meshagent | a9fcd874776f3f25782f85303cec11ac2c2e599d05e3d8a3ec3cb5e253bf7d12

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25/01/2025, 13:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-25_4c63b362b73a36e9410738b9f81428ef_frostygoop_hijackloader_luca-stealer_poet-rat_snatch.exe
Size

5.0MB
MD5

4c63b362b73a36e9410738b9f81428ef
SHA1

32824d470f193773e515870c9d3cf8dfa076b2a6
SHA256

a9fcd874776f3f25782f85303cec11ac2c2e599d05e3d8a3ec3cb5e253bf7d12
SHA512

17715f6600d44747bf22f4960256d33b4c3e6eb6192f24ad09207023870182b0c72a14851afb36d99f20e94ca646717a6fd9c7021b12a579a2585f06c0d02b64
SSDEEP

49152:wRg0nHs3wQuuhrb/T8vO90d7HjmAFd4A64nsfJoRLvXW4uyRcH5g3ZCNUgxocMCF:b3wQuu81n256dgxtrE7+eGt

Score

10^/10

meshagent tacticalrmm backdoor defense_evasion discovery execution persistence privilege_escalation rat trojan

Malware Config

Extracted

Family

meshagent

Version

Botnet

TacticalRMM

http://mesh.trmm.v-consulting.com:443/agent.ashx

Attributes

mesh_id
0x79CC638C055FE100C59C9323FA6EBA3DC401BCC6B1C545978FD06AA55AE1B47307B41240C24A067C6BA18464D5E8CDF5
server_id
0F065FD3EA3A2BA9B18DA11DE9E25D6F976A32944350A24CB834A6D1A6EAD7F86F0388FF89786D8F26B5DF45DC73EB03
wss
wss://mesh.trmm.v-consulting.com:443/agent.ashx

Extracted

Language

ps1

Source

URLs

exe.dropper

https://github.com/rustdesk/rustdesk/releases/latest

exe.dropper

https://github.com/rustdesk/rustdesk/releases/download/$rustdesk_version/rustdesk-$rustdesk_version-x86_64.exe

Signatures

Detects MeshAgent payload 1 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023cb5-30.dat	family_meshagent

MeshAgent
MeshAgent is an open source remote access trojan written in C++.
rat trojan backdoor meshagent
Meshagent family
meshagent

Blocklisted process makes network request 3 IoCs

flow	pid	Process
65	2872	powershell.exe
113	2648	powershell.exe
115	2648	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Downloads MZ/PE file 1 IoCs

flow	pid	Process
77	320	Process not Found

Modifies Windows Firewall 2 TTPs 3 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2308	netsh.exe
3600	netsh.exe
4304	netsh.exe

Modifies service settings 1 TTPs
Alters the configuration of existing services.
defense_evasion

Windows Service
T1543.003

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Mesh Agent\ImagePath = "\"C:\\Program Files\\Mesh Agent\\MeshAgent.exe\" "	meshagent.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 31 IoCs

pid	Process
2528	tacticalagent-v2.8.0-windows-amd64.exe
2872	tacticalagent-v2.8.0-windows-amd64.tmp
3644	tacticalrmm.exe
1888	tacticalrmm.exe
2216	meshagent.exe
3532	MeshAgent.exe
2368	MeshAgent.exe
4800	tacticalrmm.exe
2224	tacticalrmm.exe
3048	tacticalrmm.exe
2156	tacticalrmm.exe
5028	tacticalrmm.exe
3744	tacticalrmm.exe
2196	tacticalrmm.exe
3916	tacticalrmm.exe
3644	rustdesk.exe
1840	rustdesk.exe
4608	rustdesk.exe
2064	MeshAgent.exe
3400	RustDesk.exe
4268	RustDesk.exe
4360	RustDesk.exe
1180	RustDesk.exe
1576	RustDesk.exe
952	rustdesk.exe
2928	rustdesk.exe
3212	RustDesk.exe
1572	RustDesk.exe
3688	RustDesk.exe
3536	RustDesk.exe
5568	choco.exe

Loads dropped DLL 64 IoCs

pid	Process
3644	rustdesk.exe
3644	rustdesk.exe
3644	rustdesk.exe
3644	rustdesk.exe
3644	rustdesk.exe
3644	rustdesk.exe
3644	rustdesk.exe
3644	rustdesk.exe
3644	rustdesk.exe
3644	rustdesk.exe
3644	rustdesk.exe
3644	rustdesk.exe
3644	rustdesk.exe
3644	rustdesk.exe
3644	rustdesk.exe
1840	rustdesk.exe
1840	rustdesk.exe
1840	rustdesk.exe
1840	rustdesk.exe
1840	rustdesk.exe
1840	rustdesk.exe
1840	rustdesk.exe
1840	rustdesk.exe
1840	rustdesk.exe
1840	rustdesk.exe
1840	rustdesk.exe
1840	rustdesk.exe
1840	rustdesk.exe
4608	rustdesk.exe
4608	rustdesk.exe
4608	rustdesk.exe
4608	rustdesk.exe
4608	rustdesk.exe
4608	rustdesk.exe
4608	rustdesk.exe
4608	rustdesk.exe
4608	rustdesk.exe
4608	rustdesk.exe
4608	rustdesk.exe
4608	rustdesk.exe
4608	rustdesk.exe
3400	RustDesk.exe
3400	RustDesk.exe
3400	RustDesk.exe
3400	RustDesk.exe
3400	RustDesk.exe
3400	RustDesk.exe
3400	RustDesk.exe
3400	RustDesk.exe
3400	RustDesk.exe
3400	RustDesk.exe
3400	RustDesk.exe
3400	RustDesk.exe
3400	RustDesk.exe
3400	RustDesk.exe
3400	RustDesk.exe
3400	RustDesk.exe
4268	RustDesk.exe
4268	RustDesk.exe
4268	RustDesk.exe
4268	RustDesk.exe
4268	RustDesk.exe
4268	RustDesk.exe
4268	RustDesk.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Power Settings 1 TTPs 1 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
3804	powercfg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\95ACDE76590227F6B040BCEF74EF842783E31292	MeshAgent.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\rustdesk\file_selector_windows_plugin.dll	rustdesk.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\rustdesk\data\flutter_assets\assets\auth-gitlab.svg	rustdesk.exe
File opened for modification	C:\Windows\System32\rpcrt4.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\user32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\Kernel.Appcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\apphelp.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\ws2_32.pdb	MeshAgent.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\rustdesk\data\flutter_assets\assets\auth-auth0.svg	rustdesk.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\rustdesk\data\flutter_assets\assets\insecure_relay.svg	rustdesk.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\rustdesk\data\flutter_assets\assets\message_24dp_5F6368.svg	rustdesk.exe
File opened for modification	C:\Windows\System32\dll\sechost.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\shcore.pdb	MeshAgent.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\System32\dll\comctl32.pdb	MeshAgent.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\rustdesk\data\flutter_assets\packages\window_manager\images\ic_chrome_close.png	rustdesk.exe
File opened for modification	C:\Windows\System32\symbols\dll\ncrypt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\gdi32full.pdb	MeshAgent.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\rustdesk\desktop_drop_plugin.dll	rustdesk.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\rustdesk\data\flutter_assets\assets\fullscreen.svg	rustdesk.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\rustdesk\data\flutter_assets\packages\dash_chat_2\assets\placeholder.png	rustdesk.exe
File opened for modification	C:\Windows\System32\dll\ws2_32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\rpcrt4.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\crypt32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\iphlpapi.pdb	MeshAgent.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\rustdesk\RuntimeBroker_rustdesk.exe	rustdesk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\System32\symbols\dll\msvcp_win.pdb	MeshAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\rustdesk\window_size_plugin.dll	rustdesk.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\rustdesk\data\flutter_assets\assets\tabbar.ttf	rustdesk.exe
File opened for modification	C:\Windows\System32\dll\gdi32full.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\bcryptprimitives.pdb	MeshAgent.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\rustdesk\screen_retriever_plugin.dll	rustdesk.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\rustdesk\data\flutter_assets\assets\transfer.svg	rustdesk.exe
File opened for modification	C:\Windows\System32\DLL\kernel32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\dbghelp.pdb	MeshAgent.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\rustdesk\data\icudtl.dat	rustdesk.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\rustdesk\data\flutter_assets\assets\home.svg	rustdesk.exe
File opened for modification	C:\Windows\System32\exe\MeshService64.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\msvcrt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\ntasn1.pdb	MeshAgent.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\rustdesk\data\flutter_assets\AssetManifest.json	rustdesk.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\rustdesk\data\flutter_assets\assets\pinned.svg	rustdesk.exe
File opened for modification	C:\Windows\System32\symbols\DLL\bcrypt.pdb	MeshAgent.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\rustdesk\url_launcher_windows_plugin.dll	rustdesk.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\rustdesk\usbmmidd_v2\x64\usbmmIdd.dll	rustdesk.exe
File opened for modification	C:\Windows\System32\dll\advapi32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\msvcp_win.pdb	MeshAgent.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\A7DB7C52DE48A62D589DF933C6936D1254EFBB74	MeshAgent.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\rustdesk\usbmmidd_v2\usbmmIdd.inf	rustdesk.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\rustdesk\data\flutter_assets\assets\actions.svg	rustdesk.exe
File opened for modification	C:\Windows\System32\ntdll.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\win32u.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\combase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\gdiplus.pdb	MeshAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\rustdesk\data\flutter_assets\assets\android.svg	rustdesk.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\rustdesk\data\flutter_assets\assets\dots.svg	rustdesk.exe
File opened for modification	C:\Windows\System32\ole32.pdb	MeshAgent.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\rustdesk\data\flutter_assets\assets\insecure.svg	rustdesk.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\rustdesk\flutter_windows.dll	rustdesk.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\rustdesk\data\flutter_assets\assets\close.svg	rustdesk.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\rustdesk\data\flutter_assets\assets\secure_relay.svg	rustdesk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pip\_vendor\packaging\version.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pip\_vendor\pygments\__init__.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pip\_vendor\rich\_emoji_codes.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pip\_vendor\webencodings\labels.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\win32com\test\errorSemantics.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\_distutils_hack\override.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\cryptography\hazmat\backends\openssl\aead.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pip\_internal\vcs\subversion.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pip\_vendor\rich\spinner.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pysnmp\__init__.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pythonwin\pywin\framework\winout.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\setuptools\_distutils\dist.py	tacticalrmm.exe
File created	C:\Program Files\RustDesk\data\icudtl.dat	xcopy.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\Cryptodome\Signature\pkcs1_15.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\win32\win32api.pyd	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pip\_vendor\chardet\resultdict.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\win32\lib\win32con.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\setuptools\glob.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\cryptography-42.0.8.dist-info\REQUESTED	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\h11-0.14.0.dist-info\RECORD	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pip\_vendor\packaging\py.typed	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pysnmp\proto\secmod\rfc3414\priv\des.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pythonwin\win32uiole.pyd	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\setuptools\launch.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\cryptography\hazmat\primitives\asymmetric\padding.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\isapi\__init__.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pip\_internal\utils\compat.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\win32\test\win32rcparser\test.rc	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\pyexpat.pyd	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\charset_normalizer-3.3.2.dist-info\top_level.txt	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pip\_internal\exceptions.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pysmi\borrower\__init__.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\win32\Demos\security\sspi\socket_server.py	tacticalrmm.exe
File created	C:\Program Files\RustDesk\data\flutter_assets\assets\display.svg	xcopy.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\Cryptodome\SelfTest\Signature\__init__.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pysmi\codegen\base.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pysnmp\proto\mpmod\__init__.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pip\_vendor\rich\themes.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pyasn1\type\tag.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\Cryptodome\SelfTest\Hash\test_SHA256.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\idna\__init__.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pip\_vendor\requests\packages.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pysmi\reader\localfile.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pysmi\writer\localfile.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\requests\__init__.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\adodbapi\readme.txt	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\Cryptodome\Cipher\PKCS1_v1_5.pyi	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\setuptools-70.0.0.dist-info\RECORD	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\adodbapi\apibase.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\Cryptodome\SelfTest\Hash\common.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\cryptography\hazmat\bindings\_rust\openssl\hmac.pyi	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pythonwin\pywin\scintilla\formatter.py	tacticalrmm.exe
File created	C:\Program Files\RustDesk\data\flutter_assets\shaders\ink_sparkle.frag	xcopy.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\_queue.pyd	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pythonwin\pywin\Demos\fontdemo.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\websockets\headers.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\win32\test\test_win32timezone.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\anyio\abc\_testing.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\msgpack\fallback.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pysnmp\smi\mibs\RFC1213-MIB.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\setuptools\windows_support.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\websockets\datastructures.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\win32com\test\testDates.py	tacticalrmm.exe
File created	C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\Cryptodome\Cipher\__init__.py	tacticalrmm.exe

Drops file in Windows directory 32 IoCs

description	ioc	Process
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\RustDesk\config\RustDesk.3212_ThreadId(2)_1737811957177626100	RustDesk.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\RustDesk\log\uninstall-amyuni-idd\rustdesk_rCURRENT.log	rustdesk.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\RustDesk\config\RustDesk_hwcodec.4360_ThreadId(11)_1737811948213232300	RustDesk.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\RustDesk\log\get-id\RustDesk_rCURRENT.log	rustdesk.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\RustDesk\log\server\RustDesk_rCURRENT.log	RustDesk.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\RustDesk\log\check-hwcodec-config\RustDesk_rCURRENT.log	RustDesk.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\RustDesk\config\RustDesk2.4360_ThreadId(2)_1737811948209897200	RustDesk.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\RustDesk\config\RustDesk.4360_ThreadId(2)_1737811948210473000	RustDesk.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\RustDesk\config\RustDesk.4360_ThreadId(2)_1737811948210919400	RustDesk.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\RustDesk\config\RustDesk2.toml	powershell.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\RustDesk\config\RustDesk2.3688_ThreadId(3)_1737811958769322700	RustDesk.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\RustDesk\log\silent-install\rustdesk_rCURRENT.log	rustdesk.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\RustDesk\config\RustDesk.4360_ThreadId(2)_1737811948153336000	RustDesk.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\RustDesk\config\RustDesk2.4360_ThreadId(23)_1737811948307939800	RustDesk.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\RustDesk\config\RustDesk2.3688_ThreadId(24)_1737811958515144700	RustDesk.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\RustDesk\log\service\RustDesk_rCURRENT.log	RustDesk.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\RustDesk\log\server\RustDesk_rCURRENT.log	RustDesk.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\RustDesk\log\service\RustDesk_rCURRENT.log	RustDesk.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\RustDesk\config\RustDesk.3688_ThreadId(3)_1737811958774014900	RustDesk.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\RustDesk\config\RustDesk.4360_ThreadId(28)_1737811948157725400	RustDesk.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\RustDesk\log\password\RustDesk_rCURRENT.log	RustDesk.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\RustDesk\log\tray\RustDesk_rCURRENT.log	RustDesk.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\RustDesk\log\check-hwcodec-config\RustDesk_rCURRENT.log	RustDesk.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\RustDesk\config\RustDesk_hwcodec.3688_ThreadId(11)_1737811958524819800	RustDesk.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\RustDesk\config\RustDesk2.3688_ThreadId(25)_1737811958620664800	RustDesk.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\RustDesk\log\import-config\RustDesk_rCURRENT.log	RustDesk.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\RustDesk\config\RustDesk2.4360_ThreadId(25)_1737811948253208200	RustDesk.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\RustDesk\log\get-id\RustDesk_rCURRENT.log	rustdesk.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\RustDesk\config\RustDesk2.toml	powershell.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\RustDesk\config\RustDesk2.3212_ThreadId(2)_1737811957183661100	RustDesk.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\RustDesk\log\uninstall-cert\rustdesk_rCURRENT.log	rustdesk.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\RustDesk\config\RustDesk2.4360_ThreadId(23)_1737811948144354200	RustDesk.exe

Launches sc.exe 12 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3760	sc.exe
4628	sc.exe
3140	sc.exe
1528	sc.exe
964	sc.exe
5036	sc.exe
3752	sc.exe
2840	sc.exe
4916	sc.exe
1576	sc.exe
5064	sc.exe
3488	sc.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1704	powershell.exe
3276	powershell.exe
2560	powershell.exe
2872	powershell.exe
1960	powershell.exe
1312	powershell.exe
4496	powershell.exe
2648	powershell.exe
4128	powershell.exe
1572	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tacticalagent-v2.8.0-windows-amd64.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tacticalagent-v2.8.0-windows-amd64.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3532	PING.EXE
2824	cmd.exe
4392	PING.EXE
4832	cmd.exe

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	rustdesk.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	rustdesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	rustdesk.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	rustdesk.exe

Kills process with taskkill 6 IoCs

defense_evasion

pid	Process
1164	taskkill.exe
740	taskkill.exe
4660	taskkill.exe
3516	taskkill.exe
3688	taskkill.exe
2288	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1841 = "Russia TZ 4 Daylight Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time"	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-752 = "Tonga Standard Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)"	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Environment\ChocolateyLastPathUpdate = "133822855590811247"	setx.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time"	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time"	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-302 = "Romance Standard Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time"	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-11 = "Azores Daylight Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time"	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2751 = "Tomsk Daylight Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time"	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-191 = "Mountain Daylight Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1891 = "Russia TZ 3 Daylight Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time"	tacticalrmm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time"	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2452 = "Saint Pierre Standard Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time"	tacticalrmm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time"	tacticalrmm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	MeshAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe

Modifies registry class 30 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\rustdesk\shell	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\rustdesk\URL Protocol	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.rustdesk\shell\open\command	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.rustdesk\shell\open\command\ = "\"C:\\Program Files\\RustDesk\\RustDesk.exe\" --play \"%1\""	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\rustdesk\	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\rustdesk	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\rustdesk\shell\open	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.rustdesk\STARTMENUSHORTCUTS = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.rustdesk\DefaultIcon	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.rustdesk\shell\open\command	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\rustdesk\shell\	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\rustdesk\shell\open\command\	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.rustdesk\	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.rustdesk\shell	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\rustdesk	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\rustdesk\shell\open\command	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\rustdesk\shell\open\command\ = "\"C:\\Program Files\\RustDesk\\RustDesk.exe\" \"%1\""	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.rustdesk	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.rustdesk	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.rustdesk\DefaultIcon\ = "\"C:\\Program Files\\RustDesk\\RustDesk.exe\",0"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.rustdesk\shell\	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.rustdesk\DESKTOPSHORTCUTS = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.rustdesk	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.rustdesk\shell\open\	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.rustdesk\shell\open\command\	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\rustdesk\shell\open\	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\rustdesk\shell\open\command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.rustdesk\shell\open	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.rustdesk\DefaultIcon	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.rustdesk\DefaultIcon\	reg.exe

Modifies system certificate store 2 TTPs 12 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	2025-01-25_4c63b362b73a36e9410738b9f81428ef_frostygoop_hijackloader_luca-stealer_poet-rat_snatch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	tacticalrmm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	tacticalrmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	tacticalrmm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800001900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	tacticalrmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4	tacticalrmm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 04000000010000001000000091de0625abdafd32170cbb25172a84670f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec53726187760b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b06010505070301620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae4140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e31d000000010000001000000099949d2179811f6b30a8c99c4f6b42260300000001000000140000002796bae63f1801e277261ba0d77770028f20eee419000000010000001000000063664b080559a094d10f0a3c5f4f629020000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	tacticalrmm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	2025-01-25_4c63b362b73a36e9410738b9f81428ef_frostygoop_hijackloader_luca-stealer_poet-rat_snatch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	2025-01-25_4c63b362b73a36e9410738b9f81428ef_frostygoop_hijackloader_luca-stealer_poet-rat_snatch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	tacticalrmm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	tacticalrmm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 5c00000001000000040000000008000019000000010000001000000063664b080559a094d10f0a3c5f4f62900300000001000000140000002796bae63f1801e277261ba0d77770028f20eee41d000000010000001000000099949d2179811f6b30a8c99c4f6b4226140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e3620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae409000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec537261877604000000010000001000000091de0625abdafd32170cbb25172a846720000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	tacticalrmm.exe

Runs net.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
4392	PING.EXE
3532	PING.EXE

Suspicious behavior: EnumeratesProcesses 56 IoCs

pid	Process
3644	tacticalrmm.exe
1888	tacticalrmm.exe
1704	powershell.exe
1704	powershell.exe
3276	powershell.exe
3276	powershell.exe
2560	powershell.exe
2560	powershell.exe
4128	powershell.exe
4128	powershell.exe
1888	tacticalrmm.exe
1888	tacticalrmm.exe
4800	tacticalrmm.exe
2224	tacticalrmm.exe
2196	tacticalrmm.exe
3048	tacticalrmm.exe
3744	tacticalrmm.exe
2156	tacticalrmm.exe
5028	tacticalrmm.exe
2872	powershell.exe
2872	powershell.exe
2872	powershell.exe
1572	powershell.exe
1572	powershell.exe
1960	powershell.exe
1960	powershell.exe
1572	powershell.exe
1960	powershell.exe
1312	powershell.exe
1312	powershell.exe
1312	powershell.exe
2872	powershell.exe
4800	tacticalrmm.exe
4800	tacticalrmm.exe
4800	tacticalrmm.exe
4800	tacticalrmm.exe
4800	tacticalrmm.exe
4800	tacticalrmm.exe
3916	tacticalrmm.exe
4496	powershell.exe
4496	powershell.exe
4496	powershell.exe
4268	RustDesk.exe
4268	RustDesk.exe
4360	RustDesk.exe
4360	RustDesk.exe
1576	RustDesk.exe
2648	powershell.exe
2648	powershell.exe
2648	powershell.exe
1572	RustDesk.exe
1572	RustDesk.exe
3688	RustDesk.exe
3688	RustDesk.exe
3688	RustDesk.exe
3688	RustDesk.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4660	taskkill.exe
Token: SeDebugPrivilege	3644	tacticalrmm.exe
Token: SeDebugPrivilege	1888	tacticalrmm.exe
Token: SeAssignPrimaryTokenPrivilege	1640	wmic.exe
Token: SeIncreaseQuotaPrivilege	1640	wmic.exe
Token: SeSecurityPrivilege	1640	wmic.exe
Token: SeTakeOwnershipPrivilege	1640	wmic.exe
Token: SeLoadDriverPrivilege	1640	wmic.exe
Token: SeSystemtimePrivilege	1640	wmic.exe
Token: SeBackupPrivilege	1640	wmic.exe
Token: SeRestorePrivilege	1640	wmic.exe
Token: SeShutdownPrivilege	1640	wmic.exe
Token: SeSystemEnvironmentPrivilege	1640	wmic.exe
Token: SeUndockPrivilege	1640	wmic.exe
Token: SeManageVolumePrivilege	1640	wmic.exe
Token: SeAssignPrimaryTokenPrivilege	1640	wmic.exe
Token: SeIncreaseQuotaPrivilege	1640	wmic.exe
Token: SeSecurityPrivilege	1640	wmic.exe
Token: SeTakeOwnershipPrivilege	1640	wmic.exe
Token: SeLoadDriverPrivilege	1640	wmic.exe
Token: SeSystemtimePrivilege	1640	wmic.exe
Token: SeBackupPrivilege	1640	wmic.exe
Token: SeRestorePrivilege	1640	wmic.exe
Token: SeShutdownPrivilege	1640	wmic.exe
Token: SeSystemEnvironmentPrivilege	1640	wmic.exe
Token: SeUndockPrivilege	1640	wmic.exe
Token: SeManageVolumePrivilege	1640	wmic.exe
Token: SeAssignPrimaryTokenPrivilege	4916	wmic.exe
Token: SeIncreaseQuotaPrivilege	4916	wmic.exe
Token: SeSecurityPrivilege	4916	wmic.exe
Token: SeTakeOwnershipPrivilege	4916	wmic.exe
Token: SeLoadDriverPrivilege	4916	wmic.exe
Token: SeSystemtimePrivilege	4916	wmic.exe
Token: SeBackupPrivilege	4916	wmic.exe
Token: SeRestorePrivilege	4916	wmic.exe
Token: SeShutdownPrivilege	4916	wmic.exe
Token: SeSystemEnvironmentPrivilege	4916	wmic.exe
Token: SeUndockPrivilege	4916	wmic.exe
Token: SeManageVolumePrivilege	4916	wmic.exe
Token: SeAssignPrimaryTokenPrivilege	4916	wmic.exe
Token: SeIncreaseQuotaPrivilege	4916	wmic.exe
Token: SeSecurityPrivilege	4916	wmic.exe
Token: SeTakeOwnershipPrivilege	4916	wmic.exe
Token: SeLoadDriverPrivilege	4916	wmic.exe
Token: SeSystemtimePrivilege	4916	wmic.exe
Token: SeBackupPrivilege	4916	wmic.exe
Token: SeRestorePrivilege	4916	wmic.exe
Token: SeShutdownPrivilege	4916	wmic.exe
Token: SeSystemEnvironmentPrivilege	4916	wmic.exe
Token: SeUndockPrivilege	4916	wmic.exe
Token: SeManageVolumePrivilege	4916	wmic.exe
Token: SeAssignPrimaryTokenPrivilege	1312	wmic.exe
Token: SeIncreaseQuotaPrivilege	1312	wmic.exe
Token: SeSecurityPrivilege	1312	wmic.exe
Token: SeTakeOwnershipPrivilege	1312	wmic.exe
Token: SeLoadDriverPrivilege	1312	wmic.exe
Token: SeSystemtimePrivilege	1312	wmic.exe
Token: SeBackupPrivilege	1312	wmic.exe
Token: SeRestorePrivilege	1312	wmic.exe
Token: SeShutdownPrivilege	1312	wmic.exe
Token: SeSystemEnvironmentPrivilege	1312	wmic.exe
Token: SeUndockPrivilege	1312	wmic.exe
Token: SeManageVolumePrivilege	1312	wmic.exe
Token: SeAssignPrimaryTokenPrivilege	1312	wmic.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2872	tacticalagent-v2.8.0-windows-amd64.tmp
1576	RustDesk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3820 wrote to memory of 2528	3820	2025-01-25_4c63b362b73a36e9410738b9f81428ef_frostygoop_hijackloader_luca-stealer_poet-rat_snatch.exe	86
PID 3820 wrote to memory of 2528	3820	2025-01-25_4c63b362b73a36e9410738b9f81428ef_frostygoop_hijackloader_luca-stealer_poet-rat_snatch.exe	86
PID 3820 wrote to memory of 2528	3820	2025-01-25_4c63b362b73a36e9410738b9f81428ef_frostygoop_hijackloader_luca-stealer_poet-rat_snatch.exe	86
PID 2528 wrote to memory of 2872	2528	tacticalagent-v2.8.0-windows-amd64.exe	87
PID 2528 wrote to memory of 2872	2528	tacticalagent-v2.8.0-windows-amd64.exe	87
PID 2528 wrote to memory of 2872	2528	tacticalagent-v2.8.0-windows-amd64.exe	87
PID 2872 wrote to memory of 2824	2872	tacticalagent-v2.8.0-windows-amd64.tmp	88
PID 2872 wrote to memory of 2824	2872	tacticalagent-v2.8.0-windows-amd64.tmp	88
PID 2872 wrote to memory of 2824	2872	tacticalagent-v2.8.0-windows-amd64.tmp	88
PID 2824 wrote to memory of 4392	2824	cmd.exe	90
PID 2824 wrote to memory of 4392	2824	cmd.exe	90
PID 2824 wrote to memory of 4392	2824	cmd.exe	90
PID 2824 wrote to memory of 4012	2824	cmd.exe	91
PID 2824 wrote to memory of 4012	2824	cmd.exe	91
PID 2824 wrote to memory of 4012	2824	cmd.exe	91
PID 4012 wrote to memory of 4416	4012	net.exe	92
PID 4012 wrote to memory of 4416	4012	net.exe	92
PID 4012 wrote to memory of 4416	4012	net.exe	92
PID 2872 wrote to memory of 836	2872	tacticalagent-v2.8.0-windows-amd64.tmp	93
PID 2872 wrote to memory of 836	2872	tacticalagent-v2.8.0-windows-amd64.tmp	93
PID 2872 wrote to memory of 836	2872	tacticalagent-v2.8.0-windows-amd64.tmp	93
PID 836 wrote to memory of 1684	836	cmd.exe	95
PID 836 wrote to memory of 1684	836	cmd.exe	95
PID 836 wrote to memory of 1684	836	cmd.exe	95
PID 1684 wrote to memory of 3564	1684	net.exe	96
PID 1684 wrote to memory of 3564	1684	net.exe	96
PID 1684 wrote to memory of 3564	1684	net.exe	96
PID 2872 wrote to memory of 4832	2872	tacticalagent-v2.8.0-windows-amd64.tmp	97
PID 2872 wrote to memory of 4832	2872	tacticalagent-v2.8.0-windows-amd64.tmp	97
PID 2872 wrote to memory of 4832	2872	tacticalagent-v2.8.0-windows-amd64.tmp	97
PID 4832 wrote to memory of 3532	4832	cmd.exe	99
PID 4832 wrote to memory of 3532	4832	cmd.exe	99
PID 4832 wrote to memory of 3532	4832	cmd.exe	99
PID 4832 wrote to memory of 1696	4832	cmd.exe	100
PID 4832 wrote to memory of 1696	4832	cmd.exe	100
PID 4832 wrote to memory of 1696	4832	cmd.exe	100
PID 1696 wrote to memory of 1916	1696	net.exe	101
PID 1696 wrote to memory of 1916	1696	net.exe	101
PID 1696 wrote to memory of 1916	1696	net.exe	101
PID 2872 wrote to memory of 2752	2872	tacticalagent-v2.8.0-windows-amd64.tmp	102
PID 2872 wrote to memory of 2752	2872	tacticalagent-v2.8.0-windows-amd64.tmp	102
PID 2872 wrote to memory of 2752	2872	tacticalagent-v2.8.0-windows-amd64.tmp	102
PID 2752 wrote to memory of 4660	2752	cmd.exe	104
PID 2752 wrote to memory of 4660	2752	cmd.exe	104
PID 2752 wrote to memory of 4660	2752	cmd.exe	104
PID 2872 wrote to memory of 4868	2872	tacticalagent-v2.8.0-windows-amd64.tmp	107
PID 2872 wrote to memory of 4868	2872	tacticalagent-v2.8.0-windows-amd64.tmp	107
PID 2872 wrote to memory of 4868	2872	tacticalagent-v2.8.0-windows-amd64.tmp	107
PID 4868 wrote to memory of 1528	4868	cmd.exe	109
PID 4868 wrote to memory of 1528	4868	cmd.exe	109
PID 4868 wrote to memory of 1528	4868	cmd.exe	109
PID 2872 wrote to memory of 3876	2872	tacticalagent-v2.8.0-windows-amd64.tmp	110
PID 2872 wrote to memory of 3876	2872	tacticalagent-v2.8.0-windows-amd64.tmp	110
PID 2872 wrote to memory of 3876	2872	tacticalagent-v2.8.0-windows-amd64.tmp	110
PID 3876 wrote to memory of 4916	3876	cmd.exe	112
PID 3876 wrote to memory of 4916	3876	cmd.exe	112
PID 3876 wrote to memory of 4916	3876	cmd.exe	112
PID 2872 wrote to memory of 1852	2872	tacticalagent-v2.8.0-windows-amd64.tmp	113
PID 2872 wrote to memory of 1852	2872	tacticalagent-v2.8.0-windows-amd64.tmp	113
PID 2872 wrote to memory of 1852	2872	tacticalagent-v2.8.0-windows-amd64.tmp	113
PID 1852 wrote to memory of 3644	1852	cmd.exe	115
PID 1852 wrote to memory of 3644	1852	cmd.exe	115
PID 2872 wrote to memory of 4048	2872	tacticalagent-v2.8.0-windows-amd64.tmp	116
PID 2872 wrote to memory of 4048	2872	tacticalagent-v2.8.0-windows-amd64.tmp	116

