Analysis
max time kernel: 145s
max time network: 153s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 24/08/2024, 23:34
Static task: static1
General
Target:
Size: 4.1MB
MD5: 4dd7bd5bc7ad5494b39c033290136207
SHA1: aeac40777f86c172d8872643c9c537f53cdf1f5d
SHA256: 30949949855ec60455a390a5f77ce7eaf52b3917a963a27ecc7dd1946862e852
SHA512: 483c6099e920c5b36cd052e59b331d720cebbbf242d190c1b5383b5a7a6327abfc45f2311f58332822d4ec6f726722cf4f16f1c61071d10307a9a6a32849df37
SSDEEP: 98304:0BZc4QcOiOqteN/+G5s5jmL0tipvHYzlgpwS+nqA5:IzOVq29mJmgw0gpwSa
Malware Config
Signatures
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
resource | yara_rule
behavioral2/files/0x000700000001ac5c-14.dat | upx
behavioral2/memory/2820-15-0x0000000000400000-0x000000000225E000-memory.dmp | upx
behavioral2/memory/2820-44-0x0000000000400000-0x000000000225E000-memory.dmp | upx
behavioral2/memory/2820-125-0x0000000000400000-0x000000000225E000-memory.dmp | upx
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | g2ax_installer_customer.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | MSI9F11.tmp
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon 2 TTPs 9 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GoToAssist Express Customer | g2ax_service.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify | g2ax_service.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GoToAssist Express Customer\DLLName = "C:\\Program Files (x86)\\GoToAssist Remote Support Customer\\1575\\g2ax_winlogonx64.dll" | g2ax_service.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GoToAssist Express Customer\Logoff = "Logoff" | g2ax_service.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GoToAssist Express Customer\Startup = "Startup" | g2ax_service.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GoToAssist Express Customer\Asynchronous = "0" | g2ax_service.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GoToAssist Express Customer\Logon = "Logon" | g2ax_service.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GoToAssist Express Customer\Impersonate = "0" | g2ax_service.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GoToAssist Express Customer\Shutdown = "Shutdown" | g2ax_service.exe
Drops file in System32 directory 2 IoCs
description | ioc | Process
File created | C:\Windows\system32\g2ax_credential_provider64_1575.dll | g2ax_service.exe
File opened for modification | C:\Windows\system32\g2ax_credential_provider64_1575.dll | g2ax_service.exe
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in Program Files directory 26 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_customer_resource_win32_x86_pt.dll | g2ax_installer_customer.exe
File opened for modification | C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\uninshlp.dll | g2ax_installer_customer.exe
File created | C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_installer_customer.exe | g2ax_installer_customer.exe
File created | C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_user_high_customer.exe | g2ax_installer_customer.exe
File created | C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_winlogon.dll | g2ax_installer_customer.exe
File created | C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_customer_resource_win32_x86_it.dll | g2ax_installer_customer.exe
File created | C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_processfactory.exe | g2ax_installer_customer.exe
File created | C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_user_customer.exe | g2ax_installer_customer.exe
File created | C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_user_medium_customer.exe | g2ax_installer_customer.exe
File created | C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_comm_customer.exe | g2ax_installer_customer.exe
File created | C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_customer_resource_win32_x86_es.dll | g2ax_installer_customer.exe
File created | C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_winlogonx64.dll | g2ax_installer_customer.exe
File created | C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_credential_provider64.dll | g2ax_installer_customer.exe
File created | C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_combined_customer.dll | g2ax_installer_customer.exe
File created | C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_uninstaller_customer.exe | g2ax_installer_customer.exe
File created | C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_system_customer.exe | g2ax_installer_customer.exe
File created | C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\shortcuts.txt | g2ax_service.exe
File created | C:\Program Files (x86)\_x_CInstB+TEST_x_0\_x_CInstB+TEST_x_0 | g2ax_installer_customer.exe
File created | C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_credential_provider.dll | g2ax_installer_customer.exe
File created | C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_customer_resource_win32_x86_en_US.dll | g2ax_installer_customer.exe
File created | C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_customer_resource_win32_x86_de.dll | g2ax_installer_customer.exe
File created | C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_customer_resource_win32_x86_fr.dll | g2ax_installer_customer.exe
File created | C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\uninshlp.dll | g2ax_installer_customer.exe
File created | C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_service.exe | g2ax_installer_customer.exe
File created | C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_host.exe | g2ax_installer_customer.exe
File created | C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_host_service.exe | g2ax_installer_customer.exe
Drops file in Windows directory 9 IoCs
description | ioc | Process
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI9EEF.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI9F11.tmp | msiexec.exe
File created | C:\Windows\Installer\e579e57.msi | msiexec.exe
File created | C:\Windows\Installer\e579e53.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\e579e53.msi | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File created | C:\Windows\Installer\SourceHash{8986461A-C5B9-4E8B-827A-FA68F3411575} | msiexec.exe
Executes dropped EXE 8 IoCs
pid | Process
2820 | MSI9F11.tmp
1312 | g2ax_installer_customer.exe
2060 | g2ax_service.exe
2208 | g2ax_service.exe
5076 | g2ax_service.exe
4016 | g2ax_comm_customer.exe
2104 | g2ax_system_customer.exe
8 | g2ax_user_customer.exe
Loads dropped DLL 8 IoCs
pid | Process
1312 | g2ax_installer_customer.exe
2060 | g2ax_service.exe
2208 | g2ax_service.exe
5076 | g2ax_service.exe
4016 | g2ax_comm_customer.exe
2104 | g2ax_system_customer.exe
8 | g2ax_user_customer.exe
1032 | regsvr32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
pid | Process
2828 | msiexec.exe
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | g2ax_comm_customer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | g2ax_system_customer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | g2ax_user_customer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MSI9F11.tmp
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | g2ax_installer_customer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | g2ax_service.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | g2ax_service.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | g2ax_service.exe
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Modifies data under HKEY_USERS 15 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\LogMeInInc\GoToAssist\ConnectionInfo | g2ax_comm_customer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\LogMeInInc\GoToAssist\ConnectionInfo\LastGood | g2ax_comm_customer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\LogMeInInc | g2ax_comm_customer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\LogMeInInc\GoToAssist | g2ax_comm_customer.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\LogMeInInc\GoToAssist\ConnectionInfo\LastGood\Proto1\Method = "32" | g2ax_comm_customer.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\LogMeInInc\GoToAssist\ConnectionInfo\LastGood\Proto1\Flags = "1" | g2ax_comm_customer.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\LogMeInInc\GoToAssist\ConnectionInfo\LastGood\Proto1\OriginalDetector = "4" | g2ax_comm_customer.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\LogMeInInc\GoToAssist\AuthInfo | g2ax_comm_customer.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\LogMeInInc\GoToAssist\ConnectionInfo\LastGood\Proto1\TargetPort = "443" | g2ax_comm_customer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\LogMeInInc\GoToAssist\ConnectionInfo\LastGood\Proto1 | g2ax_comm_customer.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\LogMeInInc\GoToAssist\ConnectionInfo\LastGood\Proto1\Proto = "1" | g2ax_comm_customer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | g2ax_comm_customer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | g2ax_comm_customer.exe
Modifies registry class 30 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 | g2ax_installer_customer.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = (certificate blob not shown) | g2ax_installer_customer.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
4916 | msiexec.exe
4916 | msiexec.exe
4016 | g2ax_comm_customer.exe
4016 | g2ax_comm_customer.exe
2104 | g2ax_system_customer.exe
2104 | g2ax_system_customer.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 27 IoCs
pid Process
2828 msiexec.exe
2828 msiexec.exe
8 g2ax_user_customer.exe (repeated 25 times)
-
Suspicious use of SendNotifyMessage 24 IoCs
pid Process
8 g2ax_user_customer.exe (repeated 24 times)
-
Suspicious use of WriteProcessMemory 25 IoCs
description pid Process procid_target
PID 4916 wrote to memory of 704 4916 msiexec.exe 78
PID 4916 wrote to memory of 704 4916 msiexec.exe 78
PID 4916 wrote to memory of 2820 4916 msiexec.exe 80
PID 4916 wrote to memory of 2820 4916 msiexec.exe 80
PID 4916 wrote to memory of 2820 4916 msiexec.exe 80
PID 2820 wrote to memory of 1312 2820 MSI9F11.tmp 81
PID 2820 wrote to memory of 1312 2820 MSI9F11.tmp 81
PID 2820 wrote to memory of 1312 2820 MSI9F11.tmp 81
PID 1312 wrote to memory of 2060 1312 g2ax_installer_customer.exe 82
PID 1312 wrote to memory of 2060 1312 g2ax_installer_customer.exe 82
PID 1312 wrote to memory of 2060 1312 g2ax_installer_customer.exe 82
PID 1312 wrote to memory of 2208 1312 g2ax_installer_customer.exe 83
PID 1312 wrote to memory of 2208 1312 g2ax_installer_customer.exe 83
PID 1312 wrote to memory of 2208 1312 g2ax_installer_customer.exe 83
PID 5076 wrote to memory of 4016 5076 g2ax_service.exe 85
PID 5076 wrote to memory of 4016 5076 g2ax_service.exe 85
PID 5076 wrote to memory of 4016 5076 g2ax_service.exe 85
PID 4016 wrote to memory of 2104 4016 g2ax_comm_customer.exe 88
PID 4016 wrote to memory of 2104 4016 g2ax_comm_customer.exe 88
PID 4016 wrote to memory of 2104 4016 g2ax_comm_customer.exe 88
PID 4016 wrote to memory of 8 4016 g2ax_comm_customer.exe 90
PID 4016 wrote to memory of 8 4016 g2ax_comm_customer.exe 90
PID 4016 wrote to memory of 8 4016 g2ax_comm_customer.exe 90
PID 5076 wrote to memory of 1032 5076 g2ax_service.exe 92
PID 5076 wrote to memory of 1032 5076 g2ax_service.exe 92
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exe
  msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\[email protected]
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2828
-
C:\Windows\system32\msiexec.exe
  C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4916

  C:\Windows\system32\srtasks.exe
    C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    - Suspicious use of AdjustPrivilegeToken
    PID:704

  C:\Windows\Installer\MSI9F11.tmp
    "C:\Windows\Installer\MSI9F11.tmp" /FromMSI
    - Checks whether UAC is enabled
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2820

    C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aA0F3.tmp\g2ax_installer_customer.exe
      "C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aA0F3.tmp\g2ax_installer_customer.exe " "/Action SetupUnattendedSilent" "/DownloadServer https://launch.getgo.com" "/EGWAddress 216.115.218.197" "/EGWDNS egw1.express.gotoassist.com" "/EGWPort 8200,80,443" /FromMSI "/Language en_US" "/LoaderPath C:\Windows\Installer\MSI9F11.tmp" "/LogPath C:\Users\Admin\AppData\Local\Temp\LogMeInLogs\GoToAssist Remote Support Customer\1575\20240824_233524\" "/Mode Normal" "/RestartReason Start" "/ServiceAllowed Yes" "/StartAsService Yes" "/Stat On" "/StatDb On" "/Trigger Web" "/UnattendedSetupToken 5331656515450037371" "/WebsiteUrl http://support.gotoassist.com" "/locale en_US" "/silent"
      - Checks whether UAC is enabled
      - Drops file in Program Files directory
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Modifies system certificate store
      - Suspicious use of WriteProcessMemory
      PID:1312

      C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_service.exe
        "C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_service.exe" "Start=install_manual&Action=SetupUnattendedSilent&DownloadServer=https://launch.getgo.com&EGWAddress=216.115.218.197&EGWDNS=egw1.express.gotoassist.com&EGWPort=8200,80,443&Language=en_US&LoaderPath=C:\Windows\Installer\MSI9F11.tmp&LogPath=C:\Users\Admin\AppData\Local\Temp\LogMeInLogs\GoToAssist Remote Support Customer\1575\20240824_233524\&Mode=Normal&RestartReason=Start&ServiceAllowed=Yes&StartAsService=Yes&Stat=On&StatDb=On&Trigger=Web&UnattendedSetupToken=5331656515450037371&WebsiteUrl=http://support.gotoassist.com&locale=en_US"
        - Modifies WinLogon
        - Drops file in Program Files directory
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Modifies registry class
        PID:2060

      C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_service.exe
        "C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_service.exe" "Start=start_session&Action=SetupUnattendedSilent&DownloadServer=https://launch.getgo.com&EGWAddress=216.115.218.197&EGWDNS=egw1.express.gotoassist.com&EGWPort=8200,80,443&Language=en_US&LoaderPath=C:\Windows\Installer\MSI9F11.tmp&LogPath=C:\Users\Admin\AppData\Local\Temp\LogMeInLogs\GoToAssist Remote Support Customer\1575\20240824_233524\&Mode=Normal&RestartReason=Start&ServiceAllowed=Yes&StartAsService=Yes&Stat=On&StatDb=On&Trigger=Web&UnattendedSetupToken=5331656515450037371&WebsiteUrl=http://support.gotoassist.com&locale=en_US"
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        PID:2208
-
C:\Windows\system32\vssvc.exe
  C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID:1564
-
C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:916
-
C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_service.exe
  "C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_service.exe" "Start=service"
  - Drops file in System32 directory
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5076

  C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_comm_customer.exe
    "C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_comm_customer.exe" "Action=SetupUnattendedSilent&DownloadServer=https://launch.getgo.com&EGWAddress=216.115.218.197&EGWDNS=egw1.express.gotoassist.com&EGWPort=8200,80,443&Language=en_US&LoaderPath=C:\Windows\Installer\MSI9F11.tmp&LogName=C:\Users\Admin\AppData\Local\Temp\LogMeInLogs\GoToAssist Remote Support Customer\1575\20240824_233524\GoToAssist Remote Support Customer.LOG&LogPath=C:\Users\Admin\AppData\Local\Temp\LogMeInLogs\GoToAssist Remote Support Customer\1575\20240824_233524\&Mode=Normal&ResourceDll=g2ax_customer_resource_win32_x86_en_US.dll&RestartReason=Start&RunningAsService=YES&ServiceAllowed=Yes&Start=service&StartAsService=Yes&StartID={45CB397D-781F-4B69-955E-7EB5F5BDC348}&Stat=On&StatDb=On&Trigger=Web&UnattendedSetupToken=5331656515450037371&UniqueId=5076&WebsiteUrl=http://support.gotoassist.com&locale=en_US"
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4016

    C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_system_customer.exe
      "C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_system_customer.exe" "StartID={D86B0088-ACAF-4990-A838-15B184534BE8}&ResourceDll=g2ax_customer_resource_win32_x86_en_US.dll&RunningAsService=YES&Debug=Off&Stat=On&StatDb=On&Index=0"
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID:2104

    C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_user_customer.exe
      "C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_user_customer.exe" "StartID={45CB397D-781F-4B69-955E-7EB5F5BDC348}&ResourceDll=g2ax_customer_resource_win32_x86_en_US.dll&RunningAsService=YES&Debug=Off&Stat=On&StatDb=On&Index=0"
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      PID:8

  C:\Windows\system32\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s C:\Windows\system32\g2ax_credential_provider64_1575.dll
    - Loads dropped DLL
    - Modifies registry class
    PID:1032
-
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Winlogon Helper DLL (1)
- Event Triggered Execution (2): Component Object Model Hijacking (1), Installer Packages (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Winlogon Helper DLL (1)
- Event Triggered Execution (2): Component Object Model Hijacking (1), Installer Packages (1)
Defense Evasion
- Modify Registry (2)
- Subvert Trust Controls (1): Install Root Certificate (1)
- System Binary Proxy Execution (1): Msiexec (1)
Downloads
-
Filesize 8KB
MD5 e95b3af7ebeb04635a9488bb8024d5ff
SHA1 767681f15fa301b2bd7211d398801518bc59118b
SHA256 1d761b099a25b9d12e1254d924051552546b92ac2af3d04dbb1a6a3e1af7f0bb
SHA512 172e0da8b946a0d645147ecb38e40eef30b73adc168f35cbeba1d2f5a53cd4f03cad9f9da819a65a85aef281bc6919ab01f4e8e1486df5908dbcac8f2ed24f05
-
C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aA0F3.tmp\g2ax_combined_customer.dll
Filesize 9.0MB
MD5 b281109807f069ee71ad44a5c2ed4638
SHA1 88d58db2ea9d8ab72504ad3933acedd69c919cf7
SHA256 3d8d246a69eb0a66c52d8a713c2797b28d05e7c2ac9157fea5692bf6e9dfdda8
SHA512 11fb0515904a24a041c02f89819b43cf30e4b791eac559084c0ab90c458ed46d0aff2ab9fe4e4a1e9c915d080eff212754d68643c67e4690237dab6a67cd2249
-
C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aA0F3.tmp\g2ax_credential_provider.dll
Filesize 113KB
MD5 6acbff3ffbf1d3b4ef2e590807b82a7f
SHA1 0f781965145db5d9c97e471b8bc7236dee81c71c
SHA256 e870ce924d6797c053a14647184ad9d7e6bf641c2c1de901e747449964afdb22
SHA512 734aaa7ca45209c7d67e743c7bd43130da709d3503ee3a127919aa676c7e9cc932707522e0355d8e17b8bb02dbb53109c7df9ddef7c118814e5a4f04ce712139
-
C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aA0F3.tmp\g2ax_credential_provider64.dll
Filesize 122KB
MD5 2f9bde855a7df5ab1a5d4bc549170064
SHA1 dab528bd0e4054926d4646d762f08d85e164c469
SHA256 ee0432569bfadee88267ae64d2b11a6d258225c74358f142afa4bec8d6236dd5
SHA512 ce19050bc003f290172efab577bfa36ca17bb5e5b9efd4e4443ca037f59a1ea2ac635ae1592d51354485df0ef274f0516a3501228f11edd16ef1c6d723820afb
-
C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aA0F3.tmp\g2ax_customer_resource_win32_x86_de.dll
Filesize 2.7MB
MD5 95d28b0ae03c0e0dbebaac0354bd665d
SHA1 16ad8de089f85810678235cac2a332069e4a757e
SHA256 2e0fd5b081c3a35f97fc15a37d254c46e09a57724dae50853cd6f7675b5502bd
SHA512 5ec5d5d1b113c633364181411516b7de8e4ebf47d1bdbdb5cabec06a040671f5e69540b9b0f067fec593d26f6d1d97ca764c50d2adbd768b1e3cbf91b758ad27
-
C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aA0F3.tmp\g2ax_customer_resource_win32_x86_en_US.dll
Filesize 2.7MB
MD5 626dc7beea7eef7dbbad77b3f693eb49
SHA1 1e25d0ca6c7678bb3775728bdd631f2bfe79ebc0
SHA256 5bea8b91ed32fe2b925a8942a2706d8b84d75b00cac8f4ec1009c911a201a6f9
SHA512 a1609e5949721165773fec457f798ea9083257b19eeeafb3d40382f9763392862a976f2b892b6dadfe1df6c83e70b496c10ce688440fa5d97c78c6a0821d165a
-
C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aA0F3.tmp\g2ax_customer_resource_win32_x86_es.dll
Filesize 2.7MB
MD5 d4b3e89862a5b2583b6da76aa12e225c
SHA1 2f158da475e5a20f8e7c9b7effa7295fc07e7fd9
SHA256 5bac52692ea070aa9a6cb4655ca1346818235e79d4ac234127c87f9bd26de5d2
SHA512 2e792fa40569198a52df8796328ee0e6c93da9b861599e04bd0c0c7430b1c368c5ef60ca0bcda9297dcffd3e9312cdf12d62fdfd3febff4ec4a0ec55d2607a7f
-
C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aA0F3.tmp\g2ax_customer_resource_win32_x86_fr.dll
Filesize 2.7MB
MD5 cdb5345e298d427450fe244a2e1cd16c
SHA1 e2e3402696090998174f686128af6d5791dd725a
SHA256 a476086f0c10426df4880f77e7333fa9aaab088421b5b9fab4937a65d734c817
SHA512 f036d3b164b3983f4684d3e3383ed2a67ebd674b5ea4d764189b429b3cecc81f5b0a4bf8a4e6e6d7e2aac27b7fb6edaf909835d2890000d3aded887e20776141
-
C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aA0F3.tmp\g2ax_customer_resource_win32_x86_it.dll
Filesize 2.7MB
MD5 4c6d97f5793a8806d1b07f7805c1290f
SHA1 6ed0ae206d5e3fd7cb19634aef5f0055f0832d83
SHA256 3798840e3ddf8025648420c2971c4434608f908bfd83437c239220e28e925323
SHA512 c13fba4f00340ab3be3b1f58bdd17fd1d3e95c1819b7a8d82b8e6cb7bc8bece9cf2d97ede47e57b062bb8008031f58b36934a5da0c452e17309f832b42b5e2ef
-
C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aA0F3.tmp\g2ax_customer_resource_win32_x86_pt.dll
Filesize 2.7MB
MD5 42accada99f11973893559eb80dbd7cc
SHA1 9ed76304bf4af87210044d9fcbcb62f2f6f49fce
SHA256 c07707fdee8d761999bd63e44fdca04503ccbb2fde1e02d2eab6d3f99744840a
SHA512 24177df97a981f2a5d0896d143b3f8057631a17ab18e00bf540b70a921d66f5876ee0985e4b32165fabedefebc0ad1329be4860619b1ea40274cfe2beaf0d696
-
C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aA0F3.tmp\g2ax_exe_customer_adminui.exe
Filesize 599KB
MD5 139e140841795d1d3b31ca9f0d2a18f0
SHA1 c8348ffcc2792edf84c7d0a60af9fced0cee74d2
