Analysis
max time kernel: 148s
max time network: 151s
platform: windows11-21h2_x64
resource: win11-20240802-en
resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 24-08-2024 23:34
Static task: static1

General
Target:
Size: 4.1MB
MD5: 4dd7bd5bc7ad5494b39c033290136207
SHA1: aeac40777f86c172d8872643c9c537f53cdf1f5d
SHA256: 30949949855ec60455a390a5f77ce7eaf52b3917a963a27ecc7dd1946862e852
SHA512: 483c6099e920c5b36cd052e59b331d720cebbbf242d190c1b5383b5a7a6327abfc45f2311f58332822d4ec6f726722cf4f16f1c61071d10307a9a6a32849df37
SSDEEP: 98304:0BZc4QcOiOqteN/+G5s5jmL0tipvHYzlgpwS+nqA5:IzOVq29mJmgw0gpwSa
Malware Config
Signatures
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

YARA rule matches (resource: rule)
- behavioral4/files/0x000200000002aab3-10.dat: upx
- behavioral4/memory/4140-12-0x0000000000400000-0x000000000225E000-memory.dmp: upx
- behavioral4/memory/4140-47-0x0000000000400000-0x000000000225E000-memory.dmp: upx
- behavioral4/memory/4140-119-0x0000000000400000-0x000000000225E000-memory.dmp: upx

Checks whether UAC is enabled 2 IoCs
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (MSI93D5.tmp)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (g2ax_installer_customer.exe)
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon 2 TTPs 9 IoCs
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GoToAssist Express Customer\Logoff = "Logoff" (g2ax_service.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify (g2ax_service.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GoToAssist Express Customer\DLLName = "C:\\Program Files (x86)\\GoToAssist Remote Support Customer\\1575\\g2ax_winlogonx64.dll" (g2ax_service.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GoToAssist Express Customer\Logon = "Logon" (g2ax_service.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GoToAssist Express Customer\Startup = "Startup" (g2ax_service.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GoToAssist Express Customer\Impersonate = "0" (g2ax_service.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GoToAssist Express Customer\Shutdown = "Shutdown" (g2ax_service.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GoToAssist Express Customer (g2ax_service.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GoToAssist Express Customer\Asynchronous = "0" (g2ax_service.exe)

Drops file in System32 directory 2 IoCs
- File created: C:\Windows\system32\g2ax_credential_provider64_1575.dll (g2ax_service.exe)
- File opened for modification: C:\Windows\system32\g2ax_credential_provider64_1575.dll (g2ax_service.exe)
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in Program Files directory 26 IoCs
- File created: C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_processfactory.exe (g2ax_installer_customer.exe)
- File created: C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_winlogonx64.dll (g2ax_installer_customer.exe)
- File created: C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_user_customer.exe (g2ax_installer_customer.exe)
- File created: C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_customer_resource_win32_x86_es.dll (g2ax_installer_customer.exe)
- File created: C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\shortcuts.txt (g2ax_service.exe)
- File opened for modification: C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\uninshlp.dll (g2ax_installer_customer.exe)
- File created: C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_credential_provider.dll (g2ax_installer_customer.exe)
- File created: C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_service.exe (g2ax_installer_customer.exe)
- File created: C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_customer_resource_win32_x86_pt.dll (g2ax_installer_customer.exe)
- File created: C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_credential_provider64.dll (g2ax_installer_customer.exe)
- File created: C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_customer_resource_win32_x86_de.dll (g2ax_installer_customer.exe)
- File created: C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_combined_customer.dll (g2ax_installer_customer.exe)
- File created: C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_host.exe (g2ax_installer_customer.exe)
- File created: C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_host_service.exe (g2ax_installer_customer.exe)
- File created: C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_user_medium_customer.exe (g2ax_installer_customer.exe)
- File created: C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_user_high_customer.exe (g2ax_installer_customer.exe)
- File created: C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_customer_resource_win32_x86_en_US.dll (g2ax_installer_customer.exe)
- File created: C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_customer_resource_win32_x86_fr.dll (g2ax_installer_customer.exe)
- File created: C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\uninshlp.dll (g2ax_installer_customer.exe)
- File created: C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_installer_customer.exe (g2ax_installer_customer.exe)
- File created: C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_winlogon.dll (g2ax_installer_customer.exe)
- File created: C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_comm_customer.exe (g2ax_installer_customer.exe)
- File created: C:\Program Files (x86)\_x_CInstB+TEST_x_0\_x_CInstB+TEST_x_0 (g2ax_installer_customer.exe)
- File created: C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_uninstaller_customer.exe (g2ax_installer_customer.exe)
- File created: C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_system_customer.exe (g2ax_installer_customer.exe)
- File created: C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_customer_resource_win32_x86_it.dll (g2ax_installer_customer.exe)
Drops file in Windows directory 13 IoCs
- File opened for modification: C:\Windows\Installer\MSI93D5.tmp (msiexec.exe)
- File created: C:\Windows\SystemTemp\~DF442F7816374C85C0.TMP (msiexec.exe)
- File created: C:\Windows\Installer\e5792e9.msi (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSI93A5.tmp (msiexec.exe)
- File created: C:\Windows\Installer\e5792ed.msi (msiexec.exe)
- File opened for modification: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log (msiexec.exe)
- File created: C:\Windows\Installer\inprogressinstallinfo.ipi (msiexec.exe)
- File created: C:\Windows\SystemTemp\~DF850C6B30C17BDD65.TMP (msiexec.exe)
- File opened for modification: C:\Windows\Installer\e5792e9.msi (msiexec.exe)
- File created: C:\Windows\Installer\SourceHash{8986461A-C5B9-4E8B-827A-FA68F3411575} (msiexec.exe)
- File created: C:\Windows\SystemTemp\~DFD17B1AEDB1AC49C5.TMP (msiexec.exe)
- File created: C:\Windows\SystemTemp\~DFD1253B81C5351010.TMP (msiexec.exe)
- File opened for modification: C:\Windows\Installer\ (msiexec.exe)

Executes dropped EXE 8 IoCs
- PID 4140 MSI93D5.tmp
- PID 3136 g2ax_installer_customer.exe
- PID 2484 g2ax_service.exe
- PID 1944 g2ax_service.exe
- PID 3824 g2ax_service.exe
- PID 1640 g2ax_comm_customer.exe
- PID 5044 g2ax_system_customer.exe
- PID 1480 g2ax_user_customer.exe

Loads dropped DLL 8 IoCs
- PID 3136 g2ax_installer_customer.exe
- PID 2484 g2ax_service.exe
- PID 1944 g2ax_service.exe
- PID 3824 g2ax_service.exe
- PID 1640 g2ax_comm_customer.exe
- PID 5044 g2ax_system_customer.exe
- PID 1480 g2ax_user_customer.exe
- PID 1100 regsvr32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
- PID 744 msiexec.exe
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (g2ax_service.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (g2ax_service.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (g2ax_service.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (g2ax_comm_customer.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (g2ax_system_customer.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (g2ax_user_customer.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (MSI93D5.tmp)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (g2ax_installer_customer.exe)
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr (vssvc.exe)
- Set value (data): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache (vssvc.exe)
- Set value (data): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (vssvc.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters (vssvc.exe)
- Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters (vssvc.exe)
Modifies data under HKEY_USERS 12 IoCs
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\LogMeInInc\GoToAssist\ConnectionInfo\LastGood\Proto1\Proto = "1" (g2ax_comm_customer.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\LogMeInInc\GoToAssist\ConnectionInfo\LastGood\Proto1\Flags = "1" (g2ax_comm_customer.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\LogMeInInc\GoToAssist\ConnectionInfo\LastGood\Proto1\OriginalDetector = "4" (g2ax_comm_customer.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\LogMeInInc\GoToAssist\AuthInfo (g2ax_comm_customer.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\LogMeInInc\GoToAssist (g2ax_comm_customer.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\LogMeInInc\GoToAssist\ConnectionInfo\LastGood\Proto1 (g2ax_comm_customer.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\LogMeInInc\GoToAssist\ConnectionInfo\LastGood (g2ax_comm_customer.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\LogMeInInc\GoToAssist\ConnectionInfo\LastGood\Proto1\TargetPort = "443" (g2ax_comm_customer.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software (g2ax_comm_customer.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\LogMeInInc (g2ax_comm_customer.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\LogMeInInc\GoToAssist\ConnectionInfo (g2ax_comm_customer.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\LogMeInInc\GoToAssist\ConnectionInfo\LastGood\Proto1\Method = "32" (g2ax_comm_customer.exe)
Modifies registry class 30 IoCs
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\GoToAssist Remote Support Customer.g2ax_StartHereLoader.2 (g2ax_service.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D025C57A-763E-4B14-B580-9B5B161F08BB}\InprocServer32\ThreadingModel = "Apartment" (regsvr32.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{45CB397D-781F-4B69-955E-7EB5F5BDC348}\ProgID\ = "GoToAssist Remote Support Customer.g2ax_StartHereLoader.2" (g2ax_service.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\GoToAssist Remote Support Customer.g2ax_StartHereLoader\CLSID\ = "{45CB397D-781F-4B69-955E-7EB5F5BDC348}" (g2ax_service.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{45CB397D-781F-4B69-955E-7EB5F5BDC348} (g2ax_service.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{45CB397D-781F-4B69-955E-7EB5F5BDC348}\VersionIndependentProgID (g2ax_service.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D025C57A-763E-4B14-B580-9B5B161F08BB}\InprocServer32\ = "C:\\Windows\\system32\\g2ax_credential_provider64_1575.dll" (regsvr32.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\\g2ax_service.exe (g2ax_service.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{45CB397D-781F-4B69-955E-7EB5F5BDC348}\ = "g2ax_StartHereLoader" (g2ax_service.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{45CB397D-781F-4B69-955E-7EB5F5BDC348}\LocalServer32\ = "C:\\Program Files (x86)\\GoToAssist Remote Support Customer\\1575\\g2ax_service.exe" (g2ax_service.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\GoToAssist Remote Support Customer.g2ax_StartHereLoader (g2ax_service.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\GoToAssist Remote Support Customer.g2ax_StartHereLoader\ = "g2ax_StartHereLoader" (g2ax_service.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\GoToAssist Remote Support Customer.g2ax_StartHereLoader\CLSID (g2ax_service.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\GoToAssist Remote Support Customer.g2ax_StartHereLoader\CurVer (g2ax_service.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\GoToAssist Remote Support Customer.g2ax_StartHereLoader\CurVer\ = "GoToAssist Remote Support Customer.g2ax_StartHereLoader.2" (g2ax_service.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{D7222C15-96C7-40f1-97A7-EB3D057EA80C}\ = "GoToAssist Remote Support Customer" (g2ax_service.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D025C57A-763E-4B14-B580-9B5B161F08BB} (regsvr32.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{45CB397D-781F-4B69-955E-7EB5F5BDC348}\LocalServer32 (g2ax_service.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{45CB397D-781F-4B69-955E-7EB5F5BDC348}\AppID = "{D7222C15-96C7-40f1-97A7-EB3D057EA80C}" (g2ax_service.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{45CB397D-781F-4B69-955E-7EB5F5BDC348}\ProgID (g2ax_service.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D025C57A-763E-4B14-B580-9B5B161F08BB}\ = "CredentialProvider" (regsvr32.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\g2ax_service.exe\AppID = "{D7222C15-96C7-40f1-97A7-EB3D057EA80C}" (g2ax_service.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{45CB397D-781F-4B69-955E-7EB5F5BDC348}\VersionIndependentProgID\ = "GoToAssist Remote Support Customer.g2ax_StartHereLoader" (g2ax_service.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\GoToAssist Remote Support Customer.g2ax_StartHereLoader.2\ = "g2ax_StartHereLoader" (g2ax_service.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D025C57A-763E-4B14-B580-9B5B161F08BB}\InprocServer32 (regsvr32.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{D7222C15-96C7-40f1-97A7-EB3D057EA80C}\LocalService = "GoToAssist Remote Support Customer" (g2ax_service.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{D7222C15-96C7-40f1-97A7-EB3D057EA80C}\ServiceParameters = "-Service" (g2ax_service.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\GoToAssist Remote Support Customer.g2ax_StartHereLoader.2\CLSID (g2ax_service.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\GoToAssist Remote Support Customer.g2ax_StartHereLoader.2\CLSID\ = "{45CB397D-781F-4B69-955E-7EB5F5BDC348}" (g2ax_service.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\\{D7222C15-96C7-40f1-97A7-EB3D057EA80C} (g2ax_service.exe)

Modifies system certificate store 3 IoCs
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 (g2ax_installer_customer.exe)
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob (g2ax_installer_customer.exe)
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob (g2ax_installer_customer.exe)
Suspicious behavior: EnumeratesProcesses 6 IoCs
- PID 1992 msiexec.exe
- PID 1992 msiexec.exe
- PID 1640 g2ax_comm_customer.exe
- PID 1640 g2ax_comm_customer.exe
- PID 5044 g2ax_system_customer.exe
- PID 5044 g2ax_system_customer.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 34 IoCs
Suspicious use of SendNotifyMessage 31 IoCs
Suspicious use of WriteProcessMemory 25 IoCs
- PID 1992 (msiexec.exe) wrote to memory of 4308, procid_target 87
- PID 1992 (msiexec.exe) wrote to memory of 4308, procid_target 87
- PID 1992 (msiexec.exe) wrote to memory of 4140, procid_target 89
- PID 1992 (msiexec.exe) wrote to memory of 4140, procid_target 89
- PID 1992 (msiexec.exe) wrote to memory of 4140, procid_target 89
- PID 4140 (MSI93D5.tmp) wrote to memory of 3136, procid_target 90
- PID 4140 (MSI93D5.tmp) wrote to memory of 3136, procid_target 90
- PID 4140 (MSI93D5.tmp) wrote to memory of 3136, procid_target 90
- PID 3136 (g2ax_installer_customer.exe) wrote to memory of 2484, procid_target 93
- PID 3136 (g2ax_installer_customer.exe) wrote to memory of 2484, procid_target 93
- PID 3136 (g2ax_installer_customer.exe) wrote to memory of 2484, procid_target 93
- PID 3136 (g2ax_installer_customer.exe) wrote to memory of 1944, procid_target 94
- PID 3136 (g2ax_installer_customer.exe) wrote to memory of 1944, procid_target 94
- PID 3136 (g2ax_installer_customer.exe) wrote to memory of 1944, procid_target 94
- PID 3824 (g2ax_service.exe) wrote to memory of 1640, procid_target 96
- PID 3824 (g2ax_service.exe) wrote to memory of 1640, procid_target 96
- PID 3824 (g2ax_service.exe) wrote to memory of 1640, procid_target 96
- PID 1640 (g2ax_comm_customer.exe) wrote to memory of 5044, procid_target 98
- PID 1640 (g2ax_comm_customer.exe) wrote to memory of 5044, procid_target 98
- PID 1640 (g2ax_comm_customer.exe) wrote to memory of 5044, procid_target 98
- PID 1640 (g2ax_comm_customer.exe) wrote to memory of 1480, procid_target 100
- PID 1640 (g2ax_comm_customer.exe) wrote to memory of 1480, procid_target 100
- PID 1640 (g2ax_comm_customer.exe) wrote to memory of 1480, procid_target 100
- PID 3824 (g2ax_service.exe) wrote to memory of 1100, procid_target 102
- PID 3824 (g2ax_service.exe) wrote to memory of 1100, procid_target 102
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\[email protected]1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:744
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1992 -
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵
- Suspicious use of AdjustPrivilegeToken
PID:4308
-
-
C:\Windows\Installer\MSI93D5.tmp"C:\Windows\Installer\MSI93D5.tmp" /FromMSI2⤵
- Checks whether UAC is enabled
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4140 -
C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2a95F6.tmp\g2ax_installer_customer.exe"C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2a95F6.tmp\g2ax_installer_customer.exe " "/Action SetupUnattendedSilent" "/DownloadServer https://launch.getgo.com" "/EGWAddress 216.115.218.197" "/EGWDNS egw1.express.gotoassist.com" "/EGWPort 8200,80,443" /FromMSI "/Language en_US" "/LoaderPath C:\Windows\Installer\MSI93D5.tmp" "/LogPath C:\Users\Admin\AppData\Local\Temp\LogMeInLogs\GoToAssist Remote Support Customer\1575\20240824_233519\" "/Mode Normal" "/RestartReason Start" "/ServiceAllowed Yes" "/StartAsService Yes" "/Stat On" "/StatDb On" "/Trigger Web" "/UnattendedSetupToken 5331656515450037371" "/WebsiteUrl http://support.gotoassist.com" "/locale en_US" "/silent"3⤵
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:3136 -
C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_service.exe"C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_service.exe" "Start=install_manual&Action=SetupUnattendedSilent&DownloadServer=https://launch.getgo.com&EGWAddress=216.115.218.197&EGWDNS=egw1.express.gotoassist.com&EGWPort=8200,80,443&Language=en_US&LoaderPath=C:\Windows\Installer\MSI93D5.tmp&LogPath=C:\Users\Admin\AppData\Local\Temp\LogMeInLogs\GoToAssist Remote Support Customer\1575\20240824_233519\&Mode=Normal&RestartReason=Start&ServiceAllowed=Yes&StartAsService=Yes&Stat=On&StatDb=On&Trigger=Web&UnattendedSetupToken=5331656515450037371&WebsiteUrl=http://support.gotoassist.com&locale=en_US"4⤵
- Modifies WinLogon
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2484
-
-
C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_service.exe"C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_service.exe" "Start=start_session&Action=SetupUnattendedSilent&DownloadServer=https://launch.getgo.com&EGWAddress=216.115.218.197&EGWDNS=egw1.express.gotoassist.com&EGWPort=8200,80,443&Language=en_US&LoaderPath=C:\Windows\Installer\MSI93D5.tmp&LogPath=C:\Users\Admin\AppData\Local\Temp\LogMeInLogs\GoToAssist Remote Support Customer\1575\20240824_233519\&Mode=Normal&RestartReason=Start&ServiceAllowed=Yes&StartAsService=Yes&Stat=On&StatDb=On&Trigger=Web&UnattendedSetupToken=5331656515450037371&WebsiteUrl=http://support.gotoassist.com&locale=en_US"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1944
-
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2328
-
C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_service.exe"C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_service.exe" "Start=service"1⤵
- Drops file in System32 directory
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3824 -
C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_comm_customer.exe"C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_comm_customer.exe" "Action=SetupUnattendedSilent&DownloadServer=https://launch.getgo.com&EGWAddress=216.115.218.197&EGWDNS=egw1.express.gotoassist.com&EGWPort=8200,80,443&Language=en_US&LoaderPath=C:\Windows\Installer\MSI93D5.tmp&LogName=C:\Users\Admin\AppData\Local\Temp\LogMeInLogs\GoToAssist Remote Support Customer\1575\20240824_233519\GoToAssist Remote Support Customer.LOG&LogPath=C:\Users\Admin\AppData\Local\Temp\LogMeInLogs\GoToAssist Remote Support Customer\1575\20240824_233519\&Mode=Normal&ResourceDll=g2ax_customer_resource_win32_x86_en_US.dll&RestartReason=Start&RunningAsService=YES&ServiceAllowed=Yes&Start=service&StartAsService=Yes&StartID={45CB397D-781F-4B69-955E-7EB5F5BDC348}&Stat=On&StatDb=On&Trigger=Web&UnattendedSetupToken=5331656515450037371&UniqueId=3824&WebsiteUrl=http://support.gotoassist.com&locale=en_US"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1640 -

    C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_system_customer.exe
    "C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_system_customer.exe" "StartID={A8359B37-559B-434C-B325-003D56282ECF}&ResourceDll=g2ax_customer_resource_win32_x86_en_US.dll&RunningAsService=YES&Debug=Off&Stat=On&StatDb=On&Index=0"
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:5044

    C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_user_customer.exe
    "C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_user_customer.exe" "StartID={45CB397D-781F-4B69-955E-7EB5F5BDC348}&ResourceDll=g2ax_customer_resource_win32_x86_en_US.dll&RunningAsService=YES&Debug=Off&Stat=On&StatDb=On&Index=0"
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1480

  C:\Windows\system32\regsvr32.exe
  "C:\Windows\system32\regsvr32.exe" /s C:\Windows\system32\g2ax_credential_provider64_1575.dll
  - Loads dropped DLL
  - Modifies registry class
  PID:1100

Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Winlogon Helper DLL (1)
- Event Triggered Execution (2): Component Object Model Hijacking (1), Installer Packages (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Winlogon Helper DLL (1)
- Event Triggered Execution (2): Component Object Model Hijacking (1), Installer Packages (1)
Defense Evasion
- Modify Registry (2)
- Subvert Trust Controls (1): Install Root Certificate (1)
- System Binary Proxy Execution (1): Msiexec (1)
Downloads

Filesize 8KB
MD5 50406c4c496577fa20af60fc9b7cbab5
SHA1 b2e10379541c2a2e33a9208adeadc03067d0a68a
SHA256 aef3abecbec30c24d3a3e8b45727e026a67fe2b15c28f5391bf76f2bb90cf21a
SHA512 353f046585292b088d9731ae805ba779cfe985294d9e0fbe4ced2b4f4a792a1436ec3ce08aaae71269d6a23161be716a69a624983bff5f248894736fa03b25c4

C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2a95F6.tmp\g2ax_combined_customer.dll
Filesize 9.0MB
MD5 b281109807f069ee71ad44a5c2ed4638
SHA1 88d58db2ea9d8ab72504ad3933acedd69c919cf7
SHA256 3d8d246a69eb0a66c52d8a713c2797b28d05e7c2ac9157fea5692bf6e9dfdda8
SHA512 11fb0515904a24a041c02f89819b43cf30e4b791eac559084c0ab90c458ed46d0aff2ab9fe4e4a1e9c915d080eff212754d68643c67e4690237dab6a67cd2249

C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2a95F6.tmp\g2ax_credential_provider.dll
Filesize 113KB
MD5 6acbff3ffbf1d3b4ef2e590807b82a7f
SHA1 0f781965145db5d9c97e471b8bc7236dee81c71c
SHA256 e870ce924d6797c053a14647184ad9d7e6bf641c2c1de901e747449964afdb22
SHA512 734aaa7ca45209c7d67e743c7bd43130da709d3503ee3a127919aa676c7e9cc932707522e0355d8e17b8bb02dbb53109c7df9ddef7c118814e5a4f04ce712139

C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2a95F6.tmp\g2ax_credential_provider64.dll
Filesize 122KB
MD5 2f9bde855a7df5ab1a5d4bc549170064
SHA1 dab528bd0e4054926d4646d762f08d85e164c469
SHA256 ee0432569bfadee88267ae64d2b11a6d258225c74358f142afa4bec8d6236dd5
SHA512 ce19050bc003f290172efab577bfa36ca17bb5e5b9efd4e4443ca037f59a1ea2ac635ae1592d51354485df0ef274f0516a3501228f11edd16ef1c6d723820afb

C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2a95F6.tmp\g2ax_customer_resource_win32_x86_de.dll
Filesize 2.7MB
MD5 95d28b0ae03c0e0dbebaac0354bd665d
SHA1 16ad8de089f85810678235cac2a332069e4a757e
SHA256 2e0fd5b081c3a35f97fc15a37d254c46e09a57724dae50853cd6f7675b5502bd
SHA512 5ec5d5d1b113c633364181411516b7de8e4ebf47d1bdbdb5cabec06a040671f5e69540b9b0f067fec593d26f6d1d97ca764c50d2adbd768b1e3cbf91b758ad27

C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2a95F6.tmp\g2ax_customer_resource_win32_x86_en_US.dll
Filesize 2.7MB
MD5 626dc7beea7eef7dbbad77b3f693eb49
SHA1 1e25d0ca6c7678bb3775728bdd631f2bfe79ebc0
SHA256 5bea8b91ed32fe2b925a8942a2706d8b84d75b00cac8f4ec1009c911a201a6f9
SHA512 a1609e5949721165773fec457f798ea9083257b19eeeafb3d40382f9763392862a976f2b892b6dadfe1df6c83e70b496c10ce688440fa5d97c78c6a0821d165a

C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2a95F6.tmp\g2ax_customer_resource_win32_x86_es.dll
Filesize 2.7MB
MD5 d4b3e89862a5b2583b6da76aa12e225c
SHA1 2f158da475e5a20f8e7c9b7effa7295fc07e7fd9
SHA256 5bac52692ea070aa9a6cb4655ca1346818235e79d4ac234127c87f9bd26de5d2
SHA512 2e792fa40569198a52df8796328ee0e6c93da9b861599e04bd0c0c7430b1c368c5ef60ca0bcda9297dcffd3e9312cdf12d62fdfd3febff4ec4a0ec55d2607a7f

C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2a95F6.tmp\g2ax_customer_resource_win32_x86_fr.dll
Filesize 2.7MB
MD5 cdb5345e298d427450fe244a2e1cd16c
SHA1 e2e3402696090998174f686128af6d5791dd725a
SHA256 a476086f0c10426df4880f77e7333fa9aaab088421b5b9fab4937a65d734c817
SHA512 f036d3b164b3983f4684d3e3383ed2a67ebd674b5ea4d764189b429b3cecc81f5b0a4bf8a4e6e6d7e2aac27b7fb6edaf909835d2890000d3aded887e20776141

C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2a95F6.tmp\g2ax_customer_resource_win32_x86_it.dll
Filesize 2.7MB
MD5 4c6d97f5793a8806d1b07f7805c1290f
SHA1 6ed0ae206d5e3fd7cb19634aef5f0055f0832d83
SHA256 3798840e3ddf8025648420c2971c4434608f908bfd83437c239220e28e925323
SHA512 c13fba4f00340ab3be3b1f58bdd17fd1d3e95c1819b7a8d82b8e6cb7bc8bece9cf2d97ede47e57b062bb8008031f58b36934a5da0c452e17309f832b42b5e2ef

C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2a95F6.tmp\g2ax_customer_resource_win32_x86_pt.dll
Filesize 2.7MB
MD5 42accada99f11973893559eb80dbd7cc
SHA1 9ed76304bf4af87210044d9fcbcb62f2f6f49fce
SHA256 c07707fdee8d761999bd63e44fdca04503ccbb2fde1e02d2eab6d3f99744840a
SHA512 24177df97a981f2a5d0896d143b3f8057631a17ab18e00bf540b70a921d66f5876ee0985e4b32165fabedefebc0ad1329be4860619b1ea40274cfe2beaf0d696

C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2a95F6.tmp\g2ax_exe_customer_adminui.exe
Filesize 599KB
MD5 139e140841795d1d3b31ca9f0d2a18f0
SHA1 c8348ffcc2792edf84c7d0a60af9fced0cee74d2
SHA256 814f387ab117191bc9cf9c33743bd792735237354ec83df4e014c7e7bc1e46ba
SHA512 98bf1f4043ccd59bb2c86b56dda9b30426160cb093585e9378cd5930ab8d5485591ea1f59196fb64ec3e0cc2845bdf43d936e8ae303914df56a8bd82b9fcd42b

C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2a95F6.tmp\g2ax_installer_customer.exe
Filesize 599KB
MD5 7c9b0bde69c16ece846a56106b11dbfa
SHA1 80c42eb9351f611a395256531c5ed4931be981cf
SHA256 02d19f030b1f116c26bc3d1e6b03071b6f13ce7c7ea499603a5dfd571f3a96b6
SHA512 7826faa0627a5e57cd4ad3076391cec125314339d59ac6ad2e623a82522e870ecbc12b42b5868484550ede7e8d3012f06bef5463b624636aea3f0343ccdd810a

C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2a95F6.tmp\g2ax_installer_customer_admin.exe
Filesize 599KB
MD5 d4ee9d0af2825048d4bfd48f48bd464b
SHA1 a3a25e68132a4288b6b394623fd206fbf8899092
SHA256 e1ae8e4f45552d82ea9154a02d7b900f42cad77777d6b6d6872f3f96efde491c
SHA512 ff6a70d7edb1e0aef632027e50b264bfed1aa27bcf114c65b79da7894b6f2b48675d78bc698f0006973f24a9ca465ffb5ae82600d5f065dba14593ade31ffc47

C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2a95F6.tmp\g2ax_processfactory.exe
Filesize 680KB
MD5 63f225100403cd9d98e5c20a2f13c7f9
SHA1 e4152545009c0bcbdbb9bed52f2935d55ba7da01
SHA256 450ba2dc70b1bbb9cd808be082cc90ee2be2e27e678d37b27400a90e0e4463f8
SHA512 58886a5b9455e56e86b227c7a49535b638a9379ab8752c58d8560987c7585d7a42eac2e88b19c82a52f8eb13aabfc436ada14673878a80667ae30b369a1ed409

C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2a95F6.tmp\g2ax_winlogon.dll
Filesize 598KB
MD5 8b64004a064179c50ab204cb8baacdb1
SHA1 357fe1c8cc37ff7a7c064ed6f49360692a4a8254
SHA256 20b7b7290d17b2b3b9d6bb01d7f540dcd780944a9a2873d641e973433173a781
SHA512 0ce7693c4c54db616f1c30899bbe77f4a6033ee034a389d032dcc3e8c84d3361f3beaab82508c69e1b8a4b4104590953c2a9abef354680043a2964fd8106af74

C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2a95F6.tmp\g2ax_winlogonx64.dll
Filesize 599KB
MD5 234f00413858db80b4b51c1abede4152
SHA1 e2606f11691de55ac8f491050abbcbe71c0ad1ba
SHA256 c5daa86b380ed04bc2ec92bbe74c8aff958edeabd240411b7ecb7f5721ba548d
SHA512 0a242a4516cfa722e35f5cb9a6e815d03e00b63e8ef648532526e8a0d228f4d00c2367d65bf402d1c564a208e1d5747b2ba1350bc0e637743373898fc37cd41c

C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2a95F6.tmp\uninshlp.dll
Filesize 20KB
MD5 0868827e42db552e5427f277fedf1e6b
SHA1 9fb59bbb4edbcc98fdb36ffff378d0bb9ddcc4fb
SHA256 f6684c5dbce46be754e61da86757278bb6a9c7def6810504a1dc389920b5d38a
SHA512 607064c1bc4aa627dc130d3a34d19bd512324bb9bd91ceaa6bcb20f0e218d070ef7021c921318a4d6474e95979bd569c2776b414269aeade5fa884876d58c3d1

Filesize 3.6MB
MD5 10691eb99593e235b86d018ebaf7d4e6
SHA1 35e0444bb572f3890f327afc1feba32e9833d5b4
SHA256 4e945ddc84443a2ac2f845693461a7bda2ab07b24eb3b980c1b86dd5f2d8ed2b
SHA512 10e1ee6fa616d92d1bc5bca358321c0fd4b18767a7eb7fd7bdf19c3302b23163a37e904f162d57097d40ca10b68494c7f5d029db4f9f91ac62351c48d150377f

Filesize 12.8MB
MD5 3141e1c54f2ef0ab6cfe02056bf9b78b
SHA1 aa196f3c02d657dfc8be5b2e3bfdd7c0b558a518
SHA256 39fc6251b793bdf4ccd679ccf886d0928c45385d90f754fd6c779368ad382213
SHA512 442e7b16057636246739a6e5e6834e92f616b4b2e8da9a228d9b4083dae38e791b64524118c086e711f0226272c7e8cbc0b7e424ba36d5ffe60adfb90244a61e

\??\Volume{de8ebc4f-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{041ecd75-cdb2-4035-b228-dfdec886fbc9}_OnDiskSnapshotProp
Filesize 6KB
MD5 f8652994677ac51a4cc92f6b7367f11f
SHA1 68764d719f1da80ca78c477275886af48545ec42
SHA256 828931f9052f1be5c4421cf80dbfc3a37c3ef19f8ebd5381f3fc4b416d31107c
SHA512 6732cfdad4d5ddbafd31531805c61117c0126b2b6f12f96ca920f169e91a5a76a61b174e47ce7c3e457a9516a0574b5e8149d1687de13baa9abc136ee4fb5804