meshagent | a9fcd874776f3f25782f85303cec11ac2c2e599d05e3d8a3ec3cb5e253bf7d12

Analysis

max time kernel
141s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-01-2025 13:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-25_4c63b362b73a36e9410738b9f81428ef_frostygoop_hijackloader_luca-stealer_poet-rat_snatch.exe
Size

5.0MB
MD5

4c63b362b73a36e9410738b9f81428ef
SHA1

32824d470f193773e515870c9d3cf8dfa076b2a6
SHA256

a9fcd874776f3f25782f85303cec11ac2c2e599d05e3d8a3ec3cb5e253bf7d12
SHA512

17715f6600d44747bf22f4960256d33b4c3e6eb6192f24ad09207023870182b0c72a14851afb36d99f20e94ca646717a6fd9c7021b12a579a2585f06c0d02b64
SSDEEP

49152:wRg0nHs3wQuuhrb/T8vO90d7HjmAFd4A64nsfJoRLvXW4uyRcH5g3ZCNUgxocMCF:b3wQuu81n256dgxtrE7+eGt

Score

10^/10

meshagent tacticalrmm backdoor defense_evasion discovery execution persistence rat trojan

Malware Config

Extracted

Family

meshagent

Version

Botnet

TacticalRMM

http://mesh.trmm.v-consulting.com:443/agent.ashx

Attributes

mesh_id
0x79CC638C055FE100C59C9323FA6EBA3DC401BCC6B1C545978FD06AA55AE1B47307B41240C24A067C6BA18464D5E8CDF5
server_id
0F065FD3EA3A2BA9B18DA11DE9E25D6F976A32944350A24CB834A6D1A6EAD7F86F0388FF89786D8F26B5DF45DC73EB03
wss
wss://mesh.trmm.v-consulting.com:443/agent.ashx

Extracted

Language

ps1

Source

URLs

exe.dropper

https://github.com/rustdesk/rustdesk/releases/latest

exe.dropper

https://github.com/rustdesk/rustdesk/releases/download/$rustdesk_version/rustdesk-$rustdesk_version-x86_64.exe

Signatures

Detects MeshAgent payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000a0000000174b4-36.dat	family_meshagent

MeshAgent
MeshAgent is an open source remote access trojan written in C++.
rat trojan backdoor meshagent
Meshagent family
meshagent

Blocklisted process makes network request 6 IoCs

flow	pid	Process
41	1752	powershell.exe
42	1752	powershell.exe
44	1752	powershell.exe
45	1752	powershell.exe
63	3008	powershell.exe
64	3008	powershell.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Mesh Agent\ImagePath = "\"C:\\Program Files\\Mesh Agent\\MeshAgent.exe\" "	meshagent.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 19 IoCs

pid	Process
2188	tacticalagent-v2.8.0-windows-amd64.exe
2196	tacticalagent-v2.8.0-windows-amd64.tmp
2024	tacticalrmm.exe
2416	tacticalrmm.exe
2784	meshagent.exe
472	Process not Found
1620	MeshAgent.exe
912	MeshAgent.exe
2284	MeshAgent.exe
772	tacticalrmm.exe
1192	Process not Found
2640	tacticalrmm.exe
1720	MeshAgent.exe
2940	tacticalrmm.exe
2140	tacticalrmm.exe
2364	tacticalrmm.exe
2388	tacticalrmm.exe
1452	tacticalrmm.exe
1932	tacticalrmm.exe

Loads dropped DLL 9 IoCs

pid	Process
2188	tacticalagent-v2.8.0-windows-amd64.exe
2508	cmd.exe
2416	tacticalrmm.exe
1000	Process not Found
2428	Process not Found
1188	Process not Found
1632	Process not Found
2980	Process not Found
2368	Process not Found

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Power Settings 1 TTPs 1 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
916	powercfg.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	tacticalrmm.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC	tacticalrmm.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC	tacticalrmm.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	tacticalrmm.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	tacticalrmm.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	tacticalrmm.exe

Drops file in Program Files directory 31 IoCs

description	ioc	Process
File created	C:\Program Files\TacticalAgent\is-4J10V.tmp	tacticalagent-v2.8.0-windows-amd64.tmp
File opened for modification	C:\Program Files\TacticalAgent\agent.log	tacticalrmm.exe
File opened for modification	C:\Program Files\TacticalAgent\agent.log	tacticalrmm.exe
File opened for modification	C:\Program Files\TacticalAgent\agent.log	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\unins000.dat	tacticalagent-v2.8.0-windows-amd64.tmp
File created	C:\Program Files\Mesh Agent\MeshAgent.db	MeshAgent.exe
File opened for modification	C:\Program Files\Mesh Agent\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Program Files\TacticalAgent\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Program Files\TacticalAgent\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Program Files\TacticalAgent\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Program Files\TacticalAgent\agent.log	tacticalrmm.exe
File created	C:\Program Files\Mesh Agent\MeshAgent.exe	meshagent.exe
File opened for modification	C:\Program Files\TacticalAgent\agent.log	tacticalrmm.exe
File opened for modification	C:\Program Files\Mesh Agent\MeshAgent.db	MeshAgent.exe
File created	C:\Program Files\Mesh Agent\MeshAgent.msh	MeshAgent.exe
File opened for modification	C:\Program Files\Mesh Agent\MeshAgent.log	MeshAgent.exe
File opened for modification	C:\Program Files\TacticalAgent\agent.log	tacticalrmm.exe
File created	C:\Program Files\Mesh Agent\MeshAgent.db.tmp	MeshAgent.exe
File created	C:\Program Files\TacticalAgent\meshagent.exe	tacticalrmm.exe
File opened for modification	C:\Program Files\Mesh Agent\MeshAgent.db	MeshAgent.exe
File opened for modification	C:\Program Files\Mesh Agent\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Program Files\TacticalAgent\unins000.dat	tacticalagent-v2.8.0-windows-amd64.tmp
File opened for modification	C:\Program Files\Mesh Agent\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Program Files\TacticalAgent\agent.log	tacticalrmm.exe
File opened for modification	C:\Program Files\TacticalAgent\agent.log	tacticalrmm.exe
File opened for modification	C:\Program Files\TacticalAgent\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Program Files\Mesh Agent\MeshAgent.db.tmp	MeshAgent.exe
File opened for modification	C:\Program Files\Mesh Agent\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Program Files\TacticalAgent\agent.log	tacticalrmm.exe
File opened for modification	C:\Program Files\TacticalAgent\agent.log	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\is-UOMFR.tmp	tacticalagent-v2.8.0-windows-amd64.tmp

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WindowsUpdate.log	tacticalrmm.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3020	sc.exe
1724	sc.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3008	powershell.exe
2676	powershell.exe
1104	powershell.exe
1712	powershell.exe
2724	powershell.exe
2392	powershell.exe
1932	powershell.exe
1752	powershell.exe
2996	powershell.exe
1768	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tacticalagent-v2.8.0-windows-amd64.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tacticalagent-v2.8.0-windows-amd64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2220	cmd.exe
2864	PING.EXE
2940	cmd.exe
2836	PING.EXE

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
2772	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-449 = "Azerbaijan Standard Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-334 = "Jordan Daylight Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-181 = "Mountain Daylight Time (Mexico)"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-302 = "Romance Standard Time"	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-452 = "Caucasus Standard Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-141 = "Canada Central Daylight Time"	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-291 = "Central European Daylight Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-31 = "Mid-Atlantic Daylight Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-501 = "Nepal Daylight Time"	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time"	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1022 = "Bangladesh Standard Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-742 = "New Zealand Standard Time"	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-512 = "Central Asia Standard Time"	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-522 = "N. Central Asia Standard Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time"	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-152 = "Central America Standard Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-201 = "US Mountain Daylight Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)"	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-362 = "GTB Standard Time"	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-731 = "Fiji Daylight Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-202 = "US Mountain Standard Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-471 = "Ekaterinburg Daylight Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time"	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-831 = "SA Eastern Daylight Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-472 = "Ekaterinburg Standard Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time"	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	tacticalrmm.exe

Modifies system certificate store 2 TTPs 10 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	tacticalrmm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	tacticalrmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4	tacticalrmm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 0f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec53726187760b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e31d000000010000001000000099949d2179811f6b30a8c99c4f6b42260300000001000000140000002796bae63f1801e277261ba0d77770028f20eee420000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	tacticalrmm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 04000000010000001000000091de0625abdafd32170cbb25172a84670300000001000000140000002796bae63f1801e277261ba0d77770028f20eee41d000000010000001000000099949d2179811f6b30a8c99c4f6b4226140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e309000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec537261877620000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	tacticalrmm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 19000000010000001000000063664b080559a094d10f0a3c5f4f62900f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec53726187760b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e31d000000010000001000000099949d2179811f6b30a8c99c4f6b42260300000001000000140000002796bae63f1801e277261ba0d77770028f20eee404000000010000001000000091de0625abdafd32170cbb25172a846720000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	tacticalrmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	tacticalrmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	tacticalrmm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	tacticalrmm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	tacticalrmm.exe

Runs net.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2864	PING.EXE
2836	PING.EXE

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
2024	tacticalrmm.exe
2416	tacticalrmm.exe
2416	tacticalrmm.exe
2676	powershell.exe
1104	powershell.exe
1712	powershell.exe
1932	powershell.exe
772	tacticalrmm.exe
772	tacticalrmm.exe
772	tacticalrmm.exe
772	tacticalrmm.exe
772	tacticalrmm.exe
2640	tacticalrmm.exe
772	tacticalrmm.exe
2724	powershell.exe
1752	powershell.exe
2940	tacticalrmm.exe
2364	tacticalrmm.exe
2140	tacticalrmm.exe
2388	tacticalrmm.exe
1452	tacticalrmm.exe
1932	tacticalrmm.exe
3008	powershell.exe
1768	powershell.exe
2996	powershell.exe
2392	powershell.exe
3008	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2772	taskkill.exe
Token: SeDebugPrivilege	2024	tacticalrmm.exe
Token: SeDebugPrivilege	2416	tacticalrmm.exe
Token: SeAssignPrimaryTokenPrivilege	2584	wmic.exe
Token: SeIncreaseQuotaPrivilege	2584	wmic.exe
Token: SeSecurityPrivilege	2584	wmic.exe
Token: SeTakeOwnershipPrivilege	2584	wmic.exe
Token: SeLoadDriverPrivilege	2584	wmic.exe
Token: SeSystemtimePrivilege	2584	wmic.exe
Token: SeBackupPrivilege	2584	wmic.exe
Token: SeRestorePrivilege	2584	wmic.exe
Token: SeShutdownPrivilege	2584	wmic.exe
Token: SeSystemEnvironmentPrivilege	2584	wmic.exe
Token: SeUndockPrivilege	2584	wmic.exe
Token: SeManageVolumePrivilege	2584	wmic.exe
Token: SeAssignPrimaryTokenPrivilege	2584	wmic.exe
Token: SeIncreaseQuotaPrivilege	2584	wmic.exe
Token: SeSecurityPrivilege	2584	wmic.exe
Token: SeTakeOwnershipPrivilege	2584	wmic.exe
Token: SeLoadDriverPrivilege	2584	wmic.exe
Token: SeSystemtimePrivilege	2584	wmic.exe
Token: SeBackupPrivilege	2584	wmic.exe
Token: SeRestorePrivilege	2584	wmic.exe
Token: SeShutdownPrivilege	2584	wmic.exe
Token: SeSystemEnvironmentPrivilege	2584	wmic.exe
Token: SeUndockPrivilege	2584	wmic.exe
Token: SeManageVolumePrivilege	2584	wmic.exe
Token: SeAssignPrimaryTokenPrivilege	1944	wmic.exe
Token: SeIncreaseQuotaPrivilege	1944	wmic.exe
Token: SeSecurityPrivilege	1944	wmic.exe
Token: SeTakeOwnershipPrivilege	1944	wmic.exe
Token: SeLoadDriverPrivilege	1944	wmic.exe
Token: SeSystemtimePrivilege	1944	wmic.exe
Token: SeBackupPrivilege	1944	wmic.exe
Token: SeRestorePrivilege	1944	wmic.exe
Token: SeShutdownPrivilege	1944	wmic.exe
Token: SeSystemEnvironmentPrivilege	1944	wmic.exe
Token: SeUndockPrivilege	1944	wmic.exe
Token: SeManageVolumePrivilege	1944	wmic.exe
Token: SeAssignPrimaryTokenPrivilege	1944	wmic.exe
Token: SeIncreaseQuotaPrivilege	1944	wmic.exe
Token: SeSecurityPrivilege	1944	wmic.exe
Token: SeTakeOwnershipPrivilege	1944	wmic.exe
Token: SeLoadDriverPrivilege	1944	wmic.exe
Token: SeSystemtimePrivilege	1944	wmic.exe
Token: SeBackupPrivilege	1944	wmic.exe
Token: SeRestorePrivilege	1944	wmic.exe
Token: SeShutdownPrivilege	1944	wmic.exe
Token: SeSystemEnvironmentPrivilege	1944	wmic.exe
Token: SeUndockPrivilege	1944	wmic.exe
Token: SeManageVolumePrivilege	1944	wmic.exe
Token: SeAssignPrimaryTokenPrivilege	2700	wmic.exe
Token: SeIncreaseQuotaPrivilege	2700	wmic.exe
Token: SeSecurityPrivilege	2700	wmic.exe
Token: SeTakeOwnershipPrivilege	2700	wmic.exe
Token: SeLoadDriverPrivilege	2700	wmic.exe
Token: SeSystemtimePrivilege	2700	wmic.exe
Token: SeBackupPrivilege	2700	wmic.exe
Token: SeRestorePrivilege	2700	wmic.exe
Token: SeShutdownPrivilege	2700	wmic.exe
Token: SeSystemEnvironmentPrivilege	2700	wmic.exe
Token: SeUndockPrivilege	2700	wmic.exe
Token: SeManageVolumePrivilege	2700	wmic.exe
Token: SeAssignPrimaryTokenPrivilege	2700	wmic.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2196	tacticalagent-v2.8.0-windows-amd64.tmp

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1092 wrote to memory of 2188	1092	2025-01-25_4c63b362b73a36e9410738b9f81428ef_frostygoop_hijackloader_luca-stealer_poet-rat_snatch.exe	31
PID 1092 wrote to memory of 2188	1092	2025-01-25_4c63b362b73a36e9410738b9f81428ef_frostygoop_hijackloader_luca-stealer_poet-rat_snatch.exe	31
PID 1092 wrote to memory of 2188	1092	2025-01-25_4c63b362b73a36e9410738b9f81428ef_frostygoop_hijackloader_luca-stealer_poet-rat_snatch.exe	31
PID 1092 wrote to memory of 2188	1092	2025-01-25_4c63b362b73a36e9410738b9f81428ef_frostygoop_hijackloader_luca-stealer_poet-rat_snatch.exe	31
PID 1092 wrote to memory of 2188	1092	2025-01-25_4c63b362b73a36e9410738b9f81428ef_frostygoop_hijackloader_luca-stealer_poet-rat_snatch.exe	31
PID 1092 wrote to memory of 2188	1092	2025-01-25_4c63b362b73a36e9410738b9f81428ef_frostygoop_hijackloader_luca-stealer_poet-rat_snatch.exe	31
PID 1092 wrote to memory of 2188	1092	2025-01-25_4c63b362b73a36e9410738b9f81428ef_frostygoop_hijackloader_luca-stealer_poet-rat_snatch.exe	31
PID 2188 wrote to memory of 2196	2188	tacticalagent-v2.8.0-windows-amd64.exe	32
PID 2188 wrote to memory of 2196	2188	tacticalagent-v2.8.0-windows-amd64.exe	32
PID 2188 wrote to memory of 2196	2188	tacticalagent-v2.8.0-windows-amd64.exe	32
PID 2188 wrote to memory of 2196	2188	tacticalagent-v2.8.0-windows-amd64.exe	32
PID 2188 wrote to memory of 2196	2188	tacticalagent-v2.8.0-windows-amd64.exe	32
PID 2188 wrote to memory of 2196	2188	tacticalagent-v2.8.0-windows-amd64.exe	32
PID 2188 wrote to memory of 2196	2188	tacticalagent-v2.8.0-windows-amd64.exe	32
PID 2196 wrote to memory of 2220	2196	tacticalagent-v2.8.0-windows-amd64.tmp	33
PID 2196 wrote to memory of 2220	2196	tacticalagent-v2.8.0-windows-amd64.tmp	33
PID 2196 wrote to memory of 2220	2196	tacticalagent-v2.8.0-windows-amd64.tmp	33
PID 2196 wrote to memory of 2220	2196	tacticalagent-v2.8.0-windows-amd64.tmp	33
PID 2220 wrote to memory of 2864	2220	cmd.exe	35
PID 2220 wrote to memory of 2864	2220	cmd.exe	35
PID 2220 wrote to memory of 2864	2220	cmd.exe	35
PID 2220 wrote to memory of 2864	2220	cmd.exe	35
PID 2220 wrote to memory of 2896	2220	cmd.exe	36
PID 2220 wrote to memory of 2896	2220	cmd.exe	36
PID 2220 wrote to memory of 2896	2220	cmd.exe	36
PID 2220 wrote to memory of 2896	2220	cmd.exe	36
PID 2896 wrote to memory of 2848	2896	net.exe	37
PID 2896 wrote to memory of 2848	2896	net.exe	37
PID 2896 wrote to memory of 2848	2896	net.exe	37
PID 2896 wrote to memory of 2848	2896	net.exe	37
PID 2196 wrote to memory of 2760	2196	tacticalagent-v2.8.0-windows-amd64.tmp	38
PID 2196 wrote to memory of 2760	2196	tacticalagent-v2.8.0-windows-amd64.tmp	38
PID 2196 wrote to memory of 2760	2196	tacticalagent-v2.8.0-windows-amd64.tmp	38
PID 2196 wrote to memory of 2760	2196	tacticalagent-v2.8.0-windows-amd64.tmp	38
PID 2760 wrote to memory of 2736	2760	cmd.exe	40
PID 2760 wrote to memory of 2736	2760	cmd.exe	40
PID 2760 wrote to memory of 2736	2760	cmd.exe	40
PID 2760 wrote to memory of 2736	2760	cmd.exe	40
PID 2736 wrote to memory of 2304	2736	net.exe	41
PID 2736 wrote to memory of 2304	2736	net.exe	41
PID 2736 wrote to memory of 2304	2736	net.exe	41
PID 2736 wrote to memory of 2304	2736	net.exe	41
PID 2196 wrote to memory of 2940	2196	tacticalagent-v2.8.0-windows-amd64.tmp	42
PID 2196 wrote to memory of 2940	2196	tacticalagent-v2.8.0-windows-amd64.tmp	42
PID 2196 wrote to memory of 2940	2196	tacticalagent-v2.8.0-windows-amd64.tmp	42
PID 2196 wrote to memory of 2940	2196	tacticalagent-v2.8.0-windows-amd64.tmp	42
PID 2940 wrote to memory of 2836	2940	cmd.exe	44
PID 2940 wrote to memory of 2836	2940	cmd.exe	44
PID 2940 wrote to memory of 2836	2940	cmd.exe	44
PID 2940 wrote to memory of 2836	2940	cmd.exe	44
PID 2940 wrote to memory of 2788	2940	cmd.exe	45
PID 2940 wrote to memory of 2788	2940	cmd.exe	45
PID 2940 wrote to memory of 2788	2940	cmd.exe	45
PID 2940 wrote to memory of 2788	2940	cmd.exe	45
PID 2788 wrote to memory of 2632	2788	net.exe	46
PID 2788 wrote to memory of 2632	2788	net.exe	46
PID 2788 wrote to memory of 2632	2788	net.exe	46
PID 2788 wrote to memory of 2632	2788	net.exe	46
PID 2196 wrote to memory of 2628	2196	tacticalagent-v2.8.0-windows-amd64.tmp	47
PID 2196 wrote to memory of 2628	2196	tacticalagent-v2.8.0-windows-amd64.tmp	47
PID 2196 wrote to memory of 2628	2196	tacticalagent-v2.8.0-windows-amd64.tmp	47
PID 2196 wrote to memory of 2628	2196	tacticalagent-v2.8.0-windows-amd64.tmp	47
PID 2628 wrote to memory of 2772	2628	cmd.exe	49
PID 2628 wrote to memory of 2772	2628	cmd.exe	49

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2025-01-25_4c63b362b73a36e9410738b9f81428ef_frostygoop_hijackloader_luca-stealer_poet-rat_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-25_4c63b362b73a36e9410738b9f81428ef_frostygoop_hijackloader_luca-stealer_poet-rat_snatch.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1092
- C:\ProgramData\TacticalRMM\tacticalagent-v2.8.0-windows-amd64.exe
  C:\ProgramData\TacticalRMM\tacticalagent-v2.8.0-windows-amd64.exe /VERYSILENT /SUPPRESSMSGBOXES
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2188
- - C:\Users\Admin\AppData\Local\Temp\is-STNN0.tmp\tacticalagent-v2.8.0-windows-amd64.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-STNN0.tmp\tacticalagent-v2.8.0-windows-amd64.tmp" /SL5="$80158,3660179,825344,C:\ProgramData\TacticalRMM\tacticalagent-v2.8.0-windows-amd64.exe" /VERYSILENT /SUPPRESSMSGBOXES
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2196
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c ping 127.0.0.1 -n 2 && net stop tacticalrpc
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Suspicious use of WriteProcessMemory
      PID:2220
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2864
    - - C:\Windows\SysWOW64\net.exe
        
        net stop tacticalrpc
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2896
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop tacticalrpc
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2848
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c net stop tacticalagent
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2760
    - - C:\Windows\SysWOW64\net.exe
        
        net stop tacticalagent
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2736
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop tacticalagent
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2304
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c ping 127.0.0.1 -n 2 && net stop tacticalrmm
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Suspicious use of WriteProcessMemory
      PID:2940
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2836
    - - C:\Windows\SysWOW64\net.exe
        
        net stop tacticalrmm
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2788
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop tacticalrmm
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2632
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c taskkill /F /IM tacticalrmm.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2628
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM tacticalrmm.exe
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2772
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c sc delete tacticalagent
      4⤵
      System Location Discovery: System Language Discovery
      PID:2680
    - - C:\Windows\SysWOW64\sc.exe
        
        sc delete tacticalagent
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3020
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c sc delete tacticalrpc
      4⤵
      System Location Discovery: System Language Discovery
      PID:1104
    - - C:\Windows\SysWOW64\sc.exe
        
        sc delete tacticalrpc
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:1724
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c tacticalrmm.exe -m installsvc
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2508
    - - C:\Program Files\TacticalAgent\tacticalrmm.exe
        
        tacticalrmm.exe -m installsvc
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2024
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c net start tacticalrmm
      4⤵
      System Location Discovery: System Language Discovery
      PID:2356
    - - C:\Windows\SysWOW64\net.exe
        
        net start tacticalrmm
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1584
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start tacticalrmm
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2156
- C:\Program Files\TacticalAgent\tacticalrmm.exe
  "C:\Program Files\TacticalAgent\tacticalrmm.exe" -m install --api https://api.trmm.v-consulting.com --client-id 6 --site-id 9 --agent-type workstation --auth 5b9472796a1c23bdaf91ebdad8ab4b0ce080e83f3199cdd50bb816e3fa1ddd1e
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2416
- - C:\Program Files\TacticalAgent\meshagent.exe
    "C:\Program Files\TacticalAgent\meshagent.exe" -fullinstall
    3⤵
    - Sets service image path in registry
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:2784
- - C:\Program Files\Mesh Agent\MeshAgent.exe
    "C:\Program Files\Mesh Agent\MeshAgent.exe" -nodeid
    3⤵
    - Executes dropped EXE
    PID:912

C:\Program Files\Mesh Agent\MeshAgent.exe
"C:\Program Files\Mesh Agent\MeshAgent.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1620
- C:\Windows\System32\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2584
- C:\Windows\system32\wbem\wmic.exe
  wmic os get oslanguage /FORMAT:LIST
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1944
- C:\Windows\System32\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2700
- C:\Windows\system32\wbem\wmic.exe
  wmic os get oslanguage /FORMAT:LIST
  2⤵
  PID:2096

C:\Program Files\Mesh Agent\MeshAgent.exe
"C:\Program Files\Mesh Agent\MeshAgent.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2284
- C:\Windows\System32\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  PID:884
- C:\Windows\system32\wbem\wmic.exe
  wmic os get oslanguage /FORMAT:LIST
  2⤵
  PID:1600
- C:\Windows\System32\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  PID:2324
- C:\Windows\System32\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  PID:2756
- C:\Windows\System32\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  PID:2760
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -noprofile -nologo -command -
  2⤵
  - Drops file in Program Files directory
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2676
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -noprofile -nologo -command -
  2⤵
  - Drops file in Program Files directory
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1104
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -noprofile -nologo -command -
  2⤵
  - Drops file in Program Files directory
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1712
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -noprofile -nologo -command -
  2⤵
  - Drops file in Program Files directory
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1932

C:\Program Files\TacticalAgent\tacticalrmm.exe
"C:\Program Files\TacticalAgent\tacticalrmm.exe" -m svc
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:772
- C:\Program Files\TacticalAgent\tacticalrmm.exe
  "C:\Program Files\TacticalAgent\tacticalrmm.exe" -m checkrunner
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:2640
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass C:\ProgramData\TacticalRMM\3846449057.ps1
    3⤵
    - Drops file in System32 directory
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2724
- C:\Program Files\Mesh Agent\MeshAgent.exe
  "C:\Program Files\Mesh Agent\MeshAgent.exe" -nodeid
  2⤵
  - Executes dropped EXE
  PID:1720
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass C:\ProgramData\TacticalRMM\3090847037.ps1
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1752

C:\Windows\system32\taskeng.exe
taskeng.exe {C85151C5-262D-4315-BFD7-2EFCBF3E651E} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:2724
- C:\Program Files\TacticalAgent\tacticalrmm.exe
  "C:\Program Files\TacticalAgent\tacticalrmm.exe" -m taskrunner -p 8
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:2388
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass C:\ProgramData\TacticalRMM\3871614904.ps1
    3⤵
    - Drops file in Program Files directory
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2392
- C:\Program Files\TacticalAgent\tacticalrmm.exe
  "C:\Program Files\TacticalAgent\tacticalrmm.exe" -m taskrunner -p 6
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:2940
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass C:\ProgramData\TacticalRMM\2058954537.ps1
    3⤵
    - Blocklisted process makes network request
    - Drops file in Program Files directory
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3008
  - - C:\Windows\system32\net.exe
      "C:\Windows\system32\net.exe" stop rustdesk
      4⤵
      PID:1624
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop rustdesk
        5⤵
        
        PID:2476
- C:\Program Files\TacticalAgent\tacticalrmm.exe
  "C:\Program Files\TacticalAgent\tacticalrmm.exe" -m taskrunner -p 47
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:2140
- C:\Program Files\TacticalAgent\tacticalrmm.exe
  "C:\Program Files\TacticalAgent\tacticalrmm.exe" -m taskrunner -p 60
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:2364
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass C:\ProgramData\TacticalRMM\639238980.ps1
    3⤵
    - Drops file in Program Files directory
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1768
- C:\Program Files\TacticalAgent\tacticalrmm.exe
  "C:\Program Files\TacticalAgent\tacticalrmm.exe" -m taskrunner -p 30
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:1932
- - C:\Windows\system32\cmd.exe
    cmd /c C:\ProgramData\TacticalRMM\2519378227.bat
    3⤵
    PID:2012
  - - C:\Windows\system32\powercfg.exe
      powercfg.exe -x -standby-timeout-ac 0
      4⤵
      Power Settings
      PID:916
- C:\Program Files\TacticalAgent\tacticalrmm.exe
  "C:\Program Files\TacticalAgent\tacticalrmm.exe" -m taskrunner -p 39
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:1452
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass C:\ProgramData\TacticalRMM\619376817.ps1
    3⤵
    - Drops file in Program Files directory
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Mesh Agent\MeshAgent.db

Filesize
35KB

MD5
e0500b210f9c35c0d1b8ae4be3782939

SHA1
3e9b8a5967b9f1ca0450c5f8cb03e52d43ef8cde

SHA256
d5981e57b568d85513edcf4d4fa4234a932c837d194c66bb580da38d1a2210b9

SHA512
514cf59dd757a2c700fd5be66d585f2d52dca7f94a420a340b7313b832e91a609e8d769d5976cebd7db4671d35faab4e7a22bce607918ff9d998813e5dafe336

Download Submit
C:\Program Files\Mesh Agent\MeshAgent.db

Filesize
153KB

MD5
474edbd6fc82305c22551c2ee2704f55

SHA1
dd4c9e28b997b95ee9dc067d0a3a48059e2acc3c

SHA256
13043b646a518ee1686d7896c981df24d21b6d772b2a0a44691a4637bfa7826b

SHA512
f1822bf453951937e254cebff0f997a4b8a49c65c3bb2eea25a836f18d0c288e418cbd24ffb66ad82b7a4b3b640482436ffcba38c1d2b86ccb0bb318359d3efe

Download Submit
C:\Program Files\Mesh Agent\MeshAgent.msh

Filesize
31KB

MD5
3def9ce05b48a96a5afbdea36aea0a4b

SHA1
75a0e960b1af485137301ee6021a54efa27bcf25

SHA256
6e9dd1a8e0181e570075f804d62da79e55da9d3d6ef6242a0ad6fab5b4178ce5

SHA512
657ca5d77dbf9536fa06a13ea2341eeb5d0da0645c0e4b00005b51f1d8994d3188f44fc38563bdb4d219f08e22d57330391f9c5ee261aa7b51d2c31fab728773

Download Submit
C:\Program Files\TacticalAgent\agent.log

Filesize
67B

MD5
6dd349bf47a21d588b20bfb3fd8f63b7

SHA1
9cd070e20729a73ba3e222296f30c4196ad504cb

SHA256
5fa4b707ebd1eaef55062f19e9b85a60cd66bdce3af35dd36bffdc18a87e6e1e

SHA512
9181ec85d3e5db1802b6db244ce2763f2ebb76d64436128897b704a29a623ee83a9305edaf42942502d6eec9bbdf01ef3efa1a099873a9d422fac8dbce4c5980

Download Submit
C:\Program Files\TacticalAgent\agent.log

Filesize
308B

MD5
01ef3ebd474d825294dbcb4cc36da6fd

SHA1
b4118861f5edbf42385a62c34021b17458d8454a

SHA256
b2a25a0608b1ed490fb8342de7e5806a0d045f5f470539493c729f28a1772b96

SHA512
65fdd38375330ea99ae73861c50d5666e846f5c977ff5b9ba42a3da650081be7e0ea5d8630b4f8f08307718e37cdb11bdc6db0f69912ae1b1f7ed29303e2fa37

Download Submit
C:\ProgramData\TacticalRMM\2058954537.ps1

Filesize
4KB

MD5
4e75b4a107fbbaa58b8e658101b49114

SHA1
73c6d983dbb4287bc1868dcd70b3e8e5708d871a

SHA256
955e58a32809121f5d651e0b99248360721fdee4105e3e91a5a0d020257a562e

SHA512
fa8710a06b9c1cbb1932fbc487e44e9ad42d663a542f9b17d3ea517577b573cff633e343d3a39f96824610a3d38a8e2292fdefa4e823c1df34877b39459b6459

Download Submit
C:\ProgramData\TacticalRMM\2519378227.bat

Filesize
37B

MD5
29b672000c75e84cd3985d3d2f89e26d

SHA1
7c7ac7747dcd4a96a9faa5ae67fdd4d8b524ba8f

SHA256
aa93ae6cfcc842f1f00f2a18538f5702a4c709e6ff183cf72437489dd19ca99b

SHA512
02501cded7f45da19d282f7ad9562208849ad5f56b60e234c2e60c932951ceb21f30f1b0668ddad1348122a85d823b9b175f587208b4fb6ba68fcc25e2b90fe4

Download Submit
C:\ProgramData\TacticalRMM\3090847037.ps1

Filesize
35KB

MD5
e9fb33c49bee675e226d1afeef2740d9

SHA1
ded4e30152638c4e53db4c3c62a76fe0b69e60ab

SHA256
44e045ed5350758616d664c5af631e7f2cd10165f5bf2bd82cbf3a0bb8f63462

SHA512
2661a981d48d58c9ceb1992e55061ce07af0d53b5f38b07de620376e0ea1d876c7e50965e67aee80fe723968bdb956dc7fd93e7923608534c8fb4d21739dbc48

Download Submit
C:\ProgramData\TacticalRMM\3846449057.ps1

Filesize
1KB

MD5
765419c7c4016b7abfe7e214a4fac90d

SHA1
347439e58bf38bf0bf32f1de93e51d209344641f

SHA256
ffe10c724b7bacf68c161f830d5f698ec51c9cf6d5a0805481eb440583001b6e

SHA512
daefd8a58e29ebd0b4eb9566ec16cf0c4de10e1ad01348a4c0ed8bf47b07115cbd98ee70aada2637ac26b522497d8434a3f471bb7baf48c52bb9e72f3e2afc80

Download Submit
C:\ProgramData\TacticalRMM\3871614904.ps1

Filesize
631B

MD5
2e839009acca754f335573898e9b2813

SHA1
4bf40c3330ad3e7c605bea6969c7fc31f8454e54

SHA256
6573fb7db75c5decc90c58b87e4127ae4b02c2d4395735dabff94f83cb305524

SHA512
2e30252961c185d8f1ebc86d5e5e97b0481ae89321d8024eefe22f677673e31c30a8f620f2fb7a3e503b43f77f41360062b689cced6328afb9e8598859d3ba5b

Download Submit
C:\ProgramData\TacticalRMM\619376817.ps1

Filesize
21KB

MD5
c89475fb9834a86320ac2a95da38e1f8

SHA1
4a60ef0109792f433873df5d83049bc250527e19

SHA256
8f34a695a0470b5c5f573e7ed289b617bea7529973e2d4853632c9bf46fbf5e6

SHA512
ff68b6e20039d4fe091146ccdad29a148b13fb46459cf124ebfb5ef99038e5bc50c1c054fd55e32970c36c03d0bd1b35a4ed5140c945f4009652d44323865739

Download Submit
C:\ProgramData\TacticalRMM\639238980.ps1

Filesize
612B

MD5
cf08abf0df6e2c6db2d9f869c830509f

SHA1
ca67d293539cca8aff809f654733aee65afa75dd

SHA256
2d6645f4b4a9eee9af1863af2e0e0da37d648c749aa4ffa8e033a6d344bd1282

SHA512
156048ae7acf35904170de8a6e9b589c72528dc7bb921453e96bf6a3f1fe065f9ec5878f7996a7778f4abf88ed5966c74f97cebf3d27e793165a56e5e87a0d2d

Download Submit
C:\ProgramData\TacticalRMM\tacticalagent-v2.8.0-windows-amd64.exe

Filesize
4.3MB

MD5
2f046950e65922336cd83bf0dbc9de33

SHA1
ddc64a8b21c8146c93c0b19c1eeb0ef784b980c6

SHA256
412e1f600251b21911c582e69381f677e663231f5e1d10786d88a026e00ea811

SHA512
a11cbf8b8b692d2d5a0e3af5a97f91a3d1f3e7aa39966eb7d62b3244b3913f2fdc21823d5c94de0d98e579f801709df44433af91567356361d5d9699a93b2cbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-STNN0.tmp\tacticalagent-v2.8.0-windows-amd64.tmp

Filesize
3.0MB

MD5
a639312111d278fee4f70299c134d620

SHA1
6144ca6e18a5444cdb9b633a6efee67aff931115

SHA256
4b0be5167a31a77e28e3f0a7c83c9d289845075b51e70691236603b1083649df

SHA512
f47f01d072ff9ed42f5b36600ddfc344a6a4b967c1b671ffc0e76531e360bfd55a1a9950305ad33f7460f3f5dd8953e317b108cd434f2db02987fa018d57437c

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
84e930de21304cf0fd0e04ecf67e6eff

SHA1
ad9a273167be4b30c96dbb85ba33a286e7ced956

SHA256
8fdff0e1dad59ad35bed0f8e29049c0c3b4b8ab3ab4eae0d9ad6b1b662f58315

SHA512
d834175cb5ef18aa69846c3670e7238eb15b9b73745e8b0fcac21974727f8ef542cf35646648fe2f11c40a79bd6d7883b0cead1666a70e28a3e550c0bfe2d834

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f94584e870500e6fb33c2096202e7570

SHA1
d4b960265037725ff4972342f8ecd90592727db9

SHA256
cadfc0d6d7ef58325ff41e447f16b586a1d305a94515104d2ec01c5712d0bf28

SHA512
742967aa980b6cbd1df4f0a4fa660d04a4d234c5cb46b703eee4067a32dc68ce418b30ce244a4c1a5f3a867dd9f998fcc5d7d007c052abc62b7823188c7fa33b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
1786a8d459fb601ad2b5737e6adbf2dc

SHA1
b3f8ece61d5ef50c2555853cd34557fa909f0787

SHA256
9e4c7ee8249140e2699205ebccfb8dbc8b30f4fa66e70b8de4b293ae14a16964

SHA512
e63caef5ab071b35941e0d8d2010842ed8c302e0abf5f02e8248b9d63f5e09cc854d4ce048244d66e2fb87c3762c15ef74af2ea6d579e2e3ff0f73b7bd743654

Download Submit
C:\Windows\Temp\Cab9D6A.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\Tar9FE1.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Program Files\TacticalAgent\meshagent.exe

Filesize
3.3MB

MD5
2641d5b122336e87d2964c562898caea

SHA1
ad3b817c810702c6ccd060192566350ac5eb77fd

SHA256
88b6c219763de23bbe1752aa22d408bf9b3db1926e691fd6a299beb0680c9757

SHA512
4380d048e42ad1e58a64ea0bcb1f31c4cc343e43c12e052327a997505a804f68f2b26bad77dc48d4ce04b8d5d4adc6be6878c8ce462916247bc74ef136e2c401

Download Submit
\Program Files\TacticalAgent\tacticalrmm.exe

Filesize
9.2MB

MD5
bb383b7c3d5e4acb1001ab099b5b0f3c

SHA1
cb0c85f84a454aa4b1aab02bfba47c4355c2311e

SHA256
a6d3159c858aa3704f35d69b27829618ad0d1bae894c848a5233100c17464f95

SHA512
157dda96d1cacea55a6be27b9d432225b47d7334e664e577cef82a14c7eb1be1b8b84423b3905a4c1caecb5394be264d9b5c3e32109a4893e51a9d406ce740be

Download Submit
memory/772-158-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1104-120-0x0000000002010000-0x0000000002018000-memory.dmp

Filesize
32KB

Download
memory/1104-119-0x000000001B230000-0x000000001B512000-memory.dmp

Filesize
2.9MB

Download
memory/2024-25-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2024-24-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2188-7-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/2188-4-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/2188-30-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/2196-14-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/2196-29-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/2416-34-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2416-128-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2416-92-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2416-81-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2416-80-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2416-79-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2416-78-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2416-77-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2416-71-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2416-47-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2416-46-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2416-33-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2640-287-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2640-286-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2676-111-0x0000000001D50000-0x0000000001D58000-memory.dmp

Filesize
32KB

Download
memory/2676-110-0x000000001B240000-0x000000001B522000-memory.dmp

Filesize
2.9MB

Download
memory/3008-533-0x00000000016E0000-0x0000000001702000-memory.dmp

Filesize
136KB

Download
memory/3008-534-0x0000000001470000-0x0000000001482000-memory.dmp

Filesize
72KB

Download