URL: https://pietradair.com//download_invitee.php

Full analysis: https://app.any.run/tasks/0777fed1-61e6-468a-9ad9-f443ff48341b
Verdict: Malicious activity
Analysis date: October 30, 2025, 13:41:31
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: logmeinrescue, rmm-tool, anti-evasion

Indicators:
MD5: 6D93CE7BB86EE8508D2C3AE5F7C2A0B4
SHA1: F819EE7093F58D070814298006A4E59A02D1F1EA
SHA256: D510CC1642C686AB4CF071911BC5B41B220259C9A895BEBB5F318257CA9CD9E2
SSDEEP: 3:N8ILDKKKUKA3hH:2IyKjx

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes settings of System certificates

      • GoToResolveUnattended.exe (PID: 2924)
  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • Access_Documents.exe (PID: 7184)
    • Executing commands from ".cmd" file

      • Access_Documents.exe (PID: 7184)
    • Executable content was dropped or overwritten

      • Access_Documents.exe (PID: 7184)
      • GoToResolveTools64.exe (PID: 8128)
      • GoToResolveUnattended.exe (PID: 2924)
      • GoToResolveExternalModuleHandler.exe (PID: 2020)
      • GoToResolveExternalModuleHandler.exe (PID: 8320)
    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 4220)
    • Reads security settings of Internet Explorer

      • GoToResolveUnattended.exe (PID: 8132)
      • GoToResolveProcessChecker.exe (PID: 5508)
      • GoToResolveUnattendedUi.exe (PID: 1164)
      • GoToResolveUnattended.exe (PID: 2924)
      • GoToResolveUnattendedUi.exe (PID: 5508)
      • GoToResolveUnattended.exe (PID: 8616)
    • Executes as Windows Service

      • GoToResolveProcessChecker.exe (PID: 2328)
      • GoToResolveProcessChecker.exe (PID: 8444)
    • Non windows owned service launched

      • GoToResolveProcessChecker.exe (PID: 2328)
      • GoToResolveProcessChecker.exe (PID: 8444)
    • LOGMEINRESCUE mutex has been found

      • GoToResolveProcessChecker.exe (PID: 2328)
      • GoToResolveUnattended.exe (PID: 2924)
      • GoToResolveProcessChecker.exe (PID: 8444)
      • GoToResolveUnattended.exe (PID: 8616)
    • The process checks if it is being run in the virtual environment

      • GoToResolveQuickView.exe (PID: 5752)
    • Creates/Modifies COM task schedule object

      • GoToResolveUnattended.exe (PID: 2924)
    • Adds/modifies Windows certificates

      • GoToResolveUnattended.exe (PID: 2924)
    • Reads the BIOS version

      • GoToResolveUnattended.exe (PID: 2924)
      • GoToResolveQuickView.exe (PID: 5752)
      • GoToResolveUnattended.exe (PID: 8616)
    • Process drops legitimate windows executable

      • GoToResolveExternalModuleHandler.exe (PID: 2020)
      • GoToResolveExternalModuleHandler.exe (PID: 8320)
    • Creates files in the driver directory

      • GoToResolveTools64.exe (PID: 9212)
    • The process creates files with name similar to system file names

      • GoToResolveExternalModuleHandler.exe (PID: 2020)
      • GoToResolveExternalModuleHandler.exe (PID: 8320)
    • Executes application which crashes

      • GoToResolveExternalModuleHandler.exe (PID: 2020)
    • Searches for installed software

      • GoToResolveUnattended.exe (PID: 8616)
  • INFO

    • Application launched itself

      • chrome.exe (PID: 7404)
    • Launching a file from the Downloads directory

      • chrome.exe (PID: 7404)
    • Creates files or folders in the user directory

      • Access_Documents.exe (PID: 7184)
      • GoToResolveUnattended.exe (PID: 8132)
    • Reads the computer name

