Malware analysis fc39e6cb0ae28dcd647eedbb041a5c9aa295b2db883232960ef0a48d86e93856.exe Malicious activity

Add for printing

File name:	fc39e6cb0ae28dcd647eedbb041a5c9aa295b2db883232960ef0a48d86e93856.exe
Full analysis:	https://app.any.run/tasks/20ced0de-2a62-4991-b2be-3c5b527e198b
Verdict:	Malicious activity
Analysis date:	February 01, 2024, 04:26:47
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Indicators:
MIME:	application/x-dosexec
File info:	PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
MD5:	B8B966DB021D7B8AAEE6965B3DBA4A28
SHA1:	189ED55B5E1BEF3F1F2FDE5C092F70DC6779A3F6
SHA256:	FC39E6CB0AE28DCD647EEDBB041A5C9AA295B2DB883232960EF0A48D86E93856
SSDEEP:	98304:qUFz9qgAoj3+uaOhkwMteU4ZSCPy1RYQau6qLm:WE

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.18860 KB4052978
Adobe Acrobat Reader DC MUI (15.007.20033)
Adobe Flash Player 27 ActiveX (27.0.0.187)
Adobe Flash Player 27 NPAPI (27.0.0.187)
Adobe Flash Player 27 PPAPI (27.0.0.187)
CCleaner (5.35)
Google Chrome (109.0.5414.120)
Google Update Helper (1.3.33.23)
Java 8 Update 92 (64-bit) (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft Edge (109.0.1518.115)
Microsoft Edge Update (1.3.177.11)
Microsoft Office Access MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Office 32-bit Components 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.4763.1000)
Microsoft Office Proof (French) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared 32-bit MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Single Image 2010 (14.0.4763.1000)
Microsoft Office Word MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2005 Redistributable (x64) (8.0.61000)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (11.0.61030.0)
Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (115.0.2)
Mozilla Maintenance Service (115.0.2)
Notepad++ (64-bit x64) (7.5.1)
PowerShell 7-x64 (7.2.11.0)
Skype version 8.100 (8.100)
Update for Microsoft .NET Framework 4.8 (KB4503575) (1)
VLC media player (2.2.6)
WinRAR 5.60 (64-bit) (5.60.0)

