Malware Analysis Report

2024-10-19 07:42

Sample ID 241006-q1ssba1ele
Target 2024-10-06_87bda56ec572e8e748aeafba3e75755c_poet-rat_snatch
SHA256 e49f1144da14af1f79fccc8c9d310dc133b18cd543f1cbb669818f4872759680
Tags
meshagent tacticalrmm backdoor discovery evasion execution persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e49f1144da14af1f79fccc8c9d310dc133b18cd543f1cbb669818f4872759680

Threat Level: Known bad

The file 2024-10-06_87bda56ec572e8e748aeafba3e75755c_poet-rat_snatch was found to be: Known bad.

Malicious Activity Summary

meshagent tacticalrmm backdoor discovery evasion execution persistence rat trojan

MeshAgent

Detects MeshAgent payload

Blocklisted process makes network request

Sets service image path in registry

Stops running service(s)

Executes dropped EXE

Checks installed software on the system

Drops file in System32 directory

Drops file in Program Files directory

Launches sc.exe

Unsigned PE

Command and Scripting Interpreter: PowerShell

System Network Configuration Discovery: Internet Connection Discovery

System Location Discovery: System Language Discovery

Runs ping.exe

Modifies system certificate store

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Kills process with taskkill

Suspicious behavior: EnumeratesProcesses

Runs net.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-06 13:44

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-06 13:44

Reported

2024-10-06 13:46

Platform

win7-20240903-en

Max time kernel

13s

Max time network

20s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-06_87bda56ec572e8e748aeafba3e75755c_poet-rat_snatch.exe"

Signatures

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\2024-10-06_87bda56ec572e8e748aeafba3e75755c_poet-rat_snatch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Local\Temp\2024-10-06_87bda56ec572e8e748aeafba3e75755c_poet-rat_snatch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Local\Temp\2024-10-06_87bda56ec572e8e748aeafba3e75755c_poet-rat_snatch.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-06_87bda56ec572e8e748aeafba3e75755c_poet-rat_snatch.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-06_87bda56ec572e8e748aeafba3e75755c_poet-rat_snatch.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.110.133:443 objects.githubusercontent.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\CabFDA2.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarFDD4.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-06 13:44

Reported

2024-10-06 13:46

Platform

win10v2004-20240802-en

Max time kernel

93s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-06_87bda56ec572e8e748aeafba3e75755c_poet-rat_snatch.exe"

Signatures

Detects MeshAgent payload

Description Indicator Process Target
N/A N/A N/A N/A

MeshAgent

rat trojan backdoor meshagent

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Mesh Agent\ImagePath = "\"C:\\Program Files\\Mesh Agent\\MeshAgent.exe\" " C:\Program Files\TacticalAgent\meshagent.exe N/A

Stops running service(s)

evasion execution

Checks installed software on the system

discovery

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\symbols\dll\dbghelp.pdb C:\Program Files\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\System32\iphlpapi.pdb C:\Program Files\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\System32\gdi32full.pdb C:\Program Files\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\System32\symbols\dll\advapi32.pdb C:\Program Files\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\System32\dll\shell32.pdb C:\Program Files\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\System32\symbols\dll\comctl32.pdb C:\Program Files\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\System32\dbghelp.pdb C:\Program Files\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\System32\symbols\dll\crypt32.pdb C:\Program Files\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\System32\win32u.pdb C:\Program Files\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\CF78131CAB33CA407980412C760244BE717C6FAC C:\Program Files\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\System32\gdi32.pdb C:\Program Files\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\System32\ntasn1.pdb C:\Program Files\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\System32\dll\bcryptprimitives.pdb C:\Program Files\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys C:\Program Files\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\CF78131CAB33CA407980412C760244BE717C6FAC C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
File opened for modification C:\Windows\System32\dll\apphelp.pdb C:\Program Files\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\System32\ucrtbase.pdb C:\Program Files\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\System32\dll\ntdll.pdb C:\Program Files\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\System32\symbols\DLL\kernel32.pdb C:\Program Files\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\System32\dll\ncrypt.pdb C:\Program Files\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\System32\symbols\dll\ntasn1.pdb C:\Program Files\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\System32\kernel32.pdb C:\Program Files\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\System32\gdiplus.pdb C:\Program Files\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\System32\dll\gdi32.pdb C:\Program Files\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\System32\msvcp_win.pdb C:\Program Files\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\System32\symbols\dll\shell32.pdb C:\Program Files\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\System32\rpcrt4.pdb C:\Program Files\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\System32\dll\user32.pdb C:\Program Files\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\System32\dll\msvcrt.pdb C:\Program Files\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\System32\user32.pdb C:\Program Files\Mesh Agent\MeshAgent.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\CF78131CAB33CA407980412C760244BE717C6FAC C:\Program Files\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\System32\sechost.pdb C:\Program Files\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\System32\bcryptprimitives.pdb C:\Program Files\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\System32\crypt32.pdb C:\Program Files\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\System32\symbols\dll\gdi32.pdb C:\Program Files\Mesh Agent\MeshAgent.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\C0BEA687D7F053491F9C106031255364DAE54685 C:\Program Files\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\dll\ucrtbase.pdb C:\Program Files\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\System32\dll\msvcp_win.pdb C:\Program Files\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\System32\symbols\dll\ntdll.pdb C:\Program Files\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\System32\ole32.pdb C:\Program Files\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\System32\dll\ntasn1.pdb C:\Program Files\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\System32\dll\crypt32.pdb C:\Program Files\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\System32\DLL\dbgcore.pdb C:\Program Files\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\System32\DLL\iphlpapi.pdb C:\Program Files\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\System32\ws2_32.pdb C:\Program Files\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\System32\symbols\dll\ucrtbase.pdb C:\Program Files\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\System32\dll\gdi32full.pdb C:\Program Files\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\System32\msvcrt.pdb C:\Program Files\Mesh Agent\MeshAgent.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\23B56D70E6D09C712A2517A44EB94CA3FFE835CA C:\Program Files\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\System32\dll\ws2_32.pdb C:\Program Files\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\System32\dll\combase.pdb C:\Program Files\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\System32\symbols\dll\win32u.pdb C:\Program Files\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\System32\symbols\dll\combase.pdb C:\Program Files\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\System32\dll\Kernel.Appcore.pdb C:\Program Files\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\System32\dll\kernelbase.pdb C:\Program Files\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\System32\symbols\dll\msvcp_win.pdb C:\Program Files\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\System32\combase.pdb C:\Program Files\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\System32\apphelp.pdb C:\Program Files\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\System32\dll\win32u.pdb C:\Program Files\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\System32\shell32.pdb C:\Program Files\Mesh Agent\MeshAgent.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\MeshService64.pdb C:\Program Files\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\System32\DLL\kernel32.pdb C:\Program Files\Mesh Agent\MeshAgent.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pysnmp\smi\mibs\SNMPv2-SMI.py C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
File created C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pythonwin\pywin\idle\PyParse.py C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
File created C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\setuptools\_distutils\archive_util.py C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
File created C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\win32\test\test_win32print.py C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
File created C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\win32com\server\exception.py C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
File created C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\Cryptodome\Cipher\Blowfish.pyi C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
File created C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\cryptography-42.0.8.dist-info\RECORD C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
File created C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pip\_vendor\six.py C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
File created C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pip\_vendor\resolvelib\structs.py C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
File created C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\ply-3.11.dist-info\RECORD C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
File created C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pysnmp_pysmi-1.1.12.dist-info\entry_points.txt C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
File created C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pythonwin\pywin\tools\browser.py C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
File created C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\Cryptodome\SelfTest\Cipher\test_Salsa20.py C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
File created C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\Cryptodome\Util\Counter.pyi C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
File created C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pip\_internal\pyproject.py C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
File created C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pycryptodomex-3.20.0.dist-info\METADATA C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
File created C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pip\_internal\cli\command_context.py C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
File created C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pip\_internal\wheel_builder.py C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
File created C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pip\_vendor\rich\_extension.py C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
File created C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pythonwin\pywin\idle\FormatParagraph.py C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
File created C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\sniffio\__init__.py C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
File created C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\win32com\demos\trybag.py C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
File created C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\cryptography\hazmat\primitives\kdf\concatkdf.py C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
File created C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pip\_internal\metadata\importlib\_compat.py C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
File created C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pip\_vendor\rich\box.py C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
File created C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\websockets\http.py C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
File created C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Scripts\pip3.exe C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
File created C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\Cryptodome\Util\_raw_api.pyi C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
File created C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\idna\__init__.py C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
File created C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pip\_vendor\rich\_emoji_codes.py C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
File created C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\psutil\tests\test_windows.py C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
File created C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pysnmp\proto\secmod\rfc3414\auth\base.py C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
File created C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\Cryptodome\PublicKey\_x25519.pyd C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
File created C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\h11\__init__.py C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
File created C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pip\_vendor\truststore\py.typed C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
File created C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pythonwin\pywin\debugger\dbgpyapp.py C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
File created C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pywin32.pth C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
File created C:\Program Files\TacticalAgent\python\py3.11.9_amd64\_asyncio.pyd C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
File created C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\anyio-4.4.0.dist-info\RECORD C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
File created C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pip\_internal\metadata\importlib\__init__.py C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
File created C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pysnmp\proto\secmod\rfc7860\auth\__init__.py C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
File created C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pythonwin\pywin\mfc\window.py C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
File created C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\setuptools\logging.py C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
File created C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\sniffio-1.3.1.dist-info\INSTALLER C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
File created C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\h11\py.typed C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
File created C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pip\_vendor\urllib3\fields.py C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
File created C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pysnmp\proto\acmod\void.py C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
File created C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\httpcore\__init__.py C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
File created C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pip\_vendor\chardet\charsetprober.py C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
File created C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pysnmp\smi\mibs\PYSNMP-SOURCE-MIB.py C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
File created C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\websockets\legacy\client.py C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
File created C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\win32\Demos\win32clipboardDemo.py C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
File created C:\Program Files\TacticalAgent\python\py3.11.9_amd64\api-ms-win-core-errorhandling-l1-1-0.dll C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
File created C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\cryptography\hazmat\backends\openssl\aead.py C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
File created C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\h11\_state.py C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
File created C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\win32com\test\readme.txt C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
File created C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\urllib3\http2.py C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
File created C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\Cryptodome\SelfTest\Hash\test_SHA3_384.py C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
File created C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pip\_vendor\pygments\formatters\pangomarkup.py C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
File created C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\psutil-5.9.8.dist-info\INSTALLER C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
File created C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pip\_vendor\urllib3\util\connection.py C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
File created C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\win32com\test\pippo_server.py C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
File created C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\win32ctypes\core\cffi\_dll.py C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
File created C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\Cryptodome\Signature\eddsa.py C:\Program Files\TacticalAgent\tacticalrmm.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-QCL73.tmp\tacticalagent-v2.8.0-windows-amd64.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\TacticalRMM\tacticalagent-v2.8.0-windows-amd64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-215 = "Pacific Standard Time (Mexico)" C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-962 = "Paraguay Standard Time" C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-572 = "China Standard Time" C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2431 = "Cuba Daylight Time" C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1892 = "Russia TZ 3 Standard Time" C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-212 = "Pacific Standard Time" C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-751 = "Tonga Daylight Time" C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time" C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time" C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-792 = "SA Western Standard Time" C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1501 = "Turkey Daylight Time" C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time" C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1412 = "Syria Standard Time" C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time" C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time" C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-335 = "Jordan Standard Time" C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1471 = "Magadan Daylight Time" C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time" C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1411 = "Syria Daylight Time" C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-141 = "Canada Central Daylight Time" C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-131 = "US Eastern Daylight Time" C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-842 = "Argentina Standard Time" C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2002 = "Cabo Verde Standard Time" C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time" C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Program Files\Mesh Agent\MeshAgent.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-401 = "Arabic Daylight Time" C:\Program Files\TacticalAgent\tacticalrmm.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800001900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 0f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec53726187760b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b06010505070301620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae4140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e31d000000010000001000000099949d2179811f6b30a8c99c4f6b42260300000001000000140000002796bae63f1801e277261ba0d77770028f20eee420000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\2024-10-06_87bda56ec572e8e748aeafba3e75755c_poet-rat_snatch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0 C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 04000000010000001000000091de0625abdafd32170cbb25172a84670f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec53726187760b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b06010505070301620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae4140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e31d000000010000001000000099949d2179811f6b30a8c99c4f6b42260300000001000000140000002796bae63f1801e277261ba0d77770028f20eee419000000010000001000000063664b080559a094d10f0a3c5f4f629020000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 5c00000001000000040000000008000019000000010000001000000063664b080559a094d10f0a3c5f4f62900300000001000000140000002796bae63f1801e277261ba0d77770028f20eee41d000000010000001000000099949d2179811f6b30a8c99c4f6b4226140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e3620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae409000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec537261877604000000010000001000000091de0625abdafd32170cbb25172a846720000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Local\Temp\2024-10-06_87bda56ec572e8e748aeafba3e75755c_poet-rat_snatch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Local\Temp\2024-10-06_87bda56ec572e8e748aeafba3e75755c_poet-rat_snatch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4 C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 19000000010000001000000063664b080559a094d10f0a3c5f4f62900300000001000000140000002796bae63f1801e277261ba0d77770028f20eee41d000000010000001000000099949d2179811f6b30a8c99c4f6b4226140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e3620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae409000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec537261877620000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0 C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Program Files\TacticalAgent\tacticalrmm.exe N/A

Runs net.exe

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
N/A N/A C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
N/A N/A C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
N/A N/A C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
N/A N/A C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
N/A N/A C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
N/A N/A C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
N/A N/A C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
N/A N/A C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
N/A N/A C:\Program Files\TacticalAgent\tacticalrmm.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\TacticalAgent\tacticalrmm.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-QCL73.tmp\tacticalagent-v2.8.0-windows-amd64.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3300 wrote to memory of 3236 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-06_87bda56ec572e8e748aeafba3e75755c_poet-rat_snatch.exe C:\ProgramData\TacticalRMM\tacticalagent-v2.8.0-windows-amd64.exe
PID 3300 wrote to memory of 3236 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-06_87bda56ec572e8e748aeafba3e75755c_poet-rat_snatch.exe C:\ProgramData\TacticalRMM\tacticalagent-v2.8.0-windows-amd64.exe
PID 3300 wrote to memory of 3236 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-06_87bda56ec572e8e748aeafba3e75755c_poet-rat_snatch.exe C:\ProgramData\TacticalRMM\tacticalagent-v2.8.0-windows-amd64.exe
PID 3236 wrote to memory of 3972 N/A C:\ProgramData\TacticalRMM\tacticalagent-v2.8.0-windows-amd64.exe C:\Users\Admin\AppData\Local\Temp\is-QCL73.tmp\tacticalagent-v2.8.0-windows-amd64.tmp
PID 3236 wrote to memory of 3972 N/A C:\ProgramData\TacticalRMM\tacticalagent-v2.8.0-windows-amd64.exe C:\Users\Admin\AppData\Local\Temp\is-QCL73.tmp\tacticalagent-v2.8.0-windows-amd64.tmp
PID 3236 wrote to memory of 3972 N/A C:\ProgramData\TacticalRMM\tacticalagent-v2.8.0-windows-amd64.exe C:\Users\Admin\AppData\Local\Temp\is-QCL73.tmp\tacticalagent-v2.8.0-windows-amd64.tmp
PID 3972 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\is-QCL73.tmp\tacticalagent-v2.8.0-windows-amd64.tmp C:\Windows\SysWOW64\cmd.exe
PID 3972 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\is-QCL73.tmp\tacticalagent-v2.8.0-windows-amd64.tmp C:\Windows\SysWOW64\cmd.exe
PID 3972 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\is-QCL73.tmp\tacticalagent-v2.8.0-windows-amd64.tmp C:\Windows\SysWOW64\cmd.exe
PID 1164 wrote to memory of 920 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1164 wrote to memory of 920 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1164 wrote to memory of 920 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1164 wrote to memory of 4936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 1164 wrote to memory of 4936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 1164 wrote to memory of 4936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 4936 wrote to memory of 392 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4936 wrote to memory of 392 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4936 wrote to memory of 392 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3972 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\is-QCL73.tmp\tacticalagent-v2.8.0-windows-amd64.tmp C:\Windows\SysWOW64\cmd.exe
PID 3972 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\is-QCL73.tmp\tacticalagent-v2.8.0-windows-amd64.tmp C:\Windows\SysWOW64\cmd.exe
PID 3972 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\is-QCL73.tmp\tacticalagent-v2.8.0-windows-amd64.tmp C:\Windows\SysWOW64\cmd.exe
PID 4420 wrote to memory of 3280 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 4420 wrote to memory of 3280 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 4420 wrote to memory of 3280 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 3280 wrote to memory of 4664 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3280 wrote to memory of 4664 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3280 wrote to memory of 4664 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3972 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\is-QCL73.tmp\tacticalagent-v2.8.0-windows-amd64.tmp C:\Windows\SysWOW64\cmd.exe
PID 3972 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\is-QCL73.tmp\tacticalagent-v2.8.0-windows-amd64.tmp C:\Windows\SysWOW64\cmd.exe
PID 3972 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\is-QCL73.tmp\tacticalagent-v2.8.0-windows-amd64.tmp C:\Windows\SysWOW64\cmd.exe
PID 4444 wrote to memory of 4516 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4444 wrote to memory of 4516 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4444 wrote to memory of 4516 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4444 wrote to memory of 3224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 4444 wrote to memory of 3224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 4444 wrote to memory of 3224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 3224 wrote to memory of 4872 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3224 wrote to memory of 4872 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3224 wrote to memory of 4872 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3972 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\is-QCL73.tmp\tacticalagent-v2.8.0-windows-amd64.tmp C:\Windows\SysWOW64\cmd.exe
PID 3972 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\is-QCL73.tmp\tacticalagent-v2.8.0-windows-amd64.tmp C:\Windows\SysWOW64\cmd.exe
PID 3972 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\is-QCL73.tmp\tacticalagent-v2.8.0-windows-amd64.tmp C:\Windows\SysWOW64\cmd.exe
PID 4140 wrote to memory of 3092 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4140 wrote to memory of 3092 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4140 wrote to memory of 3092 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3972 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\is-QCL73.tmp\tacticalagent-v2.8.0-windows-amd64.tmp C:\Windows\SysWOW64\cmd.exe
PID 3972 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\is-QCL73.tmp\tacticalagent-v2.8.0-windows-amd64.tmp C:\Windows\SysWOW64\cmd.exe
PID 3972 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\is-QCL73.tmp\tacticalagent-v2.8.0-windows-amd64.tmp C:\Windows\SysWOW64\cmd.exe
PID 2356 wrote to memory of 3252 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2356 wrote to memory of 3252 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2356 wrote to memory of 3252 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3972 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\is-QCL73.tmp\tacticalagent-v2.8.0-windows-amd64.tmp C:\Windows\SysWOW64\cmd.exe
PID 3972 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\is-QCL73.tmp\tacticalagent-v2.8.0-windows-amd64.tmp C:\Windows\SysWOW64\cmd.exe
PID 3972 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\is-QCL73.tmp\tacticalagent-v2.8.0-windows-amd64.tmp C:\Windows\SysWOW64\cmd.exe
PID 4552 wrote to memory of 924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4552 wrote to memory of 924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4552 wrote to memory of 924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3972 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\is-QCL73.tmp\tacticalagent-v2.8.0-windows-amd64.tmp C:\Windows\SysWOW64\cmd.exe
PID 3972 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\is-QCL73.tmp\tacticalagent-v2.8.0-windows-amd64.tmp C:\Windows\SysWOW64\cmd.exe
PID 3972 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\is-QCL73.tmp\tacticalagent-v2.8.0-windows-amd64.tmp C:\Windows\SysWOW64\cmd.exe
PID 1472 wrote to memory of 3732 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\TacticalAgent\tacticalrmm.exe
PID 1472 wrote to memory of 3732 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\TacticalAgent\tacticalrmm.exe
PID 3972 wrote to memory of 3268 N/A C:\Users\Admin\AppData\Local\Temp\is-QCL73.tmp\tacticalagent-v2.8.0-windows-amd64.tmp C:\Windows\SysWOW64\cmd.exe
PID 3972 wrote to memory of 3268 N/A C:\Users\Admin\AppData\Local\Temp\is-QCL73.tmp\tacticalagent-v2.8.0-windows-amd64.tmp C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-06_87bda56ec572e8e748aeafba3e75755c_poet-rat_snatch.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-06_87bda56ec572e8e748aeafba3e75755c_poet-rat_snatch.exe"

C:\ProgramData\TacticalRMM\tacticalagent-v2.8.0-windows-amd64.exe

C:\ProgramData\TacticalRMM\tacticalagent-v2.8.0-windows-amd64.exe /VERYSILENT /SUPPRESSMSGBOXES

C:\Users\Admin\AppData\Local\Temp\is-QCL73.tmp\tacticalagent-v2.8.0-windows-amd64.tmp

"C:\Users\Admin\AppData\Local\Temp\is-QCL73.tmp\tacticalagent-v2.8.0-windows-amd64.tmp" /SL5="$702CA,3652845,825344,C:\ProgramData\TacticalRMM\tacticalagent-v2.8.0-windows-amd64.exe" /VERYSILENT /SUPPRESSMSGBOXES

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c ping 127.0.0.1 -n 2 && net stop tacticalrpc

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\net.exe

net stop tacticalrpc

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop tacticalrpc

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c net stop tacticalagent

C:\Windows\SysWOW64\net.exe

net stop tacticalagent

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop tacticalagent

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c ping 127.0.0.1 -n 2 && net stop tacticalrmm

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\net.exe

net stop tacticalrmm

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop tacticalrmm

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /F /IM tacticalrmm.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM tacticalrmm.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c sc delete tacticalagent

C:\Windows\SysWOW64\sc.exe

sc delete tacticalagent

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c sc delete tacticalrpc

C:\Windows\SysWOW64\sc.exe

sc delete tacticalrpc

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c tacticalrmm.exe -m installsvc

C:\Program Files\TacticalAgent\tacticalrmm.exe

tacticalrmm.exe -m installsvc

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c net start tacticalrmm

C:\Windows\SysWOW64\net.exe

net start tacticalrmm

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 start tacticalrmm

C:\Program Files\TacticalAgent\tacticalrmm.exe

"C:\Program Files\TacticalAgent\tacticalrmm.exe" -m install --api https://api.andvo.ru --client-id 1 --site-id 9 --agent-type workstation --auth 9b1ee2bdfcd29fd46f5c1772d5779c32e8c4a6b87f7ed6246c1a3a07a364ca8b

C:\Program Files\TacticalAgent\meshagent.exe

"C:\Program Files\TacticalAgent\meshagent.exe" -fullinstall

C:\Program Files\Mesh Agent\MeshAgent.exe

"C:\Program Files\Mesh Agent\MeshAgent.exe"

C:\Windows\System32\wbem\wmic.exe

wmic SystemEnclosure get ChassisTypes

C:\Windows\system32\wbem\wmic.exe

wmic os get oslanguage /FORMAT:LIST

C:\Windows\System32\wbem\wmic.exe

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

C:\Windows\system32\wbem\wmic.exe

wmic os get oslanguage /FORMAT:LIST

C:\Windows\System32\wbem\wmic.exe

wmic SystemEnclosure get ChassisTypes

C:\Windows\System32\wbem\wmic.exe

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -noprofile -nologo -command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -noprofile -nologo -command -

C:\Program Files\Mesh Agent\MeshAgent.exe

"C:\Program Files\Mesh Agent\MeshAgent.exe" -nodeid

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -noprofile -nologo -command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -noprofile -nologo -command -

C:\Windows\system32\cmd.exe

/c manage-bde -protectors -get C: -Type recoverypassword

C:\Windows\system32\manage-bde.exe

manage-bde -protectors -get C: -Type recoverypassword

C:\Windows\system32\cmd.exe

/c manage-bde -protectors -get F: -Type recoverypassword

C:\Windows\system32\manage-bde.exe

manage-bde -protectors -get F: -Type recoverypassword

C:\Program Files\TacticalAgent\tacticalrmm.exe

"C:\Program Files\TacticalAgent\tacticalrmm.exe" -m svc

C:\Program Files\Mesh Agent\MeshAgent.exe

"C:\Program Files\Mesh Agent\MeshAgent.exe" -nodeid

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass C:\ProgramData\TacticalRMM\565931752.ps1

C:\Program Files\TacticalAgent\tacticalrmm.exe

"C:\Program Files\TacticalAgent\tacticalrmm.exe" -m checkrunner

C:\Windows\System32\setx.exe

"C:\Windows\System32\setx.exe" ChocolateyLastPathUpdate 133726959027236644

C:\Windows\System32\setx.exe

"C:\Windows\System32\setx.exe" ChocolateyLastPathUpdate 133726959028037110

C:\Windows\System32\setx.exe

"C:\Windows\System32\setx.exe" ChocolateyLastPathUpdate 133726959029274793

C:\Windows\System32\setx.exe

"C:\Windows\System32\setx.exe" ChocolateyLastPathUpdate 133726959035095708

C:\ProgramData\chocolatey\choco.exe

"C:\ProgramData\chocolatey\choco.exe" -v

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.109.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 api.andvo.ru udp
NL 185.229.65.114:443 api.andvo.ru tcp
NL 185.229.65.114:443 api.andvo.ru tcp
US 8.8.8.8:53 114.65.229.185.in-addr.arpa udp
NL 185.229.65.114:443 api.andvo.ru tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 mesh.andvo.ru udp
NL 185.229.65.114:443 mesh.andvo.ru tcp
NL 185.229.65.114:443 mesh.andvo.ru tcp
NL 185.229.65.114:443 mesh.andvo.ru tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 icanhazip.tacticalrmm.io udp
US 172.67.169.135:443 icanhazip.tacticalrmm.io tcp
US 8.8.8.8:53 135.169.67.172.in-addr.arpa udp
NL 185.229.65.114:443 mesh.andvo.ru tcp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
NL 185.229.65.114:443 mesh.andvo.ru tcp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
GB 20.26.156.215:443 github.com tcp
US 185.199.109.133:443 objects.githubusercontent.com tcp
NL 185.229.65.114:443 mesh.andvo.ru tcp
US 172.67.169.135:443 icanhazip.tacticalrmm.io tcp
NL 185.229.65.114:443 mesh.andvo.ru tcp
NL 185.229.65.114:443 mesh.andvo.ru tcp
US 8.8.8.8:53 chocolatey.org udp
NL 185.229.65.114:443 mesh.andvo.ru tcp
US 104.18.20.76:443 chocolatey.org tcp
US 8.8.8.8:53 community.chocolatey.org udp
NL 185.229.65.114:443 mesh.andvo.ru tcp
US 104.18.21.76:443 community.chocolatey.org tcp
NL 185.229.65.114:443 mesh.andvo.ru tcp
US 8.8.8.8:53 76.21.18.104.in-addr.arpa udp
US 8.8.8.8:53 76.20.18.104.in-addr.arpa udp
NL 185.229.65.114:443 mesh.andvo.ru tcp
GB 20.26.156.215:443 github.com tcp
US 185.199.109.133:443 objects.githubusercontent.com tcp
US 104.18.21.76:443 community.chocolatey.org tcp
US 104.18.21.76:443 community.chocolatey.org tcp
US 52.252.198.179:443 tcp
US 8.8.8.8:53 download.windowsupdate.com udp
GB 2.23.210.88:80 download.windowsupdate.com tcp
NL 185.229.65.114:443 mesh.andvo.ru tcp
GB 20.26.156.215:443 github.com tcp
US 185.199.109.133:443 objects.githubusercontent.com tcp
NL 185.229.65.114:443 mesh.andvo.ru tcp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp

Files

C:\ProgramData\TacticalRMM\tacticalagent-v2.8.0-windows-amd64.exe

MD5 ed40540e7432bacaa08a6cd6a9f63004
SHA1 9c12db9fd406067162e9a01b2c6a34a5c360ea97
SHA256 d6c7bdab07151678b713a02efe7ad5281b194b0d5b538061bdafdf2c4ca1fdaa
SHA512 07653d534a998248f897a2ed962d2ec83947c094aa7fe4fb85e40cb2771754289fe2cef29e31b5aa08e8165d5418fe1b8049dedc653e799089d5c13e02352e8d

memory/3236-5-0x0000000000400000-0x00000000004D7000-memory.dmp

memory/3236-8-0x0000000000401000-0x00000000004B7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-QCL73.tmp\tacticalagent-v2.8.0-windows-amd64.tmp

MD5 a639312111d278fee4f70299c134d620
SHA1 6144ca6e18a5444cdb9b633a6efee67aff931115
SHA256 4b0be5167a31a77e28e3f0a7c83c9d289845075b51e70691236603b1083649df
SHA512 f47f01d072ff9ed42f5b36600ddfc344a6a4b967c1b671ffc0e76531e360bfd55a1a9950305ad33f7460f3f5dd8953e317b108cd434f2db02987fa018d57437c

memory/3972-12-0x0000000000400000-0x0000000000712000-memory.dmp

C:\Program Files\TacticalAgent\tacticalrmm.exe

MD5 6cfbd2da5f304a3b8972eafe6fe4d191
SHA1 09c1600064cb9d157c55c88f76f107373404b2ae
SHA256 ad29d4e9e01870ffbdb6f2498e6ce36a708e56db2ad431ba2d80bf5a6caac069
SHA512 03a29d2eb00a97b3fc83e55a8b8b1fe3e7adbb06fe598ed5525bb3764caced0bf5a28a3fd70e36b66687fcce5a9e7c9243ee6ab3a82d394044f3c60714a423e8

memory/3972-26-0x0000000000400000-0x0000000000712000-memory.dmp

memory/3236-27-0x0000000000400000-0x00000000004D7000-memory.dmp

C:\Program Files\TacticalAgent\meshagent.exe

MD5 32e747eda182352f2f1883979b8eccab
SHA1 14f401fdef9f5a9b11a1cfdc4ea14aede4339acb
SHA256 2e94c1f68d529edecec9184ee10a3383153752ff57018585d7b491b1ebb6157c
SHA512 1f226a5f8137739bb896239a1a995d84abd7d07e4ef091b367b4c11d9b6bcda20adc95c2fdfb6bac8fb8d55ceea61068c2503ff1421050046783d2f8489ed992

memory/376-65-0x000001D620990000-0x000001D6209B2000-memory.dmp

C:\Windows\Temp\__PSScriptPolicyTest_pr4qp52v.2mc.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/376-70-0x000001D63AFF0000-0x000001D63B034000-memory.dmp

memory/376-71-0x000001D63B0C0000-0x000001D63B136000-memory.dmp

C:\Program Files\Mesh Agent\MeshAgent.db.tmp

MD5 559159f7287d47a6ed1aa5e4084eb2e6
SHA1 f9b103e6cd0f962ea8c3df5273d4680d0356f875
SHA256 28283b09b000b8d911d55c4c61cc6020317aacd9905e4983904543c8696489f5
SHA512 5bca5284b61c72af314d6c7e9a191c84030aebd61e353a81d5d386e11dfa2d30b100ee945b201d59fd55937a6c42ef20f33dd0834a9290a57f5327aa380594a0

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 06d16fea6ab505097d16fcaa32949d47
SHA1 0c1c719831fa41cd102d0d72d61c0f46ec5b8de8
SHA256 54e15de2bef9f651d7717e2a336ac6b2ea2b723e6f29d2b153d8fbbc89aef723
SHA512 03c00f1eebb51cec11703141ae9d9c3ac589f5495bc04d8a4b043714089a9d50bd3a520e4d72b4a4c99f5b9bf5f689bf2585fa5c7d4ddbe6f71cbba0172f593a

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 2c0bdf06d302688498d4e7f9cd669ab5
SHA1 18186323d93499e03f737f137b4ad795eb7f470b
SHA256 86cd6b95819282eee4bd6c900b27ebeddf453a90a9f6147978e9137479f36bd6
SHA512 f8f02ab1cb6906975695369183d00d7f25ec4c54c40aba5ac0a1f42312c5eff5a6774a8e84c3357415555405f7e9754deebe8335dd1fdcf693137ab044cc18fe

memory/1320-103-0x000002383F060000-0x000002383F07C000-memory.dmp

memory/1320-104-0x000002383F140000-0x000002383F1F5000-memory.dmp

memory/1320-105-0x000002383F050000-0x000002383F05A000-memory.dmp

memory/1320-107-0x000002383F0A0000-0x000002383F0BC000-memory.dmp

memory/1320-108-0x000002383F080000-0x000002383F08A000-memory.dmp

memory/1320-109-0x000002383F220000-0x000002383F23A000-memory.dmp

memory/1320-110-0x000002383F090000-0x000002383F098000-memory.dmp

memory/1320-111-0x000002383F200000-0x000002383F206000-memory.dmp

memory/1320-112-0x000002383F210000-0x000002383F21A000-memory.dmp

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 bda999dc0156fe137e32d675956a6df6
SHA1 f23c009b8383c1ae87eb2909c1586800906d6678
SHA256 5083c7c8c0458ae2ec8c5451997beb78b4179e176f138e224a41d873e1dae79d
SHA512 59e3662a81db7a87cc8988ed0840bbf30a7082409d23dd3ef9c24d8be9778856af62f08ff4421902201c03fb70f2f01951b4e95e33f9730d781674d8e97688d0

memory/824-134-0x00000207C4CC0000-0x00000207C4D75000-memory.dmp

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 f50151eb8229648696902d58b2f6057b
SHA1 12abb0ca0d99e639d71fbf276edc82403ccbe483
SHA256 eddc730fff15919a037083d8aef2ff0bead33b6d506dcef9b0cd86cec4b54813
SHA512 180e6385cf555d02dd6b17e12400e41c630498e7ebe398cdf92a4af0517e1f79322f01c2fc5cbd35c8357112df4a02f2fb4f077146fed7559e221493bc724742

memory/656-157-0x0000021B5F820000-0x0000021B5F84A000-memory.dmp

memory/656-158-0x0000021B5F820000-0x0000021B5F844000-memory.dmp

C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\cryptography-42.0.8.dist-info\INSTALLER

MD5 365c9bfeb7d89244f2ce01c1de44cb85
SHA1 d7a03141d5d6b1e88b6b59ef08b6681df212c599
SHA256 ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508
SHA512 d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pyasn1\codec\native\__init__.py

MD5 0fc1b4d3e705f5c110975b1b90d43670
SHA1 14a9b683b19e8d7d9cb25262cdefcb72109b5569
SHA256 1040e52584b5ef6107dfd19489d37ff056e435c598f4e555f1edf4015e7ca67d
SHA512 8a147c06c8b0a960c9a3fa6da3b30a3b18d3612af9c663ee24c8d2066f45419a2ff4aa3a636606232eca12d7faef3da0cbbd3670a2d72a3281544e1c0b8edf81

C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\validators-0.28.3.dist-info\WHEEL

MD5 43136dde7dd276932f6197bb6d676ef4
SHA1 6b13c105452c519ea0b65ac1a975bd5e19c50122
SHA256 189eedfe4581172c1b6a02b97a8f48a14c0b5baa3239e4ca990fbd8871553714
SHA512 e7712ba7d36deb083ebcc3b641ad3e7d19fb071ee64ae3a35ad6a50ee882b20cd2e60ca1319199df12584fe311a6266ec74f96a3fb67e59f90c7b5909668aee1

C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\win32comext\internet\__init__.py

MD5 f45c606ffc55fd2f41f42012d917bce9
SHA1 ca93419cc53fb4efef251483abe766da4b8e2dfd
SHA256 f0bb50af1caea5b284bd463e5938229e7d22cc610b2d767ee1778e92a85849b4
SHA512 ba7bebe62a6c2216e68e2d484c098662ba3d5217b39a3156b30e776d2bb3cf5d4f31dcdc48a2eb99bc5d80fffe388b212ec707b7d10b48df601430a07608fd46

C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Scripts\normalizer.exe

MD5 c485a95e68d04b1bce4aa5b4f301d90a
SHA1 8e0903ca5f0e2982b12c8bb49d4dff94a147a95e
SHA256 87d309b4470d3f2c21c686e6895fe95aeaee7a3b00948694d39bbe71ed86d169
SHA512 3bcfa7fc4fab47f140a8f21b55c09bd593fb2ba3379edc7bb4c60167c46dc440170c7ed1d918c118d8d7e312b4e126086caf87361e87b2e661c8b0434ed81289

C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\CF78131CAB33CA407980412C760244BE717C6FAC

MD5 db5a0035f45beffc39ef806249d89109
SHA1 24a5c979cdb4ace8d4e10269cf7af0236730d809
SHA256 ba3c0c8d642e194e2727162f4dfad628c03a24298a1945ab5d80adb2f40302a7
SHA512 cd0f8703ece3d2e7529ed6acdf9061f9fdebc9f51a9fd03856ce10f6471b2dce74fcf29560683b9e57432314c74c2ecf2aec7dc65c376911e433d4c95eae23b6

C:\ProgramData\TacticalRMM\565931752.ps1

MD5 e9fb33c49bee675e226d1afeef2740d9
SHA1 ded4e30152638c4e53db4c3c62a76fe0b69e60ab
SHA256 44e045ed5350758616d664c5af631e7f2cd10165f5bf2bd82cbf3a0bb8f63462
SHA512 2661a981d48d58c9ceb1992e55061ce07af0d53b5f38b07de620376e0ea1d876c7e50965e67aee80fe723968bdb956dc7fd93e7923608534c8fb4d21739dbc48

C:\Program Files\TacticalAgent\agent.log

MD5 22d062ddfdf2dc671916fa7ac639954a
SHA1 4f87436984be475cadb4611d905dff39d0ffe176
SHA256 e5675162d52ab71caf4ee5914bfeb79ad7ea0e712ab3ab8a1e9100a7c51492e9
SHA512 33cdaa371e50745d534908a6585cd9a75e1e6203e6339d98328d793afc12bb87ae194f85e037f869b1007972f34f976885f32b8df59d256544532b427cb364be

memory/1376-2842-0x0000016BECBE0000-0x0000016BECC95000-memory.dmp

memory/1376-2845-0x0000016BEBFC0000-0x0000016BEBFCA000-memory.dmp

memory/1376-2844-0x0000016BEBFE0000-0x0000016BEBFF2000-memory.dmp

C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\helpers\Chocolatey.PowerShell.dll

MD5 fd3cac756296e10b23acb8b9f9a0fead
SHA1 287d3f5e0315a9fd5f6327d35c76571ea7d569d6
SHA256 b0915eb7f0d7fdbe4dcf6756d163199c80e49220f3fec9270c8e75ccd4349c30
SHA512 4d303bcb0ec769124d368da5142bd35c862b2da43c900bdbefe57778df9d286a80c5099d8e7e751a08ca6bddbfeccf3cb11cf182887472c1a6b0b43c62a0fc51

memory/1376-3018-0x0000016BEBFA0000-0x0000016BEBFAC000-memory.dmp

C:\ProgramData\chocolatey\helpers\chocolateyInstaller.psm1

MD5 8feb9f84cfd079bf675f4c448eb62c27
SHA1 f0a7c0eb89c94a81d72efaa0d4e72a2acf9a15a2
SHA256 4af7d8dcdba7335f96d4d7f9b7ab75b29a890380d8c7c35c59f60739db8a604e
SHA512 34346669024dcc273338913794103d16b723fbfe7d3fbd6eb89d3561b4e7134906fdaeeabcdaee653f452a9917ed48ed79fbf56e507f9e41e4adb7b4f32f48da

C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\helpers\Chocolatey.PowerShell.dll-help.xml

MD5 b01ce7945b984a7d4577948805bdc514
SHA1 1fc6bcc433bef5f5ac7f89f94fb7e792a1639f48
SHA256 6cfe6aaf300b0447eabad6f801dcc38461b0802f75f433dde2c642e52bc9d36b
SHA512 a6cd52038d37a1eedd780d60cb1cf18fbd96c33727dee14895e6781154b25de7a3a3d2fdf31aa60ac156200026f475194cf6261dc230bec8023aab0cf6110047

C:\ProgramData\chocolatey\choco.exe

MD5 76d8fe544353fb6dfc258fcfbe9264d9
SHA1 6bc15a025ab989d20e6c9b9a42344d42c688d5e3
SHA256 9a058764417a634dcb53af74c50f9552af3bc0b873a562f383af36feefc1496e
SHA512 01111dc18641c6fd4177b71d733b3b39d31f69bac6d0ff346a9b0ebcb72e6e34cc35a5a710e291ca9e4c0d2d4ae64dab398b879a84a457458c130460c1a6c604

C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\redirects\RefreshEnv.cmd

MD5 cc04b34e013e08cc6f4e0c66969c5295
SHA1 a33f1cb08b56828e3b742ee13cf789442dd5c12f
SHA256 8b6b1d8f6bfab3dc9fbee30d6b2f3093ea3eccd5c66e57161dbe1b8f703fa74c
SHA512 b485af21fcbb699d783e64e035595be7a117a1d6af62166c6d50ebd59ed8953141444f17f3bd07a865c9dd11aa7c75d5a4f2bdfb8b739a1668d055779f0d0c10

C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\LICENSE.txt

MD5 b4ecfc2ff4822ce40435ada0a02d4ec5
SHA1 8aaf3f290d08011ade263f8a3ab4fe08ecde2b64
SHA256 a42ac97c0186e34bdc5f5a7d87d00a424754592f0ec80b522a872d630c1e870a
SHA512 eafac709be29d5730cb4ecd16e1c9c281f399492c183d05cc5093d3853cda7570e6b9385fbc80a40ff960b5a53dae6ae1f01fc218e60234f7adced6dccbd6a43

C:\Windows\Temp\chocolatey\chocoInstall\chocolatey.zip

MD5 95231e41829f1c3a5ae890b71bcef1fa
SHA1 6fbda9446ed3d182f6680e06d4fd3f27d346cd7b
SHA256 c73d4eda9ab5ca89583ef90838c4b819a304c9ac5a8ad5a89dcb7edb15ab5fcf
SHA512 8c035dc01cde656c4d0e5b7b14355b3e8e45f6e54cdd703d817a1c547faee6eeff5299b31da6f6dad85be166417078eb7b256c6fcb895e94ec47049f53facb36

C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\CREDITS.txt

MD5 7677758586925baf4e9d7573bf12f273
SHA1 2f54bd889a52ccaca36df204a663b092ad8ab7b0
SHA256 4387f7836591fd9b384d5a11c22685d5441ed8f56a15dd962c28174f60d1b35b
SHA512 a425d55248b052810ee861fa75eb5c9c139f73aa70dfee406d59b7f1cf86fed5656d24b36db4f10a606be89a073305bc32bec822bf88ed53881323d6718fc001

C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\choco.exe.manifest

MD5 1b3ed984f60915f976b02be949e212cb
SHA1 30bccfed65aef852a8f8563387eb14b740fd0aa3
SHA256 d715d6071e5cdd6447d46ed8e903b9b3ad5952acc7394ee17593d87a546c17fc
SHA512 3ec5b3b09ef73992eabc118b07c457eb2ca43ce733147fd2e14cccde138f220aee8cb3d525c832a20611edb332710b32a2fc151f3075e2020d8fd1606007c000

C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\tools\shimgen.license.txt

MD5 89ac7c94d1013f7b3e32215a3db41731
SHA1 1511376e8a74a28d15bb62a75713754e650c8a8d
SHA256 d4d2ef2c520ec3e4ecff52c867ebd28e357900e0328bb4173cb46996ded353f4
SHA512 9ba2b0029e84de81ffef19b4b17a6d29ee652049bb3152372f504a06121a944ac1a2b1b57c6b0447979d5de9a931186fef9bd0667d5358d3c9cb29b817533792

C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\tools\shimgen.exe

MD5 1a3808e1be6302f046aada94ac685402
SHA1 9c815f53ed1085a59c345fabc6e826d992b58066
SHA256 e07ddabc0a414799d090fe36d4196e8cd5471dd9718649e545410f14ef7ca251
SHA512 5e6e879b0fd3fa038bc5e7ede14231399450f12311728bbc97256f548ce6f2b72fbe88c048507d2766a09ae42d2f5b3aaf49e2a32b07426558867e9452b2eafa

C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\tools\checksum.license.txt

MD5 a10b78183254da1214dd51a5ace74bc0
SHA1 5c9206f667d319e54de8c9743a211d0e202f5311
SHA256 29472b6be2f4e7134f09cc2fadf088cb87089853b383ca4af29c19cc8dfc1a62
SHA512 cae9f800da290386de37bb779909561b4ea4cc5042809e85236d029d9125b3a30f6981bc6b3c80b998f727c48eb322a8ad7f3b5fb36ea3f8c8dd717d4e8be55e

C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\tools\checksum.exe.config

MD5 e9ad5dd7b32c44f8a241de0e883d7733
SHA1 034c69b120c514ad9ed83c7bad32624560e4b464
SHA256 9b250c32cbec90d2a61cb90055ac825d7a5f9a5923209cfd0625fca09a908d0a
SHA512 bf5a6c477dc5dfeb85ca82d2aed72bd72ed990bedcaf477af0e8cad9cdf3cfbebddc19fa69a054a65bc1ae55aaf8819abcd9624a18a03310a20c80c116c99cc4

C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\tools\checksum.exe

MD5 76231f812a77727eb4bdeb2409cf942f
SHA1 c39fb549cfe092dddddb59536d565e55a89c93a5
SHA256 7c29a172e6b9c466afeba7148ad9ce6a1a89a7e538200a6c43ad86a279a66dd4
SHA512 f540c657807312c5890fbabed6ac16a62bab962f308ddb23a15c913075afa68fdc7636648eeb50d5b4a1e26d497cc17031bd80d6d8e9d7e86fea16037a0097f1

C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\tools\7zip.license.txt

MD5 f4995e1bc415b0d91044673cd10a0379
SHA1 f2eec05948e9cf7d1b00515a69c6f63bf69e9cca
SHA256 f037e7689f86a12a3f5f836dc73004547c089e4a2017687e5e0b803a19e3888b
SHA512 e7bb1bacab6925978416e3da2acb32543b16b4f0f2289cc896194598ee9ade5c62aa746c51cf6bf4568e77e96c0a1014e4ddb968f18f95178ee8dfb1e5a72b96

C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\tools\7z.exe

MD5 76a0b06f3cc4a124682d24e129f5029b
SHA1 404e21ebbaa29cae6a259c0f7cb80b8d03c9e4c0
SHA256 3092f736f9f4fc0ecc00a4d27774f9e09b6f1d6eee8acc1b45667fe1808646a6
SHA512 536fdb61cbcd66323051becf02772f6f47b41a4959a73fa27bf88fe85d17f44694e1f2d51c432382132549d54bd70da6ffe33ad3d041b66771302cc26673aec7

C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\tools\7z.dll.manifest

MD5 8f89387331c12b55eaa26e5188d9e2ff
SHA1 537fdd4f1018ce8d08a3d151ad07b55d96e94dd2
SHA256 6b7368ce5e38f6e0ee03ca0a9d1a2322cc0afc07e8de9dcc94e156853eae5033
SHA512 04c10ae52f85d3a27d4b05b3d1427ddc2afaccfe94ed228f8f6ae4447fd2465d102f2dd95caf1b617f8c76cb4243716469d1da3dac3292854acd4a63ce0fd239

C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\tools\7z.dll

MD5 cd479d111eee1dbd85870e1c7477ad4c
SHA1 01ff945138480705d5934c766906b2c7c1a32b72
SHA256 367f8d1bfcf90ae86c0c33b0c8c9e6ec1c433c353d0663ebb44567607402c83d
SHA512 8b801bfbb933e0dc77090555fa258d416cbe9ed780fb1821aed532a979617082b29e0b6f8fb85f73a9e93c98981426c92c498a41c49f823707da3e6b7bb30128

C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\redirects\choco.exe.ignore

MD5 81051bcc2cf1bedf378224b0a93e2877
SHA1 ba8ab5a0280b953aa97435ff8946cbcbb2755a27
SHA256 7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6
SHA512 1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\redirects\choco.exe

MD5 9ab70fc7ce569afeb61472fecfcff233
SHA1 6e3572be787d452219fa86deae45bff98b5733d7
SHA256 2e8cee54c264ec344ca3049fa361bd2da721232162bfd5bb75a30bf0130c6a69
SHA512 8dddadd28e6ff07f2aa4115e430fdbdfdfcf4d8d83546099dcc229310e0986b551e457eb64e842d9aad1b606719913dcd444def9ef83b726a9ab5049a69dc7de

C:\ProgramData\chocolatey\helpers\functions\Write-FunctionCallLogMessage.ps1

MD5 7fdc886cd1db91065a017a76c9096aed
SHA1 6029f809be8ab12cbe0f25552b25fcfc757dfdd8
SHA256 117e7bbfd11da2f5bd00f66aa004837dd774485e96334fb42b8ac537f4fb012b
SHA512 d5eaa0cdcc09a0673320a1be26e628e067182ae93b9aded6cf275faf68fba7bd6002e1d446bc9b8e9377221de4611058ba32fdc6b4fcb2e53795c3e202c828b5

C:\ProgramData\chocolatey\helpers\functions\UnInstall-ChocolateyZipPackage.ps1

MD5 bce016992a8576f7a481c6d2962e0879
SHA1 4a7a84db35e3a2d43d7aa0980c0342dd164a16e7
SHA256 599ea45533dc1ab68a9646c6a88b71f4fc11a8669fa3ee8f41360435ca8816dc
SHA512 4dc541851496a407a26674bb302bc3b624fb9d6e581f1ee61dc34daa0d031648f02b5c2fcc7a0002ff96becfa75264635933a503f570ee425d418a22ebd50a8e

C:\ProgramData\chocolatey\helpers\functions\Uninstall-ChocolateyPackage.ps1

MD5 bbd9b99d0ab44f6e4a9fb80d6f3a7afa
SHA1 f3a980d5493597144fdbbaad86f5207c2e39e08b
SHA256 07ced451a144a7f6e3fd24d19bfcb2e2a5ea49a969a036754cb833dc2d2986cb
SHA512 06ba6cba2290e4bb6ff3adb09961a260ce811f25a97a2cef0cac7b25e94fc3bfa177fda21b69f9f6ad62901578f16d9716eefe60dfd76cdc925eadc7a730d14b

C:\ProgramData\chocolatey\helpers\functions\Uninstall-ChocolateyEnvironmentVariable.ps1

MD5 f3d779698e09e13fbd55f0a5c6914616
SHA1 44eef7c9b8563cb5d7489abbe6f5158484aefb64
SHA256 c20b736bce859734c4497c6d5aaec13bfa3c201461cc02f48a7539fea54be59e
SHA512 ab266effc4e26d5b04a3a5693e57f979c780a6d7590bc27090225cb44a831fb7a2396540323a70f6456cd7806e00e9738dba866b0bafdfb0226a962e38aca0f0

C:\ProgramData\chocolatey\helpers\functions\Uninstall-BinFile.ps1

MD5 56afaba9f733028dc1d8e03e21be15dc
SHA1 fd16728498a14961a97ee1a80b9ffa3f3bc3b6d4
SHA256 f706530f0cdabb2f02c9d5b70d7de77d1f02fc4f6730c815ff8410dcf208b9fc
SHA512 54090832d0d6cb1439986190da356c7cd5caffa052118185a6336c0d73f87b937dc5548603f843ab2e5302103ced01a2a9b1f409c4057db5e1aea4a5c7c4dcf7

C:\ProgramData\chocolatey\helpers\functions\Start-ChocolateyProcessAsAdmin.ps1

MD5 1de230e139174065c73a46f5917f27b5
SHA1 80e19d04dd84da6904b696e4a1caa93953eeda86
SHA256 694c4daed9add47d4ece4bd07568aa57dbc1f3316426f78ce5fd1ef2f2ce2625
SHA512 93549f700b93115939075a9bbdafacbd2500d8c4c02a3e0312bb0823b09850a8575e2ad8d8b6c4dbf62838e2f383bc94321965b45af73b552797100306d6d2f3

C:\ProgramData\chocolatey\helpers\functions\Set-PowerShellExitCode.ps1

MD5 a917ff0cdf22fe0543dc06713d9cb160
SHA1 efad7626fdf18230a8f9a2e6e0e9df7639d3b600
SHA256 fffb05319b00efb87d2705760ef351c11ad2b1913469635b980d386310bf0e1f
SHA512 505aa2b2559511bbae8124ca4898e003e6b494a3e4db7b13231d1007f23829c595dd1cf953e50bc67e32ea4a967bcd51971625be9ffc8757f57f75f6e106c6ba

C:\ProgramData\chocolatey\helpers\functions\Install-Vsix.ps1

MD5 05ee41715ae0ccd260cb385c3727d607
SHA1 afdbd2d4a0fd050d20af8e107b2dadddc45ac49f
SHA256 dad0ef31eb232c6c189e0ad947e62e71c5239bf2dad8f9d72a06cf3544a427a4
SHA512 1314234805a0b1048e97a5644c4084254258d9a525fd3175a893c4b0aa37dd682e13bcf21e13355593b4ade7e823d190ca695b4edba04f3e5136d65fbe856dd4

C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyZipPackage.ps1

MD5 7cb49e4054a7cc234f428faee99d0ace
SHA1 86acfd18a8a274fb4bd0d745a23b501016851b6e
SHA256 ddbdd5abde46f4aa7d5bd472f3d2b1182835a6739c9194aac70749c4bc1fba4b
SHA512 86e27a5a58736ed0c0c2fbb11d7c744fc437a195f768ea223817eca6b4225b541e6ed554a2d9e27626fda793603d1a41e6ff52d39af060c4ca1eea557a52789b

C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyVsixPackage.ps1

MD5 e0e54825bf32d160b62c691d2f314611
SHA1 6e89de9aec3f94c6e046fbb04be28e33a8fc8732
SHA256 4e982ce84c225c6870cc78120e5f85fb622756feff4c7e8eb7088473a2538620
SHA512 6f6d018cd2ab86553746027953439c8c7f1251e5a4bc7b8514d8416babee69d8ee8c7c7698b4f1bce4f2fa815a35ebcbf5bd81580b629e5b2bb20481e9020166

C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyShortcut.ps1

MD5 65469f9f27a5dbdef060a0560aa0db7c
SHA1 fe49184d2db322a919513c9667625efa9009a632
SHA256 3410aeb9bc5106b29f2c4cbc74c9febdc229c569153ddb1e41188a7396079a3b
SHA512 8b6ba9ece1f8f53f0e5710dbb7330bf2dcdc8e8f844627bdf54670fea9040bc3239b1673291f1682a5bb404cf9d11e9a1732a1c5484bfb05b0f77db6af3138b5

C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyPowershellCommand.ps1

MD5 5e5319e30be55a660e75a5bb04219ad5
SHA1 8d7457acddf8257c6c9651e3480bf4ee72699361
SHA256 aeee93f35724d656a73d1572522fe9b985fa1cae6978b0405398ef9327a1580d
SHA512 80534b6a71b8d0a216ddd13556046c86275df088208861c6f5ab0c88301a785ae2eb685266892381d47d2b3ecec25accd476377be146c8e51cced57a0aa10d63

C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyPinnedTaskBarItem.ps1

MD5 bf5ee790510b3a2980412675d29a293c
SHA1 164b0bf972cc0c4ff56c47641a047af4743f598c
SHA256 671fed8b51891ab5e1639033e4477f4311d2b139b4eccd4248e84b0c9028d0d0
SHA512 659ef4cf6e973448469c21507ef67902bbd8a8fe11a92c699c3a782b8b68eed1690246652f93731fce1a6147777965773c1c3a8246a19caa73763a26e5524a07

C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyPackage.ps1

MD5 5e6faf3925a572faab69a45cb05e8352
SHA1 bab071428238635e6290fa2741bd63cc803d73d5
SHA256 16b5df14198360715d06a5f12f2b1976d38e729bbe37748e0cbb17f57c4f367e
SHA512 453f3b6a672a521fadbf7966cd84efd011fa6b9186a08234c3ded39e43e898ab0a48229bb46661710c16dafbfd889ab4c45fb34bc0fa01d4a30122a8ace7f478

C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyInstallPackage.ps1

MD5 5e189d783f6f603161b85c157ac6c0d4
SHA1 4303565e26f06b5ff9f6cbcc889ac5ababb8d930
SHA256 09e1973a0286c5912c7f233fce89b2efd9347efdd085869437d9fcbe69a5c5d7
SHA512 2fced12cafea173c86c3f47a7be856b9d4971092881056c0150762e885277adedb1233352d376fb3690951079f5d6a2d1a8643531dedc1006a678c0d7c145f94

C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyFileAssociation.ps1

MD5 564e96072345c9f3f4e96e32d95108ec
SHA1 4f83114c167c77253870f837b83db806ffbcccdf
SHA256 a8e90f1f01264ac52e7523394777616d06a53daaeb16868f3e8a06426fc0e586
SHA512 80d0264ab8d51347040296c758d6fe0282442edde39d20115ff632770eebe71421661cd23c3a8d200197109f2507e5e72197209417c5d10beef182004a57ac49

C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyExplorerMenuItem.ps1

MD5 cfbc57e6f8b07ab19d0a2658cf790306
SHA1 4f90b9c43645e2370040f40e88ccd48628a7012f
SHA256 1e2fb44e0be817b5e16a03a30502c65f61dddc551bd3923ea571e3f83980e049
SHA512 f4af36cff89378e138ccbcb58ccb0204bbb059097dc5a566368c3dea7f7a1fac9a4a174a9e84b221bb83df0d5b3ef7c04160f9f63106cff8db859321c803b3e8

C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyEnvironmentVariable.ps1

MD5 b7412f3a46a112d74783b105c5cb0638
SHA1 408a73cdf57ced4256526e5c699699a2fa089086
SHA256 223f17f84d214c9fa9478817eff65a2681d505dfbfb6b81a2121e446e9614000
SHA512 afa565f67cbd19789825f378c1fa7d468b6b3018ba574be2a225774e26a31c35dcee18eefbbfb163e1687420084a52667642c38b68fe0695b3294fd480386f62

C:\ProgramData\chocolatey\helpers\functions\Install-BinFile.ps1

MD5 78e046bd9c5524eae4c290c5f1d8d090
SHA1 0200b5c106effb26fab84e8b432725f626cea9ca
SHA256 767fd247f1f93cac6188ba1a0c3398b87cf3178e25ded4a16ced7e9bb3cd27f6
SHA512 073ce96951bc1a95d31eaf4a6d6ed7ab7e876847d88b6ce38b31cdb0fb28a6fe093999010c9a19fdba6acd87c1a6e1ebf6085448122ebe6a97b9015cd904715f

C:\ProgramData\chocolatey\helpers\functions\Get-WebHeaders.ps1

MD5 5540d1bea1c41384c0a44be773820695
SHA1 adbb11f9371154d5bb440fc522ea68c3730d684a
SHA256 1d15d738c319132c792ac6f8820f50ccb0fc32597e9c886746bcc31fcce2c683
SHA512 1e870c37493f2ec59468b27320e249422912ddfae8c8a60338e6754e16d809c7572694ca369e0a7e67c6d3607b4262e2455f66ac855b451f6bbbb0e772119e4e

C:\ProgramData\chocolatey\helpers\functions\Get-WebFileName.ps1

MD5 22a06bb57eeae0b3c1d63f0b23c83541
SHA1 a2dda0d44ff38b0b248cde072c95707b183c40ef
SHA256 db062d9d09d7dae751e626bf97138eae6e9350112e2738cb3be9ef78dbdace1a
SHA512 c243228df368d3bec03bbaba9a91c7c966d089d982937ee18c53a2a6fc217b08c029d5b62871b55fd84859a30d60037f013c26966237d1c2b14b6d81e650488c

C:\ProgramData\chocolatey\helpers\functions\Get-WebFile.ps1

MD5 101b16272234051204428a4e53b99113
SHA1 f1a08992c63f405838838c26d309a1f918ba312c
SHA256 2dc9ae2d1de175e6b867ff89f84ba25d08dd5f41b84e2818318ca23f3eb5797e
SHA512 bde4deb19594733afd878d8e804787197ab894a3d6c60eda32f393a0445e59eac60240028d20b189566efa34b408b784e01967cd83811f77ac82a9ea6d75d9c0

C:\ProgramData\chocolatey\helpers\functions\Get-VirusCheckValid.ps1

MD5 4aacdca3061553326f51b0938232d897
SHA1 6df122a2c6d7d5954915a871494a5333601e5f9c
SHA256 73d85aa2297033f106a0c8c3138efb9ad36f97ed108e040f12348fae94c56f74
SHA512 c74b505b20da653ef68615df221508b76937cdb7956f54c6a07d314283e3fa8b03ee1e14d0d49c0fd6b99c2d8e126678f97645c7ab4f340cd58f1566b4e42eca

C:\ProgramData\chocolatey\helpers\functions\Get-UninstallRegistryKey.ps1

MD5 5d9a27ae842c05255f5a6e7f2465ffe3
SHA1 59066ff2d8da1a2f552cf61c484400affab5aa2b
SHA256 573fd644bee61bf85053989c7111be4a33223ce9bfd0ae5f95e05382fa08a1f5
SHA512 b0cb5641bca08c03cbc9e57aa12a06f255f1888b76d32b821561b9217d1d293b6c2d5188acf483bcaebe3c83afeead2aa308b3741fb8a171cc23b8fd472ff5b1

C:\ProgramData\chocolatey\helpers\functions\Get-UACEnabled.ps1

MD5 4346017feb0a9b795191efd686b789c3
SHA1 b58d82c54a00fa402199b5efec3bae97c40c0d15
SHA256 3f0c1c8c91696c6ae9c0e41589319d200d2c4bd16cabf4e2f1a11fc947a72f91
SHA512 680172309ba9da0ed0786c7b1bd967f6a3d09e9989d14d85c6566250c83dc2d997d48f6fccf2faccca6548a56ddf39f2d577806f5325e558670442c26607a22f

C:\ProgramData\chocolatey\helpers\functions\Get-ToolsLocation.ps1

MD5 8e6fa8b04f177d447f161517548f4d47
SHA1 b39f9c37d1db563aa25298b60bcd5129bc6614c4
SHA256 10ef1bd8a810ee08f601a207ac83a4c7d9ebad1a4777378cf3749e3c56b98c48
SHA512 44137b572237b5b1fea00039d5cfe10f182f20595740e185f40026c87b07d3c05e1eb1fae82f4919c6795a0acdb79dbc9d28ba78d8f16e6dc32a42aeb5b74331

C:\ProgramData\chocolatey\helpers\functions\Get-PackageParameters.ps1

MD5 847e9548a2e02e2e4d73f7fa08467e67
SHA1 022e03be3a51aad9b3c0ef950c3eff14d09343e1
SHA256 d537580623ca8088692ad463e8913a83edb50963bd4b3b2b7b579e4e2b3b71f9
SHA512 4c6ddbe465adc27bc97cb684a43b6baab59bbf21b8d8a2bc73d6ae618a6dff4816f139a246558e0b8c49fe7d2d5068f16f19cc132f21d7076d833764aa24f86c

C:\ProgramData\chocolatey\helpers\functions\Get-OSArchitectureWidth.ps1

MD5 96ce9de89c3e9d3afa2107ae3d30630a
SHA1 0856953bf3b426be54f6759ab1ec9be6a35c631b
SHA256 30f831b5189132d642edfd7cc9e4f44b11ae357652e1748073d94206544d4b77
SHA512 4ec2bd382fb306aac0da8009e9e05e4e5b6b0ef248718415c1e255935d70a4d9211d98adb2992174660f07eb0239c8ac2491734d6c6d1e957b72ea568df6e012

C:\ProgramData\chocolatey\helpers\functions\Get-FtpFile.ps1

MD5 be4288d0cf3bf6203139f32b258a2d2a
SHA1 5deeb81fd84ee5038e08e546e7ee233dde64c0fd
SHA256 a0d1fcec293a9d8b1340bbf54194884ef1c7495c3cbe9d4d5673edf2e5ccfb43
SHA512 86090ee2fd2a77f8b38e3385af0189a657583e1ebdce2cf8ebd096714ae2081f9c62306cbc5712cd15475309d8c1ebc340842936afbff4bfee1c148f8626d47b

memory/1064-3250-0x0000029DC5680000-0x0000029DC6182000-memory.dmp

C:\ProgramData\chocolatey\helpers\functions\Get-ChocolateyWebFile.ps1

MD5 5c544f7d387ca56993a00e0a132a2e93
SHA1 8214c283a1cda735803e8e2b76db9715932b150a
SHA256 5a763e6f6895fb36c99c942c56b2e5860e316978ce61ffb6d5a4599b357eae4e
SHA512 2577d38f631b8061bbc9b73ad0a33b47dc97929ba463141c6c9216cdf1219a278b30ea8420c399d72a440065954a0a54f01546dc17f34fce0151f35de87caa3e

C:\ProgramData\chocolatey\helpers\functions\Get-ChocolateyUnzip.ps1

MD5 37ce9d39ab4ab1d9e9d9373173152e1c
SHA1 a0e06df561391156ac3623f56afa824173a6e34f
SHA256 bb77491d99fa16f09048e81a2cedc29f3e6397d0d166ba2f72317aca04347c25
SHA512 9f9b21df7bca9c15fac1582900932f77d6fbd1e80ec751d88141a6479d78ee2622df1b96bf1606c0df3c3cb0a7f553b5a8567c30590cbb1260dc8614dda8de49

C:\ProgramData\chocolatey\helpers\functions\Get-ChocolateyPath.ps1

MD5 1235a3a21c64fe5563c06f65543d7d77
SHA1 204bcd4af12c7de4c83b2d2cdb22955e6c2eacf2
SHA256 18f1e1dc7ea4c3daae3fc51fd1373330c0132270180ed93bcac7a1d2843353f5
SHA512 b51476e608368120458d276b662a860cb863cc64f41556099c1bbd5c901b3a300b8d4266f44003b14a9d3d25a0832db7afe2c025858ff9d3c194acdabe0ef237

C:\ProgramData\chocolatey\helpers\functions\Get-ChocolateyConfigValue.ps1

MD5 7686ed92bc6bc3606d914ac3d6555d73
SHA1 6db9151efb0c2d693ac2acb8099967a7c32fe47b
SHA256 83eb927efcd495e15fd4ff5d043e1f0cf4b2dceded9aeb5a4af3db0cde2bfd8b
SHA512 df7c252898fcf6829632b3d576b72c2a3232b24741fcb1ee50ebe7d7bafe86e0cceeb75f08b22ae177e57c6758572842b341c7d933f229d9d2c99388488b120d

C:\ProgramData\chocolatey\helpers\functions\Get-CheckSumValid.ps1

MD5 32fdfad78eecf1a6936525069d0eda09
SHA1 bf1f751146e73887de2c54a183d70a005a7453ab
SHA256 0e34c0c610bad2bca1c36e24908003886e6e8d506a7ce5cfee85c921faea61e9
SHA512 e9b9645391589365969e990967b5133de10090c212d000638c1553d98fdf7d0e6f99d9284d6f9f7385a7ffc2d37038bb430ce79bf3a44fa652ae745907833665

C:\ProgramData\chocolatey\helpers\functions\Format-FileSize.ps1

MD5 c1e5f78407a38c0f2bef0839274a30d5
SHA1 2e5d91ff054720b94e7795474e23fbe202635165
SHA256 d47a44752fd6a983f9ab0e48aa8b12a2b0bc772ea0bb380c64723bb8e0b2ccbb
SHA512 81c22988af2065e94e4420e1b71d1bd2c12406a74f0984c7183a4905d4cc397a71728a9b0dc41ea625bb12e231fb002e3c965f92f60bcc12e5b0be81b26e056a

C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\helpers\ChocolateyTabExpansion.ps1

MD5 e7e5066e40b28d8258e840b6e1594d12
SHA1 d2f3caf9755d0b7746ae16936dbfea4acb3f44f5
SHA256 9dcd26d37f492d76816f17529ae33851416dd4d7841dde7af505b9edee50baf3
SHA512 5534cdc3c7fcbd6ac07d13b95aed8c1d2c8d007641c5184b8053c98dc0723ae3e7321722d443b68da68184d7f73ff347a988718f83f767bb6b5266a3af72fccc

C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\helpers\chocolateyScriptRunner.ps1

MD5 0870ae75b1d8f0823ad8bb05bbdc90df
SHA1 9f6a23ac198321235d3d0b1ef1547863fe7c680d
SHA256 859cfa5d9dc747a5bc5651331977beef2177cf8335a24a8f0a26d7965fd66944
SHA512 3bae1a9c7a7610ec86c5187de2ccffd295bd0d054a86000fe76a5d375842b98806a6d4f227dda5b0ab289b6365d664a2c3e55891add3e5cdc22efb75a410894e

C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\helpers\chocolateyProfile.psm1

MD5 2d821e986cc3d5baed2b35fd7c98291c
SHA1 6838f726ef41a3fef1878af6e1b5d88dfc148ae2
SHA256 91b8605fafba35d44f4352aa96f8d8fb366d0970e68bd194326f80eca67bf6d3
SHA512 37695fe351a5ee1c7326f77f653a49cad9c9a3a2dce3f3761d2baaece77f927691ac47a81ba8d0ac2f89c868d72f0e9751ab0f78375dcec936566c6c87297d1a

C:\ProgramData\chocolatey\logs\chocolatey.log

MD5 52425ee6979f86a819f4f614b8addb7f
SHA1 61ba91afb4e81512d46df0c3d8c27c4ee860b4aa
SHA256 3cbba77e22d2d30d057546df486c872015a7fdc270d3ffc75c6d37a3e960f926
SHA512 13a280d4f893070c43984f2468d65bff16cd72cf2dc44780c4be8eb20df35622c0c07f031f3ffc77820cdc648f7a17487d23102af2806bd80320d58bb976d84c

memory/1064-3263-0x0000029DDFC20000-0x0000029DDFC70000-memory.dmp

C:\ProgramData\chocolatey\logs\chocolatey.log

MD5 8793074b26a0b54dd18792dc6e235bfe
SHA1 4370bc34dc976c3a065f1438acb611efb9c02b52
SHA256 cd66b44072cfe06535717c040f6aa35b60e169a7b231fe2d6f9cc8fcb08676c9
SHA512 1450a2ee4a1b762456819e1dfecb86db801748dccd6f099308591c0b841a39c68a38b2a30523160223686b55422fdf336f44ec5eecdd6e54ab8583491afb99fd

memory/1064-3300-0x0000029DDF230000-0x0000029DDF24E000-memory.dmp

C:\ProgramData\chocolatey\config\chocolatey.config.backup

MD5 8b6737800745d3b99886d013b3392ac3
SHA1 bb94da3f294922d9e8d31879f2d145586a182e19
SHA256 86f10504ca147d13a157944f926141fe164a89fa8a71847458bda7102abb6594
SHA512 654dda9b645b4900ac6e5bb226494921194dab7de71d75806f645d9b94ed820055914073ef9a5407e468089c0b2ee4d021f03c2ea61e73889b553895e79713df

C:\ProgramData\chocolatey\config\chocolatey.config.1064.update

MD5 a3f016f5f2bd742ff1591950260f6f75
SHA1 7feabbcc2e2d51c09065071f58da23990e215b72
SHA256 6621f97fca4589b04e4c9a835344371fc3ecdf1f4cdac5c1492c05fcc23629f3
SHA512 ad6a96131221f3e8ac1e5bfc094ae1c09344a65f84b73d6933650e26417a569275e049b564b4c954641c7906a5fbbc886e37fa4a4bfb8216ccf3b519d09c7250