File name:

trmm-testing-test-workstation-amd64.exe

Full analysis: https://app.any.run/tasks/a9414a14-7653-40dc-8316-b7e3db33d658
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: January 16, 2025, 19:04:28
OS: Windows 11 Professional (build: 22000, 64 bit)
Tags:
golang
loader
ms-smartcard
ip-check
meshagent
evasion
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows, 7 sections
MD5:

5C5A5108D7B01B5DAE1FEEB2F1461336

SHA1:

A144C90D755DDF78F699544F75A622E8502F2289

SHA256:

3D550B8B386D201750D4C590E6A31C4A89FD9F409A7B8EE17541C9DD0227FB5A

SSDEEP:

98304:b89z9qgAdj3+GaOhdwMVHM4ZSC9y1lYQau6q:g

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Starts NET.EXE for service management

      • cmd.exe (PID: 6312)
      • net.exe (PID: 6716)
      • cmd.exe (PID: 2704)
      • net.exe (PID: 6768)
      • net.exe (PID: 4364)
      • cmd.exe (PID: 3940)
      • cmd.exe (PID: 4960)
      • net.exe (PID: 5872)

    • Executing a file with an untrusted certificate

      • meshagent.exe (PID: 1784)
      • MeshAgent.exe (PID: 2648)

    • Changes the Windows auto-update feature

      • tacticalrmm.exe (PID: 6876)

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 3976)

    • Changes powershell execution policy (Bypass)

      • tacticalrmm.exe (PID: 5956)

    • Downloads the requested resource (POWERSHELL)

      • powershell.exe (PID: 3976)

    • Script downloads file (POWERSHELL)

      • powershell.exe (PID: 3976)

  • SUSPICIOUS

    • Reads settings of System Certificates

      • trmm-testing-test-workstation-amd64.exe (PID: 1668)
      • tacticalrmm.exe (PID: 6876)

    • Executable content was dropped or overwritten

      • trmm-testing-test-workstation-amd64.exe (PID: 1668)
      • tacticalagent-v2.8.0-windows-amd64.exe (PID: 1232)
      • tacticalagent-v2.8.0-windows-amd64.tmp (PID: 2132)
      • tacticalrmm.exe (PID: 6876)
      • tacticalrmm.exe (PID: 5956)
      • powershell.exe (PID: 3976)

    • Reads the Windows owner or organization settings

      • tacticalagent-v2.8.0-windows-amd64.tmp (PID: 2132)

    • Starts CMD.EXE for commands execution

      • tacticalagent-v2.8.0-windows-amd64.tmp (PID: 2132)
      • tacticalrmm.exe (PID: 6876)

    • Runs PING.EXE to delay simulation

      • cmd.exe (PID: 6312)
      • cmd.exe (PID: 3940)

    • Windows service management via SC.EXE

      • sc.exe (PID: 5092)
      • sc.exe (PID: 2648)

    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 1116)

    • Creates or modifies Windows services

      • tacticalrmm.exe (PID: 6708)
      • tacticalrmm.exe (PID: 6876)
      • meshagent.exe (PID: 1784)
      • tacticalrmm.exe (PID: 5956)

    • MeshAgent potential remote access (YARA)

      • tacticalrmm.exe (PID: 6876)
      • MeshAgent.exe (PID: 1140)
      • tacticalrmm.exe (PID: 5956)

    • Creates a software uninstall entry

      • meshagent.exe (PID: 1784)

    • There is functionality for capture public ip (YARA)

      • tacticalrmm.exe (PID: 6876)
      • tacticalrmm.exe (PID: 5956)

    • Executes as Windows Service

      • MeshAgent.exe (PID: 1140)
      • tacticalrmm.exe (PID: 5956)

    • There is functionality for taking screenshot (YARA)

      • MeshAgent.exe (PID: 1140)

    • Searches for installed software

      • tacticalrmm.exe (PID: 6876)

    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • cmd.exe (PID: 5948)

    • Application launched itself

      • tacticalrmm.exe (PID: 5956)

    • Checks for external IP

      • svchost.exe (PID: 1656)

    • The process bypasses the loading of PowerShell profile settings

      • tacticalrmm.exe (PID: 5956)

    • Uses NETSH.EXE to change the status of the firewall

      • cmd.exe (PID: 4172)

    • The process hide an interactive prompt from the user

      • tacticalrmm.exe (PID: 5956)

    • The process executes Powershell scripts

      • tacticalrmm.exe (PID: 5956)

    • Starts POWERSHELL.EXE for commands execution

      • tacticalrmm.exe (PID: 5956)