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - fc39e6cb0ae28dcd647eedbb041a5c9aa295b2db883232960ef0a48d86e93856.exe (PID: 896)
  - tacticalagent-v2.6.1-windows-amd64.exe (PID: 2812)
  - tacticalagent-v2.6.1-windows-amd64.tmp (PID: 2692)
  - tacticalrmm.exe (PID: 3000)
  - meshagent.exe (PID: 1932)
  - csc.exe (PID: 2952)
  - tacticalrmm.exe (PID: 1088)
  - powershell.exe (PID: 2692)
- Starts NET.EXE for service management
  - cmd.exe (PID: 2192)
  - net.exe (PID: 2416)
  - cmd.exe (PID: 2172)
  - cmd.exe (PID: 2260)
  - net.exe (PID: 2156)
  - net.exe (PID: 1004)
  - net.exe (PID: 884)
  - cmd.exe (PID: 2804)
- Creates a writable file in the system directory
  - MeshAgent.exe (PID: 756)
  - powershell.exe (PID: 2664)
  - powershell.exe (PID: 2692)
- Bypass execution policy to execute commands
  - powershell.exe (PID: 2692)
- Changes powershell execution policy (Bypass)
  - tacticalrmm.exe (PID: 1088)
SUSPICIOUS
- Executable content was dropped or overwritten
  - fc39e6cb0ae28dcd647eedbb041a5c9aa295b2db883232960ef0a48d86e93856.exe (PID: 896)
  - tacticalagent-v2.6.1-windows-amd64.exe (PID: 2812)
  - tacticalagent-v2.6.1-windows-amd64.tmp (PID: 2692)
  - tacticalrmm.exe (PID: 3000)
  - meshagent.exe (PID: 1932)
  - tacticalrmm.exe (PID: 1088)
  - csc.exe (PID: 2952)
  - powershell.exe (PID: 2692)
- Reads settings of System Certificates
  - fc39e6cb0ae28dcd647eedbb041a5c9aa295b2db883232960ef0a48d86e93856.exe (PID: 896)
  - tacticalrmm.exe (PID: 3000)
- Reads the Windows owner or organization settings
  - tacticalagent-v2.6.1-windows-amd64.tmp (PID: 2692)
- Runs PING.EXE to delay simulation
  - cmd.exe (PID: 2260)
  - cmd.exe (PID: 2172)
- Uses TASKKILL.EXE to kill process
  - cmd.exe (PID: 2480)
- Creates or modifies Windows services
  - tacticalrmm.exe (PID: 3000)
  - meshagent.exe (PID: 1932)
  - tacticalrmm.exe (PID: 1088)
  - tacticalrmm.exe (PID: 1400)
- Adds/modifies Windows certificates
  - tacticalrmm.exe (PID: 3000)
- Reads the Internet Settings
  - tacticalrmm.exe (PID: 3000)
- Executes as Windows Service
  - MeshAgent.exe (PID: 756)
  - tacticalrmm.exe (PID: 1088)
- The process bypasses the loading of PowerShell profile settings
  - MeshAgent.exe (PID: 756)
  - tacticalrmm.exe (PID: 1088)
- Starts POWERSHELL.EXE for commands execution
  - MeshAgent.exe (PID: 756)
  - tacticalrmm.exe (PID: 1088)
- Searches for installed software
  - tacticalrmm.exe (PID: 3000)
  - tacticalrmm.exe (PID: 1088)
- Uses WMIC.EXE to obtain operating system information
  - MeshAgent.exe (PID: 756)
- Uses WMIC.EXE to obtain system information
  - MeshAgent.exe (PID: 756)
- Uses WMIC.EXE to obtain computer system information
  - MeshAgent.exe (PID: 756)
- The process hides Powershell's copyright startup banner
  - MeshAgent.exe (PID: 756)
- Uses NETSH.EXE to change the status of the firewall
  - cmd.exe (PID: 2124)
- Process drops legitimate windows executable
  - tacticalrmm.exe (PID: 1088)
- Starts CMD.EXE for commands execution
  - tacticalrmm.exe (PID: 3000)
  - tacticalagent-v2.6.1-windows-amd64.tmp (PID: 2692)
- Uses NETSH.EXE to add a firewall rule or allowed programs
  - cmd.exe (PID: 2256)
- The Powershell connects to the Internet
  - powershell.exe (PID: 2692)
- Unusual connection from system programs
  - powershell.exe (PID: 2692)
- The process hide an interactive prompt from the user
  - tacticalrmm.exe (PID: 1088)
- The process executes Powershell scripts
  - tacticalrmm.exe (PID: 1088)
- Application launched itself
  - tacticalrmm.exe (PID: 1088)
- Drops 7-zip archiver for unpacking
  - powershell.exe (PID: 2692)
- The process drops C-runtime libraries
  - tacticalrmm.exe (PID: 1088)
INFO
- Checks supported languages
  - fc39e6cb0ae28dcd647eedbb041a5c9aa295b2db883232960ef0a48d86e93856.exe (PID: 896)
  - tacticalagent-v2.6.1-windows-amd64.exe (PID: 2812)
  - tacticalagent-v2.6.1-windows-amd64.tmp (PID: 2692)
  - tacticalrmm.exe (PID: 2268)
  - tacticalrmm.exe (PID: 3000)
  - meshagent.exe (PID: 1932)
  - MeshAgent.exe (PID: 756)
  - tacticalrmm.exe (PID: 1088)
  - MeshAgent.exe (PID: 2416)
  - MeshAgent.exe (PID: 2332)
  - tacticalrmm.exe (PID: 1400)
  - csc.exe (PID: 2952)
  - cvtres.exe (PID: 892)
  - choco.exe (PID: 2540)
- Creates files in the program directory
  - fc39e6cb0ae28dcd647eedbb041a5c9aa295b2db883232960ef0a48d86e93856.exe (PID: 896)
  - tacticalagent-v2.6.1-windows-amd64.tmp (PID: 2692)
  - tacticalrmm.exe (PID: 2268)
  - tacticalrmm.exe (PID: 3000)
  - meshagent.exe (PID: 1932)
  - MeshAgent.exe (PID: 756)
  - tacticalrmm.exe (PID: 1088)
  - powershell.exe (PID: 2692)
  - choco.exe (PID: 2540)
- Reads the machine GUID from the registry
  - fc39e6cb0ae28dcd647eedbb041a5c9aa295b2db883232960ef0a48d86e93856.exe (PID: 896)
  - tacticalrmm.exe (PID: 2268)
  - tacticalrmm.exe (PID: 3000)
  - MeshAgent.exe (PID: 756)
  - meshagent.exe (PID: 1932)
  - tacticalrmm.exe (PID: 1088)
  - cvtres.exe (PID: 892)
  - csc.exe (PID: 2952)
  - tacticalrmm.exe (PID: 1400)
  - choco.exe (PID: 2540)
- Reads the computer name
  - fc39e6cb0ae28dcd647eedbb041a5c9aa295b2db883232960ef0a48d86e93856.exe (PID: 896)
  - tacticalagent-v2.6.1-windows-amd64.tmp (PID: 2692)
  - tacticalrmm.exe (PID: 2268)
  - tacticalrmm.exe (PID: 3000)
  - MeshAgent.exe (PID: 756)
  - meshagent.exe (PID: 1932)
  - MeshAgent.exe (PID: 2416)
  - tacticalrmm.exe (PID: 1088)
  - MeshAgent.exe (PID: 2332)
  - tacticalrmm.exe (PID: 1400)
  - choco.exe (PID: 2540)
- Create files in a temporary directory
  - tacticalagent-v2.6.1-windows-amd64.exe (PID: 2812)
  - tacticalrmm.exe (PID: 3000)
  - tacticalagent-v2.6.1-windows-amd64.tmp (PID: 2692)
- Reads Environment values
  - tacticalrmm.exe (PID: 2268)
  - tacticalrmm.exe (PID: 3000)
  - tacticalrmm.exe (PID: 1088)
  - tacticalrmm.exe (PID: 1400)
- Reads product name
  - tacticalrmm.exe (PID: 2268)
  - tacticalrmm.exe (PID: 3000)
  - tacticalrmm.exe (PID: 1088)
  - tacticalrmm.exe (PID: 1400)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win64 Executable (generic) (87.3)
.exe	\|	Generic Win/DOS Executable (6.3)
.exe	\|	DOS Executable Generic (6.3)

