GoToResolveUnlock64.dll	GoToResolveUnattended.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7df457cc-a637-f14a-8c8a-1ec7eeb0a973}	DrvInst.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	GoToResolveUnattended.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\ApplicationInsights\49a79555446a342df02477815a2e44309b6db288b6f82a7fb9c8c03c3af6f5d9\kdoiannn.c01	GoTo.Resolve.Alerts.Monitor.App.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_325DC716E4289E0AE281439314ED4BFA	GoToResolveUnattended.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7df457cc-a637-f14a-8c8a-1ec7eeb0a973}\SET68DC.tmp	DrvInst.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\ApplicationInsights\bf35fe7d15f2a58d930da8c8f390b78245b9136f9bb24b2713ab881c60fe52f1\hqb0dhos.4lq	RemoteExecution.Runner.exe
File created	C:\Windows\System32\DriverStore\FileRepository\c_display.inf_amd64_c7457a37d16eaadf\c_display.PNF	GoToResolveTools64.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1	GoToResolveUnattended.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7df457cc-a637-f14a-8c8a-1ec7eeb0a973}\SET68EC.tmp	DrvInst.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	GoToResolveUnattended.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	GoToResolveUnattended.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7df457cc-a637-f14a-8c8a-1ec7eeb0a973}\SET68ED.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\g2rvdd.inf_amd64_5e96164a846f7842\g2rvdd.dll	DrvInst.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_325DC716E4289E0AE281439314ED4BFA	GoToResolveUnattended.exe
File created	C:\Windows\System32\DriverStore\FileRepository\vrd.inf_amd64_81fbd405ff2470fc\vrd.PNF	GoToResolveTools64.exe
File created	C:\Windows\system32\GoToResolveUnlock64.dll	GoToResolveUnattended.exe
File created	C:\Windows\System32\DriverStore\Temp\{7df457cc-a637-f14a-8c8a-1ec7eeb0a973}\SET68EC.tmp	DrvInst.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\B746EBBFF1E868CD55FBC68006FB8D36270361F2	GoToResolveUnattended.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	GoToResolveUnattended.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3E3E9689537B6B136ECF210088069D55_EF6C9357BB54DDB629FD2D79F1594F95	GoToResolveUnattended.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\ApplicationInsights\11624532ce422ae1e7fc411f7cf2679a7518cefe9461376d910905ef4633e2c0\v0uur1go.o0d	GoTo.Resolve.PatchManagement.Client.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C56C4404C4DEF0DC88E5FCD9F09CB2F1	GoToResolveUnattended.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\ApplicationInsights\1350c50c6bf567bd2fd3f5d957b09d880c559776016217cd6c343fbdbcb588e4\lgtqyrbk.qiq	GoTo.Resolve.Antivirus.App.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416	GoTo.Resolve.DeviceData.App.exe
File created	C:\Windows\System32\DriverStore\FileRepository\displayoverride.inf_amd64_c7a5777273c98ebf\displayoverride.PNF	GoToResolveTools64.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7df457cc-a637-f14a-8c8a-1ec7eeb0a973}\g2rvdd.inf	DrvInst.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\ApplicationInsights\49a79555446a342df02477815a2e44309b6db288b6f82a7fb9c8c03c3af6f5d9\bjdslaco.5dg	GoTo.Resolve.Alerts.Monitor.App.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3E3E9689537B6B136ECF210088069D55_EF6C9357BB54DDB629FD2D79F1594F95	GoToResolveUnattended.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\g2rvdd.inf_amd64_5e96164a846f7842\g2rvdd.inf	DrvInst.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys	GoToResolveUnattended.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\RemoteExecutionModule\1.2024.0506.1\System.Linq.Queryable.dll	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\AntivirusModule\1.2024.0411.2\GoTo.Resolve.Device.Authentication.dll	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\AntivirusModule\1.2024.0411.2\System.Net.WebSockets.Client.dll	GoToResolveUnattended.exe
File opened for modification	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\Logs\FileManager-2024-05-16T16-04-53-445Z.log	GoToResolveFileManager.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\ZtnaModule\1.19.0\squid\bin\cygevent_pthreads-2-0-5.dll	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\RemoteExecutionModule\1.2024.0506.1\System.Configuration.ConfigurationManager.dll	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\RemoteExecutionModule\1.2024.0506.1\System.Formats.Tar.dll	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\RemoteExecutionModule\1.2024.0506.1\System.Reflection.Emit.ILGeneration.dll	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\ZtnaModule\1.19.0\squid\bin\cygssh2-1.dll	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\DeviceDataModule\1.71.0\GoTo.Resolve.DeviceData.App.exe	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\RemoteExecutionModule\1.2024.0506.1\Microsoft.Extensions.Options.dll	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\RemoteExecutionModule\1.2024.0506.1\System.Diagnostics.Debug.dll	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\AntivirusModule\1.2024.0411.2\Polly.dll	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\LMISupport7x64.dll	39e246d194e4a5ade27a08d4a925dbff009fa8b66963c05f18712c1472e24a81.exe
File opened for modification	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\.sentry-native\80193026-5701-484f-0214-ac239f74b6ad.run.lock	GoToResolveTerminal.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\ZtnaModule\1.19.0\squid\bin\cygtasn1-6.dll	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\RemoteExecutionModule\1.2024.0506.1\System.Private.CoreLib.dll	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\AntivirusModule\1.2024.0411.2\Microsoft.Extensions.Caching.Memory.dll	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\AntivirusModule\1.2024.0411.2\System.Linq.Async.dll	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\ZtnaModule\1.19.0\squid\bin\cygattr-1.dll	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\ZtnaModule\1.19.0\squid\bin\cyggssrpc-4.dll	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\RemoteExecutionModule\1.2024.0506.1\System.Net.Quic.dll	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\RemoteExecutionModule\1.2024.0506.1\System.Private.Uri.dll	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\RemoteExecutionModule\1.2024.0506.1\System.Threading.Tasks.Extensions.dll	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\AntivirusModule\1.2024.0411.2\Polly.Extensions.Http.dll	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\AntivirusModule\1.2024.0411.2\System.IO.UnmanagedMemoryStream.dll	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\AntivirusModule\1.2024.0411.2\System.Private.Uri.dll	GoToResolveUnattended.exe
File opened for modification	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\appdata\GoToResolveFileManager.log	GoToResolveFileManager.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\ZtnaModule\1.19.0\squid\bin\cygatomic-1.dll	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\RemoteExecutionModule\1.2024.0506.1\clrgc.dll	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\RemoteExecutionModule\1.2024.0506.1\WindowsBase.dll	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\AntivirusModule\1.2024.0411.2\Microsoft.Extensions.Logging.Debug.dll	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\GoToResolveTools32.exe	39e246d194e4a5ade27a08d4a925dbff009fa8b66963c05f18712c1472e24a81.exe
File opened for modification	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\appdata\GoToResolveProcessChecker.log	GoToResolveProcessChecker.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\ZtnaModule\1.19.0\squid\lib\squid\basic_sasl_auth.exe	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\RemoteExecutionModule\1.2024.0506.1\System.Net.Http.dll	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\AntivirusModule\1.2024.0411.2\System.Globalization.dll	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\ZtnaModule\1.19.0\squid\bin\cygcrypt-2.dll	GoToResolveUnattended.exe
File opened for modification	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\DeviceDataModule	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\AntivirusModule\1.2024.0411.2\Microsoft.Extensions.Diagnostics.dll	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\ZtnaModule\1.19.0\squid\lib\squid\basic_smb_auth.exe	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\ZtnaModule\1.19.0\squid\etc\squid\sag-cert.pem	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\RemoteExecutionModule\1.2024.0506.1\System.Threading.Channels.dll	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\AntivirusModule\1.2024.0411.2\System.Core.dll	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\ZtnaModule\1.19.0\squid\bin\cygldap-2.dll	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\RemoteExecutionModule\1.2024.0506.1\System.Collections.NonGeneric.dll	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\RemoteExecutionModule\1.2024.0506.1\System.ServiceProcess.dll	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\AntivirusModule\1.2024.0411.2\Microsoft.Extensions.Options.dll	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\AntivirusModule\1.2024.0411.2\System.Runtime.InteropServices.JavaScript.dll	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\ZtnaModule\1.19.0\squid\etc\xattr.conf	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\AntivirusModule\1.2024.0411.2\createdump.exe	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\AntivirusModule\1.2024.0411.2\System.Net.NetworkInformation.dll	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\GoToResolveUnlock32.dll	39e246d194e4a5ade27a08d4a925dbff009fa8b66963c05f18712c1472e24a81.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\ZtnaModule\1.19.0\squid\usr\share\squid\errors\templates\ERR_SHUTTING_DOWN	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\ZtnaModule\1.19.0\squid\bin\cyggmp-10.dll	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\RemoteExecutionModule\1.2024.0506.1\System.ComponentModel.DataAnnotations.dll	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\AntivirusModule\1.2024.0411.2\Microsoft.CSharp.dll	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\ZtnaModule\1.19.0\squid\bin\cyghogweed-4.dll	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\RemoteExecutionModule\1.2024.0506.1\System.Runtime.Serialization.Xml.dll	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\AntivirusModule\1.2024.0411.2\System.Diagnostics.Tools.dll	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\AntivirusModule\1.2024.0411.2\System.Xml.XDocument.dll	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\GoToResolveUnlock64.dll	39e246d194e4a5ade27a08d4a925dbff009fa8b66963c05f18712c1472e24a81.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\appdata\UnattendedCrashReportDB\settings.dat	GoToResolveUnattended.exe
File created	C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\ZtnaModule\1.19.0\squid\usr\share\squid\errors\templates\ERR_FORWARDING_DENIED	GoToResolveUnattended.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.dev.log	GoToResolveTools64.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4672	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 42 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	GoToResolveTools64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	GoToResolveTools64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	GoToResolveTools64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	GoToResolveTools64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	GoToResolveTools64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	GoToResolveTools64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	GoToResolveTools64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	GoToResolveTools64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	GoToResolveTools64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	GoToResolveTools64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	GoToResolveTools64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	GoToResolveTools64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	GoToResolveTools64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	GoToResolveTools64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	GoToResolveTools64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	GoToResolveTools64.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	GoToResolveUnattended.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	GoToResolveQuickView.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	GoToResolveQuickView.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	GoToResolveTools64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	GoToResolveTools64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	GoToResolveUnattended.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	GoToResolveUnattended.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	GoToResolveUnattended.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	GoToResolveTools64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	GoToResolveUnattended.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	GoToResolveUnattended.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	GoToResolveQuickView.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
2756	timeout.exe
4228	timeout.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	GoToResolveUnattended.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time"	GoTo.Resolve.DeviceData.App.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	GoTo.Resolve.DeviceData.App.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time"	GoTo.Resolve.DeviceData.App.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time"	GoTo.Resolve.DeviceData.App.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time"	GoTo.Resolve.DeviceData.App.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time"	GoTo.Resolve.DeviceData.App.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	GoToResolveLoggerProcess.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	GoToResolveUnattended.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time"	GoTo.Resolve.DeviceData.App.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	GoToResolveUnattended.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time"	GoTo.Resolve.DeviceData.App.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time"	GoTo.Resolve.DeviceData.App.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time"	GoTo.Resolve.DeviceData.App.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	GoToResolveLoggerProcess.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time"	GoTo.Resolve.DeviceData.App.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time"	GoTo.Resolve.DeviceData.App.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time"	GoTo.Resolve.DeviceData.App.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time"	GoTo.Resolve.DeviceData.App.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time"	GoTo.Resolve.DeviceData.App.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	GoTo.Resolve.DeviceData.App.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time"	GoTo.Resolve.DeviceData.App.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time"	GoTo.Resolve.DeviceData.App.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time"	GoTo.Resolve.DeviceData.App.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time"	GoTo.Resolve.DeviceData.App.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	GoTo.Resolve.DeviceData.App.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time"	GoTo.Resolve.DeviceData.App.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	GoToResolveUnattended.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time"	GoTo.Resolve.DeviceData.App.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	GoToResolveUnattended.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time"	GoTo.Resolve.DeviceData.App.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time"	GoTo.Resolve.DeviceData.App.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	GoTo.Resolve.DeviceData.App.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	GoTo.Resolve.DeviceData.App.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	GoTo.Resolve.PatchManagement.Client.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time"	GoTo.Resolve.DeviceData.App.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time"	GoTo.Resolve.DeviceData.App.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	GoToResolveUnattended.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time"	GoTo.Resolve.DeviceData.App.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time"	GoTo.Resolve.DeviceData.App.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	GoTo.Resolve.DeviceData.App.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time"	GoTo.Resolve.DeviceData.App.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time"	GoTo.Resolve.DeviceData.App.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time"	GoTo.Resolve.DeviceData.App.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time"	GoTo.Resolve.DeviceData.App.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	GoToResolveUnattended.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time"	GoTo.Resolve.DeviceData.App.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time"	GoTo.Resolve.DeviceData.App.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time"	GoTo.Resolve.DeviceData.App.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2872 = "Magallanes Standard Time"	GoTo.Resolve.DeviceData.App.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time"	GoTo.Resolve.DeviceData.App.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time"	GoTo.Resolve.DeviceData.App.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	GoTo.Resolve.Antivirus.App.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	GoToResolveUnattended.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time"	GoTo.Resolve.DeviceData.App.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time"	GoTo.Resolve.DeviceData.App.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time"	GoTo.Resolve.DeviceData.App.exe