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2025-01-25_4c63b362b73a36e9410738b9f81428ef_frostygoop_hijackloader_luca-stealer_poet-rat_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-25_4c63b362b73a36e9410738b9f81428ef_frostygoop_hijackloader_luca-stealer_poet-rat_snatch.exe"
1⤵
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:3820
- C:\ProgramData\TacticalRMM\tacticalagent-v2.8.0-windows-amd64.exe
  C:\ProgramData\TacticalRMM\tacticalagent-v2.8.0-windows-amd64.exe /VERYSILENT /SUPPRESSMSGBOXES
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Users\Admin\AppData\Local\Temp\is-0BS5P.tmp\tacticalagent-v2.8.0-windows-amd64.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-0BS5P.tmp\tacticalagent-v2.8.0-windows-amd64.tmp" /SL5="$401CC,3660179,825344,C:\ProgramData\TacticalRMM\tacticalagent-v2.8.0-windows-amd64.exe" /VERYSILENT /SUPPRESSMSGBOXES
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2872
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c ping 127.0.0.1 -n 2 && net stop tacticalrpc
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Suspicious use of WriteProcessMemory
      PID:2824
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4392
    - - C:\Windows\SysWOW64\net.exe
        
        net stop tacticalrpc
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4012
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop tacticalrpc
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4416
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c net stop tacticalagent
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:836
    - - C:\Windows\SysWOW64\net.exe
        
        net stop tacticalagent
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1684
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop tacticalagent
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3564
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c ping 127.0.0.1 -n 2 && net stop tacticalrmm
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Suspicious use of WriteProcessMemory
      PID:4832
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3532
    - - C:\Windows\SysWOW64\net.exe
        
        net stop tacticalrmm
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1696
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop tacticalrmm
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1916
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c taskkill /F /IM tacticalrmm.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2752
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM tacticalrmm.exe
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4660
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c sc delete tacticalagent
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4868
    - - C:\Windows\SysWOW64\sc.exe
        
        sc delete tacticalagent
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:1528
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c sc delete tacticalrpc
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3876
    - - C:\Windows\SysWOW64\sc.exe
        
        sc delete tacticalrpc
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:4916
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c tacticalrmm.exe -m installsvc
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1852
    - - C:\Program Files\TacticalAgent\tacticalrmm.exe
        
        tacticalrmm.exe -m installsvc
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3644
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c net start tacticalrmm
      4⤵
      System Location Discovery: System Language Discovery
      PID:4048
    - - C:\Windows\SysWOW64\net.exe
        
        net start tacticalrmm
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2924
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start tacticalrmm
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1636
- C:\Program Files\TacticalAgent\tacticalrmm.exe
  "C:\Program Files\TacticalAgent\tacticalrmm.exe" -m install --api https://api.trmm.v-consulting.com --client-id 6 --site-id 9 --agent-type workstation --auth 5b9472796a1c23bdaf91ebdad8ab4b0ce080e83f3199cdd50bb816e3fa1ddd1e
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1888
- - C:\Program Files\TacticalAgent\meshagent.exe
    "C:\Program Files\TacticalAgent\meshagent.exe" -fullinstall
    3⤵
    - Sets service image path in registry
    - Executes dropped EXE
    PID:2216
- - C:\Program Files\Mesh Agent\MeshAgent.exe
    "C:\Program Files\Mesh Agent\MeshAgent.exe" -nodeid
    3⤵
    - Executes dropped EXE
    PID:2368

C:\Program Files\Mesh Agent\MeshAgent.exe
"C:\Program Files\Mesh Agent\MeshAgent.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3532
- C:\Windows\System32\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1640
- C:\Windows\system32\wbem\wmic.exe
  wmic os get oslanguage /FORMAT:LIST
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4916
- C:\Windows\System32\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1312
- C:\Windows\system32\wbem\wmic.exe
  wmic os get oslanguage /FORMAT:LIST
  2⤵
  PID:3664
- C:\Windows\System32\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  PID:2172
- C:\Windows\System32\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  PID:4620
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -noprofile -nologo -command -
  2⤵
  - Drops file in System32 directory
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:1704
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -noprofile -nologo -command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:3276
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -noprofile -nologo -command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:2560
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -noprofile -nologo -command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:4128
- C:\Windows\system32\cmd.exe
  /c manage-bde -protectors -get C: -Type recoverypassword
  2⤵
  PID:3220
- - C:\Windows\system32\manage-bde.exe
    manage-bde -protectors -get C: -Type recoverypassword
    3⤵
    PID:4884
- C:\Windows\system32\cmd.exe
  /c manage-bde -protectors -get F: -Type recoverypassword
  2⤵
  PID:1228
- - C:\Windows\system32\manage-bde.exe
    manage-bde -protectors -get F: -Type recoverypassword
    3⤵
    PID:4488

C:\Program Files\TacticalAgent\tacticalrmm.exe
"C:\Program Files\TacticalAgent\tacticalrmm.exe" -m svc
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:4800
- C:\Program Files\TacticalAgent\tacticalrmm.exe
  "C:\Program Files\TacticalAgent\tacticalrmm.exe" -m checkrunner
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:3916
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass C:\ProgramData\TacticalRMM\1946534243.ps1
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    PID:4496
- C:\Program Files\Mesh Agent\MeshAgent.exe
  "C:\Program Files\Mesh Agent\MeshAgent.exe" -nodeid
  2⤵
  - Executes dropped EXE
  PID:2064
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass C:\ProgramData\TacticalRMM\2500720667.ps1
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2648
- - C:\Windows\System32\setx.exe
    "C:\Windows\System32\setx.exe" ChocolateyLastPathUpdate 133822855582163852
    3⤵
    PID:3868
- - C:\Windows\System32\setx.exe
    "C:\Windows\System32\setx.exe" ChocolateyLastPathUpdate 133822855582857987
    3⤵
    PID:5060
- - C:\Windows\System32\setx.exe
    "C:\Windows\System32\setx.exe" ChocolateyLastPathUpdate 133822855584982223
    3⤵
    PID:1844
- - C:\Windows\System32\setx.exe
    "C:\Windows\System32\setx.exe" ChocolateyLastPathUpdate 133822855590811247
    3⤵
    - Modifies data under HKEY_USERS
    PID:5348
- - C:\ProgramData\chocolatey\choco.exe
    "C:\ProgramData\chocolatey\choco.exe" -v
    3⤵
    - Executes dropped EXE
    PID:5568

C:\Program Files\TacticalAgent\tacticalrmm.exe
"C:\Program Files\TacticalAgent\tacticalrmm.exe" -m taskrunner -p 30
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\ProgramData\TacticalRMM\1188416894.bat
  2⤵
  PID:3664
- - C:\Windows\system32\powercfg.exe
    powercfg.exe -x -standby-timeout-ac 0
    3⤵
    - Power Settings
    PID:3804

C:\Program Files\TacticalAgent\tacticalrmm.exe
"C:\Program Files\TacticalAgent\tacticalrmm.exe" -m taskrunner -p 8
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3048
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass C:\ProgramData\TacticalRMM\3581174901.ps1
  2⤵
  - Drops file in System32 directory
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:1572
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Program Files\RustDesk\RustDesk.exe" --get-id
    3⤵
    PID:1972
  - - C:\Program Files\RustDesk\rustdesk.exe
      "C:\Program Files\RustDesk\RustDesk.exe" --get-id
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:952

C:\Program Files\TacticalAgent\tacticalrmm.exe
"C:\Program Files\TacticalAgent\tacticalrmm.exe" -m taskrunner -p 6
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3744
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass C:\ProgramData\TacticalRMM\1313068405.ps1
  2⤵
  - Blocklisted process makes network request
  - Drops file in Windows directory
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:2872
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" stop rustdesk
    3⤵
    PID:4812
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop rustdesk
      4⤵
      PID:4232
- - C:\Windows\TEMP\rustdesk.exe
    "C:\Windows\TEMP\rustdesk.exe" --silent-install
    3⤵
    - Drops file in System32 directory
    PID:2696
  - - C:\Windows\system32\taskkill.exe
      "taskkill" /F /IM RuntimeBroker_rustdesk.exe
      4⤵
      Kills process with taskkill
      PID:3516
  - - C:\Windows\system32\config\systemprofile\AppData\Local\rustdesk\rustdesk.exe
      "C:\Windows\system32\config\systemprofile\AppData\Local\rustdesk\.\rustdesk.exe" --silent-install
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      PID:3644
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Windows\TEMP\RustDesk_install.bat
        5⤵
        
        PID:4324
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:5000
      - C:\Windows\system32\sc.exe
        
        sc stop RustDesk
        6⤵
        Launches sc.exe
        
        PID:1576
      - C:\Windows\system32\sc.exe
        
        sc delete RustDesk
        6⤵
        Launches sc.exe
        
        PID:964
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM RuntimeBroker_rustdesk.exe
        6⤵
        Kills process with taskkill
        
        PID:3688
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM RustDesk.exe /FI "PID ne 3644"
        6⤵
        Kills process with taskkill
        
        PID:2288
      - C:\Windows\system32\reg.exe
        
        reg delete HKEY_CLASSES_ROOT\.rustdesk /f
        6⤵
        
        PID:2560
      - C:\Windows\system32\reg.exe
        
        reg delete HKEY_CLASSES_ROOT\rustdesk /f
        6⤵
        
        PID:3988
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall delete rule name="RustDesk Service"
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2308
      - C:\Windows\system32\config\systemprofile\AppData\Local\rustdesk\rustdesk.exe
        
        "C:\Windows\system32\config\systemprofile\AppData\Local\rustdesk\.\rustdesk.exe" --uninstall-cert
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:1840
      - C:\Windows\system32\reg.exe
        
        reg delete HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk /f
        6⤵
        
        PID:4744
      - C:\Windows\system32\config\systemprofile\AppData\Local\rustdesk\rustdesk.exe
        
        "C:\Windows\system32\config\systemprofile\AppData\Local\rustdesk\.\rustdesk.exe" --uninstall-amyuni-idd
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        Checks SCSI registry key(s)
        
        PID:4608
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:4840
      - C:\Windows\system32\xcopy.exe
        
        XCOPY "C:\Windows\system32\config\systemprofile\AppData\Local\rustdesk" "C:\Program Files\RustDesk" /Y /E /H /C /I /K /R /Z
        6⤵
        Drops file in Program Files directory
        
        PID:1480
      - C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk /f
        6⤵
        
        PID:3176
      - C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk /f /v DisplayIcon /t REG_SZ /d "C:\Program Files\RustDesk\RustDesk.exe"
        6⤵
        
        PID:3972
      - C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk /f /v DisplayName /t REG_SZ /d "RustDesk"
        6⤵
        
        PID:1532
      - C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk /f /v DisplayVersion /t REG_SZ /d "1.3.7"
        6⤵
        
        PID:720
      - C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk /f /v Version /t REG_SZ /d "1.3.7"
        6⤵
        
        PID:1844
      - C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk /f /v BuildDate /t REG_SZ /d "2025-01-21 09:41"
        6⤵
        
        PID:840
      - C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk /f /v InstallLocation /t REG_SZ /d "C:\Program Files\RustDesk"
        6⤵
        
        PID:3688
      - C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk /f /v Publisher /t REG_SZ /d "RustDesk"
        6⤵
        
        PID:1308
      - C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk /f /v VersionMajor /t REG_DWORD /d 1
        6⤵
        
        PID:2136
      - C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk /f /v VersionMinor /t REG_DWORD /d 3
        6⤵
        
        PID:2288
      - C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk /f /v VersionBuild /t REG_DWORD /d 7
        6⤵
        
        PID:4264
      - C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk /f /v UninstallString /t REG_SZ /d "\"C:\Program Files\RustDesk\RustDesk.exe\" --uninstall"
        6⤵
        
        PID:2560
      - C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk /f /v EstimatedSize /t REG_DWORD /d 261
        6⤵
        
        PID:4436
      - C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk /f /v WindowsInstaller /t REG_DWORD /d 0
        6⤵
        
        PID:2528
      - C:\Windows\system32\cscript.exe
        
        cscript "C:\Windows\TEMP\RustDesk_mk_shortcut.vbs"
        6⤵
        Modifies data under HKEY_USERS
        
        PID:2656
      - C:\Windows\system32\cscript.exe
        
        cscript "C:\Windows\TEMP\RustDesk_uninstall_shortcut.vbs"
        6⤵
        
        PID:4844
      - C:\Windows\system32\cscript.exe
        
        cscript "C:\Windows\TEMP\RustDesk_tray_shortcut.vbs"
        6⤵
        
        PID:1888
      - C:\Windows\system32\sc.exe
        
        sc stop RustDesk
        6⤵
        Launches sc.exe
        
        PID:5064
      - C:\Windows\system32\sc.exe
        
        sc delete RustDesk
        6⤵
        Launches sc.exe
        
        PID:3488
      - C:\Windows\system32\sc.exe
        
        sc create RustDesk binpath= "\"C:\Program Files\RustDesk\RustDesk.exe\" --import-config \"C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\RustDesk\config\RustDesk.toml\"" start= auto DisplayName= "RustDesk Service"
        6⤵
        Launches sc.exe
        
        PID:5036
      - C:\Windows\system32\sc.exe
        
        sc start RustDesk
        6⤵
        Launches sc.exe
        
        PID:3752
      - C:\Windows\system32\sc.exe
        
        sc stop RustDesk
        6⤵
        Launches sc.exe
        
        PID:3760
      - C:\Windows\system32\sc.exe
        
        sc delete RustDesk
        6⤵
        Launches sc.exe
        
        PID:4628
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1592
      - C:\Windows\system32\reg.exe
        
        reg add HKEY_CLASSES_ROOT\.rustdesk /f
        6⤵
        Modifies registry class
        
        PID:1852
      - C:\Windows\system32\reg.exe
        
        reg add HKEY_CLASSES_ROOT\.rustdesk /f /v DESKTOPSHORTCUTS /t REG_SZ /d "1"
        6⤵
        Modifies registry class
        
        PID:1612
      - C:\Windows\system32\reg.exe
        
        reg add HKEY_CLASSES_ROOT\.rustdesk /f /v STARTMENUSHORTCUTS /t REG_SZ /d "1"
        6⤵
        Modifies registry class
        
        PID:2892
      - C:\Windows\system32\reg.exe
        
        reg add HKEY_CLASSES_ROOT\.rustdesk\DefaultIcon /f
        6⤵
        Modifies registry class
        
        PID:3496
      - C:\Windows\system32\reg.exe
        
        reg add HKEY_CLASSES_ROOT\.rustdesk\DefaultIcon /f /ve /t REG_SZ /d "\"C:\Program Files\RustDesk\RustDesk.exe\",0"
        6⤵
        Modifies registry class
        
        PID:2648
      - C:\Windows\system32\reg.exe
        
        reg add HKEY_CLASSES_ROOT\.rustdesk\shell /f
        6⤵
        Modifies registry class
        
        PID:2776
      - C:\Windows\system32\reg.exe
        
        reg add HKEY_CLASSES_ROOT\.rustdesk\shell\open /f
        6⤵
        Modifies registry class
        
        PID:1580
      - C:\Windows\system32\reg.exe
        
        reg add HKEY_CLASSES_ROOT\.rustdesk\shell\open\command /f
        6⤵
        Modifies registry class
        
        PID:380
      - C:\Windows\system32\reg.exe
        
        reg add HKEY_CLASSES_ROOT\.rustdesk\shell\open\command /f /ve /t REG_SZ /d "\"C:\Program Files\RustDesk\RustDesk.exe\" --play \"%1\""
        6⤵
        Modifies registry class
        
        PID:2460
      - C:\Windows\system32\reg.exe
        
        reg add HKEY_CLASSES_ROOT\rustdesk /f
        6⤵
        Modifies registry class
        
        PID:1704
      - C:\Windows\system32\reg.exe
        
        reg add HKEY_CLASSES_ROOT\rustdesk /f /v "URL Protocol" /t REG_SZ /d ""
        6⤵
        Modifies registry class
        
        PID:2900
      - C:\Windows\system32\reg.exe
        
        reg add HKEY_CLASSES_ROOT\rustdesk\shell /f
        6⤵
        Modifies registry class
        
        PID:1972
      - C:\Windows\system32\reg.exe
        
        reg add HKEY_CLASSES_ROOT\rustdesk\shell\open /f
        6⤵
        Modifies registry class
        
        PID:920
      - C:\Windows\system32\reg.exe
        
        reg add HKEY_CLASSES_ROOT\rustdesk\shell\open\command /f
        6⤵
        Modifies registry class
        
        PID:4320
      - C:\Windows\system32\reg.exe
        
        reg add HKEY_CLASSES_ROOT\rustdesk\shell\open\command /f /ve /t REG_SZ /d "\"C:\Program Files\RustDesk\RustDesk.exe\" \"%1\""
        6⤵
        Modifies registry class
        
        PID:4876
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="RustDesk Service" dir=out action=allow program="C:\Program Files\RustDesk\RustDesk.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3600
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="RustDesk Service" dir=in action=allow program="C:\Program Files\RustDesk\RustDesk.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4304
      - C:\Windows\system32\sc.exe
        
        sc create RustDesk binpath= "\"C:\Program Files\RustDesk\RustDesk.exe\" --service" start= auto DisplayName= "RustDesk Service"
        6⤵
        Launches sc.exe
        
        PID:3140
      - C:\Windows\system32\sc.exe
        
        sc start RustDesk
        6⤵
        Launches sc.exe
        
        PID:2840
      - C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System /f /v SoftwareSASGeneration /t REG_DWORD /d 1
        6⤵
        
        PID:4448
    - - C:\Program Files\RustDesk\RustDesk.exe
        
        "C:\Program Files\RustDesk\RustDesk.exe" --tray
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        
        PID:1576
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" stop rustdesk
    3⤵
    PID:3752
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop rustdesk
      4⤵
      PID:2108
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "c:\Program Files\RustDesk\RustDesk.exe" --get-id
    3⤵
    PID:1484
  - - \??\c:\Program Files\RustDesk\rustdesk.exe
      "c:\Program Files\RustDesk\RustDesk.exe" --get-id
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:2928
- - C:\Program Files\RustDesk\RustDesk.exe
    "C:\Program Files\RustDesk\RustDesk.exe" --password svEZhtFzJqYo
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:3212
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" start rustdesk
    3⤵
    PID:4932
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 start rustdesk
      4⤵
      PID:3964

C:\Program Files\TacticalAgent\tacticalrmm.exe
"C:\Program Files\TacticalAgent\tacticalrmm.exe" -m taskrunner -p 47
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2156

C:\Program Files\TacticalAgent\tacticalrmm.exe
"C:\Program Files\TacticalAgent\tacticalrmm.exe" -m taskrunner -p 39
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass C:\ProgramData\TacticalRMM\2134728488.ps1
  2⤵
  - Drops file in System32 directory
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:1312
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Windows\TEMP\ppla0upd\ppla0upd.cmdline"
    3⤵
    PID:1888
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Windows\TEMP\RESF121.tmp" "c:\Windows\Temp\ppla0upd\CSC2B371DE9C3F54A0A9D86ACE52C2576B0.TMP"
      4⤵
      PID:3688

C:\Program Files\TacticalAgent\tacticalrmm.exe
"C:\Program Files\TacticalAgent\tacticalrmm.exe" -m taskrunner -p 60
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2196
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass C:\ProgramData\TacticalRMM\3452545536.ps1
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:1960

C:\Program Files\RustDesk\RustDesk.exe
"C:\Program Files\RustDesk\RustDesk.exe" --import-config "C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\RustDesk\config\RustDesk.toml"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:3400

C:\Program Files\RustDesk\RustDesk.exe
"C:\Program Files\RustDesk\RustDesk.exe" --service
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:4268
- C:\Program Files\RustDesk\RustDesk.exe
  "C:\Program Files\RustDesk\RustDesk.exe" --server
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:4360
- - C:\Windows\system32\cmd.exe
    "cmd" /c "taskkill /F /IM RuntimeBroker_rustdesk.exe"
    3⤵
    PID:1004
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM RuntimeBroker_rustdesk.exe
      4⤵
      Kills process with taskkill
      PID:1164
- - C:\Program Files\RustDesk\RustDesk.exe
    "C:\Program Files\RustDesk\RustDesk.exe" --check-hwcodec-config
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:1180

C:\Program Files\RustDesk\RustDesk.exe
"C:\Program Files\RustDesk\RustDesk.exe" --service
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1572
- C:\Program Files\RustDesk\RustDesk.exe
  "C:\Program Files\RustDesk\RustDesk.exe" --server
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:3688
- - C:\Windows\system32\cmd.exe
    "cmd" /c "taskkill /F /IM RuntimeBroker_rustdesk.exe"
    3⤵
    PID:4516
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM RuntimeBroker_rustdesk.exe
      4⤵
      Kills process with taskkill
      PID:740
- - C:\Program Files\RustDesk\RustDesk.exe
    "C:\Program Files\RustDesk\RustDesk.exe" --check-hwcodec-config
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:3536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Power Settings

T1653

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Mesh Agent\MeshAgent.db

Filesize
153KB

MD5
c5e7d940f0190914b942c5518d7c6cc9

SHA1
85c707ff83d14a30272db154ce502043428ccead

SHA256
bf474ce8ee36df55da2d791eea8be73e9687bc51c2deab56ace9b44a62a5d5db

SHA512
b70db00c2ba2d7f15d49dcb4d618ee1d10d2ce1236d0485636d5c80caddbfc0b9bf5a5773074ad85e19e7eac3668c909eb3535a33fc7c3ffa13add00f3e95103

Download Submit
C:\Program Files\RustDesk\Uninstall RustDesk.lnk

Filesize
959B

MD5
cf7fc964d969a95daa53a1374ec58b0b

SHA1
f3fbe4b7b3a773c840773c281227e660df6b89b1

SHA256
b8bae2aa7cccc96eaa30798af44a1b2549ef1effd011ce47bd98b498835fd9e9

SHA512
416357372c446723c958f757c82c31ac071aecfbe6c823f5bc0317bd9be71677b148dbde19326c3fda1e0d17b6be845f2b98e44daf37b60d2b896628f06cac08

Download Submit
C:\Program Files\TacticalAgent\agent.log

Filesize
67B

MD5
1c3b90344e5742e0019f289d37c1b65d

SHA1
ce8794661f6c11fb31382052f3aaa01968a41be7

SHA256
dc2cd3f12dcdce5ab7553db1665ec49b8b920ce34f4deb54a24055f3fcfb60b4

SHA512
97a002a7cb8a07b6bca2de18c042bff1f31037f31f701232648193ac784014f18d9beeee37cd2b14878fa986baa0c854d3ab26362d378b8ac4e6607b1201267f

Download Submit
C:\Program Files\TacticalAgent\meshagent.exe

Filesize
3.3MB

MD5
2641d5b122336e87d2964c562898caea

SHA1
ad3b817c810702c6ccd060192566350ac5eb77fd

SHA256
88b6c219763de23bbe1752aa22d408bf9b3db1926e691fd6a299beb0680c9757

SHA512
4380d048e42ad1e58a64ea0bcb1f31c4cc343e43c12e052327a997505a804f68f2b26bad77dc48d4ce04b8d5d4adc6be6878c8ce462916247bc74ef136e2c401

Download Submit
C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\cryptography-42.0.8.dist-info\INSTALLER

Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit
C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pyasn1\codec\native\__init__.py

Filesize
59B

MD5
0fc1b4d3e705f5c110975b1b90d43670

SHA1
14a9b683b19e8d7d9cb25262cdefcb72109b5569

SHA256
1040e52584b5ef6107dfd19489d37ff056e435c598f4e555f1edf4015e7ca67d

SHA512
8a147c06c8b0a960c9a3fa6da3b30a3b18d3612af9c663ee24c8d2066f45419a2ff4aa3a636606232eca12d7faef3da0cbbd3670a2d72a3281544e1c0b8edf81

Download Submit
C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\validators-0.28.3.dist-info\WHEEL

Filesize
92B

MD5
43136dde7dd276932f6197bb6d676ef4

SHA1
6b13c105452c519ea0b65ac1a975bd5e19c50122

SHA256
189eedfe4581172c1b6a02b97a8f48a14c0b5baa3239e4ca990fbd8871553714

SHA512
e7712ba7d36deb083ebcc3b641ad3e7d19fb071ee64ae3a35ad6a50ee882b20cd2e60ca1319199df12584fe311a6266ec74f96a3fb67e59f90c7b5909668aee1

Download Submit
C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\win32comext\internet\__init__.py

Filesize
135B

MD5
f45c606ffc55fd2f41f42012d917bce9

SHA1
ca93419cc53fb4efef251483abe766da4b8e2dfd

SHA256
f0bb50af1caea5b284bd463e5938229e7d22cc610b2d767ee1778e92a85849b4

SHA512
ba7bebe62a6c2216e68e2d484c098662ba3d5217b39a3156b30e776d2bb3cf5d4f31dcdc48a2eb99bc5d80fffe388b212ec707b7d10b48df601430a07608fd46

Download Submit
C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Scripts\normalizer.exe

Filesize
105KB

MD5
c485a95e68d04b1bce4aa5b4f301d90a

SHA1
8e0903ca5f0e2982b12c8bb49d4dff94a147a95e

SHA256
87d309b4470d3f2c21c686e6895fe95aeaee7a3b00948694d39bbe71ed86d169

SHA512
3bcfa7fc4fab47f140a8f21b55c09bd593fb2ba3379edc7bb4c60167c46dc440170c7ed1d918c118d8d7e312b4e126086caf87361e87b2e661c8b0434ed81289

Download Submit
C:\Program Files\TacticalAgent\tacticalrmm.exe

Filesize
9.2MB

MD5
bb383b7c3d5e4acb1001ab099b5b0f3c

SHA1
cb0c85f84a454aa4b1aab02bfba47c4355c2311e

SHA256
a6d3159c858aa3704f35d69b27829618ad0d1bae894c848a5233100c17464f95

SHA512
157dda96d1cacea55a6be27b9d432225b47d7334e664e577cef82a14c7eb1be1b8b84423b3905a4c1caecb5394be264d9b5c3e32109a4893e51a9d406ce740be

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RustDesk\RustDesk.lnk

Filesize
911B

MD5
0832c9e8d8c31a6b40fdcf8d582557cd

SHA1
fb38692427d8ee870b7ad2ea50025504d765bb44

SHA256
d6490526bb9d2e3c6077e7234f1d0576c3cd180c99dcc5ce768fdb244d271388

SHA512
f9b4f7ff917819155c93c14ea0643548e7fd4d151ffc6234a543e44e9b0cfd0c9899da898b7262a83edfe8091520190c5d8705b08311b946278260a4f24459ad

Download Submit
C:\ProgramData\TacticalRMM\1188416894.bat

Filesize
37B

MD5
29b672000c75e84cd3985d3d2f89e26d

SHA1
7c7ac7747dcd4a96a9faa5ae67fdd4d8b524ba8f

SHA256
aa93ae6cfcc842f1f00f2a18538f5702a4c709e6ff183cf72437489dd19ca99b

SHA512
02501cded7f45da19d282f7ad9562208849ad5f56b60e234c2e60c932951ceb21f30f1b0668ddad1348122a85d823b9b175f587208b4fb6ba68fcc25e2b90fe4

Download Submit
C:\ProgramData\TacticalRMM\1313068405.ps1

Filesize
4KB

MD5
4e75b4a107fbbaa58b8e658101b49114

SHA1
73c6d983dbb4287bc1868dcd70b3e8e5708d871a

SHA256
955e58a32809121f5d651e0b99248360721fdee4105e3e91a5a0d020257a562e

SHA512
fa8710a06b9c1cbb1932fbc487e44e9ad42d663a542f9b17d3ea517577b573cff633e343d3a39f96824610a3d38a8e2292fdefa4e823c1df34877b39459b6459

Download Submit
C:\ProgramData\TacticalRMM\1946534243.ps1

Filesize
1KB

MD5
765419c7c4016b7abfe7e214a4fac90d

SHA1
347439e58bf38bf0bf32f1de93e51d209344641f

SHA256
ffe10c724b7bacf68c161f830d5f698ec51c9cf6d5a0805481eb440583001b6e

SHA512
daefd8a58e29ebd0b4eb9566ec16cf0c4de10e1ad01348a4c0ed8bf47b07115cbd98ee70aada2637ac26b522497d8434a3f471bb7baf48c52bb9e72f3e2afc80

Download Submit
C:\ProgramData\TacticalRMM\2134728488.ps1

Filesize
21KB

MD5
c89475fb9834a86320ac2a95da38e1f8

SHA1
4a60ef0109792f433873df5d83049bc250527e19

SHA256
8f34a695a0470b5c5f573e7ed289b617bea7529973e2d4853632c9bf46fbf5e6

SHA512
ff68b6e20039d4fe091146ccdad29a148b13fb46459cf124ebfb5ef99038e5bc50c1c054fd55e32970c36c03d0bd1b35a4ed5140c945f4009652d44323865739

Download Submit
C:\ProgramData\TacticalRMM\3452545536.ps1

Filesize
612B

MD5
cf08abf0df6e2c6db2d9f869c830509f

SHA1
ca67d293539cca8aff809f654733aee65afa75dd

SHA256
2d6645f4b4a9eee9af1863af2e0e0da37d648c749aa4ffa8e033a6d344bd1282

SHA512
156048ae7acf35904170de8a6e9b589c72528dc7bb921453e96bf6a3f1fe065f9ec5878f7996a7778f4abf88ed5966c74f97cebf3d27e793165a56e5e87a0d2d

Download Submit
C:\ProgramData\TacticalRMM\3581174901.ps1

Filesize
631B

MD5
2e839009acca754f335573898e9b2813

SHA1
4bf40c3330ad3e7c605bea6969c7fc31f8454e54

SHA256
6573fb7db75c5decc90c58b87e4127ae4b02c2d4395735dabff94f83cb305524

SHA512
2e30252961c185d8f1ebc86d5e5e97b0481ae89321d8024eefe22f677673e31c30a8f620f2fb7a3e503b43f77f41360062b689cced6328afb9e8598859d3ba5b

Download Submit
C:\ProgramData\TacticalRMM\tacticalagent-v2.8.0-windows-amd64.exe

Filesize
4.3MB

MD5
2f046950e65922336cd83bf0dbc9de33

SHA1
ddc64a8b21c8146c93c0b19c1eeb0ef784b980c6

SHA256
412e1f600251b21911c582e69381f677e663231f5e1d10786d88a026e00ea811

SHA512
a11cbf8b8b692d2d5a0e3af5a97f91a3d1f3e7aa39966eb7d62b3244b3913f2fdc21823d5c94de0d98e579f801709df44433af91567356361d5d9699a93b2cbc

Download Submit
C:\ProgramData\chocolatey\choco.exe

Filesize
11.1MB

MD5
81bb68ad26a6e56d94589a286cf39028

SHA1
77b4988bf328666fd214f1e7651e2e58a7c677fa

SHA256
523069aff82f8eafc993b3f901afe8865f835026efda1a75afeac50eb2f4041a

SHA512
9e3f168ac16c130f028cbda1ac3ec62d607f872080f2dff260ae853854538b9e7eaab3bf4077df9b2674a172fa1f239ca1c019a1442054041ea17c867930a74f

Download Submit
C:\ProgramData\chocolatey\config\chocolatey.config

Filesize
8KB

MD5
a3f016f5f2bd742ff1591950260f6f75

SHA1
7feabbcc2e2d51c09065071f58da23990e215b72

SHA256
6621f97fca4589b04e4c9a835344371fc3ecdf1f4cdac5c1492c05fcc23629f3

SHA512
ad6a96131221f3e8ac1e5bfc094ae1c09344a65f84b73d6933650e26417a569275e049b564b4c954641c7906a5fbbc886e37fa4a4bfb8216ccf3b519d09c7250

Download Submit
C:\ProgramData\chocolatey\config\chocolatey.config.backup

Filesize
809B

MD5
8b6737800745d3b99886d013b3392ac3

SHA1
bb94da3f294922d9e8d31879f2d145586a182e19

SHA256
86f10504ca147d13a157944f926141fe164a89fa8a71847458bda7102abb6594

SHA512
654dda9b645b4900ac6e5bb226494921194dab7de71d75806f645d9b94ed820055914073ef9a5407e468089c0b2ee4d021f03c2ea61e73889b553895e79713df

Download Submit
C:\ProgramData\chocolatey\helpers\chocolateyInstaller.psm1

Filesize
21KB

MD5
8feb9f84cfd079bf675f4c448eb62c27

SHA1
f0a7c0eb89c94a81d72efaa0d4e72a2acf9a15a2

SHA256
4af7d8dcdba7335f96d4d7f9b7ab75b29a890380d8c7c35c59f60739db8a604e

SHA512
34346669024dcc273338913794103d16b723fbfe7d3fbd6eb89d3561b4e7134906fdaeeabcdaee653f452a9917ed48ed79fbf56e507f9e41e4adb7b4f32f48da

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Format-FileSize.ps1

Filesize
15KB

MD5
c1e5f78407a38c0f2bef0839274a30d5

SHA1
2e5d91ff054720b94e7795474e23fbe202635165

SHA256
d47a44752fd6a983f9ab0e48aa8b12a2b0bc772ea0bb380c64723bb8e0b2ccbb

SHA512
81c22988af2065e94e4420e1b71d1bd2c12406a74f0984c7183a4905d4cc397a71728a9b0dc41ea625bb12e231fb002e3c965f92f60bcc12e5b0be81b26e056a

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-CheckSumValid.ps1

Filesize
25KB

MD5
32fdfad78eecf1a6936525069d0eda09

SHA1
bf1f751146e73887de2c54a183d70a005a7453ab

SHA256
0e34c0c610bad2bca1c36e24908003886e6e8d506a7ce5cfee85c921faea61e9

SHA512
e9b9645391589365969e990967b5133de10090c212d000638c1553d98fdf7d0e6f99d9284d6f9f7385a7ffc2d37038bb430ce79bf3a44fa652ae745907833665

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-ChocolateyConfigValue.ps1

Filesize
15KB

MD5
7686ed92bc6bc3606d914ac3d6555d73

SHA1
6db9151efb0c2d693ac2acb8099967a7c32fe47b

SHA256
83eb927efcd495e15fd4ff5d043e1f0cf4b2dceded9aeb5a4af3db0cde2bfd8b

SHA512
df7c252898fcf6829632b3d576b72c2a3232b24741fcb1ee50ebe7d7bafe86e0cceeb75f08b22ae177e57c6758572842b341c7d933f229d9d2c99388488b120d

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-ChocolateyPath.ps1

Filesize
16KB

MD5
1235a3a21c64fe5563c06f65543d7d77

SHA1
204bcd4af12c7de4c83b2d2cdb22955e6c2eacf2

SHA256
18f1e1dc7ea4c3daae3fc51fd1373330c0132270180ed93bcac7a1d2843353f5

SHA512
b51476e608368120458d276b662a860cb863cc64f41556099c1bbd5c901b3a300b8d4266f44003b14a9d3d25a0832db7afe2c025858ff9d3c194acdabe0ef237

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-ChocolateyUnzip.ps1

Filesize
25KB

MD5
37ce9d39ab4ab1d9e9d9373173152e1c

SHA1
a0e06df561391156ac3623f56afa824173a6e34f

SHA256
bb77491d99fa16f09048e81a2cedc29f3e6397d0d166ba2f72317aca04347c25

SHA512
9f9b21df7bca9c15fac1582900932f77d6fbd1e80ec751d88141a6479d78ee2622df1b96bf1606c0df3c3cb0a7f553b5a8567c30590cbb1260dc8614dda8de49

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-ChocolateyWebFile.ps1

Filesize
31KB

MD5
5c544f7d387ca56993a00e0a132a2e93

SHA1
8214c283a1cda735803e8e2b76db9715932b150a

SHA256
5a763e6f6895fb36c99c942c56b2e5860e316978ce61ffb6d5a4599b357eae4e

SHA512
2577d38f631b8061bbc9b73ad0a33b47dc97929ba463141c6c9216cdf1219a278b30ea8420c399d72a440065954a0a54f01546dc17f34fce0151f35de87caa3e

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-FtpFile.ps1

Filesize
22KB

MD5
be4288d0cf3bf6203139f32b258a2d2a

SHA1
5deeb81fd84ee5038e08e546e7ee233dde64c0fd

SHA256
a0d1fcec293a9d8b1340bbf54194884ef1c7495c3cbe9d4d5673edf2e5ccfb43

SHA512
86090ee2fd2a77f8b38e3385af0189a657583e1ebdce2cf8ebd096714ae2081f9c62306cbc5712cd15475309d8c1ebc340842936afbff4bfee1c148f8626d47b

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-OSArchitectureWidth.ps1

Filesize
16KB

MD5
96ce9de89c3e9d3afa2107ae3d30630a

SHA1
0856953bf3b426be54f6759ab1ec9be6a35c631b

SHA256
30f831b5189132d642edfd7cc9e4f44b11ae357652e1748073d94206544d4b77

SHA512
4ec2bd382fb306aac0da8009e9e05e4e5b6b0ef248718415c1e255935d70a4d9211d98adb2992174660f07eb0239c8ac2491734d6c6d1e957b72ea568df6e012

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-PackageParameters.ps1

Filesize
21KB

MD5
847e9548a2e02e2e4d73f7fa08467e67

SHA1
022e03be3a51aad9b3c0ef950c3eff14d09343e1

SHA256
d537580623ca8088692ad463e8913a83edb50963bd4b3b2b7b579e4e2b3b71f9

SHA512
4c6ddbe465adc27bc97cb684a43b6baab59bbf21b8d8a2bc73d6ae618a6dff4816f139a246558e0b8c49fe7d2d5068f16f19cc132f21d7076d833764aa24f86c

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-ToolsLocation.ps1

Filesize
17KB

MD5
8e6fa8b04f177d447f161517548f4d47

SHA1
b39f9c37d1db563aa25298b60bcd5129bc6614c4

SHA256
10ef1bd8a810ee08f601a207ac83a4c7d9ebad1a4777378cf3749e3c56b98c48

SHA512
44137b572237b5b1fea00039d5cfe10f182f20595740e185f40026c87b07d3c05e1eb1fae82f4919c6795a0acdb79dbc9d28ba78d8f16e6dc32a42aeb5b74331

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-UACEnabled.ps1

Filesize
15KB

MD5
4346017feb0a9b795191efd686b789c3

SHA1
b58d82c54a00fa402199b5efec3bae97c40c0d15

SHA256
3f0c1c8c91696c6ae9c0e41589319d200d2c4bd16cabf4e2f1a11fc947a72f91

SHA512
680172309ba9da0ed0786c7b1bd967f6a3d09e9989d14d85c6566250c83dc2d997d48f6fccf2faccca6548a56ddf39f2d577806f5325e558670442c26607a22f

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-UninstallRegistryKey.ps1

Filesize
19KB

MD5
5d9a27ae842c05255f5a6e7f2465ffe3

SHA1
59066ff2d8da1a2f552cf61c484400affab5aa2b

SHA256
573fd644bee61bf85053989c7111be4a33223ce9bfd0ae5f95e05382fa08a1f5

SHA512
b0cb5641bca08c03cbc9e57aa12a06f255f1888b76d32b821561b9217d1d293b6c2d5188acf483bcaebe3c83afeead2aa308b3741fb8a171cc23b8fd472ff5b1

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-VirusCheckValid.ps1

Filesize
15KB

MD5
4aacdca3061553326f51b0938232d897

SHA1
6df122a2c6d7d5954915a871494a5333601e5f9c

SHA256
73d85aa2297033f106a0c8c3138efb9ad36f97ed108e040f12348fae94c56f74

SHA512
c74b505b20da653ef68615df221508b76937cdb7956f54c6a07d314283e3fa8b03ee1e14d0d49c0fd6b99c2d8e126678f97645c7ab4f340cd58f1566b4e42eca

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-WebFile.ps1

Filesize
28KB

MD5
101b16272234051204428a4e53b99113

SHA1
f1a08992c63f405838838c26d309a1f918ba312c

SHA256
2dc9ae2d1de175e6b867ff89f84ba25d08dd5f41b84e2818318ca23f3eb5797e

SHA512
bde4deb19594733afd878d8e804787197ab894a3d6c60eda32f393a0445e59eac60240028d20b189566efa34b408b784e01967cd83811f77ac82a9ea6d75d9c0

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-WebFileName.ps1

Filesize
23KB

MD5
22a06bb57eeae0b3c1d63f0b23c83541

SHA1
a2dda0d44ff38b0b248cde072c95707b183c40ef

SHA256
db062d9d09d7dae751e626bf97138eae6e9350112e2738cb3be9ef78dbdace1a

SHA512
c243228df368d3bec03bbaba9a91c7c966d089d982937ee18c53a2a6fc217b08c029d5b62871b55fd84859a30d60037f013c26966237d1c2b14b6d81e650488c

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-WebHeaders.ps1

Filesize
20KB

MD5
5540d1bea1c41384c0a44be773820695

SHA1
adbb11f9371154d5bb440fc522ea68c3730d684a

SHA256
1d15d738c319132c792ac6f8820f50ccb0fc32597e9c886746bcc31fcce2c683

SHA512
1e870c37493f2ec59468b27320e249422912ddfae8c8a60338e6754e16d809c7572694ca369e0a7e67c6d3607b4262e2455f66ac855b451f6bbbb0e772119e4e

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Install-BinFile.ps1

Filesize
20KB

MD5
78e046bd9c5524eae4c290c5f1d8d090

SHA1
0200b5c106effb26fab84e8b432725f626cea9ca

SHA256
767fd247f1f93cac6188ba1a0c3398b87cf3178e25ded4a16ced7e9bb3cd27f6

SHA512
073ce96951bc1a95d31eaf4a6d6ed7ab7e876847d88b6ce38b31cdb0fb28a6fe093999010c9a19fdba6acd87c1a6e1ebf6085448122ebe6a97b9015cd904715f

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyEnvironmentVariable.ps1

Filesize
18KB

MD5
b7412f3a46a112d74783b105c5cb0638

SHA1
408a73cdf57ced4256526e5c699699a2fa089086

SHA256
223f17f84d214c9fa9478817eff65a2681d505dfbfb6b81a2121e446e9614000

SHA512
afa565f67cbd19789825f378c1fa7d468b6b3018ba574be2a225774e26a31c35dcee18eefbbfb163e1687420084a52667642c38b68fe0695b3294fd480386f62

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyExplorerMenuItem.ps1

Filesize
18KB

MD5
cfbc57e6f8b07ab19d0a2658cf790306

SHA1
4f90b9c43645e2370040f40e88ccd48628a7012f

SHA256
1e2fb44e0be817b5e16a03a30502c65f61dddc551bd3923ea571e3f83980e049

SHA512
f4af36cff89378e138ccbcb58ccb0204bbb059097dc5a566368c3dea7f7a1fac9a4a174a9e84b221bb83df0d5b3ef7c04160f9f63106cff8db859321c803b3e8

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyFileAssociation.ps1

Filesize
17KB

MD5
564e96072345c9f3f4e96e32d95108ec

SHA1
4f83114c167c77253870f837b83db806ffbcccdf

SHA256
a8e90f1f01264ac52e7523394777616d06a53daaeb16868f3e8a06426fc0e586

SHA512
80d0264ab8d51347040296c758d6fe0282442edde39d20115ff632770eebe71421661cd23c3a8d200197109f2507e5e72197209417c5d10beef182004a57ac49

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyInstallPackage.ps1

Filesize
28KB

MD5
5e189d783f6f603161b85c157ac6c0d4

SHA1
4303565e26f06b5ff9f6cbcc889ac5ababb8d930

SHA256
09e1973a0286c5912c7f233fce89b2efd9347efdd085869437d9fcbe69a5c5d7

SHA512
2fced12cafea173c86c3f47a7be856b9d4971092881056c0150762e885277adedb1233352d376fb3690951079f5d6a2d1a8643531dedc1006a678c0d7c145f94

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyPackage.ps1

Filesize
30KB

MD5
5e6faf3925a572faab69a45cb05e8352

SHA1
bab071428238635e6290fa2741bd63cc803d73d5

SHA256
16b5df14198360715d06a5f12f2b1976d38e729bbe37748e0cbb17f57c4f367e

SHA512
453f3b6a672a521fadbf7966cd84efd011fa6b9186a08234c3ded39e43e898ab0a48229bb46661710c16dafbfd889ab4c45fb34bc0fa01d4a30122a8ace7f478

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyPinnedTaskBarItem.ps1

Filesize
16KB

MD5
e26dfd45f80e72a07d8cce6ce2692b28

SHA1
7b97a013651daa86133cda74101d643e96fdc1a8

SHA256
dba9b9e9329fa5d918b1e941dbfed9363a616033cdfcad4a0c60af9c41c4c4ac

SHA512
d7ba6a76b53df979f923fd819679e2a15cdc4a55618a26cfdda8f8455469fcc319bc502cdb77d602ced1d498386626d891c30326de96538be240069e9dd54aaf

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyPowershellCommand.ps1

Filesize
23KB

MD5
5e5319e30be55a660e75a5bb04219ad5

SHA1
8d7457acddf8257c6c9651e3480bf4ee72699361

SHA256
aeee93f35724d656a73d1572522fe9b985fa1cae6978b0405398ef9327a1580d

SHA512
80534b6a71b8d0a216ddd13556046c86275df088208861c6f5ab0c88301a785ae2eb685266892381d47d2b3ecec25accd476377be146c8e51cced57a0aa10d63

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyShortcut.ps1

Filesize
22KB

MD5
65469f9f27a5dbdef060a0560aa0db7c

SHA1
fe49184d2db322a919513c9667625efa9009a632

SHA256
3410aeb9bc5106b29f2c4cbc74c9febdc229c569153ddb1e41188a7396079a3b

SHA512
8b6ba9ece1f8f53f0e5710dbb7330bf2dcdc8e8f844627bdf54670fea9040bc3239b1673291f1682a5bb404cf9d11e9a1732a1c5484bfb05b0f77db6af3138b5

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyVsixPackage.ps1

Filesize
22KB

MD5
e0e54825bf32d160b62c691d2f314611

SHA1
6e89de9aec3f94c6e046fbb04be28e33a8fc8732

SHA256
4e982ce84c225c6870cc78120e5f85fb622756feff4c7e8eb7088473a2538620

SHA512
6f6d018cd2ab86553746027953439c8c7f1251e5a4bc7b8514d8416babee69d8ee8c7c7698b4f1bce4f2fa815a35ebcbf5bd81580b629e5b2bb20481e9020166

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyZipPackage.ps1

Filesize
23KB

MD5
7cb49e4054a7cc234f428faee99d0ace

SHA1
86acfd18a8a274fb4bd0d745a23b501016851b6e

SHA256
ddbdd5abde46f4aa7d5bd472f3d2b1182835a6739c9194aac70749c4bc1fba4b

SHA512
86e27a5a58736ed0c0c2fbb11d7c744fc437a195f768ea223817eca6b4225b541e6ed554a2d9e27626fda793603d1a41e6ff52d39af060c4ca1eea557a52789b

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Install-Vsix.ps1

Filesize
16KB

MD5
05ee41715ae0ccd260cb385c3727d607

SHA1
afdbd2d4a0fd050d20af8e107b2dadddc45ac49f

SHA256
dad0ef31eb232c6c189e0ad947e62e71c5239bf2dad8f9d72a06cf3544a427a4

SHA512
1314234805a0b1048e97a5644c4084254258d9a525fd3175a893c4b0aa37dd682e13bcf21e13355593b4ade7e823d190ca695b4edba04f3e5136d65fbe856dd4

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Set-PowerShellExitCode.ps1

Filesize
15KB

MD5
a917ff0cdf22fe0543dc06713d9cb160

SHA1
efad7626fdf18230a8f9a2e6e0e9df7639d3b600

SHA256
fffb05319b00efb87d2705760ef351c11ad2b1913469635b980d386310bf0e1f

SHA512
505aa2b2559511bbae8124ca4898e003e6b494a3e4db7b13231d1007f23829c595dd1cf953e50bc67e32ea4a967bcd51971625be9ffc8757f57f75f6e106c6ba

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Start-ChocolateyProcessAsAdmin.ps1

Filesize
31KB

MD5
1de230e139174065c73a46f5917f27b5

SHA1
80e19d04dd84da6904b696e4a1caa93953eeda86

SHA256
694c4daed9add47d4ece4bd07568aa57dbc1f3316426f78ce5fd1ef2f2ce2625

SHA512
93549f700b93115939075a9bbdafacbd2500d8c4c02a3e0312bb0823b09850a8575e2ad8d8b6c4dbf62838e2f383bc94321965b45af73b552797100306d6d2f3

Download Submit
C:\ProgramData\chocolatey\helpers\functions\UnInstall-ChocolateyZipPackage.ps1

Filesize
16KB

MD5
bce016992a8576f7a481c6d2962e0879

SHA1
4a7a84db35e3a2d43d7aa0980c0342dd164a16e7

SHA256
599ea45533dc1ab68a9646c6a88b71f4fc11a8669fa3ee8f41360435ca8816dc

SHA512
4dc541851496a407a26674bb302bc3b624fb9d6e581f1ee61dc34daa0d031648f02b5c2fcc7a0002ff96becfa75264635933a503f570ee425d418a22ebd50a8e

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Uninstall-BinFile.ps1

Filesize
17KB

MD5
56afaba9f733028dc1d8e03e21be15dc

SHA1
fd16728498a14961a97ee1a80b9ffa3f3bc3b6d4

SHA256
f706530f0cdabb2f02c9d5b70d7de77d1f02fc4f6730c815ff8410dcf208b9fc

SHA512
54090832d0d6cb1439986190da356c7cd5caffa052118185a6336c0d73f87b937dc5548603f843ab2e5302103ced01a2a9b1f409c4057db5e1aea4a5c7c4dcf7

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Uninstall-ChocolateyEnvironmentVariable.ps1

Filesize
16KB

MD5
f3d779698e09e13fbd55f0a5c6914616

SHA1
44eef7c9b8563cb5d7489abbe6f5158484aefb64

SHA256
c20b736bce859734c4497c6d5aaec13bfa3c201461cc02f48a7539fea54be59e

SHA512
ab266effc4e26d5b04a3a5693e57f979c780a6d7590bc27090225cb44a831fb7a2396540323a70f6456cd7806e00e9738dba866b0bafdfb0226a962e38aca0f0

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Uninstall-ChocolateyPackage.ps1

Filesize
20KB

MD5
bbd9b99d0ab44f6e4a9fb80d6f3a7afa

SHA1
f3a980d5493597144fdbbaad86f5207c2e39e08b

SHA256
07ced451a144a7f6e3fd24d19bfcb2e2a5ea49a969a036754cb833dc2d2986cb

SHA512
06ba6cba2290e4bb6ff3adb09961a260ce811f25a97a2cef0cac7b25e94fc3bfa177fda21b69f9f6ad62901578f16d9716eefe60dfd76cdc925eadc7a730d14b

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Write-FunctionCallLogMessage.ps1

Filesize
15KB

MD5
7fdc886cd1db91065a017a76c9096aed

SHA1
6029f809be8ab12cbe0f25552b25fcfc757dfdd8

SHA256
117e7bbfd11da2f5bd00f66aa004837dd774485e96334fb42b8ac537f4fb012b

SHA512
d5eaa0cdcc09a0673320a1be26e628e067182ae93b9aded6cf275faf68fba7bd6002e1d446bc9b8e9377221de4611058ba32fdc6b4fcb2e53795c3e202c828b5

Download Submit
C:\ProgramData\chocolatey\logs\chocolatey.log

Filesize
1KB

MD5
f67a2760acc497b3549430e2919db1dd

SHA1
21a7e5ff57cadf1fbbf8ba0a29ce00dbfe8963b6

SHA256
439535ba16c78115eee04ebc9ec352549a13fe43a5443baed90221300daa1fad

SHA512
dda9607fffa82425919a0820efef1035723cdb5536e4f97c9a467a9a1e06710b1b6c315adae02d172acdecb4f02e055a7df6f0c129225b323d1d830158006150

Download Submit
C:\ProgramData\chocolatey\logs\chocolatey.log

Filesize
2KB

MD5
23ee178fa8e1572e663ea5bb72d7ed01

SHA1
e18f91201e1bd3ee1ca6f0f0b69523b1f3b99381

SHA256
8a6d6ce8cae4e421ea0d779bb7274f69ed523e97962fa0784b0295ebe4c8f845

SHA512
0c5c3d36b3276f9e30080dd5c835280d69e961ccb6e890c77d09348352da2d50c97339024ab6e2632046d32128bc02903c21714beabf5cacbb7f5b9318671ff6

Download Submit
C:\ProgramData\chocolatey\logs\chocolatey.log

Filesize
4KB

MD5
b1c53a5b21385c2bff2a049cc2cd9d93

SHA1
f84d6387f9b1cacb4cf4189c8049d9c699fdd293

SHA256
6f18bc91282113d163f9e94aa086ac5832c59df52f14bca4fde165c6fde008b7

SHA512
9b411e92f1e10fb5b551dbe0215d7ba8790ce35cee53a405c59efadd1c0b3a6bba7b0317f2833603b61dd879f1b05a6baf1c5835efd4afaab0c956ca9c1e2f7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0BS5P.tmp\tacticalagent-v2.8.0-windows-amd64.tmp

Filesize
3.0MB

MD5
a639312111d278fee4f70299c134d620

SHA1
6144ca6e18a5444cdb9b633a6efee67aff931115

SHA256
4b0be5167a31a77e28e3f0a7c83c9d289845075b51e70691236603b1083649df

SHA512
f47f01d072ff9ed42f5b36600ddfc344a6a4b967c1b671ffc0e76531e360bfd55a1a9950305ad33f7460f3f5dd8953e317b108cd434f2db02987fa018d57437c

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\rustdesk\desktop_drop_plugin.dll

Filesize
316KB

MD5
a7b06bcc89672f289b67e746efa1cce3

SHA1
668190cb1b8e83dd49e3b892847eed63ff449db3

SHA256
f6b73a6f9e19c7fc82d9c9123d330b2ebc18c1531dd58b5ceb661fcb4617d87c

SHA512
24fb1aad0d808e788ef6bb22af0f8a49cfd92315b7c200111671997e7ab52db32e2409b6f9c8df25ad1802751d5c693d06bd76851405d39117898cecb77a8118

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\rustdesk\desktop_multi_window_plugin.dll

Filesize
393KB

MD5
e9d7b19badb0c13dd05a848c6a619d7b

SHA1
8bd6bc04c5e6fc15e125e19070cf811fbd029cb1

SHA256
6d7842726064acaaa3a6fe04e9a6a0e3f442024c43fc3a67ec1381ed660984ac

SHA512
10c730a44c846b4c424d9003ed227fd50a8bb24708f0f1c85cd2944c5ab4db0cbcdada02526b70e0d9939d37384b945480cae00d0d216cf99fadab50150c2fe8

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\rustdesk\file_selector_windows_plugin.dll

Filesize
340KB

MD5
b1928fb4778cbd8c4145a1dc9a6a5089

SHA1
704c9bd95625def7c4916642904f537bf2d4551e

SHA256
eaac3539196b7071283e77e5a428e3aceb84a9a81efbd796f2d3a409ccd3594e

SHA512
2b231c27bc1b7b18adc57d055b5c41f89411f30c7f10ea8cff0fa2d3f05d808fb5fb1c2fe8afe12df2678dbf9360266393a8efbee78dc5b597bdbd11577a7aa4

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\rustdesk\flutter_custom_cursor_plugin.dll

Filesize
309KB

MD5
10d577e722650ff8cedf8382a7ca57f8

SHA1
0efe1635d80879f8d7ac4d1971bbdcb98f769b2d

SHA256
094ccbd4434e2f4f7483f5bd3e40a256a7159c0ba644b37fea9619c09d6f4323

SHA512
5998bef53c9691b9b941970d8a73fe1e6cf59b6bd53bf1f51feb9a3c6adee02534dd0713127d7a53aeb2726d4237c5696e1e1ec3360691d07672299209e7e09f

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\rustdesk\flutter_gpu_texture_renderer_plugin.dll

Filesize
339KB

MD5
fa8589e0ba39084bddeb895aa3f4e592

SHA1
2e12cb83664e2625458a93c5d64d9d97e56252e4

SHA256
fec41b218d631b8be595479a278a0593cb83df8ba5bae97dcdc7793ebfb1208f

SHA512
4dce97c9429e11e2ce00c89f051371198738ae8855834c205a567bb166c249bb4cdf409dac3da9e323f7a386932b94c4f3f0cda1e0a3ff592b38854d1bf19efb

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\rustdesk\rustdesk.exe

Filesize
261KB

MD5
17fb0165cdddfd8fc737a88a26f2613b

SHA1
d41709a326f7463b435bf9d8d76e097991c96a10

SHA256
8128917d9f3e7ecabbc39f4c221afdf9171ee8b71b2c0ef11fce8e14c13c91fe

SHA512
68e8ec2681fadbd39e65ebea00739850075ece46637b687f06c37ea9cc6b8f8fb777d8329d9bee8f78c0204046a570ab3a4cffbab8d783424c92ed18e4de239b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\rustdesk\screen_retriever_plugin.dll

Filesize
535KB

MD5
f06c27377c9c580c4f9d7d52695fab12

SHA1
36d0cc216bde09ae40aab9cb1e8a2c7cd4f32a2a

SHA256
23c805c7772b3a7242f2cd79e03383b41ecf8ef7b7c4e96a807e5a3f63c157d9

SHA512
a8b11366c0eb9d99fdf2ff58a2f511cc841fe1903db4d9f86a516c7393ca91f6e7456f882fa82ab68d5a1ee1d246caa1dcfcd657f2b31f3b6a823d685ea66aae

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\rustdesk\texture_rgba_renderer_plugin.dll

Filesize
318KB

MD5
bdfae35493f180f5399093d18bd136f3

SHA1
bb460921867da431ed079e8f55441723fee224d6

SHA256
a67968a1933f9b70f44dbe64cb625bc5cbb5c320c60a6c2aebef8e9225712f0d

SHA512
1c7d2cfcc0966959df83cf104c43449a468ba903ec6558ddcb4ded5bb8161d5f0eacc56b74831a221a50eb3dca09b361f6cf9721a91294484ed2783513a95909

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\rustdesk\url_launcher_windows_plugin.dll

Filesize
318KB

MD5
74ee2ea527fc767bfa3b08c9e5aa37c2

SHA1
6ee4101ea0a888e8a94a2186d097148dd88f5036

SHA256
cdd3b5e184e4b8de4f4fd45b43e377e1730934ae4254b522fdbd5c7966cff6e9

SHA512
84762b14710d77cb80913887a1794a16551b9052838e2f8ac97b21e3c7b4c9f49aedd727ca4b02b3187ca4946a16fb4375a99b3c550afa2f499a6d383812b984

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\rustdesk\window_size_plugin.dll

Filesize
529KB

MD5
cc198c08060ac1b1298a6baf107a3b4e

SHA1
1e4175e985ec118f7b0e2de8503eef9f6d89a722

SHA256
378440ad5c9ab1915821d8722b703177b1031361c647e4ee53db10aeb3f9fd5a

SHA512
460bc04f6d2ff9a3db323848e2f582366f27ea44078e95ad13cfaf644ab201218845d4632ea5275469aa523e601168a854cbd351a44653c3e3e8c5ff96431726

Download Submit
C:\Windows\TEMP\RESF121.tmp

Filesize
1KB

MD5
65de5cd219903f557601b2c2ac58117d

SHA1
30ac679baec5c5675e95316ec9c5e5ffc5a075ba

SHA256
d0e7454cc766caf7bbb231b34a7e9396c97e9b188fd749afe20bbbcc39028053

SHA512
040124503bfa270da5ec08494d1ba00b6667d480580fdcda8bbd7665b7e85f8c56cf356a7674531cecaf173323e685d7a63e1780e3b766ab131af6aff2f4b013

Download Submit
C:\Windows\TEMP\ppla0upd\ppla0upd.dll

Filesize
6KB

MD5
b3cbae38f73347000a4634239db89965

SHA1
14628962ca06fbf05e7eb3e2609695cdc89d437b

SHA256
0f463bdacec8c3d14f1e3018b0dabcf02d81afb03bfd136a6b7488aad5d28cc8

SHA512
b4639a99cbdec9c20f62bfb0082a5558a09940ecffcdc99bb3adb61f9a9bcf9107a41bd7298b3ed40d66fccd8743a58e2be66f118bd66b625744fbaf5ebc4d58

Download Submit
C:\Windows\Temp\__PSScriptPolicyTest_fikypjnm.hzn.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\Temp\chocolatey\chocoInstall\chocolatey.zip

Filesize
5.2MB

MD5
fb8a8797df8557e9457f51e6afa50719

SHA1
6197a100c32a899e08255f9ea81d5576aeb0109a

SHA256
2506845399044f126f9503fa74b71c42fdb2efa4b2b88d141f8f7f828f787ade

SHA512
8230ce6a4a88aa51e3346c52970fd19960f653ee69e1fa679869c32b14990b0c585876b3bce5cfe5cfdf7afd4db15eee5e38f67f2151d79fc1d4c1a8c13cc94b

Download Submit
C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\CREDITS.txt

Filesize
54KB

MD5
f83cad2fd60c8481cc758247cd3cdba7

SHA1
51ceb9559258dd0fa7472d4398858f79ef92377c

SHA256
869c97ce5da39cd5a8e022ff8d699ae0d0475da92a86785ac272ea56d11e7dbe

SHA512
41d46143f4ddbf68e0331b9eb1ffefd9efac6fb32fdc216eedda47da441313fe8f4f36b5667701f4d4dc3222c7f3b921f7a3aa9dc09d22a3893d9465ee0123df

Download Submit
C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\LICENSE.txt

Filesize
670B

MD5
b4ecfc2ff4822ce40435ada0a02d4ec5

SHA1
8aaf3f290d08011ade263f8a3ab4fe08ecde2b64

SHA256
a42ac97c0186e34bdc5f5a7d87d00a424754592f0ec80b522a872d630c1e870a

SHA512
eafac709be29d5730cb4ecd16e1c9c281f399492c183d05cc5093d3853cda7570e6b9385fbc80a40ff960b5a53dae6ae1f01fc218e60234f7adced6dccbd6a43

Download Submit
C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\choco.exe.manifest

Filesize
2KB

MD5
1b3ed984f60915f976b02be949e212cb

SHA1
30bccfed65aef852a8f8563387eb14b740fd0aa3

SHA256
d715d6071e5cdd6447d46ed8e903b9b3ad5952acc7394ee17593d87a546c17fc

SHA512
3ec5b3b09ef73992eabc118b07c457eb2ca43ce733147fd2e14cccde138f220aee8cb3d525c832a20611edb332710b32a2fc151f3075e2020d8fd1606007c000

Download Submit
C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\helpers\Chocolatey.PowerShell.dll

Filesize
31KB

MD5
d5d5c05fc33a0e124ec803e0349c6b7a

SHA1
ba776d42dafb8096c8171fd4d3abf292ad68c94f

SHA256
8e85eb27ec529f30af635884d6ed605a64c5f261b761d43acabd3fbc88e00120

SHA512
9b8b53238538e35a965822098abe76cd25bab28a755de3a28eea2228f107a620128ccfba89e9910914a7d902b7a165dafa4baf48927d2036e7563176685ed3cb

Download Submit
C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\helpers\Chocolatey.PowerShell.dll-help.xml

Filesize
58KB

MD5
4aea8ae4fce73819e9ed3f0d1ddcce15

SHA1
9929df74840ed8bba92cc143856e6bade4e74706

SHA256
dae3916c3cbab1e4fc6ec9afb052d878dfb6df4430b1cd7db2fee836f9fc0dae

SHA512
5dda75da0f69a45203144ab596a3234dc0db4b713d7460aef2ff0ffa541bf0aa6a2f0fee2028755a5662d5d9c76e5101e3a181a540340cc3028498aaf93442c2

Download Submit
C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\helpers\ChocolateyTabExpansion.ps1

Filesize
30KB

MD5
e9560a5db604a37892506434cad8da5a

SHA1
764dc0254f2fb547ae0700056d0f21edbd26cdd5

SHA256
58528e116d09a434872a38eb3b9dd125216fa29a493b795f49cb49a4c8bf2e0a

SHA512
ab839d9f681c45ae5dac4274de0981f7a90e33e47a6b0b1925aac9f49bae022e88283dc65e7a7de6b3a02edc28ec0cfeb63ecc8dcab2e7dfd8950f49ab695631

Download Submit
C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\helpers\chocolateyProfile.psm1

Filesize
15KB

MD5
0637a9e7b868959a070b0cf2693178c1

SHA1
271a52fa8d36e93e9f36ff8b454243ea106a680e

SHA256
ed69cde7544efe46ecbc66b10edc55140e49cd2fa17f5ccf0e214d769e3cad2b

SHA512
7c8067f7fc9e09ca36cd098c10fb52dc3b33be053d70c1666f418307adab85e4226ceaf15b893a7f9d37c832ed55bf0ae586390d676dba873ed2ec0b900d1bbe

Download Submit
C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\helpers\chocolateyScriptRunner.ps1

Filesize
17KB

MD5
0870ae75b1d8f0823ad8bb05bbdc90df

SHA1
9f6a23ac198321235d3d0b1ef1547863fe7c680d

SHA256
859cfa5d9dc747a5bc5651331977beef2177cf8335a24a8f0a26d7965fd66944

SHA512
3bae1a9c7a7610ec86c5187de2ccffd295bd0d054a86000fe76a5d375842b98806a6d4f227dda5b0ab289b6365d664a2c3e55891add3e5cdc22efb75a410894e

Download Submit
C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\redirects\RefreshEnv.cmd

Filesize
4KB

MD5
cc04b34e013e08cc6f4e0c66969c5295

SHA1
a33f1cb08b56828e3b742ee13cf789442dd5c12f

SHA256
8b6b1d8f6bfab3dc9fbee30d6b2f3093ea3eccd5c66e57161dbe1b8f703fa74c

SHA512
b485af21fcbb699d783e64e035595be7a117a1d6af62166c6d50ebd59ed8953141444f17f3bd07a865c9dd11aa7c75d5a4f2bdfb8b739a1668d055779f0d0c10

Download Submit
C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\redirects\choco.exe

Filesize
143KB

MD5
3ba75f6c247e087f6a62abd0eed1e1fb

SHA1
09bac37ae2c6089675669351401a0e24ef0c29c7

SHA256
0a8346b38cf7b727976fb29470106469004ff59cc7258d4f885803c70f992d75

SHA512
0fe690063dd13ebe6455fa298f933acdf2a12421a6b4ca6798255240c14018c705a68673a193d3f6cf7a03ab08c973284df9760416a13cd9a469197ff9dbe22f

Download Submit
C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\redirects\choco.exe.ignore

Filesize
2B

MD5
81051bcc2cf1bedf378224b0a93e2877

SHA1
ba8ab5a0280b953aa97435ff8946cbcbb2755a27

SHA256
7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6

SHA512
1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

Download Submit
C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\tools\7z.dll

Filesize
1.2MB

MD5
a1a9b229e66a8a6a66588f170029a9e7

SHA1
eb4f3e3cd35a55e8f064512802e72b06d5ebc7d9

SHA256
07f88bae90a4c49e200981445d78683c5ef21ef71bb6927fa7cfd59bca431e80

SHA512
c647dba0743a177c4efe01cf321d66669c89fbc5d8f448c33199e6506244da8b69a512c7319c6fe33efd2d43544171b612e7b094ab7e68def7004faa972580fb

Download Submit
C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\tools\7z.dll.manifest

Filesize
513B

MD5
8f89387331c12b55eaa26e5188d9e2ff

SHA1
537fdd4f1018ce8d08a3d151ad07b55d96e94dd2

SHA256
6b7368ce5e38f6e0ee03ca0a9d1a2322cc0afc07e8de9dcc94e156853eae5033

SHA512
04c10ae52f85d3a27d4b05b3d1427ddc2afaccfe94ed228f8f6ae4447fd2465d102f2dd95caf1b617f8c76cb4243716469d1da3dac3292854acd4a63ce0fd239

Download Submit
C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\tools\7z.exe

Filesize
339KB

MD5
96b85d45cfe551f87e5f141ee18bf82e

SHA1
3b21a8ec46a782bf407174fe6f328ec4649fb779

SHA256
8b9f09e2bcaac9166a0f87525864f29c868f2cb8b779ca6d3d63b93b388d5c89

SHA512
24e9de5502929d9104411e7f465327998a8b997de46670db6a8f009755576b93d93e90f6bc08fd7406c9e37859e24b54227dac610ddddde152073aca0e5924ca

Download Submit
C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\tools\7zip.license.txt

Filesize
3KB

MD5
f4995e1bc415b0d91044673cd10a0379

SHA1
f2eec05948e9cf7d1b00515a69c6f63bf69e9cca

SHA256
f037e7689f86a12a3f5f836dc73004547c089e4a2017687e5e0b803a19e3888b

SHA512
e7bb1bacab6925978416e3da2acb32543b16b4f0f2289cc896194598ee9ade5c62aa746c51cf6bf4568e77e96c0a1014e4ddb968f18f95178ee8dfb1e5a72b96

Download Submit
C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\tools\checksum.exe

Filesize
38KB

MD5
d97ae723b3d204ab53aec2d7eba7fd83

SHA1
820f87e99a3fd7d57325e3607c557daad23db055

SHA256
3b87ec9eb4e055fdb23ef606585fc26c651e4379782cbe507e11e3b5f477a32c

SHA512
0414153c9320eb9da95c887e9033b778305cc2947269c8a3450163c11d086e8ff0fa2dfa8b8d7aae5187cbb63c96e7b296445fbe050a24c08737b5ebc0121d67

Download Submit
C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\tools\checksum.exe.config

Filesize
150B

MD5
e9ad5dd7b32c44f8a241de0e883d7733

SHA1
034c69b120c514ad9ed83c7bad32624560e4b464

SHA256
9b250c32cbec90d2a61cb90055ac825d7a5f9a5923209cfd0625fca09a908d0a

SHA512
bf5a6c477dc5dfeb85ca82d2aed72bd72ed990bedcaf477af0e8cad9cdf3cfbebddc19fa69a054a65bc1ae55aaf8819abcd9624a18a03310a20c80c116c99cc4

Download Submit
C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\tools\checksum.license.txt

Filesize
95B

MD5
a10b78183254da1214dd51a5ace74bc0

SHA1
5c9206f667d319e54de8c9743a211d0e202f5311

SHA256
29472b6be2f4e7134f09cc2fadf088cb87089853b383ca4af29c19cc8dfc1a62

SHA512
cae9f800da290386de37bb779909561b4ea4cc5042809e85236d029d9125b3a30f6981bc6b3c80b998f727c48eb322a8ad7f3b5fb36ea3f8c8dd717d4e8be55e

Download Submit
C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\tools\shimgen.exe

Filesize
555KB

MD5
189a2921a8f10ae9fd38c0cf187327ed

SHA1
dec460a7fa6650ec2a36905f7ed52221bfbe930c

SHA256
83fecbc76fdfe6a72bf23e7b9d14dcad8cffa92b019da5dececcc6a128db05c9

SHA512
ee01ec4c53a4add48e46fc3ad29b255653233d97a148769a997110cb8dfe21ddc5cf86eb1b950494911f21293b4b458b9acb705a59bd273046b6a10b862942be

Download Submit
C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\tools\shimgen.license.txt

Filesize
3KB

MD5
89ac7c94d1013f7b3e32215a3db41731

SHA1
1511376e8a74a28d15bb62a75713754e650c8a8d

SHA256
d4d2ef2c520ec3e4ecff52c867ebd28e357900e0328bb4173cb46996ded353f4

SHA512
9ba2b0029e84de81ffef19b4b17a6d29ee652049bb3152372f504a06121a944ac1a2b1b57c6b0447979d5de9a931186fef9bd0667d5358d3c9cb29b817533792

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
06d16fea6ab505097d16fcaa32949d47

SHA1
0c1c719831fa41cd102d0d72d61c0f46ec5b8de8

SHA256
54e15de2bef9f651d7717e2a336ac6b2ea2b723e6f29d2b153d8fbbc89aef723

SHA512
03c00f1eebb51cec11703141ae9d9c3ac589f5495bc04d8a4b043714089a9d50bd3a520e4d72b4a4c99f5b9bf5f689bf2585fa5c7d4ddbe6f71cbba0172f593a

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
8KB

MD5
81e70946b660e48bc68ec12b07203f2b

SHA1
9cbe0f37659de408713b03fa816d6f48c4dab4e0

SHA256
b8f26e8b12df2436d69c79af68bd0a0d8f1f588fb35c13d924112286a1686ece

SHA512
0a0dffa170b9a822e4c5e13b1a29d949433fd789e955f6cf0ba0d5a92bb90615184fd191f48152b3868d254145e79f130e9e60467ec39bbc0a4e9b1489459034

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
12efd9e44f0d41fd7900f6632a408e7f

SHA1
c7dbc70b1ea12ee6bbd73a50627a24de77e55dc9

SHA256
5a7b05e8cb9016e366046a961d321f0ca9c3576f2a06b240394594d4433d1fd9

SHA512
8003d2e64294aa2d19843d923997a3a148f7319d70d63d4f7a8cad5b1e4f4f33e4369a167c465b83eb56544834dc08553a263b1b728ec2bf30575da6455fcfc1

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
2c0bdf06d302688498d4e7f9cd669ab5

SHA1
18186323d93499e03f737f137b4ad795eb7f470b

SHA256
86cd6b95819282eee4bd6c900b27ebeddf453a90a9f6147978e9137479f36bd6

SHA512
f8f02ab1cb6906975695369183d00d7f25ec4c54c40aba5ac0a1f42312c5eff5a6774a8e84c3357415555405f7e9754deebe8335dd1fdcf693137ab044cc18fe

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
2KB

MD5
90887f70390809200b6a4998fe0e6ecb

SHA1
6e31c17c6f508e1b8cbc42a6fc7f3e8dbd7fb770

SHA256
aef5e6605b525b08877377dad82200f4baf4c9f8bd73fae3272af39751c280a4

SHA512
d6558fe6c7c3ecc92e7e1d0b0e44c6d26e998a6519ce6b426b06a5788531b7bd78781455b4268975e81d690a128d4c930a9ab3deb9eac689e298f582966c2584

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\rustdesk\flutter_windows.dll

Filesize
17.2MB

MD5
e61f642a8758bf43c8c60196d2146808

SHA1
5eab020859e5cbdc8cfc247c5dfeb365fb3caa52

SHA256
6b4e6d55bddf4b6918f4fe145a645b9b9fa48f176c95c486e71c48dcfa80a1b6

SHA512
ed9847ea553205c2da8a95b165cd598abaca5aaa065cde7a5162b44a2e1f2ba7cb303c60195c19c5a99f3ef9b3d6a437003d361dff76ccd3b644e4b391b71c12

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\rustdesk\uni_links_desktop_plugin.dll

Filesize
533KB

MD5
e0d4e23e3c5f7b97eda86c27980786dd

SHA1
50073bc6ef391b0b8bfdc7149904d75614576de7

SHA256
9b7b5a6efa9030aa87eb528cc1bef93d120189e05c3bc4d7c10f68a2aa73647d

SHA512
d364ea813f8c81ccd0c95c80eee4b74ae57a901365f10ead7060c29f88e58c31a2ed5d22e7a55c9c9fb1d6bf404657ac6fa8a1d8166aec85a246d0ce81cdb333

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\rustdesk\window_manager_plugin.dll

Filesize
578KB

MD5
f611269f84ffe75b5093da1bfda0c740

SHA1
557c91cfce40a9aa9e5c1504f942726dd7e706ce

SHA256
658a034879cbdb3755ca2892732e7fa97244606b368b87ef36dadd4cc72783d4

SHA512
24ed1fe45a3f8e32bdb88c671254ec08061a6af335c9e7bf5018eacb680765529b84427cc5ca2e298c26b16e52ac872158b11a6deeb50617474764dad21725cf

Download Submit
\??\c:\Windows\Temp\ppla0upd\CSC2B371DE9C3F54A0A9D86ACE52C2576B0.TMP

Filesize
652B

MD5
6115a426cd25e527153430627bba4d04

SHA1
4c6c6ab008890410995e4aab157ba34a7c2120fc

SHA256
e53b0580ba5c48861a4ef5639200668057af40b33c33c739697af479158f54dc

SHA512
b43a23d52f32b1a501e667bb64001a21931703873c2b1bde140702d86643d57f7423fb83b12983111428986dca197cdc5b6bfdd903703d7d91f0cf3f9cead042

Download Submit
\??\c:\Windows\Temp\ppla0upd\ppla0upd.0.cs

Filesize
6KB

MD5
933aec4358084d136849732335dc7d91

SHA1
768841832f670b84e182a526ba3fc22739e0f3ba

SHA256
4077dc7939beb20b1e75d5e65145e9f65a6669c5d6832acead5c1c86126e2267

SHA512
2b37cafe8a2746d2a8b07eb41fddd60598e9b763be127b48d700c41b12325c08d24be07768412f1a5993e85edeed10ef8ba55d0f0d9194b1b7fb9e144d07735d

Download Submit
\??\c:\Windows\Temp\ppla0upd\ppla0upd.cmdline

Filesize
333B

MD5
ae103d8a2ad84432f21bef33c85b4378

SHA1
49a5049b1b5e3bae100e2403b11776fa8df7ae82

SHA256
1d109d0bc1fe659f17f6f253a7ff1cf025754efd91b9e7a16c841504ee306c1e

SHA512
61c0aef08246db02e5f3536589421060d0385c6fbc5c462b66bb39defcdbe559faf3891e8eaf1bb2e170567309b4238536f952ff9575bad150aa859b0b3caff0

Download Submit
memory/1312-229-0x0000015331EF0000-0x00000153320B2000-memory.dmp

Filesize
1.8MB

Download
memory/1312-265-0x0000015332730000-0x0000015332C58000-memory.dmp

Filesize
5.2MB

Download
memory/1312-263-0x0000015331AD0000-0x0000015331AD8000-memory.dmp

Filesize
32KB

Download
memory/1704-59-0x000001F36DAB0000-0x000001F36DAD2000-memory.dmp

Filesize
136KB

Download
memory/1704-69-0x000001F36DF70000-0x000001F36DFB4000-memory.dmp

Filesize
272KB

Download
memory/1704-70-0x000001F36E040000-0x000001F36E0B6000-memory.dmp

Filesize
472KB

Download
memory/1960-228-0x0000027A9CCF0000-0x0000027A9CDA5000-memory.dmp

Filesize
724KB

Download
memory/2528-3-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/2528-6-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/2528-25-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/2648-3416-0x00000198E2820000-0x00000198E282C000-memory.dmp

Filesize
48KB

Download
memory/2648-2014-0x00000198E2840000-0x00000198E2852000-memory.dmp

Filesize
72KB

Download
memory/2648-2018-0x00000198E26C0000-0x00000198E26CA000-memory.dmp

Filesize
40KB

Download
memory/2872-250-0x0000020B235F0000-0x0000020B23604000-memory.dmp

Filesize
80KB

Download
memory/2872-24-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/2872-249-0x0000020B235A0000-0x0000020B235C6000-memory.dmp

Filesize
152KB

Download
memory/2872-10-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/3276-117-0x000001999D530000-0x000001999D53A000-memory.dmp

Filesize
40KB

Download
memory/3276-102-0x000001999D350000-0x000001999D35A000-memory.dmp

Filesize
40KB

Download
memory/3276-100-0x000001999D370000-0x000001999D38C000-memory.dmp

Filesize
112KB

Download
memory/3276-115-0x000001999D4D0000-0x000001999D4D8000-memory.dmp

Filesize
32KB

Download
memory/3276-116-0x000001999D4E0000-0x000001999D4E6000-memory.dmp

Filesize
24KB

Download
memory/3276-105-0x000001999D510000-0x000001999D52A000-memory.dmp

Filesize
104KB

Download
memory/3276-104-0x000001999D360000-0x000001999D36A000-memory.dmp

Filesize
40KB

Download
memory/3276-101-0x000001999D410000-0x000001999D4C5000-memory.dmp

Filesize
724KB

Download
memory/3276-103-0x000001999D4F0000-0x000001999D50C000-memory.dmp

Filesize
112KB

Download
memory/4128-153-0x00000201D8030000-0x00000201D805A000-memory.dmp

Filesize
168KB

Download
memory/4128-154-0x00000201D8030000-0x00000201D8054000-memory.dmp

Filesize
144KB

Download
memory/4128-152-0x00000201D7F70000-0x00000201D8025000-memory.dmp

Filesize
724KB

Download
memory/4496-296-0x000001F43D380000-0x000001F43D435000-memory.dmp

Filesize
724KB

Download
memory/5568-3676-0x0000028257D50000-0x0000028257DA0000-memory.dmp

Filesize
320KB

Download
memory/5568-3662-0x0000028256760000-0x0000028257272000-memory.dmp

Filesize
11.1MB

Download
memory/5568-3713-0x0000028257C20000-0x0000028257C3E000-memory.dmp

Filesize
120KB

Download