EXIF

EXE

MachineType:	AMD AMD64
TimeStamp:	0000:00:00 00:00:00
ImageFileCharacteristics:	Executable, Large address aware, No debug
PEType:	PE32+
LinkerVersion:	3
CodeSize:	2520576
InitializedDataSize:	246784
UninitializedDataSize:	-
EntryPoint:	0x66fe0
OSVersion:	6.1
ImageVersion:	1
SubsystemVersion:	6.1
Subsystem:	Windows command line
FileVersionNumber:	2.0.4.0
ProductVersionNumber:	2.0.4.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	AmidaWare LLC
FileDescription:	Tactical RMM Installer
FileVersion:	v2.0.4.0
InternalName:	rmm.exe
LegalCopyright:	Copyright (c) 2022 AmidaWare LLC
OriginalFileName:	installer.go
ProductName:	Tactical RMM Installer
ProductVersion:	v2.0.4.0

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

105

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

756

ping 127.0.0.1 -n 2

C:\Windows\SysWOW64\PING.EXE

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

TCP/IP Ping Command

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\syswow64\ping.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

756

"C:\Program Files\Mesh Agent\MeshAgent.exe" --installedByUser="S-1-5-21-3896776584-4254864009-862391680-1000"

C:\Program Files\Mesh Agent\MeshAgent.exe

services.exe

User:

SYSTEM

Integrity Level:

SYSTEM

Description:

MeshCentral Background Service Agent

Exit code:

Version:

2022-Dec-2 11:42:16-0800

Modules

Images
c:\program files\mesh agent\meshagent.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

856

wmic SystemEnclosure get ChassisTypes

C:\Windows\System32\wbem\WMIC.exe

—

MeshAgent.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

WMI Commandline Utility

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll

884

net start tacticalrmm

C:\Windows\SysWOW64\net.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Net Command

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\syswow64\net.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

892

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

C:\Windows\System32\wbem\WMIC.exe

—

MeshAgent.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

WMI Commandline Utility

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll

892

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Windows\TEMP\RES8972.tmp" "c:\Windows\Temp\t3zlfl45\CSCC2B8AB70BF1642DF8FD54E931FFDDB7B.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

—

csc.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Microsoft® Resource File To COFF Object Conversion Utility

Exit code:

Version:

14.10.25028.0 built by: VCTOOLSD15RTM

Modules

Images
c:\windows\microsoft.net\framework64\v4.0.30319\cvtres.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\vcruntime140_clr0400.dll
c:\windows\system32\ucrtbase_clr0400.dll

896

"C:\Users\admin\AppData\Local\Temp\fc39e6cb0ae28dcd647eedbb041a5c9aa295b2db883232960ef0a48d86e93856.exe"

C:\Users\admin\AppData\Local\Temp\fc39e6cb0ae28dcd647eedbb041a5c9aa295b2db883232960ef0a48d86e93856.exe

explorer.exe

User:

admin

Company:

AmidaWare LLC

Integrity Level:

HIGH

Description:

Tactical RMM Installer

Exit code:

Version:

v2.0.4.0

Modules

Images
c:\users\admin\appdata\local\temp\fc39e6cb0ae28dcd647eedbb041a5c9aa295b2db883232960ef0a48d86e93856.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\winmm.dll
c:\windows\system32\user32.dll

1004

net stop tacticalagent

C:\Windows\SysWOW64\net.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Net Command

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\syswow64\net.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

1088

"C:\Program Files\TacticalAgent\tacticalrmm.exe" -m svc

C:\Program Files\TacticalAgent\tacticalrmm.exe

services.exe

User:

SYSTEM

Company:

AmidaWare Inc

Integrity Level:

SYSTEM

Description:

Tactical RMM Agent

Exit code:

Version:

v2.6.1.0

Modules

Images
c:\program files\tacticalagent\tacticalrmm.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\winmm.dll
c:\windows\system32\user32.dll