Modifies registry class 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5de81d42-ce2b-4a7e-b1b7-1312fa11c82b}\InprocServer32\ = "GoToResolveUnlock64.dll"	GoToResolveUnattended.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5de81d42-ce2b-4a7e-b1b7-1312fa11c82b}\InprocServer32\ThreadingModel = "Apartment"	GoToResolveUnattended.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5de81d42-ce2b-4a7e-b1b7-1312fa11c82b}	GoToResolveUnattended.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5de81d42-ce2b-4a7e-b1b7-1312fa11c82b}\ = "RescueAssistCredProv"	GoToResolveUnattended.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5de81d42-ce2b-4a7e-b1b7-1312fa11c82b}\InprocServer32	GoToResolveUnattended.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\MY\Certificates\6BBAA0AB6BC8DA1556AF3BCB50FA3A7821FDBF9E	GoToResolveUnattended.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\MY\Certificates\6BBAA0AB6BC8DA1556AF3BCB50FA3A7821FDBF9E\Blob = 0300000001000000140000006bbaa0ab6bc8da1556af3bcb50fa3a7821fdbf9e0b000000010000007000000047006f0054006f005200650073006f006c007600650055006e0061007400740065006e0064006500640043006f006e006e0065006300740069006f006e0043006500720074005f00310039003300370039003100380032003700300033003200320037003300370035003700320000000200000001000000ec0000001c0000008c000000010000000000000000000000000000000100000047006f0054006f005200650073006f006c007600650055006e0061007400740065006e0064006500640043006f006e006e0065006300740069006f006e0043006500720074005f00310039003300370039003100380032003700300033003200320037003300370035003700320000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e0030000000000020000000010000005e0300003082035a30820242a003020102021500d94c7edf5b3cc79aaa0ccf45d6b3b3b3813901df300d06092a864886f70d01010b0500304d314b3049060355040b0c42416d617a6f6e20576562205365727669636573204f3d416d617a6f6e2e636f6d20496e632e204c3d53656174746c652053543d57617368696e67746f6e20433d5553301e170d3234303531363136303331375a170d3439313233313233353935395a301e311c301a06035504030c1341575320496f5420436572746966696361746530820122300d06092a864886f70d01010105000382010f003082010a0282010100d6681acebd3ecab53c76de1fdc18421d6877887a24c2601e661b21a92538e4ff1c6f2aecccddfb1f61bfde82444f24e58a1a58724ed2a194a0bc97d63db6cb1f32aab00a4648f695a1e3b1cc66ce2551656e99b67c48b90d6dd266bcf2b4b6318c8bbb2f72ec168f426a16d47a45b314cfc2985e9a4f99680af70aa7904ad548a02d39434b7bc55007eb68a82833e74d730a804d998ffa055f4fa42b877a0158c9c83a8e29c1adbb959f61d343b5c5f6517061dcdd853c2bf6f50950e6cc3554afee6db95417a9a0b3f72391d30a36771f83c51ba237db7742c43a63b664c8d505dbd44506d60503d1f4ea7ccec9a9ca286a2145e44f65931f68825c613853f30203010001a360305e301f0603551d2304183016801489016b10112f17de5e5325a0f79f91f2825b7dee301d0603551d0e04160414b746ebbff1e868cd55fbc68006fb8d36270361f2300c0603551d130101ff04023000300e0603551d0f0101ff040403020780300d06092a864886f70d01010b0500038201010064c210a5eab86f5d01c2487f2cb98a3a42ab47194ed4e7f5c9003e5e008c66cc14bc5dcabd69464add43f959bf50d7ef03f82b85a79e084e87b2d18fd5df3e2ffcd09811b621c978c0bb759cd719e895783576c3140ec892d3339cb79a48a03d19bcd5e02ff41be8dd43d3db5a53337b5d575f57647fcd05ac9fbc689b8833d1e262510b4f083e9b4771c197fd6d97517b8306d01d0155dc1b2d189d28e3bf75c0b87e9876b35a320450dc8eafeceae2925866d3b0bd5d4a8ab60868b698410a82ff6556276cc2234abfadc7f2389a6429b0e2e1bc1c1688083d129d23ca8fafc18c5c22650ecca14e4dd8b5cb7f92057447dc81733c25fc5e830f4bbd7f7f9e	GoToResolveUnattended.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\MY\Certificates\6BBAA0AB6BC8DA1556AF3BCB50FA3A7821FDBF9E\Blob = 140000000100000014000000b746ebbff1e868cd55fbc68006fb8d36270361f20200000001000000ec0000001c0000008c000000010000000000000000000000000000000100000047006f0054006f005200650073006f006c007600650055006e0061007400740065006e0064006500640043006f006e006e0065006300740069006f006e0043006500720074005f00310039003300370039003100380032003700300033003200320037003300370035003700320000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e003000000000000b000000010000007000000047006f0054006f005200650073006f006c007600650055006e0061007400740065006e0064006500640043006f006e006e0065006300740069006f006e0043006500720074005f00310039003300370039003100380032003700300033003200320037003300370035003700320000000300000001000000140000006bbaa0ab6bc8da1556af3bcb50fa3a7821fdbf9e20000000010000005e0300003082035a30820242a003020102021500d94c7edf5b3cc79aaa0ccf45d6b3b3b3813901df300d06092a864886f70d01010b0500304d314b3049060355040b0c42416d617a6f6e20576562205365727669636573204f3d416d617a6f6e2e636f6d20496e632e204c3d53656174746c652053543d57617368696e67746f6e20433d5553301e170d3234303531363136303331375a170d3439313233313233353935395a301e311c301a06035504030c1341575320496f5420436572746966696361746530820122300d06092a864886f70d01010105000382010f003082010a0282010100d6681acebd3ecab53c76de1fdc18421d6877887a24c2601e661b21a92538e4ff1c6f2aecccddfb1f61bfde82444f24e58a1a58724ed2a194a0bc97d63db6cb1f32aab00a4648f695a1e3b1cc66ce2551656e99b67c48b90d6dd266bcf2b4b6318c8bbb2f72ec168f426a16d47a45b314cfc2985e9a4f99680af70aa7904ad548a02d39434b7bc55007eb68a82833e74d730a804d998ffa055f4fa42b877a0158c9c83a8e29c1adbb959f61d343b5c5f6517061dcdd853c2bf6f50950e6cc3554afee6db95417a9a0b3f72391d30a36771f83c51ba237db7742c43a63b664c8d505dbd44506d60503d1f4ea7ccec9a9ca286a2145e44f65931f68825c613853f30203010001a360305e301f0603551d2304183016801489016b10112f17de5e5325a0f79f91f2825b7dee301d0603551d0e04160414b746ebbff1e868cd55fbc68006fb8d36270361f2300c0603551d130101ff04023000300e0603551d0f0101ff040403020780300d06092a864886f70d01010b0500038201010064c210a5eab86f5d01c2487f2cb98a3a42ab47194ed4e7f5c9003e5e008c66cc14bc5dcabd69464add43f959bf50d7ef03f82b85a79e084e87b2d18fd5df3e2ffcd09811b621c978c0bb759cd719e895783576c3140ec892d3339cb79a48a03d19bcd5e02ff41be8dd43d3db5a53337b5d575f57647fcd05ac9fbc689b8833d1e262510b4f083e9b4771c197fd6d97517b8306d01d0155dc1b2d189d28e3bf75c0b87e9876b35a320450dc8eafeceae2925866d3b0bd5d4a8ab60868b698410a82ff6556276cc2234abfadc7f2389a6429b0e2e1bc1c1688083d129d23ca8fafc18c5c22650ecca14e4dd8b5cb7f92057447dc81733c25fc5e830f4bbd7f7f9e	GoToResolveUnattended.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3532	GoToResolveProcessChecker.exe
3532	GoToResolveProcessChecker.exe
3532	GoToResolveProcessChecker.exe
3532	GoToResolveProcessChecker.exe
3532	GoToResolveProcessChecker.exe
3532	GoToResolveProcessChecker.exe
4896	GoToResolveUnattended.exe
4896	GoToResolveUnattended.exe
4896	GoToResolveUnattended.exe
4896	GoToResolveUnattended.exe
4896	GoToResolveUnattended.exe
4896	GoToResolveUnattended.exe
4896	GoToResolveUnattended.exe
4896	GoToResolveUnattended.exe
4896	GoToResolveUnattended.exe
4896	GoToResolveUnattended.exe
4896	GoToResolveUnattended.exe
4896	GoToResolveUnattended.exe
4896	GoToResolveUnattended.exe
4896	GoToResolveUnattended.exe
4896	GoToResolveUnattended.exe
4896	GoToResolveUnattended.exe
4896	GoToResolveUnattended.exe
4896	GoToResolveUnattended.exe
4896	GoToResolveUnattended.exe
4896	GoToResolveUnattended.exe
4896	GoToResolveUnattended.exe
4896	GoToResolveUnattended.exe
4892	GoToResolveQuickView.exe
4892	GoToResolveQuickView.exe
4892	GoToResolveQuickView.exe
4892	GoToResolveQuickView.exe
4892	GoToResolveQuickView.exe
