meshagent | 6bbdfb603c2f1fa92efe6e09162ff7a8859d31b0547860f59547561ea80c4a8f

Analysis

max time kernel
121s
max time network
145s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-12-2024 19:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-12_72bcc1351d9632429245952663a3e264_frostygoop_hijackloader_luca-stealer_poet-rat_snatch.exe
Size

5.0MB
MD5

72bcc1351d9632429245952663a3e264
SHA1

33a30a436b62f3c34630240b156189324a01ec8e
SHA256

6bbdfb603c2f1fa92efe6e09162ff7a8859d31b0547860f59547561ea80c4a8f
SHA512

4b6698b6ce9615d4a9657d827f9a881a6f20ff899071bacfaad0c0de3002257f9c25727d8a8c46dd8a6055823d0bff0fed2d685e9e920f8215793fcb7d186f75
SSDEEP

49152:jRg0nHs3wQuuhrb/T8vO90d7HjmAFd4A64nsfJoRLvXW4uyRcH5g3ZCNUgxocMC6:I3wQuu81n256dgxtrEn+eDP

Score

10^/10

meshagent tacticalrmm backdoor discovery evasion execution persistence rat trojan

Malware Config

Extracted

Family

meshagent

Version

Botnet

TacticalRMM

http://mesh.rmm.xpertus-service.de:443/agent.ashx

Attributes

mesh_id
0x9AB80AC2C10CC0E60A88AF1959FA7CFA5406C5C075E527EDBA76544D8295DD0A7203B0D6279BE93056216EAE6A484BB3
server_id
62AEF12E4ED2E31BFAE22AF942C5E9BAC419D9BF1B2B4E41B75E0EF6EE6A542634EAC26B2CB1E2E9C1C7905767230610
wss
wss://mesh.rmm.xpertus-service.de:443/agent.ashx

Signatures

Detects MeshAgent payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0004000000004ed7-35.dat	family_meshagent

MeshAgent
MeshAgent is an open source remote access trojan written in C++.
rat trojan backdoor meshagent
Meshagent family
meshagent

Blocklisted process makes network request 4 IoCs

flow	pid	Process
43	3000	powershell.exe
44	3000	powershell.exe
45	3000	powershell.exe
46	3000	powershell.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Mesh Agent\ImagePath = "\"C:\\Program Files\\Mesh Agent\\MeshAgent.exe\" "	meshagent.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 13 IoCs

pid	Process
2560	tacticalagent-v2.8.0-windows-amd64.exe
944	tacticalagent-v2.8.0-windows-amd64.tmp
1996	tacticalrmm.exe
1212	tacticalrmm.exe
2864	meshagent.exe
476	Process not Found
2232	MeshAgent.exe
1336	MeshAgent.exe
2272	MeshAgent.exe
2940	tacticalrmm.exe
1248	Process not Found
1988	MeshAgent.exe
1208	tacticalrmm.exe

Loads dropped DLL 3 IoCs

pid	Process
2560	tacticalagent-v2.8.0-windows-amd64.exe
2608	cmd.exe
1212	tacticalrmm.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	tacticalrmm.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	tacticalrmm.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	tacticalrmm.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	tacticalrmm.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC	tacticalrmm.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC	tacticalrmm.exe

