meshagent | bb9d02d32e235b6c7453298f73cfd26fa89c5d0bbcd7a819d092835d4d038774

Analysis

max time kernel
105s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20/01/2025, 02:03 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-20_0e3dbb7d5032353cb14865e83fb9960c_frostygoop_hijackloader_luca-stealer_poet-rat_snatch.exe
Size

5.0MB
MD5

0e3dbb7d5032353cb14865e83fb9960c
SHA1

e1382b357b797f3083f75b9c8242dcd349b88533
SHA256

bb9d02d32e235b6c7453298f73cfd26fa89c5d0bbcd7a819d092835d4d038774
SHA512

08b31d0f53e81ac2bd26456a02e61f8330ebe42f15019d1a052c4c0250477b67eae35026c91b81e39e1c42c8810341f60f5bfa806a23f343d40ce6a1bddf6de2
SSDEEP

49152:Dkk1lQkvWuVMrb/TcvO90d7HjmAFd4A64nsfJW5B270PGUJ+GSZ05UU4SVaDs1CW:okvWuVrfz+ZUfVaA6El+ert

Score

10^/10

meshagent tacticalrmm backdoor discovery evasion execution persistence rat trojan

Malware Config

Extracted

Family

meshagent

Version

Botnet

TacticalRMM

http://mesh.ztn.app:443/agent.ashx

Attributes

mesh_id
0x1AC5A427D36E6A21D10128F481F9AC5A8DA677889ACD69D474A4B30819BCBFF7B979A19A780A3C6E50E3CD3AE57878ED
server_id
58BA8120DEF0E4E89076972F82774D385B0F397F68F98E8BF0EF8B2C63F080982D35511B9CE190622EC6A4316C9AF531
wss
wss://mesh.ztn.app:443/agent.ashx

Signatures

Detects MeshAgent payload 1 IoCs

resource	yara_rule
behavioral2/files/0x000b000000023b54-29.dat	family_meshagent

MeshAgent
MeshAgent is an open source remote access trojan written in C++.
rat trojan backdoor meshagent
Meshagent family
meshagent

Blocklisted process makes network request 2 IoCs

flow	pid	Process
82	4472	powershell.exe
86	4472	powershell.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Mesh Agent\ImagePath = "\"C:\\Program Files\\Mesh Agent\\MeshAgent.exe\" "	meshagent.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 13 IoCs

pid	Process
4408	tacticalagent-v2.8.0-windows-amd64.exe
1060	tacticalagent-v2.8.0-windows-amd64.tmp
4464	tacticalrmm.exe
856	tacticalrmm.exe
4584	meshagent.exe
3468	MeshAgent.exe
4272	MeshAgent.exe
4396	tacticalrmm.exe
5004	tacticalrmm.exe
516	python.exe
3932	python.exe
1568	MeshAgent.exe
4760	choco.exe

Loads dropped DLL 18 IoCs

pid	Process
516	python.exe
516	python.exe
516	python.exe
516	python.exe
516	python.exe
516	python.exe
516	python.exe
516	python.exe
516	python.exe
3932	python.exe
3932	python.exe
3932	python.exe
3932	python.exe
3932	python.exe
3932	python.exe
3932	python.exe
3932	python.exe
3932	python.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\2621FC2CA8553984514C8F80A8DE1540E70C8167	tacticalrmm.exe
File opened for modification	C:\Windows\System32\MeshService64.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\crypt32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\advapi32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\DLL\kernel32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\kernelbase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\ncrypt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\ntasn1.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\kernelbase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\DLL\iphlpapi.pdb	MeshAgent.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\E3661B53BC62BFA1A18D62B018D3B380BAF33645	MeshAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	tacticalrmm.exe
File opened for modification	C:\Windows\System32\symbols\dll\Kernel.Appcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\rpcrt4.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\msvcrt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\msvcp_win.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\ws2_32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\dbghelp.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\shell32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\gdi32full.pdb	MeshAgent.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\7C2C2A72E3899779FADB1E93605A688E8CD35D81	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\rpcrt4.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\crypt32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\user32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dbghelp.pdb	MeshAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\E3661B53BC62BFA1A18D62B018D3B380BAF33645	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\gdi32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\sechost.pdb	MeshAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\2621FC2CA8553984514C8F80A8DE1540E70C8167	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\ucrtbase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\shcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\gdiplus.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\ncrypt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\rpcrt4.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\win32u.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\bcryptprimitives.pdb	MeshAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\System32\symbols\dll\ntdll.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\ucrtbase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\combase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys	MeshAgent.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\System32\symbols\dll\advapi32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\DLL\dbgcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\comctl32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\comctl32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\msvcrt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\ws2_32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\ole32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\shcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\bcryptprimitives.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\kernelbase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\advapi32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\DLL\iphlpapi.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\ncrypt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\System32\dll\ntdll.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\shell32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\ole32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\DLL\bcrypt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\bcryptprimitives.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\gdiplus.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dbgcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\shell32.pdb	MeshAgent.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\charset_normalizer-3.3.2.dist-info\RECORD	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\cryptography-42.0.8.dist-info\WHEEL	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pip\_internal\operations\__init__.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pythonwin\pywin\debugger\dbgcon.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pythonwin\pywin\framework\cmdline.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\Cryptodome\Cipher\PKCS1_OAEP.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\httpcore\_async\http_proxy.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\win32com\client\util.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pip\_internal\resolution\resolvelib\base.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pip\_internal\vcs\__init__.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pip\_vendor\rich\abc.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pkg_resources\_vendor\backports\__init__.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pythonwin\pywin\Demos\sliderdemo.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\sniffio\_tests\__init__.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\urllib3\contrib\emscripten\emscripten_fetch_worker.js	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\win32comext\axscript\client\pyscript_rexec.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\win32comext\bits\test\test_bits.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\Cryptodome\Cipher\ChaCha20_Poly1305.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pip\_vendor\pygments\formatters\__init__.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\win32com\test\testPippo.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\cryptography\hazmat\backends\openssl\aead.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\cryptography\hazmat\primitives\asymmetric\x448.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pip\_vendor\certifi\__main__.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pkg_resources\_vendor\platformdirs\unix.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pythonwin\pywin\tools\regedit.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\validators\_extremes.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\win32\scripts\killProcName.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\Cryptodome\Hash\SHA224.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pip\_internal\commands\freeze.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\websockets\client.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\win32comext\directsound\directsound.pyd	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\Cryptodome\Util\_strxor.pyd	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pkg_resources\__init__.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\psutil\_pswindows.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\win32comext\axscript\Demos\client\asp\caps.asp	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\psutil\_pssunos.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\cryptography-42.0.8.dist-info\LICENSE	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\msgpack\ext.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\cryptography\hazmat\bindings\_rust.pyd	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\httpx\_models.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pip\_internal\commands\install.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pysnmp\proto\__init__.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\anyio-4.4.0.dist-info\top_level.txt	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\Cryptodome\Cipher\_raw_cast.pyd	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pkg_resources\_vendor\platformdirs\py.typed	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pythonwin\pywin\idle\PyParse.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pywin32_ctypes-0.2.2.dist-info\WHEEL	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\urllib3\exceptions.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\cryptography\hazmat\bindings\_rust\openssl\poly1305.pyi	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pip\_vendor\tenacity\tornadoweb.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pip\_vendor\webencodings\labels.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\win32\win32api.pyd	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\win32com\include\PythonCOMServer.h	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\cryptography\hazmat\primitives\poly1305.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\setuptools\command\__init__.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\urllib3\util\url.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\win32\Demos\GetSaveFileName.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\win32com\makegw\__init__.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\cryptography\hazmat\bindings\_rust\pkcs7.pyi	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pythonwin\pywin\Demos\fontdemo.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\urllib3\util\proxy.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\win32\Demos\security\setnamedsecurityinfo.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\Cryptodome\Signature\eddsa.pyi	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\Cryptodome\Util\_file_system.pyi	tacticalrmm.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4816	sc.exe
2892	sc.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1180	powershell.exe
3688	powershell.exe
3400	powershell.exe
2444	powershell.exe
4472	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tacticalagent-v2.8.0-windows-amd64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tacticalagent-v2.8.0-windows-amd64.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2628	PING.EXE
3932	cmd.exe
2060	PING.EXE
1676	cmd.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
1836	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-932 = "Coordinated Universal Time"	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-172 = "Central Standard Time (Mexico)"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-132 = "US Eastern Standard Time"	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2181 = "Astrakhan Daylight Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-682 = "E. Australia Standard Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-212 = "Pacific Standard Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-122 = "SA Pacific Standard Time"	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-411 = "E. Africa Daylight Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-562 = "SE Asia Standard Time"	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1471 = "Magadan Daylight Time"	tacticalrmm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-331 = "E. Europe Daylight Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-632 = "Tokyo Standard Time"	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-431 = "Iran Daylight Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-791 = "SA Western Daylight Time"	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-171 = "Central Daylight Time (Mexico)"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2891 = "Sudan Daylight Time"	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1502 = "Turkey Standard Time"	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2182 = "Astrakhan Standard Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-151 = "Central America Daylight Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2371 = "Easter Island Daylight Time"	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-221 = "Alaskan Daylight Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2941 = "Sao Tome Daylight Time"	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-462 = "Afghanistan Standard Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2372 = "Easter Island Standard Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-202 = "US Mountain Standard Time"	tacticalrmm.exe

Modifies system certificate store 2 TTPs 14 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	tacticalrmm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800001900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	tacticalrmm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	2025-01-20_0e3dbb7d5032353cb14865e83fb9960c_frostygoop_hijackloader_luca-stealer_poet-rat_snatch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	2025-01-20_0e3dbb7d5032353cb14865e83fb9960c_frostygoop_hijackloader_luca-stealer_poet-rat_snatch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	tacticalrmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4	tacticalrmm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	tacticalrmm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 5c00000001000000040000000008000019000000010000001000000063664b080559a094d10f0a3c5f4f62900300000001000000140000002796bae63f1801e277261ba0d77770028f20eee41d000000010000001000000099949d2179811f6b30a8c99c4f6b4226140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e3620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae409000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec537261877604000000010000001000000091de0625abdafd32170cbb25172a846720000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	tacticalrmm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	tacticalrmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	2025-01-20_0e3dbb7d5032353cb14865e83fb9960c_frostygoop_hijackloader_luca-stealer_poet-rat_snatch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	tacticalrmm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	tacticalrmm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	tacticalrmm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 04000000010000001000000091de0625abdafd32170cbb25172a84670f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec53726187760b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b06010505070301620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae4140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e31d000000010000001000000099949d2179811f6b30a8c99c4f6b42260300000001000000140000002796bae63f1801e277261ba0d77770028f20eee419000000010000001000000063664b080559a094d10f0a3c5f4f629020000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	tacticalrmm.exe

Runs net.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2628	PING.EXE
2060	PING.EXE

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
4464	tacticalrmm.exe
856	tacticalrmm.exe
1180	powershell.exe
1180	powershell.exe
3688	powershell.exe
3688	powershell.exe
3400	powershell.exe
3400	powershell.exe
2444	powershell.exe
2444	powershell.exe
856	tacticalrmm.exe
856	tacticalrmm.exe
4396	tacticalrmm.exe
4396	tacticalrmm.exe
4396	tacticalrmm.exe
5004	tacticalrmm.exe
4396	tacticalrmm.exe
4396	tacticalrmm.exe
4472	powershell.exe
4472	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1836	taskkill.exe
Token: SeDebugPrivilege	4464	tacticalrmm.exe
Token: SeDebugPrivilege	856	tacticalrmm.exe
Token: SeAssignPrimaryTokenPrivilege	4896	wmic.exe
Token: SeIncreaseQuotaPrivilege	4896	wmic.exe
Token: SeSecurityPrivilege	4896	wmic.exe
Token: SeTakeOwnershipPrivilege	4896	wmic.exe
Token: SeLoadDriverPrivilege	4896	wmic.exe
Token: SeSystemtimePrivilege	4896	wmic.exe
Token: SeBackupPrivilege	4896	wmic.exe
Token: SeRestorePrivilege	4896	wmic.exe
Token: SeShutdownPrivilege	4896	wmic.exe
Token: SeSystemEnvironmentPrivilege	4896	wmic.exe
Token: SeUndockPrivilege	4896	wmic.exe
Token: SeManageVolumePrivilege	4896	wmic.exe
Token: SeAssignPrimaryTokenPrivilege	4896	wmic.exe
Token: SeIncreaseQuotaPrivilege	4896	wmic.exe
Token: SeSecurityPrivilege	4896	wmic.exe
Token: SeTakeOwnershipPrivilege	4896	wmic.exe
Token: SeLoadDriverPrivilege	4896	wmic.exe
Token: SeSystemtimePrivilege	4896	wmic.exe
Token: SeBackupPrivilege	4896	wmic.exe
Token: SeRestorePrivilege	4896	wmic.exe
Token: SeShutdownPrivilege	4896	wmic.exe
Token: SeSystemEnvironmentPrivilege	4896	wmic.exe
Token: SeUndockPrivilege	4896	wmic.exe
Token: SeManageVolumePrivilege	4896	wmic.exe
Token: SeAssignPrimaryTokenPrivilege	1592	wmic.exe
Token: SeIncreaseQuotaPrivilege	1592	wmic.exe
Token: SeSecurityPrivilege	1592	wmic.exe
Token: SeTakeOwnershipPrivilege	1592	wmic.exe
Token: SeLoadDriverPrivilege	1592	wmic.exe
Token: SeSystemtimePrivilege	1592	wmic.exe
Token: SeBackupPrivilege	1592	wmic.exe
Token: SeRestorePrivilege	1592	wmic.exe
Token: SeShutdownPrivilege	1592	wmic.exe
Token: SeSystemEnvironmentPrivilege	1592	wmic.exe
Token: SeUndockPrivilege	1592	wmic.exe
Token: SeManageVolumePrivilege	1592	wmic.exe
Token: SeAssignPrimaryTokenPrivilege	1592	wmic.exe
Token: SeIncreaseQuotaPrivilege	1592	wmic.exe
Token: SeSecurityPrivilege	1592	wmic.exe
Token: SeTakeOwnershipPrivilege	1592	wmic.exe
Token: SeLoadDriverPrivilege	1592	wmic.exe
Token: SeSystemtimePrivilege	1592	wmic.exe
Token: SeBackupPrivilege	1592	wmic.exe
Token: SeRestorePrivilege	1592	wmic.exe
Token: SeShutdownPrivilege	1592	wmic.exe
Token: SeSystemEnvironmentPrivilege	1592	wmic.exe
Token: SeUndockPrivilege	1592	wmic.exe
Token: SeManageVolumePrivilege	1592	wmic.exe
Token: SeAssignPrimaryTokenPrivilege	4036	wmic.exe
Token: SeIncreaseQuotaPrivilege	4036	wmic.exe
Token: SeSecurityPrivilege	4036	wmic.exe
Token: SeTakeOwnershipPrivilege	4036	wmic.exe
Token: SeLoadDriverPrivilege	4036	wmic.exe
Token: SeSystemtimePrivilege	4036	wmic.exe
Token: SeBackupPrivilege	4036	wmic.exe
Token: SeRestorePrivilege	4036	wmic.exe
Token: SeShutdownPrivilege	4036	wmic.exe
Token: SeSystemEnvironmentPrivilege	4036	wmic.exe
Token: SeUndockPrivilege	4036	wmic.exe
Token: SeManageVolumePrivilege	4036	wmic.exe
Token: SeAssignPrimaryTokenPrivilege	4036	wmic.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1060	tacticalagent-v2.8.0-windows-amd64.tmp