4892	GoToResolveQuickView.exe
4892	GoToResolveQuickView.exe
4892	GoToResolveQuickView.exe
3532	GoToResolveProcessChecker.exe
3532	GoToResolveProcessChecker.exe
4896	GoToResolveUnattended.exe
4896	GoToResolveUnattended.exe
4896	GoToResolveUnattended.exe
4896	GoToResolveUnattended.exe
4896	GoToResolveUnattended.exe
4896	GoToResolveUnattended.exe
4896	GoToResolveUnattended.exe
4896	GoToResolveUnattended.exe
4896	GoToResolveUnattended.exe
4896	GoToResolveUnattended.exe
4896	GoToResolveUnattended.exe
4896	GoToResolveUnattended.exe
3532	GoToResolveProcessChecker.exe
3532	GoToResolveProcessChecker.exe
3532	GoToResolveProcessChecker.exe
3532	GoToResolveProcessChecker.exe
3532	GoToResolveProcessChecker.exe
3532	GoToResolveProcessChecker.exe
3532	GoToResolveProcessChecker.exe
3532	GoToResolveProcessChecker.exe
3532	GoToResolveProcessChecker.exe
3532	GoToResolveProcessChecker.exe
4896	GoToResolveUnattended.exe
4896	GoToResolveUnattended.exe
4896	GoToResolveUnattended.exe
4896	GoToResolveUnattended.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1504	GoToResolveUnattended.exe
Token: SeCreatePagefilePrivilege	1504	GoToResolveUnattended.exe
Token: SeShutdownPrivilege	1488	GoToResolveProcessChecker.exe
Token: SeCreatePagefilePrivilege	1488	GoToResolveProcessChecker.exe
Token: SeShutdownPrivilege	3532	GoToResolveProcessChecker.exe
Token: SeCreatePagefilePrivilege	3532	GoToResolveProcessChecker.exe
Token: SeShutdownPrivilege	3532	GoToResolveProcessChecker.exe
Token: SeCreatePagefilePrivilege	3532	GoToResolveProcessChecker.exe
Token: SeShutdownPrivilege	4896	GoToResolveUnattended.exe
Token: SeCreatePagefilePrivilege	4896	GoToResolveUnattended.exe
Token: SeShutdownPrivilege	4956	GoToResolveTerminal.exe
Token: SeCreatePagefilePrivilege	4956	GoToResolveTerminal.exe
Token: SeAuditPrivilege	4232	svchost.exe
Token: SeSecurityPrivilege	4232	svchost.exe
Token: SeShutdownPrivilege	396	GoToResolveFileManager.exe
Token: SeCreatePagefilePrivilege	396	GoToResolveFileManager.exe
Token: SeShutdownPrivilege	4892	GoToResolveQuickView.exe
Token: SeCreatePagefilePrivilege	4892	GoToResolveQuickView.exe
Token: SeDebugPrivilege	2548	GoTo.Resolve.DeviceData.App.exe
Token: SeDebugPrivilege	2828	GoTo.Resolve.Alerts.Monitor.App.exe
Token: SeDebugPrivilege	804	GoTo.Resolve.PatchManagement.Client.exe
Token: SeDebugPrivilege	4312	RemoteExecution.Runner.exe
Token: SeDebugPrivilege	1756	GoTo.Resolve.Alerts.Monitor.App.exe
Token: SeDebugPrivilege	768	GoTo.Resolve.Antivirus.App.exe
Token: SeDebugPrivilege	1664	GoTo.Resolve.Antivirus.App.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4220 wrote to memory of 1504	4220	39e246d194e4a5ade27a08d4a925dbff009fa8b66963c05f18712c1472e24a81.exe	87
PID 4220 wrote to memory of 1504	4220	39e246d194e4a5ade27a08d4a925dbff009fa8b66963c05f18712c1472e24a81.exe	87
PID 4220 wrote to memory of 1504	4220	39e246d194e4a5ade27a08d4a925dbff009fa8b66963c05f18712c1472e24a81.exe	87
PID 4220 wrote to memory of 4932	4220	39e246d194e4a5ade27a08d4a925dbff009fa8b66963c05f18712c1472e24a81.exe	88
PID 4220 wrote to memory of 4932	4220	39e246d194e4a5ade27a08d4a925dbff009fa8b66963c05f18712c1472e24a81.exe	88
PID 4220 wrote to memory of 2812	4220	39e246d194e4a5ade27a08d4a925dbff009fa8b66963c05f18712c1472e24a81.exe	89
PID 4220 wrote to memory of 2812	4220	39e246d194e4a5ade27a08d4a925dbff009fa8b66963c05f18712c1472e24a81.exe	89
PID 4220 wrote to memory of 2812	4220	39e246d194e4a5ade27a08d4a925dbff009fa8b66963c05f18712c1472e24a81.exe	89
PID 1504 wrote to memory of 1488	1504	GoToResolveUnattended.exe	91
PID 1504 wrote to memory of 1488	1504	GoToResolveUnattended.exe	91
PID 1504 wrote to memory of 1488	1504	GoToResolveUnattended.exe	91
PID 3532 wrote to memory of 4896	3532	GoToResolveProcessChecker.exe	95
PID 3532 wrote to memory of 4896	3532	GoToResolveProcessChecker.exe	95
PID 3532 wrote to memory of 4896	3532	GoToResolveProcessChecker.exe	95
PID 4896 wrote to memory of 1088	4896	GoToResolveUnattended.exe	97
PID 4896 wrote to memory of 1088	4896	GoToResolveUnattended.exe	97
PID 4896 wrote to memory of 1088	4896	GoToResolveUnattended.exe	97
PID 4896 wrote to memory of 4600	4896	GoToResolveUnattended.exe	96
PID 4896 wrote to memory of 4600	4896	GoToResolveUnattended.exe	96
PID 4896 wrote to memory of 4600	4896	GoToResolveUnattended.exe	96
PID 4600 wrote to memory of 1584	4600	GoToResolveLoggerProcess.exe	98
PID 4600 wrote to memory of 1584	4600	GoToResolveLoggerProcess.exe	98
PID 4600 wrote to memory of 1584	4600	GoToResolveLoggerProcess.exe	98
PID 4896 wrote to memory of 396	4896	GoToResolveUnattended.exe	100
PID 4896 wrote to memory of 396	4896	GoToResolveUnattended.exe	100
PID 4896 wrote to memory of 396	4896	GoToResolveUnattended.exe	100
PID 4896 wrote to memory of 4892	4896	GoToResolveUnattended.exe	101
PID 4896 wrote to memory of 4892	4896	GoToResolveUnattended.exe	101
PID 4896 wrote to memory of 4892	4896	GoToResolveUnattended.exe	101
PID 4896 wrote to memory of 4956	4896	GoToResolveUnattended.exe	102
PID 4896 wrote to memory of 4956	4896	GoToResolveUnattended.exe	102
PID 4896 wrote to memory of 4956	4896	GoToResolveUnattended.exe	102
PID 4232 wrote to memory of 1980	4232	svchost.exe	104
PID 4232 wrote to memory of 1980	4232	svchost.exe	104
PID 4956 wrote to memory of 3704	4956	GoToResolveTerminal.exe	105
PID 4956 wrote to memory of 3704	4956	GoToResolveTerminal.exe	105
PID 4956 wrote to memory of 3704	4956	GoToResolveTerminal.exe	105
PID 396 wrote to memory of 4964	396	GoToResolveFileManager.exe	106
PID 396 wrote to memory of 4964	396	GoToResolveFileManager.exe	106
PID 396 wrote to memory of 4964	396	GoToResolveFileManager.exe	106
PID 2812 wrote to memory of 2756	2812	cmd.exe	107
PID 2812 wrote to memory of 2756	2812	cmd.exe	107
PID 2812 wrote to memory of 2756	2812	cmd.exe	107
PID 2812 wrote to memory of 4228	2812	cmd.exe	111
PID 2812 wrote to memory of 4228	2812	cmd.exe	111
PID 2812 wrote to memory of 4228	2812	cmd.exe	111
PID 4896 wrote to memory of 2548	4896	GoToResolveUnattended.exe	118
PID 4896 wrote to memory of 2548	4896	GoToResolveUnattended.exe	118
PID 4896 wrote to memory of 2828	4896	GoToResolveUnattended.exe	120
PID 4896 wrote to memory of 2828	4896	GoToResolveUnattended.exe	120
PID 4896 wrote to memory of 4312	4896	GoToResolveUnattended.exe	122
PID 4896 wrote to memory of 4312	4896	GoToResolveUnattended.exe	122
PID 4896 wrote to memory of 804	4896	GoToResolveUnattended.exe	123
PID 4896 wrote to memory of 804	4896	GoToResolveUnattended.exe	123
PID 4896 wrote to memory of 1756	4896	GoToResolveUnattended.exe	127
PID 4896 wrote to memory of 1756	4896	GoToResolveUnattended.exe	127
PID 4896 wrote to memory of 768	4896	GoToResolveUnattended.exe	128
PID 4896 wrote to memory of 768	4896	GoToResolveUnattended.exe	128
PID 804 wrote to memory of 3232	804	GoTo.Resolve.PatchManagement.Client.exe	131
PID 804 wrote to memory of 3232	804	GoTo.Resolve.PatchManagement.Client.exe	131
PID 804 wrote to memory of 1956	804	GoTo.Resolve.PatchManagement.Client.exe	132
PID 804 wrote to memory of 1956	804	GoTo.Resolve.PatchManagement.Client.exe	132
PID 4896 wrote to memory of 1664	4896	GoToResolveUnattended.exe	137
PID 4896 wrote to memory of 1664	4896	GoToResolveUnattended.exe	137