1104

"cmd.exe" /c sc delete tacticalrpc

C:\Windows\SysWOW64\cmd.exe

—

tacticalagent-v2.6.1-windows-amd64.tmp

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

1060

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

Add for printing

Total events

22 402

Read events

20 510

Write events

1 892

Delete events

Modification events


(PID) Process:	(896) fc39e6cb0ae28dcd647eedbb041a5c9aa295b2db883232960ef0a48d86e93856.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\15A\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US
(PID) Process:	(2268) tacticalrmm.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\15A\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US
(PID) Process:	(3000) tacticalrmm.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\partmgr
Operation:	write	Name:	EnableCounterForIoctl
Value: 1
(PID) Process:	(3000) tacticalrmm.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\15A\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US
(PID) Process:	(3000) tacticalrmm.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\SystemCertificates\AuthRoot\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8
Operation:	write	Name:	Blob
Value: 1900000001000000100000002FE1F70BB05D7C92335BC5E05B984DA6030000000100000014000000CABD2A79A1076A31F21D253635CB039D4329A5E81D000000010000001000000073B6876195F5D18E048510422AEF04E314000000010000001400000079B459E67BB6E5E40173800888C81A58F6E99B6E090000000100000016000000301406082B0601050507030206082B060105050703010B000000010000001A0000004900530052004700200052006F006F007400200058003100000062000000010000002000000096BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C60F00000001000000200000003F0411EDE9C4477057D57E57883B1F205B20CDC0F3263129B1EE0269A2678F6320000000010000006F0500003082056B30820353A0030201020211008210CFB0D240E3594463E0BB63828B00300D06092A864886F70D01010B0500304F310B300906035504061302555331293027060355040A1320496E7465726E65742053656375726974792052657365617263682047726F7570311530130603550403130C4953524720526F6F74205831301E170D3135303630343131303433385A170D3335303630343131303433385A304F310B300906035504061302555331293027060355040A1320496E7465726E65742053656375726974792052657365617263682047726F7570311530130603550403130C4953524720526F6F7420583130820222300D06092A864886F70D01010105000382020F003082020A0282020100ADE82473F41437F39B9E2B57281C87BEDCB7DF38908C6E3CE657A078F775C2A2FEF56A6EF6004F28DBDE68866C4493B6B163FD14126BBF1FD2EA319B217ED1333CBA48F5DD79DFB3B8FF12F1219A4BC18A8671694A66666C8F7E3C70BFAD292206F3E4C0E680AEE24B8FB7997E94039FD347977C99482353E838AE4F0A6F832ED149578C8074B6DA2FD0388D7B0370211B75F2303CFA8FAEDDDA63ABEB164FC28E114B7ECF0BE8FFB5772EF4B27B4AE04C12250C708D0329A0E15324EC13D9EE19BF10B34A8C3F89A36151DEAC870794F46371EC2EE26F5B9881E1895C34796C76EF3B906279E6DBA49A2F26C5D010E10EDED9108E16FBB7F7A8F7C7E50207988F360895E7E237960D36759EFB0E72B11D9BBC03F94905D881DD05B42AD641E9AC0176950A0FD8DFD5BD121F352F28176CD298C1A80964776E4737BACEAC595E689D7F72D689C50641293E593EDD26F524C911A75AA34C401F46A199B5A73A516E863B9E7D72A712057859ED3E5178150B038F8DD02F05B23E7B4A1C4B730512FCC6EAE050137C439374B3CA74E78E1F0108D030D45B7136B407BAC130305C48B7823B98A67D608AA2A32982CCBABD83041BA2830341A1D605F11BC2B6F0A87C863B46A8482A88DC769A76BF1F6AA53D198FEB38F364DEC82B0D0A28FFF7DBE21542D422D0275DE179FE18E77088AD4EE6D98B3AC6DD27516EFFBC64F533434F0203010001A3423040300E0603551D0F0101FF040403020106300F0603551D130101FF040530030101FF301D0603551D0E0416041479B459E67BB6E5E40173800888C81A58F6E99B6E300D06092A864886F70D01010B05000382020100551F58A9BCB2A850D00CB1D81A6920272908AC61755C8A6EF882E5692FD5F6564BB9B8731059D321977EE74C71FBB2D260AD39A80BEA17215685F1500E59EBCEE059E9BAC915EF869D8F8480F6E4E99190DC179B621B45F06695D27C6FC2EA3BEF1FCFCBD6AE27F1A9B0C8AEFD7D7E9AFA2204EBFFD97FEA912B22B1170E8FF28A345B58D8FC01C954B9B826CC8A8833894C2D843C82DFEE965705BA2CBBF7C4B7C74E3B82BE31C822737392D1C280A43939103323824C3C9F86B255981DBE29868C229B9EE26B3B573A82704DDC09C789CB0A074D6CE85D8EC9EFCEABC7BBB52B4E45D64AD026CCE572CA086AA595E315A1F7A4EDC92C5FA5FBFFAC28022EBED77BBBE3717B9016D3075E46537C3707428CD3C4969CD599B52AE0951A8048AE4C3907CECC47A452952BBAB8FBADD233537DE51D4D6DD5A1B1C7426FE64027355CA328B7078DE78D3390E7239FFB509C796C46D5B415B3966E7E9B0C963AB8522D3FD65BE1FB08C284FE24A8A389DAAC6AE1182AB1A843615BD31FDC3B8D76F22DE88D75DF17336C3D53FB7BCB415FFFDCA2D06138E196B8AC5D8B37D775D533C09911AE9D41C1727584BE0241425F67244894D19B27BE073FB9B84F817451E17AB7ED9D23E2BEE0D52804133C31039EDD7A6C8FC60718C67FDE478E3F289E0406CFA5543477BDEC899BE91743DF5BDB5FFE8E1E57A2CD409D7E6222DADE1827