Drops file in Program Files directory 21 IoCs

description	ioc	Process
File created	C:\Program Files\Mesh Agent\MeshAgent.db	MeshAgent.exe
File created	C:\Program Files\Mesh Agent\MeshAgent.msh	MeshAgent.exe
File opened for modification	C:\Program Files\Mesh Agent\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Program Files\Mesh Agent\MeshAgent.db	MeshAgent.exe
File opened for modification	C:\Program Files\TacticalAgent\agent.log	tacticalrmm.exe
File opened for modification	C:\Program Files\TacticalAgent\agent.log	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\unins000.dat	tacticalagent-v2.8.0-windows-amd64.tmp
File opened for modification	C:\Program Files\TacticalAgent\agent.log	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\meshagent.exe	tacticalrmm.exe
File opened for modification	C:\Program Files\Mesh Agent\MeshAgent.db	MeshAgent.exe
File opened for modification	C:\Program Files\Mesh Agent\MeshAgent.db.tmp	MeshAgent.exe
File opened for modification	C:\Program Files\Mesh Agent\MeshAgent.log	MeshAgent.exe
File opened for modification	C:\Program Files\Mesh Agent\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Program Files\Mesh Agent\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Program Files\Mesh Agent\MeshAgent.db.tmp	MeshAgent.exe
File opened for modification	C:\Program Files\Mesh Agent\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Program Files\TacticalAgent\is-OI75L.tmp	tacticalagent-v2.8.0-windows-amd64.tmp
File created	C:\Program Files\TacticalAgent\is-F37VH.tmp	tacticalagent-v2.8.0-windows-amd64.tmp
File opened for modification	C:\Program Files\TacticalAgent\unins000.dat	tacticalagent-v2.8.0-windows-amd64.tmp
File opened for modification	C:\Program Files\TacticalAgent\agent.log	tacticalrmm.exe
File created	C:\Program Files\Mesh Agent\MeshAgent.exe	meshagent.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WindowsUpdate.log	tacticalrmm.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1088	sc.exe
1064	sc.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2924	powershell.exe
1732	powershell.exe
2424	powershell.exe
2560	powershell.exe
3000	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tacticalagent-v2.8.0-windows-amd64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tacticalagent-v2.8.0-windows-amd64.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2924	cmd.exe
2964	PING.EXE
1152	cmd.exe
2268	PING.EXE

Kills process with taskkill 1 IoCs

evasion

pid	Process
2664	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-351 = "FLE Daylight Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-591 = "Malay Peninsula Daylight Time"	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-335 = "Jordan Standard Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-542 = "Myanmar Standard Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-691 = "Tasmania Daylight Time"	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-582 = "North Asia East Standard Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-151 = "Central America Daylight Time"	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time"	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1021 = "Bangladesh Daylight Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-402 = "Arabic Standard Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-104 = "Central Brazilian Daylight Time"	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-932 = "Coordinated Universal Time"	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-552 = "North Asia Standard Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-121 = "SA Pacific Daylight Time"	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-261 = "GMT Daylight Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-621 = "Korea Daylight Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-741 = "New Zealand Daylight Time"	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-661 = "Cen. Australia Daylight Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-751 = "Tonga Daylight Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-842 = "Argentina Standard Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-652 = "AUS Central Standard Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-448 = "Azerbaijan Daylight Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-382 = "South Africa Standard Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-461 = "Afghanistan Daylight Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-251 = "Dateline Daylight Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-981 = "Kamchatka Daylight Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-262 = "GMT Standard Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time"	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	tacticalrmm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	MeshAgent.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-191 = "Mountain Daylight Time"	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time"	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	tacticalrmm.exe

Modifies system certificate store 2 TTPs 10 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	tacticalrmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	tacticalrmm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	tacticalrmm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	tacticalrmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4	tacticalrmm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 0f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec53726187760b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e31d000000010000001000000099949d2179811f6b30a8c99c4f6b42260300000001000000140000002796bae63f1801e277261ba0d77770028f20eee420000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	tacticalrmm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 04000000010000001000000091de0625abdafd32170cbb25172a84670f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec53726187760b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e31d000000010000001000000099949d2179811f6b30a8c99c4f6b42260300000001000000140000002796bae63f1801e277261ba0d77770028f20eee419000000010000001000000063664b080559a094d10f0a3c5f4f629020000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	tacticalrmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	tacticalrmm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	tacticalrmm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 19000000010000001000000063664b080559a094d10f0a3c5f4f62900300000001000000140000002796bae63f1801e277261ba0d77770028f20eee41d000000010000001000000099949d2179811f6b30a8c99c4f6b4226140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e309000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec537261877620000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	tacticalrmm.exe

Runs net.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2268	PING.EXE
2964	PING.EXE

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
1996	tacticalrmm.exe
1212	tacticalrmm.exe
2924	powershell.exe
1732	powershell.exe
1212	tacticalrmm.exe
2424	powershell.exe
2560	powershell.exe
2940	tacticalrmm.exe
2940	tacticalrmm.exe
2940	tacticalrmm.exe
2940	tacticalrmm.exe
2940	tacticalrmm.exe
2940	tacticalrmm.exe
1208	tacticalrmm.exe
3000	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2664	taskkill.exe
Token: SeDebugPrivilege	1996	tacticalrmm.exe
Token: SeDebugPrivilege	1212	tacticalrmm.exe
Token: SeAssignPrimaryTokenPrivilege	1968	wmic.exe
Token: SeIncreaseQuotaPrivilege	1968	wmic.exe
Token: SeSecurityPrivilege	1968	wmic.exe
Token: SeTakeOwnershipPrivilege	1968	wmic.exe
Token: SeLoadDriverPrivilege	1968	wmic.exe
Token: SeSystemtimePrivilege	1968	wmic.exe
Token: SeBackupPrivilege	1968	wmic.exe
Token: SeRestorePrivilege	1968	wmic.exe
Token: SeShutdownPrivilege	1968	wmic.exe
Token: SeSystemEnvironmentPrivilege	1968	wmic.exe
Token: SeUndockPrivilege	1968	wmic.exe
Token: SeManageVolumePrivilege	1968	wmic.exe
Token: SeAssignPrimaryTokenPrivilege	1968	wmic.exe
Token: SeIncreaseQuotaPrivilege	1968	wmic.exe
Token: SeSecurityPrivilege	1968	wmic.exe
Token: SeTakeOwnershipPrivilege	1968	wmic.exe
Token: SeLoadDriverPrivilege	1968	wmic.exe
Token: SeSystemtimePrivilege	1968	wmic.exe
Token: SeBackupPrivilege	1968	wmic.exe
Token: SeRestorePrivilege	1968	wmic.exe
Token: SeShutdownPrivilege	1968	wmic.exe
Token: SeSystemEnvironmentPrivilege	1968	wmic.exe
Token: SeUndockPrivilege	1968	wmic.exe
Token: SeManageVolumePrivilege	1968	wmic.exe
Token: SeAssignPrimaryTokenPrivilege	2024	wmic.exe
Token: SeIncreaseQuotaPrivilege	2024	wmic.exe
Token: SeSecurityPrivilege	2024	wmic.exe
Token: SeTakeOwnershipPrivilege	2024	wmic.exe
Token: SeLoadDriverPrivilege	2024	wmic.exe
Token: SeSystemtimePrivilege	2024	wmic.exe
Token: SeBackupPrivilege	2024	wmic.exe
Token: SeRestorePrivilege	2024	wmic.exe
Token: SeShutdownPrivilege	2024	wmic.exe
Token: SeSystemEnvironmentPrivilege	2024	wmic.exe
Token: SeUndockPrivilege	2024	wmic.exe
Token: SeManageVolumePrivilege	2024	wmic.exe
Token: SeAssignPrimaryTokenPrivilege	2024	wmic.exe
Token: SeIncreaseQuotaPrivilege	2024	wmic.exe
Token: SeSecurityPrivilege	2024	wmic.exe
Token: SeTakeOwnershipPrivilege	2024	wmic.exe
Token: SeLoadDriverPrivilege	2024	wmic.exe
Token: SeSystemtimePrivilege	2024	wmic.exe
Token: SeBackupPrivilege	2024	wmic.exe
Token: SeRestorePrivilege	2024	wmic.exe
Token: SeShutdownPrivilege	2024	wmic.exe
Token: SeSystemEnvironmentPrivilege	2024	wmic.exe
Token: SeUndockPrivilege	2024	wmic.exe
Token: SeManageVolumePrivilege	2024	wmic.exe
Token: SeAssignPrimaryTokenPrivilege	1036	wmic.exe
Token: SeIncreaseQuotaPrivilege	1036	wmic.exe
Token: SeSecurityPrivilege	1036	wmic.exe
Token: SeTakeOwnershipPrivilege	1036	wmic.exe
Token: SeLoadDriverPrivilege	1036	wmic.exe
Token: SeSystemtimePrivilege	1036	wmic.exe
Token: SeBackupPrivilege	1036	wmic.exe
Token: SeRestorePrivilege	1036	wmic.exe
Token: SeShutdownPrivilege	1036	wmic.exe
Token: SeSystemEnvironmentPrivilege	1036	wmic.exe
Token: SeUndockPrivilege	1036	wmic.exe
Token: SeManageVolumePrivilege	1036	wmic.exe
Token: SeAssignPrimaryTokenPrivilege	1036	wmic.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
944	tacticalagent-v2.8.0-windows-amd64.tmp

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 2560	2092	2024-12-12_72bcc1351d9632429245952663a3e264_frostygoop_hijackloader_luca-stealer_poet-rat_snatch.exe	31
PID 2092 wrote to memory of 2560	2092	2024-12-12_72bcc1351d9632429245952663a3e264_frostygoop_hijackloader_luca-stealer_poet-rat_snatch.exe	31
PID 2092 wrote to memory of 2560	2092	2024-12-12_72bcc1351d9632429245952663a3e264_frostygoop_hijackloader_luca-stealer_poet-rat_snatch.exe	31
PID 2092 wrote to memory of 2560	2092	2024-12-12_72bcc1351d9632429245952663a3e264_frostygoop_hijackloader_luca-stealer_poet-rat_snatch.exe	31
PID 2092 wrote to memory of 2560	2092	2024-12-12_72bcc1351d9632429245952663a3e264_frostygoop_hijackloader_luca-stealer_poet-rat_snatch.exe	31
PID 2092 wrote to memory of 2560	2092	2024-12-12_72bcc1351d9632429245952663a3e264_frostygoop_hijackloader_luca-stealer_poet-rat_snatch.exe	31
PID 2092 wrote to memory of 2560	2092	2024-12-12_72bcc1351d9632429245952663a3e264_frostygoop_hijackloader_luca-stealer_poet-rat_snatch.exe	31
PID 2560 wrote to memory of 944	2560	tacticalagent-v2.8.0-windows-amd64.exe	32
PID 2560 wrote to memory of 944	2560	tacticalagent-v2.8.0-windows-amd64.exe	32
PID 2560 wrote to memory of 944	2560	tacticalagent-v2.8.0-windows-amd64.exe	32
PID 2560 wrote to memory of 944	2560	tacticalagent-v2.8.0-windows-amd64.exe	32
PID 2560 wrote to memory of 944	2560	tacticalagent-v2.8.0-windows-amd64.exe	32
PID 2560 wrote to memory of 944	2560	tacticalagent-v2.8.0-windows-amd64.exe	32
PID 2560 wrote to memory of 944	2560	tacticalagent-v2.8.0-windows-amd64.exe	32
PID 944 wrote to memory of 1152	944	tacticalagent-v2.8.0-windows-amd64.tmp	33
PID 944 wrote to memory of 1152	944	tacticalagent-v2.8.0-windows-amd64.tmp	33
PID 944 wrote to memory of 1152	944	tacticalagent-v2.8.0-windows-amd64.tmp	33
PID 944 wrote to memory of 1152	944	tacticalagent-v2.8.0-windows-amd64.tmp	33
PID 1152 wrote to memory of 2268	1152	cmd.exe	35
PID 1152 wrote to memory of 2268	1152	cmd.exe	35
PID 1152 wrote to memory of 2268	1152	cmd.exe	35
PID 1152 wrote to memory of 2268	1152	cmd.exe	35
PID 1152 wrote to memory of 2484	1152	cmd.exe	36
PID 1152 wrote to memory of 2484	1152	cmd.exe	36
PID 1152 wrote to memory of 2484	1152	cmd.exe	36
PID 1152 wrote to memory of 2484	1152	cmd.exe	36
PID 2484 wrote to memory of 2892	2484	net.exe	37
PID 2484 wrote to memory of 2892	2484	net.exe	37
PID 2484 wrote to memory of 2892	2484	net.exe	37
PID 2484 wrote to memory of 2892	2484	net.exe	37
PID 944 wrote to memory of 2908	944	tacticalagent-v2.8.0-windows-amd64.tmp	38
PID 944 wrote to memory of 2908	944	tacticalagent-v2.8.0-windows-amd64.tmp	38
PID 944 wrote to memory of 2908	944	tacticalagent-v2.8.0-windows-amd64.tmp	38
PID 944 wrote to memory of 2908	944	tacticalagent-v2.8.0-windows-amd64.tmp	38
PID 2908 wrote to memory of 3036	2908	cmd.exe	40
PID 2908 wrote to memory of 3036	2908	cmd.exe	40
PID 2908 wrote to memory of 3036	2908	cmd.exe	40
PID 2908 wrote to memory of 3036	2908	cmd.exe	40
PID 3036 wrote to memory of 2772	3036	net.exe	41
PID 3036 wrote to memory of 2772	3036	net.exe	41
PID 3036 wrote to memory of 2772	3036	net.exe	41
PID 3036 wrote to memory of 2772	3036	net.exe	41
PID 944 wrote to memory of 2924	944	tacticalagent-v2.8.0-windows-amd64.tmp	42
PID 944 wrote to memory of 2924	944	tacticalagent-v2.8.0-windows-amd64.tmp	42
PID 944 wrote to memory of 2924	944	tacticalagent-v2.8.0-windows-amd64.tmp	42
PID 944 wrote to memory of 2924	944	tacticalagent-v2.8.0-windows-amd64.tmp	42
PID 2924 wrote to memory of 2964	2924	cmd.exe	45
PID 2924 wrote to memory of 2964	2924	cmd.exe	45
PID 2924 wrote to memory of 2964	2924	cmd.exe	45
PID 2924 wrote to memory of 2964	2924	cmd.exe	45
PID 2924 wrote to memory of 2732	2924	cmd.exe	46
PID 2924 wrote to memory of 2732	2924	cmd.exe	46
PID 2924 wrote to memory of 2732	2924	cmd.exe	46
PID 2924 wrote to memory of 2732	2924	cmd.exe	46
PID 2732 wrote to memory of 1940	2732	net.exe	47
PID 2732 wrote to memory of 1940	2732	net.exe	47
PID 2732 wrote to memory of 1940	2732	net.exe	47
PID 2732 wrote to memory of 1940	2732	net.exe	47
PID 944 wrote to memory of 2624	944	tacticalagent-v2.8.0-windows-amd64.tmp	48
PID 944 wrote to memory of 2624	944	tacticalagent-v2.8.0-windows-amd64.tmp	48
PID 944 wrote to memory of 2624	944	tacticalagent-v2.8.0-windows-amd64.tmp	48
PID 944 wrote to memory of 2624	944	tacticalagent-v2.8.0-windows-amd64.tmp	48
PID 2624 wrote to memory of 2664	2624	cmd.exe	50
PID 2624 wrote to memory of 2664	2624	cmd.exe	50

C:\Users\Admin\AppData\Local\Temp\2024-12-12_72bcc1351d9632429245952663a3e264_frostygoop_hijackloader_luca-stealer_poet-rat_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-12_72bcc1351d9632429245952663a3e264_frostygoop_hijackloader_luca-stealer_poet-rat_snatch.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2092
- C:\ProgramData\TacticalRMM\tacticalagent-v2.8.0-windows-amd64.exe
  C:\ProgramData\TacticalRMM\tacticalagent-v2.8.0-windows-amd64.exe /VERYSILENT /SUPPRESSMSGBOXES
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2560
- - C:\Users\Admin\AppData\Local\Temp\is-S666E.tmp\tacticalagent-v2.8.0-windows-amd64.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-S666E.tmp\tacticalagent-v2.8.0-windows-amd64.tmp" /SL5="$90194,3660179,825344,C:\ProgramData\TacticalRMM\tacticalagent-v2.8.0-windows-amd64.exe" /VERYSILENT /SUPPRESSMSGBOXES
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:944
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c ping 127.0.0.1 -n 2 && net stop tacticalrpc
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Suspicious use of WriteProcessMemory
      PID:1152
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2268
    - - C:\Windows\SysWOW64\net.exe
        
        net stop tacticalrpc
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2484
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop tacticalrpc
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2892
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c net stop tacticalagent
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2908
    - - C:\Windows\SysWOW64\net.exe
        
        net stop tacticalagent
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3036
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop tacticalagent
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2772
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c ping 127.0.0.1 -n 2 && net stop tacticalrmm
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Suspicious use of WriteProcessMemory
      PID:2924
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2964
    - - C:\Windows\SysWOW64\net.exe
        
        net stop tacticalrmm
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2732
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop tacticalrmm
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1940
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c taskkill /F /IM tacticalrmm.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2624
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM tacticalrmm.exe
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2664
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c sc delete tacticalagent
      4⤵
      System Location Discovery: System Language Discovery
      PID:664
    - - C:\Windows\SysWOW64\sc.exe
        
        sc delete tacticalagent
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:1088
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c sc delete tacticalrpc
      4⤵
      System Location Discovery: System Language Discovery
      PID:876
    - - C:\Windows\SysWOW64\sc.exe
        
        sc delete tacticalrpc
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:1064
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c tacticalrmm.exe -m installsvc
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2608
    - - C:\Program Files\TacticalAgent\tacticalrmm.exe
        
        tacticalrmm.exe -m installsvc
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1996
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c net start tacticalrmm
      4⤵
      System Location Discovery: System Language Discovery
      PID:1992
    - - C:\Windows\SysWOW64\net.exe
        
        net start tacticalrmm
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2144
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start tacticalrmm
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1964
- C:\Program Files\TacticalAgent\tacticalrmm.exe
  "C:\Program Files\TacticalAgent\tacticalrmm.exe" -m install --api https://api.rmm.xpertus-service.de --client-id 6 --site-id 42 --agent-type workstation --auth c1d5d1062117beabc5ccad17e8385b7a52dbee34a02f6c9ef622508e880c6108
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1212
- - C:\Program Files\TacticalAgent\meshagent.exe
    "C:\Program Files\TacticalAgent\meshagent.exe" -fullinstall
    3⤵
    - Sets service image path in registry
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:2864
- - C:\Program Files\Mesh Agent\MeshAgent.exe
    "C:\Program Files\Mesh Agent\MeshAgent.exe" -nodeid
    3⤵
    - Executes dropped EXE
    PID:1336

C:\Program Files\Mesh Agent\MeshAgent.exe
"C:\Program Files\Mesh Agent\MeshAgent.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2232
- C:\Windows\System32\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1968
- C:\Windows\system32\wbem\wmic.exe
  wmic os get oslanguage /FORMAT:LIST
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2024
- C:\Windows\System32\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1036
- C:\Windows\system32\wbem\wmic.exe
  wmic os get oslanguage /FORMAT:LIST
  2⤵
  PID:576

C:\Program Files\Mesh Agent\MeshAgent.exe
"C:\Program Files\Mesh Agent\MeshAgent.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:2272
- C:\Windows\System32\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  PID:2492
- C:\Windows\system32\wbem\wmic.exe
  wmic os get oslanguage /FORMAT:LIST
  2⤵
  PID:3064
- C:\Windows\System32\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  PID:1908
- C:\Windows\System32\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  PID:2268
- C:\Windows\System32\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  PID:3036
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -noprofile -nologo -command -
  2⤵
  - Drops file in Program Files directory
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2924
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -noprofile -nologo -command -
  2⤵
  - Drops file in Program Files directory
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1732
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -noprofile -nologo -command -
  2⤵
  - Drops file in Program Files directory
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2424
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -noprofile -nologo -command -
  2⤵
  - Drops file in Program Files directory
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2560

C:\Program Files\TacticalAgent\tacticalrmm.exe
"C:\Program Files\TacticalAgent\tacticalrmm.exe" -m svc
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:2940
- C:\Program Files\Mesh Agent\MeshAgent.exe
  "C:\Program Files\Mesh Agent\MeshAgent.exe" -nodeid
  2⤵
  - Executes dropped EXE
  PID:1988
- C:\Program Files\TacticalAgent\tacticalrmm.exe
  "C:\Program Files\TacticalAgent\tacticalrmm.exe" -m checkrunner
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:1208
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass C:\ProgramData\TacticalRMM\1172211764.ps1
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Mesh Agent\MeshAgent.db

Filesize
153KB

MD5
05e1a6704cabe3a018e19739aa14bd53

SHA1
f8f51d07a8a6dd4167f732f36edda558043406b3

SHA256
1e513361dd2d1ad7d22f04ade5aab4dbc63437be78fba3f0327a02245935eab5

SHA512
b263f502cefe8b9367a29c78c0a3a3bd829cc4102f31cf6cf1734bc3f292db9e90ee264f6df77ebd957f96c909d68f59073d17ec9ea26b1bbf32034be62c0587

Download Submit
C:\Program Files\Mesh Agent\MeshAgent.msh

Filesize
31KB

MD5
cf53faccb3535cba0246959c8f475c30

SHA1
20652cd5732f0302ea93c40497e3cdba196257cb

SHA256
1f137661d66923315cd23063ad29fd01d8d8b87c32a53a9be2894077332d05ed

SHA512
6072d0dd63cbe31201abe20d2517734d48c26a9d3c9686713fc4d729c89ddbb6c02d25cc6b4a42461b8321f4fc379fc4ac600ee9c4f646aa228c1ae19bbcad35

Download Submit
C:\Program Files\TacticalAgent\agent.log

Filesize
67B

MD5
e9b63939a5a8389b4d55af416eade609

SHA1
c4beb1dc15bd320a00e8afe9cff393ab2380ddb4

SHA256
d842aa223113657ba66a0603348bc75db569b6771a88c26a02aaaf2d69e6c806

SHA512
252f2fb2ed99e5c31f4b79a6c8ad30fc86a0b3c695f22bc004d5a86e27138fe886662d514a9f995cbdbeaa16aeca3f36e3b3cb8131c4dee4b2361c5534f482b6

Download Submit
C:\ProgramData\TacticalRMM\1172211764.ps1

Filesize
35KB

MD5
e9fb33c49bee675e226d1afeef2740d9

SHA1
ded4e30152638c4e53db4c3c62a76fe0b69e60ab

SHA256
44e045ed5350758616d664c5af631e7f2cd10165f5bf2bd82cbf3a0bb8f63462

SHA512
2661a981d48d58c9ceb1992e55061ce07af0d53b5f38b07de620376e0ea1d876c7e50965e67aee80fe723968bdb956dc7fd93e7923608534c8fb4d21739dbc48

Download Submit
C:\ProgramData\TacticalRMM\tacticalagent-v2.8.0-windows-amd64.exe

Filesize
4.3MB

MD5
2f046950e65922336cd83bf0dbc9de33

SHA1
ddc64a8b21c8146c93c0b19c1eeb0ef784b980c6

SHA256
412e1f600251b21911c582e69381f677e663231f5e1d10786d88a026e00ea811

SHA512
a11cbf8b8b692d2d5a0e3af5a97f91a3d1f3e7aa39966eb7d62b3244b3913f2fdc21823d5c94de0d98e579f801709df44433af91567356361d5d9699a93b2cbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-S666E.tmp\tacticalagent-v2.8.0-windows-amd64.tmp

Filesize
3.0MB

MD5
a639312111d278fee4f70299c134d620

SHA1
6144ca6e18a5444cdb9b633a6efee67aff931115

SHA256
4b0be5167a31a77e28e3f0a7c83c9d289845075b51e70691236603b1083649df

SHA512
f47f01d072ff9ed42f5b36600ddfc344a6a4b967c1b671ffc0e76531e360bfd55a1a9950305ad33f7460f3f5dd8953e317b108cd434f2db02987fa018d57437c

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
ea6bdd085a910ceedc9c046d1e030852

SHA1
e145044fb07b7e63c016def2a14f9f8ebf2204dc

SHA256
d4522ccbbf0cbbca0fdb4d6ad1fe762a36f4919abcd072ce173f062ec350ac04

SHA512
416784343e5d433d40a23821ad361eb24ce6cbda1aaed1cdb87bdfcad0baa2b272ff7119b0e4ef5e2d9f030b8b4f6effb6577b31ecd270bd0c676c6c3b0d278c

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3f17b8fd45e907c21e37a8bda22f99a6

SHA1
a9df49cdaea33008395ad5ade205cdca96052b2f

SHA256
3fc79da049149a04ffa3d6e1d9aa0aa168b2adc556be86c28ba45d6827947c1c

SHA512
83185cc13f9d36dc80448ed9714e2f23be03dbe111fe493afb0aff7225affa79f3b55cba55be308dace39facd0dcb70daebcfad09e13bbe4d57eff1fdc9a1405

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
f9d0316f90be5ca9abbd02967b30d2c0

SHA1
b11738e8fbf8149e53b386affd4cec9fce92a35f

SHA256
2c32f7df585e8074415a68eb4c22bb6f8df838b076fcf94e57b6a4ffec81ee97

SHA512
91de3bb8c69534e865a093da84ee62e7d3c3a2c78c06508c55bb8babb686364fd9946b1618c7ec7a9138ae4020d22247e68c5de33888d5d2c23590a4987c01d9

Download Submit
C:\Windows\Temp\Cab59F5.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\Tar5B43.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Program Files\TacticalAgent\meshagent.exe

Filesize
3.3MB

MD5
49274d5c7cd9c475e108746a6a0fea98

SHA1
e68a826e9e7f51c89a7fd664bf78bcc276546fe6

SHA256
c85f8bf714d197d985679d43dde65fa18d330d76afbeb9979a47c8045d648219

SHA512
94111b24577bcdac47d3e4edb525989f21ebda6238fbfe3d59e5f5f265d5922b8c233a125577f8e0a734938c470e62b7d2429a6304862c9c09f75a1df5f68aba

Download Submit
\Program Files\TacticalAgent\tacticalrmm.exe

Filesize
9.2MB

MD5
bb383b7c3d5e4acb1001ab099b5b0f3c

SHA1
cb0c85f84a454aa4b1aab02bfba47c4355c2311e

SHA256
a6d3159c858aa3704f35d69b27829618ad0d1bae894c848a5233100c17464f95

SHA512
157dda96d1cacea55a6be27b9d432225b47d7334e664e577cef82a14c7eb1be1b8b84423b3905a4c1caecb5394be264d9b5c3e32109a4893e51a9d406ce740be

Download Submit
memory/944-14-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/944-28-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/1212-32-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1212-145-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1212-33-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1212-70-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1212-124-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1212-125-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1212-126-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1212-127-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1212-128-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1212-130-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1212-129-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1212-71-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1212-74-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1212-75-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1212-144-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1732-121-0x0000000001D10000-0x0000000001D18000-memory.dmp

Filesize
32KB

Download
memory/1732-120-0x000000001B2B0000-0x000000001B592000-memory.dmp

Filesize
2.9MB

Download
memory/1996-24-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1996-25-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2560-4-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/2560-7-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/2560-29-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/2924-112-0x00000000024C0000-0x00000000024C8000-memory.dmp

Filesize
32KB

Download
memory/2924-111-0x000000001B290000-0x000000001B572000-memory.dmp

Filesize
2.9MB

Download
memory/2940-287-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2940-289-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2940-288-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2940-284-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2940-419-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2940-141-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2940-142-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download