C:\Users\Admin\AppData\Local\Temp\39e246d194e4a5ade27a08d4a925dbff009fa8b66963c05f18712c1472e24a81.exe
"C:\Users\Admin\AppData\Local\Temp\39e246d194e4a5ade27a08d4a925dbff009fa8b66963c05f18712c1472e24a81.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4220
- C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\GoToResolveUnattended.exe
  "C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\GoToResolveUnattended.exe" -regsvc
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks system information in the registry
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1504
- - C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\GoToResolveProcessChecker.exe
    "C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\GoToResolveProcessChecker.exe" -regsvc -expectadmin -starterpid 1504 -WorkFolder "C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572" -ApplicationType 4
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:1488
- C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\GoToResolveTools64.exe
  "C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\GoToResolveTools64.exe" -InstallVDD
  2⤵
  - Executes dropped EXE
  - Checks system information in the registry
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  PID:4932
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /S /C ""C:\Users\Admin\AppData\Local\Temp\39e246d194e4a5ade27a08d4a925dbff009fa8b66963c05f18712c1472e24a81.exe.cmd" "C:\Users\Admin\AppData\Local\Temp\39e246d194e4a5ade27a08d4a925dbff009fa8b66963c05f18712c1472e24a81.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2812
- - C:\Windows\SysWOW64\timeout.exe
    timeout /T 3
    3⤵
    - Delays execution with timeout.exe
    PID:2756
- - C:\Windows\SysWOW64\timeout.exe
    timeout /T 3
    3⤵
    - Delays execution with timeout.exe
    PID:4228

