Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
135s -
max time network
147s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
18/01/2025, 00:53
Static task
static1
Behavioral task
behavioral1
Sample
2025-01-18_8c39f7b61f6b3cff72cd07c1dd90fbad_frostygoop_hijackloader_luca-stealer_poet-rat_snatch.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
2025-01-18_8c39f7b61f6b3cff72cd07c1dd90fbad_frostygoop_hijackloader_luca-stealer_poet-rat_snatch.exe
Resource
win10v2004-20241007-en
General
-
Target
2025-01-18_8c39f7b61f6b3cff72cd07c1dd90fbad_frostygoop_hijackloader_luca-stealer_poet-rat_snatch.exe
-
Size
5.0MB
-
MD5
8c39f7b61f6b3cff72cd07c1dd90fbad
-
SHA1
4b1e80bb562ceab0dab23601e4159c861d32331e
-
SHA256
adf8dd8a9c80862cfc7bea25e10111d38b7d5c3cc1f10acc60bcfaa4a7db8290
-
SHA512
47723b7bff41cd690374aa3e168cf10e1f2310250db4a507698397cfc4da4c8312e72041adca48190027ea0dcf1480d82922167e1d37513747fec36dd21568fe
-
SSDEEP
49152:Kkk1lQkvWuVMrb/TcvO90d7HjmAFd4A64nsfJW5B270PGUJ+GSZ05UU4SVaDs1CW:tkvWuVrfz+ZUfVaA6El+erV
Malware Config
Extracted
meshagent
2
TacticalRMM
http://mesh.ztn.app:443/agent.ashx
-
mesh_id
0x1AC5A427D36E6A21D10128F481F9AC5A8DA677889ACD69D474A4B30819BCBFF7B979A19A780A3C6E50E3CD3AE57878ED
-
server_id
58BA8120DEF0E4E89076972F82774D385B0F397F68F98E8BF0EF8B2C63F080982D35511B9CE190622EC6A4316C9AF531
-
wss
wss://mesh.ztn.app:443/agent.ashx
Signatures
-
Detects MeshAgent payload 1 IoCs
resource yara_rule behavioral1/files/0x0032000000018bf3-35.dat family_meshagent -
Meshagent family
-
Blocklisted process makes network request 4 IoCs
flow pid Process 44 2756 powershell.exe 45 2756 powershell.exe 46 2756 powershell.exe 47 2756 powershell.exe -
Sets service image path in registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Mesh Agent\ImagePath = "\"C:\\Program Files\\Mesh Agent\\MeshAgent.exe\" " meshagent.exe -
Executes dropped EXE 12 IoCs
pid Process 2976 tacticalagent-v2.8.0-windows-amd64.exe 2732 tacticalagent-v2.8.0-windows-amd64.tmp 2620 tacticalrmm.exe 2384 tacticalrmm.exe 2436 meshagent.exe 472 Process not Found 1976 MeshAgent.exe 340 MeshAgent.exe 1352 tacticalrmm.exe 1260 Process not Found 2616 tacticalrmm.exe 1128 MeshAgent.exe -
Loads dropped DLL 3 IoCs
pid Process 2976 tacticalagent-v2.8.0-windows-amd64.exe 1492 cmd.exe 2384 tacticalrmm.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory 6 IoCs
description ioc Process File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC tacticalrmm.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC tacticalrmm.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 tacticalrmm.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 tacticalrmm.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357 tacticalrmm.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357 tacticalrmm.exe -
Drops file in Program Files directory 20 IoCs
description ioc Process File created C:\Program Files\TacticalAgent\is-L32PH.tmp tacticalagent-v2.8.0-windows-amd64.tmp File created C:\Program Files\TacticalAgent\meshagent.exe tacticalrmm.exe File created C:\Program Files\Mesh Agent\MeshAgent.db.tmp MeshAgent.exe File opened for modification C:\Program Files\Mesh Agent\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Program Files\Mesh Agent\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Program Files\Mesh Agent\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Program Files\TacticalAgent\unins000.dat tacticalagent-v2.8.0-windows-amd64.tmp File created C:\Program Files\Mesh Agent\MeshAgent.exe meshagent.exe File opened for modification C:\Program Files\Mesh Agent\MeshAgent.db MeshAgent.exe File opened for modification C:\Program Files\Mesh Agent\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File created C:\Program Files\TacticalAgent\is-GVN4B.tmp tacticalagent-v2.8.0-windows-amd64.tmp File opened for modification