SHA256 814f387ab117191bc9cf9c33743bd792735237354ec83df4e014c7e7bc1e46ba
SHA512 98bf1f4043ccd59bb2c86b56dda9b30426160cb093585e9378cd5930ab8d5485591ea1f59196fb64ec3e0cc2845bdf43d936e8ae303914df56a8bd82b9fcd42b
-
C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aA0F3.tmp\g2ax_installer_customer.exe
Filesize 599KB
MD5 7c9b0bde69c16ece846a56106b11dbfa
SHA1 80c42eb9351f611a395256531c5ed4931be981cf
SHA256 02d19f030b1f116c26bc3d1e6b03071b6f13ce7c7ea499603a5dfd571f3a96b6
SHA512 7826faa0627a5e57cd4ad3076391cec125314339d59ac6ad2e623a82522e870ecbc12b42b5868484550ede7e8d3012f06bef5463b624636aea3f0343ccdd810a
-
C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aA0F3.tmp\g2ax_installer_customer_admin.exe
Filesize 599KB
MD5 d4ee9d0af2825048d4bfd48f48bd464b
SHA1 a3a25e68132a4288b6b394623fd206fbf8899092
SHA256 e1ae8e4f45552d82ea9154a02d7b900f42cad77777d6b6d6872f3f96efde491c
SHA512 ff6a70d7edb1e0aef632027e50b264bfed1aa27bcf114c65b79da7894b6f2b48675d78bc698f0006973f24a9ca465ffb5ae82600d5f065dba14593ade31ffc47
-
C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aA0F3.tmp\g2ax_processfactory.exe
Filesize 680KB
MD5 63f225100403cd9d98e5c20a2f13c7f9
SHA1 e4152545009c0bcbdbb9bed52f2935d55ba7da01
SHA256 450ba2dc70b1bbb9cd808be082cc90ee2be2e27e678d37b27400a90e0e4463f8
SHA512 58886a5b9455e56e86b227c7a49535b638a9379ab8752c58d8560987c7585d7a42eac2e88b19c82a52f8eb13aabfc436ada14673878a80667ae30b369a1ed409
-
C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aA0F3.tmp\g2ax_winlogon.dll
Filesize 598KB
MD5 8b64004a064179c50ab204cb8baacdb1
SHA1 357fe1c8cc37ff7a7c064ed6f49360692a4a8254
SHA256 20b7b7290d17b2b3b9d6bb01d7f540dcd780944a9a2873d641e973433173a781
SHA512 0ce7693c4c54db616f1c30899bbe77f4a6033ee034a389d032dcc3e8c84d3361f3beaab82508c69e1b8a4b4104590953c2a9abef354680043a2964fd8106af74
-
C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aA0F3.tmp\g2ax_winlogonx64.dll
Filesize 599KB
MD5 234f00413858db80b4b51c1abede4152
SHA1 e2606f11691de55ac8f491050abbcbe71c0ad1ba
SHA256 c5daa86b380ed04bc2ec92bbe74c8aff958edeabd240411b7ecb7f5721ba548d
SHA512 0a242a4516cfa722e35f5cb9a6e815d03e00b63e8ef648532526e8a0d228f4d00c2367d65bf402d1c564a208e1d5747b2ba1350bc0e637743373898fc37cd41c
-
C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aA0F3.tmp\uninshlp.dll
Filesize 20KB
MD5 0868827e42db552e5427f277fedf1e6b
SHA1 9fb59bbb4edbcc98fdb36ffff378d0bb9ddcc4fb
SHA256 f6684c5dbce46be754e61da86757278bb6a9c7def6810504a1dc389920b5d38a
SHA512 607064c1bc4aa627dc130d3a34d19bd512324bb9bd91ceaa6bcb20f0e218d070ef7021c921318a4d6474e95979bd569c2776b414269aeade5fa884876d58c3d1
-
Filesize 3.6MB
MD5 10691eb99593e235b86d018ebaf7d4e6
SHA1 35e0444bb572f3890f327afc1feba32e9833d5b4
SHA256 4e945ddc84443a2ac2f845693461a7bda2ab07b24eb3b980c1b86dd5f2d8ed2b
SHA512 10e1ee6fa616d92d1bc5bca358321c0fd4b18767a7eb7fd7bdf19c3302b23163a37e904f162d57097d40ca10b68494c7f5d029db4f9f91ac62351c48d150377f
-
Filesize 26.0MB
MD5 3be35fe97cc67a0ef11b0c436bd9aa84
SHA1 931d64feb38a29828e149a6813751aeabac65fb3
SHA256 dc0f095b0d2e340d5a3f9344c93ae1d0154ad6f26a5ae93afb75d029b018d64e
SHA512 43c414e1fae8b431d662dac1967351241b2d2a0536dd9406e174acc2f73d4b395e029aea4f9a016f06c4727c1e0987875399de386f5a4411ef641e487c88a4e7
-
\??\Volume{39cd0eda-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{403e845d-950c-418b-a963-1f4dd121acb5}_OnDiskSnapshotProp
Filesize 5KB
MD5 df2f5d9ea773ac17013a2d0200e7703c
SHA1 d89e02d51c052fdca073deb8ee27e7ef638c201b
SHA256 b0b73802f854deb3c5fb29d4abcefb7eff38fb0d00ccfc793699a5167379d348
SHA512 03e617762ef584f2f923e0993ff7ea42c12aa9bad259baa320358ee621d6320ac262fdbfdb415d44bd99660c7f98b4c04cea304764255c0d0145b9c255617281