C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\GoToResolveProcessChecker.exe
"C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\GoToResolveProcessChecker.exe" -Service -WorkFolder "C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572" -ApplicationType "4"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3532
- C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\GoToResolveUnattended.exe
  "C:/Program Files (x86)/GoTo Resolve Unattended/1937918270322737572/GoToResolveUnattended.exe" "-RegisteredProcess" "1" "-ParentProcessId" "3532" "-WtsStartingUsername" "-ServiceName" "GoToResolve_1937918270322737572" "-Service"
  2⤵
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Registers COM server for autorun
  - Checks system information in the registry
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4896
- - C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\GoToResolveLoggerProcess.exe
    GoToResolveLoggerProcess.exe -ParentProcessId 4896 -CompanyId 1937918270322737572 -InstallationId MMfJME8PUa -MonitoringUrl https://dumpster.console.gotoresolve.com -HostId 081ad3cce019e849dce362eb0b187071 -LogLevel 2 -MonitoringApiKey cnl6269ktie1dcpmz8y2ddxhjhhgi0nebxwpr4a3c71lbfwnubk2w7l7c6evabi3 -SessionType Unattended
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies data under HKEY_USERS
    - Suspicious use of WriteProcessMemory
    PID:4600
  - - C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\GoToResolveCrashHandler.exe
      "C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\GoToResolveCrashHandler.exe" "--attachment=attachment_GoToResolveLoggerProcess.log=C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\appdata\GoToResolveLoggerProcess.log" "--attachment=attachment_logger.json=C:/Program Files (x86)/GoTo Resolve Unattended/1937918270322737572\logger.json" "--database=C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\appdata\LoggerProcessCrashReportDB" "--metrics-dir=C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\appdata\LoggerProcessCrashReportDB" --url=https://dumpster.console.gotoresolve.com/api/dump --annotation=format=minidump --annotation=hostname=Objiyuie --annotation=installationid=MMfJME8PUa --annotation=version=1.15.2.3338 --initial-client-data=0x4d0,0x4d4,0x4d8,0x4a4,0x4dc,0x7502e09c,0x7502e0ac,0x7502e0bc
      4⤵
      Executes dropped EXE
      PID:1584
- - C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\GoToResolveCrashHandler.exe
    "C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\GoToResolveCrashHandler.exe" "--attachment=attachment_GoToResolveUnattended.log=C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\appdata\GoToResolveUnattended.log" "--attachment=attachment_unattended.json=C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\unattended.json" "--database=C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\appdata\UnattendedCrashReportDB" "--metrics-dir=C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\appdata\UnattendedCrashReportDB" --url=https://dumpster.console.gotoresolve.com/api/dump --annotation=format=minidump --annotation=hostname=Objiyuie --annotation=installationid=MMfJME8PUa --annotation=version=1.15.2.3338 --initial-client-data=0x568,0x56c,0x570,0x544,0x574,0x7502e09c,0x7502e0ac,0x7502e0bc
    3⤵
    - Executes dropped EXE
    PID:1088
- - C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\GoToResolveFileManager.exe
    GoToResolveFileManager.exe -CompanyId 1937918270322737572 -InstallationId MMfJME8PUa -LogLevel 2 -MonitoringUrl https://dumpster.console.gotoresolve.com
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:396
  - - C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\GoToResolveCrashHandler.exe
      "C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\GoToResolveCrashHandler.exe" "--database=C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\appdata\FileManagerCrashReportDB" "--metrics-dir=C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\appdata\FileManagerCrashReportDB" --url=https://dumpster.console.gotoresolve.com/api/dump --annotation=format=minidump --annotation=hostname=Objiyuie --annotation=installationid=MMfJME8PUa --annotation=version=1.15.2.3338 --initial-client-data=0x5f0,0x5f4,0x5f8,0x5c4,0x5fc,0x7502e09c,0x7502e0ac,0x7502e0bc
      4⤵
      Executes dropped EXE
      PID:4964
- - C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\GoToResolveQuickView.exe
    GoToResolveQuickView.exe -InstallationId MMfJME8PUa -LogLevel 2
    3⤵
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks system information in the registry
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4892
- - C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\GoToResolveTerminal.exe
    GoToResolveTerminal.exe -CompanyId 1937918270322737572 -InstallationId MMfJME8PUa -LogLevel 2 -MonitoringUrl https://dumpster.console.gotoresolve.com
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4956
  - - C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\GoToResolveCrashHandler.exe
      "C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\GoToResolveCrashHandler.exe" "--database=C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\appdata\TerminalCrashReportDB" "--metrics-dir=C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\appdata\TerminalCrashReportDB" --url=https://dumpster.console.gotoresolve.com/api/dump --annotation=format=minidump --annotation=hostname=Objiyuie --annotation=installationid=MMfJME8PUa --annotation=version=1.15.2.3338 --initial-client-data=0x5f0,0x5f4,0x5f8,0x5c4,0x5fc,0x7502e09c,0x7502e0ac,0x7502e0bc
      4⤵
      Executes dropped EXE
      PID:3704
- - C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\DeviceDataModule\1.71.0\GoTo.Resolve.DeviceData.App.exe
    "C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\DeviceDataModule\1.71.0\GoTo.Resolve.DeviceData.App.exe" --Credentials:CompanyId 1937918270322737572 --Credentials:HostId syn-prd-ava-unattended-3e5ed0ea-763f-442b-b33d-60ffd6847cbd --Communication:IpcFolderPath "C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\DeviceDataModule\IPC" --Authentication:TokenFilePath "C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\token.txt" --ZeroTrust:ReferencePublicKeyHash 79297ed57ba94f2dde0d121e431d4ed4d8f143a35e3f89ed9b9c2fc1c3015ae8 --Native:Version 1.15.2.3338
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
    PID:2548
- - C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\AlertsModule\1.2024.0430.2\GoTo.Resolve.Alerts.Monitor.App.exe
    "C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\AlertsModule\1.2024.0430.2\GoTo.Resolve.Alerts.Monitor.App.exe" --Credentials:CompanyId 1937918270322737572 --Credentials:HostId syn-prd-ava-unattended-3e5ed0ea-763f-442b-b33d-60ffd6847cbd --Communication:IpcFolderPath "C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\AlertsModule\IPC" --Authentication:TokenFilePath "C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\token.txt" --ZeroTrust:ReferencePublicKeyHash 79297ed57ba94f2dde0d121e431d4ed4d8f143a35e3f89ed9b9c2fc1c3015ae8 --Native:Version 1.15.2.3338
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    PID:2828
- - C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\RemoteExecutionModule\1.2024.0506.1\RemoteExecution.Runner.exe
    "C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\RemoteExecutionModule\1.2024.0506.1\RemoteExecution.Runner.exe" --Credentials:CompanyId 1937918270322737572 --Credentials:HostId syn-prd-ava-unattended-3e5ed0ea-763f-442b-b33d-60ffd6847cbd --Communication:IpcFolderPath "C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\RemoteExecutionModule\IPC" --Authentication:TokenFilePath "C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\token.txt" --ZeroTrust:ReferencePublicKeyHash 79297ed57ba94f2dde0d121e431d4ed4d8f143a35e3f89ed9b9c2fc1c3015ae8 --Native:Version 1.15.2.3338
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    PID:4312
- - C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\PatchManagementModule\1.2024.0507.5\GoTo.Resolve.PatchManagement.Client.exe
    "C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\PatchManagementModule\1.2024.0507.5\GoTo.Resolve.PatchManagement.Client.exe" --Credentials:CompanyId 1937918270322737572 --Credentials:HostId syn-prd-ava-unattended-3e5ed0ea-763f-442b-b33d-60ffd6847cbd --Communication:IpcFolderPath "C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\PatchManagementModule\IPC" --Authentication:TokenFilePath "C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\token.txt" --ZeroTrust:ReferencePublicKeyHash 79297ed57ba94f2dde0d121e431d4ed4d8f143a35e3f89ed9b9c2fc1c3015ae8 --Native:Version 1.15.2.3338
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:804
  - - C:\Windows\SYSTEM32\where.exe
      "where" -r "C:\Program Files\WindowsApps" Winget.exe
      4⤵
      PID:3232
  - - C:\Windows\SYSTEM32\where.exe
      "where" -r "C:\Program Files\WindowsApps" AppInstallerCLI.exe
      4⤵
      PID:1956
- - C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\AlertsModule\1.2024.0430.2\GoTo.Resolve.Alerts.Monitor.App.exe
    "C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\AlertsModule\1.2024.0430.2\GoTo.Resolve.Alerts.Monitor.App.exe" --Credentials:CompanyId 1937918270322737572 --Credentials:HostId syn-prd-ava-unattended-3e5ed0ea-763f-442b-b33d-60ffd6847cbd --Communication:IpcFolderPath "C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\AlertsModule\IPC" --Authentication:TokenFilePath "C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\token.txt" --ZeroTrust:ReferencePublicKeyHash 79297ed57ba94f2dde0d121e431d4ed4d8f143a35e3f89ed9b9c2fc1c3015ae8 --Native:Version 1.15.2.3338
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    PID:1756
- - C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\AntivirusModule\1.2024.0411.2\GoTo.Resolve.Antivirus.App.exe
    "C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\AntivirusModule\1.2024.0411.2\GoTo.Resolve.Antivirus.App.exe" --Credentials:CompanyId 1937918270322737572 --Credentials:HostId syn-prd-ava-unattended-3e5ed0ea-763f-442b-b33d-60ffd6847cbd --Communication:IpcFolderPath "C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\AntivirusModule\IPC" --Authentication:TokenFilePath "C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\token.txt" --ZeroTrust:ReferencePublicKeyHash 79297ed57ba94f2dde0d121e431d4ed4d8f143a35e3f89ed9b9c2fc1c3015ae8 --Native:Version 1.15.2.3338
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    PID:768
- - C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\AntivirusModule\1.2024.0411.2\GoTo.Resolve.Antivirus.App.exe
    "C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\AntivirusModule\1.2024.0411.2\GoTo.Resolve.Antivirus.App.exe" --Credentials:CompanyId 1937918270322737572 --Credentials:HostId syn-prd-ava-unattended-3e5ed0ea-763f-442b-b33d-60ffd6847cbd --Communication:IpcFolderPath "C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\AntivirusModule\IPC" --Authentication:TokenFilePath "C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\token.txt" --ZeroTrust:ReferencePublicKeyHash 79297ed57ba94f2dde0d121e431d4ed4d8f143a35e3f89ed9b9c2fc1c3015ae8 --Native:Version 1.15.2.3338
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
    PID:1664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4232
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{bed90794-43cf-2c47-b32e-4003563ce77c}\g2rvdd.inf" "9" "415529917" "0000000000000148" "WinSta0\Default" "0000000000000158" "208" "C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\x64"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:1980

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start GoToResolve_1937918270322737572
1⤵
- Launches sc.exe
PID:4672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\GOTORE~1\193791~1\x64\g2rvdd.dll

Filesize
141KB

MD5
e00f914a13981678cc130f7c65807f03

SHA1
0a00739f6f2b1c57946fc09f084deb5bd3d9e342

SHA256
484300ed3462124e23f42433678f8110aaebeec2da6b82e97fcd10ba2e60a0b8

SHA512
ec278c9d1dc3c066a2a1abd16a4d0f92142941916e0259d0787b7b3146979fba99e273bbbb2fc01fbab79f273d15892434e2685bc2badf4bbb48928d7e89f53c

Download Submit
C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\FileManager.dll

Filesize
16.1MB

MD5
d3fa69a91fe17f9c4523d8fad2992f78

SHA1
d2a353b94ba3d718a489af7fe72cc858b74fe87e

SHA256
94df392a600acb29ff711f164073c1c80bbcf270dcc5a4cd8cba8e762b1ae40f

SHA512
cf2b0898bbf783e49112c61a7373c896856c5e5777d229b791804b29ab288f7613c5a67f4ebf38389d9b9c2100b88e93489a8d8aae68b090d9c7d6283d647e86

Download Submit
C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\GoToResolveCrashHandler.exe

Filesize
1.1MB

MD5
c6e96dd2f500e4b3cedf7e627015e032

SHA1
35ea9753ca13c92971eff137c1cee613c0e93cab

SHA256
2b4556e9c709e1da52cab89aa754fab86c7bb5265e63850dc133dc4ca387fc70

SHA512
06e557d87fed5a1ff9d5d6a520429f6dc6d97e3f2952524ce30af5c25b017d39c15ce189092d0a9234c827510a07020cd31b9d172d60a8fdae6ad3f430b6339d

Download Submit
C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\GoToResolveFileManager.exe

Filesize
109KB

MD5
62912afba6014da200e40c49f685f084

SHA1
38e4bd808305bf4b41c10da91daea49587743e32

SHA256
b2fc90c66d76aa33da449039e6ea5f66b43880b3ef86e7ae263e1e113f7c3296

SHA512
351938c08a92b663727ffb3b2f4a3377104013b3680f7ccd60394463c3b8992ea0e6115ebe847e0cfd9dba942c219af51de334204b2afdcc663a15901a81603f

Download Submit
C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\GoToResolveLoggerProcess.exe

Filesize
109KB

MD5
d319e53da0d6ea80140611a19dd6c468

SHA1
e47768dbad5bc1bf81bd9f135c9d7a4f62de4573

SHA256
dc21f66e9dd2ca56504c3dcc02862117f2da94f212b289d3b09349bc59f57a25

SHA512
092617eb831cde6da475a759f9962c94ca70b78905f892a3a798a21cfe8d1e8e50d72dd0d2cdc89949a5f81e6a5d85b1597712112934a3ffab271b750089e32b

Download Submit
C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\GoToResolveProcessChecker.exe

Filesize
107KB

MD5
5145ef194fdd47be876847e9b9534cdc

SHA1
34711371a01494b7432528821c75bd5fcfe851a4

SHA256
34e6f7d1fd0aa8b20cb8cac184b8ecd90c157ccc62e38568699efa10c411c7ea

SHA512
7e5fdaea1bb2501bc52801c11f36bbd6d165282eb920cddaba59a5c5999be57032a5e9f2b5196f54b300c51ae99381e7e1c831fa73422e0065174385a3ef6757

Download Submit
C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\GoToResolveTools64.exe

Filesize
1.3MB

MD5
c3d3d6a881753584b29d60f4c5b6a965

SHA1
0952c70ea06b932a6c20cf8af10d3aa281880b7c

SHA256
f36b1c32a5fa8969422d99042287685634bb8d85c9643100032e9df5744dd39e

SHA512
5d1ebc3603690d1534d0624ffb73f947d1afe48f407540e07810df89ab737b47a1728a1829f9207be26bf03c2da3e7097ab8aedf31b212fc25ffe2ed632edcbf

Download Submit
C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\GoToResolveUnattended.exe

Filesize
109KB

MD5
0e688254065af78d95a3fdf159ab8d86

SHA1
e1178f76ea31e1009f631ca0f0b948807392faa9

SHA256
1b6fc8321728fccd3a9a0f88f51ab115f0c6d227d644b948d9d0b58d1123c923

SHA512
71efb2e36026fd859522c593662ac7f607ad639027c0fa6cc2f4fc9e0c0bc9156ca4e90448f3e2795d693bad0d337b28147bea33747687524da70e598ddb430c

Download Submit
C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\LibGoToResolve.dll

Filesize
19.7MB

MD5
c2b7eec9b082f83609d40a977c980c09

SHA1
e68345a8387c9644e1cc695ea1f8273e2911c63b

SHA256
1f13a2911d6cad19314f330bab9a57d81c8323575fdc7182e1c2eb6f844ba89b

SHA512
e0032b2acd49f20def25e799c39c7d9648e55250fb851c64b7a52b29aecfb5a3f8a83ded6963e221d16259b0e064504f92f1991a53c1e6a1a01044136e53de4e

Download Submit
C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\MediaClientLib.dll

Filesize
13.9MB

MD5
12c3b59bbafa6ea8d0d3209e70ad39c2

SHA1
7f699dd519c20ecf8bf24947d03868c580913b39

SHA256
c132232018896ba3f84ff37a1ece4a7a58eef08afecf495fc31176b276b000bb

SHA512
55ebe552343ef28939d427f32e5ed98d11d734a65e050917e918efdf400806bbf809d8fc77beb48b6d2f4f5c7961f0c2c8a728691c4f217427578476bf64b10f

Download Submit
C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\PasswordPrivacyDll.dll

Filesize
1.1MB

MD5
7a5ddf82d45f1060ac2386bf4ba89dd3

SHA1
ca26ead1e092c6612d7393873854ba0a257ae832

SHA256
95743c6c9d2f626fa66c3b95e2b3c003313089f653681c82c1e9c214ddd2778d

SHA512
5ad98d4985d36d6259027374c600913a5729635c71453c6191510ac1c4f3b9b732c6436eb49b9c0ddb2af753b08c699c1ca6c26c151cf52fce9cdb2b5a77bd5d

Download Submit
C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\appdata\GoToResolveProcessChecker.log

Filesize
8KB

MD5
79456338a02f15328056b59bf6322111

SHA1
12666dcf5d3722d728aaa61ddb7fd2c7759b8c82

SHA256
c8b0b0cc6c2dfee2a4b89b8f2156c2fe12a7373e50f1160566656129a8cce691

SHA512
da9358cfa90f35ec645797e9e5888e4fa29ef69265e371f533fa0afd9e658295956ba0e831a15af3d52bb4203d99629b2d1432b30d6f25684f151bf7ace6ec30

Download Submit
C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\appdata\GoToResolveUnattended.log

Filesize
29KB

MD5
909f9a7d06f5d785c90c6bc5266b3a01

SHA1
ac74e5a338e58c744310a3df0c2ad6942ba1f2e1

SHA256
663654993fcbb857ef4e9b02a29ef412d1f41463133052d21638fb5aa9495dac

SHA512
0840c00313bb95ca243111d95583eadf378fa8f8afb2dd88ff8aa9e09449dbadef87bf11a4dffdccbba7c88d0cb78777f85d64f72322465ca42d946284955774

Download Submit
C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\AlertsModule\1.2024.0430.2\logs\2024-05-16.log

Filesize
4KB

MD5
0354cce08685b9e9fb9e4e66b70dc3a5

SHA1
00639ddb4c0c1fe68d0a115983298526b96aef87

SHA256
4d811296a07faab494bfbec17370e2e5cffef3830841e5cf440be90c22ba5788

SHA512
84ac938a3a1796e99e42a766131a71584f3cca4dcc43cd734d7814ad55a7553be407eed063f83dd692f1cd8fbce5d2428a2764bb9d3529f8ca28f01dd2370f87

Download Submit
C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\AlertsModule\1.2024.0430.2\logs\2024-05-16.log

Filesize
1KB

MD5
30016934851d6c2070a7c697b5004bf5

SHA1
9d6bba656ccb22a5f44c3128673cfb6687977738

SHA256
f19d3f123ee77b34e9d4f84709e4105df45ea66eaa3445e085e95af953c778c8

SHA512
a26d7400e9f0f7f494968d673d8dba7d40d8c119a2cefe0d9e1c0d671dde096f6f1abf5362ef46286f07054575e50ff28100087a946553c96cb08b1885980f16

Download Submit
C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\AntivirusModule\1.2024.0411.2\GoTo.Resolve.Antivirus.App.exe

Filesize
161KB

MD5
0ee709e29bad3bf3677eb380ae9fe100

SHA1
655d7ae9fbce8f5ec9fb1ebbf1edd34a7fcb0501

SHA256
7680070e0ba04e4219943cf513cdb004cd20aa5fcccf9644b8caa1cdf9a3f4fc

SHA512
5e0fabb74c25864f5fc6f2fd44aa0ed1337745c66246ae3e48d6ec0c1a1d18b718fc9e2d3d34cae974434a8f8625de9ff6615e6d4c8a55b0132ffbf6b0f469d7

Download Submit
C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\DeviceDataModule\1.71.0\GoTo.Resolve.DeviceData.App.exe

Filesize
11.5MB

MD5
5c76b75ea22c81a9224456f77ab1175f

SHA1
b681216752e17148d341390d1c778e4c5ba33364

SHA256
0bc404e30bdad9be1d7ed633adc054800f2e7e757e6414795136c0a896b0bb87

SHA512
a18172f9ba6f6ee62c64cd4f506791c9592436a7cd9f06710794e86a26748bd6d51406420cfc89474fe0c1375e56f3ce1ccc834cd1799a5cc7decadcf63eef0a

Download Submit
C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\externalmodules\RemoteExecutionModule\1.2024.0506.1\RemoteExecution.Runner.exe

Filesize
164KB

MD5
840ed278c7882f3b877df906937aa3c5

SHA1
0262be6cd5f1596e5b54ecc910efd6e277920c03

SHA256
8f70badc067ff6e828d6afccaead174a7623a8ef89c1c81a614f5fa8648f1019

SHA512
2e2ae3b5ba9b9394f386c2243da93ad3f7f35102f50be2206bf06cd48401bb8de5e1fb4ab18b29fa53ad8530474fdef3490df98aca7bc3ba2295485b911630c2

Download Submit
C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\libcrypto-3.dll

Filesize
4.2MB

MD5
dc2bd7e6e6a3b528424410af077ba2a7

SHA1
aa891f61820e7c6d0ed35989a595af77f4b7203b

SHA256
e852018ec59efbe2dc2e32c064f35ee68171417d8c5bc5ba319609555dde2bc6

SHA512
a96f57f5d0272f8ba4ccb1b184289f0caeace54d001f641622fe38892fa9d0f6781808cf5a585d77fc75c356bb90c03a062b2fb17b09a29e20b0264b12c8358f

Download Submit
C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\libssl-3.dll

Filesize
1.1MB

MD5
4f19c36b09b820d9371d8b6510497475

SHA1
03b8ee682eeac39e120aac474a54344c2b391150

SHA256
11598140036154dcd8ccd5619ac059aea4012cf9a4535ffa7c9b2f0ae405906d

SHA512
8ed2ee897c54abf13beae299902018861c4bc30a1ce5d14a64129af3856a3d2e5829eb060a99f7ea7bb894966e21a2d5eec473323883c865c0caed9de832d1b6

Download Submit
C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\logger.json.tmp

Filesize
375B

MD5
60fe6c758548ab263951145da28e8434

SHA1
64402d6630d040a5da12184d62020a76c09c4308

SHA256
8c15b4cc110ebb9250d811bd21dc02be201c6e7e536b3ba546d81c82504edd76

SHA512
49b4a71ff8a3dbd7346f8fa35580f2259c868f56ec26a5ed00299b00f9b4fa8b8bb64f5dce4e59394ba9a5c518582a426a6004007765d5d39854c8b370426adc

Download Submit
C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\mandatory.json

Filesize
74B

MD5
f50767df127a399996304f5a1259653a

SHA1
0a03f644be27865e0031b235ca6a21353e265ed7

SHA256
afc6a427fd31151d995e93e66edd9138df27dc88580b03b12d8a8012c481f3bd

SHA512
29898528d9047d2689de8be7938662c0e80c5161c20fcb9fa9135378b2c2193c6185cd560148f3fd7100824f7f43265434d9982c1b85933f3d00490804c7853e

Download Submit
C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\mandatory.json.tmp

Filesize
1KB

MD5
91b5dc7a02fc3d30801d0b32074c5fe4

SHA1
c0c670e03a8cb77f34fff695503ef1f8caeb378c

SHA256
d626426cd816c31cec9fdc64cf2ef7d79a5bfa816f349b4666ba08f36a7f573b

SHA512
e8f137892ec0604a45e79d3b3c9b35e9850d8f36867166d8b38ce68e3eafa9bc47ac254bd23d28d0bcb5f2038c3aba03b1e9c9b26d6f8e76240973acd24c0617

Download Submit
C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\unattended.json

Filesize
582B

MD5
c5b571903e37d2b955cd21f584471ed3

SHA1
267332217a876f04c16e8b92141fa8321dd6fc74

SHA256
f967768b99cebe2225ef1c41d9ee31c21f9014f87f29cf30c487b448aa074dfa

SHA512
e849d1bfceaa9450505c27119ec407d19b017a3748d907c73fcb915b46fbf7b1bb75c85be066d8898cdbda0d942389c965f2102522cd049211269f4ba4cdac3a

Download Submit
C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\unattended.json.tmp

Filesize
703B

MD5
49271953cc7e7b5b920c292bd93026c1

SHA1
bddb772d4c859a56bea173c61023f973600d4bd8

SHA256
19eb67cc4ed0b294ba19f7ff2ab3c3f616cb05f27b9d6b87071fa52b9754b8ef

SHA512
d8e74aaf6eb247b64f2881711cd15d490a21373a197142aa9edb6593fed1d39b44e38c7783621b47b56b78861920dba720d311ad601150905f2365544acbf224

Download Submit
C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\unattended.json.tmp

Filesize
1KB

MD5
a1f360682341d2b275f72960711eec2a

SHA1
260a695a9c81784a635b65c5c5a41a87272cf968

SHA256
5dc62a805c33a101370c6a12d927062e92752c32fc7a2f90ee15a4cb96b9617d

SHA512
9e9d1b53f0c3ad03c2e1f297b36d385671ccce01b71c866318c86d83e9969e05543717c92c47eef9b8058ed0998f50a6a03341b80f46976b7c81f02254af42fb

Download Submit
C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\unattended.json.tmp

Filesize
1KB

MD5
f04525148fcd222fddfc876734dfb017

SHA1
fe2c657e820f2111a5e9feb51ba96a2128ffb3af

SHA256
3629ad46423b8150a6ec21c1412f958c8331f4e2bf01c49ec8f224a5df5cd1c3

SHA512
ea08b2f9f459e42c22970123a45d511fb38900d13b414e7013a24a14eaad26796ef9fe76836c9290a9898d4b553c07520e8acbcabe24cd0031f3796f778b61b1

Download Submit
C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\unattended.json.tmp

Filesize
1KB

MD5
e6464a2670a2caef554ffbdb459dcee8

SHA1
6424382cbf3909b17fc3b298da9eaf9418b5c885

SHA256
be9cc4edc8727a0656d1ceeca29030255b34e25fb6607770af920b558b5b6436

SHA512
f09aee2d45774ccc6074878db0f96fab8840307b624e03fb46bcf8c8e23b7214490f474f158c4da03136168caf7ddd70d0df11d7dc005646bef899546307ab8b

Download Submit
C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\unattended.json.tmp

Filesize
1KB

MD5
421d95aa876f95215ee8d000e88ff2c6

SHA1
d42911b7b360a172049242b8bbdd04ea9dfa00b3

SHA256
b9fe3ef599a8984d1e58ab10194d98c019115f82b80778c13edbebcd3a68c8fd

SHA512
7044a01940d6a76234618492945e93e178d6ede0088b340d3668e5c17c9d627cd4160b0eec334745be8b3755d5239f450e26417b207fd0ecab5b89a7e9b5a89d

Download Submit
C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\unattended.json.tmp

Filesize
1KB

MD5
44333f285d83e68c68d1d212ae8529fa

SHA1
b4f94c23b88ab9a4783a8d3f4d1837225a89de52

SHA256
25ed0f06e7769799d7160f98a893af3671dcbf359cde8685536891a29f33d7b0

SHA512
4e310b596e006549edb3977c6b5f49b5eea61221e3aae843006351d429851cb7ebc7b6483846711afb0d093c2789d02a61e3a0cff2b41f22238172962aa796fa

Download Submit
C:\Program Files (x86)\GoTo Resolve Unattended\1937918270322737572\x64\g2rvdd.inf

Filesize
3KB

MD5
79c299099a8f43e1a94047355ebdf1cc

SHA1
55ede099780c9e2dcc8cb3dd9006fbf098c8997b

SHA256
0a70026b5ac03d6c3c930c245fb992ad9c02192be607e62d27691909f331fe8d

SHA512
270c8600ed3c00aa6625bbd2c5777a19949773f8c58ddd560bf2d39fac2e9f5868ed633d60728e8d4a106d97a62d43056d818e1fea565198446c487a83342a7d

Download Submit
C:\Users\Admin\AppData\Local\GoTo Resolve Installer\GoTo0001.tmp\UnattendedUpdater.csv

Filesize
3KB

MD5
d93e12207e578337fbe0c13683924007

SHA1
f422b2e7f441f5aa97d64e121494b139149fcf8e

SHA256
a36b3611d0880ec92afd1a77c5835ca708b21dbf216c0748c47f6a6cfefc9f30

SHA512
b48e15b1e794d64a75900ab645c570d4e6e082c6375c1bd41c5015e195255e6f1329796714df9e3632ab9520570f041e44bdd5bef1d5747a83c416df090a4d16

Download Submit
C:\Windows\System32\DriverStore\Temp\{7df457cc-a637-f14a-8c8a-1ec7eeb0a973}\SET68DC.tmp

Filesize
10KB

MD5
8d2c58325f63af51d37693e7ffbdbc4d

SHA1
ea0507cdf4528faa174eb5883eb20b90363ed512

SHA256
6fe045e8a6ff18e27c6aceeeb7dbea3e5f3f25c3796d42f0d844b1b48f38c0be

SHA512
71ee9b93d70ace69344d9aeb582ab8110eeb5364cd0d593ecd95b2d57000114aac18f2496c160d2b761b0117c5e26d261d757b424fa6e57b91b98b75ac72dd62

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\ApplicationInsights\bf35fe7d15f2a58d930da8c8f390b78245b9136f9bb24b2713ab881c60fe52f1\hqb0dhos.4lq

Filesize
1B

MD5
93b885adfe0da089cdf634904fd59f71

SHA1
5ba93c9db0cff93f52b521d7420e43f6eda2784f

SHA256
6e340b9cffb37a989ca544e6bb780a2c78901d3fb33738768511a30617afa01d

SHA512
b8244d028981d693af7b456af8efa4cad63d282e19ff14942c246e50d9351d22704a802a71c3580b6370de4ceb293c324a8423342557d4e5c38438f0e36910ee

Download Submit