30949949855ec60455a390a5f77ce7eaf52b3917a963a27ecc7dd1946862e852

Analysis

max time kernel
145s
max time network
153s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
24/08/2024, 23:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

[email protected]
Size

4.1MB
MD5

4dd7bd5bc7ad5494b39c033290136207
SHA1

aeac40777f86c172d8872643c9c537f53cdf1f5d
SHA256

30949949855ec60455a390a5f77ce7eaf52b3917a963a27ecc7dd1946862e852
SHA512

483c6099e920c5b36cd052e59b331d720cebbbf242d190c1b5383b5a7a6327abfc45f2311f58332822d4ec6f726722cf4f16f1c61071d10307a9a6a32849df37
SSDEEP

98304:0BZc4QcOiOqteN/+G5s5jmL0tipvHYzlgpwS+nqA5:IzOVq29mJmgw0gpwSa

Score

7^/10

discovery evasion persistence privilege_escalation spyware stealer trojan upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000700000001ac5c-14.dat	upx
behavioral2/memory/2820-15-0x0000000000400000-0x000000000225E000-memory.dmp	upx
behavioral2/memory/2820-44-0x0000000000400000-0x000000000225E000-memory.dmp	upx
behavioral2/memory/2820-125-0x0000000000400000-0x000000000225E000-memory.dmp	upx

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	g2ax_installer_customer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MSI9F11.tmp

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe

Modifies WinLogon 2 TTPs 9 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GoToAssist Express Customer	g2ax_service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify	g2ax_service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GoToAssist Express Customer\DLLName = "C:\\Program Files (x86)\\GoToAssist Remote Support Customer\\1575\\g2ax_winlogonx64.dll"	g2ax_service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GoToAssist Express Customer\Logoff = "Logoff"	g2ax_service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GoToAssist Express Customer\Startup = "Startup"	g2ax_service.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GoToAssist Express Customer\Asynchronous = "0"	g2ax_service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GoToAssist Express Customer\Logon = "Logon"	g2ax_service.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GoToAssist Express Customer\Impersonate = "0"	g2ax_service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GoToAssist Express Customer\Shutdown = "Shutdown"	g2ax_service.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\g2ax_credential_provider64_1575.dll	g2ax_service.exe
File opened for modification	C:\Windows\system32\g2ax_credential_provider64_1575.dll	g2ax_service.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 26 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_customer_resource_win32_x86_pt.dll	g2ax_installer_customer.exe
File opened for modification	C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\uninshlp.dll	g2ax_installer_customer.exe
File created	C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_installer_customer.exe	g2ax_installer_customer.exe
File created	C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_user_high_customer.exe	g2ax_installer_customer.exe
File created	C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_winlogon.dll	g2ax_installer_customer.exe
File created	C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_customer_resource_win32_x86_it.dll	g2ax_installer_customer.exe
File created	C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_processfactory.exe	g2ax_installer_customer.exe
File created	C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_user_customer.exe	g2ax_installer_customer.exe
File created	C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_user_medium_customer.exe	g2ax_installer_customer.exe
File created	C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_comm_customer.exe	g2ax_installer_customer.exe
File created	C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_customer_resource_win32_x86_es.dll	g2ax_installer_customer.exe
File created	C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_winlogonx64.dll	g2ax_installer_customer.exe
File created	C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_credential_provider64.dll	g2ax_installer_customer.exe
File created	C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_combined_customer.dll	g2ax_installer_customer.exe
File created	C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_uninstaller_customer.exe	g2ax_installer_customer.exe
File created	C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_system_customer.exe	g2ax_installer_customer.exe
File created	C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\shortcuts.txt	g2ax_service.exe
File created	C:\Program Files (x86)\_x_CInstB+TEST_x_0\_x_CInstB+TEST_x_0	g2ax_installer_customer.exe
File created	C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_credential_provider.dll	g2ax_installer_customer.exe
File created	C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_customer_resource_win32_x86_en_US.dll	g2ax_installer_customer.exe
File created	C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_customer_resource_win32_x86_de.dll	g2ax_installer_customer.exe
File created	C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_customer_resource_win32_x86_fr.dll	g2ax_installer_customer.exe
File created	C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\uninshlp.dll	g2ax_installer_customer.exe
File created	C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_service.exe	g2ax_installer_customer.exe
File created	C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_host.exe	g2ax_installer_customer.exe
File created	C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_host_service.exe	g2ax_installer_customer.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9EEF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9F11.tmp	msiexec.exe
File created	C:\Windows\Installer\e579e57.msi	msiexec.exe
File created	C:\Windows\Installer\e579e53.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e579e53.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{8986461A-C5B9-4E8B-827A-FA68F3411575}	msiexec.exe