    • Gets or sets the security protocol (POWERSHELL)

      • powershell.exe (PID: 3976)

    • Process drops python dynamic module

      • tacticalrmm.exe (PID: 5956)

    • Process drops legitimate windows executable

      • tacticalrmm.exe (PID: 5956)

    • Gets file extension (POWERSHELL)

      • powershell.exe (PID: 3976)

    • The process creates files with name similar to system file names

      • powershell.exe (PID: 3976)

  • INFO

    • Reads the software policy settings

      • trmm-testing-test-workstation-amd64.exe (PID: 1668)
      • tacticalrmm.exe (PID: 6876)
      • tacticalrmm.exe (PID: 5956)
      • tacticalrmm.exe (PID: 6768)

    • Checks supported languages

      • trmm-testing-test-workstation-amd64.exe (PID: 1668)
      • tacticalagent-v2.8.0-windows-amd64.exe (PID: 1232)
      • tacticalagent-v2.8.0-windows-amd64.tmp (PID: 2132)
      • tacticalrmm.exe (PID: 6708)
      • tacticalrmm.exe (PID: 6876)
      • meshagent.exe (PID: 1784)
      • MeshAgent.exe (PID: 1140)
      • MeshAgent.exe (PID: 5152)
      • tacticalrmm.exe (PID: 5956)
      • MeshAgent.exe (PID: 2648)
      • tacticalrmm.exe (PID: 6768)

    • Creates files in the program directory

      • trmm-testing-test-workstation-amd64.exe (PID: 1668)
      • tacticalrmm.exe (PID: 6708)
      • tacticalagent-v2.8.0-windows-amd64.tmp (PID: 2132)
      • tacticalrmm.exe (PID: 6876)
      • meshagent.exe (PID: 1784)
      • MeshAgent.exe (PID: 1140)
      • tacticalrmm.exe (PID: 5956)

    • Reads the computer name

      • trmm-testing-test-workstation-amd64.exe (PID: 1668)
      • tacticalagent-v2.8.0-windows-amd64.tmp (PID: 2132)
      • tacticalrmm.exe (PID: 6708)
      • tacticalrmm.exe (PID: 6876)
      • meshagent.exe (PID: 1784)
      • MeshAgent.exe (PID: 1140)
      • MeshAgent.exe (PID: 5152)
      • tacticalrmm.exe (PID: 5956)

    • Create files in a temporary directory

      • tacticalagent-v2.8.0-windows-amd64.exe (PID: 1232)
      • tacticalagent-v2.8.0-windows-amd64.tmp (PID: 2132)

    • Reads the machine GUID from the registry

      • trmm-testing-test-workstation-amd64.exe (PID: 1668)
      • tacticalrmm.exe (PID: 6708)
      • MeshAgent.exe (PID: 1140)
      • tacticalrmm.exe (PID: 6876)
      • tacticalrmm.exe (PID: 6768)
      • tacticalrmm.exe (PID: 5956)

    • Application based on Golang

      • trmm-testing-test-workstation-amd64.exe (PID: 1668)
      • tacticalrmm.exe (PID: 6876)
      • tacticalrmm.exe (PID: 5956)

    • The sample compiled with english language support

      • tacticalagent-v2.8.0-windows-amd64.tmp (PID: 2132)
      • tacticalrmm.exe (PID: 6876)
      • tacticalrmm.exe (PID: 5956)

    • Creates a software uninstall entry

      • tacticalagent-v2.8.0-windows-amd64.tmp (PID: 2132)

    • Reads product name

      • tacticalrmm.exe (PID: 6708)
      • tacticalrmm.exe (PID: 6876)
      • tacticalrmm.exe (PID: 5956)

    • Reads Environment values

      • tacticalrmm.exe (PID: 6708)
      • tacticalrmm.exe (PID: 6876)
      • tacticalrmm.exe (PID: 5956)

    • Drops encrypted JS script (Microsoft Script Encoder)

      • tacticalrmm.exe (PID: 6876)
      • tacticalrmm.exe (PID: 5956)

    • Drops encrypted VBS script (Microsoft Script Encoder)

      • tacticalrmm.exe (PID: 6876)
      • tacticalrmm.exe (PID: 5956)

    • The process uses the downloaded file

      • powershell.exe (PID: 3976)

    • Disables trace logs

      • powershell.exe (PID: 3976)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 3976)

    • Checks whether the specified file exists (POWERSHELL)

      • powershell.exe (PID: 3976)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: Executable, Large address aware, No debug
PEType: PE32+
LinkerVersion: 3
CodeSize: 2520576
InitializedDataSize: 246784
UninitializedDataSize: -
EntryPoint: 0x66fe0
OSVersion: 6.1
ImageVersion: 1
SubsystemVersion: 6.1
Subsystem: Windows command line
FileVersionNumber: 2.0.4.0
ProductVersionNumber: 2.0.4.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: AmidaWare LLC
FileDescription: Tactical RMM Installer
FileVersion: v2.0.4.0
InternalName: rmm.exe
LegalCopyright: Copyright (c) 2022 AmidaWare LLC
OriginalFileName: installer.go
ProductName: Tactical RMM Installer
ProductVersion: v2.0.4.0
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
162
Monitored processes
51
Malicious processes
7
Suspicious processes
6

Behavior graph

Click at the process to see the details
start trmm-testing-test-workstation-amd64.exe conhost.exe no specs tacticalagent-v2.8.0-windows-amd64.exe tacticalagent-v2.8.0-windows-amd64.tmp cmd.exe no specs conhost.exe no specs ping.exe no specs net.exe no specs net1.exe no specs cmd.exe no specs conhost.exe no specs net.exe no specs net1.exe no specs cmd.exe no specs conhost.exe no specs ping.exe no specs net.exe no specs net1.exe no specs cmd.exe no specs conhost.exe no specs taskkill.exe no specs cmd.exe no specs conhost.exe no specs sc.exe no specs cmd.exe no specs conhost.exe no specs sc.exe no specs cmd.exe no specs conhost.exe no specs tacticalrmm.exe no specs cmd.exe no specs conhost.exe no specs net.exe no specs net1.exe no specs #MESHAGENT tacticalrmm.exe meshagent.exe no specs #MESHAGENT meshagent.exe meshagent.exe no specs #MESHAGENT tacticalrmm.exe cmd.exe no specs netsh.exe no specs cmd.exe no specs netsh.exe no specs tacticalrmm.exe conhost.exe no specs svchost.exe meshagent.exe no specs conhost.exe no specs powershell.exe conhost.exe no specs trmm-testing-test-workstation-amd64.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
440"cmd.exe" /c tacticalrmm.exe -m installsvcC:\Windows\SysWOW64\cmd.exetacticalagent-v2.8.0-windows-amd64.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64base.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64con.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
440\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
932ping 127.0.0.1 -n 2 C:\Windows\SysWOW64\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
TCP/IP Ping Command
Exit code:
0
Version:
10.0.22000.653 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\ping.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64base.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64con.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
1116"cmd.exe" /c taskkill /F /IM tacticalrmm.exeC:\Windows\SysWOW64\cmd.exetacticalagent-v2.8.0-windows-amd64.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
128
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64base.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64con.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
1140"C:\Program Files\Mesh Agent\MeshAgent.exe" --installedByUser="S-1-5-21-166304369-59083888-3082702900-1001"C:\Program Files\Mesh Agent\MeshAgent.exe
services.exe
User:
SYSTEM
Integrity Level:
SYSTEM
Description:
MeshCentral Background Service Agent
Version:
2022-Dec-2 11:42:16-0800
Modules
Images
c:\program files\mesh agent\meshagent.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.22000.120_none_9d947278b86cc467\comctl32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
1232C:\ProgramData\TacticalRMM\tacticalagent-v2.8.0-windows-amd64.exe /VERYSILENT /SUPPRESSMSGBOXESC:\ProgramData\TacticalRMM\tacticalagent-v2.8.0-windows-amd64.exe
trmm-testing-test-workstation-amd64.exe
User:
admin
Company:
AmidaWare Inc
Integrity Level:
HIGH
Description:
Tactical RMM Agent Setup
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\programdata\tacticalrmm\tacticalagent-v2.8.0-windows-amd64.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64base.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64con.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
1484\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeMeshAgent.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
1568ping 127.0.0.1 -n 2 C:\Windows\SysWOW64\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
TCP/IP Ping Command
Exit code:
0
Version:
10.0.22000.653 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\ping.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64base.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64con.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
1656C:\Windows\system32\svchost.exe -k NetworkService -pC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
1668"C:\Users\admin\Desktop\trmm-testing-test-workstation-amd64.exe" C:\Users\admin\Desktop\trmm-testing-test-workstation-amd64.exe
explorer.exe
User:
admin
Company:
AmidaWare LLC
Integrity Level:
HIGH
Description:
Tactical RMM Installer
Exit code:
0
Version:
v2.0.4.0
Modules
Images
c:\users\admin\desktop\trmm-testing-test-workstation-amd64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cryptbase.dll
Total events
47 796
Read events
46 984
Write events
812
Delete events
0

Modification events

(PID) Process:(6708) tacticalrmm.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\4c\52C64B7E
Operation:writeName:C:\Windows\system32\,@tzres.dll,-462
Value:
Afghanistan Standard Time
(PID) Process:(6708) tacticalrmm.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\4c\52C64B7E
Operation:writeName:C:\Windows\system32\,@tzres.dll,-461
Value:
Afghanistan Daylight Time
(PID) Process:(6708) tacticalrmm.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\4c\52C64B7E
Operation:writeName:C:\Windows\system32\,@tzres.dll,-222
Value:
Alaskan Standard Time
(PID) Process:(6708) tacticalrmm.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\4c\52C64B7E
Operation:writeName:C:\Windows\system32\,@tzres.dll,-221
Value:
Alaskan Daylight Time
(PID) Process:(6708) tacticalrmm.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\4c\52C64B7E
Operation:writeName:C:\Windows\system32\,@tzres.dll,-2392
Value:
Aleutian Standard Time
(PID) Process:(6708) tacticalrmm.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\4c\52C64B7E
Operation:writeName:C:\Windows\system32\,@tzres.dll,-2391
Value:
Aleutian Daylight Time
(PID) Process:(6708) tacticalrmm.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\4c\52C64B7E
Operation:writeName:C:\Windows\system32\,@tzres.dll,-2162
Value:
Altai Standard Time
(PID) Process:(6708) tacticalrmm.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\4c\52C64B7E
Operation:writeName:C:\Windows\system32\,@tzres.dll,-2161
Value:
Altai Daylight Time
(PID) Process:(6708) tacticalrmm.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\4c\52C64B7E
Operation:writeName:C:\Windows\system32\,@tzres.dll,-392
Value:
Arab Standard Time
(PID) Process:(6708) tacticalrmm.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\4c\52C64B7E
Operation:writeName:C:\Windows\system32\,@tzres.dll,-391
Value:
Arab Daylight Time
Executable files
119
Suspicious files
10
Text files
1 011
Unknown types
0

Dropped files

PID
Process
Filename
Type
1784meshagent.exeC:\Program Files\Mesh Agent\MeshAgent.exe
MD5:
SHA256:
1232tacticalagent-v2.8.0-windows-amd64.exeC:\Users\admin\AppData\Local\Temp\is-58156.tmp\tacticalagent-v2.8.0-windows-amd64.tmpexecutable
MD5:A639312111D278FEE4F70299C134D620
SHA256:4B0BE5167A31A77E28E3F0A7C83C9D289845075B51E70691236603B1083649DF
2132tacticalagent-v2.8.0-windows-amd64.tmpC:\Program Files\TacticalAgent\unins000.datbinary
MD5:1FBCE55BD8B7BB9DC5A4E6F302AC5DFC
SHA256:C1C44B9632D2EDAA79BAF61248F9F3D451864D0DD426A59566D881A8F73F482A
1140MeshAgent.exeC:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\09761E72EE969B4389FD99C90474F6851FC31C84binary
MD5:FCA50737B771864E92E771BD6527A356
SHA256:52D487482F1405D8C9AA8C0E6F8783BC913AD90E79C60EF84EC3FA81630177BE
2132tacticalagent-v2.8.0-windows-amd64.tmpC:\Program Files\TacticalAgent\unins000.exeexecutable
MD5:5E81857286E2795352225BE245FBD62B
SHA256:2624C22DA19E89717DCD522D22B21849A1C3F0EB781333DF85BE5FCD57597278
2132tacticalagent-v2.8.0-windows-amd64.tmpC:\Program Files\TacticalAgent\is-KB6OR.tmpexecutable
MD5:6CFBD2DA5F304A3B8972EAFE6FE4D191
SHA256:AD29D4E9E01870FFBDB6F2498E6CE36A708E56DB2AD431BA2D80BF5A6CAAC069
2132tacticalagent-v2.8.0-windows-amd64.tmpC:\Program Files\TacticalAgent\is-R0SGS.tmpexecutable
MD5:5E81857286E2795352225BE245FBD62B
SHA256:2624C22DA19E89717DCD522D22B21849A1C3F0EB781333DF85BE5FCD57597278
6876tacticalrmm.exeC:\ProgramData\TacticalRMM\953976249.pytext
MD5:14C2BDDAC34109E4BF190C93E175EE84
SHA256:8EB837AA261848788CBDD8EF39BBB68B2D0BA22CF9A62F9A52C5180C6D6C83A6
6876tacticalrmm.exeC:\Program Files\TacticalAgent\meshagent.exeexecutable
MD5:B0CB851630A4E079BBD62BA830FBEF97
SHA256:F32AB646E3D5345A13C52DF23A74A2BA3E3629163F5C22D9D8E73DB4ABDC6B38
6876tacticalrmm.exeC:\Program Files\TacticalAgent\agent.logtext
MD5:10D2941A1AB8F575AED84FAA1D24566B
SHA256:6D66768226CBC40BC11546FD3E436CB316FC232F6B9CA4039DE4C8A06F9A8369
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
61
TCP/UDP connections
66
DNS requests
23
Threats
7

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
23.55.161.164:80
http://www.msftconnecttest.com/connecttest.txt
unknown
whitelisted
GET
302
140.82.121.4:443
https://github.com/amidaware/rmmagent/releases/download/v2.8.0/tacticalagent-v2.8.0-windows-amd64.exe
unknown
2860
svchost.exe
GET
200
199.232.214.172:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?0811ccc60b3de69d
unknown
whitelisted
GET
101
138.199.153.14:443
https://mesh.kf637.tech/agent.ashx
unknown
GET
101
138.199.153.14:443
https://api.kf637.tech/natsws
unknown
GET
101
138.199.153.14:443
https://api.kf637.tech/natsws
unknown
GET
302
140.82.121.4:443
https://github.com/amidaware/rmmagent/releases/download/v2.8.0/py3.11.9_amd64.zip
unknown
GET
101
138.199.153.14:443
https://mesh.kf637.tech/agent.ashx
unknown
5896
svchost.exe
POST
403
23.219.128.25:80
http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409
unknown
whitelisted
5896
svchost.exe
POST
403
23.219.128.25:80
http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
192.168.100.255:137
whitelisted
23.55.161.164:80
Akamai International B.V.
DE
unknown
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
217.20.57.36:80
ctldl.windowsupdate.com
US
whitelisted
1668
trmm-testing-test-workstation-amd64.exe
140.82.121.4:443
github.com
GITHUB
US
whitelisted
2860
svchost.exe
199.232.214.172:80
ctldl.windowsupdate.com
FASTLY
US
whitelisted
1668
trmm-testing-test-workstation-amd64.exe
185.199.111.133:443
objects.githubusercontent.com
FASTLY
US
shared
6876
tacticalrmm.exe
138.199.153.14:443
api.kf637.tech
DE
unknown
1140
MeshAgent.exe
138.199.153.14:443
api.kf637.tech
DE
unknown
6876
tacticalrmm.exe
188.114.97.3:443
icanhazip.tacticalrmm.io
CLOUDFLARENET
NL
unknown

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.74.206
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.104.136.2
  • 4.231.128.59
whitelisted
ctldl.windowsupdate.com
  • 217.20.57.36
  • 217.20.57.20
  • 84.201.210.39
  • 199.232.214.172
  • 199.232.210.172
whitelisted
github.com
  • 140.82.121.4
  • 140.82.121.3
whitelisted
objects.githubusercontent.com
  • 185.199.111.133
  • 185.199.109.133
  • 185.199.108.133
  • 185.199.110.133
shared
api.kf637.tech
  • 138.199.153.14
unknown
mesh.kf637.tech
  • 138.199.153.14
unknown
icanhazip.tacticalrmm.io
  • 188.114.97.3
  • 188.114.96.3
unknown
login.live.com
  • 20.190.159.75
  • 40.126.31.73
  • 20.190.159.23
  • 20.190.159.64
  • 20.190.159.71
  • 20.190.159.68
  • 40.126.31.67
  • 20.190.159.2
whitelisted
go.microsoft.com
  • 23.219.128.25
whitelisted

Threats

PID
Process
Class
Message
Misc activity
ET INFO Microsoft Connection Test
Device Retrieving External IP Address Detected
ET INFO Observed External IP Lookup Domain (icanhazip .com in TLS SNI)
1656
svchost.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain in DNS Lookup (icanhazip .com)
1656
svchost.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain in DNS Lookup (ifconfig .co)
Device Retrieving External IP Address Detected
ET INFO Observed External IP Lookup Domain (ifconfig .co) in TLS SNI
5956
tacticalrmm.exe
Potentially Bad Traffic
ET INFO Observed Chocolatey Windows Package Management Domain (chocolatey .org in TLS SNI)
3976
powershell.exe
Potentially Bad Traffic
ET INFO Observed Chocolatey Windows Package Management Domain (chocolatey .org in TLS SNI)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
trmm-testing-test-workstation-amd64.exe