30949949855ec60455a390a5f77ce7eaf52b3917a963a27ecc7dd1946862e852

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
24/08/2024, 23:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

[email protected]
Size

4.1MB
MD5

4dd7bd5bc7ad5494b39c033290136207
SHA1

aeac40777f86c172d8872643c9c537f53cdf1f5d
SHA256

30949949855ec60455a390a5f77ce7eaf52b3917a963a27ecc7dd1946862e852
SHA512

483c6099e920c5b36cd052e59b331d720cebbbf242d190c1b5383b5a7a6327abfc45f2311f58332822d4ec6f726722cf4f16f1c61071d10307a9a6a32849df37
SSDEEP

98304:0BZc4QcOiOqteN/+G5s5jmL0tipvHYzlgpwS+nqA5:IzOVq29mJmgw0gpwSa

Score

7^/10

discovery evasion persistence privilege_escalation spyware stealer trojan upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000016db3-10.dat	upx
behavioral1/memory/2744-11-0x0000000000400000-0x000000000225E000-memory.dmp	upx
behavioral1/memory/2744-91-0x0000000000400000-0x000000000225E000-memory.dmp	upx
behavioral1/memory/2744-223-0x0000000000400000-0x000000000225E000-memory.dmp	upx

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MSIB8A7.tmp
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	g2ax_installer_customer.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe

Modifies WinLogon 2 TTPs 9 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GoToAssist Express Customer\Shutdown = "Shutdown"	g2ax_service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GoToAssist Express Customer\DLLName = "C:\\Program Files (x86)\\GoToAssist Remote Support Customer\\1575\\g2ax_winlogonx64.dll"	g2ax_service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GoToAssist Express Customer\Logoff = "Logoff"	g2ax_service.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GoToAssist Express Customer\Asynchronous = "0"	g2ax_service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GoToAssist Express Customer\Startup = "Startup"	g2ax_service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GoToAssist Express Customer	g2ax_service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify	g2ax_service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GoToAssist Express Customer\Logon = "Logon"	g2ax_service.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GoToAssist Express Customer\Impersonate = "0"	g2ax_service.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	g2ax_comm_customer.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	g2ax_comm_customer.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	g2ax_comm_customer.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	g2ax_comm_customer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 26 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_uninstaller_customer.exe	g2ax_installer_customer.exe
File created	C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_customer_resource_win32_x86_es.dll	g2ax_installer_customer.exe
File created	C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_customer_resource_win32_x86_fr.dll	g2ax_installer_customer.exe
File created	C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_customer_resource_win32_x86_it.dll	g2ax_installer_customer.exe
File created	C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_customer_resource_win32_x86_pt.dll	g2ax_installer_customer.exe
File created	C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_winlogonx64.dll	g2ax_installer_customer.exe
File created	C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_comm_customer.exe	g2ax_installer_customer.exe
File created	C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_credential_provider.dll	g2ax_installer_customer.exe
File created	C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_host.exe	g2ax_installer_customer.exe
File created	C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_customer_resource_win32_x86_de.dll	g2ax_installer_customer.exe
File created	C:\Program Files (x86)\_x_CInstB+TEST_x_0\_x_CInstB+TEST_x_0	g2ax_installer_customer.exe
File created	C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_credential_provider64.dll	g2ax_installer_customer.exe
File opened for modification	C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\uninshlp.dll	g2ax_installer_customer.exe
File created	C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_combined_customer.dll	g2ax_installer_customer.exe
File created	C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_user_customer.exe	g2ax_installer_customer.exe
File created	C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_user_medium_customer.exe	g2ax_installer_customer.exe
File created	C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_customer_resource_win32_x86_en_US.dll	g2ax_installer_customer.exe
File created	C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\uninshlp.dll	g2ax_installer_customer.exe
File created	C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_service.exe	g2ax_installer_customer.exe
File created	C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_system_customer.exe	g2ax_installer_customer.exe
File created	C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_user_high_customer.exe	g2ax_installer_customer.exe
File created	C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_host_service.exe	g2ax_installer_customer.exe
File created	C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_installer_customer.exe	g2ax_installer_customer.exe
File created	C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_processfactory.exe	g2ax_installer_customer.exe
File created	C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_winlogon.dll	g2ax_installer_customer.exe
File created	C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\shortcuts.txt	g2ax_service.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\f76b7da.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\f76b7df.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f76b7dd.ipi	msiexec.exe
File created	C:\Windows\Installer\f76b7da.msi	msiexec.exe
File created	C:\Windows\Installer\f76b7dd.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB895.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB8A7.tmp	msiexec.exe

Executes dropped EXE 8 IoCs

pid	Process
2744	MSIB8A7.tmp
2684	g2ax_installer_customer.exe
468	g2ax_service.exe
2064	g2ax_service.exe
2804	g2ax_service.exe
1036	g2ax_comm_customer.exe
1584	g2ax_system_customer.exe
2964	g2ax_user_customer.exe

Loads dropped DLL 14 IoCs

pid	Process
2744	MSIB8A7.tmp
2684	g2ax_installer_customer.exe
2684	g2ax_installer_customer.exe
468	g2ax_service.exe
468	g2ax_service.exe
468	g2ax_service.exe
2064	g2ax_service.exe
2804	g2ax_service.exe
2804	g2ax_service.exe
1036	g2ax_comm_customer.exe
1036	g2ax_comm_customer.exe
1584	g2ax_system_customer.exe
1036	g2ax_comm_customer.exe
2964	g2ax_user_customer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
2424	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	g2ax_service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	g2ax_service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	g2ax_comm_customer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	g2ax_system_customer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	g2ax_user_customer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSIB8A7.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	g2ax_installer_customer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	g2ax_service.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	g2ax_comm_customer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	g2ax_comm_customer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	g2ax_comm_customer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	g2ax_comm_customer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	g2ax_comm_customer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	g2ax_comm_customer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\LogMeInInc\GoToAssist\AuthInfo	g2ax_comm_customer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	g2ax_comm_customer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	g2ax_comm_customer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	g2ax_comm_customer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	g2ax_comm_customer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	g2ax_comm_customer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	g2ax_comm_customer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	g2ax_comm_customer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	g2ax_comm_customer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	g2ax_comm_customer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	g2ax_comm_customer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	g2ax_comm_customer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	g2ax_comm_customer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	g2ax_comm_customer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	g2ax_comm_customer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	g2ax_comm_customer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	g2ax_comm_customer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	g2ax_comm_customer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	g2ax_comm_customer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	g2ax_comm_customer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	g2ax_comm_customer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	g2ax_comm_customer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	g2ax_comm_customer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\LogMeInInc	g2ax_comm_customer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	g2ax_comm_customer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	g2ax_comm_customer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe

Modifies registry class 25 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{45CB397D-781F-4B69-955E-7EB5F5BDC348}\AppID = "{D7222C15-96C7-40f1-97A7-EB3D057EA80C}"	g2ax_service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{D7222C15-96C7-40f1-97A7-EB3D057EA80C}\ServiceParameters = "-Service"	g2ax_service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{45CB397D-781F-4B69-955E-7EB5F5BDC348}\ = "g2ax_StartHereLoader"	g2ax_service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GoToAssist Remote Support Customer.g2ax_StartHereLoader	g2ax_service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GoToAssist Remote Support Customer.g2ax_StartHereLoader\ = "g2ax_StartHereLoader"	g2ax_service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GoToAssist Remote Support Customer.g2ax_StartHereLoader\CurVer\ = "GoToAssist Remote Support Customer.g2ax_StartHereLoader.2"	g2ax_service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{45CB397D-781F-4B69-955E-7EB5F5BDC348}	g2ax_service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GoToAssist Remote Support Customer.g2ax_StartHereLoader.2	g2ax_service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GoToAssist Remote Support Customer.g2ax_StartHereLoader.2\CLSID	g2ax_service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{45CB397D-781F-4B69-955E-7EB5F5BDC348}\LocalServer32	g2ax_service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{45CB397D-781F-4B69-955E-7EB5F5BDC348}\VersionIndependentProgID\ = "GoToAssist Remote Support Customer.g2ax_StartHereLoader"	g2ax_service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GoToAssist Remote Support Customer.g2ax_StartHereLoader.2\ = "g2ax_StartHereLoader"	g2ax_service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GoToAssist Remote Support Customer.g2ax_StartHereLoader.2\CLSID\ = "{45CB397D-781F-4B69-955E-7EB5F5BDC348}"	g2ax_service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\\{D7222C15-96C7-40f1-97A7-EB3D057EA80C}	g2ax_service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{D7222C15-96C7-40f1-97A7-EB3D057EA80C}\ = "GoToAssist Remote Support Customer"	g2ax_service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{45CB397D-781F-4B69-955E-7EB5F5BDC348}\ProgID	g2ax_service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GoToAssist Remote Support Customer.g2ax_StartHereLoader\CLSID	g2ax_service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GoToAssist Remote Support Customer.g2ax_StartHereLoader\CurVer	g2ax_service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GoToAssist Remote Support Customer.g2ax_StartHereLoader\CLSID\ = "{45CB397D-781F-4B69-955E-7EB5F5BDC348}"	g2ax_service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\\g2ax_service.exe	g2ax_service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\g2ax_service.exe\AppID = "{D7222C15-96C7-40f1-97A7-EB3D057EA80C}"	g2ax_service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{D7222C15-96C7-40f1-97A7-EB3D057EA80C}\LocalService = "GoToAssist Remote Support Customer"	g2ax_service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{45CB397D-781F-4B69-955E-7EB5F5BDC348}\LocalServer32\ = "C:\\Program Files (x86)\\GoToAssist Remote Support Customer\\1575\\g2ax_service.exe"	g2ax_service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{45CB397D-781F-4B69-955E-7EB5F5BDC348}\ProgID\ = "GoToAssist Remote Support Customer.g2ax_StartHereLoader.2"	g2ax_service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{45CB397D-781F-4B69-955E-7EB5F5BDC348}\VersionIndependentProgID	g2ax_service.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	g2ax_installer_customer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c909000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c01400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e52000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	g2ax_installer_customer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 190000000100000010000000d8b5fb368468620275d142ffd2aade370300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e51d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af33313353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b060105050703030f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c92000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	g2ax_installer_customer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 040000000100000010000000cb17e431673ee209fe455793f30afa1c0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c909000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c01400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e5190000000100000010000000d8b5fb368468620275d142ffd2aade372000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	g2ax_installer_customer.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2180	msiexec.exe
2180	msiexec.exe
1036	g2ax_comm_customer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2424	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2424	msiexec.exe
Token: SeRestorePrivilege	2180	msiexec.exe
Token: SeTakeOwnershipPrivilege	2180	msiexec.exe
Token: SeSecurityPrivilege	2180	msiexec.exe
Token: SeCreateTokenPrivilege	2424	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2424	msiexec.exe
Token: SeLockMemoryPrivilege	2424	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2424	msiexec.exe
Token: SeMachineAccountPrivilege	2424	msiexec.exe
Token: SeTcbPrivilege	2424	msiexec.exe
Token: SeSecurityPrivilege	2424	msiexec.exe
Token: SeTakeOwnershipPrivilege	2424	msiexec.exe
Token: SeLoadDriverPrivilege	2424	msiexec.exe
Token: SeSystemProfilePrivilege	2424	msiexec.exe
Token: SeSystemtimePrivilege	2424	msiexec.exe
Token: SeProfSingleProcessPrivilege	2424	msiexec.exe
Token: SeIncBasePriorityPrivilege	2424	msiexec.exe
Token: SeCreatePagefilePrivilege	2424	msiexec.exe
Token: SeCreatePermanentPrivilege	2424	msiexec.exe
Token: SeBackupPrivilege	2424	msiexec.exe
Token: SeRestorePrivilege	2424	msiexec.exe
Token: SeShutdownPrivilege	2424	msiexec.exe
Token: SeDebugPrivilege	2424	msiexec.exe
Token: SeAuditPrivilege	2424	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2424	msiexec.exe
Token: SeChangeNotifyPrivilege	2424	msiexec.exe
Token: SeRemoteShutdownPrivilege	2424	msiexec.exe
Token: SeUndockPrivilege	2424	msiexec.exe
Token: SeSyncAgentPrivilege	2424	msiexec.exe
Token: SeEnableDelegationPrivilege	2424	msiexec.exe
Token: SeManageVolumePrivilege	2424	msiexec.exe
Token: SeImpersonatePrivilege	2424	msiexec.exe
Token: SeCreateGlobalPrivilege	2424	msiexec.exe
Token: SeBackupPrivilege	1712	vssvc.exe
Token: SeRestorePrivilege	1712	vssvc.exe
Token: SeAuditPrivilege	1712	vssvc.exe
Token: SeBackupPrivilege	2180	msiexec.exe
Token: SeRestorePrivilege	2180	msiexec.exe
Token: SeRestorePrivilege	2328	DrvInst.exe
Token: SeRestorePrivilege	2328	DrvInst.exe
Token: SeRestorePrivilege	2328	DrvInst.exe
Token: SeRestorePrivilege	2328	DrvInst.exe
Token: SeRestorePrivilege	2328	DrvInst.exe
Token: SeRestorePrivilege	2328	DrvInst.exe
Token: SeRestorePrivilege	2328	DrvInst.exe
Token: SeLoadDriverPrivilege	2328	DrvInst.exe
Token: SeLoadDriverPrivilege	2328	DrvInst.exe
Token: SeLoadDriverPrivilege	2328	DrvInst.exe
Token: SeRestorePrivilege	2180	msiexec.exe
Token: SeTakeOwnershipPrivilege	2180	msiexec.exe
Token: SeRestorePrivilege	2180	msiexec.exe
Token: SeTakeOwnershipPrivilege	2180	msiexec.exe
Token: SeRestorePrivilege	2180	msiexec.exe
Token: SeTakeOwnershipPrivilege	2180	msiexec.exe
Token: SeRestorePrivilege	2180	msiexec.exe
Token: SeTakeOwnershipPrivilege	2180	msiexec.exe
Token: SeRestorePrivilege	2180	msiexec.exe
Token: SeTakeOwnershipPrivilege	2180	msiexec.exe
Token: SeRestorePrivilege	2180	msiexec.exe
Token: SeTakeOwnershipPrivilege	2180	msiexec.exe
Token: SeRestorePrivilege	2180	msiexec.exe
Token: SeTakeOwnershipPrivilege	2180	msiexec.exe
Token: SeRestorePrivilege	2180	msiexec.exe

Suspicious use of FindShellTrayWindow 9 IoCs

pid	Process
2424	msiexec.exe
2744	MSIB8A7.tmp
2424	msiexec.exe
2964	g2ax_user_customer.exe
2964	g2ax_user_customer.exe
2964	g2ax_user_customer.exe
2964	g2ax_user_customer.exe
2964	g2ax_user_customer.exe
2964	g2ax_user_customer.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
2964	g2ax_user_customer.exe
2964	g2ax_user_customer.exe
2964	g2ax_user_customer.exe
2964	g2ax_user_customer.exe
2964	g2ax_user_customer.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 2744	2180	msiexec.exe	34
PID 2180 wrote to memory of 2744	2180	msiexec.exe	34
PID 2180 wrote to memory of 2744	2180	msiexec.exe	34
PID 2180 wrote to memory of 2744	2180	msiexec.exe	34
PID 2744 wrote to memory of 2684	2744	MSIB8A7.tmp	35
PID 2744 wrote to memory of 2684	2744	MSIB8A7.tmp	35
PID 2744 wrote to memory of 2684	2744	MSIB8A7.tmp	35
PID 2744 wrote to memory of 2684	2744	MSIB8A7.tmp	35
PID 2744 wrote to memory of 2684	2744	MSIB8A7.tmp	35
PID 2744 wrote to memory of 2684	2744	MSIB8A7.tmp	35
PID 2744 wrote to memory of 2684	2744	MSIB8A7.tmp	35
PID 2684 wrote to memory of 468	2684	g2ax_installer_customer.exe	37
PID 2684 wrote to memory of 468	2684	g2ax_installer_customer.exe	37
PID 2684 wrote to memory of 468	2684	g2ax_installer_customer.exe	37
PID 2684 wrote to memory of 468	2684	g2ax_installer_customer.exe	37
PID 2684 wrote to memory of 2064	2684	g2ax_installer_customer.exe	38
PID 2684 wrote to memory of 2064	2684	g2ax_installer_customer.exe	38
PID 2684 wrote to memory of 2064	2684	g2ax_installer_customer.exe	38
PID 2684 wrote to memory of 2064	2684	g2ax_installer_customer.exe	38
PID 2804 wrote to memory of 1036	2804	g2ax_service.exe	40
PID 2804 wrote to memory of 1036	2804	g2ax_service.exe	40
PID 2804 wrote to memory of 1036	2804	g2ax_service.exe	40
PID 2804 wrote to memory of 1036	2804	g2ax_service.exe	40
PID 1036 wrote to memory of 1584	1036	g2ax_comm_customer.exe	42
PID 1036 wrote to memory of 1584	1036	g2ax_comm_customer.exe	42
PID 1036 wrote to memory of 1584	1036	g2ax_comm_customer.exe	42
PID 1036 wrote to memory of 1584	1036	g2ax_comm_customer.exe	42
PID 1036 wrote to memory of 2964	1036	g2ax_comm_customer.exe	44
PID 1036 wrote to memory of 2964	1036	g2ax_comm_customer.exe	44
PID 1036 wrote to memory of 2964	1036	g2ax_comm_customer.exe	44
PID 1036 wrote to memory of 2964	1036	g2ax_comm_customer.exe	44

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\[email protected]
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2424

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Windows\Installer\MSIB8A7.tmp
  "C:\Windows\Installer\MSIB8A7.tmp" /FromMSI
  2⤵
  - Checks whether UAC is enabled
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aBA2B.tmp\g2ax_installer_customer.exe
    "C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aBA2B.tmp\g2ax_installer_customer.exe " "/Action SetupUnattendedSilent" "/DownloadServer https://launch.getgo.com" "/EGWAddress 216.115.218.197" "/EGWDNS egw1.express.gotoassist.com" "/EGWPort 8200,80,443" /FromMSI "/Language en_US" "/LoaderPath C:\Windows\Installer\MSIB8A7.tmp" "/LogPath C:\Users\Admin\AppData\Local\Temp\LogMeInLogs\GoToAssist Remote Support Customer\1575\20240824_233517\" "/Mode Normal" "/RestartReason Start" "/ServiceAllowed Yes" "/StartAsService Yes" "/Stat On" "/StatDb On" "/Trigger Web" "/UnattendedSetupToken 5331656515450037371" "/WebsiteUrl http://support.gotoassist.com" "/locale en_US" "/silent"
    3⤵
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious use of WriteProcessMemory
    PID:2684
  - - C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_service.exe
      "C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_service.exe" "Start=install_manual&Action=SetupUnattendedSilent&DownloadServer=https://launch.getgo.com&EGWAddress=216.115.218.197&EGWDNS=egw1.express.gotoassist.com&EGWPort=8200,80,443&Language=en_US&LoaderPath=C:\Windows\Installer\MSIB8A7.tmp&LogPath=C:\Users\Admin\AppData\Local\Temp\LogMeInLogs\GoToAssist Remote Support Customer\1575\20240824_233517\&Mode=Normal&RestartReason=Start&ServiceAllowed=Yes&StartAsService=Yes&Stat=On&StatDb=On&Trigger=Web&UnattendedSetupToken=5331656515450037371&WebsiteUrl=http://support.gotoassist.com&locale=en_US"
      4⤵
      Modifies WinLogon
      Drops file in Program Files directory
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:468
  - - C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_service.exe
      "C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_service.exe" "Start=start_session&Action=SetupUnattendedSilent&DownloadServer=https://launch.getgo.com&EGWAddress=216.115.218.197&EGWDNS=egw1.express.gotoassist.com&EGWPort=8200,80,443&Language=en_US&LoaderPath=C:\Windows\Installer\MSIB8A7.tmp&LogPath=C:\Users\Admin\AppData\Local\Temp\LogMeInLogs\GoToAssist Remote Support Customer\1575\20240824_233517\&Mode=Normal&RestartReason=Start&ServiceAllowed=Yes&StartAsService=Yes&Stat=On&StatDb=On&Trigger=Web&UnattendedSetupToken=5331656515450037371&WebsiteUrl=http://support.gotoassist.com&locale=en_US"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2064

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1712

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003CC" "00000000000004D4"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2328

C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_service.exe
"C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_service.exe" "Start=service"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2804
- C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_comm_customer.exe
  "C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_comm_customer.exe" "Action=SetupUnattendedSilent&DownloadServer=https://launch.getgo.com&EGWAddress=216.115.218.197&EGWDNS=egw1.express.gotoassist.com&EGWPort=8200,80,443&Language=en_US&LoaderPath=C:\Windows\Installer\MSIB8A7.tmp&LogName=C:\Users\Admin\AppData\Local\Temp\LogMeInLogs\GoToAssist Remote Support Customer\1575\20240824_233517\GoToAssist Remote Support Customer.LOG&LogPath=C:\Users\Admin\AppData\Local\Temp\LogMeInLogs\GoToAssist Remote Support Customer\1575\20240824_233517\&Mode=Normal&ResourceDll=g2ax_customer_resource_win32_x86_en_US.dll&RestartReason=Start&RunningAsService=YES&ServiceAllowed=Yes&Start=service&StartAsService=Yes&StartID={45CB397D-781F-4B69-955E-7EB5F5BDC348}&Stat=On&StatDb=On&Trigger=Web&UnattendedSetupToken=5331656515450037371&UniqueId=2804&WebsiteUrl=http://support.gotoassist.com&locale=en_US"
  2⤵
  - Drops file in System32 directory
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1036
- - C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_system_customer.exe
    "C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_system_customer.exe" "StartID={70E19351-2945-4920-9883-C93CF275C1AC}&ResourceDll=g2ax_customer_resource_win32_x86_en_US.dll&RunningAsService=YES&Debug=Off&Stat=On&StatDb=On&Index=0"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1584
- - C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_user_customer.exe
    "C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_user_customer.exe" "StartID={45CB397D-781F-4B69-955E-7EB5F5BDC348}&ResourceDll=g2ax_customer_resource_win32_x86_en_US.dll&RunningAsService=YES&Debug=Off&Stat=On&StatDb=On&Index=0"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f76b7de.rbs

Filesize
7KB

MD5
b71ce00b6e62170a057daf48d4c5c785

SHA1
39393e1b304845b7564c9c43cf69928a202a5e53

SHA256
2c283bb3616683f635ed584b8c46a339d89daafd538781f4684176cd74db3b4f

SHA512
101ce465fae6336063d8abdc5bd3a52ee916faea4e91953df2ede797a2530cad8936f9a6010b0fd102b88236f425a2faa6b7e533b5fa7e6a60bc4ab90c160821

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D84E548583BE1EE7DB5A935821009D26_5B98B6CD6E69202676965CF5B0E2A7A7

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D84E548583BE1EE7DB5A935821009D26_5B98B6CD6E69202676965CF5B0E2A7A7

Filesize
416B

MD5
4d924daa70bf1f66c6f3f65ec847f65d

SHA1
3ca88ebd50d1734d44e2f4549f6812c121262806

SHA256
6eae2b9c848b355cdd0ba57cbae2b8779ea80f9f3b5b21b18c3b13ed93066409

SHA512
265edd38d792c7e0998aaf65835dcac8d198dad976765a5bc74c2e6697dfa04bcfabd56c04cd1f2d7fb1a792db93046d30a454db606c2b8af36e78e6a9b78e72

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC7C4.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aBA2B.tmp\g2ax_combined_customer.dll

Filesize
9.0MB

MD5
b281109807f069ee71ad44a5c2ed4638

SHA1
88d58db2ea9d8ab72504ad3933acedd69c919cf7

SHA256
3d8d246a69eb0a66c52d8a713c2797b28d05e7c2ac9157fea5692bf6e9dfdda8

SHA512
11fb0515904a24a041c02f89819b43cf30e4b791eac559084c0ab90c458ed46d0aff2ab9fe4e4a1e9c915d080eff212754d68643c67e4690237dab6a67cd2249

Download Submit
C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aBA2B.tmp\g2ax_credential_provider.dll

Filesize
113KB

MD5
6acbff3ffbf1d3b4ef2e590807b82a7f

SHA1
0f781965145db5d9c97e471b8bc7236dee81c71c

SHA256
e870ce924d6797c053a14647184ad9d7e6bf641c2c1de901e747449964afdb22

SHA512
734aaa7ca45209c7d67e743c7bd43130da709d3503ee3a127919aa676c7e9cc932707522e0355d8e17b8bb02dbb53109c7df9ddef7c118814e5a4f04ce712139

Download Submit
C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aBA2B.tmp\g2ax_credential_provider64.dll

Filesize
122KB

MD5
2f9bde855a7df5ab1a5d4bc549170064

SHA1
dab528bd0e4054926d4646d762f08d85e164c469

SHA256
ee0432569bfadee88267ae64d2b11a6d258225c74358f142afa4bec8d6236dd5

SHA512
ce19050bc003f290172efab577bfa36ca17bb5e5b9efd4e4443ca037f59a1ea2ac635ae1592d51354485df0ef274f0516a3501228f11edd16ef1c6d723820afb

Download Submit
C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aBA2B.tmp\g2ax_customer_resource_win32_x86_de.dll

Filesize
2.7MB

MD5
95d28b0ae03c0e0dbebaac0354bd665d

SHA1
16ad8de089f85810678235cac2a332069e4a757e

SHA256
2e0fd5b081c3a35f97fc15a37d254c46e09a57724dae50853cd6f7675b5502bd

SHA512
5ec5d5d1b113c633364181411516b7de8e4ebf47d1bdbdb5cabec06a040671f5e69540b9b0f067fec593d26f6d1d97ca764c50d2adbd768b1e3cbf91b758ad27

Download Submit
C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aBA2B.tmp\g2ax_customer_resource_win32_x86_en_US.dll

Filesize
2.7MB

MD5
626dc7beea7eef7dbbad77b3f693eb49

SHA1
1e25d0ca6c7678bb3775728bdd631f2bfe79ebc0

SHA256
5bea8b91ed32fe2b925a8942a2706d8b84d75b00cac8f4ec1009c911a201a6f9

SHA512
a1609e5949721165773fec457f798ea9083257b19eeeafb3d40382f9763392862a976f2b892b6dadfe1df6c83e70b496c10ce688440fa5d97c78c6a0821d165a

Download Submit
C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aBA2B.tmp\g2ax_customer_resource_win32_x86_es.dll

Filesize
2.7MB

MD5
d4b3e89862a5b2583b6da76aa12e225c

SHA1
2f158da475e5a20f8e7c9b7effa7295fc07e7fd9

SHA256
5bac52692ea070aa9a6cb4655ca1346818235e79d4ac234127c87f9bd26de5d2

SHA512
2e792fa40569198a52df8796328ee0e6c93da9b861599e04bd0c0c7430b1c368c5ef60ca0bcda9297dcffd3e9312cdf12d62fdfd3febff4ec4a0ec55d2607a7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aBA2B.tmp\g2ax_customer_resource_win32_x86_fr.dll

Filesize
2.7MB

MD5
cdb5345e298d427450fe244a2e1cd16c

SHA1
e2e3402696090998174f686128af6d5791dd725a

SHA256
a476086f0c10426df4880f77e7333fa9aaab088421b5b9fab4937a65d734c817

SHA512
f036d3b164b3983f4684d3e3383ed2a67ebd674b5ea4d764189b429b3cecc81f5b0a4bf8a4e6e6d7e2aac27b7fb6edaf909835d2890000d3aded887e20776141

Download Submit
C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aBA2B.tmp\g2ax_customer_resource_win32_x86_it.dll

Filesize
2.7MB

MD5
4c6d97f5793a8806d1b07f7805c1290f

SHA1
6ed0ae206d5e3fd7cb19634aef5f0055f0832d83

SHA256
3798840e3ddf8025648420c2971c4434608f908bfd83437c239220e28e925323

SHA512
c13fba4f00340ab3be3b1f58bdd17fd1d3e95c1819b7a8d82b8e6cb7bc8bece9cf2d97ede47e57b062bb8008031f58b36934a5da0c452e17309f832b42b5e2ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aBA2B.tmp\g2ax_customer_resource_win32_x86_pt.dll

Filesize
2.7MB

MD5
42accada99f11973893559eb80dbd7cc

SHA1
9ed76304bf4af87210044d9fcbcb62f2f6f49fce

SHA256
c07707fdee8d761999bd63e44fdca04503ccbb2fde1e02d2eab6d3f99744840a

SHA512
24177df97a981f2a5d0896d143b3f8057631a17ab18e00bf540b70a921d66f5876ee0985e4b32165fabedefebc0ad1329be4860619b1ea40274cfe2beaf0d696

Download Submit
C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aBA2B.tmp\g2ax_exe_customer_adminui.exe

Filesize
599KB

MD5
139e140841795d1d3b31ca9f0d2a18f0

SHA1
c8348ffcc2792edf84c7d0a60af9fced0cee74d2

SHA256
814f387ab117191bc9cf9c33743bd792735237354ec83df4e014c7e7bc1e46ba

SHA512
98bf1f4043ccd59bb2c86b56dda9b30426160cb093585e9378cd5930ab8d5485591ea1f59196fb64ec3e0cc2845bdf43d936e8ae303914df56a8bd82b9fcd42b

Download Submit
C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aBA2B.tmp\g2ax_installer_customer_admin.exe

Filesize
599KB

MD5
d4ee9d0af2825048d4bfd48f48bd464b

SHA1
a3a25e68132a4288b6b394623fd206fbf8899092

SHA256
e1ae8e4f45552d82ea9154a02d7b900f42cad77777d6b6d6872f3f96efde491c

SHA512
ff6a70d7edb1e0aef632027e50b264bfed1aa27bcf114c65b79da7894b6f2b48675d78bc698f0006973f24a9ca465ffb5ae82600d5f065dba14593ade31ffc47

Download Submit
C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aBA2B.tmp\g2ax_processfactory.exe

Filesize
680KB

MD5
63f225100403cd9d98e5c20a2f13c7f9

SHA1
e4152545009c0bcbdbb9bed52f2935d55ba7da01

SHA256
450ba2dc70b1bbb9cd808be082cc90ee2be2e27e678d37b27400a90e0e4463f8

SHA512
58886a5b9455e56e86b227c7a49535b638a9379ab8752c58d8560987c7585d7a42eac2e88b19c82a52f8eb13aabfc436ada14673878a80667ae30b369a1ed409

Download Submit
C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aBA2B.tmp\g2ax_winlogon.dll

Filesize
598KB

MD5
8b64004a064179c50ab204cb8baacdb1

SHA1
357fe1c8cc37ff7a7c064ed6f49360692a4a8254

SHA256
20b7b7290d17b2b3b9d6bb01d7f540dcd780944a9a2873d641e973433173a781

SHA512
0ce7693c4c54db616f1c30899bbe77f4a6033ee034a389d032dcc3e8c84d3361f3beaab82508c69e1b8a4b4104590953c2a9abef354680043a2964fd8106af74

Download Submit
C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aBA2B.tmp\g2ax_winlogonx64.dll

Filesize
599KB

MD5
234f00413858db80b4b51c1abede4152

SHA1
e2606f11691de55ac8f491050abbcbe71c0ad1ba

SHA256
c5daa86b380ed04bc2ec92bbe74c8aff958edeabd240411b7ecb7f5721ba548d

SHA512
0a242a4516cfa722e35f5cb9a6e815d03e00b63e8ef648532526e8a0d228f4d00c2367d65bf402d1c564a208e1d5747b2ba1350bc0e637743373898fc37cd41c

Download Submit
C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aBA2B.tmp\uninshlp.dll

Filesize
20KB

MD5
0868827e42db552e5427f277fedf1e6b

SHA1
9fb59bbb4edbcc98fdb36ffff378d0bb9ddcc4fb

SHA256
f6684c5dbce46be754e61da86757278bb6a9c7def6810504a1dc389920b5d38a

SHA512
607064c1bc4aa627dc130d3a34d19bd512324bb9bd91ceaa6bcb20f0e218d070ef7021c921318a4d6474e95979bd569c2776b414269aeade5fa884876d58c3d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC853.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\Installer\MSIB8A7.tmp

Filesize
3.6MB

MD5
10691eb99593e235b86d018ebaf7d4e6

SHA1
35e0444bb572f3890f327afc1feba32e9833d5b4

SHA256
4e945ddc84443a2ac2f845693461a7bda2ab07b24eb3b980c1b86dd5f2d8ed2b

SHA512
10e1ee6fa616d92d1bc5bca358321c0fd4b18767a7eb7fd7bdf19c3302b23163a37e904f162d57097d40ca10b68494c7f5d029db4f9f91ac62351c48d150377f

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
59601a27bdb5c494a10d6632a7e3e507

SHA1
af9f44536264da7e958b5a1b4ab6565c6eb00308

SHA256
5e3846858e2582bac8be79a9ed88b599a739293123c2df8f548c3067a80ea545

SHA512
56e0d2d4214532408266a9bd943b2aa5271013f2227a0afe7af4ac1206d1fc1de206323f1bd2760db6fcee279822b17cc2a20eebb33f548f963ccbca5a5e382e

Download Submit
\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aBA2B.tmp\g2ax_installer_customer.exe

Filesize
599KB

MD5
7c9b0bde69c16ece846a56106b11dbfa

SHA1
80c42eb9351f611a395256531c5ed4931be981cf

SHA256
02d19f030b1f116c26bc3d1e6b03071b6f13ce7c7ea499603a5dfd571f3a96b6

SHA512
7826faa0627a5e57cd4ad3076391cec125314339d59ac6ad2e623a82522e870ecbc12b42b5868484550ede7e8d3012f06bef5463b624636aea3f0343ccdd810a

Download Submit
memory/2744-91-0x0000000000400000-0x000000000225E000-memory.dmp

Filesize
30.4MB

Download
memory/2744-223-0x0000000000400000-0x000000000225E000-memory.dmp

Filesize
30.4MB

Download
memory/2744-11-0x0000000000400000-0x000000000225E000-memory.dmp

Filesize
30.4MB

Download