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4588 wrote to memory of 4408	4588	2025-01-20_0e3dbb7d5032353cb14865e83fb9960c_frostygoop_hijackloader_luca-stealer_poet-rat_snatch.exe	83
PID 4588 wrote to memory of 4408	4588	2025-01-20_0e3dbb7d5032353cb14865e83fb9960c_frostygoop_hijackloader_luca-stealer_poet-rat_snatch.exe	83
PID 4588 wrote to memory of 4408	4588	2025-01-20_0e3dbb7d5032353cb14865e83fb9960c_frostygoop_hijackloader_luca-stealer_poet-rat_snatch.exe	83
PID 4408 wrote to memory of 1060	4408	tacticalagent-v2.8.0-windows-amd64.exe	84
PID 4408 wrote to memory of 1060	4408	tacticalagent-v2.8.0-windows-amd64.exe	84
PID 4408 wrote to memory of 1060	4408	tacticalagent-v2.8.0-windows-amd64.exe	84
PID 1060 wrote to memory of 1676	1060	tacticalagent-v2.8.0-windows-amd64.tmp	85
PID 1060 wrote to memory of 1676	1060	tacticalagent-v2.8.0-windows-amd64.tmp	85
PID 1060 wrote to memory of 1676	1060	tacticalagent-v2.8.0-windows-amd64.tmp	85
PID 1676 wrote to memory of 2628	1676	cmd.exe	87
PID 1676 wrote to memory of 2628	1676	cmd.exe	87
PID 1676 wrote to memory of 2628	1676	cmd.exe	87
PID 1676 wrote to memory of 2800	1676	cmd.exe	88
PID 1676 wrote to memory of 2800	1676	cmd.exe	88
PID 1676 wrote to memory of 2800	1676	cmd.exe	88
PID 2800 wrote to memory of 4188	2800	net.exe	89
PID 2800 wrote to memory of 4188	2800	net.exe	89
PID 2800 wrote to memory of 4188	2800	net.exe	89
PID 1060 wrote to memory of 516	1060	tacticalagent-v2.8.0-windows-amd64.tmp	90
PID 1060 wrote to memory of 516	1060	tacticalagent-v2.8.0-windows-amd64.tmp	90
PID 1060 wrote to memory of 516	1060	tacticalagent-v2.8.0-windows-amd64.tmp	90
PID 516 wrote to memory of 1672	516	cmd.exe	92
PID 516 wrote to memory of 1672	516	cmd.exe	92
PID 516 wrote to memory of 1672	516	cmd.exe	92
PID 1672 wrote to memory of 3124	1672	net.exe	93
PID 1672 wrote to memory of 3124	1672	net.exe	93
PID 1672 wrote to memory of 3124	1672	net.exe	93
PID 1060 wrote to memory of 3932	1060	tacticalagent-v2.8.0-windows-amd64.tmp	94
PID 1060 wrote to memory of 3932	1060	tacticalagent-v2.8.0-windows-amd64.tmp	94
PID 1060 wrote to memory of 3932	1060	tacticalagent-v2.8.0-windows-amd64.tmp	94
PID 3932 wrote to memory of 2060	3932	cmd.exe	96
PID 3932 wrote to memory of 2060	3932	cmd.exe	96
PID 3932 wrote to memory of 2060	3932	cmd.exe	96
PID 3932 wrote to memory of 2216	3932	cmd.exe	97
PID 3932 wrote to memory of 2216	3932	cmd.exe	97
PID 3932 wrote to memory of 2216	3932	cmd.exe	97
PID 2216 wrote to memory of 3836	2216	net.exe	98
PID 2216 wrote to memory of 3836	2216	net.exe	98
PID 2216 wrote to memory of 3836	2216	net.exe	98
PID 1060 wrote to memory of 3984	1060	tacticalagent-v2.8.0-windows-amd64.tmp	99
PID 1060 wrote to memory of 3984	1060	tacticalagent-v2.8.0-windows-amd64.tmp	99
PID 1060 wrote to memory of 3984	1060	tacticalagent-v2.8.0-windows-amd64.tmp	99
PID 3984 wrote to memory of 1836	3984	cmd.exe	101
PID 3984 wrote to memory of 1836	3984	cmd.exe	101
PID 3984 wrote to memory of 1836	3984	cmd.exe	101
PID 1060 wrote to memory of 1840	1060	tacticalagent-v2.8.0-windows-amd64.tmp	103
PID 1060 wrote to memory of 1840	1060	tacticalagent-v2.8.0-windows-amd64.tmp	103
PID 1060 wrote to memory of 1840	1060	tacticalagent-v2.8.0-windows-amd64.tmp	103
PID 1840 wrote to memory of 4816	1840	cmd.exe	105
PID 1840 wrote to memory of 4816	1840	cmd.exe	105
PID 1840 wrote to memory of 4816	1840	cmd.exe	105
PID 1060 wrote to memory of 1264	1060	tacticalagent-v2.8.0-windows-amd64.tmp	106
PID 1060 wrote to memory of 1264	1060	tacticalagent-v2.8.0-windows-amd64.tmp	106
PID 1060 wrote to memory of 1264	1060	tacticalagent-v2.8.0-windows-amd64.tmp	106
PID 1264 wrote to memory of 2892	1264	cmd.exe	108
PID 1264 wrote to memory of 2892	1264	cmd.exe	108
PID 1264 wrote to memory of 2892	1264	cmd.exe	108
PID 1060 wrote to memory of 4412	1060	tacticalagent-v2.8.0-windows-amd64.tmp	109
PID 1060 wrote to memory of 4412	1060	tacticalagent-v2.8.0-windows-amd64.tmp	109
PID 1060 wrote to memory of 4412	1060	tacticalagent-v2.8.0-windows-amd64.tmp	109
PID 4412 wrote to memory of 4464	4412	cmd.exe	111
PID 4412 wrote to memory of 4464	4412	cmd.exe	111
PID 1060 wrote to memory of 2212	1060	tacticalagent-v2.8.0-windows-amd64.tmp	112
PID 1060 wrote to memory of 2212	1060	tacticalagent-v2.8.0-windows-amd64.tmp	112

C:\Users\Admin\AppData\Local\Temp\2025-01-20_0e3dbb7d5032353cb14865e83fb9960c_frostygoop_hijackloader_luca-stealer_poet-rat_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-20_0e3dbb7d5032353cb14865e83fb9960c_frostygoop_hijackloader_luca-stealer_poet-rat_snatch.exe"
1⤵
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:4588
- C:\ProgramData\TacticalRMM\tacticalagent-v2.8.0-windows-amd64.exe
  C:\ProgramData\TacticalRMM\tacticalagent-v2.8.0-windows-amd64.exe /VERYSILENT /SUPPRESSMSGBOXES
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4408
- - C:\Users\Admin\AppData\Local\Temp\is-KS97S.tmp\tacticalagent-v2.8.0-windows-amd64.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-KS97S.tmp\tacticalagent-v2.8.0-windows-amd64.tmp" /SL5="$4020C,3660179,825344,C:\ProgramData\TacticalRMM\tacticalagent-v2.8.0-windows-amd64.exe" /VERYSILENT /SUPPRESSMSGBOXES
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:1060
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c ping 127.0.0.1 -n 2 && net stop tacticalrpc
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Suspicious use of WriteProcessMemory
      PID:1676
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2628
    - - C:\Windows\SysWOW64\net.exe
        
        net stop tacticalrpc
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2800
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop tacticalrpc
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4188
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c net stop tacticalagent
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:516
    - - C:\Windows\SysWOW64\net.exe
        
        net stop tacticalagent
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1672
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop tacticalagent
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3124
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c ping 127.0.0.1 -n 2 && net stop tacticalrmm
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Suspicious use of WriteProcessMemory
      PID:3932
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2060
    - - C:\Windows\SysWOW64\net.exe
        
        net stop tacticalrmm
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2216
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop tacticalrmm
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3836
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c taskkill /F /IM tacticalrmm.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3984
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM tacticalrmm.exe
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1836
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c sc delete tacticalagent
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1840
    - - C:\Windows\SysWOW64\sc.exe
        
        sc delete tacticalagent
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:4816
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c sc delete tacticalrpc
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1264
    - - C:\Windows\SysWOW64\sc.exe
        
        sc delete tacticalrpc
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2892
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c tacticalrmm.exe -m installsvc
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4412
    - - C:\Program Files\TacticalAgent\tacticalrmm.exe
        
        tacticalrmm.exe -m installsvc
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4464
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c net start tacticalrmm
      4⤵
      System Location Discovery: System Language Discovery
      PID:2212
    - - C:\Windows\SysWOW64\net.exe
        
        net start tacticalrmm
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1580
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start tacticalrmm
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1984
- C:\Program Files\TacticalAgent\tacticalrmm.exe
  "C:\Program Files\TacticalAgent\tacticalrmm.exe" -m install --api https://api.ztn.app --client-id 14 --site-id 37 --agent-type workstation --auth c52763ea5e8516c687c06875af1bd779e47c159661b3df56cdcc3c1a649244f4
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:856
- - C:\Program Files\TacticalAgent\meshagent.exe
    "C:\Program Files\TacticalAgent\meshagent.exe" -fullinstall
    3⤵
    - Sets service image path in registry
    - Executes dropped EXE
    PID:4584
- - C:\Program Files\Mesh Agent\MeshAgent.exe
    "C:\Program Files\Mesh Agent\MeshAgent.exe" -nodeid
    3⤵
    - Executes dropped EXE
    PID:4272

C:\Program Files\Mesh Agent\MeshAgent.exe
"C:\Program Files\Mesh Agent\MeshAgent.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3468
- C:\Windows\System32\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4896
- C:\Windows\system32\wbem\wmic.exe
  wmic os get oslanguage /FORMAT:LIST
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1592
- C:\Windows\System32\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4036
- C:\Windows\system32\wbem\wmic.exe
  wmic os get oslanguage /FORMAT:LIST
  2⤵
  PID:2060
- C:\Windows\System32\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  PID:4604
- C:\Windows\System32\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  PID:1496
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -noprofile -nologo -command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:1180
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -noprofile -nologo -command -
  2⤵
  - Drops file in System32 directory
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:3688
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -noprofile -nologo -command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:3400
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -noprofile -nologo -command -
  2⤵
  - Drops file in System32 directory
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:2444
- C:\Windows\system32\cmd.exe
  /c manage-bde -protectors -get C: -Type recoverypassword
  2⤵
  PID:1964
- - C:\Windows\system32\manage-bde.exe
    manage-bde -protectors -get C: -Type recoverypassword
    3⤵
    PID:2088
- C:\Windows\system32\cmd.exe
  /c manage-bde -protectors -get F: -Type recoverypassword
  2⤵
  PID:4480
- - C:\Windows\system32\manage-bde.exe
    manage-bde -protectors -get F: -Type recoverypassword
    3⤵
    PID:3984

C:\Program Files\TacticalAgent\tacticalrmm.exe
"C:\Program Files\TacticalAgent\tacticalrmm.exe" -m svc
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:4396
- C:\Program Files\TacticalAgent\tacticalrmm.exe
  "C:\Program Files\TacticalAgent\tacticalrmm.exe" -m checkrunner
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:5004
- - C:\Program Files\TacticalAgent\python\py3.11.9_amd64\python.exe
    "C:\Program Files\TacticalAgent\python\py3.11.9_amd64\python.exe" C:\ProgramData\TacticalRMM\1568585474.py
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:516
- C:\Program Files\TacticalAgent\python\py3.11.9_amd64\python.exe
  "C:\Program Files\TacticalAgent\python\py3.11.9_amd64\python.exe" C:\ProgramData\TacticalRMM\2184275981.py
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3932
- C:\Program Files\Mesh Agent\MeshAgent.exe
  "C:\Program Files\Mesh Agent\MeshAgent.exe" -nodeid
  2⤵
  - Executes dropped EXE
  PID:1568
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass C:\ProgramData\TacticalRMM\151634541.ps1
  2⤵
  - Blocklisted process makes network request
  - Drops file in System32 directory
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:4472
- - C:\Windows\System32\setx.exe
    "C:\Windows\System32\setx.exe" ChocolateyLastPathUpdate 133818122879961656
    3⤵
    PID:3096
- - C:\Windows\System32\setx.exe
    "C:\Windows\System32\setx.exe" ChocolateyLastPathUpdate 133818122881082426
    3⤵
    PID:1052
- - C:\Windows\System32\setx.exe
    "C:\Windows\System32\setx.exe" ChocolateyLastPathUpdate 133818122881830325
    3⤵
    PID:4260
- - C:\Windows\System32\setx.exe
    "C:\Windows\System32\setx.exe" ChocolateyLastPathUpdate 133818122885463201
    3⤵
    PID:3548
- - C:\ProgramData\chocolatey\choco.exe
    "C:\ProgramData\chocolatey\choco.exe" -v
    3⤵
    - Executes dropped EXE
    PID:4760

Network

DNS

agents.tacticalrmm.com

2025-01-20_0e3dbb7d5032353cb14865e83fb9960c_frostygoop_hijackloader_luca-stealer_poet-rat_snatch.exe

Remote address:

8.8.8.8:53

Request

agents.tacticalrmm.com

IN A

Response

agents.tacticalrmm.com

IN A

172.67.151.233

agents.tacticalrmm.com

IN A

104.21.12.79
DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

209.205.72.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

209.205.72.20.in-addr.arpa

IN PTR

Response
DNS

233.151.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

233.151.67.172.in-addr.arpa

IN PTR

Response
DNS

60.153.16.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

60.153.16.2.in-addr.arpa

IN PTR

Response

60.153.16.2.in-addr.arpa

IN PTR

a2-16-153-60deploystaticakamaitechnologiescom
DNS

140.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

140.32.126.40.in-addr.arpa

IN PTR

Response
DNS

7.98.51.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

7.98.51.23.in-addr.arpa

IN PTR

Response

7.98.51.23.in-addr.arpa

IN PTR

a23-51-98-7deploystaticakamaitechnologiescom
DNS

api.ztn.app

tacticalrmm.exe

Remote address:

8.8.8.8:53

Request

api.ztn.app

IN A

Response

api.ztn.app

IN CNAME

vultr.ztn.app

vultr.ztn.app

IN A

139.180.174.130
DNS

130.174.180.139.in-addr.arpa

Remote address:

8.8.8.8:53

Request

130.174.180.139.in-addr.arpa

IN PTR

Response

130.174.180.139.in-addr.arpa

IN PTR

139180174130vultrusercontentcom
DNS

196.249.167.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

196.249.167.52.in-addr.arpa

IN PTR

Response
DNS

mesh.ztn.app

MeshAgent.exe

Remote address:

8.8.8.8:53

Request

mesh.ztn.app

IN A

Response

mesh.ztn.app

IN CNAME

vultr.ztn.app

vultr.ztn.app

IN A

139.180.174.130
DNS

58.55.71.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

58.55.71.13.in-addr.arpa

IN PTR

Response
DNS

56.163.245.4.in-addr.arpa

Remote address:

8.8.8.8:53

Request

56.163.245.4.in-addr.arpa

IN PTR

Response
DNS

171.39.242.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

171.39.242.20.in-addr.arpa

IN PTR

Response
DNS

icanhazip.tacticalrmm.io

tacticalrmm.exe

Remote address:

8.8.8.8:53

Request

icanhazip.tacticalrmm.io

IN A

Response

icanhazip.tacticalrmm.io

IN A

104.21.46.245

icanhazip.tacticalrmm.io

IN A

172.67.169.135
DNS

245.46.21.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

245.46.21.104.in-addr.arpa

IN PTR

Response
DNS

86.49.80.91.in-addr.arpa

Remote address:

8.8.8.8:53

Request

86.49.80.91.in-addr.arpa

IN PTR

Response
DNS

github.com

tacticalrmm.exe

Remote address:

8.8.8.8:53

Request

github.com

IN A

Response

github.com

IN A

20.26.156.215
DNS

215.156.26.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

215.156.26.20.in-addr.arpa

IN PTR

Response
DNS

219.112.17.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

219.112.17.2.in-addr.arpa

IN PTR

Response

219.112.17.2.in-addr.arpa

IN PTR

a2-17-112-219deploystaticakamaitechnologiescom
DNS

objects.githubusercontent.com

tacticalrmm.exe

Remote address:

8.8.8.8:53

Request

objects.githubusercontent.com

IN A

Response

objects.githubusercontent.com

IN A

185.199.110.133

objects.githubusercontent.com

IN A

185.199.108.133

objects.githubusercontent.com

IN A

185.199.109.133

objects.githubusercontent.com

IN A

185.199.111.133
DNS

133.110.199.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.110.199.185.in-addr.arpa

IN PTR

Response

133.110.199.185.in-addr.arpa

IN PTR

cdn-185-199-110-133githubcom
DNS

chocolatey.org

tacticalrmm.exe

Remote address:

8.8.8.8:53

Request

chocolatey.org

IN A

Response

chocolatey.org

IN A

104.18.20.76

chocolatey.org

IN A

104.18.21.76
DNS

community.chocolatey.org

powershell.exe

Remote address:

8.8.8.8:53

Request

community.chocolatey.org

IN A

Response

community.chocolatey.org

IN A

104.18.20.76

community.chocolatey.org

IN A

104.18.21.76
DNS

76.20.18.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

76.20.18.104.in-addr.arpa

IN PTR

Response
DNS

fe2cr.update.microsoft.com

Remote address:

8.8.8.8:53

Request

fe2cr.update.microsoft.com

IN A

Response

fe2cr.update.microsoft.com

IN CNAME

fe2cr.update.msft.com.trafficmanager.net

fe2cr.update.msft.com.trafficmanager.net

IN A

20.97.190.213

fe2cr.update.msft.com.trafficmanager.net

IN A

40.78.107.240
POST

https://fe2cr.update.microsoft.com/v6/ClientWebService/client.asmx

Remote address:

20.97.190.213:443

Request

POST /v6/ClientWebService/client.asmx HTTP/2.0
host: fe2cr.update.microsoft.com
cache-control: no-cache
pragma: no-cache
content-type: text/xml; charset=utf-8
accept-encoding: xpress
user-agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.32
soapaction: "http://www.microsoft.com/SoftwareDistribution/Server/ClientWebService/GetCookie"
ms-cv: MvuCXq2fWEKT9WCX.1.0.0.2.1
content-length: 864

Response

HTTP/2.0 200

cache-control: private
content-type: text/xml; charset=utf-8
content-encoding: xpress
vary: Accept-Encoding
date: Mon, 20 Jan 2025 02:04:45 GMT
content-length: 598
POST

https://fe2cr.update.microsoft.com/v6/ClientWebService/client.asmx

Remote address:

20.97.190.213:443

Request

POST /v6/ClientWebService/client.asmx HTTP/2.0
host: fe2cr.update.microsoft.com
cache-control: no-cache
pragma: no-cache
content-type: text/xml; charset=utf-8
accept-encoding: xpress
user-agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.32
soapaction: "http://www.microsoft.com/SoftwareDistribution/Server/ClientWebService/SyncUpdates"
ms-cv: MvuCXq2fWEKT9WCX.1.0.0.2.2
content-length: 16839

Response

HTTP/2.0 200

cache-control: private
content-type: text/xml; charset=utf-8
content-encoding: xpress
vary: Accept-Encoding
date: Mon, 20 Jan 2025 02:04:46 GMT
content-length: 14866
POST

https://fe2cr.update.microsoft.com/v6/ClientWebService/client.asmx

Remote address:

20.97.190.213:443

Request

POST /v6/ClientWebService/client.asmx HTTP/2.0
host: fe2cr.update.microsoft.com
cache-control: no-cache
pragma: no-cache
content-type: text/xml; charset=utf-8
accept-encoding: xpress
user-agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.32
soapaction: "http://www.microsoft.com/SoftwareDistribution/Server/ClientWebService/GetFileLocations"
ms-cv: MvuCXq2fWEKT9WCX.1.0.0.2.3
content-length: 642

Response

HTTP/2.0 200

cache-control: private
content-type: text/xml; charset=utf-8
content-encoding: xpress
vary: Accept-Encoding
date: Mon, 20 Jan 2025 02:04:47 GMT
content-length: 806
POST

https://fe2cr.update.microsoft.com/v6/ClientWebService/client.asmx

Remote address:

20.97.190.213:443

Request

POST /v6/ClientWebService/client.asmx HTTP/2.0
host: fe2cr.update.microsoft.com
cache-control: no-cache
pragma: no-cache
content-type: text/xml; charset=utf-8
accept-encoding: xpress
user-agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.32
soapaction: "http://www.microsoft.com/SoftwareDistribution/Server/ClientWebService/GetTimestamps"
ms-cv: MvuCXq2fWEKT9WCX.1.0.0.2.4
content-length: 188

Response

HTTP/2.0 200

cache-control: private
content-type: text/xml; charset=utf-8
content-encoding: xpress
vary: Accept-Encoding
date: Mon, 20 Jan 2025 02:04:47 GMT
content-length: 20973
POST

https://fe2cr.update.microsoft.com/v6/ClientWebService/client.asmx

Remote address:

20.97.190.213:443

Request

POST /v6/ClientWebService/client.asmx HTTP/2.0
host: fe2cr.update.microsoft.com
cache-control: no-cache
pragma: no-cache
content-type: text/xml; charset=utf-8
accept-encoding: xpress
user-agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.32
soapaction: "http://www.microsoft.com/SoftwareDistribution/Server/ClientWebService/SyncUpdates"
ms-cv: MvuCXq2fWEKT9WCX.1.0.0.2.5
content-length: 16896

Response

HTTP/2.0 200

cache-control: private
content-type: text/xml; charset=utf-8
content-encoding: xpress
vary: Accept-Encoding
date: Mon, 20 Jan 2025 02:04:47 GMT
content-length: 667
POST

https://fe2cr.update.microsoft.com/v6/ClientWebService/client.asmx

Remote address:

20.97.190.213:443

Request

POST /v6/ClientWebService/client.asmx HTTP/2.0
host: fe2cr.update.microsoft.com
cache-control: no-cache
pragma: no-cache
content-type: text/xml; charset=utf-8
accept-encoding: xpress
user-agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.32
soapaction: "http://www.microsoft.com/SoftwareDistribution/Server/ClientWebService/GetExtendedUpdateInfo"
ms-cv: MvuCXq2fWEKT9WCX.1.0.0.2.6
content-length: 1940

Response

HTTP/2.0 200

cache-control: private
content-type: text/xml; charset=utf-8
content-encoding: xpress
vary: Accept-Encoding
date: Mon, 20 Jan 2025 02:04:51 GMT
POST

https://fe2cr.update.microsoft.com/v6/ClientWebService/client.asmx

Remote address:

20.97.190.213:443

Request

POST /v6/ClientWebService/client.asmx HTTP/2.0
host: fe2cr.update.microsoft.com
cache-control: no-cache
pragma: no-cache
content-type: text/xml; charset=utf-8
accept-encoding: xpress
user-agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.32
soapaction: "http://www.microsoft.com/SoftwareDistribution/Server/ClientWebService/GetExtendedUpdateInfo"
ms-cv: MvuCXq2fWEKT9WCX.1.0.0.2.7
content-length: 2013

Response

HTTP/2.0 200

cache-control: private
content-type: text/xml; charset=utf-8
content-encoding: xpress
vary: Accept-Encoding
date: Mon, 20 Jan 2025 02:04:57 GMT
POST

https://fe2cr.update.microsoft.com/v6/ClientWebService/client.asmx

Remote address:

20.97.190.213:443

Request

POST /v6/ClientWebService/client.asmx HTTP/2.0
host: fe2cr.update.microsoft.com
cache-control: no-cache
pragma: no-cache
content-type: text/xml; charset=utf-8
accept-encoding: xpress
user-agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.32
soapaction: "http://www.microsoft.com/SoftwareDistribution/Server/ClientWebService/GetExtendedUpdateInfo"
ms-cv: MvuCXq2fWEKT9WCX.1.0.0.2.8
content-length: 1462

Response

HTTP/2.0 200

cache-control: private
content-type: text/xml; charset=utf-8
content-encoding: xpress
vary: Accept-Encoding
date: Mon, 20 Jan 2025 02:05:02 GMT
GET

https://community.chocolatey.org/api/v2/Packages()?$filter=((Id%20eq%20'chocolatey')%20and%20(not%20IsPrerelease))%20and%20IsLatestVersion

powershell.exe

Remote address:

104.18.20.76:443

Request

GET /api/v2/Packages()?$filter=((Id%20eq%20'chocolatey')%20and%20(not%20IsPrerelease))%20and%20IsLatestVersion HTTP/1.1
Host: community.chocolatey.org
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Mon, 20 Jan 2025 02:04:46 GMT
Content-Type: application/atom+xml;charset=utf-8
Content-Length: 8255
Connection: keep-alive
Cache-Control: public, max-age=28800
DataServiceVersion: 2.0;
Expires: Mon, 20 Jan 2025 10:04:46 GMT
Last-Modified: Sat, 18 Jan 2025 11:09:13 GMT
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
CF-Cache-Status: HIT
Age: 64701
Accept-Ranges: bytes
Strict-Transport-Security: max-age=12960000
X-Content-Type-Options: nosniff
Content-Security-Policy: frame-ancestors 'none';
X-Frame-Options: deny
Server: cloudflare
CF-RAY: 904b7ee83d74ef21-LHR
GET

https://community.chocolatey.org/api/v2/package/chocolatey/2.4.1

powershell.exe

Remote address:

104.18.20.76:443

Request

GET /api/v2/package/chocolatey/2.4.1 HTTP/1.1
Host: community.chocolatey.org

Response

HTTP/1.1 302 Found

Date: Mon, 20 Jan 2025 02:04:47 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: private
Location: https://packages.chocolatey.org/chocolatey.2.4.1.nupkg
X-AspNet-Version: 4.0.30319
X-AspNetMvc-Version: 3.0
X-Powered-By: ASP.NET
CF-Cache-Status: DYNAMIC
Strict-Transport-Security: max-age=12960000
X-Content-Type-Options: nosniff
Content-Security-Policy: frame-ancestors 'none';
X-Frame-Options: deny
Server: cloudflare
CF-RAY: 904b7ee8be57ef21-LHR
DNS

packages.chocolatey.org

powershell.exe

Remote address:

8.8.8.8:53

Request

packages.chocolatey.org

IN A

Response

packages.chocolatey.org

IN A

104.18.21.76

packages.chocolatey.org

IN A

104.18.20.76
GET

https://packages.chocolatey.org/chocolatey.2.4.1.nupkg

powershell.exe

Remote address:

104.18.21.76:443

Request

GET /chocolatey.2.4.1.nupkg HTTP/1.1
Host: packages.chocolatey.org
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Mon, 20 Jan 2025 02:04:47 GMT
Content-Type: application/octet-stream
Content-Length: 5409568
Connection: keep-alive
x-amz-id-2: UuP3ZL1dWtorue8r+ZuI35f0S08xS9MwiqGLVQya8hXrEpwOv+TtW9m3dfN524ZigtQTHXRX04mPDxRM1z28Zg==
x-amz-request-id: MQCY9SM414P95C3Q
Last-Modified: Wed, 04 Dec 2024 20:13:32 GMT
ETag: "fb8a8797df8557e9457f51e6afa50719"
x-amz-server-side-encryption: AES256
CF-Cache-Status: HIT
Age: 1806123
Expires: Sat, 25 Jan 2025 02:04:47 GMT
Cache-Control: public, max-age=432000
Accept-Ranges: bytes
Strict-Transport-Security: max-age=12960000
X-Content-Type-Options: nosniff
Server: cloudflare
CF-RAY: 904b7eeb6b38e913-LHR
DNS

213.190.97.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

213.190.97.20.in-addr.arpa

IN PTR

Response
DNS

download.windowsupdate.com

Remote address:

8.8.8.8:53

Request

download.windowsupdate.com

IN A

Response

download.windowsupdate.com

IN CNAME

download.windowsupdate.com.delivery.microsoft.com

download.windowsupdate.com.delivery.microsoft.com

IN CNAME

wu-f-net.trafficmanager.net

wu-f-net.trafficmanager.net

IN CNAME

edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com

edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com

IN A

91.81.130.133

edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com

IN A

91.81.129.180

edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com

IN A

91.81.129.182

edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com

IN A

91.80.49.86

edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com

IN A

91.80.49.22
GET

http://download.windowsupdate.com/d/msdownload/update/others/2015/05/17930914_a3b333eff1f0428f5a2c87724c542504821cdbd8.cab

Remote address:

91.81.130.133:80

Request

GET /d/msdownload/update/others/2015/05/17930914_a3b333eff1f0428f5a2c87724c542504821cdbd8.cab HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.32
Host: download.windowsupdate.com

Response

HTTP/1.1 200 OK

Date: Mon, 20 Jan 2025 02:04:48 GMT
Content-Type: application/vnd.ms-cab-compressed
Content-Length: 8047
Connection: keep-alive
Cache-Control: public,max-age=172800
Last-Modified: Fri, 29 May 2015 16:16:45 GMT
ETag: "80d429db2a9ad01:0"
X-Powered-By: ASP.NET
Ocn-Cache-Status: HIT
Ocn-Requestid: 10000003b04d5971-1971500459-1
Ocn-Served-By: QLT
X-OC-Service-Type: re
Server: Qwilt
X-CID: 9
X-CCC: it
Accept-Ranges: bytes
DNS

76.21.18.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

76.21.18.104.in-addr.arpa

IN PTR

Response
DNS

76.21.18.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

76.21.18.104.in-addr.arpa

IN PTR
DNS

133.130.81.91.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.130.81.91.in-addr.arpa

IN PTR

Response
DNS

133.130.81.91.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.130.81.91.in-addr.arpa

IN PTR

172.67.151.233:443

agents.tacticalrmm.com

tls

2025-01-20_0e3dbb7d5032353cb14865e83fb9960c_frostygoop_hijackloader_luca-stealer_poet-rat_snatch.exe

192.8kB
4.7MB
2807
3387
139.180.174.130:443

api.ztn.app

tls

tacticalrmm.exe

1.6kB
4.4kB
13
14
139.180.174.130:443

api.ztn.app

tls

tacticalrmm.exe

1.7kB
4.3kB
13
12
139.180.174.130:443

api.ztn.app

tls

tacticalrmm.exe

60.7kB
3.6MB
1295
2576
139.180.174.130:443

mesh.ztn.app

tls

MeshAgent.exe

25.7kB
666.7kB
270
507
139.180.174.130:443

api.ztn.app

tls

tacticalrmm.exe

1.9kB
4.3kB
13
12
139.180.174.130:443

api.ztn.app

tls

tacticalrmm.exe

106.4kB
6.3kB
106
54
104.21.46.245:443

icanhazip.tacticalrmm.io

tls

tacticalrmm.exe

985 B
4.6kB
10
10
139.180.174.130:443

api.ztn.app

tls

tacticalrmm.exe

20.1kB
4.3kB
27
14
139.180.174.130:443

api.ztn.app

tls

tacticalrmm.exe

115.8kB
118.2kB
174
171
20.26.156.215:443

github.com

tls

tacticalrmm.exe

1.3kB
8.8kB
16
18
185.199.110.133:443

objects.githubusercontent.com

tls

tacticalrmm.exe

1.2MB
33.4MB
23823
25263
139.180.174.130:443

api.ztn.app

tls

tacticalrmm.exe

1.6kB
4.4kB
13
14
139.180.174.130:443

api.ztn.app

tls

tacticalrmm.exe

1.7kB
6.2kB
14
15
139.180.174.130:443

api.ztn.app

tls

tacticalrmm.exe

1.6kB
4.8kB
13
14
139.180.174.130:443

api.ztn.app

tls

tacticalrmm.exe

1.8kB
4.3kB
13
12
139.180.174.130:443

api.ztn.app

tls

tacticalrmm.exe

1.7kB
4.3kB
13
12
104.21.46.245:443

icanhazip.tacticalrmm.io

tls

tacticalrmm.exe

985 B
4.7kB
10
12
139.180.174.130:443

api.ztn.app

tls

tacticalrmm.exe

1.8kB
4.3kB
13
12
139.180.174.130:443

api.ztn.app

tls

tacticalrmm.exe

1.6kB
4.3kB
12
12
139.180.174.130:443

api.ztn.app

tls

tacticalrmm.exe

1.6kB
4.8kB
13
14
139.180.174.130:443

api.ztn.app

tls

tacticalrmm.exe

20.2kB
4.3kB
28
14
104.18.20.76:443

chocolatey.org

tls

tacticalrmm.exe

1.1kB
7.9kB
13
15
104.18.20.76:443

community.chocolatey.org

tls

tacticalrmm.exe

1.9kB
28.9kB
28
33
20.97.190.213:443

https://fe2cr.update.microsoft.com/v6/ClientWebService/client.asmx

tls, http2

56.1kB
397.7kB
232
309

HTTP Request

POST https://fe2cr.update.microsoft.com/v6/ClientWebService/client.asmx

HTTP Response

200

HTTP Request

POST https://fe2cr.update.microsoft.com/v6/ClientWebService/client.asmx

HTTP Response

200

HTTP Request

POST https://fe2cr.update.microsoft.com/v6/ClientWebService/client.asmx

HTTP Response

200

HTTP Request

POST https://fe2cr.update.microsoft.com/v6/ClientWebService/client.asmx

HTTP Response

200

HTTP Request

POST https://fe2cr.update.microsoft.com/v6/ClientWebService/client.asmx

HTTP Response

200

HTTP Request

POST https://fe2cr.update.microsoft.com/v6/ClientWebService/client.asmx

HTTP Response

200

HTTP Request

POST https://fe2cr.update.microsoft.com/v6/ClientWebService/client.asmx

HTTP Response

200

HTTP Request

POST https://fe2cr.update.microsoft.com/v6/ClientWebService/client.asmx

HTTP Response

200
104.18.20.76:443

https://community.chocolatey.org/api/v2/package/chocolatey/2.4.1

tls, http

powershell.exe

1.3kB
15.5kB
15
21

HTTP Request

GET https://community.chocolatey.org/api/v2/Packages()?$filter=((Id%20eq%20'chocolatey')%20and%20(not%20IsPrerelease))%20and%20IsLatestVersion

HTTP Response

200

HTTP Request

GET https://community.chocolatey.org/api/v2/package/chocolatey/2.4.1

HTTP Response

302
20.26.156.215:443

github.com

tls

tacticalrmm.exe

1.1kB
8.5kB
11
12
185.199.110.133:443

objects.githubusercontent.com

tls

tacticalrmm.exe

141.8kB
4.1MB
2844
3102
104.18.21.76:443

https://packages.chocolatey.org/chocolatey.2.4.1.nupkg

tls, http

powershell.exe

147.7kB
5.6MB
2685
4015

HTTP Request

GET https://packages.chocolatey.org/chocolatey.2.4.1.nupkg

HTTP Response

200
139.180.174.130:443

api.ztn.app

tls

tacticalrmm.exe

2.1kB
4.9kB
15
14
91.81.130.133:80

http://download.windowsupdate.com/d/msdownload/update/others/2015/05/17930914_a3b333eff1f0428f5a2c87724c542504821cdbd8.cab

http

709 B
8.9kB
10
10

HTTP Request

GET http://download.windowsupdate.com/d/msdownload/update/others/2015/05/17930914_a3b333eff1f0428f5a2c87724c542504821cdbd8.cab

HTTP Response

200
20.26.156.215:443

github.com

tls

tacticalrmm.exe

1.1kB
8.5kB
11
12
185.199.110.133:443

objects.githubusercontent.com

tls

tacticalrmm.exe

246.2kB
6.7MB
4673
5054
139.180.174.130:443

api.ztn.app

tls

tacticalrmm.exe

2.4kB
5.1kB
17
11
2.17.112.142:80
40.69.42.241:443

tls

244 B
2.6kB
2
2
52.111.227.14:443
139.180.174.130:443

mesh.ztn.app

tacticalrmm.exe

52 B
1

8.8.8.8:53

agents.tacticalrmm.com

dns

2025-01-20_0e3dbb7d5032353cb14865e83fb9960c_frostygoop_hijackloader_luca-stealer_poet-rat_snatch.exe

68 B
100 B
1
1

DNS Request

agents.tacticalrmm.com

DNS Response

172.67.151.233

104.21.12.79
8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

209.205.72.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

209.205.72.20.in-addr.arpa
8.8.8.8:53

233.151.67.172.in-addr.arpa

dns

73 B
135 B
1
1

DNS Request

233.151.67.172.in-addr.arpa
8.8.8.8:53

60.153.16.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

60.153.16.2.in-addr.arpa
8.8.8.8:53

140.32.126.40.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

140.32.126.40.in-addr.arpa
8.8.8.8:53

7.98.51.23.in-addr.arpa

dns

69 B
131 B
1
1

DNS Request

7.98.51.23.in-addr.arpa
8.8.8.8:53

api.ztn.app

dns

tacticalrmm.exe

57 B
93 B
1
1

DNS Request

api.ztn.app

DNS Response

139.180.174.130
8.8.8.8:53

130.174.180.139.in-addr.arpa

dns

74 B
124 B
1
1

DNS Request

130.174.180.139.in-addr.arpa
8.8.8.8:53

196.249.167.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

196.249.167.52.in-addr.arpa
8.8.8.8:53

mesh.ztn.app

dns

MeshAgent.exe

58 B
94 B
1
1

DNS Request

mesh.ztn.app

DNS Response

139.180.174.130
8.8.8.8:53

58.55.71.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

58.55.71.13.in-addr.arpa
8.8.8.8:53

56.163.245.4.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

56.163.245.4.in-addr.arpa
8.8.8.8:53

171.39.242.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

171.39.242.20.in-addr.arpa
8.8.8.8:53

icanhazip.tacticalrmm.io

dns

tacticalrmm.exe

70 B
102 B
1
1

DNS Request

icanhazip.tacticalrmm.io

DNS Response

104.21.46.245

172.67.169.135
8.8.8.8:53

245.46.21.104.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

245.46.21.104.in-addr.arpa
8.8.8.8:53

86.49.80.91.in-addr.arpa

dns

70 B
145 B
1
1

DNS Request

86.49.80.91.in-addr.arpa
8.8.8.8:53

github.com

dns

tacticalrmm.exe

56 B
72 B
1
1

DNS Request

github.com

DNS Response

20.26.156.215
8.8.8.8:53

215.156.26.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

215.156.26.20.in-addr.arpa
8.8.8.8:53

219.112.17.2.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

219.112.17.2.in-addr.arpa
8.8.8.8:53

objects.githubusercontent.com

dns

tacticalrmm.exe

75 B
139 B
1
1

DNS Request

objects.githubusercontent.com

DNS Response

185.199.110.133

185.199.108.133

185.199.109.133

185.199.111.133
8.8.8.8:53

133.110.199.185.in-addr.arpa

dns

74 B
118 B
1
1

DNS Request

133.110.199.185.in-addr.arpa
8.8.8.8:53

chocolatey.org

dns

tacticalrmm.exe

60 B
92 B
1
1

DNS Request

chocolatey.org

DNS Response

104.18.20.76

104.18.21.76
8.8.8.8:53

community.chocolatey.org

dns

powershell.exe

70 B
102 B
1
1

DNS Request

community.chocolatey.org

DNS Response

104.18.20.76

104.18.21.76
8.8.8.8:53

76.20.18.104.in-addr.arpa

dns

71 B
133 B
1
1

DNS Request

76.20.18.104.in-addr.arpa
8.8.8.8:53

fe2cr.update.microsoft.com

dns

72 B
158 B
1
1

DNS Request

fe2cr.update.microsoft.com

DNS Response

20.97.190.213

40.78.107.240
8.8.8.8:53

packages.chocolatey.org

dns

powershell.exe

69 B
101 B
1
1

DNS Request

packages.chocolatey.org

DNS Response

104.18.21.76

104.18.20.76
8.8.8.8:53

213.190.97.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

213.190.97.20.in-addr.arpa
8.8.8.8:53

download.windowsupdate.com

dns

72 B
321 B
1
1

DNS Request

download.windowsupdate.com

DNS Response

91.81.130.133

91.81.129.180

91.81.129.182

91.80.49.86

91.80.49.22
8.8.8.8:53

76.21.18.104.in-addr.arpa

dns

142 B
133 B
2
1

DNS Request

76.21.18.104.in-addr.arpa

DNS Request

76.21.18.104.in-addr.arpa
8.8.8.8:53

133.130.81.91.in-addr.arpa

dns

144 B
147 B
2
1

DNS Request

133.130.81.91.in-addr.arpa

DNS Request

133.130.81.91.in-addr.arpa
8.8.8.8:53
8.8.8.8:53
8.8.8.8:53
8.8.8.8:53
8.8.8.8:53
8.8.8.8:53

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Mesh Agent\MeshAgent.db

Filesize
35KB

MD5
51eafe90dc7212c75e3b9eacf9211827

SHA1
373da391d9f0a0c8f1a4dfc09b3252160454817a

SHA256
0ab6628a2ebc394575071283f4e4c4293292a146d6f3762d21f959a79c19b953

SHA512
186acc8df7c17da135a6bcc5e4228e30a7f8c1fb11a1f6551f9396a10781b9243bd61f3ce40530fc871294d36a09e3a43535b40ac1656388b1f8aefa34d34463

Download Submit
C:\Program Files\Mesh Agent\MeshAgent.db.tmp

Filesize
153KB

MD5
02f8ea74cfca183d98d7a91053205ef9

SHA1
3b36027a99f060b5c90d127dd7168b1090acdba2

SHA256
ff7519f56d907e36ae141eab29c19b6e77ba3ed9b4b1c898b4f0a81d65b9ad10

SHA512
1d06d4aec157cf7075dc8079f33d8ce50eb9dfa59a62e2ea76acf7e86f1b44c531b34b3dd04757fe4d7115e733299a012980f55923440d0459e82fcb022af37f

Download Submit
C:\Program Files\TacticalAgent\agent.log

Filesize
67B

MD5
a0959cb1af335db40cf63d00e2ec1e3c

SHA1
89816885bed25794b99efeb7afa1f1a48171fb24

SHA256
a01105e1f820f3d1c606e9c69f8479aae9d9b9c044fe27906018973aea53e8d0

SHA512
07068b00aaadb90a9702a0cf480524bbb3333d160af9ef6147889ca37ea146c92af628cdb90b38197958f9ce1b67df3eeed5144a68cda6553a8272ef52b582bf

Download Submit
C:\Program Files\TacticalAgent\meshagent.exe

Filesize
3.3MB

MD5
e5d7d294c417575310a4472580a16257

SHA1
66be889ae2caeb288e81b4693087a38d7af14a03

SHA256
fd0cf4ace405f05f67784eea2dc9dada61d6ba16ff94165d9a9865c1b4745dbb

SHA512
c4dcb8b24592843e51ba9cd74ea0874a8aafeba255dad34d94399683f2fd56858388e39255c478a981ba5537ebf7e54000a4ea4ab862289efc0eab9de2683fc6

Download Submit
C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\_distutils_hack\__init__.py

Filesize
5KB

MD5
ee216afd7a0d2615c3cace29a68a11db

SHA1
209a6ea81dd5625e2e9ae7503bb8b67738bb1ff1

SHA256
4bf5b0bc8f8af7ce7096e96f7167cf4f776f2cc0983f5c8f876ca780b3a67781

SHA512
423205d351991ffcd4a852e25a6010cc8cca0f7f5fb0eb20ef0e12cc6bca9523cf86ad91047761f0cce011eceb65c8e7671f85184ff0283088997f61ec311ae7

Download Submit
C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\_distutils_hack\__pycache__\__init__.cpython-311.pyc

Filesize
10KB

MD5
b82c8cdebb5999e5801450f20062d8e0

SHA1
a267796468f0b17dfe316ed339feebe76694e29a

SHA256
2be94ab8b718f615700022b16e9b67cfb11ed4cf810c0b5b6c3e32f04b84a166

SHA512
91ed254db8665101d2161e0aa8fbaa7e6331b3f4efc8910c907168c4a3a4b3791a6bf29befa8148ece50c6300b5f0689de4410e49dc5f9920617eb278672f73f

Download Submit
C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\cryptography-42.0.8.dist-info\INSTALLER

Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit
C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\distutils-precedence.pth

Filesize
151B

MD5
18d27e199b0d26ef9b718ce7ff5a8927

SHA1
ea9c9bfc82ad47e828f508742d7296e69d2226e4

SHA256
2638ce9e2500e572a5e0de7faed6661eb569d1b696fcba07b0dd223da5f5d224

SHA512
b8504949f3ddf0089164b0296e8371d7dcdd4c3761fb17478994f5e6943966528a45a226eba2d5286b9c799f0eb8c99bd20cbd8603a362532b3a65dd058fa42e

Download Submit
C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\psutil\__init__.py

Filesize
89KB

MD5
277c5bd5f7fbe2c4d720a6a81f8c1151

SHA1
43c09a30e95522af1d6302a349ea7ea61dad7ebd

SHA256
8537a71b152d03e62915c697e0c90a211664b504a00d5f37a41b858aeb4802ee

SHA512
32d40a127c7b64818e190771e2c6c36836230f2b4eae990f3245bc6e567630d27cb37ca664870d387f398d2686b0f8cab7bd8158b09e53caab04788aa8e34505

Download Submit
C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\psutil\__pycache__\__init__.cpython-311.pyc

Filesize
95KB

MD5
cc09698d94126ac96a1ac7a9c700b147

SHA1
94f6d87747c391d849262902138e3ca5373b0811

SHA256
ff7f76d35081281f4cda8e9231ef5d298063d5cb680bef250d0d24bed1cb487a

SHA512
9964f90dfc1c17cff52267748a9d812d3f5b417b6940d1d9bed4eb9bb3691bb68d6216d427196d0f3aa729dc3b3b33120a3bd5e5e15d6830d50aa9c6f53a5853

Download Submit
C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\psutil\__pycache__\_common.cpython-311.pyc

Filesize
36KB

MD5
0a19cca341897bd9ef430a61e24f1326

SHA1
68f1642bc0f529021335b386d229e6257188bb8f

SHA256
5bc11f0423b3d4f6bf477496d6ccf3820a568936c3d5acb0ecef05b7cdcfe635

SHA512
882413d21c29b6ef7a8df8e52e56912beb5323dc6fddc8d46cd2d221e1675558416574b4ab7dffd0e1e0d5470692cd270d164bdef763a33b8f0f5341a7e0b37b

Download Submit
C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\psutil\__pycache__\_compat.cpython-311.pyc

Filesize
20KB

MD5
3f5c22154440c8a33d794f4690600d71

SHA1
e45e9cb69e0dc4f91e1072ce4be5d18c67db2f19

SHA256
a0b423a5ad4cf5811e258b89a5929693a64778c02cc32baf71200acba7a5dd89

SHA512
e905c58cc7e6ce9f39539844becc66f4b8c6f2bd6e33b460523c4692b83f9f21e0db5cae19f7dde4f6e309fdf6155f03ef19b30479740466ae564578bc88a066

Download Submit
C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\psutil\_common.py

Filesize
29KB

MD5
68d96f575f075939b4686630dd49f0d8

SHA1
27ac4c2cb20834e62c7016ab6f437b08ba831560

SHA256
ae5bf9d2fa6916938657a00f848984dae6d4696fcb98e3fb82ec777f3e65a83c

SHA512
b2a934452f3f88ff764745ac54ce4de68fb49cc1c585af82b44d2d4a063e7069afdda51baedf36a620911be07fd9df4923a7e32597ffb656efb2dc7f8d151b52

Download Submit
C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\psutil\_compat.py

Filesize
15KB

MD5
7ccfb8c305a85be23216eda03108a002

SHA1
55fcde35cc7308dd8aa754967a00c5cc86fbf4df

SHA256
ccdecd71fc56b78dc77676cd97d58f75d2ad8ad7c6c7aaaf5d6239222cdc6acb

SHA512
fc2585add339762a9232652797749555c1f3f606b4a750488ba065fe4dadbc07cad63d23da5bc0273f3203d28d6341d2bbf7c7a4a0fd18f901b6759601bcbb5e

Download Submit
C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\psutil\_psutil_windows.pyd

Filesize
65KB

MD5
3cba71b6bc59c26518dc865241add80a

SHA1
7e9c609790b1de110328bbbcbb4cd09b7150e5bd

SHA256
e10b73d6e13a5ae2624630f3d8535c5091ef403db6a00a2798f30874938ee996

SHA512
3ef7e20e382d51d93c707be930e12781636433650d0a2c27e109ebebeba1f30ea3e7b09af985f87f67f6b9d2ac6a7a717435f94b9d1585a9eb093a83771b43f2

Download Submit
C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\psutil\_pswindows.py

Filesize
37KB

MD5
9b9de2a29f028842ace0b871d5d07f9c

SHA1
1483f49447b8a72516a990a5c2a987d6bd71cb58

SHA256
66eb56cad42640a65fbc56dfa0ba46c6c6e7254dcc8d2aa72c753f38baef7964

SHA512
d85989a078e9e0d5e3ea32062b2f368ec2cc099696f9959442f905c4444ca1dbd956e0832ef5abf001352f462a2cfc0439f7431112d68ee1592f2952ab2a1f33

Download Submit
C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pyasn1\codec\native\__init__.py

Filesize
59B

MD5
0fc1b4d3e705f5c110975b1b90d43670

SHA1
14a9b683b19e8d7d9cb25262cdefcb72109b5569

SHA256
1040e52584b5ef6107dfd19489d37ff056e435c598f4e555f1edf4015e7ca67d

SHA512
8a147c06c8b0a960c9a3fa6da3b30a3b18d3612af9c663ee24c8d2066f45419a2ff4aa3a636606232eca12d7faef3da0cbbd3670a2d72a3281544e1c0b8edf81

Download Submit
C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pywin32.pth

Filesize
178B

MD5
322bf8d4899fb978d3fac34de1e476bb

SHA1
467808263e26b4349a1faf6177b007967fbc6693

SHA256
4f67ff92af0ea38bf18ac308efd976f781d84e56f579c603ed1e8f0c69a17f8d

SHA512
d7264690d653ac6ed4b3d35bb22b963afc53609a9d14187a4e0027528b618c224ed38e225330ceae2565731a4e694a6146b3214b3dcee75b053c8ae79f24a9dd

Download Submit
C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\validators-0.28.3.dist-info\WHEEL

Filesize
92B

MD5
43136dde7dd276932f6197bb6d676ef4

SHA1
6b13c105452c519ea0b65ac1a975bd5e19c50122

SHA256
189eedfe4581172c1b6a02b97a8f48a14c0b5baa3239e4ca990fbd8871553714

SHA512
e7712ba7d36deb083ebcc3b641ad3e7d19fb071ee64ae3a35ad6a50ee882b20cd2e60ca1319199df12584fe311a6266ec74f96a3fb67e59f90c7b5909668aee1

Download Submit
C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\win32\lib\__pycache__\pywin32_bootstrap.cpython-311.pyc

Filesize
1KB

MD5
09fb62f799fcfdfe2dfb60ee2e863bca

SHA1
5d31c3de5302d600d368703b4ef943ec0f61a1e4

SHA256
a0f2cf7e8e2e59b0290878947b9895c19ce1ffd09bd5ae0afa1f9320e24a3df2

SHA512
41f6ccbdca0d3e2e8c81b598e57f966b7079913da4dd0bd3150b422f7a85518895445b06596ab734d267d3ebaf19ec61aa779f2e0ad0426c3b89061b0b8d947c

Download Submit
C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\win32\lib\pywin32_bootstrap.py

Filesize
1KB

MD5
5d28a84aa364bcd31fdb5c5213884ef7

SHA1
0874dca2ad64e2c957b0a8fd50588fb6652dd8ee

SHA256
e298ddcfcb0232257fcaa330844845a4e7807c4e2b5bd938929ed1791cd9d192

SHA512
24c1ad9ce1d7e7e3486e8111d8049ef1585cab17b97d29c7a4eb816f7bdf34406aa678f449f8c680b7f8f3f3c8bc164edac95ccb15da654ef9df86c5beb199a5

Download Submit
C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\win32comext\internet\__init__.py

Filesize
135B

MD5
f45c606ffc55fd2f41f42012d917bce9

SHA1
ca93419cc53fb4efef251483abe766da4b8e2dfd

SHA256
f0bb50af1caea5b284bd463e5938229e7d22cc610b2d767ee1778e92a85849b4

SHA512
ba7bebe62a6c2216e68e2d484c098662ba3d5217b39a3156b30e776d2bb3cf5d4f31dcdc48a2eb99bc5d80fffe388b212ec707b7d10b48df601430a07608fd46

Download Submit
C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Scripts\normalizer.exe

Filesize
105KB

MD5
c485a95e68d04b1bce4aa5b4f301d90a

SHA1
8e0903ca5f0e2982b12c8bb49d4dff94a147a95e

SHA256
87d309b4470d3f2c21c686e6895fe95aeaee7a3b00948694d39bbe71ed86d169

SHA512
3bcfa7fc4fab47f140a8f21b55c09bd593fb2ba3379edc7bb4c60167c46dc440170c7ed1d918c118d8d7e312b4e126086caf87361e87b2e661c8b0434ed81289

Download Submit
C:\Program Files\TacticalAgent\python\py3.11.9_amd64\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Program Files\TacticalAgent\python\py3.11.9_amd64\_bz2.pyd

Filesize
82KB

MD5
aa1083bde6d21cabfc630a18f51b1926

SHA1
e40e61dba19301817a48fd66ceeaade79a934389

SHA256
00b8ca9a338d2b47285c9e56d6d893db2a999b47216756f18439997fb80a56e3

SHA512
2df0d07065170fee50e0cd6208b0cc7baa3a295813f4ad02bec5315aa2a14b7345da4cdf7cac893da2c7fc21b201062271f655a85ceb51940f0acb99bb6a1d4c

Download Submit
C:\Program Files\TacticalAgent\python\py3.11.9_amd64\_lzma.pyd

Filesize
155KB

MD5
b86b9f292af12006187ebe6c606a377d

SHA1
604224e12514c21ab6db4c285365b0996c7f2139

SHA256
f5e01b516c2c23035f7703e23569dec26c5616c05a929b2580ae474a5c6722c5

SHA512
d4e97f554d57048b488bf6515c35fddadeb9d101133ee27a449381ebe75ac3556930b05e218473eba5254f3c441436e12f3d0166fb1b1e3cd7b0946d5efab312

Download Submit
C:\Program Files\TacticalAgent\python\py3.11.9_amd64\_socket.pyd

Filesize
77KB

MD5
b77017baa2004833ef3847a3a3141280

SHA1
39666f74bd076015b376fc81250dff89dff4b0a6

SHA256
a19e3c7c03ef1b5625790b1c9c42594909311ab6df540fbf43c6aa93300ab166

SHA512
6b24d0e038c433b995bd05de7c8fe7dd7b0a11152937c189b8854c95780b0220a9435de0db7ac796a7de11a59c61d56b1aef9a8dbaba62d02325122ceb8b003d

Download Submit
C:\Program Files\TacticalAgent\python\py3.11.9_amd64\python.exe

Filesize
100KB

MD5
36c241133b4dbb462e256e1f71fd3978

SHA1
9d5e522e58db2aec26f97ffb9494e91e303d2215

SHA256
5f7b89a612c9b8af1d6456cdfcd1dbe5ca630849e79aebced9bee9a6694952ec

SHA512
d7778924806f6dcd4edb13aba4fcdd3344095c23cac77135aff0df7107b729e97552980c0a580f72c77be342a2878b3d835facba1b5c7af65e1b712e7a68410b

Download Submit
C:\Program Files\TacticalAgent\python\py3.11.9_amd64\python3.DLL

Filesize
65KB

MD5
7e07c63636a01df77cd31cfca9a5c745

SHA1
593765bc1729fdca66dd45bbb6ea9fcd882f42a6

SHA256
db84bc052cfb121fe4db36242ba5f1d2c031b600ef5d8d752cf25b7c02b6bac6

SHA512
8c538625be972481c495c7271398993cfe188e2f0a71d38fb51eb18b62467205fe3944def156d0ff09a145670af375d2fc974c6b18313fa275ce6b420decc729

Download Submit
C:\Program Files\TacticalAgent\python\py3.11.9_amd64\python311._pth

Filesize
79B

MD5
100fde37fb5a1c52be24384742b2becd

SHA1
eefc7f71c51429268602015b8e6544d1dd04be60

SHA256
eaf714069da6bf371d13eda976ddf679e50aab42d7facbbb06e2bb3ab7388cbf

SHA512
1699600413598da8767e17623af480abd12b899b2de7027a23ed0f7c86a485be0853336243d4352ef8c18d9bd489c601855b47c46c9346f2481125c8fc3fe780

Download Submit
C:\Program Files\TacticalAgent\python\py3.11.9_amd64\python311.dll

Filesize
5.5MB

MD5
387bb2c1e40bde1517f06b46313766be

SHA1
601f83ef61c7699652dec17edd5a45d6c20786c4

SHA256
0817a2a657a24c0d5fbb60df56960f42fc66b3039d522ec952dab83e2d869364

SHA512
521cde6eaa5d4a2e0ef6bbfdea50b00750ae022c1c7bd66b20654c035552b49c9d2fac18ef503bbd136a7a307bdeb97f759d45c25228a0bf0c37739b6e897bad

Download Submit
C:\Program Files\TacticalAgent\python\py3.11.9_amd64\python311.zip

Filesize
4.1MB

MD5
3b0bae146b23c080c12d499ca769bc65

SHA1
b64c07c68b391080aaa537ebfa48bb2e7306a69c

SHA256
7d0f59c930e7d3d9352399ea3c95c0272489b3c09a8e95faaedfa8a23e20e5b1

SHA512
39a82f62b4805b24bb7e42e8c42839d3b31853654751a343781783390151b84e4638a4d2bb87f0e5f074a6c2503b0b3f6d1e754d47a06a7c1034105ff112e0ae

Download Submit
C:\Program Files\TacticalAgent\python\py3.11.9_amd64\select.pyd

Filesize
29KB

MD5
e4ab524f78a4cf31099b43b35d2faec3

SHA1
a9702669ef49b3a043ca5550383826d075167291

SHA256
bae0974390945520eb99ab32486c6a964691f8f4a028ac408d98fa8fb0db7d90

SHA512
5fccfb3523c87ad5ab2cde4b9c104649c613388bc35b6561517ae573d3324f9191dd53c0f118b9808ba2907440cbc92aecfc77d0512ef81534e970118294cdee

Download Submit
C:\Program Files\TacticalAgent\tacticalrmm.exe

Filesize
9.2MB

MD5
bb383b7c3d5e4acb1001ab099b5b0f3c

SHA1
cb0c85f84a454aa4b1aab02bfba47c4355c2311e

SHA256
a6d3159c858aa3704f35d69b27829618ad0d1bae894c848a5233100c17464f95

SHA512
157dda96d1cacea55a6be27b9d432225b47d7334e664e577cef82a14c7eb1be1b8b84423b3905a4c1caecb5394be264d9b5c3e32109a4893e51a9d406ce740be

Download Submit
C:\ProgramData\TacticalRMM\1568585474.py

Filesize
114B

MD5
f2d59ef80460a0bb49989102d7b982bb

SHA1
442e18380cde0c438b9723e42ca06ee2617456db

SHA256
49ff789e3999cb3759015e1a5d85a3b6807d19c0b9db2674618a258181164527

SHA512
66477dee59369e9919621ccf4fe7024a3bec7e6f6e2d30981e88f7d78d1743801780f07a0f9cb98c69e518be22340179cd14d8b5ae40d8db993fb771ac3a573f

Download Submit
C:\ProgramData\TacticalRMM\2184275981.py

Filesize
167B

MD5
14c2bddac34109e4bf190c93e175ee84

SHA1
d4c3bdc6b0c1568553e2189f3aeac5b0851673af

SHA256
8eb837aa261848788cbdd8ef39bbb68b2d0ba22cf9a62f9a52c5180c6d6c83a6

SHA512
75e63a70f4d85956c47e0f2af968e7eff076de13cc780d1df50946e516bb3b21f1c55e6049515f673c690d8bfa23090b9cfcdeeff2f17578e486fef64b680530

Download Submit
C:\ProgramData\TacticalRMM\tacticalagent-v2.8.0-windows-amd64.exe

Filesize
4.3MB

MD5
2f046950e65922336cd83bf0dbc9de33

SHA1
ddc64a8b21c8146c93c0b19c1eeb0ef784b980c6

SHA256
412e1f600251b21911c582e69381f677e663231f5e1d10786d88a026e00ea811

SHA512
a11cbf8b8b692d2d5a0e3af5a97f91a3d1f3e7aa39966eb7d62b3244b3913f2fdc21823d5c94de0d98e579f801709df44433af91567356361d5d9699a93b2cbc

Download Submit
C:\ProgramData\chocolatey\choco.exe

Filesize
11.1MB

MD5
81bb68ad26a6e56d94589a286cf39028

SHA1
77b4988bf328666fd214f1e7651e2e58a7c677fa

SHA256
523069aff82f8eafc993b3f901afe8865f835026efda1a75afeac50eb2f4041a

SHA512
9e3f168ac16c130f028cbda1ac3ec62d607f872080f2dff260ae853854538b9e7eaab3bf4077df9b2674a172fa1f239ca1c019a1442054041ea17c867930a74f

Download Submit
C:\ProgramData\chocolatey\config\chocolatey.config.4760.update

Filesize
8KB

MD5
a3f016f5f2bd742ff1591950260f6f75

SHA1
7feabbcc2e2d51c09065071f58da23990e215b72

SHA256
6621f97fca4589b04e4c9a835344371fc3ecdf1f4cdac5c1492c05fcc23629f3

SHA512
ad6a96131221f3e8ac1e5bfc094ae1c09344a65f84b73d6933650e26417a569275e049b564b4c954641c7906a5fbbc886e37fa4a4bfb8216ccf3b519d09c7250

Download Submit
C:\ProgramData\chocolatey\config\chocolatey.config.backup

Filesize
809B

MD5
8b6737800745d3b99886d013b3392ac3

SHA1
bb94da3f294922d9e8d31879f2d145586a182e19

SHA256
86f10504ca147d13a157944f926141fe164a89fa8a71847458bda7102abb6594

SHA512
654dda9b645b4900ac6e5bb226494921194dab7de71d75806f645d9b94ed820055914073ef9a5407e468089c0b2ee4d021f03c2ea61e73889b553895e79713df

Download Submit
C:\ProgramData\chocolatey\helpers\chocolateyInstaller.psm1

Filesize
21KB

MD5
8feb9f84cfd079bf675f4c448eb62c27

SHA1
f0a7c0eb89c94a81d72efaa0d4e72a2acf9a15a2

SHA256
4af7d8dcdba7335f96d4d7f9b7ab75b29a890380d8c7c35c59f60739db8a604e

SHA512
34346669024dcc273338913794103d16b723fbfe7d3fbd6eb89d3561b4e7134906fdaeeabcdaee653f452a9917ed48ed79fbf56e507f9e41e4adb7b4f32f48da

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Format-FileSize.ps1

Filesize
15KB

MD5
c1e5f78407a38c0f2bef0839274a30d5

SHA1
2e5d91ff054720b94e7795474e23fbe202635165

SHA256
d47a44752fd6a983f9ab0e48aa8b12a2b0bc772ea0bb380c64723bb8e0b2ccbb

SHA512
81c22988af2065e94e4420e1b71d1bd2c12406a74f0984c7183a4905d4cc397a71728a9b0dc41ea625bb12e231fb002e3c965f92f60bcc12e5b0be81b26e056a

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-CheckSumValid.ps1

Filesize
25KB

MD5
32fdfad78eecf1a6936525069d0eda09

SHA1
bf1f751146e73887de2c54a183d70a005a7453ab

SHA256
0e34c0c610bad2bca1c36e24908003886e6e8d506a7ce5cfee85c921faea61e9

SHA512
e9b9645391589365969e990967b5133de10090c212d000638c1553d98fdf7d0e6f99d9284d6f9f7385a7ffc2d37038bb430ce79bf3a44fa652ae745907833665

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-ChocolateyConfigValue.ps1

Filesize
15KB

MD5
7686ed92bc6bc3606d914ac3d6555d73

SHA1
6db9151efb0c2d693ac2acb8099967a7c32fe47b

SHA256
83eb927efcd495e15fd4ff5d043e1f0cf4b2dceded9aeb5a4af3db0cde2bfd8b

SHA512
df7c252898fcf6829632b3d576b72c2a3232b24741fcb1ee50ebe7d7bafe86e0cceeb75f08b22ae177e57c6758572842b341c7d933f229d9d2c99388488b120d

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-ChocolateyPath.ps1

Filesize
16KB

MD5
1235a3a21c64fe5563c06f65543d7d77

SHA1
204bcd4af12c7de4c83b2d2cdb22955e6c2eacf2

SHA256
18f1e1dc7ea4c3daae3fc51fd1373330c0132270180ed93bcac7a1d2843353f5

SHA512
b51476e608368120458d276b662a860cb863cc64f41556099c1bbd5c901b3a300b8d4266f44003b14a9d3d25a0832db7afe2c025858ff9d3c194acdabe0ef237

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-ChocolateyUnzip.ps1

Filesize
25KB

MD5
37ce9d39ab4ab1d9e9d9373173152e1c

SHA1
a0e06df561391156ac3623f56afa824173a6e34f

SHA256
bb77491d99fa16f09048e81a2cedc29f3e6397d0d166ba2f72317aca04347c25

SHA512
9f9b21df7bca9c15fac1582900932f77d6fbd1e80ec751d88141a6479d78ee2622df1b96bf1606c0df3c3cb0a7f553b5a8567c30590cbb1260dc8614dda8de49

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-ChocolateyWebFile.ps1

Filesize
31KB

MD5
5c544f7d387ca56993a00e0a132a2e93

SHA1
8214c283a1cda735803e8e2b76db9715932b150a

SHA256
5a763e6f6895fb36c99c942c56b2e5860e316978ce61ffb6d5a4599b357eae4e

SHA512
2577d38f631b8061bbc9b73ad0a33b47dc97929ba463141c6c9216cdf1219a278b30ea8420c399d72a440065954a0a54f01546dc17f34fce0151f35de87caa3e

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-FtpFile.ps1

Filesize
22KB

MD5
be4288d0cf3bf6203139f32b258a2d2a

SHA1
5deeb81fd84ee5038e08e546e7ee233dde64c0fd

SHA256
a0d1fcec293a9d8b1340bbf54194884ef1c7495c3cbe9d4d5673edf2e5ccfb43

SHA512
86090ee2fd2a77f8b38e3385af0189a657583e1ebdce2cf8ebd096714ae2081f9c62306cbc5712cd15475309d8c1ebc340842936afbff4bfee1c148f8626d47b

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-OSArchitectureWidth.ps1

Filesize
16KB

MD5
96ce9de89c3e9d3afa2107ae3d30630a

SHA1
0856953bf3b426be54f6759ab1ec9be6a35c631b

SHA256
30f831b5189132d642edfd7cc9e4f44b11ae357652e1748073d94206544d4b77

SHA512
4ec2bd382fb306aac0da8009e9e05e4e5b6b0ef248718415c1e255935d70a4d9211d98adb2992174660f07eb0239c8ac2491734d6c6d1e957b72ea568df6e012

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-PackageParameters.ps1

Filesize
21KB

MD5
847e9548a2e02e2e4d73f7fa08467e67

SHA1
022e03be3a51aad9b3c0ef950c3eff14d09343e1

SHA256
d537580623ca8088692ad463e8913a83edb50963bd4b3b2b7b579e4e2b3b71f9

SHA512
4c6ddbe465adc27bc97cb684a43b6baab59bbf21b8d8a2bc73d6ae618a6dff4816f139a246558e0b8c49fe7d2d5068f16f19cc132f21d7076d833764aa24f86c

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-ToolsLocation.ps1

Filesize
17KB

MD5
8e6fa8b04f177d447f161517548f4d47

SHA1
b39f9c37d1db563aa25298b60bcd5129bc6614c4

SHA256
10ef1bd8a810ee08f601a207ac83a4c7d9ebad1a4777378cf3749e3c56b98c48

SHA512
44137b572237b5b1fea00039d5cfe10f182f20595740e185f40026c87b07d3c05e1eb1fae82f4919c6795a0acdb79dbc9d28ba78d8f16e6dc32a42aeb5b74331

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-UACEnabled.ps1

Filesize
15KB

MD5
4346017feb0a9b795191efd686b789c3

SHA1
b58d82c54a00fa402199b5efec3bae97c40c0d15

SHA256
3f0c1c8c91696c6ae9c0e41589319d200d2c4bd16cabf4e2f1a11fc947a72f91

SHA512
680172309ba9da0ed0786c7b1bd967f6a3d09e9989d14d85c6566250c83dc2d997d48f6fccf2faccca6548a56ddf39f2d577806f5325e558670442c26607a22f

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-UninstallRegistryKey.ps1

Filesize
19KB

MD5
5d9a27ae842c05255f5a6e7f2465ffe3

SHA1
59066ff2d8da1a2f552cf61c484400affab5aa2b

SHA256
573fd644bee61bf85053989c7111be4a33223ce9bfd0ae5f95e05382fa08a1f5

SHA512
b0cb5641bca08c03cbc9e57aa12a06f255f1888b76d32b821561b9217d1d293b6c2d5188acf483bcaebe3c83afeead2aa308b3741fb8a171cc23b8fd472ff5b1

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-VirusCheckValid.ps1

Filesize
15KB

MD5
4aacdca3061553326f51b0938232d897

SHA1
6df122a2c6d7d5954915a871494a5333601e5f9c

SHA256
73d85aa2297033f106a0c8c3138efb9ad36f97ed108e040f12348fae94c56f74

SHA512
c74b505b20da653ef68615df221508b76937cdb7956f54c6a07d314283e3fa8b03ee1e14d0d49c0fd6b99c2d8e126678f97645c7ab4f340cd58f1566b4e42eca

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-WebFile.ps1

Filesize
28KB

MD5
101b16272234051204428a4e53b99113

SHA1
f1a08992c63f405838838c26d309a1f918ba312c

SHA256
2dc9ae2d1de175e6b867ff89f84ba25d08dd5f41b84e2818318ca23f3eb5797e

SHA512
bde4deb19594733afd878d8e804787197ab894a3d6c60eda32f393a0445e59eac60240028d20b189566efa34b408b784e01967cd83811f77ac82a9ea6d75d9c0

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-WebFileName.ps1

Filesize
23KB

MD5
22a06bb57eeae0b3c1d63f0b23c83541

SHA1
a2dda0d44ff38b0b248cde072c95707b183c40ef

SHA256
db062d9d09d7dae751e626bf97138eae6e9350112e2738cb3be9ef78dbdace1a

SHA512
c243228df368d3bec03bbaba9a91c7c966d089d982937ee18c53a2a6fc217b08c029d5b62871b55fd84859a30d60037f013c26966237d1c2b14b6d81e650488c

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-WebHeaders.ps1

Filesize
20KB

MD5
5540d1bea1c41384c0a44be773820695

SHA1
adbb11f9371154d5bb440fc522ea68c3730d684a

SHA256
1d15d738c319132c792ac6f8820f50ccb0fc32597e9c886746bcc31fcce2c683

SHA512
1e870c37493f2ec59468b27320e249422912ddfae8c8a60338e6754e16d809c7572694ca369e0a7e67c6d3607b4262e2455f66ac855b451f6bbbb0e772119e4e

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Install-BinFile.ps1

Filesize
20KB

MD5
78e046bd9c5524eae4c290c5f1d8d090

SHA1
0200b5c106effb26fab84e8b432725f626cea9ca

SHA256
767fd247f1f93cac6188ba1a0c3398b87cf3178e25ded4a16ced7e9bb3cd27f6

SHA512
073ce96951bc1a95d31eaf4a6d6ed7ab7e876847d88b6ce38b31cdb0fb28a6fe093999010c9a19fdba6acd87c1a6e1ebf6085448122ebe6a97b9015cd904715f

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyEnvironmentVariable.ps1

Filesize
18KB

MD5
b7412f3a46a112d74783b105c5cb0638

SHA1
408a73cdf57ced4256526e5c699699a2fa089086

SHA256
223f17f84d214c9fa9478817eff65a2681d505dfbfb6b81a2121e446e9614000

SHA512
afa565f67cbd19789825f378c1fa7d468b6b3018ba574be2a225774e26a31c35dcee18eefbbfb163e1687420084a52667642c38b68fe0695b3294fd480386f62

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyExplorerMenuItem.ps1

Filesize
18KB

MD5
cfbc57e6f8b07ab19d0a2658cf790306

SHA1
4f90b9c43645e2370040f40e88ccd48628a7012f

SHA256
1e2fb44e0be817b5e16a03a30502c65f61dddc551bd3923ea571e3f83980e049

SHA512
f4af36cff89378e138ccbcb58ccb0204bbb059097dc5a566368c3dea7f7a1fac9a4a174a9e84b221bb83df0d5b3ef7c04160f9f63106cff8db859321c803b3e8

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyFileAssociation.ps1

Filesize
17KB

MD5
564e96072345c9f3f4e96e32d95108ec

SHA1
4f83114c167c77253870f837b83db806ffbcccdf

SHA256
a8e90f1f01264ac52e7523394777616d06a53daaeb16868f3e8a06426fc0e586

SHA512
80d0264ab8d51347040296c758d6fe0282442edde39d20115ff632770eebe71421661cd23c3a8d200197109f2507e5e72197209417c5d10beef182004a57ac49

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyInstallPackage.ps1

Filesize
28KB

MD5
5e189d783f6f603161b85c157ac6c0d4

SHA1
4303565e26f06b5ff9f6cbcc889ac5ababb8d930

SHA256
09e1973a0286c5912c7f233fce89b2efd9347efdd085869437d9fcbe69a5c5d7

SHA512
2fced12cafea173c86c3f47a7be856b9d4971092881056c0150762e885277adedb1233352d376fb3690951079f5d6a2d1a8643531dedc1006a678c0d7c145f94

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyPackage.ps1

Filesize
30KB

MD5
5e6faf3925a572faab69a45cb05e8352

SHA1
bab071428238635e6290fa2741bd63cc803d73d5

SHA256
16b5df14198360715d06a5f12f2b1976d38e729bbe37748e0cbb17f57c4f367e

SHA512
453f3b6a672a521fadbf7966cd84efd011fa6b9186a08234c3ded39e43e898ab0a48229bb46661710c16dafbfd889ab4c45fb34bc0fa01d4a30122a8ace7f478

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyPinnedTaskBarItem.ps1

Filesize
16KB

MD5
e26dfd45f80e72a07d8cce6ce2692b28

SHA1
7b97a013651daa86133cda74101d643e96fdc1a8

SHA256
dba9b9e9329fa5d918b1e941dbfed9363a616033cdfcad4a0c60af9c41c4c4ac

SHA512
d7ba6a76b53df979f923fd819679e2a15cdc4a55618a26cfdda8f8455469fcc319bc502cdb77d602ced1d498386626d891c30326de96538be240069e9dd54aaf

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyPowershellCommand.ps1

Filesize
23KB

MD5
5e5319e30be55a660e75a5bb04219ad5

SHA1
8d7457acddf8257c6c9651e3480bf4ee72699361

SHA256
aeee93f35724d656a73d1572522fe9b985fa1cae6978b0405398ef9327a1580d

SHA512
80534b6a71b8d0a216ddd13556046c86275df088208861c6f5ab0c88301a785ae2eb685266892381d47d2b3ecec25accd476377be146c8e51cced57a0aa10d63

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyShortcut.ps1

Filesize
22KB

MD5
65469f9f27a5dbdef060a0560aa0db7c

SHA1
fe49184d2db322a919513c9667625efa9009a632

SHA256
3410aeb9bc5106b29f2c4cbc74c9febdc229c569153ddb1e41188a7396079a3b

SHA512
8b6ba9ece1f8f53f0e5710dbb7330bf2dcdc8e8f844627bdf54670fea9040bc3239b1673291f1682a5bb404cf9d11e9a1732a1c5484bfb05b0f77db6af3138b5

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyVsixPackage.ps1

Filesize
22KB

MD5
e0e54825bf32d160b62c691d2f314611

SHA1
6e89de9aec3f94c6e046fbb04be28e33a8fc8732

SHA256
4e982ce84c225c6870cc78120e5f85fb622756feff4c7e8eb7088473a2538620

SHA512
6f6d018cd2ab86553746027953439c8c7f1251e5a4bc7b8514d8416babee69d8ee8c7c7698b4f1bce4f2fa815a35ebcbf5bd81580b629e5b2bb20481e9020166

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyZipPackage.ps1

Filesize
23KB

MD5
7cb49e4054a7cc234f428faee99d0ace

SHA1
86acfd18a8a274fb4bd0d745a23b501016851b6e

SHA256
ddbdd5abde46f4aa7d5bd472f3d2b1182835a6739c9194aac70749c4bc1fba4b

SHA512
86e27a5a58736ed0c0c2fbb11d7c744fc437a195f768ea223817eca6b4225b541e6ed554a2d9e27626fda793603d1a41e6ff52d39af060c4ca1eea557a52789b

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Install-Vsix.ps1

Filesize
16KB

MD5
05ee41715ae0ccd260cb385c3727d607

SHA1
afdbd2d4a0fd050d20af8e107b2dadddc45ac49f

SHA256
dad0ef31eb232c6c189e0ad947e62e71c5239bf2dad8f9d72a06cf3544a427a4

SHA512
1314234805a0b1048e97a5644c4084254258d9a525fd3175a893c4b0aa37dd682e13bcf21e13355593b4ade7e823d190ca695b4edba04f3e5136d65fbe856dd4

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Set-PowerShellExitCode.ps1

Filesize
15KB

MD5
a917ff0cdf22fe0543dc06713d9cb160

SHA1
efad7626fdf18230a8f9a2e6e0e9df7639d3b600

SHA256
fffb05319b00efb87d2705760ef351c11ad2b1913469635b980d386310bf0e1f

SHA512
505aa2b2559511bbae8124ca4898e003e6b494a3e4db7b13231d1007f23829c595dd1cf953e50bc67e32ea4a967bcd51971625be9ffc8757f57f75f6e106c6ba

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Start-ChocolateyProcessAsAdmin.ps1

Filesize
31KB

MD5
1de230e139174065c73a46f5917f27b5

SHA1
80e19d04dd84da6904b696e4a1caa93953eeda86

SHA256
694c4daed9add47d4ece4bd07568aa57dbc1f3316426f78ce5fd1ef2f2ce2625

SHA512
93549f700b93115939075a9bbdafacbd2500d8c4c02a3e0312bb0823b09850a8575e2ad8d8b6c4dbf62838e2f383bc94321965b45af73b552797100306d6d2f3

Download Submit
C:\ProgramData\chocolatey\helpers\functions\UnInstall-ChocolateyZipPackage.ps1

Filesize
16KB

MD5
bce016992a8576f7a481c6d2962e0879

SHA1
4a7a84db35e3a2d43d7aa0980c0342dd164a16e7

SHA256
599ea45533dc1ab68a9646c6a88b71f4fc11a8669fa3ee8f41360435ca8816dc

SHA512
4dc541851496a407a26674bb302bc3b624fb9d6e581f1ee61dc34daa0d031648f02b5c2fcc7a0002ff96becfa75264635933a503f570ee425d418a22ebd50a8e

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Uninstall-BinFile.ps1

Filesize
17KB

MD5
56afaba9f733028dc1d8e03e21be15dc

SHA1
fd16728498a14961a97ee1a80b9ffa3f3bc3b6d4

SHA256
f706530f0cdabb2f02c9d5b70d7de77d1f02fc4f6730c815ff8410dcf208b9fc

SHA512
54090832d0d6cb1439986190da356c7cd5caffa052118185a6336c0d73f87b937dc5548603f843ab2e5302103ced01a2a9b1f409c4057db5e1aea4a5c7c4dcf7

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Uninstall-ChocolateyEnvironmentVariable.ps1

Filesize
16KB

MD5
f3d779698e09e13fbd55f0a5c6914616

SHA1
44eef7c9b8563cb5d7489abbe6f5158484aefb64

SHA256
c20b736bce859734c4497c6d5aaec13bfa3c201461cc02f48a7539fea54be59e

SHA512
ab266effc4e26d5b04a3a5693e57f979c780a6d7590bc27090225cb44a831fb7a2396540323a70f6456cd7806e00e9738dba866b0bafdfb0226a962e38aca0f0

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Uninstall-ChocolateyPackage.ps1

Filesize
20KB

MD5
bbd9b99d0ab44f6e4a9fb80d6f3a7afa

SHA1
f3a980d5493597144fdbbaad86f5207c2e39e08b

SHA256
07ced451a144a7f6e3fd24d19bfcb2e2a5ea49a969a036754cb833dc2d2986cb

SHA512
06ba6cba2290e4bb6ff3adb09961a260ce811f25a97a2cef0cac7b25e94fc3bfa177fda21b69f9f6ad62901578f16d9716eefe60dfd76cdc925eadc7a730d14b

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Write-FunctionCallLogMessage.ps1

Filesize
15KB

MD5
7fdc886cd1db91065a017a76c9096aed

SHA1
6029f809be8ab12cbe0f25552b25fcfc757dfdd8

SHA256
117e7bbfd11da2f5bd00f66aa004837dd774485e96334fb42b8ac537f4fb012b

SHA512
d5eaa0cdcc09a0673320a1be26e628e067182ae93b9aded6cf275faf68fba7bd6002e1d446bc9b8e9377221de4611058ba32fdc6b4fcb2e53795c3e202c828b5

Download Submit
C:\ProgramData\chocolatey\logs\chocolatey.log

Filesize
1KB

MD5
c3b3c14b05a394822f183260bf85125f

SHA1
6331d3a8b95f3ecafdc3eb3cf5daf2b7c7cf4246

SHA256
b9604b66381d0334d3d519a24d6a7aeb343e2016e0d3edde30be8885b465d7f8

SHA512
d570d8323e118c01642aa98506927d3a0603251d56ecefebc3ada3bb3e9fb4596b9ea3506ec27f34d96cef9d6ecf98e2b27fc0541c457c3817c6f55645518b5e

Download Submit
C:\ProgramData\chocolatey\logs\chocolatey.log

Filesize
2KB

MD5
1030ac520eaa92dc295705140b2821d6

SHA1
bd3a65d0689acd5683d83c7ed92ba254eaa74784

SHA256
36dcf4534ed03e1c21ad8fc3aaa2143097b7bdeaf1c8a59bac8fff8e98954f72

SHA512
7dd7710e2d9b64c034d8995f8af7d54d01805c7f1bb809c0f2eb65b1f753b38c510be8eb2c173d12aee9e164a940f4fce7865fbb9eabf7e05b1fab69a3a64323

Download Submit
C:\ProgramData\chocolatey\logs\chocolatey.log

Filesize
4KB

MD5
8464699713259c0e10bb9c6cbd34a1b7

SHA1
367c0f3956db0fc9edc528df10cb1ac1eed27c86

SHA256
dae2135e276551a1f7c01fae2c9bebef38faccf0d61e6f9cf325b4df978766d7

SHA512
66890949caeae51e360b5629f8a8291bac58b8fdcd4823022c8931b3c6743691faaa9088599da76e3a71abf7ccb1018c8d9486ca9b4c526fbef5235f4db11bf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KS97S.tmp\tacticalagent-v2.8.0-windows-amd64.tmp

Filesize
3.0MB

MD5
a639312111d278fee4f70299c134d620

SHA1
6144ca6e18a5444cdb9b633a6efee67aff931115

SHA256
4b0be5167a31a77e28e3f0a7c83c9d289845075b51e70691236603b1083649df

SHA512
f47f01d072ff9ed42f5b36600ddfc344a6a4b967c1b671ffc0e76531e360bfd55a1a9950305ad33f7460f3f5dd8953e317b108cd434f2db02987fa018d57437c

Download Submit
C:\Windows\Temp\__PSScriptPolicyTest_ieolqckq.zxl.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\Temp\chocolatey\chocoInstall\chocolatey.zip

Filesize
5.2MB

MD5
fb8a8797df8557e9457f51e6afa50719

SHA1
6197a100c32a899e08255f9ea81d5576aeb0109a

SHA256
2506845399044f126f9503fa74b71c42fdb2efa4b2b88d141f8f7f828f787ade

SHA512
8230ce6a4a88aa51e3346c52970fd19960f653ee69e1fa679869c32b14990b0c585876b3bce5cfe5cfdf7afd4db15eee5e38f67f2151d79fc1d4c1a8c13cc94b

Download Submit
C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\CREDITS.txt

Filesize
54KB

MD5
f83cad2fd60c8481cc758247cd3cdba7

SHA1
51ceb9559258dd0fa7472d4398858f79ef92377c

SHA256
869c97ce5da39cd5a8e022ff8d699ae0d0475da92a86785ac272ea56d11e7dbe

SHA512
41d46143f4ddbf68e0331b9eb1ffefd9efac6fb32fdc216eedda47da441313fe8f4f36b5667701f4d4dc3222c7f3b921f7a3aa9dc09d22a3893d9465ee0123df

Download Submit
C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\LICENSE.txt

Filesize
670B

MD5
b4ecfc2ff4822ce40435ada0a02d4ec5

SHA1
8aaf3f290d08011ade263f8a3ab4fe08ecde2b64

SHA256
a42ac97c0186e34bdc5f5a7d87d00a424754592f0ec80b522a872d630c1e870a

SHA512
eafac709be29d5730cb4ecd16e1c9c281f399492c183d05cc5093d3853cda7570e6b9385fbc80a40ff960b5a53dae6ae1f01fc218e60234f7adced6dccbd6a43

Download Submit
C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\choco.exe.manifest

Filesize
2KB

MD5
1b3ed984f60915f976b02be949e212cb

SHA1
30bccfed65aef852a8f8563387eb14b740fd0aa3

SHA256
d715d6071e5cdd6447d46ed8e903b9b3ad5952acc7394ee17593d87a546c17fc

SHA512
3ec5b3b09ef73992eabc118b07c457eb2ca43ce733147fd2e14cccde138f220aee8cb3d525c832a20611edb332710b32a2fc151f3075e2020d8fd1606007c000