(PID) Process:	(3000) tacticalrmm.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\SystemCertificates\AuthRoot\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8
Operation:	write	Name:	Blob
Value: 0400000001000000100000000CD2F9E0DA1773E9ED864DA5E370E74E0F00000001000000200000003F0411EDE9C4477057D57E57883B1F205B20CDC0F3263129B1EE0269A2678F6362000000010000002000000096BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C60B000000010000001A0000004900530052004700200052006F006F0074002000580031000000090000000100000016000000301406082B0601050507030206082B0601050507030114000000010000001400000079B459E67BB6E5E40173800888C81A58F6E99B6E1D000000010000001000000073B6876195F5D18E048510422AEF04E3030000000100000014000000CABD2A79A1076A31F21D253635CB039D4329A5E81900000001000000100000002FE1F70BB05D7C92335BC5E05B984DA620000000010000006F0500003082056B30820353A0030201020211008210CFB0D240E3594463E0BB63828B00300D06092A864886F70D01010B0500304F310B300906035504061302555331293027060355040A1320496E7465726E65742053656375726974792052657365617263682047726F7570311530130603550403130C4953524720526F6F74205831301E170D3135303630343131303433385A170D3335303630343131303433385A304F310B300906035504061302555331293027060355040A1320496E7465726E65742053656375726974792052657365617263682047726F7570311530130603550403130C4953524720526F6F7420583130820222300D06092A864886F70D01010105000382020F003082020A0282020100ADE82473F41437F39B9E2B57281C87BEDCB7DF38908C6E3CE657A078F775C2A2FEF56A6EF6004F28DBDE68866C4493B6B163FD14126BBF1FD2EA319B217ED1333CBA48F5DD79DFB3B8FF12F1219A4BC18A8671694A66666C8F7E3C70BFAD292206F3E4C0E680AEE24B8FB7997E94039FD347977C99482353E838AE4F0A6F832ED149578C8074B6DA2FD0388D7B0370211B75F2303CFA8FAEDDDA63ABEB164FC28E114B7ECF0BE8FFB5772EF4B27B4AE04C12250C708D0329A0E15324EC13D9EE19BF10B34A8C3F89A36151DEAC870794F46371EC2EE26F5B9881E1895C34796C76EF3B906279E6DBA49A2F26C5D010E10EDED9108E16FBB7F7A8F7C7E50207988F360895E7E237960D36759EFB0E72B11D9BBC03F94905D881DD05B42AD641E9AC0176950A0FD8DFD5BD121F352F28176CD298C1A80964776E4737BACEAC595E689D7F72D689C50641293E593EDD26F524C911A75AA34C401F46A199B5A73A516E863B9E7D72A712057859ED3E5178150B038F8DD02F05B23E7B4A1C4B730512FCC6EAE050137C439374B3CA74E78E1F0108D030D45B7136B407BAC130305C48B7823B98A67D608AA2A32982CCBABD83041BA2830341A1D605F11BC2B6F0A87C863B46A8482A88DC769A76BF1F6AA53D198FEB38F364DEC82B0D0A28FFF7DBE21542D422D0275DE179FE18E77088AD4EE6D98B3AC6DD27516EFFBC64F533434F0203010001A3423040300E0603551D0F0101FF040403020106300F0603551D130101FF040530030101FF301D0603551D0E0416041479B459E67BB6E5E40173800888C81A58F6E99B6E300D06092A864886F70D01010B05000382020100551F58A9BCB2A850D00CB1D81A6920272908AC61755C8A6EF882E5692FD5F6564BB9B8731059D321977EE74C71FBB2D260AD39A80BEA17215685F1500E59EBCEE059E9BAC915EF869D8F8480F6E4E99190DC179B621B45F06695D27C6FC2EA3BEF1FCFCBD6AE27F1A9B0C8AEFD7D7E9AFA2204EBFFD97FEA912B22B1170E8FF28A345B58D8FC01C954B9B826CC8A8833894C2D843C82DFEE965705BA2CBBF7C4B7C74E3B82BE31C822737392D1C280A43939103323824C3C9F86B255981DBE29868C229B9EE26B3B573A82704DDC09C789CB0A074D6CE85D8EC9EFCEABC7BBB52B4E45D64AD026CCE572CA086AA595E315A1F7A4EDC92C5FA5FBFFAC28022EBED77BBBE3717B9016D3075E46537C3707428CD3C4969CD599B52AE0951A8048AE4C3907CECC47A452952BBAB8FBADD233537DE51D4D6DD5A1B1C7426FE64027355CA328B7078DE78D3390E7239FFB509C796C46D5B415B3966E7E9B0C963AB8522D3FD65BE1FB08C284FE24A8A389DAAC6AE1182AB1A843615BD31FDC3B8D76F22DE88D75DF17336C3D53FB7BCB415FFFDCA2D06138E196B8AC5D8B37D775D533C09911AE9D41C1727584BE0241425F67244894D19B27BE073FB9B84F817451E17AB7ED9D23E2BEE0D52804133C31039EDD7A6C8FC60718C67FDE478E3F289E0406CFA5543477BDEC899BE91743DF5BDB5FFE8E1E57A2CD409D7E6222DADE1827
(PID) Process:	(3000) tacticalrmm.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13
Operation:	write	Name:	Blob
Value: 1900000001000000100000006CF252FEC3E8F20996DE5D4DD9AEF424030000000100000014000000DAC9024F54D8F6DF94935FB1732638CA6AD77C1368000000010000000800000000409120D035D9017E000000010000000800000000C001B39667D6017F000000010000000E000000300C060A2B0601040182370A03041D00000001000000100000004558D512EECB27464920897DE7B66053140000000100000014000000C4A7B1A47B2C71FADBE14B9075FFC415608589100B000000010000001E000000440053005400200052006F006F00740020004300410020005800330000006200000001000000200000000687260331A72403D909F105E69BCF0D32E1BD2493FFC6D9206D11BCD6770739090000000100000042000000304006082B06010505070302060A2B0601040182370A030C060A2B0601040182370A030406082B0601050507030406082B0601050507030106082B060105050703080F00000001000000140000005BCAA1C2780F0BCB5A90770451D96F38963F012D20000000010000004E0300003082034A30820232A003020102021044AFB080D6A327BA893039862EF8406B300D06092A864886F70D0101050500303F31243022060355040A131B4469676974616C205369676E617475726520547275737420436F2E311730150603550403130E44535420526F6F74204341205833301E170D3030303933303231313231395A170D3231303933303134303131355A303F31243022060355040A131B4469676974616C205369676E617475726520547275737420436F2E311730150603550403130E44535420526F6F7420434120583330820122300D06092A864886F70D01010105000382010F003082010A0282010100DFAFE99750088357B4CC6265F69082ECC7D32C6B30CA5BECD9C37DC740C118148BE0E83376492AE33F214993AC4E0EAF3E48CB65EEFCD3210F65D22AD9328F8CE5F777B0127BB595C089A3A9BAED732E7A0C063283A27E8A1430CD11A0E12A38B9790A31FD50BD8065DFB7516383C8E28861EA4B6181EC526BB9A2E24B1A289F48A39E0CDA098E3E172E1EDD20DF5BC62A8AAB2EBD70ADC50B1A25907472C57B6AAB34D63089FFE568137B540BC8D6AEEC5A9C921E3D64B38CC6DFBFC94170EC1672D526EC38553943D0FCFD185C40F197EBD59A9B8D1DBADA25B9C6D8DFC115023AABDA6EF13E2EF55C089C3CD68369E4109B192AB62957E3E53D9B9FF0025D0203010001A3423040300F0603551D130101FF040530030101FF300E0603551D0F0101FF040403020106301D0603551D0E04160414C4A7B1A47B2C71FADBE14B9075FFC41560858910300D06092A864886F70D01010505000382010100A31A2C9B17005CA91EEE2866373ABF83C73F4BC309A095205DE3D95944D23E0D3EBD8A4BA0741FCE10829C741A1D7E981ADDCB134BB32044E491E9CCFC7DA5DB6AE5FEE6FDE04EDDB7003AB57049AFF2E5EB02F1D1028B19CB943A5E48C4181E58195F1E025AF00CF1B1ADA9DC59868B6EE991F586CAFAB96633AA595BCEE2A7167347CB2BCC99B03748CFE3564BF5CF0F0C723287C6F044BB53726D43F526489A5267B758ABFE67767178DB0DA256141339243185A2A8025A3047E1DD5007BC02099000EB6463609B16BC88C912E6D27D918BF93D328D65B4E97CB15776EAC5B62839BF15651CC8F677966A0A8D770BD8910B048E07DB29B60AEE9D82353510
(PID) Process:	(3000) tacticalrmm.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13
Operation:	write	Name:	Blob
Value: 040000000100000010000000410352DC0FF7501B16F0028EBA6F45C50F00000001000000140000005BCAA1C2780F0BCB5A90770451D96F38963F012D090000000100000042000000304006082B06010505070302060A2B0601040182370A030C060A2B0601040182370A030406082B0601050507030406082B0601050507030106082B060105050703086200000001000000200000000687260331A72403D909F105E69BCF0D32E1BD2493FFC6D9206D11BCD67707390B000000010000001E000000440053005400200052006F006F0074002000430041002000580033000000140000000100000014000000C4A7B1A47B2C71FADBE14B9075FFC415608589101D00000001000000100000004558D512EECB27464920897DE7B660537F000000010000000E000000300C060A2B0601040182370A03047E000000010000000800000000C001B39667D60168000000010000000800000000409120D035D901030000000100000014000000DAC9024F54D8F6DF94935FB1732638CA6AD77C131900000001000000100000006CF252FEC3E8F20996DE5D4DD9AEF42420000000010000004E0300003082034A30820232A003020102021044AFB080D6A327BA893039862EF8406B300D06092A864886F70D0101050500303F31243022060355040A131B4469676974616C205369676E617475726520547275737420436F2E311730150603550403130E44535420526F6F74204341205833301E170D3030303933303231313231395A170D3231303933303134303131355A303F31243022060355040A131B4469676974616C205369676E617475726520547275737420436F2E311730150603550403130E44535420526F6F7420434120583330820122300D06092A864886F70D01010105000382010F003082010A0282010100DFAFE99750088357B4CC6265F69082ECC7D32C6B30CA5BECD9C37DC740C118148BE0E83376492AE33F214993AC4E0EAF3E48CB65EEFCD3210F65D22AD9328F8CE5F777B0127BB595C089A3A9BAED732E7A0C063283A27E8A1430CD11A0E12A38B9790A31FD50BD8065DFB7516383C8E28861EA4B6181EC526BB9A2E24B1A289F48A39E0CDA098E3E172E1EDD20DF5BC62A8AAB2EBD70ADC50B1A25907472C57B6AAB34D63089FFE568137B540BC8D6AEEC5A9C921E3D64B38CC6DFBFC94170EC1672D526EC38553943D0FCFD185C40F197EBD59A9B8D1DBADA25B9C6D8DFC115023AABDA6EF13E2EF55C089C3CD68369E4109B192AB62957E3E53D9B9FF0025D0203010001A3423040300F0603551D130101FF040530030101FF300E0603551D0F0101FF040403020106301D0603551D0E04160414C4A7B1A47B2C71FADBE14B9075FFC41560858910300D06092A864886F70D01010505000382010100A31A2C9B17005CA91EEE2866373ABF83C73F4BC309A095205DE3D95944D23E0D3EBD8A4BA0741FCE10829C741A1D7E981ADDCB134BB32044E491E9CCFC7DA5DB6AE5FEE6FDE04EDDB7003AB57049AFF2E5EB02F1D1028B19CB943A5E48C4181E58195F1E025AF00CF1B1ADA9DC59868B6EE991F586CAFAB96633AA595BCEE2A7167347CB2BCC99B03748CFE3564BF5CF0F0C723287C6F044BB53726D43F526489A5267B758ABFE67767178DB0DA256141339243185A2A8025A3047E1DD5007BC02099000EB6463609B16BC88C912E6D27D918BF93D328D65B4E97CB15776EAC5B62839BF15651CC8F677966A0A8D770BD8910B048E07DB29B60AEE9D82353510
(PID) Process:	(1932) meshagent.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Mesh Agent
Operation:	write	Name:	ImagePath
Value: "C:\Program Files\Mesh Agent\MeshAgent.exe"
(PID) Process:	(756) MeshAgent.exe	Key:	HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\15A\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US

Add for printing

Executable files

172

Suspicious files

Text files

1 455

Unknown types

Dropped files

PID	Process	Filename		Type
896	fc39e6cb0ae28dcd647eedbb041a5c9aa295b2db883232960ef0a48d86e93856.exe	C:\ProgramData\TacticalRMM\tacticalagent-v2.6.1-windows-amd64.exe		executable
		MD5:1B03A5C84F80E3CECD83AB99118E1576	SHA256:1C85338D737773209FE6485EF61102B3012F0B81D1CAB1D7CCB29681FCE8428D
2692	tacticalagent-v2.6.1-windows-amd64.tmp	C:\Program Files\TacticalAgent\is-ODM2P.tmp		executable
		MD5:F93CAC9DE0548EA909FAF3EB1807122D	SHA256:6AF022E259A16E958501D614F47814FE3CF8598989DF683718F4D7DD3AF6555B
3000	tacticalrmm.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506		compressed
		MD5:AC05D27423A85ADC1622C714F2CB6184	SHA256:C6456E12E5E53287A547AF4103E0397CB9697E466CF75844312DC296D43D144D
3000	tacticalrmm.exe	C:\Users\admin\AppData\Local\Temp\CabD729.tmp		compressed
		MD5:AC05D27423A85ADC1622C714F2CB6184	SHA256:C6456E12E5E53287A547AF4103E0397CB9697E466CF75844312DC296D43D144D
3000	tacticalrmm.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506		binary
		MD5:82268A3670E4EF0CEB728C3AEB019584	SHA256:C6C9403AFBDF301DD7CCE0F38FFA60A8E9723DB6945491B31F6C052511E2C2B5
2692	tacticalagent-v2.6.1-windows-amd64.tmp	C:\Program Files\TacticalAgent\tacticalrmm.exe		executable
		MD5:302E0EC4266894C504D0600C727F40D1	SHA256:6F4D712B3E8B620CBCF48992FA4EED0F852C1A9B0C5AEB47BCD33C0A9384F168
2812	tacticalagent-v2.6.1-windows-amd64.exe	C:\Users\admin\AppData\Local\Temp\is-TF22D.tmp\tacticalagent-v2.6.1-windows-amd64.tmp		executable
		MD5:1A72B8895835B7B6395EBB8745DBDAF3	SHA256:9E01307B6D0884E0384CCC1476BB26B71726D550CCC7C6BD342059C4974879DD
2692	tacticalagent-v2.6.1-windows-amd64.tmp	C:\Program Files\TacticalAgent\unins000.exe		executable
		MD5:F93CAC9DE0548EA909FAF3EB1807122D	SHA256:6AF022E259A16E958501D614F47814FE3CF8598989DF683718F4D7DD3AF6555B
2692	tacticalagent-v2.6.1-windows-amd64.tmp	C:\Program Files\TacticalAgent\unins000.dat		binary
		MD5:122887D7974F8BCB0A22D14B64ADC6B9	SHA256:14CE95B5025DD39B44B50890085E4FCC98590F4C8FC763677E034A50E5A64712
2692	tacticalagent-v2.6.1-windows-amd64.tmp	C:\Users\admin\AppData\Local\Temp\Setup Log 2024-02-01 #001.txt		text
		MD5:B5D4B7D1CC453B415BE618D122587DB5	SHA256:3E3CD0F263065F16774EEBD68CD5417DDD67D09849037925D940D73D71146800

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3000	tacticalrmm.exe	GET	200	23.32.238.219:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?5fe0405e3712e774	unknown	compressed	65.2 Kb	unknown
2692	powershell.exe	GET	200	93.184.221.240:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?659314f0cf787bda	unknown	compressed	4.66 Kb	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
1220	svchost.exe	239.255.255.250:3702	—	—	—	unknown
352	svchost.exe	224.0.0.252:5355	—	—	—	unknown
896	fc39e6cb0ae28dcd647eedbb041a5c9aa295b2db883232960ef0a48d86e93856.exe	140.82.121.3:443	github.com	GITHUB	US	unknown
896	fc39e6cb0ae28dcd647eedbb041a5c9aa295b2db883232960ef0a48d86e93856.exe	185.199.108.133:443	objects.githubusercontent.com	FASTLY	US	unknown
3000	tacticalrmm.exe	34.38.164.94:443	api.bithumb.ceo	GOOGLE-CLOUD-PLATFORM	US	unknown
3000	tacticalrmm.exe	23.32.238.219:80	ctldl.windowsupdate.com	Akamai International B.V.	DE	unknown
756	MeshAgent.exe	34.38.164.94:443	api.bithumb.ceo	GOOGLE-CLOUD-PLATFORM	US	unknown
3000	tacticalrmm.exe	188.114.97.3:443	icanhazip.tacticalrmm.io	CLOUDFLARENET	NL	unknown
1088	tacticalrmm.exe	34.38.164.94:443	api.bithumb.ceo	GOOGLE-CLOUD-PLATFORM	US	unknown

DNS requests

Domain	IP	Reputation
github.com	140.82.121.3	shared
objects.githubusercontent.com	185.199.108.133 185.199.109.133 185.199.110.133 185.199.111.133	shared
api.bithumb.ceo	34.38.164.94	unknown
ctldl.windowsupdate.com	23.32.238.219 23.32.238.208 23.32.238.201 93.184.221.240	whitelisted
mesh.bithumb.ceo	34.38.164.94	unknown
icanhazip.tacticalrmm.io	188.114.97.3 188.114.96.3	unknown
chocolatey.org	104.20.73.28 104.20.74.28	whitelisted
community.chocolatey.org	104.20.74.28 104.20.73.28	malicious
packages.chocolatey.org	104.20.73.28 104.20.74.28	unknown

Threats

PID	Process	Class	Message
1088	tacticalrmm.exe	Potentially Bad Traffic	ET INFO Observed Chocolatey Windows Package Management Domain (chocolatey .org in TLS SNI)
2692	powershell.exe	Potentially Bad Traffic	ET INFO Observed Chocolatey Windows Package Management Domain (chocolatey .org in TLS SNI)

Add for printing

No debug info

General Info

fc39e6cb0ae28dcd647eedbb041a5c9aa295b2db883232960ef0a48d86e93856.exe

B8B966DB021D7B8AAEE6965B3DBA4A28

189ED55B5E1BEF3F1F2FDE5C092F70DC6779A3F6

FC39E6CB0AE28DCD647EEDBB041A5C9AA295B2DB883232960EF0A48D86E93856

98304:qUFz9qgAoj3+uaOhkwMteU4ZSCPy1RYQau6qLm:WE

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Starts NET.EXE for service management

Creates a writable file in the system directory

Bypass execution policy to execute commands

Changes powershell execution policy (Bypass)

SUSPICIOUS

Executable content was dropped or overwritten

Reads settings of System Certificates

Reads the Windows owner or organization settings

Runs PING.EXE to delay simulation

Uses TASKKILL.EXE to kill process

Creates or modifies Windows services

Adds/modifies Windows certificates

Reads the Internet Settings

Executes as Windows Service

The process bypasses the loading of PowerShell profile settings

Starts POWERSHELL.EXE for commands execution

Searches for installed software

Uses WMIC.EXE to obtain operating system information

Uses WMIC.EXE to obtain system information

Uses WMIC.EXE to obtain computer system information

The process hides Powershell's copyright startup banner

Uses NETSH.EXE to change the status of the firewall

Process drops legitimate windows executable

Starts CMD.EXE for commands execution

Uses NETSH.EXE to add a firewall rule or allowed programs

The Powershell connects to the Internet

Unusual connection from system programs

The process hide an interactive prompt from the user

The process executes Powershell scripts

Application launched itself

Drops 7-zip archiver for unpacking

The process drops C-runtime libraries

INFO

Checks supported languages

Creates files in the program directory

Reads the machine GUID from the registry

Reads the computer name

Create files in a temporary directory

Reads Environment values

Reads product name

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules