Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    99s
  • max time network
    115s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    22/11/2024, 23:17

General

  • Target

    19943ebe7317e55bf09e0eb6f39f794d2c6d0a4bc840b48f8a7a5ae11beea694.exe

  • Size

    5.0MB

  • MD5

    510bd7f4c948f47388af7e9e8bb22abe

  • SHA1

    aa22f12c511e964573f43cf3f36b8f286b4ad703

  • SHA256

    19943ebe7317e55bf09e0eb6f39f794d2c6d0a4bc840b48f8a7a5ae11beea694

  • SHA512

    dba3d3746b34c842bb36d632ef487188b3f838cc44ee27f810ed98f492469dbac9677cef29daad41ef0e656c99002832e5915e4c74afa7893b81e3265f0aac89

  • SSDEEP

    49152:SRg0nHQi1uuVvrb/T8vO90d7HjmAFd4A64nsfJWl6OEch34Vx9n5ov0IrQszVS51:1i1uuVQEpf5qusz8GER+ecK

Malware Config

Extracted

Family

meshagent

Version

2

Botnet

TacticalRMM

C2

http://mesh.nsicorporation.com:443/agent.ashx

Attributes
  • mesh_id

    0xAEA8EA43B54F89ACF716D6EF51F14EC3471A9E7CE2172AE38F96984EE73CF5AF995B515150F570BB7CF0BB2A5D177386

  • server_id

    1DF8C928F6C863A0A22E2456E6E7D65E82F80A81F661DEBB6D26188D872615CDDFE7C57B0C30E33AE465E61A840B6387

  • wss

    wss://mesh.nsicorporation.com:443/agent.ashx

Signatures

  • Detects MeshAgent payload 1 IoCs
  • MeshAgent

    MeshAgent is an open source remote access trojan written in C++.

  • Meshagent family
  • Blocklisted process makes network request 4 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Stops running service(s) 4 TTPs
  • Executes dropped EXE 14 IoCs
  • Loads dropped DLL 8 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 10 IoCs
  • Drops file in Program Files directory 24 IoCs
  • Drops file in Windows directory 1 IoCs
  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utility used to control services on the system.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

    Uses the powershell.exe command.

  • Permission Groups Discovery: Local Groups 1 TTPs

    Attempt to find local system groups and permission settings.

  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Kills process with taskkill 1 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies system certificate store 2 TTPs 10 IoCs
  • Runs net.exe
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\19943ebe7317e55bf09e0eb6f39f794d2c6d0a4bc840b48f8a7a5ae11beea694.exe
    "C:\Users\Admin\AppData\Local\Temp\19943ebe7317e55bf09e0eb6f39f794d2c6d0a4bc840b48f8a7a5ae11beea694.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2116
    • C:\ProgramData\TacticalRMM\tacticalagent-v2.8.0-windows-amd64.exe
      C:\ProgramData\TacticalRMM\tacticalagent-v2.8.0-windows-amd64.exe /VERYSILENT /SUPPRESSMSGBOXES
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2072
      • C:\Users\Admin\AppData\Local\Temp\is-E8RGR.tmp\tacticalagent-v2.8.0-windows-amd64.tmp
        "C:\Users\Admin\AppData\Local\Temp\is-E8RGR.tmp\tacticalagent-v2.8.0-windows-amd64.tmp" /SL5="$70152,3660179,825344,C:\ProgramData\TacticalRMM\tacticalagent-v2.8.0-windows-amd64.exe" /VERYSILENT /SUPPRESSMSGBOXES
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:2848
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /c ping 127.0.0.1 -n 2 && net stop tacticalrpc
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Suspicious use of WriteProcessMemory
          PID:2812
          • C:\Windows\SysWOW64\PING.EXE
            ping 127.0.0.1 -n 2
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:2792
          • C:\Windows\SysWOW64\net.exe
            net stop tacticalrpc
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3012
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop tacticalrpc
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2684
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /c net stop tacticalagent
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3024
          • C:\Windows\SysWOW64\net.exe
            net stop tacticalagent
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2876
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop tacticalagent
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2828
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /c ping 127.0.0.1 -n 2 && net stop tacticalrmm
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Suspicious use of WriteProcessMemory
          PID:2712
          • C:\Windows\SysWOW64\PING.EXE
            ping 127.0.0.1 -n 2
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:2660
          • C:\Windows\SysWOW64\net.exe
            net stop tacticalrmm
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2700
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop tacticalrmm
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2724
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /c taskkill /F /IM tacticalrmm.exe
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2732
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /F /IM tacticalrmm.exe
            5⤵
            • System Location Discovery: System Language Discovery
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:2716
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /c sc delete tacticalagent
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2644
          • C:\Windows\SysWOW64\sc.exe
            sc delete tacticalagent
            5⤵
            • Launches sc.exe
            • System Location Discovery: System Language Discovery
            PID:832
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /c sc delete tacticalrpc
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1776
          • C:\Windows\SysWOW64\sc.exe
            sc delete tacticalrpc
            5⤵
            • Launches sc.exe
            • System Location Discovery: System Language Discovery
            PID:2508
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /c tacticalrmm.exe -m installsvc
          4⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:1304
          • C:\Program Files\TacticalAgent\tacticalrmm.exe
            tacticalrmm.exe -m installsvc
            5⤵
            • Executes dropped EXE
            • Drops file in Program Files directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1256
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /c net start tacticalrmm
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2924
          • C:\Windows\SysWOW64\net.exe
            net start tacticalrmm
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2748
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 start tacticalrmm
              6⤵
              • System Location Discovery: System Language Discovery
              PID:3000
    • C:\Program Files\TacticalAgent\tacticalrmm.exe
      "C:\Program Files\TacticalAgent\tacticalrmm.exe" -m install --api https://api.nsicorporation.com --client-id 27 --site-id 42 --agent-type workstation --auth 69a4a117c519b41b3ff855cc2a783c580928c9437071606bb8d3c3dfd81a478f
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1288
      • C:\Program Files\TacticalAgent\meshagent.exe
        "C:\Program Files\TacticalAgent\meshagent.exe" -fullinstall
        3⤵
        • Sets service image path in registry
        • Executes dropped EXE
        • Drops file in Program Files directory
        PID:2076
      • C:\Program Files\Mesh Agent\MeshAgent.exe
        "C:\Program Files\Mesh Agent\MeshAgent.exe" -nodeid
        3⤵
        • Executes dropped EXE
        PID:2348
  • C:\Program Files\Mesh Agent\MeshAgent.exe
    "C:\Program Files\Mesh Agent\MeshAgent.exe"
    1⤵
    • Executes dropped EXE
    • Drops file in Program Files directory
    PID:1124
    • C:\Windows\System32\wbem\wmic.exe
      wmic SystemEnclosure get ChassisTypes
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2288
    • C:\Windows\system32\wbem\wmic.exe
      wmic os get oslanguage /FORMAT:LIST
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2236
    • C:\Windows\System32\wbem\wmic.exe
      wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:848
    • C:\Windows\system32\wbem\wmic.exe
      wmic os get oslanguage /FORMAT:LIST
      2⤵
      PID:2308
    • C:\Windows\System32\wbem\wmic.exe
      wmic SystemEnclosure get ChassisTypes
      2⤵
      PID:1652
    • C:\Windows\System32\wbem\wmic.exe
      wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
      2⤵
      PID:1224
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -noprofile -nologo -command -
      2⤵
      • Drops file in Program Files directory
      • Command and Scripting Interpreter: PowerShell
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      PID:1720
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1124 -s 904
      2⤵
      • Loads dropped DLL
      PID:1968
  • C:\Program Files\Mesh Agent\MeshAgent.exe
    "C:\Program Files\Mesh Agent\MeshAgent.exe"
    1⤵
    • Executes dropped EXE
    • Drops file in Program Files directory
    PID:2800
    • C:\Windows\System32\wbem\wmic.exe
      wmic SystemEnclosure get ChassisTypes
      2⤵
      PID:2664
    • C:\Windows\system32\wbem\wmic.exe
      wmic os get oslanguage /FORMAT:LIST
      2⤵
      PID:2824
    • C:\Windows\System32\wbem\wmic.exe
      wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
      2⤵
      PID:2672
    • C:\Windows\System32\wbem\wmic.exe
      wmic SystemEnclosure get ChassisTypes
      2⤵
      • Modifies data under HKEY_USERS
      PID:2780
    • C:\Windows\System32\wbem\wmic.exe
      wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
      2⤵
      PID:2508
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -noprofile -nologo -command -
      2⤵
      • Drops file in Program Files directory
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:1476
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -noprofile -nologo -command -
      2⤵
      • Drops file in Program Files directory
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:2848
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -noprofile -nologo -command -
      2⤵
      • Drops file in Program Files directory
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:2836
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -noprofile -nologo -command -
      2⤵
      • Drops file in Program Files directory
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:316
  • C:\Program Files\TacticalAgent\tacticalrmm.exe
    "C:\Program Files\TacticalAgent\tacticalrmm.exe" -m svc
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    PID:940
    • C:\Program Files\TacticalAgent\tacticalrmm.exe
      "C:\Program Files\TacticalAgent\tacticalrmm.exe" -m checkrunner
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      PID:1464
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass C:\ProgramData\TacticalRMM\3450705539.ps1
        3⤵
        • Drops file in System32 directory
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:648
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass C:\ProgramData\TacticalRMM\293494335.ps1
        3⤵
        • Drops file in System32 directory
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:1288
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass C:\ProgramData\TacticalRMM\2520725424.ps1
        3⤵
        • Drops file in System32 directory
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:1292
        • C:\Windows\system32\net.exe
          "C:\Windows\system32\net.exe" localgroup administrateurs
          4⤵
          PID:692
          • C:\Windows\system32\net1.exe
            C:\Windows\system32\net1 localgroup administrateurs
            5⤵
            PID:1972
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass C:\ProgramData\TacticalRMM\232252661.ps1
        3⤵
        • Drops file in System32 directory
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:2392
    • C:\Program Files\Mesh Agent\MeshAgent.exe
      "C:\Program Files\Mesh Agent\MeshAgent.exe" -nodeid
      2⤵
      • Executes dropped EXE
      PID:2444
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass C:\ProgramData\TacticalRMM\3302390790.ps1
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:2012
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {09C33DE0-98EF-4C96-9A8A-DD2A547AE594} S-1-5-18:NT AUTHORITY\System:Service:
    1⤵
    PID:2056
    • C:\Program Files\TacticalAgent\tacticalrmm.exe
      "C:\Program Files\TacticalAgent\tacticalrmm.exe" -m taskrunner -p 178
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      PID:2176
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass C:\ProgramData\TacticalRMM\166515016.ps1
        3⤵
        • Drops file in Program Files directory
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:2856
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    PID:756

                        Network

                        MITRE ATT&CK Enterprise v15

                        Downloads

                        • C:\Program Files\Mesh Agent\MeshAgent.db

                          Filesize

                          153KB

                          MD5

                          f5693f3b14e9303f89165f84aa015618

                          SHA1

                          94a24dceedaa9eb6022b72a5fdc52e4f3d1930e1

                          SHA256

                          4bc815d57a6d9510935bc8e5208babdb0d4ecb9865a36da22bea1d57c9bcfc4c

                          SHA512

                          09a4351dfb4fedfea693329e91b3fa91ddd49077f8e99ec891a6781fb8d28649e5e06b01528c26774d5b8c055933a62203563e238830d1f79a57d997a59fd44c

                        • C:\Program Files\Mesh Agent\MeshAgent.msh

                          Filesize

                          31KB

                          MD5

                          fa29b23a4355de60c99c928b3bef23e9

                          SHA1

                          6f2e52c5ac74bc7e1ce30f8fdce4e834970140c7

                          SHA256

                          8b2cdff2ffca00e5313a7cc5d20a6165175094a91fc082784c15d495299592b4

                          SHA512

                          d32c1cebc885d5437b983f7850176689966a0d8d4359316bf57dc7f0a44f7ebcd162db2b2b48b98cdb0a5cf72b4b7a8e4725170a55ae964a7b44a8d722e783db

                        • C:\Program Files\TacticalAgent\agent.log

                          Filesize

                          67B

                          MD5

                          3a3ecd85ce4191b1964195e46891676f

                          SHA1

                          1897029a9f7fcc2439962d32e670afb2ee419cdf

                          SHA256

                          9a87d3adebecfa2997184f027e0c9044bee66706235a9c04a023d5c4da4809e6

                          SHA512

                          d8628fb497e99c312dec5f572d26b3e988ac19cd3a7699604ce9fa117326f15506a15f4706821495c4a8c70c42e6a88f2f460535552c3c9a8cae002cc3bb80fc

                        • C:\Program Files\TacticalAgent\meshagent.exe

                          Filesize

                          3.3MB

                          MD5

                          4fa813942c02ac4da3d9e6d6f4e751c1

                          SHA1

                          84f122aaf592472bdda558ba664f234bbb97b3b0

                          SHA256

                          151e24e4ba83a1fa934de96650e10baa9eb7cc9adb85933f6cfe75b9565c0a05

                          SHA512

                          0bd026329b9f0ce9ab43b05947adc70661142c0921f3c0c46d3578470f0ed0ccd7807687fa2f778b23b160fedb060be384d4a41c2c55bfb5044be853db4588ea

                        • C:\ProgramData\TacticalRMM\166515016.ps1

                          Filesize

                          3KB

                          MD5

                          abea410ba93bd4cf652d731bd6095fa1

                          SHA1

                          d91c7a563dddb811f457c81e2574718c17200b0b

                          SHA256

                          1b10cf8b2708a2d7e2eba993b6ac60702b1383d56a406afe320614fd25bea0cc

                          SHA512

                          0951789cf35806957c9dae1e7e649fd7848fe9d9961038d308e0b5b70894ad7631cac8380743c212cd11744f1df5297591896715be1000d3ac2ed210c864b00f

                        • C:\ProgramData\TacticalRMM\232252661.ps1

                          Filesize

                          1022B

                          MD5

                          15670655991673b7ed8b90f6fbde3d01

                          SHA1

                          f7c90c06918193ff0f2abdcfef3e7f71e271ffab

                          SHA256

                          de9f7b64eb42a47248966e3cdc08bfdba3089e8c045a3665dc5d46750325bb38

                          SHA512

                          87da567f7cfe703cb18636137dc28a0f75647bc3981c89eae5ed49b6b7689ba377c692642045975314050020b505b4bdfe295eedaf38d87a92f52b65d4d5dad0

                        • C:\ProgramData\TacticalRMM\2520725424.ps1

                          Filesize

                          640B

                          MD5

                          2188f13182ad9ac69c11f45646e6857b

                          SHA1

                          6045e6be79a31acc22ddff51a8cd0289552acf6c

                          SHA256

                          c98d80919b4c1b1d9872eb0d4d34f00c6711854c4777e091e8696eb203bb549e

                          SHA512

                          168cf85d6cf95f6724396d36e813c5e737f0c823dce07a1f5b4cbad1b06fc94dd84a826ede8e5ed52231cd0de4c04206c7c1914bfa674d29f31cdd2cd5691907

                        • C:\ProgramData\TacticalRMM\293494335.ps1

                          Filesize

                          746B

                          MD5

                          2ea52c938e935d6fa1f8298ff406d8f8

                          SHA1

                          f880c4c28fd9236946ac04f8e7d1d63764ba43b8

                          SHA256

                          a1fcfecd983de65e808a48f2a7c850c2c3915c65577045dba977dc59f3a1eaf1

                          SHA512

                          620b1e421bf9a5b0702c0f2c3d15e7f306277e5185fabb4ed15c58a7e8958aed90b8299f0eb3a935fe0b1161cdeb5a1541c242811bf96602fc1513ef76f80f16

                        • C:\ProgramData\TacticalRMM\3302390790.ps1

                          Filesize

                          35KB

                          MD5

                          e9fb33c49bee675e226d1afeef2740d9

                          SHA1

                          ded4e30152638c4e53db4c3c62a76fe0b69e60ab

                          SHA256

                          44e045ed5350758616d664c5af631e7f2cd10165f5bf2bd82cbf3a0bb8f63462

                          SHA512

                          2661a981d48d58c9ceb1992e55061ce07af0d53b5f38b07de620376e0ea1d876c7e50965e67aee80fe723968bdb956dc7fd93e7923608534c8fb4d21739dbc48

                        • C:\ProgramData\TacticalRMM\3450705539.ps1

                          Filesize

                          5KB

                          MD5

                          82b56a47bead7e23055bf660fd727222

                          SHA1

                          a9d165d048aeca7a91f9f56ffee7acb63c4e0d2f

                          SHA256

                          6d1b661b6040793a76f672c860609e13fda47a6a86ee36692685da6a1ca2082d

                          SHA512

                          bb767adca8335bdaf8a67abf2bcc00a60f51ade4ec5d7187a22ee7e7c6421c8bcc9702f2ed9f4565315b29cd9a7e2ea0e0d783d2f1468ff6a170239d613ea5d9

                        • C:\ProgramData\TacticalRMM\tacticalagent-v2.8.0-windows-amd64.exe

                          Filesize

                          4.3MB

                          MD5

                          2f046950e65922336cd83bf0dbc9de33

                          SHA1

                          ddc64a8b21c8146c93c0b19c1eeb0ef784b980c6

                          SHA256

                          412e1f600251b21911c582e69381f677e663231f5e1d10786d88a026e00ea811

                          SHA512

                          a11cbf8b8b692d2d5a0e3af5a97f91a3d1f3e7aa39966eb7d62b3244b3913f2fdc21823d5c94de0d98e579f801709df44433af91567356361d5d9699a93b2cbc

                        • C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

                          Filesize

                          914B

                          MD5

                          e4a68ac854ac5242460afd72481b2a44

                          SHA1

                          df3c24f9bfd666761b268073fe06d1cc8d4f82a4

                          SHA256

                          cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

                          SHA512

                          5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

                        • C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

                          Filesize

                          70KB

                          MD5

                          49aebf8cbd62d92ac215b2923fb1b9f5

                          SHA1

                          1723be06719828dda65ad804298d0431f6aff976

                          SHA256

                          b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                          SHA512

                          bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                        • C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

                          Filesize

                          1KB

                          MD5

                          a266bb7dcc38a562631361bbf61dd11b

                          SHA1

                          3b1efd3a66ea28b16697394703a72ca340a05bd5

                          SHA256

                          df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

                          SHA512

                          0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

                        • C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

                          Filesize

                          252B

                          MD5

                          1bc94ca4999c1484f581dece0dce0eb2

                          SHA1

                          adc6762b71bf59c2bc7582e9a332b10c697bb316

                          SHA256

                          32c8ffcb29be690c8bc87f6442e13178ca177312a9ad7a0a556933de693c487b

                          SHA512

                          4b339a23baf487402ddcff349882ee411bc5492f0f708168c4a77bb002462f85949a9bad3e5f6b736c13e6868b7b7d5c4a8717ad11f9991f3d7e3f0568588c09

                        • C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                          Filesize

                          342B

                          MD5

                          475856088211b789e304933169060773

                          SHA1

                          10cfd80d76063859c8f976a5b7573af66d4f0f50

                          SHA256

                          8fc86b3147bbb3f3a5241fc0c052575dbd6d1d3cd945733c34072e30feb1329c

                          SHA512

                          abbcf2c7a33154940a0fd6ef1e624b3dd5985f11317bc7bab963db761df7872a801664d63e1592b6611134e2841e7cfed404afbf91970af6aefa5c5e96cdc213

                        • C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

                          Filesize

                          242B

                        • C:\Windows\Temp\Cab9B29.tmp

                          Filesize

                          29KB

                        • C:\Windows\Temp\Tar9C96.tmp

                          Filesize

                          181KB

                        • \Program Files\TacticalAgent\tacticalrmm.exe

                          Filesize

                          9.2MB

                        • \Users\Admin\AppData\Local\Temp\is-E8RGR.tmp\tacticalagent-v2.8.0-windows-amd64.tmp

                          Filesize

                          3.0MB

                        • memory/648-301-0x00000000009E0000-0x00000000009E8000-memory.dmp

                          Filesize

                          32KB

                        • memory/940-288-0x0000000140000000-0x00000001405E8000-memory.dmp

                          Filesize

                          5.9MB

                        • memory/940-289-0x0000000140000000-0x00000001405E8000-memory.dmp

                          Filesize

                          5.9MB

                        • memory/940-144-0x0000000140000000-0x00000001405E8000-memory.dmp

                          Filesize

                          5.9MB

                        • memory/940-145-0x0000000140000000-0x00000001405E8000-memory.dmp

                          Filesize

                          5.9MB

                        • memory/1256-24-0x0000000140000000-0x00000001405E8000-memory.dmp

                          Filesize

                          5.9MB

                        • memory/1288-32-0x0000000140000000-0x00000001405E8000-memory.dmp

                          Filesize

                          5.9MB

                        • memory/1288-111-0x0000000140000000-0x00000001405E8000-memory.dmp

                          Filesize

                          5.9MB

                        • memory/1288-110-0x0000000140000000-0x00000001405E8000-memory.dmp

                          Filesize

                          5.9MB

                        • memory/1288-109-0x0000000140000000-0x00000001405E8000-memory.dmp

                          Filesize

                          5.9MB

                        • memory/1288-108-0x0000000140000000-0x00000001405E8000-memory.dmp

                          Filesize

                          5.9MB

                        • memory/1288-107-0x0000000140000000-0x00000001405E8000-memory.dmp

                          Filesize

                          5.9MB

                        • memory/1288-95-0x0000000140000000-0x00000001405E8000-memory.dmp

                          Filesize

                          5.9MB

                        • memory/1288-94-0x0000000140000000-0x00000001405E8000-memory.dmp

                          Filesize

                          5.9MB

                        • memory/1288-33-0x0000000140000000-0x00000001405E8000-memory.dmp

                          Filesize

                          5.9MB

                        • memory/1292-308-0x00000000009C0000-0x00000000009C8000-memory.dmp

                          Filesize

                          32KB

                        • memory/1476-124-0x0000000001D30000-0x0000000001D38000-memory.dmp

                          Filesize

                          32KB

                        • memory/1476-123-0x000000001B340000-0x000000001B622000-memory.dmp

                          Filesize

                          2.9MB

                        • memory/1720-84-0x0000000000400000-0x0000000000408000-memory.dmp

                          Filesize

                          32KB

                        • memory/1720-83-0x000000001B3F0000-0x000000001B6D2000-memory.dmp

                          Filesize

                          2.9MB

                        • memory/2072-29-0x0000000000400000-0x00000000004D7000-memory.dmp

                          Filesize

                          860KB

                        • memory/2072-7-0x0000000000401000-0x00000000004B7000-memory.dmp

                          Filesize

                          728KB

                        • memory/2072-4-0x0000000000400000-0x00000000004D7000-memory.dmp

                          Filesize

                          860KB

                        • memory/2176-292-0x0000000140000000-0x00000001405E8000-memory.dmp

                          Filesize

                          5.9MB

                        • memory/2176-291-0x0000000140000000-0x00000001405E8000-memory.dmp

                          Filesize

                          5.9MB

                        • memory/2848-28-0x0000000000400000-0x0000000000712000-memory.dmp

                          Filesize

                          3.1MB

                        • memory/2848-14-0x0000000000400000-0x0000000000712000-memory.dmp

                          Filesize

                          3.1MB