C:\Program Files\TacticalAgent\agent.log tacticalrmm.exe File created C:\Program Files\Mesh Agent\MeshAgent.db MeshAgent.exe File opened for modification C:\Program Files\Mesh Agent\MeshAgent.log MeshAgent.exe File opened for modification C:\Program Files\TacticalAgent\agent.log tacticalrmm.exe File created C:\Program Files\TacticalAgent\unins000.dat tacticalagent-v2.8.0-windows-amd64.tmp File opened for modification C:\Program Files\TacticalAgent\agent.log tacticalrmm.exe File opened for modification C:\Program Files\Mesh Agent\MeshAgent.db.tmp MeshAgent.exe File created C:\Program Files\Mesh Agent\MeshAgent.msh MeshAgent.exe File opened for modification C:\Program Files\TacticalAgent\agent.log tacticalrmm.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\WindowsUpdate.log tacticalrmm.exe -
Launches sc.exe 2 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 2188 sc.exe 2648 sc.exe -
pid Process 1612 powershell.exe 2564 powershell.exe 2596 powershell.exe 2756 powershell.exe 2424 powershell.exe -
System Location Discovery: System Language Discovery 1 TTPs 23 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tacticalagent-v2.8.0-windows-amd64.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tacticalagent-v2.8.0-windows-amd64.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 2580 cmd.exe 2688 PING.EXE 3060 cmd.exe 2184 PING.EXE -
Kills process with taskkill 1 IoCs
pid Process 1980 taskkill.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-172 = "Central Standard Time (Mexico)" tacticalrmm.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-891 = "Morocco Daylight Time" tacticalrmm.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-591 = "Malay Peninsula Daylight Time" tacticalrmm.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" tacticalrmm.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-272 = "Greenwich Standard Time" tacticalrmm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust tacticalrmm.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" tacticalrmm.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" tacticalrmm.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" tacticalrmm.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-42 = "E. South America Standard Time" tacticalrmm.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-471 = "Ekaterinburg Daylight Time" tacticalrmm.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-92 = "Pacific SA Standard Time" tacticalrmm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs tacticalrmm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs tacticalrmm.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-512 = "Central Asia Standard Time" tacticalrmm.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1411 = "Syria Daylight Time" tacticalrmm.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-132 = "US Eastern Standard Time" tacticalrmm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs tacticalrmm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates tacticalrmm.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time" tacticalrmm.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" tacticalrmm.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" tacticalrmm.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" tacticalrmm.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-491 = "India Daylight Time" tacticalrmm.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-502 = "Nepal Standard Time" tacticalrmm.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-962 = "Paraguay Standard Time" tacticalrmm.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" tacticalrmm.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-492 = "India Standard Time" tacticalrmm.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-422 = "Russian Standard Time" tacticalrmm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates tacticalrmm.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" tacticalrmm.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" tacticalrmm.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-361 = "GTB Daylight Time" tacticalrmm.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-541 = "Myanmar Daylight Time" tacticalrmm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs tacticalrmm.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" tacticalrmm.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-81 = "Atlantic Daylight Time" tacticalrmm.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-791 = "SA Western Daylight Time" tacticalrmm.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" tacticalrmm.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" tacticalrmm.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time" tacticalrmm.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time" tacticalrmm.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" tacticalrmm.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" tacticalrmm.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-32 = "Mid-Atlantic Standard Time" tacticalrmm.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" tacticalrmm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA tacticalrmm.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" tacticalrmm.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 tacticalrmm.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-982 = "Kamchatka Standard Time" tacticalrmm.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time" tacticalrmm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs tacticalrmm.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-671 = "AUS Eastern Daylight Time" tacticalrmm.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-412 = "E. Africa Standard Time" tacticalrmm.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time" tacticalrmm.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time" tacticalrmm.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" tacticalrmm.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" tacticalrmm.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" MeshAgent.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-11 = "Azores Daylight Time" tacticalrmm.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-681 = "E. Australia Daylight Time" tacticalrmm.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-112 = "Eastern Standard Time" tacticalrmm.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" tacticalrmm.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" tacticalrmm.exe -
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 19000000010000001000000063664b080559a094d10f0a3c5f4f62900f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec53726187760b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e31d000000010000001000000099949d2179811f6b30a8c99c4f6b42260300000001000000140000002796bae63f1801e277261ba0d77770028f20eee404000000010000001000000091de0625abdafd32170cbb25172a846720000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f tacticalrmm.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e tacticalrmm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 tacticalrmm.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e tacticalrmm.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e tacticalrmm.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 04000000010000001000000091de0625abdafd32170cbb25172a84670300000001000000140000002796bae63f1801e277261ba0d77770028f20eee41d000000010000001000000099949d2179811f6b30a8c99c4f6b4226140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e309000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec537261877620000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f tacticalrmm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 tacticalrmm.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 tacticalrmm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4 tacticalrmm.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 0f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec53726187760b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e31d000000010000001000000099949d2179811f6b30a8c99c4f6b42260300000001000000140000002796bae63f1801e277261ba0d77770028f20eee420000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f tacticalrmm.exe -
Runs net.exe
-
Runs ping.exe 1 TTPs 2 IoCs
pid Process 2688 PING.EXE 2184 PING.EXE -
Suspicious behavior: EnumeratesProcesses 15 IoCs
pid Process 2620 tacticalrmm.exe 2384 tacticalrmm.exe 2424 powershell.exe 1612 powershell.exe 2564 powershell.exe 2596 powershell.exe 2384 tacticalrmm.exe 1352 tacticalrmm.exe 1352 tacticalrmm.exe 1352 tacticalrmm.exe 1352 tacticalrmm.exe 1352 tacticalrmm.exe 1352 tacticalrmm.exe 2616 tacticalrmm.exe 2756 powershell.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 1980 taskkill.exe Token: SeDebugPrivilege 2620 tacticalrmm.exe Token: SeDebugPrivilege 2384 tacticalrmm.exe Token: SeAssignPrimaryTokenPrivilege 1628 wmic.exe Token: SeIncreaseQuotaPrivilege 1628 wmic.exe Token: SeSecurityPrivilege 1628 wmic.exe Token: SeTakeOwnershipPrivilege 1628 wmic.exe Token: SeLoadDriverPrivilege 1628 wmic.exe Token: SeSystemtimePrivilege 1628 wmic.exe Token: SeBackupPrivilege 1628 wmic.exe Token: SeRestorePrivilege 1628 wmic.exe Token: SeShutdownPrivilege 1628 wmic.exe Token: SeSystemEnvironmentPrivilege 1628 wmic.exe Token: SeUndockPrivilege 1628 wmic.exe Token: SeManageVolumePrivilege 1628 wmic.exe Token: SeAssignPrimaryTokenPrivilege 1628 wmic.exe Token: SeIncreaseQuotaPrivilege 1628 wmic.exe Token: SeSecurityPrivilege 1628 wmic.exe Token: SeTakeOwnershipPrivilege 1628 wmic.exe Token: SeLoadDriverPrivilege 1628 wmic.exe Token: SeSystemtimePrivilege 1628 wmic.exe Token: SeBackupPrivilege 1628 wmic.exe Token: SeRestorePrivilege 1628 wmic.exe Token: SeShutdownPrivilege 1628 wmic.exe Token: SeSystemEnvironmentPrivilege 1628 wmic.exe Token: SeUndockPrivilege 1628 wmic.exe Token: SeManageVolumePrivilege 1628 wmic.exe Token: SeAssignPrimaryTokenPrivilege 524 wmic.exe Token: SeIncreaseQuotaPrivilege 524 wmic.exe Token: SeSecurityPrivilege 524 wmic.exe Token: SeTakeOwnershipPrivilege 524 wmic.exe Token: SeLoadDriverPrivilege 524 wmic.exe Token: SeSystemtimePrivilege 524 wmic.exe Token: SeBackupPrivilege 524 wmic.exe Token: SeRestorePrivilege 524 wmic.exe Token: SeShutdownPrivilege 524 wmic.exe Token: SeSystemEnvironmentPrivilege 524 wmic.exe Token: SeUndockPrivilege 524 wmic.exe Token: SeManageVolumePrivilege 524 wmic.exe Token: SeAssignPrimaryTokenPrivilege 524 wmic.exe Token: SeIncreaseQuotaPrivilege 524 wmic.exe Token: SeSecurityPrivilege 524 wmic.exe Token: SeTakeOwnershipPrivilege 524 wmic.exe Token: SeLoadDriverPrivilege 524 wmic.exe Token: SeSystemtimePrivilege 524 wmic.exe Token: SeBackupPrivilege 524 wmic.exe Token: SeRestorePrivilege 524 wmic.exe Token: SeShutdownPrivilege 524 wmic.exe Token: SeSystemEnvironmentPrivilege 524 wmic.exe Token: SeUndockPrivilege 524 wmic.exe Token: SeManageVolumePrivilege 524 wmic.exe Token: SeAssignPrimaryTokenPrivilege 1988 wmic.exe Token: SeIncreaseQuotaPrivilege 1988 wmic.exe Token: SeSecurityPrivilege 1988 wmic.exe Token: SeTakeOwnershipPrivilege 1988 wmic.exe Token: SeLoadDriverPrivilege 1988 wmic.exe Token: SeSystemtimePrivilege 1988 wmic.exe Token: SeBackupPrivilege 1988 wmic.exe Token: SeRestorePrivilege 1988 wmic.exe Token: SeShutdownPrivilege 1988 wmic.exe Token: SeSystemEnvironmentPrivilege 1988 wmic.exe Token: SeUndockPrivilege 1988 wmic.exe Token: SeManageVolumePrivilege 1988 wmic.exe Token: SeAssignPrimaryTokenPrivilege 1988 wmic.