Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
submitted: 24/08/2024, 23:34
Static task: static1
General
Target:
Size: 4.1MB
MD5: 4dd7bd5bc7ad5494b39c033290136207
SHA1: aeac40777f86c172d8872643c9c537f53cdf1f5d
SHA256: 30949949855ec60455a390a5f77ce7eaf52b3917a963a27ecc7dd1946862e852
SHA512: 483c6099e920c5b36cd052e59b331d720cebbbf242d190c1b5383b5a7a6327abfc45f2311f58332822d4ec6f726722cf4f16f1c61071d10307a9a6a32849df37
SSDEEP: 98304:0BZc4QcOiOqteN/+G5s5jmL0tipvHYzlgpwS+nqA5:IzOVq29mJmgw0gpwSa
Signatures

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

resource | yara_rule
behavioral3/files/0x000800000002349b-10.dat | upx
behavioral3/memory/2964-11-0x0000000000400000-0x000000000225E000-memory.dmp | upx
behavioral3/memory/2964-111-0x0000000000400000-0x000000000225E000-memory.dmp | upx
behavioral3/memory/2964-117-0x0000000000400000-0x000000000225E000-memory.dmp | upx

description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | MSIBE21.tmp
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | g2ax_installer_customer.exe
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
All 46 entries are "File opened (read-only)" by msiexec.exe. IoC paths, in the order reported: \??\K:, \??\M:, \??\U:, \??\I:, \??\S:, \??\Y:, \??\A:, \??\E:, \??\G:, \??\I:, \??\P:, \??\N:, \??\R:, \??\W:, \??\X:, \??\J:, \??\Q:, \??\H:, \??\Y:, \??\V:, \??\Z:, \??\O:, \??\R:, \??\A:, \??\L:, \??\Q:, \??\T:, \??\V:, \??\G:, \??\P:, \??\U:, \??\W:, \??\T:, \??\X:, \??\B:, \??\B:, \??\H:, \??\L:, \??\J:, \??\N:, \??\S:, \??\Z:, \??\E:, \??\K:, \??\M:, \??\O:
Modifies WinLogon (2 TTPs, 9 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GoToAssist Express Customer\Startup = "Startup" | g2ax_service.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GoToAssist Express Customer\Logon = "Logon" | g2ax_service.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify | g2ax_service.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GoToAssist Express Customer\DLLName = "C:\\Program Files (x86)\\GoToAssist Remote Support Customer\\1575\\g2ax_winlogonx64.dll" | g2ax_service.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GoToAssist Express Customer\Logoff = "Logoff" | g2ax_service.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GoToAssist Express Customer\Asynchronous = "0" | g2ax_service.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GoToAssist Express Customer\Impersonate = "0" | g2ax_service.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GoToAssist Express Customer\Shutdown = "Shutdown" | g2ax_service.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GoToAssist Express Customer | g2ax_service.exe
Drops file in System32 directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\system32\g2ax_credential_provider64_1575.dll | g2ax_service.exe
File opened for modification | C:\Windows\system32\g2ax_credential_provider64_1575.dll | g2ax_service.exe
Event Triggered Execution: Component Object Model Hijacking (1 TTPs)
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in Program Files directory (26 IoCs)
description | ioc | Process
File created | C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_service.exe | g2ax_installer_customer.exe
File created | C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_customer_resource_win32_x86_es.dll | g2ax_installer_customer.exe
File created | C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_installer_customer.exe | g2ax_installer_customer.exe
File created | C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_customer_resource_win32_x86_de.dll | g2ax_installer_customer.exe
File created | C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_winlogonx64.dll | g2ax_installer_customer.exe
File created | C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_combined_customer.dll | g2ax_installer_customer.exe
File created | C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_system_customer.exe | g2ax_installer_customer.exe
File created | C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_customer_resource_win32_x86_pt.dll | g2ax_installer_customer.exe
File created | C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_credential_provider.dll | g2ax_installer_customer.exe
File opened for modification | C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\uninshlp.dll | g2ax_installer_customer.exe
File created | C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_comm_customer.exe | g2ax_installer_customer.exe
File created | C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_user_high_customer.exe | g2ax_installer_customer.exe
File created | C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_customer_resource_win32_x86_en_US.dll | g2ax_installer_customer.exe
File created | C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_customer_resource_win32_x86_it.dll | g2ax_installer_customer.exe
File created | C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\uninshlp.dll | g2ax_installer_customer.exe
File created | C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_credential_provider64.dll | g2ax_installer_customer.exe
File created | C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_user_customer.exe | g2ax_installer_customer.exe
File created | C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_customer_resource_win32_x86_fr.dll | g2ax_installer_customer.exe
File created | C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\shortcuts.txt | g2ax_service.exe
File created | C:\Program Files (x86)\_x_CInstB+TEST_x_0\_x_CInstB+TEST_x_0 | g2ax_installer_customer.exe
File created | C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_winlogon.dll | g2ax_installer_customer.exe
File created | C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_user_medium_customer.exe | g2ax_installer_customer.exe
File created | C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_processfactory.exe | g2ax_installer_customer.exe
File created | C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_host.exe | g2ax_installer_customer.exe
File created | C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_host_service.exe | g2ax_installer_customer.exe
File created | C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_uninstaller_customer.exe | g2ax_installer_customer.exe
Drops file in Windows directory (9 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Installer\MSIBE21.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\e57bd35.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIBDD2.tmp | msiexec.exe
File created | C:\Windows\Installer\SourceHash{8986461A-C5B9-4E8B-827A-FA68F3411575} | msiexec.exe
File created | C:\Windows\Installer\e57bd39.msi | msiexec.exe
File created | C:\Windows\Installer\e57bd35.msi | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
Executes dropped EXE (8 IoCs)
pid | Process
2964 | MSIBE21.tmp
2800 | g2ax_installer_customer.exe
2932 | g2ax_service.exe
4404 | g2ax_service.exe
1896 | g2ax_service.exe
1416 | g2ax_comm_customer.exe
2424 | g2ax_system_customer.exe
1908 | g2ax_user_customer.exe
Loads dropped DLL (8 IoCs)
pid | Process
2800 | g2ax_installer_customer.exe
2932 | g2ax_service.exe
4404 | g2ax_service.exe
1896 | g2ax_service.exe
1416 | g2ax_comm_customer.exe
2424 | g2ax_system_customer.exe
1908 | g2ax_user_customer.exe
2980 | regsvr32.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Installer Packages (2 TTPs, 1 IoCs)
pid | Process
2368 | msiexec.exe
System Location Discovery: System Language Discovery (1 TTPs, 8 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MSIBE21.tmp
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | g2ax_installer_customer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | g2ax_service.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | g2ax_service.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | g2ax_service.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | g2ax_comm_customer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | g2ax_system_customer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | g2ax_user_customer.exe
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = (binary value not reproduced in this extract) | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
Modifies data under HKEY_USERS (12 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\LogMeInInc\GoToAssist\ConnectionInfo\LastGood\Proto1\Proto = "1" | g2ax_comm_customer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\LogMeInInc\GoToAssist\AuthInfo | g2ax_comm_customer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | g2ax_comm_customer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\LogMeInInc | g2ax_comm_customer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\LogMeInInc\GoToAssist | g2ax_comm_customer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\LogMeInInc\GoToAssist\ConnectionInfo\LastGood\Proto1 | g2ax_comm_customer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\LogMeInInc\GoToAssist\ConnectionInfo | g2ax_comm_customer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\LogMeInInc\GoToAssist\ConnectionInfo\LastGood | g2ax_comm_customer.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\LogMeInInc\GoToAssist\ConnectionInfo\LastGood\Proto1\Method = "32" | g2ax_comm_customer.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\LogMeInInc\GoToAssist\ConnectionInfo\LastGood\Proto1\TargetPort = "80" | g2ax_comm_customer.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\LogMeInInc\GoToAssist\ConnectionInfo\LastGood\Proto1\Flags = "1" | g2ax_comm_customer.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\LogMeInInc\GoToAssist\ConnectionInfo\LastGood\Proto1\OriginalDetector = "4" | g2ax_comm_customer.exe
Modifies registry class (30 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GoToAssist Remote Support Customer.g2ax_StartHereLoader.2 | g2ax_service.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\\g2ax_service.exe | g2ax_service.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{D7222C15-96C7-40f1-97A7-EB3D057EA80C}\LocalService = "GoToAssist Remote Support Customer" | g2ax_service.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D025C57A-763E-4B14-B580-9B5B161F08BB} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{45CB397D-781F-4B69-955E-7EB5F5BDC348}\ProgID | g2ax_service.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GoToAssist Remote Support Customer.g2ax_StartHereLoader\CurVer | g2ax_service.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{D7222C15-96C7-40f1-97A7-EB3D057EA80C}\ServiceParameters = "-Service" | g2ax_service.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{45CB397D-781F-4B69-955E-7EB5F5BDC348}\LocalServer32 | g2ax_service.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GoToAssist Remote Support Customer.g2ax_StartHereLoader | g2ax_service.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GoToAssist Remote Support Customer.g2ax_StartHereLoader\ = "g2ax_StartHereLoader" | g2ax_service.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D025C57A-763E-4B14-B580-9B5B161F08BB}\InprocServer32\ = "C:\\Windows\\system32\\g2ax_credential_provider64_1575.dll" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{45CB397D-781F-4B69-955E-7EB5F5BDC348}\ = "g2ax_StartHereLoader" | g2ax_service.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{45CB397D-781F-4B69-955E-7EB5F5BDC348}\VersionIndependentProgID | g2ax_service.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{45CB397D-781F-4B69-955E-7EB5F5BDC348} | g2ax_service.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{45CB397D-781F-4B69-955E-7EB5F5BDC348}\ProgID\ = "GoToAssist Remote Support Customer.g2ax_StartHereLoader.2" | g2ax_service.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GoToAssist Remote Support Customer.g2ax_StartHereLoader\CLSID\ = "{45CB397D-781F-4B69-955E-7EB5F5BDC348}" | g2ax_service.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GoToAssist Remote Support Customer.g2ax_StartHereLoader.2\CLSID | g2ax_service.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D025C57A-763E-4B14-B580-9B5B161F08BB}\ = "CredentialProvider" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\\{D7222C15-96C7-40f1-97A7-EB3D057EA80C} | g2ax_service.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{D7222C15-96C7-40f1-97A7-EB3D057EA80C}\ = "GoToAssist Remote Support Customer" | g2ax_service.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{45CB397D-781F-4B69-955E-7EB5F5BDC348}\AppID = "{D7222C15-96C7-40f1-97A7-EB3D057EA80C}" | g2ax_service.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GoToAssist Remote Support Customer.g2ax_StartHereLoader\CLSID | g2ax_service.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GoToAssist Remote Support Customer.g2ax_StartHereLoader.2\ = "g2ax_StartHereLoader" | g2ax_service.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\g2ax_service.exe\AppID = "{D7222C15-96C7-40f1-97A7-EB3D057EA80C}" | g2ax_service.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{45CB397D-781F-4B69-955E-7EB5F5BDC348}\LocalServer32\ = "C:\\Program Files (x86)\\GoToAssist Remote Support Customer\\1575\\g2ax_service.exe" | g2ax_service.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GoToAssist Remote Support Customer.g2ax_StartHereLoader.2\CLSID\ = "{45CB397D-781F-4B69-955E-7EB5F5BDC348}" | g2ax_service.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D025C57A-763E-4B14-B580-9B5B161F08BB}\InprocServer32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D025C57A-763E-4B14-B580-9B5B161F08BB}\InprocServer32\ThreadingModel = "Apartment" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{45CB397D-781F-4B69-955E-7EB5F5BDC348}\VersionIndependentProgID\ = "GoToAssist Remote Support Customer.g2ax_StartHereLoader" | g2ax_service.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GoToAssist Remote Support Customer.g2ax_StartHereLoader\CurVer\ = "GoToAssist Remote Support Customer.g2ax_StartHereLoader.2" | g2ax_service.exe
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 | g2ax_installer_customer.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 040000000100000010000000cb17e431673ee209fe455793f30afa1c0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c953000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030109000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df1400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3617e000000010000000800000000c0032f2df8d6016800000001000000000000000300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e5190000000100000010000000d8b5fb368468620275d142ffd2aade372000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a | g2ax_installer_customer.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = (binary value not reproduced in this extract) | g2ax_installer_customer.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | Process
4784 | msiexec.exe
4784 | msiexec.exe
1416 | g2ax_comm_customer.exe
1416 | g2ax_comm_customer.exe
2424 | g2ax_system_customer.exe
2424 | g2ax_system_customer.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeShutdownPrivilege | 2368 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 2368 | msiexec.exe
Token: SeSecurityPrivilege | 4784 | msiexec.exe
Token: SeCreateTokenPrivilege | 2368 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 2368 | msiexec.exe
Token: SeLockMemoryPrivilege | 2368 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 2368 | msiexec.exe
Token: SeMachineAccountPrivilege | 2368 | msiexec.exe
Token: SeTcbPrivilege | 2368 | msiexec.exe
Token: SeSecurityPrivilege | 2368 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2368 | msiexec.exe
Token: SeLoadDriverPrivilege | 2368 | msiexec.exe
Token: SeSystemProfilePrivilege | 2368 | msiexec.exe
Token: SeSystemtimePrivilege | 2368 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 2368 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 2368 | msiexec.exe
Token: SeCreatePagefilePrivilege | 2368 | msiexec.exe
Token: SeCreatePermanentPrivilege | 2368 | msiexec.exe
Token: SeBackupPrivilege | 2368 | msiexec.exe
Token: SeRestorePrivilege | 2368 | msiexec.exe
Token: SeShutdownPrivilege | 2368 | msiexec.exe
Token: SeDebugPrivilege | 2368 | msiexec.exe
Token: SeAuditPrivilege | 2368 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 2368 | msiexec.exe
Token: SeChangeNotifyPrivilege | 2368 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 2368 | msiexec.exe
Token: SeUndockPrivilege | 2368 | msiexec.exe
Token: SeSyncAgentPrivilege | 2368 | msiexec.exe
Token: SeEnableDelegationPrivilege | 2368 | msiexec.exe
Token: SeManageVolumePrivilege | 2368 | msiexec.exe
Token: SeImpersonatePrivilege | 2368 | msiexec.exe
Token: SeCreateGlobalPrivilege | 2368 | msiexec.exe
Token: SeBackupPrivilege | 4532 | vssvc.exe
Token: SeRestorePrivilege | 4532 | vssvc.exe
Token: SeAuditPrivilege | 4532 | vssvc.exe
Token: SeBackupPrivilege | 4784 | msiexec.exe
Token: SeRestorePrivilege | 4784 | msiexec.exe
Token: SeRestorePrivilege | 4784 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4784 | msiexec.exe
Token: SeRestorePrivilege | 4784 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4784 | msiexec.exe
Token: SeRestorePrivilege | 4784 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4784 | msiexec.exe
Token: SeTcbPrivilege | 2424 | g2ax_system_customer.exe
Token: SeTcbPrivilege | 1416 | g2ax_comm_customer.exe
Token: SeRestorePrivilege | 4784 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4784 | msiexec.exe
Token: SeRestorePrivilege | 4784 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4784 | msiexec.exe
Token: SeRestorePrivilege | 4784 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4784 | msiexec.exe
Token: SeRestorePrivilege | 4784 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4784 | msiexec.exe
Token: SeRestorePrivilege | 4784 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4784 | msiexec.exe
Token: SeRestorePrivilege | 4784 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4784 | msiexec.exe
Token: SeRestorePrivilege | 4784 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4784 | msiexec.exe
Token: SeRestorePrivilege | 4784 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4784 | msiexec.exe
Token: SeRestorePrivilege | 4784 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4784 | msiexec.exe
Token: SeRestorePrivilege | 4784 | msiexec.exe
Suspicious use of FindShellTrayWindow (34 IoCs)
pid | Process
2368 | msiexec.exe
2964 | MSIBE21.tmp
2368 | msiexec.exe
1908 | g2ax_user_customer.exe (this pid/process pair is reported 31 times)
Suspicious use of SendNotifyMessage (30 IoCs)
pid | Process
1908 | g2ax_user_customer.exe (this pid/process pair is reported 30 times)
Suspicious use of WriteProcessMemory (25 IoCs)
description | pid | Process | procid_target
PID 4784 wrote to memory of 2128 | 4784 | msiexec.exe | 93
PID 4784 wrote to memory of 2128 | 4784 | msiexec.exe | 93
PID 4784 wrote to memory of 2964 | 4784 | msiexec.exe | 95
PID 4784 wrote to memory of 2964 | 4784 | msiexec.exe | 95
PID 4784 wrote to memory of 2964 | 4784 | msiexec.exe | 95
PID 2964 wrote to memory of 2800 | 2964 | MSIBE21.tmp | 96
PID 2964 wrote to memory of 2800 | 2964 | MSIBE21.tmp | 96
PID 2964 wrote to memory of 2800 | 2964 | MSIBE21.tmp | 96
PID 2800 wrote to memory of 2932 | 2800 | g2ax_installer_customer.exe | 97
PID 2800 wrote to memory of 2932 | 2800 | g2ax_installer_customer.exe | 97
PID 2800 wrote to memory of 2932 | 2800 | g2ax_installer_customer.exe | 97
PID 2800 wrote to memory of 4404 | 2800 | g2ax_installer_customer.exe | 98
PID 2800 wrote to memory of 4404 | 2800 | g2ax_installer_customer.exe | 98
PID 2800 wrote to memory of 4404 | 2800 | g2ax_installer_customer.exe | 98
PID 1896 wrote to memory of 1416 | 1896 | g2ax_service.exe | 100
PID 1896 wrote to memory of 1416 | 1896 | g2ax_service.exe | 100
PID 1896 wrote to memory of 1416 | 1896 | g2ax_service.exe | 100
PID 1416 wrote to memory of 2424 | 1416 | g2ax_comm_customer.exe | 103
PID 1416 wrote to memory of 2424 | 1416 | g2ax_comm_customer.exe | 103
PID 1416 wrote to memory of 2424 | 1416 | g2ax_comm_customer.exe | 103
PID 1416 wrote to memory of 1908 | 1416 | g2ax_comm_customer.exe | 105
PID 1416 wrote to memory of 1908 | 1416 | g2ax_comm_customer.exe | 105
PID 1416 wrote to memory of 1908 | 1416 | g2ax_comm_customer.exe | 105
PID 1896 wrote to memory of 2980 | 1896 | g2ax_service.exe | 112
PID 1896 wrote to memory of 2980 | 1896 | g2ax_service.exe | 112
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

[depth 1] C:\Windows\system32\msiexec.exe
Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\[email protected]
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID: 2368
[depth 1] C:\Windows\system32\msiexec.exe
Command line: C:\Windows\system32\msiexec.exe /V
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 4784

  [depth 2] C:\Windows\system32\srtasks.exe
  Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  PID: 2128
  [depth 2] C:\Windows\Installer\MSIBE21.tmp
  Command line: "C:\Windows\Installer\MSIBE21.tmp" /FromMSI
  - Checks whether UAC is enabled
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID: 2964
    [depth 3] C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aC062.tmp\g2ax_installer_customer.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aC062.tmp\g2ax_installer_customer.exe " "/Action SetupUnattendedSilent" "/DownloadServer https://launch.getgo.com" "/EGWAddress 216.115.218.197" "/EGWDNS egw1.express.gotoassist.com" "/EGWPort 8200,80,443" /FromMSI "/Language en_US" "/LoaderPath C:\Windows\Installer\MSIBE21.tmp" "/LogPath C:\Users\Admin\AppData\Local\Temp\LogMeInLogs\GoToAssist Remote Support Customer\1575\20240824_233524\" "/Mode Normal" "/RestartReason Start" "/ServiceAllowed Yes" "/StartAsService Yes" "/Stat On" "/StatDb On" "/Trigger Web" "/UnattendedSetupToken 5331656515450037371" "/WebsiteUrl http://support.gotoassist.com" "/locale en_US" "/silent"
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious use of WriteProcessMemory
    PID: 2800
C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_service.exe"C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_service.exe" "Start=install_manual&Action=SetupUnattendedSilent&DownloadServer=https://launch.getgo.com&EGWAddress=216.115.218.197&EGWDNS=egw1.express.gotoassist.com&EGWPort=8200,80,443&Language=en_US&LoaderPath=C:\Windows\Installer\MSIBE21.tmp&LogPath=C:\Users\Admin\AppData\Local\Temp\LogMeInLogs\GoToAssist Remote Support Customer\1575\20240824_233524\&Mode=Normal&RestartReason=Start&ServiceAllowed=Yes&StartAsService=Yes&Stat=On&StatDb=On&Trigger=Web&UnattendedSetupToken=5331656515450037371&WebsiteUrl=http://support.gotoassist.com&locale=en_US"4⤵
- Modifies WinLogon
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2932
C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_service.exe (tree depth 4)
Command line: "C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_service.exe" "Start=start_session&Action=SetupUnattendedSilent&DownloadServer=https://launch.getgo.com&EGWAddress=216.115.218.197&EGWDNS=egw1.express.gotoassist.com&EGWPort=8200,80,443&Language=en_US&LoaderPath=C:\Windows\Installer\MSIBE21.tmp&LogPath=C:\Users\Admin\AppData\Local\Temp\LogMeInLogs\GoToAssist Remote Support Customer\1575\20240824_233524\&Mode=Normal&RestartReason=Start&ServiceAllowed=Yes&StartAsService=Yes&Stat=On&StatDb=On&Trigger=Web&UnattendedSetupToken=5331656515450037371&WebsiteUrl=http://support.gotoassist.com&locale=en_US"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4404
C:\Windows\system32\vssvc.exe (tree depth 1)
Command line: C:\Windows\system32\vssvc.exe
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4532
C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_service.exe (tree depth 1)
Command line: "C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_service.exe" "Start=service"
- Drops file in System32 directory
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1896
C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_comm_customer.exe (tree depth 2)
Command line: "C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_comm_customer.exe" "Action=SetupUnattendedSilent&DownloadServer=https://launch.getgo.com&EGWAddress=216.115.218.197&EGWDNS=egw1.express.gotoassist.com&EGWPort=8200,80,443&Language=en_US&LoaderPath=C:\Windows\Installer\MSIBE21.tmp&LogName=C:\Users\Admin\AppData\Local\Temp\LogMeInLogs\GoToAssist Remote Support Customer\1575\20240824_233524\GoToAssist Remote Support Customer.LOG&LogPath=C:\Users\Admin\AppData\Local\Temp\LogMeInLogs\GoToAssist Remote Support Customer\1575\20240824_233524\&Mode=Normal&ResourceDll=g2ax_customer_resource_win32_x86_en_US.dll&RestartReason=Start&RunningAsService=YES&ServiceAllowed=Yes&Start=service&StartAsService=Yes&StartID={45CB397D-781F-4B69-955E-7EB5F5BDC348}&Stat=On&StatDb=On&Trigger=Web&UnattendedSetupToken=5331656515450037371&UniqueId=1896&WebsiteUrl=http://support.gotoassist.com&locale=en_US"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1416
C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_system_customer.exe (tree depth 3)
Command line: "C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_system_customer.exe" "StartID={6EFAC87B-3BB8-4940-8458-5B2133ED1C4A}&ResourceDll=g2ax_customer_resource_win32_x86_en_US.dll&RunningAsService=YES&Debug=Off&Stat=On&StatDb=On&Index=0"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2424
C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_user_customer.exe (tree depth 3)
Command line: "C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_user_customer.exe" "StartID={45CB397D-781F-4B69-955E-7EB5F5BDC348}&ResourceDll=g2ax_customer_resource_win32_x86_en_US.dll&RunningAsService=YES&Debug=Off&Stat=On&StatDb=On&Index=0"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1908
C:\Windows\system32\regsvr32.exe (tree depth 2)
Command line: "C:\Windows\system32\regsvr32.exe" /s C:\Windows\system32\g2ax_credential_provider64_1575.dll
- Loads dropped DLL
- Modifies registry class
PID:2980
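The g2ax_* stages above receive their whole configuration on the command line, in two shapes: the installer takes quoted "/Key value" switches, while g2ax_service.exe and g2ax_comm_customer.exe take a single "Key=value&Key=value" query string. The block below is an added example for reading this report, not GoToAssist or LogMeIn code and not part of the tria.ge output: it normalises both shapes into one mapping and pulls out the endpoints an install will talk to, so they can be compared across stages and handed to a blocklist or a hunt. The two sample command lines are copied from the process tree (PIDs 2800 and 2932), trimmed to the fields used here; the function names are this example's own.

```python
"""Normalise the command lines GoToAssist's g2ax_* stages pass to each other and
extract the remote endpoints they name.

Added example for reading this report; not GoToAssist/LogMeIn code. The two
sample command lines are copied from the process tree (PIDs 2800 and 2932),
trimmed to the fields used here. Function names are this example's own.
"""
from __future__ import annotations

import re
from urllib.parse import parse_qs, urlparse

# Installer stage (PID 2800): quoted "/Key value" switches plus bare flags such
# as /FromMSI and /silent. Raw strings keep the Windows backslashes intact.
INSTALLER_CMDLINE = (
    r'"C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer'
    r'\1575\g2aC062.tmp\g2ax_installer_customer.exe " '
    r'"/Action SetupUnattendedSilent" "/DownloadServer https://launch.getgo.com" '
    r'"/EGWAddress 216.115.218.197" "/EGWDNS egw1.express.gotoassist.com" '
    r'"/EGWPort 8200,80,443" /FromMSI "/Language en_US" '
    r'"/LoaderPath C:\Windows\Installer\MSIBE21.tmp" "/Mode Normal" '
    r'"/UnattendedSetupToken 5331656515450037371" '
    r'"/WebsiteUrl http://support.gotoassist.com" "/locale en_US" "/silent"'
)

# Service stage (PID 2932): one quoted argument in URL query-string form.
SERVICE_CMDLINE = (
    r'"C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_service.exe" '
    r'"Start=install_manual&Action=SetupUnattendedSilent'
    r'&DownloadServer=https://launch.getgo.com&EGWAddress=216.115.218.197'
    r'&EGWDNS=egw1.express.gotoassist.com&EGWPort=8200,80,443&Language=en_US'
    r'&LoaderPath=C:\Windows\Installer\MSIBE21.tmp&Mode=Normal'
    r'&UnattendedSetupToken=5331656515450037371'
    r'&WebsiteUrl=http://support.gotoassist.com&locale=en_US"'
)

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmdline: str) -> list[str]:
    """Split a Windows command line into arguments: a double-quoted run (quotes
    stripped) or a run of non-whitespace. Neither sample contains escaped
    quotes, so no CommandLineToArgvW-style backslash handling is attempted."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def parse_g2ax_args(cmdline: str) -> dict[str, str]:
    """Return the stage's configuration as a flat Key -> value mapping.
    Bare flags (/FromMSI, /silent) map to an empty string."""
    args: dict[str, str] = {}
    for tok in tokenize(cmdline)[1:]:          # [0] is the image path
        if tok.startswith("/"):
            key, _, value = tok[1:].partition(" ")
            args[key] = value
        elif "=" in tok:
            for key, values in parse_qs(tok, keep_blank_values=True).items():
                args[key] = values[-1]           # last occurrence wins
    return args


def network_indicators(args: dict[str, str]) -> dict[str, object]:
    """Collect the fields that name remote endpoints, normalised for blocklists."""
    ports = [int(p) for p in args.get("EGWPort", "").split(",") if p.strip().isdigit()]
    hosts: set[str] = set()
    for key in ("DownloadServer", "WebsiteUrl"):
        host = urlparse(args.get(key, "")).hostname
        if host:
            hosts.add(host)
    if args.get("EGWDNS"):
        hosts.add(args["EGWDNS"])
    return {
        "gateway_ip": args.get("EGWAddress"),
        "gateway_ports": ports,
        "hosts": sorted(hosts),
    }


def stages_agree(*cmdlines: str) -> bool:
    """True when every stage names the same endpoints; a later stage pointing
    somewhere other than what the installer recorded is worth investigating."""
    seen = [network_indicators(parse_g2ax_args(c)) for c in cmdlines]
    return all(s == seen[0] for s in seen[1:])


if __name__ == "__main__":
    for name, line in (("installer", INSTALLER_CMDLINE), ("service", SERVICE_CMDLINE)):
        print(name, network_indicators(parse_g2ax_args(line)))
    print("stages agree:", stages_agree(INSTALLER_CMDLINE, SERVICE_CMDLINE))
```

Run against the two samples, both stages resolve to the same gateway (216.115.218.197 / egw1.express.gotoassist.com on 8200, 80 and 443) and the same launch.getgo.com and support.gotoassist.com hosts, which is what an unattended install of the genuine customer agent should look like; a stage whose EGWAddress or DownloadServer differs from the installer's is the case the agreement check is there to catch. Note that UnattendedSetupToken, the log path and the loader path travel in clear on the command line, so they will be present in Sysmon event 1 and Security 4688 records wherever command-line auditing is on; treat those logs as containing the session token.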
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (2)
  - Component Object Model Hijacking (1)
  - Installer Packages (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (2)
  - Component Object Model Hijacking (1)
  - Installer Packages (1)
Defense Evasion
- Modify Registry (2)
- Subvert Trust Controls (1)
  - Install Root Certificate (1)
- System Binary Proxy Execution (1)
  - Msiexec (1)
Downloads
-
Filesize: 8KB
MD5: 57f28c949cc49a5db1b2aa31b0d3e266
SHA1: fb685368ea423acb0dc5517662795b25db819006
SHA256: 712b055ffbb4d68d9095578cb6051552e69c0fce75b942c711badd0b47eceef5
SHA512: 711a426e11208e022b0e3a6df7881c2aca5f0c4213c49babc0972ae11a85f12ef4cf912d9d96d750db726b3d2ae9e0bc23d24e2e28457805adc8d1e1449786bc
-
C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aC062.tmp\g2ax_combined_customer.dll
Filesize: 9.0MB
MD5: b281109807f069ee71ad44a5c2ed4638
SHA1: 88d58db2ea9d8ab72504ad3933acedd69c919cf7
SHA256: 3d8d246a69eb0a66c52d8a713c2797b28d05e7c2ac9157fea5692bf6e9dfdda8
SHA512: 11fb0515904a24a041c02f89819b43cf30e4b791eac559084c0ab90c458ed46d0aff2ab9fe4e4a1e9c915d080eff212754d68643c67e4690237dab6a67cd2249
-
C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aC062.tmp\g2ax_credential_provider.dll
Filesize: 113KB
MD5: 6acbff3ffbf1d3b4ef2e590807b82a7f
SHA1: 0f781965145db5d9c97e471b8bc7236dee81c71c
SHA256: e870ce924d6797c053a14647184ad9d7e6bf641c2c1de901e747449964afdb22
SHA512: 734aaa7ca45209c7d67e743c7bd43130da709d3503ee3a127919aa676c7e9cc932707522e0355d8e17b8bb02dbb53109c7df9ddef7c118814e5a4f04ce712139
-
C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aC062.tmp\g2ax_credential_provider64.dll
Filesize: 122KB
MD5: 2f9bde855a7df5ab1a5d4bc549170064
SHA1: dab528bd0e4054926d4646d762f08d85e164c469
SHA256: ee0432569bfadee88267ae64d2b11a6d258225c74358f142afa4bec8d6236dd5
SHA512: ce19050bc003f290172efab577bfa36ca17bb5e5b9efd4e4443ca037f59a1ea2ac635ae1592d51354485df0ef274f0516a3501228f11edd16ef1c6d723820afb
-
C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aC062.tmp\g2ax_customer_resource_win32_x86_de.dll
Filesize: 2.7MB
MD5: 95d28b0ae03c0e0dbebaac0354bd665d
SHA1: 16ad8de089f85810678235cac2a332069e4a757e
SHA256: 2e0fd5b081c3a35f97fc15a37d254c46e09a57724dae50853cd6f7675b5502bd
SHA512: 5ec5d5d1b113c633364181411516b7de8e4ebf47d1bdbdb5cabec06a040671f5e69540b9b0f067fec593d26f6d1d97ca764c50d2adbd768b1e3cbf91b758ad27
-
C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aC062.tmp\g2ax_customer_resource_win32_x86_en_US.dll
Filesize: 2.7MB
MD5: 626dc7beea7eef7dbbad77b3f693eb49
SHA1: 1e25d0ca6c7678bb3775728bdd631f2bfe79ebc0
SHA256: 5bea8b91ed32fe2b925a8942a2706d8b84d75b00cac8f4ec1009c911a201a6f9
SHA512: a1609e5949721165773fec457f798ea9083257b19eeeafb3d40382f9763392862a976f2b892b6dadfe1df6c83e70b496c10ce688440fa5d97c78c6a0821d165a
-
C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aC062.tmp\g2ax_customer_resource_win32_x86_es.dll
Filesize: 2.7MB
MD5: d4b3e89862a5b2583b6da76aa12e225c
SHA1: 2f158da475e5a20f8e7c9b7effa7295fc07e7fd9
SHA256: 5bac52692ea070aa9a6cb4655ca1346818235e79d4ac234127c87f9bd26de5d2
SHA512: 2e792fa40569198a52df8796328ee0e6c93da9b861599e04bd0c0c7430b1c368c5ef60ca0bcda9297dcffd3e9312cdf12d62fdfd3febff4ec4a0ec55d2607a7f
-
C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aC062.tmp\g2ax_customer_resource_win32_x86_fr.dll
Filesize: 2.7MB
MD5: cdb5345e298d427450fe244a2e1cd16c
SHA1: e2e3402696090998174f686128af6d5791dd725a
SHA256: a476086f0c10426df4880f77e7333fa9aaab088421b5b9fab4937a65d734c817
SHA512: f036d3b164b3983f4684d3e3383ed2a67ebd674b5ea4d764189b429b3cecc81f5b0a4bf8a4e6e6d7e2aac27b7fb6edaf909835d2890000d3aded887e20776141
-
C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aC062.tmp\g2ax_customer_resource_win32_x86_it.dll
Filesize: 2.7MB
MD5: 4c6d97f5793a8806d1b07f7805c1290f
SHA1: 6ed0ae206d5e3fd7cb19634aef5f0055f0832d83
SHA256: 3798840e3ddf8025648420c2971c4434608f908bfd83437c239220e28e925323
SHA512: c13fba4f00340ab3be3b1f58bdd17fd1d3e95c1819b7a8d82b8e6cb7bc8bece9cf2d97ede47e57b062bb8008031f58b36934a5da0c452e17309f832b42b5e2ef
-
C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aC062.tmp\g2ax_customer_resource_win32_x86_pt.dll
Filesize: 2.7MB
MD5: 42accada99f11973893559eb80dbd7cc
SHA1: 9ed76304bf4af87210044d9fcbcb62f2f6f49fce
SHA256: c07707fdee8d761999bd63e44fdca04503ccbb2fde1e02d2eab6d3f99744840a
SHA512: 24177df97a981f2a5d0896d143b3f8057631a17ab18e00bf540b70a921d66f5876ee0985e4b32165fabedefebc0ad1329be4860619b1ea40274cfe2beaf0d696
-
C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aC062.tmp\g2ax_exe_customer_adminui.exe
Filesize: 599KB
MD5: 139e140841795d1d3b31ca9f0d2a18f0
SHA1: c8348ffcc2792edf84c7d0a60af9fced0cee74d2
SHA256: 814f387ab117191bc9cf9c33743bd792735237354ec83df4e014c7e7bc1e46ba
SHA512: 98bf1f4043ccd59bb2c86b56dda9b30426160cb093585e9378cd5930ab8d5485591ea1f59196fb64ec3e0cc2845bdf43d936e8ae303914df56a8bd82b9fcd42b
-
C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aC062.tmp\g2ax_installer_customer.exe
Filesize: 599KB
MD5: 7c9b0bde69c16ece846a56106b11dbfa
SHA1: 80c42eb9351f611a395256531c5ed4931be981cf
SHA256: 02d19f030b1f116c26bc3d1e6b03071b6f13ce7c7ea499603a5dfd571f3a96b6
SHA512: 7826faa0627a5e57cd4ad3076391cec125314339d59ac6ad2e623a82522e870ecbc12b42b5868484550ede7e8d3012f06bef5463b624636aea3f0343ccdd810a
-
C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aC062.tmp\g2ax_installer_customer_admin.exe
Filesize: 599KB
MD5: d4ee9d0af2825048d4bfd48f48bd464b
SHA1: a3a25e68132a4288b6b394623fd206fbf8899092
SHA256: e1ae8e4f45552d82ea9154a02d7b900f42cad77777d6b6d6872f3f96efde491c
SHA512: ff6a70d7edb1e0aef632027e50b264bfed1aa27bcf114c65b79da7894b6f2b48675d78bc698f0006973f24a9ca465ffb5ae82600d5f065dba14593ade31ffc47
-
C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aC062.tmp\g2ax_processfactory.exe
Filesize: 680KB
MD5: 63f225100403cd9d98e5c20a2f13c7f9
SHA1: e4152545009c0bcbdbb9bed52f2935d55ba7da01
SHA256: 450ba2dc70b1bbb9cd808be082cc90ee2be2e27e678d37b27400a90e0e4463f8
SHA512: 58886a5b9455e56e86b227c7a49535b638a9379ab8752c58d8560987c7585d7a42eac2e88b19c82a52f8eb13aabfc436ada14673878a80667ae30b369a1ed409
-
C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aC062.tmp\g2ax_winlogon.dll
Filesize: 598KB
MD5: 8b64004a064179c50ab204cb8baacdb1
SHA1: 357fe1c8cc37ff7a7c064ed6f49360692a4a8254
SHA256: 20b7b7290d17b2b3b9d6bb01d7f540dcd780944a9a2873d641e973433173a781
SHA512: 0ce7693c4c54db616f1c30899bbe77f4a6033ee034a389d032dcc3e8c84d3361f3beaab82508c69e1b8a4b4104590953c2a9abef354680043a2964fd8106af74
-
C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aC062.tmp\g2ax_winlogonx64.dll
Filesize: 599KB
MD5: 234f00413858db80b4b51c1abede4152
SHA1: e2606f11691de55ac8f491050abbcbe71c0ad1ba
SHA256: c5daa86b380ed04bc2ec92bbe74c8aff958edeabd240411b7ecb7f5721ba548d
SHA512: 0a242a4516cfa722e35f5cb9a6e815d03e00b63e8ef648532526e8a0d228f4d00c2367d65bf402d1c564a208e1d5747b2ba1350bc0e637743373898fc37cd41c
-
C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aC062.tmp\uninshlp.dll
Filesize: 20KB
MD5: 0868827e42db552e5427f277fedf1e6b
SHA1: 9fb59bbb4edbcc98fdb36ffff378d0bb9ddcc4fb
SHA256: f6684c5dbce46be754e61da86757278bb6a9c7def6810504a1dc389920b5d38a
SHA512: 607064c1bc4aa627dc130d3a34d19bd512324bb9bd91ceaa6bcb20f0e218d070ef7021c921318a4d6474e95979bd569c2776b414269aeade5fa884876d58c3d1
-
Filesize: 3.6MB
MD5: 10691eb99593e235b86d018ebaf7d4e6
SHA1: 35e0444bb572f3890f327afc1feba32e9833d5b4
SHA256: 4e945ddc84443a2ac2f845693461a7bda2ab07b24eb3b980c1b86dd5f2d8ed2b
SHA512: 10e1ee6fa616d92d1bc5bca358321c0fd4b18767a7eb7fd7bdf19c3302b23163a37e904f162d57097d40ca10b68494c7f5d029db4f9f91ac62351c48d150377f
-
Filesize: 23.7MB
MD5: 390cdffdce1ec568d3a24ae516ce47d3
SHA1: 2d1c318ac2e8e764197af84bf497a48c287a273a
SHA256: c67633d1cc6fb7c3d2b38a9cef750089b6863d9e890bddf11377a0e4a4fb0d81
SHA512: bea053363ebfee438ba9ff826a1b26a7d8084719a94fcc893ff765ca42d4f813323d1b6d9dadb5e7b4fba9524eb07cd2354e872ffa9c734878c3fe8edf0b1fc7
-
\??\Volume{fa35ad82-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{0af9ce3c-45b7-4eba-8644-cf7b053b8c8d}_OnDiskSnapshotProp
Filesize: 6KB
MD5: 5e7a4ca9a1d572e1e35601918b83a1cf
SHA1: a81809daf229b3422575d90cd7b681ecac3a1227
SHA256: a25f72c48a50d60a7e6b2980adf3859c7a897a03552255b655ff72d30004a3e4
SHA512: 0c27e233d0a0eaff8e6640ecce5a7e051e58d4672a781519b8c391ab1d31206aeef69a3e9e834c88563f3c2eed97bb8cd753e404522cd8b6a35d6a7c00157467