Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 24/08/2024, 23:34
Static task: static1

General
Target:
Size: 4.1MB
MD5: 4dd7bd5bc7ad5494b39c033290136207
SHA1: aeac40777f86c172d8872643c9c537f53cdf1f5d
SHA256: 30949949855ec60455a390a5f77ce7eaf52b3917a963a27ecc7dd1946862e852
SHA512: 483c6099e920c5b36cd052e59b331d720cebbbf242d190c1b5383b5a7a6327abfc45f2311f58332822d4ec6f726722cf4f16f1c61071d10307a9a6a32849df37
SSDEEP: 98304:0BZc4QcOiOqteN/+G5s5jmL0tipvHYzlgpwS+nqA5:IzOVq29mJmgw0gpwSa
Malware Config
Signatures

Reads user/profile data of web browsers  2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
resource | yara_rule
behavioral1/files/0x0008000000016db3-10.dat | upx
behavioral1/memory/2744-11-0x0000000000400000-0x000000000225E000-memory.dmp | upx
behavioral1/memory/2744-91-0x0000000000400000-0x000000000225E000-memory.dmp | upx
behavioral1/memory/2744-223-0x0000000000400000-0x000000000225E000-memory.dmp | upx
Checks whether UAC is enabled
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | MSIB8A7.tmp
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | g2ax_installer_customer.exe
Enumerates connected drives  3 TTPs  46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
Modifies WinLogon  2 TTPs  9 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GoToAssist Express Customer\Shutdown = "Shutdown" | g2ax_service.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GoToAssist Express Customer\DLLName = "C:\\Program Files (x86)\\GoToAssist Remote Support Customer\\1575\\g2ax_winlogonx64.dll" | g2ax_service.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GoToAssist Express Customer\Logoff = "Logoff" | g2ax_service.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GoToAssist Express Customer\Asynchronous = "0" | g2ax_service.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GoToAssist Express Customer\Startup = "Startup" | g2ax_service.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GoToAssist Express Customer | g2ax_service.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify | g2ax_service.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GoToAssist Express Customer\Logon = "Logon" | g2ax_service.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GoToAssist Express Customer\Impersonate = "0" | g2ax_service.exe
Drops file in System32 directory  4 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 | g2ax_comm_customer.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 | g2ax_comm_customer.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357 | g2ax_comm_customer.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357 | g2ax_comm_customer.exe
Checks installed software on the system  1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in Program Files directory  26 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_uninstaller_customer.exe | g2ax_installer_customer.exe
File created | C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_customer_resource_win32_x86_es.dll | g2ax_installer_customer.exe
File created | C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_customer_resource_win32_x86_fr.dll | g2ax_installer_customer.exe
File created | C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_customer_resource_win32_x86_it.dll | g2ax_installer_customer.exe
File created | C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_customer_resource_win32_x86_pt.dll | g2ax_installer_customer.exe
File created | C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_winlogonx64.dll | g2ax_installer_customer.exe
File created | C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_comm_customer.exe | g2ax_installer_customer.exe
File created | C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_credential_provider.dll | g2ax_installer_customer.exe
File created | C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_host.exe | g2ax_installer_customer.exe
File created | C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_customer_resource_win32_x86_de.dll | g2ax_installer_customer.exe
File created | C:\Program Files (x86)\_x_CInstB+TEST_x_0\_x_CInstB+TEST_x_0 | g2ax_installer_customer.exe
File created | C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_credential_provider64.dll | g2ax_installer_customer.exe
File opened for modification | C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\uninshlp.dll | g2ax_installer_customer.exe
File created | C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_combined_customer.dll | g2ax_installer_customer.exe
File created | C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_user_customer.exe | g2ax_installer_customer.exe
File created | C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_user_medium_customer.exe | g2ax_installer_customer.exe
File created | C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_customer_resource_win32_x86_en_US.dll | g2ax_installer_customer.exe
File created | C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\uninshlp.dll | g2ax_installer_customer.exe
File created | C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_service.exe | g2ax_installer_customer.exe
File created | C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_system_customer.exe | g2ax_installer_customer.exe
File created | C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_user_high_customer.exe | g2ax_installer_customer.exe
File created | C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_host_service.exe | g2ax_installer_customer.exe
File created | C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_installer_customer.exe | g2ax_installer_customer.exe
File created | C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_processfactory.exe | g2ax_installer_customer.exe
File created | C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_winlogon.dll | g2ax_installer_customer.exe
File created | C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\shortcuts.txt | g2ax_service.exe
Drops file in Windows directory  11 IoCs
description | ioc | Process
File opened for modification | C:\Windows\INF\setupapi.ev3 | DrvInst.exe
File opened for modification | C:\Windows\INF\setupapi.ev1 | DrvInst.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
File opened for modification | C:\Windows\Installer\f76b7da.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File created | C:\Windows\Installer\f76b7df.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\f76b7dd.ipi | msiexec.exe
File created | C:\Windows\Installer\f76b7da.msi | msiexec.exe
File created | C:\Windows\Installer\f76b7dd.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIB895.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIB8A7.tmp | msiexec.exe
Executes dropped EXE  8 IoCs
pid | Process
2744 | MSIB8A7.tmp
2684 | g2ax_installer_customer.exe
468 | g2ax_service.exe
2064 | g2ax_service.exe
2804 | g2ax_service.exe
1036 | g2ax_comm_customer.exe
1584 | g2ax_system_customer.exe
2964 | g2ax_user_customer.exe
Loads dropped DLL  14 IoCs
pid | Process
2744 | MSIB8A7.tmp
2684 | g2ax_installer_customer.exe
2684 | g2ax_installer_customer.exe
468 | g2ax_service.exe
468 | g2ax_service.exe
468 | g2ax_service.exe
2064 | g2ax_service.exe
2804 | g2ax_service.exe
2804 | g2ax_service.exe
1036 | g2ax_comm_customer.exe
1036 | g2ax_comm_customer.exe
1584 | g2ax_system_customer.exe
1036 | g2ax_comm_customer.exe
2964 | g2ax_user_customer.exe
Enumerates physical storage devices  1 TTPs
Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Installer Packages  2 TTPs  1 IoCs
pid | Process
2424 | msiexec.exe
System Location Discovery: System Language Discovery  1 TTPs  8 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | g2ax_service.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | g2ax_service.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | g2ax_comm_customer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | g2ax_system_customer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | g2ax_user_customer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MSIB8A7.tmp
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | g2ax_installer_customer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | g2ax_service.exe
Modifies data under HKEY_USERS  64 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | g2ax_comm_customer.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | g2ax_comm_customer.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | g2ax_comm_customer.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | g2ax_comm_customer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | g2ax_comm_customer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | g2ax_comm_customer.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\LogMeInInc\GoToAssist\AuthInfo | g2ax_comm_customer.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | g2ax_comm_customer.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | g2ax_comm_customer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | g2ax_comm_customer.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | g2ax_comm_customer.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | g2ax_comm_customer.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | g2ax_comm_customer.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | g2ax_comm_customer.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | g2ax_comm_customer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | g2ax_comm_customer.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | g2ax_comm_customer.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | g2ax_comm_customer.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | g2ax_comm_customer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | g2ax_comm_customer.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | g2ax_comm_customer.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | g2ax_comm_customer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | g2ax_comm_customer.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | g2ax_comm_customer.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | g2ax_comm_customer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | g2ax_comm_customer.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | g2ax_comm_customer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | g2ax_comm_customer.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | g2ax_comm_customer.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\LogMeInInc | g2ax_comm_customer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | g2ax_comm_customer.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | g2ax_comm_customer.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | DrvInst.exe
Modifies registry class  25 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{45CB397D-781F-4B69-955E-7EB5F5BDC348}\AppID = "{D7222C15-96C7-40f1-97A7-EB3D057EA80C}" | g2ax_service.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{D7222C15-96C7-40f1-97A7-EB3D057EA80C}\ServiceParameters = "-Service" | g2ax_service.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{45CB397D-781F-4B69-955E-7EB5F5BDC348}\ = "g2ax_StartHereLoader" | g2ax_service.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GoToAssist Remote Support Customer.g2ax_StartHereLoader | g2ax_service.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GoToAssist Remote Support Customer.g2ax_StartHereLoader\ = "g2ax_StartHereLoader" | g2ax_service.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GoToAssist Remote Support Customer.g2ax_StartHereLoader\CurVer\ = "GoToAssist Remote Support Customer.g2ax_StartHereLoader.2" | g2ax_service.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{45CB397D-781F-4B69-955E-7EB5F5BDC348} | g2ax_service.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GoToAssist Remote Support Customer.g2ax_StartHereLoader.2 | g2ax_service.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GoToAssist Remote Support Customer.g2ax_StartHereLoader.2\CLSID | g2ax_service.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{45CB397D-781F-4B69-955E-7EB5F5BDC348}\LocalServer32 | g2ax_service.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{45CB397D-781F-4B69-955E-7EB5F5BDC348}\VersionIndependentProgID\ = "GoToAssist Remote Support Customer.g2ax_StartHereLoader" | g2ax_service.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GoToAssist Remote Support Customer.g2ax_StartHereLoader.2\ = "g2ax_StartHereLoader" | g2ax_service.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GoToAssist Remote Support Customer.g2ax_StartHereLoader.2\CLSID\ = "{45CB397D-781F-4B69-955E-7EB5F5BDC348}" | g2ax_service.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\\{D7222C15-96C7-40f1-97A7-EB3D057EA80C} | g2ax_service.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{D7222C15-96C7-40f1-97A7-EB3D057EA80C}\ = "GoToAssist Remote Support Customer" | g2ax_service.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{45CB397D-781F-4B69-955E-7EB5F5BDC348}\ProgID | g2ax_service.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GoToAssist Remote Support Customer.g2ax_StartHereLoader\CLSID | g2ax_service.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GoToAssist Remote Support Customer.g2ax_StartHereLoader\CurVer | g2ax_service.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GoToAssist Remote Support Customer.g2ax_StartHereLoader\CLSID\ = "{45CB397D-781F-4B69-955E-7EB5F5BDC348}" | g2ax_service.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\\g2ax_service.exe | g2ax_service.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\g2ax_service.exe\AppID = "{D7222C15-96C7-40f1-97A7-EB3D057EA80C}" | g2ax_service.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{D7222C15-96C7-40f1-97A7-EB3D057EA80C}\LocalService = "GoToAssist Remote Support Customer" | g2ax_service.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{45CB397D-781F-4B69-955E-7EB5F5BDC348}\LocalServer32\ = "C:\\Program Files (x86)\\GoToAssist Remote Support Customer\\1575\\g2ax_service.exe" | g2ax_service.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{45CB397D-781F-4B69-955E-7EB5F5BDC348}\ProgID\ = "GoToAssist Remote Support Customer.g2ax_StartHereLoader.2" | g2ax_service.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{45CB397D-781F-4B69-955E-7EB5F5BDC348}\VersionIndependentProgID | g2ax_service.exe
Modifies system certificate store
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 | g2ax_installer_customer.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = (binary blob value not present in the page) | g2ax_installer_customer.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = (binary blob value not present in the page) | g2ax_installer_customer.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = (binary blob value not present in the page) | g2ax_installer_customer.exe
Suspicious behavior: EnumeratesProcesses  3 IoCs
pid | Process
2180 | msiexec.exe
2180 | msiexec.exe
1036 | g2ax_comm_customer.exe
Suspicious use of AdjustPrivilegeToken  64 IoCs
description | pid | Process
Token: SeShutdownPrivilege | 2424 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 2424 | msiexec.exe
Token: SeRestorePrivilege | 2180 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2180 | msiexec.exe
Token: SeSecurityPrivilege | 2180 | msiexec.exe
Token: SeCreateTokenPrivilege | 2424 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 2424 | msiexec.exe
Token: SeLockMemoryPrivilege | 2424 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 2424 | msiexec.exe
Token: SeMachineAccountPrivilege | 2424 | msiexec.exe
Token: SeTcbPrivilege | 2424 | msiexec.exe
Token: SeSecurityPrivilege | 2424 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2424 | msiexec.exe
Token: SeLoadDriverPrivilege | 2424 | msiexec.exe
Token: SeSystemProfilePrivilege | 2424 | msiexec.exe
Token: SeSystemtimePrivilege | 2424 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 2424 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 2424 | msiexec.exe
Token: SeCreatePagefilePrivilege | 2424 | msiexec.exe
Token: SeCreatePermanentPrivilege | 2424 | msiexec.exe
Token: SeBackupPrivilege | 2424 | msiexec.exe
Token: SeRestorePrivilege | 2424 | msiexec.exe
Token: SeShutdownPrivilege | 2424 | msiexec.exe
Token: SeDebugPrivilege | 2424 | msiexec.exe
Token: SeAuditPrivilege | 2424 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 2424 | msiexec.exe
Token: SeChangeNotifyPrivilege | 2424 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 2424 | msiexec.exe
Token: SeUndockPrivilege | 2424 | msiexec.exe
Token: SeSyncAgentPrivilege | 2424 | msiexec.exe
Token: SeEnableDelegationPrivilege | 2424 | msiexec.exe
Token: SeManageVolumePrivilege | 2424 | msiexec.exe
Token: SeImpersonatePrivilege | 2424 | msiexec.exe
Token: SeCreateGlobalPrivilege | 2424 | msiexec.exe
Token: SeBackupPrivilege | 1712 | vssvc.exe
Token: SeRestorePrivilege | 1712 | vssvc.exe
Token: SeAuditPrivilege | 1712 | vssvc.exe
Token: SeBackupPrivilege | 2180 | msiexec.exe
Token: SeRestorePrivilege | 2180 | msiexec.exe
Token: SeRestorePrivilege | 2328 | DrvInst.exe
Token: SeRestorePrivilege | 2328 | DrvInst.exe
Token: SeRestorePrivilege | 2328 | DrvInst.exe
Token: SeRestorePrivilege | 2328 | DrvInst.exe
Token: SeRestorePrivilege | 2328 | DrvInst.exe
Token: SeRestorePrivilege | 2328 | DrvInst.exe
Token: SeRestorePrivilege | 2328 | DrvInst.exe
Token: SeLoadDriverPrivilege | 2328 | DrvInst.exe
Token: SeLoadDriverPrivilege | 2328 | DrvInst.exe
Token: SeLoadDriverPrivilege | 2328 | DrvInst.exe
Token: SeRestorePrivilege | 2180 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2180 | msiexec.exe
Token: SeRestorePrivilege | 2180 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2180 | msiexec.exe
Token: SeRestorePrivilege | 2180 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2180 | msiexec.exe
Token: SeRestorePrivilege | 2180 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2180 | msiexec.exe
Token: SeRestorePrivilege | 2180 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2180 | msiexec.exe
Token: SeRestorePrivilege | 2180 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2180 | msiexec.exe
Token: SeRestorePrivilege | 2180 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2180 | msiexec.exe
Token: SeRestorePrivilege | 2180 | msiexec.exe
Suspicious use of FindShellTrayWindow  9 IoCs
pid | Process
2424 | msiexec.exe
2744 | MSIB8A7.tmp
2424 | msiexec.exe
2964 | g2ax_user_customer.exe
2964 | g2ax_user_customer.exe
2964 | g2ax_user_customer.exe
2964 | g2ax_user_customer.exe
2964 | g2ax_user_customer.exe
2964 | g2ax_user_customer.exe
Suspicious use of SendNotifyMessage  5 IoCs
pid | Process
2964 | g2ax_user_customer.exe
2964 | g2ax_user_customer.exe
2964 | g2ax_user_customer.exe
2964 | g2ax_user_customer.exe
2964 | g2ax_user_customer.exe
Suspicious use of WriteProcessMemory  31 IoCs
description | pid | Process | procid_target
PID 2180 wrote to memory of 2744 | 2180 | msiexec.exe | 34
PID 2180 wrote to memory of 2744 | 2180 | msiexec.exe | 34
PID 2180 wrote to memory of 2744 | 2180 | msiexec.exe | 34
PID 2180 wrote to memory of 2744 | 2180 | msiexec.exe | 34
PID 2744 wrote to memory of 2684 | 2744 | MSIB8A7.tmp | 35
PID 2744 wrote to memory of 2684 | 2744 | MSIB8A7.tmp | 35
PID 2744 wrote to memory of 2684 | 2744 | MSIB8A7.tmp | 35
PID 2744 wrote to memory of 2684 | 2744 | MSIB8A7.tmp | 35
PID 2744 wrote to memory of 2684 | 2744 | MSIB8A7.tmp | 35
PID 2744 wrote to memory of 2684 | 2744 | MSIB8A7.tmp | 35
PID 2744 wrote to memory of 2684 | 2744 | MSIB8A7.tmp | 35
PID 2684 wrote to memory of 468 | 2684 | g2ax_installer_customer.exe | 37
PID 2684 wrote to memory of 468 | 2684 | g2ax_installer_customer.exe | 37
PID 2684 wrote to memory of 468 | 2684 | g2ax_installer_customer.exe | 37
PID 2684 wrote to memory of 468 | 2684 | g2ax_installer_customer.exe | 37
PID 2684 wrote to memory of 2064 | 2684 | g2ax_installer_customer.exe | 38
PID 2684 wrote to memory of 2064 | 2684 | g2ax_installer_customer.exe | 38
PID 2684 wrote to memory of 2064 | 2684 | g2ax_installer_customer.exe | 38
PID 2684 wrote to memory of 2064 | 2684 | g2ax_installer_customer.exe | 38
PID 2804 wrote to memory of 1036 | 2804 | g2ax_service.exe | 40
PID 2804 wrote to memory of 1036 | 2804 | g2ax_service.exe | 40
PID 2804 wrote to memory of 1036 | 2804 | g2ax_service.exe | 40
PID 2804 wrote to memory of 1036 | 2804 | g2ax_service.exe | 40
PID 1036 wrote to memory of 1584 | 1036 | g2ax_comm_customer.exe | 42
PID 1036 wrote to memory of 1584 | 1036 | g2ax_comm_customer.exe | 42
PID 1036 wrote to memory of 1584 | 1036 | g2ax_comm_customer.exe | 42
PID 1036 wrote to memory of 1584 | 1036 | g2ax_comm_customer.exe | 42
PID 1036 wrote to memory of 2964 | 1036 | g2ax_comm_customer.exe | 44
PID 1036 wrote to memory of 2964 | 1036 | g2ax_comm_customer.exe | 44
PID 1036 wrote to memory of 2964 | 1036 | g2ax_comm_customer.exe | 44
PID 1036 wrote to memory of 2964 | 1036 | g2ax_comm_customer.exe | 44
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\[email protected]1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2424
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Windows\Installer\MSIB8A7.tmp"C:\Windows\Installer\MSIB8A7.tmp" /FromMSI2⤵
- Checks whether UAC is enabled
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID: 2744
- C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aBA2B.tmp\g2ax_installer_customer.exe (tree depth 3)
  Command line: "C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aBA2B.tmp\g2ax_installer_customer.exe " "/Action SetupUnattendedSilent" "/DownloadServer https://launch.getgo.com" "/EGWAddress 216.115.218.197" "/EGWDNS egw1.express.gotoassist.com" "/EGWPort 8200,80,443" /FromMSI "/Language en_US" "/LoaderPath C:\Windows\Installer\MSIB8A7.tmp" "/LogPath C:\Users\Admin\AppData\Local\Temp\LogMeInLogs\GoToAssist Remote Support Customer\1575\20240824_233517\" "/Mode Normal" "/RestartReason Start" "/ServiceAllowed Yes" "/StartAsService Yes" "/Stat On" "/StatDb On" "/Trigger Web" "/UnattendedSetupToken 5331656515450037371" "/WebsiteUrl http://support.gotoassist.com" "/locale en_US" "/silent"
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  PID: 2684
  - C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_service.exe (tree depth 4)
    Command line: "C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_service.exe" "Start=install_manual&Action=SetupUnattendedSilent&DownloadServer=https://launch.getgo.com&EGWAddress=216.115.218.197&EGWDNS=egw1.express.gotoassist.com&EGWPort=8200,80,443&Language=en_US&LoaderPath=C:\Windows\Installer\MSIB8A7.tmp&LogPath=C:\Users\Admin\AppData\Local\Temp\LogMeInLogs\GoToAssist Remote Support Customer\1575\20240824_233517\&Mode=Normal&RestartReason=Start&ServiceAllowed=Yes&StartAsService=Yes&Stat=On&StatDb=On&Trigger=Web&UnattendedSetupToken=5331656515450037371&WebsiteUrl=http://support.gotoassist.com&locale=en_US"
    - Modifies WinLogon
    - Drops file in Program Files directory
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID: 468
  - C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_service.exe (tree depth 4)
    Command line: "C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_service.exe" "Start=start_session&Action=SetupUnattendedSilent&DownloadServer=https://launch.getgo.com&EGWAddress=216.115.218.197&EGWDNS=egw1.express.gotoassist.com&EGWPort=8200,80,443&Language=en_US&LoaderPath=C:\Windows\Installer\MSIB8A7.tmp&LogPath=C:\Users\Admin\AppData\Local\Temp\LogMeInLogs\GoToAssist Remote Support Customer\1575\20240824_233517\&Mode=Normal&RestartReason=Start&ServiceAllowed=Yes&StartAsService=Yes&Stat=On&StatDb=On&Trigger=Web&UnattendedSetupToken=5331656515450037371&WebsiteUrl=http://support.gotoassist.com&locale=en_US"
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID: 2064
- C:\Windows\system32\vssvc.exe (tree depth 1)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID: 1712
- C:\Windows\system32\DrvInst.exe (tree depth 1)
  Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003CC" "00000000000004D4"
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID: 2328
- C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_service.exe (tree depth 1)
  Command line: "C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_service.exe" "Start=service"
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2804
  - C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_comm_customer.exe (tree depth 2)
    Command line: "C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_comm_customer.exe" "Action=SetupUnattendedSilent&DownloadServer=https://launch.getgo.com&EGWAddress=216.115.218.197&EGWDNS=egw1.express.gotoassist.com&EGWPort=8200,80,443&Language=en_US&LoaderPath=C:\Windows\Installer\MSIB8A7.tmp&LogName=C:\Users\Admin\AppData\Local\Temp\LogMeInLogs\GoToAssist Remote Support Customer\1575\20240824_233517\GoToAssist Remote Support Customer.LOG&LogPath=C:\Users\Admin\AppData\Local\Temp\LogMeInLogs\GoToAssist Remote Support Customer\1575\20240824_233517\&Mode=Normal&ResourceDll=g2ax_customer_resource_win32_x86_en_US.dll&RestartReason=Start&RunningAsService=YES&ServiceAllowed=Yes&Start=service&StartAsService=Yes&StartID={45CB397D-781F-4B69-955E-7EB5F5BDC348}&Stat=On&StatDb=On&Trigger=Web&UnattendedSetupToken=5331656515450037371&UniqueId=2804&WebsiteUrl=http://support.gotoassist.com&locale=en_US"
    - Drops file in System32 directory
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 1036
    - C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_system_customer.exe (tree depth 3)
      Command line: "C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_system_customer.exe" "StartID={70E19351-2945-4920-9883-C93CF275C1AC}&ResourceDll=g2ax_customer_resource_win32_x86_en_US.dll&RunningAsService=YES&Debug=Off&Stat=On&StatDb=On&Index=0"
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      PID: 1584
    - C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_user_customer.exe (tree depth 3)
      Command line: "C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_user_customer.exe" "StartID={45CB397D-781F-4B69-955E-7EB5F5BDC348}&ResourceDll=g2ax_customer_resource_win32_x86_en_US.dll&RunningAsService=YES&Debug=Off&Stat=On&StatDb=On&Index=0"
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      PID: 2964
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Installer Packages (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Installer Packages (1)
Defense Evasion
- Modify Registry (2)
- Subvert Trust Controls (1)
  - Install Root Certificate (1)
- System Binary Proxy Execution (1)
  - Msiexec (1)
Replay Monitor
Downloads
- Filesize: 7KB
  MD5: b71ce00b6e62170a057daf48d4c5c785
  SHA1: 39393e1b304845b7564c9c43cf69928a202a5e53
  SHA256: 2c283bb3616683f635ed584b8c46a339d89daafd538781f4684176cd74db3b4f
  SHA512: 101ce465fae6336063d8abdc5bd3a52ee916faea4e91953df2ede797a2530cad8936f9a6010b0fd102b88236f425a2faa6b7e533b5fa7e6a60bc4ab90c160821
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D84E548583BE1EE7DB5A935821009D26_5B98B6CD6E69202676965CF5B0E2A7A7
  Filesize: 5B
  MD5: 5bfa51f3a417b98e7443eca90fc94703
  SHA1: 8c015d80b8a23f780bdd215dc842b0f5551f63bd
  SHA256: bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128
  SHA512: 4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D84E548583BE1EE7DB5A935821009D26_5B98B6CD6E69202676965CF5B0E2A7A7
  Filesize: 416B
  MD5: 4d924daa70bf1f66c6f3f65ec847f65d
  SHA1: 3ca88ebd50d1734d44e2f4549f6812c121262806
  SHA256: 6eae2b9c848b355cdd0ba57cbae2b8779ea80f9f3b5b21b18c3b13ed93066409
  SHA512: 265edd38d792c7e0998aaf65835dcac8d198dad976765a5bc74c2e6697dfa04bcfabd56c04cd1f2d7fb1a792db93046d30a454db606c2b8af36e78e6a9b78e72
- Filesize: 70KB
  MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1: 1723be06719828dda65ad804298d0431f6aff976
  SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
- C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aBA2B.tmp\g2ax_combined_customer.dll
  Filesize: 9.0MB
  MD5: b281109807f069ee71ad44a5c2ed4638
  SHA1: 88d58db2ea9d8ab72504ad3933acedd69c919cf7
  SHA256: 3d8d246a69eb0a66c52d8a713c2797b28d05e7c2ac9157fea5692bf6e9dfdda8
  SHA512: 11fb0515904a24a041c02f89819b43cf30e4b791eac559084c0ab90c458ed46d0aff2ab9fe4e4a1e9c915d080eff212754d68643c67e4690237dab6a67cd2249
- C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aBA2B.tmp\g2ax_credential_provider.dll
  Filesize: 113KB
  MD5: 6acbff3ffbf1d3b4ef2e590807b82a7f
  SHA1: 0f781965145db5d9c97e471b8bc7236dee81c71c
  SHA256: e870ce924d6797c053a14647184ad9d7e6bf641c2c1de901e747449964afdb22
  SHA512: 734aaa7ca45209c7d67e743c7bd43130da709d3503ee3a127919aa676c7e9cc932707522e0355d8e17b8bb02dbb53109c7df9ddef7c118814e5a4f04ce712139
- C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aBA2B.tmp\g2ax_credential_provider64.dll
  Filesize: 122KB
  MD5: 2f9bde855a7df5ab1a5d4bc549170064
  SHA1: dab528bd0e4054926d4646d762f08d85e164c469
  SHA256: ee0432569bfadee88267ae64d2b11a6d258225c74358f142afa4bec8d6236dd5
  SHA512: ce19050bc003f290172efab577bfa36ca17bb5e5b9efd4e4443ca037f59a1ea2ac635ae1592d51354485df0ef274f0516a3501228f11edd16ef1c6d723820afb
- C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aBA2B.tmp\g2ax_customer_resource_win32_x86_de.dll
  Filesize: 2.7MB
  MD5: 95d28b0ae03c0e0dbebaac0354bd665d
  SHA1: 16ad8de089f85810678235cac2a332069e4a757e
  SHA256: 2e0fd5b081c3a35f97fc15a37d254c46e09a57724dae50853cd6f7675b5502bd
  SHA512: 5ec5d5d1b113c633364181411516b7de8e4ebf47d1bdbdb5cabec06a040671f5e69540b9b0f067fec593d26f6d1d97ca764c50d2adbd768b1e3cbf91b758ad27
- C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aBA2B.tmp\g2ax_customer_resource_win32_x86_en_US.dll
  Filesize: 2.7MB
  MD5: 626dc7beea7eef7dbbad77b3f693eb49
  SHA1: 1e25d0ca6c7678bb3775728bdd631f2bfe79ebc0
  SHA256: 5bea8b91ed32fe2b925a8942a2706d8b84d75b00cac8f4ec1009c911a201a6f9
  SHA512: a1609e5949721165773fec457f798ea9083257b19eeeafb3d40382f9763392862a976f2b892b6dadfe1df6c83e70b496c10ce688440fa5d97c78c6a0821d165a
- C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aBA2B.tmp\g2ax_customer_resource_win32_x86_es.dll
  Filesize: 2.7MB
  MD5: d4b3e89862a5b2583b6da76aa12e225c
  SHA1: 2f158da475e5a20f8e7c9b7effa7295fc07e7fd9
  SHA256: 5bac52692ea070aa9a6cb4655ca1346818235e79d4ac234127c87f9bd26de5d2
  SHA512: 2e792fa40569198a52df8796328ee0e6c93da9b861599e04bd0c0c7430b1c368c5ef60ca0bcda9297dcffd3e9312cdf12d62fdfd3febff4ec4a0ec55d2607a7f
- C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aBA2B.tmp\g2ax_customer_resource_win32_x86_fr.dll
  Filesize: 2.7MB
  MD5: cdb5345e298d427450fe244a2e1cd16c
  SHA1: e2e3402696090998174f686128af6d5791dd725a
  SHA256: a476086f0c10426df4880f77e7333fa9aaab088421b5b9fab4937a65d734c817
  SHA512: f036d3b164b3983f4684d3e3383ed2a67ebd674b5ea4d764189b429b3cecc81f5b0a4bf8a4e6e6d7e2aac27b7fb6edaf909835d2890000d3aded887e20776141
- C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aBA2B.tmp\g2ax_customer_resource_win32_x86_it.dll
  Filesize: 2.7MB
  MD5: 4c6d97f5793a8806d1b07f7805c1290f
  SHA1: 6ed0ae206d5e3fd7cb19634aef5f0055f0832d83
  SHA256: 3798840e3ddf8025648420c2971c4434608f908bfd83437c239220e28e925323
  SHA512: c13fba4f00340ab3be3b1f58bdd17fd1d3e95c1819b7a8d82b8e6cb7bc8bece9cf2d97ede47e57b062bb8008031f58b36934a5da0c452e17309f832b42b5e2ef
- C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aBA2B.tmp\g2ax_customer_resource_win32_x86_pt.dll
  Filesize: 2.7MB
  MD5: 42accada99f11973893559eb80dbd7cc
  SHA1: 9ed76304bf4af87210044d9fcbcb62f2f6f49fce
  SHA256: c07707fdee8d761999bd63e44fdca04503ccbb2fde1e02d2eab6d3f99744840a
  SHA512: 24177df97a981f2a5d0896d143b3f8057631a17ab18e00bf540b70a921d66f5876ee0985e4b32165fabedefebc0ad1329be4860619b1ea40274cfe2beaf0d696
- C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aBA2B.tmp\g2ax_exe_customer_adminui.exe
  Filesize: 599KB
  MD5: 139e140841795d1d3b31ca9f0d2a18f0
  SHA1: c8348ffcc2792edf84c7d0a60af9fced0cee74d2
  SHA256: 814f387ab117191bc9cf9c33743bd792735237354ec83df4e014c7e7bc1e46ba
  SHA512: 98bf1f4043ccd59bb2c86b56dda9b30426160cb093585e9378cd5930ab8d5485591ea1f59196fb64ec3e0cc2845bdf43d936e8ae303914df56a8bd82b9fcd42b
- C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aBA2B.tmp\g2ax_installer_customer_admin.exe
  Filesize: 599KB
  MD5: d4ee9d0af2825048d4bfd48f48bd464b
  SHA1: a3a25e68132a4288b6b394623fd206fbf8899092
  SHA256: e1ae8e4f45552d82ea9154a02d7b900f42cad77777d6b6d6872f3f96efde491c
  SHA512: ff6a70d7edb1e0aef632027e50b264bfed1aa27bcf114c65b79da7894b6f2b48675d78bc698f0006973f24a9ca465ffb5ae82600d5f065dba14593ade31ffc47
- C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aBA2B.tmp\g2ax_processfactory.exe
  Filesize: 680KB
  MD5: 63f225100403cd9d98e5c20a2f13c7f9
  SHA1: e4152545009c0bcbdbb9bed52f2935d55ba7da01
  SHA256: 450ba2dc70b1bbb9cd808be082cc90ee2be2e27e678d37b27400a90e0e4463f8
  SHA512: 58886a5b9455e56e86b227c7a49535b638a9379ab8752c58d8560987c7585d7a42eac2e88b19c82a52f8eb13aabfc436ada14673878a80667ae30b369a1ed409
- C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aBA2B.tmp\g2ax_winlogon.dll
  Filesize: 598KB
  MD5: 8b64004a064179c50ab204cb8baacdb1
  SHA1: 357fe1c8cc37ff7a7c064ed6f49360692a4a8254
  SHA256: 20b7b7290d17b2b3b9d6bb01d7f540dcd780944a9a2873d641e973433173a781
  SHA512: 0ce7693c4c54db616f1c30899bbe77f4a6033ee034a389d032dcc3e8c84d3361f3beaab82508c69e1b8a4b4104590953c2a9abef354680043a2964fd8106af74
- C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aBA2B.tmp\g2ax_winlogonx64.dll
  Filesize: 599KB
  MD5: 234f00413858db80b4b51c1abede4152
  SHA1: e2606f11691de55ac8f491050abbcbe71c0ad1ba
  SHA256: c5daa86b380ed04bc2ec92bbe74c8aff958edeabd240411b7ecb7f5721ba548d
  SHA512: 0a242a4516cfa722e35f5cb9a6e815d03e00b63e8ef648532526e8a0d228f4d00c2367d65bf402d1c564a208e1d5747b2ba1350bc0e637743373898fc37cd41c
- C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aBA2B.tmp\uninshlp.dll
  Filesize: 20KB
  MD5: 0868827e42db552e5427f277fedf1e6b
  SHA1: 9fb59bbb4edbcc98fdb36ffff378d0bb9ddcc4fb
  SHA256: f6684c5dbce46be754e61da86757278bb6a9c7def6810504a1dc389920b5d38a
  SHA512: 607064c1bc4aa627dc130d3a34d19bd512324bb9bd91ceaa6bcb20f0e218d070ef7021c921318a4d6474e95979bd569c2776b414269aeade5fa884876d58c3d1
- Filesize: 181KB
  MD5: 4ea6026cf93ec6338144661bf1202cd1
  SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
  SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
  SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
- Filesize: 3.6MB
  MD5: 10691eb99593e235b86d018ebaf7d4e6
  SHA1: 35e0444bb572f3890f327afc1feba32e9833d5b4
  SHA256: 4e945ddc84443a2ac2f845693461a7bda2ab07b24eb3b980c1b86dd5f2d8ed2b
  SHA512: 10e1ee6fa616d92d1bc5bca358321c0fd4b18767a7eb7fd7bdf19c3302b23163a37e904f162d57097d40ca10b68494c7f5d029db4f9f91ac62351c48d150377f
- C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
  Filesize: 1KB
  MD5: a266bb7dcc38a562631361bbf61dd11b
  SHA1: 3b1efd3a66ea28b16697394703a72ca340a05bd5
  SHA256: df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
  SHA512: 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc
- C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
  Filesize: 242B
  MD5: 59601a27bdb5c494a10d6632a7e3e507
  SHA1: af9f44536264da7e958b5a1b4ab6565c6eb00308
  SHA256: 5e3846858e2582bac8be79a9ed88b599a739293123c2df8f548c3067a80ea545
  SHA512: 56e0d2d4214532408266a9bd943b2aa5271013f2227a0afe7af4ac1206d1fc1de206323f1bd2760db6fcee279822b17cc2a20eebb33f548f963ccbca5a5e382e
- \Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aBA2B.tmp\g2ax_installer_customer.exe
  Filesize: 599KB
  MD5: 7c9b0bde69c16ece846a56106b11dbfa
  SHA1: 80c42eb9351f611a395256531c5ed4931be981cf
  SHA256: 02d19f030b1f116c26bc3d1e6b03071b6f13ce7c7ea499603a5dfd571f3a96b6
  SHA512: 7826faa0627a5e57cd4ad3076391cec125314339d59ac6ad2e623a82522e870ecbc12b42b5868484550ede7e8d3012f06bef5463b624636aea3f0343ccdd810a