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2732 tacticalagent-v2.8.0-windows-amd64.tmp -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2692 wrote to memory of 2976 2692 2025-01-18_8c39f7b61f6b3cff72cd07c1dd90fbad_frostygoop_hijackloader_luca-stealer_poet-rat_snatch.exe 31 PID 2692 wrote to memory of 2976 2692 2025-01-18_8c39f7b61f6b3cff72cd07c1dd90fbad_frostygoop_hijackloader_luca-stealer_poet-rat_snatch.exe 31 PID 2692 wrote to memory of 2976 2692 2025-01-18_8c39f7b61f6b3cff72cd07c1dd90fbad_frostygoop_hijackloader_luca-stealer_poet-rat_snatch.exe 31 PID 2692 wrote to memory of 2976 2692 2025-01-18_8c39f7b61f6b3cff72cd07c1dd90fbad_frostygoop_hijackloader_luca-stealer_poet-rat_snatch.exe 31 PID 2692 wrote to memory of 2976 2692 2025-01-18_8c39f7b61f6b3cff72cd07c1dd90fbad_frostygoop_hijackloader_luca-stealer_poet-rat_snatch.exe 31 PID 2692 wrote to memory of 2976 2692 2025-01-18_8c39f7b61f6b3cff72cd07c1dd90fbad_frostygoop_hijackloader_luca-stealer_poet-rat_snatch.exe 31 PID 2692 wrote to memory of 2976 2692 2025-01-18_8c39f7b61f6b3cff72cd07c1dd90fbad_frostygoop_hijackloader_luca-stealer_poet-rat_snatch.exe 31 PID 2976 wrote to memory of 2732 2976 tacticalagent-v2.8.0-windows-amd64.exe 32 PID 2976 wrote to memory of 2732 2976 tacticalagent-v2.8.0-windows-amd64.exe 32 PID 2976 wrote to memory of 2732 2976 tacticalagent-v2.8.0-windows-amd64.exe 32 PID 2976 wrote to memory of 2732 2976 tacticalagent-v2.8.0-windows-amd64.exe 32 PID 2976 wrote to memory of 2732 2976 tacticalagent-v2.8.0-windows-amd64.exe 32 PID 2976 wrote to memory of 2732 2976 tacticalagent-v2.8.0-windows-amd64.exe 32 PID 2976 wrote to memory of 2732 2976 tacticalagent-v2.8.0-windows-amd64.exe 32 PID 2732 wrote to memory of 2580 2732 tacticalagent-v2.8.0-windows-amd64.tmp 33 PID 2732 wrote to memory of 2580 2732 tacticalagent-v2.8.0-windows-amd64.tmp 33 PID 2732 wrote to memory of 2580 2732 tacticalagent-v2.8.0-windows-amd64.tmp 33 PID 2732 wrote to memory of 2580 2732 tacticalagent-v2.8.0-windows-amd64.tmp 33 PID 2580 wrote to memory of 2688 2580 cmd.exe 35 PID 2580 wrote to memory of 2688 2580 cmd.exe 35 PID 2580 wrote to memory of 2688 2580 cmd.exe 35 PID 2580 wrote to memory of 2688 2580 cmd.exe 35 PID 2580 wrote to memory of 2556 2580 cmd.exe 36 PID 2580 wrote to memory of 2556 2580 cmd.exe 36 PID 2580 wrote to memory of 2556 2580 cmd.exe 36 PID 2580 wrote to memory of 2556 2580 cmd.exe 36 PID 2556 wrote to memory of 2564 2556 net.exe 37 PID 2556 wrote to memory of 2564 2556 net.exe 37 PID 2556 wrote to memory of 2564 2556 net.exe 37 PID 2556 wrote to memory of 2564 2556 net.exe 37 PID 2732 wrote to memory of 2572 2732 tacticalagent-v2.8.0-windows-amd64.tmp 38 PID 2732 wrote to memory of 2572 2732 tacticalagent-v2.8.0-windows-amd64.tmp 38 PID 2732 wrote to memory of 2572 2732 tacticalagent-v2.8.0-windows-amd64.tmp 38 PID 2732 wrote to memory of 2572 2732 tacticalagent-v2.8.0-windows-amd64.tmp 38 PID 2572 wrote to memory of 2672 2572 cmd.exe 40 PID 2572 wrote to memory of 2672 2572 cmd.exe 40 PID 2572 wrote to memory of 2672 2572 cmd.exe 40 PID 2572 wrote to memory of 2672 2572 cmd.exe 40 PID 2672 wrote to memory of 3064 2672 net.exe 41 PID 2672 wrote to memory of 3064 2672 net.exe 41 PID 2672 wrote to memory of 3064 2672 net.exe 41 PID 2672 wrote to memory of 3064 2672 net.exe 41 PID 2732 wrote to memory of 3060 2732 tacticalagent-v2.8.0-windows-amd64.tmp 42 PID 2732 wrote to memory of 3060 2732 tacticalagent-v2.8.0-windows-amd64.tmp 42 PID 2732 wrote to memory of 3060 2732 tacticalagent-v2.8.0-windows-amd64.tmp 42 PID 2732 wrote to memory of 3060 2732 tacticalagent-v2.8.0-windows-amd64.tmp 42 PID 3060 wrote to memory of 2184 3060 cmd.exe 44 PID 3060 wrote to memory of 2184 3060 cmd.exe 44 PID 3060 wrote to memory of 2184 3060 cmd.exe 44 PID 3060 wrote to memory of 2184 3060 cmd.exe 44 PID 3060 wrote to memory of 1204 3060 cmd.exe 45 PID 3060 wrote to memory of 1204 3060 cmd.exe 45 PID 3060 wrote to memory of 1204 3060 cmd.exe 45 PID 3060 wrote to memory of 1204 3060 cmd.exe 45 PID 1204 wrote to memory of 1592 1204 net.exe 46 PID 1204 wrote to memory of 1592 1204 net.exe 46 PID 1204 wrote to memory of 1592 1204 net.exe 46 PID 1204 wrote to memory of 1592 1204 net.exe 46 PID 2732 wrote to memory of 2924 2732 tacticalagent-v2.8.0-windows-amd64.tmp 47 PID 2732 wrote to memory of 2924 2732 tacticalagent-v2.8.0-windows-amd64.tmp 47 PID 2732 wrote to memory of 2924 2732 tacticalagent-v2.8.0-windows-amd64.tmp 47 PID 2732 wrote to memory of 2924 2732 tacticalagent-v2.8.0-windows-amd64.tmp 47 PID 2924 wrote to memory of 1980 2924 cmd.exe 49 PID 2924 wrote to memory of 1980 2924 cmd.exe 49
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-01-18_8c39f7b61f6b3cff72cd07c1dd90fbad_frostygoop_hijackloader_luca-stealer_poet-rat_snatch.exe"C:\Users\Admin\AppData\Local\Temp\2025-01-18_8c39f7b61f6b3cff72cd07c1dd90fbad_frostygoop_hijackloader_luca-stealer_poet-rat_snatch.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\ProgramData\TacticalRMM\tacticalagent-v2.8.0-windows-amd64.exeC:\ProgramData\TacticalRMM\tacticalagent-v2.8.0-windows-amd64.exe /VERYSILENT /SUPPRESSMSGBOXES2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Users\Admin\AppData\Local\Temp\is-FS67U.tmp\tacticalagent-v2.8.0-windows-amd64.tmp"C:\Users\Admin\AppData\Local\Temp\is-FS67U.tmp\tacticalagent-v2.8.0-windows-amd64.tmp" /SL5="$70196,3660179,825344,C:\ProgramData\TacticalRMM\tacticalagent-v2.8.0-windows-amd64.exe" /VERYSILENT /SUPPRESSMSGBOXES3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c ping 127.0.0.1 -n 2 && net stop tacticalrpc4⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 25⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2688
-
-
C:\Windows\SysWOW64\net.exenet stop tacticalrpc5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop tacticalrpc6⤵
- System Location Discovery: System Language Discovery
PID:2564
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c net stop tacticalagent4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2572 -
C:\Windows\SysWOW64\net.exenet stop tacticalagent5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop tacticalagent6⤵
- System Location Discovery: System Language Discovery
PID:3064
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c ping 127.0.0.1 -n 2 && net stop tacticalrmm4⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:3060 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 25⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2184
-
-
C:\Windows\SysWOW64\net.exenet stop tacticalrmm5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1204 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop tacticalrmm6⤵
- System Location Discovery: System Language Discovery
PID:1592
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c taskkill /F /IM tacticalrmm.exe4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2924 -
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM tacticalrmm.exe5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1980
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c sc delete tacticalagent4⤵
- System Location Discovery: System Language Discovery
PID:792 -
C:\Windows\SysWOW64\sc.exesc delete tacticalagent5⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:2188
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c sc delete tacticalrpc4⤵
- System Location Discovery: System Language Discovery
PID:2252 -
C:\Windows\SysWOW64\sc.exesc delete tacticalrpc5⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:2648
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c tacticalrmm.exe -m installsvc4⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1492 -
C:\Program Files\TacticalAgent\tacticalrmm.exetacticalrmm.exe -m installsvc5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2620
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c net start tacticalrmm4⤵
- System Location Discovery: System Language Discovery
PID:832 -
C:\Windows\SysWOW64\net.exenet start tacticalrmm5⤵
- System Location Discovery: System Language Discovery
PID:2376 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start tacticalrmm6⤵
- System Location Discovery: System Language Discovery
PID:2440
-
-
-
-
-
-
C:\Program Files\TacticalAgent\tacticalrmm.exe"C:\Program Files\TacticalAgent\tacticalrmm.exe" -m install --api https://api.ztn.app --client-id 14 --site-id 37 --agent-type workstation --auth c52763ea5e8516c687c06875af1bd779e47c159661b3df56cdcc3c1a649244f42⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2384 -
C:\Program Files\TacticalAgent\meshagent.exe"C:\Program Files\TacticalAgent\meshagent.exe" -fullinstall3⤵
- Sets service image path in registry
- Executes dropped EXE
- Drops file in Program Files directory
PID:2436
-
-
C:\Program Files\Mesh Agent\MeshAgent.exe"C:\Program Files\Mesh Agent\MeshAgent.exe" -nodeid3⤵
- Executes dropped EXE
PID:340
-
-
-
C:\Program Files\Mesh Agent\MeshAgent.exe"C:\Program Files\Mesh Agent\MeshAgent.exe"1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:1976 -
C:\Windows\System32\wbem\wmic.exewmic SystemEnclosure get ChassisTypes2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1628
-
-
C:\Windows\system32\wbem\wmic.exewmic os get oslanguage /FORMAT:LIST2⤵
- Suspicious use of AdjustPrivilegeToken
PID:524
-
-
C:\Windows\System32\wbem\wmic.exewmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1988
-
-
C:\Windows\system32\wbem\wmic.exewmic os get oslanguage /FORMAT:LIST2⤵PID:1984
-
-
C:\Windows\System32\wbem\wmic.exewmic SystemEnclosure get ChassisTypes2⤵PID:1400
-
-
C:\Windows\System32\wbem\wmic.exewmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"2⤵PID:2512
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -noprofile -nologo -command -2⤵
- Drops file in Program Files directory
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2424
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -noprofile -nologo -command -2⤵
- Drops file in Program Files directory
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1612
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -noprofile -nologo -command -2⤵
- Drops file in Program Files directory
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2564
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -noprofile -nologo -command -2⤵
- Drops file in Program Files directory
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2596
-
-
C:\Program Files\TacticalAgent\tacticalrmm.exe"C:\Program Files\TacticalAgent\tacticalrmm.exe" -m svc1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:1352 -
C:\Program Files\TacticalAgent\tacticalrmm.exe"C:\Program Files\TacticalAgent\tacticalrmm.exe" -m checkrunner2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2616
-
-
C:\Program Files\Mesh Agent\MeshAgent.exe"C:\Program Files\Mesh Agent\MeshAgent.exe" -nodeid2⤵
- Executes dropped EXE
PID:1128
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass C:\ProgramData\TacticalRMM\1113272193.ps12⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2756
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1System Services
1Service Execution
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Impair Defenses
1Modify Registry
2Subvert Trust Controls
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
153KB
MD594fb8df669c293b03fd021c1fd0f9c7d
SHA14a4b65e1b6ddc0eb3a6d46bfba37e0ed3b83f2c3
SHA256e37ab29c8807ab7a1db4cfe50ef4e91e7dc81ce7f5d32cb62acceb7af6bfcaeb
SHA5124a969a57094594d1f45edcca648bd375ac1d76b98c17df3fa7d36c968eb1cce92b3636a9b8ffbbcc47d5dcbbcbfe38a5c430591f137dcc60768f01d879a57784
-
Filesize
35KB
MD588ae4467c04ac1dfd17db617d794d186
SHA1c5c3b638160e5b908c3843c5623fe6b5249bfb46
SHA256c193414a9a1d13af83e6f1c0572c3f3f41f2afa6bdebaec2e32cd8cb320e0393
SHA5129a6ba1fd6ba3645c57787aa8d354d6d2fdef7e0fc51dbd55b9897f73d769b71661e1ebb06cb29988657ed1b11fa546f079e055a8c27db01b3f6d431203317bff
-
Filesize
67B
MD5ef96c4f08a695a18c73a2fe123ebda6d
SHA125bdc58ef2f5aa83adfa99dbe36550fed1059311
SHA256dab700c8e4e2c954eef4098ca1757425f4d9d7bb0cd87266c2ec2e55dd5d9c96
SHA51259b425b00f329b664d7cb4f3bffff67b5a7622085303bbb95a37fe516895555747efc8bc9e172772f1bbe623a563d9d25f9bdfb589140383cc73a5e4e821fa51
-
Filesize
35KB
MD5e9fb33c49bee675e226d1afeef2740d9
SHA1ded4e30152638c4e53db4c3c62a76fe0b69e60ab
SHA25644e045ed5350758616d664c5af631e7f2cd10165f5bf2bd82cbf3a0bb8f63462
SHA5122661a981d48d58c9ceb1992e55061ce07af0d53b5f38b07de620376e0ea1d876c7e50965e67aee80fe723968bdb956dc7fd93e7923608534c8fb4d21739dbc48
-
Filesize
4.3MB
MD52f046950e65922336cd83bf0dbc9de33
SHA1ddc64a8b21c8146c93c0b19c1eeb0ef784b980c6
SHA256412e1f600251b21911c582e69381f677e663231f5e1d10786d88a026e00ea811
SHA512a11cbf8b8b692d2d5a0e3af5a97f91a3d1f3e7aa39966eb7d62b3244b3913f2fdc21823d5c94de0d98e579f801709df44433af91567356361d5d9699a93b2cbc
-
Filesize
3.0MB
MD5a639312111d278fee4f70299c134d620
SHA16144ca6e18a5444cdb9b633a6efee67aff931115
SHA2564b0be5167a31a77e28e3f0a7c83c9d289845075b51e70691236603b1083649df
SHA512f47f01d072ff9ed42f5b36600ddfc344a6a4b967c1b671ffc0e76531e360bfd55a1a9950305ad33f7460f3f5dd8953e317b108cd434f2db02987fa018d57437c
-
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC
Filesize914B
MD5e4a68ac854ac5242460afd72481b2a44
SHA1df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA5125622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5
-
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize1KB
MD5a266bb7dcc38a562631361bbf61dd11b
SHA13b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA5120da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc
-
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
Filesize252B
MD5496debaf7a97ecebb424b2acabd0466d
SHA19b7fc565dcc9db28104996a26a414ef4935ce51f
SHA2567d0c310911b241b3cc845283f395a4c50d07a727956cc26eb89c999bd48cb6ae
SHA512ae6dc2a29c6cffe9b81da53ab28121a994e20b5907d8103414724238391a8e9e56f2228510a7499b5998f74d4dea5f8016ef6c61fa199c25fa942efc46f7890d
-
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD513769bddad69aa70dfb8ad9c89d6b75c
SHA16ac5ba67d1f685f415a2a2e4d4adbecd1c739864
SHA2561e631d49cccb47e30a2a956815432c7807b8308c804c84e00868e37d6b688325
SHA512074c98cc1f6c1afd7d6f60cfa3738344bf502aec9e3427be5f3496c015fd81c318867e2081393fe509238fe75a89596c9db79f2c5dd68fc9e3baf667299d6d71
-
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize242B
MD5a4199933e32f2eca1ef55379c830e6c2
SHA1d07fca7b332ac6d977400c4cd1e8212a61468d5b
SHA25620c6b86272a2c2452693b20e4d7e45b7d16c6b0b635f5d7f7943bd4829db9532
SHA51208c82bd3c5fe7294103433d065a407391e62d86ae9f107bb610693551244134dd551f1c9558b05a9db4f38de81528e84e0fd5958acba06fe11991bac03200f3a
-
Filesize
29KB
MD5d59a6b36c5a94916241a3ead50222b6f
SHA1e274e9486d318c383bc4b9812844ba56f0cff3c6
SHA256a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53
SHA51217012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
3.3MB
MD5e5d7d294c417575310a4472580a16257
SHA166be889ae2caeb288e81b4693087a38d7af14a03
SHA256fd0cf4ace405f05f67784eea2dc9dada61d6ba16ff94165d9a9865c1b4745dbb
SHA512c4dcb8b24592843e51ba9cd74ea0874a8aafeba255dad34d94399683f2fd56858388e39255c478a981ba5537ebf7e54000a4ea4ab862289efc0eab9de2683fc6
-
Filesize
9.2MB
MD5bb383b7c3d5e4acb1001ab099b5b0f3c
SHA1cb0c85f84a454aa4b1aab02bfba47c4355c2311e
SHA256a6d3159c858aa3704f35d69b27829618ad0d1bae894c848a5233100c17464f95
SHA512157dda96d1cacea55a6be27b9d432225b47d7334e664e577cef82a14c7eb1be1b8b84423b3905a4c1caecb5394be264d9b5c3e32109a4893e51a9d406ce740be