Download Submit
C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\helpers\Chocolatey.PowerShell.dll

Filesize
31KB

MD5
d5d5c05fc33a0e124ec803e0349c6b7a

SHA1
ba776d42dafb8096c8171fd4d3abf292ad68c94f

SHA256
8e85eb27ec529f30af635884d6ed605a64c5f261b761d43acabd3fbc88e00120

SHA512
9b8b53238538e35a965822098abe76cd25bab28a755de3a28eea2228f107a620128ccfba89e9910914a7d902b7a165dafa4baf48927d2036e7563176685ed3cb

Download Submit
C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\helpers\Chocolatey.PowerShell.dll-help.xml

Filesize
58KB

MD5
4aea8ae4fce73819e9ed3f0d1ddcce15

SHA1
9929df74840ed8bba92cc143856e6bade4e74706

SHA256
dae3916c3cbab1e4fc6ec9afb052d878dfb6df4430b1cd7db2fee836f9fc0dae

SHA512
5dda75da0f69a45203144ab596a3234dc0db4b713d7460aef2ff0ffa541bf0aa6a2f0fee2028755a5662d5d9c76e5101e3a181a540340cc3028498aaf93442c2

Download Submit
C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\helpers\ChocolateyTabExpansion.ps1

Filesize
30KB

MD5
e9560a5db604a37892506434cad8da5a

SHA1
764dc0254f2fb547ae0700056d0f21edbd26cdd5

SHA256
58528e116d09a434872a38eb3b9dd125216fa29a493b795f49cb49a4c8bf2e0a

SHA512
ab839d9f681c45ae5dac4274de0981f7a90e33e47a6b0b1925aac9f49bae022e88283dc65e7a7de6b3a02edc28ec0cfeb63ecc8dcab2e7dfd8950f49ab695631

Download Submit
C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\helpers\chocolateyProfile.psm1

Filesize
15KB

MD5
0637a9e7b868959a070b0cf2693178c1

SHA1
271a52fa8d36e93e9f36ff8b454243ea106a680e

SHA256
ed69cde7544efe46ecbc66b10edc55140e49cd2fa17f5ccf0e214d769e3cad2b

SHA512
7c8067f7fc9e09ca36cd098c10fb52dc3b33be053d70c1666f418307adab85e4226ceaf15b893a7f9d37c832ed55bf0ae586390d676dba873ed2ec0b900d1bbe

Download Submit
C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\helpers\chocolateyScriptRunner.ps1

Filesize
17KB

MD5
0870ae75b1d8f0823ad8bb05bbdc90df

SHA1
9f6a23ac198321235d3d0b1ef1547863fe7c680d

SHA256
859cfa5d9dc747a5bc5651331977beef2177cf8335a24a8f0a26d7965fd66944

SHA512
3bae1a9c7a7610ec86c5187de2ccffd295bd0d054a86000fe76a5d375842b98806a6d4f227dda5b0ab289b6365d664a2c3e55891add3e5cdc22efb75a410894e

Download Submit
C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\redirects\RefreshEnv.cmd

Filesize
4KB

MD5
cc04b34e013e08cc6f4e0c66969c5295

SHA1
a33f1cb08b56828e3b742ee13cf789442dd5c12f

SHA256
8b6b1d8f6bfab3dc9fbee30d6b2f3093ea3eccd5c66e57161dbe1b8f703fa74c

SHA512
b485af21fcbb699d783e64e035595be7a117a1d6af62166c6d50ebd59ed8953141444f17f3bd07a865c9dd11aa7c75d5a4f2bdfb8b739a1668d055779f0d0c10

Download Submit
C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\redirects\choco.exe

Filesize
143KB

MD5
3ba75f6c247e087f6a62abd0eed1e1fb

SHA1
09bac37ae2c6089675669351401a0e24ef0c29c7

SHA256
0a8346b38cf7b727976fb29470106469004ff59cc7258d4f885803c70f992d75

SHA512
0fe690063dd13ebe6455fa298f933acdf2a12421a6b4ca6798255240c14018c705a68673a193d3f6cf7a03ab08c973284df9760416a13cd9a469197ff9dbe22f

Download Submit
C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\redirects\choco.exe.ignore

Filesize
2B

MD5
81051bcc2cf1bedf378224b0a93e2877

SHA1
ba8ab5a0280b953aa97435ff8946cbcbb2755a27

SHA256
7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6

SHA512
1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

Download Submit
C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\tools\7z.dll

Filesize
1.2MB

MD5
a1a9b229e66a8a6a66588f170029a9e7

SHA1
eb4f3e3cd35a55e8f064512802e72b06d5ebc7d9

SHA256
07f88bae90a4c49e200981445d78683c5ef21ef71bb6927fa7cfd59bca431e80

SHA512
c647dba0743a177c4efe01cf321d66669c89fbc5d8f448c33199e6506244da8b69a512c7319c6fe33efd2d43544171b612e7b094ab7e68def7004faa972580fb

Download Submit
C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\tools\7z.dll.manifest

Filesize
513B

MD5
8f89387331c12b55eaa26e5188d9e2ff

SHA1
537fdd4f1018ce8d08a3d151ad07b55d96e94dd2

SHA256
6b7368ce5e38f6e0ee03ca0a9d1a2322cc0afc07e8de9dcc94e156853eae5033

SHA512
04c10ae52f85d3a27d4b05b3d1427ddc2afaccfe94ed228f8f6ae4447fd2465d102f2dd95caf1b617f8c76cb4243716469d1da3dac3292854acd4a63ce0fd239

Download Submit
C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\tools\7z.exe

Filesize
339KB

MD5
96b85d45cfe551f87e5f141ee18bf82e

SHA1
3b21a8ec46a782bf407174fe6f328ec4649fb779

SHA256
8b9f09e2bcaac9166a0f87525864f29c868f2cb8b779ca6d3d63b93b388d5c89

SHA512
24e9de5502929d9104411e7f465327998a8b997de46670db6a8f009755576b93d93e90f6bc08fd7406c9e37859e24b54227dac610ddddde152073aca0e5924ca

Download Submit
C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\tools\7zip.license.txt

Filesize
3KB

MD5
f4995e1bc415b0d91044673cd10a0379

SHA1
f2eec05948e9cf7d1b00515a69c6f63bf69e9cca

SHA256
f037e7689f86a12a3f5f836dc73004547c089e4a2017687e5e0b803a19e3888b

SHA512
e7bb1bacab6925978416e3da2acb32543b16b4f0f2289cc896194598ee9ade5c62aa746c51cf6bf4568e77e96c0a1014e4ddb968f18f95178ee8dfb1e5a72b96

Download Submit
C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\tools\checksum.exe

Filesize
38KB

MD5
d97ae723b3d204ab53aec2d7eba7fd83

SHA1
820f87e99a3fd7d57325e3607c557daad23db055

SHA256
3b87ec9eb4e055fdb23ef606585fc26c651e4379782cbe507e11e3b5f477a32c

SHA512
0414153c9320eb9da95c887e9033b778305cc2947269c8a3450163c11d086e8ff0fa2dfa8b8d7aae5187cbb63c96e7b296445fbe050a24c08737b5ebc0121d67

Download Submit
C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\tools\checksum.exe.config

Filesize
150B

MD5
e9ad5dd7b32c44f8a241de0e883d7733

SHA1
034c69b120c514ad9ed83c7bad32624560e4b464

SHA256
9b250c32cbec90d2a61cb90055ac825d7a5f9a5923209cfd0625fca09a908d0a

SHA512
bf5a6c477dc5dfeb85ca82d2aed72bd72ed990bedcaf477af0e8cad9cdf3cfbebddc19fa69a054a65bc1ae55aaf8819abcd9624a18a03310a20c80c116c99cc4

Download Submit
C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\tools\checksum.license.txt

Filesize
95B

MD5
a10b78183254da1214dd51a5ace74bc0

SHA1
5c9206f667d319e54de8c9743a211d0e202f5311

SHA256
29472b6be2f4e7134f09cc2fadf088cb87089853b383ca4af29c19cc8dfc1a62

SHA512
cae9f800da290386de37bb779909561b4ea4cc5042809e85236d029d9125b3a30f6981bc6b3c80b998f727c48eb322a8ad7f3b5fb36ea3f8c8dd717d4e8be55e

Download Submit
C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\tools\shimgen.exe

Filesize
555KB

MD5
189a2921a8f10ae9fd38c0cf187327ed

SHA1
dec460a7fa6650ec2a36905f7ed52221bfbe930c

SHA256
83fecbc76fdfe6a72bf23e7b9d14dcad8cffa92b019da5dececcc6a128db05c9

SHA512
ee01ec4c53a4add48e46fc3ad29b255653233d97a148769a997110cb8dfe21ddc5cf86eb1b950494911f21293b4b458b9acb705a59bd273046b6a10b862942be

Download Submit
C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\tools\shimgen.license.txt

Filesize
3KB

MD5
89ac7c94d1013f7b3e32215a3db41731

SHA1
1511376e8a74a28d15bb62a75713754e650c8a8d

SHA256
d4d2ef2c520ec3e4ecff52c867ebd28e357900e0328bb4173cb46996ded353f4

SHA512
9ba2b0029e84de81ffef19b4b17a6d29ee652049bb3152372f504a06121a944ac1a2b1b57c6b0447979d5de9a931186fef9bd0667d5358d3c9cb29b817533792

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
06d16fea6ab505097d16fcaa32949d47

SHA1
0c1c719831fa41cd102d0d72d61c0f46ec5b8de8

SHA256
54e15de2bef9f651d7717e2a336ac6b2ea2b723e6f29d2b153d8fbbc89aef723

SHA512
03c00f1eebb51cec11703141ae9d9c3ac589f5495bc04d8a4b043714089a9d50bd3a520e4d72b4a4c99f5b9bf5f689bf2585fa5c7d4ddbe6f71cbba0172f593a

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
571249b3b4b18c4e7042aa8f54583e87

SHA1
010ef1dd9d68e33b5394ed0aff2e49a0395849ea

SHA256
bf6a30cf48b9f9861ce27d029b9751064aae640299a98ba1cd6c0faae2cf144f

SHA512
1b92f4d6407af29080527946e55033d0a6e666ed9c32fda8af6f9dcf2c613b00784a7b191db18030bd8950c26cc2a6fc8e6ecdc9de39d26969e50ad7022d7039

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
f04a18626af209cd8b1dbaffa50c75b8

SHA1
829cda337d32b346a50a599cef0bce7b6ab9ef7f

SHA256
3536283159365aa972872ccd793f18cb44cfe9f336ccbe5259b5ad91e43f9690

SHA512
fca8aa51788745420695e1574b6a0d73719a6dd6cba0c6f0e9a319bf59cb58dbf534051b353b906bb1af7d56a8ddd2a94a874188227f47d6ee372bf7f1da9a3b

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
2c0bdf06d302688498d4e7f9cd669ab5

SHA1
18186323d93499e03f737f137b4ad795eb7f470b

SHA256
86cd6b95819282eee4bd6c900b27ebeddf453a90a9f6147978e9137479f36bd6

SHA512
f8f02ab1cb6906975695369183d00d7f25ec4c54c40aba5ac0a1f42312c5eff5a6774a8e84c3357415555405f7e9754deebe8335dd1fdcf693137ab044cc18fe

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\2621FC2CA8553984514C8F80A8DE1540E70C8167

Filesize
1KB

MD5
158f133c12315231f7244681cce7826e

SHA1
ac4d29acc8f6dc63e1d37aae2b2ac18a3a0b9bd4

SHA256
f3faff38e209863d542e1d8137d600e94f6338b1340b62c505abafb79c42ad48

SHA512
7ddc9183c6beebce6c83e25898da0bbfb104c8ba9e84474a5d8bf5bf24f6761c575d62ea04bdbf02433d0e07b538ecffa6ce75c94bc6ce26574eec88fe782fab

Download Submit
memory/1060-10-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/1060-24-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/1180-65-0x0000022EFB110000-0x0000022EFB132000-memory.dmp

Filesize
136KB

Download
memory/1180-70-0x0000022EFD770000-0x0000022EFD7B4000-memory.dmp

Filesize
272KB

Download
memory/1180-71-0x0000022EFD840000-0x0000022EFD8B6000-memory.dmp

Filesize
472KB

Download
memory/2444-156-0x000001862A0C0000-0x000001862A0E4000-memory.dmp

Filesize
144KB

Download
memory/2444-155-0x000001862A0C0000-0x000001862A0EA000-memory.dmp

Filesize
168KB

Download
memory/3400-132-0x000001A1C8F90000-0x000001A1C9045000-memory.dmp

Filesize
724KB

Download
memory/3688-103-0x000001A07A720000-0x000001A07A7D5000-memory.dmp

Filesize
724KB

Download
memory/3688-108-0x000001A07A670000-0x000001A07A678000-memory.dmp

Filesize
32KB

Download
memory/3688-102-0x000001A07A640000-0x000001A07A65C000-memory.dmp

Filesize
112KB

Download
memory/3688-104-0x000001A07A630000-0x000001A07A63A000-memory.dmp

Filesize
40KB

Download
memory/3688-105-0x000001A07A680000-0x000001A07A69C000-memory.dmp

Filesize
112KB

Download
memory/3688-106-0x000001A07A660000-0x000001A07A66A000-memory.dmp

Filesize
40KB

Download
memory/3688-107-0x000001A07A800000-0x000001A07A81A000-memory.dmp

Filesize
104KB

Download
memory/3688-110-0x000001A07A7F0000-0x000001A07A7FA000-memory.dmp

Filesize
40KB

Download
memory/3688-109-0x000001A07A7E0000-0x000001A07A7E6000-memory.dmp

Filesize
24KB

Download
memory/4408-6-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/4408-3-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/4408-25-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/4472-2897-0x00000224B7E30000-0x00000224B7EE5000-memory.dmp

Filesize
724KB

Download
memory/4472-2899-0x00000224B8070000-0x00000224B8082000-memory.dmp

Filesize
72KB

Download
memory/4472-2900-0x00000224B8050000-0x00000224B805A000-memory.dmp

Filesize
40KB

Download
memory/4472-3073-0x00000224B7EF0000-0x00000224B7EFC000-memory.dmp

Filesize
48KB

Download
memory/4760-3303-0x000001CD95530000-0x000001CD96042000-memory.dmp

Filesize
11.1MB

Download
memory/4760-3316-0x000001CD968E0000-0x000001CD96930000-memory.dmp

Filesize
320KB

Download
memory/4760-3353-0x000001CDAF2D0000-0x000001CDAF2EE000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads