File name:

trmm-agent.exe

Full analysis: https://app.any.run/tasks/3b8879e4-5a1b-4c37-8c03-a846237b6a75
Verdict: Malicious activity
Analysis date: November 16, 2024, 10:13:01
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
golang
arch-doc
arch-exec
arch-scr
meshagent
ip-check
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows, 7 sections
MD5:

E842A814DE15A8E77A9938853A79CF7C

SHA1:

667A688BF8A79E0BFCC4B2893F3CAD8E730F3491

SHA256:

CB2BA9DC5F6F961A86781B1DE66A420276C32535AF30113828BE41E78798DDA5

SSDEEP:

98304:F89z9qgAdj3+GaOhdwMVHM4ZSCry1OYQau6q:I

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is, for the user's acknowledgement. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Starts NET.EXE for service management

      • cmd.exe (PID: 5172)
      • net.exe (PID: 1112)
      • cmd.exe (PID: 3828)
      • net.exe (PID: 6248)
      • net.exe (PID: 5232)
      • cmd.exe (PID: 6260)
      • cmd.exe (PID: 5508)
    • Dynamically loads an assembly (POWERSHELL)

      • powershell.exe (PID: 3648)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 5892)
      • powershell.exe (PID: 1580)
      • powershell.exe (PID: 5516)
      • powershell.exe (PID: 5284)
      • powershell.exe (PID: 2776)
      • powershell.exe (PID: 6940)
      • powershell.exe (PID: 6424)
    • Changes powershell execution policy (Bypass)

      • tacticalrmm.exe (PID: 7048)
      • tacticalrmm.exe (PID: 528)
      • tacticalrmm.exe (PID: 6640)
    • Downloads the requested resource (POWERSHELL)

      • powershell.exe (PID: 5284)
    • Modifies registry (POWERSHELL)

      • powershell.exe (PID: 6424)
  • SUSPICIOUS

    • Adds/modifies Windows certificates

      • trmm-agent.exe (PID: 5792)
    • Runs PING.EXE to delay simulation

      • cmd.exe (PID: 5172)
      • cmd.exe (PID: 6260)
    • Executable content was dropped or overwritten

      • tacticalagent-v2.8.0-windows-amd64.exe (PID: 6028)
      • tacticalagent-v2.8.0-windows-amd64.tmp (PID: 6424)
      • tacticalrmm.exe (PID: 5328)
      • meshagent.exe (PID: 6584)
      • tacticalrmm.exe (PID: 528)
      • powershell.exe (PID: 5284)
      • trmm-agent.exe (PID: 5792)
    • Starts CMD.EXE for commands execution

      • tacticalagent-v2.8.0-windows-amd64.tmp (PID: 6424)
      • MeshAgent.exe (PID: 7088)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 5508)
    • Uses WMIC.EXE to obtain system information

      • MeshAgent.exe (PID: 7088)
    • Executes as Windows Service

      • MeshAgent.exe (PID: 7088)
      • tacticalrmm.exe (PID: 528)
    • Uses WMIC.EXE to obtain operating system information

      • MeshAgent.exe (PID: 7088)
    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 3648)
    • Process drops python dynamic module

      • tacticalrmm.exe (PID: 528)
    • The process bypasses the loading of PowerShell profile settings

      • MeshAgent.exe (PID: 7088)
      • tacticalrmm.exe (PID: 7048)
      • tacticalrmm.exe (PID: 528)
      • tacticalrmm.exe (PID: 6640)
    • Uses WMIC.EXE to obtain computer system information

      • MeshAgent.exe (PID: 7088)
    • The process hides Powershell's copyright startup banner

      • MeshAgent.exe (PID: 7088)
    • Starts POWERSHELL.EXE for commands execution

      • MeshAgent.exe (PID: 7088)
      • tacticalrmm.exe (PID: 7048)
      • tacticalrmm.exe (PID: 528)
      • tacticalrmm.exe (PID: 6640)
    • There is functionality for taking screenshot (YARA)

      • MeshAgent.exe (PID: 7088)
    • Application launched itself

      • tacticalrmm.exe (PID: 528)
    • MeshAgent potential remote access (YARA)

      • MeshAgent.exe (PID: 7088)
      • tacticalrmm.exe (PID: 528)
    • The process executes Powershell scripts

      • tacticalrmm.exe (PID: 7048)
      • tacticalrmm.exe (PID: 528)
      • tacticalrmm.exe (PID: 6640)
    • The process hides an interactive prompt from the user

      • tacticalrmm.exe (PID: 7048)
      • tacticalrmm.exe (PID: 528)
      • tacticalrmm.exe (PID: 6640)
    • Process drops legitimate windows executable

      • tacticalrmm.exe (PID: 528)
    • Gets file extension (POWERSHELL)

      • powershell.exe (PID: 5284)
    • Drops 7-zip archiver for unpacking

      • powershell.exe (PID: 5284)
    • Gets path to any of the special folders (POWERSHELL)

      • powershell.exe (PID: 5284)
    • There is functionality for capture public ip (YARA)

      • tacticalrmm.exe (PID: 528)
    • Gets or sets the security protocol (POWERSHELL)

      • powershell.exe (PID: 5284)
    • Creates a directory (POWERSHELL)

      • powershell.exe (PID: 5284)
    • The process drops C-runtime libraries

      • tacticalrmm.exe (PID: 528)
  • INFO

    • Checks supported languages

      • trmm-agent.exe (PID: 5792)
    • Creates files in the program directory

      • trmm-agent.exe (PID: 5792)
      • tacticalagent-v2.8.0-windows-amd64.tmp (PID: 6424)
      • tacticalrmm.exe (PID: 5612)
      • tacticalrmm.exe (PID: 5328)
      • meshagent.exe (PID: 6584)
      • MeshAgent.exe (PID: 7088)
    • Create files in a temporary directory

      • tacticalagent-v2.8.0-windows-amd64.exe (PID: 6028)
      • tacticalagent-v2.8.0-windows-amd64.tmp (PID: 6424)
    • Reads the computer name

      • trmm-agent.exe (PID: 5792)
    • Reads the machine GUID from the registry

      • trmm-agent.exe (PID: 5792)
    • Reads the software policy settings

      • trmm-agent.exe (PID: 5792)
    • Application based on Golang

      • trmm-agent.exe (PID: 5792)
      • tacticalrmm.exe (PID: 528)
    • The process uses the downloaded file

      • powershell.exe (PID: 5068)
      • powershell.exe (PID: 6664)
      • powershell.exe (PID: 3648)
    • Drops encrypted VBS script (Microsoft Script Encoder)

      • tacticalrmm.exe (PID: 5328)
    • Drops encrypted JS script (Microsoft Script Encoder)

      • tacticalrmm.exe (PID: 5328)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 5068)
      • powershell.exe (PID: 6664)
      • powershell.exe (PID: 5284)
    • Uses string replace method (POWERSHELL)

      • powershell.exe (PID: 6500)
      • powershell.exe (PID: 5284)
    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 6500)
    • Checks whether the specified file exists (POWERSHELL)

      • powershell.exe (PID: 5284)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 6424)
      • powershell.exe (PID: 5284)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: Executable, Large address aware, No debug
PEType: PE32+
LinkerVersion: 3
CodeSize: 2520576
InitializedDataSize: 246784
UninitializedDataSize: -
EntryPoint: 0x66fe0
OSVersion: 6.1
ImageVersion: 1
SubsystemVersion: 6.1
Subsystem: Windows command line
FileVersionNumber: 2.0.4.0
ProductVersionNumber: 2.0.4.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: AmidaWare LLC
FileDescription: Tactical RMM Installer
FileVersion: v2.0.4.0
InternalName: rmm.exe
LegalCopyright: Copyright (c) 2022 AmidaWare LLC
OriginalFileName: installer.go
ProductName: Tactical RMM Installer
ProductVersion: v2.0.4.0
No data.
All screenshots are available in the full report
Total processes
226
Monitored processes
84
Malicious processes
9
Suspicious processes
5

Behavior graph

Processes in launch order, as listed in the report:

start trmm-agent.exe
conhost.exe no specs
tacticalagent-v2.8.0-windows-amd64.exe
tacticalagent-v2.8.0-windows-amd64.tmp
cmd.exe no specs
conhost.exe no specs
ping.exe no specs
net.exe no specs
net1.exe no specs
cmd.exe no specs
conhost.exe no specs
net.exe no specs
net1.exe no specs
cmd.exe no specs
conhost.exe no specs
ping.exe no specs
net.exe no specs
net1.exe no specs
cmd.exe no specs
conhost.exe no specs
taskkill.exe no specs
cmd.exe no specs
conhost.exe no specs
sc.exe no specs
cmd.exe no specs
conhost.exe no specs
sc.exe no specs
cmd.exe no specs
conhost.exe no specs
tacticalrmm.exe no specs
cmd.exe no specs
conhost.exe no specs
net.exe no specs
net1.exe no specs
tacticalrmm.exe
meshagent.exe #MESHAGENT
meshagent.exe
wmic.exe no specs
conhost.exe no specs
wmic.exe no specs
conhost.exe no specs
wmic.exe no specs
conhost.exe no specs
wmic.exe no specs
conhost.exe no specs
wmic.exe no specs
conhost.exe no specs
wmic.exe no specs
conhost.exe no specs
powershell.exe no specs
conhost.exe no specs
meshagent.exe no specs
powershell.exe no specs
conhost.exe no specs
powershell.exe no specs
conhost.exe no specs
tacticalrmm.exe #MESHAGENT
powershell.exe no specs
conhost.exe no specs
cmd.exe no specs
conhost.exe no specs
manage-bde.exe no specs
tacticalrmm.exe
conhost.exe no specs
powershell.exe no specs
powershell.exe no specs
powershell.exe no specs
meshagent.exe no specs
conhost.exe no specs
powershell.exe
conhost.exe no specs
setx.exe no specs
setx.exe no specs
setx.exe no specs
setx.exe no specs
choco.exe no specs
tacticalrmm.exe
conhost.exe no specs
powershell.exe no specs
powershell.exe no specs
powershell.exe no specs
tacticalrmm.exe
conhost.exe no specs
trmm-agent.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID:
528
CMD:
"C:\Program Files\TacticalAgent\tacticalrmm.exe" -m svc
Path:
C:\Program Files\TacticalAgent\tacticalrmm.exe
Parent process:
services.exe
User:
SYSTEM
Company:
AmidaWare Inc
Integrity Level:
SYSTEM
Description:
Tactical RMM Agent
Version:
v2.8.0.0
Modules
Images
c:\program files\tacticalagent\tacticalrmm.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\cryptbase.dll
PID:
540
CMD:
"C:\ProgramData\chocolatey\choco.exe" -v
Path:
C:\ProgramData\chocolatey\choco.exe
Parent process:
powershell.exe
User:
SYSTEM
Company:
Chocolatey Software, Inc.
Integrity Level:
SYSTEM
Description:
Exit code:
0
Version:
2.4.0.0
Modules
Images
c:\programdata\chocolatey\choco.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID:
612
CMD:
C:\WINDOWS\system32\net1 stop tacticalrmm
Path:
C:\Windows\SysWOW64\net1.exe
Parent process:
net.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Net Command
Exit code:
2
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
PID:
612
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1112
CMD:
net stop tacticalrpc
Path:
C:\Windows\SysWOW64\net.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Net Command
Exit code:
2
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\net.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID:
1396
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1500
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
powershell.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1552
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
WMIC.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1580
CMD:
C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass C:\ProgramData\TacticalRMM\620371545.ps1
Path:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process:
tacticalrmm.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1580
CMD:
"C:\WINDOWS\System32\setx.exe" ChocolateyLastPathUpdate 133762256587992031
Path:
C:\Windows\System32\setx.exe
Parent process:
powershell.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Setx - Sets environment variables
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\setx.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ws2_32.dll
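The command lines in the entries above are the install chain as a process-creation log would record it: net.exe stopping the tacticalrmm and tacticalrpc services, powershell.exe launched by tacticalrmm.exe with -ExecutionPolicy Bypass on a script under C:\ProgramData\TacticalRMM, and choco.exe run as SYSTEM from PowerShell. The Python below is an added example, not part of the ANY.RUN report or of the Tactical RMM project: it runs a few narrow triage rules over constructed Sysmon-style events modelled on those entries. The event field names, the full parent image paths and the rule names are assumptions.

```python
"""
Added example (not part of the ANY.RUN report or of Tactical RMM): a narrow
process-creation triage pass over constructed Sysmon-style events modelled on
the "Process information" entries of the report. Field names, full parent
image paths and rule names are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str          # full path of the new process
    cmdline: str
    parent_image: str   # assumed full path; the report names only the parent image
    user: str


# Constructed sample events; PIDs, command lines and users follow the report.
SAMPLE_EVENTS = [
    ProcEvent(528, r"C:\Program Files\TacticalAgent\tacticalrmm.exe",
              r'"C:\Program Files\TacticalAgent\tacticalrmm.exe" -m svc',
              r"C:\Windows\System32\services.exe", "SYSTEM"),
    ProcEvent(1112, r"C:\Windows\SysWOW64\net.exe", "net stop tacticalrpc",
              r"C:\Windows\SysWOW64\cmd.exe", "admin"),
    ProcEvent(612, r"C:\Windows\SysWOW64\net1.exe",
              r"C:\WINDOWS\system32\net1 stop tacticalrmm",
              r"C:\Windows\SysWOW64\net.exe", "admin"),
    ProcEvent(1580, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe "
              r"-NonInteractive -NoProfile -ExecutionPolicy Bypass "
              r"C:\ProgramData\TacticalRMM\620371545.ps1",
              r"C:\Program Files\TacticalAgent\tacticalrmm.exe", "SYSTEM"),
    ProcEvent(540, r"C:\ProgramData\chocolatey\choco.exe",
              r'"C:\ProgramData\chocolatey\choco.exe" -v',
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "SYSTEM"),
    ProcEvent(1500, r"C:\Windows\System32\conhost.exe",
              r"\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "SYSTEM"),
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


# Each rule is (name, predicate). Kept narrow on purpose: the aim is to surface
# the RMM-agent install chain, not every PowerShell launch on the host.
RULES = [
    ("net_stop_rmm_service",
     lambda e: basename(e.image) in ("net.exe", "net1.exe")
               and re.search(r"\bstop\s+tactical(rmm|rpc)\b", e.cmdline, re.I)),
    ("powershell_bypass_from_rmm_agent",
     lambda e: basename(e.image) == "powershell.exe"
               and re.search(r"-ExecutionPolicy\s+Bypass", e.cmdline, re.I)
               and basename(e.parent_image) == "tacticalrmm.exe"),
    ("script_in_programdata_tacticalrmm",
     lambda e: basename(e.image) == "powershell.exe"
               and re.search(r"C:\\ProgramData\\TacticalRMM\\\S+\.ps1", e.cmdline, re.I)),
    ("package_manager_from_system_powershell",
     lambda e: basename(e.image) == "choco.exe"
               and basename(e.parent_image) == "powershell.exe"
               and e.user.upper() == "SYSTEM"),
]


def triage(events):
    """Return {pid: [rule names]} for every event matching at least one rule."""
    hits = {}
    for ev in events:
        matched = [name for name, pred in RULES if pred(ev)]
        if matched:
            hits[ev.pid] = matched
    return hits


if __name__ == "__main__":
    for pid, names in sorted(triage(SAMPLE_EVENTS).items()):
        print(pid, ", ".join(names))
```

The rules key on the service names and the agent's install paths rather than on -ExecutionPolicy Bypass alone, which fires on a great deal of legitimate administration. On a fleet where Tactical RMM is sanctioned the same rules serve the opposite purpose: confirming that the agent arrived through the expected installer, parent and account rather than through an unattended drop.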
Total events
74 126
Read events
74 045
Write events
69
Delete events
12

Modification events

(PID) Process: (5792) trmm-agent.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates
Operation: delete value
Name: D1CBCA5DB2D52A7F693B674DE5F05A1D0C957DF0
Value:

(PID) Process: (5792) trmm-agent.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1CBCA5DB2D52A7F693B674DE5F05A1D0C957DF0
Operation: write
Name: Blob
Value: (binary certificate blob, not reproduced here)

(PID) Process: (5792) trmm-agent.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1CBCA5DB2D52A7F693B674DE5F05A1D0C957DF0
Operation: write
Name: Blob
Value: (binary certificate blob, not reproduced here)

(PID) Process: (5792) trmm-agent.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates
Operation: delete value
Name: D1EB23A46D17D68FD92564C2F1F1601764D8E349
Value:

(PID) Process: (5792) trmm-agent.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349
Operation: write
Name: Blob
Value: (binary certificate blob, not reproduced here)

(PID) Process: (5792) trmm-agent.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349
Operation: write
Name: Blob
Value: (binary certificate blob, not reproduced here)

(PID) Process: (6424) tacticalagent-v2.8.0-windows-amd64.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{0D34D278-5FAF-4159-A4A0-4E2D2C08139D}_is1
Operation: write
Name: Inno Setup: Setup Version
Value: 6.2.2

(PID) Process: (6424) tacticalagent-v2.8.0-windows-amd64.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{0D34D278-5FAF-4159-A4A0-4E2D2C08139D}_is1
Operation: write
Name: Inno Setup: App Path
Value: C:\Program Files\TacticalAgent

(PID) Process: (6424) tacticalagent-v2.8.0-windows-amd64.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{0D34D278-5FAF-4159-A4A0-4E2D2C08139D}_is1
Operation: write
Name: InstallLocation
Value: C:\Program Files\TacticalAgent\

(PID) Process: (6424) tacticalagent-v2.8.0-windows-amd64.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{0D34D278-5FAF-4159-A4A0-4E2D2C08139D}_is1
Operation: write
Name: Inno Setup: Icon Group
Value: (Default)
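The AuthRoot entries above are what the "Adds/modifies Windows certificates" indicator refers to: trmm-agent.exe deletes and rewrites the Blob value for two root-certificate thumbprints under HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates. The Python below is an added example, not part of the report, that classifies registry events by the certificate-store key layout and groups the operations per thumbprint so that trust-store writes stand out from ordinary uninstall-key writes. The records are constructed from the table above; the allow-list parameter and the set of store names treated as trust stores are assumptions.

```python
"""
Added example (not part of the ANY.RUN report): classify registry modification
events against the Windows certificate-store key layout and summarise which
process touched which trust-store thumbprint. Records are constructed from the
report's "Modification events" table; the allow-list is an assumption.
"""
import re
from collections import defaultdict

# Store names under SystemCertificates whose contents change what the host trusts.
TRUST_STORES = {"AuthRoot", "Root", "CA", "TrustedPublisher", "Disallowed"}

CERT_KEY_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\"
    r"(?P<store>[A-Za-z]+)\\Certificates(?:\\(?P<thumb>[0-9A-Fa-f]{40}))?$"
)

# Constructed records mirroring the report (Blob values omitted).
SAMPLE_EVENTS = [
    {"pid": 5792, "process": "trmm-agent.exe", "operation": "delete value",
     "key": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates",
     "name": "D1CBCA5DB2D52A7F693B674DE5F05A1D0C957DF0"},
    {"pid": 5792, "process": "trmm-agent.exe", "operation": "write",
     "key": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1CBCA5DB2D52A7F693B674DE5F05A1D0C957DF0",
     "name": "Blob"},
    {"pid": 5792, "process": "trmm-agent.exe", "operation": "delete value",
     "key": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates",
     "name": "D1EB23A46D17D68FD92564C2F1F1601764D8E349"},
    {"pid": 5792, "process": "trmm-agent.exe", "operation": "write",
     "key": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349",
     "name": "Blob"},
    {"pid": 6424, "process": "tacticalagent-v2.8.0-windows-amd64.tmp", "operation": "write",
     "key": r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{0D34D278-5FAF-4159-A4A0-4E2D2C08139D}_is1",
     "name": "InstallLocation"},
]


def cert_store_touch(event):
    """Return (store, thumbprint, operation) when the event touches a certificate
    entry in a trust store, else None."""
    m = CERT_KEY_RE.match(event["key"])
    if not m or m.group("store") not in TRUST_STORES:
        return None
    thumb = m.group("thumb")
    if thumb is None:
        # Operation on the Certificates container itself: the value name is the
        # thumbprint (this is the shape of the report's "delete value" rows).
        if not re.fullmatch(r"[0-9A-Fa-f]{40}", event["name"]):
            return None
        thumb = event["name"]
    elif event["name"] != "Blob":
        return None
    return m.group("store"), thumb.upper(), event["operation"]


def summarize(events, allowlist=frozenset()):
    """Group trust-store touches by (process, store, thumbprint) in event order,
    skipping thumbprints on the caller's allow-list (assumed: roots the
    organisation already distributes through its own AuthRoot baseline)."""
    out = defaultdict(list)
    for ev in events:
        hit = cert_store_touch(ev)
        if hit is None or hit[1] in allowlist:
            continue
        store, thumb, op = hit
        out[(ev["process"], store, thumb)].append(op)
    return dict(out)


if __name__ == "__main__":
    for (proc, store, thumb), ops in summarize(SAMPLE_EVENTS).items():
        print(f"{proc} {store} {thumb}: {' -> '.join(ops)}")
```

A hit here is a lead, not proof of a planted root. Windows' automatic root update writes the same AuthRoot\Certificates\<thumbprint>\Blob values, and because crypt32 builds certificate chains inside the calling process, a sandbox attributes those writes to whichever process performed the TLS handshake; a delete-then-write of an AuthRoot entry by a process that has just connected to github.com is consistent with that mechanism. Resolve the two thumbprints against the current Microsoft trusted-root list before treating them as rogue.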
Executable files
223
Suspicious files
31
Text files
2 601
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 6424
Process: tacticalagent-v2.8.0-windows-amd64.tmp
Filename: C:\Program Files\TacticalAgent\unins000.exe
Type: executable
MD5: 5E81857286E2795352225BE245FBD62B
SHA256: 2624C22DA19E89717DCD522D22B21849A1C3F0EB781333DF85BE5FCD57597278

PID: 6424
Process: tacticalagent-v2.8.0-windows-amd64.tmp
Filename: C:\Program Files\TacticalAgent\is-VFR97.tmp
Type: executable
MD5: 5E81857286E2795352225BE245FBD62B
SHA256: 2624C22DA19E89717DCD522D22B21849A1C3F0EB781333DF85BE5FCD57597278

PID: 6028
Process: tacticalagent-v2.8.0-windows-amd64.exe
Filename: C:\Users\admin\AppData\Local\Temp\is-2J6RP.tmp\tacticalagent-v2.8.0-windows-amd64.tmp
Type: executable
MD5: A639312111D278FEE4F70299C134D620
SHA256: 4B0BE5167A31A77E28E3F0A7C83C9D289845075B51E70691236603B1083649DF

PID: 6424
Process: tacticalagent-v2.8.0-windows-amd64.tmp
Filename: C:\Users\admin\AppData\Local\Temp\Setup Log 2024-11-16 #001.txt
Type: text
MD5: 6353246D04562F6C87533D4998F677EC
SHA256: 387BEB1B00E95273DC8E8E9C3C84568F820476FBDEF31FA89F671EEDC2AD8B5D

PID: 6424
Process: tacticalagent-v2.8.0-windows-amd64.tmp
Filename: C:\Program Files\TacticalAgent\tacticalrmm.exe
Type: executable
MD5: 6CFBD2DA5F304A3B8972EAFE6FE4D191
SHA256: AD29D4E9E01870FFBDB6F2498E6CE36A708E56DB2AD431BA2D80BF5A6CAAC069

PID: 6424
Process: tacticalagent-v2.8.0-windows-amd64.tmp
Filename: C:\Users\admin\AppData\Local\Temp\is-U7LRF.tmp\_isetup\_setup64.tmp
Type: executable
MD5: E4211D6D009757C078A9FAC7FF4F03D4
SHA256: 388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95

PID: 6424
Process: tacticalagent-v2.8.0-windows-amd64.tmp
Filename: C:\Program Files\TacticalAgent\unins000.dat
Type: binary
MD5: F74ECE6FB61C6B9782D6C07C4E797513
SHA256: EDC1F30D4E4EE4D2AA2A722803787929439522887692BAC432358561AF0C1E74

PID: 5328
Process: tacticalrmm.exe
Filename: C:\Program Files\TacticalAgent\meshagent.exe
Type: executable
MD5: 1B74D88E20FEA90B69E3577E3642B56A
SHA256: 55EE776182B5EE973F7BFFC959656BDD0E8E8029F847FE02854BF5860E77E45C

PID: 7088
Process: MeshAgent.exe
Filename: C:\Program Files\Mesh Agent\MeshAgent.msh
Type: text
MD5: F96CF9F7E35EC05323BC4B17B552404F
SHA256: 79392962C6B1C88A35924E32803CC4048D80E1D4DD8BD02D1F35A12D045F1130

PID: 7088
Process: MeshAgent.exe
Filename: C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\88EE15AAA3E1A6281BF79435A444DA41FD0639BD
Type: binary
MD5: A214756BB65FEF067F062A349F02A7D8
SHA256: 69252F8011EE9BCAED0E8A39A87B2E48C34FFD7C3A233D3A97832CCC4ADB2EE7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
82
DNS requests
32
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5784
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
US
binary
471 b
whitelisted
4360
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
US
binary
314 b
whitelisted
6504
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
DE
binary
418 b
whitelisted
6944
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
DE
binary
973 b
whitelisted
6944
svchost.exe
GET
200
23.53.40.176:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
DE
binary
1.01 Kb
whitelisted
6288
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
US
binary
471 b
whitelisted
6504
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
DE
binary
408 b
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
6944
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4292
RUXIMICS.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5488
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4360
SearchApp.exe
104.126.37.136:443
www.bing.com
Akamai International B.V.
DE
whitelisted
4360
SearchApp.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
4
System
192.168.100.255:138
whitelisted
5792
trmm-agent.exe
140.82.121.4:443
github.com
GITHUB
US
shared
5792
trmm-agent.exe
185.199.110.133:443
objects.githubusercontent.com
FASTLY
US
shared
5784
svchost.exe
40.126.32.74:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.124.78.146
whitelisted
google.com
  • 142.250.186.46
whitelisted
www.bing.com
  • 104.126.37.136
  • 104.126.37.139
  • 104.126.37.137
  • 104.126.37.128
  • 104.126.37.153
  • 104.126.37.186
  • 104.126.37.144
  • 104.126.37.178
  • 104.126.37.131
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
github.com
  • 140.82.121.4
shared
objects.githubusercontent.com
  • 185.199.110.133
  • 185.199.109.133
  • 185.199.108.133
  • 185.199.111.133
shared
login.live.com
  • 40.126.32.74
  • 40.126.32.140
  • 40.126.32.72
  • 20.190.160.14
  • 40.126.32.68
  • 20.190.160.17
  • 40.126.32.133
  • 20.190.160.20
whitelisted
th.bing.com
  • 104.126.37.123
  • 104.126.37.177
  • 104.126.37.153
  • 104.126.37.130
  • 104.126.37.144
  • 104.126.37.161
  • 104.126.37.139
  • 104.126.37.137
  • 104.126.37.186
whitelisted
go.microsoft.com
  • 23.213.166.81
whitelisted
crl.microsoft.com
  • 23.53.40.176
  • 23.53.40.178
whitelisted

Threats

PID
Process
Class
Message
528
tacticalrmm.exe
Potentially Bad Traffic
ET INFO Observed Chocolatey Windows Package Management Domain (chocolatey .org in TLS SNI)
5284
powershell.exe
Potentially Bad Traffic
ET INFO Observed Chocolatey Windows Package Management Domain (chocolatey .org in TLS SNI)
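The connection and threat tables mix the sample's own traffic (trmm-agent.exe to github.com and objects.githubusercontent.com; tacticalrmm.exe and powershell.exe to chocolatey.org per the TLS SNI alerts) with the guest OS's background traffic (OCSP and CRL fetches by svchost.exe, Bing, login.live.com). The Python below is an added example, not part of the report: it attributes connections to the sample by walking the process tree from the submitted PID and, because tacticalrmm.exe and MeshAgent.exe are started by the Service Control Manager under services.exe rather than by the installer, re-attaches processes whose image lives in a directory the installer populated. The process list and connection records are constructed from this report; the parent PIDs of explorer.exe and services.exe, the parent of the SCM-started services, and chocolatey.org being read from the threat rows rather than the connection rows are assumptions.

```python
"""
Added example (not part of the ANY.RUN report): attribute sandbox network
connections to the submitted sample rather than to guest-OS background noise.
The process list and connection records are constructed from this report;
explorer.exe/services.exe PIDs and the root sample PID are assumptions.
"""
from collections import defaultdict

# (pid, ppid, image): constructed. tacticalrmm.exe (528) and MeshAgent.exe (7088)
# are started by the Service Control Manager, so their parent is services.exe,
# not the installer that dropped them.
PROCS = [
    (4000, 1, "C:\\Windows\\explorer.exe"),
    (700, 1, "C:\\Windows\\System32\\services.exe"),
    (5792, 4000, "C:\\Users\\admin\\Desktop\\trmm-agent.exe"),
    (6028, 5792, "C:\\Users\\admin\\Desktop\\tacticalagent-v2.8.0-windows-amd64.exe"),
    (6424, 6028, "C:\\Users\\admin\\AppData\\Local\\Temp\\is-2J6RP.tmp\\tacticalagent-v2.8.0-windows-amd64.tmp"),
    (528, 700, "C:\\Program Files\\TacticalAgent\\tacticalrmm.exe"),
    (7088, 700, "C:\\Program Files\\Mesh Agent\\MeshAgent.exe"),
    (5284, 528, "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"),
    (5784, 700, "C:\\Windows\\System32\\svchost.exe"),
    (4360, 4000, "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\SearchApp.exe"),
]

# Directories the installer chain wrote into (from the dropped-file list). A
# service whose image lives here belongs to the sample despite its parent.
SAMPLE_DIRS = ("C:\\Program Files\\TacticalAgent\\", "C:\\Program Files\\Mesh Agent\\")

# (pid, destination, reputation): constructed from the Connections and Threats tables.
CONNS = [
    (5784, "login.live.com", "whitelisted"),
    (4360, "www.bing.com", "whitelisted"),
    (5792, "github.com", "shared"),
    (5792, "objects.githubusercontent.com", "shared"),
    (528, "chocolatey.org", "n/a"),    # from the Threats table (TLS SNI)
    (5284, "chocolatey.org", "n/a"),
]


def sample_pids(procs, root_pid, sample_dirs=SAMPLE_DIRS):
    """PIDs reachable from root_pid through parent links, plus the subtrees of
    processes whose image path lies under a directory the sample populated."""
    children = defaultdict(list)
    for pid, ppid, _ in procs:
        children[ppid].append(pid)

    def walk(seeds, reached):
        stack = list(seeds)
        while stack:
            pid = stack.pop()
            if pid not in reached:
                reached.add(pid)
                stack.extend(children[pid])
        return reached

    reached = walk([root_pid], set())
    # Re-attach SCM-started services (and anything else living in the sample's
    # install directories), then take their subtrees as well.
    reattached = [pid for pid, _, image in procs if image.startswith(sample_dirs)]
    return walk(reattached, reached)


def attribute(conns, procs, root_pid):
    """Split connections into those owned by the sample's process set and
    background traffic from the guest OS, preserving table order."""
    owned = sample_pids(procs, root_pid)
    sample, background = [], []
    for pid, dest, rep in conns:
        (sample if pid in owned else background).append((pid, dest, rep))
    return sample, background


if __name__ == "__main__":
    mine, noise = attribute(CONNS, PROCS, 5792)
    print("sample:", [(p, d) for p, d, _ in mine])
    print("background:", [(p, d) for p, d, _ in noise])
```

Without the re-attachment step the walk from PID 5792 stops at the Inno Setup stage and the chocolatey.org alerts, which belong to the installed agent, would be filed as background noise. The same gap applies to anything launched through schtasks, WMI or a service install, so a tree walk alone is never sufficient for attribution in a sandbox report.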
No debug info