      • Access_Documents.exe (PID: 7184)
      • GoToResolveTools64.exe (PID: 8128)
      • drvinst.exe (PID: 5484)
      • GoToResolveUnattended.exe (PID: 8132)
      • GoToResolveProcessChecker.exe (PID: 5508)
      • GoToResolveProcessChecker.exe (PID: 2328)
      • GoToResolveLoggerProcess.exe (PID: 5664)
      • GoToResolveExternalModuleHandler.exe (PID: 2020)
      • GoToResolveFileManager.exe (PID: 3148)
      • GoToResolveQuickView.exe (PID: 5752)
      • GoToResolveTerminal.exe (PID: 5760)
      • GoToResolveServiceManager.exe (PID: 5384)
      • GoToResolveRemoteControl.exe (PID: 7172)
      • GoToResolveUnattended.exe (PID: 2924)
      • GoToResolveRegistryEditor.exe (PID: 5392)
      • GoToResolveUnattendedUi.exe (PID: 1164)
      • GoToResolveNetworkChecker.exe (PID: 8128)
      • GoToResolveTools64.exe (PID: 9212)
      • GoToResolveRegistryEditor.exe (PID: 8708)
      • GoToResolveProcessChecker.exe (PID: 8444)
      • GoToResolveUnattended.exe (PID: 8616)
      • GoToResolveLoggerProcess.exe (PID: 8556)
      • GoToResolveExternalModuleHandler.exe (PID: 8320)
      • GoToResolveNetworkChecker.exe (PID: 5096)
      • GoToResolveUnattendedUi.exe (PID: 5508)
    • Checks supported languages

      • Access_Documents.exe (PID: 7184)
      • GoToResolveUnattended.exe (PID: 8132)
      • GoToResolveTools64.exe (PID: 8128)
      • GoToResolveCrashHandler.exe (PID: 2620)
      • drvinst.exe (PID: 5484)
      • GoToResolveProcessChecker.exe (PID: 5508)
      • GoToResolveProcessChecker.exe (PID: 2328)
      • GoToResolveCrashHandler.exe (PID: 5196)
      • GoToResolveUnattended.exe (PID: 2924)
      • GoToResolveCrashHandler.exe (PID: 1952)
      • GoToResolveLoggerProcess.exe (PID: 5664)
      • GoToResolveExternalModuleHandler.exe (PID: 2020)
      • GoToResolveQuickView.exe (PID: 5752)
      • GoToResolveFileManager.exe (PID: 3148)
      • GoToResolveTerminal.exe (PID: 5760)
      • GoToResolveRemoteControl.exe (PID: 7172)
      • GoToResolveRegistryEditor.exe (PID: 5392)
      • GoToResolveNetworkChecker.exe (PID: 8128)
      • GoToResolveUnattendedUi.exe (PID: 1164)
      • GoToResolveCrashHandler.exe (PID: 7400)
      • GoToResolveServiceManager.exe (PID: 5384)
      • GoToResolveCrashHandler.exe (PID: 3364)
      • GoToResolveCrashHandler.exe (PID: 3032)
      • GoToResolveCrashHandler.exe (PID: 8280)
      • GoToResolveCrashHandler.exe (PID: 8352)
      • GoToResolveCrashHandler.exe (PID: 8396)
      • GoToResolveCrashHandler.exe (PID: 8404)
      • GoToResolveCrashHandler.exe (PID: 8508)
      • GoToResolveCrashHandler.exe (PID: 8552)
      • GoToResolveCrashHandler.exe (PID: 8544)
      • GoToResolveTools64.exe (PID: 9212)
      • GoToResolveCrashHandler.exe (PID: 8644)
      • GoToResolveRegistryEditor.exe (PID: 8708)
      • GoToResolveCrashHandler.exe (PID: 7912)
      • GoToResolveProcessChecker.exe (PID: 8444)
      • GoToResolveCrashHandler.exe (PID: 4156)
      • GoToResolveUnattended.exe (PID: 8616)
      • GoToResolveLoggerProcess.exe (PID: 8556)
      • GoToResolveExternalModuleHandler.exe (PID: 8320)
      • GoToResolveNetworkChecker.exe (PID: 5096)
      • GoToResolveUnattendedUi.exe (PID: 5508)
      • GoToResolveCrashHandler.exe (PID: 8332)
    • Creates files in the program directory