Executes dropped EXE 8 IoCs

pid	Process
2820	MSI9F11.tmp
1312	g2ax_installer_customer.exe
2060	g2ax_service.exe
2208	g2ax_service.exe
5076	g2ax_service.exe
4016	g2ax_comm_customer.exe
2104	g2ax_system_customer.exe
8	g2ax_user_customer.exe

Loads dropped DLL 8 IoCs

pid	Process
1312	g2ax_installer_customer.exe
2060	g2ax_service.exe
2208	g2ax_service.exe
5076	g2ax_service.exe
4016	g2ax_comm_customer.exe
2104	g2ax_system_customer.exe
8	g2ax_user_customer.exe
1032	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
2828	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	g2ax_comm_customer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	g2ax_system_customer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	g2ax_user_customer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSI9F11.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	g2ax_installer_customer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	g2ax_service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	g2ax_service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	g2ax_service.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	svchost.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\LogMeInInc\GoToAssist\ConnectionInfo	g2ax_comm_customer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\LogMeInInc\GoToAssist\ConnectionInfo\LastGood	g2ax_comm_customer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\LogMeInInc	g2ax_comm_customer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\LogMeInInc\GoToAssist	g2ax_comm_customer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\LogMeInInc\GoToAssist\ConnectionInfo\LastGood\Proto1\Method = "32"	g2ax_comm_customer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\LogMeInInc\GoToAssist\ConnectionInfo\LastGood\Proto1\Flags = "1"	g2ax_comm_customer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\LogMeInInc\GoToAssist\ConnectionInfo\LastGood\Proto1\OriginalDetector = "4"	g2ax_comm_customer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\LogMeInInc\GoToAssist\AuthInfo	g2ax_comm_customer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\LogMeInInc\GoToAssist\ConnectionInfo\LastGood\Proto1\TargetPort = "443"	g2ax_comm_customer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\LogMeInInc\GoToAssist\ConnectionInfo\LastGood\Proto1	g2ax_comm_customer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\LogMeInInc\GoToAssist\ConnectionInfo\LastGood\Proto1\Proto = "1"	g2ax_comm_customer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	g2ax_comm_customer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	g2ax_comm_customer.exe

Modifies registry class 30 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{D7222C15-96C7-40f1-97A7-EB3D057EA80C}\LocalService = "GoToAssist Remote Support Customer"	g2ax_service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{45CB397D-781F-4B69-955E-7EB5F5BDC348}\AppID = "{D7222C15-96C7-40f1-97A7-EB3D057EA80C}"	g2ax_service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D025C57A-763E-4B14-B580-9B5B161F08BB}\InprocServer32\ = "C:\\Windows\\system32\\g2ax_credential_provider64_1575.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{45CB397D-781F-4B69-955E-7EB5F5BDC348}\VersionIndependentProgID\ = "GoToAssist Remote Support Customer.g2ax_StartHereLoader"	g2ax_service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GoToAssist Remote Support Customer.g2ax_StartHereLoader\ = "g2ax_StartHereLoader"	g2ax_service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GoToAssist Remote Support Customer.g2ax_StartHereLoader\CLSID\ = "{45CB397D-781F-4B69-955E-7EB5F5BDC348}"	g2ax_service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GoToAssist Remote Support Customer.g2ax_StartHereLoader.2\ = "g2ax_StartHereLoader"	g2ax_service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\\{D7222C15-96C7-40f1-97A7-EB3D057EA80C}	g2ax_service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{D7222C15-96C7-40f1-97A7-EB3D057EA80C}\ = "GoToAssist Remote Support Customer"	g2ax_service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{45CB397D-781F-4B69-955E-7EB5F5BDC348}	g2ax_service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{45CB397D-781F-4B69-955E-7EB5F5BDC348}\ = "g2ax_StartHereLoader"	g2ax_service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{45CB397D-781F-4B69-955E-7EB5F5BDC348}\VersionIndependentProgID	g2ax_service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GoToAssist Remote Support Customer.g2ax_StartHereLoader.2\CLSID\ = "{45CB397D-781F-4B69-955E-7EB5F5BDC348}"	g2ax_service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\\g2ax_service.exe	g2ax_service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{D7222C15-96C7-40f1-97A7-EB3D057EA80C}\ServiceParameters = "-Service"	g2ax_service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{45CB397D-781F-4B69-955E-7EB5F5BDC348}\LocalServer32\ = "C:\\Program Files (x86)\\GoToAssist Remote Support Customer\\1575\\g2ax_service.exe"	g2ax_service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{45CB397D-781F-4B69-955E-7EB5F5BDC348}\ProgID	g2ax_service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GoToAssist Remote Support Customer.g2ax_StartHereLoader	g2ax_service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GoToAssist Remote Support Customer.g2ax_StartHereLoader\CurVer\ = "GoToAssist Remote Support Customer.g2ax_StartHereLoader.2"	g2ax_service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GoToAssist Remote Support Customer.g2ax_StartHereLoader.2	g2ax_service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D025C57A-763E-4B14-B580-9B5B161F08BB}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GoToAssist Remote Support Customer.g2ax_StartHereLoader\CLSID	g2ax_service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\g2ax_service.exe\AppID = "{D7222C15-96C7-40f1-97A7-EB3D057EA80C}"	g2ax_service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D025C57A-763E-4B14-B580-9B5B161F08BB}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{45CB397D-781F-4B69-955E-7EB5F5BDC348}\LocalServer32	g2ax_service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{45CB397D-781F-4B69-955E-7EB5F5BDC348}\ProgID\ = "GoToAssist Remote Support Customer.g2ax_StartHereLoader.2"	g2ax_service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GoToAssist Remote Support Customer.g2ax_StartHereLoader.2\CLSID	g2ax_service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D025C57A-763E-4B14-B580-9B5B161F08BB}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GoToAssist Remote Support Customer.g2ax_StartHereLoader\CurVer	g2ax_service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D025C57A-763E-4B14-B580-9B5B161F08BB}\ = "CredentialProvider"	regsvr32.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	g2ax_installer_customer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 040000000100000010000000cb17e431673ee209fe455793f30afa1c0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c953000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030109000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df1400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3617e000000010000000800000000c0032f2df8d6016800000001000000000000000300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e5190000000100000010000000d8b5fb368468620275d142ffd2aade372000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	g2ax_installer_customer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 5c000000010000000400000000080000190000000100000010000000d8b5fb368468620275d142ffd2aade370300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e56800000001000000000000007e000000010000000800000000c0032f2df8d6011d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331336200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df09000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703017f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c9040000000100000010000000cb17e431673ee209fe455793f30afa1c2000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	g2ax_installer_customer.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4916	msiexec.exe
4916	msiexec.exe
4016	g2ax_comm_customer.exe
4016	g2ax_comm_customer.exe
2104	g2ax_system_customer.exe
2104	g2ax_system_customer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2828	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2828	msiexec.exe
Token: SeSecurityPrivilege	4916	msiexec.exe
Token: SeCreateTokenPrivilege	2828	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2828	msiexec.exe
Token: SeLockMemoryPrivilege	2828	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2828	msiexec.exe
Token: SeMachineAccountPrivilege	2828	msiexec.exe
Token: SeTcbPrivilege	2828	msiexec.exe
Token: SeSecurityPrivilege	2828	msiexec.exe
Token: SeTakeOwnershipPrivilege	2828	msiexec.exe
Token: SeLoadDriverPrivilege	2828	msiexec.exe
Token: SeSystemProfilePrivilege	2828	msiexec.exe
Token: SeSystemtimePrivilege	2828	msiexec.exe
Token: SeProfSingleProcessPrivilege	2828	msiexec.exe
Token: SeIncBasePriorityPrivilege	2828	msiexec.exe
Token: SeCreatePagefilePrivilege	2828	msiexec.exe
Token: SeCreatePermanentPrivilege	2828	msiexec.exe
Token: SeBackupPrivilege	2828	msiexec.exe
Token: SeRestorePrivilege	2828	msiexec.exe
Token: SeShutdownPrivilege	2828	msiexec.exe
Token: SeDebugPrivilege	2828	msiexec.exe
Token: SeAuditPrivilege	2828	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2828	msiexec.exe
Token: SeChangeNotifyPrivilege	2828	msiexec.exe
Token: SeRemoteShutdownPrivilege	2828	msiexec.exe
Token: SeUndockPrivilege	2828	msiexec.exe
Token: SeSyncAgentPrivilege	2828	msiexec.exe
Token: SeEnableDelegationPrivilege	2828	msiexec.exe
Token: SeManageVolumePrivilege	2828	msiexec.exe
Token: SeImpersonatePrivilege	2828	msiexec.exe
Token: SeCreateGlobalPrivilege	2828	msiexec.exe
Token: SeBackupPrivilege	1564	vssvc.exe
Token: SeRestorePrivilege	1564	vssvc.exe
Token: SeAuditPrivilege	1564	vssvc.exe
Token: SeBackupPrivilege	4916	msiexec.exe
Token: SeRestorePrivilege	4916	msiexec.exe
Token: SeRestorePrivilege	4916	msiexec.exe
Token: SeTakeOwnershipPrivilege	4916	msiexec.exe
Token: SeRestorePrivilege	4916	msiexec.exe
Token: SeTakeOwnershipPrivilege	4916	msiexec.exe
Token: SeRestorePrivilege	4916	msiexec.exe
Token: SeTakeOwnershipPrivilege	4916	msiexec.exe
Token: SeRestorePrivilege	4916	msiexec.exe
Token: SeTakeOwnershipPrivilege	4916	msiexec.exe
Token: SeBackupPrivilege	704	srtasks.exe
Token: SeRestorePrivilege	704	srtasks.exe
Token: SeSecurityPrivilege	704	srtasks.exe
Token: SeTakeOwnershipPrivilege	704	srtasks.exe
Token: SeBackupPrivilege	704	srtasks.exe
Token: SeRestorePrivilege	704	srtasks.exe
Token: SeSecurityPrivilege	704	srtasks.exe
Token: SeTakeOwnershipPrivilege	704	srtasks.exe
Token: SeTcbPrivilege	2104	g2ax_system_customer.exe
Token: SeTcbPrivilege	4016	g2ax_comm_customer.exe
Token: SeRestorePrivilege	4916	msiexec.exe
Token: SeTakeOwnershipPrivilege	4916	msiexec.exe
Token: SeRestorePrivilege	4916	msiexec.exe
Token: SeTakeOwnershipPrivilege	4916	msiexec.exe
Token: SeRestorePrivilege	4916	msiexec.exe
Token: SeTakeOwnershipPrivilege	4916	msiexec.exe
Token: SeRestorePrivilege	4916	msiexec.exe
Token: SeTakeOwnershipPrivilege	4916	msiexec.exe
Token: SeRestorePrivilege	4916	msiexec.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
2828	msiexec.exe
2828	msiexec.exe
8	g2ax_user_customer.exe
8	g2ax_user_customer.exe
8	g2ax_user_customer.exe
8	g2ax_user_customer.exe
8	g2ax_user_customer.exe
8	g2ax_user_customer.exe
8	g2ax_user_customer.exe
8	g2ax_user_customer.exe
8	g2ax_user_customer.exe
8	g2ax_user_customer.exe
8	g2ax_user_customer.exe
8	g2ax_user_customer.exe
8	g2ax_user_customer.exe
8	g2ax_user_customer.exe
8	g2ax_user_customer.exe
8	g2ax_user_customer.exe
8	g2ax_user_customer.exe
8	g2ax_user_customer.exe
8	g2ax_user_customer.exe
8	g2ax_user_customer.exe
8	g2ax_user_customer.exe
8	g2ax_user_customer.exe
8	g2ax_user_customer.exe
8	g2ax_user_customer.exe
8	g2ax_user_customer.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
8	g2ax_user_customer.exe
8	g2ax_user_customer.exe
8	g2ax_user_customer.exe
8	g2ax_user_customer.exe
8	g2ax_user_customer.exe
8	g2ax_user_customer.exe
8	g2ax_user_customer.exe
8	g2ax_user_customer.exe
8	g2ax_user_customer.exe
8	g2ax_user_customer.exe
8	g2ax_user_customer.exe
8	g2ax_user_customer.exe
8	g2ax_user_customer.exe
8	g2ax_user_customer.exe
8	g2ax_user_customer.exe
8	g2ax_user_customer.exe
8	g2ax_user_customer.exe
8	g2ax_user_customer.exe
8	g2ax_user_customer.exe
8	g2ax_user_customer.exe
8	g2ax_user_customer.exe
8	g2ax_user_customer.exe
8	g2ax_user_customer.exe
8	g2ax_user_customer.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 4916 wrote to memory of 704	4916	msiexec.exe	78
PID 4916 wrote to memory of 704	4916	msiexec.exe	78
PID 4916 wrote to memory of 2820	4916	msiexec.exe	80
PID 4916 wrote to memory of 2820	4916	msiexec.exe	80
PID 4916 wrote to memory of 2820	4916	msiexec.exe	80
PID 2820 wrote to memory of 1312	2820	MSI9F11.tmp	81
PID 2820 wrote to memory of 1312	2820	MSI9F11.tmp	81
PID 2820 wrote to memory of 1312	2820	MSI9F11.tmp	81
PID 1312 wrote to memory of 2060	1312	g2ax_installer_customer.exe	82
PID 1312 wrote to memory of 2060	1312	g2ax_installer_customer.exe	82
PID 1312 wrote to memory of 2060	1312	g2ax_installer_customer.exe	82
PID 1312 wrote to memory of 2208	1312	g2ax_installer_customer.exe	83
PID 1312 wrote to memory of 2208	1312	g2ax_installer_customer.exe	83
PID 1312 wrote to memory of 2208	1312	g2ax_installer_customer.exe	83
PID 5076 wrote to memory of 4016	5076	g2ax_service.exe	85
PID 5076 wrote to memory of 4016	5076	g2ax_service.exe	85
PID 5076 wrote to memory of 4016	5076	g2ax_service.exe	85
PID 4016 wrote to memory of 2104	4016	g2ax_comm_customer.exe	88
PID 4016 wrote to memory of 2104	4016	g2ax_comm_customer.exe	88
PID 4016 wrote to memory of 2104	4016	g2ax_comm_customer.exe	88
PID 4016 wrote to memory of 8	4016	g2ax_comm_customer.exe	90
PID 4016 wrote to memory of 8	4016	g2ax_comm_customer.exe	90
PID 4016 wrote to memory of 8	4016	g2ax_comm_customer.exe	90
PID 5076 wrote to memory of 1032	5076	g2ax_service.exe	92
PID 5076 wrote to memory of 1032	5076	g2ax_service.exe	92

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\[email protected]
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2828

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4916
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:704
- C:\Windows\Installer\MSI9F11.tmp
  "C:\Windows\Installer\MSI9F11.tmp" /FromMSI
  2⤵
  - Checks whether UAC is enabled
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aA0F3.tmp\g2ax_installer_customer.exe
    "C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aA0F3.tmp\g2ax_installer_customer.exe " "/Action SetupUnattendedSilent" "/DownloadServer https://launch.getgo.com" "/EGWAddress 216.115.218.197" "/EGWDNS egw1.express.gotoassist.com" "/EGWPort 8200,80,443" /FromMSI "/Language en_US" "/LoaderPath C:\Windows\Installer\MSI9F11.tmp" "/LogPath C:\Users\Admin\AppData\Local\Temp\LogMeInLogs\GoToAssist Remote Support Customer\1575\20240824_233524\" "/Mode Normal" "/RestartReason Start" "/ServiceAllowed Yes" "/StartAsService Yes" "/Stat On" "/StatDb On" "/Trigger Web" "/UnattendedSetupToken 5331656515450037371" "/WebsiteUrl http://support.gotoassist.com" "/locale en_US" "/silent"
    3⤵
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious use of WriteProcessMemory
    PID:1312
  - - C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_service.exe
      "C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_service.exe" "Start=install_manual&Action=SetupUnattendedSilent&DownloadServer=https://launch.getgo.com&EGWAddress=216.115.218.197&EGWDNS=egw1.express.gotoassist.com&EGWPort=8200,80,443&Language=en_US&LoaderPath=C:\Windows\Installer\MSI9F11.tmp&LogPath=C:\Users\Admin\AppData\Local\Temp\LogMeInLogs\GoToAssist Remote Support Customer\1575\20240824_233524\&Mode=Normal&RestartReason=Start&ServiceAllowed=Yes&StartAsService=Yes&Stat=On&StatDb=On&Trigger=Web&UnattendedSetupToken=5331656515450037371&WebsiteUrl=http://support.gotoassist.com&locale=en_US"
      4⤵
      Modifies WinLogon
      Drops file in Program Files directory
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:2060
  - - C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_service.exe
      "C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_service.exe" "Start=start_session&Action=SetupUnattendedSilent&DownloadServer=https://launch.getgo.com&EGWAddress=216.115.218.197&EGWDNS=egw1.express.gotoassist.com&EGWPort=8200,80,443&Language=en_US&LoaderPath=C:\Windows\Installer\MSI9F11.tmp&LogPath=C:\Users\Admin\AppData\Local\Temp\LogMeInLogs\GoToAssist Remote Support Customer\1575\20240824_233524\&Mode=Normal&RestartReason=Start&ServiceAllowed=Yes&StartAsService=Yes&Stat=On&StatDb=On&Trigger=Web&UnattendedSetupToken=5331656515450037371&WebsiteUrl=http://support.gotoassist.com&locale=en_US"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2208

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1564

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:916

C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_service.exe
"C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_service.exe" "Start=service"
1⤵
- Drops file in System32 directory
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5076
- C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_comm_customer.exe
  "C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_comm_customer.exe" "Action=SetupUnattendedSilent&DownloadServer=https://launch.getgo.com&EGWAddress=216.115.218.197&EGWDNS=egw1.express.gotoassist.com&EGWPort=8200,80,443&Language=en_US&LoaderPath=C:\Windows\Installer\MSI9F11.tmp&LogName=C:\Users\Admin\AppData\Local\Temp\LogMeInLogs\GoToAssist Remote Support Customer\1575\20240824_233524\GoToAssist Remote Support Customer.LOG&LogPath=C:\Users\Admin\AppData\Local\Temp\LogMeInLogs\GoToAssist Remote Support Customer\1575\20240824_233524\&Mode=Normal&ResourceDll=g2ax_customer_resource_win32_x86_en_US.dll&RestartReason=Start&RunningAsService=YES&ServiceAllowed=Yes&Start=service&StartAsService=Yes&StartID={45CB397D-781F-4B69-955E-7EB5F5BDC348}&Stat=On&StatDb=On&Trigger=Web&UnattendedSetupToken=5331656515450037371&UniqueId=5076&WebsiteUrl=http://support.gotoassist.com&locale=en_US"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4016
- - C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_system_customer.exe
    "C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_system_customer.exe" "StartID={D86B0088-ACAF-4990-A838-15B184534BE8}&ResourceDll=g2ax_customer_resource_win32_x86_en_US.dll&RunningAsService=YES&Debug=Off&Stat=On&StatDb=On&Index=0"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2104
- - C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_user_customer.exe
    "C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_user_customer.exe" "StartID={45CB397D-781F-4B69-955E-7EB5F5BDC348}&ResourceDll=g2ax_customer_resource_win32_x86_en_US.dll&RunningAsService=YES&Debug=Off&Stat=On&StatDb=On&Index=0"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:8
- C:\Windows\system32\regsvr32.exe
  "C:\Windows\system32\regsvr32.exe" /s C:\Windows\system32\g2ax_credential_provider64_1575.dll
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:1032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Installer Packages

T1546.016

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Installer Packages

T1546.016

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e579e56.rbs

Filesize
8KB

MD5
e95b3af7ebeb04635a9488bb8024d5ff

SHA1
767681f15fa301b2bd7211d398801518bc59118b

SHA256
1d761b099a25b9d12e1254d924051552546b92ac2af3d04dbb1a6a3e1af7f0bb

SHA512
172e0da8b946a0d645147ecb38e40eef30b73adc168f35cbeba1d2f5a53cd4f03cad9f9da819a65a85aef281bc6919ab01f4e8e1486df5908dbcac8f2ed24f05

Download Submit
C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aA0F3.tmp\g2ax_combined_customer.dll

Filesize
9.0MB

MD5
b281109807f069ee71ad44a5c2ed4638

SHA1
88d58db2ea9d8ab72504ad3933acedd69c919cf7

SHA256
3d8d246a69eb0a66c52d8a713c2797b28d05e7c2ac9157fea5692bf6e9dfdda8

SHA512
11fb0515904a24a041c02f89819b43cf30e4b791eac559084c0ab90c458ed46d0aff2ab9fe4e4a1e9c915d080eff212754d68643c67e4690237dab6a67cd2249

Download Submit
C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aA0F3.tmp\g2ax_credential_provider.dll

Filesize
113KB

MD5
6acbff3ffbf1d3b4ef2e590807b82a7f

SHA1
0f781965145db5d9c97e471b8bc7236dee81c71c

SHA256
e870ce924d6797c053a14647184ad9d7e6bf641c2c1de901e747449964afdb22

SHA512
734aaa7ca45209c7d67e743c7bd43130da709d3503ee3a127919aa676c7e9cc932707522e0355d8e17b8bb02dbb53109c7df9ddef7c118814e5a4f04ce712139

Download Submit
C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aA0F3.tmp\g2ax_credential_provider64.dll

Filesize
122KB

MD5
2f9bde855a7df5ab1a5d4bc549170064

SHA1
dab528bd0e4054926d4646d762f08d85e164c469

SHA256
ee0432569bfadee88267ae64d2b11a6d258225c74358f142afa4bec8d6236dd5

SHA512
ce19050bc003f290172efab577bfa36ca17bb5e5b9efd4e4443ca037f59a1ea2ac635ae1592d51354485df0ef274f0516a3501228f11edd16ef1c6d723820afb

Download Submit
C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aA0F3.tmp\g2ax_customer_resource_win32_x86_de.dll

Filesize
2.7MB

MD5
95d28b0ae03c0e0dbebaac0354bd665d

SHA1
16ad8de089f85810678235cac2a332069e4a757e

SHA256
2e0fd5b081c3a35f97fc15a37d254c46e09a57724dae50853cd6f7675b5502bd

SHA512
5ec5d5d1b113c633364181411516b7de8e4ebf47d1bdbdb5cabec06a040671f5e69540b9b0f067fec593d26f6d1d97ca764c50d2adbd768b1e3cbf91b758ad27

Download Submit
C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aA0F3.tmp\g2ax_customer_resource_win32_x86_en_US.dll

Filesize
2.7MB

MD5
626dc7beea7eef7dbbad77b3f693eb49

SHA1
1e25d0ca6c7678bb3775728bdd631f2bfe79ebc0

SHA256
5bea8b91ed32fe2b925a8942a2706d8b84d75b00cac8f4ec1009c911a201a6f9

SHA512
a1609e5949721165773fec457f798ea9083257b19eeeafb3d40382f9763392862a976f2b892b6dadfe1df6c83e70b496c10ce688440fa5d97c78c6a0821d165a

Download Submit
C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aA0F3.tmp\g2ax_customer_resource_win32_x86_es.dll

Filesize
2.7MB

MD5
d4b3e89862a5b2583b6da76aa12e225c

SHA1
2f158da475e5a20f8e7c9b7effa7295fc07e7fd9

SHA256
5bac52692ea070aa9a6cb4655ca1346818235e79d4ac234127c87f9bd26de5d2

SHA512
2e792fa40569198a52df8796328ee0e6c93da9b861599e04bd0c0c7430b1c368c5ef60ca0bcda9297dcffd3e9312cdf12d62fdfd3febff4ec4a0ec55d2607a7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aA0F3.tmp\g2ax_customer_resource_win32_x86_fr.dll

Filesize
2.7MB

MD5
cdb5345e298d427450fe244a2e1cd16c

SHA1
e2e3402696090998174f686128af6d5791dd725a

SHA256
a476086f0c10426df4880f77e7333fa9aaab088421b5b9fab4937a65d734c817

SHA512
f036d3b164b3983f4684d3e3383ed2a67ebd674b5ea4d764189b429b3cecc81f5b0a4bf8a4e6e6d7e2aac27b7fb6edaf909835d2890000d3aded887e20776141

Download Submit
C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aA0F3.tmp\g2ax_customer_resource_win32_x86_it.dll

Filesize
2.7MB

MD5
4c6d97f5793a8806d1b07f7805c1290f

SHA1
6ed0ae206d5e3fd7cb19634aef5f0055f0832d83

SHA256
3798840e3ddf8025648420c2971c4434608f908bfd83437c239220e28e925323

SHA512
c13fba4f00340ab3be3b1f58bdd17fd1d3e95c1819b7a8d82b8e6cb7bc8bece9cf2d97ede47e57b062bb8008031f58b36934a5da0c452e17309f832b42b5e2ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aA0F3.tmp\g2ax_customer_resource_win32_x86_pt.dll

Filesize
2.7MB

MD5
42accada99f11973893559eb80dbd7cc

SHA1
9ed76304bf4af87210044d9fcbcb62f2f6f49fce

SHA256
c07707fdee8d761999bd63e44fdca04503ccbb2fde1e02d2eab6d3f99744840a

SHA512
24177df97a981f2a5d0896d143b3f8057631a17ab18e00bf540b70a921d66f5876ee0985e4b32165fabedefebc0ad1329be4860619b1ea40274cfe2beaf0d696

Download Submit
C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aA0F3.tmp\g2ax_exe_customer_adminui.exe

Filesize
599KB

MD5
139e140841795d1d3b31ca9f0d2a18f0

SHA1
c8348ffcc2792edf84c7d0a60af9fced0cee74d2

SHA256
814f387ab117191bc9cf9c33743bd792735237354ec83df4e014c7e7bc1e46ba

SHA512
98bf1f4043ccd59bb2c86b56dda9b30426160cb093585e9378cd5930ab8d5485591ea1f59196fb64ec3e0cc2845bdf43d936e8ae303914df56a8bd82b9fcd42b

Download Submit
C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aA0F3.tmp\g2ax_installer_customer.exe

Filesize
599KB

MD5
7c9b0bde69c16ece846a56106b11dbfa

SHA1
80c42eb9351f611a395256531c5ed4931be981cf

SHA256
02d19f030b1f116c26bc3d1e6b03071b6f13ce7c7ea499603a5dfd571f3a96b6

SHA512
7826faa0627a5e57cd4ad3076391cec125314339d59ac6ad2e623a82522e870ecbc12b42b5868484550ede7e8d3012f06bef5463b624636aea3f0343ccdd810a

Download Submit
C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aA0F3.tmp\g2ax_installer_customer_admin.exe

Filesize
599KB

MD5
d4ee9d0af2825048d4bfd48f48bd464b

SHA1
a3a25e68132a4288b6b394623fd206fbf8899092

SHA256
e1ae8e4f45552d82ea9154a02d7b900f42cad77777d6b6d6872f3f96efde491c

SHA512
ff6a70d7edb1e0aef632027e50b264bfed1aa27bcf114c65b79da7894b6f2b48675d78bc698f0006973f24a9ca465ffb5ae82600d5f065dba14593ade31ffc47

Download Submit
C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aA0F3.tmp\g2ax_processfactory.exe

Filesize
680KB

MD5
63f225100403cd9d98e5c20a2f13c7f9

SHA1
e4152545009c0bcbdbb9bed52f2935d55ba7da01

SHA256
450ba2dc70b1bbb9cd808be082cc90ee2be2e27e678d37b27400a90e0e4463f8

SHA512
58886a5b9455e56e86b227c7a49535b638a9379ab8752c58d8560987c7585d7a42eac2e88b19c82a52f8eb13aabfc436ada14673878a80667ae30b369a1ed409

Download Submit
C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aA0F3.tmp\g2ax_winlogon.dll

Filesize
598KB

MD5
8b64004a064179c50ab204cb8baacdb1

SHA1
357fe1c8cc37ff7a7c064ed6f49360692a4a8254

SHA256
20b7b7290d17b2b3b9d6bb01d7f540dcd780944a9a2873d641e973433173a781

SHA512
0ce7693c4c54db616f1c30899bbe77f4a6033ee034a389d032dcc3e8c84d3361f3beaab82508c69e1b8a4b4104590953c2a9abef354680043a2964fd8106af74

Download Submit
C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aA0F3.tmp\g2ax_winlogonx64.dll

Filesize
599KB

MD5
234f00413858db80b4b51c1abede4152

SHA1
e2606f11691de55ac8f491050abbcbe71c0ad1ba

SHA256
c5daa86b380ed04bc2ec92bbe74c8aff958edeabd240411b7ecb7f5721ba548d

SHA512
0a242a4516cfa722e35f5cb9a6e815d03e00b63e8ef648532526e8a0d228f4d00c2367d65bf402d1c564a208e1d5747b2ba1350bc0e637743373898fc37cd41c

Download Submit
C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aA0F3.tmp\uninshlp.dll

Filesize
20KB

MD5
0868827e42db552e5427f277fedf1e6b

SHA1
9fb59bbb4edbcc98fdb36ffff378d0bb9ddcc4fb

SHA256
f6684c5dbce46be754e61da86757278bb6a9c7def6810504a1dc389920b5d38a

SHA512
607064c1bc4aa627dc130d3a34d19bd512324bb9bd91ceaa6bcb20f0e218d070ef7021c921318a4d6474e95979bd569c2776b414269aeade5fa884876d58c3d1

Download Submit
C:\Windows\Installer\MSI9F11.tmp

Filesize
3.6MB

MD5
10691eb99593e235b86d018ebaf7d4e6

SHA1
35e0444bb572f3890f327afc1feba32e9833d5b4

SHA256
4e945ddc84443a2ac2f845693461a7bda2ab07b24eb3b980c1b86dd5f2d8ed2b

SHA512
10e1ee6fa616d92d1bc5bca358321c0fd4b18767a7eb7fd7bdf19c3302b23163a37e904f162d57097d40ca10b68494c7f5d029db4f9f91ac62351c48d150377f

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
26.0MB

MD5
3be35fe97cc67a0ef11b0c436bd9aa84

SHA1
931d64feb38a29828e149a6813751aeabac65fb3

SHA256
dc0f095b0d2e340d5a3f9344c93ae1d0154ad6f26a5ae93afb75d029b018d64e

SHA512
43c414e1fae8b431d662dac1967351241b2d2a0536dd9406e174acc2f73d4b395e029aea4f9a016f06c4727c1e0987875399de386f5a4411ef641e487c88a4e7

Download Submit
\??\Volume{39cd0eda-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{403e845d-950c-418b-a963-1f4dd121acb5}_OnDiskSnapshotProp

Filesize
5KB

MD5
df2f5d9ea773ac17013a2d0200e7703c

SHA1
d89e02d51c052fdca073deb8ee27e7ef638c201b

SHA256
b0b73802f854deb3c5fb29d4abcefb7eff38fb0d00ccfc793699a5167379d348

SHA512
03e617762ef584f2f923e0993ff7ea42c12aa9bad259baa320358ee621d6320ac262fdbfdb415d44bd99660c7f98b4c04cea304764255c0d0145b9c255617281

Download Submit
memory/2820-44-0x0000000000400000-0x000000000225E000-memory.dmp

Filesize
30.4MB

Download
memory/2820-125-0x0000000000400000-0x000000000225E000-memory.dmp

Filesize
30.4MB

Download
memory/2820-15-0x0000000000400000-0x000000000225E000-memory.dmp

Filesize
30.4MB

Download