      • Access_Documents.exe (PID: 7184)
      • GoToResolveTools64.exe (PID: 8128)
      • GoToResolveCrashHandler.exe (PID: 2620)
      • GoToResolveUnattended.exe (PID: 8132)
      • GoToResolveProcessChecker.exe (PID: 5508)
      • GoToResolveProcessChecker.exe (PID: 2328)
      • GoToResolveCrashHandler.exe (PID: 5196)
      • GoToResolveUnattended.exe (PID: 2924)
      • GoToResolveCrashHandler.exe (PID: 1952)
      • GoToResolveLoggerProcess.exe (PID: 5664)
      • GoToResolveFileManager.exe (PID: 3148)
      • GoToResolveCrashHandler.exe (PID: 7400)
      • GoToResolveExternalModuleHandler.exe (PID: 2020)
      • GoToResolveCrashHandler.exe (PID: 3032)
      • GoToResolveQuickView.exe (PID: 5752)
      • GoToResolveTerminal.exe (PID: 5760)
      • GoToResolveCrashHandler.exe (PID: 3364)
      • GoToResolveRegistryEditor.exe (PID: 5392)
      • GoToResolveCrashHandler.exe (PID: 8280)
      • GoToResolveRemoteControl.exe (PID: 7172)
      • GoToResolveCrashHandler.exe (PID: 8352)
      • GoToResolveCrashHandler.exe (PID: 8396)
      • GoToResolveCrashHandler.exe (PID: 8404)
      • GoToResolveUnattendedUi.exe (PID: 1164)
      • GoToResolveServiceManager.exe (PID: 5384)
      • GoToResolveNetworkChecker.exe (PID: 8128)
      • GoToResolveCrashHandler.exe (PID: 8508)
      • GoToResolveCrashHandler.exe (PID: 8552)
      • GoToResolveCrashHandler.exe (PID: 8544)
      • GoToResolveRegistryEditor.exe (PID: 8708)
      • GoToResolveProcessChecker.exe (PID: 8444)
      • GoToResolveUnattended.exe (PID: 8616)
      • GoToResolveLoggerProcess.exe (PID: 8556)
      • GoToResolveExternalModuleHandler.exe (PID: 8320)
    • Executable content was dropped or overwritten

      • chrome.exe (PID: 7404)
    • The sample compiled with english language support

      • Access_Documents.exe (PID: 7184)
      • GoToResolveTools64.exe (PID: 8128)
      • drvinst.exe (PID: 5484)
      • GoToResolveUnattended.exe (PID: 2924)
      • GoToResolveExternalModuleHandler.exe (PID: 2020)
      • GoToResolveExternalModuleHandler.exe (PID: 8320)
    • Creates a software uninstall entry

      • Access_Documents.exe (PID: 7184)
      • GoToResolveProcessChecker.exe (PID: 5508)
      • GoToResolveProcessChecker.exe (PID: 2328)
      • GoToResolveUnattended.exe (PID: 2924)
      • GoToResolveUnattended.exe (PID: 8616)
    • Reads CPU info

      • GoToResolveTools64.exe (PID: 8128)
      • GoToResolveUnattended.exe (PID: 8132)
      • GoToResolveUnattended.exe (PID: 2924)
      • GoToResolveRemoteControl.exe (PID: 7172)
      • GoToResolveQuickView.exe (PID: 5752)
      • GoToResolveTools64.exe (PID: 9212)
      • GoToResolveProcessChecker.exe (PID: 8444)
      • GoToResolveUnattended.exe (PID: 8616)
    • Reads Environment values

      • GoToResolveTools64.exe (PID: 8128)
      • GoToResolveUnattended.exe (PID: 8132)
      • GoToResolveUnattended.exe (PID: 2924)
      • GoToResolveExternalModuleHandler.exe (PID: 2020)
      • GoToResolveRemoteControl.exe (PID: 7172)
      • GoToResolveQuickView.exe (PID: 5752)
      • GoToResolveTools64.exe (PID: 9212)
      • GoToResolveProcessChecker.exe (PID: 8444)
      • GoToResolveUnattended.exe (PID: 8616)
      • GoToResolveExternalModuleHandler.exe (PID: 8320)
    • Create files in a temporary directory

      • GoToResolveTools64.exe (PID: 8128)
    • Reads the machine GUID from the registry

      • GoToResolveUnattended.exe (PID: 8132)
      • drvinst.exe (PID: 5484)
      • GoToResolveProcessChecker.exe (PID: 5508)
      • GoToResolveProcessChecker.exe (PID: 2328)
      • GoToResolveUnattended.exe (PID: 2924)
      • GoToResolveLoggerProcess.exe (PID: 5664)
      • GoToResolveExternalModuleHandler.exe (PID: 2020)
      • GoToResolveFileManager.exe (PID: 3148)
      • GoToResolveQuickView.exe (PID: 5752)
      • GoToResolveNetworkChecker.exe (PID: 8128)
      • GoToResolveRemoteControl.exe (PID: 7172)
      • GoToResolveTerminal.exe (PID: 5760)
      • GoToResolveRegistryEditor.exe (PID: 5392)
      • GoToResolveUnattendedUi.exe (PID: 1164)
      • GoToResolveServiceManager.exe (PID: 5384)
      • GoToResolveRegistryEditor.exe (PID: 8708)
      • GoToResolveProcessChecker.exe (PID: 8444)
      • GoToResolveLoggerProcess.exe (PID: 8556)
      • GoToResolveUnattended.exe (PID: 8616)
      • GoToResolveExternalModuleHandler.exe (PID: 8320)
      • GoToResolveNetworkChecker.exe (PID: 5096)
      • GoToResolveUnattendedUi.exe (PID: 5508)
    • Checks proxy server information

      • GoToResolveUnattended.exe (PID: 8132)
    • Reads the software policy settings

      • GoToResolveUnattended.exe (PID: 8132)
      • drvinst.exe (PID: 5484)
      • GoToResolveProcessChecker.exe (PID: 5508)
      • GoToResolveProcessChecker.exe (PID: 2328)
      • GoToResolveLoggerProcess.exe (PID: 5664)
      • GoToResolveUnattended.exe (PID: 2924)
      • GoToResolveServiceManager.exe (PID: 5384)
      • GoToResolveTerminal.exe (PID: 5760)
      • GoToResolveExternalModuleHandler.exe (PID: 2020)
      • GoToResolveQuickView.exe (PID: 5752)
      • GoToResolveFileManager.exe (PID: 3148)
      • GoToResolveRegistryEditor.exe (PID: 5392)
      • GoToResolveNetworkChecker.exe (PID: 8128)
      • GoToResolveUnattendedUi.exe (PID: 1164)
      • GoToResolveRemoteControl.exe (PID: 7172)
      • GoToResolveRegistryEditor.exe (PID: 8708)
      • WerFault.exe (PID: 1108)
      • GoToResolveUnattended.exe (PID: 8616)
      • GoToResolveLoggerProcess.exe (PID: 8556)
      • GoToResolveProcessChecker.exe (PID: 8444)
      • GoToResolveExternalModuleHandler.exe (PID: 8320)
      • GoToResolveNetworkChecker.exe (PID: 5096)
      • GoToResolveUnattendedUi.exe (PID: 5508)
    • Process checks computer location settings

      • GoToResolveUnattended.exe (PID: 8132)
      • GoToResolveUnattended.exe (PID: 2924)
      • GoToResolveUnattended.exe (PID: 8616)
    • Reads the time zone

      • GoToResolveUnattended.exe (PID: 2924)
      • GoToResolveUnattended.exe (PID: 8616)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 212
Monitored processes: 66
Malicious processes: 4
Suspicious processes: 4

Behavior graph

The process graph is interactive and is only available in the full report. Its nodes, in the order listed, are: chrome.exe (multiple instances), access_documents.exe, gotoresolveunattended.exe, gotoresolvetools64.exe, cmd.exe, conhost.exe, gotoresolvecrashhandler.exe, timeout.exe, drvinst.exe, gotoresolveprocesschecker.exe, gotoresolveloggerprocess.exe, gotoresolveexternalmodulehandler.exe, gotoresolvefilemanager.exe, gotoresolvequickview.exe, gotoresolveterminal.exe, tiworker.exe, gotoresolveservicemanager.exe, gotoresolveremotecontrol.exe, gotoresolveregistryeditor.exe, gotoresolvenetworkchecker.exe, gotoresolveunattendedui.exe, werfault.exe and slui.exe (nodes the graph labels "no specs" carry no indicators).

Process information

Fields: PID, CMD, Path, Indicators, Parent process
PID: 1108
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 2020 -s 2672
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: GoToResolveExternalModuleHandler.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 1164
CMD: "C:/Program Files (x86)/GoTo Resolve Unattended/3013968530713327133/GoToResolveUnattendedUi.exe" "-CompanyId" "3013968530713327133" "-InstallationId" "lNKUMfJSOb" "-WorkFolder" "C:\Program Files (x86)\GoTo Resolve Unattended\3013968530713327133" "-Environment" "Production" "-ApplicationType" "4" "-Lang" "en" "-WebsiteUrl" "devices-iot.console.gotoresolve.com"
Path: C:\Program Files (x86)\GoTo Resolve Unattended\3013968530713327133\GoToResolveUnattendedUi.exe
Parent process: GoToResolveProcessChecker.exe
User: admin
Company: GoTo, Inc.
Integrity Level: MEDIUM
Description: LogMeIn Resolve
Exit code: 0
Version: 1.27.1.3232
Modules (images):
c:\program files (x86)\goto resolve unattended\3013968530713327133\gotoresolveunattendedui.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\shell32.dll
c:\windows\syswow64\msvcp_win.dll
PID: 1928
CMD: timeout /T 3
Path: C:\Windows\SysWOW64\timeout.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: timeout - pauses command processing
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\timeout.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 1952
CMD: "C:\Program Files (x86)\GoTo Resolve Unattended\3013968530713327133\GoToResolveCrashHandler.exe" "--attachment=attachment_GoToResolveUnattended.log=C:\Program Files (x86)\GoTo Resolve Unattended\3013968530713327133\appdata\GoToResolveUnattended.log" "--attachment=attachment_unattended.json=C:\Program Files (x86)\GoTo Resolve Unattended\3013968530713327133\unattended.json" "--database=C:\Program Files (x86)\GoTo Resolve Unattended\3013968530713327133\appdata\UnattendedCrashReportDB" "--metrics-dir=C:\Program Files (x86)\GoTo Resolve Unattended\3013968530713327133\appdata\UnattendedCrashReportDB" --url=https://dumpster.console.gotoresolve.com/api/dump --annotation=format=minidump --annotation=hostname=DESKTOP-JGLLJLD --annotation=installationid=lNKUMfJSOb --annotation=version=1.27.1.3232 --initial-client-data=0x5ac,0x6f0,0x6f4,0x7dc,0x730,0x70dc6fac,0x70dc6fbc,0x70dc6fcc
Path: C:\Program Files (x86)\GoTo Resolve Unattended\3013968530713327133\GoToResolveCrashHandler.exe
Parent process: GoToResolveUnattended.exe
User: SYSTEM
Integrity Level: SYSTEM
Exit code: 0
Modules (images):
c:\program files (x86)\goto resolve unattended\3013968530713327133\gotoresolvecrashhandler.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
PID: 2020
CMD: "C:\Program Files (x86)\GoTo Resolve Unattended\3013968530713327133\GoToResolveExternalModuleHandler.exe" -InstallationId lNKUMfJSOb -CompanyId 3013968530713327133 -publickey 74bc40a6e07754abf59b25fc86d47ce9ac8fb6da63d3b739a87e4e3bf0efac33 -LogLevel 2 -Environment Production
Path: C:\Program Files (x86)\GoTo Resolve Unattended\3013968530713327133\GoToResolveExternalModuleHandler.exe
Parent process: GoToResolveUnattended.exe
User: SYSTEM
Company: GoTo, Inc.
Integrity Level: SYSTEM
Description: LogMeIn Resolve
Exit code: 3221225477 (0xC0000005, access violation; this is the process WerFault.exe PID 1108 was launched for)
Version: 1.27.1.3232
Modules (images):
c:\program files (x86)\goto resolve unattended\3013968530713327133\gotoresolveexternalmodulehandler.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\shell32.dll
c:\windows\syswow64\msvcp_win.dll
PID: 2024
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2328
CMD: "C:\Program Files (x86)\GoTo Resolve Unattended\3013968530713327133\GoToResolveProcessChecker.exe" -Service -WorkFolder "C:\Program Files (x86)\GoTo Resolve Unattended\3013968530713327133" -ApplicationType "4"
Path: C:\Program Files (x86)\GoTo Resolve Unattended\3013968530713327133\GoToResolveProcessChecker.exe
Parent process: services.exe
User: SYSTEM
Company: GoTo, Inc.
Integrity Level: SYSTEM
Description: LogMeIn Resolve
Exit code: 1
Version: 1.27.1.3232
Modules (images):
c:\program files (x86)\goto resolve unattended\3013968530713327133\gotoresolveprocesschecker.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\shell32.dll
c:\windows\syswow64\msvcp_win.dll
PID: 2492
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --disable-quic --string-annotations --subproc-heap-profiling --field-trial-handle=5728,i,6929502562476363079,8341844094118404882,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250221-144540.991000 --mojo-platform-channel-handle=5816 /prefetch:8
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: LOW
Description: Google Chrome
Exit code: 0
Version: 133.0.6943.127
Modules (images):
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 2620
CMD: "C:\Program Files (x86)\GoTo Resolve Unattended\3013968530713327133\GoToResolveCrashHandler.exe" "--database=C:\Program Files (x86)\GoTo Resolve Unattended\3013968530713327133\appdata\CrashReportDB" "--metrics-dir=C:\Program Files (x86)\GoTo Resolve Unattended\3013968530713327133\appdata\CrashReportDB" --url=https://dumpster.console.gotoresolve.com/api/dump --annotation=format=minidump --annotation=hostname=DESKTOP-JGLLJLD --annotation=version=1.24.0.142 --initial-client-data=0x33c,0x348,0x350,0x340,0x354,0x7ff7630dbaf8,0x7ff7630dbb10,0x7ff7630dbb28
Path: C:\Program Files (x86)\GoTo Resolve Unattended\3013968530713327133\GoToResolveCrashHandler.exe
Parent process: GoToResolveTools64.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
c:\program files (x86)\goto resolve unattended\3013968530713327133\gotoresolvecrashhandler.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 2924
CMD: "C:/Program Files (x86)/GoTo Resolve Unattended/3013968530713327133/GoToResolveUnattended.exe" "-RegisteredProcess" "1" "-ParentProcessId" "2328" "-InstallationId" "lNKUMfJSOb" "-WtsStartingSessionId" "1" "-ServiceName" "GoToResolve_3013968530713327133" "-Service" "-LogLevel" "2"
Path: C:\Program Files (x86)\GoTo Resolve Unattended\3013968530713327133\GoToResolveUnattended.exe
Parent process: GoToResolveProcessChecker.exe
User: SYSTEM
Company: GoTo, Inc.
Integrity Level: SYSTEM
Description: LogMeIn Resolve
Exit code: 0
Version: 1.27.1.3232
Modules (images):
c:\program files (x86)\goto resolve unattended\3013968530713327133\gotoresolveunattended.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\shell32.dll
c:\windows\syswow64\msvcp_win.dll
Total events: 32 992
Read events: 32 973
Write events: 12
Delete events: 7

Modification events

Process: (7184) Access_Documents.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\GoTo Resolve Unattended 3013968530713327133
Operation: write | Name: DisplayIcon
Value: C:\Program Files (x86)\GoTo Resolve Unattended\3013968530713327133\GoToResolveUnattended.exe

Process: (7184) Access_Documents.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\GoTo Resolve Unattended 3013968530713327133
Operation: write | Name: DisplayName
Value: LogMeIn Resolve Unattended 3013968530713327133

Process: (7184) Access_Documents.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\GoTo Resolve Unattended 3013968530713327133
Operation: write | Name: DisplayVersion
Value: 1.27.1.3232

Process: (7184) Access_Documents.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\GoTo Resolve Unattended 3013968530713327133
Operation: write | Name: InstallLocation
Value: C:\Program Files (x86)\GoTo Resolve Unattended\3013968530713327133

Process: (7184) Access_Documents.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\GoTo Resolve Unattended 3013968530713327133
Operation: write | Name: UninstallString
Value: C:\Program Files (x86)\GoTo Resolve Unattended\3013968530713327133\GoToResolveUnattendedRemover.exe

Process: (7184) Access_Documents.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\GoTo Resolve Unattended\3013968530713327133
Operation: write | Name: PublicKey
Value: (omitted)

Process: (8132) GoToResolveUnattended.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\GoTo Resolve Unattended\3013968530713327133
Operation: delete value | Name: InstallationId
Value:

Process: (8132) GoToResolveUnattended.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\GoTo Resolve Unattended\3013968530713327133
Operation: write | Name: HostId
Value: c2747cf494257fd3955da688bb30f12b

Process: (2328) GoToResolveProcessChecker.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\GoTo Resolve Unattended 3013968530713327133
Operation: write | Name: DisplayName
Value: LogMeIn Resolve Unattended 3013968530713327133

Process: (8132) GoToResolveUnattended.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\GoTo Resolve Unattended\3013968530713327133
Operation: delete value | Name: UserMode
Value:
Executable files: 906
Suspicious files: 355
Text files: 60
Unknown types: 10

Dropped files

PID | Process | Filename (MD5, SHA256 and Type are empty for every row in this excerpt)
7404 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\ClientCertificates\LOG.old~RFfb6f3.TMP
7404 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\parcel_tracking_db\LOG.old~RFfb6f3.TMP
7404 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\ClientCertificates\LOG.old
7404 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\chrome_cart_db\LOG.old~RFfb6f3.TMP
7404 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\parcel_tracking_db\LOG.old
7404 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\chrome_cart_db\LOG.old
7404 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB\LOG.old~RFfb702.TMP
7404 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB\LOG.old
7404 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials\LOG.old~RFfb702.TMP
7404 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\discounts_db\LOG.old~RFfb702.TMP
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 16
TCP/UDP connections: 104
DNS requests: 48
Threats: 62

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
6980 | svchost.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | DE | binary | 825 b | whitelisted
2948 | svchost.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | DE | binary | 471 b | whitelisted
8132 | GoToResolveUnattended.exe | GET | 200 | 172.66.2.5:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEA4Mh2e7LU%2FvwtYX3xHOG4k%3D | US | binary | 727 b | whitelisted
2328 | GoToResolveProcessChecker.exe | GET | 200 | 172.66.2.5:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEA4Mh2e7LU%2FvwtYX3xHOG4k%3D | US | binary | 727 b | whitelisted
2328 | GoToResolveProcessChecker.exe | GET | 200 | 172.66.2.5:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRbuhDibVrw1t5r3WYz1C9Jl6I%2FtwQU729TSunkBnx6yuKQVvYv1Ensy04CEAqA7xhLjfEFgtHEdqeVdGg%3D | US | binary | 727 b | whitelisted
8868 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.3.crl | DE | binary | 813 b | whitelisted
8128 | GoToResolveNetworkChecker.exe | GET | 200 | 52.223.22.206:80 | http://ip.zscaler.com/ | US | html | 1.84 Kb | unknown
8868 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.3.crl | DE | binary | 401 b | whitelisted
8868 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Time-Stamp%20PCA%202010(1).crl | DE | binary | 814 b | whitelisted
8128 | GoToResolveNetworkChecker.exe | GET | 200 | 52.223.22.206:80 | http://ip.zscaler.com/ | US | html | 1.83 Kb | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
6980 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
2948 | svchost.exe | 20.190.159.130:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5596 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
7684 | chrome.exe | 142.250.186.174:80 | clients2.google.com | GOOGLE | US | whitelisted
7684 | chrome.exe | 142.250.186.170:443 | safebrowsingohttpgateway.googleapis.com | GOOGLE | US | whitelisted
7684 | chrome.exe | 66.102.1.84:443 | accounts.google.com | GOOGLE | US | whitelisted
7404 | chrome.exe | 224.0.0.251:5353 | - | - | - | whitelisted
7684 | chrome.exe | 176.9.83.87:443 | pietradair.com | Hetzner Online GmbH | DE | unknown
4 | System | 192.168.100.255:138 | - | - | - | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 20.73.194.208
  • 4.231.128.59
whitelisted
login.live.com
  • 20.190.159.130
  • 20.190.159.23
  • 20.190.159.4
  • 20.190.159.129
  • 40.126.31.67
  • 20.190.159.64
  • 20.190.159.73
  • 20.190.159.68
whitelisted
google.com
  • 142.251.140.174
whitelisted
clients2.google.com
  • 142.250.186.174
whitelisted
safebrowsingohttpgateway.googleapis.com
  • 142.250.186.170
  • 142.250.74.202
  • 142.250.185.138
  • 142.250.186.74
  • 142.250.184.202
  • 142.250.185.170
  • 142.250.186.42
  • 142.250.185.202
  • 142.250.184.234
  • 142.250.186.138
  • 142.250.186.106
  • 142.250.181.234
  • 216.58.206.74
  • 142.250.185.234
  • 142.250.185.106
  • 142.250.185.74
whitelisted
pietradair.com
  • 176.9.83.87
unknown
accounts.google.com
  • 66.102.1.84
whitelisted
www.google.com
  • 216.58.206.68
whitelisted
sb-ssl.google.com
  • 142.250.185.206
whitelisted
ocsp.digicert.com
  • 2.23.77.188
  • 172.66.2.5
  • 162.159.142.9
whitelisted

Threats

PID | Process | Class | Message
- | - | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP
- | - | Misc activity | ET INFO EXE - Served Attached HTTP
2276 | svchost.exe | Misc activity | ET INFO Observed DNS Query to RMM Domain (gotoresolve .com)
5664 | GoToResolveLoggerProcess.exe | Misc activity | ET INFO Observed RMM Domain (gotoresolve .com in TLS SNI)
5664 | GoToResolveLoggerProcess.exe | Misc activity | ET INFO Observed RMM Domain (gotoresolve .com in TLS SNI)
5664 | GoToResolveLoggerProcess.exe | Misc activity | ET INFO Observed RMM Domain (gotoresolve .com in TLS SNI)
5664 | GoToResolveLoggerProcess.exe | Misc activity | ET INFO Observed RMM Domain (gotoresolve .com in TLS SNI)
5664 | GoToResolveLoggerProcess.exe | Misc activity | ET INFO Observed RMM Domain (gotoresolve .com in TLS SNI)
5664 | GoToResolveLoggerProcess.exe | Misc activity | ET INFO Observed RMM Domain (gotoresolve .com in TLS SNI)
2276 | svchost.exe | Misc activity | ET INFO Observed DNS Query to RMM Domain (gotoresolve .com)
Process | Message
GoToResolveUnattended.exe | DllMain: DLL_PROCESS_ATTACH: lpReserved=0
GoToResolveUnattended.exe | DllMain: DLL_THREAD_ATTACH
GoToResolveUnattended.exe | DllMain: DLL_THREAD_ATTACH
GoToResolveUnattended.exe | DllMain: DLL_THREAD_ATTACH
GoToResolveUnattended.exe | DllMain: DLL_THREAD_ATTACH
GoToResolveUnattended.exe | DllMain: DLL_THREAD_ATTACH
GoToResolveUnattended.exe | DllMain: DLL_THREAD_DETACH
GoToResolveProcessChecker.exe | DllMain: DLL_PROCESS_ATTACH: lpReserved=0
GoToResolveProcessChecker.exe | DllMain: DLL_PROCESS_ATTACH: lpReserved=0
GoToResolveProcessChecker.exe | DllMain: DLL_THREAD_ATTACH